Merge pull request #2223 from MicrosoftDocs/dex-scoped-coverage

vpattnai · web-flow · commit 5fd78d684b16 · 2024-12-20T14:58:41.000+05:30
Dex scoped coverage
diff --git a/defender-xdr/TOC.yml b/defender-xdr/TOC.yml
@@ -430,10 +430,12 @@
                 items:
                 - name: Managed detection and response
                   href: managed-detection-and-response-xdr.md
-                - name: Reports
-                  href: reports-xdr.md
+                - name: Scoped coverage
+                  href: defender-experts-scoped-coverage.md  
                 - name: Communicate with Defender Experts for XDR
                   href: communicate-defender-experts-xdr.md
+                - name: Reports
+                  href: reports-xdr.md
                 - name: Defender Experts for Hunting
                   href: defender-experts-for-hunting.md
                 - name: Auditing
diff --git a/defender-xdr/defender-experts-scoped-coverage.md b/defender-xdr/defender-experts-scoped-coverage.md
@@ -0,0 +1,68 @@
+---
+title: Scoped coverage in Microsoft Defender Experts for XDR
+ms.reviewer:
+description: Defender Experts scoped coverage covers a specific section of the organization where SOC support is limited.
+ms.service: defender-experts
+ms.subservice: dex-xdr
+ms.author: vpattnaik
+author: vpattnai
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+  - m365-security
+  - tier1
+ms.topic: conceptual
+ms.custom: 
+- cx-ti
+- cx-dex
+search.appverid: met150
+ms.date: 12/19/2024
+---
+
+# Scoped coverage in Microsoft Defender Experts for XDR
+
+**Applies to:**
+
+- [Microsoft Defender XDR](microsoft-365-defender.md)
+
+Microsoft Defender Experts for XDR offers scoped coverage for customers who wish to have Defender Experts cover only a section of their organization (for example, specific geography, subsidiary, or function) that requires security operations center (SOC) support or where their security support is limited.
+
+You can define a specific set of devices and/or users for which Defender Experts will offer support. Any incident that impacts any of the defined set of devices and users will be considered in scope, and our experts will provide the necessary response actions to mitigate the threat.
+
+Devices and users that are out of scope won't be supported by Defender Experts. If they're part of an incident where at least one device or user in scope is impacted, we'll keep you informed about the out-of-scope assets but won't take any response actions or offer guidance.
+
+## Using Defender Experts scoped coverage
+
+Defender Experts create a predefined Microsoft Defender for Endpoint device group or a Microsoft Entra ID user group in the Microsoft Defender portal to which you can add devices and users, respectively. The default name assigned to the created device or user group begins with **Defender_Experts_Scoped_Coverage_**. 
+
+:::image type="content" source="media/defender_scoped_devices.png" alt-text="Screenshot of Defender Experts Scoped devices." lightbox="media/defender_scoped_devices.png":::
+
+The devices and users you add to these groups are then considered as the set of assets that are in scope for this service.
+
+> [!IMPORTANT]
+> Defender Experts need **System administrator** permissions to create the device and user groups. [Learn more about granting permissions to our experts](get-started-xdr.md#grant-permissions-to-our-experts)
+>
+> The device group must also be in the highest order of priority for the devices under it to be considered in scope. This is a known product limitation.
+
+Currently, the service doesn't offer support to rename these predefined groups, so we recommend that you don't rename the created device or user group. It also doesn't support nested groups. The devices and users would have to be added individually to the groups created.
+
+The following section lists down questions that you or your SOC team might have regarding scoped coverage:
+
+1. **What aspects of the XDR service remain consistent with Defender Experts scoped coverage?**
+   - This service doesn't change our pricing structure. You still pay for Defender Experts service based on E5 (and servers, Microsoft Defender for Cloud, and Open XDR) for your desired user base.
+   - This service doesn't scope according to individual Microsoft Defender products and services (such as Defender for Endpoint, Microsoft Defender for Office 365, or Microsoft Defender for Cloud). That is, the minimum baseline for scoped coverage is still the E5 license.
+   - There's no change in permissions for analysts in Defender Experts for XDR. Defender Experts analysts will still have access to your entire tenant and not just the scoped assets.
+
+2. **Can I change the scoped assets later?**
+
+   You're allowed to change the scoped assets based on your needs. Keep in mind that the changes you make might take some time to take effect in our service. We recommend that you take into account your organization's rhythm of business for incidents before and after the changes are made.
+
+3. **What type of response actions does this service provide?**
+
+   There are no changes to existing response actions that are in scope. Read our [FAQs related to Microsoft Defender Experts for XDR Managed response](../defender-xdr/frequently-asked-questions.md) to learn more.
+
+### See also
+
+- [Get started with Microsoft Defender Experts for XDR service](managed-detection-and-response-xdr.md)
+- [Understanding and managing Defender Experts for XDR incident updates](faq-incident-notifications-xdr.md)
diff --git a/defender-xdr/media/defender_scoped_devices.png b/defender-xdr/media/defender_scoped_devices.png
diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md
@@ -32,9 +32,10 @@ You can also get product updates and important notifications through the [messag
 
 ## December 2024
 
+- Microsoft Defender Experts for XDR now offers [scoped coverage](defender-experts-scoped-coverage.md) for customers who wish to define a specific set of devices and/or users, based on geography, subsidiary, or function, for which they'd like Defender Experts to provide support.
 - (Preview) The [Link to incident](advanced-hunting-defender-results.md#link-query-results-to-an-incident) feature in Microsoft Defender advanced hunting now allows linking of Microsoft Sentinel query results. In both the Microsoft Defender unified experience and in [Defender XDR advanced hunting](advanced-hunting-link-to-incident.md), you can now specify whether an entity is an impacted asset or related evidence.
 - (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-adx-operator-for-azure-data-explorer-queries-preview), Microsoft Defender portal users can now use the `adx()` operator to query tables stored in Azure Data Explorer. You no longer need to go to log analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender.
--  New documentation library for Microsoft's unified security operations platform. Find centralized documentation about [Microsoft's unified SecOps platform in the Microsoft Defender portal](/unified-secops-platform/overview-unified-security). Microsoft's unified SecOps platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, Microsoft Security Exposure Management, and generative AI into the Defender portal. Learn about the features and functionality available with Microsoft's unified SecOps platform, then start to plan your deployment.
+- New documentation library for Microsoft's unified security operations platform. Find centralized documentation about [Microsoft's unified SecOps platform in the Microsoft Defender portal](/unified-secops-platform/overview-unified-security). Microsoft's unified SecOps platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, Microsoft Security Exposure Management, and generative AI into the Defender portal. Learn about the features and functionality available with Microsoft's unified SecOps platform, then start to plan your deployment.
 
 ## November 2024
 
