Merge branch 'main' into diannegali-xdrinsiderrisk

Author: robmazz

ATPDocs/health-alerts.md

@@ -1,7 +1,7 @@
 ---
 title: Microsoft Defender for Identity health issues
 description: This article describes all the health issues that can occur for each component, listing the cause and the steps needed to resolve the problem
-ms.date: 07/09/2024
+ms.date: 01/16/2025
 ms.topic: how-to
 ---
 
@@ -191,6 +191,12 @@ Sensor-specific health issues are displayed in the **Sensor health issues** tab
 |----|----|----|----|----|
 |Radius accounting (VPN integration) data ingestion failures.|The listed Defender for Identity sensors have radius accounting (VPN integration) data ingestion failures.|Validate that the shared secret in the Defender for Identity configuration settings matches your VPN server, according to the guidance described [Configure VPN in Defender for Identity](vpn-integration.md#configure-vpn-in-defender-for-identity) section, in the [Defender for Identity VPN integration](vpn-integration.md) page.|Low|Health issues page|
 
+### Auditing for AD CS servers is not enabled as required
+
+|Alert|Description|Resolution|Severity|Displayed in|
+|----|----|----|----|----|
+|Auditing for AD CS servers is not enabled as required. (This configuration is validated once a day, per sensor).|The Advanced Auditing Policy Configuration or AD CS auditing is not enabled as required.|Enable the Advanced Auditing Policy Configuration and AD CS auditing according to the guidance as described in the [Configure auditing on AD CS](configure-windows-event-collection.md#configure-auditing-on-ad-cs) section, in the [Configure Windows Event collection](configure-windows-event-collection.md) page.|Medium|Sensors health issues tab|
+
 ### Sensor failed to retrieve Microsoft Entra Connect service configuration
 
 | Alert| Description  |Resolution|Severity|Displayed in|

defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md

@@ -8,7 +8,7 @@ ms.author: ewalsh
 ms.custom: nextgen
 ms.reviewer: ksarens
 manager: deniseb
-ms.date: 06/06/2023
+ms.date: 01/16/2025
 ms.subservice: ngp
 ms.topic: how-to
 ms.collection: 
@@ -32,7 +32,7 @@ search.appverid: met150
 You can perform various functions in Microsoft Defender Antivirus using the dedicated command-line tool **mpcmdrun.exe**. This utility is useful when you want to automate Microsoft Defender Antivirus tasks. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. Run it from a command prompt.
 
 > [!TIP]
-> You might need to open an administrator-level version of the command prompt. When you search for **Command Prompt** on the Start menu, choose **Run as administrator**. If you're running an updated Microsoft Defender antimalware platform version, run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>`. For more information about the antimalware platform, see [Microsoft Defender Antivirus updates and baselines](microsoft-defender-antivirus-updates.md).
+> You might need to open an administrator-level version of the command prompt. When you search for **Command Prompt** on the **Start** menu, choose **Run as administrator**. If you're running an updated Microsoft Defender antimalware platform version, run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>`. For more information about the antimalware platform, see [Microsoft Defender Antivirus updates and baselines](microsoft-defender-antivirus-updates.md).
 
 The MpCmdRun utility uses the following syntax:
 
@@ -52,38 +52,45 @@ In our example, the MpCmdRun utility starts a full antivirus scan on the device.
 
