Merge branch 'poliveria-threat-analytics-07242024' of https://github.com/MicrosoftDocs/defender-docs-pr into poliveria-threat-analytics-07242024

Author: poliveria

defender-endpoint/edr-detection.md

@@ -15,7 +15,7 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 08/01/2024
+ms.date: 08/06/2024
 ---
 
 # EDR detection test for verifying device's onboarding and reporting services
@@ -33,7 +33,7 @@ ms.date: 08/01/2024
 - macOS
 - Microsoft Defender for Endpoint
 - Microsoft Defender for Endpoint on Linux
-- Microsoft Defender for Endpoint on macOS
+<!---- Microsoft Defender for Endpoint on macOS--->
 
 Endpoint detection and response for Endpoint provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
 
@@ -43,14 +43,13 @@ Run an EDR detection test to verify that the device is properly onboarded and re
 
 1. Open a Command Prompt window
 
-2. At the prompt, copy and run the command below. The Command Prompt window will close automatically.
+2. At the prompt, copy and run the following command. The Command Prompt window closes automatically.
 
+   ```powershell
+   powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
+   ```
 
-```powershell
-powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
-```
-
-3. If successful, the detection test will be marked as completed and a new alert will appear in few minutes.
+3. If successful, the detection test is marked as completed and a new alert appears within a few minutes.
 
 ### Linux
 
@@ -64,7 +63,7 @@ curl -o ~/Downloads/MDE Linux DIY.zip https://aka.ms/MDE-Linux-EDR-DIY
 1. Extract the zip 
 
 ```bash
-unzip ~/Downloads/MDE Linux DIY.zip
+unzip ~/Downloads/MDE-Linux-EDR-DIY.zip
 ```
 
 1. And run the following command: 
@@ -77,6 +76,7 @@ After a few minutes, a detection should be raised in Microsoft Defender XDR.
 
 3. Look at the alert details, machine timeline, and perform your typical investigation steps.
 
+<!---
 ### macOS
 
 1. In your browser, Microsoft Edge for Mac or Safari, download *MDATP MacOS DIY.zip* from [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy) and extract.
@@ -129,12 +129,16 @@ After a few minutes, a detection should be raised in Microsoft Defender XDR.
 
     Look at the alert details and the device timeline, and perform the regular investigation steps.
 
- Next steps that you can consider performing are to add AV exclusions as needed for application compatibility or performance:
+--->
+
+## Next steps
+
+If you're experiencing issues with application compatibility or performance, you might consider adding exclusions. See the following articles for more information:
 
 - [Configure and validate exclusions for Microsoft Defender for Endpoint on macOS](mac-exclusions.md)
 - [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
 - [Manage suppression rules](manage-suppression-rules.md)
 - [Create indicators of compromise (IoC)](manage-indicators.md)
 - [Create and manage custom detections rules](/defender-xdr/custom-detection-rules)
 
-Read through [Microsoft Defender for Endpoint Security Operations Guide](mde-sec-ops-guide.md).
+Also, see the [Microsoft Defender for Endpoint Security Operations Guide](mde-sec-ops-guide.md).

defender-endpoint/microsoft-defender-antivirus-updates.md

@@ -3,7 +3,7 @@ title: Microsoft Defender Antivirus security intelligence and product updates
 description: Manage how Microsoft Defender Antivirus receives protection and product updates.
 ms.service: defender-endpoint
 ms.localizationpriority: high
-ms.date: 07/25/2024
+ms.date: 08/07/2024
 audience: ITPro
 ms.topic: reference
 author: siosulli
@@ -98,6 +98,23 @@ All our updates contain:
 - Serviceability improvements
 - Integration improvements (Cloud, [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender))
 
