pulling from upstream

Author: batamig

.openpublishing.redirection.defender-xdr.json

@@ -170,6 +170,31 @@
       "redirect_url": "/defender-xdr/",
       "redirect_document_id": false
     },
+    {
+      "source_path": "defender-xdr/microsoft-threat-actor-naming.md",
+      "redirect_url": "/unified-secops-platform/microsoft-threat-actor-naming",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/malware-naming.md",
+      "redirect_url": "/unified-secops-platform/malware-naming",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/criteria.md",
+      "redirect_url": "/unified-secops-platform/criteria",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/submission-guide.md",
+      "redirect_url": "/unified-secops-platform/submission-guide",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/virus-initiative-criteria.md",
+      "redirect_url": "/unified-secops-platform/virus-initiative-criteria",
+      "redirect_document_id": false
+    },
     {
       "source_path": "defender-xdr/tickets.md",
       "redirect_url": "/defender-xdr/troubleshoot",
@@ -180,10 +205,60 @@
       "redirect_url": "/defender-xdr/troubleshoot",
       "redirect_document_id": false
     },
+    {
+      "source_path": "defender-xdr/mto-advanced-hunting.md",
+      "redirect_url": "/unified-secops-platform/mto-advanced-hunting",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-dashboard.md",
+      "redirect_url": "/unified-secops-platform/mto-dashboard",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-endpoint-security-policy.md",
+      "redirect_url": "/unified-secops-platform/mto-endpoint-security-policy",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-incidents-alerts.md",
+      "redirect_url": "/unified-secops-platform/mto-incidents-alerts",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-overview.md",
+      "redirect_url": "/unified-secops-platform/mto-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-requirements.md",
+      "redirect_url": "/unified-secops-platform/mto-requirements",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-tenant-devices.md",
+      "redirect_url": "/unified-secops-platform/mto-tenant-devices",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-tenantgroups.md",
+      "redirect_url": "/unified-secops-platform/mto-tenantgroups",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-tenants.md",
+      "redirect_url": "/unified-secops-platform/mto-tenants",
+      "redirect_document_id": false
+    },
     {
       "source_path": "defender-xdr/portals.md",
       "redirect_url": "/unified-secops-platform/overview-plan#understand-microsoft-security-portals-and-admin-centers",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/microsoft-sentinel-onboard.md",
+      "redirect_url": "/unified-secops-platform/microsoft-sentinel-onboard",
+      "redirect_document_id": false
     }
   ]
 }

ATADocs/media/ATA-windows-event-forwarding.jpg

@@ -50,9 +50,8 @@ Use the following steps to prepare for deploying Defender for Identity:
 1. [Plan your Defender for Identity capacity](capacity-planning.md).
 
 > [!TIP]
-> We recommend running the [*Test-MdiReadiness.ps1*](https://github.com/microsoft/Microsoft-Defender-for-Identity/tree/main/Test-MdiReadiness) script to test and see if your environment has the necessary prerequisites.
->
-> The link to the *Test-MdiReadiness.ps1* script is also available from Microsoft Defender XDR, on the **Identities > Tools** page (Preview).
+> We recommend running the [*Test-MdiReadiness.ps1*](https://github.com/microsoft/Microsoft-Defender-for-Identity/tree/main/Test-MdiReadiness) script to test and see if the servers in your environment have the necessary prerequisites.
+> You can use the [DefenderForIdentity PowerShell module](https://www.powershellgallery.com/packages/DefenderForIdentity/) to add the required auditing and configure the necessary settings.
 
 ## Deploy Defender for Identity
 
@@ -71,12 +70,12 @@ The following procedures help you complete the deployment process:
 
 - [**Enable and configure unified role-based access control (RBAC)**](../role-groups.md) for Defender for Identity.
 
-- [**Configure a Directory Service account (DSA) for use with Defender for Identity**](directory-service-accounts.md). While a DSA is optional in some scenarios, we recommend that you configure a DSA for Defender for Identity for full security coverage. For example, when you have a DSA configured, the DSA is used to connect to the domain controller at startup. A DSA can also be used to query the domain controller for data on entities seen in network traffic, monitored events, and monitored ETW activities
+- [**Configure a Directory Service account (DSA) for use with Defender for Identity**](directory-service-accounts.md). While a DSA is optional in some scenarios, we recommend that you configure a DSA for Defender for Identity for full security coverage. For example, when you have a DSA configured, the DSA is used to connect to the domain controller at startup. A DSA can also be used to query the domain controller for data on entities seen in network traffic, monitored events, and monitored ETW activities.
 
 - [**Configure remote calls to SAM**](remote-calls-sam.md) as needed. While this step is optional, we recommend that you configure remote calls to SAM-R for lateral movement path detection with Defender for Identity.
 
 > [!TIP]
-> By default, Defender for Identity sensors query the directory using LDAP on ports 389 and 3268. To switch to LDAPS on ports 636 and 3269, please open a support case. For more information, see [Microsoft Defender for Identity support](../support.md).
+> By default, Defender for Identity sensors query the directory using LDAP on ports 389 and 3268. To switch to LDAPS on ports 636 and 3269, open a support case. For more information, see [Microsoft Defender for Identity support](../support.md).
 >
 
 > [!IMPORTANT]

ATPDocs/deploy/deploy-defender-identity.md

@@ -146,7 +146,7 @@ Based on the data you review, you might want to create new or adjust app governa
 
 For more information, see:
 
-- [View and manage incidents and alerts](/microsoft-365/security/defender/mto-incidents-alerts)
+- [View and manage incidents and alerts](/unified-secops-platform/mto-incidents-alerts)
 - [View your app details with app governance](../app-governance-visibility-insights-view-apps.md)
 - [Create app policies in app governance](../app-governance-app-policies-create.md).
 
@@ -163,7 +163,7 @@ App governance uses machine learning-based detection algorithms to detect anomal
 
 For more information, see:
 
-- [View and manage incidents and alerts](/microsoft-365/security/defender/mto-incidents-alerts)
+- [View and manage incidents and alerts](/unified-secops-platform/mto-incidents-alerts)
 - [View your app details with app governance](../app-governance-visibility-insights-view-apps.md)
 - [Getting detailed information on an app](../app-governance-visibility-insights-view-apps.md#getting-detailed-information-on-an-app)
 
@@ -199,7 +199,7 @@ By default, there's no access or session policies deployed, and therefore no rel
 
 For more information, see:
 
-- [View and manage incidents and alerts](/microsoft-365/security/defender/mto-incidents-alerts)
+- [View and manage incidents and alerts](/unified-secops-platform/mto-incidents-alerts)
 - [Protect apps with Microsoft Defender for Cloud Apps Conditional Access app control](../proxy-intro-aad.md)
 - [Block and protect download of sensitive data to unmanaged or risky devices](../best-practices.md#block-and-protect-download-of-sensitive-data-to-unmanaged-or-risky-devices)
 - [Secure collaboration with external users by enforcing real-time session controls](../best-practices.md#secure-collaboration-with-external-users-by-enforcing-real-time-session-controls)
@@ -231,7 +231,7 @@ Create app discovery policies to start alerting and tagging newly discovered app
 
 For more information, see:
 
-- [View and manage incidents and alerts](/microsoft-365/security/defender/mto-incidents-alerts)
+- [View and manage incidents and alerts](/unified-secops-platform/mto-incidents-alerts)
 - [Cloud discovery policies](../policies-cloud-discovery.md)
 - [Create cloud discovery policies](../cloud-discovery-policies.md)
 - [Set up cloud discovery](../set-up-cloud-discovery.md)
@@ -298,7 +298,7 @@ Use the results of these queries to adjust existing file policies or create new
 
 For more information, see:
 
-- [View and manage incidents and alerts](/microsoft-365/security/defender/mto-incidents-alerts)
+- [View and manage incidents and alerts](/unified-secops-platform/mto-incidents-alerts)
 - [Information protection policies](../policies-information-protection.md).
 
 ## Related content

CloudAppSecurityDocs/ops-guide/ops-guide-daily.md

@@ -234,6 +234,8 @@
               href: mac-troubleshoot-mode.md
             - name: Troubleshoot macOS installation issues
               href: mac-support-install.md
+            - name: Troubleshoot macOS configuration
+              href: mac-support-configuration.md
             - name: Troubleshoot macOS performance issues overview
               href: mac-support-perf-overview.md
               displayName: Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS
@@ -259,7 +261,7 @@
             items:
             - name: Defender for Endpoint on Linux for ARM64-based devices (preview)
               href: mde-linux-arm.md
-            - name: Installer script
+            - name: Installer script based deployment
               href: linux-installer-script.md
             - name: Ansible based deployment
               href: linux-install-with-ansible.md
@@ -1532,17 +1534,21 @@
     - name: Microsoft Security Resources
       items: 
         - name: Threat actor naming
-          href: /defender-xdr/microsoft-threat-actor-naming
+          href: /unified-secops-platform/microsoft-threat-actor-naming
+
         - name: Malware names
-          href: /defender-xdr/malware-naming
+          href: /unified-secops-platform/malware-naming
+
         - name: How Microsoft identifies malware and PUA
           href: /defender-xdr/criteria
         - name: Submit files for analysis
-          href: /defender-xdr/submission-guide
+          href: /unified-secops-platform/submission-guide
+
         - name: Troubleshoot MSI portal errors caused by admin block
           href: /defender-xdr/portal-submission-troubleshooting
         - name: Microsoft virus initiative
-          href: /defender-xdr/virus-initiative-criteria
+          href: /unified-secops-platform/virus-initiative-criteria
+
         - name: Software developer FAQ
           href: /defender-xdr/developer-faq        
     - name: Malware information

defender-endpoint/TOC.yml

@@ -116,7 +116,7 @@ In this scenario, a legitimate app is blocked from writing to folders that are p
 
 In this scenario, a third-party app that isn't a threat is detected and identified as malicious by Microsoft Defender Antivirus.
 
-**How to address**: Submit the app to Microsoft for analysis. See [How to submit a file to Microsoft for analysis](/defender-xdr/submission-guide#how-do-i-submit-a-file-to-microsoft-for-analysis).
+**How to address**: Submit the app to Microsoft for analysis. See [How to submit a file to Microsoft for analysis](/unified-secops-platform/submission-guide#how-do-i-submit-a-file-to-microsoft-for-analysis).
 
 ### An app is incorrectly detected and identified as malicious by Defender for Endpoint
 

defender-endpoint/address-unwanted-behaviors-mde.md

@@ -26,7 +26,7 @@ ms.date: 10/17/2024
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
 
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-advancedfeats-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
 Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with.
 
@@ -44,7 +44,7 @@ Use the following advanced features to get better protected from potentially mal
 
 ## Restrict correlation to within scoped device groups
 
-This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. By turning on this setting, an incident composed of alerts that cross-device groups will no longer be considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC will see several different incidents by device group instead of one incident. We don't recommend turning on this setting unless doing so outweighs the benefits of incident correlation across the entire organization.
+This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. When this setting is turned on, an incident composed of alerts that cross-device groups are no longer considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC sees several different incidents by device group instead of one incident. We don't recommend turning on this setting unless doing so outweighs the benefits of incident correlation across the entire organization.
 
 > [!NOTE]
 > - Changing this setting impacts future alert correlations only.
@@ -57,7 +57,7 @@ Endpoint detection and response (EDR) in block mode provides protection from mal
 
 ## Automatically resolve alerts
 
-Turn this setting on to automatically resolve alerts where no threats were found or where detected threats were remediated. If you don't want to have alerts auto resolved, you'll need to manually turn off the feature.
+Turn on this setting to automatically resolve alerts where no threats were found or where detected threats were remediated. If you don't want to have alerts auto resolved, you'll need to manually turn off the feature.
 
 > [!NOTE]
 > - The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device.

defender-endpoint/advanced-features.md

@@ -27,7 +27,7 @@ search.appverid: met150
 - [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
 Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts.
 

defender-endpoint/alerts-queue-endpoint-detection-response.md

@@ -24,7 +24,7 @@ search.appverid: met150
 **Applies to:**
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-alertsq-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
 The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 7 days in a grouped view. The most recent alerts are shown at the top of the list helping you see the most recent alerts first.
 

defender-endpoint/alerts-queue.md

@@ -2,9 +2,9 @@
 title: Configure Microsoft Defender for Endpoint on Android features
 description: Describes how to configure Microsoft Defender for Endpoint on Android
 ms.service: defender-endpoint
-ms.author: priyankagill
-author: priyankagill
-ms.reviewer: priyankagill
+ms.author: ewalsh
+author: emmwalshh
+ms.reviewer: denishdonga
 ms.localizationpriority: medium
 manager: deniseb
 audience: ITPro
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: android
 search.appverid: met150
-ms.date: 11/22/2024
+ms.date: 02/11/2025
 ---
 
 # Configure Defender for Endpoint on Android features
@@ -38,6 +38,7 @@ For more information about how to set up Defender for Endpoint on Android and Co
 > [!NOTE]
 > Defender for Endpoint on Android only supports creating custom indicators for IP addresses and URLs/domains.
 > 
+> IP `245.245.0.1` is an internal Defender IP and should not be included in custom indicators by customers to avoid any functionality issues.
 > Also, alerts for custom indicators are currently not supported for Defender for Endpoint on Android.
 
 Defender for Endpoint on Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Overview of indicators](indicators-overview.md).
@@ -332,4 +333,5 @@ Use the following steps to configure the Device tags:
 - [Overview of Microsoft Defender for Endpoint on Android](microsoft-defender-endpoint-android.md)
 
 - [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](android-intune.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]