Merge pull request #950 from MicrosoftDocs/main

Publish main to live, Monday 10:30AM PDT, 07/15

Author: Stacyrch140

.openpublishing.redirection.defender.json

@@ -194,6 +194,11 @@
       "source_path": "defender-endpoint/collect-diagnostic-data-update-compliance.md",
       "redirect_url": "/defender-endpoint/collect-diagnostic-data",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-endpoint/attack-simulations.md",
+      "redirect_url": "/defender-endpoint/defender-endpoint-demonstrations",
+      "redirect_document_id": true
     }
   ]
 }

defender-endpoint/TOC.yml

@@ -321,8 +321,6 @@
     items:
     - name: Integration with Microsoft Defender for Cloud
       href: azure-server-integration.md
-    - name: Run simulated attacks on devices
-      href: attack-simulations.md
     - name: Create an onboarding or offboarding notification rule
       href: onboarding-notification.md
     - name: Manage Microsoft Defender for Endpoint configuration settings on devices with Microsoft Intune

defender-endpoint/attack-simulations.md

@@ -7,9 +7,11 @@
     - name: Overview
       items:
       - name: What is Microsoft Defender for IoT in the Defender portal?
-        href: microsoft-defender-iot.md      
+        href: microsoft-defender-iot.md    
+      - name: What's new
+        href: whats-new.md  
       - name: Site security
-        href: site-security-overview.md      
+        href: site-security-overview.md  
     - name: Get started
       items:
       - name: Prerequisites

defender-for-iot/TOC.yml

@@ -59,4 +59,17 @@ Defender for IoT generates its own unique alert.
 
 | Name | Description |
 |----|----|
-|**Possible operational impact due to a compromised device** |A compromised device communicated with an operational technology (OT) asset. An attacker might be attempting to control or disrupt physical operations. |
+|**Possible operational impact due to a compromised device** |A compromised device communicated with an operational technology (OT) asset. An attacker might be attempting to control or disrupt physical operations. |
+
+## Advanced hunting
+
+Use the **Site** property listed in the **DeviceInfo** table to write queries for advanced hunting. This allows you to filter devices according to a specific site, for example, all devices that communicated with malicious devices at a specific site.
+
+The following query lists all endpoint devices with the specific IP address at the San Francisco site.
+
+```kusto
+DeviceInfo
+|where Site == "SanFrancisco" and PublicIP == "192.168.1.1" and DeviceCategory == "Endpoint"
+```
+
+This is relevant for both the device inventory and site security. For more information, see [Advanced hunting](/../defender-xdr/advanced-hunting-overview) and the [Advanced hunting DeviceInfo schema](/../defender-xdr/advanced-hunting-deviceinfo-table).

defender-for-iot/investigate-threats.md

@@ -0,0 +1,31 @@
+---
+title: What's new in Microsoft Defender for IoT in the Defender portal
+description: This article describes new features available in Microsoft Defender for IoT in the Defender portal, including both OT and Enterprise IoT networks.
+ms.topic: whats-new
+ms.service: defender-for-iot
+author: lwainstein
+ms.author: lwainstein
+ms.localizationpriority: medium
+ms.date: 03/07/2024
+ms.custom: enterprise-iot
+---
+
+# What's new in Microsoft Defender for IoT?
+
+This article describes features available in Microsoft Defender for IoT in the Defender portal, across both OT and Enterprise IoT networks.
+
+[!INCLUDE [defender-iot-preview](../includes//defender-for-iot-defender-public-preview.md)]
+
+## July 2024
+
+|Service area  |Updates  |
+|---------|---------|
+| **OT networks** | - [Site property added DeviceInfo schema](#new-site-property-added-deviceinfo-schema) |
+
+### New Site property added DeviceInfo schema
+
+In the advanced hunting tables, the **Site** property is added to the **DeviceInfo** schema. For more information, see [investigate threats](investigate-threats.md#advanced-hunting).
+
+## Next steps
+
+[Get started with Defender for IoT](get-started.md)

defender-for-iot/whats-new.md

@@ -16,7 +16,7 @@ ms.collection:
 ms.custom:
 description: Admins can learn how to use the advanced delivery policy in Exchange Online Protection (EOP) to identify messages that shouldn't be filtered in specific supported scenarios (third-party phishing simulations and messages delivered to security operations (SecOps) mailboxes.
 ms.service: defender-office-365
-ms.date: 11/2/2023
+ms.date: 07/16/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -128,7 +128,7 @@ There must be a match on at least one **Domain** and one **Sending IP**, but no
 If your MX record doesn't point to Microsoft 365, the IP address in the `Authentication-results` header must match the IP address in the advanced delivery policy. If the IP addresses don't match, you might need to configure [Enhanced Filtering for Connectors](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) so the correct IP address is detected.
 