+### July-2024 (Platform: 4.18.24070.5 | Engine: 1.1.24070.3)
+
+- Security intelligence update version: **1.417.14.0**
+- Release date: **August 7, 2024** (Engine and Platform)
+- Platform: **4.18.24070.5**
+- Engine: **1.1.24070.3**
+- Support phase: **Security and Critical Updates**
+
+### What's new
+
+- False positive detections are no longer reported as `ThreatNotFound` in the Microsoft Defender portal. 
+- Optimized Network Protection calls to the backend that occur as a result of suspicious connection checks.
+- Fixed the [PerformanceModeStatus](/windows/client-management/mdm/defender-csp#configurationperformancemodestatus) configuration key in Defender CSP so changing this value in the console takes effect on the endpoint. 
+- Resolved an issue where File Evidence Location was not always captured in scenarios where the Remote Location is inaccessible. 
+- New event log added (5016) to report Microsoft Defender Antivirus self-healed when a deadlock is detected during shutdown. 
+- Fixed a prioritization issue with full scans initiated from the portal that resulted in longer than expected full scan duration.
+
 ### June-2024 (Platform: 4.18.24060.7 | Engine: 1.1.24060.5)
 
 - Security intelligence update version: **1.415.1.0**

defender-endpoint/microsoft-defender-endpoint-mac.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: macos
 search.appverid: met150
-ms.date: 05/08/2024
+ms.date: 08/06/2024
 ---
 
 # Microsoft Defender for Endpoint on Mac
@@ -70,14 +70,17 @@ There are several methods and deployment tools that you can use to install and c
 ### System requirements
 
 The three most recent major releases of macOS are supported.
+
 - 14 (Sonoma), 13 (Ventura), 12 (Monterey)
+
   > [!IMPORTANT]
   > On macOS 11 (Big Sur) and above, Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [New configuration profiles for macOS Big Sur and newer versions of macOS](mac-sysext-policies.md).
 
-- Supported processors: x64 and ARM64.
+- Supported processors: x64 and ARM64
+
 - Disk space: 1GB
 
-Beta versions of macOS aren't supported.
+- Beta versions of macOS aren't supported.
 
 After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
 
@@ -119,6 +122,8 @@ If a proxy or firewall is blocking anonymous traffic, make sure that anonymous t
 >
 > SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint on macOS to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
 
+#### Test network connectivity
+
 To test that a connection isn't blocked, open <https://x.cp.wd.microsoft.com/api/report> and <https://cdn.x.cp.wd.microsoft.com/ping> in a browser.
 
 If you prefer the command line, you can also check the connection by running the following command in Terminal:

defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md

@@ -6,7 +6,7 @@ ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
 ms.reviewer: pahuijbr
-ms.date: 07/25/2024
+ms.date: 08/07/2024
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -29,6 +29,22 @@ Microsoft regularly releases [security intelligence updates and product updates
 
 ## Engine and platform updates
 
+### April-2024 (Engine: 1.1.24040.1 | Platform: 4.18.24040.4)
+
+- Security intelligence update version: **1.411.7.0**
+- Release date: **May 07, 2024** (Engine) / **May 16, 2024** (Platform)
+- Engine: **1.1.24040.1**
+- Platform: **4.18.24040.4**
+- Support phase: **Technical upgrade support (only)**
+
+#### What's new
+
+- Added an opt-out feature for Experimental Configuration Services (ECS) and One collector in the Core Service.
+- Fixed an issue where occasionally exclusions deployed via Intune were not being honored when tamper protection was enabled.
+- After a new engine version is released, support for older versions (N-2) will now reduce to technical support only. Engine versions older than N-2 are no longer supported.
+- Improved health monitoring and telemetry for [attack surface rules](overview-attack-surface-reduction.md) exclusions.
+- Updated inaccurate information in [Configure exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) regarding wildcard usage with contextual exclusions.
+
 ### March-2024 (Engine: 1.1.24030.4 | Platform: 4.18.24030.9)
 
 - Security intelligence update version: **1.409.1.0**

defender-endpoint/onboard-windows-multi-session-device.md

@@ -128,7 +128,15 @@ Also, if you're using FSlogix user profiles, we recommend you follow the guidanc
 
 #### Licensing requirements
 
-Note on licensing: When using Windows Enterprise multi-session, depending on your requirements, you can choose to either have all users licensed through Microsoft Defender for Endpoint (per user), Windows Enterprise E5, Microsoft 365 E5 Security, or Microsoft 365 E5, or have the VM licensed through Microsoft Defender for Cloud.
+When using Windows Enterprise multi-session, per our security best practices the virtual machine can be licensed through Microsoft Defender for Servers or you can choose to have all Azure Virtual Desktop virtual machine users licensed through one of the following licenses:
+
+- Microsoft Defender for Endpoint Plan 1 or Plan 2 (per user)
+- Windows Enterprise E3
+- Windows Enterprise E5
+- Microsoft 365 E3
+- Microsoft 365 E5 Security
+- Microsoft 365 E5
+
 Licensing requirements for Microsoft Defender for Endpoint can be found at: [Licensing requirements](minimum-requirements.md#licensing-requirements).
 
