ATPDocs/health-alerts.md: 7 additions & 1 deletion
@@ -1,7 +1,7 @@
1
1
---
2
2
title: Microsoft Defender for Identity health issues
3
3
description: This article describes all the health issues that can occur for each component, listing the cause and the steps needed to resolve the problem
4
-
ms.date: 07/09/2024
4
+
ms.date: 01/16/2025
5
5
ms.topic: how-to
6
6
---
7
7
@@ -191,6 +191,12 @@ Sensor-specific health issues are displayed in the **Sensor health issues** tab
191
191
|----|----|----|----|----|
192
192
|Radius accounting (VPN integration) data ingestion failures.|The listed Defender for Identity sensors have radius accounting (VPN integration) data ingestion failures.|Validate that the shared secret in the Defender for Identity configuration settings matches your VPN server, according to the guidance described [Configure VPN in Defender for Identity](vpn-integration.md#configure-vpn-in-defender-for-identity) section, in the [Defender for Identity VPN integration](vpn-integration.md) page.|Low|Health issues page|
193
193
194
+
### Auditing for AD CS servers is not enabled as required
|Auditing for AD CS servers is not enabled as required. (This configuration is validated once a day, per sensor).|The Advanced Auditing Policy Configuration or AD CS auditing is not enabled as required.|Enable the Advanced Auditing Policy Configuration and AD CS auditing according to the guidance as described in the [Configure auditing on AD CS](configure-windows-event-collection.md#configure-auditing-on-ad-cs) section, in the [Configure Windows Event collection](configure-windows-event-collection.md) page.|Medium|Sensors health issues tab|
199
+
194
200
### Sensor failed to retrieve Microsoft Entra Connect service configuration
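Review bot: the new `### Auditing for AD CS servers is not enabled as required` heading is followed directly by a table row in this hunk, with no header row or `|----|` separator row visible between them; confirm the added lines include the table header so the row renders as a table rather than as a literal line of pipes. Also, the Location column of the new row reads `Sensors health issues tab` while the hunk context above calls it the **Sensor health issues** tab; align the wording so the two match.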
defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md: 18 additions & 11 deletions
@@ -8,7 +8,7 @@ ms.author: ewalsh
8
8
ms.custom: nextgen
9
9
ms.reviewer: ksarens
10
10
manager: deniseb
11
-
ms.date: 01/15/2025
11
+
ms.date: 01/16/2025
12
12
ms.subservice: ngp
13
13
ms.topic: how-to
14
14
ms.collection:
@@ -32,7 +32,7 @@ search.appverid: met150
32
32
You can perform various functions in Microsoft Defender Antivirus using the dedicated command-line tool **mpcmdrun.exe**. This utility is useful when you want to automate Microsoft Defender Antivirus tasks. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. Run it from a command prompt.
33
33
34
34
> [!TIP]
35
-
> You might need to open an administrator-level version of the command prompt. When you search for **Command Prompt** on the Start menu, choose **Run as administrator**. If you're running an updated Microsoft Defender antimalware platform version, run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>`. For more information about the antimalware platform, see [Microsoft Defender Antivirus updates and baselines](microsoft-defender-antivirus-updates.md).
35
+
> You might need to open an administrator-level version of the command prompt. When you search for **Command Prompt** on the **Start** menu, choose **Run as administrator**. If you're running an updated Microsoft Defender antimalware platform version, run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>`. For more information about the antimalware platform, see [Microsoft Defender Antivirus updates and baselines](microsoft-defender-antivirus-updates.md).
36
36
37
37
The MpCmdRun utility uses the following syntax:
38
38
@@ -52,29 +52,36 @@ In our example, the MpCmdRun utility starts a full antivirus scan on the device.
52
52
53
53
|Command|Description|
54
54
|---|---|
55
-
|`-?`**or**`-h`|Displays all available options for the MpCmdRun tool|
55
+
|`-?`**or**`-h`|Displays all available options for the MpCmdRun tool.|
56
56
|`-Scan [-ScanType [<value>]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]`|Scans for malicious software. Values for **ScanType** are:<p>**0** Default, according to your configuration<p>**1** Quick scan<p>**2** Full scan<p>**3** File and directory custom scan.<p>CpuThrottling runs according to policy configurations.|
|`-CaptureNetworkTrace -Path <path>`|Captures all the network input into the Network Protection service and saves it to a file at `<path>`. <br/>Supply an empty path to stop tracing.|
59
59
|`-GetFiles [-SupportLogLocation <path>]`|Collects support information. See [collecting diagnostic data](collect-diagnostic-data.md).|
60
60
|`-GetFilesDiagTrack`|Same as `-GetFiles`, but outputs to temporary DiagTrack folder.|
61
61
|`-RemoveDefinitions [-All]`|Restores the installed security intelligence to a previous backup copy or to the original default set.|
62
62
|`-RemoveDefinitions [-DynamicSignatures]`|Removes only the dynamically downloaded security intelligence.|
63
63
|`-RemoveDefinitions [-Engine]`|Restores the previous installed engine.|
64
-
|`-SignatureUpdate [-UNC \|-MMPC]`|Checks for new security intelligence updates.|
|`-CheckExclusion -path <path>`|Checks whether a path is excluded.|
70
+
|`-TDT [-on|-off|-default]`|Disable or Enable TDT feature or sets it to default. If no option is specified, it retrieves the current status.|
71
+
|`-OSCA`|Prints OS Copy Acceleration feature status.|
72
+
|`-DeviceControl -TestPolicyXml <FilePath> [-Rules | -Groups]`|Validate xml policy groups and rules.|
73
+
|`-TrustCheck -File <FilePath>`|Checks trust status of a file.|
70
74
|`-ValidateMapsConnection`|Verifies that your network can communicate with the Microsoft Defender Antivirus cloud service. This command will only work on Windows 10, version 1703 or higher.|
75
+
|`-ListCustomASR`|List the custom Azure Site Recovery rules present on this device.|
76
+
|`-DisplayECSConnection`|Displays URLs that Defender Core service uses to establish connection to ECS.|
77
+
|`-HeapSnapshotConfig <-Enable|-Disable> [-Pid <ProcessID>]`|Enable or Disable heap snapshot (tracing) configuration for process. Replace `<ProcessID>` with the actual process ID.|
71
78
|`-ResetPlatform`| Reset platform binaries back to `%ProgramFiles%\Windows Defender`.|
72
79
|`-RevertPlatform`| Revert platform binaries back to the previously installed version of the Defender platform.|
73
80
74
81
> [!NOTE]
75
-
> For the "Scan" command, the following are the default timeout values for Quick or Full scans where the scan will stop at that time by default.
76
-
- Scheduled Full Scans or MpCmdRun -scan: 7 day limit
77
-
- Scheduled Quick Scans or MpCmdRun -scan: 1 day limit
82
+
> For the `Scan` command, the following are the default time out values for Quick or Full scans where the scan will stop at that time by default.
83
+
> - Scheduled Full Scans or MpCmdRun -scan: Seven day limit
84
+
> - Scheduled Quick Scans or MpCmdRun -scan: One day limit
78
85
79
86
80
87
## Common errors in running commands via mpcmdrun.exe
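Review bot: several new rows put unescaped `|` inside backticked option lists (`-TDT [-on|-off|-default]`, `-DeviceControl ... [-Rules | -Groups]`, `-HeapSnapshotConfig <-Enable|-Disable>`); in a Markdown table a bare pipe splits the cell even inside a code span, so escape them the way the existing `-SignatureUpdate [-UNC \|-MMPC]` row does. Two descriptions also need checking: `-ListCustomASR` is glossed as "Azure Site Recovery rules", but in the Microsoft Defender Antivirus context ASR means attack surface reduction, and the `-TDT` row never expands the acronym TDT; spell out both on first use and fix the mismatched verbs in "Disable or Enable TDT feature or sets it to default".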
@@ -83,7 +90,7 @@ The following table lists common errors that can occur while using the MpCmdRun
83
90
84
91
|Error message|Possible reason|
85
92
|---|---|
86
-
|**ValidateMapsConnection failed (800106BA)** or **0x800106BA**|The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see [Reinstall/enable Microsoft Defender Antivirus on your endpoints](switch-to-mde-phase-2.md#step-1-reinstallenable-microsoft-defender-antivirus-on-your-endpoints).<p> Note that in Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called *Windows Defender Antivirus*.|
93
+
|**ValidateMapsConnection failed (800106BA)** or **0x800106BA**|The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see [Reinstall/enable Microsoft Defender Antivirus on your endpoints](switch-to-mde-phase-2.md#step-1-reinstallenable-microsoft-defender-antivirus-on-your-endpoints).<p> In Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called *Windows Defender Antivirus*.|
87
94
|**0x80070667**|You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
88
95
|**MpCmdRun is not recognized as an internal or external command, operable program, or batch file.**|The tool must be run from either `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)|
89
96
|**ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)**|The command was attempted using insufficient privileges. Use the command prompt (cmd.exe) as an administrator.|
@@ -98,7 +105,7 @@ The following table lists common errors that can occur while using the MpCmdRun
98
105
-[Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
99
106
-[Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
100
107
-[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)
101
-
-[Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
108
+
-[Reference articles for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
102
109
-[Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
103
110
-[macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
104
111
-[Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
defender-endpoint/network-protection.md: 2 additions & 2 deletions
@@ -3,7 +3,7 @@ title: Use network protection to help prevent connections to malicious or suspic
3
3
description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
4
4
ms.service: defender-endpoint
5
5
ms.localizationpriority: medium
6
-
ms.date: 12/18/2024
6
+
ms.date: 01/16/2025
7
7
audience: ITPro
8
8
author: denisebmsft
9
9
ms.author: deniseb
@@ -56,7 +56,7 @@ The following table summarizes network protection areas of coverage.
56
56
> On Mac and Linux, you must have network protection in block mode for these features to be supported in the Microsoft Edge browser.
57
57
> On Windows, network protection doesn't monitor Microsoft Edge. For processes other than Microsoft Edge and Internet Explorer, web protection scenarios leverage network protection for inspection and enforcement.
58
58
59
-
Here are a few important points to keep in mind:
59
+
### Known issues & limitations
60
60
61
61
- IP is supported for all three protocols (`TCP`, `HTTP`, and `HTTPS` (TLS)).
62
62
- Only single IP addresses are supported (no CIDR blocks or IP ranges) in custom indicators.
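Review bot: replacing the lead-in sentence with a `### Known issues & limitations` heading changes the section structure, so any in-page anchors or cross-references that pointed at this list should be checked. The first bullet under the new heading (`IP is supported for all three protocols`) describes a capability rather than a known issue or limitation, so either keep a short introductory sentence under the heading or reword that bullet so the heading fits its contents; consider `and` instead of `&` in the heading text as well.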
defender-endpoint/respond-machine-alerts.md: 1 addition & 1 deletion
@@ -320,7 +320,7 @@ You'll be able to stop containing a device at any time.
320
320
321
321
## Contain user from the network
322
322
323
-
When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can contain an identity, blocking it from access, and helping prevent attacks-- specifically, ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP), terminate ongoing remote sessions and logoff existing RDP connections (termination the session itself including all its related processes), while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity.
323
+
When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can contain an identity, blocking it from access, and helping prevent attacks-- specifically, ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP), terminate ongoing remote sessions and logoff existing RDP connections (terminating the session itself including all its related processes), while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity.
324
324
325
325
> [!NOTE]
326
326
> Blocking incoming communication with a "contained" user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Servers 2012R2 and 2016 with the modern agent.
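Review bot: the change to `terminating the session itself` is correct, but the same sentence keeps two other rough spots this edit could have covered: `logoff existing RDP connections` should use the verb form `log off`, and `helping prevent attacks-- specifically, ransomware` has a doubled hyphen with a stray space; suggest `helping prevent attacks, specifically ransomware`.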
defender-xdr/faq-managed-response.md: 2 additions & 2 deletions
@@ -16,7 +16,7 @@ ms.custom:
16
16
- cx-ti
17
17
- cx-dex
18
18
search.appverid: met150
19
-
ms.date: 10/31/2024
19
+
ms.date: 01/16/2025
20
20
---
21
21
22
22
# Understanding Managed response
@@ -30,7 +30,7 @@ The following section lists down questions you or your SOC team might have regar
30
30
| Questions | Answers |
31
31
|---------|---------|
32
32
|**What is Managed response?**| Microsoft Defender Experts for XDR offers **Managed response** where our experts manage the entire remediation process for incidents that require them. This process includes investigating the incident to identify the root cause, determining the required response actions, and taking those actions on your behalf.|
33
-
|**What actions are in scope for Managed response?**| All actions found below are in scope for Managed response for any device and user that isn't excluded.<br><br>*For devices**(Available now)*<ul><li>Isolate machine<br><li>Release machine from isolation<br><li>Stop and quarantine file<br><li>Restrict app execution<br><li>Remove app restriction<br><li>Disable user<br><li>Enable user</ul><br>*For users (Coming soon)*<ul><li>Revoke refresh token<br><li>Soft delete emails</ul> |
33
+
|**What actions are in scope for Managed response?**| All actions found below are in scope for Managed response for any device and user that isn't excluded.<br><br>*For devices**(Available now)*<ul><li>Isolate machine<br><li>Release machine from isolation<br><li>Stop and quarantine file<br><li>Restrict app execution<br><li>Remove app restriction</ul><br>*For users (Coming soon)*<ul><li>Disable user<br><li>Enable user<br><li>Revoke refresh token<br><li>Soft delete emails</ul> |
34
34
|**Can I customize the extent of Managed response?**| You can configure the extent to which our experts do Managed response actions on your behalf by excluding certain devices and users (individually or by groups) either during onboarding or later by modifying your service's settings. [Read more about excluding device groups](get-started-xdr.md#exclude-devices-and-users-from-remediation)|
35
35
|**What support do Defender Experts offer for excluded assets?**| If our experts determine that you need to perform response actions on excluded devices or users, we notify you through various customizable methods and direct you to your Microsoft Defender XDR portal. From your portal, you can then view a detailed summary of our investigation process and the required response actions in the portal and perform these required actions directly. Similar capabilities are also available through Defender APIs, in case you prefer using a security information and event management (SIEM), IT service management (ITSM), or any other third-party tool. |
36
36
|**How am I going to be informed about the response actions?**| Response actions that our experts have completed on your behalf and any pending ones that you need to perform on your excluded assets are displayed in the **Managed response** panel in your Defender portal's **Incidents** page. <br><br>In addition, you'll also receive an email containing a link to the incident and instructions to view the Managed response in the portal. Moreover, if you have integration with Microsoft Sentinel or APIs, you'll also be notified within those tools by looking for Defender Experts statuses. For more information, see [FAQs related to Microsoft Defender Experts for XDR incident notifications](faq-incident-notifications-xdr.md).|
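Review bot: moving `Disable user` and `Enable user` from the *For devices (Available now)* list to the *For users (Coming soon)* list changes their stated availability from available to not yet available; confirm that is the intent and not just a regrouping, since readers may rely on those actions today. While here, the markup `*For devices**(Available now)*` is still missing a space and mis-nests the emphasis; change it to `*For devices (Available now)*` to match `*For users (Coming soon)*`.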
defender-xdr/incident-queue.md: 4 additions & 1 deletion
@@ -123,7 +123,7 @@ This table lists the filter names that are available.
123
123
|**Alert severity<br>Incident severity**| The severity of an alert or incident is indicative of the impact it can have on your assets. The higher the severity, the bigger the impact and typically requires the most immediate attention. Select **High**, **Medium**, **Low**, or **Informational**. |
124
124
|**Incident assignment**| Select the assigned user or users. |
125
125
|**Multiple service sources**| Specify whether the filter is for more than one service source. |
126
-
|**Service/detection sources**| Specify incidents that contain alerts from one or more of the following:<li>Microsoft Defender for Identity<li>Microsoft Defender for Cloud Apps<li>Microsoft Defender for Endpoint<li>Microsoft Defender XDR<li>Microsoft Defender for Office 365<li>App Governance<li>Microsoft Entra ID Protection<li>Microsoft Data Loss Prevention<li>Microsoft Defender for Cloud<li>Microsoft Sentinel<br><br>Many of these services can be expanded in the menu to reveal further choices of detection sources within a given service. |
126
+
|**Service/detection sources**| Specify incidents that contain alerts from one or more of the following:<li>Microsoft Defender for Identity<li>Microsoft Defender for Cloud Apps<li>Microsoft Defender for Endpoint<li>Microsoft Defender XDR<li>Microsoft Defender for Office 365<li>App Governance<li>Microsoft Entra ID Protection<li>Microsoft Data Loss Prevention<li>Microsoft Defender for Cloud<li>Microsoft Sentinel<li>Microsoft Purview Insider Risk Management<br><br>Many of these services can be expanded in the menu to reveal further choices of detection sources within a given service. |
127
127
|**Tags**| Select one or multiple tag names from the list. |
128
128
|**Multiple category**| Specify whether the filter is for more than one category. |
129
129
|**Categories**| Choose categories to focus on specific tactics, techniques, or attack components seen. |
@@ -137,6 +137,9 @@ This table lists the filter names that are available.
137
137
|**Alert policies**| Specify an alert policy title. |
138
138
|**Alert subscription IDs**| Specify an alert based on a subscription ID. |
139
139
140
+
> [!NOTE]
141
+
> If you have provisioned access to Microsoft Purview Insider Risk Management, you can view and manage insider risk management alerts and hunt for insider risk management events in the Microsoft Defender portal. For more information, see [Investigate insider risk threats in the Microsoft Defender portal](irm-investigate-alerts-defender.md).
142
+
140
143
The default filter is to show all alerts and incidents with a status of **New** and **In progress** and with a severity of **High**, **Medium**, or **Low**.
141
144
142
145
You can quickly remove a filter by selecting the **X** in the name of a filter in the **Filters** list.
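Review bot: the phrase `If you have provisioned access to Microsoft Purview Insider Risk Management` in the new note is awkward and leaves unclear who does the provisioning; suggest `If you have access to Microsoft Purview Insider Risk Management` or `If access to ... has been provisioned for your tenant`. Also confirm that the relative link target `irm-investigate-alerts-defender.md` exists alongside this file, since this note is the only reference to it in the change.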