Merge pull request #1587 from MicrosoftDocs/main

Publish main to live, Monday 10:30AM PDT, 10/14

Author: Stacyrch140

defender-endpoint/linux-exclusions.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/11/2024
+ms.date: 10/14/2024
 ---
 
 # Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
@@ -32,7 +32,7 @@ ms.date: 10/11/2024
 This article provides information on how to define antivirus and global exclusions for Microsoft Defender for Endpoint. Antivirus exclusions apply to on-demand scans, real-time protection (RTP), and behavior monitoring (BM). Global exclusions apply to real-time protection (RTP), behavior monitoring (BM), and endpoint detection and response (EDR), thus stopping all the associated antivirus detections, EDR alerts, and visibility for the excluded item.
 
 > [!IMPORTANT]
-> The antivirus exclusions described in this article apply to only antivirus capabilities and not endpoint detection and response (EDR). Files that you exclude using the antivirus exclusions described in this article can still trigger EDR alerts and other detections. Whereas the global exclusions described in this section apply to antivirus as well as endpoint detection and response capabilities thus stopping all associated AV protection, EDR alerts and detection. Global exclusions are available from Defender for Endpoint version `101.23092.0012` or later till Insider Slow Ring.  For EDR exclusions, [contact support](/microsoft-365/admin/get-help-support).
+> The antivirus exclusions described in this article apply to only antivirus capabilities and not to endpoint detection and response (EDR). Files that you exclude using the antivirus exclusions described in this article can still trigger EDR alerts and other detections. Global exclusions described in this section apply to antivirus **and** endpoint detection and response capabilities, thus stopping all associated antivirus protection, EDR alerts, and detections. Global exclusions are currently in public preview, and are available in Defender for Endpoint version `101.23092.0012` or later, in the Insiders Slow and Production rings. For EDR exclusions, [contact support](/microsoft-365/admin/get-help-support).
 
 You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint on Linux.
 

defender-endpoint/linux-preferences.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 10/11/2024
+ms.date: 10/14/2024
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -220,7 +220,7 @@ Specifies the behavior of RTP on mount point marked as noexec. There are two val
 
 - Unmuted (`unmute`): The default value, all mount points are scanned as part of RTP.
 - Muted (`mute`): Mount points marked as noexec aren't scanned as part of RTP, these mount point can be created for:
-  - Database files on Database servers for keeping data base files.
+  - Database files on Database servers for keeping database files.
   - File server can keep data files mountpoints with noexec option.
   - Backup can keep data files mountpoints with noexec option.
 
@@ -384,9 +384,9 @@ Specify the maximum number of entries to keep in the scan history. Entries inclu
 **Exlusion setting preferences are currently in preview**.
 
 > [!NOTE] 
-> Available in Defender for Endpoint version `101.23092.0012` or later till Insider Slow Ring.
+> Global exclusions are currently in public preview, and are available in Defender for Endpoint beginning with version `101.23092.0012` or later in the Insiders Slow and Production rings.
 
-The *exclusionSettings* section of the configuration profile is used to configure various exclusions for Microsoft Defender for Endpoint for Linux.
+The `exclusionSettings` section of the configuration profile is used to configure various exclusions for Microsoft Defender for Endpoint for Linux.
 
 |Description|JSON Value|
 |---|---|

defender-endpoint/linux-whatsnew.md

@@ -6,7 +6,7 @@ ms.author: deniseb
 author: denisebmsft
 ms.reviewer: kumasumit, gopkr
 ms.localizationpriority: medium
-ms.date: 10/11/2024
+ms.date: 10/14/2024
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -34,16 +34,36 @@ This article is updated frequently to let you know what's new in the latest rele
 - [What's new in Defender for Endpoint on iOS](ios-whatsnew.md)
 
 > [!IMPORTANT]
-> Starting with version `101.2408.0000`, Microsoft defender for Endpoint for Linux no longer supports the Auditd event provider. We're transitioning completely to the more efficient eBPF technology. This change allows for better performance, reduced resource consumption, and overall improved stability. eBPF support has been available since August 2023 and is fully integrated into all updates of Defender for Endpoint on Linux (version `101.23082.0006` and later). We strongly encourage you to adopt the eBPF build, as it provides significant enhancements over Auditd. If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, you have the following options: 
+> Starting with version `101.2408.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology. This change allows for better performance, reduced resource consumption, and overall improved stability. eBPF support has been available since August 2023, and is fully integrated into all updates of Defender for Endpoint on Linux (version `101.23082.0006` and later). We strongly encourage you to adopt the eBPF build, as it provides significant enhancements over Auditd. If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, you have the following options:
 > 
-> 1.    Continue to use Defender for Endpoint on Linux build `101.24072.0000` with Auditd. This build will continue to be supported for several months, so you have time to plan and execute your migration to eBPF.
+> 1. Continue to use Defender for Endpoint on Linux build `101.24072.0000` with Auditd. This build will continue to be supported for several months, so you have time to plan and execute your migration to eBPF.
 >
-> 2.    If you are on versions later than `101.24072.0000`, Defender for Endpoint on Linux relies on `netlink` as a backup supplementary event provider. In the event of a fallback, all process operations continue to flow seamlessly. 
+> 2. If you are on versions later than `101.24072.0000`, Defender for Endpoint on Linux relies on `netlink` as a backup supplementary event provider. In the event of a fallback, all process operations continue to flow seamlessly. 
 >
 > Review your current Defender for Endpoint on Linux deployment, and begin planning your migration to the eBPF-supported build. For more information on eBPF and how it works, see [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-support-ebpf).
 >
 > If you have any concerns or need assistance during this transition, contact support.
 
