Merge branch 'main' into pr/1892

Author: denisebmsft

ATPDocs/whats-new.md

@@ -22,6 +22,22 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
+## December 2024
+
+### New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
+
+Defender for Identity has added the new **Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)** recommendation in Microsoft Secure Score.
+
+This recommendation directly addresses the recently published [CVE-2024-49019](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49019), which highlights security risks associated with vulnerable AD CS configurations. This security posture assessment lists all vulnerable certificate templates found in customer environments due to unpatched AD CS servers.
+
+The new recommendation is added to other AD CS-related recommendations. Together, these assessments offer security posture reports that surface security issues and severe misconfigurations that post risks to the entire organization, together with related detections.
+
+For more information, see:
+
+- [Security assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)](https://go.microsoft.com/fwlink/?linkid=2296922)
+
+- [Microsoft Defender for Identity's security posture assessments](security-assessment.md)
+
 ## October 2024
 
 ### MDI is expanding coverage with new 10 Identity posture recommendations (preview)
@@ -532,6 +548,7 @@ This version includes improvements and bug fixes for cloud services and the Defe
 
 - [What is Microsoft Defender for Identity?](what-is.md)
 - [Frequently asked questions](technical-faq.yml)
+
 - [Defender for Identity prerequisites](prerequisites.md)
 - [Defender for Identity capacity planning](capacity-planning.md)
 - [Check out the Defender for Identity forum!](<https://aka.ms/MDIcommunity>)

CloudAppSecurityDocs/api-entities.md

@@ -1,7 +1,7 @@
 ---
 title: Entities API
 description: This article provides information about using the Entities API.
-ms.date: 01/29/2023
+ms.date: 11/28/2024
 ms.topic: reference
 ---
 # Entities API
@@ -32,7 +32,7 @@ The following table describes the supported filters:
 | entity | entity pk | eq, neq | Filter entities with specific entities pks. If a user is selected, this filter also returns all of the user's accounts. Example: `[{ "id": "entity-id", "inst": 0 }]` |
 | userGroups |string | eq, neq | Filter entities by their associated group IDs |
 | app | integer | eq, neq | Filter entities using services with the specified SaaS ID for example: 11770 |
-| instance | integer | eq, neq | Filter entities using services with the specified Appstances (SaaS ID and Instance ID), for example: 11770, 1059065 |
+| instance | integer | eq, neq | Filter entities using services with the specified app instances (SaaS ID and Instance ID). For example: 11770, 1059065 |
 | isExternal | boolean | eq | The entity's affiliation. Possible values include:<br /><br />**true**: External<br />**false**: Internal<br />**null**: No value |
 | domain | string | eq, neq, isset, isnotset | The entity's related domain |
 | organization | string | eq, neq, isset, isnotset | Filter entities with the specified organization unit |

CloudAppSecurityDocs/file-filters.md

@@ -11,6 +11,15 @@ To provide data protection, Microsoft Defender for Cloud Apps gives you visibili
 
 > [!IMPORTANT]
 > Starting **September 1, 2024**, we'll be phasing out the **Files** **page** from Microsoft Defender for Cloud Apps. Core functionalities of the Files page will be available on the **Cloud apps > Policies > Policy Management** page. We recommend using the Policy Management page to investigate files and to create, modify, and filter Information Protection policies and Malware files. For more information, see [File policies in Microsoft Defender for Cloud Apps](data-protection-policies.md).
+>
+
+>[!NOTE]
+> **Query Size Limitation in Files Policy Filters and "Edit and Preview Results"**
+>
+> - When creating or editing a file policy, or when using the "Edit and preview results" option, there is a query size limitation. This limitation ensures optimal performance and prevents system overload.
+> - If your query exceeds the allowed size, you may need to refine your criteria or use other filters to fit within the acceptable limits. For example, if the policy involves "collaborators" criteria that includes the group "everyone" or "everyone except external users" it may cause a failure due to  query size limitation.
+> - Please note that if the query exceeds the size limitation, the system will not specify which filter caused the failure.
+
 ## Enable file monitoring
 
 To enable file monitoring for Defender for Cloud Apps, first turn on file monitoring in the **Settings** area. In the Microsoft Defender portal, select **Settings** > **Cloud Apps** > **Information Protection** > **Files** > **Enable file monitoring** > **Save**.

