Merge branch 'main' into maccruz-datasecurity

Author: schmurky

.openpublishing.redirection.defender-xdr.json

@@ -10,7 +10,6 @@
       "redirect_url": "/defender-for-identity/microsoft-365-security-center-mdi",
       "redirect_document_id": false
     },
-
     {
       "source_path": "defender-xdr/eval-create-eval-environment.md",
       "redirect_url": "/defender-xdr/pilot-deploy-overview",
@@ -171,6 +170,31 @@
       "redirect_url": "/defender-xdr/",
       "redirect_document_id": false
     },
+    {
+      "source_path": "defender-xdr/microsoft-threat-actor-naming.md",
+      "redirect_url": "/unified-secops-platform/microsoft-threat-actor-naming",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/malware-naming.md",
+      "redirect_url": "/unified-secops-platform/malware-naming",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/criteria.md",
+      "redirect_url": "/unified-secops-platform/criteria",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/submission-guide.md",
+      "redirect_url": "/unified-secops-platform/submission-guide",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/virus-initiative-criteria.md",
+      "redirect_url": "/unified-secops-platform/virus-initiative-criteria",
+      "redirect_document_id": false
+    },
     {
       "source_path": "defender-xdr/tickets.md",
       "redirect_url": "/defender-xdr/troubleshoot",
@@ -181,10 +205,15 @@
       "redirect_url": "/defender-xdr/troubleshoot",
       "redirect_document_id": false
     },
+    {
+      "source_path": "defender-xdr/portals.md",
+      "redirect_url": "/unified-secops-platform/overview-plan#understand-microsoft-security-portals-and-admin-centers",
+      "redirect_document_id": false
+    },
     {
       "source_path": "defender-xdr/microsoft-sentinel-onboard.md",
       "redirect_url": "/unified-secops-platform/microsoft-sentinel-onboard",
       "redirect_document_id": false
     }
   ]
-}
+}

defender-endpoint/TOC.yml

@@ -234,6 +234,8 @@
               href: mac-troubleshoot-mode.md
             - name: Troubleshoot macOS installation issues
               href: mac-support-install.md
+            - name: Troubleshoot macOS configuration
+              href: mac-support-configuration.md
             - name: Troubleshoot macOS performance issues overview
               href: mac-support-perf-overview.md
               displayName: Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS

defender-endpoint/linux-installer-script.md

@@ -50,7 +50,7 @@ Before you get started, see [Microsoft Defender for Endpoint on Linux](microsoft
 
     4. Select **Download onboarding package**. Save the file as `WindowsDefenderATPOnboardingPackage.zip`.
 
-   :::image type="content" source="media/linux-script-image.png" alt-text="Screenshot showing the options to select to download the onboarding package." lightbox="media/linux-script-image.png":::
+       :::image type="content" source="media/linux-script-image.png" alt-text="Screenshot showing the options to select to download the onboarding package." lightbox="media/linux-script-image.png":::
 
     5. From a command prompt, extract the contents of the archive:
 
@@ -77,19 +77,19 @@ Before you get started, see [Microsoft Defender for Endpoint on Linux](microsoft
    chmod +x mde_installer.sh
    ```
 
-4. Execute the installer script and provide the onboarding package as a parameter to install the agent and onboard the device to the Defender portal.
+1. Execute the installer script and provide the onboarding package as a parameter to install the agent and onboard the device to the Defender portal.
 
    ```bash
-
-   sudo ./mde_installer.sh --install --onboard ~/MicrosoftDefenderATPOnboardingLinuxServer.py --channel prod --min_req -y
-
+   
+   sudo ./mde_installer.sh --install --onboard ./MicrosoftDefenderATPOnboardingLinuxServer.py --channel prod --min_req
+   
    ```
+   
+      This command deploys the latest agent version to the production channel, check for min system requisites and onboard the device to Defender Portal.
 
-   This command deploys the latest agent version to the production channel, check for min system requisites and onboard the device to Defender Portal.
-
-   Additionally you can pass more parameter based on your requirements to modify the installation. Check help for all the available options:
+      Additionally you can pass more parameter based on your requirements to modify the installation. Check help for all the available options:
 
