Merge pull request #1031 from MicrosoftDocs/chrisda

Unified RBAC to [Microsoft] Defender XDR Unified RBAC

Author: chrisda

defender-endpoint/admin-submissions-mde.md

@@ -10,7 +10,7 @@ manager: deniseb
 ms.localizationpriority: medium
 audience: ITPro
 ms.topic: how-to
-ms.collection: 
+ms.collection:
 - m365-security
 - tier3
 ms.custom: FPFN
@@ -35,13 +35,15 @@ The new unified submissions experience is available only in subscriptions that i
 You need to assign permissions before you can perform the procedures in this article. Use one of the following options:
 
 **Microsoft Defender for Endpoint** permissions:
- - Submit files / file hashes: _"Alerts investigation" or "Manage security settings in Security Center"_
- - View submissions: "_View Data - Security operations"_
-                  
-**Microsoft Defender XDR** unified RBAC permissions:
- - Submit files / file hashes: *"Alerts (Manage)" or "Core security settings (manage)"*
- - View submissions: _"Security data basics (read)"_
-                        
+
+- Submit files / file hashes: _"Alerts investigation" or "Manage security settings in Security Center"_
+- View submissions: "_View Data - Security operations"_
+
+**Microsoft Defender XDR Unified RBAC** permissions:
+
+- Submit files / file hashes: _"Alerts (Manage)" or "Core security settings (manage)"_
+- View submissions: _"Security data basics (read)"_
+
 For more information about how you can submit spam, phish, URLs, and email attachments to Microsoft, see [Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](/defender-office-365/submissions-admin).
 
 ## Submit a file or file hash to Microsoft from the Defender portal
@@ -54,7 +56,7 @@ For more information about how you can submit spam, phish, URLs, and email attac
 
    :::image type="content" source="/defender/media/unified-admin-submission-new.png" alt-text="Screenshot showing how to add a new submission.":::
 
-2. In the **Submit items to Microsoft for review** flyout that opens, select **Files** or **File hash** from the **Select the submission type** dropdown list.
+4. In the **Submit items to Microsoft for review** flyout that opens, select **Files** or **File hash** from the **Select the submission type** dropdown list.
 
    - If you selected **Files**, configure the following options:
      - Select **Browse files**. In the dialog that opens, find and select the file, and then select **Open**. Repeat this step as many times as necessary. To remove an entry from the flyout, select :::image type="icon" source="/defender/media/m365-cc-sc-close-icon.png" border="false"::: next to the entry.

defender-for-iot/prerequisites.md

@@ -21,7 +21,7 @@ To see how Defender for IoT can help and protect your network sign up to a free,
 
 Before you start, you need:
 
-- A Microsoft tenant, with Global or Billing admin access to the tenent.
+- A Microsoft tenant, with Global or Billing admin access to the tenant.
 
     For more information, see [Buy or remove licenses for a Microsoft business subscription](/microsoft-365/commerce/licenses/buy-licenses) and [About admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles).
 
@@ -73,4 +73,4 @@ This table shows the full roles and permissions needed for all MDE features used
 
 To assign roles and permissions for other Microsoft Defender for Endpoint features, such as alerts, incidents and inventory, see [assign roles and permissions for Defender for Endpoint](/defender-endpoint/prepare-deployment).
 
-For more information, see [map unified RBAC permissions](/defender-xdr/compare-rbac-roles#microsoft-entra-global-roles-access).
+For more information, see [Map Microsoft Defender XDR Unified RBAC permissions: Microsoft Entra Global roles access](/defender-xdr/compare-rbac-roles#microsoft-entra-global-roles-access).

defender-xdr/TOC.yml

@@ -7,13 +7,13 @@ author: siosulli
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: 
+ms.collection:
 - m365-security
 - tier3
-ms.custom: 
+ms.custom:
 ms.topic: reference
 ms.date: 06/27/2024
-ms.reviewer: 
+ms.reviewer:
 search.appverid: met150
 ---
 