CloudAppSecurityDocs/protect-egnyte.md

@@ -1,7 +1,7 @@
 ---
 title: Protect your Egnyte environment (Preview) | Microsoft Defender for Cloud Apps
 description: Learn how about connecting your Egnyte app to Defender for Cloud Apps using the API connector.
-ms.date: 12/05/2023
+ms.date: 12/12/2024
 ms.topic: how-to
 ---
 # How Defender for Cloud Apps helps protect your Egnyte environment
@@ -77,9 +77,9 @@ This section describes how to connect Microsoft Defender for Cloud Apps to your
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**. Make sure the status of the connected App Connector is **Connected**.
 
 >[!NOTE]
->Microsoft recommends using a short lived access token. Egnyte doesn't currently support short lived tokens. We recommend our customers to refresh the access token every 6 months as a security best practice.
->To refresh the access token, revoke the old token by following [Revoking an oAuth token](https://developers.egnyte.com/docs/read/Public_API_Authentication#Revoking-an-OAuth-Token).
->Once the old token is revoked, reconnect the Egnyte connector by following the process documented above.
+>- Microsoft recommends using a short lived access token. Egnyte doesn't currently support short lived tokens. We recommend our customers to refresh the access token every 6 months as a security best practice. To refresh the access token, revoke the old token by following [Revoking an oAuth token](https://developers.egnyte.com/docs/read/Public_API_Authentication#Revoking-an-OAuth-Token). Once the old token is revoked, reconnect the Egnyte connector by following the process documented above.
+>
+>- Defender for Cloud Apps intentionally provides a lower rate limit than Egnyte's maximum to avoid exceeding the API constraints. For more infomration, see the relevant Egnyte documentation: [Rate limiting](https://developers.egnyte.com/docs/read/Best_Practices) | [Audit Reporting API v2](https://developers.egnyte.com/docs/read/Audit_Reporting_API_V2)
 
 ## Next steps
 

CloudAppSecurityDocs/protect-servicenow.md

@@ -1,7 +1,7 @@
 ---
 title: Protect your ServiceNow environment | Microsoft Defender for Cloud Apps
 description: Learn how about connecting your ServiceNow app to Defender for Cloud Apps using the API connector.
-ms.date: 12/26/2023
+ms.date: 12/12/2024
 ms.topic: how-to
 ---
 
@@ -45,7 +45,8 @@ In Secure Score, select **Recommended actions** and filter by **Product** = **Se
 
 For more information, see:
 -	[Security posture management for SaaS apps](security-saas.md)
--	[Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
+-	[Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score
+)
 
 ## Control ServiceNow with built-in policies and policy templates
 
@@ -154,11 +155,11 @@ For more information, see the [ServiceNow product documentation](https://docs.se
 1. Establish an internal procedure to ensure that the connection remains alive. A couple of days before the expected expiration of the refresh token lifespan.
 Revoke to the old refresh token. We don't recommend keeping old keys for security reasons.
 
-    1. On the ServiceNow pane, search for System OAuth, and then select Manage Tokens.
+    1. On the ServiceNow pane, search for **System OAuth**, and then select **Manage Tokens**.
 
     1. Select the old token from the list according to the OAuth name and expiration date.
 
-    1. Select Revoke Access > Revoke.
+    1. Select **Revoke Access > Revoke**.
       
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**.
 
@@ -181,7 +182,7 @@ Revoke to the old refresh token. We don't recommend keeping old keys for securit
 
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**. Make sure the status of the connected App Connector is **Connected**.
 
-After connecting ServiceNow, you'll receive events for seven days prior to connection.
+After connecting ServiceNow, you'll receive events for 1 hour prior to connection.
 
 ### Legacy ServiceNow connection
 
@@ -210,7 +211,7 @@ To connect ServiceNow with Defender for Cloud Apps, you must have admin-level pe
 
 1. Select **Connect**.
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**. Make sure the status of the connected App Connector is **Connected**.
-After connecting ServiceNow, you'll receive events for seven days prior to connection.
+After connecting ServiceNow, you'll receive events for one hour prior to connection.
 
