Merge branch 'main' into WI370672-release-note-network-requirement-updates

Author: padmagit77

defender-xdr/advanced-hunting-datasecuritybehaviors-table.md

@@ -47,12 +47,12 @@ For information on other tables in the advanced hunting schema, [see the advance
 |-------------|-----------|-------------|
 |`Timestamp` | `datetime`	| Date and time when the record was generated or updated |
 |`BehaviorId` | `string` | Unique identifier for the behavior |
-|`ActionType`|	`string`|Type of behavior. Refer to the catalog of behaviors detected by Microsoft Purview Insider Risk Management |
+|`ActionType`|	`string`|Type of behavior. Refer to the catalog of behaviors detected by Microsoft Purview Insider Risk Management. |
 |`StartTime`|	`datetime`	|Date and time of the first activity related to the behavior|
 |`EndTime`|	`datetime`|	Date and time of the last activity related to the behavior|
 |`AttackTechniques`|	`string`|	MITRE ATT&CK techniques associated with the activity that triggered the behavior. Refer to subtechniques in the insider risk management behavior catalog.|
 |`Categories`|	`string`|	Type of threat indicator or breach activity identified by the behavior|
-|`ActivityType`|	`enum`|	Activity category based on categories in Microsoft Purview Insider Risk Management|
+|`ActionCategory`|	`enum`|	Category of action that triggered the event |
 |`Description`|	`string`|	Description of the behavior|
 |`ServiceSource`|	`string`|	Product or service that identified the behavior|
 |`DetectionSource`|	`string`|	Detection technology or sensor that identified the notable component or activity|

defender-xdr/advanced-hunting-datasecurityevents-table.md

@@ -50,7 +50,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 |`DlpPolicyMatchInfo`|	`string`|	Information around the list of data loss prevention (DLP) policies matching this event|
 |`DlpPolicyEnforcementMode`|	`int`|	Indicates the Data Loss Prevention policy that was enforced; value can be: 0 (None), 1 (Audit), 2 (Warn), 3 (Warn and bypass), 4 (Block), 5 (Allow)|
 |`DlpPolicyRuleMatchInfo`|	`dynamic`|	Details of the data loss prevention (DLP)  rules that matched with this event; in JSON array format|
-|`FileRenameInfo`|`string`|	Details of the file (file name and extension) prior to this event|
+|`FileRenameInfo`|`string`|	Details of the file (file name and extension) before this event|
 |`PhysicalAccessPointId`|	`string`|	Unique identifier for the physical access point|
 |`PhysicalAccessPointName`|	`string`|	Name of the physical access point|
 |`PhysicalAccessStatus`	|`string`|	Status of physical access, whether it succeeded or failed|
@@ -67,7 +67,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 |`Department`|`string`|	Name of the department that the account user belongs to|
 |`SourceCodeInfo`|	`string`|	Details of the source code repository involved in the event|
 |`CcPolicyMatchInfo`|	`dynamic` | Details of the Communications Compliance policy matches for this event; in JSON array format |
-|`IPAddress`|	`string`|	IP addresses of the clients on which the activity was performed; can contain multiple Ips if related to Microsoft Defender for Cloud Apps alerts|
+|`IPAddress`|	`string`|	IP addresses of the clients on which the activity was performed; can contain multiple IPs if related to Microsoft Defender for Cloud Apps alerts|
 |`Timestamp`|	`datetime`|	Date and time when the event was recorded|
 |`DeviceSourceLocationType`|	`int`|	Indicates the type of location where the endpoint signals originated from; values can be: 0 (Unknown), 1 (Local), 2 (Remote), 3 (Removable), 4 (Cloud), 5 (File share)|
 |`DeviceDestinationLocationType`|	`int`|	Indicates the type of location where the endpoint signals connected to; values can be: 0 (Unknown), 1 (Local), 2 (Remote), 3 (Removable), 4 (Cloud), 5 (File share)|
@@ -82,8 +82,8 @@ For information on other tables in the advanced hunting schema, [see the advance
 |`InternetMessageId`|`string`	|Public-facing identifier for the email or Teams message that is set by the sending email system |
 |`NetworkMessageId`|	`guid`|	Unique identifier for the email, generated by Microsoft 365 |
 |`EmailSubject`|	`string`|	Subject of the email|
-|`ObjectId`|	`string`	|Unique identifier of the object that the recorded action was applied to, in case of files it includes the extension|
-|`ObjectName`|	`string`|	Name of the object that the recorded action was applied to, in case of files it includes the extension|
+|`ObjectId`|	`string`	|Unique identifier of the object that the recorded action was applied to, in case of files, it includes the extension|
+|`ObjectName`|	`string`|	Name of the object that the recorded action was applied to, in case of files, it includes the extension|
 |`ObjectType`|	`string`|	Type of object, such as a file or a folder, that the recorded action was applied to|
 |`ObjectSize`|	`int`|	Size of the object in bytes|
 |`IsHidden`|	`bool`|	Indicates whether the user has marked the content as hidden (True) or not (False) |
@@ -102,6 +102,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 |`Workload`|`string`|	The Microsoft 365 service where the event occurred|
 |`IrmActionCategory`|	`enum`|	A unique enumeration value indicating the activity category in Microsoft Purview Insider Risk Management|
 |`SequenceCorrelationId`|`string`	|Details of the sequence activity|
+|`CloudAppAlertId`|`string`	| Unique identifier for the alert in Microsoft Defender for Cloud Apps |
 
