Merge branch 'main' into docs-editor/microsoft-defender-endpoint-an-1738152940

Author: emmwalshh

CloudAppSecurityDocs/discovery-docker-ubuntu-azure.md

@@ -46,7 +46,7 @@ If you require more than 10 data sources, we recommend that you split the data s
         To work with a network appliance that isn't listed, select **Other > Customer log format** or **Other (manual only)**. For more information, see [Working with the custom log parser](custom-log-parser.md).
 
     >[!NOTE]
-    >Integrating with secure transfer protocols (FTPS and Syslog – TLS) often requires additional settings or your firewall/proxy.
+    >Integrating with secure transfer protocols (FTPS and Syslog – TLS) often requires additional settings on your firewall/proxy. For more information, see [Advanced log collector management](log-collector-advanced-management.md).
 
 Repeat this process for each firewall and proxy whose logs can be used to detect traffic on your network.
 

CloudAppSecurityDocs/index.yml

@@ -48,6 +48,8 @@ landingContent:
         links:
           - text: Basic setup
             url: general-setup.md
+          - text: Connect cloud apps
+            url: enable-instant-visibility-protection-and-governance-actions-for-your-apps.md
           - text: View and manage security posture
             url: security-saas.md
       - linkListType: concept
@@ -70,8 +72,6 @@ landingContent:
         links:
           - text: Calculate risk scores
             url: risk-score.md
-          - text: Connect cloud apps
-            url: enable-instant-visibility-protection-and-governance-actions-for-your-apps.md
           - text: Collect logs
             url: discovery-docker.md
           - text: Discover and manage shadow IT
@@ -137,4 +137,4 @@ landingContent:
           - text: Monitor and respond to unusual data usage
             url: app-governance-monitor-apps-unusual-data-usage.md
           - text: Secure apps with app hygiene
-            url: app-governance-secure-apps-app-hygiene-features.md
+            url: app-governance-secure-apps-app-hygiene-features.md

CloudAppSecurityDocs/log-collector-advanced-management.md

@@ -50,9 +50,9 @@ You should be able to view the following contents:
 - `ssl_update`
 - `config.json`
 
-### Customize certificate files
+### Add certificate files
 
-This procedure describes how to customize the certificate files used for secure connections to the cloud discovery Docker instance.
+This procedure describes how to add the required certificate files used for secure connections to the cloud discovery Docker instance.
 
 1. Open an FTP client and connect to the log collector host.
 
@@ -63,7 +63,7 @@ This procedure describes how to customize the certificate files used for secure
     | **FTP** |- **pure-ftpd.pem**: Includes the key and certificate data |
     | **Syslog** |- **ca.pem**: The certificate authority's certificate that was used to sign the client’s certificate. <br>- **server-key.pem** and **server-cert.pem**: The log collector's certificate and key <br><br>Syslog messages are sent over TLS to the log collector, which requires mutual TLS authentication, including authenticating both the client and server certificates. |
 
-    Filenames are mandatory. If any of the files are missing, the update fails.
+Files are mandatory. If any of the files for the receiver type are missing, the update fails.
 
 1. In a terminal window, run:
 
@@ -161,7 +161,7 @@ docker cp Proxy-CA.crt Ubuntu-LogCollector:/var/adallom/ftp/discovery
 
 To secure the docker image and ensure that only one IP address is allowed to send the syslog messages to the log collector, create an IP table rule on the host machine to allow input traffic and drop the traffic coming over specific ports, such as TCP/601 or UDP/514, depending on the deployment.
 