@@ -114,15 +114,15 @@ You configured protection-related Exchange Online permissions in the Exchange ad
 
 ### Map Microsoft Defender for Identity permissions to the Microsoft Defender XDR Unified RBAC permissions
 
-|Defender for Identity permission|Unified RBAC permission|
+|Defender for Identity permission|Defender XDR Unified RBAC permission|
 |---|-----|
 |MDI admin|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage)</br>Authorization and settings \ Authorization (Read and manage) </br>Authorization and settings \ Security setting (All permissions) </br>Authorization and settings \ System settings (Read and manage)|
 |MDI user|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage)</br>Authorization and settings \ Security setting (All permissions) </br>Authorization and settings \ System setting (read)|
 |MDI viewer|Security operations \ Security data \ Security data basics (read)</br>Authorization and settings \ Security settings \ Core security settings (read) </br>Authorization and settings \ System setting (read)|
 
 > [!NOTE]
-> Defender for Identity experiences will also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).  
-> Exception: If you have configured [Scoped deployment](/defender-cloud-apps/scoped-deployment) for Microsoft Defender for Identity alerts in the Microsoft Defender for Cloud Apps portal, these permissions do not carry over. You need to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users. 
+> Defender for Identity experiences will also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).
+> Exception: If you have configured [Scoped deployment](/defender-cloud-apps/scoped-deployment) for Microsoft Defender for Identity alerts in the Microsoft Defender for Cloud Apps portal, these permissions do not carry over. You need to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users.
 
 <a name='azure-active-directory-global-roles-access'></a>
 

defender-xdr/compare-rbac-roles.md

@@ -82,7 +82,7 @@ The CSV also includes a snapshot of the Unified RBAC activation status for each
 The following steps guide you on how to export roles in Microsoft Defender XDR Unified RBAC:
 
 > [!NOTE]
-> To export roles, you must be a Global Administrator or Security Administrator in Microsoft Entra ID, or have the **Authorization (manage)** permission assigned for all data sources in Microsoft Defender XDR Unified RBAC and have at least one workload activated for Unified RBAC.
+> To export roles, you must be a Global Administrator or Security Administrator in Microsoft Entra ID, or have the **Authorization (manage)** permission assigned for all data sources in Microsoft Defender XDR Unified RBAC and have at least one workload activated for Defender XDR Unified RBAC.
 >
 >For more information on permissions, see [Permission pre-requisites](manage-rbac.md#permissions-prerequisites).
 

defender-xdr/edit-delete-rbac-roles.md

@@ -42,7 +42,7 @@ Select **Ask Defender Experts** directly inside the Microsoft 365 security porta
 
 You need to select one of the following permissions before submitting inquires to our Defender experts. For more details about role-based access control (RBAC) permissions, see: [Microsoft Defender for Endpoint and Microsoft Defender XDR RBAC permissions](compare-rbac-roles.md#map-defender-for-endpoint-and-defender-vulnerability-management-permissions-to-the-microsoft-defender-xdr-rbac-permissions).
 
-|**Product name**|**Product RBAC permission**|
+|Product name|Product RBAC permission|
 |---|---|---|
 | Microsoft Defender for Endpoint RBAC | Manage security settings in the Security Center|
 | Microsoft Defender XDR Unified RBAC | Authorization and settings \ Security settings \ Core security settings (manage)</br>Authorization and settings \ Security settings \ Detection tuning (manage) |
@@ -51,44 +51,44 @@ You need to select one of the following permissions before submitting inquires t
 
 The option to **Ask Defender Experts** is available in several places throughout the portal:
 
-- **Device page actions menu**
+- **Device page actions menu**:
 
-:::image type="content" source="/defender/media/mte/defenderexperts/device-page-actions-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Device page action menu in the Microsoft Defender portal." lightbox="/defender/media/mte/defenderexperts/device-page-actions-menu.png":::
+  :::image type="content" source="/defender/media/mte/defenderexperts/device-page-actions-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Device page action menu in the Microsoft Defender portal." lightbox="/defender/media/mte/defenderexperts/device-page-actions-menu.png":::
 
