Merge branch 'main' into WI361499-restructure-and-categorise-secure-posture-docs

Author: aditisrivastava07

.openpublishing.redirection.defender-endpoint.json

@@ -1,5 +1,15 @@
 {
   "redirections": [
+    {
+      "source_path": "defender-endpoint/threat-analytics-analyst-reports.md",
+      "redirect_url": "/defender-xdr/threat-analytics-analyst-reports",
+      "redirect_document_id": false
+    },    
+    {
+      "source_path": "defender-endpoint/threat-analytics.md",
+      "redirect_url": "/defender-xdr/threat-analytics",
+      "redirect_document_id": false
+    },    
     {
       "source_path": "defender-endpoint/configure-microsoft-threat-experts.md",
       "redirect_url": "/defender-xdr/defender-experts-for-hunting",

.openpublishing.redirection.defender-xdr.json

@@ -259,6 +259,51 @@
       "source_path": "defender-xdr/microsoft-sentinel-onboard.md",
       "redirect_url": "/unified-secops-platform/microsoft-sentinel-onboard",
       "redirect_document_id": false
-    }
+    },
+    {
+      "source_path": "defender-xdr/first-incident-path-phishing.md",
+      "redirect_url": "/security/operations/incident-response-playbook-phishing",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/first-incident-path-identity.md",
+      "redirect_url": "/defender-for-identity/manage-security-alerts",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/incident-response-overview.md",
+      "redirect_url": "/defender-xdr/incidents-overview",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/respond-first-incident-analyze.md",
+      "redirect_url": "/defender-xdr/investigate-incidents",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/respond-first-incident-365-defender.md",
+      "redirect_url": "/defender-xdr/manage-incidents",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/export-incidents-queue.md",
+      "redirect_url": "/defender-xdr/incident-queue",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/respond-first-incident-remediate.md",
+      "redirect_url": "/defender-xdr/incidents-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/m365d-time-zone.md",
+      "redirect_url": "/defender-xdr/m365d-enable-faq",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/feedback.md",
+      "redirect_url": "/defender-xdr/m365d-enable-faq",
+      "redirect_document_id": false
+    },                                       
   ]
 }

ATPDocs/deploy/activate-capabilities.md

@@ -88,12 +88,16 @@ Activate the Defender for Identity from the [Microsoft Defender portal](https://
 
    The Activation page lists servers discovered in Device Inventory and identified as eligible domain controllers. 
 
-2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+1. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+
+    :::image type="content" source="media/activate-capabilities/1.jpg" lightbox="media/activate-capabilities/1.jpg" alt-text="Screenshot that shows how to activate the new sensor.":::
 
     > [!NOTE]
     > You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
 
-3. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.
+1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
+
+    :::image type="content" source="media/activate-capabilities/2.jpg" lightbox="media/activate-capabilities/2.jpg" alt-text="Screenshot that shows how to seethe onboarded servers.":::
 
 ## Onboarding Confirmation 
 
@@ -104,7 +108,7 @@ To confirm the sensor has been onboarded:
 2. Check that the onboarded domain controller is listed. 
 
 > [!NOTE]
->  The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
+> The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
 
 ## Test activated capabilities
 
@@ -126,7 +130,6 @@ In the Defender portal, select **Identities** > **Dashboard**, and review the de
 
 For more information, see [Work with Defender for Identity's ITDR dashboard](../dashboard.md).
 
-
 ### Confirm entity page details
 
 Confirm that entities, such as domain controllers, users, and groups, are populated as expected. 
@@ -139,7 +142,7 @@ In the Defender portal, check for the following details:
 
 - **Group entities**: Use the global search to find a user group, or pivot from a user or device details page where group details are shown. Check for details of group membership, view group users, and group timeline data.
 
-    If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
+   If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
 
 For more information, see [Investigate assets](../investigate-assets.md).
 
@@ -205,18 +208,20 @@ Test remediation actions on a test user. For example:
 
 1. In the Defender portal, go to the user details page for a test user.
 
-1. From the **Options** menu, select any of the available remediation actions.
+2. From the **Options** menu, select any of the available remediation actions.
 
-1. Check Active Directory for the expected activity.
+3. Check Active Directory for the expected activity.
 
 For more information, see [Remediation actions in Microsoft Defender for Identity](../remediation-actions.md).
 
 ## Deactivate Defender for Identity capabilities on your domain controller
 
 If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the **Sensors** page:
 
-1. In the Defender portal, select **Settings > Identities > Sensors**.
-1. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
+1. In the Defender portal, select **Settings** > **Identities** > **Sensors**.
+2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
+
+    :::image type="content" source="media/activate-capabilities/3.jpg" lightbox="media/activate-capabilities/3.jpg" alt-text="Screenshot that shows how to deactivate a server.":::
 
 Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/).
 

ATPDocs/deploy/media/activate-capabilities/1.jpg

@@ -79,7 +79,6 @@ Our approach to information protection can be split into the following phases th
     1. Under **Inspection method**, choose and configure one of the following classification services:
 
         - **[Data Classification Services](dcs-inspection.md)**: Uses classification decisions you've made across Microsoft 365, Microsoft Purview Information Protection, and Defender for Cloud Apps to provide a unified labeling experience. This is the preferred content inspection method as it provides a consistent and unified experience across Microsoft products.
-        - **[Built-in DLP](content-inspection-built-in.md)**: Inspects files for sensitive information using our built-in DLP content inspection engine.
 
     1. For highly sensitive files, select **Create an alert** and choose the alerts you require, so that you're informed when there are files with unprotected sensitive information in your organization.
     1. Select **Create**.

ATPDocs/deploy/media/activate-capabilities/2.jpg

@@ -55,7 +55,7 @@ sections:
         answer: |
           If you're planning to onboard an instance of Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers). This license is available as an add-on to Microsoft 365 Business Premium and the standalone version of Defender for Business. The Microsoft Defender for Business servers license is priced at $3 per server instance. You can either purchase a license for each onboarded server, or choose to offboard servers from Defender for Business.
 
-          If you have more than 60 servers, you'll need to get another license, such as [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers). 
+          If you have more than 60 servers, you'll need to get another license, such as Microsoft Defender for Endpoint Server or Microsoft Defender for Servers Plan 1 or Plan 2. For more information, see [Onboard servers to Microsoft Defender for Endpoint](/defender-endpoint/onboard-server). 
 
       - question: What is the difference between Microsoft Defender for Business servers and Microsoft Defender for Servers Plan 1 and Plan 2?
         answer: |
@@ -95,9 +95,13 @@ sections:
 
       - question: How do I run custom reports with Defender for Business?
         answer: |
-          Defender for Business uses the Defender for Endpoint APIs. You can use the APIs and a Power BI connector to set up custom reporting. As an example scenario, you could schedule a PowerShell script to generate executive summaries formatted in HTML, and send those summaries via email. 
+          Defender for Business uses the Defender for Endpoint APIs for all the capabilities that are available in Defender for Business. You can use the APIs with a reporting tool. As an example scenario, you can use a Power BI connector and schedule a PowerShell script to generate executive summaries formatted in HTML, and send those summaries via email. 
           
-          For more information, see [API reference information](/defender-endpoint/api/exposed-apis-create-app-partners). Also see [Microsoft Defender for Business and Microsoft partner resources](mdb-partners.md).
+          For more information, see the following resources:
+          
+          - [Overview of management and APIs](/defender-endpoint/api/management-apis)
+          - [API reference information](/defender-endpoint/api/exposed-apis-create-app-partners)
+          - [Microsoft Defender for Business and Microsoft partner resources](mdb-partners.md)
 
       - question: I'm a Microsoft partner. Will I be able to manage multiple tenants from one control panel, or will I have to sign in to each tenant individually?
         answer: |
@@ -128,19 +132,41 @@ sections:
 
       - question: What are the differences between Defender for Business and Defender for Endpoint Plans 1 and 2?
         answer: |
-          Both Defender for Business and Defender for Endpoint provide strong threat protection capabilities for your company's devices (computers, phones, and tablets, which are also referred to as endpoints). The following table summarizes some key differences between these plans.
+          [Defender for Business](mdb-overview.md) is designed for small and medium-sized businesses who have up to 300 users. Capabilities in Defender for Business include next-generation protection, attack surface reduction, endpoint detection & response (EDR), and automated investigation and remediation. Defender for Business also features [simplified configuration](mdb-setup-configuration.md) and [device onboarding options](mdb-onboard-devices.md) that streamline the overall setup and configuration process.
 
-          | Subscription | Description |
-          |--|--|
-          | Defender for Business | [Defender for Business](mdb-overview.md) is designed for small and medium-sized businesses who have up to 300 users. Capabilities in Defender for Business include next-generation protection, attack surface reduction, endpoint detection & response (EDR), and automated investigation and remediation. <br/><br/>Defender for Business also features [simplified configuration](mdb-setup-configuration.md) and [device onboarding options](mdb-onboard-devices.md) that streamline the overall setup and configuration process. | 
-          | Defender for Endpoint | [Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) is an enterprise endpoint security platform designed to help organizations prevent, detect, investigate, and respond to advanced threats. <br/><br/>Defender for Endpoint Plan 1 includes next-generation protection and attack surface reduction capabilities. <br/><br/>Defender for Endpoint Plan 2 extends Plan 1 capabilities with threat and vulnerability management, EDR, automated investigation & remediation, threat hunting, and six months of data retention. |
+          [Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) is an enterprise endpoint security platform designed to help organizations prevent, detect, investigate, and respond to advanced threats. 
           
+          - Defender for Endpoint Plan 1 includes next-generation protection and attack surface reduction capabilities. 
+          - Defender for Endpoint Plan 2 extends Plan 1 capabilities with core vulnerability management capabilities, EDR, automated investigation & remediation, threat hunting, and six months of data retention. 
+          
+          The following table summarizes some differences between Defender for Business and Defender for Endpoint:
+
+          | Capabilities | Defender for Business | Defender for Endpoint Plan 1 | Defender for Endpoint Plan 2 |
+          |---|---|---|---|
+          | Centralized management | ✔ | ✔ | ✔ |
+          | Simplified firewall and antivirus configuration for Windows | ✔ | | |
+          | Vulnerability management (core capabilities) | ✔ | | ✔ |
+          | Attack surface reduction | ✔ | ✔ | ✔ |
+          | Next-generation protection | ✔ | ✔ | ✔ |
+          | Endpoint detection & response (EDR) | ✔ <br/>(optimized) | | ✔ |
+          | Automatic attack disruption | ✔ | | ✔ |
+          | Automated investigation & remediation | ✔ | | ✔ |
+          | Monthly security summary reporting | ✔ | | ✔ |
+          | 30 days advanced hunting and six months of data retention in the device timeline | | | ✔ |
+          | Threat analytics | ✔<br/>(optimized) | | ✔ |
+          | Cross-platform support <br/>(Mac, iOS, Android)| ✔ | ✔ | ✔ |
+          | Windows Server and Linux Server <br/>(requires server licenses) | ✔  | ✔ | ✔ |
+          | Microsoft Threat Experts | | | ✔ |
+          | Microsoft 365 Lighthouse <br/>(optimized; for CSPs only) | ✔ | | |
+          | Microsoft Defender multi-tenant management | ✔ | ✔ | ✔ |
+          | APIs | ✔  | ✔ | ✔ |
+
       - question: Can I have a mix of Microsoft endpoint security subscriptions?
         answer: |
-          In general, mixed-licensing scenarios aren't supported in Defender for Business or Microsoft 365 Business Premium. 
-          
-          If you're using the standalone version of Defender for Business, and you add Defender for Endpoint Plan 2 to your tenant, your experience defaults to the Defender for Business experience. However, if you have enough Defender for Endpoint Plan 2 for all users in your tenant, you can contact support and change your experience to the Defender for Endpoint Plan 2 experience. In this case, you're no longer using your Defender for Business licenses, and the simplified configuration experience in Defender for Business changes to advanced settings in Defender for Endpoint. 
-          
+          Microsoft Defender for Business does not support mixed licensing, so a tenant with Defender for Business (which is included in Microsoft 365 Business Premium) along with Defender for Endpoint Plan 2 (which is included in Microsoft 365 E5 Security) defaults to the Defender for Business experience. 
+
+          For example, if you have 80 users licensed for Defender for Business (as part of a Microsoft 365 Business Premium subscription), and you add Microsoft 365 E5 Security for 30 of those users, the experience for all users defaults to Defender for Business. If you want to change that to the Defender for Endpoint Plan 2 experience, you should license all users for Defender for Endpoint Plan 2 (either through the standalone version of Defender for Endpoint Plan 2 or Microsoft 365 E5 Security), and then contact Microsoft Support to request the switch for your tenant.
+                    
           For more information, see [Manage your subscription settings](mdb-manage-subscription.md).
 
           For more information about licenses and product terms, see [Licensing and product terms for Microsoft 365 subscriptions](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA).