Merge branch 'main' into v-smandalika-9283901

Author: denisebmsft

defender-endpoint/indicator-file.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
-ms.date: 03/20/2024
+ms.date: 08/26/2024
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -115,17 +115,15 @@ Choose if to Generate an alert on the file block event and define the alerts set
 :::image type="content" source="media/indicators-generate-alert.png" alt-text="The Alert settings for file indicators" lightbox="media/indicators-generate-alert.png":::
 
 > [!IMPORTANT]
->
-> - Typically, file blocks are enforced and removed within a couple of minutes, but can take upwards of 30 minutes.
-> - If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure hash will be applied. An SHA-256 file hash IoC policy will win over an SHA-1 file hash IoC policy, which will win over an MD5 file hash IoC policy if the hash types define the same file. This is always true regardless of the device group.
-> - In all other cases, if conflicting file IoC policies with the same enforcement target are applied to all devices and to the device's group, then for a device, the policy in the device group will win.
-> - If the EnableFileHashComputation group policy is disabled, the blocking accuracy of the file IoC is reduced. However, enabling `EnableFileHashComputation` may impact device performance. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance.
->
+> - Typically, file blocks are enforced and removed within15 minutes, average 30 minutes but can take upwards of 2 hours.
+- If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure hash will be applied. An SHA-256 file hash IoC policy will win over an SHA-1 file hash IoC policy, which will win over an MD5 file hash IoC policy if the hash types define the same file. This is always true regardless of the device group.
+- In all other cases, if conflicting file IoC policies with the same enforcement target are applied to all devices and to the device's group, then for a device, the policy in the device group will win.
+- If the EnableFileHashComputation group policy is disabled, the blocking accuracy of the file IoC is reduced. However, enabling `EnableFileHashComputation` may impact device performance. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance.
+
 > For more information about the EnableFileHashComputation group policy, see [Defender CSP](/windows/client-management/mdm/defender-csp).
->
-> For more information on configuring this feature on Defender for Endpoint on Linux and macOS, see [Configure file hash computation feature on Linux](linux-preferences.md#configure-file-hash-computation-feature) and [Configure file hash computation feature on macOS](mac-preferences.md#configure-file-hash-computation-feature).
+> > For more information on configuring this feature on Defender for Endpoint on Linux and macOS, see [Configure file hash computation feature on Linux](linux-preferences.md#configure-file-hash-computation-feature) and [Configure file hash computation feature on macOS](mac-preferences.md#configure-file-hash-computation-feature).
 
-## Advanced hunting capabilities (preview)
+> ## Advanced hunting capabilities (preview)
 
 > [!IMPORTANT]
 > Information in this section (**Public Preview for Automated investigation and remediation engine**) relates to prerelease product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -158,11 +156,17 @@ The response action activity can also be viewable in the device timeline.
 Cert and File IoC policy handling conflicts follow this order:
 
 1. If the file isn't allowed by Windows Defender Application Control and AppLocker enforce mode policies, then **Block**.
+
 2. Else, if the file is allowed by the Microsoft Defender Antivirus exclusions, then **Allow**.
+
 3. Else, if the file is blocked or warned by a block or warn file IoCs, then **Block/Warn**.
+
 4. Else, if the file is blocked by SmartScreen, then **Block**.
+
 5. Else, if the file is allowed by an allow file IoC policy, then **Allow**.
+
 6. Else, if the file is blocked by attack surface reduction rules, controlled folder access, or antivirus protection, then **Block**.
+
 7. Else, **Allow** (passes Windows Defender Application Control & AppLocker policy, no IoC rules apply to it).
 
 > [!NOTE]
@@ -184,15 +188,13 @@ Microsoft Defender Vulnerability Management's block vulnerable application featu
 |Windows Defender Application Control|Allow|Block|Allow|
 |Windows Defender Application Control|Block|Allow|Block|
 |Microsoft Defender Antivirus exclusion|Allow|Block|Allow|
-|
 
 ## See also
 
 - [Create indicators](manage-indicators.md)
 - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
 - [Create indicators based on certificates](indicator-certificates.md)
 - [Manage indicators](indicator-manage.md)
-
 - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/indicator-ip-domain.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: 
 search.appverid: met150
-ms.date: 10/06/2023
+ms.date: 08/26/2024
 ---
 
 # Create indicators for IPs and URLs/domains
@@ -46,38 +46,42 @@ You can block malicious IPs/URLs through the settings page or by machine groups,
 > [!NOTE]
 > Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.
 
