Merge pull request #711 from MicrosoftDocs/metadata

denisebmsft · web-flow · commit d05f3a14db1a · 2024-06-14T10:23:51.000-07:00
Metadata
diff --git a/defender-xdr/additional-information-xdr.md b/defender-xdr/additional-information-xdr.md
@@ -2,7 +2,6 @@
 title: Important considerations related to Defender Experts for XDR
 ms.reviewer:
 description: Additional information and important considerations related to Defender Experts for XDR
-keywords: XDR, managed response, incident response, managed threat hunting, managed detection and response (MDR) service, readiness assessment, real-time visibility with XDR experts, Additional information related to XDR, benefits of microsoft xdr
 ms.service: defender-experts
 ms.subservice: dex-xdr
 ms.mktglfcycl: deploy
diff --git a/defender-xdr/custom-detections-overview.md b/defender-xdr/custom-detections-overview.md
@@ -1,6 +1,6 @@
 ---
 title: Overview of custom detections in Microsoft Defender XDR
-description: Understand how you can use advanced hunting to create custom detections and generate alerts
+description: Understand how you can use advanced hunting to create custom detections and generate alerts.
 search.appverid: met150
 ms.service: defender-xdr
 ms.subservice: adv-hunting
@@ -11,9 +11,9 @@ author: schmurky
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: m
-    - m365-security
-    - tier2
+ms.collection:
+- m365-security
+- tier2
 ms.topic: conceptual
 ms.date: 02/16/2021
 ---
diff --git a/defender-xdr/integrate-microsoft-365-defender-secops-services.md b/defender-xdr/integrate-microsoft-365-defender-secops-services.md
@@ -1,7 +1,6 @@
 ---
 title: Step 3. Plan for Microsoft Defender XDR integration with your SOC catalog of services
 description: The basics of integrating Microsoft Defender XDR into your security operations catalog of services.
-keywords: incidents, alerts, investigate, correlation, attack, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack, secops, security operations, soc
 ms.service: defender-xdr
 f1.keywords: 
   - NOCSH
diff --git a/defender-xdr/microsoft-secure-score-history-metrics-trends.md b/defender-xdr/microsoft-secure-score-history-metrics-trends.md
@@ -1,7 +1,6 @@
 ---
 title: Track your Microsoft Secure Score history and meet goals
 description: Gain insights into activity that has affected your Microsoft Secure Score. Discover trends and set goals.
-keywords: microsoft secure score, secure score, office 365 secure score, microsoft security score, Microsoft Defender portal, recommended actions
 ms.service: defender-xdr
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
diff --git a/defender-xdr/microsoft-secure-score-improvement-actions.md b/defender-xdr/microsoft-secure-score-improvement-actions.md
@@ -1,9 +1,7 @@
 ---
 title: Assess your security posture through Microsoft Secure Score
 description: Describes how to take action to improve your Microsoft Secure Score in the Microsoft Defender portal.
-keywords: microsoft secure score, secure score, office 365 secure score, microsoft security score, Microsoft Defender portal, recommended actions
 ms.service: defender-xdr
-ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 f1.keywords:
   - NOCSH
diff --git a/defender-xdr/microsoft-threat-actor-naming.md b/defender-xdr/microsoft-threat-actor-naming.md
@@ -2,7 +2,6 @@
 title: How Microsoft names threat actors
 ms.reviewer: 
 description: Learn how Microsoft names threat actors and how to use the naming convention to identify associated intelligence.
-keywords: security, threat actor, security intelligence, naming convention, taxonomy, weather, threat actor naming, motivation, attribution, nation-state, financially motivated, private sector offensive actor, influence operations, groups in development, DEV-, nation state
 ms.service: defender-xdr
 ms.mktglfcycl: secure
 ms.sitesec: library
diff --git a/defender-xdr/mssp-access.md b/defender-xdr/mssp-access.md
@@ -1,9 +1,7 @@
 ---
 title: Provide managed security service provider (MSSP) access
 description: Learn about changes from the Microsoft Defender Security Center to the Microsoft Defender portal
-keywords: Getting started with the Microsoft Defender portal, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, MDO, MDE, single pane of glass, converged portal, security portal, defender security portal
 ms.service: defender-xdr
-ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 f1.keywords:
 - NOCSH
@@ -32,7 +30,7 @@ ms.date: 02/16/2021
 - [Microsoft Defender XDR](microsoft-365-defender.md)
 - [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
 
-To implement a multi-tenant delegated access solution, take the following steps:
+To implement a multitenant delegated access solution, take the following steps:
 
 1. Enable [role-based access control](/defender-endpoint/rbac) for Defender for Endpoint via the Microsoft Defender portal and connect with Microsoft Entra groups.
 
@@ -46,7 +44,7 @@ To implement a multi-tenant delegated access solution, take the following steps:
 
 1. **Create access groups for MSSP resources in Customer Microsoft Entra ID: Groups**
 
-    These groups will be linked to the Roles you create in Defender for Endpoint in Microsoft Defender portal. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
+    These groups are linked to the Roles you create in Defender for Endpoint in Microsoft Defender portal. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
 
     - Tier 1 Analyst
     - Tier 2 Analyst
@@ -74,15 +72,15 @@ To implement a multi-tenant delegated access solution, take the following steps:
 
 1. **Add MSSP as Connected Organization in Customer Microsoft Entra ID: Identity Governance**
 
-    Adding the MSSP as a connected organization will allow the MSSP to request and have accesses provisioned. 
+    Adding the MSSP as a connected organization allows the MSSP to request and have accesses provisioned. 
 
     To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate AD tenant for your MSSP Analysts.
 
 2. **Create a resource catalog in Customer Microsoft Entra ID: Identity Governance**
 
     Resource catalogs are a logical collection of access packages, created in the customer AD tenant.
 
-    To do so, in the customer AD tenant,  access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**.
+    To do so, in the customer AD tenant,  access Identity Governance: Catalogs, and add **New Catalog**. In our example, we'll call it **MSSP Accesses**.
 
     :::image type="content" source="/defender/media/goverance-catalog.png" alt-text="A new catalog in the Microsoft Defender portal" lightbox="/defender/media/goverance-catalog.png":::
 
@@ -91,7 +89,7 @@ To implement a multi-tenant delegated access solution, take the following steps:
 
 3. **Create access packages for MSSP resources Customer Microsoft Entra ID: Identity Governance**
 
-    Access packages are the collection of rights and accesses that a requestor will be granted upon approval. 
+    Access packages are the collection of rights and accesses that a requestor grants upon approval. 
 
     To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
 
@@ -106,7 +104,7 @@ To implement a multi-tenant delegated access solution, take the following steps:
 
 4. **Provide access request link to MSSP resources from Customer Microsoft Entra ID: Identity Governance**
 
-    The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**.
+    The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link might be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**.
 
     :::image type="content" source="/defender/media/access-properties.png" alt-text="The access properties in the Microsoft Defender portal" lightbox="/defender/media/access-properties.png":::
 
diff --git a/defender-xdr/portal-submission-troubleshooting.md b/defender-xdr/portal-submission-troubleshooting.md
@@ -2,10 +2,7 @@
 title: Troubleshoot Microsoft Security intelligence malware submission errors caused by administrator block
 description: Troubleshoot MSI portal errors
 ms.reviewer:
-keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn't detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn't detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence
 ms.service: microsoft-365-security
-ms.mktglfcycl: secure
-ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: dansimp
 author: dansimp
diff --git a/defender-xdr/preview.md b/defender-xdr/preview.md
@@ -1,12 +1,7 @@
 ---
 title: Preview features in Microsoft Defender XDR
 description: Learn about new features in Microsoft 365 security
-keywords: preview, new, m365 security, security, 365, capabilities
-search.product: eADQiWindows 10XVcnh
 ms.service: defender-xdr
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 f1.keywords: 
   - NOCSH
 ms.author: dansimp
diff --git a/defender-xdr/reports-xdr.md b/defender-xdr/reports-xdr.md
@@ -2,12 +2,8 @@
 title: Defender experts for XDR report 
 ms.reviewer:
 description: Defender Experts for XDR includes an interactive, on-demand report that provides a clear summary of our expert analysts.
-keywords: XDR, extended detection and response, managed detection and response in defender experts for XDR, Defender xdr reports, XDR report, impacted assets, avergae time to resolve incidents, view incidents, resolved directly
 ms.service: defender-experts
 ms.subservice: dex-xdr
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 ms.author: vpattnaik
 author: vpattnai
 ms.localizationpriority: medium
diff --git a/defender-xdr/respond-first-incident-analyze.md b/defender-xdr/respond-first-incident-analyze.md
@@ -1,12 +1,7 @@
 ---
 title: Analyze your first incident in Microsoft Defender XDR
 description: Investigation essentials in analysis of your first incident in Microsoft Defender XDR.
-keywords: incidents, alerts, attack story, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack, incident analysis, threat analysis, threat investigation, incident investigation
-search.product: eADQiWindows 10XVcnh
 ms.service: defender-xdr
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 f1.keywords:
   - NOCSH
 ms.author: diannegali
diff --git a/defender-xdr/security-copilot-m365d-incident-summary.md b/defender-xdr/security-copilot-m365d-incident-summary.md
@@ -1,11 +1,7 @@
 ---
 title: Summarize incidents with Microsoft Copilot in Microsoft Defender
 description: Generate incident summaries with Microsoft Copilot embedded in Microsoft Defender.
-keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, guided response, incident response playbooks, incident response, summary, summarize incident, summarize incidents, incident overview, write incident summary, Microsoft Copilot for Security, Copilot in Defender, Microsoft Defender
 ms.service: defender-xdr
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 f1.keywords:
   - NOCSH
 ms.author: diannegali
diff --git a/defender-xdr/security-copilot-m365d-script-analysis.md b/defender-xdr/security-copilot-m365d-script-analysis.md
@@ -1,11 +1,7 @@
 ---
 title: Script analysis with Microsoft Copilot in Microsoft Defender
 description: Use Microsoft Copilot script analysis in Microsoft Defender to investigate scripts and command lines.
-keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, powershell, powershell analysis, bash, batch, bash analysis, batch analysis, code analysis, code analyzer, security copilot script analysis, copilot in security script analysis, security copilot script analysis in Microsoft Defender XDR, Microsoft Copilot for Security, Microsoft Defender, Copilot in Defender
 ms.service: defender-xdr
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 f1.keywords:
   - NOCSH
 ms.author: diannegali
diff --git a/defender-xdr/session-cookie-theft-alert.md b/defender-xdr/session-cookie-theft-alert.md
@@ -1,12 +1,8 @@
 ---
 title: Alert grading for session cookie theft alert
-description: Review, manage and grade the session cookie theft alert as True Positive (TP) or False Positive (FP), and if there is TP, take recommended actions to remediate the attack and mitigate the security risks arising because of it.
-keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, cookie theft, AiTM, Attacker-in-the-middle, Adversary-in-the-middle, session theft, aitm cookie theft, aitm session theft.
+description: Review, manage, and grade the session cookie theft alert as True Positive (TP) or False Positive (FP), and if there's TP, take recommended actions to remediate the attack and mitigate the security risks arising because of it.
 search.appverid: met150
 ms.service: defender-xdr
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 f1.keywords: 
 - NOCSH
 ms.author: dansimp
@@ -37,11 +33,11 @@ This article contains information about alert grading for Session Cookie theft a
 - **Stolen session cookie was used**
 - **Authentication request from AiTM-related phishing page**
 
-Threat actors have started using innovative ways to infiltrate their target environments. Taking inspiration from Adversary-in-the-Middle attacks, this type of attack uses phishing to steal credentials or their sign-in session in order to carry out malicious actions. BEC campaigns are an excellent example.
+Threat actors use innovative ways to infiltrate their target environments. Taking inspiration from Adversary-in-the-Middle attacks, this type of attack uses phishing to steal credentials or their sign-in session in order to carry out malicious actions. BEC campaigns are an excellent example.
 
 This attack works by setting up an intermediate (phishing) site, effectively working as a proxy connection between the user and the legitimate website that the attacker is impersonating. By acting as an intermediary (proxy), the attacker is able to steal the target's password and session cookie. The attacker is therefore able to authenticate to a legitimate session as they're authenticating on behalf of the user.
 
-This playbook helps in investigating cases where suspicious behavior is observed indicative of an Attack-in-the-middle (AiTM) type of attack for cookie theft. This helps security teams like security operations center (SOC) and IT administrators to review, manage and grade the alerts as True Positive (TP) or False Positive (FP), and if it's TP, take recommended actions to remediate the attack and mitigate the security risks arising because of it.
+This playbook helps in investigating cases where suspicious behavior is observed indicative of an Attack-in-the-middle (AiTM) type of attack for cookie theft. This helps security teams like security operations center (SOC) and IT administrators to review, manage, and grade the alerts as True Positive (TP) or False Positive (FP), and if it's TP, take recommended actions to remediate the attack and mitigate the security risks arising because of it.
 
 The results of using this playbook are:
 
@@ -78,7 +74,7 @@ The results of using this playbook are:
     - Look for mail flow events [EmailEvents & EmailUrlInfo on NetworkMessageId] where the multiple emails are sent with the same Url.
         - Follow up with inspecting whether an increase or a high volume of mail deletion (ActivityType as Trash or Delete) is observed `[CloudAppEvents]` for the mailbox account.
         - Matching behavior could be deemed as highly suspicious.
-    - Examine device events for Url events that match click events `[DeviceEvents on AccountName|AccountUpn]` for Office365 emails.
+    - Examine device events for Url events that match click events `[DeviceEvents on AccountName|AccountUpn]` for Office 365 emails.
         - Matching the events for click sources (for example, different IP addresses for the same Url) could be an indication of malicious behavior.
 
 ## Advanced hunting queries
@@ -89,14 +85,14 @@ Use these queries to gather more information related to the alert and determine
 Ensure you have access to the following tables:
 
 - AadSignInEventsBeta - contains sign-in information for users.
-- IdentityLogonEvents - contains logon information for users.
+- IdentityLogonEvents - contains sign-in information for users.
 - CloudAppEvents - contains audit logs of user activities.
 - EmailEvents - contains mail flow/traffic information.
 - EmailUrlInfo - contains Url information contained in emails.
 - UrlClickEvents - contains Url click logs for Urls that were clicked in the emails.
 - DeviceEvents - contains device activity audit events.
 
-Use the query below to identify suspicious logon behavior:
+Use the query below to identify suspicious sign-in behavior:
 
 ```kusto
 let OfficeHomeSessionIds = 
diff --git a/defender-xdr/setup-m365deval.md b/defender-xdr/setup-m365deval.md
@@ -1,13 +1,8 @@
 ---
 title: Set up your Microsoft Defender XDR trial lab or pilot environment
 description: Access Microsoft Defender portal then set up your Microsoft Defender XDR trial lab environment
-keywords: Microsoft Defender XDR trial setup, Microsoft Defender XDR pilot setup, try Microsoft Defender XDR, Microsoft Defender XDR evaluation lab setup
-search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.service: defender-xdr
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 ms.author: dansimp
 author: dansimp
 ms.localizationpriority: medium
diff --git a/defender-xdr/start-using-mdex-xdr.md b/defender-xdr/start-using-mdex-xdr.md
@@ -2,12 +2,8 @@
 title: How to use the Microsoft Defender Experts for XDR service
 ms.reviewer:
 description: Defender Experts for XDR helps prioritize and customize recommendations to fit your environment
-keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Managed response in Teams, real-time visibility with XDR experts, threat hunting and analysis, incidents by category, impacted assets
 ms.service: defender-experts
 ms.subservice: dex-xdr
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 ms.author: vpattnaik
 author: vpattnai
 ms.localizationpriority: medium
diff --git a/defender-xdr/streaming-api-storage.md b/defender-xdr/streaming-api-storage.md
@@ -1,13 +1,8 @@
 ---
 title: Stream Microsoft Defender XDR events to your Storage account
 description: Learn how to configure Microsoft Defender XDR to stream Advanced Hunting events to your Storage account.
-keywords: raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
-search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.service: defender-xdr
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
diff --git a/defender-xdr/streaming-api.md b/defender-xdr/streaming-api.md
@@ -1,7 +1,6 @@
 ---
 title: Stream Microsoft Defender XDR events
 description: Learn how to configure Microsoft Defender XDR to stream Advanced Hunting events to Event Hubs or Azure storage account
-keywords: raw data export, streaming API, API, Event hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
 search.appverid: met150
 ms.service: defender-xdr
 ms.author: macapara
diff --git a/defender-xdr/submission-guide.md b/defender-xdr/submission-guide.md
@@ -2,10 +2,7 @@
 title: Submit files for analysis by Microsoft
 description: Learn how to submit files to Microsoft for malware analysis, how to track your submissions, and dispute detections.
 ms.reviewer:
-keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn't detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn't detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence
 ms.service: defender-xdr
-ms.mktglfcycl: secure
-ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: dansimp
 author: dansimp
diff --git a/defender-xdr/supported-event-types.md b/defender-xdr/supported-event-types.md
@@ -1,13 +1,8 @@
 ---
 title: Microsoft Defender XDR streaming event types supported in Event Streaming API
 description: Learn which streaming event types (tables) are supported by the streaming API
-keywords: raw data export, Streaming API, API, Event hubs, Azure storage, storage account, Hunting, raw data sharing
-search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.service: defender-xdr
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
