Merge branch 'mdav-release' of https://github.com/MicrosoftDocs/defender-docs-pr into mdav-release

Author: denisebmsft

defender-endpoint/indicator-ip-domain.md

@@ -61,7 +61,7 @@ You can block malicious IPs/URLs through the settings page or by machine groups,
 
 ## Before you begin
 
-It's important to understand the following prerequisites before creating indicators for IPS, URLs, or domains.
+It's important to understand the following prerequisites before creating indicators for IPs, URLs, or domains.
 
 ### Microsoft Defender Antivirus version requirements
 

defender-endpoint/linux-exclusions.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 02/19/2025
+ms.date: 02/21/2025
 ---
 
 # Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
@@ -71,7 +71,7 @@ The following table shows the exclusion types supported by Defender for Endpoint
 |Process|A specific process (specified either by the full path or file name) and all files opened by it.<br/>*We recommend using full and trusted process launch path.*|`/bin/cat`<br/>`cat`<br/>`c?t`|
 
 > [!IMPORTANT]
-> The paths used must be hard links, not symbolic links, in order to be successfully excluded. You can check if a path is a symbolic link by running `file <path-name>`. When implementing global process exclusions, exclude only what is absolutely necessary to ensure system reliability and security. Verify that the process is known and trusted, specify the complete path to the process location, and confirm that the process will consistently launch from the same trusted full path.
+> The paths used must be hard links, not symbolic links, in order to be successfully excluded. You can check if a path is a symbolic link by running `file <path-name>`. When implementing global process exclusions, exclude only what is necessary to ensure system reliability and security. Verify that the process is known and trusted, specify the complete path to the process location, and confirm that the process will consistently launch from the same trusted full path.
 
 ### File, folder, and process exclusions support the following wildcards:
 
@@ -87,11 +87,11 @@ Wildcard|Description|Examples|
 
 ## How to configure the list of exclusions
 
-You can configure exclusions using a management console, Defender for Endpoint security settings management, or the command line.
+You can configure exclusions using a management Json configuration, Defender for Endpoint security settings management, or the command line.
 
 ### Using the management console
 
-To configure exclusions from Puppet, Ansible, or another management console, please refer to the following sample `mdatp_managed.json`.
+In enterprise environments, exclusions can also be managed through a configuration profile. Typically, you would use a configuration management tool like Puppet, Ansible, or another management console to push a file with the name `mdatp_managed.json` at the location `/etc/opt/microsoft/mdatp/managed/`. For more information, see [Set preferences for Defender for Endpoint on Linux](linux-preferences.md). Please refer to the following sample of `mdatp_managed.json`. 
 
 ```JSON
 {
@@ -138,43 +138,39 @@ To configure exclusions from Puppet, Ansible, or another management console, ple
 }
 ```
 
-For more information, see [Set preferences for Defender for Endpoint on Linux](linux-preferences.md).
-
 ### Using Defender for Endpoint security settings management
 
 > [!NOTE]
+> This method is currently in private Preview. To enable this feature, please reach out to [email protected].
 > Make sure to review the prerequisites: [Defender for Endpoint security settings management prerequisites](/mem/intune/protect/mde-security-integration#prerequisites)
 
-As a security administrator, you can configure Defender for Endpoint exclusions using the Microsoft Defender portal. This method is referred to as Defender for Endpoint security settings management. If you're using this method for the first time, make sure to complete the following procedures:
+You can use the Microsoft Intune admin center or the Microsoft Defender portal to manage exclusions as endpoint security policies and assign those policies to Microsoft Entra ID groups. If you're using this method for the first time, make sure to complete the following steps:
 
 #### 1. Configure your tenant to support security settings management
 
 1. In the [Microsoft Defender portal](https://security.microsoft.com), navigate to **Settings** > **Endpoints** > **Configuration Management** > **Enforcement Scope**, and then select the Linux platform. 
 
-2. Tag devices with the `MDE-Management` tag. Most devices enroll and receive the policy within minutes, although some might take up to 24 hours. For more information, see [Learn how to use Intune endpoint security policies to manage Microsoft Defender for Endpoint on devices that are not enrolled with Intune](/mem/intune/protect/mde-security-integration).
+2. Tag devices with the `MDE-Management` tag. Most devices enroll and receive the policy within minutes, although some might take up to 24 hours. For more information, see [Learn how to use Intune endpoint security policies to manage Microsoft Defender for Endpoint on devices that aren't enrolled with Intune](/mem/intune/protect/mde-security-integration).
 
 #### 2. Create a Microsoft Entra group
 
-Create a dynamic Microsoft Entra group that uses the operating system type to ensure that all devices onboarded to Defender for Endpoint receive policies. Using a dynamic group allows devices managed by Defender for Endpoint to be automatically added to the group, eliminating the need for admins to create new policies manually. For more information, see the following articles:
-
-- [Create Microsoft Entra Groups](/mem/intune/protect/mde-security-integration#create-microsoft-entra-groups) 
-- [Microsoft Entra groups overview](/entra/fundamentals/concept-learn-about-groups)
+Create a dynamic Microsoft Entra group based on the operating system type to ensure that all devices onboarded to Defender for Endpoint receive the appropriate policies. This dynamic group automatically includes devices managed by Defender for Endpoint, eliminating the need for admins to manually create new policies. For more information, see the following article: [Create Microsoft Entra Groups](/mem/intune/protect/mde-security-integration#create-microsoft-entra-groups) 
 
 #### 3. Create an endpoint security policy 
 
 1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Endpoints** > **Configuration management** > **Endpoint security policies**, and then select **Create new Policy**. 
 
 2. For Platform, select **Linux**.
 
-3. Select the required exclusion template (**Microsoft defender global exclusion (AV+EDR) for global exclusions and Microsoft defender antivirus exclusions for antivirus exclusions**), and then select **Create policy**.
+3. Select the required exclusion template (`Microsoft defender global exclusions (AV+EDR)` for global exclusions and `Microsoft defender antivirus exclusions` for antivirus exclusions), and then select **Create policy**.
 
 4. On the **Basics** page, enter a name and description for the profile, then choose **Next**.
 
 5. On the **Settings** page, expand each group of settings, and configure the settings you want to manage with this profile.
 
 6. When you're done configuring settings, select **Next**.
 
-7. On the **Assignments** page, select the groups that will receive this profile. Then select **Next**.
+7. On the **Assignments** page, select the groups that receive this profile. Then select **Next**.
 
 8. On the **Review + create** page, when you're done, select **Save**. The new profile is displayed in the list when you select the policy type for the profile you created.
 
@@ -420,7 +416,7 @@ To get the name of a detected threat, run the following command:
 mdatp threat list
 ```
 
-For example, to add `EICAR-Test-File (not a virus)` to the allow list, run the following command:
+For example, to add `EICAR-Test-File (not a virus)` to the allowlist, run the following command:
 
 ```bash
 mdatp threat allowed add --name "EICAR-Test-File (not a virus)"

defender-office-365/defender-for-office-365-whats-new.md

@@ -174,7 +174,7 @@ For more information on what's new with other Microsoft Defender security produc
 
 ## April 2023
 
-- [Using machine learning to drive more effective simulations in Attack Simulation and Training](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/attack-simulation-training-using-machine-learning-to-drive-more/ba-p/3791023): Make use of intelligent predicted compromise rate (PCR) and Microsoft Defender for Office 365 payload recommendations for utilizing high-quality payloads in your simulation.
+- [Using machine learning to drive more effective simulations in Attack Simulation and Training](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/attack-simulation-training-using-machine-learning-to-drive-more-effective-simula/3791023): Make use of intelligent predicted compromise rate (PCR) and Microsoft Defender for Office 365 payload recommendations for utilizing high-quality payloads in your simulation.
 - [Training only campaigns available with an expanded library](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/training-only-campaign-is-now-available-with-an-expanded-training-module-library/3795237): You can now directly assign training content to your organization without needing to tie training to a phishing simulation campaign. We have also expanded our training module library to more than 70 different modules.
 
 ## March 2023

defender-office-365/mdo-portal-permissions.md

@@ -39,6 +39,9 @@ You need to be member of the **Global Administrator**<sup>\*</sup> role in Micro
 - Some Defender for Office 365 features require additional permissions in Exchange Online. For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
 - Microsoft Defender XDR has its own Unified role-based access control (RBAC). This model provides a single permissions management experience in one central location where admins can control permissions across different security solutions. These permissions are different from the permissions described in this article. For more information, see [Microsoft Defender XDR role-based access control (RBAC)](/defender-xdr/manage-rbac).
 - **If you activate Defender XDR RBAC for Email & collaboration, the permissions page at <https://security.microsoft.com/emailandcollabpermissions> is no longer available in the Defender portal, so you need to ensure that you configure or import your roles _before_ you activate Defender XDR Unified RBAC.**
+
+  :::image type="content" source="media/defender-xdr-rbac-permissions-page.png" alt-text="Screenshot of the Permissions page in the Microsoft Defender portal showing Microsoft Defender XDR roles and Email & Collaboration roles." lightbox="media/defender-xdr-rbac-permissions-page.png":::
+
 - For information about permissions in the Microsoft Purview compliance portal, see [Permissions in the Microsoft Purview compliance portal](/purview/microsoft-365-compliance-center-permissions).
 
 > [!IMPORTANT]

defender-office-365/scc-permissions.md

@@ -20,7 +20,7 @@ description: Admins can learn about the roles and role groups in Microsoft Defen
 ms.custom: 
 - seo-marvel-apr2020
 ms.service: defender-office-365
-ms.date: 11/27/2024
+ms.date: 02/20/2025
 ---
 
 # Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview
@@ -43,8 +43,10 @@ This article contains the inventory of Defender for Office 365 and Microsoft Pur
 
 > [!NOTE]
 > In the Microsoft Defender XDR preview program, a different Microsoft Defender 365 RBAC model is also available. The permissions in this RBAC model are different from the Defender for Office 365 permissions as described in this article. For more information, see [Microsoft Defender XDR role-based access control (RBAC)](/defender-xdr/manage-rbac).
-> 
-> **If you activate Defender XDR RBAC for Email & collaboration, the permissions page at <https://security.microsoft.com/emailandcollabpermissions> is no longer available in the Defender portal**.
+>
+> **If you activate Defender XDR RBAC for Email & collaboration, the permissions page at <https://security.microsoft.com/emailandcollabpermissions> is no longer available in the Defender portal, so you need to ensure that you configure or import your roles _before_ you activate Defender XDR Unified RBAC.**
+>
+> :::image type="content" source="media/defender-xdr-rbac-permissions-page.png" alt-text="Screenshot of the Permissions page in the Microsoft Defender portal showing Microsoft Defender XDR roles and Email & Collaboration roles." lightbox="media/defender-xdr-rbac-permissions-page.png":::
 
 ## Role groups in Microsoft Defender for Office 365 and Microsoft Purview
 

defender-xdr/TOC.yml

@@ -55,13 +55,13 @@
     - name: Protect against threats
       items:
       - name: Protect your endpoints
-        href: /defender-endpoint
+        href: /defender-endpoint/microsoft-defender-endpoint?toc=/defender-xdr/toc.json&bc=/defender-xdr/breadcrumb/toc.json
       - name: Protect your identities
-        href: /defender-for-identity
+        href: /defender-for-identity/what-is?toc=/defender-xdr/toc.json&bc=/defender-xdr/breadcrumb/toc.json
       - name: Protect your Office 365 workloads
-        href: /defender-office-365
+        href: /defender-office-365/mdo-about?toc=/defender-xdr/toc.json&bc=/defender-xdr/breadcrumb/toc.json
       - name: Protect your cloud apps
-        href: /defender-cloud-apps
+        href: /defender-cloud-apps/what-is-defender-for-cloud-apps?toc=/defender-xdr/toc.json&bc=/defender-xdr/breadcrumb/toc.json
       - name: Microsoft Secure Score
         items:
           - name: Overview

defender-xdr/advanced-hunting-datasecuritybehaviors-table.md

@@ -57,7 +57,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 |`ServiceSource`|	`string`|	Product or service that identified the behavior|
 |`DetectionSource`|	`string`|	Detection technology or sensor that identified the notable component or activity|
 |`ActivityCount`|	`int`|	Total user activity events recorded under this behavior|
-|`IsAnomalous`|	`bool`|	Indicates if this user behavior is anomalous by itself or based on insider risk management global settings|
+|`IsAnomalous`|	`bool`|	Indicates if this behavior is anomalous (1) or not (0)|
 |`IsContentHidden`|	`bool`|	Indicates if the behavior involves hidden content on a device|
 |`AccountUpn`|	`string`|	User principal name (UPN) of the account|
 |`AccountEmail`|	`string`|	Email address of the account|

defender-xdr/microsoft-365-security-center-defender-cloud.md

@@ -29,7 +29,7 @@ ms.custom: admindeeplinkDEFENDER
 - [Microsoft Defender XDR](microsoft-365-defender.md)
 - [Microsoft Defender for Cloud](/azure/defender-for-cloud/)
 
-[Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) is now part of Microsoft Defender XDR. Security teams can now access Defender for Cloud alerts and incidents within the Microsoft Defender portal, providing richer context to investigations that span cloud resources, devices, and identities. In addition, security teams can get the complete picture of an attack, including suspicious and malicious events that happen in their cloud environment, through immediate correlations of alerts and incidents.
+Security teams using Microsoft Defender for Cloud can now view Defender for Cloud alerts and incidents in the Microsoft Defender portal. This helps security teams gain richer context to investigations that include cloud workloads. In addition, security teams can get the complete picture of an attack, including suspicious and malicious events that happen in their cloud environment, through immediate correlations of alerts and incidents.
 
 The Microsoft Defender portal combines protection, detection, investigation, and response capabilities to protect attacks on device, email, collaboration, identity, and cloud apps. The portal's detection and investigation capabilities are now extended to cloud entities, offering security operations teams a single pane of glass to significantly improve their operational efficiency.