-## Before you begin
-
-It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:
-
-### Network Protection requirements
-
-URL/IP allow and block requires that the Microsoft Defender for Endpoint component _Network Protection_ is enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).
-
 ### Supported operating systems
 
-- Windows 10, version 1709 or later
 - Windows 11
-- Windows Server 2016
-- Windows Server 2012 R2
-- Windows Server 2019
+- Windows 10, version 1709 or later
 - Windows Server 2022
+- Windows Server 2019
+- Windows Server 2016 running [Defender for Endpoint modern unified solution](/defender-endpoint/configure-server-endpoints) (requires installation through MSI)
+- Windows Server 2012 R2 running [Defender for Endpoint modern unified solution](/defender-endpoint/configure-server-endpoints) (requires installation through MSI)
 - macOS
 - Linux
 - iOS 
 - Android
 
-### Windows Server 2016 and Windows Server 2012 R2 requirements
+## Before you begin
 
-Windows Server 2016 and Windows Server 2012 R2 must be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2016-and-windows-server-2012-r2).
+It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains.
 
 ### Microsoft Defender Antivirus version requirements
 
-The _Antimalware client version_ must be 4.18.1906.x or later.
+This feature is available if your organization uses [Microsoft Defender Antivirus](/defender-endpoint/microsoft-defender-antivirus-windows) (in active mode)
+
+[Behavior Monitoring](/defender-endpoint/behavior-monitor) is enabled
+
+[Cloud-based protection](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus) is turned on.
+
+[Cloud Protection network connectivity](/defender-endpoint/configure-network-connections-microsoft-defender-antivirus) is functional
+
+The antimalware client version must be `4.18.1906.x` or later. See [Monthly platform and engine versions](/defender-endpoint/microsoft-defender-antivirus-updates).
+
+### Network Protection requirements
+
+URL/IP allow and block requires that the Microsoft Defender for Endpoint component _Network Protection_ is enabled in **block mode**. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).
 
 ### Custom network indicators requirements
 
-Ensure that **Custom network indicators** is enabled in **Microsoft Defender XDR** \> **Settings** \> **Advanced features**. For more information, see [Advanced features](advanced-features.md).
+To start blocking IP addresses and/or URL's, turn on "**Custom network indicators"** feature in the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints** > **General** > **Advanced features**. For more information, see [Advanced features](advanced-features.md).
 
 For support of indicators on iOS, see [Microsoft Defender for Endpoint on iOS](ios-configure-features.md#configure-custom-indicators).
 
@@ -138,7 +142,7 @@ In the case where multiple different action types are set on the same indicator
 2. Warn
 3. Block
 
-_Allow_ overrides _warn_ which overrides _block_: Allow > Warn > Block. Therefore, in the above example, Microsoft.com would be allowed.
+_Allow_ overrides _warn_ which overrides _block_: Allow > Warn > Block. Therefore, in the above example, `Microsoft.com` would be allowed.
 
 ### Defender for Cloud Apps Indicators
 

defender-office-365/anti-spam-policies-asf-settings-about.md

@@ -18,7 +18,7 @@ ms.custom:
   - seo-marvel-apr2020
 description: Admins can learn about the Advanced Spam Filter (ASF) settings that are available in anti-spam policies in Exchange Online Protection (EOP).
 ms.service: defender-office-365
-ms.date: 06/10/2024
+ms.date: 08/26/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -73,7 +73,7 @@ The following **Increase spam score** ASF settings result in an increase in spam
 |**Image links to remote websites** (_IncreaseScoreWithImageLinks_)|Messages that contain `<Img>` HTML tag links to remote sites (for example, using http) are marked as spam.|`X-CustomSpam: Image links to remote sites`|
 |**Numeric IP address in URL** (_IncreaseScoreWithNumericIps_)|Messages that contain numeric-based URLs (typically, IP addresses) are marked as spam.|`X-CustomSpam: Numeric IP in URL`|
 |**URL redirect to other port** (_IncreaseScoreWithRedirectToOtherPort_)|Messages that contain hyperlinks that redirect to TCP ports other than 80 (HTTP), 8080 (alternate HTTP), or 443 (HTTPS) are marked as spam.|`X-CustomSpam: URL redirect to other port`|
-|**Links to .biz or .info websites** (_IncreaseScoreWithBizOrInfoUrls_)|Messages that contain `.biz` or `.info` links in the body of the message are marked as spam.|`X-CustomSpam: URL to .biz or .info websites`|
+|**Links to .biz or .info websites** (_IncreaseScoreWithBizOrInfoUrls_)|Messages that contain `.biz` or `.info` links in the body of the message are marked as spam. <br/><br/> Note that URLs such as `contoso.info.com` (where `.biz` or `.info` is not the top-level domain) will also match. |`X-CustomSpam: URL to .biz or .info websites`|
 
 ## Mark as spam settings