Merge branch 'main' into diannegali-xdrpages

Author: diannegali

CloudAppSecurityDocs/behaviors.md

@@ -26,22 +26,22 @@ While behaviors might be related to security scenarios, they're not necessarily
 
 Behaviors currently support low-fidelity, Defender for Cloud Apps detections, that may not meet the standard for alerts but are still useful in providing context during an investigation. Currently supported detections include:
 
-|Alert name  |Policy name  |
-|---------|---------|
-|**Activity from infrequent country**  |Activity from infrequent country/region   |
-|**Impossible travel activity**  |Impossible travel  |
-|**Mass delete**  |Unusual file deletion activity (by user)  |
-|**Mass download**  |Unusual file download (by user)  |
-|**Mass share**  |Unusual file share activity (by user)  |
-|**Multiple delete VM activities**  |Multiple delete VM activities  |
-|**Multiple failed login attempts**  |Multiple failed sign-in attempts  |
-|**Multiple Power BI report sharing activities**  |Multiple Power BI report sharing activities  |
-|**Multiple VM creation activities**  |Multiple VM creation activities  |
-|**Suspicious administrative activity**  |Unusual administrative activity (by user)  |
-|**Suspicious impersonated activity**  |Unusual impersonated activity (by user)  |
-|**Suspicious OAuth app file download activities**  |Suspicious OAuth app file download activities  |
-|**Suspicious Power BI report sharing**  |Suspicious Power BI report sharing   |
-|**Unusual addition of credentials to an OAuth app**  |Unusual addition of credentials to an OAuth app  |
+|Alert name  |Policy name  |ActionType (Hunting)|
+|---------|---------|---------|
+|**Activity from infrequent country**  |Activity from infrequent country/region   |ActivityFromInfrequentCountry|
+|**Impossible travel activity**  |Impossible travel  |ImpossibleTravelActivity|
+|**Mass delete**  |Unusual file deletion activity (by user)  |MassDelete|
+|**Mass download**  |Unusual file download (by user)  |MassDownload|
+|**Mass share**  |Unusual file share activity (by user)  |MassShare|
+|**Multiple delete VM activities**  |Multiple delete VM activities  |MultipleDeleteVmActivities|
+|**Multiple failed login attempts**  |Multiple failed sign-in attempts  |MultipleFailedLoginAttempts|
+|**Multiple Power BI report sharing activities**  |Multiple Power BI report sharing activities  |MultiplePowerBiReportSharingActivities|
+|**Multiple VM creation activities**  |Multiple VM creation activities  |MultipleVmCreationActivities|
+|**Suspicious administrative activity**  |Unusual administrative activity (by user)  |SuspiciousAdministrativeActivity|
+|**Suspicious impersonated activity**  |Unusual impersonated activity (by user)  |SuspiciousImpersonatedActivity|
+|**Suspicious OAuth app file download activities**  |Suspicious OAuth app file download activities  |SuspiciousOauthAppFileDownloadActivities|
+|**Suspicious Power BI report sharing**  |Suspicious Power BI report sharing   |SuspiciousPowerBiReportSharing|
+|**Unusual addition of credentials to an OAuth app**  |Unusual addition of credentials to an OAuth app  |UnusualAdditionOfCredentialsToAnOauthApp|
 
 
 ## Defender for Cloud Apps' transition from alerts to behaviors

CloudAppSecurityDocs/discovery-docker-ubuntu-azure.md

@@ -105,7 +105,7 @@ This procedure describes how to deploy your machine with Ubuntu. The deployment
 
 1. Change to root privileges using `sudo -i`.
 
-1. If you accept the [software license terms](https://go.microsoft.com/fwlink/?linkid=862492), uninstall old versions and install Docker CE by running the commands appropriate for your environment:
+1. If you accept the software license terms, uninstall old versions and install Docker CE by running the commands appropriate for your environment:
 
     #### [CentOS](#tab/centos)
 

CloudAppSecurityDocs/discovery-docker-ubuntu.md

@@ -105,7 +105,7 @@ The following steps describe the deployment in Ubuntu. The deployment steps for
     export https_proxy='<IP>:<PORT>'
     ```
 
-1. If you accept the [software license terms](https://go.microsoft.com/fwlink/?linkid=862492), uninstall old versions and install Docker CE by running the commands appropriate for your environment:
+1. If you accept the software license terms, uninstall old versions and install Docker CE by running the commands appropriate for your environment:
 
     ### [CentOS](#tab/centos)
 

CloudAppSecurityDocs/siem.md

@@ -84,7 +84,7 @@ Integrating with your SIEM is accomplished in three steps:
 
 ### Step 2: Download the JAR file and run it on your server
 
-1. In the [Microsoft Download Center](https://go.microsoft.com/fwlink/?linkid=838596), after accepting the [software license terms](https://go.microsoft.com/fwlink/?linkid=862491), download the .zip file and unzip it.
+1. In the [Microsoft Download Center](https://go.microsoft.com/fwlink/?linkid=838596), after accepting the software license terms, download the .zip file and unzip it.
 
 1. Run the extracted file on your server:
 

defender-endpoint/live-response.md

@@ -122,11 +122,11 @@ The dashboard also gives you access to:
 ## Initiate a live response session on a device
 
 > [!NOTE]
-> Live response actions initiated from the Device page are not available in the machineactions API.
+> Live response actions initiated from the Device page are not available in the MachineActions API.
 
-1. Sign in to Microsoft Defender portal.
+1. Sign in to [Microsoft Defender portal](https://security.microsoft.com).
 
-2. Navigate to **Endpoints > Device inventory** and select a device to investigate. The devices page opens.
+2. Navigate to **Endpoints** > **Device inventory** and select a device to investigate. The devices page opens.
 
 3. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the device.
 
@@ -235,17 +235,20 @@ You can have a collection of PowerShell and Bash scripts that can run on devices
 
 #### To upload a file in the library
 
-1. Click **Upload file to library**.
+> [!NOTE]
+> There are restrictions on the characters that can be uploaded to the library. Use alphanumeric characters and some symbols (specifically, `-`, `_`, or `.`).
+
+1. Select **Upload file to library**.
 
-2. Click **Browse** and select the file.
+2. Select **Browse** and select the file.
 
 3. Provide a brief description.
 
 4. Specify if you'd like to overwrite a file with the same name.
 
 5. If you'd like to be,  know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
 
-6. Click **Confirm**.
+6. Select **Confirm**.
 
 7. (Optional) To verify that the file was uploaded to the library, run the `library` command.
 
@@ -254,7 +257,7 @@ You can have a collection of PowerShell and Bash scripts that can run on devices
 Anytime during a session, you can cancel a command by pressing CTRL + C.
 
 > [!WARNING]
-> Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled.
+> Using this shortcut doesn't stop the command in the agent side. It only cancels the command in the Microsoft Defender portal. So, changing operations such as "remediate" may continue, even if the command is canceled.
 
 ## Run a script
 

defender-office-365/media/mail-flow-status-report-mailflow-view-phishing-block-threat-class.png

@@ -19,7 +19,7 @@ description: "Admins can learn how to find and use the email security reports th
 ms.custom: 
 - seo-marvel-apr2020
 ms.service: defender-office-365
-ms.date: 01/08/2025
+ms.date: 01/17/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -242,6 +242,10 @@ If you hover over a horizontal band in the diagram, you see the number of relate
 
 :::image type="content" source="media/mail-flow-status-report-mailflow-view-details.png" alt-text="The Phishing block details in Mailflow view in the Mailflow status report." lightbox="media/mail-flow-status-report-mailflow-view-details.png":::
 
+In Defender for Office 365, if you select **Phishing block** \> **General filter**, threat classification results are shown. For more information, see [Threat classification in Microsoft Defender for Office 365](mdo-threat-classification.md).
+
+:::image type="content" source="media/mail-flow-status-report-mailflow-view-phishing-block-threat-class.png" alt-text="Screenshot of selecting Phishing block, General filter in the Mailflow view of the Mailflow status report." lightbox="media/mail-flow-status-report-mailflow-view-phishing-block-threat-class.png":::
+
 The details table below the diagram shows the following information:
 
 - **Date (UTC)**
@@ -688,7 +692,7 @@ In the details table below the chart, the following information is available:
 - **Subject**
 - **Sender**
 - **Recipients**
-- **Detection technology**: The same detection technology values from the chart.
+- **Detection technology**: The same detection technology values as described in [View data by Email \> Phish and Chart breakdown by Detection Technology](#view-data-by-email--phish-and-chart-breakdown-by-detection-technology).
 - **Delivery status**
 - **Sender IP**
 - **Tags**: For more information about user tags, see [User tags](user-tags-about.md).
@@ -732,6 +736,91 @@ In Defender for Microsoft 365, the following actions are available at the top of
 
 On the **Threat protection status** page, the :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
 
