Merge branch 'main' into docs-editor/microsoft-defender-endpoint-li-1740001173

Author: denisebmsft

CloudAppSecurityDocs/release-notes.md

@@ -21,6 +21,17 @@ For news about earlier releases, see [Archive of past updates for Microsoft Defe
 
 ## February 2025
 
+### Enhanced alert source accuracy
+
+Microsoft Defender for Cloud Apps is enhancing its alert sources to deliver more precise information. This update, applicable to new alerts only, will be reflected across various experiences and APIs, including the Defender XDR portal, Advanced hunting, and Graph API.   
+The goal is to improve the accuracy of alert origins, facilitating better identification, management, and response to alerts.
+
+To learn more about the different alert sources in Defender XDR see the _Alert sources_ section of [Investigate alerts in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn](/defender-xdr/investigate-alerts?tabs=settings)
+
+To learn more about the Graph API alert resource: [alert resource type - Microsoft Graph v1.0 | Microsoft Learn](/graph/api/resources/security-alert?view=graph-rest-1.0)
+
+### Network requirement updates
+
 Due to improvements being made to Microsoft Defender for Cloud Apps to improve security and performance, you must update network information in your system's firewall and additional third-party services. Make these changes by March 16, 2025 to ensure uninterrupted access to our services:
 
 - Update your firewall rules to allow outbound traffic on port 443 to the following new CDN (Content Delivery Network)  endpoints before March 16, 2025:
@@ -128,7 +139,7 @@ Administrators who understand the power of Edge in-browser protection, can now r
 
 A primary reason is security, since the barrier to circumventing session controls using Edge is much higher than with reverse proxy technology.
 
-For more information see [Enforce Edge in-browser protection when accessing business apps](in-browser-protection.md#enforce-microsoft-edge-browser-protection-when-accessing-business-apps).
+For more information, see [Enforce Edge in-browser protection when accessing business apps](in-browser-protection.md#enforce-microsoft-edge-browser-protection-when-accessing-business-apps).
 
 ### Connect Mural to Defender for Cloud Apps (Preview)
 

defender-endpoint/guidance-for-pen-testing-and-bas.md

@@ -70,8 +70,8 @@ It's important to get the settings correct. To resolve misconfiguration issues,
 | Windows | Microsoft Defender for Endpoint security settings management <br/>(*Recommended*) | [Evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint Security Settings Management (Endpoint security policies)](evaluate-mda-using-mde-security-settings-management.md) |
 | Windows | Group Policy | [Evaluate Microsoft Defender Antivirus using Group Policy](evaluate-mdav-using-gp.md)  |
 | Windows | PowerShell | [Evaluate Microsoft Defender Antivirus using PowerShell](microsoft-defender-antivirus-using-powershell.md) |
-| Mac | Jamf (or another tool)  | [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md) |
-| Linux | Configuration profile <br/> Defender for Endpoint security settings management | [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) |
+| Mac |Microsoft Defender for Endpoint security settings management or Intune or Jamf or another tool| [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md) |
+| Linux |Microsoft Defender for Endpoint security settings management or another tool.| [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) |
 
 ## How to submit possible false negatives for investigation
 
@@ -113,7 +113,7 @@ It's crucial to report to Microsoft as soon as possible. The advanced hunting te
 
 | Portal | Description |
 |--|--|
-| MDSI portal | The MDSI portal is a service provided by Microsoft Security Intelligence. It allows users to submit files for malware analysis. Microsoft security researchers analyze these files to determine if they're threats, unwanted applications, or normal files. The portal is used to report detection concerns to Microsoft Defender Research, submit files for analysis, and track the results of submissions.<br/><br/>This portal was formerly known as the Windows Defender Security Intelligence (WSDI). Because it currently supports Mac, Linux, and Android submissions, its name changed. |
+| MDSI portal | The MDSI portal is a service provided by Microsoft Defender Security Intelligence. It allows users to submit files for malware analysis. Microsoft Defender security researchers analyze these files to determine if they're threats, unwanted applications, or normal files. The portal is used to report detection concerns to Microsoft Defender Research, submit files for analysis, and track the results of submissions.<br/><br/>|
 | Microsoft Defender portal | If you have a subscription to Microsoft Defender XDR, or your subscription includes Defender for Endpoint Plan 2, you can use the **Submissions** page in the Microsoft Defender portal. |
 