+<details>
+<summary> Oct-2024 (Build: 101.24082.0004 | Release version: 30.124082.0004.0)</summary>
+
+## Sept-2024 Build: 101.24082.0004 | Release version: 30.124082.0004.0
+
+&ensp;Released: **October 15, 2024**<br/>
+&ensp;Published: **October 15, 2024**<br/>
+&ensp;Build: **101.24082.0004**<br/>
+&ensp;Release version: **30.124082.0004**<br/>
+&ensp;Engine version: **1.1.24080.9**<br/>
+&ensp;Signature version: **1.417.659.0**<br/>
+
+**What's new**
+
+- Starting this version, Defender for Endpoint on Linux no longer supports `AuditD` as a supplementary event provider. For improved stability and performance, we have completely transitioned to eBPF. If you disable eBPF, or in the event eBPF is not supported on any specific kernel, Defender for Endpoint on Linux automatically switches back to Netlink as a fallback supplementary event provider. Netlink provides reduced functionality and tracks only process-related events. In this case, all process operations continue to flow seamlessly, but you could miss specific file and socket-related events that eBPF would otherwise capture. For more details, see [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](linux-support-ebpf.md). If you have any concerns or need assistance during this transition, contact support.
+- Stability and performance improvements
+- Other bug fixes
+
+</details>
+
 <details>
 <summary> Sept-2024 (Build: 101.24072.0001 | Release version: 30.124072.0001.0)</summary>
 

defender-xdr/copilot-in-defender-device-summary.md

@@ -18,7 +18,7 @@ ms.topic: conceptual
 search.appverid:
   - MOE150
   - MET150
-ms.date: 04/01/2024
+ms.date: 10/04/2024
 appliesto:
 - Microsoft Defender XDR
 - Microsoft Sentinel in the Microsoft Defender portal
@@ -30,13 +30,27 @@ appliesto:
 
 [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal helps security teams in speeding up device inspection through AI-powered investigation capabilities.
 
+## Know before you begin
+
+If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles:
+
+- [What is Copilot for Security?](/security-copilot/microsoft-security-copilot)
+- [Copilot for Security experiences](/security-copilot/experiences-security-copilot)
+- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot)
+- [Understand authentication in Copilot for Security](/security-copilot/authentication)
+- [Prompting in Copilot for Security](/security-copilot/prompting-security-copilot)
+
 Security operations teams are tasked to sift through device data to find suspicious activities or entities to prevent malicious attacks. These teams need to summarize large amounts of data and simplify complex information to quickly assess, triage, and connect a device's status and activities to potentially malicious attacks.
 
 The device summary capability of Copilot in Defender enables security teams to get a device's security posture, vulnerable software information, and any unusual behaviors. Security analysts can use a device's summary to speed up their investigation of incidents and alerts.
 
-The device summary capability is available in the Microsoft Defender portal through the [Copilot for Security license](/security-copilot/faq-security-copilot). This capability is also available in the Copilot for Security standalone portal through the Microsoft Defender XDR plugin.
+## Copilot for Security integration in Microsoft Defender
+
+The device summary capability is available in the Microsoft Defender portal for customers who have provisioned access to Copilot for Security. 
+
+This capability is also available in the Copilot for Security standalone portal through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins).
 
-## Summarize device information
+## Key features
 
 The device summary generated by Copilot contains noteworthy information about the device, including:
 
@@ -61,18 +75,24 @@ You can access the device summary capability through the following ways:
 
    :::image type="content" source="/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets-small.png" alt-text="Screenshot highlighting the device summary option in the assets tab of an incident page in Copilot in Defender." lightbox="/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets.png":::
 
-Review the results. You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the device summary card.
+Review the results of the device summary. You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the device summary card.
 
-You can provide feedback about the results by navigating to the bottom of the Copilot pane and selecting the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/copilot-defender-feedback.png).
+## Sample device summary prompt
+
+In the Copilot for Security standalone portal, you can use the following prompt to generate a device summary:
+
+- *Summarize device information in Defender incident {incident number.*
+
+> [!TIP]
+> When investigating devices in the Copilot for Security portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the device summary capability delivers the results.
+
+## Provide feedback
+
+Your feedback helps improve the quality of the results generated by Copilot. You can provide feedback about the results by navigating to the bottom of the Copilot pane and selecting the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/copilot-defender-feedback.png).
 
