
Commit 9291f4e

Merge branch 'main' into docs-editor/review-detected-threats-1718974858
2 parents e25d695 + 7edef28 commit 9291f4e

9 files changed

+51
-19
lines changed


defender-endpoint/run-analyzer-macos-linux.md

Lines changed: 1 addition & 1 deletion
@@ -297,7 +297,7 @@ Usage example: `sudo ./mde_support_tool.sh skipfaultyrules -e true`
297297

298298
- report.html
299299

300-
Description: The main HTML output file that contains the findings and guidance that the analyzer script run on the machine can produce.
300+
Description: The main HTML output file that contains the findings and guidance from running the client analyzer tool on the device. This file is only generated when running the Python-based version of the client analyzer tool.
301301

302302
- mde_diagnostic.zip
303303
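Review bot: the added sentence at line 300 says report.html is only generated by the Python-based client analyzer, yet the section's usage example (`sudo ./mde_support_tool.sh skipfaultyrules -e true`) is for the shell tool, so a reader following the shell workflow will look for a file that is never produced. Suggest linking the Python-based version from this sentence, or listing which output files each variant produces, so the outputs of the two tools are not described in one undifferentiated list.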

defender-vulnerability-management/fixed-reported-inaccuracies.md

Lines changed: 23 additions & 0 deletions
@@ -32,14 +32,36 @@ This article provides information on inaccuracies that have been reported. You c
3232
3333
The following tables present the relevant vulnerability information organized by month:
3434

35+
## June 2024
36+
37+
| Inaccuracy report ID | Description | Fix date |
38+
|---|---|---|
39+
| 55309 | Fixed inaccuracy in Google One | 01-June-24 |
40+
| - | Defender Vulnerability Management doesn't currently support CVE-2020-17381 | 02-June-24 |
41+
| - | Fixed inaccuracy in CVE-2024-21410 | 10-June-24 |
42+
43+
3544
## May 2024
3645

3746
| Inaccuracy report ID | Description | Fix date |
3847
|---|---|---|
48+
| - | Fixed inaccuracy in CVE-2023-46838 | 05-May-24 |
49+
| - | Fixed inaccuracy in CVE-2024-3094 | 05-May-24 |
3950
| - | Fixed inaccuracy in Microsoft Visual Studio Code | 06-May-24 |
51+
| - | Fixed inaccuracy in CVE-2024-1403 | 06-May-24 |
4052
| - | Added Microsoft Defender Vulnerability Management support to NextGen Mirth Connect | 08-May-24 |
4153
| 54538 | Fixed inaccuracy in Pippo product | 08-May-24 |
4254
| - | Fixed inaccuracy in FortiClient Endpoint Management | 08-May-24 |
55+
| - | Added accurate EOS details for D-Link products | 15-May-24 |
56+
| 54786 | Fixed inaccuracy in CVE-2024-31497 | 16-May-24 |
57+
| 56667 | Fixed inaccuracy in CURL vulnerabilities - CVE-2023-28319 & CVE-2023-28320 | 16-May-24 |
58+
| - | Defender Vulnerability Management doesn't currently support CVE-2024-20666 | 20-May-24 |
59+
| 56287 | Fixed inaccuracy in CVE-2021-32823 | 20-May-24 |
60+
| 57278 | Defender Vulnerability Management doesn't currently support Lenovo Thinkpad P16 Gen1 Firmware | 20-May-24 |
61+
| 50565 | Fixed inaccuracy in Adobe experience Manager Desktop | 21-May-24 |
62+
| 55190 | Fixed inaccuracy in Abbyy Finereader PDF and Engine | 21-May-24 |
63+
| 49836 | Fixed inaccuracy in Progress OpenEdge | 26-May-24 |
64+
| 57299 | Fixed inaccuracy in CVE-2021-33214 & CVE-2020-14498 | 29-May-24 |
4365

4466
## April 2024
4567
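Review bot: the June 2024 dates use a spelled-out month (`01-June-24`, `02-June-24`, `10-June-24`) while every other table on the page uses three-letter abbreviations (`05-May-24`, `16-Apr-24`); change them to `01-Jun-24` and so on. Product names in the new May rows should follow vendor spelling: `Adobe experience Manager` to `Adobe Experience Manager`, `Abbyy Finereader` to `ABBYY FineReader`, `Lenovo Thinkpad` to `Lenovo ThinkPad`, and `CURL` to `curl`. `EOS` in the D-Link row is not expanded anywhere on the page; spell out end-of-support on first use. Added lines 42 and 43 are both blank, leaving a double blank line before `## May 2024`; one is enough.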

@@ -62,6 +84,7 @@ The following tables present the relevant vulnerability information organized by
6284
| 48996 | Fixed inaccuracy in Connectwise ScreenConnect Client | 16-Apr-24 |
6385
| - | Fixed inaccurate product considerations in Apple | 16-Apr-24 |
6486
| 49565 | Fixed inaccuracy in GitHub vulnerabilities - CVE-2012-2055 and CVE-2024-0727 | 16-Apr-24 |
87+
| 54684 | Defender Vulnerability Management doesn't currently support Lenovo Thinkpad T590 Firmware | 30-Apr-24 |
6588

6689
## March 2024
6790
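Review bot: the new row states that a product is not supported, but it sits under a column headed `Fix date`, so the date reads as the fix date of something that was not fixed (the same pattern appears in the new June rows). Consider a neutral header such as `Date`, or a separate note for unsupported items; also `Thinkpad` should be `ThinkPad`.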

defender-xdr/TOC.yml

Lines changed: 0 additions & 2 deletions
@@ -410,8 +410,6 @@
410410
href: communicate-defender-experts-xdr.md
411411
- name: Defender Experts for Hunting
412412
href: defender-experts-for-hunting.md
413-
- name: Ask Defender Experts
414-
href: experts-on-demand.md
415413
- name: Auditing
416414
href: auditing.md
417415
- name: Frequently asked questions
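Review bot: this drops the `Ask Defender Experts` entry pointing at experts-on-demand.md from the TOC, but no deletion of experts-on-demand.md and no redirect entry appear among the nine files in this commit, so the page becomes orphaned rather than retired. Either add the redirect or deletion in the same change, or confirm it landed separately, and check inbound links from other articles to experts-on-demand.md.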

defender-xdr/managed-detection-and-response-xdr.md

Lines changed: 25 additions & 16 deletions
@@ -15,7 +15,7 @@ ms.collection:
1515
- essentials-manage
1616
ms.topic: conceptual
1717
search.appverid: met150
18-
ms.date: 05/28/2024
18+
ms.date: 06/20/2024
1919
---
2020

2121
# Managed detection and response
@@ -42,32 +42,40 @@ When our experts conclude their investigation on an incident, the incident's **C
4242

4343
The **Determination** field corresponding to each classification is also updated to provide more insights on the findings that led our experts to determine the said classification.
4444

45-
:::image type="content" source="/defender/media/xdr/incidents-xdr-1.png" alt-text="Screenshot of Incidents page showing the Tags, Status, Assigned to, Classification, and Determination fields." lightbox="/defender/media/xdr/incidents-xdr-1.png":::
45+
:::image type="content" source="media/incidents-xdr-1.png" alt-text="Screenshot of Incidents page showing the Tags, Status, Assigned to, Classification, and Determination fields." lightbox="media/incidents-xdr-1.png":::
4646

47-
If an incident is classified as _False Positive_ or _Informational_, _Expected Activity_, then the incident's **Status** field gets updated to _Resolved_. Our experts then conclude their work on this incident and the **Assigned to** field gets updated to _Unassigned_. Our experts may share updates from their investigation and their conclusion when resolving an incident. These updates are posted in the incident's **Comments and history** flyout panel.
48-
49-
> [!NOTE]
50-
> Incident comments are one-way posts. Defender Experts can't respond to any comments or questions you add in the **Comments and history** panel. For more information about how to correspond with our experts, see [Communicating with experts in the Microsoft Defender Experts for XDR service](communicate-defender-experts-xdr.md).
47+
If an incident is classified as _False Positive_ or _Informational_, _Expected Activity_, then the incident's **Status** field gets updated to _Resolved_. Our experts then conclude their work on this incident and the **Assigned to** field gets updated to _Unassigned_. Our experts might share updates from their investigation and their conclusion when resolving an incident. These updates are posted under _Investigation Summary_ in the incident's **Managed response** flyout panel.
5148

5249
Otherwise, if an incident is classified as _True Positive_, our experts then identify the required response actions that need to be performed. The method in which the actions are performed depends on the permissions and access levels you have given the Defender Experts for XDR service. [Learn more about granting permissions to our experts](get-started-xdr.md#grant-permissions-to-our-experts).
5350

54-
- If you have granted Defender Experts for XDR the recommended Security Operator access permissions, our experts could perform the required response actions on the incident on your behalf. These actions, along with an **Investigation summary**, show up in the incident's [Managed response](#how-to-use-managed-response-in-microsoft-365-defender) flyout panel in your Microsoft Defender portal for you or your SOC team to review. All actions that are completed by Defender Experts for XDR appear under the **Completed actions** section. Any pending actions that require you or you SOC team to complete are listed under the **Pending actions** section. For more information, see the [Actions](#actions) section. Once our experts have taken all the necessary actions on the incident, its **Status** field is then updated to _Resolved_ and the **Assigned to** field is updated to _Unassigned_.
51+
- If you have granted Defender Experts for XDR the recommended Security Operator access permissions, our experts could perform the required response actions on the incident on your behalf. These actions, along with an **Investigation summary**, show up in the incident's [Managed response](#how-to-use-managed-response-in-microsoft-365-defender) flyout panel in your Microsoft Defender portal for you or your SOC team to review. All actions that are completed by Defender Experts for XDR appear under the **Completed actions** section. Any pending actions that require you or you SOC team to complete are listed under the **Pending actions** section. For more information, see the [Actions](#actions) section. Once our experts have taken all the necessary actions on the incident, its **Status** field is then updated to _Resolved_ and the **Assigned to** field is updated to _Customer_.
5552

5653
- If you have granted Defender Experts for XDR the default Security Reader access, then the required response actions, along with an **Investigation summary**, show up in the incident's **Managed response** flyout panel under the **Pending actions** section in your Microsoft Defender portal for you or your SOC team to perform. For more information, see the [Actions](#actions) section. To identify this handover, the incident's **Status** field is updated to _Awaiting Customer Action_ and the **Assigned to** field is updated to _Customer_.
5754

5855
You can check the number of incidents that require your action in the Defender Experts banner at the top of the Microsoft Defender homepage.
5956

60-
:::image type="content" source="/defender/media/xdr/view-incidents.png" alt-text="Screenshot of the Defender Experts card in Microsoft Defender portal showing the number of incidents awaiting customer action." lightbox="/defender/media/xdr/view-incidents.png":::
57+
:::image type="content" source="/defender/media/xdr/view-incidents.png" alt-text="Screenshot of the Defender Experts card in Microsoft Defender portal showing the number of incidents awaiting customer action." lightbox="/defender/media/xdr/view-incidents.png":::
58+
59+
You can view the incidents related to Defender Experts by filtering the incident queue in your Microsoft Defender portal using several filter sets. [Learn more about adding incident queue filters](incident-queue.md#filters-)
60+
61+
- To view the incidents our experts are currently investigating, use the **Incident assignment** filter, select **Assigned To Defender Experts**.
62+
- To view the incidents our experts have investigated and handed over to your team to act on pending remediation actions, using the **Incident assignment** filter, choose **Assigned To customer team**.
63+
64+
:::image type="content" source="media/new-incidents-filter-1.png" alt-text="Screenshot of the Incidents queue filtered to only show those with the Assigned to Defender Experts tag." lightbox="media/new-incidents-filter-1.png":::
65+
66+
- To view the incidents our experts have investigated and handed over to your team to act on pending remediation actions, using the **Status** filter, choose **Awaiting Customer Action**.
67+
68+
:::image type="content" source="media/awaiting-customer-action-filter.png" alt-text="Screenshot of the Incidents queue in Microsoft Defender portal filtered to only show those with the Awaiting customer action tag." lightbox="media/awaiting-customer-action-filter.png":::
6169

62-
To view the incidents our experts have investigated or are currently investigating, filter the incident queue in your Microsoft Defender portal using the _Defender Experts_ tag.
70+
- To view the incidents our experts have completed their investigation on (and either directly resolved or assigned to your team for pending remediation actions), using the **Tags** filter, choose **Defender Experts**.
6371

64-
:::image type="content" source="/defender/media/xdr/incidents-filter.png" alt-text="Screenshot of the Incidents queue in Microsoft Defender portal filtered to only show those with the Defender Experts tag." lightbox="/defender/media/xdr/incidents-filter.png":::
72+
:::image type="content" source="media/defender-experts-tag.png" alt-text="Screenshot of the Incidents queue in Microsoft Defender portal filtered to only show the Defender Experts tag." lightbox="media/defender-experts-tag.png":::
6573

6674
<a name='how-to-use-managed-response-in-microsoft-365-defender'></a>
6775

6876
## How to use managed response in Microsoft Defender XDR
6977

70-
In the Microsoft Defender portal, an incident that requires your attention using managed response has the **Status** field set to _Awaiting Customer Action_, the **Assigned to** field set to _Customer_ and a task card on top of the **Incidents** pane. Your designated incident contacts also receives a corresponding email notification with a link to the Defender portal to view the incident. [Learn more about notification contacts](get-started-xdr.md#tell-us-who-to-contact-for-important-matters). You will also receive a Teams notification informaing you about the updates. [Learn more about setting up Teams](get-started-xdr.md#receive-managed-response-notifications-and-updates-in-microsoft-teams)
78+
In the Microsoft Defender portal, an incident that requires your attention using managed response has the **Status** field set to _Awaiting Customer Action_, the **Assigned to** field set to _Customer_ and a task card on top of the **Incidents** pane. Your designated incident contacts also receives a corresponding email notification with a link to the Defender portal to view the incident. [Learn more about notification contacts](get-started-xdr.md#tell-us-who-to-contact-for-important-matters). You will also receive a Teams notification informing you about the updates. [Learn more about setting up Teams](get-started-xdr.md#receive-managed-response-notifications-and-updates-in-microsoft-teams)
7179

7280
Select **View managed response** on the task card or on the top of the portal page (**Managed response** tab) to open a flyout panel where you can read our experts' investigation summary, complete pending actions identified by our experts, or engage with them through chat.
7381
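Review bot: the bullets at added lines 62 and 66 carry the identical description (`incidents our experts have investigated and handed over to your team to act on pending remediation actions`) for two different filters (**Incident assignment** with **Assigned To customer team**, and **Status** with **Awaiting Customer Action**). If they yield the same set, say so and keep one; otherwise explain the difference, since line 51 now sets resolved incidents to **Assigned to** _Customer_, so the assignment filter would also match fully remediated incidents while the status filter would not. The alt text at line 64 describes a queue filtered by `Assigned to Defender Experts` although it follows the customer-team bullet. Image sources are now mixed: the new references use relative `media/...` paths while unchanged ones keep `/defender/media/xdr/...`; pick one convention. Smaller items on lines already being touched: `you or you SOC team` at line 51 should be `your SOC team`, `incident contacts also receives` at line 78 should be `receive`, the link target `incident-queue.md#filters-` at line 59 ends in a stray hyphen, and the bullets alternate between `use the ... filter, select` and `using the ... filter, choose`.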

@@ -100,18 +108,18 @@ Apart from these one-click actions, you can also receive managed responses from
100108

101109
1. Select the arrow buttons in an action card to expand it and read more information about the required action.
102110

103-
:::image type="content" source="/defender/media/xdr/action-card-1.png" alt-text="Screenshot of managed response action to isolate the device prod server." lightbox="/defender/media/xdr/action-card-1.png":::
111+
:::image type="content" source="/defender/media/xdr/action-card-1.png" alt-text="Screenshot of managed response action to isolate the device prod server." lightbox="/defender/media/xdr/action-card-1.png":::
104112

105113
2. For cards with one-click response actions, select the required action. The **Action status** in the card changes to **In progress**, then to **Failed** or **Completed**, depending on the action's outcome.
106114

107-
:::image type="content" source="/defender/media/xdr/action-card-2.png" alt-text="Screenshot of managed response action showing in-progress to isolate the device prod server." lightbox="/defender/media/xdr/action-card-2.png":::
115+
:::image type="content" source="/defender/media/xdr/action-card-2.png" alt-text="Screenshot of managed response action showing in-progress to isolate the device prod server." lightbox="/defender/media/xdr/action-card-2.png":::
108116

109117
> [!TIP]
110118
> You can also monitor the status of in-portal response actions in the [Action center](m365d-action-center.md). If a response action fails, try doing it again from the **View device details** page or [initiate a chat](communicate-defender-experts-xdr.md#in-portal-chat) with Defender Experts.
111119
112120
3. For cards with required actions that you need to perform manually, select **I've completed this action** once you've performed them, then select **Yes, I've done it** in the confirmation dialog box that appears.
113121

114-
:::image type="content" source="/defender/media/xdr/ive-completed-this-action.png" alt-text="Screenshot of managed response action to confirm action completion." lightbox="/defender/media/xdr/ive-completed-this-action.png":::
122+
:::image type="content" source="/defender/media/xdr/ive-completed-this-action.png" alt-text="Screenshot of managed response action to confirm action completion." lightbox="/defender/media/xdr/ive-completed-this-action.png":::
115123

116124
4. If you don't want to complete a required action right away, select **Skip**, then select **Yes, skip this action** in the confirmation dialog box that appears.
117125
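Review bot: every removed line in this hunk (103, 107, 114) is re-added with identical visible content (111, 115, 122), so the change is whitespace only, presumably indenting the image directives under their numbered steps. If that is the intent, say so in the commit message; if it is trailing-whitespace churn from an editor, drop these lines from the change so the diff shows only the content edits.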

@@ -134,10 +142,11 @@ Once you have turned on the connector, updates by Defender Experts to the **Stat
134142
The following section describes how an incident handled by our experts is updated in Sentinel as it progresses through the investigation journey:
135143

136144
1. An incident being investigated by our experts has the **Status** listed as _Active_ and the **Owner** listed as _Defender Experts_.
137-
1. An incident that our experts have confirmed as a _True Positive_ has a managed response posted in Microsoft Defender XDR, and a **Tag** _Awaiting Customer Action_ and the **Owner** is listed as _Customer_. You need to act on the incident based on using the provided managed response.
145+
1. An incident that our experts have confirmed as a _True Positive_ has a managed response posted in Microsoft Defender XDR, and a **Tag** _Awaiting Customer Action_ and the **Owner** is listed as _Customer_. You need to act on the incident based on using the provided managed response in the Defender portal.
146+
1. An incident that our experts have confirmed as a _True Positive_, with all remediation actions taken by Defender Experts, has the incident's Status updated to _Resolved_ and the **Owner** is listed as _Customer_. You can review the actions completed on the incident using the provided managed response in the Defender portal.
138147
1. Once our experts have concluded their investigation and closed an incident as _False Positive_ or _Informational_, _Expected Activity_, the incident's **Status** is updated to _Resolved_, the **Owner** is updated to _Unassigned_, and a **Reason for closing** is provided.
139148

140-
:::image type="content" source="/defender/media/xdr/microsoft-sentinel-incidents.png" alt-text="Screenshot of Microsoft Sentinel incidents." lightbox="/defender/media/xdr/microsoft-sentinel-incidents.png":::
149+
:::image type="content" source="/defender/media/xdr/microsoft-sentinel-incidents.png" alt-text="Screenshot of Microsoft Sentinel incidents." lightbox="/defender/media/xdr/microsoft-sentinel-incidents.png":::
141150

142151
### Other applications
143152
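Review bot: the new item at line 146 and the existing one at 145 both begin `An incident that our experts have confirmed as a _True Positive_`, so the list now has two True Positive states distinguished only mid-sentence; consider one True Positive item with the two outcomes (pending customer action versus fully remediated by Defender Experts) as sub-points. `based on using the provided managed response` at line 145 reads better as `using the provided managed response`. The Resolved plus **Owner** _Customer_ state at 146 does match the new **Assigned to** _Customer_ wording added earlier in this file; the image line at 140/149 is another whitespace-only change.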


defender-xdr/whats-new.md

Lines changed: 2 additions & 0 deletions
@@ -55,6 +55,8 @@ You can also get product updates and important notifications through the [messag
5555
- (Preview) You can now query Microsoft Sentinel data using the [advanced hunting query API](/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http&preserve-view=true). You can use the `timespan` parameter to query Defender XDR and Microsoft Sentinel data that have longer data retention than the Defender XDR default of 30 days.
5656

5757
- (Preview) In the unified Microsoft Defender portal, you can now create custom detections in querying data that spans Microsoft Sentinel and Defender XDR tables. Read [Create custom analytics and detection rules](advanced-hunting-microsoft-defender.md#create-custom-analytics-and-detection-rules) for more information.
58+
59+
- Updated [troubleshooting steps for Microsoft Defender Experts app permissions in Microsoft Teams](teams-restrictions-dexapp.md).
5860

5961
## April 2024
6062
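Review bot: the new entry at line 59 says the troubleshooting steps were updated but not what changed; a what's-new bullet should state the substance (which guidance or permission step was added) so readers can decide whether to reread the linked page. This commit also removes `Ask Defender Experts` (experts-on-demand.md) from the Defender XDR TOC, a user-visible change that merits its own line here.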
