Merge branch 'main' into docs-editor/configure-advanced-scan-types-1730417719

denisebmsft · web-flow · commit e133ea6bf2a7 · 2024-11-01T07:53:51.000-07:00
diff --git a/defender-endpoint/run-analyzer-linux.md b/defender-endpoint/run-analyzer-linux.md
@@ -9,7 +9,7 @@ ms.service: defender-endpoint
 ms.subservice: linux
 ms.localizationpriority: medium
 ms.topic: troubleshooting-general
-ms.date: 10/31/2024
+ms.date: 11/01/2024
 ms.custom: partner-contribution
 ms.collection:
 - m365-security
@@ -163,7 +163,7 @@ The Python version of the client analyzer accepts command line parameters to per
 
    ```
 
-#### Rung the client analyzer script
+#### Run the client analyzer script
 
 > [!NOTE]
 > If you have an active live response session you can skip Step 1.
@@ -189,6 +189,34 @@ This section provides instructions on how to run the tool locally on the Linux m
 
 ### Run the binary version of the client analyzer
 
+#### Summary:
+
+1. Obtain from [https://aka.ms/xmdeclientanalyzerbinary](https://aka.ms/xmdeclientanalyzerbinary). Or, if your Linux server has internet access use `wget` to download the file:
+
+   ```bash
+   wget --quiet -O XMDEClientAnalyzerBinary.zip https://aka.ms/XMDEClientAnalyzerBinary
+   ```
+
+2. Unzip the file that is downloaded, and then of the extracted files unzip again the SupportToolLinuxBinary.zip
+
+   ```bash
+   unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary
+   ```
+
+3. Run the binary
+
+   ```
+   sudo ./MDESupportTool -d --mdatp-log debug
+   ```
+   
+4. Follow the on-screen instructions and then follow up with at the end of the log collection, the logs will be located in the `/tmp` directory.
+
+5. The log set will be owned by root user so you may need root privileges to remove the log set.
+
+6. Upload the file for the support engineer.
+
+#### Details:
+
 1. Download the [XMDE Client Analyzer Binary](https://aka.ms/XMDEClientAnalyzerBinary) tool to the Linux machine you need to investigate.
 
    If you're using a terminal, download the tool by entering the following command:
@@ -217,18 +245,17 @@ This section provides instructions on how to run the tool locally on the Linux m
    cd XMDEClientAnalyzerBinary
    ```
 
-4. Two new zip files are produced:
+1. Two new zip files are produced:
 
    - `SupportToolLinuxBinary.zip`: For all Linux devices
-   - `SupportToolMacOSBinary.zip`: For Mac devices
-
-5. Depending on the operating system, unzip the appropriate file for the machine you want to investigate.
-
-   | OS type | Command |
-   |--|--|
-   | Linux | `unzip -q SupportToolLinuxBinary.zip` |
-   | Mac | `unzip -q SupportToolMacOSBinary.zip` |
+   - `SupportToolMacOSBinary.zip`: For Mac devices, ignore this one.
+      
+1. Unzip the SupportToolLinuxBinary.zip for the Linux machine you want to investigate.
 
+   ```bash
+    unzip -q SupportToolLinuxBinary.zip 
+   ```
+   
 6. Run the tool as root to generate diagnostic package:
 
    ```bash
@@ -245,11 +272,11 @@ This section provides instructions on how to run the tool locally on the Linux m
 > [!WARNING]
 > Running the Python-based client analyzer requires the installation of PIP packages which may cause some issues in your environment. To avoid issues from occurring, it is recommended that you install the packages into a user PIP environment.
 
-1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the macOS or Linux machine you need to investigate.
+1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the Linux machine you need to investigate.
 
    If you're using a terminal, download the tool by running the following command:
 
-   ```bash
+      ```bash
    wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer
    ```
 
diff --git a/defender-endpoint/run-analyzer-macos.md b/defender-endpoint/run-analyzer-macos.md
@@ -9,7 +9,7 @@ ms.service: defender-endpoint
 ms.subservice: macos
 ms.localizationpriority: medium
 ms.topic: troubleshooting-general
-ms.date: 10/31/2024
+ms.date: 11/01/2024
 ms.custom: partner-contribution
 ms.collection:
 - m365-security
@@ -24,9 +24,6 @@ f1.keywords: NOCSH
 
 If you're experiencing reliability or device health issues with Microsoft Defender for Endpoint on macOS, you can use the XMDE Client Analyzer to diagnose these issues. This article describes two ways to use the client analyzer tool:
 
-- [Use the binary version of the client analyzer](#use-the-binary-version-of-the-client-analyzer)
-- 
-
 1. Using a binary version (no external Python dependency)
 2. Using a Python-based solution
 
@@ -65,13 +62,12 @@ If you're experiencing reliability or device health issues with Microsoft Defend
    - `SupportToolLinuxBinary.zip`: For all Linux devices
    - `SupportToolMacOSBinary.zip`: For Mac devices
 
-5. Depending on the machine you're investigating, unzip the appropriate file. 
-
-   | OS type | Terminal command |
-   |---|---|
-   | Linux | `unzip -q SupportToolLinuxBinary.zip` |
-   | Mac | `unzip -q SupportToolMacOSBinary.zip` |
+1. Unzip the SupportToolMacOSBinary.zip. 
 
+   ```bash
+    unzip -q SupportToolMacOSBinary.zip
+   ```
+   
 6. Run the tool as root to generate your diagnostic package:
 
    ```bash
@@ -87,11 +83,11 @@ The tool currently requires Python version 3 or later to be installed on your de
 > [!WARNING]
 > Running the Python-based client analyzer requires the installation of PIP packages which could cause some issues in your environment. To avoid issues from occurring, it is recommended that you install the packages into a user PIP environment.
 
-1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the Mac or Linux machine you're investigating.
+1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the Mac machine you're investigating.
 
    If you're using a terminal, download the tool by running the following command:
 
-   ```bash
+      ```bash
    wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer
    ```
 
@@ -128,9 +124,9 @@ The tool currently requires Python version 3 or later to be installed on your de
    ./mde_support_tool.sh
    ```
 
-7. To collect actual diagnostic package and generate the result archive file, run again as root:
+1. To collect actual diagnostic package and generate the result archive file, run again as root:
 
-   ```bash
+      ```bash
    sudo ./mde_support_tool.sh -d
    ```
 
@@ -196,75 +192,12 @@ To approve profile installation, see the [Apple Support Guide](https://support.a
 
 Usage example `./mde_support_tool.sh trace --length 5`
 
-#### Exclude mode
-
-Add exclusions for audit-d monitoring.
-
-> [!NOTE]
-> This functionality exists for Linux only.
-
-```console
-  -h, --help            show this help message and exit
-  -e <executable>, --exe <executable>
-                        exclude by executable name, i.e: bash
-  -p <process id>, --pid <process id>
-                        exclude by process id, i.e: 911
-  -d <directory>, --dir <directory>
-                        exclude by target path, i.e: /var/foo/bar
-  -x <executable> <directory>, --exe_dir <executable> <directory>
-                        exclude by executable path and target path, i.e: /bin/bash /var/foo/bar
-  -q <q_size>, --queue <q_size>
-                        set dispatcher q_depth size
-  -r, --remove          remove exclusion file
-  -s, --stat            get statistics about common executables
-  -l, --list            list auditd rules
-  -o, --override        Override the existing auditd exclusion rules file for mdatp
-  -c <syscall number>, --syscall <syscall number>
-                        exclude all process of the given syscall
-```
-
-Usage example: `sudo ./MDESupportTool exclude -d /var/foo/bar`
-
-### AuditD Rate Limiter
-
-Syntax that can be used to limit the number of events being reported by the auditD plugin. This option sets the rate limit globally for AuditD causing a drop in all the audit events. When the limiter is enabled the number of auditd events are limited to 2500 events/sec. This option can be used in cases where we see high CPU usage from AuditD side.
-
-> [!NOTE]
-> This functionality exists for Linux only.
-
-```console
--h, --help                                  show this help message and exit
--e <true/false>, --enable <true/false>      enable/disable the rate limit with default values
-```
-
-Usage example: `sudo ./mde_support_tool.sh ratelimit -e true`
-
-> [!NOTE]
-> This functionality should be carefully used as limits the number of events being reported by the auditd subsystem as a whole. This could reduces the number of events for other subscribers as well.
-
-### AuditD Skip Faulty Rules
-
-This option enables you to skip the faulty rules added in the auditd rules file while loading them. This option allows the auditd subsystem to continue loading rules even if there's a faulty rule. This option summarizes the results of loading the rules. In the background, this option runs the auditctl with the -c option.
-
-> [!NOTE]
-> This functionality is only available on Linux.
-
-```console
--h, --help                                  show this help message and exit
--e <true/false>, --enable <true/false>      enable/disable the option to skip the faulty rules. In case no argumanet is passed, the option will be true by default.
-```
-
-Usage example: `sudo ./mde_support_tool.sh skipfaultyrules -e true`
-
-> [!NOTE]
-> This functionality skips faulty rules. The faulty rule then needs to be further identified and fixed.
-
-## Result package contents on macOS and Linux
+## Result package contents on macOS
 
 | File | Description |
 |---|---|
 | `report.html` | The main HTML output file that contains the findings and guidance from running the client analyzer tool on the device. This file is only generated when running the Python-based version of the client analyzer tool. |
-| `mde_diagnostic.zip` | Same diagnostic output that gets generated when running `mdatp diagnostic create` on either [macOS](mac-resources.md#collecting-diagnostic-information) or [Linux](linux-resources.md#collect-diagnostic-information). |
+| `mde_diagnostic.zip` | Same diagnostic output that gets generated when running `mdatp diagnostic create` on [macOS](mac-resources.md#collecting-diagnostic-information). |
 | `mde.xml` | XML output that is generated while running and is used to build the html report file. |
 | `Processes_information.txt` | Contains the details of the running Microsoft Defender for Endpoint related processes on the system. |
 | `Log.txt` | Contains the same log messages written on screen during the data collection. |
