Commit 62ad3e4

Merge pull request #1774 from MicrosoftDocs/main
publish main to live, spooky 10/31/2024, 10:30 am
2 parents 4f86912 + fc188a9 commit 62ad3e4

10 files changed, +28 -16 lines


defender-endpoint/TOC.yml

Lines changed: 2 additions & 0 deletions
@@ -10,6 +10,8 @@
1010
href: zero-trust-with-microsoft-defender-endpoint.md
1111
- name: Trial user guide - Microsoft Defender for Endpoint
1212
href: defender-endpoint-trial-user-guide.md
13+
- name: Pilot and deploy Defender for Endpoint
14+
href: /defender-xdr/pilot-deploy-defender-endpoint?toc=/defender-xdr/TOC.json&bc=/defender-xdr/breadcrumb/toc.json
1315
- name: Minimum requirements
1416
href: minimum-requirements.md
1517
- name: Supported Microsoft Defender for Endpoint capabilities by platform

defender-endpoint/breadcrumb/toc.yml

Lines changed: 5 additions & 1 deletion
@@ -5,6 +5,10 @@
55
- name: 'Microsoft Defender for Endpoint'
66
tocHref: /defender-endpoint/
77
topicHref: /defender-endpoint/index
8+
items:
9+
- name: 'Microsoft Defender XDR'
10+
tocHref: /defender-xdr/
11+
topicHref: /defender-xdr/pilot-deploy-defender-office-365
812
- name: 'Microsoft Defender for Endpoint'
913
tocHref: /mem/intune/protect/
10-
topicHref: /mem/intune/protect/
14+
topicHref: /mem/intune/protect/
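Review bot: the new breadcrumb child under 'Microsoft Defender for Endpoint' has `topicHref: /defender-xdr/pilot-deploy-defender-office-365`, while the matching child added to defender-office-365/breadcrumb/toc.yml in this same commit points at `/defender-xdr/pilot-deploy-defender-endpoint`; the two look swapped, since the Endpoint breadcrumb should land on the Endpoint pilot article that the defender-endpoint/TOC.yml change in this commit links. Suggest `topicHref: /defender-xdr/pilot-deploy-defender-endpoint` here. Also, the final `topicHref: /mem/intune/protect/` line is removed and re-added with no visible character change, so it is an indentation or trailing-whitespace edit; confirm it still sits under the Intune item rather than under the new `items:` block.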

defender-office-365/TOC.yml

Lines changed: 3 additions & 1 deletion
@@ -36,7 +36,9 @@
3636
href: trial-user-guide-defender-for-office-365.md
3737

3838
- name: Deploy
39-
items:
39+
items:
40+
- name: Pilot and deploy Defender for Office 365
41+
href: /defender-xdr/pilot-deploy-defender-office-365?toc=/defender-xdr/TOC.json&bc=/defender-xdr/breadcrumb/toc.json
4042
- name: Get started with Microsoft Defender for Office 365
4143
href: mdo-deployment-guide.md
4244
- name: Step 1 - Configure email authentication
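Review bot: the `items:` line under `- name: Deploy` is removed and re-added with no visible change, so this is an indentation or trailing-whitespace edit; in YAML that can move the whole list to a different parent, so confirm the rendered TOC still nests 'Pilot and deploy Defender for Office 365' and 'Get started with Microsoft Defender for Office 365' under Deploy. The new entry itself follows the pattern used in defender-endpoint/TOC.yml in this commit (same `?toc=` and `&bc=` parameters to keep the Defender XDR TOC and breadcrumb).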

defender-office-365/breadcrumb/toc.yml

Lines changed: 4 additions & 0 deletions
@@ -5,3 +5,7 @@
55
- name: 'Microsoft Defender for Office 365'
66
tocHref: /defender-office-365/
77
topicHref: /defender-office-365/index
8+
items:
9+
- name: 'Microsoft Defender XDR'
10+
tocHref: /defender-xdr/
11+
topicHref: /defender-xdr/pilot-deploy-defender-endpoint
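Review bot: same swap as in the Endpoint breadcrumb: under 'Microsoft Defender for Office 365' the new child's `topicHref` is `/defender-xdr/pilot-deploy-defender-endpoint`, but the TOC entry added to defender-office-365/TOC.yml in this commit links `/defender-xdr/pilot-deploy-defender-office-365`. Suggest `topicHref: /defender-xdr/pilot-deploy-defender-office-365` here, and the Endpoint article in the Endpoint breadcrumb.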

defender-xdr/advanced-hunting-aadsignineventsbeta-table.md

Lines changed: 1 addition & 1 deletion
@@ -14,7 +14,7 @@ audience: ITPro
1414
ms.collection:
1515
- m365-security
1616
- tier3
17-
ms.custom:
17+
ms.custom:
1818
- cx-ti
1919
- cx-ah
2020
ms.topic: reference

defender-xdr/advanced-hunting-aadspnsignineventsbeta-table.md

Lines changed: 1 addition & 1 deletion
@@ -14,7 +14,7 @@ audience: ITPro
1414
ms.collection:
1515
- m365-security
1616
- tier3
17-
ms.custom:
17+
ms.custom:
1818
- cx-ti
1919
- cx-ah
2020
ms.topic: reference

defender-xdr/advanced-hunting-errors.md

Lines changed: 3 additions & 3 deletions
@@ -17,7 +17,7 @@ ms.collection:
1717
ms.custom:
1818
- cx-ti
1919
ms.topic: error-reference
20-
ms.date: 04/22/2024
20+
ms.date: 10/29/2024
2121
---
2222

2323
# Handle advanced hunting errors
@@ -36,8 +36,8 @@ Advanced hunting displays errors to notify for syntax mistakes and whenever quer
3636
| Syntax errors | The query contains unrecognized names, including references to nonexistent operators, columns, functions, or tables. | Ensure references to [Kusto operators and functions](/azure/data-explorer/kusto/query/) are correct. Check [the schema](advanced-hunting-schema-tables.md) for the correct advanced hunting columns, functions, and tables. Enclose variable strings in quotes so they are recognized. While writing your queries, use the autocomplete suggestions from IntelliSense. | `A recognition error occurred.` |
3737
| Semantic errors | While the query uses valid operator, column, function, or table names, there are errors in its structure and resulting logic. In some cases, advanced hunting identifies the specific operator that caused the error. | Check for errors in the structure of query. Refer to [Kusto documentation](/azure/data-explorer/kusto/query/) for guidance. While writing your queries, use the autocomplete suggestions from IntelliSense. | `'project' operator: Failed to resolve scalar expression named 'x'`|
3838
| Timeouts | A query can only run within a [limited period before timing out](advanced-hunting-limits.md). This error can happen more frequently when running complex queries. | [Optimize the query](advanced-hunting-best-practices.md) | `Query exceeded the timeout period.` |
39-
| CPU throttling | Queries in the same tenant have exceeded the [CPU resources](advanced-hunting-limits.md) that have been allocated based on tenant size. | The service checks CPU resource usage every 15 minutes and daily and displays warnings after usage exceeds 10% of the allocated quota. If you reach 100% utilization, the service blocks queries until after the next daily or 15-minute cycle. [Optimize your queries to avoid hitting CPU quotas](advanced-hunting-best-practices.md) | - `This query used X% of your organization's allocated resources for the current 15 minutes.`<br>- `You have exceeded processing resources allocated to this tenant. You can run queries again in <duration>.` |
40-
| Result size limit exceeded | The aggregate size of the result set for the query has exceeded the maximum size. This error can occur if the result set is so large that truncation at the 10,000-record limit can't reduce it to an acceptable size. Results that have multiple columns with sizable content are more likely to be impacted by this error. | [Optimize the query](advanced-hunting-best-practices.md) | `Result size limit exceeded. Use "summarize" to aggregate results, "project" to drop uninteresting columns, or "take" to truncate results.` |
39+
| CPU throttling | Queries in the same tenant have exceeded the [CPU resources](advanced-hunting-limits.md) that have been allocated based on tenant size. | The service checks CPU resource usage every 15 minutes and daily and displays warnings after usage exceeds 10% of the allocated quota. If you reach 100% utilization, the service blocks queries until after the next daily or 15-minute cycle. [Optimize your queries to avoid hitting CPU quotas](advanced-hunting-best-practices.md) | `You have exceeded processing resources allocated to this tenant. You can run queries again in <duration>.` |
40+
| Result size limit exceeded | The aggregate size of the result set for the query has exceeded the maximum size. This error can occur if the result set is so large that truncation at the 30,000-record limit can't reduce it to an acceptable size. Results that have multiple columns with sizable content are more likely to be impacted by this error. | [Optimize the query](advanced-hunting-best-practices.md) | `Result size limit exceeded. Use "summarize" to aggregate results, "project" to drop uninteresting columns, or "take" to truncate results.` |
4141
| Excessive resource consumption | The query has consumed excessive amounts of resources and has been stopped from completing. In some cases, advanced hunting identifies the specific operator that wasn't optimized. | [Optimize the query](advanced-hunting-best-practices.md) | -`Query stopped due to excessive resource consumption.`<br>-`Query stopped. Adjust use of the <operator name> operator to avoid excessive resource consumption.` |
4242
| Unknown errors | The query failed because of an unknown reason. | Try running the query again. Contact Microsoft through the portal if queries continue to return unknown errors. | `An unexpected error occurred during query execution. Please try again in a few minutes.`
4343
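Review bot: the CPU throttling row still says the service 'displays warnings after usage exceeds 10% of the allocated quota', but the sample warning text (`This query used X% of your organization's allocated resources for the current 15 minutes.`) is dropped from the last column, leaving only the block message; either keep the warning sample or reword the description so it only describes the block. The 10,000 to 30,000 record change brings this row in line with the 30,000-row result set in advanced-hunting-limits.md. One mismatch remains: this row describes a check 'every 15 minutes and daily', while the limits table lists only a 15-minute refresh cycle for CPU resources.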

defender-xdr/advanced-hunting-limits.md

Lines changed: 3 additions & 3 deletions
@@ -17,7 +17,7 @@ ms.collection:
1717
ms.custom:
1818
- cx-ti
1919
ms.topic: how-to
20-
ms.date: 09/10/2024
20+
ms.date: 10/29/2024
2121
---
2222

2323
# Use the advanced hunting query resource report
@@ -35,10 +35,10 @@ Refer to the following table to understand existing quotas and usage parameters.
3535

3636
| Quota or parameter | Size | Refresh cycle | Description |
3737
|--|--|--|--|
38-
| Data range | 30 days | Every query | Each query can look up data from up to the past 30 days. |
38+
| Date range | 30 days for Defender XDR data unless streamed through Microsoft Sentinel | Every query | Each query can look up Defender XDR data from up to the past 30 days, or longer if streamed through Microsoft Sentinel |
3939
| Result set | 30,000 rows | Every query | Each query can return up to 30,000 records. |
4040
| Timeout | 10 minutes | Every query | Each query can run for up to 10 minutes. If it doesn't complete within 10 minutes, the service displays an error.
41-
| CPU resources | Based on tenant size | Every 15 minutes | The [portal displays an error](advanced-hunting-errors.md) whenever a query runs and the tenant consumes over 10% of allocated resources. Queries are blocked if the tenant reaches 100% until after the next 15-minute cycle. |
41+
| CPU resources | Based on tenant size | Every 15 minutes | The portal displays a warning whenever a query runs and the tenant consumes over 10% of allocated resources. [Queries are blocked](advanced-hunting-errors.md) if the tenant reaches 100% until after the next 15-minute cycle. |
4242

4343
> [!NOTE]
4444
> A separate set of quotas and parameters apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](./api-advanced-hunting.md)
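Review bot: the new Date range description ends without a period ('or longer if streamed through Microsoft Sentinel'), unlike the other rows; add it. The rename from 'Data range' to 'Date range' fits a lookback window, and the CPU row now saying 'warning' at 10% and linking 'Queries are blocked' to advanced-hunting-errors.md matches the wording on that page. While here, the unchanged Timeout row (file line 40) is missing its closing `|`, which every other row has.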

defender-xdr/autoad-results.md

Lines changed: 2 additions & 2 deletions
@@ -60,13 +60,13 @@ Contain actions triggered by attack disruption are found in the [DeviceEvents ta
6060
- Device contain actions:
6161
```Kusto
6262
DeviceEvents
63-
| where ActionType contains "ContainDevice"
63+
| where ActionType contains "ContainedDevice"
6464
```
6565

6666
- User contain actions:
6767
```Kusto
6868
DeviceEvents
69-
| where ActionType contains "ContainUser"
69+
| where ActionType contains "ContainedUser"
7070
```
7171

7272
### Hunt for disable user account actions
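Review bot: `contains` is a substring match, so `ActionType contains "ContainDevice"` never matched a value spelled `ContainedDevice` (the letters 'ed' sit between 'Contain' and 'Device'); if the emitted ActionType values really are `ContainedDevice` and `ContainedUser`, the old queries returned nothing and this is a correctness fix, not a rename, so the commit message could say so. Worth confirming the exact values against the DeviceEvents schema and, once confirmed, using an exact comparison such as `| where ActionType == "ContainedDevice"` (or `has_cs`), which is unambiguous and cheaper than a case-insensitive `contains` scan.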

defender-xdr/create-custom-rbac-roles.md

Lines changed: 4 additions & 4 deletions
@@ -12,7 +12,7 @@ ms.collection:
1212
- tier3
1313
ms.custom:
1414
ms.topic: how-to
15-
ms.date: 09/30/2024
15+
ms.date: 10/31/2024
1616
ms.reviewer:
1717
search.appverid: met150
1818
---
@@ -40,7 +40,7 @@ The following steps guide you on how to create custom roles in Microsoft Defende
4040
4141
1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com).
4242

43-
2. In the navigation pane, select **Permissions**.
43+
2. In the navigation pane, go to **System > Permissions**.
4444

4545
3. Select **Roles** under Microsoft Defender XDR to get to the Permissions and roles page.
4646

@@ -69,7 +69,7 @@ The following steps guide you on how to create custom roles in Microsoft Defende
6969
7070
8. Once you have selected your permissions, select **Apply** and then **Next** to assign users and data sources.
7171

72-
9. Select **Add assignments** and Enter the Assignment name.
72+
9. Select **Add assignments** and add the Assignment name.
7373

7474
10. Under **data sources**, choose if the assigned users will have the selected permissions across all the available products, or only for specific data sources:
7575
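Review bot: 'add the Assignment name' in step 9 still capitalizes 'Assignment' mid-sentence and reads oddly; suggest 'Select **Add assignments** and enter a name for the assignment.' In the unchanged step 10 the '**data sources**' label is lowercase while the other UI labels in this procedure are capitalized; check it against the portal text.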

@@ -78,7 +78,7 @@ The following steps guide you on how to create custom roles in Microsoft Defende
7878
If a user selects all read-only permissions for a single data source, for example, Microsoft Defender for Endpoint, they will not be able to read alerts for Microsoft Defender for Office 365 or Microsoft Defender for Identity.
7979

8080
> [!NOTE]
81-
> By selecting **Choose all data sources** all supported data sources within Microsoft Defender XDR Unified RBAC and any future data sources that are added are automatically assigned to this assignment.
81+
> By selecting **Include future data sources automatically** all supported data sources within Microsoft Defender XDR Unified RBAC and any future data sources that are added are automatically assigned to this assignment.
8282
8383
11. In **Assigned users and groups** choose the Microsoft Entra security groups or individual users to assign the role to, and select **Add**.
8484
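Review bot: the reworded note needs a comma after the option name: 'By selecting **Include future data sources automatically**, all supported data sources within Microsoft Defender XDR Unified RBAC and any future data sources that are added are ...'; 'automatically' then appears twice in the sentence, so consider 'are included in this assignment'. Step 10 (file line 74) still frames the choice as all available products versus specific data sources; if the control is now 'Include future data sources automatically' rather than 'Choose all data sources', step 10 likely needs the same update.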
