Merge branch 'main' into WI432220-new-article-migrate-siem-api-solution

Author: DeCohen

defender-business/mdb-faq.yml

@@ -10,7 +10,7 @@ metadata:
   ms.topic: faq
   ms.service: defender-business
   ms.localizationpriority: medium
-  ms.date: 03/19/2024
+  ms.date: 05/20/2025
   ms.reviewer: efratka, nehabha
   f1.keywords: NOCSH
   ms.collection:
@@ -61,10 +61,10 @@ sections:
         answer: |
           The following table compares server options for Defender for Business customers:
 
-          | Server license | Description |
-          |--|--|
-          | Microsoft Defender for Business servers | [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers) is an add-on to Defender for Business and Microsoft 365 Business Premium. This offering enables small and medium sized businesses (up to 300 users) to onboard and protect servers and client devices in the [Microsoft Defender portal](https://security.microsoft.com). |
-          | Microsoft Defender for Servers Plan 1 / Plan 2| [Microsoft Defender for Servers Plan 1/Plan 2](/azure/defender-for-cloud/plan-defender-for-servers) is an enterprise-focused offering that can be purchased with any other Microsoft cloud plan. This offering is part of [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), and includes advanced threat hunting with six months of data retention and the Microsoft Threat Experts service.<br/><br/>The admin experience for Defender for Cloud resides within the Azure portal ([https://portal.azure.com](https://portal.azure.com)).|
+          |Server license|Description|
+          |---|---|
+          |Microsoft Defender for Business servers|[Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers) is an add-on to Defender for Business and Microsoft 365 Business Premium. This offering enables small and medium sized businesses (up to 300 users) to onboard and protect servers and client devices in the [Microsoft Defender portal](https://security.microsoft.com).|
+          |Microsoft Defender for Servers Plan 1 / Plan 2|[Microsoft Defender for Servers Plan 1/Plan 2](/azure/defender-for-cloud/plan-defender-for-servers) is an enterprise-focused offering that can be purchased with any other Microsoft cloud plan. This offering is part of [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), and includes advanced threat hunting with six months of data retention and the Microsoft Threat Experts service.<br/><br/>The admin experience for Defender for Cloud resides within the Azure portal ([https://portal.azure.com](https://portal.azure.com)).|
 
           Adding Defender for Cloud to a tenant that has Defender for Business doesn't change the simplified configuration experience that Defender for Business offers. The functionality in Microsoft Defender for Servers Plan 1 or Plan 2 work with Defender for Business. 
 
@@ -90,7 +90,7 @@ sections:
 
           |OS|Method|Notes|
           |---|---|---|
-          |Windows |[Attack surface reduction rules](/defender-endpoint/attack-surface-reduction-rules-deployment)|On Windows devices, you can configure device control through ASR rules. You'll need [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to set up your ASR rules. Intune is not included in the standalone version of Defender for Business, but you can add it on. Intune is included in [Microsoft 365 Business Premium](/microsoft-365/business-premium). <br/><br/>[ASR capabilities in Defender for Business](mdb-asr.md)|
+          |Windows|[Attack surface reduction rules](/defender-endpoint/attack-surface-reduction-rules-deployment)|On Windows devices, you can configure device control through ASR rules. You'll need [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to set up your ASR rules. Intune is not included in the standalone version of Defender for Business, but you can add it on. Intune is included in [Microsoft 365 Business Premium](/microsoft-365/business-premium). <br/><br/>[ASR capabilities in Defender for Business](mdb-asr.md)|
           |Mac|Jamf or Intune|You can use Jamf or Intune to set up device control on Mac. See [Device Control for macOS](/defender-endpoint/mac-device-control-overview).|
 
       - question: How do I run custom reports with Defender for Business?
@@ -141,25 +141,25 @@ sections:
           
           The following table summarizes some differences between Defender for Business and Defender for Endpoint:
 