 1. Submit the data you gathered during steps 1-2 by using either the MDSI portal or the Microsoft Defender portal.

defender-endpoint/mde-linux-arm.md

@@ -43,16 +43,28 @@ Initially, the following Linux distributions are supported in preview:
 
 - Ubuntu 20.04 ARM64
 - Ubuntu 22.04 ARM64
+- Ubuntu 24.04 ARM64
+
 - Amazon Linux 2 ARM64
 - Amazon Linux 2023 ARM64
 
+- RHEL 8.x ARM64
+
+- RHEL 9.x ARM64
+
+- Oracle Linux 8.x ARM64
+
+- Oracle Linux 9.x ARM64
+
+- SUSE Linux Enterprise Server 15 (SP5, SP6) ARM64
+
 > [!NOTE]
 > Support for more Linux distributions is planned as part of this preview program.
 
-The installation procedures in this article install the agent version `101.24102.0002` from the insiders-slow channel on the ARM64-based device. (See [What's new in Microsoft Defender for Endpoint on Linux](linux-whatsnew.md).) 
-
 ## Deploy Defender for Endpoint on Linux for ARM64-based devices
 
+The deployment procedures in this article installs the agent version `101.24102.0003` from the insiders-slow channel on the ARM64-based device. (See [What's new in Microsoft Defender for Endpoint on Linux](linux-whatsnew.md).) 
+
 You can choose from several methods to deploy Defender for Endpoint on Linux to your ARM64-based device:
 
 - [Installer script](#deploy-using-the-installer-script)
@@ -351,7 +363,7 @@ See these articles:
 
 ## Troubleshoot deployment issues
 
-If you run into any issues deploying Defender for Endpoint on Linux to your ARM64-based devices, help is available. First, review our list of common issues and how to resolve them. If the problem persists, contact us.
+If you run into any issues deploying Defender for Endpoint on Linux to your ARM64-based devices, help is available. First, review our list of common issues and how to resolve them. If the problem persists, [contact us](#contact-us-if-you-need-help).
 
 ### Common issues and how to resolve them
 

defender-endpoint/mde-security-settings-management.md

@@ -51,7 +51,7 @@ As a security administrator, you can configure different Microsoft Defender Anti
 
 You'll find endpoint security policies under **Endpoints** > **Configuration management** > **Endpoint security policies**.
 
-:::image type="content" source="./media/endpoint-security-policies.png" alt-text="Managing Endpoint security policies in the Microsoft Defender portal":::
+:::image type="content" source="./media/endpoint-security-policies.png" alt-text="Managing Endpoint security policies in the Microsoft Defender portal" lightbox="./media/endpoint-security-policies.png":::
 
 The following list provides a brief description of each endpoint security policy type:
 
@@ -109,14 +109,14 @@ To verify that you have successfully created a policy, select a policy name from
 
 > [!NOTE]
 > It can take up to 90 minutes for a policy to reach a device. To speed up the process, for devices Managed by Defender for Endpoint, you can select **Policy sync** from the actions menu so that it's applied in approximately 10 minutes.
-> :::image type="content" source="./media/policy-sync.png" alt-text="Image showing policy sync button":::
+>
+> :::image type="content" source="./media/policy-sync.png" alt-text="Image showing policy sync button" lightbox="./media/policy-sync.png":::
 
 The policy page displays details that summarize the status of the policy. You can view a policy's status, which devices it is applied to, and assigned groups.
 
 During an investigation, you can also view the **Security policies** tab in the device page to view the list of policies that are being applied to a particular device. For more information, see [Investigating devices](investigate-machines.md#security-policies).
 
