Merge branch 'main' into 40fe248f-c177-4378-8b62-7dc527c68ff5_31

Author: Ruchika-mittal01

CloudAppSecurityDocs/caac-known-issues.md

@@ -72,6 +72,7 @@ In the following applications, we encountered scenarios where browsing to a link
 - Workplace from Meta
 - ServiceNow
 - Workday
+- Box
 
 ### File upload limitations
 

CloudAppSecurityDocs/mde-govern.md

@@ -20,7 +20,7 @@ Apps marked as **Unsanctioned** in Defender for Cloud Apps are automatically syn
 
 - One of the following licenses:
 
-  - Defender for Cloud Apps (E5, AAD-P1m CAS-D) and Microsoft Defender for Endpoint [Plan 2](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2), with endpoints onboarded to Defender for Endpoint
+  - Defender for Cloud Apps + Endpoint
   - Microsoft 365 E5
 
 - Microsoft Defender Antivirus. For more information, see:

defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 12/16/2024
+ms.date: 12/20/2024
 ---
 
 # Deploy Defender for Endpoint on Linux with Chef
@@ -27,58 +27,129 @@ ms.date: 12/16/2024
 - Microsoft Defender for Endpoint Server
 - [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint)
 
-Before you begin: Install unzip if it's not already installed.
+## Introduction
 
-The Chef components are already installed and a Chef repository exists (chef generate repo \<reponame\>) to store the cookbook that's used to deploy to Defender for Endpoint on Chef managed Linux servers.
+This article talks about how to deploy Defender for Endpoint on Linux at scale with Chef using two methods:
 
-You can create a new cookbook in your existing repository by running the following command from inside the cookbooks folder that is in your chef repository:
+1. Install using installer script
+2. Manually configuring the repositories for more granular control over the deployment
+
+## Prerequisites
+
+For a description of prerequisites and system requirements, see [Microsoft Defender for Endpoint on Linux](/defender-endpoint/microsoft-defender-endpoint-linux).
+
+## Download the onboarding package
+
+1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com/) then navigate to **Settings** > **Endpoints** > **Device management** > **Onboarding**.
+
+2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
+
+3. Select **Download onboarding package** and save the file as `WindowsDefenderATPOnboardingPackage.zip`.
+
+   ![The option to download the onboarded package.](/defender-endpoint/media/portal-onboarding-linux-2.png)
+   
+4. Extract the contents of the archive using the following command:
+
+   Command:
+   
+   ```
+   unzip WindowsDefenderATPOnboardingPackage.zip
+   ```
+   
+   The expected output is:
+   
+   ```
+   Archive:  WindowsDefenderATPOnboardingPackage.zip
+   inflating: mdatp_onboard.json
+   ```
+   
+## Create a directory structure
+
+Before you begin, ensure the Chef components are already installed and a Chef repository (chef generate repo &lt;reponame&gt;) exists to store the cookbook that's used to deploy to Defender for Endpoint on Chef-managed Linux servers.
+
+The following command creates a new folder structure for the new cookbook called **mdatp**. You can also use an existing cookbook if you already have one you'd like to use to add the Defender for Endpoint deployment into.
 
 ```bash
 chef generate cookbook mdatp
 ```
 
-This command creates a new folder structure for the new cookbook called mdatp. You can also use an existing cookbook if you already have one you'd like to use to add the Defender for Endpoint deployment into.
-After the cookbook is created, create a files folder inside the cookbook folder that just got created:
+After the cookbook is created, create a files folder inside the cookbook folder that you created:
 
 ```bash
 mkdir mdatp/files
 ```
 
-Transfer the Linux Server Onboarding zip file that can be downloaded from the Microsoft Defender portal to this new files folder.
-
-[!INCLUDE [Defender for Endpoint repackaging warning](../includes/repackaging-warning.md)]
+Copy `mdatp_onboard.json` to the `/tmp` folder.
 
