You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CloudAppSecurityDocs/get-started.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -160,7 +160,7 @@ Now the risk scores given to discovered apps are configured precisely according
160
160
Some features work best when they're customized to your needs.
161
161
Provide a better experience for your users with your own email templates. Decide what notifications you receive and customize your risk score metric to fit your organization's preferences.
162
162
163
-
## Step 7: Organize the data according to your needs
163
+
## Step 6: Organize the data according to your needs
164
164
165
165
**How to page**: [Working with IP ranges and tags](ip-tags.md)
Copy file name to clipboardExpand all lines: CloudAppSecurityDocs/includes/entra-conditional-access-policy.md
+9-3Lines changed: 9 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -30,7 +30,13 @@ Microsoft Entra ID supports both browser-based and non browser-based policies. W
30
30
31
31
Repeat this procedure to create a nonbrowser based Conditional Access policy. In the **Client apps** area, toggle the **Configure** option to **Yes**. Then, under **Modern authentication clients**, clear the **Browser** option. Leave all other default selections selected.
32
32
33
-
Note: The Enterprise application “Microsoft Defender for Cloud Apps – Session Controls” is used internally by the Conditional Access App Control service.
34
-
Please ensure the CA policy does not restrict access to this application in the **Target resources**.
35
-
36
33
For more information, see [Conditional Access policies](/azure/active-directory/conditional-access/overview) and [Building a Conditional Access policy](/entra/identity/conditional-access/concept-conditional-access-policies).
34
+
35
+
> [!NOTE]
36
+
> Microsoft Defender for Cloud Apps utilizes the application **Microsoft Defender for Cloud Apps - Session Controls** as part of the Conditional Access App Control service for user sign-in. This application is located within the 'Enterprise Applications' section of Entra ID.
37
+
To protect your SaaS applications with Session Controls, you must allow access to this application.
38
+
If you block access to this application through an Entra ID Conditional Access policy, end users won't be able to access the protected applications under session controls. <br>
39
+
>
40
+
>It's important to ensure that this application isn't unintentionally restricted by any Conditional Access policies. For policies that restrict all or certain applications, please ensure this application is listed as an exception in the **Target resources** or confirm that the blocking policy is deliberate.<br>
41
+
>
42
+
>To ensure your location-based conditional access policies function correctly, include the **Microsoft Defender for Cloud Apps – Session Controls** application in those policies.
Copy file name to clipboardExpand all lines: CloudAppSecurityDocs/ip-tags.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -40,7 +40,7 @@ In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps*
40
40
41
41
-**Corporate**: These IPs should be all the public IP addresses of your internal network, your branch offices, and your Wi-Fi roaming addresses.
42
42
43
-
-**Risky**: These IPs should be any IP addresses that you consider risky. They can include suspicious IP addresses you've seen in the past, IP addresses in your competitors' networks, and so on.
43
+
-**Risky**: These IPs should be any IP addresses that you consider risky. They can include suspicious IP addresses you've seen in the past, IP addresses in your competitors' networks, and so on. It is suggested to be cautious with applying automatic governance actions only based on risky IP, since there are some cases when IPs that serve malicious actors are also being in use by legitimate employees, hence our recommendation is to examine each case by itself.
44
44
45
45
-**VPN**: These IPs should be any IP addresses you use for remote workers. By using this category, you can avoid raising [impossible travel](anomaly-detection-policy.md#impossible-travel) alerts when employees connect from their home locations via the corporate VPN.
Copy file name to clipboardExpand all lines: CloudAppSecurityDocs/policies-threat-protection.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -88,7 +88,7 @@ You must have at least one app connected using [app connectors](enable-instant-v
88
88
89
89
## Detect and alert when Admin activity is detected on risky IP addresses
90
90
91
-
Detect admin activities performed from and IP address that is considered a risky IP address, and notify the system admin for further investigation or set a governance action on the admin's account.
91
+
Detect admin activities performed from and IP address that is considered a risky IP address, and notify the system admin for further investigation or set a governance action on the admin's account. Learn more [how to work with IP ranges and Risky IP](/defender-cloud-apps/ip-tags).