-
-:::image type="content" source="./media/security-policies-list.png" alt-text="Security policies tab with list of policies":::
+:::image type="content" source="./media/security-policies-list.png" alt-text="Security policies tab with list of policies" lightbox="./media/security-policies-list.png":::
 
 ## Antivirus policies for Windows and Windows Server
 
@@ -131,14 +131,10 @@ During an investigation, you can also view the **Security policies** tab in the
 |PUA Protection|PUA Protection on|
 
 For more information, see:
-
-[Advanced technologies at the core of Microsoft Defender Antivirus](/defender-endpoint/adv-tech-of-mdav)
-
-[Enable and configure Microsoft Defender Antivirus always-on protection](/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)
-
-[Behavior monitoring in Microsoft Defender Antivirus](/defender-endpoint/behavior-monitor)
-
-[Detect and block potentially unwanted applications](/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)
+- [Advanced technologies at the core of Microsoft Defender Antivirus](/defender-endpoint/adv-tech-of-mdav)
+- [Enable and configure Microsoft Defender Antivirus always-on protection](/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)
+- [Behavior monitoring in Microsoft Defender Antivirus](/defender-endpoint/behavior-monitor)
+- [Detect and block potentially unwanted applications](/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)
 
 1. **Cloud protection features**:
 
@@ -165,9 +161,7 @@ Standard security intelligence updates can take hours to prepare and deliver; ou
 |Archive Max Depth | Not configured|
 |Archive Max Size | Not configured|
 
-For more information, see:
-
-[Configure Microsoft Defender Antivirus scanning options](/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus)
+For more information, see [Configure Microsoft Defender Antivirus scanning options](/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus).
 
 **Security Intelligence updates**:
 
@@ -187,10 +181,8 @@ For more information, see:
 > 'MMPC' is Microsoft Defender security intelligence center (WDSI formerly Microsoft Malware Protection Center) https://www.microsoft.com/en-us/wdsi/definitions.
 
 For more information, see:
-
-[Microsoft Defender Antivirus security intelligence and product updates](/defender-endpoint/microsoft-defender-antivirus-updates)
-
-[Update channels for security intelligence updates](/defender-endpoint/manage-gradual-rollout)
+- [Microsoft Defender Antivirus security intelligence and product updates](/defender-endpoint/microsoft-defender-antivirus-updates)
+- [Update channels for security intelligence updates](/defender-endpoint/manage-gradual-rollout)
 
 **Engine updates**:
 
@@ -247,10 +239,8 @@ For more information, see [Manage the gradual rollout process for Microsoft Defe
 > And for Windows Servers, on Saturday's at 1:00 AM. (60)
 
 For more information, see:
-
-[Configure scheduled quick or full Microsoft Defender Antivirus scans](/defender-endpoint/schedule-antivirus-scans)
-
-[Microsoft Defender Antivirus full scan considerations and best practices](/defender-endpoint/mdav-scan-best-practices)
+- [Configure scheduled quick or full Microsoft Defender Antivirus scans](/defender-endpoint/schedule-antivirus-scans)
+- [Microsoft Defender Antivirus full scan considerations and best practices](/defender-endpoint/mdav-scan-best-practices)
 
 **Threat severity default action**:
 
@@ -285,10 +275,8 @@ Disable local administrator AV settings such as exclusions, and set the policies
 |Excluded Processes | Add as needed for working around false positives (FPs) and/or troubleshooting high cpu utilizations in MsMpEng.exe|
 
 For more information, see:
-
-[Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings](/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus)
-
-[Configure custom exclusions for Microsoft Defender Antivirus](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus)
+- [Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings](/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus)
+- [Configure custom exclusions for Microsoft Defender Antivirus](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus)
 
 **Microsoft Defender Core service:**
 
@@ -383,9 +371,7 @@ For more information, see [Attack surface reduction rules deployment overview](/
    | -------- | -------- |
    | TamperProtection (Device) | On|
 
-For more information, see:
-
-[Protect security settings with tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)
+For more information, see [Protect security settings with tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection).
 