 ## See also
 
-- [Run script analysis](security-copilot-m365d-script-analysis.md)
-- [Analyze files](copilot-in-defender-file-analysis.md)
-- [Summarize an incident](security-copilot-m365d-incident-summary.md)
-- [Resolve incidents with guided responses](security-copilot-m365d-guided-response.md)
-- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot)
 - [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot)
-- [Know more about preinstalled plugins in Microsoft Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins)
+- [Privacy and data security in Copilot for Security](/copilot/security/privacy-data-security)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/copilot-in-defender-file-analysis.md

@@ -18,7 +18,7 @@ ms.topic: conceptual
 search.appverid:
   - MOE150
   - MET150
-ms.date: 04/01/2024
+ms.date: 10/04/2024
 appliesto:
 - Microsoft Defender XDR
 - Microsoft Sentinel in the Microsoft Defender portal
@@ -30,13 +30,27 @@ appliesto:
 
 [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal enables security teams to quickly identify malicious and suspicious files through AI-powered file analysis capabilities.
 
+## Know before you begin
+
+If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles:
+
+- [What is Copilot for Security?](/security-copilot/microsoft-security-copilot)
+- [Copilot for Security experiences](/security-copilot/experiences-security-copilot)
+- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot)
+- [Understand authentication in Copilot for Security](/security-copilot/authentication)
+- [Prompting in Copilot for Security](/security-copilot/prompting-security-copilot)
+
 Security operations teams tracking and resolving attacks need tools and techniques to quickly analyze potentially malicious files. Sophisticated attacks often use files that mimic legitimate or system files to avoid detection. In addition, new-to-the-field security analysts might require time and gain significant experience to use available analysis tools and techniques.
 
 The file analysis capability of Copilot in Defender reduces the barrier to learning file analysis by immediately delivering reliable and complete file investigation results. This capability empowers security analysts from all levels to complete their investigation with a shorter turnaround time. The report includes an overview of the file, details of the file's contents, and a summary of the file's assessment.
 
-The file analysis capability is available in Microsoft Defender through the [Copilot for Security license](/security-copilot/faq-security-copilot). Copilot for Security standalone portal users also have the file analysis capability and other Defender XDR capabilities through the Microsoft Defender XDR plugin.
+## Copilot for Security integration in Microsoft Defender
+
+The file analysis capability is available in Microsoft Defender for customers who have provisioned access to Copilot for Security. 
+
+Copilot for Security standalone portal users also have the file analysis capability and other Defender XDR capabilities through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins).
 
-## Analyze a file
+## Key features
 
 The file analysis results generated by Copilot usually contains the following information:
 
@@ -59,16 +73,22 @@ You can access the file analysis capability through the following ways:
 
 You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the file analysis card.
 
-Always review the results generated by Copilot in Defender. Select the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/copilot-defender-feedback.png) at the bottom of the Copilot pane to provide feedback.
+## Sample file analysis prompt
+
+In the Copilot for Security standalone portal, you can use the following prompt to generate a device summary:
+
+- *Tell me about the files in Defender incident {incident number). Which files are malicious?*
+
+> [!TIP]
+> When investigating files in the Copilot for Security portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the file analysis capability delivers the results.
+
+## Provide feedback
+
+Always review the results generated by Copilot in Defender. Your feedback helps improve the quality of the results generated by Copilot. Select the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/copilot-defender-feedback.png) at the bottom of the Copilot pane to provide feedback.
 
 ## See also
 
-- [Run script analysis](security-copilot-m365d-script-analysis.md)
-- [Summarize an incident](security-copilot-m365d-incident-summary.md)
-- [Generate device summary](copilot-in-defender-device-summary.md)
-- [Resolve incidents with guided responses](security-copilot-m365d-guided-response.md)
-- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot)
-- [Know more about preinstalled plugins in Microsoft Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins)
 - [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot)
+- [Privacy and data security in Copilot for Security](/copilot/security/privacy-data-security)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/experts-on-demand.md

@@ -19,7 +19,7 @@ ms.collection:
   - essentials-manage
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 09/12/2024
+ms.date: 10/14/2024
 ---
 
 # Collaborate with experts on demand
@@ -52,6 +52,13 @@ You need to select one of the following Microsoft Entra ID roles to view and sub
 
 To learn more about how Microsoft Entra ID roles map to Microsoft Defender Unified RBAC permissions, see [Microsoft Entra Global roles access](compare-rbac-roles.md#microsoft-entra-global-roles-access).
 
+Microsoft Defender Experts customers using Ask Defender Experts capability will also be able to use the following permissions from [Microsoft Defender XDR Unified RBAC](../defender-xdr/custom-permissions-details.md).
+
+|Microsoft Unified RBAC role|Permission level|
+|---|---|---|
+| Security data basics | Read |
+| Alerts or Response | Read and submit |
+
 ### Where to submit inquiries to Ask Defender Experts
 
 The option to **Ask Defender Experts** is available in several places throughout the portal: