Merge branch 'main' into patch-1

Author: denisebmsft

CloudAppSecurityDocs/discovery-docker-ubuntu-azure.md

@@ -46,7 +46,7 @@ If you require more than 10 data sources, we recommend that you split the data s
         To work with a network appliance that isn't listed, select **Other > Customer log format** or **Other (manual only)**. For more information, see [Working with the custom log parser](custom-log-parser.md).
 
     >[!NOTE]
-    >Integrating with secure transfer protocols (FTPS and Syslog – TLS) often requires additional settings or your firewall/proxy.
+    >Integrating with secure transfer protocols (FTPS and Syslog – TLS) often requires additional settings on your firewall/proxy. For more information, see [Advanced log collector management](log-collector-advanced-management.md).
 
 Repeat this process for each firewall and proxy whose logs can be used to detect traffic on your network.
 

CloudAppSecurityDocs/index.yml

@@ -48,6 +48,8 @@ landingContent:
         links:
           - text: Basic setup
             url: general-setup.md
+          - text: Connect cloud apps
+            url: enable-instant-visibility-protection-and-governance-actions-for-your-apps.md
           - text: View and manage security posture
             url: security-saas.md
       - linkListType: concept
@@ -70,8 +72,6 @@ landingContent:
         links:
           - text: Calculate risk scores
             url: risk-score.md
-          - text: Connect cloud apps
-            url: enable-instant-visibility-protection-and-governance-actions-for-your-apps.md
           - text: Collect logs
             url: discovery-docker.md
           - text: Discover and manage shadow IT
@@ -137,4 +137,4 @@ landingContent:
           - text: Monitor and respond to unusual data usage
             url: app-governance-monitor-apps-unusual-data-usage.md
           - text: Secure apps with app hygiene
-            url: app-governance-secure-apps-app-hygiene-features.md
+            url: app-governance-secure-apps-app-hygiene-features.md

CloudAppSecurityDocs/log-collector-advanced-management.md

@@ -50,9 +50,9 @@ You should be able to view the following contents:
 - `ssl_update`
 - `config.json`
 
-### Customize certificate files
+### Add certificate files
 
-This procedure describes how to customize the certificate files used for secure connections to the cloud discovery Docker instance.
+This procedure describes how to add the required certificate files used for secure connections to the cloud discovery Docker instance.
 
 1. Open an FTP client and connect to the log collector host.
 
@@ -63,7 +63,7 @@ This procedure describes how to customize the certificate files used for secure
     | **FTP** |- **pure-ftpd.pem**: Includes the key and certificate data |
     | **Syslog** |- **ca.pem**: The certificate authority's certificate that was used to sign the client’s certificate. <br>- **server-key.pem** and **server-cert.pem**: The log collector's certificate and key <br><br>Syslog messages are sent over TLS to the log collector, which requires mutual TLS authentication, including authenticating both the client and server certificates. |
 
-    Filenames are mandatory. If any of the files are missing, the update fails.
+Files are mandatory. If any of the files for the receiver type are missing, the update fails.
 
 1. In a terminal window, run:
 
@@ -161,7 +161,7 @@ docker cp Proxy-CA.crt Ubuntu-LogCollector:/var/adallom/ftp/discovery
 
 To secure the docker image and ensure that only one IP address is allowed to send the syslog messages to the log collector, create an IP table rule on the host machine to allow input traffic and drop the traffic coming over specific ports, such as TCP/601 or UDP/514, depending on the deployment.
 