 #### Check the Cloud Protection network connectivity
 
@@ -398,7 +384,7 @@ cd "C:\Program Files\Windows Defender"
 MpCmdRun.exe -ValidateMapsConnection
 ```
 
-For more information [Use the cmdline tool to validate cloud-delivered protection](/defender-endpoint/configure-network-connections-microsoft-defender-antivirus).
+For more information, see [Use the cmdline tool to validate cloud-delivered protection](/defender-endpoint/configure-network-connections-microsoft-defender-antivirus).
 
 #### Check the platform update version
 

defender-endpoint/microsoft-defender-endpoint-linux.md

@@ -89,20 +89,32 @@ Microsoft Defender for Endpoint for Linux includes anti-malware and endpoint det
 
   - Ubuntu 20.04 ARM64
   - Ubuntu 22.04 ARM64
+  - Ubuntu 24.04 ARM64
+    
   - Amazon Linux 2 ARM64
   - Amazon Linux 2023 ARM64
 
-  > [!IMPORTANT]
+  - RHEL 8.x ARM64
+    
+  - RHEL 9.x ARM64
+    
+  - Oracle Linux 8.x ARM64
+    
+  - Oracle Linux 9.x ARM64
+    
+  - SUSE Linux Enterprise Server 15 (SP5, SP6) ARM64
+    
+    > [!IMPORTANT]
   > Support for Microsoft Defender for Endpoint on Linux for ARM64-based Linux devices is now in preview. For more information, see [Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md). 
    
-  > [!NOTE]
+    > [!NOTE]
   > The workstation versions of these distributions are unsupported.
   > Distributions and versions that aren't explicitly listed are unsupported (even if they're derived from the officially supported distributions). 
   > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that which are listed in this section are provided for technical upgrade support only.
   > Currently, Rocky and Alma distributions aren't supported in Microsoft Defender Vulnerability Management.
   > Microsoft Defender for Endpoint for all other supported distributions and versions is kernel-version agnostic. The minimal requirement for the kernel version to be `3.10.0-327` or later.
   
-  > [!CAUTION]
+    > [!CAUTION]
   > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions isn't supported. It can lead to unpredictable results, including hanging the operating system. If there are any other applications on the system that use `fanotify` in blocking mode, applications are listed in the `conflicting_applications` field of the `mdatp health` command output. The Linux **FAPolicyD** feature uses `fanotify` in blocking mode, and is therefore unsupported when running Defender for Endpoint in active mode. You can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality Real Time Protection Enabled to [Passive mode](linux-preferences.md#enforcement-level-for-antivirus-engine).
   
 - List of supported filesystems for RTP, Quick, Full, and Custom Scan.

defender-for-iot/manage-devices-inventory.md

@@ -42,6 +42,10 @@ To customize the device inventory views:
 
 [!INCLUDE [defender-iot-site-association](includes/site-association.md)]
 
+### OT network tag
+
+When a Defender for Endpoint agent is associated with a site, all devices discovered by that agent automatically receive the **Network type: OT** tag in the **Tags** column to show that these devices are part of the site. This tag helps users focus on devices that belong to their OT network.
+
 ## Manage OT devices
 
 - [Explore the device inventory](/defender-endpoint/machines-view-overview#explore-the-device-inventory) including search, export to CSV, and more.

defender-xdr/breadcrumb/toc.yml

@@ -12,6 +12,15 @@
   - name: Microsoft Defender XDR
     tocHref: /unified-secops-platform/
     topicHref: /defender-xdr/index
+  - name: Microsoft Defender XDR
+    tocHref: /defender-for-endpoint/
+    topicHref: /defender-xdr/index
+  - name: Microsoft Defender XDR
+    tocHref: /defender-office-365/
+    topicHref: /defender-xdr/index
+  - name: Microsoft Defender XDR
+    tocHref: /defender-cloud-apps/
+    topicHref: /defender-xdr/index  
 
 ## Azure override
 - name: 'Microsoft Defender'