Merge pull request #1805 from MicrosoftDocs/main

rjagiewich · web-flow · commit 699e1d2086de · 2024-11-04T15:42:07.000-08:00
publish main to live, 11/4/24, 3:30 pm
diff --git a/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md b/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md
@@ -13,7 +13,7 @@ This article lists daily operational activities that we recommend you perform wi
 
 Alerts and incidents are two of the most important items your security operations (SOC) team should be reviewing on a daily basis.
 
-- Triage incidents and alerts regularly from the [incidents queue](https://security.microsoft.com/incidents-queue) in Microsoft Defender XDR, prioritizing high and medium severity alerts.
+- Triage incidents and alerts regularly from the [incidents queue](https://security.microsoft.com/incidents) in Microsoft Defender XDR, prioritizing high and medium severity alerts.
 
 - If you're working with a SIEM system, your SIEM system is usually the first stop for triage. SIEM systems provide more context with extra logs and SOAR functionality. Then, use Microsoft Defender XDR for a deeper understanding of an alert or incident timeline.
 
diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml
@@ -11,7 +11,7 @@
     - name: Trial user guide - Microsoft Defender for Endpoint
       href: defender-endpoint-trial-user-guide.md
     - name: Pilot and deploy Defender for Endpoint
-      href: /defender-xdr/pilot-deploy-defender-endpoint?toc=/defender-xdr/TOC.json&bc=/defender-xdr/breadcrumb/toc.json
+      href: /defender-xdr/pilot-deploy-defender-endpoint?toc=/defender-endpoint/TOC.json&bc=/defender-endpoint/breadcrumb/toc.json
     - name: Minimum requirements
       href: minimum-requirements.md
     - name: Supported Microsoft Defender for Endpoint capabilities by platform
diff --git a/defender-endpoint/breadcrumb/toc.yml b/defender-endpoint/breadcrumb/toc.yml
@@ -5,10 +5,9 @@
     - name: 'Microsoft Defender for Endpoint'
       tocHref: /defender-endpoint/
       topicHref: /defender-endpoint/index
-      items:
-       - name: 'Microsoft Defender XDR'
-         tocHref: /defender-xdr/
-         topicHref: /defender-xdr/pilot-deploy-defender-office-365
     - name: 'Microsoft Defender for Endpoint'
       tocHref: /mem/intune/protect/
       topicHref: /mem/intune/protect/
+    - name: 'Microsoft Defender for Endpoint'
+      tocHref: /defender-xdr/
+      topicHref: /defender-xdr/pilot-deploy-defender-endpoint
diff --git a/defender-endpoint/health-status.md b/defender-endpoint/health-status.md
@@ -13,7 +13,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 05/06/2021
+ms.date: 11/04/2024
 ---
 
 # Investigate agent health issues
@@ -24,53 +24,59 @@ ms.date: 05/06/2021
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender XDR](/defender-xdr)
 
-The following table provides information on the values returned when you run the `mdatp health` command and their corresponding descriptions.
+The following table provides information about the values that are returned when you run the `mdatp health` command and their corresponding descriptions.
 
