
Commit 440da7d

Merge branch 'main' into v-smandalika-9477468
2 parents b9d1467 + 0cbcee0 commit 440da7d

11 files changed

+79
-37
lines changed

defender-xdr/advanced-hunting-behaviorentities-table.md

Lines changed: 4 additions & 1 deletion
@@ -20,7 +20,7 @@ ms.topic: reference
2020
ms.date: 12/29/2023
2121
---
2222

23-
# BehaviorEntities
23+
# BehaviorEntities (Preview)
2424

2525
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
2626

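Review bot: the `(Preview)` suffix is added only to the H1, while the front matter that closes with `---` two context lines above is untouched: `ms.date: 12/29/2023` is not bumped for a content change, and if that front matter carries a `title:` field it will still read `BehaviorEntities` without the suffix, so the browser title and TOC entry will disagree with the heading. Update both in the same change.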
@@ -32,6 +32,9 @@ The `BehaviorEntities` table in the [advanced hunting](advanced-hunting-overview
3232
> [!IMPORTANT]
3333
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
3434
35+
> [!IMPORTANT]
36+
> Behaviors feature is now in preview. Have feedback to share? Fill out our [feedback form](https://forms.office.com/r/x0mX5hBkGu).
37+
3538
Behaviors are a type of data in Microsoft Defender XDR based on one or more raw events. Behaviors provide contextual insight into events and can, but not necessarily, indicate malicious activity. [Read more about behaviors](/defender-cloud-apps/behaviors)
3639

3740
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
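Review bot: this stacks a second `> [!IMPORTANT]` callout directly under the existing one; two consecutive Important boxes dilute the prerelease warning, and a feedback request is not Important-level content. Fold the sentence into the existing callout or downgrade it to `> [!NOTE]`, and fix the grammar in the added line: `The Behaviors feature is in preview.` rather than `Behaviors feature is now in preview.`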

defender-xdr/advanced-hunting-behaviorinfo-table.md

Lines changed: 4 additions & 1 deletion
@@ -20,7 +20,7 @@ ms.topic: reference
2020
ms.date: 12/29/2023
2121
---
2222

23-
# BehaviorInfo
23+
# BehaviorInfo (Preview)
2424

2525
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
2626

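Review bot: same issue as the BehaviorEntities page: only the H1 gains `(Preview)`; the front matter above the `---` context line keeps `ms.date: 12/29/2023` and any `title:` field unchanged, so the rendered page title will not match the heading. Update the front matter alongside the heading.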
@@ -36,6 +36,9 @@ The `BehaviorInfo` table in the [advanced hunting](advanced-hunting-overview.md)
3636
> [!IMPORTANT]
3737
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
3838
39+
> [!IMPORTANT]
40+
> Behaviors feature is now in preview. Have feedback to share? Fill out our [feedback form](https://forms.office.com/r/x0mX5hBkGu).
41+
3942
Behaviors are a type of data in Microsoft Defender XDR based on one or more raw events. Behaviors provide contextual insight into events and can, but not necessarily, indicate malicious activity. [Read more about behaviors](/defender-cloud-apps/behaviors)
4043

4144
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
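Review bot: as on the BehaviorEntities page, the new `> [!IMPORTANT]` feedback callout sits immediately after an existing Important callout; merge the two or make the feedback request a `> [!NOTE]`, and change `Behaviors feature is now in preview` to `The Behaviors feature is in preview`.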

defender-xdr/advanced-hunting-schema-tables.md

Lines changed: 2 additions & 2 deletions
@@ -57,8 +57,8 @@ The following reference lists all the tables in the schema. Each table name link
5757
| **[AADSpnSignInEventsBeta](advanced-hunting-aadspnsignineventsbeta-table.md)** | Microsoft Entra service principal and managed identity sign-ins |
5858
| **[AlertEvidence](advanced-hunting-alertevidence-table.md)** | Files, IP addresses, URLs, users, or devices associated with alerts |
5959
| **[AlertInfo](advanced-hunting-alertinfo-table.md)** | Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, including severity information and threat categorization |
60-
| **[BehaviorEntities](advanced-hunting-behaviorentities-table.md)** | Behavior data types in Microsoft Defender for Cloud Apps |
61-
| **[BehaviorInfo](advanced-hunting-behaviorinfo-table.md)** | Alerts from Microsoft Defender for Cloud Apps |
60+
| **[BehaviorEntities](advanced-hunting-behaviorentities-table.md)** (Preview) | Behavior data types in Microsoft Defender for Cloud Apps |
61+
| **[BehaviorInfo](advanced-hunting-behaviorinfo-table.md)** (Preview) | Alerts from Microsoft Defender for Cloud Apps |
6262
| **[CloudAppEvents](advanced-hunting-cloudappevents-table.md)** | Events involving accounts and objects in Office 365 and other cloud apps and services |
6363
| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection |
6464
| **[DeviceFileCertificateInfo](advanced-hunting-DeviceFileCertificateInfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
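Review bot: the BehaviorInfo row on the changed line still describes the table as `Alerts from Microsoft Defender for Cloud Apps`, but the BehaviorInfo page edited in this same commit states that behaviors "can, but not necessarily, indicate malicious activity"; behaviors are not alerts, and `AlertInfo` two rows up already holds alerts. Suggest `Behaviors from Microsoft Defender for Cloud Apps, based on one or more raw events`. Also note the `(Preview)` marker is placed outside the bold link text, whereas the existing convention in this table carries the status in the table name itself (`AADSpnSignInEventsBeta`); acceptable, but inconsistent.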

exposure-management/exposure-insights-overview.md

Lines changed: 12 additions & 19 deletions
@@ -49,17 +49,15 @@ Security Exposure Management provides initiatives that currently include:
4949
> [!IMPORTANT]
5050
> Initiatives that are in preview are marked accordingly. Preview initiatives are still in development, and are subject to change.
5151
52-
5352
### Initiative elements
5453

5554
**Element** | **Goal** | **Details**
5655
--- | --- | ---
57-
**Initiative** | Initiatives help you to gather security projects that have similar resources and workloads, and to assess and remediate the security posture of each project.| Each security initiative provides an all-up score that provides a fast measure of how strong security posture is for the initiative at the current point in time.<br/><br/> The all-up score also provides a target score indicator, the number of critical assets affected, and shows how the score has moved over the last 24 hours.
56+
**Initiative** | Initiatives help you to gather security projects that have similar resources and workloads, and to assess and remediate the security posture of each project.| Each security initiative provides an all-up score that provides a fast measure of how strong security posture is for the initiative at the current point in time.<br/><br/> The all-up score also provides a target score indicator, the number of critical assets affected, and shows how the score has moved over the last 24 hours.
5857
**Metric** | Metrics in security initiatives help you to measure exposure risk for different areas within the initiative.| Each metric gathers together one or more recommendations for similar assets.<br/><br/>Metrics can be associated with one or more initiatives.<br/><br/>**Important**: Threat analytics initiatives don't have metrics. They have recommendations only.
5958
**Recommendations** |Security recommendations help you to understand the compliance state for a specific security initiative. | All security initiatives have recommendations associated with them.<br/><br/>Recommendations can be associated with one or more initiatives.<br/><br/> Within initiatives, recommendations are assigned a compliance state.
6059
**Events** | Events help you to monitor initiative changes. | Events notify you when there's a drop in an all-up initiative score or metric score, indicating that exposure risk grew.
6160

62-
6361
## Working with initiatives
6462

6563
You can prioritize which initiatives you want to see on the **Overview** dashboard. Review the initiative score, and drill down into initiatives to see associated metrics and understand where gaps or risks reside.
@@ -69,15 +67,15 @@ You can prioritize which initiatives you want to see on the **Overview** dashboa
6967
On the **Metrics** tab of an initiative, or in the **Metrics** section of **Exposure Insights**, you can see the metric state, its effect and relative importance in an initiative, and recommendations to improve the metric. For each metric you can:
7068

7169
- Review metrics properties, including:
72-
- **14-day trend**: Shows the metric value changes over the last 14 days.
73-
- **Affected items**: The number of items within the metric. In most cases, these items would be assets that are exposed or that create a risk factor. In other cases, affected items would be the number of missing Microsoft secure score points to effectively implement recommended controls.
74-
- **Total**: Total number of assets under the metric scope.
75-
- **Weight**: The relative weight (importance) of the metric within the initiative, and its effect on the initiative score. From one (lowest) to ten (highest).
76-
- **Score impact**: The impact that completing the metric (getting it to 0%) has on the security initiative. Meaning if a given metric is completed, the score impact is the addition seen to the initiative score.
77-
- **State**: Shows whether the metric needs attention, the risk was mitigated outside Security Exposure Management and shouldn't affect the initiative score, or was mitigated and the initiative score should be adjusted accordingly.
78-
- **Current value**: Current percentage of exposed assets within the total assets covered by the metric, with the state for each metric. Zero percent is best since there's no exposure, while 100% is worst.
79-
- **Recommendations**: Security recommendations associated with the metric.
80-
- **Last Updated** shows the last date the metric was updated.
70+
- **14-day trend**: Shows the metric value changes over the last 14 days.
71+
- **Affected items**: The number of items within the metric. In most cases, these items would be assets that are exposed or that create a risk factor. In other cases, affected items would be the number of missing Microsoft secure score points to effectively implement recommended controls.
72+
- **Total**: Total number of assets under the metric scope.
73+
- **Weight**: The relative weight (importance) of the metric within the initiative, and its effect on the initiative score. From one (lowest) to ten (highest).
74+
- **Score impact**: The impact that completing the metric (getting it to 0%) has on the security initiative. Meaning if a given metric is completed, the score impact is the addition seen to the initiative score.
75+
- **State**: Shows whether the metric needs attention, the risk was mitigated outside Security Exposure Management and shouldn't affect the initiative score, or was mitigated and the initiative score should be adjusted accordingly.
76+
- **Current value**: Current percentage of exposed assets within the total assets covered by the metric, with the state for each metric. Zero percent is best since there's no exposure, while 100% is worst.
77+
- **Recommendations**: Security recommendations associated with the metric.
78+
- **Last Updated** shows the last date the metric was updated.
8179

8280
- Filter metrics for specific findings.
8381
- Drill down into metrics to review and fix associated issues.
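Review bot: the nine sub-bullets are re-indented (leading whitespace, which this rendering strips); verify on the built page that they remain nested under `Review metrics properties, including:`, since fewer than two spaces of indent would promote them to top-level items alongside `Filter metrics` and `Drill down`. While these lines are being touched, make `**Last Updated** shows the last date the metric was updated.` follow the `**Name**: description` pattern of its siblings, and turn the Score impact fragment `Meaning if a given metric is completed, the score impact is the addition seen to the initiative score.` into a full sentence, for example `If a metric is completed, its score impact is added to the initiative score.`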
@@ -90,7 +88,6 @@ In some cases, metrics display grayed out because the underlying data for the me
9088

9189
Grayed out metrics aren't considered for score calculation.
9290

93-
9491
## Working with recommendations
9592

9693
Security Exposure Management ingests security recommendations from multiple sources, including Microsoft Defender for Cloud running the [Defender for Cloud Security Posture Management (CSPM) plan](/azure/defender-for-cloud/concept-cloud-security-posture-management), [Microsoft Secure Score](/defender-xdr/microsoft-secure-score), Microsoft threat analytics, and other Microsoft workloads. Security Exposure Management integrates all of these recommendations into a single security catalog.
@@ -122,7 +119,7 @@ Security Exposure Management uses secure score as one of its sources for initiat
122119

123120
The exposure state for a security initiative is reflected in the initiative score.
124121

125-
- **Initiatives with metrics**: For initiatives with metrics, the score is calculated based on the value and weight of metrics within the initiative.
122+
- **Initiatives with metrics**: For initiatives with metrics, the score is calculated based on the value and weight of metrics within the initiative.
126123
- **Initiatives without metrics**: For threat initiatives that don't have metrics, the initiative score is calculated in the same way that [Secure Score is calculated](/defender-xdr/microsoft-secure-score#how-recommended-actions-are-scored).
127124

128125
For initiatives with metrics:
@@ -139,7 +136,6 @@ On the **History** tab of an initiative, you can:
139136
- Filter for specific time points.
140137
- Drill down to specific changes.
141138

142-
143139
:::image type="content" source="media/exposure-insights-overview/initiatives-history.png" alt-text="Screenshot of the Initiative history tab showing the graph and dates of changes." lightbox="media/exposure-insights-overview/initiatives-history.png":::
144140

145141
When you drill down into a specific change, you can see the percentage effects of metrics in the initiative score, along with the change reason. Reasons include:
@@ -149,22 +145,19 @@ When you drill down into a specific change, you can see the percentage effects o
149145
- **Metric removed** - The metric is no longer relevant for that specific initiative. For instance, if a better suggestion is introduced or it becomes irrelevant.
150146
- **Metric depreciated** - The metric is removed globally.
151147

152-
153148
Selecting the metric that changed provides more details about the change. For instance, it might display the new weight of a property change, or the number of affected assets before or after the change.
154149

155150
:::image type="content" source="media/exposure-insights-overview/initiatives-history-details.png" alt-text="Screenshot of the metric change side panel in the Initiatives history tab." lightbox="media/exposure-insights-overview/initiatives-history-details.png":::
156151

157152
You can't control the metric or score changes in advance.
158153

159-
160154
## Reviewing events
161155

162-
163156
Events measure the score drop or worsening in the metric status. Events include:
164157

165158
- **Metric score drop events**: These events are issued with there's a decrease of at least 2% in metric score (exposure grew by 2%) since yesterday.
166159
- **Initiative score drop events**: These events are issued when there's a decrease of at least 2% in initiative score since yesterday.
167-
- **New Initiave event**: These events are issued when a new inititave is available in MSEM.
160+
- **New Initiative event**: These events are issued when a new initiative is available in MSEM.
168161

169162
## Next steps
170163

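Review bot: the typo fix `New Initiave` to `New Initiative` is correct, but two context lines in the same hunk carry related defects left in place: `These events are issued with there's a decrease` should be `issued when there's a decrease`, and `**Metric depreciated** - The metric is removed globally` should be `**Metric deprecated**`. The added line also uses the unexpanded abbreviation `MSEM` while the rest of the article says Security Exposure Management; spell it out for consistency.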
Four binary image files changed (263 KB, 248 KB, 41.1 KB, 261 KB); binary diffs not shown.

exposure-management/review-attack-paths.md

Lines changed: 27 additions & 8 deletions
@@ -25,23 +25,42 @@ Security Exposure Management is currently in public preview.
2525
- If you don't have licenses defined for workloads integrated and represented in the attack path.
2626
- If you don't fully define critical assets.
2727

28-
## View attack paths
28+
### Attack path dashboard
2929

30-
1. To access [attack paths](https://security.microsoft.com/attack-paths), select **Attack surface -> Attack path**.
30+
The dashboard provides a high-level overview of all identified attack paths within the environment. It enables security teams to gain valuable insights into the types of paths identified, top entry points, target assets, and more, helping to prioritize risk mitigation efforts effectively. The overview includes:
3131

32-
:::image type="content" source="./media/review-attack-paths/attack-paths.png" alt-text="Screenshot of the Security Exposure Management attack path window" lightbox="media/review-attack-paths/attack-paths.png":::
32+
- Graph of attack paths over time
33+
- Top choke points
34+
- Top attack path scenarios
35+
- Top targets
36+
- Top entry points
37+
38+
:::image type="content" source="media/work-attack-paths-overview/attack-paths-dashboard.png" alt-text="Screenshot of attack path dashboard" lightbox="media/work-attack-paths-overview/attack-paths-dashboard.png":::
39+
40+
### View attack paths
41+
42+
1. You can access [attack paths](https://security.microsoft.com/attack-paths) from the attack path dashboard, or by selecting **Attack surface -> Attack path**.
43+
44+
:::image type="content" source="media/review-attack-paths/attack-path-list.png" alt-text="Screenshot of attack path list" lightbox="media/review-attack-paths/attack-path-list.png":::
3345

3446
1. To change how attack paths are displayed, you can select a heading name to sort by a specific column heading.
3547

36-
## Group by choke points
48+
### Group attack paths
49+
50+
To group attack paths by specific criteria:
51+
52+
Select **Group** to group by **Attack path name**, **Entry point**,**Entry point type**, **Target type**, **Risk level**, **Status**, **Target criticality**, **Target**.
3753

38-
To group by choke point:
54+
### View choke points and blast radius
3955

40-
1. Select **Attack surface -> Attack path**.
56+
1. Go the choke points tab to view a list of choke points on the attack path dashboard. By focusing on these choke points, you can reduce risk by addressing high-impact assets, thus preventing attackers from progressing through various paths.
57+
1. Select a choke point to open the side panel, select **View blast radius** and explore the attack paths from a choke point. The blast radius provides a detailed visualization showing how the compromise of one asset could affect others. This enables security teams to assess the broader implications of an attack and prioritize mitigation strategies more effectively.
58+
59+
:::image type="content" source="media/review-attack-paths/choke points and blast radius.png" alt-text="Screenshot of choke point and blast radius " lightbox="media/review-attack-paths/choke points and blast radius.png":::
4160

42-
1. Select **Group** to group by **Name**, **Entry point type**, **Target type**, **Target criticality**, **Status**, or **choke point**.
61+
:::image type="content" source="media/review-attack-paths/choke-points on map.png" alt-text="Screenshot of choke point on attack map" lightbox="media/review-attack-paths/choke-points on map.png":::
4362

44-
## Examine an attack path
63+
### Examine an attack path
4564

4665
1. Select a specific attack path to examine it further for potential exploitable vulnerabilities.
4766

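Review bot: every `##` heading in this hunk is demoted to `###` (`View attack paths`, `Group attack paths`, `View choke points and blast radius`, `Examine an attack path`) and the new `### Attack path dashboard` is added at the same level, but no `##` parent appears in the hunk; unless one exists above line 25, the article now skips a heading level. Two of the new image paths contain spaces (`media/review-attack-paths/choke points and blast radius.png` and `choke-points on map.png`); rename them with hyphens to match `attack-path-list.png`, and confirm that `media/work-attack-paths-overview/attack-paths-dashboard.png`, which points at another article's media folder, exists on the target branch. Smaller fixes on the added lines: `Go the choke points tab` should be `Go to the Choke points tab`; `**Entry point**,**Entry point type**` is missing a space after the comma; the alt text `Screenshot of choke point and blast radius ` has a trailing space; and step 2 of the choke-point procedure runs two actions together and should read `Select a choke point to open the side panel, then select **View blast radius** to explore the attack paths that pass through it.`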
exposure-management/whats-new.md

Lines changed: 15 additions & 0 deletions
@@ -25,6 +25,21 @@ Security Exposure Management is currently in public preview.
2525
>
2626
> `https://aka.ms/msem/rss`
2727
28+
## October 2024
29+
30+
### New in attack paths
31+
32+
We have introduced four new features designed to enhance your security management and risk mitigation efforts. These features provide valuable insights into the attack paths identified within your environment, enabling you to prioritize risk mitigation strategies effectively and reduce the impact of potential threats.
33+
34+
The new features include:
35+
36+
- **Attack path widget on exposure management overview page**: Provides users with an at-a-glance, high-level view of discovered attack paths. It displays a timeline of newly identified paths, key entry points, target types, and more, ensuring security teams stay informed about emerging threats and can respond quickly.
37+
- **Attack path dashboard**: Provides a high-level overview of all identified attack paths within the environment. This feature enables security teams to gain valuable insights into the types of paths identified, top entry points, target assets, and more, helping to prioritize risk mitigation efforts effectively.
38+
- **Choke points**: Highlights critical assets that multiple attack paths intersect, identifying them as key vulnerabilities within the environment. By focusing on these choke points, security teams can efficiently reduce risk by addressing high-impact assets, thus preventing attackers from progressing through various paths.
39+
- **Blast radius**: Allows users to visually explore the paths from a choke point. It provides a detailed visualization showing how the compromise of one asset could affect others, enabling security teams to assess the broader implications of an attack and prioritize mitigation strategies more effectively.
40+
41+
For more information, see [Overview of attack paths](work-attack-paths-overview.md).
42+
2843
## September 2024
2944

3045
### New Enterprise IoT Security Initiative
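Review bot: `Highlights critical assets that multiple attack paths intersect` is ungrammatical; use `critical assets where multiple attack paths intersect` (or `through which`). The closing link targets `work-attack-paths-overview.md`, which is not among the files in this commit, so confirm it exists on the target branch; `review-attack-paths.md` in the same commit also references that article's media folder. The dashboard, choke-point and blast-radius bullets repeat sentences verbatim from `review-attack-paths.md`; a what's-new entry can be one line per feature plus the link rather than a second copy of the article text that will drift when the article changes.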
