Merge branch 'main' into docs-editor/whats-new-in-microsoft-defende-1716322379

Author: denisebmsft

defender-endpoint/uefi-scanning-in-defender-for-endpoint.md

@@ -11,12 +11,13 @@ ms.service: defender-endpoint
 ms.subservice: ngp
 ms.localizationpriority: medium
 ms.custom:
-  - admindeeplinkDEFENDER
+- admindeeplinkDEFENDER
+ - partner-contribution
 ms.collection: 
 - m365-security
 - tier2
 search.appverid: met150
-ms.date: 04/30/2024
+ms.date: 05/22/2024
 ---
 
 # UEFI scanning in Defender for Endpoint
@@ -91,13 +92,16 @@ To detect unknown threats in SPI flash, signals from the UEFI scanner are analyz
 These events can likewise be queried through advanced hunting as shown:
 
 ```kusto
-DeviceAlertEvents
-
+let AlertStats = AlertInfo
+| where Timestamp > ago(30d)
+| where ServiceSource == "Microsoft Defender for Endpoint"
+| where DetectionSource == "Antivirus"
 | where Title has "UEFI"
-
+| join AlertEvidence on AlertId;
+AlertStats
+| join DeviceInfo on DeviceId
+| distinct DeviceName, DeviceId, AlertId, Title, Severity, DetectionSource, Timestamp
 | summarize Titles=makeset(Title) by DeviceName, DeviceId, bin(Timestamp, 1d)
-
-| limit 100
 ```
 
 ## Comprehensive security levels up with low-level protections

defender-office-365/defender-for-office-365-whats-new.md

@@ -39,6 +39,13 @@ For more information on what's new with other Microsoft Defender security produc
 - [What's new in Microsoft Defender for Identity](/defender-for-identity/whats-new)
 - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
 
+## May 2024
+
+- We are introducing Sender's copy clean-up features in Threat Explorer, email entity, Summary Panel, and Advanced hunting. These new features will streamline the process of managing Sent items, particularly for admins who use Soft delete and Move to inbox actions. For more information, see [Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md). Key highlights:
+  - Integration with Soft delete: Sender's copy clean-up will be incorporated as part of the Soft delete action.
+  - Wide support: This action will be supported across various Defender XDR platforms including Threat Explorer, Take Action wizard from the email entity, Summary Panel, Advanced hunting, and through Microsoft Graph API.
+  - Undo capability: An undo action will be available, allowing you to reverse the clean-up by moving items back to the Sent folder.
+
 ## April 2024
 
 - **Last used date** added to Tenant Allow/Block List entries for domains and email addresses, files, and URLs.

defender-office-365/remediate-malicious-email-delivered-office-365.md

@@ -79,11 +79,8 @@ Open any remediation item to view details about it, including its remediation na
   - **Actionable**: Emails in the following cloud mailbox locations can be acted on and moved:
     - Inbox
     - Junk
-    - Deleted folder
-    - Soft-deleted folder
-
-      > [!NOTE]
-      > Currently, only a user with access to the mailbox can recover items from a soft-deleted folder.
+    - Deleted Items folder
+    - Recoverable Items\Deletions folder (soft deleted items)
 
   - **Not actionable**: Emails in the following locations can't be acted on or moved in remediation actions:
     - Quarantine
@@ -96,8 +93,11 @@ Open any remediation item to view details about it, including its remediation na
     - **Move to junk folder**: Moves messages to the user's Junk Email folder.
     - **Move to inbox**: Moves messages to the users Inbox folder.
     - **Move to deleted items**: Moves messages to the user's Deleted Items folder.
-    - **Soft delete**: Moves messages to a deleted folder in the cloud.
-    - **Hard delete**: Permanently deletes the messages.
+    - **Soft delete**: Delete the message from the Deleted items folder (move to the Recoverable Items\Deletions folder). The message is recoverable by the user and admins.
+
+      **Delete sender's copy**: Also try to soft delete the message from the sender's Sent Items folder if the sender is the organization.
+
+    - **Hard delete**: Purge the deleted message. Admins can recover hard deleted items using single-item recovery. For more information about hard deleted and soft deleted items, see [Soft-deleted and hard-deleted items](/compliance/assurance/assurance-exchange-online-data-deletion#soft-deleted-and-hard-deleted-items).
 
   Suspicious messages are categorized as either remediable or nonremediable. In most cases, remediable and nonremediable messages combine equals total messages submitted. But in rare cases this may not be true. This can happen because of system delays, timeouts, or expired messages. Messages expire based on the Explorer retention period for your organization.
 

defender-office-365/submissions-admin.md

@@ -27,7 +27,7 @@ appliesto:
 
 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
 
-For more information about what Microsoft does to your submissions, [check this out](submissions-report-messages-files-to-microsoft.md#report-suspicious-email-messages-to-microsoft).
+For more information about how Microsoft stores and handle your submissions, [check this out](submissions-report-messages-files-to-microsoft.md#report-suspicious-email-messages-to-microsoft).
 
