Merge branch 'main' into docs-editor/troubleshoot-av-performance-is-1736179983

Author: denisebmsft

.openpublishing.redirection.defender-endpoint.json

@@ -1,5 +1,10 @@
 {
   "redirections": [
+    {
+      "source_path": "defender-endpoint/configure-microsoft-threat-experts.md",
+      "redirect_url": "/defender-xdr/defender-experts-for-hunting",
+      "redirect_document_id": false
+    },    
     {
       "source_path": "defender-endpoint/microsoft-defender-antivirus-using-mde-security-set-mngmnt.md",
       "redirect_url": "/defender-endpoint/evaluate-mdav-using-gp",

CloudAppSecurityDocs/network-requirements.md

@@ -11,6 +11,15 @@ ms.topic: reference
 
 This article provides a list of ports and IP addresses you need to allow and allowlist to work with Microsoft Defender for Cloud Apps.
 
+In order to stay up to date on IP ranges, it's recommended to refer to the following Azure service tags for Microsoft Defender for Cloud Apps services. The latest IP ranges are found in the service tag. For more information, see [Azure IP ranges](https://azureipranges.azurewebsites.net/).
+
+| Service tag name    |    Defender for Cloud Apps services included   |
+|:---|:---|
+| MicrosoftCloudAppSecurity | Portal access, Access and session controls, SIEM agent connection, App connector, Mail server, Log collector. |
+
+The following tables list the current static IP ranges covered by the MicrosoftCloudAppSecurity service tag. For latest list, refer to the [Azure service tags](/azure/virtual-network/service-tags-overview) documentation.
+
+
 ## View your data center
 
 Some of the requirements below depend on which data center you're connected to.

defender-endpoint/TOC.yml

@@ -938,6 +938,11 @@
             href: troubleshoot-av-performance-issues-with-wprui.md
             displayName: Troubleshoot antivirus performance issues with WPRUI windows
               performance recorder UI WPR windows performance recorder
+          - name: Troubleshoot Microsoft Defender Antivirus performance issues with Process
+              Monitor
+            href: troubleshoot-av-performance-issues-with-procmon.md
+            displayName: Troubleshoot Microsoft Defender Antivirus MDAV performance perf
+              issues with Process Monitor ProcMon
         - name: Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
           href: troubleshoot-microsoft-defender-antivirus.yml
         - name: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution

defender-endpoint/adv-tech-of-mdav.md

@@ -1,8 +1,9 @@
 ---
 title: Advanced technologies at the core of Microsoft Defender Antivirus
 description: Microsoft Defender Antivirus engines and advanced technologies
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: emmwalshh
+ms.author: ewalsh
+ms.reviewer: yongrhee
 manager: deniseb
 ms.service: defender-endpoint
 ms.topic: overview

defender-endpoint/amsi-on-mdav.md

@@ -1,8 +1,8 @@
 ---
 title: "Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus"
 description: Describes fileless malware and how Microsoft Defender Antivirus uses AMSI to protect against hidden threats.
-author: denisebmsft
-ms.author: deniseb
+author: emmwalshh
+ms.author: ewalsh
 manager: deniseb
 ms.reviewer: yongrhee
 ms.date: 12/05/2024

defender-endpoint/analyzer-feedback.md

@@ -4,8 +4,9 @@ description: Provide feedback on the Microsoft Defender for Endpoint client anal
 ms.service: defender-endpoint
 f1.keywords:
 - NOCSH
-ms.author: deniseb
-author: denisebmsft
+ms.author: ewalsh
+author: emmwalshh
+ms.reviewer: yongrhee
 ms.localizationpriority: medium
 manager: deniseb
 audience: ITPro

defender-endpoint/api/export-firmware-hardware-assessment.md

@@ -15,7 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 11/24/2022
+ms.date: 01/08/2025
 ---
 
 # Export Hardware and firmware assessment inventory per device
@@ -153,39 +153,31 @@ Delegated (work or school account)|Software.Read|'Read Threat and Vulnerability
 GET /api/machines/HardwareFirmwareInventoryExport
 ```
 
-### 2.4 Parameters
-
-- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours).
-
-### 2.5 Properties (JSON response)
+### 2.4 Properties (JSON response)
 
 > [!NOTE]
-> The files are gzip compressed & in multiline Json format.
->
-> The download URLs are only valid for 3 hours; otherwise, you can use the parameter.
->
-> To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
 >
-> Each record is approximately 1KB of data. You should take this into account when choosing the pageSize parameter that works for you.
->
-> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
+> - The files are gzip compressed & in multiline Json format.
+> - The download URLs are only valid for 1 hour.
+> - To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
+> - Each record is approximately 1KB of data. You should take this into account when choosing the pageSize parameter that works for you.
+> - Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
 
 Property (ID)|Data type|Description
 :---|:---|:---
 |Export files|String[array]|A list of download URLs for files holding the current snapshot of the organization.
 |GeneratedTime|DateTime|The time the export was generated.
 
 
+## 2.5 Examples
 
-## 2.6 Example
-
-### 2.6.1 Request example
+### 2.5.1 Request example
 
 ```http
 GET https://api.security.microsoft.com/api/machines/HardwareFirmwareInventoryExport
 ```
 
-### 2.6.2 Response example
+### 2.5.2 Response example
 
 ```json
     {

defender-endpoint/api/export-security-baseline-assessment.md

@@ -15,7 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 05/02/2022
+ms.date: 01/08/2025
 ---
 
 # Export security baselines assessment per device
@@ -158,35 +158,29 @@ Returns all security baselines assessments for all devices, on a per-device basi
 GET /api/machines/BaselineComplianceAssessmentExport
 ```
 
-### 2.4 Parameters
-
-- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours).
-
-### 2.5 Properties (via files)
+### 2.4 Properties (via files)
 
 > [!NOTE]
-> The files are gzip compressed & in multiline Json format.
->
-> The download URLs are only valid for 3 hours; otherwise you can use the parameter.
->
-> To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
->
-> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
+> 
+> - The files are gzip compressed & in multiline Json format.
+> - The download URLs are only valid for 1 hours.
+> - To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
+> - Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
 
 Property (ID)|Data type|Description
 :---|:---|:---
 |Export files|array[string]|A list of download URLs for files holding the current snapshot of the organization.
 |GeneratedTime|String|The time that the export was generated.
 
-## 2.6 Example
+## 2.5 Examples
 
-### 2.6.1 Request example
+### 2.5.1 Request example
 
 ```http
 GET https://api.securitycenter.microsoft.com/api/machines/BaselineComplianceAssessmentExport
 ```
 
-### 2.6.2 Response example
+### 2.5.2 Response example
 
 ```json
 {

defender-endpoint/api/get-assessment-browser-extensions.md

@@ -15,7 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 06/01/2022
+ms.date: 01/08/2025
 ---
 
 # Export browser extensions assessment per device
@@ -39,7 +39,7 @@ Different API calls get different types of data. Because the amount of data can
 
 - [Export browser extensions assessment **JSON response**](#1-export-browser-extensions-assessment-json-response) The API pulls all data in your organization as Json responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
 
-- [Export browser extensions assessment **via files**](#2-export-browser-extension-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. So, it's recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+- [Export browser extensions assessment **via files**](#2-export-browser-extension-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. This is recommended for large organizations with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
   - Call the API to get a list of download URLs with all your organization data.
   - Download all the files using the download URLs and process the data as you like.
 
@@ -57,7 +57,7 @@ This API response contains all the data for installed browser extensions per dev
 #### 1.1.1 Limitations
 
 - Maximum page size is 200,000.
-- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
+- Rate limitations for this API are 30 calls per minute and 1,000 calls per hour.
 
 ### 1.2 Permissions
 
@@ -83,11 +83,11 @@ GET /api/Machines/BrowserExtensionsInventoryByMachine
 
 > [!NOTE]
 >
-> - Each record is approximately 0.5KB of data. You should take this into account when choosing the correct pageSize parameter for you.
-> - The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
-> - Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+> - Each record is 0.5KB of data. You should take this size into account when choosing the correct pageSize parameter for you.
+> - The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output isn't necessarily returned in the same order listed in this table.
+> - Some other columns might be returned in the response. These columns are temporary and might be removed so use only the documented columns.
 
-<br>
+</br>
 
 ****
 
@@ -103,7 +103,7 @@ ExtensionRisk|string|The highest risk level generated by the browser extension.
 ExtensionVersion|string|Version number of a specific browser extension.
 IsActivated|Boolean|Indicates whether a browser extension is active.
 RbacGroupId|integer|The role-based access control (RBAC) group ID.
-RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value is "Unassigned." If the organization doesn't contain any RBAC groups, the value is "None."
 InstallationTime|string|The time the browser extension was installed.
 Permissions|Array[string]|The set of permissions requested by a specific browser extension.
 
@@ -182,17 +182,13 @@ Delegated (work or school account)|Software.Read|'Read Threat and Vulnerability
 GET /api/machines/browserextensionsinventoryExport
 ```
 
-### 2.4 Parameters
-
-- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours)
-
-### 2.5 Properties
+### 2.4 Properties
 
 > [!NOTE]
 >
 > - The files are gzip compressed & in multiline JSON format.
-> - The download URLs are only valid for 3 hours. Otherwise you can use the parameter.
-> - For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
+> - The download URLs are only valid for 1 hour.
+> - For maximum download speed of your data, you can make sure you're downloading from the same Azure region that your data resides.
 
 <br>
 

defender-endpoint/api/get-assessment-information-gathering.md

@@ -15,8 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-
-ms.date: 07/26/2022
+ms.date: 01/08/2025
 ---
 
 # Information gathering assessment per device
@@ -70,35 +69,29 @@ Delegated (work or school account)|Vulnerability.Read|\'Read Threat and Vulnerab
 GET /api/Machines/InfoGatheringExport
 ```
 
-### 1.4 Parameters
-
-- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours)
-
-### 1.5 Properties
+### 1.4 Properties
 
 > [!NOTE]
-> The files are gzip compressed & in multiline Json format.
->
-> The download URLs are only valid for 3 hours; otherwise, you can use the parameter.
->
-> To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
->
-> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
+> 
+> - The files are gzip compressed & in multiline Json format.
+> - The download URLs are only valid for 1 hour.
+> - To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
+> - Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
 
 Property (ID)|Data type|Description
 :---|:---|:---
 |Export files|String[array]|A list of download URLs for files holding the current snapshot of the organization.
 |GeneratedTime|DateTime|The time the export was generated.
 
-### 1.6 Examples
+### 1.5 Examples
 
-#### 1.6.1 Request example
+#### 1.5.1 Request example
 
 ```http
 GET https://api.securitycenter.microsoft.com/api/machines/InfoGatheringExport?$sasValidHours=1
 ```
 
-#### 1.6.2 Response example
+#### 1.5.2 Response example
 
 ```json
 {