Commit 486f04d

Merge branch 'main' into docs-editor/manage-protection-updates-micr-1741662957
2 parents 982e014 + aa4cfc8 commit 486f04d

7 files changed, +142 -51 lines changed


CloudAppSecurityDocs/behaviors.md

Lines changed: 5 additions & 1 deletion
@@ -147,10 +147,14 @@ BehaviorEntities
147147
| project Timestamp, BehaviorId, ActionType, Categories, ServiceSource, AccountUpn, AccountObjectId, EntityType, EntityRole, RemoteIP, AccountName, AccountDomain
148148
```
149149

150+
### Role-Based Access Control (RBAC) scoping for 'Behaviors'
151+
152+
Starting March 2025, Defender for Cloud Apps customers can configure Role-Based Access Control (RBAC) scoping for 'Behaviors'. This new capability empowers administrators to define and manage access permissions more precisely, ensuring that users have the appropriate level of access to specific application data based on their roles and responsibilities. Read more here on how to configure - [Configure admin access](https://learn.microsoft.com/defender-cloud-apps/manage-admins).
153+
150154
## Next steps
151155

152156
- [TechCommunity Blog](https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/transform-the-way-you-investigate-by-using-behaviors-amp-new/ba-p/3825154)
153157
- [Tutorial: Detect suspicious user activity with behavioral analytics](tutorial-suspicious-activity.md)
154158

155-
[!INCLUDE [Open support ticket](includes/support.md)].
159+
[!INCLUDE [Open support ticket](includes/support.md)]
156160

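Review bot: The added paragraph under the new RBAC heading links to the admin page with an absolute URL, `https://learn.microsoft.com/defender-cloud-apps/manage-admins`, while the rest of this file uses repo-relative links such as `tutorial-suspicious-activity.md`; use `manage-admins.md` so the link resolves in the docs build and on localized sites. The lead-in "Read more here on how to configure - [Configure admin access](...)" also reads awkwardly; suggest "For configuration steps, see [Configure admin access](manage-admins.md)." Note too that release-notes.md in this same commit labels the feature "(Preview)" but this paragraph does not, so the two should be aligned.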
CloudAppSecurityDocs/manage-admins.md

Lines changed: 1 addition & 1 deletion
@@ -75,7 +75,7 @@ The following specific admin roles can be configured in the Microsoft Defender p
7575
|**Compliance administrator** | Grants the same permissions as the Microsoft Entra Compliance administrator role but only to Defender for Cloud Apps. |
7676
|**Security reader** | Grants the same permissions as the Microsoft Entra Security reader role but only to Defender for Cloud Apps. |
7777
|**Security operator** | Grants the same permissions as the Microsoft Entra Security operator role but only to Defender for Cloud Apps. |
78-
|**App/instance admin** | Has full or read-only permissions to all of the data in Defender for Cloud Apps that deals exclusively with the specific app or instance of an app selected. <br><br>For example, you give a user admin permission to your Box European instance. The admin will see only data that relates to the Box European instance, whether it's files, activities, policies, or alerts: <ul><li>Activities page - Only activities about the specific app<li> Alerts - Only alerts relating to the specific app. In some cases, alert data related to another app if the data is correlated with the specific app. Visibility to alert data related to another app is limited, and there is no access to drill down for more details<li>Policies - Can view all policies and if assigned full permissions can edit or create only policies that deal exclusively with the app/instance<li>Accounts page - Only accounts for the specific app/instance<li> App permissions - Only permissions for the specific app/instance<li> Files page - Only files from the specific app/instance<li>Conditional access app control - No permissions<li> Cloud discovery activity - No permissions<li> Security extensions - Only permissions for API token with user permissions<li>Governance actions - Only for the specific app/instance<li> Security recommendations for cloud platforms - No permissions<li>IP ranges - No permissions </ul> |
78+
|**App/instance admin** | Has full or read-only permissions to all of the data in Defender for Cloud Apps that deals exclusively with the specific app or instance of an app selected. <br><br>For example, you give a user admin permission to your Box European instance. The admin will see only data that relates to the Box European instance, whether it's files, activities, policies, behaviors or alerts: <ul><li>Activities page - Only activities about the specific app<li> Alerts/Behaviors - Only relating to the specific app. In some cases, alert/behavior data related to another app if the data is correlated with the specific app. Visibility to alert data related to another app is limited, and there is no access to drill down for more details<li>Policies - Can view all policies and if assigned full permissions can edit or create only policies that deal exclusively with the app/instance<li>Accounts page - Only accounts for the specific app/instance<li> App permissions - Only permissions for the specific app/instance<li> Files page - Only files from the specific app/instance<li>Conditional access app control - No permissions<li> Cloud discovery activity - No permissions<li> Security extensions - Only permissions for API token with user permissions<li>Governance actions - Only for the specific app/instance<li> Security recommendations for cloud platforms - No permissions<li>IP ranges - No permissions </ul> |
7979
|**User group admin** | Has full or read-only permissions to all of the data in Defender for Cloud Apps that deals exclusively with the specific groups assigned to them. For example, if you assign a user admin permissions to the group "Germany - all users", the admin can view and edit information in Defender for Cloud Apps only for that user group. The User group admin has the following access: <br><br> <ul><li>Activities page - Only activities about the users in the group<li>Alerts - Only alerts relating to the users in the group. In some cases, alert data related to another user if the data is correlated with the users in the group. Visibility to alert data related to another users is limited, and there is no access to drill down for more details.<li>Policies - Can view all policies and if assigned full permissions can edit or create only policies that deal exclusively with users in the group<li>Accounts page - Only accounts for the specific users in the group<li>App permissions – No permissions<li>Files page – No permissions<li> Conditional access app control - No permissions<li> Cloud discovery activity - No permissions<li>Security extensions - Only permissions for API token with users in the group<li> Governance actions - Only for the specific users in the group<li>Security recommendations for cloud platforms - No permissions<li>IP ranges - No permissions </ul> <br><br>**Notes**: <ul><li>To assign groups to user group admins, you must first [import user groups](user-groups.md) from connected apps. <li>You can only assign user group admins permissions to imported Microsoft Entra groups.</ul> |
8080
|**Cloud Discovery global admin** | Has permission to view and edit all cloud discovery settings and data. The Global Discovery admin has the following access: <br><br><ul><li>Settings: System settings - View only; Cloud Discovery settings - View and edit all (anonymization permissions depend on whether it was allowed during role assignment) <li> Cloud discovery activity - full permissions<li>Alerts - view and manage only alerts related to the relevant cloud discovery report<li> Policies - Can view all policies and can edit or create only cloud discovery policies <li> Activities page - No permissions<li>Accounts page - No permissions<li> App permissions – No permissions<li> Files page – No permissions<li> Conditional access app control - No permissions<li> Security extensions - Creating and deleting their own API tokens<li> Governance actions - Only Cloud Discovery related actions<li> Security recommendations for cloud platforms - No permissions<li> IP ranges - No permissions</ul> |
8181
|**Cloud Discovery report admin** | <ul><li> Settings: System settings - View only; Cloud discovery settings - View all (anonymization permissions depend on whether it was allowed during role assignment)<li>Cloud discovery activity - read permissions only<li> Alerts – view only alerts related to the relevant cloud discovery report<li>Policies - Can view all policies and can create only cloud discovery policies, without the possibility to govern application (tagging, sanction and unsanctioned)<li> Activities page - No permissions<li> Accounts page - No permissions<li>App permissions – No permissions<li>Files page – No permissions<li> Conditional access app control - No permissions<li> Security extensions - Creating and deleting their own API tokens<li>Governance actions – view only actions related to the relevant cloud discovery report<li>Security recommendations for cloud platforms - No permissions<li>IP ranges - No permissions |
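Review bot: The updated App/instance admin row changes "Alerts" to "Alerts/Behaviors" but leaves the following sentence as "Visibility to alert data related to another app is limited", so the limited-visibility caveat now covers only alerts; write "alert/behavior data" there as well. "Alerts/Behaviors - Only relating to the specific app" is also missing its noun; suggest "Alerts/Behaviors - Only alerts and behaviors relating to the specific app". Separately, the User group admin row below the hunk still lists only "Alerts": if the new scoping also applies to group-scoped admins, that row needs the same update, and if it does not, the behaviors.md text should say the scoping is per app/instance only.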

CloudAppSecurityDocs/release-notes.md

Lines changed: 11 additions & 0 deletions
@@ -19,6 +19,17 @@ For more information on what's new with other Microsoft Defender security produc
1919

2020
For news about earlier releases, see [Archive of past updates for Microsoft Defender for Cloud Apps](release-note-archive.md).
2121

22+
## March 2025
23+
24+
### RBAC scoping for "Behaviors" (Preview)
25+
26+
Defender for Cloud Apps customers can now configure Role-Based Access Control (RBAC) scoping for 'Behaviors'. This new capability empowers administrators to define and manage access permissions more precisely, ensuring that users have the appropriate level of access to specific application data based on their roles and responsibilities. By leveraging RBAC scoping, organizations can enhance their security posture, streamline operations, and reduce the risk of unauthorized access.
27+
28+
For more information, see:
29+
30+
- [Configure admin access](https://learn.microsoft.com/defender-cloud-apps/manage-admins)
31+
- [Investigate behaviors with advanced hunting (Preview)](https://learn.microsoft.com/defender-cloud-apps/behaviors)
32+
2233
## November 2024
2334

2435
### Internal Session Controls application notice
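Review bot: The new March 2025 entry repeats the feature description from behaviors.md almost verbatim and adds a sentence ("By leveraging RBAC scoping, organizations can enhance their security posture, streamline operations, and reduce the risk of unauthorized access.") that states no concrete behaviour; a release note should say what changed and where, so trim to the first sentence plus the links. The heading says "(Preview)" while the behaviors.md text in this commit does not, so one of the two needs aligning. Both links are absolute `https://learn.microsoft.com/...` URLs while the neighbouring entry uses the relative `release-note-archive.md`; use `manage-admins.md` and `behaviors.md`.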

defender-endpoint/api/isolate-machine.md

Lines changed: 14 additions & 15 deletions
@@ -14,7 +14,7 @@ ms.topic: reference
1414
ms.subservice: reference
1515
ms.custom: api
1616
search.appverid: met150
17-
ms.date: 02/28/2025
17+
ms.date: 03/11/2025
1818
---
1919

2020
# Isolate machine API
@@ -36,7 +36,7 @@ Isolates a device from accessing external network.
3636

3737
## Limitations
3838

39-
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
39+
1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.
4040

4141
[!include[Device actions note](../../includes/machineactionsnote.md)]
4242

@@ -45,8 +45,7 @@ Isolates a device from accessing external network.
4545
> - Full isolation is available for all supported Linux devices. See [Microsoft Defender for Endpoint on Linux](/defender-endpoint/microsoft-defender-endpoint-linux).
4646
> - Selective isolation is available for devices on Windows 10, version 1709 or later, and on Windows 11.
4747
> - When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
48-
> - Calling this API on unmanaged devices triggers the [contain device from the network](../respond-machine-alerts.md#contain-devices-from-the-network) action.
49-
48+
> - Calling this API on unmanaged devices triggers the [contain device from the network](../respond-machine-alerts.md#contain-devices-from-the-network) action. The IsolationType value should be set to 'UnManagedDevice.'
5049
5150
## Permissions
5251

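Review bot: In the reworded bullet the period has landed inside the quotes ("'UnManagedDevice.'"), which makes the literal value look like `UnManagedDevice.`; since this is an enum value the caller must send exactly, format it as code and move the punctuation outside: "The `IsolationType` value must be set to `UnManagedDevice`." The bullet should also say what the API does when `Full` or `Selective` is sent for an unmanaged device (rejected, or treated as contain), because the parameter table below now lists all three values without that rule.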
@@ -59,10 +58,9 @@ Delegated (work or school account)|Machine.Isolate|'Isolate machine'
5958

6059
> [!NOTE]
6160
> When obtaining a token using user credentials:
62-
>
63-
> - The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](../user-roles.md) for more information)
64-
> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](../machine-groups.md) for more information)
65-
>
61+
> - The user needs to have at least the following role permission: 'Active remediation actions.' For more information, see [Create and manage roles](../user-roles.md).
62+
> - The user needs to have access to the device, based on device group settings. See [Create and manage device groups](../machine-groups.md) for more information.
63+
>
6664
> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
6765
6866
## HTTP request
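Review bot: The rewritten first bullet puts the sentence period inside the quoted role name ("'Active remediation actions.'"); the role name is a literal that readers will search for in the portal, so keep the punctuation outside: "'Active remediation actions'. For more information, see [Create and manage roles](../user-roles.md)." The second bullet is fine as changed.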
@@ -82,15 +80,16 @@ Content-Type|string|application/json. **Required**.
8280

8381
In the request body, supply a JSON object with the following parameters:
8482

85-
Parameter|Type|Description
86-
:---|:---|:---
87-
Comment|String|Comment to associate with the action. **Required**.
88-
IsolationType|String|Type of the isolation. Allowed values are: 'Full' or 'Selective'.
83+
|Parameter|Type|Description|
84+
|:---|:---|:---|
85+
|Comment|String|Comment to associate with the action. **Required**.|
86+
|IsolationType|String|Type of the isolation. Allowed values are: **Full**, **Selective**, or **UnManagedDevice**.|
8987

9088
**IsolationType** controls the type of isolation to perform and can be one of the following:
9189

92-
- Full: Full isolation
93-
- Selective: Restrict only limited set of applications from accessing the network (see [Isolate devices from the network](../respond-machine-alerts.md#isolate-devices-from-the-network) for more details)
90+
- Full: Full isolation. Works for managed devices.
91+
- Selective: Restrict only limited set of applications from accessing the network on managed devices. For more information, see [Isolate devices from the network](../respond-machine-alerts.md#isolate-devices-from-the-network).
92+
- UnManagedDevice: The isolation targets unmanaged devices only.
9493

9594
## Response
9695

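Review bot: The rebuilt table marks only `Comment` as **Required** and says nothing about whether `IsolationType` is required or what is used when it is omitted; since the Limitations section now says unmanaged devices need `UnManagedDevice`, state the requiredness and default in the table. The new list item "UnManagedDevice: The isolation targets unmanaged devices only." also does not say what is performed; suggest tying it to the contain action the Limitations bullet already names: "UnManagedDevice: Triggers the [contain device from the network](../respond-machine-alerts.md#contain-devices-from-the-network) action on unmanaged devices." While the Selective bullet is being touched, "Restrict only limited set of applications" is missing an article: "Restrict only a limited set of applications".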
@@ -100,7 +99,7 @@ If successful, this method returns 201 - Created response code and [Machine Acti
10099

101100
### Request
102101

103-
Here is an example of the request.
102+
Here's an example of the request.
104103

105104
```http
106105
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate

defender-endpoint/linux-whatsnew.md

Lines changed: 30 additions & 10 deletions
@@ -2,11 +2,11 @@
22
title: What's new in Microsoft Defender for Endpoint on Linux
33
description: List of major changes for Microsoft Defender for Endpoint on Linux.
44
ms.service: defender-endpoint
5-
ms.author: deniseb
6-
author: denisebmsft
5+
ms.author: ewalsh
6+
author: emmwalshh
77
ms.reviewer: kumasumit, gopkr
88
ms.localizationpriority: medium
9-
ms.date: 02/20/2025
9+
ms.date: 03/11/2025
1010
manager: deniseb
1111
audience: ITPro
1212
ms.collection:
@@ -43,6 +43,26 @@ This article is updated frequently to let you know what's new in the latest rele
4343
4444
## Releases for Defender for Endpoint on Linux
4545

46+
### Mar-2025 Build: 101.25012.0000 | Release version: 30.125012.0000.0
47+
48+
| Build: | **101.25012.0000** |
49+
| -------- | -------- |
50+
|Released:|March 11, 2025|
51+
|Released:| **March 11, 2025**|
52+
| Released: |**March 11, 2025** |
53+
| Published: | **March 11, 2025** |
54+
| Release version: | **30.125012.0000.0** |
55+
| Engine version: | **1.1.24090.13** |
56+
| Signature version: | **1.421.226.0** |
57+
58+
What's new
59+
60+
- The MDATP package rollout into production will be done gradually. From the time the release notes are published, it might take up to a week for the package to be pushed to all production machines.
61+
62+
- The vulnerability in curl, CVE-2024-7264, has been addressed.
63+
64+
- Other stability improvements and bug fixes.
65+
4666
### Feb-2025 Build: 101.24122.0008 | Release version: 30.124112.0008.0
4767

4868
| Build: | **101.24122.0008** |
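Review bot: The new release table carries four rows for the same date: "|Released:|March 11, 2025|", "|Released:| **March 11, 2025**|", "| Released: |**March 11, 2025** |" and "| Published: | **March 11, 2025** |"; the Feb-2025 table below uses a single `| Released: | **...** |` row, so keep one and drop the other three. The first "What's new" bullet (rollout may take up to a week) restates the standing note already made in the Feb-2025 section ("Beginning with 2411, the MDATP package release to Production ... follows a gradual rollout mechanism which spans over a week"); keep it in one place. The CVE-2024-7264 bullet would be more useful to readers if it named the curl version shipped with this build, if that is known.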
@@ -96,10 +116,10 @@ What's new
96116
- Enabled: When eBPF is enabled as working as expected.
97117
- Disabled: When eBPF is disabled due to one of the following reasons:
98118
- When MDE is using auditD as a supplementary sensor
99-
- When eBPF is not present and we fallback to Netlink as supplementary event provider
100-
- There is no supplementary sensor present.
119+
- When eBPF isn't present and we fallback to Netlink as supplementary event provider
120+
- There's no supplementary sensor present.
101121

102-
- Beginning with 2411, the MDATP package release to Production on `packages.microsoft.com` follows a gradual rollout mechanism which spans over a week. The other release rings, insiderFast and insiderSlow, are unaffected by this change.
122+
- Beginning with 2411, the MDATP package release to Production on `packages.microsoft.com` follows a gradual rollout mechanism which spans over a week. The other release rings, insiderFast, and insiderSlow, are unaffected by this change.
103123

104124
- Stability and performance improvements.
105125

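Review bot: The comma added in "The other release rings, insiderFast, and insiderSlow, are unaffected" is wrong with a two-item appositive; revert to "insiderFast and insiderSlow". In the eBPF bullets being rewritten, "we fallback to Netlink" should be "we fall back to Netlink" (verb, two words), and the unchanged context line "Enabled: When eBPF is enabled as working as expected" looks like a typo for "and working as expected" that could be fixed in the same pass.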
@@ -211,7 +231,7 @@ There are multiple fixes and new changes in this release.
211231

212232
There are multiple fixes and new changes in this release.
213233

214-
- This release fixes a bug related to high memory usage eventually leading to high CPU due to eBPF memory leak in kernel space resulting in servers going into unusable states. This only impacted the kernel versions 3.10x and <= 4.16x, majorly on RHEL/CentOS distros. Update to the latest MDE version to avoid any impact.
234+
- This release fixes a bug related to high memory usage eventually leading to high CPU due to eBPF memory leak in kernel space resulting in servers going into unusable states. This only affected the kernel versions 3.10x and <= 4.16x, majorly on RHEL/CentOS distros. Update to the latest MDE version to avoid any impact.
215235

216236
- We have now simplified the output of `mdatp health --detail features`
217237

@@ -1040,7 +1060,7 @@ sudo systemctl disable mdatp
10401060

10411061
#### Known issues
10421062

1043-
- While upgrading mdatp to version `101.94.13`, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Take a backup of following file: `/etc/audit/rules.d/audit.rules` as these steps are only to identify failures.
1063+
- While upgrading mdatp to version `101.94.13`, you might notice that health is false, with health_issues as "no active supplementary event provider. This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Take a backup of following file: `/etc/audit/rules.d/audit.rules` as these steps are only to identify failures.
10441064

10451065
```bash
10461066
echo -c >> /etc/audit/rules.d/audit.rules
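Review bot: This change drops the closing quotation mark: `health_issues as "no active supplementary event provider. This can happen` now has an unterminated quote, so the rest of the paragraph reads as part of the health message. Restore `"no active supplementary event provider".` as it was. Also "Take a backup of following file" wants "the following file", and since the bullet is a remediation step readers will copy, keep the path `/etc/audit/rules.d/audit.rules` in backticks as it is.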
@@ -1333,7 +1353,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
13331353

13341354
##### What's new
13351355

1336-
- Added a capability to detect vulnerable log4j jars in use by Java applications. The machine is periodically inspected for running Java processes with loaded log4j jars. The information is reported to the Microsoft Defender for Endpoint backend and is exposed in the Vulnerability Management area of the portal.
1356+
- Added a capability to detect vulnerable Log4j jars in use by Java applications. The machine is periodically inspected for running Java processes with loaded Log4j jars. The information is reported to the Microsoft Defender for Endpoint backend and is exposed in the Vulnerability Management area of the portal.
13371357

13381358
#### Build: 101.47.76 | Release version: 30.121092.14776.0
13391359

@@ -1343,7 +1363,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
13431363

13441364
##### What's new
13451365

1346-
- Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives --value [enabled/disabled]. By default, this setting is set to enabled.
1366+
- Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives--value [enabled/disabled]. By default, this setting is set to enabled.
13471367

13481368
- Bug fixes
13491369

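Review bot: The change removed the space between the subcommand and its flag: `mdatp config scan-archives--value [enabled/disabled]` no longer parses as a valid command line. Restore `mdatp config scan-archives --value [enabled/disabled]` and wrap the command in backticks so a later copy-edit does not collapse it again.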