 If you have any problems connecting the app, see [Troubleshooting App Connectors](troubleshooting-api-connectors-using-error-messages.md).
 

defender-business/mdb-onboard-devices.md

@@ -9,7 +9,7 @@ audience: Admin
 ms.topic: overview
 ms.service: defender-business
 ms.localizationpriority: medium
-ms.date: 06/19/2024
+ms.date: 12/12/2024
 ms.reviewer: efratka, nehabha, muktaagarwal
 f1.keywords: NOCSH
 ms.collection:
@@ -274,7 +274,7 @@ After a device is enrolled in Intune, you can add it to a device group. [Learn m
 ## Servers
 
 > [!NOTE]
-> If you're planning to onboard an instance of Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers). Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers). To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?
+> If you're planning to onboard an instance of Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers). 
 
 Choose the operating system for your server:
 

defender-endpoint/TOC.yml

@@ -137,9 +137,10 @@
             - name: Migrating devices to streamlined method
               href: migrate-devices-streamlined.md
 
-        - name: Onboarding Windows Client
+        - name: Onboard client devices
+          href: onboard-client.md
           items:
-          - name: Onboarding Windows Client overview
+          - name: Onboarding Windows client overview
             href: onboard-windows-client.md
           - name: Defender for Endpoint plug-in for WSL
             href: mde-plugin-wsl.md
@@ -158,7 +159,8 @@
           - name: Onboard previous versions of Windows
             href: onboard-downlevel.md
 
-        - name: Onboarding Windows Server
+        - name: Onboard server devices
+          href: onboard-server.md
           items:
           - name: Onboarding Windows Server overview
             href: onboard-windows-server.md

defender-endpoint/android-configure.md

@@ -37,6 +37,8 @@ For more information about how to set up Defender for Endpoint on Android and Co
 
 > [!NOTE]
 > Defender for Endpoint on Android only supports creating custom indicators for IP addresses and URLs/domains.
+> 
+> Also, alerts for custom indicators are currently not supported for Defender for Endpoint on Android.
 
 Defender for Endpoint on Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Overview of indicators](indicators-overview.md).
 

defender-endpoint/behavior-monitor-macos.md

@@ -1,12 +1,12 @@
 ---
 title: Behavior Monitoring in Microsoft Defender Antivirus on macOS
 description: Behavior Monitoring in Microsoft Defender Antivirus on macOS
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: denisebmsft
+ms.author: deniseb
 manager: deniseb
 ms.service: defender-endpoint
 ms.topic: overview
-ms.date: 05/29/2024
+ms.date: 12/11/2024
 ms.subservice: ngp
 audience: ITPro
 ms.collection:
@@ -35,26 +35,26 @@ f1.keywords: NOCSH
 > [!IMPORTANT]
 > Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
-## Prerequisites
+## Overview of behavior monitoring
 
-- Device is onboarded to Microsoft Defender for Endpoint.
-- [Preview features](/defender-endpoint/preview) is enabled in the Microsoft XDR portal ([https://security.microsoft.com](https://security.microsoft.com)).
-- Device must be in the [Beta channel](/defender-endpoint/mac-updates) (formerly InsiderFast).
-- Minimal Microsoft Defender for Endpoint version number must be Beta (Insiders-Fast): 101.24042.0002 or newer. Version number refers to the **app_version** (also known as **Platform update**).
-- Ensure that Real-Time Protection (RTP) is enabled.
-- Ensure [cloud-delivered protection](/defender-endpoint/mac-preferences) is enabled.
-- Device must be explicitly enrolled into the preview.
+Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them.
 
-## Overview
+## Prerequisites
 
-Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them.
+- The device must be onboarded to Microsoft Defender for Endpoint.
+- [Preview features](/defender-endpoint/preview) must be enabled in the [Microsoft Defender portal](https://security.microsoft.com).
+- The device must be in the [Beta channel](/defender-endpoint/mac-updates) (formerly `InsiderFast`). 
+- The minimum Microsoft Defender for Endpoint version number must be Beta (Insiders-Fast): [101.24042.0002](/defender-endpoint/mac-whatsnew#may-2024-build-101240420008---release-version-2012404280) or newer. The version number refers to the `app_version` (also known as **Platform update**).
+- Real-time protection (RTP) must be enabled.
+- [Cloud-delivered protection](/defender-endpoint/mac-preferences) must be enabled.
+- The device must be explicitly enrolled in the preview program.
 
-## Deployment instructions
+## Deployment instructions for behavior monitoring
 
 To deploy behavior monitoring in Microsoft Defender for Endpoint on macOS, you must change the behavior monitoring policy using one of the following methods:
 
 - [Intune](#intune-deployment)
-- [JamF or other 3<sup>rd</sup> party MDM](#via-jamf-deployment)
+- [JamF or other non-Microsoft MDM](#jamf-deployment)
 - [Manually](#manual-deployment)
 
 The following sections describe each of these methods in detail.
@@ -148,7 +148,7 @@ The following sections describe each of these methods in detail.
 
 8. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices or to a Device Group or User Group.**
 
-#### Via JamF deployment
+#### JamF deployment
 
 1. Copy the following XML to create a _.plist_ file and save it as **Save as BehaviorMonitoring_for_MDE_on_macOS.plist**
 
@@ -209,19 +209,82 @@ For more information, see: [Resources for Microsoft Defender for Endpoint on mac
 
 See [Behavior Monitoring demonstration](demonstration-behavior-monitoring.md).
 
-### Verifying Behavior Monitoring detection
+### Verifying behavior monitoring detections
 
 The existing Microsoft Defender for Endpoint on macOS command line interface can be used to review behavior monitoring details and artifacts.
 
 ```bash
+
 sudo mdatp threat list
+
 ```
 
 ### Frequently Asked Questions (FAQ)
 
 #### What if I see an increase in cpu utilization or memory utilization?
 
-Disable Behavior Monitoring and see if the issue goes away.
+Disable behavior monitoring and see if the issue goes away.
+
+- If the issue doesn't go away, it isn't related to behavior monitoring.
+- If the issue goes away, download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer), and then contact Microsoft support.
+
+## Network real-time inspection for macOS
+
+> [!IMPORTANT]
+> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The network real-time inspection (NRI) for macOS feature enhances real-time protection (RTP) by using [behavior monitoring](behavior-monitor-macos.md) in concert with file, process, and other events to detect suspicious activity. Behavior monitoring triggers both telemetry and sample submissions on suspicious files for Microsoft to analyze from the cloud protection backend, and is delivered to the client device, resulting in a removal of the threat.
+
+### Is there an impact on performance?
+
+NRI should have a low impact on network performance. Instead of holding the connection and blocking, NRI makes a copy of the packet as it crosses the network, and NRI performs an asynchronous inspection.
 
-- If the issue doesn't go away, it is not related to Behavior Monitoring.
-- If the issue goes away, take an aka.ms/xMDEClientAnalyzer and contact Microsoft support.
+> [!NOTE]
+> When network real-time inspection (NRI) for macOS is enabled, you might see a slight increase in memory utilization. 
+
+### Requirements for NRI for macOS
+
+- The device must be onboarded to Microsoft Defender for Endpoint.
+- Preview features must be turned on in the [Microsoft Defender portal](https://security.microsoft.com).
+- The device must be in the Beta channel (formerly `InsiderFast`).
+- The minimum version number for Defender for Endpoint version number must be Beta (Insiders-Fast): [101.24092.0004](/defender-endpoint/mac-whatsnew#oct-2024-build-101240920004---release-version-2012409240) or newer. The version number refers to the `app version` (also known as Platform update).
+- Real-time protection must be enabled.
+- Behavior monitoring must be enabled.
+- Cloud-delivered protection must be enabled.
+- The device must be explicitly enrolled into the preview.
+
+### Deployment instructions for NRI for macOS
+
+1. E-mail us at `[email protected]` with information about your Microsoft Defender for Endpoint OrgID where you would like to have network real-time inspection (NRI) for macOS enabled. 
+
+   > [!IMPORTANT]
+   > In order to evaluate NRI for macOS, send email to `[email protected]`. Include your Defender for Endpoint Org ID. We're enabling this feature on a per-request basis for each tenant.
+ 
+2. Enable behavior monitoring if it's not already enabled:
+
+   ```Bash
+
+   sudo mdatp config behavior-monitoring --value enabled
+   
+   ```
+ 
+3. Enable network protection in block mode:
+
+   ```Bash
+
+   sudo mdatp config network-protection enforcement-level --value block
+   
+   ```
+
+1. Enable network real-time inspection (NRI):
+
+   ```Bash
+   
+   sudo mdatp network-protection remote-settings-override set --value "{\"enableNriMpengineMetadata\" : true}"
+   
+   
+   ```
+   
+   > [!NOTE]
+   > While in Public Preview, since the setting is set via a command line, network real-time inspection (NRI) will not persist reboots. You will need to re-enable it.
+