 In Microsoft 365 organizations with Exchange Online mailboxes, admins can use the **Submissions** page in the Microsoft Defender portal to submit messages, URLs, and attachments to Microsoft for analysis. There are two basic types of admin submissions:
 
@@ -39,7 +39,7 @@ In Microsoft 365 organizations with Exchange Online mailboxes, admins can use th
 
   After an admin submits the message from the **User reported** tab, an entry is also created on the corresponding tab on the **Submissions** page (for example, the **Emails** tab). These types of admin submissions are described in the [Admin options for user reported messages](#admin-options-for-user-reported-messages) section.
 
-When admins submit messages to Microsoft for analysis, we do the following checks:
+When admins submit messages or sends user report to Microsoft for analysis, we do the following checks:
 
 - **Email authentication check** (email messages only): Whether email authentication passed or failed when it was delivered.
 - **Policy hits**: Information about any policies or overrides that might have allowed or blocked the incoming email into the organization, thus overriding our filtering verdicts.

defender-office-365/threat-explorer-threat-hunting.md

@@ -7,7 +7,7 @@ author: chrisda
 manager: deniseb
 audience: ITPro
 ms.topic: conceptual
-ms.date: 4/26/2024
+ms.date: 05/20/2024
 ms.localizationpriority: medium
 ms.collection:
   - m365-security
@@ -176,15 +176,13 @@ Selecting :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" b
 |---|:---:|:---:|
 |**Move to mailbox folder**|✔¹||
 |**Submit to Microsoft for review**|✔|✔|
-|  **Allow or block entries in the Tenant Allow/Block List**³|✔|✔|
+|  **Allow or block entries in the Tenant Allow/Block List**²|✔|✔|
 |**Initiate automated investigation**|✔||
-|**Propose remediation**|✔|²|
+|**Propose remediation**|✔||
 
 ¹ This action requires the **Search and Purge** role in [Email & collaboration permissions](mdo-portal-permissions.md). By default, this role is assigned only to the **Data Investigator** and **Organization Management** role groups. You can add users to those role groups, or you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Search and Purge** role assigned, and add the users to the custom role group.
 
-² Although this action might appear available in Real-time detections, it's not available in Defender for Office 365 Plan 1.
-
-³ This action is available under **Submit to Microsoft for review**.
+² This action is available under **Submit to Microsoft for review**.
 
 The **Take action** wizard is described in the following list:
 
@@ -205,8 +203,14 @@ The **Take action** wizard is described in the following list:
    - **Move to mailbox folder**: Select one of the available values that appear:
      - **Junk**: Move the message to the Junk Email folder.
      - **Inbox**: Move the message to the Inbox.
+
+       **Move back to Sent Items folder**: Also try to move the message from the sender's Recoverable Items\Deletions folder to the Sent Items folder if the sender is the organization.
+
      - **Deleted items**: Move the message to the Deleted items folder.
      - **Soft deleted items**: Delete the message from the Deleted items folder (move to the Recoverable Items\Deletions folder). The message is recoverable by the user and admins.
+
+       **Delete sender's copy**: Also try to soft delete the message from the sender's Sent Items folder if the sender is the organization.
+
      - **Hard deleted items**: Purge the deleted message. Admins can recover hard deleted items using single-item recovery. For more information about hard deleted and soft deleted items, see [Soft-deleted and hard-deleted items](/compliance/assurance/assurance-exchange-online-data-deletion#soft-deleted-and-hard-deleted-items).
 
    - **Submit to Microsoft for review**: Select one of the available values that appear:

defender-xdr/advanced-hunting-take-action.md

@@ -80,6 +80,8 @@ Apart from device-focused remediation steps, you can also take some actions on e
 
 - `Delete email` - select this to move email messages to the Deleted items folder (**Soft delete**) or delete them permanently (**Hard delete**)
 
+   Selecting **Soft delete** also offers the option to **Delete sender's copy**, which also tries to soft delete the message from the sender's Sent Items folder if the sender is the organization.
+
    :::image type="content" source="/defender/media/advanced-hunting-take-actions-email-del.png" alt-text="The Take actions option in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-take-actions-email-del.png":::
 
 You can also provide a remediation name and a short description of the action taken to easily track it in the action center history. You can also use the Approval ID to filter for these actions in the action center. This ID is provided at the end of the wizard: