Merge branch 'docs-editor/validate-antimalware-1744984849' of https://github.com/joshgingras/defender-docs-pr into pr/joshgingras/3517

Author: joshgingras

defender-endpoint/linux-whatsnew.md

@@ -4,9 +4,9 @@ description: List of major changes for Microsoft Defender for Endpoint on Linux.
 ms.service: defender-endpoint
 ms.author: ewalsh
 author: emmwalshh
-ms.reviewer: kumasumit, gopkr
+ms.reviewer: kumasumit, gopkr; mevasude
 ms.localizationpriority: medium
-ms.date: 04/08/2025
+ms.date: 04/18/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -43,9 +43,9 @@ This article is updated frequently to let you know what's new in the latest rele
 
 ## Releases for Defender for Endpoint on Linux
 
-### April-2025 Build: 101.25022.0001 | Release version: 30.125022.0001.0
+### April-2025 Build: 101.25022.0002 | Release version: 30.125022.0001.0
 
-|Build:             |**101.25022.0001**    |
+|Build:             |**101.25022.0002**    |
 |-------------------|----------------------|
 |Released:          |**April 07, 2025**    |
 |Published:         |**April 07, 2025**    |

defender-endpoint/validate-antimalware.md

@@ -1,5 +1,5 @@
 ---
-title: AV detection test for verifying device's onboarding and reporting services
+title: Antivirus detection test for verifying device's onboarding and reporting services
 description: AV detection test to verify the device's proper onboarding and reporting to the service.
 ms.service: defender-endpoint
 ms.subservice: reference
@@ -15,10 +15,10 @@ ms.collection:
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 03/04/2025
+ms.date: 04/18/2025
 ---
 
-# AV detection test for verifying device's onboarding and reporting services
+# Antivirus detection test for verifying device's onboarding and reporting services
 
 **Applies to:**
 
@@ -34,10 +34,8 @@ Scenario requirements and setup
 - Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2008 R2
 
 - Linux
-
 - macOS
-
-- Microsoft Defender real-time protection is enabled
+- [Real-time protection](/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus) is enabled
 
 ## EICAR test file to simulate malware
 

defender-xdr/alert-classification-malicious-exchange-connectors.md

@@ -1,6 +1,6 @@
 ---
-title: Alert classification for malicious exchange connectors
-description: Alert grading recipients from malicious exchange connectors activity and protect their network from malicious attack.
+title: Alert classification for malicious Exchange connectors
+description: Learn how to classify alerts on malicious Exchange connectors activity and protect your network from attacks.
 ms.service: defender-xdr
 f1.keywords:
   - NOCSH
@@ -17,7 +17,7 @@ ms.topic: how-to
 search.appverid:
   - MOE150
   - MET150
-ms.date: 03/11/2024
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to investigate and classify alerts for malicious Exchange connectors so that I can take the necessary actions to remediate the attack and protect my network.
@@ -27,7 +27,7 @@ appliesto:
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-Threat actors use compromised exchange connectors for sending out spam and phishing emails in bulk to unsuspecting recipients by masquerading legitimate emails. Since the connector is compromised, the emails would usually be trusted by the recipients. These kinds of phishing emails are common vectors for phishing campaigns, and business email compromise (BEC) scenario. Hence, such emails need to be monitored heavily due to the likelihood of successful recipients' compromises being high.
+Threat actors use compromised Microsoft Exchange connectors for sending out spam and phishing emails in bulk to unsuspecting recipients by masquerading legitimate emails. Since the connector is compromised, the emails would usually be trusted by the recipients. These kinds of phishing emails are common vectors for phishing campaigns, and business email compromise (BEC) scenario. Hence, such emails need to be monitored heavily due to the likelihood of successful recipients' compromises being high.
 
 This playbook helps in investigating instances where malicious connectors are setup/deployed by malicious actors. Accordingly, they take necessary steps to remediate the attack and mitigate the security risks arising from it. The playbook helps in classifying the alerts as either true positive (TP) or false positive (FP). If alerts are TP, the playbook lists necessary recommended actions for remediating the attack. This playbook is available for security teams who review, handle/manage, and grade the alerts.
 
@@ -44,15 +44,15 @@ Connectors are used to route mail traffic between remote email systems and Offic
 
 ### Malicious Exchange connectors
 
-Attackers may compromise an existing exchange connector or compromise an admin, and set up a new connector by sending phish or spam/bulk emails.
+Attackers may compromise an existing Exchange connector or compromise an admin, and set up a new connector by sending phish or spam/bulk emails.
 
 The typical indicators of a malicious connector can be found when looking at email traffic and its headers. For example, when email traffic is observed from a connector node with a mismatch in P1 (header sender) and P2 (envelope sender) sender addresses along with no information on Sender's AccountObjectId.
 