-          | Capabilities | Defender for Business | Defender for Endpoint Plan 1 | Defender for Endpoint Plan 2 |
-          |---|---|---|---|
-          | Centralized management | ✔ | ✔ | ✔ |
-          | Simplified firewall and antivirus configuration for Windows | ✔ | | |
-          | Vulnerability management (core capabilities) | ✔ | | ✔ |
-          | Attack surface reduction | ✔ | ✔ | ✔ |
-          | Next-generation protection | ✔ | ✔ | ✔ |
-          | Endpoint detection & response (EDR) | ✔ <br/>(optimized) | | ✔ |
-          | Automatic attack disruption | ✔ | | ✔ |
-          | Automated investigation & remediation | ✔ | | ✔ |
-          | Monthly security summary reporting | ✔ | | ✔ |
-          | 30 days advanced hunting and six months of data retention in the device timeline | | | ✔ |
-          | Threat analytics | ✔<br/>(optimized) | | ✔ |
-          | Cross-platform support <br/>(Mac, iOS, Android)| ✔ | ✔ | ✔ |
-          | Windows Server and Linux Server <br/>(requires server licenses) | ✔  | ✔ | ✔ |
-          | Microsoft Threat Experts | | | ✔ |
-          | Microsoft 365 Lighthouse <br/>(optimized; for CSPs only) | ✔ | ✔ | ✔ |
-          | Microsoft Defender multi-tenant management | ✔ | ✔ | ✔ |
-          | APIs | ✔  | ✔ | ✔ |
+          |Capabilities|Defender for</br>Business|Defender for</br>Endpoint Plan 1|Defender for</br>Endpoint Plan 2|
+          |---|:---:|:---:|:---:|
+          |Centralized management|✔|✔|✔|
+          |Simplified firewall and antivirus configuration for Windows|✔|||
+          |Vulnerability management (core capabilities)|✔||✔|
+          |Attack surface reduction|✔|✔|✔|
+          |Next-generation protection|✔|✔|✔|
+          |Endpoint detection & response (EDR)|✔ <br/> (optimized)||✔|
+          |Automatic attack disruption|✔||✔|
+          |Automated investigation & remediation|✔||✔|
+          |Monthly security summary reporting|✔||✔|
+          |30 days advanced hunting <br/> and six months of data retention <br/> in the device timeline|||✔|
+          |Threat analytics|✔ <br/> (optimized)||✔|
+          |Cross-platform support <br/> (Mac, iOS/iPadOS, Android)|✔|✔|✔|
+          |Windows Server and Linux Server <br/> (requires server licenses)|✔|✔|✔|
+          |Microsoft Threat Experts|||✔|
+          |Microsoft 365 Lighthouse <br/> (optimized; for CSPs only)|✔|✔|✔|
+          |Microsoft Defender multi-tenant management|✔|✔|✔|
+          |APIs|✔|✔|✔|
 
       - question: Can I have a mix of Microsoft endpoint security subscriptions?
         answer: |

defender-endpoint/microsoft-defender-antivirus-compatibility.md

@@ -4,7 +4,7 @@ description: Learn about Microsoft Defender Antivirus with other security produc
 ms.service: defender-endpoint
 ms.subservice: ngp
 ms.localizationpriority: medium
-ms.date: 02/11/2025
+ms.date: 05/20/2025
 ms.topic: conceptual
 author: emmwalshh
 ms.author: ewalsh
@@ -94,12 +94,12 @@ Whether Microsoft Defender Antivirus runs in active mode, passive mode, or is di
 
 The following table summarizes the state of Microsoft Defender Antivirus in several scenarios. 
 
-| Antivirus/antimalware solution | Onboarded to Defender for Endpoint? | Microsoft Defender Antivirus state | Smart App Control State | 
+| Antivirus/antimalware solution | Onboarded to Defender for Endpoint? | Microsoft Defender Antivirus state | Smart App Control State |
 |---|---|---|---|
 | Microsoft Defender Antivirus | Yes | Active mode | N/A  |
-| Microsoft Defender Antivirus | No | Active mode | On, Evaluation, or Off | 
-| A non-Microsoft antivirus/antimalware solution | Yes | Passive mode (automatically) | N/A | 
-| A non-Microsoft antivirus/antimalware solution | No | Disabled (automatically) | Evaluation or On | 
+| Microsoft Defender Antivirus | No | Active mode | On, Evaluation, or Off |
+| A non-Microsoft antivirus/antimalware solution | Yes | Passive mode (automatically) | Evaluation or On|
+| A non-Microsoft antivirus/antimalware solution | No | Disabled (automatically) | N/A or Off|
 
 > [!NOTE]
 > Smart App Control is a consumer-only product that's used on new Windows 11 installs. It can run alongside your antivirus software and block apps that are considered to be malicious or untrusted. [Learn more about Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003).

defender-office-365/mdo-deployment-guide.md

@@ -18,7 +18,7 @@ ms.collection:
 ms.custom:
 description: Learn how to get started with the initial deployment and configuration of Microsoft Defender for Office 365.
 ms.service: defender-office-365
-ms.date: 02/24/2025
+ms.date: 05/20/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
   - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
@@ -315,7 +315,17 @@ In general, it's easier to create blocks than allows, because unnecessary allow
 
 - **Allow**:
 
-  - You can't create allow entries for **domains and email addresses**, **files**, and **URLs** directly on the corresponding tabs in the Tenant Allow/Block List. Instead, you use the **Submissions** page to report the item to Microsoft. As you report the item to Microsoft, you can select to allow the item, which creates a corresponding temporary allow entry in the Tenant Allow/Block list.
+  - You can create allow entries for **domains and email addresses** and **URLs** on the corresponding tabs in the Tenant Allow/Block List to override the following verdicts:
+    - Bulk
+    - Spam
+    - High confidence spam
+    - Phishing (not high confidence phishing)
+
+  - You can't create allow entries directly in the Tenant Allow/Block List for the following items:
+    - Malware or high confidence phishing verdicts for **domains and email addresses** or **URLs**.
+    - Any verdicts for **files**.
+
+    Instead, you use the **Submissions** page to report the items to Microsoft. After you select **I've confirmed it's clean**, you can then select **Allow this message**, **Allow this URL**, or **Allow this file** to create a corresponding temporary allow entry in the Tenant Allow/Block list.
 
   - Messages allowed by [spoof intelligence](anti-spoofing-spoof-intelligence.md) are shown on the **Spoof intelligence** page. If you change a block entry to an allow entry, the sender becomes a manual allow entry on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also proactively create allow entries for not yet encountered spoofed senders on the **Spoofed senders** tab.
 

defender-vulnerability-management/fixed-reported-inaccuracies.md

@@ -14,7 +14,7 @@ ms.collection:
 - tier2
 ms.localizationpriority: medium
 ms.topic: troubleshooting
-ms.date: 05/02/2025
+ms.date: 05/20/2025
 ---
 
 # Vulnerability support in Microsoft Defender Vulnerability Management
@@ -33,6 +33,12 @@ This article provides information on inaccuracies that have been reported. You c
  
 The following tables present the relevant vulnerability information organized by month.
 
+## May 2025
+
+| Inaccuracy report ID | Description | Fix date |
+|---|---|---|
+| 92212 | Fixed inaccuracy in NetData vulnerabilities- CVE-2019-9834, CVE-2023-22496, CVE-2023-22497 & CVE-2024-32019 | 18-May-25 |
+
 ## April 2025
 
 | Inaccuracy report ID | Description | Fix date |
@@ -44,9 +50,13 @@ The following tables present the relevant vulnerability information organized by
 | 92184 | Fixed inaccurate detections in Amazon Send to Kindle | 23-Apr-25 |
 | 91112 | Fixed incorrect detections in Vendor- Jabra | 23-Apr-25 |
 | 88590 | Fixed incorrect detections in Vendor- PDF Exchange Editor | 23-Apr-25 |
+| 90101 | Fixed bad detections in Vendor- JetBrains | 23-Apr-25 |
 | - | Fixed inaccuracy in Mattermost Desktop vulnerability- CVE-2023-5920 | 24-Apr-25 |
 | - | Fixed inaccuracy in OpenSSL vulnerabilities- CVE-2024-9143, CVE-2024-13176 & CVE-2024-12797 | 24-Apr-25 |
 | 94679 | Fixed inaccuracy in Secure Client by adding 1.0 as invalid version | 29-Apr-25 |
+| - | Fixed inaccuracy in VMware Tools vulnerabilities- CVE-2025-31334 & CVE-2024-33899 | 29-Apr-25 |
+| 94769 | Fixed inaccuracy in Micro Focus Operations Agent vulnerability- CVE-2024-0622 | 30-Apr-25 |
+| 96209 | Fixed inaccuracy in AnyDesk vulnerability- CVE-2024-52940 | 30-Apr-25 |
 
 ## March 2025
 

defender-xdr/advanced-hunting-cloudappevents-table.md

@@ -30,13 +30,13 @@ ms.date: 05/15/2025
 
 The `CloudAppEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about events involving accounts and objects in Office 365 and other [cloud apps and services](#apps-and-services-covered). Use this reference to construct queries that return information from this table.
 
-## Get access
+## Prerequisites
 
 To make sure the `CloudAppEvents` data is populated:
 
 1.  Go to the Defender portal and select **Settings > Cloud apps > App connectors**.
 
-1.  In the Microsoft 365 connector portal, select the **Pull activities** checkbox.
+1.  In the **Select Microsoft 365 components** page, select the **Microsoft 365 activities** checkbox.
 
  For detailed instructions, see: [Connect Microsoft 365 to Microsoft Defender for Cloud Apps](/defender-cloud-apps/protect-office-365#prerequisites)
 

defender-xdr/advanced-hunting-cloudauditevents-table.md

@@ -17,24 +17,26 @@ ms.collection:
 ms.custom: 
 - cx-ti
 - cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 12/29/2023
+ms.date: 05/20/2025
 ---
 
 # CloudAuditEvents (Preview)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- Microsoft Defender XDR
-
 
 
 The `CloudAuditEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about cloud audit events for various cloud platforms protected by the organization's [Microsoft Defender for Cloud](/azure/defender-for-cloud/concept-integration-365#advanced-hunting-in-xdr). Use this reference to construct queries that return information from this table.
 
 > [!IMPORTANT]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
+This advanced hunting table is populated by records from Microsoft Defender for Cloud. If your organization doesn't have Microsoft Defender for Cloud, queries that use the table aren’t going to work or return any results. For more information about prerequisites in integrating Defender for Cloud with Defender XDR, read [Microsoft Defender XDR integration](/azure/defender-for-cloud/concept-integration-365).
+
 For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
 
 | Column name | Data type | Description |

defender-xdr/advanced-hunting-cloudprocessevents-table.md

@@ -17,22 +17,27 @@ ms.collection:
 ms.custom: 
 - cx-ti
 - cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 11/11/2024
+ms.date: 05/20/2025
 ---
 
 # CloudProcessEvents (Preview)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- Microsoft Defender XDR
+
 
 The `CloudProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process events in multicloud hosted environments such as Azure Kubernetes Service, Amazon Elastic Kubernetes Service, and Google Kubernetes Engine as protected by the organization's [Microsoft Defender for Cloud](/azure/defender-for-cloud/concept-integration-365#advanced-hunting-in-xdr). Use this reference to construct queries that return information from this table.
 
 > [!IMPORTANT]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
+This advanced hunting table is populated by records from Microsoft Defender for Cloud. If your organization doesn't have Microsoft Defender for Cloud, queries that use the table aren’t going to work or return any results. For more information about prerequisites in integrating Defender for Cloud with Defender XDR, read [Microsoft Defender XDR integration](/azure/defender-for-cloud/concept-integration-365).
+
+
 For information on other tables in the advanced hunting schema, see the [advanced hunting reference](advanced-hunting-schema-tables.md).
 
 | Column name | Data type | Description |

defender-xdr/advanced-hunting-oauthappinfo-table.md

@@ -34,7 +34,14 @@ The `OAuthAppInfo` table in the advanced hunting schema contains information abo
 
 The `OAuthAppInfo` table might not include all the app or service principal-related properties that are available on Entra ID. It also does not include data related to Microsoft first-party apps or apps without any OAuth consents. The coverage of the table is based on the existing scope of Microsoft 365-connected apps covered by app governance. 
 
+## Prerequisities
 
+This advanced hunting table is populated by app governance records from Microsoft Defender for Cloud Apps. To turn on app governance, follow the steps in [Turn on app governance](/defender-cloud-apps/app-governance-get-started).
+
+If your organization hasn’t deployed Microsoft Defender for Cloud Apps in Microsoft Defender XDR or turned on app governance, queries that use the table aren’t going to work or return any results.
+
+
+## Schema
 For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md).
 
 | Column name | Data type | Description |

defender/index.yml

@@ -185,8 +185,8 @@ conceptualContent:
            text: See more
            url: /defender-for-iot/    
 
-        - title: Microsoft's unified security operations platform
-          summary: End-to-end SecOps with Microsoft Sentinel
+        - title: Microsoft Sentinel
+          summary: End-to-end security operations
           links:
           - url: /unified-secops-platform/overview-unified-security
             itemType: overview

exposure-management/get-started-exposure-management.md

@@ -19,6 +19,10 @@ On the Exposure Management > **Overview** dashboard, you can review the overall
 
 Use the dashboard as a starting point for a snapshot of organizational posture and exposure, and drill down to details as needed.
 
+You can filter the list of affected devices based on their scope, ensuring that data presentation is aligned with your specific needs. The filter selection persists even when switching between Exposure Management experiences, allowing you to maintain you preferred view and focus on specific devices without reapplying filters.
+
+Initiative scores will reflect the selected scope, whether defined by the admin or adjusted by the end user, ensuring users see accurate and relevant scores based on their access scope.
+
 :::image type="content" source="./media/get-started-exposure-management/exposure-management-overview.png" alt-text="Screenshot of the security exposure management overview page." lightbox="./media/get-started-exposure-management/exposure-management-overview.png":::
 
 ## Connecting your external security and asset management products