Merge branch 'main' into Bulk-chrisda

chrisda · chrisda · commit 8acae39bbebd · 2024-07-25T09:59:05.000-07:00
diff --git a/defender-business/mdb-asr.md b/defender-business/mdb-asr.md
@@ -4,7 +4,7 @@ description: Get an overview of attack surface reduction capabilities, including
 author: siosulli
 ms.author: siosulli
 manager: deniseb 
-ms.date: 06/07/2024
+ms.date: 07/23/2024
 ms.topic: conceptual
 ms.service: defender-business
 ms.localizationpriority: medium 
@@ -23,9 +23,6 @@ Your attack surfaces are all the places and ways that your organization's networ
 
 To help protect your network and devices, Microsoft Defender for Business includes several attack surface reduction capabilities, including attack surface reduction rules. This article describes how to set up your attack surface reduction rules and describes attack surface reduction capabilities.
 
-> [!NOTE]
-> Intune is not included in the standalone version of Defender for Business, but it can be added on.
-
 ## Standard protection ASR rules
 
 There are lots of attack surface reduction rules available. You don't have to set them all up at once. And, you can set up some rules in audit mode just to see how they work for your organization, and change them to work in block mode later. That said, we recommend enabling the following standard protection rules as soon as possible:
diff --git a/defender-business/mdb-mtd.md b/defender-business/mdb-mtd.md
@@ -4,7 +4,7 @@ description: Get an overview of mobile threat defense in Defender for Business.
 author: siosulli
 ms.author: siosulli
 manager: deniseb 
-ms.date: 06/19/2024
+ms.date: 07/23/2024
 ms.topic: conceptual
 ms.service: defender-business
 ms.localizationpriority: medium 
@@ -37,17 +37,17 @@ The following table summarizes the capabilities that are included in mobile thre
 | **Microsoft Defender Vulnerability Management**<br/>Vulnerability assessment of onboarded mobile devices. Includes vulnerability assessments for operating systems and apps for Android and iOS. <br/>See [Use your vulnerability management dashboard in Microsoft Defender for Business](mdb-view-tvm-dashboard.md). | :::image type="content" source="/defender/media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: |  See note 1 (below) |
 | **Network Protection** <br/>Protection against rogue Wi-Fi related threats and rogue certificates. <br/>Network protection is turned on by default with [next-generation protection](mdb-next-generation-protection.md). <br/>As part of mobile threat defense, network protection also includes the ability to allow root certification authority and private root certification authority certificates in Intune. It also establishes trust with endpoints. | See note 2 (below) | See note 2 (below) |
 | **Unified alerting** <br/>Alerts from all platforms are listed in the unified Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, choose **Incidents**). <br/>See [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md) | :::image type="content" source="/defender/media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: | :::image type="content" source="/defender/media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: |
-| **Conditional Access** and **conditional launch** <br/>[Conditional Access](/mem/intune/protect/conditional-access) and [conditional launch](/mem/intune/apps/app-protection-policies-access-actions) block risky devices from accessing corporate resources.<br/>-  Conditional Access policies require certain criteria to be met before a user can access company data on their mobile device. <br/>- Conditional launch policies enable your security team to block access or wipe devices that don't meet certain criteria.<br/>Defender for Business risk signals can also be added to app protection policies. | Requires Intune  | Requires Intune |
+| **Conditional Access** and **conditional launch** <br/>[Conditional Access](/mem/intune/protect/conditional-access) and [conditional launch](/mem/intune/apps/app-protection-policies-access-actions) block risky devices from accessing corporate resources.<br/>-  Conditional Access policies require certain criteria to be met before a user can access company data on their mobile device. <br/>- Conditional launch policies enable your security team to block access or wipe devices that don't meet certain criteria.<br/>- Defender for Business risk signals can also be added to app protection policies. | Requires Intune  | Requires Intune |
 | **Privacy controls** <br/>Configure privacy in threat reports by controlling the data sent by Defender for Business. Privacy controls are available for admin and end users, and for both enrolled and unenrolled devices. | Requires Intune | Requires Intune |
 | **Integration with Microsoft Tunnel** <br/>Integration with [Microsoft Tunnel](/mem/intune/protect/microsoft-tunnel-overview), a VPN gateway solution for Intune. | Requires Intune VPN Tunnel <br/>(see note 3 below) | Requires Intune VPN Tunnel <br/>(see note 3 below) |
 
