Merge pull request #1444 from MicrosoftDocs/main

garycentric · web-flow · commit e8f5fd8ebd7c · 2024-09-23T15:39:10.000-07:00
Publish main to live 09/23/2024, 3:30 PM
diff --git a/defender-office-365/attack-simulation-training-faq.md b/defender-office-365/attack-simulation-training-faq.md
@@ -19,7 +19,7 @@ ms.custom:
   - seo-marvel-apr2020
 description: Admins can learn about deployment considerations and frequently asked questions regarding Attack simulation and training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations.
 ms.service: defender-office-365
-ms.date: 06/14/2024
+ms.date: 09/23/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -361,4 +361,16 @@ A: Yes. First you archive the payload, then you delete the archived payload. For
 
 ### Q: Can I modify the built-in payloads?
 
-A: Not directly. You can copy the payload and then modify the copy. For instructions, see [Copy payloads](attack-simulation-training-payloads.md#copy-payloads).
+A: Not directly. You can copy the built-in payload and then modify the copy. For instructions, see [Copy payloads](attack-simulation-training-payloads.md#copy-payloads).
+
+### Q: I'm trying to run a QR code simulation, but scanning the QR code shows me 'ping successful' instead of the landing page?
+
+A: When you insert a QR code in the payload editor, it maps to the base phishing URL that you selected in the **Phishing link** section \> **Select URL**. The QR code is inserted in the email message as an image. If you switch from the **Text** tab to the **Code** tab, you see the inserted image in Base64 format. The beginning of the image contains `<div id="QRcode"...>`. Make sure to verify that the finished payload contains `<div id="QRcode"...>` before you use it in a simulation.
+
+During simulation creation, if you scan the QR code or you use **Send a Test** to review the payload, the QR code points to the base phishing URL that you selected.
+
+When the payload is used in a simulation, the service replaces the QR code with a dynamically generated QR code to track click and compromise metrics. The size, position, and shape of the QR code matches the configuration options you configured in the payload. Scanning the QR code during an actual simulation takes you to the configured landing page.
+
+### Q: I'm trying to create a payload in HTML, but the payload editor seems to remove certain content from my design?
+
+A: Currently, the following HTML tags aren't supported in the payload editor: `applet, base, basefont, command, embed, frame, frameset, iframe, keygen, link, meta, noframes, noscript, param, script, object, title`.
diff --git a/defender-xdr/TOC.yml b/defender-xdr/TOC.yml
@@ -444,6 +444,8 @@
                 href: copilot-in-defender-file-analysis.md
               - name: Generate device summaries
                 href: copilot-in-defender-device-summary.md
+              - name: Summarize identities
+                href: security-copilot-defender-identity-summary.md                
               - name: Use guided responses
                 href: security-copilot-m365d-guided-response.md
               - name: Generate KQL queries
diff --git a/defender-xdr/advanced-hunting-deviceevents-table.md b/defender-xdr/advanced-hunting-deviceevents-table.md
@@ -68,7 +68,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `InitiatingProcessSHA1` | `string` | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessSHA256` | `string` | SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
 | `InitiatingProcessMD5` | `string` | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
+| `InitiatingProcessFileName` | `string` | Name of the process file that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
 | `InitiatingProcessFileSize` | `long` | Size of the file that ran the process responsible for the event |
 | `InitiatingProcessFolderPath` | `string` | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessId` | `long` | Process ID (PID) of the process that initiated the event |
diff --git a/defender-xdr/advanced-hunting-devicefileevents-table.md b/defender-xdr/advanced-hunting-devicefileevents-table.md
@@ -60,7 +60,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `InitiatingProcessSHA1` | `string` | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessSHA256` | `string` | SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
 | `InitiatingProcessFolderPath` | `string` | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
+| `InitiatingProcessFileName` | `string` | Name of the process file that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
 | `InitiatingProcessFileSize` | `long` | Size of the process (image file) that initiated the event |
 | `InitiatingProcessVersionInfoCompanyName` | `string` | Company name from the version information of the process (image file) responsible for the event |
 | `InitiatingProcessVersionInfoProductName` | `string` | Product name from the version information of the process (image file) responsible for the event |
diff --git a/defender-xdr/advanced-hunting-deviceimageloadevents-table.md b/defender-xdr/advanced-hunting-deviceimageloadevents-table.md
@@ -56,7 +56,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `InitiatingProcessSHA1` | `string` | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessSHA256` | `string` | SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
 | `InitiatingProcessMD5` | `string` | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
+| `InitiatingProcessFileName` | `string` | Name of the process file that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
 | `InitiatingProcessFileSize` | `long` | Size of the file that ran the process responsible for the event |
 | `InitiatingProcessVersionInfoCompanyName` | `string` | Company name from the version information of the process (image file) responsible for the event |
 | `InitiatingProcessVersionInfoProductName` | `string` | Product name from the version information of the process (image file) responsible for the event |
diff --git a/defender-xdr/advanced-hunting-devicelogonevents-table.md b/defender-xdr/advanced-hunting-devicelogonevents-table.md
@@ -64,7 +64,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `InitiatingProcessSHA1` | `string` | SHA-1 hash of the process (image file) that initiated the event |
 | `InitiatingProcessSHA256` | `string` | SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available. |
 | `InitiatingProcessMD5` | `string` | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead|
+| `InitiatingProcessFileName` | `string` | Name of the process file that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead|
 | `InitiatingProcessFileSize` | `long` | Size of the file that ran the process responsible for the event |
 | `InitiatingProcessVersionInfoCompanyName` | `string` | Company name from the version information of the process (image file) responsible for the event |
 | `InitiatingProcessVersionInfoProductName` | `string` | Product name from the version information of the process (image file) responsible for the event |
diff --git a/defender-xdr/advanced-hunting-devicenetworkevents-table.md b/defender-xdr/advanced-hunting-devicenetworkevents-table.md
@@ -53,7 +53,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `InitiatingProcessSHA1` | `string` | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessSHA256` | `string` | SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
 | `InitiatingProcessMD5` | `string` | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
+| `InitiatingProcessFileName` | `string` | Name of the process file that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
 | `InitiatingProcessFileSize` | `long` | Size of the file that ran the process responsible for the event |
 | `InitiatingProcessVersionInfoCompanyName` | `string` | Company name from the version information of the process (image file) responsible for the event |
 | `InitiatingProcessVersionInfoProductName` | `string` | Product name from the version information of the process (image file) responsible for the event |
diff --git a/defender-xdr/advanced-hunting-deviceprocessevents-table.md b/defender-xdr/advanced-hunting-deviceprocessevents-table.md
@@ -76,7 +76,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `InitiatingProcessSHA1` | `string` | SHA-1 hash of the process (image file) that initiated the event |
 | `InitiatingProcessSHA256` | `string` | SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
 | `InitiatingProcessMD5` | `string` | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
+| `InitiatingProcessFileName` | `string` | Name of the process file that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
 | `InitiatingProcessFileSize` | `long` | Size of the file that ran the process responsible for the event |
 | `InitiatingProcessVersionInfoCompanyName` | `string` | Company name from the version information of the process (image file) responsible for the event |
 | `InitiatingProcessVersionInfoProductName` | `string` | Product name from the version information of the process (image file) responsible for the event |
diff --git a/defender-xdr/advanced-hunting-deviceregistryevents-table.md b/defender-xdr/advanced-hunting-deviceregistryevents-table.md
@@ -55,7 +55,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `InitiatingProcessSHA1` | `string` | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessSHA256` | `string` | SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
 | `InitiatingProcessMD5` | `string` | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
+| `InitiatingProcessFileName` | `string` | Name of the process file that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
 | `InitiatingProcessFileSize` | `long` | Size of the file that ran the process responsible for the event |
 | `InitiatingProcessVersionInfoCompanyName` | `string` | Company name from the version information of the process (image file) responsible for the event |
 | `InitiatingProcessVersionInfoProductName` | `string` | Product name from the version information of the process (image file) responsible for the event |
diff --git a/defender-xdr/security-copilot-defender-identity-summary.md b/defender-xdr/security-copilot-defender-identity-summary.md
@@ -18,7 +18,7 @@ search.appverid:
   - MOE150
   - MET150
 ms.date: 09/23/2024
-appliiesto:
+appliesto:
 - Microsoft Defender XDR
 - Microsoft Sentinel in the unified security operations center (SOC) platform
 ---
@@ -59,6 +59,10 @@ You can access the identity summary capability in the following ways:
 
    :::image type="content" source="/defender/media/copilot-in-defender/identity-summary/identity-assets-small.png" alt-text="Screenshot showing the Assets tab and a user account highlighted." lightbox="/defender/media/copilot-in-defender/identity-summary/identity-assets.png":::
 
+- In an alert page, select a user then select **Summarize** in the user details pane to generate the identity summary.
+
+- In the advanced hunting page, you can access the identity summary capability by selecting a user in the results table, then selecting the link to the user page. Copilot automatically generates the identity summary and displays the side panel upon opening the user page.
+
 - From the main menu, navigate to **Assets > Identities**. Select a username from the list, then select **View user page** to open the user page. Copilot automatically generates the identity summary and displays the side panel upon opening the user page.
 
    :::image type="content" source="/defender/media/copilot-in-defender/identity-summary/identity-identities-small.png" alt-text="Screenshot highlighting the view user page option in an username search within Identities." lightbox="/defender/media/copilot-in-defender/identity-summary/identity-identities.png":::
diff --git a/defender-xdr/security-copilot-in-microsoft-365-defender.md b/defender-xdr/security-copilot-in-microsoft-365-defender.md
@@ -17,17 +17,18 @@ ms.topic: conceptual
 search.appverid:
 - MOE150
 - MET150
-ms.date: 08/20/2024
+ms.date: 09/23/2024
+appliesto:
+- Microsoft Defender XDR
+- Microsoft Sentinel in the Microsoft Defender portal
 ---
 
 # Microsoft Copilot in Microsoft Defender
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-- Microsoft Sentinel in the Microsoft Defender portal
+> [!NOTE]
+> Microsoft Defender XDR provides a unified XDR experience for Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Vulnerability Management. Learn more about this pre- and post-breach defense suite in [What is Microsoft Defender XDR?](microsoft-365-defender.md)
 
 [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Copilot for Security is embedded in the Microsoft Defender portal to enable security teams to efficiently summarize incidents, analyze scripts and codes, analyze files, summarize device information, use guided responses to resolve incidents, generate KQL queries, and create incident reports.
 
@@ -73,6 +74,12 @@ Copilot helps security teams quickly assess and understand suspicious files with
 
 :::image type="content" source="/defender/media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-hide-small.png" alt-text="Screenshot of the file analysis results in Copilot in Defender with the Hide details option highlighted." lightbox="/defender/media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-hide.png":::
 
+### Investigate identities immediately
+
+Quickly assess a user’s risk by generating an [identity summary](security-copilot-defender-identity-summary.md) with Copilot. Identify when an identity is at risk or suspicious with contextualized information about a user’s role and role changes, sign in behaviors, devices signed in to, and relevant contact information.
+
+:::image type="content" source="/defender/media/copilot-in-defender/identity-summary/identity-incident-graph-small.png" alt-text="Screenshot showing the Summarize option in the user details pane." lightbox="/defender/media/copilot-in-defender/identity-summary/identity-incident-graph.png":::
+
 ### Write incident reports efficiently
 
 Security operations teams usually write reports to record important information, including what response actions were taken and the corresponding results, the team members involved, and other information to aid future security decisions and learning. Oftentimes, documenting incidents can be time-consuming. For an incident report to be effective, it must contain an incident's summary along with the actions taken, including what actions were taken by whom and when. Copilot [generates an incident report](security-copilot-m365d-create-incident-report.md) by quickly consolidating these pieces of information.
@@ -108,9 +115,9 @@ Because of its continuing evolution, Copilot might miss some things. Reviewing a
 All Copilot in Defender capabilities have an option for providing feedback. To provide feedback, perform the following steps:
 
 1. Select the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards.](/defender/media/copilot-in-defender/copilot-defender-feedback.png) located at the bottom of any results card in the Copilot side panel.
-2. Select **Confirmed, it looks great** if the results are accurate based on your assessment. You can provide more information in the next dialog box.
-3. Select **Off-target, inaccurate** if any detail is incorrect or incomplete based on your assessment. You can provide more information about your assessment in the next dialog box and submit this assessment to Microsoft.
-4. You can also report the results if it contains questionable or ambiguous information by selecting **Potentially harmful, inappropriate**. Provide more information about the results in the next dialog box and select Submit.
+2. Select **Looks right** if you deem the results accurate. You can provide more information in the next dialog box.
+3. Select **Needs improvement** if you assessed the result as lacking or incomplete. You can provide more information about your assessment in the next dialog box and submit this assessment to Microsoft.
+4. You can also report the results if it contains questionable or ambiguous information by selecting **Inappropriate**. Provide more information about the results in the next dialog box and select Submit.
 
 <a name='microsoft-365-defender-plugin-in-security-copilot'></a>
 
diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md
@@ -6,7 +6,7 @@ ms.service: defender-xdr
 ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
-ms.date: 08/12/2024
+ms.date: 09/23/2024
 manager: dansimp
 audience: ITPro
 ms.collection:
@@ -31,6 +31,7 @@ You can also get product updates and important notifications through the [messag
 
 ## September 2024
 
+- (GA) Copilot in Defender now includes the identity summary capability, providing instant insights into a user's risk level, sign in activity, and more. For more information, see [Summarize identity information with Copilot in Defender](security-copilot-defender-identity-summary.md).
 - [Microsoft Defender Threat Intelligence](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) customers can now view the [latest featured threat intelligence articles](/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal#featured-threat-intelligence-articles-widget) in the Microsoft Defender portal home page. The **Intel explorer** page now also has an [article digest](/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal#article-digest) that notifies them of the number of new Defender TI articles that were published since they last accessed the Defender portal.
 - [Microsoft Defender XDR Unified RBAC permissions](experts-on-demand.md#required-permissions-for-using-ask-defender-experts) are added to submit inquiries and view responses from [Microsoft Defender Experts](experts-on-demand.md). You can also [view responses](experts-on-demand.md#where-to-view-responses-from-defender-experts) to inquires submitted to Ask Defender Experts through your listed email addresses when submitting your inquiry or in the Defender portal by navigating to **Reports** > **Defender Experts messages**.
 - (GA) **Advanced hunting context panes** are now available in more experiences. This allows you to access the advanced hunting feature without leaving your current workflow. 
