Merge pull request #582 from MicrosoftDocs/main

Publish main to live, Wednesday 3:30PM PDT, 05/29

Author: Stacyrch140

defender-endpoint/behavior-monitor-macos.md

@@ -1,16 +1,12 @@
 ---
-# Required metadata
-# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main
-# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main
-
 title: Behavior Monitoring in Microsoft Defender Antivirus on macOS
 description: Behavior Monitoring in Microsoft Defender Antivirus on macOS
-author:      YongRhee-MSFT # GitHub alias
-ms.author:   yongrhee # Microsoft alias
+author: YongRhee-MSFT # GitHub alias
+ms.author: yongrhee # Microsoft alias
 manager: deniseb
 ms.service: defender-endpoint
 ms.topic: overview
-ms.date:     05/08/2024
+ms.date: 05/29/2024
 ms.subservice: ngp
 audience: ITPro
 ms.collection: 
@@ -139,11 +135,17 @@ The following sections describe each of these methods in detail.
 ```
 
 2. Open **Devices** > **Configuration profiles**. 
+
 3. Select **Create profile** and select **New Policy**.
+
 4. Give the profile a name. Change **Platform=macOS** to **Profile type=Templates** and choose **Custom** in the template name section. Select **Configure**.
-5. Go to the plist file you saved earlier and save it as com.microsoft.wdav.xml.
+
+5. Go to the plist file you saved earlier and save it as `com.microsoft.wdav.xml`.
+
 6. Enter `com.microsoft.wdav` as the **custom configuration profile name**.
+
 7. Open the configuration profile and upload the `com.microsoft.wdav.xml` file and select **OK**.
+
 8. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices or to a Device Group or User Group.**
 
 #### Via JamF deployment
@@ -163,7 +165,7 @@ The following sections describe each of these methods in detail.
                 <key>features</key>
                      <dict>
                          <key>behaviorMonitoring</key>
-                         string>enabled</string>
+                         <string>enabled</string>
                          <key>behaviorMonitoringConfigurations</key>
                              <dict>
                                  <key>blockExecution</key>
@@ -203,6 +205,9 @@ sudo mdatp config behavior-monitoring --value disabled
 
 For more information, see: [Resources for Microsoft Defender for Endpoint on macOS](/defender-endpoint/mac-resources).
 
+### To test behavior monitoring (prevention/block) detection
+
+See [Behavior Monitoring demonstration](demonstration-behavior-monitoring.md).
 
 ### Verifying Behavior Monitoring detection
 
@@ -211,11 +216,11 @@ The existing Microsoft Defender for Endpoint on macOS command line interface can
 ```bash
 sudo mdatp threat list
 ```
-For more information on how to test for a behavior monitoring (prevention/block) detection, see [Behavior Monitoring demonstration](demonstration-behavior-monitoring.md).
-
 ### Frequently Asked Questions (FAQ):
 
 #### What if I see an increase in cpu utilization or memory utilization?
+
 Disable Behavior Monitoring and see if the issue goes away.
+
 - If the issue doesn't go away, it is not related to Behavior Monitoring.
 - If the issue goes away, take an aka.ms/xMDEClientAnalyzer and contact Microsoft support.

defender-endpoint/mac-support-perf.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: macos
 search.appverid: met150
-ms.date: 03/20/2024
+ms.date: 05/29/2024
 ---
 
 # Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS
@@ -27,7 +27,6 @@ ms.date: 03/20/2024
 - [Microsoft Defender for Endpoint Plan 1 and Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
 
-
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
 
 This article provides some general steps that can be used to narrow down performance issues related to Defender for Endpoint on macOS.
@@ -41,7 +40,7 @@ Depending on the applications that you're running and your device characteristic
 
 **Applies to:**
 
-- Only performance issues related to Microsoft Defender Antivirus (`wdavdaemon_unpriviliged`).
+- Only performance issues related to Microsoft Defender Antivirus (`wdavdaemon_unprivileged`).
 
 Real-time protection (RTP) is a feature of Defender for Endpoint on macOS that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
 
@@ -50,7 +49,10 @@ Prerequisites:
 - Microsoft Defender for Endpoint version (Platform Update) 100.90.70 or newer
 - If you have [Tamper protection](tamperprotection-macos.md) turned on in block mode, use [Troubleshooting mode](mac-troubleshoot-mode.md) to capture real-time-protection-statistics. Otherwise, you will get null results. 
 
-To troubleshoot and mitigate such issues, follow these steps:
+> [!TIP]
+> As a general best practice, it is recommended to update the [Microsoft Defender for Endpoint agent to latest available version](linux-whatsnew.md) and confirming that the issue still persists before investigating further.
+
+To troubleshoot and mitigate performance issues, follow these steps:
 
 1. Disable real-time protection by using one of the methods in the following table, and then observe whether performance improves. This approach helps narrow down whether Microsoft Defender for Endpoint on macOS is contributing to the performance issues.
 
@@ -59,51 +61,53 @@ To troubleshoot and mitigate such issues, follow these steps:
    | Device isn't managed by organization | **User interface**: Open Microsoft Defender for Endpoint on macOS and navigate to **Manage settings**. |
    | Device isn't managed by organization | **Terminal**: In Terminal, run the following command: `mdatp config real-time-protection --value disabled` |
    | Device is managed by organization | See [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md). |
-
+   
    If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case, contact customer support for further instructions and mitigation.
-
+   
 2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
 
 3. This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
 
    ```bash
    mdatp health --field real_time_protection_enabled
    ```
-
+   
    Verify that the **real_time_protection_enabled** entry is *true*. Otherwise, run the following command to enable it:
-
+   
    ```bash
    mdatp config real-time-protection --value enabled
    ```
-
+   
    ```output
    Configuration property updated
    ```
-
-4. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint on macOS. Run the following command:
+   
+4. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint on macOS. Run the following command to enable it:
 
    ```bash
    mdatp config real-time-protection-statistics --value enabled.
    ```
+   
+   > [!TIP]
+   > Before proceeding to capture the data, make sure that the high cpu utilization is occurring in the wdavdaemon_unprivileged by either running top or opening `activity monitor`.
 
-   This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: 
+5. To output to a json file, run the following command: 
 
    ```bash
    mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json
    ```
-
+   
    > [!NOTE]
    > Using `--output json` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity. 
+6. On your Mac system, download the sample Python parser `high_cpu_parser.py` using the command:
 
-5. On your Mac system, download the sample Python parser `high_cpu_parser.py` using the command:
-
-   ```bash
+      ```bash
    curl -O https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py
    ```
 
-   The output of this command should be similar to the following:
+      The output of this command should be similar to the following:
 