-   ```bash
+      ```bash
 
     ❯ ./mde_installer.sh --help
    mde_installer.sh v0.7.0
@@ -108,7 +108,7 @@ Before you get started, see [Microsoft Defender for Endpoint on Linux](microsoft
    -m|--min_req         enforce minimum requirements
    -x|--skip_conflict   skip conflicting application verification
    -w|--clean           remove repo from package manager for a specific channel
-   -y|--yes             assume yes for all mid-process prompts (default, depracated)
+   -y|--yes             assume yes for all mid-process prompts (default, deprecated)
    -n|--no              remove assume yes sign
    -s|--verbose         verbose output
    -v|--version         print out script version
@@ -124,19 +124,19 @@ Before you get started, see [Microsoft Defender for Endpoint on Linux](microsoft
 
    | Scenario | Command |
    |---|---|
-   | Install a specific agent version | `sudo ~/mde_installer.sh --install --channel prod --onboard ~/MicrosoftDefenderATPOnboardingLinuxServer.py --min_req -y –-mdatp 101.24082.0004 ` |
-   | To upgrade to the latest version | `sudo ~/mde_installer.sh --upgrade -y` |
-   | For upgrading to a specific version | `sudo ~/mde_installer.sh --upgrade -y –-mdatp 101.24082.0004` |
-   | To downgrade to a specific version | `sudo ~/mde_installer.sh --downgrade -y –-mdatp 101.24082.0004` |
-   | To remove `mdatp` | `sudo ~/mde_installer.sh --remove -y` |
-
-
-   > [!NOTE]
-   > Upgrading your operating system to a new major version after the product installation requires the product to be reinstalled. You need to uninstall the existing Defender for Endpoint on Linux, upgrade the operating system, and then reconfigure Defender for Endpoint on Linux.
+   |Install a specific agent version | `sudo ./mde_installer.sh --install --channel prod --onboard ./MicrosoftDefenderATPOnboardingLinuxServer.py --min_req –-mdatp 101.24082.0004 ` |
+   |Upgrade to the latest agent version | `sudo ./mde_installer.sh --upgrade` |
+   |Upgrade to a specific agent version | `sudo ./mde_installer.sh --upgrade –-mdatp 101.24082.0004` |
+   |Downgrade to a specific agent version | `sudo ./mde_installer.sh --downgrade –-mdatp 101.24082.0004` |
+   |Uninstall agent | `sudo ./mde_installer.sh --remove` |
+   
+   
+      > [!NOTE]
+      > Upgrading your operating system to a new major version after the product installation requires the product to be reinstalled. You need to uninstall the existing Defender for Endpoint on Linux, upgrade the operating system, and then reconfigure Defender for Endpoint on Linux.
 
 ## Verify deployment status
 
-1. In the [Microsoft Defender portal](https://security.microsoft.com), open the device inventory. It might take 5-20 mins for the device to show up in the portal.
+1. In the [Microsoft Defender portal](https://security.microsoft.com), open the device inventory. It might take 5-20 minutes for the device to show up in the portal.
 
 2. Run an antivirus detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
 
@@ -170,14 +170,22 @@ Before you get started, see [Microsoft Defender for Endpoint on Linux](microsoft
       mdatp threat list
       ```
 
-3. Run an EDR detection test and simulate a detection to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
+1. Run an EDR detection test and simulate a detection to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
 
-   1. Verify that the onboarded Linux server appears in the Microsoft Defender portal. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.
-
-   2. Download and extract the [script file](https://aka.ms/MDE-Linux-EDR-DIY) to an onboarded Linux server, and run the following command: 
-   
-      `./mde_linux_edr_diy.sh`
+   1. Download and extract the [script file](https://aka.ms/MDE-Linux-EDR-DIY) to an onboarded Linux server.
+      
+   1. Grant executable permissions to the script:
 
+      ```bash
+      chmod +x mde_linux_edr_diy.sh
+      ```
+      
+   1. Run the following command: 
+
+      ```bash
+      ./mde_linux_edr_diy.sh
+      ```
+      
    3. After a few minutes, a detection should be raised in the Microsoft Defender XDR.
 
    4. Check the alert details, machine timeline, and perform your typical investigation steps.

defender-endpoint/mac-support-configuration.md

@@ -0,0 +1,129 @@
+---
+title: Troubleshoot configuration issues for Microsoft Defender for Endpoint on Mac
+description: Troubleshoot configuration issues in Microsoft Defender for Endpoint on Mac.
+ms.service: defender-endpoint
+author: emmwalshh
+ms.author: ewalsh
+ms.reviewer: joshbregman
+manager: deniseb
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+- mde-macos
+ms.topic: conceptual
+ms.subservice: macos
+search.appverid: met150
+ms.date: 04/30/2024
+---
+
+# Troubleshoot configuration issues for Microsoft Defender for Endpoint on macOS
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+
+- [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md)
+- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
+- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
+- [Microsoft Defender XDR](/defender-xdr)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
+
+## Configuration isn't applied as expected
+
+You configured Microsoft Defender with settings that you need, and you don't see some (or all) of them applied.
+How to troubleshoot it?
+
+### Sources of configuration
+
+Microsoft Defender collects configuration from multiple sources.
+
+In almost all cases you can change configuration dynamically, and it will be applied immediately, with no restart required.
+
+Different sources have different priorities.
+When the same setting comes from more than one source, Microsoft Defender will merge values from different sources.
+In most cases it means that the value with the higher priority prevails, and sources from lower priorities are ignored. In some cases (for example, [Antivirus Exclusions](mac-preferences.md#exclusion-merge-policy)). Refer to configuration documentation for details.
+
+Configuration sources in the order of priority ("1" is the highest priority):
+
+1) MDE Attach, Defender configured in Intune portal
+2) [MDM configuration profile](mac-jamfpro-policies.md), configured using your MDM software
+3) [Local configuration](mac-resources.md#supported-output-types), that you made using `mdatp config ...` command as local administrator, or through Microsoft Defender's application
+4) Default setting that is used when you provided no explicit setting
+
+### MDE Attach and MDM Configuration profile
+
+> [!CAUTION]
+> MDE Attach and MDM Configuration Profile are mutually excluded. If you provide *some* configuration for both, then only MDE Attach settings are used, and *all* MDM settings are ignored! Don't use them together.
+
+Use `mdatp health --field managed_by` to find out if you use MDE Attach.
+
+1) "MDE" indicates MDE Attach. Any configuration specified with an MDM configuration profile is ignored.
+2) "MEM" indicates MDM Configuration Profile, or only local configuration
+
+You can run `mdatp health` to get the configuration that Microsoft Defender is currently used. If you see "[managed]" next to a value, then it's currently configured through an MDM Configuration Profile. If there's no "[managed]", then it's configured locally or via MDE Attach.
+
+### MDE Attach and MDM configurations troubleshooting
+
+Check the following files:
+
+1) `/Library/Preferences/com.microsoft.mdeattach.plist` - Microsoft Defender reads this file for settings delivered by MDE Attach. If you expect some setting and you don't see it configured, then check that it's there
+2) `/Library/Managed Preferences/com.microsoft.wdav.plist` and `/Library/Managed Preferences/com.microsoft.wdav.ext.plist` - Microsoft Defender reads these files for settings delivered by MDM.
+
+The file paths and names must be exactly like described! If you see a similar but a bit different file path, then it means that Microsoft Defender ignores it.
+
+If you expect some MDM settings and don't see those files, it means that MDM has not delivered configuration profiles to your machine at all. 
+To troubleshoot profiles delivery, consult your MDM software (JAMF, Intune, etc.) resources.
+
+If you expect some settings and you see those files, then check their content:
+
+```
+> plutil -p '/Library/Managed Preferences/com.microsoft.wdav.plist
+{
+  "antivirusEngine" => {
+    "enforcementLevel" => "real_time"
+  }
+}
+```
+
+Those settings must match those settings that you configured.
+Their names, level of indirection, type must be exactly as [documented](mac-preferences.md).
+
+For example, if `plist` tells you that "antivirusEngine" is inside a different group, then you can be confident that Microsoft Defender *ignores* "enforcementLevel" setting altogether:
+```
+# Bad configuration!
+> plutil -p '/Library/Managed Preferences/com.microsoft.wdav.plist
+{
+  "Forced" => {
+    "mcx_preference_settings" => {
+      "antivirusEngine" => {
+        "enforcementLevel" => "real_time"
+      }
+    }
+  }
+}
+```
+
+### MDM Configuration - where does it come from?
+
+macOS updates /Library/Managed Preferences/ files based on Profiles deployed over MDM.
+
+If you don't see an expected managed preferences file, or its content is different from what you expect, then open  => System Settings => Profiles.
+
+You can see all profiles deployed over MDM under "Device (Managed)." Find a profile that you configured in MDM for Microsoft Defender configuration.
+You can open it and inspect its content. It must match what is in /Library/Managed Preferences/com.microsoft.wdav.plist and what you configured in MDM.
+
+If you don't see any managed profile for com.microsoft.wdav, then MDM didn't deliver it. Consult your MDM software documentation for troubleshooting, there can be multiple reasons why it happened, troubleshooting of MDM is out of scope for Microsoft Defender documentation.
+
+If you see *more than one* configuration profile for the same com.microsoft.wdav, then it can be the reason of not expected configuration of Microsoft Defender.
+macOS performs some merging of those profiles into a single .plist, but it can properly merge only the top level of configuration.
+I.e., you can't spread different "antivirusEngine" settings across two com.microsoft.wdav configuration profiles, MDM uses only one of them randomly, and ignore the rest. You can use extra com.microsoft.wdav.ext profile if you need to put settings to two profiles (again, there must be at most one configuration profile with com.microsoft.wdav.ext as well).
+
+In other words, avoid having more than one configuration profile for the same identifier.
+
+### MDE Attach Configuration - where does it come from?
+
+It isn't delivered over MDM. Consult MDE Attach documentation for how to troubleshoot it.