defender-xdr/before-you-begin-xdr.md (1 addition & 1 deletion)
@@ -63,7 +63,7 @@ The following product isn't covered by this service:
63
63
64
64
To enable the Defender Experts for Severs coverage, Defender for Servers Plan 1 or Plan 2 in Defender for Cloud must be enabled. Endpoint protection should also be turned on for both Windows and Linux devices that allow protection powered by Defender for Endpoint, including automatic agent deployment to your servers, and security data integration with Defender for Cloud.
65
65
66
-
Depending on the coverage you're looking for, you can enable the Defender for Servers plan for an Microsoft Azure subscription, Amazon Web Services account, or Google Cloud Platform project.
66
+
Depending on the coverage you're looking for, you can enable the Defender for Servers plan for a Microsoft Azure subscription, Amazon Web Services account, or Google Cloud Platform project.
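Review bot: the unchanged context line just above this change still reads "Defender Experts for Severs coverage"; since the hunk is already correcting wording in the same paragraph, fix "Severs" to "Servers" here as well rather than leaving the product name misspelled on the page that describes that exact add-on. The change itself ("an Microsoft Azure subscription" to "a Microsoft Azure subscription") is correct.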
> Microsoft Defender Experts for XDR is sold separately from other Microsoft Defender XDR products. If you're a Microsoft Defender XDR customer and are interested in purchasing Defender Experts for XDR and the cloud workload add-on, please complete this [customer interest form](https://aka.ms/IWantDefenderExperts).
30
+
> Microsoft Defender Experts for XDR is sold separately from other Microsoft Defender XDR products. If you're a Microsoft Defender XDR customer and are interested in purchasing Defender Experts for XDR and the cloud workload add-on, complete this [customer interest form](https://aka.ms/IWantDefenderExperts).
31
31
32
32
> [!NOTE]
33
33
> Any incident response services offered by Defender Experts will be offered under the Defender Experts Service Terms.
34
34
35
-
**Microsoft Defender Experts for XDR** is a managed extended detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use Microsoft Defender XDR services: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Entra ID. The service also offers an add-on service, **Microsoft Defender Experts for Servers**, which provides coverage for cloud workloads, beginning with on-premises and multi-cloud servers protected by Microsoft Defender for Cloud.
35
+
**Microsoft Defender Experts for XDR** is a managed extended detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use Microsoft Defender XDR services: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Entra ID. It also offers an add-on service, **Microsoft Defender Experts for Servers**, which provides coverage for cloud workloads, beginning with on-premises and multicloud servers protected by Microsoft Defender for Cloud.
36
36
37
37
Defender Experts for XDR augments your SOC by combining automation and Microsoft's security analyst expertise. This combination helps you detect and respond to threats with confidence and improve your security posture. With deep product expertise powered by threat intelligence, we're uniquely positioned to help you:
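Review bot: "The service also offers an add-on service" was changed to "It also offers an add-on service", but the preceding sentence ends with a list of five products (Microsoft Defender for Endpoint through Microsoft Entra ID), so "It" now sits directly after that list and can be read as one of those products offering the add-on; keep "The service" (or "Defender Experts for XDR") as the subject. The other edits in this hunk, dropping "please" from the interest-form sentence and spelling "multicloud" as one word, are fine.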
The following section lists down questions you or your SOC team might have regarding Micorosft Defender Experts coverage for cloud workloads.
28
+
The following section lists down questions you or your SOC team might have regarding Microsoft Defender Experts coverage for servers and cloud workloads.
29
29
30
30
| Questions | Answers |
31
31
|---------|---------|
32
-
|**What is Managed response?**| Microsoft Defender Experts for XDR offers **Managed response** where our experts manage the entire remediation process for incidents that require them. This process includes investigating the incident to identify the root cause, determining the required response actions, and taking those actions on your behalf.|
33
-
|**What actions are in scope for Managed response?**| All actions found below are in scope for Managed response for any device and user that isn't excluded.<br><br>*For devices**(Available now)*<ul><li>Isolate machine<br><li>Release machine from isolation<br><li>Stop and quarantine file<br><li>Restrict app execution<br><li>Remove app restriction</ul><br>*For users (Available now)*<ul><li>Disable user<br><li>Enable user</ul><br>*For users (Coming soon)*<ul><li>Revoke refresh token<br><li>Soft delete emails</ul> |
34
-
|**Can I customize the extent of Managed response?**| You can configure the extent to which our experts do Managed response actions on your behalf by excluding certain devices and users (individually or by groups) either during onboarding or later by modifying your service's settings. [Read more about excluding device groups](get-started-xdr.md#exclude-devices-and-users-from-remediation)|
35
-
|**What support do Defender Experts offer for excluded assets?**| If our experts determine that you need to perform response actions on excluded devices or users, we notify you through various customizable methods and direct you to your Microsoft Defender XDR portal. From your portal, you can then view a detailed summary of our investigation process and the required response actions in the portal and perform these required actions directly. Similar capabilities are also available through Defender APIs, in case you prefer using a security information and event management (SIEM), IT service management (ITSM), or any other third-party tool. |
36
-
|**How am I going to be informed about the response actions?**| Response actions that our experts have completed on your behalf and any pending ones that you need to perform on your excluded assets are displayed in the **Managed response** panel in your Defender portal's **Incidents** page. <br><br>In addition, you'll also receive an email containing a link to the incident and instructions to view the Managed response in the portal. Moreover, if you have integration with Microsoft Sentinel or APIs, you'll also be notified within those tools by looking for Defender Experts statuses. For more information, see [FAQs related to Microsoft Defender Experts for XDR incident notifications](faq-incident-notifications-xdr.md).|
37
-
|**Can I customize Managed response based on actions?**| No. If you have devices or users that are considered high-value or sensitive, you can add them to your exclusion list. Our experts will NOT take any action on them and will only provide guidance if they're impacted by an incident.|
32
+
|**What does the server and cloud workload coverage add-on mean for the Microsoft Defender Experts service? Can I purchase this coverage only?**| The server and cloud coverage service, called **Microsoft Defender Experts for Servers** and **Microsoft Defender Experts for Hunting – Servers**, is only available as an add-on to existing [Microsoft Defender Experts for XDR](dex-xdr-overview.md) and [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md) customers, respectively. To avail of this add-on, you need at least one Defender Experts for XDR or Defender Experts for Hunting license to enable coverage of all your servers in Microsoft Defender for Cloud.|
33
+
|**Can I configure which servers the Defender Experts will cover?**| This add-on service covers **all** your servers in your tenant that have [Defender for Servers](/azure/defender-for-cloud/defender-for-servers-overview) protection enabled in Defender for Cloud. |
34
+
|**Do the Defender Experts investigate all Defender for Servers alerts**| There are some Defender for Servers alerts that our analysts aren't able to investigate. Currently, DNS alerts are out of scope due to limited data available for investigation. |
35
+
|**I only have Microsoft Defender Endpoint. How can I get server coverage?**| If you have servers that have Defender for Endpoint deployed on them with a Microsoft Defender for Endpoint for Server license, you can get the server coverage through the Defender Experts for XDR service. The service doesn't cover Microsoft Defender for Cloud workloads. [Learn more](before-you-begin-xdr.md#product-configuration-and-service-coverage)<br><br>If you want coverage for servers in Defender for Cloud, you need to avail the Microsoft Defender Experts for Servers or Defender Experts for Hunting - Servers add-on. |
36
+
38
37
39
38
### See also
40
39
41
-
-[Managed detection and response](managed-detection-and-response-xdr.md)
42
-
-[FAQs related to Microsoft Defender Experts for XDR incident notifications](faq-incident-notifications-xdr.md)
40
+
-[General information on Defender Experts for XDR service](frequently-asked-questions.md)
41
+
-[General information on Microsoft Defender Experts for Hunting service](faq-defender-experts-hunting.md)
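Review bot: the six removed table rows (from **What is Managed response?** through **Can I customize Managed response based on actions?**) together with the removed **See also** links to managed-detection-and-response-xdr.md and faq-incident-notifications-xdr.md drop the only FAQ text on this page that spells out which response actions (isolate machine, stop and quarantine file, disable user, and so on) the experts may take on a customer's behalf and how exclusions limit them; confirm that content still lives on the linked pages before merging, or keep a cross-link to it here, since customers rely on it when deciding what to exclude. In the added rows: the question `**Do the Defender Experts investigate all Defender for Servers alerts**` is missing its question mark, "I only have Microsoft Defender Endpoint" should read "Microsoft Defender for Endpoint", and "To avail of this add-on" / "you need to avail the" read awkwardly and could become "To use this add-on" / "you need to purchase the". The new **See also** entries are written `-[General information on Defender Experts for XDR service]` with no space after the hyphen; if the file really has no space there, they won't render as list items.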
This document applies for Microsoft Defender Experts for XDR and its add-on service, Microsoft Defedner Experts for Servers.
29
+
This document applies for Microsoft Defender Experts for XDR and its add-on service, Microsoft Defender Experts for Servers.
30
30
31
31
For onboarding instructions, check out this short video:
32
32
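Review bot: the added line fixes the "Defedner" typo but keeps "This document applies for Microsoft Defender Experts for XDR"; the idiomatic form is "applies to", so correct both in the same line while it is being touched.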
@@ -55,11 +55,11 @@ You also need to grant our experts one or both of the following permissions:
55
55
> [!IMPORTANT]
56
56
> If you skip providing additional permissions, our experts won't be able to take certain response actions to secure your organization.
57
57
>
58
-
> Even though our experts are granted these relatively powerful permissions, they will only have individual access to specific areas for a limited period. [Learn more about how Defender Experts for XDR permissions work](dex-xdr-permissions.md)
58
+
> Even though our experts are granted these relatively powerful permissions, they'll only have individual access to specific areas for a limited period. [Learn more about how Defender Experts for XDR permissions work](dex-xdr-permissions.md)
59
59
60
60
**To grant our experts permissions:**
61
61
62
-
1. In the same Defender Experts settings setup, under **Permissions**, choose the access level(s) you want to grant our experts.
62
+
1. In the same Defender Experts settings setup, under **Permissions**, choose one or more access levels you want to grant our experts.
63
63
64
64
1. If you wish to [exclude device and user groups](#exclude-devices-and-users-from-remediation) in your organization from remediation actions, select **Manage exclusions**.
65
65
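Review bot: no functional problem in this hunk; replacing "access level(s)" with "one or more access levels" matches the parallel edits to the exclusion steps. One wording nit on the added step: "choose one or more access levels you want to grant our experts" reads better with "that" ("one or more access levels that you want to grant our experts"). The contraction change in the IMPORTANT note ("they'll only have individual access to specific areas for a limited period") leaves the security statement itself unchanged, which is right.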
@@ -75,7 +75,7 @@ Defender Experts for XDR lets you exclude devices and users from remediation act
75
75
76
76
1. In the same Defender Experts settings setup, under **Exclusions**, go to the **Device groups** tab.
77
77
78
-
2. Select **+ Add device groups**, then search for and choose the device group(s) that you wish to exclude.
78
+
2. Select **+ Add device groups**, then search for and choose one or more device groups that you wish to exclude.
79
79
> [!NOTE]
80
80
> This page only lists existing device groups. If you wish to create a new device group, you first need to go to the Defender for Endpoint settings in your Microsoft Defender portal. Then, refresh this page to search for and choose the newly created group. [Learn more about creating device groups](/defender-endpoint/machine-groups)
81
81
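Review bot: the added step still says "device groups that you wish to exclude", and the unchanged NOTE below it says "If you wish to create a new device group"; if the goal of this pass is plain-language cleanup (as the "(s)" removal suggests), "want" is the usual replacement for "wish" and both lines should be aligned in the same change.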
@@ -90,7 +90,7 @@ Defender Experts for XDR lets you exclude devices and users from remediation act
90
90
**To exclude user groups:**
91
91
92
92
1. In the same Defender Experts settings setup, under **Exclusions**, go to the **User groups** tab.
93
-
2. Select **+ Add user groups**, then search for and choose the user group(s) that you wish to exclude.
93
+
2. Select **+ Add user groups**, then search for and choose one or more user groups that you wish to exclude.
94
94
> [!NOTE]
95
95
> This page only lists existing user groups. If you wish to create a new user group, you first need to sign into the Microsoft Entra ID admin center as a Global Administrator. Then, refresh this page to search for and choose the newly created group. [Learn more about creating user groups](/entra/fundamentals/groups-view-azure-portal)
96
96
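Review bot: the added step is fine; the unchanged NOTE that follows it tells the reader to sign in "as a Global Administrator" to create a user group. Creating a security group does not require that role (a directory role scoped to group management is sufficient), so this line recommends more privilege than the task needs; consider rewording it to "with a role that can create groups" while this section is being edited. The portal is also named "Microsoft Entra admin center", not "Microsoft Entra ID admin center".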
@@ -101,7 +101,7 @@ Defender Experts for XDR lets you exclude devices and users from remediation act
101
101
:::image type="content" source="media/exclude-user-groups.png" alt-text="Screenshot to exclude user groups in Defender Experts for XDR." lightbox="media/exclude-user-groups.png":::
102
102
103
103
> [!NOTE]
104
-
> You can only exclude users by adding them to a Microsoft Entra ID security group. On-prem Entra ID users cannot be excluded at this time.
104
+
> You can only exclude users by adding them to a Microsoft Entra ID security group. On-premises Microsoft Entra ID users can't be excluded at this time.
105
105
106
106
To edit or update exclusions after the initial setup, go to **Settings** > **Defender Experts** > **Exclusions**, then go to the **Device groups** or **User groups** tab.
107
107
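Review bot: the new wording "On-premises Microsoft Entra ID users can't be excluded" improves on "On-prem Entra ID users" only in spelling; Microsoft Entra ID is the cloud directory, so "on-premises Entra ID users" does not name a real category of account. If the intent is users synchronized from on-premises Active Directory (hybrid identities), say so explicitly, for example "Users synchronized from on-premises Active Directory can't be excluded at this time", because readers need to know whether the experts' user response actions can still apply to those synced accounts.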
@@ -160,7 +160,7 @@ To edit or update your notification contacts after the initial setup, go to **Se
160
160
Apart from email and [in-portal chat](communicate-defender-experts-xdr.md#in-portal-chat), you also have to option to use Microsoft Teams to receive updates about managed responses and communicate with our experts in real time. When this setting is turned on, a new team named **Defender Experts team** is created, where managed response notifications related to ongoing incidents are sent as new posts in the **Managed response** channel. [Learn more about using Teams chat](communicate-defender-experts-xdr.md#teams-chat)
161
161
162
162
> [!IMPORTANT]
163
-
> Defender Experts will have access to all messages posted on any channel in the created **Defender Experts team**. To prevent Defender Experts from accessing messages in this team, go to **Apps** in Teams then navigate to **Manage your apps** > **Defender Experts** > **Remove**. This removal action cannot be reversed.
163
+
> Defender Experts will have access to all messages posted on any channel in the created **Defender Experts team**. To prevent Defender Experts from accessing messages in this team, go to **Apps** in Teams then navigate to **Manage your apps** > **Defender Experts** > **Remove**. This removal action can't be reversed.
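Review bot: the contraction change is fine, but the unchanged paragraph above this hunk has a typo, "you also have to option to use Microsoft Teams", which should read "the option"; fix it in the same commit since the hunk is adjacent. On the IMPORTANT note itself: it states that removing the Defender Experts app from Teams is irreversible and is the way to stop the experts from reading messages in any channel of the **Defender Experts team**; it would help readers to state what effect that removal has on the Managed response channel notifications described in the paragraph above, so they can weigh losing those notifications against the access they are revoking.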