Merge branch 'main' into docs-editor/attack-surface-reduction-rules-1732743585

Author: denisebmsft

.acrolinx-config.edn

@@ -1,6 +1,6 @@
 {:changed-files-limit 60
  :allowed-branchname-matches ["main" "release-.*"]
- :allowed-filename-matches ["ATADocs/" "CloudAppSecurityDocs/" "defender/" "defender-business/" "defender-endpoint/" "defender-for-cloud/" "defender-for-iot/" "defender-office-365/" "defender-vulnerability-management/" "defender-xdr/" "exposure-management/" "unified-secops-platform/"] ;; Can be overridden in repo-specific edn file. This is an allow list that identifies which folders contain the files Acrolinx will check. Separate multiple folders as follows ["folder/" "folder2"]
+ :allowed-filename-matches ["ATADocs/" "ATPDocs/" "CloudAppSecurityDocs/" "defender/" "defender-business/" "defender-endpoint/" "defender-for-cloud/" "defender-for-iot/" "defender-office-365/" "defender-vulnerability-management/" "defender-xdr/" "exposure-management/" "unified-secops-platform/"] ;; Can be overridden in repo-specific edn file. This is an allow list that identifies which folders contain the files Acrolinx will check. Separate multiple folders as follows ["folder/" "folder2"]
 
 :use-gh-statuses true
 

ATPDocs/technical-faq.yml

@@ -70,7 +70,7 @@ sections:
           
           - **[UEBA capabilities](/cloud-app-security/tutorial-ueba)**: Insights into individual user risk through user investigation priority scoring. The score can assist SecOps in their investigations and help analysts understand unusual activities for the user and the organization.
           
-          - **Native integrations**: Integrates with Microsoft Defender for Cloud Apps and Azure AD Identity Protection to provide a hybrid view of what's taking place in both on-premises and hybrid environments.
+          - **Native integrations**: Integrates with Microsoft Defender for Cloud Apps and Microsoft Entra ID Protection to provide a hybrid view of what's taking place in both on-premises and hybrid environments.
           
           - **Contributes to Microsoft Defender XDR**: Contributes alert and threat data to  Microsoft Defender XDR. Microsoft Defender XDR uses the Microsoft 365 security portfolio (identities, endpoints, data, and applications) to automatically analyze cross-domain threat data, building a complete picture of each attack in a single dashboard. 
           

ATPDocs/what-is.md

@@ -1,7 +1,7 @@
 ---
 title: What is Microsoft Defender for Identity?
 description: This article describes the Microsoft Defender for Identity service and the sorts of suspicious activities Defender for Identity can detect.
-ms.date: 08/27/2023
+ms.date: 08/27/2024
 ms.topic: overview
 #customer intent: As a Microsoft Defender for Identity customer or potential customer, I want to understand the main use case scenarios for Defender for Identity so that I can best use my Microsoft Defender XDR deployment.
 ---

CloudAppSecurityDocs/cas-compliance-trust.md

@@ -1,7 +1,7 @@
 ---
 title:  Microsoft Defender for Cloud Apps – privacy
 description: Learn about how Microsoft Defender for Cloud Apps manages user privacy.
-ms.date: 06/19/2024
+ms.date: 11/24/2024
 ms.topic: concept-article
 ---
 # Privacy with Microsoft Defender for Cloud Apps
@@ -29,12 +29,25 @@ Defender for Cloud Apps operates in the Microsoft Azure data centers in the foll
 |---------|---------|
 |**Customers whose tenants are provisioned in the United States**     |  United States       |
 |**Customers whose tenants are provisioned in the European Union or the United Kingdom**     |    Either the European Union and/or the United Kingdom      |
-|**Customers whose tenants are provisioned in the Asia Pacific**     |   Either Asia Pacific and/or the United States      |
-|**Customers whose tenants are provisioned in Canada**     |  Canada and/or the United States       |
-|**Customers whose tenants are provisioned in India**     |   Either India and/or the United States      |
 |**Customers whose tenants are provisioned in any other region**     |     The United States and/or a data center in the region that's nearest to the location of where the customer's Microsoft Entra tenant has been provisioned    |
 
-Customer data collected by Defender for Cloud Apps is either stored in your tenant location, as described in the previous table, or in the geographic location of another online service that Defender for Cloud Apps shares data with, as defined by the data storage rules of that online service.
+In addition to the locations above, the App Governance features within Defender for Cloud Apps operate in the Microsoft Azure data centers in the following geographical regions: 
+
+|Customer provisioning location  |Data storage location  |
+|---------|---------|
+|**Customers whose tenants are provisioned in the United States** | United States |
+|**Customers whose tenants are provisioned in in the European Union** | European Union |
+|**Customers whose tenants are provisioned in the United Kingdom** | United Kingdom |
+|**Customers whose tenants are provisioned in Australia** | Australia |
+|**Customers whose tenants are provisioned in Germany** | Germany |
+|**Customers whose tenants are provisioned in Canada** |Canada  |
+|**Customers whose tenants are provisioned in France**  | France  |
+| **Customers whose tenants are provisioned in Japan** | Japan  |
+| **Customers whose tenants are provisioned in India** | India  |
+| **Customers whose tenants are provisioned in Asia Pacific**  | Asia Pacific  |
+|**Customers whose tenants are provisioned in any other region**     |     The United States and/or a data center in the region that's nearest to the location of where the customer's Microsoft Entra tenant has been provisioned   |
+
+Customer data collected by Defender for Cloud Apps is either stored in your tenant location, as described in the previous tables, or in the geographic location of another online service that Defender for Cloud Apps shares data with, as defined by the data storage rules of that online service.
 
 If Defender for Cloud Apps data is stored in your tenant location, your tenant isn't movable after having been created. To view your Defender for Cloud Apps tenant location in the Microsoft Defender portal, go to **Settings > Cloud Apps > About > Region**.
 
@@ -58,4 +71,4 @@ Defender for Cloud Apps shares data, including customer data, among the followin
 
 ## Related content
 
-For more information, see the [Microsoft Service Trust portal](https://www.microsoft.com/en-us/trust-center/product-overview).
+For more information, see the [Microsoft Service Trust portal](https://www.microsoft.com/en-us/trust-center/product-overview).

CloudAppSecurityDocs/get-started.md

@@ -1,14 +1,12 @@
 ---
 title: Get started | Microsoft Defender for Cloud Apps
 description: This quickstart outlines the process for getting Defender for Cloud Apps up and running so you have cloud app use, insight, and control.
-ms.date: 05/15/2024
+ms.date: 11/28/2024
 ms.topic: quickstart
 ---
 
 # Get started with Microsoft Defender for Cloud Apps
 
-
-
 This quickstart describes how to start working with Microsoft Defender for Cloud Apps on the Microsoft Defender Portal. 
 
 Defender for Cloud Apps can help you use the benefits of cloud applications while maintaining control of your corporate resources. Defender for Cloud Apps improves your visibility into cloud activity and helps increase protection over your corporate data.
@@ -22,8 +20,15 @@ To set up Defender for Cloud Apps, you must at least be a Security Administrator
 
 Users with admin roles have the same admin permissions across any cloud apps your organization is subscribed to, regardless of where you've assigned the role. For more information, see [Assign admin roles](/microsoft-365/admin/add-users/assign-admin-roles) and [Assigning administrator roles in Microsoft Entra ID](/azure/active-directory/roles/permissions-reference).
 
+
 Microsoft Defender for Cloud Apps is a security tool and therefore doesn't require Microsoft 365 productivity suite licenses. For Microsoft 365 Cloud App Security (Microsoft Defender for Cloud Apps only for Microsoft 365), see [What are the differences between Microsoft Defender for Cloud Apps and Microsoft 365 Cloud App Security?](editions-cloud-app-security-o365.md).
 
+Microsoft Defender for Cloud Apps depends on the following Microsoft Entra ID applications to function properly. Do not disable these applications in Microsoft Entra ID:
+
+- Microsoft Defender for Cloud Apps - APIs
+- Microsoft Defender for Cloud Apps - Customer Experience
+- Microsoft Defender for Cloud Apps - Information Protection
+- Microsoft Defender for Cloud Apps - MIP Server
 
 ## Access Defender for Cloud Apps
 

CloudAppSecurityDocs/protect-google-workspace.md

@@ -24,6 +24,7 @@ Connecting Google Workspace to Defender for Cloud Apps gives you improved insigh
 
