Merge pull request #3614 from MicrosoftDocs/main

[AutoPublish] main to live - 04/29 04:29 PDT | 04/29 16:59 IST

Author: padmagit77

ATPDocs/identity-security-initiative.md

@@ -0,0 +1,85 @@
+---
+title: Identity Security Initiative
+description: Learn how to enhance your organization's identity security using the Identity Security Initiative in Microsoft Defender XDR.
+ms.topic: overview
+ms.date: 04/05/2025
+---
+
+# Identity Security Initiative (Preview)
+
+Identity security is the practice of protecting the digital identities of individuals and organizations. This includes protecting passwords, usernames, and other credentials that can be used to access sensitive data or systems. Identity security is essential for protecting against a wide range of cyber threats, including phishing, malware, and data breaches.
+
+## Prerequisites
+
+- Your organization must have a Microsoft Defender for Identity license.
+- [Review prerequisites and permissions needed](/security-exposure-management/prerequisites) for working with Security Exposure Management.
+
+## View Identity Security Initiatives
+1. Navigate to the [Microsoft Defender portal](https://security.microsoft.com/).
+1. From the Exposure management section on the navigation bar, select **Exposure insights** **>** **Initiatives** to open the Identity Security page.
+
+   :::image type="content" source="media/identity-security-initiative/screenshot-of-the-identity-security-initiative-page.png" alt-text="Screenshot showing the Identity security initiative page." lightbox="media/identity-security-initiative/screenshot-of-the-identity-security-initiative-page.png":::
+
+## Review security metrics
+
+Metrics in security initiatives help you to measure exposure risk for different areas within the initiative. Each metric gathers together one or more recommendations for similar assets.
+Metrics can be associated with one or more initiatives.
+
+On the **Metrics** tab of an initiative, or in the Metrics section of Exposure Insights, you can see the metric state, its effect, and relative importance in an initiative, and recommendations to improve the metric.
+We recommend that you prioritize metrics with the highest impact on Initiative Score level. This composite measure considers both the weight value of each recommendation and the percentage of noncompliant recommendations.
+
+:::image type="content" source="media/identity-security-initiative/screenshot-of-the-security-metrics-page.png" alt-text="Screenshot showing the security metrics page." lightbox="media/identity-security-initiative/screenshot-of-the-security-metrics-page.png":::
+
+
+|Metric property |Description  |
+|---------|---------|
+|**Metric name**    | The name of the metric.        |
+|**Progress**   |Shows the improvement of the exposure level for the metric from 0 (high exposure) to 100 (no exposure).         |
+|**State**   | Shows if the metric needs attention or if the target was met.       |
+|**Total assets**  | Total number of assets under the metric scope.        |
+|**Recommendations**   | Security recommendations associated with the metric.        |
+|**Weight**    | The relative weight (importance) of the metric within the initiative, and its effect on the initiative score. Shown as High, Medium, and Low. It can also be defined as Risk accepted.        |
+|**14-day trend** | Shows the metric value changes over the last 14 days.        |
+|**Last updated** | Shows a timestamp of when the metric was last updated.
+
+> [!NOTE]
+> The Affected assets experience isn't fully supported during the Preview phase.
+
+## View Identity security recommendations 
+
+ The Security recommendations tab displays a list of prioritized remediation actions related to your identity security posture. Each recommendation is evaluated for compliance and mapped to its corresponding risk impact, workload, and domain. This view helps you triage and take action based on urgency and business relevance.
+
+:::image type="content" source="media/identity-security-initiative/screenshot-showing-the-security-recommendations-page.png" alt-text="Showing showing the security recommendations page." lightbox="media/identity-security-initiative/screenshot-showing-the-security-recommendations-page.png":::
+
+Sort the recommendations by any of the headings or filter them based on your task needs. 
+
+| **Column**             | **Description**                                                                 |
+|------------------------|---------------------------------------------------------------------------------|
+| **Name**               | The name of the recommended action (for example, *Configure VPN integration*, *Enable MFA*). |
+| **State**              | Indicates whether the recommendation is *Compliant* or *Not Compliant*.         |
+| **Impact**             | The security impact level (Low, Medium, or High) of implementing the recommendation. |
+| **Workload**           | The Microsoft service area the recommendation applies to (for example, Defender for Identity, Microsoft Entra ID). |
+| **Domain**             | The security domain (for example, identity, apps) associated with the recommendation.   |
+| **Last calculated**    | The most recent time the recommendation's status was evaluated.                 |
+| **Last state change**  | When the recommendation’s compliance state last changed.                        |
+| **Related initiatives**| Number of security initiatives impacted by this recommendation.                 |
+| **Related metrics**    | Number of security metrics that this recommendation contributes to.             |
+
+Security Exposure Management categorizes recommendations by compliance status, as follows:
+
+- **Compliant**: Indicates that the recommendation was implemented successfully.
+- **Not complaint**: Indicates that the recommendation wasn't fixed.
+
+## Set target score
+
+You can set a customized target score for the initiative, taking your organization’s unique set of circumstances, priorities, and risk appetite into account.
+
+To set a target store, select the initiative, and then select **Set target score** from the top of the initiative pane.
+
+:::image type="content" source="media/identity-security-initiative/set-target-score.png" alt-text="Screenshot showing the set target score button." lightbox="media/identity-security-initiative/set-target-score.png":::
+
+## Related content
+
+- [Review security initiatives](/security-exposure-management/initiatives)
+
+- [Investigate security initiative metrics](/security-exposure-management/security-metrics)

