Merge branch 'main' into diannegali-updatetenantgroup

Author: diannegali

defender-endpoint/evaluate-exploit-protection.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier2
 - mde-asr
 search.appverid: met150
-ms.date: 11/15/2024
+ms.date: 11/21/2024
 ---
 
 # Evaluate exploit protection
@@ -37,7 +37,7 @@ In audit, you can see how mitigation works for certain apps in a test environmen
 
 Exploit protection mitigations work at a low level in the operating system, and some kinds of software that perform similar low-level operations might have compatibility issues when they're configured to be protected by using exploit protection.  
 
-#### What kinds of Software shouldn't be protected by exploit protection?
+#### What kinds of software shouldn't be protected by exploit protection?
 
 - Anti-malware and intrusion prevention or detection software
 - Debuggers
@@ -55,6 +55,40 @@ Services
 - System services
 - Network services
 
+## Exploit protection mitigations enabled by default
+
+| Mitigation | Enabled by default |
+| -------- | -------- |
+| Data Execution Prevention (DEP) | 64-bit and 32-bit applications |
+| Validate exception chains (SEHOP) | 64-bit applications |
+| Validate heap integrity | 64-bit and 32-bit applications |
+
+## Deprecated "Program settings" mitigations
+
+| “Program settings” mitigations | Reason |
+| -------- | -------- |
+| Export address filtering (EAF) | Application compatibility issues |
+| Import address filtering (IAF) | Application compatibility issues |
+| Simulate execution (SimExec) | Replaced with Arbitrary Code Guard (ACG) |
+| Validate API invocation (CallerCheck) | Replaced with Arbitrary Code Guard (ACG) |
+| Validate stack integrity (StackPivot) | Replaced with Arbitrary Code Guard (ACG) |
+
+## Office application best practices
+
+Instead of using Exploit Protection for Office applications such as Outlook, Word, Excel, PowerPoint, and OneNote, consider using a more modern approach to prevent their misuse: Attack Surface Reduction rules (ASR rules):
+
+- [Block executable content from email client and webmail ](attack-surface-reduction-rules-reference.md#block-executable-content-from-email-client-and-webmail)
+- [Block Office applications from creating executable content](attack-surface-reduction-rules-reference.md#block-office-applications-from-creating-executable-content)
+- [Block all Office applications from creating child processes](attack-surface-reduction-rules-reference.md#block-all-office-applications-from-creating-child-processes)
+- [Block Office communication application from creating child processes](attack-surface-reduction-rules-reference.md#block-office-communication-application-from-creating-child-processes)
+- [Block Office applications from injecting code into other processes](attack-surface-reduction-rules-reference.md#block-office-applications-from-injecting-code-into-other-processes)
+- [Block execution of potentially obfuscated scripts](attack-surface-reduction-rules-reference.md#block-execution-of-potentially-obfuscated-scripts)
+- [Block Win32 API calls from Office macros](attack-surface-reduction-rules-reference.md#block-win32-api-calls-from-office-macros)
+
+For Adobe Reader use the following ASR rule:
+
+•	[Block Adobe Reader from creating child processes](attack-surface-reduction-rules-reference.md#block-adobe-reader-from-creating-child-processes)
+
 ## Application compatibility list
 
 The following table lists specific products that have compatibility issues with the mitigations that are included in exploit protection. You must disable specific incompatible mitigations if you want to protect the product by using exploit protection. Be aware that this list takes into consideration the default settings for the latest versions of the product.  Compatibility issues can introduced when you apply certain add-ins or other components to the standard software.
@@ -69,7 +103,7 @@ The following table lists specific products that have compatibility issues with
 | DropBox   | EAF  |
 | Excel Power Query, Power View, Power Map and PowerPivot   | EAF  |
 | Google Chrome   | EAF+   |
-| Immidio Flex+   | Cell 4   |
+| Immidio Flex+   | EAF   |
 | Microsoft Office Web Components (OWC)   | System DEP=AlwaysOn  |
 | Microsoft PowerPoint   | EAF   |
 | Microsoft Teams   | EAF+   |
@@ -82,7 +116,38 @@ The following table lists specific products that have compatibility issues with
 
 ǂ EMET mitigations might be incompatible with Oracle Java when they're run by using settings that reserve a large chunk of memory for the virtual machine (that is, by using the -Xms option).
 
