Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into patch-1

Author: yelevin

ATPDocs/whats-new.md

@@ -22,6 +22,22 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
+## December 2024
+
+### New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
+
+Defender for Identity has added the new **Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)** recommendation in Microsoft Secure Score.
+
+This recommendation directly addresses the recently published [CVE-2024-49019](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49019), which highlights security risks associated with vulnerable AD CS configurations. This security posture assessment lists all vulnerable certificate templates found in customer environments due to unpatched AD CS servers.
+
+The new recommendation is added to other AD CS-related recommendations. Together, these assessments offer security posture reports that surface security issues and severe misconfigurations that post risks to the entire organization, together with related detections.
+
+For more information, see:
+
+- [Security assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)](https://go.microsoft.com/fwlink/?linkid=2296922)
+
+- [Microsoft Defender for Identity's security posture assessments](security-assessment.md)
+
 ## October 2024
 
 ### MDI is expanding coverage with new 10 Identity posture recommendations (preview)
@@ -532,6 +548,7 @@ This version includes improvements and bug fixes for cloud services and the Defe
 
 - [What is Microsoft Defender for Identity?](what-is.md)
 - [Frequently asked questions](technical-faq.yml)
+
 - [Defender for Identity prerequisites](prerequisites.md)
 - [Defender for Identity capacity planning](capacity-planning.md)
 - [Check out the Defender for Identity forum!](<https://aka.ms/MDIcommunity>)

CloudAppSecurityDocs/anomaly-detection-policy.md

@@ -141,10 +141,6 @@ These policies look for activities within a single session with respect to the b
 
 * This detection identifies users that failed multiple login attempts in a single session with respect to the baseline learned, which could indicate on a breach attempt.
 
-### Data exfiltration to unsanctioned apps
-
-* This policy is automatically enabled to alert you when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
-
 ### Multiple delete VM activities
 
 * This policy profiles your environment and triggers alerts when users delete multiple VMs in a single session, relative to the baseline in your organization. This might indicate an attempted breach.

CloudAppSecurityDocs/api-entities.md

@@ -1,7 +1,7 @@
 ---
 title: Entities API
 description: This article provides information about using the Entities API.
-ms.date: 01/29/2023
+ms.date: 11/28/2024
 ms.topic: reference
 ---
 # Entities API
@@ -32,7 +32,7 @@ The following table describes the supported filters:
 | entity | entity pk | eq, neq | Filter entities with specific entities pks. If a user is selected, this filter also returns all of the user's accounts. Example: `[{ "id": "entity-id", "inst": 0 }]` |
 | userGroups |string | eq, neq | Filter entities by their associated group IDs |
 | app | integer | eq, neq | Filter entities using services with the specified SaaS ID for example: 11770 |
-| instance | integer | eq, neq | Filter entities using services with the specified Appstances (SaaS ID and Instance ID), for example: 11770, 1059065 |
+| instance | integer | eq, neq | Filter entities using services with the specified app instances (SaaS ID and Instance ID). For example: 11770, 1059065 |
 | isExternal | boolean | eq | The entity's affiliation. Possible values include:<br /><br />**true**: External<br />**false**: Internal<br />**null**: No value |
 | domain | string | eq, neq, isset, isnotset | The entity's related domain |
 | organization | string | eq, neq, isset, isnotset | Filter entities with the specified organization unit |

CloudAppSecurityDocs/file-filters.md

@@ -11,6 +11,15 @@ To provide data protection, Microsoft Defender for Cloud Apps gives you visibili
 
 > [!IMPORTANT]
 > Starting **September 1, 2024**, we'll be phasing out the **Files** **page** from Microsoft Defender for Cloud Apps. Core functionalities of the Files page will be available on the **Cloud apps > Policies > Policy Management** page. We recommend using the Policy Management page to investigate files and to create, modify, and filter Information Protection policies and Malware files. For more information, see [File policies in Microsoft Defender for Cloud Apps](data-protection-policies.md).
+>
+
+>[!NOTE]
+> **Query Size Limitation in Files Policy Filters and "Edit and Preview Results"**
+>
+> - When creating or editing a file policy, or when using the "Edit and preview results" option, there is a query size limitation. This limitation ensures optimal performance and prevents system overload.
+> - If your query exceeds the allowed size, you may need to refine your criteria or use other filters to fit within the acceptable limits. For example, if the policy involves "collaborators" criteria that includes the group "everyone" or "everyone except external users" it may cause a failure due to  query size limitation.
+> - Please note that if the query exceeds the size limitation, the system will not specify which filter caused the failure.
+
 ## Enable file monitoring
 
 To enable file monitoring for Defender for Cloud Apps, first turn on file monitoring in the **Settings** area. In the Microsoft Defender portal, select **Settings** > **Cloud Apps** > **Information Protection** > **Files** > **Enable file monitoring** > **Save**.

CloudAppSecurityDocs/protect-egnyte.md

@@ -1,7 +1,7 @@
 ---
 title: Protect your Egnyte environment (Preview) | Microsoft Defender for Cloud Apps
 description: Learn how about connecting your Egnyte app to Defender for Cloud Apps using the API connector.
-ms.date: 12/05/2023
+ms.date: 12/12/2024
 ms.topic: how-to
 ---
 # How Defender for Cloud Apps helps protect your Egnyte environment
@@ -77,9 +77,9 @@ This section describes how to connect Microsoft Defender for Cloud Apps to your
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**. Make sure the status of the connected App Connector is **Connected**.
 
 >[!NOTE]
->Microsoft recommends using a short lived access token. Egnyte doesn't currently support short lived tokens. We recommend our customers to refresh the access token every 6 months as a security best practice.
->To refresh the access token, revoke the old token by following [Revoking an oAuth token](https://developers.egnyte.com/docs/read/Public_API_Authentication#Revoking-an-OAuth-Token).
->Once the old token is revoked, reconnect the Egnyte connector by following the process documented above.
+>- Microsoft recommends using a short lived access token. Egnyte doesn't currently support short lived tokens. We recommend our customers to refresh the access token every 6 months as a security best practice. To refresh the access token, revoke the old token by following [Revoking an oAuth token](https://developers.egnyte.com/docs/read/Public_API_Authentication#Revoking-an-OAuth-Token). Once the old token is revoked, reconnect the Egnyte connector by following the process documented above.
+>
+>- Defender for Cloud Apps intentionally provides a lower rate limit than Egnyte's maximum to avoid exceeding the API constraints. For more infomration, see the relevant Egnyte documentation: [Rate limiting](https://developers.egnyte.com/docs/read/Best_Practices) | [Audit Reporting API v2](https://developers.egnyte.com/docs/read/Audit_Reporting_API_V2)
 
 ## Next steps
 

CloudAppSecurityDocs/protect-servicenow.md

@@ -1,7 +1,7 @@
 ---
 title: Protect your ServiceNow environment | Microsoft Defender for Cloud Apps
 description: Learn how about connecting your ServiceNow app to Defender for Cloud Apps using the API connector.
-ms.date: 12/26/2023
+ms.date: 12/12/2024
 ms.topic: how-to
 ---
 
@@ -45,7 +45,8 @@ In Secure Score, select **Recommended actions** and filter by **Product** = **Se
 
 For more information, see:
 -	[Security posture management for SaaS apps](security-saas.md)
--	[Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
+-	[Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score
+)
 
 ## Control ServiceNow with built-in policies and policy templates
 
@@ -154,11 +155,11 @@ For more information, see the [ServiceNow product documentation](https://docs.se
 1. Establish an internal procedure to ensure that the connection remains alive. A couple of days before the expected expiration of the refresh token lifespan.
 Revoke to the old refresh token. We don't recommend keeping old keys for security reasons.
 
-    1. On the ServiceNow pane, search for System OAuth, and then select Manage Tokens.
+    1. On the ServiceNow pane, search for **System OAuth**, and then select **Manage Tokens**.
 
     1. Select the old token from the list according to the OAuth name and expiration date.
 
-    1. Select Revoke Access > Revoke.
+    1. Select **Revoke Access > Revoke**.
       
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**.
 
@@ -181,7 +182,7 @@ Revoke to the old refresh token. We don't recommend keeping old keys for securit
 
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**. Make sure the status of the connected App Connector is **Connected**.
 
-After connecting ServiceNow, you'll receive events for seven days prior to connection.
+After connecting ServiceNow, you'll receive events for 1 hour prior to connection.
 
 ### Legacy ServiceNow connection
 
@@ -210,7 +211,7 @@ To connect ServiceNow with Defender for Cloud Apps, you must have admin-level pe
 
 1. Select **Connect**.
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**. Make sure the status of the connected App Connector is **Connected**.
-After connecting ServiceNow, you'll receive events for seven days prior to connection.
+After connecting ServiceNow, you'll receive events for one hour prior to connection.
 
 If you have any problems connecting the app, see [Troubleshooting App Connectors](troubleshooting-api-connectors-using-error-messages.md).
 

defender-business/mdb-onboard-devices.md

@@ -9,7 +9,7 @@ audience: Admin
 ms.topic: overview
 ms.service: defender-business
 ms.localizationpriority: medium
-ms.date: 06/19/2024
+ms.date: 12/12/2024
 ms.reviewer: efratka, nehabha, muktaagarwal
 f1.keywords: NOCSH
 ms.collection:
@@ -274,7 +274,7 @@ After a device is enrolled in Intune, you can add it to a device group. [Learn m
 ## Servers
 
 > [!NOTE]
-> If you're planning to onboard an instance of Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers). Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers). To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?
+> If you're planning to onboard an instance of Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers). 
 
 Choose the operating system for your server:
 

defender-endpoint/TOC.yml

@@ -137,9 +137,10 @@
             - name: Migrating devices to streamlined method
               href: migrate-devices-streamlined.md
 
-        - name: Onboarding Windows Client
+        - name: Onboard client devices
+          href: onboard-client.md
           items:
-          - name: Onboarding Windows Client overview
+          - name: Onboarding Windows client overview
             href: onboard-windows-client.md
           - name: Defender for Endpoint plug-in for WSL
             href: mde-plugin-wsl.md
@@ -158,7 +159,8 @@
           - name: Onboard previous versions of Windows
             href: onboard-downlevel.md
 
-        - name: Onboarding Windows Server
+        - name: Onboard server devices
+          href: onboard-server.md
           items:
           - name: Onboarding Windows Server overview
             href: onboard-windows-server.md
@@ -285,7 +287,7 @@
               href: linux-schedule-scan-mde.md
             - name: Schedule antivirus scan in Defender for Endpoint on Linux
               href: schedule-antivirus-scan-in-mde.md
-            - name: Schedule an update of the Microsoft Defender for Endpoint (Linux)
+            - name: Schedule an update for Microsoft Defender for Endpoint on Linux
               href: linux-update-MDE-Linux.md
             - name: Configure eBPF-based sensor
               href: linux-support-ebpf.md 

defender-endpoint/android-configure.md

@@ -37,6 +37,8 @@ For more information about how to set up Defender for Endpoint on Android and Co
 
 > [!NOTE]
 > Defender for Endpoint on Android only supports creating custom indicators for IP addresses and URLs/domains.
+> 
+> Also, alerts for custom indicators are currently not supported for Defender for Endpoint on Android.
 
 Defender for Endpoint on Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Overview of indicators](indicators-overview.md).