-On the Chef Workstation, navigate to the mdatp/recipes folder. This folder is created when the cookbook was generated. Use your preferred text editor (like vi or nano) to add the following instructions to the end of the default.rb file:
+On the Chef Workstation, navigate to the **mdatp/recipes** folder, which is automatically created when the cookbook is generated. Use your preferred text editor (like vi or nano) to add the following instructions to the end of the **default.rb** file then save and close the file:
 
-- include_recipe '::onboard_mdatp'
 - include_recipe '::install_mdatp'
 
-Then save and close the default.rb file.
+## Create a cookbook 
+
+A cookbook can be created through any of the following methods:
+
+- [Using an installer script](linux-deploy-defender-for-endpoint-with-chef.md#create-a-cookbook-using-installer-script)
+- [Manually configuring repositories](linux-deploy-defender-for-endpoint-with-chef.md#create-a-cookbook-by-manually-configuring-repositories)
+
+### Create a cookbook using installer script
+
+1. Download the installer bash script. Pull the [installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh) from Microsoft GitHub Repository or use the following command to download it:
+
+   ```bash
+   wget https://raw.githubusercontent.com/microsoft/mdatp-xplat/refs/heads/master/linux/installation/mde_installer.sh /tmp
+   ```
+
+2. Create a new recipe file named **install_mdatp.rb** in the recipes folder `~/cookbooks/mdatp/recipes/install_mdatp.rb` and add the following text to the file. You can also download the file directly from [GitHub](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/third_party_installation_playbooks/chef.install_mdatp_simplified.rb).
+
+   ```bash
+   mdatp = "/etc/opt/microsoft/mdatp"
+
+   #Download the onboarding json from tenant, keep the same at specific location
+   onboarding_json = "/tmp/mdatp_onboard.json"
+
+   #Download the installer script from: https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh
+   #Place the same at specific location, edit this if needed
+   mde_installer= "/tmp/mde_installer.sh"
+
+
+   ## Invoke the mde-installer script 
+   bash 'Installing mdatp using mde-installer' do
+       code <<-EOS
+       chmod +x #{mde_installer}
+       #{mde_installer} --install --onboard #{onboarding_json}
+       EOS
+   end
+   ```
+
+> [!NOTE]
+> The installer script also supports other parameters such as channel, realtime protection, version, etc. To select from the list of available options, check help through the following command:
+>```./mde_installer.sh --help```
 
-Next create a new recipe file named install_mdatp.rb in the recipes folder and add this text to the file:
+### Create a cookbook by manually configuring repositories
+
+Create a new recipe file named **install_mdatp.rb** in the recipes folder `~/cookbooks/mdatp/recipes/install_mdatp.rb` and add the following text to the file. You can also download the file directly from [Github](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/third_party_installation_playbooks/chef.install_mdatp_manual.rb).
 
 ```powershell
 #Add Microsoft Defender
-Repo
 case node['platform_family']
 when 'debian'
- apt_repository 'MDAPRepo' do
+ apt_repository 'MDATPRepo' do
    arch               'amd64'
    cache_rebuild      true
    cookbook           false
    deb_src            false
    key                'BC528686B50D79E339D3721CEB3E94ADBE1229CF'
    keyserver          "keyserver.ubuntu.com"
-   distribution       'focal'
+   distribution       'jammy'
    repo_name          'microsoft-prod'
    components         ['main']
-   trusted            true
-   uri                "https://packages.microsoft.com/config/ubuntu/20.04/prod"
+   uri                "https://packages.microsoft.com/ubuntu/22.04/prod"
  end
- apt_package "mdatp"
+apt_package "mdatp"
 when 'rhel'
  yum_repository 'microsoft-prod' do
-   baseurl            "https://packages.microsoft.com/config/rhel/7/prod/"
+   baseurl            "https://packages.microsoft.com/rhel/7/prod/"
    description        "Microsoft Defender for Endpoint"
    enabled            true
    gpgcheck           true
@@ -90,15 +161,10 @@ when 'rhel'
     dnf_package "mdatp"
  end
 end
-```
-
-You need to modify the version number, distribution, and repo name to match the version you're deploying to and the channel you'd like to deploy.
-Next you should create an onboard_mdatp.rb file in the mdatp/recipies folder. Add the following text to that file:
 
-```powershell
 #Create MDATP Directory
 mdatp = "/etc/opt/microsoft/mdatp"
-zip_path = "/path/to/chef-repo/cookbooks/mdatp/files/WindowsDefenderATPOnboardingPackage.zip"
+onboarding_json = "/tmp/mdatp_onboard.json"
 
 directory "#{mdatp}" do
   owner 'root'
@@ -107,37 +173,45 @@ directory "#{mdatp}" do
   recursive true
 end
 
-#Extract WindowsDefenderATPOnboardingPackage.zip into /etc/opt/microsoft/mdatp
-
-bash 'Extract Onboarding Json MDATP' do
-  code <<-EOS
-  unzip #{zip_path} -d #{mdatp}
-  EOS
-  not_if { ::File.exist?('/etc/opt/microsoft/mdatp/mdatp_onboard.json') }
-end
-```
-
-Make sure to update the path name to the location of the onboarding file.
-To test deploy it on the Chef workstation, run ``sudo chef-client -z -o mdatp``.
-After your deployment, you should consider creating and deploying a configuration file to the servers based on [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md).
-After creating and testing your configuration file, you can put it into the `cookbook/mdatp/files` folder where you also placed the onboarding package. Then you can create a settings_mdatp.rb file in the mdatp/recipies folder and add this text:
-
-```powershell
-#Copy the configuration file
-cookbook_file '/etc/opt/microsoft/mdatp/managed/mdatp_managed.json' do
-  source 'mdatp_managed.json'
+#Onboarding using tenant json 
+file "#{mdatp}/mdatp_onboard.json" do
+  content lazy { ::File.open(onboarding_json).read }
   owner 'root'
   group 'root'
-  mode '0755'
-  action :create
+  mode '0644'
+  action :create_if_missing
 end
 ```
 