 > [!NOTE]
-> Enhanced Filtering for Connectors doesn't work for third-party phishing simulations in complex email routing scenarios (for example, email from the internet is routed to Microsoft 365, then to an on-premises environment or third-party security service, and then back to Microsoft 365). EOP can't identify the true IP address of the message source. Don't try to work around this limitation by adding the IP addresses of the on-premises or third-party sending infrastructure to the third-party phishing simulation. Doing so effectively bypasses spam filtering for any internet sender who impersonates the domain that's specified in the third-party phishing simulation.
+> Enhanced Filtering for Connectors doesn't work for third-party phishing simulations in email routing scenarios that involve mail coming to Exchange online twice (for example, internet email routed to Microsoft 365, then to an on-premises environment or third-party security service, and then back to Microsoft 365). EOP can't identify the true IP address of the message source. Don't try to work around this limitation by adding the IP addresses of the on-premises or third-party sending infrastructure to the third-party phishing simulation. Doing so effectively bypasses spam filtering for any internet sender who impersonates the domain that's specified in the third-party phishing simulation. Routing scenarios where the MX record points to a third party service and then mail is routed to Exchange Online are supported if Enhanced Filtering for Connectors is configured.
 >
 > Currently, the advanced delivery policy for third-party phishing simulations doesn't support simulations within the same organization (`DIR:INT`), especially when email is routed through an Exchange Server gateway before Microsoft 365 in Hybrid mail flow. To work around this issue, you have the following options:
 >

defender-office-365/advanced-delivery-policy-configure.md

@@ -109,7 +109,7 @@ Custom payloads have the option to add the External tag to messages. For more in
 
 There are no built-in options to add safety tips to payloads, but you can use the following methods on the **Configure payload** page of the payload setup wizard::
 
-- Use an existing email message that contains the safety tip as a template. Safe the message as HTML and copy the information.
+- Use an existing email message that contains the safety tip as a template. Save the message as HTML and copy the information.
 - Use the following sample code for the First contact safety tip:
 
