Merge pull request #5257 from MicrosoftDocs/main

[AutoPublish] main to live - 10/14 13:31 PDT | 10/15 02:01 IST

Author: m365-skilling-repo-management[bot]

defender-endpoint/linux-preferences.md

@@ -1,4 +1,4 @@
----
+---
 title: Configure security settings in Microsoft Defender for Endpoint on Linux
 ms.reviewer: gopkr, ardeshmukh
 description: Describes how to configure Microsoft Defender for Endpoint on Linux in enterprises.
@@ -581,10 +581,8 @@ Specify the maximum number of entries to keep in the scan history. Entries inclu
 
 ### Exclusion setting preferences
 
-**Exclusion setting preferences are currently in preview**.
-
 > [!NOTE] 
-> Global exclusions are currently in public preview, and are available in Defender for Endpoint beginning with version `101.23092.0012` or later in the Insiders Slow and Production rings.
+> Global exclusions are available in Defender for Endpoint beginning with version `101.24092.0001` or above.
 
 The `exclusionSettings` section of the configuration profile is used to configure various exclusions for Microsoft Defender for Endpoint for Linux.
 

defender-xdr/TOC.yml

@@ -86,6 +86,8 @@
         href: incident-queue.md
       - name: Manage incidents
         href: manage-incidents.md
+      - name: Use tasks to handle incident workflow
+        href: split-incidents-into-tasks.md
       - name: Investigate and respond to incidents
         items:
         - name: Plan incident response

defender-xdr/incidents-overview.md

@@ -4,8 +4,8 @@ description: An introduction to incidents and alerts, and the differences betwee
 ms.service: defender-xdr
 f1.keywords:
   - NOCSH
-ms.author: yelevin
-author: yelevin
+ms.author: guywild
+author: guywi-ms
 ms.localizationpriority: medium
 manager: raynew
 audience: ITPro
@@ -68,6 +68,7 @@ The Microsoft Defender portal includes tools and methods to automate or otherwis
 | Tool/Method | Description |
 | ----------- | ----------- |
 | **[Manage](manage-incidents.md) and [investigate](investigate-incidents.md) incidents** | Make sure that you prioritize your incidents according to severity and then work through them to investigate. Use advanced hunting to search for threats, and get ahead of emerging threats with threat analytics. |
+| **[Split incidents into tasks](split-incidents-into-tasks.md)** | Use tasks in the Microsoft Defender portal to investigate and resolve incidents collaboratively across your operations teams. Managing incidents with tasks helps to improve efficiency in incident response and ensure accountability for investigation outcomes. |
 | **[Automatically investigate and resolve alerts](/defender-xdr/m365d-autoir)** | If enabled to do so, Microsoft Defender XDR can automatically investigate and resolve alerts from Microsoft 365 and Entra ID sources through automation and artificial intelligence. |
 | **[Configure automatic attack disruption actions](automatic-attack-disruption.md)** | Use high-confidence signals collected from Microsoft Defender XDR and Microsoft Sentinel to automatically disrupt active attacks at machine speed, containing the threat and limiting the impact. |
 | **[Configure Microsoft Sentinel automation rules](/azure/sentinel/automate-incident-handling-with-automation-rules)** | Use automation rules to automate triage, assignment, and management of incidents, regardless of their source. Help your team's efficiency even more by configuring your rules to apply tags to incidents based on their content, suppress noisy (false positive) incidents, and close resolved incidents that meet the appropriate criteria, specifying a reason and adding comments. |

defender-xdr/media/manage-incidents-using-tasks/add-task-page-defender-portal.png

@@ -0,0 +1,80 @@
+---
+title: Streamline incident response using tasks in the Microsoft Defender portal (Preview)
+description: Create and manage tasks in the Microsoft Defender portal to investigate and resolve incidents collaboratively.
+search.appverid: met150
+ms.service: unified-secops-platform
+ms.author: guywild
+author: guywi-ms
+ms.date: 09/04/2025
+ms.collection:
+- M365-security-compliance
+- tier1
+- usx-security
+ms.topic: how-to
+
+# customer intent: As a security operations analyst, I want to manage incidents using tasks in the Microsoft Defender portal so that I can improve collaboration, efficiency, and accountability in incident investigations.    
+---
+
+# Streamline incident response using tasks in the Microsoft Defender portal (Preview)
+
+Use tasks in the Microsoft Defender portal to investigate and resolve incidents collaboratively across your operations teams. Breaking incidents into actionable tasks boosts operational efficiency and reinforces accountability throughout the process.
+
+This article explains how tasks work and how to use tasks to manage incidents in the Microsoft Defender portal.
+
+## How tasks work
+
+Break down investigations into clear, actionable steps and assign them across your team. 
+
+Using tasks is particularly useful for: 
+
+- Onboarding junior analysts
+- Working with managed security service providers (MSSPs)
+- Tracking work in compliance-oriented organizations
+
+The task panel presents tasks alongside [Security Copilot summaries, guided responses, and reports](./security-copilot-in-microsoft-365-defender.md) to provide a comprehensive view of progress and remaining actions required to close the incident.  
+
+Categorize, prioritize, assign, and track each task to ensure consistency, collaboration, and accountability. When you close a task, add Closing notes to document the outcome. These notes support thorough postmortems and help teams learn from each investigation.
+
+## Permissions required 
+
+| Action | Permissions required |
+|---|---|
+| View tasks | **Read-only** permissions or **Security data basics (read)** under the **Security operations** permissions group in the Defender portal. |
+| Create tasks | **All read and manage permissions** permissions or **Response (manage)** under the **Security operations** permissions group in the Defender portal. |
+
+For more information about unified RBAC in the Defender portal, see [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac).
+
+
+## View and manage tasks
+
+To view and manage tasks:
+
+1. From the Defender portal menu, select **Incidents & alerts** > **Incidents** to open the Incident queue.
+1. Select an incident from the queue.
+1. Select **Tasks** to open the **Tasks** side panel, which lists all of the tasks and Security Copilot insights associated with the incident.
+
+   :::image type="content" source="media/manage-incidents-using-tasks/task-pane-defender-portal.png" alt-text="Screenshot showing the Tasks side panel and incident details in Microsoft Defender portal." lightbox="media/manage-incidents-using-tasks/task-pane-defender-portal.png":::  
+
+1. To create a new task, select **Add task**.
+
+    :::image type="content" source="media/manage-incidents-using-tasks/add-task-page-defender-portal.png" alt-text="Screenshot showing the Add task pane in Microsoft Defender portal." lightbox="media/manage-incidents-using-tasks/add-task-page-defender-portal.png":::
+
+    Fill in the task details and select **Save**.
+
+1. To update a task's status, select a status from the **Status** dropdown on task preview card.
+
+   :::image type="content" source="media/manage-incidents-using-tasks/update-task-status-defender-portal.png" alt-text="Screenshot showing the Update task status dropdown in Microsoft Defender portal." lightbox="media/manage-incidents-using-tasks/update-task-status-defender-portal.png":::
+
+1. To edit or delete a task, select the ellipsis (**...**) > **Edit** or **Delete**.
+
+## Automate and synchronize tasks created in Microsoft Sentinel using the Azure portal
+
+When you onboard Microsoft Sentinel to the Defender portal, the Defender portal automatically synchronizes tasks you create in Sentinel using the Azure portal. 
+
+The Defender portal doesn't yet support automatic task creation, but you can continue to use [task automation rules](/azure/sentinel/create-tasks-automation-rule), [Logic App playbooks](/azure/sentinel/automation/create-tasks-playbook), or the [Incident Tasks REST API](/rest/api/securityinsights/incident-tasks) in Azure to create tasks, which are synchronized to the Defender portal.
+
+## Related content
+
+- [Incidents and alerts in the Microsoft Defender portal](./incidents-overview.md)
+- [Microsoft Copilot in Microsoft Defender](./security-copilot-in-microsoft-365-defender.md)
+- [Use tasks to manage incidents in Microsoft Sentinel in the Azure portal](/azure/sentinel/incident-tasks)

defender-xdr/media/manage-incidents-using-tasks/task-pane-defender-portal.png

@@ -33,6 +33,8 @@ For more information on what's new with other Microsoft Defender security produc
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
 ## September 2025
+
+- (Preview) You can now use tasks in the Microsoft Defender portal to break down incident investigations into actionable steps and assign them across your operations teams. Tasks are displayed alongside Security Copilot insights, guided responses, and reports - giving your team a unified view of progress and next steps. When you onboard Microsoft Sentinel to the Defender portal, tasks you create in Microsoft Sentinel through the Azure portal are automatically synchronized to the Defender portal. For more information, see [Streamline incident response using tasks in the Microsoft Defender portal (Preview)](./split-incidents-into-tasks.md)
 - (Preview) You can investigate incidents using [Blast radius analysis](investigate-incidents.md#blast-radius-analysis), which is an advanced graph visualization built on the Microsoft Sentinel data lake and graph infrastructure. This feature generates an interactive graph showing possible propagation paths from the selected node to predefined critical targets scoped to the user’s permissions.
 - (Preview) In advanced hunting, you can now hunt using the [hunting graph](advanced-hunting-graph.md), which renders rendering predefined threat scenarios as interactive graphs.
 

defender-xdr/media/manage-incidents-using-tasks/update-task-status-defender-portal.png

@@ -69,6 +69,8 @@
           href: plan-incident-response.md
         - name: Correlation and merging
           href: /defender-xdr/alerts-incidents-correlation?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json&tabs=defender-portal
+        - name: Use tasks to handle incident workflow
+          href: /defender-xdr/split-incidents-into-tasks?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json
         - name: Investigate incidents in Security Copilot
           href: /azure/sentinel/sentinel-security-copilot?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json
         - name: Investigate with Microsoft Copilot in Microsoft Defender

defender-xdr/split-incidents-into-tasks.md

@@ -21,6 +21,14 @@ ms.topic: concept-article
 
 This article lists recent features added for unified security operations in the Microsoft Defender portal.
 
+
+## September 2025
+
+
+### Manage Incident Workflows with Tasks in Microsoft Defender (Preview)
+
+You can now use tasks in the Microsoft Defender portal to break down incident investigations into actionable steps and assign them across your operations teams. Tasks are displayed alongside Security Copilot insights, guided responses, and reports - giving your team a unified view of progress and next steps. When you onboard Microsoft Sentinel to the Defender portal, tasks you create in Microsoft Sentinel through the Azure portal are automatically synchronized to the Defender portal. For more information, see [Streamline incident response using tasks in the Microsoft Defender portal (Preview)](/defender-xdr/split-incidents-into-tasks?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json).
+
 ## August 2025