images

Author: DebLanger

defender-xdr/data-privacy.md

@@ -19,7 +19,7 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 08/19/2024
+ms.date: 11/03/2024
 appliesto: 
 - Microsoft Defender XDR 
 ---
@@ -28,22 +28,66 @@ appliesto:
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-Microsoft Defender XDR operates in Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, and Switzerland. Customer data collected by the service is stored at rest in (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Microsoft Defender XDR to process such data.
+Microsoft Defender XDR integrates with several different Microsoft security services, which collect data using various technologies. Integrated services allow Microsoft Defender XDR to access their data for the purpose of identifying cross-product correlations.
 
-Customer data in pseudonymized form might also be stored in central storage and processing systems in the United States.
+## Collected data
 
-The table below shows the general information on the data retention of specific service sources in Defender XDR:
+Customer data collected from integrated services includes *processed data*, such as incidents and alerts, and *configuration data*, such as connector settings, rules and so on.
 
-|Product|Default data retention period|More information|
-|:---|:---|:---|
-|Microsoft Defender for Endpoint|180 days|[Defender for Endpoint data storage and privacy](/defender-endpoint/data-storage-privacy)|
-|Microsoft Defender for Office 365|Varies according to feature and license|[Defender for Office 365 data retention information](/defender-office-365/mdo-data-retention)|
-|Microsoft Defender for Identity|180 days|[Defender for Identity data storage and privacy](/defender-for-identity/privacy-compliance)|
-|Microsoft Defender for Cloud Apps|180 days|[Defender for Cloud Apps data storage and privacy](/defender-cloud-apps/cas-compliance-trust)|
-|Microsoft Entra|Varies according to feature and license|[Microsoft Entra data storage and privacy](/entra/identity/monitoring-health/reference-reports-data-retention)|
-|Microsoft Sentinel|90 days for Basic logs, varies depending on pricing|[Microsoft Sentinel pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/)|
+## Data storage location
 
-> [!NOTE]
-> [Advanced hunting](advanced-hunting-overview.md) lets you query up to 30 days of raw data.
+Microsoft Defender XDR operations in Microsoft Azure data centers in the following geographical regions:
+
+- **European Union**: North Europe and West Europe
+- **United Kingdom**: UK South and UK West
+- **United States**: East US 2 and Central US
+- **Australia**: Australia East and Australia Southeast
+- **Switzerland**: Switzerland North and Switzerland West
+- **India**: Central India and South India
+
+Once created, the Microsoft Defender XDR tenant isn't movable to a different region. Your geographical region is shown in the Microsoft Defender portal, under **Settings > Microsoft Defender XDR > Account**.
+
+Customer data stored by integrated services might also be stored in the following locations:
+
+- The original location for the relevant service.
+- A region defined by data storage rules of an integrated service, if Microsoft Defender XDR shares data with that service.
+
+## Data retention
+
+Microsoft Defender XDR data is retained for 180 days, and is visible across the Microsoft Defender portal during that time, except for in **Advanced hunting** queries. 
+
+In the Microsoft Defender portal's **Advanced hunting** page, data is accessible via queries for only 30 days, unless it's streamed through [Microsoft's unified security operations platform with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration?toc=%2Fdefender-xdr%2Ftoc.json&bc=%2Fdefender-xdr%2Fbreadcrumb%2Ftoc.json&tabs=defender-portal), where retention periods may be longer.
+
+Data continues to be retained and visible, even when a license is under a grace period or in suspended mode. At the end of any grace period or suspension, and no later than 180 days from a contract termination or expiration, data is deleted from Microsoft's systems and is unrecoverable.
+
+Most Defender services also have a default data retention period of 180 days. More information on data retention period per product is found in [relevant service docs](#related-content).
+
+## Data sharing
+
+Microsoft Defender XDR shares data among the following Microsoft products, also licensed by the customer:
+
+- Microsoft Defender for Cloud
+- Microsoft Defender for Identity
+- Microsoft Defender for Endpoint
+- Microsoft Defender for Cloud Apps
+- Microsoft Defender for Office 365
+- Microsoft Defender for IoT
+- Microsoft Sentinel
+- Microsoft Intune
+- Microsoft Purview
+- Microsoft Entra
+- Microsoft Defender Vulnerability Management
+- Microsoft Copilot for Security
+
+## Related content
+
+For more information, see:
+
+- [Defender for Endpoint data storage and privacy](/defender-endpoint/data-storage-privacy)
+- [Defender for Office 365 data retention information](/defender-office-365/mdo-data-retention)
+- [Defender for Identity data storage and privacy](/defender-for-identity/privacy-compliance)
+- [Defender for Cloud Apps data storage and privacy](/defender-cloud-apps/cas-compliance-trust)
+- [Microsoft Entra data storage and privacy](/entra/identity/monitoring-health/reference-reports-data-retention)
+- [Microsoft Sentinel pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

exposure-management/exposure-insights-overview.md

@@ -6,7 +6,7 @@ author: dlanger
 manager: rayne-wiselman
 ms.topic: overview
 ms.service: exposure-management
-ms.date: 08/20/2024
+ms.date: 11/04/2024
 ---
 
 # Overview - Exposure insights
@@ -88,6 +88,12 @@ In some cases, metrics display grayed out because the underlying data for the me
 
 Grayed out metrics aren't considered for score calculation.
 