 > [!NOTE]
-> 1. Intune is required for software/app vulnerabilities to be reported. Operating system vulnerabilities are included by default.
+> 1. Intune is used for software/app vulnerabilities to be reported. Operating system vulnerabilities are included by default.
 > 
-> 2. Intune is required to configure or manage an allow list of root certification authority and private root certification authority certificates.
+> 1. Use Intune to configure or manage an allow list of root certification authority and private root certification authority certificates.
 > 
 > 3. See [Prerequisites for the Microsoft Tunnel in Intune](/mem/intune/protect/microsoft-tunnel-prerequisites).
->
+
 
 ## How to get mobile threat defense capabilities
 
diff --git a/defender-office-365/anti-phishing-policies-about.md b/defender-office-365/anti-phishing-policies-about.md
@@ -17,7 +17,7 @@ ms.custom:
 description: Admins can learn about the anti-phishing policies that are available in Exchange Online Protection (EOP) and Microsoft Defender for Office 365.
 ms.service: defender-office-365
 search.appverid: met150
-ms.date: 5/10/2024
+ms.date: 07/24/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -226,6 +226,9 @@ An impersonated domain might otherwise be considered legitimate (the domain is r
 
 The impersonation settings described in the following sections are available only in anti-phishing policies in Defender for Office 365.
 
+> [!TIP]
+> Details about detected impersonation attempts are available in the impersonation insight. For more information, see [Impersonation insight in Defender for Office 365](anti-phishing-mdo-impersonation-insight.md).
+
 #### User impersonation protection
 
 User impersonation protection prevents specific internal or external email addresses from being impersonated **as message senders**. For example, you receive an email message from the Vice President of your company asking you to send her some internal company information. Would you do it? Many people would send the reply without thinking.
diff --git a/defender-office-365/anti-phishing-protection-about.md b/defender-office-365/anti-phishing-protection-about.md
@@ -18,7 +18,7 @@ ms.custom:
   - TopSMBIssues
 description: Admins can learn about the anti-phishing protection features in Exchange Online Protection (EOP) and Microsoft Defender for Office 365.
 ms.service: defender-office-365
-ms.date: 7/5/2023
+ms.date: 07/24/2023
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -59,7 +59,10 @@ Microsoft 365 organizations with mailboxes in Exchange Online or standalone EOP
 
 Microsoft Defender for Office 365 contains additional and more advanced anti-phishing features:
 
-- **Anti-phishing policies in Microsoft Defender for Office 365**: Configure impersonation protection settings for specific message senders and sender domains, mailbox intelligence settings, and adjustable advanced phishing thresholds. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md). For more information about the differences between anti-phishing policies in EOP and anti-phishing policies in Defender for Office 365, see [Anti-phishing policies in Microsoft 365](anti-phishing-policies-about.md).
+- **Anti-phishing policies in Microsoft Defender for Office 365**:
+  - Configure impersonation protection settings for specific message senders and sender domains, mailbox intelligence settings, and adjustable advanced phishing thresholds. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md).
+  - Details about detected impersonation attempts are available in the impersonation insight. For more information, see [Impersonation insight in Defender for Office 365](anti-phishing-mdo-impersonation-insight.md).
+  - For more information about the differences between anti-phishing policies in EOP and anti-phishing policies in Defender for Office 365, see [Anti-phishing policies in Microsoft 365](anti-phishing-policies-about.md).
 - **Campaign Views**: Machine learning and other heuristics identify and analyze messages that are involved in coordinated phishing attacks against the entire service and your organization. For more information, see [Campaign Views in Microsoft Defender for Office 365](campaigns.md).
 - **Attack simulation training**: Admins can create fake phishing messages and send them to internal users as an education tool. For more information, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
 
diff --git a/defender-office-365/mdo-about.md b/defender-office-365/mdo-about.md
@@ -22,7 +22,7 @@ ms.custom:
 description: Is Microsoft Defender for Office 365 worth it? Let's find out.
 ms.service: defender-office-365
 adobe-target: true
-ms.date: 5/7/2024
+ms.date: 07/24/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -105,7 +105,7 @@ The additional features that you get in **Defender for Office 365 Plan 1** on to
 