+### View data by Email \> Phish and Chart breakdown by Threat classification (Defender for Office 365)
+
+:::image type="content" source="media/threat-protection-status-report-phishing-threat-classification-view.png" alt-text="The Threat classification view for phishing email in the Threat protection status report." lightbox="media/threat-protection-status-report-phishing-threat-classification-view.png":::
+
+Threat classification in Defender for Office 365 uses AI to identify and categorize threats. For more information, see [Threat classification in Microsoft Defender for Office 365](mdo-threat-classification.md).
+
+In the **View data by Email \> Phish** view, selecting **Chart breakdown by Threat classification** shows the following information in the chart:
+
+- **PII Gathering**
+- **Business intelligence**
+- **Invoice**
+- **Payroll**
+- **Gift card**
+- **Contact establishment**
+- **Task**
+- **None**
+
+In the details table below the chart, the following information is available:
+
+- **Date**
+- **Subject**
+- **Sender**
+- **Recipients**
+- **Detection technology**: The same detection technology values as described in [View data by Email \> Phish and Chart breakdown by Detection Technology](#view-data-by-email--phish-and-chart-breakdown-by-detection-technology).
+- **Threat classification**: The same threat classification values shown in the chart and described in [Threat classification in Microsoft Defender for Office 365](mdo-threat-classification.md).
+- **Delivery status**
+- **Sender IP**
+- **Tags**: For more information about user tags, see [User tags](user-tags-about.md).
+
+  To see all columns, you likely need to do one or more of the following steps:
+
+  - Horizontally scroll in your web browser.
+  - Narrow the width of appropriate columns.
+  - Zoom out in your web browser.
+
+Select :::image type="icon" source="media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to modify the report by selecting one or more of the following values in the flyout that opens:
+
+- **Date (UTC)** **Start date** and **End date**
+- **Detection** section:
+  - **URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.
+  - **Advanced filter**: Phishing signals based on machine learning.
+  - **General filter**: Phishing signals based on analyst rules.
+  - **Spoof intra-org**: Sender email address spoofing using a domain that's internal to your organization. 
+  - **Spoof external domain**: Sender email address spoofing using a domain that's external to your organization.
+  - **Spoof DMARC**: The message failed [DMARC authentication](email-authentication-dmarc-configure.md).
+  - **Impersonation brand**: Sender impersonation of well-known brands.
+  - **Mixed analysis detection**: Multiple filters contributed to the message verdict.
+  - **File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.
+  - **Fingerprint matching**: The message closely resembles a previous detected malicious message.
+  - **URL detonation reputation**: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations.
+  - **URL detonation**: [Safe Links](safe-links-about.md) detected a malicious URL in the message during detonation analysis.
+  - **Impersonation user**: Impersonation of protected senders that you specified in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) or learned through mailbox intelligence.
+  - **Impersonation domain**: Impersonation of sender domains that you own or specified for protection in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+  - **Mailbox intelligence impersonation**: Impersonation detections from mailbox intelligence in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+  - **File detonation**: [Safe Attachments](safe-attachments-about.md) detected a malicious attachment during detonation analysis.
+  - **File detonation reputation**: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations.
+  - **Campaign**: Messages identified as part of a [campaign](campaigns.md).
+- **Threat classification**: Leave the value **All** or remove it, double-click in the empty box, and then select an available value.
+- **Priority account protection**: **Yes** and **No**. For more information, see [Configure and review priority account protection in Microsoft Defender for Office 365](priority-accounts-turn-on-priority-account-protection.md).
+- **Evaluation**: **Yes** or **No**.
+- **Protected by**: **MDO** (Defender for Office 365) and **EOP**
+- **Direction**: Leave the value **All** or remove it, double-click in the empty box, and then select **Inbound**, **Outbound**, or **Intra-org**.
+- **Tag**: Leave the value **All** or remove it, double-click in the empty box, and then select **Priority account**. For more information about user tags, see [User tags](user-tags-about.md).
+- **Domain**: Leave the value **All** or remove it, double-click in the empty box, and then select an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).
+- **Policy type**: Select **All** or one of the following values:
+  - **Anti-malware**
+  - **Safe Attachments**
+  - **Anti-phish**
+  - **Anti-spam**
+  - **Mail flow rule** (transport rule)
+  - **Others**
+- **Policy name (details table view only)**: Select **All** or a specific policy.
+- **Recipients (separated by commas)**
+
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
+
+If you select an entry from the details table by clicking anywhere in the row other than the check box next to the first column, an email details flyout opens. This details flyout is known as the _Email summary panel_ and contains summarized information that's also available on the [Email entity page in Defender for Office 365](mdo-email-entity-page.md) for the message. For details about the information in the Email summary panel, see [The Email summary panel](mdo-email-entity-page.md#the-email-summary-panel).
+
+The following actions are available at the top of the Email summary panel for the Threat protection status report:
+
+- :::image type="icon" source="media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity**: For more information, see [The Email entity page in Microsoft Defender for Office 365](mdo-email-entity-page.md).
+- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard).
+
+On the **Threat protection status** page, the :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
+
 ### Chart breakdown by Delivery status
 
 :::image type="content" source="media/threat-protection-status-report-phishing-delivery-status-view.png" alt-text="The Delivery status view for phishing email and malware email in the Threat protection status report." lightbox="media/threat-protection-status-report-phishing-delivery-status-view.png":::
@@ -754,7 +843,7 @@ In the details table below the chart, the following information is available:
 - **Subject**
 - **Sender**
 - **Recipients**
-- **Detection technology**: The same detection technology values from the chart.
+- **Detection technology**: The same detection technology values as described in [View data by Email \> Phish and Chart breakdown by Detection Technology](#view-data-by-email--phish-and-chart-breakdown-by-detection-technology).
 - **Delivery status**
 - **Sender IP**
 - **Tags**: For more information about user tags, see [User tags](user-tags-about.md).
@@ -811,7 +900,7 @@ In the details table below the chart, the following information is available:
 - **Date**
 - **Attachment filename**
 - **Workload**
-- **Detection technology**: The same detection technology values from the chart.
+- **Detection technology**: The same detection technology values as described in [View data by Email \> Phish and Chart breakdown by Detection Technology](#view-data-by-email--phish-and-chart-breakdown-by-detection-technology).
 - **File size**
 - **Last modifying user**