Merge pull request #2320 from MicrosoftDocs/main

Publish main to live, 01/06/25, 10:30 AM PT

Author: Ruchika-mittal01

CloudAppSecurityDocs/cas-compliance-trust.md

@@ -31,7 +31,7 @@ Defender for Cloud Apps operates in the Microsoft Azure data centers in the foll
 |**Customers whose tenants are provisioned in the European Union or the United Kingdom**     |    Either the European Union and/or the United Kingdom      |
 |**Customers whose tenants are provisioned in any other region**     |     The United States and/or a data center in the region that's nearest to the location of where the customer's Microsoft Entra tenant has been provisioned    |
 
-In addition to the locations above, the App Governance features within Defender for Cloud Apps operate in the Microsoft Azure data centers in the following geographical regions: 
+In addition to the locations above, the App Governance features within Defender for Cloud Apps operate in the Microsoft Azure data centers in the following geographical regions listed below. Customer with App Governance enabled will have data stored within the data storage location the customer provisions in above, and in a second data storage location as described below: 
 
 |Customer provisioning location  |Data storage location  |
 |---------|---------|
@@ -65,7 +65,7 @@ Defender for Cloud Apps shares data, including customer data, among the followin
 - Microsoft Defender for Cloud
 - Microsoft Sentinel
 - Microsoft Defender for Endpoint
-- Microsoft Security Exposure Management (Preview)
+- Microsoft Security Exposure Management
 - Microsoft Purview
 - Microsoft Entra ID Protection
 

defender-endpoint/android-whatsnew.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: reference
 ms.subservice: android
 search.appverid: met150
-ms.date: 01/03/2025
+ms.date: 01/06/2025
 ---
 
 # What's new in Microsoft Defender for Endpoint on Android
@@ -40,7 +40,7 @@ Recommendation cards prominently display any active alerts, ensuring you stay in
 
 The following screenshot is an example of what the user sees in their dashboard:
 
-:::image type="content" source="media/android-whatsnew/android-dashboard-screen.png" alt-text="Screenshot showing what the user sees on the device.":::
+:::image type="content" source="media/android-whatsnew/android-dashboard-screen.png" alt-text="Screenshot showing the user's dashboard in the Microsoft Defender app.":::
 
 **Recommendation cards for alerts**
 
@@ -59,10 +59,10 @@ The current enterprise dashboard experience now features a tile view for your se
 
 | Tile | Description |
 |---|---|
-| :::image type="content" source="media/android-whatsnew/android-tile-networkprotection.png" alt-text="Screenshot showing the network protection tile for security administrators."::: | **Network protection** <br/>Your security team can see whether a connection is secured or unsecured. |
-| :::image type="content" source="media/android-whatsnew/android-tile-webprotection.png" alt-text="Screenshot of a tile that shows whether web protection is enabled on a device."::: | **Web protection** <br/>Your security team can see whether web protection is enabled on a user's device. |
-| :::image type="content" source="media/android-whatsnew/android-tile-appsecurity.png" alt-text="Screenshot showing the app security tile."::: | **App security** <br/>Your security team can see whether any threats were found in apps installed on a user's device. |
-| :::image type="content" source="media/android-whatsnew/android-tile-globalsecureaccess.png" alt-text="Screenshot showing Global Secure Access status."::: | **Global secure access** <br/>Your security team can see current connection status. |
+| :::image type="content" source="media/android-whatsnew/android-tile-networkprotection.png" alt-text="Screenshot showing the network protection tile for security administrators."::: | **Network protection** <br/>The user can see whether a connection is secured or unsecured. |
+| :::image type="content" source="media/android-whatsnew/android-tile-webprotection.png" alt-text="Screenshot of a tile that shows whether web protection is enabled on a device."::: | **Web protection** <br/>The user can see whether web protection is enabled on a user's device. |
+| :::image type="content" source="media/android-whatsnew/android-tile-appsecurity.png" alt-text="Screenshot showing the app security tile."::: | **App security** <br/>The user can see whether any threats were found in apps installed on a user's device. |
+| :::image type="content" source="media/android-whatsnew/android-tile-globalsecureaccess.png" alt-text="Screenshot showing Global Secure Access status."::: | **Global secure access** <br/>The user can see current connection status. |
 
 ## Android low-touch onboarding is now GA
 
@@ -125,7 +125,7 @@ Read the announcement [Tech Community Blog: Defender for Endpoint is now availab
 
 ## Privacy controls
 
-Microsoft Defender for Endpoint on Android enables privacy controls for both administrators and end users, and includes controls for enrolled (MDM) and unenrolled (MAM) devices. Administrators can configure the privacy in the alert report while End Users can configure the information shared to their organization. For more information, see [privacy controls(MDM)](android-configure.md#privacy-controls) and [privacy controls (MAM)](android-configure-mam.md#configure-privacy-controls).
+Microsoft Defender for Endpoint on Android enables privacy controls for both administrators and end users, and includes controls for enrolled (MDM) and unenrolled (MAM) devices. Administrators can configure the privacy in the alert report while End Users can configure the information shared to their organization. For more information, see [privacy controls (MDM)](android-configure.md#privacy-controls) and [privacy controls (MAM)](android-configure-mam.md#configure-privacy-controls).
 
 ## Optional permissions and the ability to disable web protection
 

defender-endpoint/api/get-assessment-secure-config.md

@@ -15,7 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 06/04/2021
+ms.date: 01/06/2025
 ---
 
 # Export secure configuration assessment per device
@@ -245,18 +245,18 @@ GET /api/machines/SecureConfigurationsAssessmentExport
 ### 2.5 Properties
 
 > [!NOTE]
->
-> - The files are gzip compressed & in multiline Json format.
-> - The download URLs are only valid for 3 hours; otherwise you can use the parameter.
+> - The files are GZIP compressed & in multiline JSON format.
+> - The download URLs are only valid for 1 hour; otherwise you can use the parameter.
 > - For maximum download speed of your data, you can make sure you are downloading from the same Azure region in which your data resides.
 
+
 <br>
 
 ****
 
 Property (ID)|Data type|Description|Example of a returned value
 ---|---|---|---
-Export files|array\[string\]|A list of download URLs for files holding the current snapshot of the organization|["Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"]
+Export files|array[string]|A list of download URLs for files holding the current snapshot of the organization|["Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"]
 GeneratedTime|string|The time that the export was generated.|2021-05-20T08:00:00Z
 |
 

defender-endpoint/view-incidents-queue.md

@@ -15,14 +15,15 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 06/05/2024
+ms.date: 01/06/2025
 ---
 
 # View and organize the Microsoft Defender for Endpoint Incidents queue
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
 **Applies to:**
+
 - [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender XDR](/defender-xdr)
@@ -31,12 +32,13 @@ ms.date: 06/05/2024
 
 The **Incidents queue** shows a collection of incidents that were flagged from devices in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
 
-By default, the queue displays incidents seen in the last 6 months, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
+By default, the queue displays incidents seen in the last six months, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
 
 There are several options you can choose from to customize the Incidents queue view. 
 
 On the top navigation you can:
-- Customize columns to add or remove columns 
+
+- Customize columns to add or remove columns
 - Modify the number of items to view per page
 - Select the items to show per page
 - Batch-select the incidents to assign 
@@ -46,7 +48,11 @@ On the top navigation you can:
 
 :::image type="content" source="media/atp-incident-queue.png" alt-text="The Incidents queue" lightbox="media/atp-incident-queue.png":::
 
+> [!TIP]
+> **Defender Boxed**, a series of cards showcasing your organization's security successes, improvements, and response actions in the past six months/year, appears for a limited time during January and July of each year. Learn how you can share your [Defender Boxed](/defender-xdr/incident-queue#defender-boxed) highlights.
+
 ## Sort and filter the incidents queue
+
 You can apply the following filters to limit the list of incidents and get a more focused view.
 
 ### Severity
@@ -55,32 +61,36 @@ Incident severity | Description
 :---|:---
 High </br>(Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on devices.
 Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
-Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
+Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that don't necessarily indicate an advanced threat targeting the organization.
 Informational </br>(Grey) | Informational incidents might not be considered harmful to the network but might be good to keep track of.
 
