Merge branch 'main' into mde-sap

Author: denisebmsft

defender-vulnerability-management/fixed-reported-inaccuracies.md

@@ -14,7 +14,7 @@ ms.collection:
 - tier2
 ms.localizationpriority: medium
 ms.topic: troubleshooting
-ms.date: 05/02/2025
+ms.date: 05/20/2025
 ---
 
 # Vulnerability support in Microsoft Defender Vulnerability Management
@@ -33,6 +33,12 @@ This article provides information on inaccuracies that have been reported. You c
  
 The following tables present the relevant vulnerability information organized by month.
 
+## May 2025
+
+| Inaccuracy report ID | Description | Fix date |
+|---|---|---|
+| 92212 | Fixed inaccuracy in NetData vulnerabilities- CVE-2019-9834, CVE-2023-22496, CVE-2023-22497 & CVE-2024-32019 | 18-May-25 |
+
 ## April 2025
 
 | Inaccuracy report ID | Description | Fix date |
@@ -44,9 +50,13 @@ The following tables present the relevant vulnerability information organized by
 | 92184 | Fixed inaccurate detections in Amazon Send to Kindle | 23-Apr-25 |
 | 91112 | Fixed incorrect detections in Vendor- Jabra | 23-Apr-25 |
 | 88590 | Fixed incorrect detections in Vendor- PDF Exchange Editor | 23-Apr-25 |
+| 90101 | Fixed bad detections in Vendor- JetBrains | 23-Apr-25 |
 | - | Fixed inaccuracy in Mattermost Desktop vulnerability- CVE-2023-5920 | 24-Apr-25 |
 | - | Fixed inaccuracy in OpenSSL vulnerabilities- CVE-2024-9143, CVE-2024-13176 & CVE-2024-12797 | 24-Apr-25 |
 | 94679 | Fixed inaccuracy in Secure Client by adding 1.0 as invalid version | 29-Apr-25 |
+| - | Fixed inaccuracy in VMware Tools vulnerabilities- CVE-2025-31334 & CVE-2024-33899 | 29-Apr-25 |
+| 94769 | Fixed inaccuracy in Micro Focus Operations Agent vulnerability- CVE-2024-0622 | 30-Apr-25 |
+| 96209 | Fixed inaccuracy in AnyDesk vulnerability- CVE-2024-52940 | 30-Apr-25 |
 
 ## March 2025
 

defender-xdr/advanced-hunting-cloudappevents-table.md

@@ -30,13 +30,13 @@ ms.date: 05/15/2025
 
 The `CloudAppEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about events involving accounts and objects in Office 365 and other [cloud apps and services](#apps-and-services-covered). Use this reference to construct queries that return information from this table.
 
-## Get access
+## Prerequisites
 
 To make sure the `CloudAppEvents` data is populated:
 
 1.  Go to the Defender portal and select **Settings > Cloud apps > App connectors**.
 
-1.  In the Microsoft 365 connector portal, select the **Pull activities** checkbox.
+1.  In the **Select Microsoft 365 components** page, select the **Microsoft 365 activities** checkbox.
 
  For detailed instructions, see: [Connect Microsoft 365 to Microsoft Defender for Cloud Apps](/defender-cloud-apps/protect-office-365#prerequisites)
 

defender-xdr/advanced-hunting-cloudauditevents-table.md

@@ -17,24 +17,26 @@ ms.collection:
 ms.custom: 
 - cx-ti
 - cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 12/29/2023
+ms.date: 05/20/2025
 ---
 
 # CloudAuditEvents (Preview)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- Microsoft Defender XDR
-
 
 
 The `CloudAuditEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about cloud audit events for various cloud platforms protected by the organization's [Microsoft Defender for Cloud](/azure/defender-for-cloud/concept-integration-365#advanced-hunting-in-xdr). Use this reference to construct queries that return information from this table.
 
