Merge branch 'main' into unified-soc-opt

Author: batamig

.openpublishing.redirection.defender-endpoint.json

@@ -1,5 +1,10 @@
 {
   "redirections": [
+    {
+      "source_path": "defender-endpoint/configure-microsoft-threat-experts.md",
+      "redirect_url": "/defender-xdr/defender-experts-for-hunting",
+      "redirect_document_id": false
+    },    
     {
       "source_path": "defender-endpoint/microsoft-defender-antivirus-using-mde-security-set-mngmnt.md",
       "redirect_url": "/defender-endpoint/evaluate-mdav-using-gp",

CloudAppSecurityDocs/cas-compliance-trust.md

@@ -31,7 +31,7 @@ Defender for Cloud Apps operates in the Microsoft Azure data centers in the foll
 |**Customers whose tenants are provisioned in the European Union or the United Kingdom**     |    Either the European Union and/or the United Kingdom      |
 |**Customers whose tenants are provisioned in any other region**     |     The United States and/or a data center in the region that's nearest to the location of where the customer's Microsoft Entra tenant has been provisioned    |
 
-In addition to the locations above, the App Governance features within Defender for Cloud Apps operate in the Microsoft Azure data centers in the following geographical regions: 
+In addition to the locations above, the App Governance features within Defender for Cloud Apps operate in the Microsoft Azure data centers in the following geographical regions listed below. Customer with App Governance enabled will have data stored within the data storage location the customer provisions in above, and in a second data storage location as described below: 
 
 |Customer provisioning location  |Data storage location  |
 |---------|---------|
@@ -65,7 +65,7 @@ Defender for Cloud Apps shares data, including customer data, among the followin
 - Microsoft Defender for Cloud
 - Microsoft Sentinel
 - Microsoft Defender for Endpoint
-- Microsoft Security Exposure Management (Preview)
+- Microsoft Security Exposure Management
 - Microsoft Purview
 - Microsoft Entra ID Protection
 

CloudAppSecurityDocs/investigate-anomaly-alerts.md

@@ -40,7 +40,6 @@ Following proper investigation, all Defender for Cloud Apps alerts can be classi
 
 You should use the following general guidelines when investigating any type of alert to gain a clearer understanding of the potential threat before applying the recommended action.
 
-- Review the user's [investigation priority score](tutorial-ueba.md#understand-the-investigation-priority-score) and compare with the rest of the organization. This will help you identify which users in your organization pose the greatest risk.
 - If you identify a **TP**, review all the user's activities to gain an understanding of the impact.
 - Review all user activity for other indicators of compromise and explore the source and scope of impact. For example, review the following user device information and compare with known device information:
   - Operating system and version
@@ -712,74 +711,14 @@ Establishing a new user's activity pattern requires an initial learning period o
 1. Review the deletion activities and create a list of deleted files. If needed, recover the deleted files.
 1. Optionally, create a playbook using Power Automate to contact users and their managers to verify the activity.
 
-### Investigation priority score increase (preview)
+### Investigation priority score increase (legacy)
 
-Anomalous activities and activities that triggered alerts are given scores based on severity, user impact, and behavioral analysis of the user. The analysis is done based on other users in the tenants.
+Starting November 2024, **Investigate risky users** support for Microsoft Defender for Cloud Apps is retired. If this feature was used in your organization and is needed, we recommend using the Entra risk score feature. Please use the following resources for additional information:
 
-When there's a significant and anomalous increase in the investigation priority score of a certain user, the alert will be triggered.
+- [Investigate risk Microsoft Entra ID Protection - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/howto-identity-protection-investigate-risk)
 
-This alert enables detecting potential breaches that are characterized by activities that don't necessarily trigger specific alerts but accumulate to a suspicious behavior for the user.
+- [Microsoft Entra ID Protection risk-based access policies - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/concept-identity-protection-policies)
 
-**Learning period**
-
-Establishing a new user's activity pattern requires an initial learning period of seven days, during which alerts aren't triggered for any score increase.
-
-**TP**, **B-TP**, or **FP**?
-
-1. **TP**: If you're able to confirm that the activities of the user aren't legitimate.
-  
-    **Recommended action**: Suspend the user, mark the user as compromised, and reset their password.
-
-1. **B-TP**: If you're able to confirm that user indeed significantly deviated from usual behavior, but there's no potential breach.
-
-1. **FP**  (Unusual behavior): If you're able to confirm that the user legitimately performed the unusual activities, or more activities than the established baseline.
-
-    **Recommended action**: Dismiss the alert.
-
-**Understand the scope of the breach**
-
-1. Review all user activity and alerts for additional indicators of compromise.
-
-#### Deprecation timeline
-
-We're gradually retiring the **Investigation priority score increase** alert from Microsoft Defender for Cloud Apps by August 2024.
-
-After careful analysis and consideration, we decided to deprecate it due to the high rate of false positives associated with this alert, which we found wasn't contributing effectively to the overall security of your organization.
-
-Our research indicated that this feature wasn't adding significant value and wasn't aligned with our strategic focus on delivering high-quality, reliable security solutions.
-
-We're committed to continuously improving our services and ensuring that they meet your needs and expectations.
-
-For those who wish to continue using this alert, we suggest using the following advanced hunting query instead as a suggested template. Modify the query based on your needs.
-
-```kql    
-let time_back = 1d;
-let last_seen_threshold = 30;
-// the number of days which the resource is considered to be in use by the user lately, and therefore not indicates anomaly resource usage
-// anomaly score based on LastSeenForUser column in CloudAppEvents table
-let last_seen_scores =
-CloudAppEvents
-| where Timestamp > ago(time_back)
-| where isnotempty(LastSeenForUser)
-| mv-expand LastSeenForUser
-| extend resource = tostring(bag_keys(LastSeenForUser)[0])
-| extend last_seen = LastSeenForUser[resource]
-| where last_seen < 0 or last_seen > last_seen_threshold
-// score is calculated as the number of resources which were never seen before or breaching the chosen threshold
-| summarize last_seen_score = dcount(resource) by ReportId, AccountId;
-// anomaly score based on UncommonForUser column in CloudAppEvents table
-let uncommonality_scores =
-CloudAppEvents
-| where Timestamp > ago(time_back)
-| where isnotempty(UncommonForUser)
-| extend uncommonality_score = array_length(UncommonForUser)
-// score is calculated as the number of uncommon resources on the event
-| project uncommonality_score, ReportId, AccountId;
-last_seen_scores | join kind=innerunique uncommonality_scores on ReportId and AccountId
-| project-away ReportId1, AccountId1
-| extend anomaly_score = last_seen_score + uncommonality_score
-// joined scores
-```
 
 ## See also
 

CloudAppSecurityDocs/network-requirements.md

@@ -11,6 +11,15 @@ ms.topic: reference
 
 This article provides a list of ports and IP addresses you need to allow and allowlist to work with Microsoft Defender for Cloud Apps.
 
+In order to stay up to date on IP ranges, it's recommended to refer to the following Azure service tags for Microsoft Defender for Cloud Apps services. The latest IP ranges are found in the service tag. For more information, see [Azure IP ranges](https://azureipranges.azurewebsites.net/).
+
+| Service tag name    |    Defender for Cloud Apps services included   |
+|:---|:---|
+| MicrosoftCloudAppSecurity | Portal access, Access and session controls, SIEM agent connection, App connector, Mail server, Log collector. |
+
+The following tables list the current static IP ranges covered by the MicrosoftCloudAppSecurity service tag. For latest list, refer to the [Azure service tags](/azure/virtual-network/service-tags-overview) documentation.
+
+
 ## View your data center
 
 Some of the requirements below depend on which data center you're connected to.

CloudAppSecurityDocs/tutorial-ueba.md

@@ -46,12 +46,6 @@ Defender for Cloud Apps uses the following to measure risk:
 
 Select the investigation priority score for an alert or an activity to view the evidence that explains how Defender for Cloud Apps scored the activity.
 
-> [!NOTE]
-> We're gradually retiring the [**Investigation priority score increase**](investigate-anomaly-alerts.md#investigation-priority-score-increase-preview) alert from Microsoft Defender for Cloud Apps by August 2024. The investigation priority score and the procedure described in this article are not affected by this change.
->
-> For more information, see [Investigation priority score increase deprecation timeline](investigate-anomaly-alerts.md#deprecation-timeline).
-
-
 ## Phase 1: Connect to the apps you want to protect<a name="connect-apps-protect"></a>
 
 Connect at least one app to Microsoft Defender for Cloud Apps using the [API connectors](enable-instant-visibility-protection-and-governance-actions-for-your-apps.md). We recommend that you start by connecting [Microsoft 365](./connect-office-365.md).

defender-endpoint/TOC.yml

@@ -934,6 +934,15 @@
               antivirus windows defender antivirus
           - name: Troubleshoot performance issues related to real-time protection
             href: troubleshoot-performance-issues.md
+          - name: Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI
+            href: troubleshoot-av-performance-issues-with-wprui.md
+            displayName: Troubleshoot antivirus performance issues with WPRUI windows
+              performance recorder UI WPR windows performance recorder
+          - name: Troubleshoot Microsoft Defender Antivirus performance issues with Process
+              Monitor
+            href: troubleshoot-av-performance-issues-with-procmon.md
+            displayName: Troubleshoot Microsoft Defender Antivirus MDAV performance perf
+              issues with Process Monitor ProcMon
         - name: Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
           href: troubleshoot-microsoft-defender-antivirus.yml
         - name: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution

defender-endpoint/adv-tech-of-mdav.md

@@ -1,8 +1,9 @@
 ---
 title: Advanced technologies at the core of Microsoft Defender Antivirus
 description: Microsoft Defender Antivirus engines and advanced technologies
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: emmwalshh
+ms.author: ewalsh
+ms.reviewer: yongrhee
 manager: deniseb
 ms.service: defender-endpoint
 ms.topic: overview

defender-endpoint/amsi-on-mdav.md

@@ -1,8 +1,8 @@
 ---
 title: "Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus"
 description: Describes fileless malware and how Microsoft Defender Antivirus uses AMSI to protect against hidden threats.
-author: denisebmsft
-ms.author: deniseb
+author: emmwalshh
+ms.author: ewalsh
 manager: deniseb
 ms.reviewer: yongrhee
 ms.date: 12/05/2024

defender-endpoint/analyzer-feedback.md

@@ -4,8 +4,9 @@ description: Provide feedback on the Microsoft Defender for Endpoint client anal
 ms.service: defender-endpoint
 f1.keywords:
 - NOCSH
-ms.author: deniseb
-author: denisebmsft
+ms.author: ewalsh
+author: emmwalshh
+ms.reviewer: yongrhee
 ms.localizationpriority: medium
 manager: deniseb
 audience: ITPro

defender-endpoint/android-whatsnew.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: reference
 ms.subservice: android
 search.appverid: met150
-ms.date: 01/03/2025
+ms.date: 01/06/2025
 ---
 
 # What's new in Microsoft Defender for Endpoint on Android
@@ -40,7 +40,7 @@ Recommendation cards prominently display any active alerts, ensuring you stay in
 
 The following screenshot is an example of what the user sees in their dashboard:
 
-:::image type="content" source="media/android-whatsnew/android-dashboard-screen.png" alt-text="Screenshot showing what the user sees on the device.":::
+:::image type="content" source="media/android-whatsnew/android-dashboard-screen.png" alt-text="Screenshot showing the user's dashboard in the Microsoft Defender app.":::
 
 **Recommendation cards for alerts**
 
@@ -59,10 +59,10 @@ The current enterprise dashboard experience now features a tile view for your se
 
 | Tile | Description |
 |---|---|
-| :::image type="content" source="media/android-whatsnew/android-tile-networkprotection.png" alt-text="Screenshot showing the network protection tile for security administrators."::: | **Network protection** <br/>Your security team can see whether a connection is secured or unsecured. |
-| :::image type="content" source="media/android-whatsnew/android-tile-webprotection.png" alt-text="Screenshot of a tile that shows whether web protection is enabled on a device."::: | **Web protection** <br/>Your security team can see whether web protection is enabled on a user's device. |
-| :::image type="content" source="media/android-whatsnew/android-tile-appsecurity.png" alt-text="Screenshot showing the app security tile."::: | **App security** <br/>Your security team can see whether any threats were found in apps installed on a user's device. |
-| :::image type="content" source="media/android-whatsnew/android-tile-globalsecureaccess.png" alt-text="Screenshot showing Global Secure Access status."::: | **Global secure access** <br/>Your security team can see current connection status. |
+| :::image type="content" source="media/android-whatsnew/android-tile-networkprotection.png" alt-text="Screenshot showing the network protection tile for security administrators."::: | **Network protection** <br/>The user can see whether a connection is secured or unsecured. |
+| :::image type="content" source="media/android-whatsnew/android-tile-webprotection.png" alt-text="Screenshot of a tile that shows whether web protection is enabled on a device."::: | **Web protection** <br/>The user can see whether web protection is enabled on a user's device. |
+| :::image type="content" source="media/android-whatsnew/android-tile-appsecurity.png" alt-text="Screenshot showing the app security tile."::: | **App security** <br/>The user can see whether any threats were found in apps installed on a user's device. |
+| :::image type="content" source="media/android-whatsnew/android-tile-globalsecureaccess.png" alt-text="Screenshot showing Global Secure Access status."::: | **Global secure access** <br/>The user can see current connection status. |
 
 ## Android low-touch onboarding is now GA
 
@@ -125,7 +125,7 @@ Read the announcement [Tech Community Blog: Defender for Endpoint is now availab
 
 ## Privacy controls
 
-Microsoft Defender for Endpoint on Android enables privacy controls for both administrators and end users, and includes controls for enrolled (MDM) and unenrolled (MAM) devices. Administrators can configure the privacy in the alert report while End Users can configure the information shared to their organization. For more information, see [privacy controls(MDM)](android-configure.md#privacy-controls) and [privacy controls (MAM)](android-configure-mam.md#configure-privacy-controls).
+Microsoft Defender for Endpoint on Android enables privacy controls for both administrators and end users, and includes controls for enrolled (MDM) and unenrolled (MAM) devices. Administrators can configure the privacy in the alert report while End Users can configure the information shared to their organization. For more information, see [privacy controls (MDM)](android-configure.md#privacy-controls) and [privacy controls (MAM)](android-configure-mam.md#configure-privacy-controls).
 
 ## Optional permissions and the ability to disable web protection