 ## Assigned to
+
 You can choose to filter the list by selecting assigned to anyone or ones that are assigned to you.
 
 ### Category
+
 Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context.
 
 ### Status
+
 You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved.
 
 ### Data sensitivity
+
 Use this filter to show incidents that contain sensitivity labels.
 
 ## Incident naming
 
-To understand the incident's scope at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories.
+To understand the incident's scope at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories.
 
 For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
 
 > [!NOTE]
-> Incidents that existed prior the rollout of automatic incident naming will retain their name.
-
+> Incidents that existed prior to the rollout of automatic incident naming retains their original name.
 
 ## See also
+
 - [Incidents queue](view-incidents-queue.md)
 - [Manage incidents](manage-incidents.md)
 - [Investigate incidents](investigate-incidents.md)

defender-for-iot/media/set-up-rbac/permissions-mde-rbac2-add-role.png

@@ -28,49 +28,78 @@ To make general changes to RBAC roles and permissions that relate to all other a
 
 ## Access management options
 
-There are two ways to manage user access to the Defender portal, depending on the type of tenent you're using. Each system has different named permissions that allow access for site security. The two systems are:
+There are three ways to manage user access to the Defender portal, depending on the type of tenent you're using. Each system has different named permissions that allow access for site security. The systems are:
 
 - [Global Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference).
-- [Microsoft Defender XDR Unified RBAC](/defender-xdr/custom-roles): Use Defender XDR Unified role-based access control (RBAC) to manage access to specific data, tasks, and capabilities in the Defender portal.
+- [Microsoft Defender XDR Unified RBAC](/defender-xdr/manage-rbac): Use Defender XDR Unified role-based access control (RBAC) to manage access to specific data, tasks, and capabilities in the Defender portal.
+- [Microsoft Defender for Endpoint XDR RBAC](/defender-endpoint/user-roles): Use Defender for Endpoint XDR role-based access control (RBAC) to manage access to specific data, tasks, and capabilities in the Defender portal.
 
-The instructions and permission settings listed in this article apply to Defender XDR Unified RBAC.
-
-### RBAC for version 1 or 2
-
-Depending on your tenant, you might have access to RBAC version 1 or 2 instead of Defender XDR Unified RBAC. For more information, see [permissions for RBAC version 1](/defender-endpoint/prepare-deployment), or [permissions for RBAC version 2](/defender-endpoint/user-roles#permission-options).
-
-If you're using the Defender portal for the first time, you need to set up all of your roles and permissions. For more information, see [manage portal access using role-based access control](/defender-xdr/manage-rbac).
+The instructions and permission settings listed in this article apply to both Defender XDR Unified and Microsoft Defender for Endpoint XDR RBAC.
 
 ## Set up Defender XDR Unified RBAC roles for site security
 
-Assign RBAC permissions and roles, based on the [summary table](#summary-of-roles-and-permissions-for-site-security), to give users access to site security features:
+Assign RBAC permissions and roles, based on the [summary table](#summary-of-rbac-roles-and-permissions-for-site-security), to give users access to site security features:
 
-1. In the Defender portal, select **Settings** \> **Microsoft XDR** \> **Permissions and roles**.
+1. In the Defender portal, select **Settings** \> **Microsoft Defender XDR** \> **Permissions and roles**.
 1. Enable **Endpoints & Vulnerability Management**.
 1. Select **Go to Permissions and roles**.
 1. Select **Create custom role**.
 1. Type a **Role name**, and then select **Next** for Permissions.
 
     :::image type="content" source="media/set-up-rbac/permissions-set-up.png" alt-text="Screenshot of the permissions set up page for site security." lightbox="media/set-up-rbac/permissions-set-up.png":::
 
-1. Select **Security operations**, and select **Select custom permissions**.
-1. In **Security settings**, select **Security data basics** and select **Apply**
-1. Select **Authorization and settings**, select **Select custom permissions**.
-1. In **Security data** ,select **Core security settings (manage)** and select **Apply**
+1. For read permissions, select **Security operations**, and select **Select custom permissions**.
+1. In **Security data**, select **Security data basics(read)** and select **Apply**.
+
+    :::image type="content" source="media/set-up-rbac/permissions-unified-read-options.png" alt-text="Screenshot of the permissions set up page with the specific read permissions chosen for site security." lightbox="media/set-up-rbac/permissions-unified-read-options.png":::
+
+1. For write permissions, in **Authorization and settings**, select **Select custom permissions**.
+1. In **Security data**, select **Core security settings (manage)** and select **Apply**.
 
-    :::image type="content" source="media/set-up-rbac/permissions-choose-options.png" alt-text="Screenshot of the permissions set up page with the specific permissions chosen for site security." lightbox="media/set-up-rbac/permissions-choose-options.png":::
+    :::image type="content" source="media/set-up-rbac/permissions-choose-options.png" alt-text="Screenshot of the permissions set up page with the specific write permissions chosen for site security." lightbox="media/set-up-rbac/permissions-choose-options.png":::
 
 1. Select **Next** for Assignments.
 1. Select **Add assignment**, type a name, choose users and groups and select the Data sources.
 1. Select **Add**.
 1. Select **Next** to **Review and finish**.
 1. Select **Submit**.
 
-### Summary of roles and permissions for site security
+## Set up Microsoft Defender for Endpoint XDR RBAC (Version 2) roles for site security
+
+Assign RBAC permissions and roles, based on the [summary table](#summary-of-rbac-roles-and-permissions-for-site-security), to give users access to site security features:
+
+1. In the Defender portal, select **Settings** \> **Endpoints** \> **Roles**.
+1. Select **Add role**.
+1. Type a **Role name**, and a **Description**.
+1. Select **Next** for Permissions.
+
+    :::image type="content" source="media/set-up-rbac/permissions-mde-rbac2-add-role.png" alt-text="Screenshot of the Microsoft Defender for Endpoint XDR RBAC (version2) permissions set up page for site security." lightbox="media/set-up-rbac/permissions-mde-rbac2-add-role.png":::
+
+1. For read permissions, in **View Data**, select **Security Operations**.
+
+    :::image type="content" source="media/set-up-rbac/permissions-mde-rbac2-read-options.png" alt-text="Screenshot of the Microsoft Defender for Endpoint XDR RBAC (version2) permissions set up page with the specific read permissions chosen for site security." lightbox="media/set-up-rbac/permissions-mde-rbac2-read-options.png":::
+
+1. For write permissions, select **Manage security settings in Security Center**.
+
+    :::image type="content" source="media/set-up-rbac/permissions-mde-rbac2-write-options.png" alt-text="Screenshot of the Microsoft Defender for Endpoint XDR RBAC (version2) permissions set up page with the specific read and write permissions chosen for site security." lightbox="media/set-up-rbac/permissions-mde-rbac2-write-options.png":::
+
+1. Select **Next**.
+1. In **Assigned user groups**, select the user groups from the list to assign to this role.
+1. Select **Submit**.
+
+### Summary of RBAC roles and permissions for site security
+
+**For Unified RBAC**:
+
+|Write permissions |Read permissions |
+|----|----|
+| **Defender permissions**: Core security settings (manage) under Authorization and Settings and scoped to all device groups. <br>**Entra ID roles**: Global Administrator, Security Administrator, Security Operator and scoped to all device groups.| Write roles (including roles that are non-scoped to all device groups). <br> **Defender permissions**: Security data basics (under Security Operations).<br>**Entra ID roles**: Global Reader, Security Reader.|
+
+**For Microsoft Defender for Endpoint XDR RBAC (version 2)**:
 
 |Write permissions |Read permissions |
 |----|----|
-| **Defender Permissions**: Core security settings scoped to all device groups. <br>**Entra ID roles**: Global Administrator, Security Administrator, Security Operator scoped to all device groups.| Write roles (including roles that aren't scoped to all device groups). <br> **Defender Permissions**: Security data basics (under Security Operations).<br>**Entra ID roles**: Global Reader, Security Reader.|
+| **Defender for Endpoint roles**: Manage security settings in Security Center and scoped to all device groups.<br>**Entra ID roles**: Global Administrator, Security Administrator.| Write roles (including roles that are non-scoped to all device groups). <br> **Defender for Endpoint roles**: View data - Security operations (read). <br>**Entra ID roles**: Global Reader, Security Reader.|
 
 ## Next steps