Merge branch 'main' into maccruz-queryexp

Author: padmagit77

CloudAppSecurityDocs/troubleshooting-cloud-discovery.md

@@ -1,7 +1,7 @@
 ---
 title: Troubleshooting cloud discovery errors 
 description: This article provides a list of cloud discovery frequent errors and resolution recommendations for each.
-ms.date: 05/15/2024
+ms.date: 02/19/2025
 ms.topic: conceptual
 ---
 # Troubleshooting cloud discovery errors
@@ -18,7 +18,7 @@ If you integrated Microsoft Defender for Endpoint with Defender for Cloud Apps,
 
 |Issue|Resolution|
 |----|----|
-|**Defender-managed endpoints** reports do not appear in the list|Make sure the devices you're connecting to are Windows 10 version 1809 or later, and that you waited the necessary two hours that it takes before your data is accessible.|
+|**Defender-managed endpoints** reports don't appear in the list|Make sure the devices you're connecting to are Windows 10 version 1809 or later, and that you waited the necessary two hours that it takes before your data is accessible.|
 |**Discovery reports are empty** |If the endpoint device is behind a forward proxy, you can send logs from your forward proxy using a log collector|
 
 ## Log parsing errors
@@ -39,11 +39,11 @@ You can track the processing of cloud discovery logs using the governance log. T
 
 |Issue|Resolution|
 |----|----|
-|Couldn't connect to the log collector over FTP| 1. Verify that you're using FTP credentials and not SSH credentials. <br />2. Verify that the FTP client you are using is not set to SFTP.  |
+|Couldn't connect to the log collector over FTP| 1. Verify that you're using FTP credentials and not SSH credentials. <br />2. Verify that the FTP client you're using isn't set to SFTP (Secure File Transfer Protocol).  |
 |Failed updating collector configuration | 1. Verify that you entered the latest access token. <br />2. Verify in your firewall that the log collector is allowed to initiate outbound traffic on port 443.|
-|Logs sent to the collector do not appear in the portal | 1.  Check to see if there are failed parsing tasks in the Governance log.  <br />  &nbsp;&nbsp;&nbsp;&nbsp;If so, troubleshoot the error with the Log Parsing error table above.<br /> 2. If not, check the data sources and Log collector configuration in the portal. <br /> &nbsp;&nbsp;&nbsp;&nbsp;a. In the Data source page, verify that the name of data source is **NSS** and that it is configured correctly. <br />&nbsp;&nbsp;&nbsp;&nbsp;b. In the Log collectors page, verify that the data source is linked to the right log collector. <br /> 3. Check the local configuration of the on-premises log collector machine.  <br />&nbsp;&nbsp;&nbsp;&nbsp;a. Log in to the log collector over SSH and run the collector_config utility.<br/>&nbsp;&nbsp;&nbsp;&nbsp;b. Confirm that your firewall or proxy is sending logs to the log collector using the protocol you defined (Syslog/TCP, Syslog/UDP or FTP) and that it's sending them to the correct port and directory.<br /> &nbsp;&nbsp;&nbsp;&nbsp;c. Run netstat on the machine and verify that it receives incoming connections from your firewall or proxy <br /> 4.   Verify that the log collector is allowed to initiate outbound traffic on port 443. |
-|Log collector status: Created | The log collector deployment was not completed. Complete the on-premises deployment steps according to the deployment guide.|
-|Log collector status: Disconnected | No data received in the last 24 hours from any of the linked data sources. |
+|Logs sent to the collector don't appear in the portal | 1. Check to see if there are failed parsing tasks in the Governance log.  <br />  &nbsp;&nbsp;&nbsp;&nbsp;If so, troubleshoot the error with the Log Parsing error table above.<br /> 2. If not, check the data sources and Log collector configuration in the portal. <br /> &nbsp;&nbsp;&nbsp;&nbsp;a. In the Data source page, verify that the name of data source is **NSS** and that it's configured correctly. <br />&nbsp;&nbsp;&nbsp;&nbsp;b. In the Log collectors page, verify that the data source is linked to the right log collector. <br /> 3. Check the local configuration of the on-premises log collector machine.  <br />&nbsp;&nbsp;&nbsp;&nbsp;a. Log in to the log collector over SSH and run the collector_config utility.<br/>&nbsp;&nbsp;&nbsp;&nbsp;b. Confirm that your firewall or proxy is sending logs to the log collector using the protocol you defined (Syslog/TCP, Syslog/UDP, or FTP) and that it's sending them to the correct port and directory.<br /> &nbsp;&nbsp;&nbsp;&nbsp;c. Run netstat on the machine and verify that it receives incoming connections from your firewall or proxy <br /> 4.   Verify that the log collector is allowed to initiate outbound traffic on port 443. |
+|Log collector status: Created | The log collector deployment wasn't completed. Complete the on-premises deployment steps according to the deployment guide.|
+|Log collector status: Disconnected | If you see this issue, it means no data has been received in the last 24 hours from any of the linked data sources. Contact Microsoft Defender for Cloud Apps support and provide the log files for investigation. Our team analyzes the logs to identify when the last sync occurred and what caused the disconnection. |
 |Failed pulling latest collector image| If you get this error during Docker deployment, it could be that you don't have enough memory on the host. To check this, run this command on the host: `docker pull mcr.microsoft.com/mcas/logcollector`. If it returns this error: `failed to register layer: Error processing tar file(exist status 1): write /opt/jdk/jdk1.8.0_152/src.zip: no space left on device` contact your host machine administrator to provide more space.|
 
 ## Discovery dashboard errors

defender-xdr/advanced-hunting-datasecuritybehaviors-table.md

@@ -47,12 +47,12 @@ For information on other tables in the advanced hunting schema, [see the advance
 |-------------|-----------|-------------|
 |`Timestamp` | `datetime`	| Date and time when the record was generated or updated |
 |`BehaviorId` | `string` | Unique identifier for the behavior |
-|`ActionType`|	`string`|Type of behavior. Refer to the catalog of behaviors detected by Microsoft Purview Insider Risk Management |
+|`ActionType`|	`string`|Type of behavior. Refer to the catalog of behaviors detected by Microsoft Purview Insider Risk Management. |
 |`StartTime`|	`datetime`	|Date and time of the first activity related to the behavior|
 |`EndTime`|	`datetime`|	Date and time of the last activity related to the behavior|
 |`AttackTechniques`|	`string`|	MITRE ATT&CK techniques associated with the activity that triggered the behavior. Refer to subtechniques in the insider risk management behavior catalog.|
 |`Categories`|	`string`|	Type of threat indicator or breach activity identified by the behavior|
-|`ActivityType`|	`enum`|	Activity category based on categories in Microsoft Purview Insider Risk Management|
+|`ActionCategory`|	`enum`|	Category of action that triggered the event |
 |`Description`|	`string`|	Description of the behavior|
 |`ServiceSource`|	`string`|	Product or service that identified the behavior|
 |`DetectionSource`|	`string`|	Detection technology or sensor that identified the notable component or activity|