-|Value|Description|
+| Value | Description |
 |---|---|
-|automatic_definition_update_enabled|True if automatic antivirus definition updates are enabled, false otherwise.|
-|cloud_automatic_sample_submission_consent|Current sample submission level. Can be one of the following values: <ul><li>**None**: No suspicious samples are submitted to Microsoft.</li><li>**Safe**: Only suspicious samples that don't contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.</li><li>**All**: All suspicious samples are submitted to Microsoft.</li></ul>|
-|cloud_diagnostic_enabled|True if optional diagnostic data collection is enabled, false otherwise. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).|
-|cloud_enabled|True if cloud-delivered protection is enabled, false otherwise.|
-|conflicting_applications|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.|
-|definitions_status|Status of antivirus definitions.|
-|definitions_updated|Date and time of last antivirus definition update.|
-|definitions_updated_minutes_ago|Number of minutes since last antivirus definition update.|
-|definitions_version|Antivirus definition version.|
-|edr_client_version|Version of the EDR client running on the device.|
-|edr_configuration_version|EDR configuration version.|
-|edr_device_tags|List of tags associated with the device.|
-|edr_group_ids|Group ID that the device is associated with.|
-|edr_machine_id|Device identifier used in Microsoft Defender XDR.|
-|engine_version|Version of the antivirus engine.|
-|healthy|True if the product is healthy, false otherwise.|
-|licensed|True if the device is onboarded to a tenant, false otherwise.|
-|log_level|Current log level for the product.|
-|machine_guid|Unique machine identifier used by the antivirus component.|
-|network_protection_status|Status of the network protection component (macOS only). Can be one of the following values: <ul><li>**starting** - Network protection is starting</li><li>**failed_to_start** - Network protection couldn't be started due to an error</li><li>**started** - Network protection is currently running on the device</li><li>**restarting** - Network protection is currently restarting</li><li>**stopping** - Network protection is stopping</li><li>**stopped** - Network protection isn't running</li></ul>|
-|org_id|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, this prints unavailable. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).|
-|passive_mode_enabled|True if the antivirus component is set to run in passive mode, false otherwise.|
-|product_expiration|Date and time when the current product version reaches end of support.|
-|real_time_protection_available|True if the real-time protection component is healthy, false otherwise.|
-|real_time_protection_enabled|True if real-time antivirus protection is enabled, false otherwise.|
-|real_time_protection_subsystem|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, this prints unavailable.|
-|release_ring|Release ring. For more information, see [Deployment rings](onboarding.md).|
+| `app_version` | Displays Microsoft Defender application version.|
+|`automatic_definition_update_enabled`|`True` if automatic antivirus definition updates are enabled; otherwise, `false`.|
+|`behavior_monitoring`|Feature to detect real time threats and prevention by monitoring the behavior of applications, services, and files.<br/><br/>Can have one of the following values: <br/>- **disabled** - default <br/>- **enabled** |
+|`cloud_automatic_sample_submission_consent`|Current sample submission level. <br/><br/>Can have one of the following values: <br/>- **None**: No suspicious samples are submitted to Microsoft.<br/>- **safe**: Only suspicious samples that don't contain personal data are submitted automatically. This value is the default value for this setting.<br/>- **All**: All suspicious samples are submitted to Microsoft.|
+|`cloud_diagnostic_enabled`|`True` if optional diagnostic data collection is enabled; otherwise, `false`. <br/><br/>For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).|
+|`cloud_enabled`|`True` if cloud-delivered protection is enabled; otherwise, `false`.|
+|`conflicting_applications`|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.|
+|`definitions_status`|Status of antivirus definitions. Can have one of the following values: <br/>- **up_to_date**<br/>- **updating**<br/>- **unavailable**|
+|`definitions_updated`|Date and time of last antivirus definition update.|
+|`definitions_updated_minutes_ago`|Number of minutes since last antivirus definition update.|
+|`definitions_version`|Antivirus definition version.|
+|`edr_client_version`|Version of the EDR client running on the device.|
+|`edr_configuration_version`|EDR configuration version.|
+|`edr_device_tags`|List of tags associated with the device.|
+|`edr_early_preview_enabled`|Setting of edr early preview. Can have one of the following values: <br/>- **disabled** <br/>- **enabled**|
+|`edr_group_ids`|Group ID that the device is associated with.|
+|`edr_machine_id`|Device identifier used in the Microsoft Defender portal.|
+|`engine_load_status`|Status of antivirus engine to determine whether it's running. <br/><br/>Can have one of the following values: <br/>- **Engine not loaded** - antivirus engine process is down<br/>- **Engine load succeeded** - antivirus engine process is up and running|
+|`engine_version`|Version of the antivirus engine.|
+|`healthy`|`True` if the product is healthy; otherwise, `false`.|
+|`health_issues`|Lists health issues if any.|
+|`licensed`|`True` if the device is onboarded to a tenant; otherwise, `false`.|
+|`log_level`|Current log level for the product. <br/><br/>Can have one of the following values: <br/>- **info** <br/>- **debug**|
+|`machine_guid`|Unique machine identifier used by the antivirus component.|
+|`network_protection_enforcement_level`|Mode of network protection. <br/><br/>Can have one of the following: <br/>- **disabled** - all components associated with network protection are disabled<br/>- **block** - network protection prevents connection to malicious websites<br/>- **audit** - Check how blocks occur|
+|`network_protection_status`|Status of the network protection component (macOS only).<br/><br/> Can have one of the following values: <br/>- **starting** - Network protection is starting<br/>- **failed_to_start** - Network protection couldn't be started due to an error<br/>- **started** - Network protection is running on the device<br/>- **restarting** - Network protection is restarting<br/>- **stopping** - Network protection is stopping<br/>- **stopped** - Network protection isn't running|
+|`org_id`|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, it shows as `unavailable`. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).|
+|`passive_mode_enabled`|`True` if the antivirus component is set to run in passive mode; otherwise, `false`.|
+|`product_expiration`|Date and time when the current product version reaches end of support.|
+|`real_time_protection_available`|`True` if the real-time protection component is healthy; otherwise, `false`.|
+|`real_time_protection_enabled`|`True` if real-time antivirus protection is enabled; otherwise, `false`.|
+|`real_time_protection_subsystem`|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, it shows as `unavailable`.|
+|`release_ring`|Release ring. For more information, see [Deployment rings](onboarding.md).|
+|`supplementary_events_subsystem`|Subsystem that provides supplementary event data. Can have one of the following values: <br/>- **ebpf** - Default from app version: `101.2408.0000`<br/>- **auditd**|
 