Copy file name to clipboardExpand all lines: CloudAppSecurityDocs/troubleshooting-api-connectors-using-error-messages.md
+1Lines changed: 1 addition & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -49,6 +49,7 @@ App connector errors can be seen in the app connector dialog after attempting to
49
49
> |Get Permissions: NoHttpResponseException: `*******.salesforce.com:443` failed to respond|Salesforce|IP restriction on customer ENV.|In the Salesforce portal, under **Setup** > **Session Settings**, clear the **Lock sessions to the IP address from which they originated** check box.|
50
50
> |team_not_authorized|Slack|Slack Discovery API is not enabled.|Contact Slack support and ask to enable Discovery API.|
51
51
> |RuntimeException: com.adallom.adalib.httputils.exceptions.HttpRequestFailure: Server returned: 403 Forbidden|ServiceNow|Permissions are incorrect|Follow the process to connect ServiceNow to Defender for Cloud Apps again using an admin account.|
52
+
> |Operation you are attempting to perform is not supported by your plan|Smartsheet|The Smartsheet Plan is not correct, an enterprise license with the platinum package is required|Upgrade Smartsheet license.|
52
53
> |Get events: {"code":403,"serverResponse"<br />Get users: {"code":403,"serverResponse"<br />…<br />"body":"{"error":"permission denied"}"|Workday|Insufficient permission to access audit logs and/or user endpoints|Verify all permissions are in place. [Learn more](./connect-workday.md#prerequisites)|
53
54
> |"code":400,"serverResponse"<br />…<br />body":"{"error":"invalid_grant"}|Workday|Authentication issue|Account used to set up the instance may be locked or disabled. To verify, view the Workday account and select **View Sign-on History**. You may see an authentication failure message in the report specifying that the System Account is disabled. [Learn more](./connect-workday.md#how-to-connect-workday-to-defender-for-cloud-apps-using-oauth)|
54
55
> |"code":401,"serverResponse":<br />…<br />body":"{"error":"invalid_client"}"|Workday|Client token validity issue|OAuth 2.0 REST API Client token not valid. The token may have expired, or may be incorrect. Generate another token and assign it to the connected instance. [Learn more](./connect-workday.md#how-to-connect-workday-to-defender-for-cloud-apps-using-oauth)|
Copy file name to clipboardExpand all lines: defender-endpoint/evaluate-exploit-protection.md
+4-2Lines changed: 4 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,7 @@ ms.collection:
15
15
- tier2
16
16
- mde-asr
17
17
search.appverid: met150
18
-
ms.date: 11/21/2024
18
+
ms.date: 02/03/2025
19
19
---
20
20
21
21
# Evaluate exploit protection
@@ -89,6 +89,8 @@ For Adobe Reader use the following ASR rule:
89
89
90
90
• [Block Adobe Reader from creating child processes](attack-surface-reduction-rules-reference.md#block-adobe-reader-from-creating-child-processes)
91
91
92
+
[Google Chrome ](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/faq.md#Can-I-use-EMET-to-help-protect-Chrome-against-attack-on-Microsoft-Windows)no longer recommends enabling Exploit Protection (EMET) because it's redundant or superseded with built-in attack mitigations.
93
+
92
94
## Application compatibility list
93
95
94
96
The following table lists specific products that have compatibility issues with the mitigations that are included in exploit protection. You must disable specific incompatible mitigations if you want to protect the product by using exploit protection. Be aware that this list takes into consideration the default settings for the latest versions of the product. Compatibility issues can introduced when you apply certain add-ins or other components to the standard software.
@@ -102,7 +104,7 @@ The following table lists specific products that have compatibility issues with
102
104
| Certain AMD (ATI) video drivers | System ASLR=AlwaysOn |
103
105
| DropBox | EAF |
104
106
| Excel Power Query, Power View, Power Map and PowerPivot | EAF |
105
-
| Google Chrome | EAF+ |
107
+
| Google Chrome ([no longer recommended](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/faq.md#Can-I-use-EMET-to-help-protect-Chrome-against-attack-on-Microsoft-Windows))| EAF+ |
106
108
| Immidio Flex+ | EAF |
107
109
| Microsoft Office Web Components (OWC) | System DEP=AlwaysOn |
Copy file name to clipboardExpand all lines: defender-endpoint/troubleshoot-collect-support-log.md
+1-9Lines changed: 1 addition & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,7 +14,7 @@ ms.collection:
14
14
ms.topic: troubleshooting
15
15
ms.subservice: edr
16
16
search.appverid: met150
17
-
ms.date: 11/18/2024
17
+
ms.date: 02/03/2025
18
18
---
19
19
20
20
# Collect support logs in Microsoft Defender for Endpoint using live response
@@ -69,14 +69,6 @@ This article provides instructions on how to run the tool via Live Response on W
69
69
70
70
- The latest preview version of MDEClientAnalyzer can be downloaded here: <https://aka.ms/MDEClientAnalyzerPreview>.
