
Commit 8594c1a

Merge pull request #2991 from MicrosoftDocs/main
Publish main to live, 03/03/25, 3:30 PM PT
2 parents 8ed543b + 121eff9 commit 8594c1a


14 files changed

+184
-35
lines changed


defender-endpoint/api/management-apis.md

Lines changed: 5 additions & 5 deletions
@@ -33,7 +33,7 @@ Defender for Endpoint supports a wide variety of deployment, configuration, and
3333

3434
## Endpoint onboarding and portal access
3535

36-
Device onboarding is fully integrated into Microsoft Intune and Microsoft Configuration Manager for client devices. For servers, you can choose from several options, such as Defender for Endpoint Server, Defender for Servers (as part of the Defender for Cloud offering), or Defender for Business servers (for small and medium-sized businesses).
36+
Device onboarding is fully integrated into Microsoft Intune and Microsoft Configuration Manager for client devices. You can onboard both client and server devices using the Microsoft Defender portal. Or, for servers, you can use Defender for Cloud, which integrates with Defender for Endpoint and Defender for Business. (Server licenses are required; for more information, see [Onboard servers to Defender for Endpoint](/defender-endpoint/onboard-server) and [Onboard devices to Defender for Business](/defender-business/mdb-onboard-devices).)
3737

3838
The Microsoft Defender portal provides your security team with a robust, end-to-end experience for configuration, deployment, and monitoring. In addition, Microsoft Defender for Endpoint supports Group Policy and other non-Microosft tools used for managing devices.
3939
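Review bot: The unchanged context line 38 in this hunk still carries the typo "non-Microosft tools"; since the onboarding paragraph directly above it is being rewritten anyway, fix it to "non-Microsoft tools" in the same change rather than leaving a visible typo next to freshly edited text.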

@@ -47,7 +47,7 @@ Defender for Endpoint provides fine-grained control over what users with access
4747

4848
Defender for Endpoint is built on top of an integration-ready platform.
4949

50-
Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs enable you to automate workflows and innovate based on Defender for Endpoint capabilities. You can also the Defender for Endpoint APIs with Defender for Business, for the capabilities that are supported in Defender for Business.
50+
Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs enable you to automate workflows and innovate based on Defender for Endpoint capabilities. You can also use the Defender for Endpoint APIs with Defender for Business for the capabilities that are supported in Defender for Business.
5151

5252
:::image type="content" source="../media/mdatp-apis.png" alt-text="The available API and integration in Microsoft Defender for Endpoint" lightbox="../media/mdatp-apis.png":::
5353

@@ -73,7 +73,7 @@ The **Response API** exposes the ability to take actions in the service and on d
7373

7474
Defender for Endpoint raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
7575

76-
The Defender for Endpoint event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines.
76+
The Defender for Endpoint event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or other data processing engines.
7777

7878
For more information, see [Raw data streaming API](raw-data-export.md).
7979

@@ -82,9 +82,9 @@ For more information, see [Microsoft Defender XDR Streaming API](/defender-xdr/s
8282

8383
## SIEM API
8484

85-
When you enable security information and event management (SIEM) integration, it allows you to pull detections from Microsoft Defender XDR using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Microsoft Entra tenant.
85+
When you enable security information and event management (SIEM) integration, you can pull detections from Microsoft Defender XDR using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Microsoft Entra tenant.
8686

87-
## Related topics
87+
## Related articles
8888

8989
- [Access the Microsoft Defender for Endpoint APIs](apis-intro.md)
9090
- [Supported APIs](exposed-apis-list.md)
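Review bot: The rewritten line 85 fixes the dangling "it allows you", but the second sentence keeps the vague antecedent "This activates" and switches to passive voice mid-sentence ("and an application is created under your Microsoft Entra tenant"). Suggest one active sentence so readers understand that turning on the integration itself creates the app registration: "Enabling the integration populates the SIEM connector access details section and creates an application in your Microsoft Entra tenant."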

defender-endpoint/defender-endpoint-false-positives-negatives.md

Lines changed: 18 additions & 27 deletions
@@ -6,7 +6,7 @@ ms.subservice: ngp
66
ms.author: ewalsh
77
author: emmwalshh
88
ms.localizationpriority: medium
9-
ms.date: 01/30/2025
9+
ms.date: 03/03/2025
1010
manager: deniseb
1111
audience: ITPro
1212
ms.collection:
@@ -37,36 +37,27 @@ search.appverid: met150
3737

3838
In endpoint protection solutions, a false positive is an entity, such as a file or a process that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Defender for Endpoint](microsoft-defender-endpoint.md).
3939

40-
If you have Microsoft Defender XDR, review the "Alerts sources" as described in [Investigate alerts in Microsoft Defender XDR](/defender-xdr/investigate-alerts?tabs=settings).
40+
If you have Microsoft Defender XDR, review the "Alerts sources" as described in [Investigate alerts in Microsoft Defender XDR](/defender-xdr/investigate-alerts?tabs=settings). If the alert source is Defender for Endpoint, continue to read this article.
4141

42-
Continue here if the "Alert source" is "Microsoft Defender for Endpoint".
42+
## Identify the detection source
4343

44-
The next step is to review the "detection source":
44+
When you have a false positive, a good first step is to try to determine its detection source. The following table lists detection sources and potential solutions.
4545

4646
|Detection source| Information|
4747
| -------- | -------- |
48-
|EDR|The alert is related to Microsoft Defender for Endpoint – Endpoint Detection and Response <br/>Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives) <br/>Work-around: Add an EDR exclusion|
49-
|Antivirus|The alert relates to Microsoft Defender Antivirus in Active mode (Primary) where it will block. If Microsoft Defender Antivirus is in Passive mode, EDR in block mode might just detect.<br/>Solution: Submit the False Positive to [https://aka.ms/wdsi](https://aka.ms/wdsi) <br/>Work-around: Add [Indicators - File hash - allow ](/defender-endpoint/defender-endpoint-false-positives-negatives)or an [AV exclusion](/defender-endpoint/defender-endpoint-false-positives-negatives)|
50-
| Custom TI| Custom indicators (Indicators - [file hash](/defender-endpoint/indicator-file) or [ip address or URL](/defender-endpoint/indicator-ip-domain) or [certificates](/defender-endpoint/indicator-certificates)) <br/> • Solution: How to[ manage indicators](/defender-endpoint/indicator-manage). <br/><br/> Or if you see CustomEnterpriseBlock, it could be <br/> <br/> 1) Automated Investigation and Response (AutoIR) – <br/> • Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives) <br/> • Work-around: [Automation folder exclusions ](/defender-endpoint/manage-automation-folder-exclusions)<br/> 2) Custom detection rules deriving from Advanced Hunting (AH) – <br/> • Solution: [Manage existing custom detection rules ](/defender-xdr/custom-detection-rules)<br/> 3) EDR in block mode – <br/> • Solution: Submit the False Positive(s) to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/> • Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [AV exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/> 4) Live Response – <br/> • Solution: Submit the False Positive(s) to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/> • Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [AV exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/> 5) PUA protection – <br/> • Solution: Submit the False Positive(s) to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/> • Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [AV exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)|
51-
| Smartscreen|[ Smartscreen](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx) [report unsafe site](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or it could be related to a [Network Protection detection](https://www.microsoft.com/wdsi/support/report-exploit-guard)|
48+
|Endpoint Detection and Response (EDR) | The alert is related to EDR in Defender for Endpoint <br/>- Solution: Submit the false positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives) <br/>- Work-around: Tune the alerts|
49+
|Antivirus|The alert relates to Microsoft Defender Antivirus in active mode (primary) where it blocks. <br/>- Solution: Submit the false positive to [https://aka.ms/wdsi](https://aka.ms/wdsi) <br/>- Work-around: Add [Indicators - File hash - allow ](/defender-endpoint/defender-endpoint-false-positives-negatives)or an [Antivirus exclusion](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/><br/>If Microsoft Defender Antivirus is in passive mode, EDR in block mode might just detect.|
50+
| Custom TI| Custom indicators (Indicators <br/>- [file hash](/defender-endpoint/indicator-file)<br/>- [ip address or URL](/defender-endpoint/indicator-ip-domain)<br/>- [certificates](/defender-endpoint/indicator-certificates)) <br/><br/>Solution: [Manage indicators](/defender-endpoint/indicator-manage). <br/><br/> Or, if you see `CustomEnterpriseBlock`, your detection source could be one of the following capabilities in Defender for Endpoint: <br/><br/>1. [Automated investigation and remediation](automated-investigations.md)<br/>-- Solution: Submit the false positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives) <br/>-- Work-around: [Automation folder exclusions ](/defender-endpoint/manage-automation-folder-exclusions)<br/><br/>2. Custom detection rules deriving from [Advanced Hunting](/defender-xdr/advanced-hunting-overview) <br/>-- Solution: [Manage existing custom detection rules ](/defender-xdr/custom-detection-rules)<br/><br/>3. [EDR in block mode](/defender-endpoint/edr-in-block-mode) <br/>-- Solution: Submit the false positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [Antivirus exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/><br/>4. [Live response](live-response.md)<br/>-- Solution: Submit the false positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [Antivirus exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/><br/>5. 
[PUA protection](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)<br/>-- Solution: Submit the false positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/>-- Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [Antivirus exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)|
51+
| Smartscreen|[Smartscreen](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx): You can [Report an unsafe site](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or [submit a network protection detection](https://www.microsoft.com/wdsi/support/report-exploit-guard)|
5252

53-
:::image type="content" source="media/false-positives-overview.png" alt-text="The definition of false positive and negatives in the Microsoft Defender portal" lightbox="media/false-positives-overview.png":::
53+
## False positives and how to address them
5454

55-
Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives occurring with Defender for Endpoint, your security operations can take steps to address them by using the following process:
55+
:::image type="content" source="media/false-positives-overview.png" alt-text="Screenshot displaying the definitions of false positives and false negatives in the Microsoft Defender portal." lightbox="media/false-positives-overview.png":::
5656

57-
1. [Review and classify alerts](#part-1-review-and-classify-alerts)
58-
2. [Review remediation actions that were taken](#part-2-review-remediation-actions)
59-
3. [Review and define exclusions](#part-3-review-or-define-exclusions)
60-
4. [Submit an entity for analysis](#part-4-submit-a-file-for-analysis)
61-
5. [Review and adjust your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
62-
63-
You can get help if you still have issues with false positives/negatives after performing the tasks described in this article. See [Still need help?](#still-need-help)
57+
Fortunately, steps can be taken to address and reduce these kinds of issues.
6458

6559
:::image type="content" source="media/false-positives-step-diagram.png" alt-text="The steps to address false positives and negatives" lightbox="media/false-positives-step-diagram.png":::
6660

67-
> [!NOTE]
68-
> This article is intended as guidance for security operators and security administrators who are using [Defender for Endpoint](microsoft-defender-endpoint.md).
69-
7061
## Part 1: Review and classify alerts
7162

7263
If you see an [alert](api/alerts.md) that arose because something's detected as malicious or suspicious and it shouldn't be, you can suppress the alert for that entity. You can also suppress alerts that aren't necessarily false positives, but are unimportant. We recommend that you also classify alerts.
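Review bot: Several links in the new table rows (lines 48 to 50) are self-referential or mislabelled: the link text "https://aka.ms/wdsi" in the EDR and Custom TI rows points to /defender-endpoint/defender-endpoint-false-positives-negatives (this very article) instead of https://aka.ms/wdsi as the Antivirus row does, and "Indicators – File hash – allow" and "Antivirus exclusions" also link back to this article rather than to /defender-endpoint/indicator-file and the antivirus exclusions article referenced later in the file (defender-endpoint-antivirus-exclusions.md). Readers following the "Solution" links will land where they started. Two smaller points in the same hunk: the EDR work-around changed from "Add an EDR exclusion" to an unlinked "Tune the alerts", while every other row links its work-around, so link it to the alert suppression guidance in "Part 1: Review and classify alerts"; and the removed numbered process list (old lines 57 to 63) took the "Still need help?" pointer and the audience note with it, leaving "Fortunately, steps can be taken to address and reduce these kinds of issues." with nothing that says what the steps are beyond the diagram image.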
@@ -153,7 +144,7 @@ When you're done reviewing and undoing actions that were taken as a result of fa
153144

154145
2. On the **History** tab, select an action that you want to undo.
155146

156-
3. In the flyout pane, select **Undo**. If the action can't be undone with this method, you won't see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).)
147+
3. In the flyout pane, select **Undo**. If the action can't be undone with this method, you don't see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).)
157148

158149
### Undo multiple actions at one time
159150

@@ -182,7 +173,7 @@ When you're done reviewing and undoing actions that were taken as a result of fa
182173

183174
### Restore file from quarantine
184175

185-
You can roll back and remove a file from quarantine if you've determined that it's clean after an investigation. Run the following command on each device where the file was quarantined.
176+
You can roll back and remove a file from quarantine if you determine that it's clean after an investigation. Run the following command on each device where the file was quarantined.
186177

187178
1. Open Command Prompt as an administrator on the device:
188179

@@ -196,8 +187,8 @@ You can roll back and remove a file from quarantine if you've determined that it
196187
```
197188

198189
> [!IMPORTANT]
199-
> In some scenarios, the **ThreatName** may appear as `EUS:Win32/CustomEnterpriseBlock!cl`. Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days.
200-
> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
190+
> In some scenarios, the **ThreatName** might appear as `EUS:Win32/CustomEnterpriseBlock!cl`. Defender for Endpoint restores all custom blocked files that were quarantined on this device in the last 30 days.
191+
> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary sign-in a system or shared folder and the access tokens expired.
201192

202193
3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
203194
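Review bot: New line 191 introduces a grammatical error while replacing "log on": "a temporary sign-in a system or shared folder" is missing the preposition and should read "a temporary sign-in to a system or shared folder, after which the access tokens expired". The rest of the rewrite (removing "will" in "restores all custom blocked files") reads correctly.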

@@ -206,7 +197,7 @@ You can roll back and remove a file from quarantine if you've determined that it
206197
> [!CAUTION]
207198
> Before you define an exclusion, review the detailed information in [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md). Keep in mind that every exclusion that is defined lowers your level of protection.
208199

209-
An exclusion is an entity, such as a file or URL, that you specify as an exception to remediation actions. The excluded entity can still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won't be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
200+
An exclusion is an entity, such as a file or URL, that you specify as an exception to remediation actions. The excluded entity can still get detected, but no remediation actions are taken on that entity. That is, the detected file or process isn't stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
210201

211202
To define exclusions across Microsoft Defender for Endpoint, perform the following tasks:
212203

@@ -216,7 +207,7 @@ To define exclusions across Microsoft Defender for Endpoint, perform the followi
216207

217208
> [!NOTE]
218209
> Microsoft Defender Antivirus exclusions apply only to antivirus protection, not across other Microsoft Defender for Endpoint capabilities. To exclude files broadly, use [custom indicators](indicators-overview.md) for Microsoft Defender for Endpoint and exclusions for Microsoft Defender Antivirus.
219-
> ASR Rules can leverage ASR Rule Exclusions - where the exclusions apply to all ASR Rules; ASR per Rule Exclusions; Defender AV exclusions; as well as allow indicators defined in Custom Indicators.
210+
> ASR Rules can leverage ASR Rule Exclusions where exclusions apply to all ASR Rules, ASR per rule exclusions, Microsoft Defender Antivirus exclusions, and allow indicators defined in Custom Indicators.
220211

221212
The procedures in this section describe how to define indicators and exclusions.
222213
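Review bot: The rewritten ASR note on line 210 flattens four distinct mechanisms into a list that no longer parses: "ASR Rule Exclusions where exclusions apply to all ASR Rules, ASR per rule exclusions, Microsoft Defender Antivirus exclusions, and allow indicators" reads as if global exclusions apply to the other three items. The original distinguished global ASR rule exclusions (applied to all rules) from per-rule exclusions, antivirus exclusions and allow indicators; suggest "ASR rules honor four kinds of exclusions: ASR rule exclusions (which apply to all ASR rules), per-rule ASR exclusions, Microsoft Defender Antivirus exclusions, and allow indicators defined as custom indicators." Also prefer "use" over "leverage" in line with the rest of the article.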

@@ -338,7 +329,7 @@ If something was detected as malware based on behavior, and you don't have a fil
338329

339330
3. Review the guidelines here: [Submit files for analysis](/unified-secops-platform/submission-guide).
340331

341-
4. Visit the [Microsoft Security Intelligence submission site](https://www.microsoft.com/wdsi/filesubmission) (https://www.microsoft.com/wdsi/filesubmission), and submit your .cab files.
332+
4. Visit the [Microsoft Security Intelligence submission site](https://www.microsoft.com/wdsi/filesubmission), and submit your .cab files.
342333

343334
### What happens after a file is submitted?
344335

defender-office-365/TOC.yml

Lines changed: 1 addition & 1 deletion
@@ -81,7 +81,7 @@
8181
items:
8282
- name: Email - user reported settings
8383
href: submissions-user-reported-messages-custom-mailbox.md
84-
- name: Deploy the Report Message and Report Phishing add-ins
84+
- name: Transition from the Report Message and Report Phishing add-ins
8585
href: submissions-users-report-message-add-in-configure.md
8686
- name: Teams - user reported settings
8787
href: submissions-teams.md
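Review bot: The TOC entry on line 84 is renamed from "Deploy" to "Transition from the Report Message and Report Phishing add-ins" while the href still points to submissions-users-report-message-add-in-configure.md; confirm that article's title and opening were updated to match the new wording, otherwise the navigation label and the page heading will disagree.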
