Merge branch 'main' into docs-editor/linux-preferences-1733726064

Author: denisebmsft

CloudAppSecurityDocs/activity-filters-queries.md

@@ -20,8 +20,11 @@ Below is a list of the activity filters that can be applied. Most filters suppor
 - Activity objects – Search for the objects the activity was done on. This filter applies to files, folders, users, or app objects.
     - Activity object ID - the ID of the object (file, folder, user, or app ID).
 
-    - Item - Enables you to search by the name or ID of any activity object (for example, user names, files, parameters, sites). For the **Activity object Item** filter, you can select whether to filter for items that **Contain**, **Equal**, or **Starts with** the specific item.
+    - Item - Enables you to search by the name or ID of any activity object (for example, user names, files, parameters, sites). For the **Activity object Item** filter, you can select whether to filter for items that **Contains**, **Equals**, or **Starts with** the specific item.
 
+    > [!NOTE]
+    > Activity-Policy's **Activity object Item** filter supports the **Equals** operator only.
+  
 - Action type - Search for a more specific action performed in an app.
 
 - Activity type - Search for the app activity.

defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md

@@ -21,6 +21,12 @@ ms.custom:
 
 # Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI
 
+> [!TIP]
+> First, review common reasons for performance issues such as high CPU usage in [Troubleshoot performance issues related to Microsoft Defender Antivirus real-time protection (RTP) or scans (scheduled or on-demand](/defender-endpoint/troubleshoot-performance-issues)).
+> Then, run the [Microsoft Defender Antivirus Performance Analyzer](/defender-endpoint/tune-performance-defender-antivirus) to analyze the cause of high CPU usage in Microsoft Defender Antivirus (Antimalware Service Executable, Microsoft Defender Antivirus service, or MsMpEng.exe).
+> If the Microsoft Defender Antivirus Performance Analyzer doesn't identify the root cause of high CPU utilization, run [Processor Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon) to narrow down or determine the root cause of the high CPU utilization in Microsoft Defender Antivirus.
+> The final tool in your toolkit is to run the Windows Performance Recorder UI (WPRUI) or the Windows Performance Recorder (WPR command-line) as discussed in this article.
+
 ## Capture performance logs using Windows Performance Recorder
 
 Windows Performance Recorder (WPR) is a powerful recording tool that creates Event Tracing for Windows recordings and allows you to include additional information in your submission to Microsoft support.
@@ -29,62 +35,88 @@ WPR is part of the Windows Assessment and Deployment Kit (Windows ADK) and can b
 
 Alternatively, follow the steps in [Capture performance logs using the WPR UI](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Ftroubleshoot-performance-issues.md/main/ae28f1cf-14bc-fb9c-5f0c-873a683e907c/?branch=main&branchFallbackFrom=main%2C), or use the command-line tool *wpr.exe* [Capture performance logs using the WPR CLI](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Ftroubleshoot-performance-issues.md/main/ae28f1cf-14bc-fb9c-5f0c-873a683e907c/?branch=main&branchFallbackFrom=main%2C). Both are available in Windows 8 and later versions.
 
+There are two ways to capture the Windows Performance Recorder (WPRUI) trace:
+
+1. Using the MDE Client Analyzer
+
+1. Manually
+
+## Using the MDE Client Analyzer
+
+1. Download the [MDE Client Analyzer](/defender-endpoint/download-client-analyzer).
+
+1. Run the MDE Client Analyzer using [Live Response or locally](/defender-endpoint/run-analyzer-windows).
+
+   > [!TIP]
+   > Before starting the trace, make sure the issue is reproducible. Additionally, close any applications that don't contribute to the reproduction of the issue.
+
+
+1. Run the MDE Client Analyzer with the `-a` and `-v` switches.
+
+   PowerShellCopy
+   
+   ```
+   C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd
+   ```
+   
+## Manually
+
 ### Capture performance logs using the WPR UI
 
 > [!TIP]
-> If multiple devices are experiencing this issue, try using the one with the most RAM.
+> If multiple devices are experiencing this issue, use the one with the most RAM.
 
 1. Download and install WPR.
 
 1. Under *Windows Kits*, right-click **Windows Performance Recorder**.
 
    ![Screenshot showing the Start menu](media/wpr-01.png)
-
+   
 1. Select **More**. Select **Run as administrator**.
 
 1. Right-click **Yes** when the User Account Control dialog box appears.
 
    ![Screenshot showing the UAC page.](media/wpt-yes.png)
-
+   
 1. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `MDAV.wprp` to a folder such as `C:\temp`.
 
 1. In the WPR dialog box, select **More options**.
 
    ![Screenshot showing the page where you can select more options](media/wpr-03.png)
-
+   
 1. Select **Add Profiles...** and browse to the path of the `MDAV.wprp` file.
 