 ## How Defender for Cloud Apps helps to protect your environment
 
+
 - [Detect cloud threats, compromised accounts, and malicious insiders](best-practices.md#detect-cloud-threats-compromised-accounts-malicious-insiders-and-ransomware)
 - [Discover, classify, label, and protect regulated and sensitive data stored in the cloud](best-practices.md#discover-classify-label-and-protect-regulated-and-sensitive-data-stored-in-the-cloud)
 - [Discover and manage OAuth apps that have access to your environment](manage-app-permissions.md)
@@ -183,7 +184,9 @@ This section provides instructions for connecting Microsoft Defender for Cloud A
 
     1. Upload the P12 **Certificate** file that you saved earlier.
 
-    1. Enter one **admin account email** of your Google Workspace admin.
+    1. Enter the email address of your **Google Workspace Super Admin**.
+
+        Deploying with an account that is not a Google Workspace Super Admin will lead to failure in the API test and does not allow Defender for Cloud Apps to correctly function. We request specific scopes so even as Super Admin, Defender for Cloud Apps is still limited.
 
     1. If you have a Google Workspace Business or Enterprise account, select the check box. For information about which features are available in Defender for Cloud Apps for Google Workspace Business or Enterprise, see [Enable instant visibility, protection, and governance actions for your apps](enable-instant-visibility-protection-and-governance-actions-for-your-apps.md).
 

CloudAppSecurityDocs/what-is-defender-for-cloud-apps.md

@@ -1,7 +1,7 @@
 ---
 title: Overview
 description: This article describes Microsoft Defender for Cloud Apps and how it works.
-ms.date: 06/14/2023
+ms.date: 06/14/2024
 ms.topic: overview
 ---
 # Microsoft Defender for Cloud Apps overview

defender-endpoint/linux-install-manually.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/28/2024
+ms.date: 12/02/2024
 ---
 
 # Deploy Microsoft Defender for Endpoint on Linux manually
@@ -495,9 +495,16 @@ Download the onboarding package from Microsoft Defender portal.
 
 The following external package dependencies exist for the mdatp package:
 
-- The mdatp RPM package requires `glibc >= 2.17`, `audit`, `policycoreutils`, `semanage` `selinux-policy-targeted`, `mde-netfilter`
-- For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `auditd`, `mde-netfilter`
-- For Mariner the mdatp package requires `attr`, `audit`, `diffutils`, `libacl`, `libattr`, `libselinux-utils`, `selinux-policy`, `policycoreutils`, `mde-netfilter`
+- The mdatp RPM package requires `glibc >= 2.17`, `policycoreutils`, `selinux-policy-targeted`, `mde-netfilter`
+- For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `mde-netfilter`
+- For Mariner the mdatp package requires `attr`,  `diffutils`, `libacl`, `libattr`, `libselinux-utils`, `selinux-policy`, `policycoreutils`, `mde-netfilter`
+
+> [!NOTE]
+> Starting with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology.
+> If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.0001` or lower, the following additional dependency on the auditd package exists for mdatp:
+> - The mdatp RPM package requires `audit`, `semanage`.
+> - For DEBIAN the mdatp package requires `auditd`.
+> - For Mariner the mdatp package requires `audit`.
 
 The mde-netfilter package also has the following package dependencies:
 

defender-endpoint/linux-support-ebpf.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/11/2024
+ms.date: 12/02/2024
 ---
 
 # Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux
@@ -116,7 +116,9 @@ Post reboot, run the following command to check if audit rules were cleared:
 The output of previous command should show no rules or any user added rules. In case where the rules weren't removed, do the following steps to clear the audit rules file:
 
 1. Switch to ebpf mode.
+
 2. Remove the file `/etc/audit/rules.d/mdatp.rules`.
+
 3. Reboot the machine.
 
 ### Troubleshooting and Diagnostics
@@ -131,23 +133,29 @@ uname -a
 
 1. Enabling eBPF on RHEL 8.1 version with SAP might result in kernel panic. To mitigate this issue, you can take one of the following steps:
 
-    - Use a distro version higher than RHEL 8.1.
-    - Switch to AuditD mode if you need to use RHEL 8.1 version.
+   - Use a distro version higher than RHEL 8.1.
+   - Switch to AuditD mode if you need to use RHEL 8.1 version.
 
 2. Using Oracle Linux 8.8 with kernel version **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** might result in kernel panic. To mitigate this issue, you can take one of the following steps:
 
-    - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. The minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4.
-    - Switch to AuditD mode if you need to use the same kernel version
+   - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. The minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4.
+   - Switch to AuditD mode if you need to use the same kernel version
 
-```bash
-sudo mdatp config  ebpf-supplementary-event-provider  --value disabled
-```
+      ```bash
+      sudo mdatp config  ebpf-supplementary-event-provider  --value disabled
+      ```
+
+   - The following two sets of data help analyze potential issues and determine the most effective resolution options.
+
+      1. Collect a diagnostic package from the client analyzer tool by using the following instructions: [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).
 
-The following two sets of data help analyze potential issues and determine the most effective resolution options.
+      2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information).
 
-1. Collect a diagnostic package from the client analyzer tool by using the following instructions: [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).
+3. System hangs on Oracle Linux 7.9 running Defender for Linux when ksplice is used for live kernel patching. 
 
-2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information).
+    - Auto-install patching of ksplice simply adds a cron job to the endpoint.
+    - To mitigate the hang issue, you can create a cron job which will first stop the mdatp service, apply ksplice based patching, then start the service.  
+    - As kernel patching is few seconds activity so this will not have major exposure in terms of security.  
 
 #### Troubleshooting performance issues
 

defender-endpoint/linux-support-offline-security-intelligence-update.md

@@ -15,7 +15,7 @@ ms.collection:
 - mde-linux
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 10/11/2024
+ms.date: 12/02/2024
 ---
 
 # Configure Offline Security Intelligence Update for Microsoft Defender for Endpoint on Linux 
@@ -165,7 +165,9 @@ Once hosted, copy the absolute path of the hosted server (up to and not includin
 
 For example, if the script is executed with `downloadFolder=/tmp/wdav-update`, and the HTTP server (`www.example.server.com:8000`) is hosting the `/tmp/wdav-update` path, the corresponding URI is: `www.example.server.com:8000/linux/production/`
 
-Once the Mirror Server is set up, we need to propagate this URL to the Linux endpoints using the Managed Configuration as described in the next section.
+We can also use the absolute path of directory (local / remote mount point) like `/tmp/wdav-update/linux/production`.
+
+Once the Mirror Server is set up, we need to propagate this URL to the Linux endpoints as the `offlineDefinitionUpdateUrl` in the Managed Configuration as described in the next section.
 
 ## Configure the Endpoints
 
@@ -182,17 +184,17 @@ Once the Mirror Server is set up, we need to propagate this URL to the Linux end
         "offlineDefintionUpdateFallbackToCloud":false,
         "offlineDefinitionUpdate": "enabled"
       },
-    "features": {
-    "offlineDefinitionUpdateVerifySig": "enabled"
-    }
+      "features": {
+        "offlineDefinitionUpdateVerifySig": "enabled"
+      }
     }
     ```
 
 | Field Name                                | Values               | Comments                                            |
 |-------------------------------------------|----------------------|-----------------------------------------------------|
 | `automaticDefinitionUpdateEnabled`        | `True` / `False`         | Determines the behavior of Defender for Endpoint attempting to perform updates automatically, is turned on or off respectively. |
 | `definitionUpdatesInterval`               | Numeric              | Time of interval between each automatic update of signatures (in seconds). |
-| `offlineDefinitionUpdateUrl`              | String               | URL value generated as part of the Mirror Server set up. |
+| `offlineDefinitionUpdateUrl`              | String               | URL value generated as part of the Mirror Server set up. This can be either in terms of the remote server URL, or a directory (local / remote mount point). |
 | `offlineDefinitionUpdate`                 | `enabled` / `disabled`   | When set to `enabled`, the offline security intelligence update feature is enabled, and vice versa. |
 | `offlineDefinitionUpdateFallbackToCloud`  | `True` / `False`         | Determine Defender for Endpoint security intelligence update approach when offline Mirror Server fails to serve the update request. If set to true, the update is retried via the Microsoft cloud when offline security intelligence update failed, else vice versa. |
 | `offlineDefinitionUpdateVerifySig`        | `enabled` / `disabled`     | When set to `enabled`, downloaded definitions are verified on the endpoints, else vice versa. |
@@ -287,16 +289,6 @@ offline_definition_update_fallback_to_cloud : false[managed]
   mdatp definitions update
   ```
 
-### Known Issues:
-
-Offline signature update might fail in the following scenario:  
-
-   You enabled the feature, applied the signature updates, then disabled the feature to apply further signature updates from cloud, and subsequently re-enabled the feature for additional signature updates.
-
-Mitigation steps:  
-
-A fix for this issue is planned to release soon. 
-
 ## Useful Links
 
 ### Downloader script