defender-xdr/advanced-hunting-datasecurityevents-table.md

@@ -50,7 +50,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 |`DlpPolicyMatchInfo`|	`string`|	Information around the list of data loss prevention (DLP) policies matching this event|
 |`DlpPolicyEnforcementMode`|	`int`|	Indicates the Data Loss Prevention policy that was enforced; value can be: 0 (None), 1 (Audit), 2 (Warn), 3 (Warn and bypass), 4 (Block), 5 (Allow)|
 |`DlpPolicyRuleMatchInfo`|	`dynamic`|	Details of the data loss prevention (DLP)  rules that matched with this event; in JSON array format|
-|`FileRenameInfo`|`string`|	Details of the file (file name and extension) prior to this event|
+|`FileRenameInfo`|`string`|	Details of the file (file name and extension) before this event|
 |`PhysicalAccessPointId`|	`string`|	Unique identifier for the physical access point|
 |`PhysicalAccessPointName`|	`string`|	Name of the physical access point|
 |`PhysicalAccessStatus`	|`string`|	Status of physical access, whether it succeeded or failed|
@@ -67,7 +67,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 |`Department`|`string`|	Name of the department that the account user belongs to|
 |`SourceCodeInfo`|	`string`|	Details of the source code repository involved in the event|
 |`CcPolicyMatchInfo`|	`dynamic` | Details of the Communications Compliance policy matches for this event; in JSON array format |
-|`IPAddress`|	`string`|	IP addresses of the clients on which the activity was performed; can contain multiple Ips if related to Microsoft Defender for Cloud Apps alerts|
+|`IPAddress`|	`string`|	IP addresses of the clients on which the activity was performed; can contain multiple IPs if related to Microsoft Defender for Cloud Apps alerts|
 |`Timestamp`|	`datetime`|	Date and time when the event was recorded|
 |`DeviceSourceLocationType`|	`int`|	Indicates the type of location where the endpoint signals originated from; values can be: 0 (Unknown), 1 (Local), 2 (Remote), 3 (Removable), 4 (Cloud), 5 (File share)|
 |`DeviceDestinationLocationType`|	`int`|	Indicates the type of location where the endpoint signals connected to; values can be: 0 (Unknown), 1 (Local), 2 (Remote), 3 (Removable), 4 (Cloud), 5 (File share)|
@@ -82,8 +82,8 @@ For information on other tables in the advanced hunting schema, [see the advance
 |`InternetMessageId`|`string`	|Public-facing identifier for the email or Teams message that is set by the sending email system |
 |`NetworkMessageId`|	`guid`|	Unique identifier for the email, generated by Microsoft 365 |
 |`EmailSubject`|	`string`|	Subject of the email|
-|`ObjectId`|	`string`	|Unique identifier of the object that the recorded action was applied to, in case of files it includes the extension|
-|`ObjectName`|	`string`|	Name of the object that the recorded action was applied to, in case of files it includes the extension|
+|`ObjectId`|	`string`	|Unique identifier of the object that the recorded action was applied to, in case of files, it includes the extension|
+|`ObjectName`|	`string`|	Name of the object that the recorded action was applied to, in case of files, it includes the extension|
 |`ObjectType`|	`string`|	Type of object, such as a file or a folder, that the recorded action was applied to|
 |`ObjectSize`|	`int`|	Size of the object in bytes|
 |`IsHidden`|	`bool`|	Indicates whether the user has marked the content as hidden (True) or not (False) |
@@ -102,6 +102,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 |`Workload`|`string`|	The Microsoft 365 service where the event occurred|
 |`IrmActionCategory`|	`enum`|	A unique enumeration value indicating the activity category in Microsoft Purview Insider Risk Management|
 |`SequenceCorrelationId`|`string`	|Details of the sequence activity|
+|`CloudAppAlertId`|`string`	| Unique identifier for the alert in Microsoft Defender for Cloud Apps |
 
 
 ## Related articles

defender-xdr/autoad-results.md

@@ -9,7 +9,7 @@ ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
 ms.date: 06/19/2024
-manager: dansimp
+manager: deniseb
 audience: ITPro
 ms.collection: 
 - m365-security
@@ -19,15 +19,14 @@ ms.custom:
 - autoir
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
+appliesto:
+- Microsoft Defender XDR
 ---
 
 # Details and results of an automatic attack disruption action
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- Microsoft Defender XDR
-
 When an automatic attack disruption triggers in Microsoft Defender XDR, the details about the risk and the containment status of compromised assets are available during and after the process. You can view the details on the incident page, which provides the full details of the attack and the up-to-date status of associated assets.
 
 ## Review the incident graph
@@ -58,16 +57,18 @@ You can use specific queries in [advanced hunting](advanced-hunting-overview.md)
 Contain actions triggered by attack disruption are found in the [DeviceEvents table](advanced-hunting-deviceevents-table.md) in advanced hunting. Use the following queries to hunt for these specific contain actions:
 
 - Device contain actions:
-```Kusto
-DeviceEvents
-| where ActionType contains "ContainedDevice"
-```
+
+  ```Kusto
+  DeviceEvents
+  | where ActionType contains "ContainedDevice"
+  ```
 
 - User contain actions:
-```Kusto
-DeviceEvents
-| where ActionType contains "ContainedUser"
-```
+
+  ```Kusto
+  DeviceEvents
+  | where ActionType contains "ContainedUser"
+  ```
 
 ### Hunt for disable user account actions
 

defender-xdr/automatic-attack-disruption.md

@@ -7,28 +7,26 @@ f1.keywords:
 ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
-manager: dansimp
+manager: deniseb
 audience: ITPro
 ms.collection: 
   - m365-security
   - tier1
   - usx-security
   - usx-security
-ms.topic: conceptual
+ms.topic: concept-article
 search.appverid: 
   - MOE150
   - MET150
 ms.date: 09/11/2024
+appliesto:
+  - Microsoft Defender XDR
 ---
 
 # Automatic attack disruption in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-
 Microsoft Defender XDR correlates millions of individual signals to identify active ransomware campaigns or other sophisticated attacks in the environment with high confidence. While an attack is in progress, Defender XDR disrupts the attack by automatically containing compromised assets that the attacker is using through automatic attack disruption.
 
 Automatic attack disruption limits lateral movement early on and reduces the overall impact of an attack, from associated costs to loss of productivity. At the same time, it leaves security operations teams in complete control of investigating, remediating, and bringing assets back online.
@@ -105,7 +103,7 @@ The Defender XDR user experience now includes additional visual cues to ensure v
 
     - A tag titled *Attack Disruption* appears next to affected incidents
 
-1. On the incident page:
+2. On the incident page:
 
     - A tag titled *Attack Disruption*
     - A yellow banner at the top of the page that highlights the automatic action taken
@@ -121,7 +119,7 @@ For more information, see [view attack disruption details and results](autoad-re
 
 ## Next steps
 
-- [Configuring automatic attack disruption in Microsoft Defender XDR](configure-attack-disruption.md)
+- [Configure automatic attack disruption](configure-attack-disruption.md)
 - [View details and results](autoad-results.md)
 - [Get email notifications for response actions](m365d-response-actions-notifications.md)
 

defender-xdr/configure-deception.md

@@ -1,6 +1,6 @@
 ---
 title: Configure the deception capability in Microsoft Defender XDR
-description: Learn how to create, edit, and delete deception rules in Microsoft Defender XDR.
+description: Learn how to create, edit, and delete deception rules in the Microsoft Defender portal.
 ms.service: defender-xdr
 f1.keywords: 
 - NOCSH
@@ -12,21 +12,20 @@ audience: ITPro
 ms.collection: 
 - m365-security
 - tier1
-ms.topic: conceptual
+ms.topic: how-to
 search.appverid: 
 - MOE150
 - MET150
 ms.date: 01/12/2024
+appliesto:
+- Microsoft Defender XDR
+#customer intent: As a security analyst, I want to learn how to configure the deception capability so that I can protect my organization from high-impact attacks that use human-operated lateral movement.
 ---
 
 # Configure the deception capability in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-
 > [!NOTE]
 > The built-in [deception](deception-overview.md) capability in Microsoft Defender XDR covers all Windows clients onboarded to Microsoft Defender for Endpoint. Learn how to onboard clients to Defender for Endpoint in [Onboard to Microsoft Defender for Endpoint](/defender-endpoint/onboarding).
 

defender-xdr/custom-detection-rules.md

@@ -123,11 +123,11 @@ With the query in the query editor, select **Create detection rule** and specify
 
 - **Detection name** - Name of the detection rule; should be unique
 - **Frequency** -Interval for running the query and taking action. [See more guidance in the rule frequency section](#rule-frequency)
-- **Alert title** - Title displayed with alerts triggered by the rule; should be unique.
+- **Alert title** - Title displayed with alerts triggered by the rule; should be unique and in plaintext. Strings are sanitized for security purposes so HTML, Makrdown, and other code won't work.
 - **Severity** - Potential risk of the component or activity identified by the rule.
 - **Category** - Threat component or activity identified by the rule.
 - **MITRE ATT&CK techniques** - One or more attack techniques identified by the rule as documented in the [MITRE ATT&CK framework](https://attack.mitre.org/). This section is hidden for certain alert categories, including malware, ransomware, suspicious activity, and unwanted software.
-- **Description** - More information about the component or activity identified by the rule.
+- **Description** - More information about the component or activity identified by the rule. Strings are sanitized for security purposes so HTML, Makrdown, and other code won't work.
 - **Recommended actions** - Additional actions that responders might take in response to an alert.
 
 #### Rule frequency