 1. A new profile named Microsoft Defender for Endpoint analysis should appear under Custom measurements.
 
    ![Screenshot showing the in-file.](media/wpr-infile.png)
-
+   
    > [!WARNING]
-   > If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system consumes a high amount of non-paged pool memory or buffers, leading to system instability. Explore **Resource Analysis** to choose profiles to add.
+   > If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system might consume a high amount of nonpaged pool memory or buffers, leading to system instability. To address this, explore **Resource Analysis** to choose profiles to add.
    > This custom profile provides the necessary context for in-depth performance analysis.
 
 1. To use the custom measurement Microsoft Defender for Endpoint verbose analysis profile in the WPR UI:
 
    1. Ensure no profiles are selected under the *First-level triage*, *Resource Analysis* and *Scenario Analysis* groups.
 
-   2. Select **Custom measurements**.
+   1. Select **Custom measurements**.
 
-   3. Select **Microsoft Defender for Endpoint analysis**.
+   1. Select **Microsoft Defender for Endpoint analysis**.
 
-   4. Select **Verbose** under *Detail* level.
+   1. Select **Verbose** under *Detail* level.
 
-   5. Select **File** or **Memory** under Logging mode.
+   1. Select **File** or **Memory** under Logging mode.
 
    > [!IMPORTANT]
-   > Select **File** to use the file logging mode if you can directly reproduce the performance issue. Most issues fall under this category. However, if you cannot directly reproduce the issue, select Memory to use the memory logging mode. This prevents the trace log from inflating excessively due to long run times.
+   > Select **File** to use the file logging mode if you can directly reproduce the performance issue. Most issues fall under this category. However, if you can't directly reproduce the issue, select **Memory** to use the memory logging mode. This prevents the trace log from inflating excessively due to long run times.
 
-1. Now you're ready to collect data. Close all unnecessary applications. Click **Hide options** to keep the space occupied by the WPR window small.
+1. Now you're ready to collect data. Close all unnecessary applications. Select **Hide options** to keep the space occupied by the WPR window small.
 
    ![Screenshot showing the Hide options.](media/wpr-08.png)
-
+   
 1. Select **Start**.
 
    ![Screenshot showing the Record system information page.](media/wpr-09.png)
-
+   
 1. Reproduce the issue.
 
    > [!TIP]
@@ -93,25 +125,25 @@ Alternatively, follow the steps in [Capture performance logs using the WPR UI](/
 1. Select **Save**.
 
    ![Screenshot showing the Save option.](media/wpr-10.png)
-
+   
 1. Fill in **Type in a detailed description of the problem:** with information about the problem and how you reproduced the issue.
 
    ![Screenshot showing the pane in which you fill.](media/wpr-12.png)
-
+   
 1. Select **File Name:** to determine where your trace file is saved. By default, it's saved to `%user%\Documents\WPR Files\`.
 
-   1. Select **Save**.
+1. Select **Save**.
 
    ![Screenshot showing the WPR gathering general trace.](media/wpr-13.png)
-
+   
 1. After the trace has been merged and saved, right-click **Open folder**.
 
    ![Screenshot that displays the notification that WPR trace has been saved.](media/wpr-14.png)
-
-   Include both the file and the folder in your submission to Microsoft Support.
+   
+1. Include both the file and the folder in your submission to Microsoft Support.
 
    ![Screenshot showing the details of the file and the folder.](media/wpr-15.png)
-
+   
 ### Capture performance logs using the WPR CLI
 
 To collect a WPR trace using the command-line tool wpr.exe:
@@ -131,7 +163,7 @@ To collect a WPR trace using the command-line tool wpr.exe:
    ```
 
    > [!WARNING]
-   > If your Windows Server has 64 GB of RAM or more, use profiles `WDForLargeServers.Light` and `WDForLargeServers.Verbose` instead of profiles `WD.Light` and `WD.Verbose`, respectively. Otherwise, your system consumes a high amount of non-paged pool memory or buffers, leading to system instability.
+   > If your Windows Server has 64 GB of RAM or more, use profiles `WDForLargeServers.Light` and `WDForLargeServers.Verbose` instead of profiles `WD.Light` and `WD.Verbose`, respectively. Otherwise, your system consumes a high amount of nonpaged pool memory or buffers, leading to system instability.
 
 1. Reproduce the issue.
 
@@ -150,8 +182,20 @@ To collect a WPR trace using the command-line tool wpr.exe:
 
 ## See also
 
+- [Run the client analyzer on Windows](/defender-endpoint/run-analyzer-windows)
+
 - [Collect Microsoft Defender Antivirus diagnostic data](collect-diagnostic-data.md)
+
+- [Troubleshoot Microsoft Defender Antivirus settings](/defender-endpoint/troubleshoot-settings)
+
 - [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+
+- [Troubleshoot performance issues related to Microsoft Defender Antivirus](/defender-endpoint/troubleshoot-performance-issues)
+
 - [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
 
-[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
+- [Troubleshoot Microsoft Defender Antivirus performance issues with Process Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon)
+
+- [Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI](/defender-endpoint/troubleshoot-av-performance-issues-with-wprui)
+
+[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-xdr/create-custom-rbac-roles.md

@@ -12,7 +12,7 @@ ms.collection:
 - tier3
 ms.custom: 
 ms.topic: how-to
-ms.date: 10/31/2024
+ms.date: 11/17/2024
 ms.reviewer: 
 search.appverid: met150
 ---
@@ -30,6 +30,7 @@ search.appverid: met150
 - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
 - [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Microsoft Security Exposure Management](/security-exposure-management/)
+- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps)
 
 ## Create a custom role
 

defender-xdr/custom-permissions-details.md

@@ -12,7 +12,7 @@ ms.collection:
 - tier3
 ms.custom:
 ms.topic: how-to
-ms.date: 08/03/2023
+ms.date: 11/17/2024
 ms.reviewer:
 search.appverid: met150
 ---
@@ -32,6 +32,7 @@ In Microsoft Defender XDR Unified role-based access control (RBAC) you can selec
 - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
 - [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Microsoft Security Exposure Management](/security-exposure-management/)
+- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps)
 
 <a name='microsoft-365-defender-unified-rbac-permission-details'></a>
 

defender-xdr/edit-delete-rbac-roles.md

@@ -12,7 +12,7 @@ ms.collection:
 - tier3
 ms.custom: 
 ms.topic: how-to
-ms.date: 06/27/2024
+ms.date: 11/17/2024
 ms.reviewer: 
 search.appverid: met150
 ---
@@ -30,6 +30,7 @@ search.appverid: met150
 - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
 - [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Microsoft Security Exposure Management](/security-exposure-management/)
+- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps)
 
 In Microsoft Defender XDR Unified role-based access control (RBAC), you can edit and delete custom roles or roles that were imported from Defender for Endpoint, Defender for Identity, or Defender for Office 365.
 
@@ -39,7 +40,7 @@ The following steps guide you on how to edit roles in Microsoft Defender XDR Uni
 
 > [!IMPORTANT]
 > You must be a Global Administrator or Security Administrator in Microsoft Entra ID, or have all the Authorization permissions assigned in Microsoft Defender XDR Unified RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](manage-rbac.md#permissions-prerequisites).
-> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+> Microsoft recommends that you use roles with the fewest permissions to help improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) as global administrator or security administrator.
 
@@ -49,7 +50,7 @@ The following steps guide you on how to edit roles in Microsoft Defender XDR Uni
 
 4. Select the role you want to edit. You can only edit one role at a time.
 
-5. Once selected, this opens a flyout pane where you can edit the role:
+5. Once selected, a flyout pane opens where you can edit the role:
 
     :::image type="content" source="/defender/media/defender/m365-defender-rbac-edit-roles.png" alt-text="Screenshot of the edit roles flyout page" lightbox="/defender/media/defender/m365-defender-rbac-edit-roles.png":::
 
@@ -60,7 +61,7 @@ The following steps guide you on how to edit roles in Microsoft Defender XDR Uni
 
 To delete roles in Microsoft Defender XDR Unified RBAC, select the role or roles you want to delete and select **Delete roles**.
 
-If the workload is active, by removing the role all assigned user permission will be deleted.
+If the workload is active, all assigned user permission are deleted by removing the role.
 
 > [!NOTE]
 > After deleting an imported role, the role won't be deleted from the individual product RBAC model. If needed, you can re-import it to the Microsoft Defender XDR Unified RBAC list of roles.
@@ -76,7 +77,7 @@ The Export feature enables you to export the following roles data:
 - The assigned data sources
 - The assigned users or user groups
 
-When a role has multiple assignments, each assignment will be represented as a separate row in the CSV file.
+When a role has multiple assignments, each assignment is represented as a separate row in the CSV file.
 
 The CSV also includes a snapshot of the Defender XDR Unified RBAC activation status for each workload available on the tenant.
 
@@ -97,7 +98,7 @@ The following steps guide you on how to export roles in Microsoft Defender XDR U
 
     :::image type="content" source="/defender/media/defender/m365-defender-rbac-export-roles.png" alt-text="Screenshot of the export roles page" lightbox="/defender/media/defender/m365-defender-rbac-export-roles.png":::
 
-A CSV file containing all the roles data will be generated and downloaded to the local machine.
+A CSV file containing all the roles data is generated and downloaded to the local computer.
 
 ## Next steps