Merge pull request #3581 from MicrosoftDocs/main

[AutoPublish] main to live - 04/25 10:30 PDT | 04/25 23:00 IST

Author: Ruchika-mittal01

defender-office-365/threat-explorer-real-time-detections-about.md

@@ -7,7 +7,7 @@ author: chrisda
 manager: deniseb
 audience: ITPro
 ms.topic: conceptual
-ms.date: 02/18/2025
+ms.date: 04/25/2025
 ms.localizationpriority: medium
 ms.collection:
   - m365-security
@@ -70,15 +70,16 @@ To use Explorer or Real-time detections, you need to be assigned permissions. Yo
     - _Move messages in and delete messages from mailboxes_: Requires the **Search and Purge** role, which is assigned only to the **Data Investigator** or **Organization Management** role groups by default. Or, you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Search and Purge** role assigned, and add the users to the custom role group.
   - _Read-only access_: Membership in the **Security Reader** role group.
 - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365:
-  - _Full access_: Membership in the **Global Administrator**<sup>\*</sup> or **Security Administrator** roles.
+  - _Full access_: Membership in the **Global Administrator**<sup>\*</sup> or **Security Administrator** roles. More permissions are required to do all available actions:
+    - _Preview and download messages_: Requires the **Preview** role, which is assigned only to the **Data Investigator** or **eDiscovery Manager** role groups by default.
   - _Search for Exchange mail flow rules (transport rules) by name in Threat Explorer_: Membership in the **Security Administrator** or **Security Reader** roles.
   - _Read-only access_: Membership in the **Global Reader** or **Security Reader** roles.
 
     > [!IMPORTANT]
     > <sup>\*</sup> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 > [!TIP]
-> End-user spam notifications and system generated messages aren't avaialble in Threat Explorer. These types of messages are available if there's a mail flow rule (also known as a transport rule) to override.
+> End-user spam notifications and system generated messages aren't available in Threat Explorer. These types of messages are available if there's a mail flow rule (also known as a transport rule) to override.
 >
 > Audit log entries are generated when admins preview or download email messages. You can search the admin audit log by user for **AdminMailAccess** activity. For instructions, see [Audit New Search](/purview/audit-new-search).
 
@@ -187,7 +188,7 @@ The filterable properties that are available in the **Delivery action** box in t
 |Additional action|Select one or more values: <ul><li>**Automated remediation**</li><li>**Dynamic Delivery**: For more information, see [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li><li>**Manual remediation**</li><li>**None**</li><li>**Quarantine release**</li><li>**Reprocessed**: The message was retroactively identified as good.</li><li>**ZAP**: For more information, see [Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365](zero-hour-auto-purge.md).</li></ul>|
 |Directionality|Select one or more values: <ul><li>**Inbound**</li><li>**Intra-org**</li><li>**Outbound**</li></ul>|
 |Detection technology|Select one or more values: <ul><li>**Advanced filter**: Signals based on machine learning.</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**: [Safe Attachments](safe-attachments-about.md) detected a malicious attachment during detonation analysis.</li><li>**File detonation reputation**: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations.</li><li>**File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.</li><li>**Fingerprint matching**: The message closely resembles a previous detected malicious message.</li><li>**General filter**</li><li>**Impersonation brand**: Sender impersonation of well-known brands.</li><li>**Impersonation domain**: Impersonation of sender domains that you own or specified for protection in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>**Impersonation user**</li><li>**IP reputation**</li><li>**Mailbox intelligence impersonation**: Impersonation detections from mailbox intelligence in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).</li><li>**Mixed analysis detection**: Multiple filters contributed to the message verdict.</li><li>**spoof DMARC**: The message failed [DMARC authentication](email-authentication-dmarc-configure.md).</li><li>**Spoof external domain**: Sender email address spoofing using a domain that's external to your organization.</li><li>**Spoof intra-org**: Sender email address spoofing using a domain that's internal to your organization.</li><li>**URL detonation reputation**: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations.</li><li>**URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.</li></ul>|
-|Threat classification|Select one or more values: <ul><li>**Business inteligence**</li><li>**Contact establishment**</li><li>**Gift card**</li><li>**Invoice**</li><li>**Payroll**</li><li><**PII gathering**/li><li>**Task**</li></ul> For more information, see [Threat classification in Microsoft Defender for Office 365](mdo-threat-classification.md).|
+|Threat classification|Select one or more values: <ul><li>**Business intelligence**</li><li>**Contact establishment**</li><li>**Gift card**</li><li>**Invoice**</li><li>**Payroll**</li><li><**PII gathering**/li><li>**Task**</li></ul> For more information, see [Threat classification in Microsoft Defender for Office 365](mdo-threat-classification.md).|
 |Original delivery location|Select one or more values: <ul><li>**Deleted Items folder**</li><li>**Dropped**</li><li>**Failed**</li><li>**Inbox/folder**</li><li>**Junk folder**</li><li>**On-prem/external**</li><li>**Quarantine**</li><li>**Unknown**</li></ul>|
 |Latest delivery location¹|Same values as **Original delivery location**</li></ul>|
 |Phish confidence level|Select one or more values: <ul><li>**High**</li><li>**Normal**</li></ul>|
@@ -446,7 +447,7 @@ When you select an entry by clicking on the **Recipient** value, a details flyou
     If the recipient has more than three audit log entries, select **View all recent activity** to see all of them.
 
    > [!TIP]
-   > Members of the **Security Administrators** role group in [Email & collaboration permissions](mdo-portal-permissions.md) can't expand the **Recent activity** section. You need to be a member of a role group in [Exchange Online permissions](/exchange/permissions-exo/permissions-exo) that has the **Audit Logs**, **Information Protection Analyst**, or **Information Protection Investigator** roles assigned. By default, those roles are assigned to the **Records Management**, **Compliance Management**, **Information Protection**, **Information Protection Analysts**, **Information Protection Investigators**, and **Organization Management** role groups. You can add the members of **Security Administrators** to those role groups, or you can [create a new role group](/exchange/recipients-in-exchange-online/manage-permissions-for-recipients#use-the-eac-to-assign-permissions-to-individual-mailboxes) with with the **Audit Logs** role assigned.
+   > Members of the **Security Administrators** role group in [Email & collaboration permissions](mdo-portal-permissions.md) can't expand the **Recent activity** section. You need to be a member of a role group in [Exchange Online permissions](/exchange/permissions-exo/permissions-exo) that has the **Audit Logs**, **Information Protection Analyst**, or **Information Protection Investigator** roles assigned. By default, those roles are assigned to the **Records Management**, **Compliance Management**, **Information Protection**, **Information Protection Analysts**, **Information Protection Investigators**, and **Organization Management** role groups. You can add the members of **Security Administrators** to those role groups, or you can [create a new role group](/exchange/recipients-in-exchange-online/manage-permissions-for-recipients#use-the-eac-to-assign-permissions-to-individual-mailboxes) with the **Audit Logs** role assigned.
 
 :::image type="content" source="media/te-rtd-all-email-view-email-tab-details-area-recipient-details-flyout.png" alt-text="Screenshot of the recipient details flyout after you select a Recipient value in the Email tab of the details area in the All email view." lightbox="media/te-rtd-all-email-view-email-tab-details-area-recipient-details-flyout.png":::
 