71
71
72
-
- If you can't allow the machine to reach the above URL, then upload `MDEClientAnalyzerPreview.zip` file to the library before running the LiveAnalyzer script:
- For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or doesn't appear in Microsoft Defender for Endpoint portal as expected, see [Verify client connectivity to Microsoft Defender for Endpoint service URLs](verify-connectivity.md).
81
73
82
74
- As described in [Live response command examples](live-response-command-examples.md), you might want to use the `&` symbol at the end of the command to collect logs as a background action:
| - | Fixed inaccuracy in BeyondTrust Remote Support | 22-Jan-25 |
56
56
| 68411 | Fixed inaccurate detections in WebM Project libwebp by excluding razer file path | 22-Jan-25 |
57
57
| 77999 | Defender Vulnerability Management doesn't currently support these four ESET vulnerabilities: <br/>- CVE-2020-11446<br/>- CVE-2023-5594<br/>- CVE-2023-3160<br/>- CVE-2024-7400 | 22-Jan-25 |
58
-
58
+
| - | Updated existing normalization rule for Adobe Acrobat Reader to detect raw names with 'neopackage'| 22-Jan-25 |
59
+
| 70377 | Fixed incorrect detections in Microsoft Teams by excluding incorrect Raw Product Names Vida | 22-Jan-25 |
60
+
| 74420 | Fixed incorrect detections in Toggl Track by excluding incorrect Raw Product Names WeChat | 22-Jan-25 |
61
+
| 75694 | Fixed incorrect detections in McAfee by excluding incorrect Raw Product Names Drive Encryption | 22-Jan-25 |
62
+
| 71402 | Fixed incorrect detections in Smoothwall by excluding incorrect Raw Product Names Smoothwall Unified Client | 22-Jan-25 |
63
+
| 76607 | Fixed inaccuracy in Dell BeyondCompare by excluding incorrect Raw Product Names Scooter Software | 22-Jan-25 |
64
+
| - | Added normalization rule for Microsoft Visual Studio 2015 to improve detection logic | 22-Jan-25 |
65
+
| 79328 | Fixed incorrect detections in Microsoft Monitoring Agent by excluding incorrect Raw Product Names MDOP MBAM | 22-Jan-25 |
66
+
| 83419 | Added Microsoft Defender Vulnerability Management support to Sinclair MakeMeAdmin | 22-Jan-25 |
67
+
| 84540 | Fixed incorrect detections in Apple Xcode by excluding incorrect Raw Product Names ProtoPie and RocketSim | 22-Jan-25 |
68
+
| - | Fixed incorrect detections in Apache Tomcat by excluding incorrect Raw Product Names Commons Logging | 22-Jan-25 |
69
+
| 61679 | Defender Vulnerability Management doesn't currently support ESRI portal for Arcgis | 22-Jan-25 |
70
+
| - | Defender Vulnerability Management doesn't currently support Citrix Virtual Apps & Desktops | 22-Jan-25 |
59
71
60
72
## November 2024
61
73
@@ -72,8 +84,6 @@ The following tables present the relevant vulnerability information organized by
72
84
| Inaccuracy report ID | Description | Fix date |
73
85
|---|---|---|
74
86
| - | Fixed inaccuracy in Microsoft LibDB & NSS vulnerabilities | 03-Oct-24 |
75
-
| 70377 | Fixed incorrect detections in Microsoft Teams by excluding Vida from the Teams normalization rule | 09-Oct-24 |
76
-
| 74420 | Fixed incorrect detections in Toggl Track by excluding WeChat from the Toggl Track normalization rule | 09-Oct-24 |
Copy file name to clipboardExpand all lines: defender-xdr/alerts-incidents-correlation.md
+23-14Lines changed: 23 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,15 +18,15 @@ ms.topic: conceptual
18
18
search.appverid:
19
19
- MOE150
20
20
- MET150
21
-
ms.date: 10/25/2024
21
+
ms.date: 02/02/2025
22
22
appliesto:
23
23
- Microsoft Defender XDR
24
24
- Microsoft Sentinel in the Microsoft Defender portal
25
25
---
26
26
27
27
# Alert correlation and incident merging in the Microsoft Defender portal
28
28
29
-
This article explains how the Microsoft Defender portal aggregates and correlates the alerts that it collects from all the sources that produce them and send them to the portal. It explains how Defender creates incidents from these alerts, and how it continues to monitor their evolution, merging incidents together if the situation warrants. To learn more about alerts and their sources, and how incidents add value in the Microsoft Defender portal, see [Incidents and alerts in the Microsoft Defender portal](incidents-overview.md).
29
+
This article explains how the correlation engine in the Microsoft Defender portal aggregates and correlates the alerts collected from all the sources that produce them and send them to the portal. It explains how Defender creates incidents from these alerts, and how it continues to monitor their evolution, merging incidents together if the situation warrants. To learn more about alerts and their sources, and how incidents add value in the Microsoft Defender portal, see [Incidents and alerts in the Microsoft Defender portal](incidents-overview.md).
30
30
31
31
## Incident creation and alert correlation
32
32
@@ -56,36 +56,45 @@ Defender's correlation engine merges incidents when it recognizes common element
56
56
- Time frames
57
57
- Sequences of events that point to multistage attacks—for example, a malicious email click event that follows closely on a phishing email detection.
58
58
59
-
### Outcomes of the merge process
59
+
### Details of the merge process
60
60
61
-
When two or more incidents are merged, a new incident is not created to absorb them. Instead, the contents of one incident are migrated into the other incident, and the incident abandoned in the process is automatically closed. The abandoned incident is no longer visible or available in the Defender portal, and any reference to it is redirected to the consolidated incident. The abandoned, closed incident remains accessible in Microsoft Sentinel in the Azure portal. The contents of the incidents are handled in the following ways:
61
+
When two or more incidents are merged, a new incident is *not* created to absorb them. Instead, the contents of one incident (the **"source incident"**) are migrated into the other incident (the **"target incident"**), and the source incident is automatically closed. The source incident is no longer visible or available in the Defender portal, and any reference to it is redirected to the target incident. The source incident, though closed, remains accessible in Microsoft Sentinel in the Azure portal.
62
62
63
-
- Alerts contained in the abandoned incident are removed from it and added to the consolidated incident.
64
-
- Any tags applied to the abandoned incident are removed from it and added to the consolidated incident.
65
-
- A **`Redirected`** tag is added to the abandoned incident.
63
+
#### Merge direction
64
+
65
+
The direction of the incident merge refers to which incident is the source and which is the target. This direction is determined by Microsoft Defender, based on its own internal logic, with the goal of maximizing information retention and access. The user doesn't have any input into this decision.
66
+
67
+
#### Incident contents
68
+
69
+
The contents of the incidents are handled in the following ways:
70
+
71
+
- All alerts contained in the source incident are removed from the source incident and added to the target incident.
72
+
- Any tags applied to the source incident are removed from the source incident and added to the target incident.
73
+
- A **`Redirected`** tag is added to the source incident.
66
74
- Entities (assets etc.) follow the alerts they're linked to.
67
-
- Analytics rules recorded as involved in the creation of the abandoned incident are added to the rules recorded in the consolidated incident.
68
-
- Currently, comments and activity log entries in the abandoned incident are *not* moved to the consolidated incident.
75
+
- Analytics rules recorded as involved in the creation of the source incident are added to the rules recorded in the target incident.
76
+
- Currently, comments and activity log entries in the source incident are *not* moved to the target incident.
69
77
70
-
To see the abandoned incident's comments and activity history, open the incident in Microsoft Sentinel in the Azure portal. The activity history includes the closing of the incident and the adding and removal of alerts, tags, and other items related to the incident merge. These activities are attributed to the identity *Microsoft Defender XDR - alert correlation*.
78
+
To see the source incident's comments and activity history, open the incident in Microsoft Sentinel in the Azure portal. The activity history includes the closing of the incident and the adding and removal of alerts, tags, and other items related to the incident merge. These activities are attributed to the identity *Microsoft Defender XDR - alert correlation*.
71
79
72
80
### When incidents aren't merged
73
81
74
82
Even when the correlation logic indicates that two incidents should be merged, Defender doesn't merge the incidents under the following circumstances:
75
83
76
84
- One of the incidents has a status of "Closed". Incidents that are resolved don't get reopened.
77
-
- The two incidents eligible for merging are assigned to two different people.
78
-
- Merging the two incidents would raise the number of entities in the merged incident above the allowed maximum of 50 entities per incident.
85
+
- The source and target incidents are assigned to two different people.
86
+
- The source and target incidents have two different classifications (for example, true positive and false positive).
87
+
- Merging the two incidents would raise the number of entities in the target incident above the allowed maximum.
79
88
- The two incidents contain devices in different [device groups](/defender-endpoint/machine-groups) as defined by the organization. <br>(This condition is not in effect by default; it must be enabled.)
-[The power of incidents in Microsoft Defender XDR](https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/the-power-of-incidents-in-microsoft-365-defender/ba-p/3515483)
0 commit comments