Merge pull request #2004 from MicrosoftDocs/main

OOB publish main to live for PR 1869

Author: garycentric

defender-endpoint/microsoft-defender-core-service-overview.md

@@ -7,7 +7,7 @@ manager: deniseb
 ms.service: defender-endpoint
 ms.subservice: ngp
 ms.topic: overview
-ms.date: 06/21/2024
+ms.date: 11/25/2024
 search.appverid: met150
 ms.localizationpriority: medium
 audience: ITPro
@@ -32,6 +32,8 @@ To enhance your endpoint security experience, Microsoft is releasing the Microso
    - Mid April 2024 to Enterprise customers running Windows clients.
    - Beginning of July 2024 to U.S. Government customers running Windows clients.
 
+   - Mid January 2025 to Enterprise customers running Windows Server.
+      
 3. If you're using the Microsoft Defender for Endpoint **streamlined** device connectivity experience, you don't need to add any other URLs.
 
 4. If you're using the Microsoft Defender for Endpoint **standard** device connectivity experience:

defender/index.yml

@@ -227,4 +227,4 @@ additionalContent:
         - url: /azure/defender-for-cloud/defender-for-resource-manager-introduction
           text: Microsoft Defender for Resource Manager
         - url: /azure/defender-for-cloud/defender-for-databases-introduction
-          text: Microsoft Defender for open-source relational databases
+          text: Microsoft Defender for open-source relational databases

unified-secops-platform/TOC.yml

@@ -0,0 +1,23 @@
+- name: "Microsoft Defender"
+  tocHref: /defender/
+  topicHref: /defender/index
+  items:
+  - name: "Microsoft's unified SecOps platform"
+    tocHref: /unified-secops-platform/
+    topicHref: /unified-secops-platform/index
+  - name: "Microsoft's unified SecOps platform"
+    tocHref: /security/zero-trust/
+    topicHref: /defender-xdr/unified-secops-platform/index
+  - name: "Microsoft's unified SecOps platform"
+    tocHref: /defender-for-identity/
+    topicHref: /defender-xdr/unified-secops-platform/index
+    
+## Azure override
+- name: "Microsoft Defender"
+  tocHref: /azure/
+  topicHref: /defender/index
+  items:
+  - name: "Microsoft's unified SecOps platform"
+    tocHref: /azure/sentinel/
+    topicHref: /unified-secops-platform/index
+

unified-secops-platform/breadcrumb/toc.yml

@@ -1,79 +1,87 @@
 ---
 title: Microsoft Defender XDR in the Defender portal 
-description: Learn about Microsoft Defender XDR in the Defender portal
+description: Learn about the services and features available with Microsoft Defender XDR in the Microsoft Defender portal.
 search.appverid: met150
 ms.service: unified-secops-platform
 ms.author: cwatson
 author: cwatson-cat
 ms.localizationpriority: medium
-ms.date: 10/08/2024
+ms.date: 11/18/2024
 audience: ITPro
 ms.collection:
 - M365-security-compliance
 - tier1
 - usx-security
-ms.topic: conceptual
+ms.topic: concept-article
+
+# customer intent: As a security operations center leader, I want to learn about the services and features available with Defender XDR to help me determine whether it meets my organization's requirements.
 ---
 
