Merge branch 'main' into mdav-relnotes

Author: denisebmsft

.openpublishing.redirection.defender.json

@@ -110,16 +110,6 @@
       "redirect_url": "/defender-endpoint/mde-demonstration-amsi",
       "redirect_document_id": true
     },
-    {
-      "source_path": "defender-xdr/pilot-deploy-defender-endpoint.md",
-      "redirect_url": "/defender-endpoint/pilot-deploy-defender-endpoint",
-      "redirect_document_id": false
-    },
-    {
-      "source_path": "defender-xdr/pilot-deploy-defender-office-365.md",
-      "redirect_url": "/defender-office-365/pilot-deploy-defender-office-365",
-      "redirect_document_id": false
-    },
     {
       "source_path": "defender-endpoint/techniques-device-timeline.md",
       "redirect_url": "/defender-endpoint/device-timeline-event-flag#techniques-in-the-device-timeline",
@@ -129,6 +119,16 @@
       "source_path": "defender-endpoint/linux-support-rhel.md",
       "redirect_url": "/defender-endpoint/comprehensive-guidance-on-linux-deployment",
       "redirect_document_id": true
-    }            
+    },
+    {
+      "source_path": "defender-office-365/pilot-deploy-defender-office-365.md",
+      "redirect_url": "/defender-xdr/pilot-deploy-defender-office-365",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-endpoint/pilot-deploy-defender-endpoint.md",
+      "redirect_url": "/defender-xdr/pilot-deploy-defender-endpoint",
+      "redirect_document_id": false
+    }           
   ]
 }

CloudAppSecurityDocs/release-notes.md

@@ -20,6 +20,30 @@ For more information on what's new with other Microsoft Defender security produc
 For news about earlier releases, see [Archive of past updates for Microsoft Defender for Cloud Apps](release-note-archive.md).
 
 
+## October 2024
+
+### New anomaly data in advanced hunting CloudAppEvents table
+
+Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal, can now utilize the new *LastSeenForUser* and *UncommonForUser* columns for queries and detections rules.  
+The new columns are designed to assist you to better __identify uncommon activities__ that may appear suspicious, and allow you to create more accurate custom detections, as well as investigate any suspicious activities that arise.
+
+For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
+
+### New Conditional Access app control / inline data in advanced hunting CloudAppEvents table
+
+Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new *AuditSource* and *SessionData* columns for queries and detection rules.   
+Using this data allows for queries that consider specific audit sources, including access and session control, and queries by specific inline sessions.
+
+For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
+
+### New data in advanced hunting CloudAppEvents table - OAuthAppId
+
+Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new _OAuthAppId_ column for queries and detection rules.
+
+Using _OAuthAppId_ allows the queries that consider specific OAuth applications, making queries and detection rules more accurate.
+
+For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
+
 ## September 2024
 
 ### Enforce Edge in-browser when accessing business apps
@@ -28,7 +52,7 @@ Administrators who understand the power of Edge in-browser protection, can now r
 A primary reason is security, since the barrier to circumventing session controls using Edge is much higher than with reverse proxy technology.
 
 For more information see: 
-[Enforce Edge in-browser protection when accessing business apps](https://learn.microsoft.com/defender-cloud-apps/in-browser-protection#enforce-edge-in-browser-when-accessing-business-apps)
+[Enforce Edge in-browser protection when accessing business apps](/defender-cloud-apps/in-browser-protection)
 
 ### Connect Mural to Defender for Cloud Apps (Preview)
 
@@ -146,7 +170,7 @@ Microsoft Defender for Cloud Apps log collector now supports [Azure Kubernetes S
 
 For more information, see [Configure automatic log upload using Docker on Azure Kubernetes Service (AKS)](discovery-kubernetes.md).
 
-### New Conditional Access app control / inline data for the advanced hunting CloudAppEvents table
+### New Conditional Access app control / inline data for the advanced hunting CloudAppEvents table (Preview)
 
 Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new *AuditSource* and *SessionData* columns for queries and detection rules. Using this data allows for queries that consider specific audit sources, including access and session control, and queries by specific inline sessions.
 
