Commit 7d0e5b4

Merge pull request #3433 from MicrosoftDocs/main
Published main to live, Wednesday 5:00 PM IST, 04/09
2 parents 374aaa1 + 325f86a commit 7d0e5b4

12 files changed (+66 / -53 lines)

CloudAppSecurityDocs/activity-filters-queries.md

Lines changed: 1 addition & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -135,7 +135,7 @@ Defender for Cloud Apps also provides you with **Suggested queries**. Suggested
135135
- Successful log in - Filters all your activities to display only those activities that involve successful sign-ins, including impersonate action, impersonate sign-in, single sign-o sign-ins, and sign-in from a new device.
136136

137137
![query activities.](media/queries-activity.png)
138-
138+
139139
Additionally, you can use the suggested queries as a starting point for a new query. First, select one of the suggested queries. Then, make changes as needed and finally select **Save as** to create a new **Saved query**.
140140

141141
### Query activities six months back
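Review bot: the only change in this hunk is a whitespace edit at line 138, but the unchanged context at line 135 carries a typo worth fixing in the same pass: "single sign-o sign-ins" should read "single sign-on sign-ins".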
@@ -184,37 +184,6 @@ Reports that include private activities are marked with an Eye icon in the repor
184184

185185
![eye-icon](media/activity-filters-queries/eye-icon-to-indicate-private-report.png)
186186

187-
> [!NOTE]
188-
>Exporting and viewing activity data up to six months back is restricted to specific roles with elevated permissions.
189-
190-
The following roles are supported:
191-
192-
- `INVITED_ADMIN`
193-
194-
- `GLOBAL_ADMINISTRATOR`
195-
196-
- `SECURITY_ADMINISTRATOR`
197-
198-
- `MCAS_ADMINISTRATOR`
199-
200-
- `DISCOVERY_ADMIN`
201-
202-
- `SECURITY_OPERATOR`
203-
204-
- `COMPLIANCE_ADMIN`
205-
206-
- `SECURITY_READER`
207-
208-
- `GLOBAL_READER`
209-
210-
- `URBAC_ROLES_GLOBAL_ADMINISTRATOR`
211-
212-
- `URBAC_ROLES_COMPLIANCE_ADMINISTRATOR`
213-
214-
- `URBAC_ROLES_SECURITY_READER`
215-
216-
- `URBAC_ROLES_SECURITY_OPERATOR`
217-
218187
## Next steps
219188

220189
> [!div class="nextstepaction"]
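Review bot: this hunk deletes the NOTE stating that exporting and viewing activity data up to six months back is restricted to roles with elevated permissions, together with the full list of supported roles (`INVITED_ADMIN` through `URBAC_ROLES_SECURITY_OPERATOR`), without any replacement text. If the role restriction still applies, readers of the "Query activities six months back" section lose the only statement of who can run these queries; if it was lifted, a one-line note saying so would prevent support questions. Either way, the reason for the removal is not visible in the commit message and should be recorded in the PR.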

CloudAppSecurityDocs/attack-paths.md

Lines changed: 9 additions & 7 deletions
@@ -10,9 +10,6 @@ ms.date: 03/23/2025
1010
[Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management) helps you to manage your company's attack surface and exposure risk effectively. By combining assets and techniques, [attack paths](/security-exposure-management/review-attack-paths) illustrate the end-to-end paths that attackers can use to move from an entry point within your organization to your critical assets.
1111
Microsoft Defender for Cloud Apps observed an increase in attackers using OAuth applications to access sensitive data in business-critical applications like Microsoft Teams, SharePoint, Outlook, and more. To support investigation and mitigation, these applications are integrated into the attack path and attack surface map views in Microsoft Security Exposure Management.
1212

13-
### Critical Asset Management - Service Principals
14-
15-
Microsoft Defender for Cloud Apps defines a set of critical privilege OAuth permissions. OAuth applications with these permissions are considered high-value assets. If compromised, an attacker can gain high privileges to SaaS applications. To reflect this risk, attack paths treat service principals with these permissions as target goals.
1613

1714
### Prerequisites
1815

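Review bot: this hunk deletes the "Critical Asset Management - Service Principals" heading and its paragraph from directly under the intro; the second hunk in the same file reinserts them after the Entra ID roles NOTE, so the net change is a move. As a move it is fine, but the section no longer precedes "### Prerequisites", so a reader now passes the roles list and the cloud-availability note before learning what counts as a critical asset; confirm that ordering is intended.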
@@ -44,21 +41,26 @@ Alternatively, you can use one of the following **Entra ID roles**:
4441
>[!NOTE]
4542
> Currently available in commercial cloud environments only. Microsoft Security Exposure Management data and capabilities are currently unavailable in U.S Government clouds - GCC, GCC High, DoD, and China Gov.
4643
47-
## View permissions for critical assets
44+
### Critical Asset Management - Service Principals
45+
46+
Microsoft Defender for Cloud Apps defines a set of critical privilege OAuth permissions. OAuth applications with these permissions are considered high-value assets. If compromised, an attacker can gain high privileges to SaaS applications. To reflect this risk, attack paths treat service principals with these permissions as target goals.
47+
48+
#### View permissions for critical assets
4849

4950
To view the full list of permissions, go to the [Microsoft Defender portal](https://security.microsoft.com) and navigate to Settings > Microsoft Defender XDR > Rules > Critical asset management.
5051

5152
:::image type="content" source="media/saas-securty-initiative/screenshot-of-the-critical-asset-management-page.png" alt-text="Screenshot of the Critical asset management page in the Defender XDR portal." lightbox="media/saas-securty-initiative/Screenshot-of-the-critical-asset-management-page.png":::
5253

53-
> [!NOTE]
54-
> OAuth apps appear in the attack path surface map only when specific conditions are detected.
55-
> For example, an OAuth app may appear in the attack path only if a vulnerable component with an easily exploitable entry point is detected that allows lateral movement to service principals with high privileges.
5654

5755
## Investigation user flow: View attack paths involving OAuth applications
5856

5957
Once you understand which permissions represent high-value targets, use the following steps to investigate how these applications appear in your environment’s attack paths.
6058
For smaller organizations with a manageable number of attack paths, we recommend following this structured approach to investigate each attack path:
6159

60+
> [!NOTE]
61+
> OAuth apps show in the attack path surface map only when specific conditions are detected.
62+
> For example, an OAuth app might appear in the attack path if a vulnerable component with an easily exploitable entry point is detected. This entry point allows lateral movement to service principals with high privileges.
63+
6264
1. Go to Exposure Management > Attack surface > Attack paths.
6365

6466
1. Filter by 'Target type: AAD Service principal'
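Review bot: the relocated NOTE (lines 60+ to 63+) now sits between the sentence "we recommend following this structured approach to investigate each attack path:" and the numbered steps that sentence introduces, which separates the intro from its list; placing the note above "Once you understand which permissions..." at line 57, or after the list, keeps the steps contiguous. Two smaller points: "## View permissions for critical assets" becomes "#### View permissions for critical assets", a two-level drop under the new "###" heading, so check that the page TOC still shows it and that inbound links to the #view-permissions-for-critical-assets anchor still resolve; and the unchanged context carries "U.S Government" (missing period after "U.S.") and a media path spelled "saas-securty-initiative" in both source and lightbox, which should be confirmed against the actual folder name rather than corrected blindly.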

defender-endpoint/respond-machine-alerts.md

Lines changed: 41 additions & 7 deletions
@@ -5,7 +5,7 @@ ms.service: defender-endpoint
55
ms.author: diannegali
66
author: diannegali
77
ms.localizationpriority: medium
8-
ms.date: 03/12/2025
8+
ms.date: 04/09/2025
99
manager: deniseb
1010
audience: ITPro
1111
ms.collection:
@@ -291,7 +291,7 @@ Once devices are contained, we recommend investigating and remediating the threa
291291

292292
3. On the contain device popup, type a comment, and select **Confirm**.
293293

294-
:::image type="content" alt-text="Screenshot of the contain device menu item." source="/defender/media/defender-endpoint/contain_device_popup.png" lightbox="/defender/media/defender-endpoint/contain_device_popup.png":::
294+
:::image type="content" alt-text="Screenshot of the contain device menu item." source="/defender/media/defender-endpoint/contain_device_popup.png" lightbox="/defender/media/defender-endpoint/contain_device_popup.png":::
295295

296296
> [!IMPORTANT]
297297
> Containing a large number of devices might cause performance issues on Defender for Endpoint-onboarded devices. To prevent any issues, Microsoft recommends containing up to 100 devices at any given time.
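Review bot: line 294- and line 294+ render identically, so this is a whitespace-only change (most likely indentation of the image directive under step 3); confirm the result keeps the image inside the numbered step rather than ending the list early.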
@@ -307,19 +307,53 @@ A device can also be contained from the device page by selecting **Contain devic
307307
308308
> [!IMPORTANT]
309309
>
310-
> - If a contained device changes its IP address, then all Microsoft Defender for Endpoint onboarded devices will recognize this and start blocking communications with the new IP address. The original IP address will no longer be blocked (It may take up to 5 mins to see these changes).
311-
> - In cases where the contained device's IP is used by another device on the network, there will be a warning while containing the device, with a link to advanced hunting (with a pre-populated query). This will provide visibility to the other devices using the same IP to help you make a conscious decision if you'd like to continue with containing the device.
312-
> - In cases where the contained device is a network device, a warning will appear with a message that this may cause network connectivity issues (for example, containing a router that is acting as a default gateway). At this point, you'll be able to choose whether to contain the device or not.
310+
> - If a contained device changes its IP address, all Microsoft Defender for Endpoint onboarded devices recognize this and start blocking communications with the new IP address. The original IP address is no longer be blocked (It may take up to 5 minutes to see these changes).
311+
> - In cases where the contained device's IP is used by another device on the network, a warning while containing the device with a link to advanced hunting (with a pre-populated query) is displayed. This provides visibility to other devices using the same IP to help you make a conscious decision if you'd like to continue containing the device.
312+
> - In cases where the contained device is a network device, a warning appears with a message that containment can cause network connectivity issues (for example, containing a router that is acting as a default gateway). At this point, you're able to choose whether to contain the device or not.
313313
314314
After you contain a device, if the behavior isn't as expected, verify the Base Filtering Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices.
315315

316316
### Stop containing a device
317317

318-
You'll be able to stop containing a device at any time.
318+
You're be able to stop containing a device at any time.
319319

320320
1. Select the device from the **Device inventory** or open the device page.
321321

322-
2. Select **Release from containment** from the action menu. This action will restore this device's connection to the network.
322+
2. Select **Release from containment** from the action menu. This action restores the device's connection to the network.
323+
324+
### Contain IP addresses of undiscovered devices
325+
326+
> [!IMPORTANT]
327+
> Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
328+
329+
Defender for Endpoint can also contain IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint. The capability to contain an IP address prevents attackers from spreading attacks to other non-compromised devices. Containing an IP address results in Defender for Endpoint-onboarded devices blocking incoming and outgoing communication with devices using the contained IP address
330+
331+
> [!NOTE]
332+
> Blocking incoming and outgoing communication with a 'contained' device is supported on onboarded Defender for Endpoint Windows 10, Windows 2012 R2, Windows 2016, and Windows Server 2019+ devices.
333+
334+
Containing an IP address associated with undiscovered devices or devices not onboarded to Defender for Endpoint is done automatically through [automatic attack disruption](/defender-xdr/automatic-attack-disruption). The Contain IP policy automatically blocks a malicious IP address when Defender for Endpoint detects the IP address to be associated with an undiscovered device or a device not onboarded.
335+
336+
A message indicating that the action is applied appears on the applicable incident, device, or IP page. Here’s an example.
337+
338+
:::image type="content" source="/defender/media/defender-endpoint/contain-ip-attack-disrupt-small.png" alt-text="Highlighting a contained IP address in the incident graph." lightbox="/defender/media/defender-endpoint/contain-ip-attack-disrupt.png":::
339+
340+
After an IP address is contained, you can view the action in the History view of the Action Center. You can see when the action occurred and identify the IP addresses that were contained.
341+
342+
:::image type="content" source="/defender/media/defender-endpoint/contain-ip-action-center-small.png" alt-text="View the contained IP address in the Action center." lightbox="/defender/media/defender-endpoint/contain-ip-action-center.png":::
343+
344+
If a contained IP address is part of an incident, an indicator is present on the [incident graph](/defender-xdr/investigate-incidents#attack-story) and on the incident's [evidence and response](/defender-xdr/investigate-incidents#evidence-and-response) tab. Here’s an example.
345+
346+
:::image type="content" source="/defender/media/defender-endpoint/contain-ip-evidence-small.png" alt-text="Highlighting a contained IP address in the Evidence and response tab of an incident." lightbox="/defender/media/defender-endpoint/contain-ip-evidence.png":::
347+
348+
You can stop an IP address' containment at any time. To stop containment, select the **Contain IP** action in the **Action Center**. In the flyout, select **Undo**. This action restores the IP address’ connection to the network.
349+
350+
### Containing critical assets
351+
352+
When a critical asset is compromised and used to spread threats within an organization, stopping the spread can be challenging because these assets must continue to function to avoid productivity loss. Defender for Endpoint addresses this by granularly containing the critical asset, preventing the spread of the attack while ensuring the asset remains operational for business continuity.
353+
354+
Through automatic attack disruption, Defender for Endpoint incriminates a malicious device, identifies the role of the device to apply a matching policy to automatically contain a critical asset. The granular containment is done by blocking only specific ports and communication directions.
355+
356+
You can identify critical assets by the **critical asset** tag on the device or IP page. Device containment currently supports critical asset types like domain controllers, DNS servers, and DHCP servers.
323357

324358
## Contain user from the network
325359

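Review bot: two edits in this hunk introduce grammar regressions that should be fixed before publishing: line 310+ reads "The original IP address is no longer be blocked" (drop "be"), and line 318+ reads "You're be able to stop containing a device at any time" (use "You can stop containing a device at any time"). In the new text, line 329+ ends without a period after "the contained IP address"; line 332+ lists "Windows 2012 R2, Windows 2016" beside "Windows Server 2019+", so the first two should read "Windows Server 2012 R2, Windows Server 2016" for consistency; line 354+ runs two clauses together ("incriminates a malicious device, identifies the role of the device to apply a matching policy") and reads better as "incriminates a malicious device, identifies its role, and applies a matching policy to automatically contain the critical asset"; and line 348+ mixes a straight apostrophe in "IP address' containment" with a curly one in "IP address’ connection".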
defender-endpoint/whats-new-in-microsoft-defender-endpoint.md

Lines changed: 4 additions & 0 deletions
@@ -46,6 +46,10 @@ For more information on what's new with other Microsoft Defender security produc
4646
- [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
4747
- [What's new in Microsoft Defender Vulnerability Management](/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management)
4848

49+
## April 2025
50+
51+
- (Preview) **Contain IP addresses of undiscovered devices**: Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. See [Contain IP addresses of undiscovered devices](respond-machine-alerts.md#contain-ip-addresses-of-undiscovered-devices) for more information.
52+
4953
## February 2025
5054

5155
- (GA) **Aggregated reporting in Microsoft Defender for Endpoint** is now generally available. For more information, see [Aggregated reporting in Microsoft Defender for Endpoint](aggregated-reporting.md).
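Review bot: the link target respond-machine-alerts.md#contain-ip-addresses-of-undiscovered-devices matches the new "### Contain IP addresses of undiscovered devices" heading added in this merge, so the anchor resolves. The entry omits the "Containing critical assets" subsection added in the same respond-machine-alerts.md change, though; if that granular containment behaviour is also shipping as preview, a second bullet or a clause in this one would keep the what's-new page complete.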

defender-xdr/automatic-attack-disruption.md

Lines changed: 7 additions & 7 deletions
@@ -18,7 +18,7 @@ ms.topic: concept-article
1818
search.appverid:
1919
- MOE150
2020
- MET150
21-
ms.date: 09/11/2024
21+
ms.date: 02/20/2025
2222
appliesto:
2323
- Microsoft Defender XDR
2424
---
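Review bot: ms.date is set to 02/20/2025 even though the content edits in this file are being published on 04/09; the sibling change to defender-endpoint/respond-machine-alerts.md in this merge sets ms.date to 04/09/2025, so this value looks stale and should probably match.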
@@ -61,15 +61,16 @@ Investigations are integral to monitoring our signals and the attack threat land
6161

6262
Automatic attack disruption uses Microsoft-based XDR response actions. Examples of these actions are:
6363

64-
- [Device contain](/defender-endpoint/respond-machine-alerts#contain-devices-from-the-network) - based on Microsoft Defender for Endpoint's capability, this action is an automatic containment of a suspicious device to block any incoming/outgoing communication with the said device.
64+
- [Device contain](/defender-endpoint/respond-machine-alerts#contain-devices-from-the-network) - based on Microsoft Defender for Endpoint's capability, this action is an automatic containment of a suspicious device to block any incoming/outgoing communication with the said device.
65+
- In addition, Defender for Endpoint automatically contains malicious IP addresses associated with undiscovered/not onboarded devices to block any lateral movement and encryption activity to other Defender for Endpoint-onboarded/discovered devices. It does this through its **[Contain IP](/defender-endpoint/respond-machine-alerts#contain-ip-addresses-of-undiscovered-devices)** (Preview) policy. Moreover, [compromised critical assets' IP addresses are also automatically contained](/defender-endpoint/respond-machine-alerts#containing-critical-assets) with specific blocking mechanisms to stop the spread of an attack while avoiding productivity loss.
6566

6667
- [Disable user](/defender-for-identity/remediation-actions) - based on Microsoft Defender for Identity's capability, this action is an automatic suspension of a compromised account to prevent additional damage like lateral movement, malicious mailbox use, or malware execution. The disable user action behaves differently depending on how the user is hosted in your environment.
6768
- When the user account is hosted in Active Directory: Defender for Identity triggers the disable user action on domain controllers running the Defender for Identity agent.
6869
- When the user account is hosted in Active Directory and is synced on Microsoft Entra ID: Defender for Identity triggers the disable user action via onboarded domain controllers. Attack disruption also disables the user account on the Entra ID synced account.
69-
- When the user account is hosted in Entra ID only (cloud native account): attack disruption disables the user account on the Entra ID synced account.
70-
71-
> [!NOTE]
72-
> Disabling the user account in Microsoft Entra ID is not dependent on the deployment of Microsoft Defender for Identity.
70+
- When the user account is hosted in Entra ID only (cloud native account): attack disruption disable the user account on the Entra ID synced account.
71+
72+
> [!NOTE]
73+
> Disabling the user account in Microsoft Entra ID is not dependent on the deployment of Microsoft Defender for Identity.
7374
7475
- [Contain user](/defender-endpoint/respond-machine-alerts#contain-user-from-the-network) - based on Microsoft Defender for Endpoint's capability, this response action automatically contains suspicious identities temporarily to help block any lateral movement and remote encryption related to incoming communication with Defender for Endpoint's onboarded devices.
7576

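Review bot: line 70+ changes "attack disruption disables the user account" to "attack disruption disable the user account", a grammar regression (the subject is singular, so "disables" was correct). In the new sub-bullet at line 65+, "undiscovered/not onboarded devices" and "onboarded/discovered devices" use slash shorthand that the rest of the list spells out; "undiscovered or non-onboarded devices" reads more cleanly, and "It does this through its Contain IP (Preview) policy" would sit better as the first sentence of the bullet so the policy name appears before its effects. Also confirm the sub-bullet is indented so it nests under "Device contain" rather than rendering as a top-level response action.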
@@ -123,5 +124,4 @@ For more information, see [view attack disruption details and results](autoad-re
123124
- [View details and results](autoad-results.md)
124125
- [Get email notifications for response actions](m365d-response-actions-notifications.md)
125126

126-
127127
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/whats-new.md

Lines changed: 4 additions & 0 deletions
@@ -34,7 +34,11 @@ You can also get product updates and important notifications through the [messag
3434

3535

3636
## April 2025
37+
38+
- (Preview) **Contain IP addresses of undiscovered devices**: Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. See [Contain IP addresses of undiscovered devices](automatic-attack-disruption.md#automated-response-actions) for more information.
39+
3740
- (Preview) The [OAuthAppInfo](advanced-hunting-oauthappinfo-table.md) table is now available for preview in advanced hunting. The table contains information about Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability.
41+
3842
- The `OnboardingStatus` and `NetworkAdapterDnsSuffix` columns are now available in the [`DeviceNetworkInfo`](advanced-hunting-devicenetworkinfo-table.md) table in advanced hunting.
3943

4044

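Review bot: the link text "Contain IP addresses of undiscovered devices" points at automatic-attack-disruption.md#automated-response-actions, a general section anchor rather than the feature's own section; the equivalent entry in defender-endpoint/whats-new-in-microsoft-defender-endpoint.md links to respond-machine-alerts.md#contain-ip-addresses-of-undiscovered-devices, which is the dedicated heading. Using the same target here avoids sending readers to a list they then have to scan, and the #automated-response-actions anchor cannot be verified from the visible diff, so it should be checked against the heading in that file.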
