Merge branch 'main' into users/mevasude/2408RelNotes

Author: denisebmsft

.openpublishing.publish.config.json

@@ -112,6 +112,18 @@
       },
       "build_entry_point": "docs",
       "template_folder": "_themes"
+    },
+    {
+      "docset_name": "unified-secops-platform",
+      "build_source_folder": "unified-secops-platform",
+      "build_output_subfolder": "unified-secops-platform",
+      "locale": "en-us",
+      "monikers": [],
+      "open_to_public_contributors": false,
+      "type_mapping": {
+        "Conceptual": "Content"
+      },
+      "build_entry_point": "docs"
     }
   ],
   "notification_subscribers": [],

defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md

@@ -9,7 +9,7 @@ manager: deniseb
 ms.author: deniseb
 ms.topic: conceptual
 ms.custom: nextgen
-ms.date: 05/17/2024
+ms.date: 10/08/2024
 ms.reviewer: yongrhee; pahuijbr
 ms.collection:
 - m365-security
@@ -22,33 +22,31 @@ search.appverid: met150
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 - Microsoft Defender Antivirus
 
+> [!IMPORTANT]
+> This article contains information about configuring network connections only for Microsoft Defender Antivirus, when used without Microsoft Defender for Endpoint. If you are using **Microsoft Defender for Endpoint** (which includes Microsoft Defender Antivirus), see [Configure device proxy and Internet connectivity settings for Defender for Endpoint](configure-proxy-internet.md).
+
 **Platforms**
 
 - Windows
 
-To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security team must configure your network to allow connections between your endpoints and certain Microsoft servers. This article lists connections that must be allowed for using the firewall rules. It also provides instructions for validating your connection. Configuring your protection properly ensures you receive the best value from your cloud-delivered protection services.
-
-> [!IMPORTANT]
-> This article contains information about configuring network connections only for Microsoft Defender Antivirus. If you are using Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus), see [Configure device proxy and Internet connectivity settings for Defender for Endpoint](configure-proxy-internet.md).
+To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security team must configure your network to allow connections between your endpoints and certain Microsoft servers. This article lists which destinations much be accessible. It also provides instructions for validating connections. Configuring connectivity properly ensures you receive the best value from Microsoft Defender Antivirus cloud-delivered protection services.
 
 ## Allow connections to the Microsoft Defender Antivirus cloud service
 
-The Microsoft Defender Antivirus cloud service provides fast, and strong protection for your endpoints. It's optional to enable the cloud-delivered protection service. Microsoft Defender Antivirus cloud service is recommended, because it provides important protection against malware on your endpoints and network. For more information, see [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for enabling service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or individual clients in the Windows Security app.
+The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. While it's optional to enable and use the cloud-delivered protection services provided by Microsoft Defender Antivirus, it's highly recommended because it provides important and timely protection against emerging threats on your endpoints and network. For more information, see [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md), which describes how to enable the service by using Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or individual clients in the Windows Security app.
 
-After you've enabled the service, you need to configure your network or firewall to allow connections between network and your endpoints. Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft cloud services. Don't exclude the URL `*.blob.core.windows.net` from any kind of network inspection.
+After you've enabled the service, you need to configure your network or firewall to allow connections between network and your endpoints. Computers must have access to the internet and reach the Microsoft cloud services for proper operation.
 
 > [!NOTE]
-> The Microsoft Defender Antivirus cloud service delivers updated protection to your network and endpoints. The cloud service should not be considered as only protection for your files that are stored in the cloud; instead, the cloud service uses distributed resources and machine learning to deliver protection for your endpoints at a faster rate than the traditional Security intelligence updates.
+> The Microsoft Defender Antivirus cloud service delivers updated protection to your network and endpoints. The cloud service should not be considered as protection for or against files that are stored in the cloud; instead, the cloud service uses distributed resources and machine learning to deliver protection for your endpoints at a faster rate than the traditional Security intelligence updates, and applies to file-based and file-less threats, regardless of where they originate from.
 
 ## Services and URLs
 
 The table in this section lists services and their associated website addresses (URLs).
 