-   ```Output
+      ```Output
    --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.
    mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py
    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx
@@ -115,7 +119,7 @@ To troubleshoot and mitigate such issues, follow these steps:
    0s
    ```
 
-6. Type the following commands:
+7. Type the following commands:
 
    ```bash
    chmod +x high_cpu_parser.py
@@ -141,12 +145,12 @@ To troubleshoot and mitigate such issues, follow these steps:
    125  CrashPlanService 164
    ```
 
-7. To improve the performance of Defender for Endpoint on Mac, locate the one with the highest number under the **Total files scanned** row, and then add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint on macOS](mac-exclusions.md).
+8. To improve the performance of Defender for Endpoint on Mac, locate the one with the highest number under the **Total files scanned** row, and then add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint on macOS](mac-exclusions.md).
 
    > [!NOTE]
    > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
 
-7. Configure Microsoft Defender for Endpoint on macOS with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. 
+9. Configure Microsoft Defender for Endpoint on macOS with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. 
 
    See [Configure and validate exclusions for Microsoft Defender for Endpoint on macOS](mac-exclusions.md).
 
@@ -157,8 +161,4 @@ The Microsoft Defender for Endpoint Client Analyzer (MDECA) can collect traces,
 To run the client analyzer for troubleshooting performance issues, see [Run the client analyzer on macOS and Linux](run-analyzer-macos-linux.md).
 
 > [!NOTE]
->
-> - The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited to) IP addresses, PC names that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
-> - As a general best practice, it is recommended to update the [Microsoft Defender for Endpoint agent to latest available version](linux-whatsnew.md) and confirming that the issue still persists before investigating further.
-
-
+> The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited    to) IP addresses, PC names that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).

defender-office-365/reports-email-security.md

@@ -19,7 +19,7 @@ description: "Admins can learn how to find and use the email security reports th
 ms.custom: 
 - seo-marvel-apr2020
 ms.service: defender-office-365
-ms.date: 4/8/2024
+ms.date: 05/29/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -91,7 +91,7 @@ Select :::image type="icon" source="media/m365-cc-sc-filter-icon.png" border="fa
 
 - **Date (UTC)**: **Start date** and **End date**.
 - **Activity**: **Restricted** or **Suspicious**
-- **Tag**: Select **All** or the specified user tag (including Priority account). For more information, see [User tags](user-tags-about.md).
+- **Tag**: Leave the value **All** or remove it, double-click in the empty box, and then select **Priority account**. For more information about user tags, see [User tags](user-tags-about.md).
 
 When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
 
@@ -992,7 +992,7 @@ For each chart, the details table below the chart shows the following informatio
 Select :::image type="icon" source="media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens:
 
 - **Date (UTC)** **Start date** and **End date**
-- **Tag**: Select **All** or the specified user tag (including Priority account). For more information, see [User tags](user-tags-about.md).
+- **Tag**: Leave the value **All** or remove it, double-click in the empty box, and then select **Priority account**. For more information about user tags, see [User tags](user-tags-about.md).
 
 When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
 

defender-xdr/advanced-hunting-microsoft-defender.md

@@ -112,13 +112,16 @@ For editable queries, more options are available:
 
 To help discover threats and anomalous behaviors in your environment, you can create custom detection policies. 
 
-For analytics rules that apply to data ingested through the connected Microsoft Sentinel workspace, select **Manage rules > Create analytics rule**. 
+For analytics rules that apply to data ingested through the connected Microsoft Sentinel workspace, select **Manage rules > Create analytics rule**.
 
 :::image type="content" source="/defender/media/advanced-hunting-unified-rules.png" alt-text="Screenshot of the options to create custom analytics or detections in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-rules.png":::
 
 The **Analytics rule wizard** appears. Fill up the required details as described in [Analytics rule wizard—General tab](/azure/sentinel/detect-threats-custom#analytics-rule-wizardgeneral-tab).
 
