Merge branch 'main' into changing-ata-owner

Author: batamig

CloudAppSecurityDocs/activity-filters-queries.md

@@ -13,7 +13,7 @@ This article provides descriptions and instructions for Defender for Cloud Apps
 
 ## Activity filters
 
-Below is a list of the activity filters that can be applied. Most filters support multiple values as well as *NOT* to provide you with a powerful tool for policy creation.
+Below is a list of the activity filters that can be applied. Most filters support multiple values and *NOT* to provide you with a powerful tool for policy creation.
 
 - Activity ID - Search only for specific activities by their ID. This filter is useful when you connect Microsoft Defender for Cloud Apps to your SIEM (using the SIEM agent) and you want to further investigate alerts using Defender for Cloud Apps.
 
@@ -30,7 +30,7 @@ Below is a list of the activity filters that can be applied. Most filters suppor
 - Activity type - Search for the app activity.
 
   > [!NOTE]
-  > Apps are added to the filter only if there is activity for that app.
+  > Apps are added to the filter only if there's activity for that app.
 
 - Administrative activity – Search only for administrative activities.
 
@@ -56,7 +56,7 @@ Below is a list of the activity filters that can be applied. Most filters suppor
 
 - IP address – The raw IP address, category, or tag from which the activity was performed.
   - Raw IP address - Enables you to search for activities that were performed on or by raw IP addresses. The raw IPs can equal, don't equal, start with, or don't start with a particular sequence.
-  - IP category - The category of the IP address from which the activity was performed, for example, all activities from the administrative IP address range. The categories need to be configured to include the relevant IP addresses. Some IPs may be categorized by default. for example, there are IP addresses that are considered by Microsoft threat intelligence sources will be categorized as risky. To learn how to configure the IP categories, see [Organize the data according to your needs](ip-tags.md).
+  - IP category - The category of the IP address from which the activity was performed, for example, all activities from the administrative IP address range. The categories need to be configured to include the relevant IP addresses. Some IPs might be categorized by default. for example, there are IP addresses that are considered by Microsoft threat intelligence sources will be categorized as risky. To learn how to configure the IP categories, see [Organize the data according to your needs](ip-tags.md).
   - IP tag - The tag of the IP address from which the activity was performed, for example, all activities from anonymous proxy IP addresses. Defender for Cloud Apps creates a set of built-in IP tags that aren't configurable. Additionally, you can configure your IP tags. For more information about configuring your IP tags, see [Organize the data according to your needs](ip-tags.md).
   The built-in IP tags include the following:
     - Microsoft apps (14 of them)
@@ -88,7 +88,7 @@ Below is a list of the activity filters that can be applied. Most filters suppor
   - User domain - Search for a specific user domain.
   - User organization - The organizational unit of the user who performed the activity, for example, all activities performed by EMEA_marketing users. This is only relevant for connected Google Workspace instances using organizational units.
   - User group - Specific user groups that you can import from connected apps, for example, Microsoft 365 administrators.
-  - User name - Search for a specific username. To see a list of users in a specific user group, in the **Activity drawer**, select the name of the user group. Clicking will take you to the Accounts page, which lists all the users in the group. From there, you can drill down into the details of the accounts of specific users in the group.
+  - User name - Search for a specific username. To see a list of users in a specific user group, in the **Activity drawer**, select the name of the user group. Clicking takes you to the Accounts page, which lists all the users in the group. From there, you can drill down into the details of the accounts of specific users in the group.
   - The **User group** and **User name** filters can be further filtered by using the **As** filter and selecting the role of the user, which can be any of the following:
     - Activity object only - meaning that the user or user group selected didn't perform the activity in question; they were the object of the activity.
     - Actor only - meaning that the user or user group performed the activity.
@@ -132,7 +132,7 @@ Defender for Cloud Apps also provides you with **Suggested queries**. Suggested
 
 - Sharing activities - Filters all your activities to display only those activities that involve sharing folders and files, including creating a company link, creating an anonymous link, and granting read/write permissions.
 
-- Successful log-in - Filters all your activities to display only those activities that involve successful sign-ins, including impersonate action, impersonate sign-in, single sign-o sign-ins, and sign-in from a new device.
+- Successful log in - Filters all your activities to display only those activities that involve successful sign-ins, including impersonate action, impersonate sign-in, single sign-o sign-ins, and sign-in from a new device.
 
   ![query activities.](media/queries-activity.png)
 
@@ -162,22 +162,59 @@ For example:
 
 ![Filter after selecting investigate 6 months back.](media/filter-six-months-back.png)
 
-#### Export activities six months back (Preview)
 
-You can export all activities from up to six months by clicking the Export button in the top-left corner  
+### Export activities six months back (Preview)
+
+
+You can export all activities from the past six months by clicking the Export button in the top-left corner  of the Activity log page.
+
 ![Click the export icon to export records.](media/activity-filters-queries/export-button-of-activity-logs.png)
 
+When exporting data:
 
+- You can choose a date range of up to six months.
+- You can choose to exclude private activities.  
+- The exported file is limited to 100,000 records and is delivered in CSV format.
 
+Once the export is complete, the file is available under **Exported reports**.
 
-When exporting data, you can choose a date range of up to six months, and have the ability to exclude private activities.  
-The exported file is limited to 100,000 records and will be in CSV format.
+To access exported files and check export status, navigate to **Reports -> Cloud Apps** in Microsoft 365 Defender portal to view the status of the export process and access past exports.  
 
-The result file will be accessible under the **Exported reports**. Users can navigate to **Reports -> Cloud Apps** in Microsoft 365 Defender portal to view the status of the export process and access past exports.  
-Reports that include private activities will be marked with an Eye icon in the reports page.  
+Reports that include private activities are marked with an Eye icon in the reports page.  
 
 ![eye-icon](media/activity-filters-queries/eye-icon-to-indicate-private-report.png)
 
+> [!NOTE] 
+>Exporting and viewing activity data up to six months back is restricted to specific roles with elevated permissions.
+
+The following roles are supported:
+
+- `INVITED_ADMIN`
+
+- `GLOBAL_ADMINISTRATOR`
+
+- `SECURITY_ADMINISTRATOR`
+
+- `MCAS_ADMINISTRATOR`
+
+- `DISCOVERY_ADMIN`
+
+- `SECURITY_OPERATOR`
+
+- `COMPLIANCE_ADMIN`
+
+- `SECURITY_READER`
+
+- `GLOBAL_READER`
+
+- `URBAC_ROLES_GLOBAL_ADMINISTRATOR`
+
+- `URBAC_ROLES_COMPLIANCE_ADMINISTRATOR`
+
+- `URBAC_ROLES_SECURITY_READER`
+
+- `URBAC_ROLES_SECURITY_OPERATOR`
+
 ## Next steps
 
 > [!div class="nextstepaction"]

defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier2
 - mde-ngp
 search.appverid: met150
-ms.date: 03/19/2024
+ms.date: 04/07/2025
 ---
 
 
@@ -45,7 +45,7 @@ This article describes how to configure exclusion lists.
 |Any file on the machine that is opened by any process under a specific folder|Specifying `c:\test\sample\*` would exclude files opened by: <p> `c:\test\sample\test.exe` <p> `c:\test\sample\test2.exe` <p> `c:\test\sample\utility.exe`|
 |Any file on the machine that is opened by a specific process in a specific folder|Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe`|
 
-When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
+When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, is scanned unless it's added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
 
 The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). They don't apply to scheduled or on-demand scans.
 
@@ -60,15 +60,15 @@ By default, local changes made to the lists (by users with administrator privile
 You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
 
 > [!NOTE]
-> **Network Protection** and **Attack surface reduction rules** are directly impacted by process exclusions on all platforms, meaning that a process exclusion on any OS (Windows, MacOS, Linux) will result in Network Protection or ASR being unable to inspect traffic or enforce rules for that specific process.
+> **Network Protection** and **Attack surface reduction rules** are directly impacted by process exclusions on all platforms, meaning that a process exclusion on any OS (Windows, macOS, Linux) results in Network Protection or ASR being unable to inspect traffic or enforce rules for that specific process.
 
 ### Image name vs full path for process exclusions
 
-Two different types of process exclusions may be set. A process may be excluded by image name, or by full path. The image name is simply the file name of the process, without the path.
+Two different types of process exclusions might be set. A process might be excluded by image name, or by full path. The image name is simply the file name of the process, without the path.
 
 For example, given the process `MyProcess.exe` running from `C:\MyFolder\` the full path to this process would be `C:\MyFolder\MyProcess.exe` and the image name is `MyProcess.exe`. 
 
-Image name exclusions are much more broad - an exclusion on `MyProcess.exe` excludes any processes with this image name, regardless of the path they're run from. So for example, if the process `MyProcess.exe` is excluded by image name, it will also be excluded if it is run from `C:\MyOtherFolder`, from removable media, et cetera. As such it's recommended that whenever possible, the full path is used. 
+Image name exclusions are much more broad - an exclusion on `MyProcess.exe` excludes any processes with this image name, regardless of the path they're run from. So for example, if the process `MyProcess.exe` is excluded by image name, it will also be excluded if it's run from `C:\MyOtherFolder`, from removable media, et cetera. As such it's recommended that whenever possible, the full path is used. 
 
 ### Use wildcards in the process exclusion list
 
@@ -88,7 +88,7 @@ The following table describes how the wildcards can be used in the process exclu
 
 ### Contextual Process Exclusions
 
-A process exclusion may also be defined via a [Contextual exclusion](configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md) allowing, for example, a specific file to be excluded only if it's opened by a specific process. 
+A process exclusion might also be defined via a [Contextual exclusion](configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md) allowing, for example, a specific file to be excluded only if it's opened by a specific process. 
 
 ## Configure the list of exclusions for files opened by specified processes
 
@@ -98,26 +98,26 @@ For more information, see [Configure device restriction settings in Microsoft In
 
 ### Use Microsoft Configuration Manager to exclude files that have been opened by specified processes from scans
 
-See [How to create and deploy antimalware policies: Exclusion settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Configuration Manager (current branch).
+See [How to create and deploy anti-malware policies: Exclusion settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Configuration Manager (current branch).
 
 ### Use Group Policy to exclude files that have been opened by specified processes from scans
 
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). Right-click the Group Policy Object you want to configure and select **Edit**.
 
-2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
 
 3. Expand the tree to **Windows components \> Microsoft Defender Antivirus \> Exclusions**.
 
 4. Double-click **Process Exclusions** and add the exclusions:
     1. Set the option to **Enabled**.
-    2. Under the **Options** section, click **Show...**.
+    2. Under the **Options** section, select **Show...**.
     3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
 
-5. Click **OK**.
+5. Select **OK**.
 
 ### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
 
-Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](/powershell/module/defender/).
+Using PowerShell to add or remove exclusions for files that are opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](/powershell/module/defender/).
 
 The format for the cmdlets is:
 
@@ -134,7 +134,7 @@ The following are allowed as the \<cmdlet\>:
 |Remove items from the list|`Remove-MpPreference`|
 
 > [!IMPORTANT]
-> If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again overwrites the existing list.
+> If you create a list, with either `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference`, cmdlet overwrites the existing list.
 
 For example, the following code snippet would cause Microsoft Defender Antivirus scans to exclude any file that is opened by the specified process:
 

defender-xdr/before-you-begin-defender-experts.md

@@ -18,7 +18,7 @@ ms.custom:
 - cx-ti
 - cx-ean
 search.appverid: met150
-ms.date: 03/20/2025
+ms.date: 04/07/2025
 ---
 
 # Before you begin using Defender Experts for Hunting
@@ -95,7 +95,7 @@ The following sections enumerate additional information about the service's data
 
 All data used for hunting from existing Defender services will continue to reside in the customer's original Microsoft Defender XDR service storage location. [Learn more](/microsoft-365/enterprise/o365-data-locations)
 
-Defender Experts for Hunting operational data, such as case tickets and analyst notes, are generated and stored in a Microsoft data center in the US region for US customers and in the European Union for EU customers, for the length of the service, irrespective of the Microsoft Defender XDR service storage location. Data generated for the reporting dashboard is stored in customer's Microsoft Defender XDR service storage location. Reporting data and operational data will be retained for a grace period of no more than 90 days after a customer's subscription expires. If the customer terminates their subscription, data will be deleted within 30 days.
+Defender Experts for Hunting operational data, such as case tickets and analyst notes, are generated and stored in a Microsoft data center in the EU region for customers whose Defender XDR data is in scope of European Union data boundary and in the US region for other customers, for the length of the service, irrespective of the Microsoft Defender XDR service storage location. Data generated for the reporting dashboard is stored in customer's Microsoft Defender XDR service storage location. Reporting data and operational data will be retained for a grace period of no more than 90 days after a customer's subscription expires. If the customer terminates their subscription, data will be deleted within 30 days.
 
 Microsoft experts hunt over [advanced hunting logs](advanced-hunting-schema-tables.md) in Microsoft Defender XDR advanced hunting tables. The data in these tables depend on the set of Defender services the customer is enabled for (for example, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Entra ID). Experts also use a large set of internal threat intelligence data to inform their hunting and automation.
 

defender-xdr/before-you-begin-xdr.md

@@ -17,7 +17,7 @@ ms.custom:
 - cx-ti
 - cx-dex
 search.appverid: met150
-ms.date: 02/05/2025
+ms.date: 04/07/2025
 ---
 
 # Before you begin
@@ -77,7 +77,7 @@ The following sections enumerate additional information about the service's data
 
 All data used for hunting from existing Defender services will continue to reside in the customer's original Microsoft Defender XDR service storage location. [Learn more](/microsoft-365/enterprise/o365-data-locations).
 
-Defender Experts for XDR operational data, such as case tickets and analyst notes, are generated and stored in a Microsoft data center in the US region for the length of the service, irrespective of the Microsoft Defender XDR service storage location. Data generated for the reporting dashboard is stored in customer's Microsoft Defender XDR service storage location. Reporting data and operational data will be retained for a grace period of no more than 90 days after a customer's subscription expires. If the customer terminates their subscription, data will be deleted within 30 days.
+Defender Experts for XDR operational data, such as case tickets and analyst notes, are generated and stored in a Microsoft data center in the US region for US customers and in the European Union for EU customers for the length of the service, irrespective of the Microsoft Defender XDR service storage location. Data generated for the reporting dashboard is stored in customer's Microsoft Defender XDR service storage location. Reporting data and operational data will be retained for a grace period of no more than 90 days after a customer's subscription expires. If the customer terminates their subscription, data will be deleted within 30 days.
 
 Microsoft experts hunt over [advanced hunting logs](advanced-hunting-schema-tables.md) in Microsoft Defender XDR advanced hunting tables. The data in these tables depend on the set of Defender services the customer is enabled for (for example, Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and Microsoft Entra ID). Experts also use a large set of internal threat intelligence data to inform their hunting and automation.