@@ -224,7 +248,7 @@ Automatic log collection is supported using a Docker container on multiple opera
 
 For more information, see [Configure automatic log upload using Podman](discovery-linux-podman.md).
 
-### New anomaly data for the advanced hunting CloudAppEvents table
+### New anomaly data for the advanced hunting CloudAppEvents table (Preview)
 
 Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new *LastSeenForUser* and *UncommonForUser* columns for queries and detections rules. Using this data helps to rule out false positives and find anomalies.
 

defender-endpoint/TOC.yml

@@ -10,8 +10,6 @@
       href: zero-trust-with-microsoft-defender-endpoint.md
     - name: Trial user guide - Microsoft Defender for Endpoint
       href: defender-endpoint-trial-user-guide.md
-    - name: Pilot and deploy Microsoft Defender for Endpoint
-      href: pilot-deploy-defender-endpoint.md
     - name: Minimum requirements
       href: minimum-requirements.md
     - name: Supported Microsoft Defender for Endpoint capabilities by platform

defender-endpoint/defender-endpoint-demonstration-smartscreen-url-reputation.md

@@ -14,7 +14,7 @@ ms.collection:
 - demo
 ms.topic: article
 ms.subservice: asr
-ms.date: 01/15/2024
+ms.date: 10/28/2024
 ---
 
 # URL reputation demonstrations
@@ -71,7 +71,7 @@ Blocked from downloading because of its URL reputation
 
 - [Download blocked due to URL reputation](https://demo.smartscreen.msft.net/download/malwaredemo/freevideo.exe)
 
-  Launching this link should render a message similar to the Malware page message.
+  Launching this link should render a warning that the download was blocked as being unsafe by Microsoft Edge.
 
 ### Exploit page
 

defender-endpoint/indicator-manage.md

@@ -15,20 +15,18 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: asr
 search.appverid: met150
-ms.date: 12/18/2020
+ms.date: 10/28/2024
 ---
 
 # Manage indicators
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-
 **Applies to:**
 - [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender XDR](/defender-xdr)
 
-
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
 
 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Indicators** (under **Rules**).
@@ -55,29 +53,29 @@ Download the sample CSV to know the supported column attributes.
 
 > [!NOTE]
 > Only 500 indicators can be uploaded for each batch. 
->
 > Attempting to import indicators with specific categories requires the string to be written in Pascal case convention and only accepts the category list available at the portal.
 
 The following table shows the supported parameters.
 
 | Parameter|Type|Description |
 | ---| ---| --- |
-| indicatorType|Enum|Type of the indicator. Possible values are: *FileSha1*, *FileSha256*, *IpAddress*, *DomainName*, and *Url*. **Required** |
-| indicatorValue|String|Identity of the [Indicator](api/ti-indicator.md) entity. **Required** |
-| action|Enum|The action that is taken if the indicator is discovered in the organization. Possible values are: *Allowed*, *Audit*, *BlockAndRemediate*, *Warn*, and *Block*. **Required** |
-| title|String|Indicator alert title. **Required** |
-| description|String| Description of the indicator. **Required** |
-| expirationTime|DateTimeOffset|The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. The indicator gets deleted if the expiration time passes and whatever happens at the expiration time occurs at the seconds (SS) value. **Optional** |
-| severity|Enum|The severity of the indicator. Possible values are: *Informational*, *Low*, *Medium*, and *High*. **Optional** |
-| recommendedActions|String|TI indicator alert recommended actions. **Optional** |
-| rbacGroups|String|Comma-separated list of RBAC groups the indicator would be applied to. **Optional** |
-| category|String|Category of the alert. Examples include: Execution and credential access. **Optional** |
-| mitretechniques|String|MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/). **Optional** It's recommended to add a value in category when a MITRE technique. |
-| GenerateAlert|String|Whether the alert should be generated. Possible Values are: True or False. **Optional** |
+| indicatorType|Enum|Type of the indicator. Possible values are: `FileSha1`, `FileSha256`, `IpAddress`, `DomainName`, and `Url`. <br/> **Required** |
+| indicatorValue|String|Identity of the [Indicator](api/ti-indicator.md) entity. <br/> **Required** |
+| action|Enum|The action that is taken if the indicator is discovered in the organization. Possible values are: `Allowed`, `Audit`, `BlockAndRemediate`, `Warn`, and `Block`. <br/> **Required** |
+| title|String|Indicator alert title.<br/> **Required** |
+| description|String| Description of the indicator.<br/> **Required** |
+| expirationTime|DateTimeOffset|The expiration time of the indicator in the following format `YYYY-MM-DDTHH:MM:SS.0Z`. The indicator gets deleted if the expiration time passes and whatever happens at the expiration time occurs at the seconds (SS) value. <br/>**Optional** |
+| severity|Enum|The severity of the indicator. Possible values are: `Informational`, `Low`, `Medium`, and `High`. <br/>**Optional** |
+| recommendedActions|String|TI indicator alert recommended actions. <br/>**Optional** |
+| rbacGroups|String|Comma-separated list of RBAC groups the indicator would be applied to. <br/>**Optional** |
+| category|String|Category of the alert. Examples include: Execution and credential access. <br/>**Optional** |
+| mitretechniques|String|MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/). <br/> **Optional** <br/>It's recommended to add a value in category when a MITRE technique. |
+| GenerateAlert|String|Whether the alert should be generated. Possible Values are: `True` or `False`. <br/>**Optional** |
 