-## Enable exploit protection for testing
+## Enable exploit protection system settings for testing
+
+These Exploit Protection system settings are enabled by default on Windows 10 and later, Windows Server 2019 and later, and on Windows Server version 1803 core edition and later.
+
+| System settings | Setting |
+| -------- | -------- |
+| Control flow guard (CFG) | Use default (On) |
+| Data Execution Prevention (DEP) | Use default (On) |
+| Force randomization for images (Mandatory ASRL) | Use default (On) |
+| Randomize memory allocations (Bottom-up ASRL) | Use default (On) |
+| High-entropy ASRL | Use default (On) |
+| Validate exception chains (SEHOP) | Use default (On) |
+
+The xml sample is available below
+
+```
+<?xml version="1.0" encoding="UTF-8"?>
+<MitigationPolicy>
+  <SystemConfig>
+    <DEP Enable="true" EmulateAtlThunks="false" />
+    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
+    <ControlFlowGuard Enable="true" SuppressExports="false" />
+    <SEHOP Enable="true" TelemetryOnly="false" />
+    <Heap TerminateOnError="true" />
+  </SystemConfig>
+</MitigationPolicy>
+```
+
+## Enable exploit protection program settings for testing
+
+> [!TIP] 
+> We highly recommend reviewing the modern approach for vulnerability mitigations, which is to use [Attack Surface Reduction rules (ASR rules)](attack-surface-reduction.md).
 
 You can set mitigations in a testing mode for specific programs by using the Windows Security app or Windows PowerShell.
 

defender-endpoint/exploit-protection.md

@@ -16,7 +16,7 @@ ms.collection:
 - tier2
 - mde-asr
 search.appverid: met150
-ms.date: 12/18/2020
+ms.date: 11/21/2024
 ---
 
 # Protect devices from exploits
@@ -60,6 +60,23 @@ DeviceEvents
 | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
 ```
 
+### Exploit Protection and advanced hunting
+
+Below are the advanced hunting actiontypes available for Exploit Protection.
+
+| Exploit Protection mitigation name | Exploit Protection - Advanced Hunting - ActionTypes | 
+|:---|:---|
+| Arbitrary code guard | ExploitGuardAcgAudited <br/> ExploitGuardAcgEnforced <br/>|
+| Don't allow child processes | ExploitGuardChildProcessAudited <br/> ExploitGuardChildProcessBlocked <br/> |
+| Export address filtering (EAF) | ExploitGuardEafViolationAudited <br/> ExploitGuardEafViolationBlocked <br/> |
+| Import address filtering (IAF) | ExploitGuardIafViolationAudited <br/> ExploitGuardIafViolationBlocked <br/> |
+| Block low integrity images | ExploitGuardLowIntegrityImageAudited <br/> ExploitGuardLowIntegrityImageBlocked <br/> |
+| Code integrity guard | ExploitGuardNonMicrosoftSignedAudited <br/> ExploitGuardNonMicrosoftSignedBlocked <br/> |
+|•	Simulate execution (SimExec)<br/> •	Validate API invocation (CallerCheck) <br/> •	Validate stack integrity (StackPivot) <br/> | ExploitGuardRopExploitAudited <br/> ExploitGuardRopExploitBlocked <br/> |
+| Block remote images | ExploitGuardSharedBinaryAudited <br/> ExploitGuardSharedBinaryBlocked <br/> |
+| Disable Win32k system calls | ExploitGuardWin32SystemCallAudited <br/> ExploitGuardWin32SystemCallBlocked <br/>|
+
+
 ## Review exploit protection events in Windows Event Viewer
 
 You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:<br/><br/>
@@ -126,7 +143,6 @@ The table in this section indicates the availability and support of native mitig
 |Validate image dependency integrity | Yes | No |
 
 > [!NOTE]
-
 > The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10 and Windows 11, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. For more information on how Windows 10 employs existing EMET technology, see the [Mitigation threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit).
 
 ## See also

defender-vulnerability-management/defender-vulnerability-management-faq.md

@@ -130,7 +130,7 @@ The [Windows authenticated scan](windows-authenticated-scan.md) deprecation proc
 
 ### Why is this product being deprecated?
 
-The deprecation is to streamline offerings and focus on features that provide greater value to customers. This change allows our teams to allocate resources to innovations that better meet customer needs. We understand transitions can be challenging, and we're here to support you throughout the process. Let us know if you have any questions or need assistance.
+We're deprecating Windows authenticated scan to allow our teams to allocate resources to other product innovations. We understand transitions can be challenging, and we're here to support you throughout the process. Let us know if you have any questions or need assistance with this change.
 
 ### When will the product be officially deprecated?
 

defender-xdr/TOC.yml

@@ -305,7 +305,13 @@
                 - name: CloudAuditEvents
                   href: advanced-hunting-cloudauditevents-table.md
                 - name: CloudProcessEvents
-                  href: advanced-hunting-cloudprocessevents-table.md                  
+                  href: advanced-hunting-cloudprocessevents-table.md                     
+                - name: DeviceBaselineComplianceAssessment
+                  href: advanced-hunting-devicebaselinecomplianceassessment-table.md
+                - name: DeviceBaselineComplianceAssessmentKB
+                  href: advanced-hunting-devicebaselinecomplianceassessmentkb-table.md
+                - name: DeviceBaselineComplianceProfiles
+                  href: advanced-hunting-devicebaselinecomplianceprofiles-table.md     
                 - name: DeviceEvents
                   href: advanced-hunting-deviceevents-table.md
                 - name: DeviceFileCertificateInfo
@@ -326,6 +332,12 @@
                   href: advanced-hunting-deviceprocessevents-table.md
                 - name: DeviceRegistryEvents
                   href: advanced-hunting-deviceregistryevents-table.md
+                - name: DeviceTvmBrowserExtensions
+                  href: advanced-hunting-devicetvmbrowserextensions-table.md
+                - name: DeviceTvmBrowserExtensionsKB
+                  href: advanced-hunting-devicetvmbrowserextensionskb-table.md
+                - name: DeviceTvmCertificateInfo
+                  href: advanced-hunting-devicetvmcertificateinfo-table.md
                 - name: DeviceTvmHardwareFirmware
                   href: advanced-hunting-devicetvmhardwarefirmware-table.md
                 - name: DeviceTvmInfoGathering

defender-xdr/advanced-hunting-cloudauditevents-table.md

@@ -21,7 +21,7 @@ ms.topic: reference
 ms.date: 12/29/2023
 ---
 
-# CloudAuditEvents
+# CloudAuditEvents (Preview)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 

defender-xdr/advanced-hunting-devicebaselinecomplianceassessment-table.md

@@ -0,0 +1,64 @@
+---
+title: DeviceBaselineComplianceAssessment table in the advanced hunting schema
+description: Learn about the baseline compliance assessment snapshot, indicating the status of various security configurations related to baseline profiles on devices in Microsoft Defender XDR.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: v-sgoyagoy
+author: samanthagy
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 11/20/2024
+---
+
+# DeviceBaselineComplianceAssessment (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+- Microsoft Defender XDR
+- Microsoft Defender for Endpoint
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `DeviceBaselineComplianceAssessment` table in the advanced hunting schema contains baseline compliance assessment snapshot, which indicates the status of various security configurations related to baseline profiles on devices. 
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `DeviceId` | `string` | Unique identifier for the device in the service |
+| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |
+| `OSPlatform` | `string` | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. |
+| `OSVersion` | `string` | Version of the operating system running on the device |
+| `ConfigurationId` | `string` | Unique identifier for a specific configuration |
+| `ProfileId` | `string` | Unique identifier for the profile |
+| `IsCompliant` | `boolean` | Indicates whether the device that initiated the event is compliant or not |
+| `IsApplicable` | `boolean` | Indicates whether the configuration or policy is applicable |
+| `Source` | `dynamic` | The registry path or other location used to determine the current device setting |
+| `RecommendedValue` | `dynamic` | Set of expected values for the current device setting to be compliant |
+| `CurrentValue` | `dynamic` | Set of detected values found on the device |
+| `IsExempt` | `boolean` | Indicates whether the device is exempt from having the baseline configuration |
+
+
+## Related topics
+
+- [Proactively hunt for threats](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/advanced-hunting-devicebaselinecomplianceassessmentkb-table.md

@@ -0,0 +1,62 @@
+---
+title: DeviceBaselineComplianceAssessmentKB table in the advanced hunting schema
+description: Learn about the various security configurations used by baseline compliance to assess devices in the DeviceBaselineComplianceAssessmentKB table in the advanced hunting schema.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: v-sgoyagoy
+author: samanthagy
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 11/20/2024
+---
+
+# DeviceBaselineComplianceAssessmentKB (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+- Microsoft Defender XDR
+- Microsoft Defender for Endpoint
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `DeviceBaselineComplianceAssessmentKB` table in the advanced hunting schema contains information about various security configurations used by baseline compliance to assess devices.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `ConfigurationId` | `string` | Unique identifier for a specific configuration |
+| `ConfigurationName` | `string` | Display name of the configuration |
+| `ConfigurationDescription` | `string` | Description of the configuration |
+| `ConfigurationRationale` | `string` | Description of any associated risks and rationale behind the configuration |
+| `ConfigurationCategory` | `string` | Category or grouping to which the configuration belongs |
+| `BenchmarkProfileLevels` | `dynamic` | List of benchmark compliance levels for which the configuration is applicable |
+| `CCEReference` | `string` | Unique Common Configuration Enumeration (CCE) identifier for the configuration |
+| `RemediationOptions` | `string` | Recommended actions to reduce or address any associated risks |
+| `ConfigurationBenchmark` | `string` | Industry benchmark recommending the configuration |
+| `Source` | `dynamic` | The registry path or other location used to determine the current device setting |
+| `RecommendedValue` | `dynamic` | Set of expected values for the current device setting to be compliant |
+
+
+## Related topics
+
+- [DeviceBaselineComplianceAssessment](advanced-hunting-devicebaselinecomplianceassessment-table.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Overview of Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]