Merge pull request #1736 from MicrosoftDocs/main

padmagit77 · web-flow · commit 6f84c36b5f01 · 2024-10-29T22:58:00.000+05:30
Publish main to live, Tuesday 10:30 AM PST, 10/29
diff --git a/CloudAppSecurityDocs/release-notes.md b/CloudAppSecurityDocs/release-notes.md
@@ -20,6 +20,30 @@ For more information on what's new with other Microsoft Defender security produc
 For news about earlier releases, see [Archive of past updates for Microsoft Defender for Cloud Apps](release-note-archive.md).
 
 
+## October 2024
+
+### New anomaly data in advanced hunting CloudAppEvents table
+
+Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal, can now utilize the new *LastSeenForUser* and *UncommonForUser* columns for queries and detections rules.  
+The new columns are designed to assist you to better __identify uncommon activities__ that may appear suspicious, and allow you to create more accurate custom detections, as well as investigate any suspicious activities that arise.
+
+For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
+
+### New Conditional Access app control / inline data in advanced hunting CloudAppEvents table
+
+Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new *AuditSource* and *SessionData* columns for queries and detection rules.   
+Using this data allows for queries that consider specific audit sources, including access and session control, and queries by specific inline sessions.
+
+For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
+
+### New data in advanced hunting CloudAppEvents table - OAuthAppId
+
+Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new _OAuthAppId_ column for queries and detection rules.
+
+Using _OAuthAppId_ allows the queries that consider specific OAuth applications, making queries and detection rules more accurate.
+
+For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
+
 ## September 2024
 
 ### Enforce Edge in-browser when accessing business apps
@@ -28,7 +52,7 @@ Administrators who understand the power of Edge in-browser protection, can now r
 A primary reason is security, since the barrier to circumventing session controls using Edge is much higher than with reverse proxy technology.
 
 For more information see: 
-[Enforce Edge in-browser protection when accessing business apps](https://learn.microsoft.com/defender-cloud-apps/in-browser-protection#enforce-edge-in-browser-when-accessing-business-apps)
+[Enforce Edge in-browser protection when accessing business apps](/defender-cloud-apps/in-browser-protection)
 
 ### Connect Mural to Defender for Cloud Apps (Preview)
 
@@ -146,7 +170,7 @@ Microsoft Defender for Cloud Apps log collector now supports [Azure Kubernetes S
 
 For more information, see [Configure automatic log upload using Docker on Azure Kubernetes Service (AKS)](discovery-kubernetes.md).
 
-### New Conditional Access app control / inline data for the advanced hunting CloudAppEvents table
+### New Conditional Access app control / inline data for the advanced hunting CloudAppEvents table (Preview)
 
 Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new *AuditSource* and *SessionData* columns for queries and detection rules. Using this data allows for queries that consider specific audit sources, including access and session control, and queries by specific inline sessions.
 
@@ -224,7 +248,7 @@ Automatic log collection is supported using a Docker container on multiple opera
 
 For more information, see [Configure automatic log upload using Podman](discovery-linux-podman.md).
 
-### New anomaly data for the advanced hunting CloudAppEvents table
+### New anomaly data for the advanced hunting CloudAppEvents table (Preview)
 
 Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new *LastSeenForUser* and *UncommonForUser* columns for queries and detections rules. Using this data helps to rule out false positives and find anomalies.
 
diff --git a/defender-office-365/attack-simulation-training-get-started.md b/defender-office-365/attack-simulation-training-get-started.md
@@ -102,7 +102,7 @@ The following social engineering techniques are available:
 
 - **How-to Guide**: A teaching guide that contains instructions for users (for example, how to report phishing messages).
 
-<sup>\*</sup> The link can be a URL or a QR code. QR code support in Attack simulation training is currently in preview.
+<sup>\*</sup> The link can be a URL or a QR code.
 
 The URLs that are used by Attack simulation training are listed in the following table:
 
@@ -180,9 +180,6 @@ In simulations that use **Credential Harvest** or **Link in Attachment** social
 
 The best training experience for simulated phishing messages is to make them as close as possible to real phishing attacks that your organization might experience. What if you could capture and use harmless versions of real-world phishing messages that were detected in Microsoft 365 and use them in simulated phishing campaigns? You can, with _payload automations_ (also known as _payload harvesting_). To create payload automations, see [Payload automations for Attack simulation training](attack-simulation-training-payload-automations.md).
 