 ## Component specific health
 
 You can get more detailed health information for different Defender's features with `mdatp health --details <feature>`. For example:
 
 ```bash
+
 mdatp health --details edr
 
-edr_early_preview_enabled                   : "disabled"
-edr_device_tags                             : []
-edr_group_ids                               : ""
-edr_configuration_version                   : "20.199999.main.2022.10.25.03-514032a834557bdd31ac415be6df278d9c2a4c25"
-edr_machine_id                              : "a47ba049f43319ac669b6291ce73275cd445c9cd"
-edr_sense_guid                              : "298a1a8c-04dd-4929-8efd-3bb14cb54b94"
-edr_preferred_geo                           : "unitedstates"
+mdatp health --details definitions
+
+mdatp health --details help
+
 ```
 
-You can run `mdatp health --help` on recent versions to list all supported `feature`s.
+You can run `mdatp health --help` on recent versions to list all supported features.
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-endpoint/troubleshoot-onboarding.md b/defender-endpoint/troubleshoot-onboarding.md
@@ -13,7 +13,7 @@ ms.collection:
 ms.topic: troubleshooting
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 09/18/2024
+ms.date: 11/04/2024
 ---
 
 # Troubleshoot Microsoft Defender for Endpoint onboarding issues
@@ -85,7 +85,7 @@ If the script fails and the event is an error, you can check the event ID in the
 |`10`|Onboarding data couldn't be written to registry|Check the permissions on the registry, specifically <p> `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`. <p> Verify that the script has been run as an administrator.|
 |`15`|Failed to start SENSE service|Check the service health (`sc query sense` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). <p> If the device is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the device. If rebooting the device doesn't address the issue, upgrade to KB4015217 and try onboarding again.|
 |`15`|Failed to start SENSE service|If the message of the error is: System error 577  or error 1058 has occurred, you need to enable the Microsoft Defender Antivirus ELAM driver, see [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy) for instructions.|
-|`15`|Failed to start SENSE service|The SENSE Feature on Demand (FoD) may not be installed. To determine whether it is installed, enter the following command from an Admin CMD/PowerShell prompt: `DISM.EXE /Online /Get-CapabilityInfo /CapabilityName:Microsoft.Windows.Sense.Client~~~` If it returns an error or the state is not "Installed," then the SENSE FoD must be installed. See [Available Features on Demand: SENSE Client for Microsoft Defender for Endpoint](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11&preserve-view=true) for installation instructions.|
+|`15`|Failed to start SENSE service|The SENSE Feature on Demand (FoD) may not be installed. To determine whether it is installed, enter the following command from an Admin CMD/PowerShell prompt: `DISM.EXE /Online /Get-CapabilityInfo /CapabilityName:Microsoft.Windows.Sense.Client~~~~` If it returns an error or the state is not "Installed," then the SENSE FoD must be installed. See [Available Features on Demand: SENSE Client for Microsoft Defender for Endpoint](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11&preserve-view=true) for installation instructions.|
 |`30`|The script failed to wait for the service to start running|The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).|
 |`35`|The script failed to find needed onboarding status registry value|When the SENSE service starts for the first time, it writes onboarding status to the registry location <p> `HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`. <p> The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).|
 |`40`|SENSE service onboarding status isn't set to **1**|The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).|
diff --git a/defender-office-365/TOC.yml b/defender-office-365/TOC.yml
@@ -38,7 +38,7 @@
    - name: Deploy
      items: 
      - name: Pilot and deploy Defender for Office 365
-       href: /defender-xdr/pilot-deploy-defender-office-365?toc=/defender-xdr/TOC.json&bc=/defender-xdr/breadcrumb/toc.json
+       href: /defender-xdr/pilot-deploy-defender-office-365?toc=/defender-office-365/TOC.json&bc=/defender-office-365/breadcrumb/toc.json
      - name: Get started with Microsoft Defender for Office 365
        href: mdo-deployment-guide.md
      - name: Step 1 - Configure email authentication
diff --git a/defender-office-365/breadcrumb/toc.yml b/defender-office-365/breadcrumb/toc.yml
@@ -5,7 +5,7 @@
    - name: 'Microsoft Defender for Office 365'
      tocHref: /defender-office-365/
      topicHref: /defender-office-365/index
-     items:
-      - name: 'Microsoft Defender XDR'
-        tocHref: /defender-xdr/
-        topicHref: /defender-xdr/pilot-deploy-defender-endpoint
+   - name: 'Microsoft Defender for Office 365'
+     tocHref: /defender-xdr/
+     topicHref: /defender-xdr/pilot-deploy-defender-endpoint
+    
diff --git a/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md b/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md