 > [!IMPORTANT]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
+This advanced hunting table is populated by records from Microsoft Defender for Cloud. If your organization doesn't have Microsoft Defender for Cloud, queries that use the table aren’t going to work or return any results. For more information about prerequisites in integrating Defender for Cloud with Defender XDR, read [Microsoft Defender XDR integration](/azure/defender-for-cloud/concept-integration-365).
+
 For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
 
 | Column name | Data type | Description |

defender-xdr/advanced-hunting-cloudprocessevents-table.md

@@ -17,22 +17,27 @@ ms.collection:
 ms.custom: 
 - cx-ti
 - cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 11/11/2024
+ms.date: 05/20/2025
 ---
 
 # CloudProcessEvents (Preview)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- Microsoft Defender XDR
+
 
 The `CloudProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process events in multicloud hosted environments such as Azure Kubernetes Service, Amazon Elastic Kubernetes Service, and Google Kubernetes Engine as protected by the organization's [Microsoft Defender for Cloud](/azure/defender-for-cloud/concept-integration-365#advanced-hunting-in-xdr). Use this reference to construct queries that return information from this table.
 
 > [!IMPORTANT]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
+This advanced hunting table is populated by records from Microsoft Defender for Cloud. If your organization doesn't have Microsoft Defender for Cloud, queries that use the table aren’t going to work or return any results. For more information about prerequisites in integrating Defender for Cloud with Defender XDR, read [Microsoft Defender XDR integration](/azure/defender-for-cloud/concept-integration-365).
+
+
 For information on other tables in the advanced hunting schema, see the [advanced hunting reference](advanced-hunting-schema-tables.md).
 
 | Column name | Data type | Description |

defender-xdr/advanced-hunting-oauthappinfo-table.md

@@ -34,7 +34,14 @@ The `OAuthAppInfo` table in the advanced hunting schema contains information abo
 
 The `OAuthAppInfo` table might not include all the app or service principal-related properties that are available on Entra ID. It also does not include data related to Microsoft first-party apps or apps without any OAuth consents. The coverage of the table is based on the existing scope of Microsoft 365-connected apps covered by app governance. 
 
+## Prerequisities
 
+This advanced hunting table is populated by app governance records from Microsoft Defender for Cloud Apps. To turn on app governance, follow the steps in [Turn on app governance](/defender-cloud-apps/app-governance-get-started).
+
+If your organization hasn’t deployed Microsoft Defender for Cloud Apps in Microsoft Defender XDR or turned on app governance, queries that use the table aren’t going to work or return any results.
+
+
+## Schema
 For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md).
 
 | Column name | Data type | Description |

defender/index.yml

@@ -185,8 +185,8 @@ conceptualContent:
            text: See more
            url: /defender-for-iot/    
 
-        - title: Microsoft's unified security operations platform
-          summary: End-to-end SecOps with Microsoft Sentinel
+        - title: Microsoft Sentinel
+          summary: End-to-end security operations
           links:
           - url: /unified-secops-platform/overview-unified-security
             itemType: overview

exposure-management/get-started-exposure-management.md

@@ -19,6 +19,10 @@ On the Exposure Management > **Overview** dashboard, you can review the overall
 
 Use the dashboard as a starting point for a snapshot of organizational posture and exposure, and drill down to details as needed.
 
+You can filter the list of affected devices based on their scope, ensuring that data presentation is aligned with your specific needs. The filter selection persists even when switching between Exposure Management experiences, allowing you to maintain you preferred view and focus on specific devices without reapplying filters.
+
+Initiative scores will reflect the selected scope, whether defined by the admin or adjusted by the end user, ensuring users see accurate and relevant scores based on their access scope.
+
 :::image type="content" source="./media/get-started-exposure-management/exposure-management-overview.png" alt-text="Screenshot of the security exposure management overview page." lightbox="./media/get-started-exposure-management/exposure-management-overview.png":::
 
 ## Connecting your external security and asset management products

exposure-management/initiatives.md

@@ -1,12 +1,13 @@
 ---
-title: Review security initiatives in Microsoft Security Exposure Management
-description: Learn how to work with security Initiatives in Microsoft Security Exposure Management.
+title: Review security initiatives in Security Exposure Management
+description: Learn how to effectively manage and track security initiatives using Microsoft Security Exposure Management to improve your organization's security posture.
+#customer intent: As a security administrator, I want to understand and manage security initiatives so that I can improve my organization's security posture.
 ms.author: dlanger
 author: dlanger
-manager: rayne-wiselman
-ms.topic: overview
+manager: ornat-spodek
+ms.topic: how-to
 ms.service: exposure-management
-ms.date: 11/04/2024
+ms.date: 05/04/2025
 ---
 
 # Review security initiatives
@@ -21,24 +22,37 @@ ms.date: 11/04/2024
 
 ## View initiatives page
 
+The initiatives page provides detailed insights into your security initiatives and their progress.
+
+> [!NOTE]
+> All information shown on the Initiative pages that is related to Endpoints data is based on the user's scope. This includes, initiative scores, metrics progress, and history reasoning.
+
 1. Navigate to the [Microsoft Defender portal](https://security.microsoft.com/).
 
-1. From the Exposure management section on the navigation bar, select **Exposure insights -> Initiatives** to open the [initiatives](https://security.microsoft.com/exposure-initiatives) page.
+2. From the Exposure management section on the navigation bar, select **Exposure insights -> Initiatives** to open the [initiatives](https://security.microsoft.com/exposure-initiatives) page.
 
     :::image type="content" source="./media/initiatives/initiatives-window.png" alt-text="Screenshot of the Security Exposure Management Initiatives window.":::
 
-1. At the top of the initiatives page, review the highlighted key initiatives by scrolling and drilling down per your needs.
+3. Use the **Filter by device groups** positioned at the top right corner to refine the filter.
+
+:::image type="content" source="media/initiatives/filter-by-dg.png" alt-text="Screenshot of device group filter":::
+
+4. Choose the device groups relevant for you, and the iniatives data will be recalculated (only when related to Endpoints data).
 
-1. To set an initiative to appear in the top initiative bar in the dashboard or on the initiatives page, select the **star** icon in the initiatives window or **Mark as favorite** in the individual initiative.
+:::image type="content" source="media/initiatives/filter-by-dg-pane.png" alt-text="Screenshot of the filter by device groups side pane.":::
 
-1. You can review the following information for all initiatives:
+5. At the top of the initiatives page, review the highlighted key initiatives by scrolling and drilling down per your needs.
+
+6. To set an initiative to appear in the top initiative bar in the dashboard or on the initiatives page, select the **star** icon in the initiatives window or **Mark as favorite** in the individual initiative.
+
+7. You can review the following information for all initiatives:
     - **14 day change trend graph** highlighting how the initiative score changes over the past 14 days
     - **Initiative name**
     - **Favorite** indicator (toggle on/off) to display in the key initiatives banner
     - **Current score** of the initiative
     - **Programs** or workloads contributing to or required by this initiative
 
-1. Select an initiative to open the small overview and then select **Open initiative page** to review or remediate issues. The initiative page includes additional information including:
+8. Select an initiative to open the small overview and then select **Open initiative page** to review or remediate issues. The initiative page includes additional information including:
     - Your target score for the initiative
     - A means to set a custom target score appropriate to your organization's needs
     - Description
@@ -67,7 +81,7 @@ The changes in your score provide you with useful feedback about how well you're
 
 ## Check history
 
-1. Select an initiative to open the small overview and then select **Open initiative page-> History** to view changes over time.
+1. Select an initiative to open the small overview and then select **Open initiative page-> History** to view changes over time. 
 
 1. Browse to the time table to choose a specific time point to examine.
     1. If needed, filter for specific time points.
@@ -81,6 +95,7 @@ The changes in your score provide you with useful feedback about how well you're
 
 1. To review metrics associated with your initiative, select **Exposure insights -> Initiatives-> Security metrics**.
 1. Sort by heading, as needed.
+
 1. Select **Exposure insights -> Initiatives-> Security recommendations** to view recommendations related to your initiative.
 
     You only see those recommendations that are *currently* applied to assets and active in Microsoft Secure Score or Microsoft Defender for Cloud.