 
 ## Related articles

defender-xdr/autoad-results.md

@@ -9,7 +9,7 @@ ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
 ms.date: 06/19/2024
-manager: dansimp
+manager: deniseb
 audience: ITPro
 ms.collection: 
 - m365-security
@@ -19,15 +19,14 @@ ms.custom:
 - autoir
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
+appliesto:
+- Microsoft Defender XDR
 ---
 
 # Details and results of an automatic attack disruption action
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- Microsoft Defender XDR
-
 When an automatic attack disruption triggers in Microsoft Defender XDR, the details about the risk and the containment status of compromised assets are available during and after the process. You can view the details on the incident page, which provides the full details of the attack and the up-to-date status of associated assets.
 
 ## Review the incident graph
@@ -58,16 +57,18 @@ You can use specific queries in [advanced hunting](advanced-hunting-overview.md)
 Contain actions triggered by attack disruption are found in the [DeviceEvents table](advanced-hunting-deviceevents-table.md) in advanced hunting. Use the following queries to hunt for these specific contain actions:
 
 - Device contain actions:
-```Kusto
-DeviceEvents
-| where ActionType contains "ContainedDevice"
-```
+
+  ```Kusto
+  DeviceEvents
+  | where ActionType contains "ContainedDevice"
+  ```
 
 - User contain actions:
-```Kusto
-DeviceEvents
-| where ActionType contains "ContainedUser"
-```
+
+  ```Kusto
+  DeviceEvents
+  | where ActionType contains "ContainedUser"
+  ```
 
 ### Hunt for disable user account actions
 

defender-xdr/automatic-attack-disruption.md

@@ -7,28 +7,26 @@ f1.keywords:
 ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
-manager: dansimp
+manager: deniseb
 audience: ITPro
 ms.collection: 
   - m365-security
   - tier1
   - usx-security
   - usx-security
-ms.topic: conceptual
+ms.topic: concept-article
 search.appverid: 
   - MOE150
   - MET150
 ms.date: 09/11/2024
+appliesto:
+  - Microsoft Defender XDR
 ---
 
 # Automatic attack disruption in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-
 Microsoft Defender XDR correlates millions of individual signals to identify active ransomware campaigns or other sophisticated attacks in the environment with high confidence. While an attack is in progress, Defender XDR disrupts the attack by automatically containing compromised assets that the attacker is using through automatic attack disruption.
 