-# Defender XDR in the Defender portal
+# Microsoft Defender XDR in the Defender portal
+
+Microsoft Defender XDR in the Microsoft unified SecOps platform unifies and coordinates threat protection across a broad range of assets, including devices and endpoints, identities, email, Microsoft 365 services, and SaaS apps.
+
+Defender XDR consolidates threat signals and data across assets, so that you can monitor and manage security threats from a single location in the [Microsoft Defender portal](https://security.microsoft.com). 
+
+
+Defender XDR combines multiple Microsoft security services.
+
+**Service** | **Details**
+--- | ---
+**[Protect against email threats with Defender for Office 365](/defender-office-365/mdo-sec-ops-guid)** | Helps protect email and Office 365 resources.
+**[Protect devices with Defender for Endpoint](/defender-endpoint/mde-sec-ops-guide)** | Delivers preventative protection, post-breach detection, and automated investigation and response for devices.
+**[Protect Active Directory with Defender for Identity](/defender-xdr/microsoft-365-security-center-mdi)** | Uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.
+**[Protect SaaS cloud apps with Defender for Cloud Apps](/defender-xdr/microsoft-365-security-center-defender-cloud-app)** | Provides deep visibility, strong data controls, and enhanced threat protection for SaaS and PaaS cloud apps.
+**[Protect against a broad range of threats with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration)** |  Microsoft Sentinel seamlessly integrates with Defender XDR to combine the capabilities of both products into a unified security platform for threat detection, investigation, hunting, and response.
+
+
+## Detecting threats
+
+Defender XDR provides continuous threat monitoring. When threats are detected [security alerts](/defender-xdr/alerts-incidents-correlation) are created. Defender automatically aggregates related alerts and security signals into [security incidents](/defender-xdr/alerts-incidents-correlation#incident-creation-and-alert-correlation).
+
+Incidents define a complete picture of an attack. Incidents help SOC teams to understand attacks and respond more quickly. Incidents gather together related alerts, information about attack scope and progress, and the entities and assets involved in an attack.
+
+A [single incident queue](/defender-xdr/incident-queue) in the Defender portal provides full visibility into the latest alerts and incidents, and historical data. You can search and query the incident queue, and prioritize responses based on severity.
 
-Microsoft's unified security platform combines services in the [Microsoft Defender portal](https://security.microsoft.com). In the Defender portal, you can monitor and manage pre-breach and post-breach security across your organization's on-premises and multicloud assets and workloads.
+:::image type="content" source="media/defender-xdr-portal/incidents-page.png" alt-text="Screenshot of the Incidents page in the Microsoft Defender portal" lightbox="media/defender-xdr-portal/incidents-page.png":::
 
-Defender XDR in the Defender portal combines protection, detection, investigation, and response to threats across your entire organization and all its components, in a central place. Defender XDR combines a number of Microsoft's security services into a single location.
 
+### Detecting lateral movement attacks
 
-**[Defender for Office 365](/defender-office-365/mdo-about)** | Helps secure organizations with a set of prevention, detection, investigation and hunting features to protect email, and Office 365 resources. 
-**[Defender for Endpoint](/defender-endpoint/)** | Delivers preventative protection, post-breach detection, automated investigation, and response for devices in the organization.
-**[Defender for Identity](/defender-for-identity/what-is)** | Provides a cloud-based security solution that uses on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
-**[Defender for Cloud Apps](/cloud-app-security/)** | Provides a comprehensive cross-SaaS and PaaS solution that brings deep visibility, strong data controls, and enhanced threat protection to your cloud apps.
+Defender for XDR includes [deception capability](/defender-xdr/deception-overview) to detect human-operated lateral movement, which is often used in common attacks such as ransomware and email compromise.
 
-> [!NOTE]
-> When you open the portal, you see only the security services included in your subscriptions. For example, if you have Defender for Office 365 but not Defender for Endpoint, you see features and capabilities for Defender for Office 365, but not for device protection. 
+Deception capability generates decoy assets. When attackers interact with these assets, deception capability raises high-confidence alerts that can be viewed on the Alerts page in the portal.
 
+## Automatically disrupting threats
 
-## Investigate incidents and alerts
+Defender XDR uses [automatic attack disruption](/defender-xdr/automatic-attack-disruption) for containing attacks in progress, limiting attack impact, and providing more time for security teams to respond.
 
-Centralizing security information creates a single place to investigate security incidents across your entire organization and all its components including:
+Automatic disruption relies on high-fidelity signals that are produced by incident correlation across million of Defender product signals and continuous investigation insights from Microsoft's security research team, to ensure a high signal-to-noise ratio.
 
-- Hybrid identities
-- Endpoints
-- Cloud apps
-- Business apps
-- Email and docs
-- IoT
-- Network
-- Business applications
-- Operational technology (OT)
-- Infrastructure and cloud workloads
+Automatic disruption uses Defender XDR response actions when attacks are detected. Responses include containing or disabling assets.
 
-A primary example is **Incidents** under **Incidents & alerts**.
+Attack disruptions are clearly marked in the Defender XDR incident queue, and on specific incident pages.
 
-:::image type="content" source="/defender/media/incidents-queue/incidents-ss-incidents.png" alt-text="The Incidents page in the Microsoft Defender portal." lightbox="/defender/media/incidents-queue/incidents-ss-incidents.png":::
 
-Selecting an incident name displays a page that demonstrates the value of centralizing security information as you get better insights into the full extend of a threat, from email, to identity, to endpoints.
+## Hunting for threats
 
-<!-- commenting this out as the file path will move soon and I don't want to fight with this broken link anymore. File path is changing anyway. :::image type="content" source="../../media/incidents-overview/incidents-ss-incident-summary.png" alt-text="Screenshot that shows the attack story page for an incident in the Microsoft Defender portal." lightbox="../../media/incidents-overview/incidents-ss-incident-summary.png"::: -->
+Proactive hunting inspects and investigates security events and data to locate known and potential security threats. 
 
-Take the time to review the incidents in your environment, drill down into each alert, and practice building an understanding of how to access the information and determine next steps in your analysis.
+Defender XDR provides threat hunting capabilities in the Defender portal. 
 
-Learn more about [incidents in the Defender portal](/defender-xdr/incidents-overview), and [managing incidents and alerts](/defender-xdr/manage-incidents).
+- **Advanced hunting**: SOC teams can use [advanced hunting](/defender-xdr/advanced-hunting-overview) with the Kusto Query Language (KQL) in the portal to create custom queries and rules for threat hunting across the enterprise. Analysts can search for indicators of compromise, anomalies, and suspicious activities across Defender XDR data sources.
 
-## Hunt for threats
+    If you're not familiar with KQL, Defender XDR provides a guided mode to create queries visually, and predefined query templates.
 
-You can build custom detection rules and hunt for specific threats in your environment. **Hunting** uses a query-based threat hunting tool that lets you proactively inspect events in your organization to locate threat indicators and entities. These rules run automatically to check for, and then respond to, suspected breach activity, misconfigured machines, and other findings.
+- **Custom detection rules**: In addition to advanced hunting, SOC teams can create [custom detection rules](/defender-xdr/custom-detections-overview) to proactively monitor and respond to events and system states. Rules can trigger alerts or automatic response actions.
 
-Learn about [proactive threat hunting](/defender-xdr/advanced-hunting-overview), and [hunting for threats across devices, emails, apps, and identities](/defender-xdr/advanced-hunting-query-emails-devices).
+## Responding to threats
 
+Defender for XDR provides [automated investigation and response](/defender-xdr/m365d-autoir) capabilities. Automation reduces the volume of alerts that must be handled manually by SOC teams. 
 
-## Respond to emerging threats
+As alerts create incidents, automated investigations produce a verdict that determines whether a threat was found. When suspicious and malicious threats are identified, remediation actions include sending a file to quarantine, stopping a process, blocking a URL, or isolating a device.
 
-Threat analytics is the Microsoft threat intelligence solution from expert Microsoft security researchers.In the portal, track and respond to emerging threats with these threat analytics:
+You can view a summary of automated investigations and responses in the Home page of the portal. Pending remediation actions are handled in the portal Action Center.
 
-- Active threat actors and their campaigns
-- Popular and new attack techniques
-- Critical vulnerabilities
-- Common attack surfaces
-- Prevalent malware
 
-Learn about [tracking and responding to emerging threats with threat analytics](/defender-xdr/threat-analytics).