Commit 396481d

Merge branch 'main' into be05f827-4373-44dd-9391-a9be873d2fc7_13
2 parents 09ba0bf + 32ea464 commit 396481d

71 files changed

+1088
-420
lines changed

ATPDocs/deploy/create-directory-service-account-gmsa.md

Lines changed: 4 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -11,8 +11,10 @@ This article describes how to create a [group managed service account (gMSA)](/w
1111

1212
For more information, see [Directory Service Accounts for Microsoft Defender for Identity](../directory-service-accounts.md).
1313

14-
>[!TIP]
15-
>In multi-forest, multi-domain environments, we recommend creating the gMSAs with a unique name for each forest or domain. Also, create a universal group in each domain, containing all sensors' computer accounts so that all sensors can retrieve the gMSAs' passwords, and perform the cross-domain authentications.
14+
>[!NOTE]
15+
>In multi-forest, multi-domain environments, the sensors that need to use the gMSA need to have their computer accounts trusted by the domain where the gMSA was created.
16+
>We recommend creating a universal group in each domain, containing all sensors' computer accounts so that all sensors can retrieve the gMSAs' passwords, and perform the cross-domain authentications.
17+
>We also recommend creating the gMSAs with a unique name for each forest or domain.
1618
1719
## Prerequisites: Grant permissions to retrieve the gMSA account's password
1820

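Review bot: "need to have their computer accounts trusted by the domain where the gMSA was created" does not tell the reader what to do; the concrete requirement is that every sensor's computer account is allowed to retrieve the gMSA password, which is exactly what the Prerequisites section that follows configures, and the universal group only serves that purpose if it contains all sensors' computer accounts across the domains. Suggest tying the sentence to that section, for example "the computer accounts of all sensors that use the gMSA must be permitted to retrieve its password (see Prerequisites below)", and fixing the doubled "need ... need" wording. The unique-name-per-forest recommendation is now stated without its reason; a half sentence on why (what breaks when names collide) would make the NOTE actionable.
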
ATPDocs/deploy/remote-calls-sam.md

Lines changed: 15 additions & 8 deletions
@@ -9,6 +9,13 @@ ms.topic: how-to
99

1010
Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
1111

12+
> [!NOTE]
13+
> This feature can potentially be exploited by an adversary to obtain the Net-NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
14+
> The new Defender for Identity sensor is not affected by this issue as it uses different detection methods.
15+
>
16+
> It is recommended to use a [low privileged DSA account](directory-service-accounts.md#grant-required-dsa-permissions). You can also [contact support](../support.md) to open a case and request to completely disable the [Lateral Movement Paths](../security-assessment-riskiest-lmp.md) data collection capability.
17+
> Please note that this will result in reduced data available for the [attack path feature in Exposure Management](/security-exposure-management/review-attack-paths).
18+
1219
This article describes the configuration changes required to allow the Defender for Identity Directory Services Account (DSA) to perform the SAM-R queries.
1320

1421
> [!TIP]
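
Review bot: the NOTE says "the new Defender for Identity sensor is not affected" but gives no link or definition, so readers cannot tell which sensor they are running; add a link to the new sensor documentation. The box is also ordered backwards for a warning: lead with the action (use a low-privileged DSA, as linked) and keep the Kerberos-to-NTLM downgrade explanation as the reason, and replace "It is recommended" and "Please note" with direct "We recommend" / "This reduces ..." phrasing consistent with the rest of the page. The trade-off sentence should also say that disabling Lateral Movement Paths data collection removes the lateral movement path mapping described in the first paragraph of this article, not only Exposure Management attack path data.
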
@@ -20,7 +27,7 @@ This article describes the configuration changes required to allow the Defender
2027
To ensure that Windows clients and servers allow your Defender for Identity Directory Services Account (DSA) to perform SAM-R queries, you must modify the **Group Policy** and add the DSA, in **addition to the configured accounts** listed in the **Network access** policy. Make sure to apply group policies to all computers **except domain controllers**.
2128

2229
> [!IMPORTANT]
23-
> Perform this procedure in [*audit mode*](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#audit-only-mode) first, verifying the compatibility of the proposed configuration before making the changes to your production environment.
30+
> Perform this procedure in the [*audit mode*](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#audit-only-mode) first, by verifying the compatibility of the proposed configuration before making the changes to your production environment.
2431
>
2532
> Testing in audit mode is critical in ensuring that your environment remains secure, and any changes will not impact your application compatibility. You may observe increased SAM-R traffic, generated by the Defender for Identity sensors.
2633
>
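
Review bot: the rewrite of line 30 changes the meaning. "Perform this procedure in the audit mode first, by verifying the compatibility" reads as if running in audit mode is accomplished by verifying compatibility, whereas the original participle meant audit mode is how you verify it. Suggest "Perform this procedure in audit mode first, and verify the compatibility of the proposed configuration before making the changes to your production environment" (no article before "audit mode").
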
@@ -31,9 +38,9 @@ To ensure that Windows clients and servers allow your Defender for Identity Dire
3138

3239
:::image type="content" source="../media/samr-policy-location.png" alt-text="Screenshot of the Network access policy selected." lightbox="../media/samr-policy-location.png":::
3340

34-
1. Add the DSA to the list of approved accounts able to perform this action, together with any other account that you've discovered during audit mode
41+
1. Add the DSA to the list of approved accounts able to perform this action, together with any other account that you've discovered during audit mode.
3542

36-
For more information, see [Network access: Restrict clients allowed to make remote calls to SAM](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls).
43+
For more information, see [Network access: Restrict clients allowed to make remote calls to SAM](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls).
3744

3845
## Make sure the DSA is allowed to access computers from the network (optional)
3946

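Review bot: step 1 tells the reader to add "any other account that you've discovered during audit mode" next to the DSA, which invites allow-listing every caller the audit surfaced, including callers that should not be making remote SAM calls at all. Suggest qualifying it: add only accounts that legitimately need remote SAM access, and investigate unexpected callers before the policy is enforced. The change to line 43 ("For more information ...") shows no visible difference, so it is presumably a trailing-whitespace fix; confirm that was intended.
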
@@ -48,10 +55,10 @@ For more information, see [Network access: Restrict clients allowed to make remo
4855

4956
1. Add the Defender for Identity Directory Service account to the list of approved accounts.
5057

51-
> [!IMPORTANT]
52-
> When configuring user rights assignments in group policies, it's important to note that the setting *replaces* the previous one rather than adding to it. Therefore, make sure to include *all* the desired accounts in the effective group policy. By default, workstations and servers include the following accounts: Administrators, Backup Operators, Users, and Everyone
53-
>
54-
> The [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) recommends replacing the default *Everyone* with *Authenticated Users* to prevent anonymous connections from performing network sign-ins. Review your local policy settings before managing the [Access this computer from the network](/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network) setting from a GPO, and consider including *Authenticated Users* in the GPO if needed.
58+
> [!IMPORTANT]
59+
> When configuring user rights assignments in group policies, it's important to note that the setting *replaces* the previous one rather than adding to it. Therefore, make sure to include *all* the desired accounts in the effective group policy. By default, workstations and servers include the following accounts: Administrators, Backup Operators, Users, and Everyone.
60+
>
61+
> The [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) recommends replacing the default *Everyone* with *Authenticated Users* to prevent anonymous connections from performing network sign-ins. Review your local policy settings before managing the [Access this computer from the network](/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network) setting from a GPO, and consider including *Authenticated Users* in the GPO if needed.
5562
5663
## Configure a Device profile for Microsoft Entra hybrid joined devices only
5764

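Review bot: this hunk only adds a period, but the IMPORTANT note it touches is where the earlier instruction "apply group policies to all computers except domain controllers" matters most: because user rights assignments replace rather than merge, linking this GPO to domain controllers would overwrite the domain controllers' own defaults for "Access this computer from the network". Suggest repeating the except-domain-controllers scoping inside this note, next to the default account list given for workstations and servers.
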
@@ -86,7 +93,7 @@ This procedure describes how to use the [Microsoft Intune admin center](https://
8693

8794
1. Continue the wizard to select the **scope tags** and **assignments**, and select **Create** to create your profile.
8895

89-
For more information, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles).
96+
For more information, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles).
9097

9198
## Next step
9299

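Review bot: lines 89 and 96 are identical in the rendered diff, so this is a whitespace-only change (trailing space removed, presumably), the same as line 43 of this file; fine to keep, but confirm it was intentional and not an editor artifact.
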
[Binary image files changed: 30.9 KB and 32.1 KB, not rendered in the diff]
Lines changed: 50 additions & 0 deletions
@@ -0,0 +1,50 @@
1+
---
2+
# Required metadata
3+
# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main
4+
# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main
5+
6+
title: 'Security Assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)'
7+
description: 'This recommendation directly addresses the recently published CVE-2024-49019, which highlights security risks associated with vulnerable AD CS configurations. '
8+
author: LiorShapiraa # GitHub alias
9+
ms.author: liorshapira
10+
ms.service: microsoft-defender-for-identity
11+
ms.topic: article
12+
ms.date: 12/04/2024
13+
---
14+
15+
# Security assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
16+
17+
This article describes Microsoft Defender for Identity's Prevent Certificate Enrollment with arbitrary Application Policies (ESC15) security posture assessment report.
18+
19+
## Why is it important to review the Certificate templates?
20+
21+
This recommendation directly addresses the recently published [CVE-2024-49019](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49019)__,__ which highlights security risks associated with vulnerable AD CS configurations. This security posture assessment lists all vulnerable certificate templates found in customer environments due to unpatched AD CS servers.
22+
23+
Certificate templates that are vulnerable to [CVE-2024-49019](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49019) allow an attacker to issue a certificate with arbitrary Application Policies and Subject Alternative Name. The certificate can be used to escalate privileges, possibly resulting with full domain compromise. 
24+
25+
These certificate templates expose organizations to significant risks, as they enable attackers to issue certificates with arbitrary Application Policies and Subject Alternative Names (SANs). Such certificates can be exploited to escalate privileges and potentially compromise the entire domain. In particular, these vulnerabilities allow non-privileged users to issue certificates that can authenticate as high-privileged accounts, posing a severe security threat.
26+
27+
## Prerequisites
28+
29+
This assessment is available only to customers who installed a sensor on an AD CS server. For more information, see [New sensor type for Active Directory Certificate Services (AD CS)](/defender-for-identity/whats-new).
30+
31+
## **How do I use this security assessment to improve my organizational security posture?**
32+
33+
1. Review the recommended action at [Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)](https://security.microsoft.com/securescore?viewid=actions).
34+
35+
2. **Identify the vulnerable certificate templates:**
36+
- Remove enrollment permission for unprivileged users.
37+
- Disable the **“Supply in the request”** option.
38+
39+
3. Identify the AD CS servers which are vulnerable to CVE-2024-49019 and apply the relevant patch.
40+
41+
For example:
42+
43+
:::image type="content" source="media/prevent-certificate-enrollment-esc15/image.png" alt-text="Screenshot of servers." lightbox="media/prevent-certificate-enrollment-esc15/image.png":::
44+
45+
## Next steps
46+
47+
- [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
48+
49+
- [Check out the Defender for Identity forum!](https://aka.ms/MDIcommunity)
50+

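Review bot: step 2 is labelled "Identify the vulnerable certificate templates" but its bullets are remediation actions (remove enrollment permission for unprivileged users, disable "Supply in the request"), so the heading should read "Remediate the vulnerable certificate templates"; identification is what the Secure Score action in step 1 provides. Step 3, patching the AD CS servers for CVE-2024-49019, is the root fix and should be listed before or alongside the template hardening rather than last. The paragraphs on lines 23 and 25 say the same thing (arbitrary Application Policies plus SAN, privilege escalation, possible domain compromise) and should be merged, with "resulting with" corrected to "resulting in". Markdown nits: `__,__` after the CVE link on line 21 renders as a bold comma and should be a plain comma; the "## **How do I use ...**" heading should not be bolded; the description metadata has a trailing space inside the quotes; "servers which are vulnerable" should be "that are vulnerable"; and the alt text "Screenshot of servers." should describe what the screenshot actually shows.
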
ATPDocs/toc.yml

Lines changed: 2 additions & 0 deletions
@@ -216,6 +216,8 @@ items:
216216
href: security-assessment-edit-misconfigured-enrollment-agent.md
217217
- name: Overly permissive certificate template with privileged EKU (ESC2)
218218
href: security-assessment-edit-overly-permissive-template.md
219+
- name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
220+
href: prevent-certificate-enrollment-esc15.md
219221
- name: Prevent requests for certificates valid for arbitrary users (ESC1)
220222
href: security-assessment-prevent-users-request-certificate.md
221223
- name: Remove local admins on identity assets
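
Review bot: the new href `prevent-certificate-enrollment-esc15.md` breaks the naming convention of its siblings (`security-assessment-edit-overly-permissive-template.md`, `security-assessment-prevent-users-request-certificate.md`); consider renaming it to `security-assessment-prevent-certificate-enrollment-esc15.md` so the assessment pages stay grouped and discoverable. The alphabetical placement between the ESC2 and ESC1 entries is correct.
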

CloudAppSecurityDocs/api-alerts.md

Lines changed: 0 additions & 1 deletion
@@ -53,7 +53,6 @@ The response object defines the following properties.
5353
| intent | list | A field that specifies the kill chain related intent behind the alert. Multiple values can be reported in this field. The **intent** enumeration values follow the [MITRE att@ck enterprise matrix model](https://attack.mitre.org/matrices/enterprise/). Further guidance on the different techniques that make up each intent can be found in MITRE's documentation.<br> Possible values include:<br/><br>**0**: UNKNOWN<br />**1**: PREATTACK<br />**2**: INITIAL_ACCESS<br />**3**: PERSISTENCE<br />**4**: PRIVILEGE_ESCALATION<br />**5**: DEFENSE_EVASION<br />**6**: CREDENTIAL_ACCESS<br />**7**: DISCOVERY<br />**8**: LATERAL_MOVEMENT<br />**9**: EXECUTION<br />**10**: COLLECTION<br />**11**: EXFILTRATION<br />**12**: COMMAND_AND_CONTROL<br />**13**: IMPACT |
5454
| isPreview | bool | Alerts that have been recently released as GA |
5555
| audits *(optional)* | list | List of event IDs that are related to the alert |
56-
| threatScore | int | User investigation priority |
5756

5857
## Filters
5958

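Review bot: removing the `threatScore` row deletes a documented response property with no deprecation note, so API clients that still read it get no signal about whether the field was dropped from the response or only from the docs. If the API no longer returns it, add a short dated note stating that `threatScore` was removed; if it is still returned but deprecated, keep the row and mark it deprecated.
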
CloudAppSecurityDocs/api-entities.md

Lines changed: 2 additions & 3 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Entities API
33
description: This article provides information about using the Entities API.
4-
ms.date: 01/29/2023
4+
ms.date: 11/28/2024
55
ms.topic: reference
66
---
77
# Entities API
@@ -32,11 +32,10 @@ The following table describes the supported filters:
3232
| entity | entity pk | eq, neq | Filter entities with specific entities pks. If a user is selected, this filter also returns all of the user's accounts. Example: `[{ "id": "entity-id", "inst": 0 }]` |
3333
| userGroups |string | eq, neq | Filter entities by their associated group IDs |
3434
| app | integer | eq, neq | Filter entities using services with the specified SaaS ID for example: 11770 |
35-
| instance | integer | eq, neq | Filter entities using services with the specified Appstances (SaaS ID and Instance ID), for example: 11770, 1059065 |
35+
| instance | integer | eq, neq | Filter entities using services with the specified app instances (SaaS ID and Instance ID). For example: 11770, 1059065 |
3636
| isExternal | boolean | eq | The entity's affiliation. Possible values include:<br /><br />**true**: External<br />**false**: Internal<br />**null**: No value |
3737
| domain | string | eq, neq, isset, isnotset | The entity's related domain |
3838
| organization | string | eq, neq, isset, isnotset | Filter entities with the specified organization unit |
3939
| status | string | eq, neq | Filter entities by status. Possible values include:<br /><br />**0**: N/A<br />**1**: Staged<br />**2**: Active<br />**3**: Suspended<br />**4**: Deleted |
40-
| score | integer | lt, gt, isset, isnotset | Filter entities by their Investigation Priority Score |
4140

4241
[!INCLUDE [Open support ticket](includes/support.md)]
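
Review bot: the `score` filter row is removed in the same way `threatScore` is removed from api-alerts.md in this commit, which suggests the Investigation Priority Score is being retired; a one-line note on the page would tell clients that a `score` filter in existing queries is no longer supported, rather than letting it disappear silently. The `instance` row fix is good ("Appstances" to "app instances"), but "Filter entities using services with the specified app instances" still reads awkwardly; suggest "Filter entities by app instance (SaaS ID and Instance ID), for example: 11770, 1059065".
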

CloudAppSecurityDocs/file-filters.md

Lines changed: 9 additions & 0 deletions
@@ -11,6 +11,15 @@ To provide data protection, Microsoft Defender for Cloud Apps gives you visibili
1111

1212
> [!IMPORTANT]
1313
> Starting **September 1, 2024**, we'll be phasing out the **Files** **page** from Microsoft Defender for Cloud Apps. Core functionalities of the Files page will be available on the **Cloud apps > Policies > Policy Management** page. We recommend using the Policy Management page to investigate files and to create, modify, and filter Information Protection policies and Malware files. For more information, see [File policies in Microsoft Defender for Cloud Apps](data-protection-policies.md).
14+
>
15+
16+
>[!NOTE]
17+
> **Query Size Limitation in Files Policy Filters and "Edit and Preview Results"**
18+
>
19+
> - When creating or editing a file policy, or when using the "Edit and preview results" option, there is a query size limitation. This limitation ensures optimal performance and prevents system overload.
20+
> - If your query exceeds the allowed size, you may need to refine your criteria or use other filters to fit within the acceptable limits. For example, if the policy involves "collaborators" criteria that includes the group "everyone" or "everyone except external users" it may cause a failure due to query size limitation.
21+
> - Please note that if the query exceeds the size limitation, the system will not specify which filter caused the failure.
22+
1423
## Enable file monitoring
1524

1625
To enable file monitoring for Defender for Cloud Apps, first turn on file monitoring in the **Settings** area. In the Microsoft Defender portal, select **Settings** > **Cloud Apps** > **Information Protection** > **Files** > **Enable file monitoring** > **Save**.
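
Review bot: line 14 adds a bare `>` that extends the IMPORTANT callout with an empty quoted line before the new NOTE; drop it so the two callouts stay separate. The NOTE states a query size limitation without giving the limit, so readers cannot design a query to stay under it; either state the limit or say explicitly that it is not published and that the failure is reported without naming the offending filter (the last bullet already implies this). Minor: "Please note that" is redundant inside a NOTE, and "'collaborators' criteria that includes" should be "that include".
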

CloudAppSecurityDocs/protect-egnyte.md

Lines changed: 4 additions & 4 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Protect your Egnyte environment (Preview) | Microsoft Defender for Cloud Apps
33
description: Learn how about connecting your Egnyte app to Defender for Cloud Apps using the API connector.
4-
ms.date: 12/05/2023
4+
ms.date: 12/12/2024
55
ms.topic: how-to
66
---
77
# How Defender for Cloud Apps helps protect your Egnyte environment
@@ -77,9 +77,9 @@ This section describes how to connect Microsoft Defender for Cloud Apps to your
7777
1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**. Make sure the status of the connected App Connector is **Connected**.
7878

7979
>[!NOTE]
80-
>Microsoft recommends using a short lived access token. Egnyte doesn't currently support short lived tokens. We recommend our customers to refresh the access token every 6 months as a security best practice.
81-
>To refresh the access token, revoke the old token by following [Revoking an oAuth token](https://developers.egnyte.com/docs/read/Public_API_Authentication#Revoking-an-OAuth-Token).
82-
>Once the old token is revoked, reconnect the Egnyte connector by following the process documented above.
80+
>- Microsoft recommends using a short lived access token. Egnyte doesn't currently support short lived tokens. We recommend our customers to refresh the access token every 6 months as a security best practice. To refresh the access token, revoke the old token by following [Revoking an oAuth token](https://developers.egnyte.com/docs/read/Public_API_Authentication#Revoking-an-OAuth-Token). Once the old token is revoked, reconnect the Egnyte connector by following the process documented above.
81+
>
82+
>- Defender for Cloud Apps intentionally provides a lower rate limit than Egnyte's maximum to avoid exceeding the API constraints. For more infomration, see the relevant Egnyte documentation: [Rate limiting](https://developers.egnyte.com/docs/read/Best_Practices) | [Audit Reporting API v2](https://developers.egnyte.com/docs/read/Audit_Reporting_API_V2)
8383
8484
## Next steps
8585

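Review bot: "infomration" on line 82 is a typo ("information"); "oAuth" should be "OAuth" and "short lived" should be hyphenated as "short-lived". On the rotation guidance, revoking the old token and then reconnecting means the connector is disconnected between the two steps, so the note should say that audit collection pauses during that window and that the reconnection should follow immediately. "We recommend our customers to refresh" should read "We recommend that customers refresh".
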