@@ -917,7 +918,7 @@ The filterable properties that are available in the **Sender address** box in th
 |Additional action|Select one or more values: <ul><li>**Automated remediation**</li><li>**Dynamic Delivery**</li><li>**Manual remediation**</li><li>**None**</li><li>**Quarantine release**</li><li>**Reprocessed**</li><li>**ZAP**</li></ul>|✔|✔|
 |Directionality|Select one or more values: <ul><li>**Inbound**</li><li>**Intra-org**</li><li>**Outbound**</li></ul>|✔|✔|
 |Detection technology|Select one or more values: <ul><li>**Advanced filter**</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**</li><li>**File detonation reputation**</li><li>**File reputation**</li><li>**Fingerprint matching**</li><li>**General filter**</li><li>**Impersonation brand**</li><li>**Impersonation domain**</li><li>**Impersonation user**</li><li>**IP reputation**</li><li>**Mailbox intelligence impersonation**</li><li>**Mixed analysis detection**</li><li>**spoof DMARC**</li><li>**Spoof external domain**</li><li>**Spoof intra-org**</li><li>**URL detonation**</li><li>**URL detonation reputation**</li><li>**URL malicious reputation**</li></ul>|✔|✔|
-|Threat classification|Select one or more values: <ul><li>**Business inteligence**</li><li>**Contact establishment**</li><li>**Gift card**</li><li>**Invoice**</li><li>**Payroll**</li><li><**PII gathering**/li><li>**Task**</li></ul> For more information, see [Threat classification in Microsoft Defender for Office 365](mdo-threat-classification.md).|✔|✔|
+|Threat classification|Select one or more values: <ul><li>**Business intelligence**</li><li>**Contact establishment**</li><li>**Gift card**</li><li>**Invoice**</li><li>**Payroll**</li><li><**PII gathering**/li><li>**Task**</li></ul> For more information, see [Threat classification in Microsoft Defender for Office 365](mdo-threat-classification.md).|✔|✔|
 |Original delivery location|Select one or more values: <ul><li>**Deleted Items folder**</li><li>**Dropped**</li><li>**Failed**</li><li>**Inbox/folder**</li><li>**Junk folder**</li><li>**On-prem/external**</li><li>**Quarantine**</li><li>**Unknown**</li></ul>|✔|✔|
 |Latest delivery location|Same values as **Original delivery location**</li></ul>|✔|✔|
 |Phish confidence level|Select one or more values: <ul><li>**High**</li><li>**Normal**</li></ul>|✔||
@@ -1372,7 +1373,7 @@ When you select a filename value from the **Name** column, a details flyout open
     If the recipient has more than three audit log entries, select **View all recent activity** to see all of them.
 
    > [!TIP]
-   > Members of the **Security Administrators** role group in [Email & collaboration permissions](mdo-portal-permissions.md) can't expand the **Recent activity** section. You need to be a member of a role group in [Exchange Online permissions](/exchange/permissions-exo/permissions-exo) that has the **Audit Logs**, **Information Protection Analyst**, or **Information Protection Investigator** roles assigned. By default, those roles are assigned to the **Records Management**, **Compliance Management**, **Information Protection**, **Information Protection Analysts**, **Information Protection Investigators**, and **Organization Management** role groups. You can add the members of **Security Administrators** to those role groups, or you can [create a new role group](/exchange/recipients-in-exchange-online/manage-permissions-for-recipients#use-the-eac-to-assign-permissions-to-individual-mailboxes) with with the **Audit Logs** role assigned.
+   > Members of the **Security Administrators** role group in [Email & collaboration permissions](mdo-portal-permissions.md) can't expand the **Recent activity** section. You need to be a member of a role group in [Exchange Online permissions](/exchange/permissions-exo/permissions-exo) that has the **Audit Logs**, **Information Protection Analyst**, or **Information Protection Investigator** roles assigned. By default, those roles are assigned to the **Records Management**, **Compliance Management**, **Information Protection**, **Information Protection Analysts**, **Information Protection Investigators**, and **Organization Management** role groups. You can add the members of **Security Administrators** to those role groups, or you can [create a new role group](/exchange/recipients-in-exchange-online/manage-permissions-for-recipients#use-the-eac-to-assign-permissions-to-individual-mailboxes) with the **Audit Logs** role assigned.
 
 :::image type="content" source="media/te-rtd-content-malware-view-details-area-documents-tab-filename-flyout.png" alt-text="Screenshot of the details flyout from the Document view for the details area of the Content malware view in Threat Explorer and Real-time detections." lightbox="media/te-rtd-content-malware-view-details-area-documents-tab-filename-flyout.png":::
 

defender-xdr/api-articles.md

@@ -18,27 +18,23 @@ search.appverid:
   - MOE150
   - MET150
 ms.custom: api
-ms.date: 02/08/2024
+ms.date: 04/25/2025
+appliesto:
+  - Microsoft Defender XDR
 ---
 
 # Other security and threat protection APIs
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR API
-
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
 > [!NOTE]
-> **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview).
+> The **Microsoft Graph security API** is a unified schema and interface that integrates with various Microsoft security solutions and Microsoft security partners. To get started, see [Use the Microsoft Graph security API](/graph/api/resources/security-api-overview).
 
 The following resources provide more information about APIs available for other Microsoft security solutions, beyond the Microsoft Defender XDR API.
 
 - [Microsoft Defender for Endpoint](/defender-endpoint/api/apis-intro)
 - [Microsoft Defender for Office 365](/office/office-365-management-api/)
 - [Microsoft Defender for Cloud Apps](/cloud-app-security/api-introduction)
+- [Microsoft Defender Threat Intelligence](/graph/api/resources/security-threatintelligence-overview)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/api-overview.md

@@ -28,7 +28,7 @@ appliesto:
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
 > [!NOTE]
-> **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview).
+> The **Microsoft Graph security API** is a unified schema and interface that integrates with various Microsoft security solutions and Microsoft security partners. To get started, see [Use the Microsoft Graph security API](/graph/api/resources/security-api-overview).
 
 > [!IMPORTANT]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

defender-xdr/api-update-incidents.md

@@ -18,17 +18,15 @@ search.appverid:
   - MOE150
   - MET150
 ms.custom: api
-ms.date: 04/09/2024
+ms.date: 04/25/2025
+appliesto:
+ - Microsoft Defender XDR
 ---
 
 # Update incidents API
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-
 > [!NOTE]
 > **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview). For information about the new _update incident_ API using MS Graph security API, see [Update incident](/graph/api/security-incident-update).
 

defender-xdr/autoad-results.md

@@ -8,7 +8,7 @@ f1.keywords:
 ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
-ms.date: 06/19/2024
+ms.date: 04/25/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -31,9 +31,9 @@ When an automatic attack disruption triggers in Microsoft Defender XDR, the deta
 
 ## Review the incident graph
 
-Microsoft Defender XDR automatic attack disruption is built in in the incident view. Review the incident graph to get the entire attack story and assess the attack disruption impact and status.
+Microsoft Defender XDR automatic attack disruption is built-in in the incident view. Review the incident graph to get the entire attack story and assess the attack disruption impact and status.
 
-Here are some examples of what it looks like:
+The incident page includes the following information:
 
 - Disrupted incidents include a tag for 'Attack Disruption' and the specific threat type identified (i.e., ransomware). If you subscribe to incident email notifications, these tags also appear in the emails.
 - A highlighted notification below the incident title indicating that the incident was disrupted.
@@ -96,6 +96,7 @@ IdentityDirectoryEvents
 
 The above query was adapted from a [Microsoft Defender for Identity - Attack Disruption query](https://github.com/alexverboon/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Identity/MDI-AttackDisruption.md#microsoft-365-defender).
 
-## Next step
+## Related content
 
-- [Get email notifications for response actions](m365d-response-actions-notifications.md)
+- [Exclude assets from automated response actions](automatic-attack-disruption-exclusions.md)
+- [Get email notifications for response actions](m365d-response-actions-notifications.md)

defender-xdr/automatic-attack-disruption.md

@@ -18,7 +18,7 @@ ms.topic: concept-article
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 02/20/2025
+ms.date: 04/25/2025
 appliesto:
   - Microsoft Defender XDR
 ---

defender-xdr/configure-attack-disruption.md

@@ -9,7 +9,7 @@ audience: ITPro
 ms.topic: how-to
 ms.service: defender-xdr
 ms.localizationpriority: medium
-ms.date: 02/16/2025
+ms.date: 04/25/2025
 ms.collection:
 - m365-security
 - tier2

defender-xdr/configure-deception.md

@@ -16,7 +16,7 @@ ms.topic: how-to
 search.appverid: 
 - MOE150
 - MET150
-ms.date: 01/12/2024
+ms.date: 04/25/2025
 appliesto:
 - Microsoft Defender XDR
 #customer intent: As a security analyst, I want to learn how to configure the deception capability so that I can protect my organization from high-impact attacks that use human-operated lateral movement.