+> [!NOTE]
+> The versioning feature in Exposure Management provides proactive notifications to users about upcoming version updates, providing advanced visibility into the expected metric changes and their impact on related initiatives.
+> A dedicated side panel offers more details about the update, including the expected date of the change, release notes, and current and new metric values, as well as changes to the related initiatives' scores.
+> Users can share feedback about the update directly through the platform.
+> The information is dynamic and may vary depending on when it is accessed.
+
 ## Working with recommendations
 
 Security Exposure Management ingests security recommendations from multiple sources, including Microsoft Defender for Cloud running the  [Defender for Cloud Security Posture Management (CSPM) plan](/azure/defender-for-cloud/concept-cloud-security-posture-management), [Microsoft Secure Score](/defender-xdr/microsoft-secure-score), Microsoft threat analytics, and other Microsoft workloads. Security Exposure Management integrates all of these recommendations into a single security catalog.
@@ -103,7 +109,7 @@ Security Exposure Management categorizes recommendations by compliance status, a
 - **Mitigated by organization**: Displays when steps to mitigate recommendations were taken elsewhere, and Security Exposure Management can't know whether recommendations are compliant. For example, by changing a status in Secure score.
 - **Not available**: Means there isn't enough information to determine the compliance status.
 
-:::image type="content" source="./media//exposure-insights-overview/recommendation-ransomeware-advanced-protection.png" alt-text="Screenshot of the ransomware advanced protection recommendation details ":::
+:::image type="content" source="./media//exposure-insights-overview/recommendation-ransomware-advanced-protection.png" alt-text="Screenshot of the ransomware advanced protection recommendation details ":::
 
 ### Secure score
 
@@ -145,9 +151,9 @@ When you drill down into a specific change, you can see the percentage effects o
 - **Metric removed** - The metric is no longer relevant for that specific initiative. For instance, if a better suggestion is introduced or it becomes irrelevant.
 - **Metric depreciated** - The metric is removed globally.
 
-Selecting the metric that changed provides more details about the change. For instance, it might display the new weight of a property change, or the number of affected assets before or after the change.
+Selecting the metric that changed provides more details about the change. For instance, it might display the new weight of a property change, and the number of affected assets before and after the change. It also offers a dropdown for changes to exposed assets, displaying up to the top 100 assets and indicating whether the asset exposure was added or removed.
 
-:::image type="content" source="media/exposure-insights-overview/initiatives-history-details.png" alt-text="Screenshot of the metric change side panel in the Initiatives history tab." lightbox="media/exposure-insights-overview/initiatives-history-details.png":::
+:::image type="content" source="media/exposure-insights-overview/Initiatives-history-updated.png" alt-text="Screenshot of initative history side panel" lightbox="media/exposure-insights-overview/Initiatives-history-updated.png":::
 
 You can't control the metric or score changes in advance.
 

exposure-management/initiatives.md

@@ -77,8 +77,9 @@ The changes in your score provide you with useful feedback about how well you're
     1. If needed, filter for specific time points.
     1. Choose the time point and select to examine the percent effect on the initiative score and the reason for the change.
     1. Select a metric to explore the change's effect further, if applicable.
+    1. Open the **Changes to exposed assets** dropdown to view up to the top 100 changed assets. The status will indicate whether the asset exposure has been added or removed.
 
-:::image type="content" source="media/initiatives/history-details.png" alt-text="Screenshot of the history metric change details side panel.":::
+:::image type="content" source="media/exposure-insights-overview/initiatives-history-details-redcued.jpg" alt-text="Screenshot of history side panel" lightbox="media/initiatives/initiatives-history-details.png":::
 
 ## Review metrics and recommendations
 

exposure-management/media/exposure-insights-overview/Initiatives-history-updated.png

@@ -27,6 +27,18 @@ Security Exposure Management is currently in public preview.
 
 ## November 2024
 
+### Content versioning notifications
+
+The new versioning feature in Microsoft Security Exposure Management offers proactive notifications about upcoming version updates, giving users advanced visibility into anticipated metric changes and their impact on their related initiatives. A dedicated side panel provides comprehensive details about each update, including the expected release date, release notes, current and new metric values, and any changes to related initiative scores. Additionally, users can share direct feedback on the updates within the platform, fostering continuous improvement and responsiveness to user needs.
+
+For more information on exposure insights, see [Overview - Exposure insights](exposure-insights-overview.md)
+
+### Exposure history for metrics
+
+User can investigate metric changes by reviewing the asset exposure change details. From the initiative's **History** tab, by selecting a specific metric, you can now see the list of assets where exposure has been either added or removed, providing clearer insight into exposure shifts over time.
+
+For more information, see, [Reviewing initiative history](exposure-insights-overview.md#reviewing-initiative-history)
+
 ### SaaS security initiative
 
 The SaaS Security initiative delivers a clear view of your SaaS security coverage, health, configuration, and performance. Through metrics spanning multiple domains, it gives security managers a high-level understanding of their SaaS security posture.