Merge branch 'main' into public-pr132

denisebmsft · web-flow · commit 3e14386dcdcb · 2024-11-06T12:04:28.000-08:00
diff --git a/defender-endpoint/controlled-folders.md b/defender-endpoint/controlled-folders.md
@@ -3,7 +3,7 @@ title: Protect important folders from ransomware from encrypting your files with
 description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 07/30/2024
+ms.date: 11/06/2024
 author: denisebmsft
 ms.author: deniseb
 audience: ITPro
@@ -33,12 +33,11 @@ search.appverid: met150
 **Applies to**
 - Windows
 
-
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink)
 
 ## What is controlled folder access?
 
-Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).
+Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Controlled folder access can be configured by using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). Controlled folder access is supported on Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11, 
 
 > [!NOTE]
 > Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with [certificate and file indicators](indicator-certificates.md).
@@ -66,15 +65,6 @@ The [protected folders](#review-controlled-folder-access-events-in-windows-event
 
 You can use [audit mode](overview-attack-surface-reduction.md) to evaluate how controlled folder access would impact your organization if it were enabled.
 
-Controlled folder access is supported on the following versions of Windows:
-
-- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) and later
-- Windows 11
-- Windows 2012 R2
-- Windows 2016
-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
-- Windows Server 2022
-
 ## Windows system folders are protected by default
 
 Windows system folders are protected by default, along with several other folders:
@@ -91,9 +81,9 @@ The protected folders include common system folders (including boot sectors), an
 - `c:\Users\Public\Music`
 - `c:\Users\<username>\Favorites`
 
-Default folders appear in the user's profile, under **This PC**.
-   > [!div class="mx-imgBorder"]
-   > ![Protected Windows default systems folders](media/defaultfolders.png)
+Default folders appear in the user's profile, under **This PC**, as shown in the following image:
+
+![Protected Windows default systems folders](media/defaultfolders.png)
 
 > [!NOTE]
 > You can configure additional folders as protected, but you cannot remove the Windows system folders that are protected by default.
@@ -122,33 +112,45 @@ DeviceEvents
 You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app:
 
 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device.
+
 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+
 3. On the left panel, under **Actions**, select **Import custom view...**.
+
 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](overview-attack-surface-reduction.md).
+
 5. Select **OK**.
 
 The following table shows events related to controlled folder access:
 
 |Event ID|Description|
 |---|---|
-|5007|Event when settings are changed|
-|1124|Audited controlled folder access event|
-|1123|Blocked controlled folder access event|
-|1127|Blocked controlled folder access sector write block event|
-|1128|Audited controlled folder access sector write block event|
+|`5007`|Event when settings are changed|
+|`1124`|Audited controlled folder access event|
+|`1123`|Blocked controlled folder access event|
+|`1127`|Blocked controlled folder access sector write block event|
+|`1128`|Audited controlled folder access sector write block event|
 
 ## View or change the list of protected folders
 
 You can use the Windows Security app to view the list of folders that are protected by controlled folder access.
 
 1. On your Windows 10 or Windows 11 device, open the Windows Security app.
+
 2. Select **Virus & threat protection**.
+
 3. Under **Ransomware protection**, select **Manage ransomware protection**.
+
 4. If controlled folder access is turned off, you'll need to turn it on. Select **protected folders**.
+
 5. Do one of the following steps:
+
    - To add a folder, select **+ Add a protected folder**.
    - To remove a folder, select it, and then select **Remove**.
 
-> [!NOTE]
-> [Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list. Subfolders are also included in protection when you add a new folder to the list.
+   > [!IMPORTANT]
+   > Do not add local share paths (loopbacks) as protected folders. Use the local path instead. For example, if you have shared `C:\demo` as `\\mycomputer\demo`, do not add `\\mycomputer\demo` to the list of protected folders. Instead add `C:\demo`.
+
+[Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list. Subfolders are also included in protection when you add a new folder to the list.
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-endpoint/manage-indicators.md b/defender-endpoint/manage-indicators.md
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 01/18/2024
+ms.date: 11/05/2024
 ---
 
 # Create indicators
@@ -150,9 +150,10 @@ The functionality of pre-existing IoCs won't change. However, the indicators wer
 The IoC API schema and the threat IDs in advance hunting are updated to align with the renaming of the IoC response actions. The API scheme changes apply to all IoC Types.
 
 > [!NOTE]
->
-> There is a limit of 15,000 indicators per tenant. File and certificate indicators do not block [exclusions defined for Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). Indicators are not supported in Microsoft Defender Antivirus when it is in passive mode.
->
+> There is a limit of 15,000 indicators per tenant. Increases to this limit are not supported.
+> 
+> File and certificate indicators do not block [exclusions defined for Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). Indicators are not supported in Microsoft Defender Antivirus when it is in passive mode.
+> 
 > The format for importing new indicators (IoCs) has changed according to the new updated actions and alerts settings. We recommend downloading the new CSV format that can be found at the bottom of the import panel.
 
 ## Known issues and limitations
diff --git a/defender-office-365/quarantine-faq.yml b/defender-office-365/quarantine-faq.yml
@@ -141,6 +141,8 @@ sections:
 
           - Some mail flow rules that quarantined a message can cause the released message to be quarantined again.
 
+          - Inform admins that routing released quarantine messages to onpremises recipients can cause messages to lose anti-spam headers, which makes the messages land in quarantine again after release.
+
           Admins can use [message trace](message-trace-defender-portal.md) to determine if a released message was delivered to the recipient's Inbox.
 
       - question: |
@@ -219,6 +221,8 @@ sections:
           >
           > For messages quarantined by zero-hour auto purge (ZAP), quarantine notifications are generated based on when the message was quarantined, not when the message was delivered to the mailbox.
 
+          You can also set up quarantine notifications for internal (intra-organization) messages only in quarantine policies.
+
       - question: |
           Why aren't users receiving notifications about their quarantined messages?
         answer: |
diff --git a/defender-xdr/streaming-api-storage.md b/defender-xdr/streaming-api-storage.md
@@ -16,7 +16,7 @@ ms.topic: conceptual
 ms.date: 06/21/2024
 ---
 
-# Configure Microsoft Defender XDR to stream Advanced Hunting events to your Storage account
+# Stream Microsoft Defender XDR events to your storage account
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
@@ -30,41 +30,47 @@ ms.date: 06/21/2024
 
 ## Before you begin
 
-1. Create a [Storage account](/azure/storage/common/storage-account-overview) in your tenant.
-
-2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights**.
+- Create a [Storage account](/azure/storage/common/storage-account-overview) in your tenant.
+- Sign in to your [Azure tenant](https://ms.portal.azure.com/), and go to **Subscriptions** > **Your subscription** > **Resource Providers** > **Register to Microsoft.Insights**.
 
 ### Add contributor permissions
 
-Once the Storage account is created, you'll need to:
+Once the storage account is created, you need to define the user who is signing in as a contributor.
 
-1. Define the user who is logging into Microsoft Defender XDR as Contributor.
+1. Go to **Storage Account** > **Access control (IAM)**, and then select **Add**.
 
-    Go to **Storage Account > Access control (IAM) > Add** and verify under **Role assignments**.
+2. Verify the user is listed under **Role assignments**.
 
 ## Enable raw data streaming
 
-1. Log in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a> as a ***Security Administrator*** at a minimum.
+> [!NOTE]
+> When using the Streaming API to an Azure Storage account, ensure the option `Allow trusted Microsoft services to access this storage account` is enabled in the storage account settings to allow for data to be streamed from Microsoft Defender for Endpoint.
+
+1. Go to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) and sign in using an account with at least Security Administrator permissions.
 
-  >[!IMPORTANT]
-  >Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+   > [!IMPORTANT]
+   > Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
-2. Go to **Settings** \> **Microsoft Defender XDR** \> **Streaming API**. To go directly to the **Streaming API** page, use <https://security.microsoft.com/settings/mtp_settings/raw_data_export>.
+2. Go to **Settings** > **Microsoft Defender XDR** > **Streaming API**. To go directly to the **Streaming API** page, use [https://security.microsoft.com/settings/mtp_settings/raw_data_export](https://security.microsoft.com/settings/mtp_settings/raw_data_export).
 
 3. Select **Add**.
 
 4. In the **Add new Streaming API settings** flyout that appears, configure the following settings:
-   1. **Name**: Choose a name for your new settings.
-   2. Select **Forward events to Azure Storage**.
-4. To display the Azure Resource Manager resource ID for a storage account in the Azure portal, follow these steps:
 
-   1. Navigate to your storage account in the Azure portal.
-   2. On the **Overview** page, in the **Essentials** section, select the **JSON View** link.
-   3. The resource ID for the storage account is displayed at the top of the page, copy the text under **Storage Account Resource ID**.
+   - **Name**: Choose a name for your new settings.
+   - Select **Forward events to Azure Storage**.
+
+5. To display the Azure Resource Manager resource ID for a storage account in the Azure portal, follow these steps:
+
+   1. Navigate to your storage account in the [Azure portal](https://portal.azure.com).
+
+   2. In the **Overview** page, in the **Essentials** section, select the **JSON View** link.
 
-   4. Back on the **Add new Streaming API settings** flyout, choose the **Event types** that you want to stream.
+   3. The resource ID for the storage account is displayed at the top of the page. Copy the text under **Storage Account Resource ID**.
 
-   When you're finished, select **Submit**.
+   4. In the **Add new Streaming API settings** flyout, choose the **Event types** that you want to stream.
+
+   5. When you're finished, select **Submit**.
 
 ## The schema of the events in the Storage account
 
@@ -74,14 +80,14 @@ Once the Storage account is created, you'll need to:
 
 - The schema of each row in a blob is the following JSON:
 
-  ```JSON
-  {
+   ```JSON
+   {
           "time": "<The time Microsoft Defender XDR received the event>"
           "tenantId": "<Your tenant ID>"
           "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
           "properties": { <Microsoft Defender XDR Advanced Hunting event as Json> }
-  }
-  ```
+   }
+   ```
 
 - Each blob contains multiple rows.
 
@@ -91,9 +97,11 @@ Once the Storage account is created, you'll need to:
 
 ## Data types mapping
 
-In order to get the data types for our events properties do the following:
+To get the data types for events properties, follow these steps:
+
+1. Go to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) and sign in.
 
-1. Log in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a> and go to **Hunting** \> **Advanced hunting**. To go directly to the **Advanced hunting** page, use <security.microsoft.com/advanced-hunting>.
+2. Go to **Hunting** \> **Advanced hunting**. To go directly to the **Advanced hunting** page, use [https://security.microsoft.com/advanced-hunting](https://security.microsoft.com/advanced-hunting).
 
 2. On the **Query** tab, run the following query to get the data types mapping for each event:
 
@@ -103,21 +111,20 @@ In order to get the data types for our events properties do the following:
    | project ColumnName, ColumnType
    ```
 
-- Here's an example for Device Info event:
+   Here's an example for Device Info event:
 
-  :::image type="content" source="/defender-endpoint/media/machine-info-datatype-example.png" alt-text="An example device info query" lightbox="/defender-endpoint/media/machine-info-datatype-example.png":::
+   :::image type="content" source="/defender-endpoint/media/machine-info-datatype-example.png" alt-text="An example device info query" lightbox="/defender-endpoint/media/machine-info-datatype-example.png":::
 
 ## Monitoring created resources
 
-You can monitor the resources created by the streaming API using **Azure Monitor**. 
-For more information, see [Monitor destinations - Azure Monitor | Microsoft Docs](/azure/azure-monitor/logs/logs-data-export?tabs=portal#monitor-destinations).
+You can monitor the resources created by the streaming API using **Azure Monitor**. For more information, see [Monitor destinations - Azure Monitor](/azure/azure-monitor/logs/logs-data-export?tabs=portal#monitor-destinations).
 
-## Related topics
+## Related articles
 
 - [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview)
-
 - [Overview of Advanced Hunting](advanced-hunting-overview.md)
 - [Microsoft Defender XDR Streaming API](streaming-api.md)
 - [Stream Microsoft Defender XDR events to your Azure storage account](streaming-api-storage.md)
 - [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
+
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
