Merge branch 'main' into chrisda

Author: chrisda

.openpublishing.publish.config.json

@@ -6,7 +6,7 @@
       "build_output_subfolder": "ATA-Docs",
       "locale": "en-us",
       "monikers": [],
-      "open_to_public_contributors": true,
+      "open_to_public_contributors": false,
       "type_mapping": {
         "Conceptual": "Content"
       },

CloudAppSecurityDocs/behaviors.md

@@ -1,7 +1,7 @@
 ---
 title: Investigate behaviors with advanced hunting | Microsoft Defender for Cloud Apps
 description: Learn how to investigate Microsoft Defender for Cloud App behaviors with Microsoft Defender XDR advanced hunting.
-ms.date: 09/07/2023
+ms.date: 08/05/2025
 ms.topic: how-to
 #CustomerIntent: As a Defender for Cloud Apps customer, I want to understand how behaviors work so that I can investigate more effectively.
 ---
@@ -10,9 +10,9 @@ ms.topic: how-to
 
 
 
-While some anomaly detections focus primarily on detecting problematic security scenarios, others can help identifying and investigating anomalous user behavior that doesn't necessarily indicate a compromise. In such cases, Microsoft Defender for Cloud Apps uses a separate data type, called *behaviors*.
+While some anomaly detections focus primarily on detecting problematic security scenarios, others can help identifying and investigating anomalous user behavior that doesn't necessarily indicate a compromise. In such cases, Microsoft Defender for Cloud Apps and Microsoft Defender for Cloud use a separate data type, called *behaviors*.
 
-This article describes how to investigate Defender for Cloud Apps behaviors with Microsoft Defender XDR advanced hunting.
+This article describes how to investigate Defender for Cloud Apps and Defender for Cloud behaviors with Microsoft Defender XDR advanced hunting.
 
 Have feedback to share? Fill out our [feedback form](https://forms.office.com/r/x0mX5hBkGu)!
 
@@ -27,7 +27,7 @@ While behaviors might be related to security scenarios, they're not necessarily
 
 ## Supported detections
 
-Behaviors currently support low-fidelity, Defender for Cloud Apps detections, that may not meet the standard for alerts but are still useful in providing context during an investigation. Currently supported detections include:
+Behaviors currently support low-fidelity, Defender for Cloud Apps and Defender for Cloud detections, that may not meet the standard for alerts but are still useful in providing context during an investigation. Currently supported detections include:
 
 |Alert name  |Policy name  |ActionType (Hunting)|
 |---------|---------|---------|

defender-endpoint/gov.md

@@ -160,6 +160,7 @@ These are the known gaps:
 |Microsoft Defender for Endpoint Security Configuration Management|:::image type="icon" source="media/svg/check-yes.svg" border="false":::|:::image type="icon" source="media/svg/check-yes.svg" border="false":::|:::image type="icon" source="media/svg/check-yes.svg" border="false":::|
 |Microsoft Defender for IoT enterprise IoT security|:::image type="icon" source="media/svg/check-no.svg" border="false":::|:::image type="icon" source="media/svg/check-no.svg" border="false":::|:::image type="icon" source="media/svg/check-no.svg" border="false":::|
 
+
 > [!NOTE]
 > While Microsoft Secure Score is available for GCC, GCC High and DoD customers, there are some security recommendations that aren't available.
 

defender-endpoint/mac-install-with-intune.md

@@ -488,6 +488,7 @@ To download the onboarding package from the Microsoft Defender portal:
 
 1. Select **Download onboarding package**. Save it as _GatewayWindowsDefenderATPOnboardingPackage.zip_ to the same directory.
 
+
 1. Extract the contents of the .zip file:
 
    ```bash

defender-endpoint/whats-new-in-microsoft-defender-endpoint.md

@@ -46,6 +46,10 @@ For more information on what's new with other Microsoft Defender security produc
 - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
 - [What's new in Microsoft Defender Vulnerability Management](/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management)
 
+## July 2025
+
+- (GA) [Microsoft Defender Core service](/defender-endpoint/microsoft-defender-core-service-overview) is now generally available on Windows Server 2019 or later.  Helps with the stability and performance of Microsoft Defender Antivirus.
+
 ## April 2025
 
 - (Preview) **Contain IP addresses of undiscovered devices**: Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. See [Contain IP addresses of undiscovered devices](respond-machine-alerts.md#contain-ip-addresses-of-undiscovered-devices) for more information.

defender-for-cloud/TOC.yml

@@ -1,2 +0,0 @@
-- name: Index
-  href: index.md

defender-for-cloud/index.md

@@ -53,7 +53,7 @@ By default, users can download infected files from SharePoint or OneDrive. Here'
 1. In a web browser, a user tries to download a file from SharePoint or OneDrive that happens to be infected.
 2. The user is shown a warning that a virus was detected in the file. The user is given the option to proceed with the download and attempt to clean it using anti-virus software on their device.
 
-To change this behavior so users can't download infected files from SharePoint or OneDrive, even from the anti-virus warning window, admins can use the *DisallowInfectedFileDownload* parameter on the **[Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant)** cmdlet in SharePoint Online PowerShell. The value $true for the *DisallowInfectedFileDownload* parameter completely blocks access to detected/blocked files for users.
+To change this behavior so users can't download infected files from SharePoint or OneDrive, even from the anti-virus warning window, admins can use the *DisallowInfectedFileDownload* parameter on the **[Set-SPOTenant](/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant)** cmdlet in SharePoint Online PowerShell. The value $true for the *DisallowInfectedFileDownload* parameter completely blocks access to detected/blocked files for users.
 
 For instructions, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](safe-attachments-for-spo-odfb-teams-configure.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).
 

defender-office-365/anti-malware-protection-for-spo-odfb-teams-about.md

@@ -95,7 +95,7 @@ Set-SPOTenant -DisallowInfectedFileDownload $true
 - This setting affects both users and admins.
 - People can still delete malicious files.
 
-For detailed syntax and parameter information, see [Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant).
+For detailed syntax and parameter information, see [Set-SPOTenant](/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant).
 
 ## Step 3 (Recommended) Use the Microsoft Defender portal to create an alert policy for detected files
 
@@ -169,7 +169,7 @@ For detailed syntax and parameter information, see [New-ActivityAlert](/powershe
   Get-SPOTenant | Format-List DisallowInfectedFileDownload
   ```
 
-  For detailed syntax and parameter information, see [Get-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant).
+  For detailed syntax and parameter information, see [Get-SPOTenant](/powershell/module/microsoft.online.sharepoint.powershell/get-spotenant).
 
 - To verify you successfully configured an alert policy for detected files, use either of the following methods:
   - In the Microsoft Defender portal at <https://security.microsoft.com/alertpolicies>, select the alert policy, and verify the settings.

defender-office-365/safe-attachments-for-spo-odfb-teams-configure.md

@@ -0,0 +1,157 @@
+---
+title: CloudStorageAggregatedEvents table in the advanced hunting schema
+description: Learn about the CloudStorageAggregatedEvents table in the advanced hunting schema, which contains information about storage activity and related events.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords:
+  - NOCSH
+ms.author: pauloliveria
+author: poliveria
+ms.localizationpriority: medium
+manager: orspodek
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.topic: reference
+ms.date: 08/05/2025
+---
+
+# CloudStorageAggregatedEvents (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+The `CloudStorageAggregatedEvents` table in the [advanced hunting](advanced-hunting-overview.md) contains information about storage activity and related events. Use this reference to construct queries that return information from this table.
+
+> [!IMPORTANT]
+> Some information relates to prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This advanced hunting table is populated by records from [Microsoft Defender for Cloud](/azure/defender-for-cloud/concept-integration-365#advanced-hunting-in-xdr). If your organization doesn't have Microsoft Defender for Cloud, queries that use the table aren’t going to work or return any results. For more information about prerequisites in integrating Defender for Cloud with Defender XDR, read [Microsoft Defender XDR integration](/azure/defender-for-cloud/concept-integration-365).
+
+
+For information on other tables in the advanced hunting schema, see the [advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `DataAggregationStartTime` | `datetime` | The start time during which the data was aggregated |
+| `DataAggregationEndTime` | `datetime` | The end time during which the data was aggregated |
+| `DataSource` | `string` | The source of the aggregated logs |
+| `SubscriptionId` | `string` | Unique identifier assigned to the Azure subscription |
+| `ResourceGroup` | `string` | Name of the resource group where the storage account resides |
+| `StorageAccount` | `string` | The identifier for the storage account |
+| `StorageContainer` | `string` | The identifier for the storage container | 	
+| `StorageFileShare` | `string` | The identifier for the storage file share | 	 
+| `ServiceType` | `string` | Specifies the type of storage service (for example, Blob, ADLS Gen2, Files.REST, Files.SMB) | 	 
+| `IpAddress` | `string` | The IP addresses from which the storage was accessed |  	 
+| `UserAgentHeader` | `string` | Details of the user agent accessing the storage (for example, browser or application) | 	 
+| `OperationNamesList` | `object` | A list of storage operations performed (for example, CreateContainer, DeleteContainer) | 	 
+| `AuthenticationType` | `string` | The authentication method used to access the storage (for example, AccountKey, SAS, Oauth) | 	 
+| `AccountObjectId` | `string` | The unique identifier of the object is making the storage access | 	 
+| `AccountTenantId` | `long` | The unique identifier of the Azure tenant | 	 
+| `AccountApplicationId` | `string` | The application ID associated with the storage access | 	 
+| `AccountUpn` | `string` | The user principal name of the accessing user | 	 
+| `AccountType` | `long` | The account type used | 	 
+| `OperationsCount` | `int` | The total number of storage operations performed | 	 
+| `SuccessfulOperationsCount` | `int` | The count of successful storage operations | 	 
+| `FailedOperationsCount` | `int` | The count of failed storage operations | 	 
+| `FirstEventTimestamp` | `datetime` | The timestamp of the first observed operation in the aggregation period	| 	 
+| `LastEventTimestamp` | `datetime` | The timestamp of the last observed operation in the aggregation period | 	 
+| `TotalResponseLength` | `int` | The total response length of all GET operations during the aggregation period |
+| `SuccessfulReadOperations` | `int` | The count of successful read operations | 
+| `DistinctGetOperations` | `int` | The count of distinct GET operations performed | 
+| `AnonymousSuccessfulOperations` | `int` | The count of successful anonymous operations | 
+| `HasAnonymousResourceNotFoundFailures` | `bool` | Indicates whether anonymous resource not found failures occurred | 
+| `CountryName` | `string` | The name of the country from where the storage was accessed | 
+| `CityName` | `string` | The name of the city from where the storage was accessed | 
+| `ProvinceName` | `string` | The name of the province or state from where the storage was accessed | 
+| `ClientSystemServiceName` | `string` | The name of the system service is in the data center | 
+| `ClientCloudPlatformName` | `string` | The name of the cloud platform where the data center is located | 
+| `IsTorExitNode` | `bool` | Indicates whether the IP address is a Tor exit node | 
+| `IsKnownSuspiciousIp` | `bool` | Indicates whether the IP address is known to be suspicious | 
+| `IsPrivateIp` | `bool` | Indicates whether the IP address is private | 
+| `SuspiciousUserAgentName` | `string` | The name of the suspicious user agent accessing the storage | 
+| `HashReputationMd5List` | `object` | A list of MD5 hash reputations for the accessed resources | 
+| `AzureResourceId` | `string` | The Azure Resource ID of the storage account | 
+| `Location` | `string` | The location of the storage account (region) | 
+| `Timestamp` | `datetime` | Indicate the time when the record was generated | 
+| `ReportId` | `string` | GUID to identify the record in the specific table | 
+| `ActionType` | `string` | Type of action (aggregated logs) | 
+| `AdditionalFields` | `dynamic` | Additional information about the event in JSON array format | 
+
+
+## Sample queries
+
+To detect failed anonymous authentication attempts:
+
+```kusto
+CloudStorageAggregatedEvents
+| where FailedOperationsCount > 0
+| where AuthenticationType == "Anonymous"
+| project StorageAccount, FailedOperationsCount, OperationNamesList, AdditionalFields
+```
+
+To list unusual authentication methods used: 
+
+```kusto
+// Define a list of expected authentication types
+let ExpectedAuthTypes = dynamic(["AccountKey", "SAS", "Oauth"]);
+CloudStorageAggregatedEvents
+| where DataAggregationEndTime >= ago(7d)
+| where not(AuthenticationType in (ExpectedAuthTypes))
+| summarize TotalOperations = sum(OperationsCount) by StorageAccount, AuthenticationType
+```
+To find storage accounts with a high number of failed operations: 
+
+```kusto
+CloudStorageAggregatedEvents
+| where DataAggregationEndTime >= ago(7d)
+| summarize TotalFailedOperations = sum(FailedOperationsCount) by StorageAccount
+| where TotalFailedOperations > 100
+| order by TotalFailedOperations desc
+```
+
+To monitor anonymous successful operations: 
+
+```kusto
+CloudStorageAggregatedEvents
+| where DataAggregationEndTime >= ago(7d)
+| where AuthenticationType == "Anonymous" and SuccessfulOperationsCount > 0
+| project StorageAccount, SuccessfulOperationsCount, OperationNamesList, AdditionalFields
+```
+
+To detect access to sensitive containers or file shares:
+
+```kusto
+CloudStorageAggregatedEvents
+| where DataAggregationEndTime >= ago(7d)
+| where AuthenticationType == "Anonymous" and SuccessfulOperationsCount > 0
+| project StorageAccount, SuccessfulOperationsCount, OperationNamesList, AdditionalFields
+```
+
+To detect suspicious file uploads with known malicious hashes:
+
+```kusto
+CloudStorageAggregatedEvents
+| where DataAggregationEndTime >= ago(7d)
+| where isnotempty(Md5Hashes)
+| mv-expand HashReputation = Md5Hashes
+| extend HashDetails = parse_json(HashReputation)
+| project StorageAccount, AccountUpn, OperationNamesList, HashMd5 = HashDetails.md5Hash, ResourcePath = HashDetails.resourcePath, OperationType = HashDetails.operationType, ETag = HashDetails.etag
+```
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+