Merge branch 'main' into deniseb-281044

Author: denisebmsft

defender-endpoint/android-configure-mam.md

@@ -14,7 +14,7 @@ ms.collection:
 - mde-android
 ms.topic: conceptual
 ms.subservice: android
-ms.date: 07/25/2024
+ms.date: 08/08/2024
 ---
 
 # Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM)
@@ -124,14 +124,14 @@ End users also need to take steps to install Microsoft Defender for Endpoint on
 
 1. Sign in to a managed application, for example, Outlook. The device is registered and the application protection policy is synchronized to the device. The application protection policy recognizes the device's health state.
 
-2. Select **Continue**. A screen is presented which recommends downloading and setting up of Microsoft Defender for Endpoint on Android app.
+2. Select **Continue**. A screen is presented which recommends downloading and setting up of the Microsoft Defender: Antivirus (Mobile) app.
 
 3. Select **Download**. You'll be redirected to the app store (Google play).
 
-4. Install the Microsoft Defender for Endpoint (Mobile) app and launch back Managed app onboarding screen.
-
-   :::image type="content" source="media/download-mde.png" alt-text="The illustrative pages that contain the procedure of downloading MDE and launching back the app-onboarding screen." lightbox="media/download-mde.png":::
+4. Install the Microsoft Defender: Antivirus (Mobile) app and go back to the managed app onboarding screen.
 
+    :::image type="content" source="media/mam-flow.png" alt-text="Shows the procedure of downloading Microsoft Defender: Antivirus (Mobile) app." lightbox="media/mam-flow.png":::
+   
 5. Click **Continue > Launch**. The Microsoft Defender for Endpoint app onboarding/activation flow is initiated. Follow the steps to complete onboarding. You'll automatically be redirected back to Managed app onboarding screen, which now indicates that the device is healthy.
 
 6. Select **Continue** to log into the managed application.

defender-endpoint/api/get-all-recommendations.md

@@ -100,34 +100,36 @@ Here is an example of the response.
     "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations",
     "value": [
         {
-            "id": "va-_-microsoft-_-windows_10" "va-_-microsoft-_-windows_11",
-            "productName": "windows_10" "Windows_11",
-            "recommendationName": "Update Windows 10" "Update Windows 11",
-            "weaknesses": 397,
+            "id": "va-_-microsoft-_-edge_chromium-based",
+            "productName": "edge_chromium-based",
+            "recommendationName": "Update Microsoft Edge Chromium-based to version 127.0.2651.74",
+            "weaknesses": 762,
             "vendor": "microsoft",
-            "recommendedVersion": "",
+            "recommendedVersion": "127.0.2651.74",
+            "recommendedVendor": "",
+            "recommendedProgram": "",
             "recommendationCategory": "Application",
             "subCategory": "",
             "severityScore": 0,
             "publicExploit": true,
             "activeAlert": false,
             "associatedThreats": [
-                "3098b8ef-23b1-46b3-aed4-499e1928f9ed",
-                "40c189d5-0330-4654-a816-e48c2b7f9c4b",
-                "4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
-                "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
-                "94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
+                "71d9120e-7eea-4058-889a-1a60bbf7e312"
             ],
             "remediationType": "Update",
             "status": "Active",
             "configScoreImpact": 0,
-            "exposureImpact": 7.674418604651163,
-            "totalMachineCount": 37,
-            "exposedMachinesCount": 7,
+            "exposureImpact": 1.1744086343876479,
+            "totalMachineCount": 261,
+            "exposedMachinesCount": 193,
             "nonProductivityImpactedAssets": 0,
-            "relatedComponent": "Windows 10" "Windows 11"
+            "relatedComponent": "Edge Chromium-based",
+            "hasUnpatchableCve": false,
+            "tags": [
+            "internetFacing"
+            ],
+            "exposedCriticalDevices": 116
         }
-        ...
      ]
 }
 ```

defender-endpoint/api/get-all-vulnerabilities.md

@@ -94,21 +94,24 @@ Here is an example of the response.
     "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities",
     "value": [
         {
-            "id": "CVE-2019-0608",
-            "name": "CVE-2019-0608",
-            "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
-            "severity": "Medium",
-            "cvssV3": 4.3,
+            "id": "CVE-2024-7256",
+            "name": "CVE-2024-7256",
+            "description": "Summary: Google Chrome is vulnerable to a security bypass due to insufficient data validation in Dawn. An attacker can exploit this vulnerability by tricking a user into visiting a malicious website, allowing them to bypass security restrictions. Impact: If successfully exploited, this vulnerability could allow a remote attacker to bypass security restrictions in Google Chrome. Remediation: Apply the latest patches and updates provided by the respective vendors. Generated by AI",
+            "severity": "High",
+            "cvssV3": 8,
             "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
-            "exposedMachines": 4,
-            "publishedOn": "2019-10-08T00:00:00Z",
-            "updatedOn": "2019-12-16T16:20:00Z",
+            "exposedMachines": 23,
+            "publishedOn": "2024-07-30T00:00:00Z",
+            "updatedOn": "2024-07-31T00:00:00Z",
+            "firstDetected": "2024-07-31T01:55:47Z",
             "publicExploit": false,
             "exploitVerified": false,
             "exploitInKit": false,
             "exploitTypes": [],
             "exploitUris": [],
-            "CveSupportability": "supported"  
+            "cveSupportability": "Supported",
+            "tags": [],
+            "epss": 0.632
         }
     ]
 

defender-endpoint/api/get-recommendation-by-id.md

@@ -102,7 +102,11 @@ Here's an example of the response.
     "totalMachineCount": 6,
     "exposedMachinesCount": 5,
     "nonProductivityImpactedAssets": 0,
-    "relatedComponent": "Chrome"
+    "relatedComponent": "Chrome",
+    "tags": [
+    "internetFacing"
+    ],
+    "exposedCriticalDevices": 116
 }
 ```
 

defender-endpoint/api/recommendation.md

@@ -80,5 +80,7 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://si
 |exposedMachinesCount|Long|Number of installed devices that are exposed to vulnerabilities|
 |nonProductivityImpactedAssets|Long|Number of devices that aren't affected|
 |relatedComponent|String|Related software component|
-|
+|exposedCriticalDevices|Numeric|The sum of critical devices in all levels of criticality except “not critical" for a particular recommendation|
+
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]

defender-endpoint/api/vulnerability.md

@@ -64,5 +64,7 @@ exploitInKit|Boolean|Exploit is part of an exploit kit
 exploitTypes|String collection|Exploit affect. Possible values are: **Local privilege escalation**, **Denial of service**, or **Local**
 exploitUris|String collection|Exploit source URLs
 CveSupportability| String collection| Possible values are: **Supported**, **Not Supported**, or **SupportedInPremium**
+EPSS|Numeric| Represents the probability that a vulnerability will be exploited. This probability is expressed as a number between 0 and 1 (0%-100%) according to the EPSS model.
+
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]

defender-endpoint/edr-detection.md

@@ -15,7 +15,7 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 08/06/2024
+ms.date: 08/15/2024
 ---
 
 # EDR detection test for verifying device's onboarding and reporting services
@@ -76,7 +76,6 @@ After a few minutes, a detection should be raised in Microsoft Defender XDR.
 
 3. Look at the alert details, machine timeline, and perform your typical investigation steps.
 
-<!---
 ### macOS
 
 1. In your browser, Microsoft Edge for Mac or Safari, download *MDATP MacOS DIY.zip* from [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy) and extract.
@@ -129,7 +128,6 @@ After a few minutes, a detection should be raised in Microsoft Defender XDR.
 
     Look at the alert details and the device timeline, and perform the regular investigation steps.
 
---->
 
 ## Next steps
 

defender-endpoint/endpoint-attack-notifications.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 09/23/2022
+ms.date: 08/15/2024
 ---
 
 # Endpoint Attack Notifications
@@ -31,7 +31,7 @@ ms.date: 09/23/2022
 > This covers threat hunting on your Microsoft Defender for Endpoint service. However, if you're interested to explore the service beyond your current license, and proactively hunt threats not just on endpoints but also across Office 365, cloud applications, and identity, refer to [Microsoft Defender Experts for Hunting](/defender-xdr/defender-experts-for-hunting).
 
 > [!NOTE]
-> Customers who signed up for Experts on Demand prior to sunset will have access to Ask Defender Experts until the expiration of their current contract.
+> The intake of new customers to the Endpoint Attack Notifications service is currently on pause. For customers interested in a managed service, sign up the [Defender Experts service request form](https://aka.ms/IWantDefenderExperts).
 
 Endpoint Attack Notifications (previously referred to as Microsoft Threat Experts - Targeted Attack Notification) provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyber-espionage. These notifications show up as a new alert. The managed hunting service includes:
 

defender-endpoint/internet-facing-devices.md

@@ -13,7 +13,7 @@ ms.collection:
 - tier2
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 07/10/2023
+ms.date: 07/31/2024
 ---
 
 # Internet-facing devices
@@ -64,6 +64,10 @@ You can use filters to focus in on internet-facing devices and investigate the r
 
    :::image type="content" source="/defender/media/defender-endpoint/internet-facing-filter.png" alt-text="Screenshot of the internet-facing filter" lightbox="/defender/media/defender-endpoint/internet-facing-filter.png":::
 
+The internet-facing device tag also appears in Microsoft Defender Vulnerability Management. This allows you to filter for internet-facing devices from the [weaknesses](/defender-vulnerability-management/tvm-weaknesses) and the [security recommendations](/defender-vulnerability-management/tvm-security-recommendation) pages in the Microsoft Defender portal. 
+
+   :::image type="content" source="/defender/media/defender-endpoint/internet-facing-weaknesses.png" alt-text="Screenshot of the internet-facing weaknesses" lightbox="/defender/media/defender-endpoint/internet-facing-weaknesses.png":::
+
 > [!NOTE]
 > If no new events for a device occur for 48 hours, the Internet-facing tag is removed and it will no longer be visible in the Microsoft Defender portal.
 

defender-endpoint/mac-preferences.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: how-to
 ms.subservice: macos
 search.appverid: met150
-ms.date: 05/29/2024
+ms.date: 08/15/2024
 ---
 
 # Set preferences for Microsoft Defender for Endpoint on macOS
@@ -681,7 +681,7 @@ The following configuration profile (or, in case of JAMF, a property list that c
         <key>PayloadOrganization</key>
         <string>Microsoft</string>
         <key>PayloadIdentifier</key>
-        <string>com.microsoft.wdav</string>
+        <string>
         <key>PayloadDisplayName</key>
         <string>Microsoft Defender for Endpoint settings</string>
         <key>PayloadDescription</key>
@@ -704,7 +704,7 @@ The following configuration profile (or, in case of JAMF, a property list that c
                 <key>PayloadOrganization</key>
                 <string>Microsoft</string>
                 <key>PayloadIdentifier</key>
-                <string>com.microsoft.wdav</string>
+                <string>
                 <key>PayloadDisplayName</key>
                 <string>Microsoft Defender for Endpoint configuration settings</string>
                 <key>PayloadDescription</key>