Merge branch 'main' into pr/1307

denisebmsft · denisebmsft · commit 97861e4ce87d · 2024-09-10T10:00:04.000-07:00
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
@@ -861,40 +861,15 @@ The following configuration profile contains entries for all settings described
 
 ```JSON
 {
-   "antivirusEngine":{
-      "enforcementLevel":"real_time",
-      "behaviorMonitoring": "enabled",
+"antivirusEngine":{
+      "enforcementLevel":"passive",
+      "behaviorMonitoring": "disabled",
       "scanAfterDefinitionUpdate":true,
       "scanArchives":true,
       "scanHistoryMaximumItems": 10000,
       "scanResultsRetentionDays": 90,
       "maximumOnDemandScanThreads":2,
       "exclusionsMergePolicy":"merge",
-      "exclusions":[
-         {
-            "$type":"excludedPath",
-            "isDirectory":false,
-            "path":"/var/log/system.log<EXAMPLE DO NOT USE>"
-         },
-         {
-            "$type":"excludedPath",
-            "isDirectory":true,
-            "path":"/run<EXAMPLE DO NOT USE>"
-         },
-         {
-            "$type":"excludedPath",
-            "isDirectory":true,
-            "path":"/home/*/git<EXAMPLE DO NOT USE>"
-         },
-         {
-            "$type":"excludedFileExtension",
-            "extension":".pdf<EXAMPLE DO NOT USE>"
-         },
-         {
-            "$type":"excludedFileName",
-            "name":"cat<EXAMPLE DO NOT USE>"
-         }
-      ],
       "allowedThreats":[
          "<EXAMPLE DO NOT USE>EICAR-Test-File (not a virus)"
       ],
@@ -904,6 +879,7 @@ The following configuration profile contains entries for all settings described
       ],
       "nonExecMountPolicy":"unmute",
       "unmonitoredFilesystems": ["nfs,fuse"],
+      "enableFileHashComputation": false,
       "threatTypeSettingsMergePolicy":"merge",
       "threatTypeSettings":[
          {
@@ -914,14 +890,49 @@ The following configuration profile contains entries for all settings described
             "key":"archive_bomb",
             "value":"audit"
          }
-      ]
+      ],
+      "scanFileModifyPermissions":false,
+      "scanFileModifyOwnership":false,
+      "scanNetworkSocketEvent":false,
+      "offlineDefinitionUpdateUrl": "http://172.22.199.67:8000/linux/production/<EXAMPLE DO NOT USE>",
+      "offlineDefintionUpdateFallbackToCloud":false,
+      "offlineDefinitionUpdate":"disabled"
    },
    "cloudService":{
       "enabled":true,
       "diagnosticLevel":"optional",
       "automaticSampleSubmissionConsent":"safe",
       "automaticDefinitionUpdateEnabled":true,
-      "proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/"
+      "proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/",
+      "definitionUpdatesInterval":28800
+   },
+   "features":{
+      "moduleLoad":"disabled",
+      "supplementarySensorConfigurations":{
+        "enableFilePermissionEvents":"disabled",
+        "enableFileOwnershipEvents":"disabled",
+        "enableRawSocketEvent":"disabled",
+        "enableBootLoaderCalls":"disabled",
+        "enableProcessCalls":"disabled",
+        "enablePseudofsCalls":"diabled",
+        "enableEbpfModuleLoadEvents":"disabled",
+        "sendLowfiEvents":"disabled"
+      },
+      "ebpfSupplementaryEventProvider":"enabled",
+      "offlineDefinitionUpdateVerifySig": "disabled"
+   },
+   "networkProtection":{
+      "enforcementLevel":"disabled",
+      "disableIcmpInspection":true
+   },
+   "edr":{
+      "groupIds":"GroupIdExample",
+      "tags": [
+         {
+         "key": "GROUP",
+         "value": "Tag"
+         }
+       ]
    },
 "exclusionSettings":{
   "exclusions":[
diff --git a/defender-endpoint/prepare-deployment.md b/defender-endpoint/prepare-deployment.md
@@ -16,7 +16,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 06/26/2024
+ms.date: 09/09/2024
 ---
 
 # Assign roles and permissions for Microsoft Defender for Endpoint deployment
@@ -38,15 +38,7 @@ The next step when deploying Defender for Endpoint is to assign roles and permis
 
 ## Role-based access control
 
-Microsoft recommends using the concept of least privileges. Defender for Endpoint leverages built-in roles within Microsoft Entra ID. Microsoft recommends [review the different roles that are available](/azure/active-directory/roles/permissions-reference) and choose the right one to solve your needs for each persona for this application. Some roles may need to be applied temporarily and removed after the deployment has been completed.
-
-|Personas|Roles|Microsoft Entra role (if necessary)|Assign to|
-|---|---|---|---|
-|Security Administrator||||
-|Security Analyst||||
-|Endpoint Administrator||||
-|Infrastructure Administrator||||
-|Business Owner/Stakeholder||||
+Microsoft recommends using the concept of least privileges. Defender for Endpoint leverages built-in roles within Microsoft Entra ID. [Review the different roles available](/azure/active-directory/roles/permissions-reference) and choose the right one to solve your needs for each persona for this application. Some roles may need to be applied temporarily and removed after the deployment has been completed.
 
 Microsoft recommends using [Privileged Identity Management](/azure/active-directory/active-directory-privileged-identity-management-configure) to manage your roles to provide additional auditing, control, and access review for users with directory permissions.
 
@@ -62,11 +54,11 @@ You can find details on permission guidelines here: [Create roles and assign the
 
 The following example table serves to identify the Cyber Defense Operations Center structure in your environment that will help you determine the RBAC structure required for your environment.
 
-|Tier|Description|Permission Required|
+|Tier|Description|Permissions required|
 |---|---|---|
-|Tier 1|**Local security operations team / IT team** <br/><br/> This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.||
-|Tier 2|**Regional security operations team** <br/><br/> This team can see all the devices for their region and perform remediation actions.|View data|
-|Tier 3|**Global security operations team** <br/><br/> This team consists of security experts and is authorized to see and perform all actions from the portal.|View data <br/><br/> Alerts investigation Active remediation actions <br/><br/> Alerts investigation Active remediation actions <br/><br/> Manage portal system settings <br/><br/> Manage security settings|
+|Tier 1|**Local security operations team / IT team** <br/><br/> This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.|View data|
+|Tier 2|**Regional security operations team** <br/><br/> This team can see all the devices for their region and perform remediation actions.|View data <br/><br/> Alerts investigation <br/><br/> Active remediation actions <br/><br/>|
+|Tier 3|**Global security operations team** <br/><br/> This team consists of security experts and is authorized to see and perform all actions from the portal.|View data <br/><br/> Alerts investigation <br/><br/> Active remediation actions <br/><br/>  Manage portal system settings <br/><br/> Manage security settings|
 
 ## Next step
 
diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md
@@ -29,6 +29,11 @@ For more information on what's new with other Microsoft Defender security produc
 
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
+## September 2024
+
+- [Microsoft Defender Threat Intelligence](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) customers can now view the [latest featured threat intelligence articles](/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal#featured-threat-intelligence-articles-widget) in the Microsoft Defender portal home page. The **Intel explorer** page now also has an [article digest](/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal#article-digest) that notifies them of the number of new Defender TI articles that were published since they last accessed the Defender portal.
+- [Microsoft Defender XDR Unified RBAC permissions](experts-on-demand.md#required-permissions-for-using-ask-defender-experts) are added to submit inquiries and view responses from [Microsoft Defender Experts](experts-on-demand.md). You can also [view responses](experts-on-demand.md#where-to-view-responses-from-defender-experts) to inquires submitted to Ask Defender Experts through your listed email addresses when submitting your inquiry or in the Defender portal by navigating to **Reports** > **Defender Experts messages**.
+
 ## August 2024
 
 - (Preview) Microsoft Sentinel data is now available with Defender XDR data in Microsoft Defender multitenant management. Only one Microsoft Sentinel workspace per tenant is currently supported in the Microsoft unified security operations platform. So, Microsoft Defender multitenant management shows security information and event management (SIEM) data from one Microsoft Sentinel workspace per tenant. For more information, see [Microsoft Defender multitenant management](mto-overview.md) and [Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal).
@@ -67,7 +72,6 @@ You can also get product updates and important notifications through the [messag
 
 - (Preview) You can now filter your Microsoft Defender for Cloud alerts by the associated **alert subscription ID** in the Incidents and Alerts queues. For more information, see [Microsoft Defender for Cloud in Microsoft Defender XDR](microsoft-365-security-center-defender-cloud.md).
 
-
 - (GA) You can now **[filter your results](advanced-hunting-query-results.md#filter-results)** in advanced hunting so you can narrow down your investigation on specific data you want to focus on.
 
 ## May 2024