-The following command shows an example of how to create an IP table rule that can be added to the host machine. This table rule allows the IP address `1.2.3.4`` to connect to the log collector container over TCP port 601, and drop all other connections coming from other IP addresses over the same port.
+The following command shows an example of how to create an IP table rule that can be added to the host machine. This table rule allows the IP address `1.2.3.4` to connect to the log collector container over TCP port 601, and drop all other connections coming from other IP addresses over the same port.
 
 ```bash
 iptables -I DOCKER-USER \! --src 1.2.3.4 -m tcp -p tcp --dport 601 -j DROP
@@ -171,7 +171,7 @@ iptables -I DOCKER-USER \! --src 1.2.3.4 -m tcp -p tcp --dport 601 -j DROP
 
 The container is now ready.
 
-Run the **collector_config** command using the API token that you used during the creation of your log collector. For example:
+Run the `collector_config` command using the API token that you used during the creation of your log collector. For example:
 
 :::image type="content" source="media/log-collector-advanced-tasks/docker-3.png" alt-text="Screenshot of the Create log collector dialog." border="false":::
 
@@ -520,7 +520,7 @@ Compare the output file (`/tmp/log.log`) to the messages stored in the `/var/ada
 When updating your log collector:
 
 - **Before installing the new version**, make sure to stop your log collector and remove the current image.
-- **After installing the new version**, [update your certificate files](#customize-certificate-files).
+- **After installing the new version**, [update your certificate files](#add-certificate-files).
 
 ## Next steps
 

defender-endpoint/aggregated-reporting.md

@@ -61,9 +61,9 @@ Aggregated reporting supports the following event types:
 > [!div class="mx-tdBreakAll"]
 > |Action type|Advanced hunting table|Device timeline presentation|Properties|
 > |:---|:---|:-------|:-------------------------------|
-> |FileCreatedAggregatedReport|DeviceFileEvents|{ProcessName} created {Occurrences} {FilePath} files|1. File path </br> 2. Process name </br> 3. Process name|
->|FileRenamedAggregatedReport|DeviceFileEvents|{ProcessName} renamed {Occurrences} {FilePath} files|1. File path </br> 2. Process name </br> 3. Process name|
-> |FileModifiedAggregatedReport|DeviceFileEvents|{ProcessName} modified {Occurrences} {FilePath} files|1. File path </br> 2. Process name </br> 3. Process name|
+> |FileCreatedAggregatedReport|DeviceFileEvents|{ProcessName} created {Occurrences} {FilePath} files|1. File path </br> 2. File extension </br> 3. Process name|
+>|FileRenamedAggregatedReport|DeviceFileEvents|{ProcessName} renamed {Occurrences} {FilePath} files|1. File path </br> 2. File extension </br> 3. Process name|
+> |FileModifiedAggregatedReport|DeviceFileEvents|{ProcessName} modified {Occurrences} {FilePath} files|1. File path </br> 2. File extension </br> 3. Process name|
 > |ProcessCreatedAggregatedReport|DeviceProcessEvents|{InitiatingProcessName} created {Occurrences} {ProcessName} processes|1. Initiating process command line </br> 2. Initiating process SHA1 </br> 3. Initiating process file path </br> 4. Process command line </br> 5. Process SHA1 </br> 6. Folder path|
 > |ConnectionSuccessAggregatedReport|DeviceNetworkEvents|{InitiatingProcessName} established {Occurrences} connections with {RemoteIP}:{RemotePort}|1. Initiating process name </br> 2. Source IP </br> 3. Remote IP </br> 4. Remote port|
 > |ConnectionFailedAggregatedReport|DeviceNetworkEvents|{InitiatingProcessName} failed to establish {Occurrences} connections with {RemoteIP:RemotePort}|1. Initiating process name </br> 2. Source IP </br> 3. Remote IP </br> 4. Remote port|
@@ -92,7 +92,7 @@ You can use the following KQL queries to gather specific information using aggre
 
 The following query highlights noisy process activity, which can be correlated with malicious signals.
 
-```KQL
+```Kusto
 DeviceProcessEvents
 | where Timestamp > ago(1h)
 | where ActionType == "ProcessCreatedAggregatedReport"
@@ -105,7 +105,7 @@ DeviceProcessEvents
 
 The following query identifies repeated sign-in attempt failures.
 
-```KQL
+```Kusto
 DeviceLogonEvents
 | where Timestamp > ago(30d)
 | where ActionType == "LogonFailedAggregatedReport"
@@ -119,7 +119,7 @@ DeviceLogonEvents
 
 The following query identifies suspicious RDP connections, which might indicate malicious activity.
 
-```KQL
+```Kusto
 DeviceNetworkEvents
 | where Timestamp > ago(1d)
 | where ActionType endswith "AggregatedReport"

defender-endpoint/mac-device-control-faq.md

@@ -2,8 +2,9 @@
 title: macOS Device control policies frequently asked questions (FAQ)
 description: Get answers to common questions about device control policies using JAMF or Intune.
 ms.service: defender-endpoint
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: emmwalshh
+ms.author: ewalsh
+ms.reviewer: joshbregman
 manager: deniseb
 ms.localizationpriority: medium
 audience: ITPro
@@ -39,7 +40,7 @@ Answer: Run _mdatp device-control policy preferences list_ to see all the iOS po
 
 :::image type="content" source="media/macos-device-control-faq-enabled-default-enforcement.png" alt-text="Shows how to run mdatp device-control policy preferences list to see if a device is Device Control enabled. " lightbox="media/macos-device-control-faq-enabled-default-enforcement.png":::
 
-### How do I know whether the policy has been delivered to the client machine?
+### How do I know if the policy is delivered to the client machine?
 
 Answer: Run _mdatp device-control policy rules list_ to see all the iOS policies on this machine:
 

defender-endpoint/mac-device-control-intune.md

@@ -2,8 +2,9 @@
 title: Deploy and manage Device Control using Intune 
 description: Learn how to deploy and manage device control policies using Intune.
 ms.service: defender-endpoint
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: emmwalshh
+ms.author: ewalsh
+ms.reviewer: joshbregman
 manager: deniseb
 ms.localizationpriority: medium
 audience: ITPro
@@ -44,7 +45,7 @@ Before you get started with Removable Storage Access Control, you must confirm y
 Now, you have `groups`, `rules`, and `settings`, replace the mobileconfig file with those values and put it under the Device Control node. Here's the demo file: [mdatp-devicecontrol/demo.mobileconfig at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/mobileconfig/demo.mobileconfig). Make sure validate your policy with the JSON schema and make sure your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json).
 
 > [!NOTE]
-> See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups.
+> See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules, and groups.
 
 ### Deploy the mobileconfig file using Intune
 

defender-endpoint/mac-device-control-jamf.md

@@ -2,8 +2,9 @@
 title: Deploy and manage device control using JAMF 
 description: Learn how to use device control policies using JAMF.
 ms.service: defender-endpoint
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: emmwalshh
+ms.author: ewalsh
+ms.reviewer: joshbregman
 manager: deniseb
 ms.localizationpriority: medium
 audience: ITPro
@@ -42,27 +43,27 @@ Before you get started with Removable Storage Access Control, you must confirm y
 
 ### Step 1: Create policy JSON
 
-Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here is the demo file: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json).
+Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here's the demo file: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json).
 
-See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups.
+See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules, and groups.
 
 ### Step 2: Update MDE Preferences Schema
 
-The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) has been updated to include the new `deviceControl/policy` key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content.
+The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) is updated to include the new `deviceControl/policy` key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content.
 
 :::image type="content" source="media/macos-device-control-jamf-mde-preferences-schema.png" alt-text="Shows where to edit the Microsoft Defender for Endpoint Preferences Schema to update." lightbox="media/macos-device-control-jamf-mde-preferences-schema.png":::
 
 ### Step 3: Add Device Control Policy to MDE Preferences
 
-A new 'Device Control' property will now be available to add to the UX.  
+A new 'Device Control' property is now available to add to the UX.  
 
 1. Select the topmost **Add/Remove properties** button, then select **Device Control** and press **Apply**.
 
 :::image type="content" source="media/macos-device-control-jamf-device-control-property.png" alt-text="Shows how to add Device Control in Microsoft Defender for Endpoint" lightbox="media/macos-device-control-jamf-device-control-property.png":::
 
-2. Next, scroll down until you see the **Device Control** property (it will be the bottommost entry), and select **Add/Remove properties** directly underneath it.
+2. Next, scroll down until you see the **Device Control** property (it's the bottommost entry), and select **Add/Remove properties** directly underneath it.
 
-3. Select **Device Control Policy**, and then click **Apply**.  
+3. Select **Device Control Policy**, and then select **Apply**.  
 
 :::image type="content" source="media/macos-device-control-jamf-device-control-add-remove-property.png" alt-text="Shows how to apply Device Control Policy in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-add-remove-property.png":::
 

defender-endpoint/mac-device-control-manual.md

@@ -2,8 +2,9 @@
 title: Deploy and manage device control manually
 description: Learn how to use device control policies manually.
 ms.service: defender-endpoint
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: emmwalshh
+ms.author: ewalsh
+ms.reviewer: joshbregman
 manager: deniseb
 ms.localizationpriority: medium
 audience: ITPro