Merge pull request #1927 from MicrosoftDocs/main

Published main to live, Monday 05:00 PM IST, 11/18

Author: padmagit77

defender-xdr/activate-defender-rbac.md

@@ -59,7 +59,7 @@ You can activate your workloads in two ways from the Permissions and roles page:
 - Select **Activate workloads** on the banner above the list of roles to go directly to the **Activate workloads** screen.
 - You must activate each workload one by one. Once you select the individual toggle, you activate (or deactivate) that workload.
 
-:::image type="content" source="/defender/media/defender/urbac-activate-workloads.png" alt-text="Screenshot of the choose workloads to activate screen":::
+:::image type="content" source="/defender/media/defender/defender-activate-workloads.png" alt-text="Screenshot of the choose workloads to activate screen.":::
 
    > [!NOTE]
    > The **Activate workloads** button is only available when there is it at least one workload that's not active for Microsoft Defender XDR Unified RBAC.

defender-xdr/investigate-incidents.md

@@ -1,6 +1,6 @@
 ---
-title: Investigate incidents in Microsoft Defender XDR
-description: Investigate incidents related to devices, users, and mailboxes.
+title: Investigate incidents in the Microsoft Defender portal
+description: Investigate incidents on various assets from correlated signals of various Defender services and other Microsoft security products like Microsoft Sentinel.
 ms.service: defender-xdr
 f1.keywords: 
   - NOCSH
@@ -16,20 +16,19 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 12/04/2023
+ms.date: 11/13/2024
+appliesto:
+- Microsoft Defender XDR
+- Microsoft Sentinel in the Microsoft Defender portal
 ---
 
-# Investigate incidents in Microsoft Defender XDR
+# Investigate incidents in the Microsoft Defender portal
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
+The Microsoft Defender portal presents correlated alerts, assets, investigations, and evidence from across all your assets into an incident to give you a comprehensive look into the entire breadth of an attack.
 
-Microsoft Defender XDR aggregates all related alerts, assets, investigations, and evidence from across your devices, users, and mailboxes into an incident to give you a comprehensive look into the entire breadth of an attack.
-
-Within an incident, you analyze the alerts that affect your network, understand what they mean, and collate the evidence so that you can devise an effective remediation plan.
+Within an incident, you analyze the alerts, understand what they mean, and collate the evidence so that you can devise an effective remediation plan.
 
 ## Initial investigation
 
@@ -84,7 +83,9 @@ From the graph, you can:
 
 - Hunt for entity information of a device, file, IP address, or URL.
 
-The *go hunt* option takes advantage of the [advanced hunting](advanced-hunting-go-hunt.md) feature to find relevant information about an entity. The *go hunt* query checks relevant schema tables for any events or alerts involving the specific entity you're investigating. You can select any of the options to find relevant information about the entity:
+### Go hunt
+
+The ***go hunt*** action takes advantage of the [advanced hunting](advanced-hunting-go-hunt.md) feature to find relevant information about an entity. The *go hunt* query checks relevant schema tables for any events or alerts involving the specific entity you're investigating. You can select any of the options to find relevant information about the entity:
 
   - See all available queries – the option returns all available queries for the entity type you're investigating.
   - All Activity – the query returns all activities associated with an entity, providing you with a comprehensive view of the incident's context.
@@ -96,7 +97,7 @@ The resulting logs or alerts can be linked to an incident by selecting a results
 
 :::image type="content" source="/defender/media/investigate-incidents/fig2-gohunt-attackstory.png" alt-text="Highlighting the link to incident option in go hunt query results" lightbox="/defender/media/investigate-incidents/fig2-gohunt-attackstory.png":::
 
-If the incident or related alerts were the result of an analytics rule you've set, you can also select **Run query** to see other related results.
+If the incident or related alerts were the result of an analytics rule you've set, you can also select ***Run query*** to see other related results.
 
 ## Summary
 

defender-xdr/manage-incidents.md

@@ -19,7 +19,7 @@ ms.topic: how-to
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 08/21/2024
+ms.date: 11/18/2024
 appliesto: 
 - Microsoft Defender XDR
 - Microsoft Sentinel in the Microsoft Defender portal
@@ -291,12 +291,10 @@ When doing a postmortem of an incident, view the incident's **Activity log** to
 
 You can also [add your own comments](#add-comments-to-an-incident) using the comment box available within the activity log. The comment box accepts text and formatting, links, and images.
 
-### Export incident data to PDF
-
 > [!IMPORTANT]
 > Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
->
-> The export incident data feature is currently available to Microsoft Defender XDR and Microsoft unified security operations center (SOC) platform customers with the Microsoft Copilot for security license.
+
+## Export incident data to PDF
 
 You can export an incident's data to PDF through the **Export incident as PDF** function and save it into PDF format. This function allows security teams to review an incident's details offline at any given time.
 
@@ -343,9 +341,7 @@ The report is cached for a couple of minutes. The system provides the previously
 
 ## Next steps
 
-For new incidents, begin your [investigation](investigate-incidents.md).
-
-For in-process incidents, continue your [investigation](investigate-incidents.md).
+For new and in-process incidents, continue your [incident investigation](investigate-incidents.md).
 
 For resolved incidents, perform a [post-incident review](respond-first-incident-remediate.md).
 

defender-xdr/whats-new.md

@@ -6,7 +6,7 @@ ms.service: defender-xdr
 ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
-ms.date: 10/17/2024
+ms.date: 11/18/2024
 manager: dansimp
 audience: ITPro
 ms.collection:
@@ -31,6 +31,8 @@ You can also get product updates and important notifications through the [messag
 
 ## November 2024
 
+- (Preview) Microsoft Defender XDR customers can now export incident data to PDF. Use the exported data to easily capture and share incident data to other stakeholders. For details, see **[Export incident data to PDF](manage-incidents.md#export-incident-data-to-pdf)**.
+- (GA) The **last update time** column in the [incident queue](incident-queue.md#incident-queue) is now generally available.
 - (Preview) Cloud-native investigation and response actions are now available for container-related alerts in the Microsoft Defender portal. Security operations center (SOC) analysts can now investigate and respond to container-related alerts in near real-time with cloud-native response actions and investigation logs to hunt for related activities. For more information, see [Investigate and respond to container threats in the Microsoft Defender portal](investigate-respond-container-threats.md).
 - (GA) The `arg()` operator in [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries) in Microsoft Defender portal is now generally available. Users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources, and no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if already in Microsoft Defender.
 - (Preview) The [CloudProcessEvents](advanced-hunting-cloudprocessevents-table.md) table is now available for preview in advanced hunting. It contains information about process events in multicloud hosted environments. You can use it to discover threats that can be observed through process details, like malicious processes or command-line signatures. 

defender/media/defender/defender-activate-workloads.png

@@ -66,10 +66,9 @@
           href: exposure-insights-overview.md
         - name: Review security initiatives
           href: initiatives.md
-        - name: Investigate security metrics
         - name: Security initiatives catalog
           href: initiatives-list.md
-        - name: Investigate initiative metrics
+        - name: Investigate security initiative metrics
           href: security-metrics.md
         - name: Review security recommendations
           href: security-recommendations.md

exposure-management/TOC.yml

@@ -77,6 +77,44 @@ Currently, Security Exposure Management consolidates security posture informatio
 In addition to Microsoft services, Security Exposure Management allows you to connect to external data sources to further enrich and extend your security posture management.
 For more information on data connectors, see [Data connectors overview](overview-data-connectors.md).
 
+## How do I buy Microsoft Security Exposure Management?
+
+Exposure Management is available in the Microsoft Defender portal at [https://security.microsoft.com](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity.microsoft.com%2F&data=05|02|[email protected]|535bfb9f198d4313d96108dd05e1a9d4|72f988bf86f141af91ab2d7cd011db47|1|0|638673189066169502|Unknown|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D|0|||&sdata=vOA7%2FeI4WU4tRMWSPiHTs4jrZX8%2B%2FN70wheiTBFPSDk%3D&reserved=0)
+
+Access to the exposure management blade and features in the Microsoft Defender portal is available with any of these licenses:
+
+- Microsoft 365 E5 o*r A5*
+- Microsoft 365 E3
+- Microsoft 365 E3 with the Microsoft Enterprise Mobility + Security E5 add-on
+- Microsoft 365 A3 with the Microsoft 365 A5 security add-on
+- Microsoft Enterprise Mobility + Security E5 or A5
+- Microsoft Defender for Endpoint (Plan 1 and 2)
+- Microsoft Defender for Identity
+- Microsoft Defender for Cloud Apps
+- Microsoft Defender for Office 365 (Plans 1 and 2)
+- Microsoft Defender Vulnerability Management
+
+Integration of data from the above tools and other Microsoft Security tools like Microsoft Defender for Cloud, Microsoft Defender Cloud Security Posture Management and Microsoft Defender External Attack Surface Management is available with those licenses.
+
+Integration of non-Microsoft security tools will be a consumption-based cost based on number of assets in the connected security tool. The external connectors are in public preview with plan to be generally available (GA) end of Q1 2025. Pricing will be announced before billing of external connectors starts at GA.
+
+### Data freshness, retention, and related functionality
+
+We currently ingest and process supported data from first-party Microsoft products, making it available within the enterprise exposure graph and applicable Microsoft Security Exposure Management experiences built on top of graph data within 72 hours of its production at the source product.
+
+Microsoft product data is retained for no less than 14 days in the enterprise exposure graph and/or Microsoft Security Exposure Management. Only the latest data snapshot received from Microsoft products is retained; we do not store historical data.
+
+Some enterprise exposure graph and/or Microsoft Security Exposure Management experiences data is available for querying via Advanced Hunting and is subject to [Advanced Hunting service limitations](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fdefender-xdr%2Fadvanced-hunting-limits&data=05|02|[email protected]|2eeaacf0c0f2494a51a308dd06ea1a99|72f988bf86f141af91ab2d7cd011db47|1|0|638674324732464247|Unknown|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D|0|||&sdata=cPz7p6NX%2BvUWkVwR4Wx0%2F5pJ0wbP6h8ZXsFSa4JrLxA%3D&reserved=0).
+
+We reserve the right to modify some or all of these parameters in the future, including:
+
+- Data ingestion frequency and freshness: We may increase the current 72-hour latency (decrease the frequency of data ingestion) for some or all Microsoft data sources.
+- Data retention period: We may decrease the current 14-day data retention period.
+- Service features and functionality: We may alter, limit, or discontinue specific features, capabilities, or functionalities of the service built on top of the enterprise exposure graph and/or Microsoft Security Exposure Management data.
+- Data query limits: We may impose limitations on the number, frequency, or type of data queries that can be performed against enterprise exposure graph or Microsoft Security Exposure Management data.
+
+ We will make reasonable efforts to provide advance notice of any significant changes to the service. However, you acknowledge and agree that you are solely responsible for monitoring any such notifications.
+
 ## Next steps
 
 Review [prerequisites](prerequisites.md) to get started with Security Exposure Management.