-- **Device inventory page flyout menu**
+- **Device inventory page flyout menu**:
 
-:::image type="content" source="/defender/media/mte/defenderexperts/device-inventory-flyout-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Device inventory page flyout menu in the Microsoft Defender portal.." lightbox="/defender/media/mte/defenderexperts/device-inventory-flyout-menu.png":::
+  :::image type="content" source="/defender/media/mte/defenderexperts/device-inventory-flyout-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Device inventory page flyout menu in the Microsoft Defender portal.." lightbox="/defender/media/mte/defenderexperts/device-inventory-flyout-menu.png":::
 
-- **Alerts page flyout menu**
+- **Alerts page flyout menu**:
 
-:::image type="content" source="/defender/media/mte/defenderexperts/alerts-flyout-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Alerts page flyout menu in the Microsoft Defender portal.." lightbox="/defender/media/mte/defenderexperts/alerts-flyout-menu.png":::
+  :::image type="content" source="/defender/media/mte/defenderexperts/alerts-flyout-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Alerts page flyout menu in the Microsoft Defender portal.." lightbox="/defender/media/mte/defenderexperts/alerts-flyout-menu.png":::
 
-- **Incidents page actions menu**
+- **Incidents page actions menu**:
 
-:::image type="content" source="/defender/media/mte/defenderexperts/incidents-page-actions-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Incidents page actions menu in the Microsoft Defender portal.." lightbox="/defender/media/mte/defenderexperts/incidents-page-actions-menu.png":::
+  :::image type="content" source="/defender/media/mte/defenderexperts/incidents-page-actions-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Incidents page actions menu in the Microsoft Defender portal.." lightbox="/defender/media/mte/defenderexperts/incidents-page-actions-menu.png":::
 
 ### Sample questions you can ask from Defender Experts
 
-**Alert information**
+#### Alert information
 
 - We saw a new type of alert for a living-off-the-land binary. We can provide the alert ID. Can you tell us more about this alert and if it's related to any incident and how we can investigate it further?
 - We've observed two similar attacks, which both try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by Office 365." What is the difference?
 - We received an odd alert today about an abnormal number of failed logins from a high profile user's device. We can't find any further evidence for these attempts. How can Microsoft Defender XDR see these attempts? What type of logins are being monitored?
 - Can you give more context or insight about the alert and any related incidents, "Suspicious behavior by a system utility was observed"?
 - I observed an alert titled "Creation of forwarding/redirect rule". I believe the activity is benign. Can you tell me why I received an alert?
 
-**Possible device compromise**
+#### Possible device compromise
 
 - Can you help explain why we see a message or alert for "Unknown process observed" on many devices in our organization? We appreciate any input to clarify whether this message or alert is related to malicious activity or incidents.
 - Can you help validate a possible compromise on the following system, dating from last week? It's behaving similarly as a previous malware detection on the same system six months ago.
 
-**Threat intelligence details**
+#### Threat intelligence details
 
 - We detected a phishing email that delivered a malicious Word document to a user. The document caused a series of suspicious events, which triggered multiple alerts for a particular malware family. Do you have any information on this malware? If yes, can you send us a link?
 - We recently saw a blog post about a threat that is targeting our industry. Can you help us understand what protection Microsoft Defender XDR provides against this threat actor?
 - We recently observed a phishing campaign conducted against our organization. Can you tell us if this was targeted specifically to our company or vertical?
 