-> [!TIP]
-> QR code payloads are currently in Preview, aren't available in all organizations, and are subject to change.
-
 Attack simulation training also supports using QR codes in payloads. You can choose from the list of built-in QR code payloads, or you can create custom QR code payloads. For more information, see [QR code payloads in Attack simulation training](attack-simulation-training-payloads.md#qr-code-payloads).
 
 ### Reports and insights
diff --git a/defender-office-365/attack-simulation-training-insights.md b/defender-office-365/attack-simulation-training-insights.md
@@ -281,9 +281,6 @@ For more information about the **Users** and **Details** tabs, see the following
 
 ### Reporting for QR code simulations
 
-> [!TIP]
-> QR code payloads are currently in Preview, aren't available in all organizations, and are subject to change.
-
 You can select QR code payloads to use in simulations. The QR code replaces the phishing URL as the payload that's used in the simulation email message. For more information, see [QR code payloads](attack-simulation-training-payloads.md#qr-code-payloads).
 
 Because QR codes are a different type of a phishing URL, user events around read, delete, compromise, and click events remain the same. For example, scanning the QR code opens the phishing URL, so the event is tracked as a click event. The existing mechanisms for tracking compromise, deletes, and report events remain the same.
@@ -426,7 +423,7 @@ When you export information from the reports, the CSV file contains more informa
 |EmailLinkClicked_Browser|The web browser that was used to click the link payload in **Credential Harvest**, **Link to Malware**, **Drive-by-url**, and **OAuth Consent Grant** simulations. This information comes from UserAgent.|
 |EmailLinkClicked_IP|The IP address where the link payload was clicked in **Credential Harvest**, **Link to Malware**, **Drive-by-url**, and **OAuth Consent Grant** simulations. This information comes from UserAgent.|
 |EmailLinkClicked_Device|The device where the link payload was clicked in **Credential Harvest**, **Link to Malware**, **Drive-by-url**, and **OAuth Consent Grant** simulations. This information comes from UserAgent.|
-|EmailLinkClicked_ClickSource|Whether the payload link was selected by clicking on a URL or scanning a QR Code in **Credential Harvest**, **Link to Malware**, **Drive-by-url**, and **OAuth Consent Grant** simulations. Values are `PhishingURL` or `QRCode`. QR code support is currently in Preview.|
+|EmailLinkClicked_ClickSource|Whether the payload link was selected by clicking on a URL or scanning a QR Code in **Credential Harvest**, **Link to Malware**, **Drive-by-url**, and **OAuth Consent Grant** simulations. Values are `PhishingURL` or `QRCode`.|
 |CredSupplied_TimeStamp(Compromised)|When the user entered their credentials.|
 |CredSupplied_Browser|The web browser that was used when the user entered their credentials. This information comes from UserAgent.|
 |CredSupplied_IP|The IP address where the user entered their credentials. This information comes from UserAgent.|
@@ -472,7 +469,7 @@ How user activity signals are captured is described in the following table.
 |Deleted message|The user deleted the message.|The signal comes from the Outlook activity of the user. If the user reports the message as phishing, the message might be moved to the Deleted Items folder, which is identified as a deletion.|
 |Permissions granted|The user shared permissions in an **OAuth Consent Grant** simulation.||
 
-¹ The clicked link can be a selected URL or a scanned QR code (QR code support in Attack simulation training is currently in Preview).
+¹ The clicked link can be a selected URL or a scanned QR code.
 
 ## Related Links
 
diff --git a/defender-office-365/attack-simulation-training-payloads.md b/defender-office-365/attack-simulation-training-payloads.md
@@ -22,7 +22,7 @@ appliesto:
 
 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
 
-In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, a _payload_ is the link, QR code (currently in Preview), or attachment in the simulated phishing email message that's presented to users. Attack simulation training offers a robust built-in payload catalog for the available social engineering techniques. However, you might want to create custom payloads that work better for your organization.
+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, a _payload_ is the link, QR code, or attachment in the simulated phishing email message that's presented to users. Attack simulation training offers a robust built-in payload catalog for the available social engineering techniques. However, you might want to create custom payloads that work better for your organization.
 
 For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
 
@@ -133,9 +133,6 @@ To see payloads that have been archived (the **Status** value is **Archive**), u
 
 ## QR code payloads
 
-> [!TIP]
-> QR code payloads are currently in Preview, aren't available in all organizations, and are subject to change.
-
 On the **Global payloads** tab of **Content library** \> **Payloads** at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=global>, you can see the built-in, unmodifiable QR code payloads by typing **QR** in the :::image type="icon" source="media/m365-cc-sc-search-icon.png" border="false"::: **Search** box, and then pressing the ENTER key.
 
 QR code payloads are available in five languages to address real-world scenarios that involve QR code attacks.
@@ -178,7 +175,7 @@ You can also create custom payloads that use QR codes as phishing links as descr
    - **OAuth Consent Grant**<sup>\*</sup>
    - **How-to Guide**
 
-   <sup>\*</sup> This social engineering technique allows you to use QR codes (currently in Preview).
+   <sup>\*</sup> This social engineering technique allows you to use QR codes.
 
    For more information about the different social engineering techniques, see [Simulations](attack-simulation-training-get-started.md#simulations).
 
@@ -239,7 +236,7 @@ You can also create custom payloads that use QR codes as phishing links as descr
        - **Text** tab: A rich text editor is available to create the payload. To see the typical font and formatting settings, toggle **Formatting controls** to :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **On**.
 
          > [!TIP]
-         > The **Formatting controls** bar contains an **Insert QR code** action that you can use instead of selecting **Insert QR code** control from the **Dynamic tag** dropdown list for applicable social engineering techniques (currently in Preview):
+         > The **Formatting controls** bar contains an **Insert QR code** action that you can use instead of selecting **Insert QR code** control from the **Dynamic tag** dropdown list for applicable social engineering techniques:
          >
          > :::image type="content" source="media/attack-sim-training-payloads-formatting-controls-insert-qr-code.png" alt-text="The Insert QR code action in the formatting controls on the Configure payload page of the new payload creation wizard.":::
          >
@@ -262,7 +259,7 @@ You can also create custom payloads that use QR codes as phishing links as descr
             |**Insert City**|`${city}`|
             |**Insert Date**|`${date|MM/dd/yyyy|offset}`|
 
-         - The **Insert QR code** control (currently in Preview) is available only in the **Credential Harvest**, **Drive-by URL**, **OAuth Consent Grant**, or **How-to Guide** techniques.
+         - The **Insert QR code** control is available only in the **Credential Harvest**, **Drive-by URL**, **OAuth Consent Grant**, or **How-to Guide** techniques.
 
            Instead of using a link as the phishing payload in the message, you can use a QR code. Selecting the **Insert QR code** control opens the **Insert QR code** flyout where you configure the following information:
 
diff --git a/defender-office-365/attack-simulation-training-simulations.md b/defender-office-365/attack-simulation-training-simulations.md
@@ -54,7 +54,7 @@ On the **Select technique** page, select an available social engineering techniq
 - **OAuth Consent Grant**<sup>\*</sup>
 - **How-to Guide**<sup>\*</sup>
 
-<sup>\*</sup> This social engineering technique allows you to use QR codes (currently in Preview). For more information, see the [QR code simulations and training](#qr-code-simulations-and-training) section later in this article.
+<sup>\*</sup> This social engineering technique allows you to use QR codes. For more information, see the [QR code simulations and training](#qr-code-simulations-and-training) section later in this article.
 
 If you select the **View details** link in the description, a details flyout opens that describes the technique and the simulation steps that result from the technique.
 
@@ -632,9 +632,6 @@ Back on the **Simulations** tab, the simulation that you created is now listed.
 
 ## QR code simulations and training
 
-> [!TIP]
-> QR code payloads are currently in Preview, aren't available in all organizations, and are subject to change.
-
 You can select payloads with QR codes to use in simulations. The QR code replaces the phishing URL as the payload that's used in the simulation email message in the following social engineering techniques:
 
 - **Credential Harvest**