-The following command shows an example of how to create an IP table rule that can be added to the host machine. This table rule allows the IP address `1.2.3.4`` to connect to the log collector container over TCP port 601, and drop all other connections coming from other IP addresses over the same port.
+The following command shows an example of how to create an IP table rule that can be added to the host machine. This table rule allows the IP address `1.2.3.4` to connect to the log collector container over TCP port 601, and drop all other connections coming from other IP addresses over the same port.
 
 ```bash
 iptables -I DOCKER-USER \! --src 1.2.3.4 -m tcp -p tcp --dport 601 -j DROP
@@ -171,7 +171,7 @@ iptables -I DOCKER-USER \! --src 1.2.3.4 -m tcp -p tcp --dport 601 -j DROP
 
 The container is now ready.
 
-Run the **collector_config** command using the API token that you used during the creation of your log collector. For example:
+Run the `collector_config` command using the API token that you used during the creation of your log collector. For example:
 
 :::image type="content" source="media/log-collector-advanced-tasks/docker-3.png" alt-text="Screenshot of the Create log collector dialog." border="false":::
 
@@ -520,7 +520,7 @@ Compare the output file (`/tmp/log.log`) to the messages stored in the `/var/ada
 When updating your log collector:
 
 - **Before installing the new version**, make sure to stop your log collector and remove the current image.
-- **After installing the new version**, [update your certificate files](#customize-certificate-files).
+- **After installing the new version**, [update your certificate files](#add-certificate-files).
 
 ## Next steps
 

defender-endpoint/linux-support-offline-security-intelligence-update.md

@@ -15,7 +15,7 @@ ms.collection:
 - mde-linux
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 12/16/2024
+ms.date: 01/30/2025
 ---
 
 # Configure offline security intelligence update for Microsoft Defender for Endpoint on Linux 
@@ -187,7 +187,7 @@ Use the following sample `mdatp_managed.json` and update the parameters as per t
   },
   "antivirusEngine": {
     "offlineDefinitionUpdateUrl": "http://172.22.199.67:8000/linux/production/",
-    "offlineDefintionUpdateFallbackToCloud":false,
+    "offlineDefinitionUpdateFallbackToCloud":false,
     "offlineDefinitionUpdate": "enabled"
   },
   "features": {

defender-endpoint/mac-whatsnew.md

@@ -2,9 +2,8 @@
 title: What's new in Microsoft Defender for Endpoint on Mac
 description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on Mac.
 ms.service: defender-endpoint
-author: emmwalshh
-ms.author: ewalsh
-ms.reviewer: joshbregman
+author: deniseb
+ms.author: deniseb
 manager: deniseb
 ms.localizationpriority: medium
 ms.date: 01/24/2025
@@ -16,6 +15,7 @@ ms.collection:
 ms.topic: reference
 ms.subservice: macos
 search.appverid: met150
+ms.reviewer: mavel
 ---
 
 # What's new in Microsoft Defender for Endpoint on Mac
@@ -64,18 +64,32 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md).
 
+### Jan-2025 (Build: 101.24122.0005  | Release version: 20.124122.5.0)
+
+| Build:             | **101.24122.0005**    |
+|--------------------|-----------------------|
+| Release version:   | **20.124122.4.0**     |
+| Engine version:    | **1.1.24080.11**      |
+| Signature version: | **1.419.351.0**       |
+
+##### What's new
+
+- Removed support of macOS 12, the minimal requirement is now macOS 13.0 or later
+- Fix: Defender quarantines a file even if it is marked as immutable
+- `mdatp health` can return [`out_of_date`](device-health-microsoft-defender-antivirus-health.md#up-to-date-definitions) status for `definitions_status`
+- Bug and performance fixes
+
 ### Dec-2024 (Build: 101.24102.0018  | Release version: 20.124102.18.0)
 
-| Build:             | **101.24102.0018**         |
+| Build:             | **101.24102.0018**    |
 |--------------------|-----------------------|
-| Release version:   | **20.124102.18.0** |
-| Engine version:    | **1.1.24080.10**       |
-| Signature version: | **1.419.298.0**      |
+| Release version:   | **20.124102.18.0**    |
+| Engine version:    | **1.1.24080.10**      |
+| Signature version: | **1.419.298.0**       |
 
 ##### What's new
 
 - **Improved User/Group Permission Handling** - Added reporting in `mdatp-health` for user/group permission issues for Defender files. On restart Defender attempts to cure these issues.
-
 - Bug and performance fixes.
 
 

defender-office-365/anti-malware-policies-configure.md

@@ -17,7 +17,7 @@ ms.collection:
 description: Admins can learn how to view, create, modify, and remove anti-malware policies in Exchange Online Protection (EOP).
 ms.custom: 
 ms.service: defender-office-365
-ms.date: 01/06/2025
+ms.date: 01/29/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -81,6 +81,9 @@ You can configure anti-malware policies in the Microsoft Defender portal or in P
      - The specified Microsoft 365 Groups.
    - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).
 
+     > [!TIP]
+     > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com.
+
    Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
 
    For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values.

defender-office-365/anti-phishing-policies-eop-configure.md

@@ -16,7 +16,7 @@ ms.custom:
 description: Admins can learn how to create, modify, and delete the anti-phishing policies that are available in Exchange Online Protection (EOP) organizations with or without Exchange Online mailboxes.
 ms.service: defender-office-365
 search.appverid: met150
-ms.date: 01/06/2025
+ms.date: 01/29/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
 ---
@@ -78,6 +78,9 @@ For anti-phishing policy procedures in organizations with Microsoft Defender for
      - The specified Microsoft 365 Groups.
    - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).
 
+     > [!TIP]
+     > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com.
+
    Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
 
    For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values.

defender-office-365/anti-phishing-policies-mdo-configure.md

@@ -16,7 +16,7 @@ ms.custom:
 description: Admins can learn how to create, modify, and delete the advanced anti-phishing policies that are available in organizations with Microsoft Defender for Office 365.
 ms.service: defender-office-365
 search.appverid: met150
-ms.date: 4/8/2024
+ms.date: 01/29/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
   - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
@@ -84,6 +84,9 @@ For anti-phishing policy procedures in organizations without Defender for Office
      - The specified Microsoft 365 Groups.
    - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).
 
+     > [!TIP]
+     > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com.
+
    Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
 
    For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values.

defender-office-365/anti-spam-policies-configure.md

@@ -16,7 +16,7 @@ ms.collection:
 ms.custom:
 description: Admins can learn how to view, create, modify, and delete anti-spam policies in Exchange Online Protection (EOP).
 ms.service: defender-office-365
-ms.date: 01/06/2025
+ms.date: 01/29/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -86,6 +86,9 @@ You can configure anti-spam policies in the Microsoft Defender portal or in Powe
      - The specified Microsoft 365 Groups.
    - **Domains**: All recipients in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).
 
+     > [!TIP]
+     > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com.
+
    Click in the appropriate box, start typing a value, and then select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
 
    For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values.

defender-office-365/outbound-spam-policies-configure.md

@@ -18,7 +18,7 @@ ms.custom:
   - seo-marvel-apr2020
 description: Admins can learn how to view, create, modify, and delete outbound spam policies in Exchange Online Protection (EOP).
 ms.service: defender-office-365
-ms.date: 08/01/2024
+ms.date: 01/29/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -78,6 +78,9 @@ You can configure outbound spam policies in the Microsoft Defender portal or in
      - The specified Microsoft 365 Groups.
    - **Domains**: All senders in the organization with a primary email address in the specified [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).
 
+     > [!TIP]
+     > Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com.
+
    Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.
 
    For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values.