 > [!NOTE]
-> Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.
-For more information, see [Microsoft Defender for Endpoint alert categories are now aligned with MITRE ATT&CK!](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-atp-alert-categories-are-now-aligned-with/ba-p/732748).
+> Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported. For more information, see [Microsoft Defender for Endpoint alert categories are now aligned with MITRE ATT&CK!](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-atp-alert-categories-are-now-aligned-with/ba-p/732748).
+>
+> Network indicators do not support the action type, `BlockAndRemediate`. If a network indicator is set to `BlockAndRemediate`, it won't import. 
 
 Watch this video to learn how Microsoft Defender for Endpoint provides multiple ways to add and manage Indicators of compromise (IoCs). 
 > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLVw]
@@ -89,4 +87,5 @@ Watch this video to learn how Microsoft Defender for Endpoint provides multiple
 - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
 - [Create indicators based on certificates](indicator-certificates.md)
 - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/mac-install-with-intune.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: macos
 search.appverid: met150
-ms.date: 10/11/2024
+ms.date: 10/28/2024
 ---
 
 # Deploy Microsoft Defender for Endpoint on macOS with Microsoft Intune
@@ -80,7 +80,7 @@ In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2
 
 1. In the **Settings picker**, expand the **System Configuration** category, and then select **System Extensions** > **Allowed System Extensions:**
 
-   ![Screenshot showing the Settings Picker](media/mac-install-with-intune/screenshot-2024-09-11-at-1.41.09 pm.png)
+   :::image type="content" alt-text="Screenshot showing the Settings Picker" source="media/mac-install-with-intune/screenshot-2024-09-11-at-1.41.09-pm.png" lightbox="media/mac-install-with-intune/screenshot-2024-09-11-at-1.41.09-pm.png":::
 
 1. Close the Settings picker, and then select **+ Edit instance**. 
 
@@ -91,7 +91,7 @@ In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2
    |`com.microsoft.wdav.epsext`|`UBF8T346G9`|
    |`com.microsoft.wdav.netext`|`UBF8T346G9`|
 
-   ![Screenshot showing allowed system extensions](media/mac-install-with-intune/image003.png)
+   :::image type="content" alt-text="Screenshot showing allowed system extensions" source="media/mac-install-with-intune/image003.png" lightbox="media/mac-install-with-intune/image003.png":::
 
 1. On the **Assignments** tab, assign the profile to a group where the macOS devices or users are located.
 
@@ -203,7 +203,7 @@ Download [notif.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-
 
 To turn off notifications for the end users, you can change **Show NotificationCenter** from `true` to `false` in [notif.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig).
 