-Make sure that there are no firewall or network filtering rules denying access to these URLs. Otherwise, you must create an allow rule specifically for those URLs (excluding the URL `*.blob.core.windows.net`). The URLs in the following table use port 443 for communication. (Port 80 is also required for some URLs, as noted in the following table.)
+Make sure that there are no firewall or network filtering rules denying access to these URLs. Otherwise, you must create an allow rule specifically for those URLs. The URLs in the following table use port `443` for communication. (Port `80` is also required for some URLs, as noted in the following table.)
 
 |Service and description|URL|
 |---|---|

defender-endpoint/defender-endpoint-demonstration-controlled-folder-access.md

@@ -14,7 +14,7 @@ ms.collection:
 - demo
 ms.topic: article
 ms.subservice: asr
-ms.date: 02/16/2024
+ms.date: 10/11/2024
 ---
 
 # Controlled folder access (CFA) demonstrations (block ransomware)
@@ -44,10 +44,10 @@ Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\
 ## Rule states
 
 |State | Mode| Numeric value |
-|:---|:---|:---|
-| Disabled | = Off | 0 |
-| Enabled | = Block mode | 1 |
-| Audit | = Audit mode | 2 |
+|---|---|---|
+| Disabled | Off | 0 |
+| Enabled | Block mode | 1 |
+| Audit | Audit mode | 2 |
 
 ## Verify configuration
 
@@ -63,65 +63,86 @@ Get-MpPreference
 
 ### Setup
 
-Download and run this [setup script](https://demo.wd.microsoft.com/Content/CFA_SetupScript.zip). Before running the script set execution policy to Unrestricted using this PowerShell command: 
+Download and run this [setup script](https://demo.wd.microsoft.com/Content/CFA_SetupScript.zip). Before running the script, set execution policy to `Unrestricted` by using this PowerShell command: 
 
 ```powershell
 Set-ExecutionPolicy Unrestricted
 ```
 
-You can perform these manual steps instead:
+Or, you can perform these manual steps instead:
 
-1. Create a folder under c: named demo, "c:\demo".
+1. Create a folder under `c:` named `demo`, as in `c:\demo`.
 
-2. Save this [clean file](https://demo.wd.microsoft.com/Content/testfile_safe.txt) into c:\demo (we need something to encrypt).
+2. Save this [clean file](https://demo.wd.microsoft.com/Content/testfile_safe.txt) into `c:\demo` (we need something to encrypt).
 
-3. Execute PowerShell commands listed earlier in this article.
+3. Run the PowerShell commands listed earlier in this article.
+
+Next, check that status of the *Aggressive Ransomware Prevention* ASR rule and disable it for the duration of this test if it's enabled:
 
-### Scenario 1: CFA blocks ransomware test file
 
-1. Turn on CFA using PowerShell command:
-  
 ```powershell
-Set-MpPreference -EnableControlledFolderAccess Enabled
+$idx = $(Get-MpPreference).AttackSurfaceReductionRules_Ids.IndexOf("C1DB55AB-C21A-4637-BB3F-A12568109D35")
+if ($idx -ge 0) {Write-Host "Rule Status: " $(Get-MpPreference).AttackSurfaceReductionRules_Actions[$idx]} else {Write-Host "Rule does not exist on this machine"}
 ```
 
-2. Add the demo folder to protected folders list using PowerShell command:
+If the rule exists and the status is `1 (Enabled)` or `6 (Warn)`, it must be disabled to run this test:
 
 ```powershell
-Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\
+Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Disabled
 ```
 
-3. Download the ransomware [test file](https://demo.wd.microsoft.com/Content/ransomware_testfile_unsigned.exe)
-4. Execute the ransomware test file *this isn't ransomware, it simple tries to encrypt c:\demo
+### Scenario 1: CFA blocks ransomware test file
+
+1. Turn on CFA using PowerShell command:
+
+   ```powershell
+   Set-MpPreference -EnableControlledFolderAccess Enabled
+   ```
+
+2. Add the demo folder to protected folders list using PowerShell command:
+
+   ```powershell
+   Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\
+   ```
+
+3. Download the ransomware [test file](https://demo.wd.microsoft.com/Content/ransomware_testfile_unsigned.exe).
+
+4. Execute the ransomware test file. Note that it isn't ransomware; it simply tries to encrypt `c:\demo`.
 
 #### Scenario 1 expected results
 
-5 seconds after executing the ransomware test file you should see a notification CFA blocked the encryption attempt.
+About five seconds after executing the ransomware test file, you should see a notification that CFA blocked the encryption attempt.
 
 ### Scenario 2: What would happen without CFA
 
 1. Turn off CFA using this PowerShell command:
 
-```powershell
-Set-MpPreference -EnableControlledFolderAccess Disabled
-```
+   ```powershell
+   Set-MpPreference -EnableControlledFolderAccess Disabled
+   ```
 
-2. Execute the ransomware [test file](https://demo.wd.microsoft.com/Content/ransomware_testfile_unsigned.exe)
+2. Execute the ransomware [test file](https://demo.wd.microsoft.com/Content/ransomware_testfile_unsigned.exe).
 
 #### Scenario 2 expected results
 
-- The files in c:\demo are encrypted and you should get a warning message
+- The files in `c:\demo` are encrypted and you should get a warning message
 - Execute the ransomware test file again to decrypt the files
 
 ## Clean-up
 
-Download and run this [cleanup script](https://demo.wd.microsoft.com/Content/ASR_CFA_CleanupScript.zip). You can perform these manual steps instead:
+1. Download and run this [cleanup script](https://demo.wd.microsoft.com/Content/ASR_CFA_CleanupScript.zip). You can perform these manual steps instead:
 
-```powershell
-Set-MpPreference -EnableControlledFolderAccess Disabled
-```
+   ```powershell
+   Set-MpPreference -EnableControlledFolderAccess Disabled
+   ```
+
+2. Clean up `c:\demo` encryption by using the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe)
+
+3. If the *Aggressive Ransomware Prevention* ASR rule was enabled and you disabled it at the beginning of this test, enable it again:
 
-Clean up c:\demo encryption by using the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe)
+   ```powershell
+   Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Enabled
+   ```
 
 ## See also
 

defender-endpoint/device-control-policies.md

@@ -4,7 +4,7 @@ description: Learn about Device control policies in Defender for Endpoint
 author: denisebmsft
 ms.author: deniseb
 manager: deniseb
-ms.date: 09/18/2024
+ms.date: 10/11/2024
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: asr
@@ -136,7 +136,7 @@ The following code snippet shows the syntax for a device control policy rule in
   </IncludedIdList>
   <ExcludedIdList>
       <GroupId>{3f5253e4-0e73-4587-bb9e-bb29a2171695}</GroupId>
-  <ExcludedIdList>
+  </ExcludedIdList>
   <Entry Id="{e3837e60-5e56-43ce-8095-043ccd793eac}">
    ...
   </Entry>

defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md

@@ -15,15 +15,15 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 05/01/2024
+ms.date: 10/11/2024
 ---
 
 # Deploy Defender for Endpoint on Linux with Chef
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
+- Microsoft Defender for Servers
+- Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender for Endpoint third-party tool support](../includes/support.md)]
 

defender-endpoint/linux-exclusions.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 07/31/2024
+ms.date: 10/11/2024
 ---
 
 # Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
@@ -24,9 +24,8 @@ ms.date: 07/31/2024
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
-- [Microsoft Defender XDR](/defender-xdr)
+- Microsoft Defender for Servers
+- Microsoft Defender XDR
 
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink)
 
@@ -141,7 +140,7 @@ For more information, see [Set preferences for Defender for Endpoint on Linux](l
 Run the following command to see the available switches for managing exclusions:
 
 > [!NOTE]
-> `--scope` is an optional flag with accepted value as `epp` or `global`. It provides the same scope used while adding the exclusion to remove the same exclusion. In the command line approach, if the scope isn’t mentioned, the scope value is set as `epp`.
+> `--scope` is an optional flag with accepted value as `epp` or `global`. It provides the same scope used while adding the exclusion to remove the same exclusion. In the command line approach, if the scope isn't mentioned, the scope value is set as `epp`.
 > Exclusions added through CLI before the introduction of `--scope` flag remain unaffected and their scope is considered `epp`.
 
 ```bash

defender-endpoint/linux-install-manually.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 08/01/2024
+ms.date: 10/11/2024
 ---
 
 # Deploy Microsoft Defender for Endpoint on Linux manually
@@ -24,9 +24,8 @@ ms.date: 08/01/2024
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
-- [Microsoft Defender XDR](/defender-xdr)
+- Microsoft Defender for Servers
+- Microsoft Defender XDR
 
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink)
 

defender-endpoint/linux-install-with-ansible.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 09/19/2024
+ms.date: 10/11/2024
 ---
 
 # Deploy Microsoft Defender for Endpoint on Linux with Ansible
@@ -24,9 +24,8 @@ ms.date: 09/19/2024
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
-- [Microsoft Defender XDR](/defender-xdr)
+- Microsoft Defender for Servers
+- Microsoft Defender XDR
 
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink)
 

defender-endpoint/linux-install-with-puppet.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 07/15/2024
+ms.date: 10/11/2024
 ---
 
 # Deploy Microsoft Defender for Endpoint on Linux with Puppet
@@ -25,9 +25,8 @@ ms.date: 07/15/2024
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
-- [Microsoft Defender XDR](/defender-xdr)
+- Microsoft Defender for Servers
+- Microsoft Defender XDR
 
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink)
 

defender-endpoint/linux-install-with-saltack.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 07/15/2024
+ms.date: 10/11/2024
 ---
 
 # Deploy Microsoft Defender for Endpoint on Linux with Saltstack
@@ -24,9 +24,8 @@ ms.date: 07/15/2024
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
-- [Microsoft Defender XDR](/defender-xdr)
+- Microsoft Defender for Servers
+- Microsoft Defender XDR
 
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink)