Merge branch 'main' into diannegali-gohuntexport

Author: diannegali

defender-endpoint/defender-endpoint-trial-user-guide.md

@@ -7,7 +7,7 @@ ms.author: deniseb
 manager: deniseb 
 audience: ITPro
 ms.topic: how-to
-ms.date: 09/10/2024
+ms.date: 11/11/2024
 ms.collection: 
 - m365-security
 - tier2
@@ -117,6 +117,8 @@ After you have onboarded devices, [run a detection test](run-detection-test.md).
 
 The Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is a central location where you can view onboarded devices, security recommendations, detected threats, alerts, and more. To get started, see [Microsoft Defender portal](/defender-xdr/microsoft-365-defender-portal).   
 
+> [!IMPORTANT]
+> If you decide not to renew your trial or purchase a subscription, make sure to offboard devices before your trial expires.
 
 ## See also
 

defender-endpoint/device-discovery-faq.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier3
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 03/23/2021
+ms.date: 11/12/2024
 ---
 
 # Device discovery frequently asked questions
@@ -65,11 +65,54 @@ The discovery engine distinguishes between network events that are received in t
 ## What protocols are you capturing and analyzing?
 
 By default, all onboarded devices running on Windows 10 version 1809 or later, Windows 11, Windows Server 2019, or Windows Server 2022 are capturing and analyzing the following protocols:
-ARP, CDP, DHCP, DHCPv6, IP (headers), LLDP, LLMNR, mDNS, MNDP, MSSQL, NBNS, SSDP, TCP (SYN headers), UDP (headers), WSD
+
+- ARP
+- CDP
+- DHCP
+- DHCPv6
+- IP (headers)
+- LLDP
+- LLMNR
+- mDNS
+- MNDP
+- MSSQL
+- NBNS
+- SSDP
+- TCP (SYN headers)
+- UDP (headers)
+- WSD
 
 ## Which protocols do you use for active probing in Standard discovery?
 When a device is configured to run Standard discovery, exposed services are being probed by using the following protocols:
-ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL, RPC, mDNS, DHCP, AFP, CrestonCIP, IphoneSync, WinRM, VNC, SLP, LDAP
+
+- AFP
+- ARP
+- DHCP
+- FTP
+- HTTP
+- HTTPS
+- ICMP
+- IphoneSync
+- IPP
+- LDAP
+- LLMNR
+- mDNS
+- NBNS
+- NBSS
+- PJL
+- RDP
+- RPC
+- SIP
+- SLP
+- SMB
+- SMTP
+- SNMP
+- SSH
+- Telnet
+- UPNP
+- VNC
+- WinRM
+- WSD
 
 In addition, device discovery might also scan other commonly used ports to improve classification accuracy & coverage.
 
@@ -88,9 +131,10 @@ As device discovery uses passive methods to discover devices in the network, any
 
 Devices will actively be probed when changes in device characteristics are observed to make sure the existing information is up to date (typically, devices probed no more than once in a three-week period)
 
-## My security tool raised alert on UnicastScanner.ps1 / PSScript_{GUID}.ps1 or port scanning activity initiated by it, what should I do?
+## My security tool raised alert on UnicastScanner.ps1 / PSScript_{GUID}.ps1 or port scanning activity initiated by it. What should I do?
 
 The active probing scripts are signed by Microsoft and are safe. You can add the following path to your exclusion list:
+
 `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps1`
 
 ## What is the amount of traffic being generated by the Standard discovery active probe?
@@ -101,13 +145,13 @@ Active probing can generate up to 50Kb of traffic between the onboarded device a
 
 You may notice differences between the number of listed devices under "can be onboarded" in the device inventory, "onboard to Microsoft Defender for Endpoint" security recommendation, and "devices to onboard" dashboard widget.
 
- The security recommendation and the dashboard widget are for devices that are stable in the network; excluding ephemeral devices, guest devices and others. The idea is to recommend on persistent devices that also imply on the overall security score of the organization.
+The security recommendation and the dashboard widget are for devices that are stable in the network; excluding ephemeral devices, guest devices and others. The idea is to recommend on persistent devices that also imply on the overall security score of the organization.
 
 ## Can I onboard unmanaged devices that were found?
 
 Yes. You can onboard unmanaged devices manually. Unmanaged endpoints in your network introduce vulnerabilities and risks to your network. Onboarding them to the service can increase the security visibility on them.
 
-## I've noticed that unmanaged device health state is always "Active", why is that?
+## I've noticed that unmanaged device health state is always "Active". Why is that?
 
 Temporarily, unmanaged device health state is "Active" during the standard retention period of the device inventory, regardless of their actual state.
 