-:::image type="content" source="../defender-endpoint/media/image.png" alt-text="Screenshot showing notif.mobileconfig with ShowNotificationCenter set to True." lightbox="../defender-endpoint/media//image.png":::
+:::image type="content" source="../defender-endpoint/media/image.png" alt-text="Screenshot showing notif.mobileconfig with ShowNotificationCenter set to True.":::
 
 To configure notifications:
 
@@ -217,7 +217,7 @@ To configure notifications:
 
 1. Select **Create**.
 
-1. On the **Basics** tab, **Name** the profile. For example, `BackgroundServices-prod-macOS-Default-MDE`. Then select **Next**.
+1. On the **Basics** tab, **Name** the profile. For example, `Notify-prod-macOS-Default-MDE`. Then select **Next**.
 
 1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `Notif.mobileconfig`.
 
@@ -233,7 +233,7 @@ To configure notifications:
 
 This profile is used to allow Microsoft Defender for Endpoint on macOS to access the accessibility settings on Apple macOS High Sierra (10.13.6) and newer.
 
-Download [accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/accessibility.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
+Download [accessibility.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/refs/heads/master/macos/mobileconfig/profiles/accessibility.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
 
 1. Under **Configuration profiles**, select **Create Profile**.
 
@@ -262,7 +262,7 @@ Download [accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/b
 > [!CAUTION]
 > macOS 14 (Sonoma) contains new privacy enhancements. Beginning with this version, by default, applications cannot access Bluetooth without explicit consent. Microsoft Defender for Endpoint uses it if you configure Bluetooth policies for Device Control.
 
-Download [bluetooth.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/bluetooth.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles) and use the same workflow as in [Step 6: Accessibility settings](#step-6-accessibility-settings) to enable Bluetooth access.
+Download [bluetooth.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/refs/heads/master/macos/mobileconfig/profiles/bluetooth.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles) and use the same workflow as in [Step 6: Accessibility settings](#step-6-accessibility-settings) to enable Bluetooth access.
 
 > [!NOTE]
 > Bluetooth granted through Apple MDM Configuration Profile is not reflected in System Settings => Privacy & Security => Bluetooth.
@@ -277,10 +277,10 @@ This profile is used to update the Microsoft Defender for Endpoint on macOS via
 
 For more information, see [Deploy updates for Microsoft Defender for Endpoint on macOS](mac-updates.md).
 
-Download [AutoUpdate2.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/microsoft_auto_update/com.microsoft.autoupdate2.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
+Download [com.microsoft.autoupdate2.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/refs/heads/master/macos/settings/microsoft_auto_update/com.microsoft.autoupdate2.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
 
 > [!NOTE]
-> The sample `AutoUpdate2.mobileconfig` from the GitHub repository has it set to Current Channel (Production).
+> The sample `com.microsoft.autoupdate2.mobileconfig` from the GitHub repository has it set to Current Channel (Production).
 
 1. Under **Configuration profiles**, select **Create Profile**.
 
@@ -294,7 +294,7 @@ Download [AutoUpdate2.mobileconfig](https://github.com/microsoft/mdatp-xplat/blo
 
 1. On the **Basics** tab, **Name** the profile. For example, `Autoupdate-prod-macOS-Default-MDE`. Then select **Next**.
 
-1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `Autoupdate.mobileconfig`.
+1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `com.microsoft.autoupdate2.mobileconfig`.
 
 1. Choose a **Deployment channel** and select **Next**.
 
@@ -329,9 +329,6 @@ For more information about managing security settings, see:
 - [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration?pivots=mdssc-ga)
 - [Manage security settings for Windows, macOS, and Linux natively in Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/manage-security-settings-for-windows-macos-and-linux-natively-in/ba-p/3870617)
 
-> [!NOTE]
-> If the device is managed via Intune, the device won't register via Defender for Endpoint Security Settings Management in the [Microsoft Defender portal](https://security.microsoft.com). Only the policies set via Intune take effect.
-
 #### **Set policies using Microsoft Intune**
 
 You can manage the security settings for Microsoft Defender for Endpoint on macOS under **Setting Preferences** in Microsoft Intune.