ATPDocs/media/identity-security-initiative/screenshot-of-the-identity-security-initiative-page.png

@@ -257,6 +257,8 @@ items:
            href: security-assessment-unsecure-account-attributes.md
          - name: Weak cipher usage assessment
            href: security-assessment-weak-cipher.md
+     - name: Identity security initiative (Preview)
+       href: identity-security-initiative.md
 - name: Reference
   items:
   - name: Operations guide

ATPDocs/media/identity-security-initiative/screenshot-of-the-security-metrics-page.png

@@ -10,7 +10,7 @@ ms.topic: conceptual
 ms.service: defender-endpoint
 ms.subservice: ngp
 ms.localizationpriority: medium
-ms.date: 03/25/2025
+ms.date: 04/29/2025
 search.appverid: met150
 ---
 
@@ -69,7 +69,7 @@ The following table shows the different ways to configure behavior monitoring.
 | CSP | AllowBehaviorMonitoring | [Defender Policy CSP](/mem/intune/protect/antivirus-microsoft-defender-settings-windows#real-time-protection)   |
 | Configuration Manager Tenant Attach | Turn on behavior monitoring | [Windows Antivirus policy settings from Microsoft Defender Antivirus for tenant attached devices](/mem/intune/protect/antivirus-microsoft-defender-settings-windows-tenant-attach#real-time-protection) |
 | Group Policy | Turn on behavior monitoring | [Download Group Policy Settings Reference Spreadsheet for Windows 11 2023 Update (23H2)](https://www.microsoft.com/download/details.aspx?id=105668)   |
-| PowerShell | Set-Preference -DisableBehaviorMonitoring | [Set-MpPreference](/powershell/module/defender/set-mppreference#-disablebehaviormonitoring) |
+| PowerShell | Set-MpPreference -DisableBehaviorMonitoring | [Set-MpPreference](/powershell/module/defender/set-mppreference#-disablebehaviormonitoring) |
 | WMI | boolean  DisableBehaviorMonitoring;  | [MSFT\_MpPreference class](/previous-versions/windows/desktop/defender/msft-mppreference) |
 
 If you use Microsoft Defender for Business, see [Review or edit your next-generation protection policies in Microsoft Defender for Business](/defender-business/mdb-next-generation-protection).