@@ -138,4 +182,5 @@ The device discovery capabilities have been built to only discover and identify
 ### You can exclude network lures from active probing
 
 Standard discovery supports exclusion of devices or ranges (subnets) from active probing. If you have network lures deployed in place, you can use the Device Discovery settings to define exclusions based on IP addresses or subnets (a range of IP addresses). Defining those exclusions ensure that those devices won't be actively probed and won't be alerted. Those devices are discovered using passive methods only (similar to Basic discovery mode).
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-office-365/attack-simulation-training-get-started.md

@@ -65,7 +65,7 @@ Watch this short video to learn more about Attack simulation training.
 
 - There are no corresponding PowerShell cmdlets for Attack simulation training.
 
-- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information, see [Microsoft 365 data locations](/microsoft-365/enterprise/o365-data-locations). Attack simulation training is available in the following regions: APC, EUR, and NAM. Countries within these regions where Attack simulation training is available include ARE, AUS, BRA, CAN, CHE, DEU, ESP, FRA, GBR, IND, ISR, ITA, JPN, KOR, LAM, MEX, NOR, POL, QAT, SGP, SWE, and ZAF.
+- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information, see [Microsoft 365 data locations](/microsoft-365/enterprise/o365-data-locations). Attack simulation training is available in the following regions: APC, EUR, and NAM. Countries within these regions where Attack simulation training is available include ARE, AUS, BRA, CAN, CHE, DEU, ESP, FRA, GBR, IND, ISR, ITA, JPN, KOR, LAM, MEX, NOR, POL, QAT, SGP, SWE, TWN and ZAF.
 
   > [!NOTE]
   > NOR, ZAF, ARE and DEU are the latest additions. All features except reported email telemetry are available in these regions. We're working to enable the features and we'll notify customers as soon as reported email telemetry becomes available.

defender-office-365/tenant-allow-block-list-email-spoof-configure.md

@@ -55,10 +55,10 @@ This article describes how admins can manage entries for email senders in the Mi
 
 - You need to be assigned permissions before you can do the procedures in this article. You have the following options:
   - [Microsoft Defender XDR Unified role based access control (RBAC)](/defender-xdr/manage-rbac) (If **Email & collaboration** \> **Defender for Office 365** permissions is :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **Active**. Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Detection tuning (manage)** or **Authorization and settings/Security settings/Core security settings (read)**.
-  - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo):
+  - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo) in the  **Exchange admin center** at <https://admin.exchange.microsoft.com> \> **Roles** \> **Admin Roles**:
     - *Add and remove entries from the Tenant Allow/Block List*: Membership in one of the following role groups:
       - **Organization Management** or **Security Administrator** (Security admin role).
-      - **Security Operator** (Tenant AllowBlockList Manager).
+      - **Security Operator** (Tenant AllowBlockList Manager role)
     - *Read-only access to the Tenant Allow/Block List*: Membership in one of the following role groups:
       - **Global Reader**
       - **Security Reader**

defender-xdr/advanced-hunting-defender-use-custom-rules.md

@@ -43,7 +43,7 @@ For editable functions, more options are available when you select the vertical
 - **Edit details** – opens the function side pane to allow you to edit details about the function (except folder names for Sentinel functions)
 - **Delete** – deletes the function
 
-### Use arg() operator for Azure Resource Graph queries (Preview)
+### Use arg() operator for Azure Resource Graph queries
 The *arg()* operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like. 
 
 This feature was previously only available in log analytics in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works over Microsoft Sentinel data (that is, Defender XDR tables are not supported). This allows users to use the operator in advanced hunting without needing to manually open a Microsoft Sentinel window. 

defender-xdr/breadcrumb/toc.yml

@@ -9,6 +9,9 @@
   - name: Microsoft Defender XDR
     tocHref: /defender-for-identity/
     topicHref: /defender-xdr/index
+  - name: Microsoft Defender XDR
+    tocHref: /unified-secops-platform/
+    topicHref: /defender-xdr/index
 
 ## Azure override
 - name: 'Microsoft Defender'
@@ -18,4 +21,3 @@
   - name: 'Microsoft Defender XDR'
     tocHref: /azure/sentinel/
     topicHref: /defender-xdr/index
-

defender-xdr/whats-new.md

@@ -33,11 +33,12 @@ You can also get product updates and important notifications through the [messag
 
 - (GA) Microsoft Defender XDR customers can now export incident data to PDF. Use the exported data to easily capture and share incident data to other stakeholders. For details, see **[Export incident data to PDF](manage-incidents.md#export-incident-data-to-pdf)**.
 - (GA) The [***go hunt***](investigate-incidents.md#go-hunt) action from the attack story graph and the **last update time** column in the [incident queue](incident-queue.md#incident-queue) are now generally available.
+- (GA) The `arg()` operator in [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries) in Microsoft Defender portal is now generally available. Users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources, and no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if already in Microsoft Defender.
 
