Commit cce308a

authored
Merge branch 'main' into docs-editor/android-intune-1731646455
2 parents ba66ef3 + 7b52556 commit cce308a


94 files changed

+1211
-369
lines changed


defender-endpoint/attack-surface-reduction-rules-reference.md

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ ms.collection:
1515
- m365-security
1616
- tier2
1717
- mde-asr
18-
ms.date: 11/10/2024
18+
ms.date: 11/18/2024
1919
search.appverid: met150
2020
---
2121

@@ -330,6 +330,11 @@ By default the state of this rule is set to block. In most cases, many processes
330330

331331
Enabling this rule doesn't provide additional protection if you have LSA protection enabled since the ASR rule and LSA protection work similarly. However, when LSA protection cannot be enabled, this rule can be configured to provide equivalent protection against malware that target `lsass.exe`.
332332

333+
> [!TIP]
334+
> 1. ASR audit events don't generate toast notifications. However, since the LSASS ASR rule produces large volume of audit events, almost all of which are safe to ignore when the rule is enabled in block mode, you can choose to skip the audit mode evaluation and proceed to block mode deployment, beginning with a small set of devices and gradually expanding to cover the rest.
335+
> 2. The rule is designed to suppress block reports/toasts for friendly processes. It is also designed to drop reports for duplicate blocks. As such, the rule is well suited to be enabled in block mode, irrespective of whether toast notifications are enabled or disabled. 
336+
> 3. ASR in warn mode is designed to present users with a block toast notification that includes an "Unblock" button. Due to the "safe to ignore" nature of LSASS ASR blocks and their large volume, WARN mode is not advisable for this rule (irrespective of whether toast notifications are enabled or disabled).
337+
333338
> [!NOTE]
334339
> In this scenario, the ASR rule is classified as "not applicable" in Defender for Endpoint settings in the Microsoft Defender portal.
335340
> The *Block credential stealing from the Windows local security authority subsystem* ASR rule doesn't support WARN mode.
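Review bot: Item 3 of the new tip (line 336) says WARN mode "is not advisable" for this rule, while the existing note two lines below (line 340) says the rule doesn't support WARN mode at all; one of these is inaccurate, so keep the correct statement and align the casing ("warn mode" in the note versus "WARN mode" in the tip). Also, item 1 reads "produces large volume of audit events" and needs an article ("a large volume"), and item 2 ends with a trailing space.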

defender-endpoint/mac-whatsnew.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ author: deniseb
66
ms.author: deniseb
77
manager: deniseb
88
ms.localizationpriority: medium
9-
ms.date: 10/30/2024
9+
ms.date: 11/18/2024
1010
audience: ITPro
1111
ms.collection:
1212
- m365-security
@@ -41,7 +41,7 @@ For more information on Microsoft Defender for Endpoint on other operating syste
4141

4242
- In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device control's ability to intercept and block access to Bluetooth devices. At this time, the recommended mitigation is to use a version of macOS earlier than 14.3.1.
4343

44-
- In macOS Sequoia (version 15.0), if you have Network Protection enabled, you might see crashes of the network extension (NetExt). This issue results in intermittent network connectivity issues for end users. Please upgrade to macOS Sequoia version 15.0.1 or newer.
44+
- In macOS Sequoia (version 15.0), if you have Network Protection enabled, you might see crashes of the network extension (NetExt). This issue results in intermittent network connectivity issues for end users. Please upgrade to macOS Sequoia version 15.1 or newer.
4545

4646
## Sequoia support
4747
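Review bot: Raising the fix version from 15.0.1 to 15.1 (line 44) implies that 15.0.1 is also affected by the NetExt crashes, but the sentence still scopes the issue to "macOS Sequoia (version 15.0)"; state the affected range explicitly (for example "versions 15.0 and 15.0.1") so readers on 15.0.1 don't conclude they are unaffected. Consider dropping "Please" as well, since the other known-issue bullets give direct instructions.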

defender-endpoint/machines-view-overview.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -136,6 +136,7 @@ The available device properties to use as filters vary based on the device inven
136136
|**Device subtype**|<ul><li>**All devices**</li><li>**IoT/OT**</li></ul>|The subtype value assigned to the device. Enter a value or select an available value (for example, **Video conference**).|
137137
|**Device type**|<ul><li>**All devices**</li><li>**IoT/OT**</li></ul>|The type value assigned to the device. Enter a value or select an available value (for example, **Audio and Video**).|
138138
|**Device value**|All|The assigned value of the device. The available values are **High** and **Low**.|
139+
|**Discovery sources**|All|The source reporting on the device.|
139140
|**Exclusion state**|All|The available values are **Not excluded** and **Excluded**. For more information, see [Exclude devices](exclude-devices.md).|
140141
|**Exposure level**|All|The exposure level of the device based on pending security recommendations. The available values are: <ul><li>**High**</li><li>**Medium**</li><li>**Low**: Devices are less vulnerable to exploitation.</li><li>**No data available**: Possible causes for this value include: <ul><li>The device is inactive (stopped reporting for more than 30 days).</li><li>The OS on the device isn't supported. For more information, see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md).</li><li>The agent software on the device is stale (unlikely).</li></ul></li></ul>|
141142
|**First seen**|All tabs except **Network devices**|How long ago the device was first seen on the network or when it was first reported by the Microsoft Defender for Endpoint sensor. The available values are **Last 7 days** or **Over 7 days ago**.|
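Review bot: The description for the new **Discovery sources** filter row (line 139) is thinner than its neighbours: the adjacent rows list the available values or give an example, while this one only says "The source reporting on the device". List the source values a user can select, say whether a device can carry more than one source, and confirm that "All" in the second column is right (that the filter is available on every inventory tab).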
@@ -178,6 +179,7 @@ You can sort the entries by clicking on an available column header. Select :::im
178179
- **OS version**<sup\*</sup>
179180
- **Sensor health state**<sup\*</sup>
180181
- **Onboarding status**<sup\*</sup>
182+
- **Discovery sources**
181183
- **First seen**
182184
- **Last device update**<sup\*</sup>
183185
- **Tags**<sup\*</sup>
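Review bot: The context lines around the new entry (lines 179-181 and 183-185) carry a malformed `<sup\*</sup>` (the `>` after `sup` is missing), which renders the tag text literally instead of a superscript asterisk; since this hunk already touches the list, fix them to `<sup>\*</sup>` as the later column lists on the page do.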
@@ -204,6 +206,7 @@ You can sort the entries by clicking on an available column header. Select :::im
204206
- **Criticality level**<sup\*</sup>
205207
- **Sensor health state**<sup\*</sup>
206208
- **Onboarding status**<sup\*</sup>
209+
- **Discovery sources**
207210
- **Last device update**<sup\*</sup>
208211
- **First seen**
209212
- **Tags**<sup\*</sup>
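Review bot: Same malformed `<sup\*</sup>` on lines 206-208 and 210-212 of this list; correct it to `<sup>\*</sup>` in this change rather than leaving two of the five column lists rendering the raw tag.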
@@ -219,6 +222,7 @@ You can sort the entries by clicking on an available column header. Select :::im
219222
- **Vendor**<sup>\*</sup>
220223
- **Model**<sup>\*</sup>
221224
- **Name**<sup>\*</sup>
225+
- **Discovery sources**
222226
- **Domain**
223227
- **Device type**
224228
- **Device subtype**
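Review bot: The new **Discovery sources** column is inserted at a different position in each list (after **Onboarding status** in the first two, after **Name** here, after **Exposure level** and **IP** in the next two); if these lists mirror the portal's column order per tab that's fine, but confirm it, and confirm the column is intentionally listed without the asterisk that marks the other default-visible columns.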
@@ -241,6 +245,7 @@ You can sort the entries by clicking on an available column header. Select :::im
241245
- **Model**<sup>\*</sup>
242246
- **Risk level**<sup>\*</sup>
243247
- **Exposure level**<sup>\*</sup>
248+
- **Discovery sources**
244249
- **OS distribution**<sup>\*</sup>
245250
- **OS version**<sup>\*</sup>
246251
- **First seen**
@@ -253,6 +258,7 @@ You can sort the entries by clicking on an available column header. Select :::im
253258
- **Name**<sup>\*</sup>
254259
- **Vendor**<sup>\*</sup>
255260
- **IP**<sup>\*</sup>
261+
- **Discovery sources**
256262
- **MAC address**
257263
- **Risk level**
258264
- **Exposure level**

defender-endpoint/troubleshoot-collect-support-log.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ ms.collection:
1414
ms.topic: troubleshooting
1515
ms.subservice: edr
1616
search.appverid: met150
17-
ms.date: 11/07/2024
17+
ms.date: 11/18/2024
1818
---
1919

2020
# Collect support logs in Microsoft Defender for Endpoint using live response
@@ -37,7 +37,7 @@ This article provides instructions on how to run the tool via Live Response on W
3737
- If you require additional logs related to Microsoft Defender Antivirus, then use `..\Tools\MDELiveAnalyzerAV.ps1`.
3838
- If you require [Microsoft Endpoint Data Loss Prevention](/purview/endpoint-dlp-learn-about) related logs, then use `..\Tools\MDELiveAnalyzerDLP.ps1`.
3939
- If you require network and [Windows Filter Platform](/windows-hardware/drivers/network/windows-filtering-platform-architecture-overview) related logs, then use `..\Tools\MDELiveAnalyzerNet.ps1`.
40-
- If you require [Process Monitor](/sysinternals/downloads/procmon) logs, then use `..\Tools\MDELiveAnalyzerDLP.ps1`.
40+
- If you require [Process Monitor](/sysinternals/downloads/procmon) logs, then use `..\Tools\MDELiveAnalyzerAppCompat.ps1`.
4141

4242
2. Initiate a [Live Response session](live-response.md#initiate-a-live-response-session-on-a-device) on the machine you need to investigate.
4343
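Review bot: The corrected script path `..\Tools\MDELiveAnalyzerAppCompat.ps1` (line 40) is the only mention of that file on the page; confirm it ships in the live response tools library alongside the AV, DLP and Net analyzers before merging, since the previous line pointed at the DLP script by mistake. While here, the context line above names the link "Windows Filter Platform" whereas the linked article is about the Windows Filtering Platform; fix the name.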

defender-office-365/how-policies-and-protections-are-combined.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -68,7 +68,8 @@ There are two major factors that determine which policy is applied to a message:
6868

6969
<sup>\*</sup> Defender for Office 365 only.
7070

71-
The priority order matters if you have the same recipient intentionally or unintentionally included in multiple policies, because *only* the first policy of that type (anti-spam, anti-malware, anti-phishing, etc.) is applied to that recipient, regardless of how many other policies that the recipient is included in. There's never a merging or combining of the settings in multiple policies for the recipient. The recipient is unaffected by the settings of the remaining policies of that type.
71+
> [!IMPORTANT]
72+
> The priority order matters if you have the same recipient intentionally or unintentionally included in multiple policies, because *only* the first policy of that type (anti-spam, anti-malware, anti-phishing, etc.) is applied to that recipient, regardless of how many other policies that the recipient is included in. There's never a merging or combining of the settings in multiple policies for the recipient. The recipient is unaffected by the settings of the remaining policies of that type.
7273
7374
For example, the group named "Contoso Executives" is included in the following policies:
7475
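Review bot: Moving the paragraph into an IMPORTANT callout is fine, but the text carried over unchanged still has a stray "that" in "regardless of how many other policies that the recipient is included in" (line 72); drop it while the line is being touched.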

defender-xdr/TOC.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -154,6 +154,8 @@
154154
href: dlp-investigate-alerts-defender.md
155155
- name: Investigate data loss prevention alerts with Microsoft Sentinel
156156
href: dlp-investigate-alerts-sentinel.md
157+
- name: Investigate and respond to container threats
158+
href: investigate-respond-container-threats.md
157159
- name: Alerts
158160
href: investigate-alerts.md
159161
- name: Alert classification playbooks
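Review bot: The new entry (lines 157-158) points to investigate-respond-container-threats.md; make sure that file is part of this commit or already exists, since a TOC href with no target breaks the build. Its placement directly under the two DLP alert pages also reads as if it were a DLP topic; if container threats are a separate investigation area, place it after the Alerts entries instead.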

defender-xdr/activate-defender-rbac.md

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ ms.collection:
1212
- tier3
1313
ms.custom:
1414
ms.topic: how-to
15-
ms.date: 09/30/2024
15+
ms.date: 11/17/2024
1616
ms.reviewer:
1717
search.appverid: met150
1818
---
@@ -29,6 +29,8 @@ search.appverid: met150
2929
- [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
3030
- [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
3131
- [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
32+
- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/)
33+
- [Microsoft Security Exposure Management](/security-exposure-management/)
3234

3335
For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new [custom roles](create-custom-rbac-roles.md) or [imported roles](import-rbac-roles.md), you must activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads.
3436

@@ -54,20 +56,19 @@ You can activate your workloads in two ways from the Permissions and roles page:
5456
:::image type="content" source="/defender/media/defender/m365-defender-rbac-activate-workloads1.png" alt-text="Screenshot of the activate workloads page" lightbox="/defender/media/defender/m365-defender-rbac-activate-workloads1.png":::
5557

5658
1. **Activate workloads**
57-
- Select **Activate workloads** on the banner above the list of roles to go directly to the **Activate workloads** screen.
58-
- You must activate each workload one by one. Once you select the individual toggle, you activate (or deactivate) that workload.
5959

60-
:::image type="content" source="/defender/media/defender/defender-rbac-select-workload.png" alt-text="Screenshot of the choose workloads to activate screen":::
60+
- Select **Activate workloads** on the banner above the list of roles to go directly to the **Activate workloads** screen.
61+
- You must activate each workload one by one. Once you select the individual toggle, you activate (or deactivate) that workload.
62+
63+
:::image type="content" source="/defender/media/defender/defender-activate-workloads.png" alt-text="Screenshot of the choose workloads to activate screen.":::
6164

6265
> [!NOTE]
6366
> The **Activate workloads** button is only available when there is it at least one workload that's not active for Microsoft Defender XDR Unified RBAC.
64-
>
6567
> Microsoft Defender for Cloud is active by default with Microsoft Defender XDR Unified RBAC.
66-
>
67-
> Defender XDR Unified RBAC is automatically active for Secure Score access. Once a custom role with one of the permissions is created, it has an immediate impact on assigned users. There is no need to activate it.
68+
> Defender XDR Unified RBAC is automatically active for Exposure Management access. Once a custom role with one of the Exposure Management permissions is created, it has an immediate impact on assigned users. There is no need to activate it.
6869
>
6970
> To activate Exchange Online permissions in Microsoft Defender XDR Unified RBAC, Defender for Office 365 permissions must be active.
70-
71+
7172
2. **Workload settings**
7273
- Select **Workload settings**.
7374
- This brings you to the Microsoft Defender XDR **Permission and roles** page.
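Review bot: The note's first line (line 66) keeps the pre-existing typo "when there is it at least one workload"; since this hunk rewrites the surrounding note, change it to "when there is at least one workload". The removed Secure Score sentence (old line 67) is replaced by the Exposure Management one (line 68) rather than kept beside it; if Unified RBAC is still automatically active for Secure Score access, that information is now lost and both statements should appear. Also confirm the new screenshot `defender-activate-workloads.png` is checked in, since the old `defender-rbac-select-workload.png` is no longer referenced.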

defender-xdr/advanced-hunting-security-copilot.md

Lines changed: 24 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
2-
title: Microsoft Copilot for Security in advanced hunting
3-
description: Learn how Microsoft Copilot for Security advanced hunting (NL2KQL) plugin can generate a KQL query for you.
2+
title: Microsoft Security Copilot in advanced hunting
3+
description: Learn how Microsoft Security Copilot advanced hunting (NL2KQL) plugin can generate a KQL query for you.
44
search.appverid: met150
55
ms.service: defender-xdr
66
ms.subservice: adv-hunting
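Review bot: The new description (line 3) reads "Learn how Microsoft Security Copilot advanced hunting (NL2KQL) plugin can generate"; it needs an article: "Learn how the Microsoft Security Copilot advanced hunting (NL2KQL) plugin can generate a KQL query for you".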
@@ -27,22 +27,30 @@ appliesto:
2727
- Microsoft Sentinel in the Microsoft Defender portal
2828
---
2929

30-
# Microsoft Copilot for Security in advanced hunting
30+
# Microsoft Security Copilot in advanced hunting
3131

32-
[Microsoft Copilot for Security in Microsoft Defender](security-copilot-in-microsoft-365-defender.md) comes with a query assistant capability in advanced hunting.
3332

34-
Threat hunters or security analysts who aren't yet familiar with or have yet to learn KQL can make a request or ask a question in natural language (for instance, *Get all alerts involving user admin123*). Copilot for Security then generates a KQL query that corresponds to the request using the advanced hunting data schema.
33+
**Applies to:**
34+
35+
- Microsoft Defender
36+
- Microsoft Defender XDR
37+
38+
## Security Copilot in advanced hunting
39+
40+
[Microsoft Security Copilot in Microsoft Defender](security-copilot-in-microsoft-365-defender.md) comes with a query assistant capability in advanced hunting.
41+
42+
Threat hunters or security analysts who aren't yet familiar with or have yet to learn KQL can make a request or ask a question in natural language (for instance, *Get all alerts involving user admin123*). Security Copilot then generates a KQL query that corresponds to the request using the advanced hunting data schema.
3543

3644
This feature reduces the time it takes to write a hunting query from scratch so that threat hunters and security analysts can focus on hunting and investigating threats.
3745

38-
Users with access to Copilot for Security have access to this capability in advanced hunting.
46+
Users with access to Security Copilot have access to this capability in advanced hunting.
3947

4048
> [!NOTE]
41-
> The advanced hunting capability is also available in the Copilot for Security standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins).
49+
> The advanced hunting capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins).
4250
4351
## Try your first request
4452

45-
1. Open the **advanced hunting** page from the navigation bar in the Microsoft Defender portal. The Copilot for Security side pane for advanced hunting appears at the right hand side.
53+
1. Open the **advanced hunting** page from the navigation bar in Microsoft Defender XDR. The Security Copilot side pane for advanced hunting appears at the right hand side.
4654

4755
:::image type="content" source="/defender/media/advanced-hunting-security-copilot-pane.png" alt-text="Screenshot of the Copilot pane in advanced hunting." lightbox="/defender/media/advanced-hunting-security-copilot-pane-big.png":::
4856
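Review bot: The manual **Applies to:** block (lines 33-36) lists Microsoft Defender and Microsoft Defender XDR, but the front matter's `appliesto:` key in the context above (line 27) lists Microsoft Sentinel in the Microsoft Defender portal; the two lists now disagree, and the page should not need both. Step 1 (line 53) also changes "the Microsoft Defender portal" to "Microsoft Defender XDR" while the rest of the page still says "Microsoft Defender portal" (and the new note at line 90 says "unified Microsoft Defender portal"); keep one name. Finally, "Know more about" in the note (line 49) should be "Learn more about".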

@@ -51,11 +59,11 @@ Users with access to Copilot for Security have access to this capability in adva
5159

5260

5361

54-
:::image type="content" source="/defender/media/advanced-hunting-security-copilot-query.png" alt-text="Screenshot that shows prompt bar in the Copilot for Security for advanced hunting." lightbox="/defender/media/advanced-hunting-security-copilot-query-big.png":::
62+
:::image type="content" source="/defender/media/advanced-hunting-security-copilot-query.png" alt-text="Screenshot that shows prompt bar in the Security Copilot for advanced hunting." lightbox="/defender/media/advanced-hunting-security-copilot-query-big.png":::
5563

5664
1. Copilot generates a KQL query from your text instruction or question. While Copilot is generating, you can cancel the query generation by selecting **Stop generating**.
5765

58-
![Screenshot of Copilot for Security in advanced hunting generating a response.](/defender/media/advanced-hunting-security-copilot-generate.png)
66+
![Screenshot of Security Copilot in advanced hunting generating a response.](/defender/media/advanced-hunting-security-copilot-generate.png)
5967

6068

6169
1. Review the generated query. You can then choose to run the query by selecting **Add and run**.
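Review bot: The updated alt text (line 62) says "prompt bar in the Security Copilot for advanced hunting"; the product name doesn't take an article, so "prompt bar in Security Copilot for advanced hunting".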
@@ -66,7 +74,7 @@ Users with access to Copilot for Security have access to this capability in adva
6674

6775
If you need to make further tweaks, select **Add to editor**.
6876

69-
![Screenshot of Copilot for Security in advanced hunting showing the Add to editor option.](/defender/media/advanced-hunting-security-copilot-add-editor.png)
77+
![Screenshot of Security Copilot in advanced hunting showing the Add to editor option.](/defender/media/advanced-hunting-security-copilot-add-editor.png)
7078

7179
The generated query appears in the query editor as the last query, where you can edit it before running using the regular **Run query** above the query editor.
7280

@@ -75,23 +83,24 @@ Users with access to Copilot for Security have access to this capability in adva
7583

7684

7785
> [!TIP]
78-
> Providing feedback is an important way to let the Copilot for Security team know how well the query assistant was able to help in generating a useful KQL query. Feel free to articulate what could have made the query better, what adjustments you had to make before running the generated KQL query, or share the KQL query that you eventually used.
86+
> Providing feedback is an important way to let the Security Copilot team know how well the query assistant was able to help in generating a useful KQL query. Feel free to articulate what could have made the query better, what adjustments you had to make before running the generated KQL query, or share the KQL query that you eventually used.
7987
8088

81-
In the [Microsoft Defender portal](advanced-hunting-microsoft-defender.md), you can prompt Copilot for Security to generate advanced hunting queries for both Defender XDR and Microsoft Sentinel tables. Not all Microsoft Sentinel tables are currently supported, but support for these tables can be expected in the future.
89+
> [!NOTE]
90+
> In the [unified Microsoft Defender portal](advanced-hunting-microsoft-defender.md), you can prompt Security Copilot to generate advanced hunting queries for both Defender XDR and Microsoft Sentinel tables. Not all Microsoft Sentinel tables are currently supported, but support for these tables can be expected in the future.
8291
8392
## Query sessions
8493

8594
You can start your first session anytime by asking a question in the Copilot side pane in advanced hunting. Your session contains the requests you made using your user account. Closing the side pane or refreshing the advanced hunting page doesn't discard the session. You can still access the generated queries should you need them.
8695

8796
Select the chat bubble icon (**New chat**) to discard the current session.
8897

89-
![Screenshot of Copilot for Security in advanced hunting showing the new chat icon.](/defender/media/advanced-hunting-security-copilot-clear-session.png)
98+
![Screenshot of Security Copilot in advanced hunting showing the new chat icon.](/defender/media/advanced-hunting-security-copilot-clear-session.png)
9099

91100
## Modify settings
92101

93102
Select the ellipses in the Copilot side pane to choose whether or not to automatically add and run the generated query in advanced hunting.
94103

95-
![Screenshot of Copilot for Security in advanced hunting showing the settings ellipses icon.](/defender/media/advanced-hunting-security-copilot-settings.png)
104+
![Screenshot of Security Copilot in advanced hunting showing the settings ellipses icon.](/defender/media/advanced-hunting-security-copilot-settings.png)
96105

97106
Deselecting the **Run generated query automatically** setting gives you the option of running the generated query automatically (**Add and run**) or adding the generated query to the query editor for further modification (**Add to editor**).