-For custom detection rules that apply to Microsoft Defender XDR data, select **Manage rules > Create custom detection**. Read [Create and manage custom detection rules](custom-detection-rules.md) for more information. 
+You can also create custom detection rules that query data from both Microsoft Sentinel and Defender XDR tables. Select **Manage rules > Create custom detection**. Read [Create and manage custom detection rules](custom-detection-rules.md) for more information. 
+
+If your Defender XDR data is ingested into Microsoft Sentinel, you have the option to choose between **Create custom detection** and **Create analytics rule**.
+
 
 ## Explore results
 
@@ -143,11 +146,14 @@ For Microsoft Defender XDR data, you can take further action by selecting the ch
 
 - The `IdentityInfo table` from [Microsoft Sentinel](/azure/sentinel/ueba-reference#identityinfo-table) isn't available, as the `IdentityInfo` table remains as is in Defender XDR. Microsoft Sentinel features like analytics rules that query this table aren't impacted as they're querying the Log Analytics workspace directly.
 - The Microsoft Sentinel `SecurityAlert` table is replaced by `AlertInfo` and `AlertEvidence` tables, which both contain all the data on alerts. While SecurityAlert isn't available in the schema tab, you can still use it in queries using the advanced hunting editor. This provision is made so as not to break existing queries from Microsoft Sentinel that use this table. 
-- Guided hunting mode is supported for Defender XDR data only.
-- Custom detections, links to incidents, and take actions capabilities are supported for Defender XDR data only.
+- Guided hunting mode, links to incidents, and take actions capabilities are supported for Defender XDR data only.
+- Custom detections have the following limitations:
+    - Custom detections are not available for KQL queries that do not include Defender XDR data.
+    - Near real-time detection frequency is not available for detections that include Microsoft Sentinel data. 
+    - Custom functions that were created and saved in Microsoft Sentinel are not supported.
+    - Defining entities from Sentinel data is not yet supported in custom detections.
 - Bookmarks aren't supported in the advanced hunting experience. They're supported in the **Microsoft Sentinel > Threat management > Hunting** feature.
 - If you're streaming Defender XDR tables to Log Analytics, there might be a difference between the`Timestamp` and `TimeGenerated` columns. In case the data arrives to Log Analytics after 48 hours, it's being overridden upon ingestion to `now()`. Therefore, to get the actual time the event happened, we recommend relying on the `Timestamp` column.
-- The Microsoft Graph API for running an advanced hunting query doesn't support querying data from Microsoft Sentinel yet.
 - When prompting [Copilot for Security](advanced-hunting-security-copilot.md) for advanced hunting queries, you might find that not all Microsoft Sentinel tables are currently supported. However, support for these tables can be expected in the future.
 
 

defender-xdr/automatic-attack-disruption.md

@@ -18,7 +18,7 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 02/21/2024
+ms.date: 05/29/2024
 ---
 
 # Automatic attack disruption in Microsoft Defender XDR
@@ -71,7 +71,7 @@ Automatic attack disruption uses Microsoft-based XDR response actions. Examples
 
 For more information, see [remediation actions](m365d-remediation-actions.md) in Microsoft Defender XDR.
 
-### Automated response actions for SAP with Microsoft Sentinel (Preview)
+### Automated response actions for SAP with Microsoft Sentinel
 
 If you're using the [unified security operations platform](microsoft-sentinel-onboard.md) and you deployed the Microsoft Sentinel solution for SAP applications, you can also deploy automatic attack disruption for SAP.
 

defender-xdr/entity-page-device.md

@@ -314,6 +314,6 @@ Response actions run along the top of a specific device page and include:
 - [User entity page in Microsoft Defender](investigate-users.md)
 - [IP address entity page in Microsoft Defender](entity-page-ip.md)
 - [Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-integration-with-azure-sentinel.md)
-- [Connect Microsoft Sentinel to Microsoft Defender XDR (preview)](microsoft-sentinel-onboard.md)
+- [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/entity-page-ip.md

@@ -127,5 +127,5 @@ Response actions run along the top of a specific IP entity page and include:
 - [Device entity page in Microsoft Defender](entity-page-device.md)
 - [User entity page in Microsoft Defender](investigate-users.md)
 - [Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-integration-with-azure-sentinel.md)
-- [Connect Microsoft Sentinel to Microsoft Defender XDR (preview)](microsoft-sentinel-onboard.md)
+- [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md)
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]