-**Microsoft Defender Experts for Hunting alert communications**
+#### Microsoft Defender Experts for Hunting alert communications
 
 - Can your incident response team help us address the Defender Experts Notification that we got?
 - We received this Defender Experts Notification from Microsoft Defender Experts for Hunting. We don't have our own incident response team. What can we do now, and how can we contain the incident?
@@ -97,4 +97,4 @@ The option to **Ask Defender Experts** is available in several places throughout
 ### Next step
 
 - [Understand the Defender Experts for Hunting report in Microsoft Defender XDR](defender-experts-report.md)
-[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/experts-on-demand.md

@@ -66,15 +66,15 @@ The following steps guide you on how to import roles into Microsoft Defender XDR
    > [!NOTE]
    > If the role you want to import appears in the **Roles not eligible for import** list, it contains assignments for users or user groups that no longer exist in Entra ID.
    >
-   > To import this role to Unified RBAC, remove the user or user group from the role in the original RBAC model. Select the role to view the list of users that still exist for that role to determine which user or group to remove.
+   > To import this role to Microsoft Defender XDR Unified RBAC, remove the user or user group from the role in the original RBAC model. Select the role to view the list of users that still exist for that role to determine which user or group to remove.
 
 8. Select **Submit**.
 
 9. Select **Done** on the confirmation page.
 
 Now that you have imported your roles you will be able to [View and edit roles](edit-delete-rbac-roles.md) and activate the workloads.
 
-For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new or imported roles, you'll need to activate the new Microsoft Defender XDR Unified RBAC model. For more information, see [Activate the workloads](activate-defender-rbac.md).
+For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new or imported roles, you'll need to activate the new Defender XDR Unified RBAC model. For more information, see [Activate the workloads](activate-defender-rbac.md).
 
 Imported roles appear in the **Permissions and roles** list together with any custom roles you might have created. All imported roles will be marked as **Imported** in the description. Once you edit an imported role it will no longer be marked as **Imported**.
 

defender-xdr/import-rbac-roles.md

@@ -44,7 +44,7 @@ To ensure access to Defender for Cloud alerts in the Microsoft Defender portal,
 > [!NOTE]
 > The permission to view Defender for Cloud alerts and correlations is automatic for the entire tenant. Viewing for specific subscriptions is not supported. You can use the **alert subscription ID** filter to view Defender for Cloud alerts associated with a specific Defender for Cloud subscription in the alert and incident queues. Learn more about [filters](incident-queue.md#filters-).
 
-The integration is available only by applying the appropriate [unified role-based access control (RBAC)](manage-rbac.md) for Defender for Cloud. To view Defender for Cloud alerts and correlations without unified RBAC, you must be a Global Administrator or Security Administrator in Azure Active Directory.
+The integration is available only by applying the appropriate [Microsoft Defender XDR Unified role-based access control (RBAC)](manage-rbac.md) role for Defender for Cloud. To view Defender for Cloud alerts and correlations without Defender XDR Unified RBAC, you must be a Global Administrator or Security Administrator in Azure Active Directory.
 
 > [!IMPORTANT]
 > Global Administrator is a highly privileged role that should be limited to scenarios when you can't use an existing role. Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization.

defender-xdr/microsoft-365-security-center-defender-cloud.md

@@ -117,7 +117,7 @@ If you turn on security defaults, you are awarded full points for the following
 
 ### Manage permissions with Microsoft Defender XDR Unified role-based access control(RBAC)
 
-With [Microsoft Defender XDR Unified role-based access control(RBAC)](manage-rbac.md), you can create custom roles with specific permissions for Secure Score. Unified RBAC allows you to control which users have access to Secure Score data, the products for which they see Secure Score data (for example, Microsoft Defender for Endpoint) and their permission level to the data.
+With [Microsoft Defender XDR Unified role-based access control(RBAC)](manage-rbac.md), you can create custom roles with specific permissions for Secure Score. Defender XDR Unified RBAC allows you to control which users have access to Secure Score data, the products for which they see Secure Score data (for example, Microsoft Defender for Endpoint) and their permission level to the data.
 
 You can also manage user permissions to access Secure Score data from additional data sources, such as the other products supported by Secure Score, for more information, see [Products included in Secure Score](#products-included-in-secure-score). You can view the Secure Score data from the other data sources either alone or alongside the other data sources.