 #### Related Links

defender-office-365/quarantine-admin-manage-messages-files.md

@@ -18,7 +18,7 @@ ms.custom:
   - seo-marvel-apr2020
 description: Admins can learn how to view and manage quarantined messages for all users in Exchange Online Protection (EOP). Admins in organizations with Microsoft Defender for Office 365 can also manage quarantined files in SharePoint Online, OneDrive for Business, and Microsoft Teams.
 ms.service: defender-office-365
-ms.date: 05/21/2024
+ms.date: 08/07/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -88,6 +88,8 @@ Watch this short video to learn how to manage quarantined messages as an admin.
 
 In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Email** tab. Or, to go directly to the **Email** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Email>.
 
+By default, only the first 100 entries are shown until you scroll down to the bottom of the list, which loads more results.
+
 On the **Email** tab, you can decrease the vertical spacing in the list by clicking :::image type="icon" source="media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal** and then selecting :::image type="icon" source="media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
 
 You can sort the entries by clicking on an available column header. Select :::image type="icon" source="media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
@@ -206,7 +208,7 @@ In the details flyout that opens, the following information is available:
   - **Policy type**
   - **Policy name**
   - **Recipient count**
-  - **Recipients**: If the message contains multiple recipients, you might need to use [Preview message](#preview-email-from-quarantine) or [View message header](#view-email-message-headers) to see the complete list of recipients.
+  - **Recipients**: If the message contains many recipients, you can use [Preview message](#preview-email-from-quarantine) or [View message header](#view-email-message-headers) to see the complete list of recipients.
 
     Recipient email addresses always resolve to the primary email address, even if the message was sent to a [proxy address](/exchange/recipients-in-exchange-online/manage-user-mailboxes/add-or-remove-email-addresses).
 
@@ -489,14 +491,16 @@ In organizations with Microsoft Defender for Office 365 (add-on licenses or incl
 
 #### Take action on multiple quarantined email messages
 
-When you select multiple quarantined messages on the **Email** tab by selecting the check boxes next to the first column, the following bulk actions are available on the **Email** tab (depending on the **Release status** values of the messages that you selected):
+When you select up to 100 quarantined messages on the **Email** tab by selecting the check boxes next to the first column, the following bulk actions are available on the **Email** tab (depending on the **Release status** values of the messages that you selected):
 
 - [Release quarantined email](#release-quarantined-email)
 
   The only available options to select for bulk actions are **Send a copy of this message to other recipients in your organization** and **Send the message to Microsoft to improve detection (false positive)**.
 
 - [Approve or deny release requests from users for quarantined email](#approve-or-deny-release-requests-from-users-for-quarantined-email)
+
 - [Delete email from quarantine](#delete-email-from-quarantine)
+
 - [Report email to Microsoft for review from quarantine](#report-email-to-microsoft-for-review-from-quarantine)
 
   The only available options to select for bulk actions are **Allow emails with similar attributes** and the related **Remove allow entry after** and **Allow entry note** options.
@@ -520,7 +524,7 @@ Admins can search the audit log to find events for messages that were deleted fr
 
    - **Date and time range (UTC)**
    - **Activities - friendly names**: Click in the box, start typing "quarantine" in the :::image type="icon" source="media/m365-cc-sc-search-icon.png" border="false"::: **Search** box that appears, and then select **Deleted Quarantine message** from the results.
-   - **Users**: If know who deleted the message from quarantine, you can further filter the results by user.
+   - **Users**: If you know who deleted the message from quarantine, you can further filter the results by user.
 
 3. When you're finished entering the search criteria, select **Search** to generate the search.