ATPDocs/media/identity-security-initiative/screenshot-showing-the-security-recommendations-page.png

@@ -318,10 +318,10 @@ Defender for Endpoint on iOS enables admins to configure custom indicators on iO
 
 > [!NOTE]
 > Defender for Endpoint on iOS supports creating custom indicators only for URLs and domains. IP based custom indicators aren't supported on iOS. 
+> > IP `245.245.0.1` is an internal Defender IP and shouldn't be included in custom indicators by customers to avoid any functionality issues.
+> > For iOS, no alerts are generated in the Microsoft Defender portal when the URL or domain set in the indicator is accessed.
 > 
-> IP `245.245.0.1` is an internal Defender IP and shouldn't be included in custom indicators by customers to avoid any functionality issues.
-> 
-> For iOS, no alerts are generated in the Microsoft Defender portal when the URL or domain set in the indicator is accessed.
+> MDE portal Timeline doesn't display the URL for Custom URL Indicator Blocks for unsupervised devices, instead it marks hidden for privacy.
 
 ## Configure vulnerability assessment of apps
 
@@ -374,7 +374,7 @@ Defender for Endpoint on iOS supports vulnerability assessments of OS and apps.
    - The privacy approval screen appears only for unsupervised devices.
    - Only if end-user approves the privacy, the app information is sent to the Defender for Endpoint console.
 
-   :::image type="content" source="media/tvm-user-privacy2.png" alt-text="Screenshot of the end user privacy screen." lightbox="media/tvm-user-privacy2.png":::
+      :::image type="content" source="media/tvm-user-privacy2.png" alt-text="Screenshot of the end user privacy screen.":::
 
 Once the client versions are deployed to target iOS devices, processing starts. Vulnerabilities found on those devices start showing up in the Defender Vulnerability Management dashboard. The processing might take few hours (max 24 hours) to complete. This time frame is especially true for the entire list of apps to show up in the software inventory.
 

ATPDocs/media/identity-security-initiative/set-target-score.png

@@ -68,10 +68,14 @@ For detailed licensing information, see [Product Terms: Microsoft Defender for E
 
 The following Linux server distributions and x64 (AMD64/EM64T) versions are supported:
 
-- Red Hat Enterprise Linux 7.2 or higher 
+- Red Hat Enterprise Linux 7.2 and higher 
+
 - Red Hat Enterprise Linux 8.x 
 - Red Hat Enterprise Linux 9.x 
-- CentOS 7.2 or higher, excluding CentOS Stream 
+- CentOS 7.2 and higher, excluding CentOS Stream 
+
+- CentOS 8.x
+
 - Ubuntu 16.04 LTS 
 - Ubuntu 18.04 LTS 
 - Ubuntu 20.04 LTS 
@@ -80,7 +84,8 @@ The following Linux server distributions and x64 (AMD64/EM64T) versions are supp
 - Debian 9 - 12 
 - SUSE Linux Enterprise Server 12.x 
 - SUSE Linux Enterprise Server 15.x 
-- Oracle Linux 7.2 or higher 
+- Oracle Linux 7.2 and higher 
+
 - Oracle Linux 8.x 
 - Oracle Linux 9.x 
 - Amazon Linux 2 
@@ -174,13 +179,6 @@ If the Microsoft Defender for Endpoint installation fails due to missing depende
 - For RHEL6 the mdatp RPM package requires `policycoreutils`, `libselinux`, and `mde-netfilter`.
 - For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, and `mde-netfilter`.
 
-> [!NOTE]
-> Beginning with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology.
-> If eBPF isn't supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.0001` or older, the following additional dependency on the auditd package exists for mdatp:
-> - The mdatp RPM package requires `audit`, `semanage`.
-> - For DEBIAN, the mdatp package requires `auditd`.
-> - For Mariner, the mdatp package requires `audit`.
-
 The `mde-netfilter` package also has the following package dependencies:
 
 - For DEBIAN, the mde-netfilter package requires `libnetfilter-queue1` and `libglib2.0-0`

ATPDocs/toc.yml

@@ -6,7 +6,7 @@ author: emmwalshh
 ms.author: ewalsh
 ms.reviewer: yongrhee
 manager: deniseb
-ms.date: 09/16/2024
+ms.date: 04/29/2025
 ms.topic: conceptual
 ms.service: defender-endpoint
 ms.subservice: ngp
@@ -19,28 +19,35 @@ ms.collection:
 
 # Use safe deployment practices to safeguard and manage your environment
 
-Microsoft follows safe deployment practices (SDP) to minimize the risk of security updates having an unexpected impact. This article describes Microsoft Defender for Endpoint's approach to SDP and what customers can do to manage their own roll-out processes to add an extra layer of control.
+<!-- Added introductory text to emphasize why updates are important. Mirrors language from https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-for-endpoint%e2%80%99s-safe-deployment-practices/4220342 -->
+
+Microsoft Defender for Endpoint helps protect organizations against sophisticated adversaries while optimizing for resiliency, performance, and compatibility, following [best practices for managing security tools in Windows](https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-best-practices-for-integrating-and-managing-security-tools/). Keeping Microsoft Defender for Endpoint up to date is essential to ensure your devices have the latest technology and features needed to protect against new malware and attack techniques.
+
+Microsoft follows safe deployment practices (SDP) to deliver critical new product capabilities while minimizing the risk of updates having unexpected impacts to endpoint performance and availability. This article describes Defender for Endpoint's approach to SDP and how customers can manage their own roll-out processes to add extra layers of control to meet their own business, technical, and security requirements.
+
+## Approach and update types
 
 Microsoft Defender for Endpoint ships updates externally only after all the certification and validation tests are completed across multiple iterations of internal devices.
 
 Defender for Endpoint applies SDP to two distinct update mechanisms:
 
-- Software and driver updates that are updated monthly (can potentially update kernel-mode components).
-- Security intelligence and detection logic updates that can be updated multiple times a day (updates only apply to user-mode components).
+- Software and driver updates that are updated monthly and can potentially update kernel-mode components.
+
+- Security intelligence and detection logic updates that can be updated multiple times a day and apply only to user-mode components.
 
 ## Monthly SDP software and driver updates
 
 Defender for Endpoint releases monthly software and driver updates that add new functionality, improve existing features, and resolve bugs.
 
-Defender for Endpoint's kernel drivers capture system-wide signals like process execution, file creation, and network activity. These drivers are updated through Windows Update, over a gradual and staged deployment process after spending weeks in stabilization and testing. The deployment evaluation monitors key metrics like reliability, performance, battery, application compatibility, and more across hardware and software configurations. 
+Defender for Endpoint's kernel drivers captures system-wide signals like process execution, file creation, and network activity. These drivers are updated through Windows Update, over a gradual and staged deployment process after spending weeks in stabilization and testing. The deployment evaluation monitors key metrics like reliability, performance, battery, application compatibility, and more across hardware and software configurations. 
 
 The process for rolling out software and driver updates for Defender for Endpoint is shown in this image:
 
 :::image type="content" alt-text="Screenshot that shows the process for rolling out software and driver updates for Defender for Endpoint." source="/defender/media/defender-endpoint/mde-software-driver-updates.png" lightbox="/defender/media/defender-endpoint/mde-software-driver-updates.png":::
 
 ### Microsoft SDP for monthly updates
 
-All code and content changes go through engineering release gates along with extensive validations and stability testing. After the certification and validation process, Microsoft ships the updates through multiple groups of devices known as stabilization rings. The first stabilization ring targets Microsoft's hundreds of thousands of employees and millions of internal devices. This helps ensure Microsoft discovers and addresses issues first, before customers.
+All code and content changes go through engineering release gates along with extensive validations and stability testing. After the certification and validation process, Microsoft ships the updates through multiple groups of devices known as stabilization rings. The first stabilization ring targets Microsoft's hundreds of thousands of employees and millions of internal devices. This helps ensure your devices are equipped with the latest technology and features necessary to defend against emerging malware and attack techniques.
 
 Within each ring, Microsoft closely monitors quality signals such as product behavior and performance, false positives, as well as functional and reliability issues, before proceeding to roll out the update to a broader set of devices.