 This alert tries to identify such instances of mail flow, wherein the mail sending activity seems suspicious adding to that relevant information on sender is unavailable.
 
 ## Playbook workflow
 
-You must follow the sequence to identify malicious exchange connectors:
+You must follow the sequence to identify malicious Exchange connectors:
 
 - Identify which accounts are sending emails:
   - Do accounts appear to be compromised?
@@ -69,7 +69,7 @@ You must follow the sequence to identify malicious exchange connectors:
 This section describes the steps to investigate an alert and remediate the security risk due to this incident.
 
 - Determine whether the connector demonstrates bad (malicious) behavior.
-  - Look for events indicating unusual mail traffic and identify, whether any new exchange connector was added recently.
+  - Look for events indicating unusual mail traffic and identify, whether any new and recently added Exchange connector.
     - For mail traffic observed, determine if the email accounts are compromised by inspecting whether the accounts are responsible for unusual mail traffic.
   - Look for mail content containing malicious artifacts (bad links/attachments).
   - Look for domains that are not part of your environment.

defender-xdr/alert-classification-password-spray-attack.md

@@ -17,7 +17,7 @@ ms.topic: how-to
 search.appverid:
   - MOE150
   - met150
-ms.date: 02/11/2024
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to investigate and classify alerts for password spray attacks so that I can take the necessary actions to remediate the attack and protect my network.

defender-xdr/alert-classification-playbooks.md

@@ -18,7 +18,7 @@ ms.custom:
 - autoir
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
-ms.date: 02/11/2024
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to review and classify alerts by using alert classification playbooks so that I can take the necessary actions to remediate the attack and protect my network.
@@ -89,6 +89,7 @@ See these playbooks for steps to more quickly classify alerts for the following
 - [Suspicious inbox forwarding rules](alert-grading-playbook-inbox-forwarding-rules.md)
 - [Suspicious IP addresses related to password spray activity](alert-classification-suspicious-ip-password-spray.md)
 - [Password spray attacks](alert-classification-password-spray-attack.md)
+- [Malicious Exchange connectors](alert-classification-malicious-exchange-connectors.md)
 
 See [Investigate alerts](investigate-alerts.md) for information on how to examine alerts with the Microsoft Defender portal.
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/alert-classification-suspicious-ip-password-spray.md

@@ -1,6 +1,6 @@
 ---
 title: Alert classification for suspicious IP address related to password spraying activity
-description: Alert classification for suspicious IP address related to password spraying activity to review the alerts and take recommended actions to remediate the attack and protect your network.
+description: Investigate and review alerts related to suspicious IP address related to password spraying activity and take recommended actions to protect your network.
 ms.service: defender-xdr
 f1.keywords:
   - NOCSH
@@ -17,7 +17,7 @@ ms.topic: how-to
 search.appverid:
   - MOE150
   - met150
-ms.date: 02/11/2024
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to investigate and classify alerts for suspicious IP addresses related to password spray attacks that I can take the necessary actions to remediate the attack and protect my network.

defender-xdr/alert-grading-playbook-email-forwarding.md

@@ -17,7 +17,7 @@ ms.topic: how-to
 search.appverid:
   - MOE150
   - met150
-ms.date: 04/03/2024
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to review and classify alerts about suspicious email forwarding activity so that I can take the necessary actions to remediate the attack and protect my network.

defender-xdr/alert-grading-playbook-inbox-forwarding-rules.md

@@ -17,7 +17,7 @@ ms.topic: how-to
 search.appverid: 
   - MOE150
   - met150
-ms.date: 07/26/2024
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to review and classify suspicious inbox forwarding rules alerts so that I can take the necessary actions to remediate the attack and protect my network.

defender-xdr/alert-grading-playbook-inbox-manipulation-rules.md

@@ -17,7 +17,7 @@ ms.topic: how-to
 search.appverid:
   - MOE150
   - met150
-ms.date: 04/05/2023
+ms.date: 04/18/2025
 appliesto:
   - Microsoft Defender XDR
 #customer intent: As a SOC analyst, I want to know how to review and classify suspicious inbox manipulation rules alerts so that I can take the necessary actions to remediate the attack and protect my network.

defender-xdr/api-access.md

@@ -18,17 +18,15 @@ search.appverid:
   - MOE150
   - MET150
 ms.custom: api
-ms.date: 02/08/2024
+ms.date: 04/15/2025
+appliesto:
+  - Microsoft Defender XDR
 ---
 
 # Access the Microsoft Defender XDR APIs
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-
 > [!NOTE]
 > **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview).