Merge branch 'main' into diannegali-updatesecbaselines

Author: diannegali

ATPDocs/health-alerts.md

@@ -1,7 +1,7 @@
 ---
 title: Microsoft Defender for Identity health issues
 description: This article describes all the health issues that can occur for each component, listing the cause and the steps needed to resolve the problem
-ms.date: 07/09/2024
+ms.date: 01/16/2025
 ms.topic: how-to
 ---
 
@@ -191,6 +191,12 @@ Sensor-specific health issues are displayed in the **Sensor health issues** tab
 |----|----|----|----|----|
 |Radius accounting (VPN integration) data ingestion failures.|The listed Defender for Identity sensors have radius accounting (VPN integration) data ingestion failures.|Validate that the shared secret in the Defender for Identity configuration settings matches your VPN server, according to the guidance described [Configure VPN in Defender for Identity](vpn-integration.md#configure-vpn-in-defender-for-identity) section, in the [Defender for Identity VPN integration](vpn-integration.md) page.|Low|Health issues page|
 
+### Auditing for AD CS servers is not enabled as required
+
+|Alert|Description|Resolution|Severity|Displayed in|
+|----|----|----|----|----|
+|Auditing for AD CS servers is not enabled as required. (This configuration is validated once a day, per sensor).|The Advanced Auditing Policy Configuration or AD CS auditing is not enabled as required.|Enable the Advanced Auditing Policy Configuration and AD CS auditing according to the guidance as described in the [Configure auditing on AD CS](configure-windows-event-collection.md#configure-auditing-on-ad-cs) section, in the [Configure Windows Event collection](configure-windows-event-collection.md) page.|Medium|Sensors health issues tab|
+
 ### Sensor failed to retrieve Microsoft Entra Connect service configuration
 
 | Alert| Description  |Resolution|Severity|Displayed in|

CloudAppSecurityDocs/behaviors.md

@@ -26,22 +26,22 @@ While behaviors might be related to security scenarios, they're not necessarily
 
 Behaviors currently support low-fidelity, Defender for Cloud Apps detections, that may not meet the standard for alerts but are still useful in providing context during an investigation. Currently supported detections include:
 
-|Alert name  |Policy name  |
-|---------|---------|
-|**Activity from infrequent country**  |Activity from infrequent country/region   |
-|**Impossible travel activity**  |Impossible travel  |
-|**Mass delete**  |Unusual file deletion activity (by user)  |
-|**Mass download**  |Unusual file download (by user)  |
-|**Mass share**  |Unusual file share activity (by user)  |
-|**Multiple delete VM activities**  |Multiple delete VM activities  |
-|**Multiple failed login attempts**  |Multiple failed sign-in attempts  |
-|**Multiple Power BI report sharing activities**  |Multiple Power BI report sharing activities  |
-|**Multiple VM creation activities**  |Multiple VM creation activities  |
-|**Suspicious administrative activity**  |Unusual administrative activity (by user)  |
-|**Suspicious impersonated activity**  |Unusual impersonated activity (by user)  |
-|**Suspicious OAuth app file download activities**  |Suspicious OAuth app file download activities  |
-|**Suspicious Power BI report sharing**  |Suspicious Power BI report sharing   |
-|**Unusual addition of credentials to an OAuth app**  |Unusual addition of credentials to an OAuth app  |
+|Alert name  |Policy name  |ActionType (Hunting)|
+|---------|---------|---------|
+|**Activity from infrequent country**  |Activity from infrequent country/region   |ActivityFromInfrequentCountry|
+|**Impossible travel activity**  |Impossible travel  |ImpossibleTravelActivity|
+|**Mass delete**  |Unusual file deletion activity (by user)  |MassDelete|
+|**Mass download**  |Unusual file download (by user)  |MassDownload|
+|**Mass share**  |Unusual file share activity (by user)  |MassShare|
+|**Multiple delete VM activities**  |Multiple delete VM activities  |MultipleDeleteVmActivities|
+|**Multiple failed login attempts**  |Multiple failed sign-in attempts  |MultipleFailedLoginAttempts|
+|**Multiple Power BI report sharing activities**  |Multiple Power BI report sharing activities  |MultiplePowerBiReportSharingActivities|
+|**Multiple VM creation activities**  |Multiple VM creation activities  |MultipleVmCreationActivities|
+|**Suspicious administrative activity**  |Unusual administrative activity (by user)  |SuspiciousAdministrativeActivity|
+|**Suspicious impersonated activity**  |Unusual impersonated activity (by user)  |SuspiciousImpersonatedActivity|
+|**Suspicious OAuth app file download activities**  |Suspicious OAuth app file download activities  |SuspiciousOauthAppFileDownloadActivities|
+|**Suspicious Power BI report sharing**  |Suspicious Power BI report sharing   |SuspiciousPowerBiReportSharing|
+|**Unusual addition of credentials to an OAuth app**  |Unusual addition of credentials to an OAuth app  |UnusualAdditionOfCredentialsToAnOauthApp|
 
 
 ## Defender for Cloud Apps' transition from alerts to behaviors

CloudAppSecurityDocs/discovery-docker-ubuntu-azure.md

@@ -105,7 +105,7 @@ This procedure describes how to deploy your machine with Ubuntu. The deployment
 
 1. Change to root privileges using `sudo -i`.
 
-1. If you accept the [software license terms](https://go.microsoft.com/fwlink/?linkid=862492), uninstall old versions and install Docker CE by running the commands appropriate for your environment:
+1. If you accept the software license terms, uninstall old versions and install Docker CE by running the commands appropriate for your environment:
 
     #### [CentOS](#tab/centos)
 

CloudAppSecurityDocs/discovery-docker-ubuntu.md

@@ -105,7 +105,7 @@ The following steps describe the deployment in Ubuntu. The deployment steps for
     export https_proxy='<IP>:<PORT>'
     ```
 
-1. If you accept the [software license terms](https://go.microsoft.com/fwlink/?linkid=862492), uninstall old versions and install Docker CE by running the commands appropriate for your environment:
+1. If you accept the software license terms, uninstall old versions and install Docker CE by running the commands appropriate for your environment:
 
     ### [CentOS](#tab/centos)
 

CloudAppSecurityDocs/siem.md

@@ -84,7 +84,7 @@ Integrating with your SIEM is accomplished in three steps:
 
 ### Step 2: Download the JAR file and run it on your server
 
-1. In the [Microsoft Download Center](https://go.microsoft.com/fwlink/?linkid=838596), after accepting the [software license terms](https://go.microsoft.com/fwlink/?linkid=862491), download the .zip file and unzip it.
+1. In the [Microsoft Download Center](https://go.microsoft.com/fwlink/?linkid=838596), after accepting the software license terms, download the .zip file and unzip it.
 
 1. Run the extracted file on your server:
 

defender-endpoint/TOC.yml

@@ -926,25 +926,21 @@
 
       - name: Troubleshooting Microsoft Defender Antivirus
         items:
-        - name: Troubleshoot Microsoft Defender Antivirus performance issues
-          items:
+        - name: Troubleshoot performance issues related to real-time protection
+          href: troubleshoot-performance-issues.md
+          items: 
           - name: Performance analyzer for Microsoft Defender Antivirus
             href: tune-performance-defender-antivirus.md
           - name: Performance analyzer reference
             href: performance-analyzer-reference.md
-            displayName: high cpu msmpeng.exe antimalware engine microsoft defender
-              antivirus windows defender antivirus
-          - name: Troubleshoot performance issues related to real-time protection
-            href: troubleshoot-performance-issues.md
-          - name: Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI
-            href: troubleshoot-av-performance-issues-with-wprui.md
-            displayName: Troubleshoot antivirus performance issues with WPRUI windows
-              performance recorder UI WPR windows performance recorder
           - name: Troubleshoot Microsoft Defender Antivirus performance issues with Process
               Monitor
             href: troubleshoot-av-performance-issues-with-procmon.md
-            displayName: Troubleshoot Microsoft Defender Antivirus MDAV performance perf
-              issues with Process Monitor ProcMon
+          - name: Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI
+            href: troubleshoot-av-performance-issues-with-wprui.md
+        - name: Troubleshoot Microsoft Defender Antivirus performance issues
+          items:
+          
         - name: Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
           href: troubleshoot-microsoft-defender-antivirus.yml
         - name: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution

defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md

@@ -8,7 +8,7 @@ ms.author: ewalsh
 ms.custom: nextgen
 ms.reviewer: ksarens
 manager: deniseb
-ms.date: 06/06/2023
+ms.date: 01/16/2025
 ms.subservice: ngp
 ms.topic: how-to
 ms.collection: 
@@ -32,7 +32,7 @@ search.appverid: met150
 You can perform various functions in Microsoft Defender Antivirus using the dedicated command-line tool **mpcmdrun.exe**. This utility is useful when you want to automate Microsoft Defender Antivirus tasks. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. Run it from a command prompt.
 
 > [!TIP]
-> You might need to open an administrator-level version of the command prompt. When you search for **Command Prompt** on the Start menu, choose **Run as administrator**. If you're running an updated Microsoft Defender antimalware platform version, run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>`. For more information about the antimalware platform, see [Microsoft Defender Antivirus updates and baselines](microsoft-defender-antivirus-updates.md).
+> You might need to open an administrator-level version of the command prompt. When you search for **Command Prompt** on the **Start** menu, choose **Run as administrator**. If you're running an updated Microsoft Defender antimalware platform version, run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>`. For more information about the antimalware platform, see [Microsoft Defender Antivirus updates and baselines](microsoft-defender-antivirus-updates.md).
 
 The MpCmdRun utility uses the following syntax:
 
@@ -52,38 +52,45 @@ In our example, the MpCmdRun utility starts a full antivirus scan on the device.
 
 |Command|Description|
 |---|---|
-|`-?` **or** `-h`|Displays all available options for the MpCmdRun tool|
+|`-?` **or** `-h`|Displays all available options for the MpCmdRun tool.|
 |`-Scan [-ScanType [<value>]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]`|Scans for malicious software. Values for **ScanType** are:<p>**0** Default, according to your configuration<p>**1** Quick scan<p>**2** Full scan<p>**3** File and directory custom scan.<p>CpuThrottling runs according to policy configurations.|
-|`-Trace [-Grouping #] [-Level #]`|Starts diagnostic tracing|
+|`-Trace [-Grouping #] [-Level #]`|Starts diagnostic tracing.|
 |`-CaptureNetworkTrace -Path <path>`|Captures all the network input into the Network Protection service and saves it to a file at `<path>`. <br/>Supply an empty path to stop tracing.|
 |`-GetFiles [-SupportLogLocation <path>]`|Collects support information. See [collecting diagnostic data](collect-diagnostic-data.md).|
 |`-GetFilesDiagTrack`|Same as `-GetFiles`, but outputs to temporary DiagTrack folder.|
 |`-RemoveDefinitions [-All]`|Restores the installed security intelligence to a previous backup copy or to the original default set.|
 |`-RemoveDefinitions [-DynamicSignatures]`|Removes only the dynamically downloaded security intelligence.|
 |`-RemoveDefinitions [-Engine]`|Restores the previous installed engine.|
-|`-SignatureUpdate [-UNC \|-MMPC]`|Checks for new security intelligence updates.|
-|`-Restore  [-ListAll \|[[-Name <name>] [-All] \|[-FilePath <filePath>]] [-Path <path>]]`|Restores or lists quarantined item(s).|
+|`-SignatureUpdate [-UNC |-MMPC]`|Checks for new security intelligence updates.|
+|`-Restore  [-ListAll |[[-Name <name>] [-All] |[-FilePath <filePath>]] [-Path <path>]]`|Restores or lists quarantined items.|
 |`-AddDynamicSignature [-Path]`|Loads dynamic security intelligence.|
 |`-ListAllDynamicSignatures`|Lists the loaded dynamic security intelligence.|
 |`-RemoveDynamicSignature [-SignatureSetID]`|Removes dynamic security intelligence.|
 |`-CheckExclusion -path <path>`|Checks whether a path is excluded.|
+|`-TDT [-on|-off|-default]`|Disable or Enable TDT feature or sets it to default. If no option is specified, it retrieves the current status.|
+|`-OSCA`|Prints OS Copy Acceleration feature status.|
+|`-DeviceControl -TestPolicyXml  <FilePath> [-Rules | -Groups]`|Validate xml policy groups and rules.|
+|`-TrustCheck -File <FilePath>`|Checks trust status of a file.|
 |`-ValidateMapsConnection`|Verifies that your network can communicate with the Microsoft Defender Antivirus cloud service. This command will only work on Windows 10, version 1703 or higher.|
+|`-ListCustomASR`|List the custom Azure Site Recovery rules present on this device.|
+|`-DisplayECSConnection`|Displays URLs that Defender Core service uses to establish connection to ECS.|
+|`-HeapSnapshotConfig <-Enable|-Disable> [-Pid <ProcessID>]`|Enable or Disable heap snapshot (tracing) configuration for process. Replace `<ProcessID>` with the actual process ID.|
 |`-ResetPlatform`| Reset platform binaries back to `%ProgramFiles%\Windows Defender`.|
 |`-RevertPlatform`| Revert platform binaries back to the previously installed version of the Defender platform.|
 
 > [!NOTE]
-> For the "Scan" command, the following are the default timeout values for Quick or Full scans where the scan will stop at that time by default.
-> - Portal initiated scans (Quick or Full) or Windows Security app (Quick or Full): No time limit
-> - Scheduled Full Scans or MpCmdRun -scan: 7 day limit
-> - Scheduled Quick Scans or MpCmdRun -scan: 1 day limit
+> For the `Scan` command, the following are the default time out values for Quick or Full scans where the scan will stop at that time by default.
+> - Scheduled Full Scans or MpCmdRun -scan: Seven day limit
+> - Scheduled Quick Scans or MpCmdRun -scan: One day limit
+
 
 ## Common errors in running commands via mpcmdrun.exe
 
 The following table lists common errors that can occur while using the MpCmdRun tool.
 
 |Error message|Possible reason|
 |---|---|
-|**ValidateMapsConnection failed (800106BA)** or **0x800106BA**|The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see [Reinstall/enable Microsoft Defender Antivirus on your endpoints](switch-to-mde-phase-2.md#step-1-reinstallenable-microsoft-defender-antivirus-on-your-endpoints).<p> Note that in Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called *Windows Defender Antivirus*.|
+|**ValidateMapsConnection failed (800106BA)** or **0x800106BA**|The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see [Reinstall/enable Microsoft Defender Antivirus on your endpoints](switch-to-mde-phase-2.md#step-1-reinstallenable-microsoft-defender-antivirus-on-your-endpoints).<p> In Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called *Windows Defender Antivirus*.|
 |**0x80070667**|You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
 |**MpCmdRun is not recognized as an internal or external command, operable program, or batch file.**|The tool must be run from either `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)|
 |**ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)**|The command was attempted using insufficient privileges. Use the command prompt (cmd.exe) as an administrator.|
@@ -98,7 +105,7 @@ The following table lists common errors that can occur while using the MpCmdRun
 - [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
 - [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
 - [Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)
-- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Reference articles for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
 - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
 - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
 - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)