 ## October 2024
 
 - [Microsoft Unified RBAC roles](experts-on-demand.md#required-permissions-for-using-ask-defender-experts) are added with new permission levels for Microsoft Threat Experts customers to use Ask Defender experts capability.
-- (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries-preview), Microsoft Defender portal users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources. You no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender.
+- (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries), Microsoft Defender portal users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources. You no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender.
 
 ## September 2024
 
@@ -341,7 +342,7 @@ The security operations team can view all actions pending approval, and the stip
 
 ## June 2021
 
-- (Preview) [View reports per threat tags](threat-analytics.md#view- reports-by-category)
+- (Preview) [View reports per threat tags](threat-analytics.md#view-reports-by-category)
 
   Threat tags help you focus on specific threat categories and review the most relevant reports.
 

exposure-management/exposure-insights-overview.md

@@ -51,12 +51,12 @@ Security Exposure Management provides initiatives that currently include:
 
 ### Initiative elements
 
-**Element** | **Goal** | **Details**
---- | --- | ---
-**Initiative** | Initiatives help you to gather security projects that have similar resources and workloads, and to assess and remediate the security posture of each project.| Each security initiative provides an all-up score that provides a fast measure of how strong security posture is for the initiative at the current point in time.<br/><br/> The all-up score also provides a target score indicator, the number of critical assets affected, and shows how the score has moved over the last 24 hours.
-**Metric** | Metrics in security initiatives help you to measure exposure risk for different areas within the initiative.| Each metric gathers together one or more recommendations for similar assets.<br/><br/>Metrics can be associated with one or more initiatives.<br/><br/>**Important**: Threat analytics initiatives don't have metrics. They have recommendations only.
-**Recommendations** |Security recommendations help you to understand the compliance state for a specific security initiative.  | All security initiatives have recommendations associated with them.<br/><br/>Recommendations can be associated with one or more initiatives.<br/><br/> Within initiatives, recommendations are assigned a compliance state.
-**Events** | Events help you to  monitor initiative changes.  | Events notify you when there's a drop in an all-up initiative score or metric score, indicating that exposure risk grew.
+|**Element** | **Goal** | **Details**|
+|--- | --- | ---|
+|**Initiative** |Initiatives help you to gather security projects that have similar resources and workloads, and to assess and remediate the security posture of each project.|Each security initiative provides an all-up score that provides a fast measure of how strong security posture is for the initiative at the current point in time.<br/><br/>The all-up score also provides a target score indicator, the number of critical assets affected, and shows how the score has moved over the last 24 hours.|
+|**Metric** |Metrics in security initiatives help you to measure exposure risk for different areas within the initiative.|Each metric gathers together one or more recommendations for similar assets.<br/><br/>Metrics can be associated with one or more initiatives.<br/><br/>**Important**: Threat analytics initiatives don't have metrics. They have recommendations only.|
+|**Recommendations** |Security recommendations help you to understand the compliance state for a specific security initiative.  |All security initiatives have recommendations associated with them.<br/><br/>Recommendations can be associated with one or more initiatives.<br/><br/>Within initiatives, recommendations are assigned a compliance state.|
+|**Events** |Events help you to  monitor initiative changes.  |Events notify you when there's a drop in an all-up initiative score or metric score, indicating that exposure risk grew.|
 
 ## Working with initiatives
 

exposure-management/media/metrics.png

@@ -64,7 +64,7 @@ Current asset types are:
 | Partner Tier2 Support                         | Identity   | Very High                 | Identities in this role can reset passwords for all users (including Global Administrators), update credentials for applications, create and delete users, and create OAuth2 permission grants. This role has been deprecated and will be removed from Microsoft Entra ID in the future. Don't use - not intended for general use. |
 | Password Administrator                        | Identity   | Very High                 | Identities in this role can reset passwords for nonadministrators and Password Administrators. |
 | Privileged Authentication Administrator       | Identity   | Very High                 | Identities in this role can view, set, and reset authentication method information for any user (admin or nonadmin). |
-| Privileged Role Administrator                 | Identity   | High                      | Identities in this role can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management. |
+| Privileged Role Administrator                 | Identity   | Very High                 | Identities in this role can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management. |
 | Security Administrator                        | Identity   | High                      | Identities in this role can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365. |
 | Security Operator                             | Identity   | High                      | Identities in this role can create and manage security events.    |
 | Security Reader                               | Identity   | High                      | Identities in this role can read security information and reports in Microsoft Entra ID and Office 365. |