 Automatic attack disruption limits lateral movement early on and reduces the overall impact of an attack, from associated costs to loss of productivity. At the same time, it leaves security operations teams in complete control of investigating, remediating, and bringing assets back online.
@@ -105,7 +103,7 @@ The Defender XDR user experience now includes additional visual cues to ensure v
 
     - A tag titled *Attack Disruption* appears next to affected incidents
 
-1. On the incident page:
+2. On the incident page:
 
     - A tag titled *Attack Disruption*
     - A yellow banner at the top of the page that highlights the automatic action taken
@@ -121,7 +119,7 @@ For more information, see [view attack disruption details and results](autoad-re
 
 ## Next steps
 
-- [Configuring automatic attack disruption in Microsoft Defender XDR](configure-attack-disruption.md)
+- [Configure automatic attack disruption](configure-attack-disruption.md)
 - [View details and results](autoad-results.md)
 - [Get email notifications for response actions](m365d-response-actions-notifications.md)
 

defender-xdr/configure-deception.md

@@ -1,6 +1,6 @@
 ---
 title: Configure the deception capability in Microsoft Defender XDR
-description: Learn how to create, edit, and delete deception rules in Microsoft Defender XDR.
+description: Learn how to create, edit, and delete deception rules in the Microsoft Defender portal.
 ms.service: defender-xdr
 f1.keywords: 
 - NOCSH
@@ -12,21 +12,20 @@ audience: ITPro
 ms.collection: 
 - m365-security
 - tier1
-ms.topic: conceptual
+ms.topic: how-to
 search.appverid: 
 - MOE150
 - MET150
 ms.date: 01/12/2024
+appliesto:
+- Microsoft Defender XDR
+#customer intent: As a security analyst, I want to learn how to configure the deception capability so that I can protect my organization from high-impact attacks that use human-operated lateral movement.
 ---
 
 # Configure the deception capability in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-
 > [!NOTE]
 > The built-in [deception](deception-overview.md) capability in Microsoft Defender XDR covers all Windows clients onboarded to Microsoft Defender for Endpoint. Learn how to onboard clients to Defender for Endpoint in [Onboard to Microsoft Defender for Endpoint](/defender-endpoint/onboarding).
 

defender-xdr/custom-detection-rules.md

@@ -123,11 +123,11 @@ With the query in the query editor, select **Create detection rule** and specify
 
 - **Detection name** - Name of the detection rule; should be unique
 - **Frequency** -Interval for running the query and taking action. [See more guidance in the rule frequency section](#rule-frequency)
-- **Alert title** - Title displayed with alerts triggered by the rule; should be unique.
+- **Alert title** - Title displayed with alerts triggered by the rule; should be unique and in plaintext. Strings are sanitized for security purposes so HTML, Makrdown, and other code won't work.
 - **Severity** - Potential risk of the component or activity identified by the rule.
 - **Category** - Threat component or activity identified by the rule.
 - **MITRE ATT&CK techniques** - One or more attack techniques identified by the rule as documented in the [MITRE ATT&CK framework](https://attack.mitre.org/). This section is hidden for certain alert categories, including malware, ransomware, suspicious activity, and unwanted software.
-- **Description** - More information about the component or activity identified by the rule.
+- **Description** - More information about the component or activity identified by the rule. Strings are sanitized for security purposes so HTML, Makrdown, and other code won't work.
 - **Recommended actions** - Additional actions that responders might take in response to an alert.
 
 #### Rule frequency

defender-xdr/deception-overview.md

@@ -7,27 +7,26 @@ f1.keywords:
 ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
-manager: dansimp
+manager: deniseb
 audience: ITPro
 ms.collection: 
 - m365-security
 - tier1
-ms.topic: conceptual
+ms.topic: concept-article
 search.appverid: 
 - MOE150
 - MET150
 ms.date: 08/14/2024
+appliesto:
+- Microsoft Defender XDR
+- Microsoft Defender for Endpoint
+#customer intent: As a security analyst, I want to understand how to manage the deception capability in Microsoft Defender XDR to detect human-operated attacks with lateral movement.
 ---
 
 # Manage the deception capability in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-- Microsoft Defender for Endpoint
-
 > [!IMPORTANT]
 > Some information in this article relates to prereleased products/services that might be substantially modified before commercially release. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
@@ -63,9 +62,9 @@ Attackers interacting with the fake network assets set up by the deception capab
 
 The built-in deception capability in the Microsoft Defender portal uses rules to make decoys and lures that match your environment. The feature applies machine learning to suggest decoys and lures that are tailored to your network. You can also use the deception feature to manually create the decoys and lures. These decoys and lures are then automatically deployed to your network and planted to devices you specify using PowerShell.
 
-:::image type="content" source="/defender/media/deception/fig1-deception.png" alt-text="Screenshot of an attack with lateral movement and where deception intercepts the attack" lightbox="/defender/media/deception/fig1-deception.png":::
+Deception technology, through high confidence detections of human-operated lateral movement, alerts security teams when an attacker interacts with fake hosts or lures. Here's the process of how the deception capability works:
 
-*Figure 1. Deception technology, through high confidence detections of human-operated lateral movement, alerts security teams when an attacker interacts with fake hosts or lures*
+:::image type="content" source="/defender/media/deception/fig1-deception.png" alt-text="Screenshot of an attack with lateral movement and where deception intercepts the attack" lightbox="/defender/media/deception/fig1-deception.png":::
 
 **Decoys** are fake devices and accounts that appear to belong to your network. **Lures** are fake content planted on specific devices or accounts and are used to attract an attacker. The content can be a document, a configuration file, cached credentials, or any content that an attacker can likely read, steal, or interact with. Lures imitate important company information, settings, or credentials.
 
@@ -94,9 +93,9 @@ The alert details contain:
 - The decoy device or user account where the alert originated
 - The type of attack like sign in attempts or lateral movement attempts
 
-:::image type="content" source="/defender/media/deception/deception-alert-small.png" alt-text="Screenshot of a deception alert highlighting the tag and the attempt" lightbox="/defender/media/deception/deception-alert.png":::
+Here's an example of a deception-related alert:
 
-*Figure 2. Details of a deception-related alert*
+:::image type="content" source="/defender/media/deception/deception-alert-small.png" alt-text="Screenshot of a deception alert highlighting the tag and the attempt" lightbox="/defender/media/deception/deception-alert.png":::
 
 ## Next step
 

defender-xdr/m365d-action-center.md

@@ -9,7 +9,7 @@ ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
 ms.date: 5/9/2024
-manager: dansimp
+manager: deniseb
 audience: ITPro
 ms.collection:
 - m365-security
@@ -19,13 +19,13 @@ ms.custom:
 - autoir
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
+appliesto:
+- Microsoft Defender XDR
+#customer intent: As a SOC analyst, I want to understand how to view and approve automated investigation and remediation tasks in the Action center.
 ---
 
 # The Action center
 
-**Applies to:**
-- Microsoft Defender XDR
-
 The Action center provides a "single pane of glass" experience for incident and alert tasks such as:
 
 - Approving pending remediation actions.

defender-xdr/m365d-autoir-actions.md

@@ -9,7 +9,7 @@ ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
 ms.date: 11/25/2024
-manager: dansimp
+manager: deniseb
 audience: ITPro
 ms.collection: 
 - m365-security
@@ -19,13 +19,13 @@ ms.custom:
 - autoir
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
+appliesto:
+- Microsoft Defender XDR
+#customer intent: As a SOC analyst, I want to understand how to view and manage remediation actions in the Action center
 ---
 
 # View and manage actions in the Action center
 
-**Applies to:**
-- Microsoft Defender XDR
-
 Threat protection features in Microsoft Defender XDR can result in certain remediation actions. Here are some examples:
 
 - [Automated investigations](m365d-autoir.md) can result in remediation actions that are taken automatically or await your approval.

defender-xdr/m365d-autoir-report-false-positives-negatives.md

@@ -19,15 +19,14 @@ ms.custom:
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
 ms.date: 07/14/2023
+appliesto:
+- Microsoft Defender XDR
 ---
 
 # Address false positives or false negatives in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- Microsoft Defender XDR
-
 False positives or negatives can occasionally occur with any threat protection solution. If [automated investigation and response capabilities](m365d-autoir.md) in Microsoft Defender XDR missed or wrongly detected something, there are steps your security operations team can take:
 
 - [Report a false positive/negative to Microsoft](#report-a-false-positivenegative-to-microsoft-for-analysis)