 |Command|Description|
 |---|---|
-|`-?` **or** `-h`|Displays all available options for the MpCmdRun tool|
+|`-?` **or** `-h`|Displays all available options for the MpCmdRun tool.|
 |`-Scan [-ScanType [<value>]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]`|Scans for malicious software. Values for **ScanType** are:<p>**0** Default, according to your configuration<p>**1** Quick scan<p>**2** Full scan<p>**3** File and directory custom scan.<p>CpuThrottling runs according to policy configurations.|
-|`-Trace [-Grouping #] [-Level #]`|Starts diagnostic tracing|
+|`-Trace [-Grouping #] [-Level #]`|Starts diagnostic tracing.|
 |`-CaptureNetworkTrace -Path <path>`|Captures all the network input into the Network Protection service and saves it to a file at `<path>`. <br/>Supply an empty path to stop tracing.|
 |`-GetFiles [-SupportLogLocation <path>]`|Collects support information. See [collecting diagnostic data](collect-diagnostic-data.md).|
 |`-GetFilesDiagTrack`|Same as `-GetFiles`, but outputs to temporary DiagTrack folder.|
 |`-RemoveDefinitions [-All]`|Restores the installed security intelligence to a previous backup copy or to the original default set.|
 |`-RemoveDefinitions [-DynamicSignatures]`|Removes only the dynamically downloaded security intelligence.|
 |`-RemoveDefinitions [-Engine]`|Restores the previous installed engine.|
-|`-SignatureUpdate [-UNC \|-MMPC]`|Checks for new security intelligence updates.|
-|`-Restore  [-ListAll \|[[-Name <name>] [-All] \|[-FilePath <filePath>]] [-Path <path>]]`|Restores or lists quarantined item(s).|
+|`-SignatureUpdate [-UNC |-MMPC]`|Checks for new security intelligence updates.|
+|`-Restore  [-ListAll |[[-Name <name>] [-All] |[-FilePath <filePath>]] [-Path <path>]]`|Restores or lists quarantined items.|
 |`-AddDynamicSignature [-Path]`|Loads dynamic security intelligence.|
 |`-ListAllDynamicSignatures`|Lists the loaded dynamic security intelligence.|
 |`-RemoveDynamicSignature [-SignatureSetID]`|Removes dynamic security intelligence.|
 |`-CheckExclusion -path <path>`|Checks whether a path is excluded.|
+|`-TDT [-on|-off|-default]`|Disable or Enable TDT feature or sets it to default. If no option is specified, it retrieves the current status.|
+|`-OSCA`|Prints OS Copy Acceleration feature status.|
+|`-DeviceControl -TestPolicyXml  <FilePath> [-Rules | -Groups]`|Validate xml policy groups and rules.|
+|`-TrustCheck -File <FilePath>`|Checks trust status of a file.|
 |`-ValidateMapsConnection`|Verifies that your network can communicate with the Microsoft Defender Antivirus cloud service. This command will only work on Windows 10, version 1703 or higher.|
+|`-ListCustomASR`|List the custom Azure Site Recovery rules present on this device.|
+|`-DisplayECSConnection`|Displays URLs that Defender Core service uses to establish connection to ECS.|
+|`-HeapSnapshotConfig <-Enable|-Disable> [-Pid <ProcessID>]`|Enable or Disable heap snapshot (tracing) configuration for process. Replace `<ProcessID>` with the actual process ID.|
 |`-ResetPlatform`| Reset platform binaries back to `%ProgramFiles%\Windows Defender`.|
 |`-RevertPlatform`| Revert platform binaries back to the previously installed version of the Defender platform.|
 
 > [!NOTE]
-> For the "Scan" command, the following are the default timeout values for Quick or Full scans where the scan will stop at that time by default.
-> - Portal initiated scans (Quick or Full) or Windows Security app (Quick or Full): No time limit
-> - Scheduled Full Scans or MpCmdRun -scan: 7 day limit
-> - Scheduled Quick Scans or MpCmdRun -scan: 1 day limit
+> For the `Scan` command, the following are the default time out values for Quick or Full scans where the scan will stop at that time by default.
+> - Scheduled Full Scans or MpCmdRun -scan: Seven day limit
+> - Scheduled Quick Scans or MpCmdRun -scan: One day limit
+
 
 ## Common errors in running commands via mpcmdrun.exe
 
 The following table lists common errors that can occur while using the MpCmdRun tool.
 
 |Error message|Possible reason|
 |---|---|
-|**ValidateMapsConnection failed (800106BA)** or **0x800106BA**|The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see [Reinstall/enable Microsoft Defender Antivirus on your endpoints](switch-to-mde-phase-2.md#step-1-reinstallenable-microsoft-defender-antivirus-on-your-endpoints).<p> Note that in Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called *Windows Defender Antivirus*.|
+|**ValidateMapsConnection failed (800106BA)** or **0x800106BA**|The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see [Reinstall/enable Microsoft Defender Antivirus on your endpoints](switch-to-mde-phase-2.md#step-1-reinstallenable-microsoft-defender-antivirus-on-your-endpoints).<p> In Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called *Windows Defender Antivirus*.|
 |**0x80070667**|You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
 |**MpCmdRun is not recognized as an internal or external command, operable program, or batch file.**|The tool must be run from either `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)|
 |**ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)**|The command was attempted using insufficient privileges. Use the command prompt (cmd.exe) as an administrator.|
@@ -98,7 +105,7 @@ The following table lists common errors that can occur while using the MpCmdRun
 - [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
 - [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
 - [Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)
-- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Reference articles for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
 - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
 - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
 - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

defender-endpoint/defender-endpoint-false-positives-negatives.md

@@ -37,6 +37,19 @@ search.appverid: met150
 
 In endpoint protection solutions, a false positive is an entity, such as a file or a process that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Defender for Endpoint](microsoft-defender-endpoint.md).
 
+ If you have Microsoft Defender XDR, review the "Alerts sources" as described in [Investigate alerts in Microsoft Defender XDR](/defender-xdr/investigate-alerts?tabs=settings).
+
+Continue here if the "Alert source" is "Microsoft Defender for Endpoint".
+
+The next step is to review the “detection source”:
+
+|Detection source| Information|
+| -------- | -------- |
+|EDR|The alert is related to Microsoft Defender for Endpoint – Endpoint Detection and Response <br/> • Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives) <br/> • Work-around: Add an EDR exclusion|
+|Antivirus|The alert relates to Microsoft Defender Antivirus in Active mode (Primary) where it will block.  If Microsoft Defender Antivirus is in Passive mode, EDR in block mode might just detect.<br/> • Solution: Submit the False Positive to [https://aka.ms/wdsi](https://aka.ms/wdsi) <br/> • Work-around: Add [Indicators - File hash - allow ](/defender-endpoint/defender-endpoint-false-positives-negatives)or an [AV exclusion](/defender-endpoint/defender-endpoint-false-positives-negatives)|
+| Custom TI| Custom indicators (Indicators - [file hash](/defender-endpoint/indicator-file) or [ip address or URL](/defender-endpoint/indicator-ip-domain) or [certificates](/defender-endpoint/indicator-certificates)) <br/> • Solution: How to[ manage indicators](/defender-endpoint/indicator-manage).   <br/><br/> Or if you see CustomEnterpriseBlock, it could be  <br/> <br/> 1) Automated Investigation and Response (AutoIR) –  <br/> • Solution: Submit the False Positive to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives) <br/> • Work-around: [Automation folder exclusions  ](/defender-endpoint/manage-automation-folder-exclusions)<br/> 2) Custom detection rules deriving from Advanced Hunting (AH) –  <br/> • Solution: [Manage existing custom detection rules  ](/defender-xdr/custom-detection-rules)<br/> 3) EDR in block mode –  <br/> • Solution: Submit the False Positive(s) to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/> • Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [AV exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/> 4) Live Response –  <br/> • Solution: Submit the False Positive(s) to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/> • Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [AV exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/> 5) PUA protection –  <br/> • Solution: Submit the False Positive(s) to [https://aka.ms/wdsi](/defender-endpoint/defender-endpoint-false-positives-negatives)<br/> • Work-around: [Indicators – File hash – allow](/defender-endpoint/defender-endpoint-false-positives-negatives) or [AV exclusions](/defender-endpoint/defender-endpoint-false-positives-negatives)|
+| Smartscreen|[ Smartscreen](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx) [report unsafe site](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or it could be related to a [Network Protection detection](https://www.microsoft.com/wdsi/support/report-exploit-guard)|
+
 :::image type="content" source="media/false-positives-overview.png" alt-text="The definition of false positive and negatives in the Microsoft Defender portal" lightbox="media/false-positives-overview.png":::
 
 Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives occurring with Defender for Endpoint, your security operations can take steps to address them by using the following process:

defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md

@@ -131,7 +131,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
 
 ### Use Group Policy to configure PUA protection
 
-1. Download and install [Administrative Templates (.admx) for Windows 11 October 2021 Update (21H2)](https://www.microsoft.com/download/details.aspx?id=103507)
+1. Download and install [the latest Administrative templates for Windows 11](https://www.bing.com/search?q=administrative+template+download+windows+11&FORM=R5FD)
 
 2. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
 

defender-endpoint/manage-alerts.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 12/18/2020
+ms.date: 01/15/2025
 ---
 
 # Manage Microsoft Defender for Endpoint alerts
@@ -38,6 +38,7 @@ Selecting an alert in either of those places brings up the **Alert management pa
 :::image type="content" source="media/atp-alerts-selected.png" alt-text="The Alert management pane and the Alerts queue" lightbox="media/atp-alerts-selected.png":::
 
 Watch this video to learn how to use the new Microsoft Defender for Endpoint alert page.
+
 > [!VIDEO https://learn-video.azurefd.net/vod/player?id=8a9c08a6-558c-47a8-a336-d748acbdaa80]
 
 ## Link to another incident
@@ -99,6 +100,9 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
 
 6. Click **Save**.
 
+> [!NOTE]
+> Alert suppression is not compatible for custom detections. Make sure to fine-tune your custom detections to avoid [false positives](/defender-endpoint/defender-endpoint-false-positives-negatives).
+
 #### View the list of suppression rules
 
 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Alert suppression**.

defender-endpoint/network-protection.md

@@ -3,7 +3,7 @@ title: Use network protection to help prevent connections to malicious or suspic
 description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 12/18/2024
+ms.date: 01/16/2025
 audience: ITPro
 author: denisebmsft
 ms.author: deniseb
@@ -56,7 +56,7 @@ The following table summarizes network protection areas of coverage.
 > On Mac and Linux, you must have network protection in block mode for these features to be supported in the Microsoft Edge browser.
 > On Windows, network protection doesn't monitor Microsoft Edge. For processes other than Microsoft Edge and Internet Explorer, web protection scenarios leverage network protection for inspection and enforcement.
 
-Here are a few important points to keep in mind:
+### Known issues & limitations
 
 - IP is supported for all three protocols (`TCP`, `HTTP`, and `HTTPS` (TLS)).
 - Only single IP addresses are supported (no CIDR blocks or IP ranges) in custom indicators.

defender-endpoint/respond-machine-alerts.md

@@ -320,7 +320,7 @@ You'll be able to stop containing a device at any time.
 
 ## Contain user from the network
 
-When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can contain an identity, blocking it from access, and helping prevent attacks-- specifically, ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP), terminate ongoing remote sessions and logoff existing RDP connections (termination the session itself including all its related processes), while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity.
+When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can contain an identity, blocking it from access, and helping prevent attacks-- specifically, ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP), terminate ongoing remote sessions and logoff existing RDP connections (terminating the session itself including all its related processes), while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity.
 
 > [!NOTE]
 > Blocking incoming communication with a "contained" user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Servers 2012R2 and 2016 with the modern agent.