-To include this step as part of the recipe just add `include_recipe ':: settings_mdatp` to your default.rb file within the recipe folder.
+>[!NOTE]
+> You can modify the os distribution, distribution version number, channel (prod/insider-fast, insiders-slow) and repo name to match the version you're deploying to and the channel you'd like to deploy to. Run `chef-client --local-mode --runlist  'recipe[mdatp]'` to test the cookbook on the Chef workstation.
+
+## Troubleshoot installation issues
+
+To troubleshoot issues:
 
-You can also use crontab to schedule automatic updates [Schedule an update for Microsoft Defender for Endpoint on Linux](linux-update-MDE-Linux.md).
+1. For information on how to find the log that's generated automatically when an installation error occurs, see [Log installation issues](linux-resources.md#log-installation-issues).
 
-Uninstall MDATP cookbook:
+2. For information about common installation issues, see [Installation issues](/defender-endpoint/linux-support-install).
+
+3. If the health of the device is `false`, see [Defender for Endpoint agent health issues](/defender-endpoint/health-status).
+
+4. For product performance issues, see [Troubleshoot performance issues](/defender-endpoint/linux-support-perf).
+
+5. For proxy and connectivity issues, see [Troubleshoot cloud connectivity issues](/defender-endpoint/linux-support-connectivity).
+
+To get support from Microsoft, open a support ticket, and provide the log files created by using the [client analyzer](/defender-endpoint/run-analyzer-macos-linux).
+
+## How to configure policies for Microsoft Defender on Linux
+
+You can configure antivirus or EDR settings on your endpoints using any of the following methods:
+
+- See [Set preferences for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-preferences).
+- See [security settings management](/mem/intune/protect/mde-security-integration) to configure settings in the Microsoft Defender portal.
+
+## Uninstall MDATP cookbook
+
+To uninstall Defender, save the following as a cookbook `~/cookbooks/mdatp/recipes/uninstall_mdatp.rb`.
 
 ```powershell
 #Uninstall the Defender package
@@ -159,4 +233,7 @@ then
  end
 end
 ```
+
+To include this step as part of the recipe, add `include_recipe ':: uninstall_mdatp` to your `default.rb` file within the recipe folder. Ensure that you have removed the `include_recipe '::install_mdatp'` from the `default.rb` file.
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/network-protection.md

@@ -3,7 +3,7 @@ title: Use network protection to help prevent connections to malicious or suspic
 description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 12/13/2024
+ms.date: 12/18/2024
 audience: ITPro
 author: denisebmsft
 ms.author: deniseb
@@ -63,8 +63,11 @@ Here are a few important points to keep in mind:
 - Encrypted URLs (full path) are only blocked on Microsoft browsers (Internet Explorer, Microsoft Edge).
 - Encrypted URLs (FQDN only) are blocked in non-Microsoft browsers.
 - URLs loaded via HTTP connection coalescing, such as content loaded by modern CDNs, are only blocked on Microsoft browsers (Internet Explorer, Microsoft Edge), unless the CDN URL itself is added to the indicator list.
+
+- Network Protection will block connections on both standard and non-standard ports.
+
 - Full URL path blocks are applied for unencrypted URLs.
- 
+
 There might be up to two hours of latency (usually less) between the time when the action is taken and the URL/IP is blocked.
 
 Watch this video to learn how network protection helps reduce the attack surface of your devices from phishing scams, exploits, and other malicious content:

defender-endpoint/web-protection-overview.md

@@ -7,7 +7,7 @@ ms.author: deniseb
 author: denisebmsft
 ms.reviewer: tdoucette
 ms.localizationpriority: medium
-ms.date: 10/23/2024
+ms.date: 12/18/2024
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -53,6 +53,8 @@ Web threat protection includes:
 > - Only single IP addresses are supported (no CIDR blocks or IP ranges) in custom indicators.
 > - Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge).
 > - Encrypted URLs (FQDN only) can be blocked in third party browsers (i.e. other than Internet Explorer, Edge).
+> - URLs loaded via HTTP connection coalescing, such as content loaded by modern CDNs, are only blocked on Microsoft browsers (Internet Explorer, Microsoft Edge), unless the CDN URL itself is added to the indicator list.
+> - Network Protection will block connections on both standard and non-standard ports.
 > - Full URL path blocks can be applied for unencrypted URLs.
 
 There might be up to two hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. For more information, see [Web threat protection](web-threat-protection.md).

defender-office-365/defender-for-office-365-whats-new.md

@@ -8,7 +8,7 @@ ms.author: chrisda
 author: chrisda
 manager: deniseb
 ms.localizationpriority: medium
-ms.date: 10/09/2024
+ms.date: 12/17/2024
 audience: ITPro
 ms.collection:
   - m365-security
@@ -39,6 +39,14 @@ For more information on what's new with other Microsoft Defender security produc
 - [What's new in Microsoft Defender for Identity](/defender-for-identity/whats-new)
 - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
 
+## December 2024
+
+ - [Considerations for integrating non-Microsoft security services with Microsoft 365](mdo-integrate-security-service.md): Considerations and recommendations for deploying a defense-in-depth email security strategy using third-party security services.
+
+## November 2024
+
+ - **Introducing LLM-based BEC detection and classification**: Microsoft Defender for Office 365 now detects BEC attacks using large language model (LLM)-based filters to analyze an email's language and infer intent. To learn more, see our blog post [Microsoft Ignite: Redefining email security with LLMs to tackle a new era of social engineering](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/microsoft-ignite-redefining-email-security-with-llms-to-tackle-a-new-era-of-soci/4302421). 
+
 ## October 2024
 
 - **Tenant Allow/Block List in Microsoft 365 now supports IPv6 address**: The [Tenant Allow/Block List](tenant-allow-block-list-about.md) now supports [allowing and blocking IPv6 addresses] (tenant-allow-block-list-ip-addresses-configure.md). It's available in Microsoft 365 Worldwide, GCC, GCC High, DoD, and Office 365 operated by 21Vianet environments.

defender-office-365/mdo-integrate-security-service.md

@@ -45,6 +45,8 @@ While Microsoft provides a comprehensive platform for email security, we underst
 
 This configuration is covered in detail in [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) and is fully supported by Microsoft. Email security vendors that support [Authenticated Received Chain (ARC)](email-authentication-arc-configure.md) work best, but there are limitations. For example, avoid using [Safe Links](safe-links-about.md) to check and wrap links with a non-Microsoft service that also rewrites links. Double link wrapping can prevent Safe Links from validating link status, detonating links for threats, and potentially triggering one-time use links. We recommend disabling the link wrapping feature in the non-Microsoft service.
 
+For additional background on this configuration, see [Manage mail flow using a third-party cloud service with Exchange Online](/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud).
+
 ## Integration via the Microsoft Graph API
 
 Some non-Microsoft services authenticate and use the Microsoft Graph API to scan messages after they're delivered to user mailboxes. This configuration also allows the non-Microsoft service to remove messages that they believe to be malicious or unwanted. Typically, this configuration requires full access to mailboxes by the non-Microsoft service. Be sure to understand the security and support practices of the non-Microsoft service before granting this permission.