 |Prevent/Detect|Investigate|Respond|
 |---|---|---|
-|<ul><li>The following [additional features in anti-phishing policies](anti-phishing-protection-about.md#additional-anti-phishing-protection-in-microsoft-defender-for-office-365): <ul><li>User and domain impersonation protection</li><li>Mailbox intelligence impersonation protection (contact graph)</li><li>Advanced phishing thresholds</li></ul></li><li>[Safe Attachments in email](safe-attachments-about.md)</li><li>[Safe Attachments for files in SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li><li>[Safe Links in email, Office clients, and Teams](safe-links-about.md)</li><li>Email & collaboration alerts at <https://security.microsoft.com/viewalertsv2><li>SIEM integration API for **alerts**</li></ul>|<ul><li>[Real-time detections](threat-explorer-real-time-detections-about.md)<sup>\*</sup></li><li>[The Email entity page](mdo-email-entity-page.md)</li><li>SIEM integration API for **detections**</li><li>[URL trace](/defender-endpoint/investigate-domain)</li><li>[Defender for Office 365 reports](reports-defender-for-office-365.md)</li></ul>|<ul><li>Same</li></ul>|
+|<ul><li>The following [additional features in anti-phishing policies](anti-phishing-protection-about.md#additional-anti-phishing-protection-in-microsoft-defender-for-office-365), including the [impersonation insight](anti-phishing-mdo-impersonation-insight.md): <ul><li>User and domain impersonation protection</li><li>Mailbox intelligence impersonation protection (contact graph)</li><li>Advanced phishing thresholds</li></ul></li><li>[Safe Attachments in email](safe-attachments-about.md)</li><li>[Safe Attachments for files in SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li><li>[Safe Links in email, Office clients, and Teams](safe-links-about.md)</li><li>Email & collaboration alerts at <https://security.microsoft.com/viewalertsv2><li>SIEM integration API for **alerts**</li></ul>|<ul><li>[Real-time detections](threat-explorer-real-time-detections-about.md)<sup>\*</sup></li><li>[The Email entity page](mdo-email-entity-page.md)</li><li>SIEM integration API for **detections**</li><li>[URL trace](/defender-endpoint/investigate-domain)</li><li>[Defender for Office 365 reports](reports-defender-for-office-365.md)</li></ul>|<ul><li>Same</li></ul>|
 
 <sup>\*</sup> The presence of **Email & collaboration** \> **Real-time detections** in the Microsoft Defender portal is a quick way to differentiate between Defender for Office 365 Plan 1 and Plan 2.
 
diff --git a/defender-xdr/manage-incidents.md b/defender-xdr/manage-incidents.md
@@ -104,9 +104,17 @@ You can then save the resulting URL in your browser as a bookmark to quickly see
 
 ## Resolve an incident
 
-Select **Resolve incident** to move the toggle to the right when an incident is remediated. Resolving an incident also resolves all the linked and active alerts related to the incident.
+When an incident is remediated and resolved, select **Resolved** from the **Status** drop-down list. Resolving an incident also resolves all the linked and active alerts related to the incident.
 
-An incident that isn't resolved displays as **Active**.
+When you change an incident's status to **Resolved**, a new field is displayed immediately following the **Status** field. Enter a note in this field that explains why you consider the incident resolved.
+
+:::image type="content" source="/defender/media/incidents-queue/resolve-incidents.png" alt-text="Screenshot of incident management panel with incident resolution note.":::
+
+This note is visible in the activity log of the incident, near the entry recording the incident's resolution.
+
+:::image type="content" source="/defender/media/incidents-queue/resolution-note-in-log.png" alt-text="Screenshot of appearance of resolution note in the activity log.":::
+
+Resolving an incident also resolves all the linked and active alerts related to the incident. An incident that isn't resolved displays as **Active**.
 
 ## Specify the classification
 
diff --git a/defender/media/incidents-queue/resolution-note-in-log.png b/defender/media/incidents-queue/resolution-note-in-log.png
diff --git a/defender/media/incidents-queue/resolve-incidents.png b/defender/media/incidents-queue/resolve-incidents.png