   ```html
@@ -148,7 +148,7 @@ Yes. For more information, see [Training campaigns in Attack simulation training
 
 The [Users tab](attack-simulation-training-simulations.md#users-tab) for the simulation is filterable by **Simulation message delivery: Failed to deliver**.
 
-If you won the sender domain, the undelivered simulation report is returned in a non-delivery report (also known as an NDR or bounce message). For more information about the codes in the NDR, see [Email non-delivery reports and SMTP errors in Exchange Online](/exchange/troubleshoot/email-delivery/ndr/non-delivery-reports-in-exchange-online).
+If you own the sender domain, the undelivered simulation report is returned in a non-delivery report (also known as an NDR or bounce message). For more information about the codes in the NDR, see [Email non-delivery reports and SMTP errors in Exchange Online](/exchange/troubleshoot/email-delivery/ndr/non-delivery-reports-in-exchange-online).
 
 ## Issues with Attack simulation training reporting
 
@@ -326,14 +326,14 @@ A: See the following table:
 |Simulation metadata|18 months unless the [simulation is deleted sooner by an admin](attack-simulation-training-simulations.md#remove-simulations).|
 |Simulation automation|18 months unless the [simulation automation is deleted sooner by an admin](attack-simulation-training-simulation-automations.md#remove-simulation-automations).|
 |Payload automation|18 months unless the [payload automation is deleted sooner by an admin](attack-simulation-training-payload-automations.md#remove-payload-automations).|
-|User activity in simulation metadata|18 months unless deleted by an admin.|
+|User activity in simulation metadata|18 months unless the [simulation is deleted sooner by an admin](attack-simulation-training-simulations.md#remove-simulations).|
 |Global payloads|Persisted unless deleted by Microsoft.|
 |Tenant payloads|18 months unless the [archived payload is deleted sooner by an admin](attack-simulation-training-payloads.md#remove-archived-payloads).|
 |User activity in training metadata|18 months unless the [simulation is deleted sooner by an admin](attack-simulation-training-simulations.md#remove-simulations).|
 |MDO recommended payloads|6 months.|
 |Global end user notifications|Persisted unless deleted by Microsoft.|
 |Tenant end user notifications|18 months unless the [notification is deleted sooner by an admin](attack-simulation-training-end-user-notifications.md#remove-end-user-notifications).|
-|Global login pages|Persisted unless deleted by the service.|
+|Global login pages|Persisted unless deleted by Microsoft.|
 |Tenant login pages|18 months unless the [login page is deleted sooner by an admin](attack-simulation-training-login-pages.md#remove-login-pages).|
 |Global landing pages|Persisted unless deleted by Microsoft|
 |Tenant landing pages|18 months unless the [landing page is deleted sooner by an admin](attack-simulation-training-landing-pages.md#remove-landing-pages).|

defender-office-365/attack-simulation-training-faq.md

@@ -51,7 +51,7 @@ For more information on what's new with other Microsoft Defender security produc
 
 - **Automated end user feedback**: The user submission automatic feedback response capability in Microsoft Defender for Office 365 enables organizations to automatically respond to end user submissions of phishing based on the verdict from the automated investigation. [Learn more](air-user-automatic-feedback-response.md).
 
-- We are introducing **Sender's copy clean-up features** in Threat Explorer, email entity, Summary Panel, and Advanced hunting. These new features will streamline the process of managing Sent items, particularly for admins who use Soft delete and Move to inbox actions. For more information, see [Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md). Key highlights:
+- We are introducing **Sender's copy clean-up features** in Threat Explorer, email entity, Summary Panel, and Advanced hunting. These new features will streamline the process of managing Sent items, particularly for admins who use the actions **Move to mailbox folder** \> **Soft delete** and **Move to mailbox folder** \> **Inbox**. For more information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard). Key highlights:
 - Integration with Soft delete: Sender's copy clean-up will be incorporated as part of the Soft delete action.
   - Wide support: This action will be supported across various Defender XDR platforms including Threat Explorer, Take Action wizard from the email entity, Summary Panel, Advanced hunting, and through Microsoft Graph API.
   - Undo capability: An undo action will be available, allowing you to reverse the clean-up by moving items back to the Sent folder.

defender-office-365/defender-for-office-365-whats-new.md

@@ -80,7 +80,7 @@ The details pane on the left side of the page contains collapsible sections with
     - **Quarantine**
     - **Unknown**
   - **Latest Threats**
-  - **Latest delivery location**: The location of the message after system actions on the message (for example, [ZAP](zero-hour-auto-purge.md)), or admin actions on the message (for example, [Move to Deleted Items](threat-explorer-threat-hunting.md#email-remediation)). User actions on the message (for example, deleting or archiving the message) aren't shown, so this value doesn't guarantee the _current location_ of the message.
+  - **Latest delivery location**: The location of the message after system actions on the message (for example, [ZAP](zero-hour-auto-purge.md)), or admin actions on the message (for example, [Move to Deleted Items](threat-explorer-threat-hunting.md#the-take-action-wizard)). User actions on the message (for example, deleting or archiving the message) aren't shown, so this value doesn't guarantee the _current location_ of the message.
 
     > [!TIP]
     > There are scenarios where **Original delivery location**/**Latest delivery location** and/or **Delivery action** have the value **Unknown**. For example:
@@ -459,7 +459,7 @@ Use :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="fal
 
 The following actions are available at the top of the Email entity page:
 
-- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: Email remediation](threat-explorer-threat-hunting.md#email-remediation).
+- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard).
 - :::image type="icon" source="media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **Email preview**¹ ²
 - :::image type="icon" source="media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options**:
   - :::image type="icon" source="media/m365-cc-sc-open-icon.png" border="false"::: **Go to quarantined email**: Available only if the message was quarantined. Selecting this action opens the **Email** tab on the **Quarantine** page at <https://security.microsoft.com/quarantine>, filtered by the unique **Message ID** value of the message. For more information, see [View quarantined email](quarantine-admin-manage-messages-files.md#view-quarantined-email).