Merge branch 'main' into diannegali-updatemdeinxdr

diannegali · web-flow · commit e9bdf457304e · 2024-10-16T09:35:34.000+01:00
diff --git a/defender-endpoint/android-intune.md b/defender-endpoint/android-intune.md
@@ -15,7 +15,7 @@ ms.custom: partner-contribution
 ms.topic: conceptual
 ms.subservice: android
 search.appverid: met150
-ms.date: 07/25/2024
+ms.date: 10/11/2024
 ---
 
 # Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune
@@ -284,7 +284,10 @@ Android low touch onboarding is disabled by default. Admins can enable it throug
 
       > [!div class="mx-imgBorder"]
    > ![Screenshot showing a low touch onboarding configuration policy.](media/low-touch-user-upn.png)
-   
+
+> [!Note]
+> Once the policy is created, these value types will show as string.
+ 
 8. Assign the policy to the target user group.
 
 9. Review and create the policy.
diff --git a/defender-endpoint/linux-install-manually.md b/defender-endpoint/linux-install-manually.md
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/11/2024
+ms.date: 10/15/2024
 ---
 
 # Deploy Microsoft Defender for Endpoint on Linux manually
@@ -94,48 +94,46 @@ Read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/inst
 
 - Install `yum-utils` if it isn't installed yet:
 
-  ```bash
+    ```bash
   sudo yum install yum-utils
   ```
 
-  > [!NOTE]
+    > [!NOTE]
   > Your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config/rhel/`.
 
-  Use the following table to help guide you in locating the package:
+    Use the following table to help guide you in locating the package:
 
   |Distro & version|Package|
   |---|---|
   |For Alma 8.4 and higher|<https://packages.microsoft.com/config/alma/8/prod.repo>|
   |For Alma 9.2 and higher|<https://packages.microsoft.com/config/alma/9/prod.repo>|
   |For RHEL/Centos/Oracle 9.0-9.8|<https://packages.microsoft.com/config/rhel/9/prod.repo>|
-  |For RHEL/Centos/Oracle 8.0-8.9|<https://packages.microsoft.com/config/rhel/8/prod.repo>|
+  |For RHEL/Centos/Oracle 8.0-8.10|<https://packages.microsoft.com/config/rhel/8/prod.repo>|
   |For RHEL/Centos/Oracle 7.2-7.9 & Amazon Linux 2 |<https://packages.microsoft.com/config/rhel/7.2/prod.repo>|
   |For Amazon Linux 2023 |<https://packages.microsoft.com/config/amazonlinux/2023/prod.repo>|
   |For Fedora 33|<https://packages.microsoft.com/config/fedora/33/prod.repo>|
   |For Fedora 34|<https://packages.microsoft.com/config/fedora/34/prod.repo>|
   |For Rocky 8.7 and higher|<https://packages.microsoft.com/config/rocky/8/prod.repo>|
   |For Rocky 9.2 and higher|<https://packages.microsoft.com/config/rocky/9/prod.repo>|
+  
+    In the following commands, replace *[version]* and *[channel]* with the information you've identified:
 
-  <!--|For RHEL/Centos 6.7-6.10|<https://packages.microsoft.com/config/rhel/6/[channel].repo>|-->
-
-  In the following commands, replace *[version]* and *[channel]* with the information you've identified:
-
-  ```bash
+    ```bash
   sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/[version]/[channel].repo
   ```
 
-  > [!TIP]
+    > [!TIP]
   > Use hostnamectl command to identify system related information including release *[version]*.
 
-  For example, if you're running CentOS 7 and want to deploy Defender for Endpoint on Linux from the `prod` channel:
+    For example, if you're running CentOS 7 and want to deploy Defender for Endpoint on Linux from the `prod` channel:
 
-  ```bash
+    ```bash
   sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/7/prod.repo
   ```
 
-  Or if you wish to explore new features on selected devices, you might want to deploy Microsoft Defender for Endpoint on Linux to *insiders-fast* channel:
+    Or if you wish to explore new features on selected devices, you might want to deploy Microsoft Defender for Endpoint on Linux to *insiders-fast* channel:
 
-  ```bash
+    ```bash
   sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/7/insiders-fast.repo
   ```
 
diff --git a/defender-endpoint/microsoft-defender-endpoint-mac.md b/defender-endpoint/microsoft-defender-endpoint-mac.md
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: macos
 search.appverid: met150
-ms.date: 10/03/2024
+ms.date: 10/15/2024
 ---
 
 # Microsoft Defender for Endpoint on Mac
@@ -59,24 +59,18 @@ To get the latest features, including preview capabilities (such as endpoint det
 
 There are several methods and deployment tools that you can use to install and configure Defender for Endpoint on Mac.
 
-- Third-party management tools:
-    - [Microsoft Intune-based deployment](mac-install-with-intune.md)
+- [Microsoft Intune-based deployment](mac-install-with-intune.md)
+- Non-Microsoft management tools:
     - [JAMF-based deployment](mac-install-with-jamf.md)
     - [Other MDM products](mac-install-with-other-mdm.md)
-
-- Command-line tool:
-    - [Manual deployment](mac-install-manually.md)
+- Command-line tool: [Manual deployment](mac-install-manually.md)
 
 ### System requirements
 
 These four most recent major releases of macOS are supported.
-
 - 15.0.1 (Sequoia)
-
 - 14 (Sonoma)
-
 - 13 (Ventura)
-
 - 12 (Monterey)
 
 - Supported processors: x64 and ARM64
@@ -85,24 +79,23 @@ These four most recent major releases of macOS are supported.
 
 - Beta versions of macOS aren't supported.
 
-- Important
-
-> On macOS 11 (Big Sur) and later, Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [New configuration profiles for macOS Big Sur and newer versions of macOS](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Fmicrosoft-defender-endpoint-mac.md/main/979628aa-e0a5-ba01-7de6-f03ef27b15df/mac-sysext-policies.md).
+> [!IMPORTANT]
+> On macOS 11 (Big Sur) and later, Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [New configuration profiles for macOS Big Sur and newer versions of macOS](mac-sysext-policies.md) and detailed in [installation instructions](#installation-instructions).
 
-After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
+After you've enabled the service, you might need to configure your network or firewall to allow outbound connections between it and your endpoints.
 
 ### Licensing requirements
 
 Microsoft Defender for Endpoint on Mac requires one of the following Microsoft Volume Licensing offers:
 
-- Microsoft 365 E5 (M365 E5)
+- Microsoft 365 E5
 - Microsoft 365 E5 Security
-- Microsoft 365 A5 (M365 A5)
+- Microsoft 365 A5
 - Windows 10 Enterprise E5
 - Microsoft 365 Business Premium
 - Windows 11 Enterprise E5
-- Microsoft Defender for Endpoint P2
-- Microsoft Defender for Endpoint P1 (which is included in [Microsoft 365 E3 (M365 E3)](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3/ba-p/3060639))
+- Microsoft Defender for Endpoint P2 (included in Microsoft 365 E5 and E5 Security)
+- Microsoft Defender for Endpoint P1 (included in [Microsoft 365 E3](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3/ba-p/3060639))
 
 > [!NOTE]
 > Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices.
@@ -126,7 +119,6 @@ If a proxy or firewall is blocking anonymous traffic, make sure that anonymous t
 
 > [!WARNING]
 > Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used.
->
 > SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint on macOS to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
 
 #### Test network connectivity
diff --git a/defender-endpoint/run-analyzer-macos-linux.md b/defender-endpoint/run-analyzer-macos-linux.md
@@ -22,39 +22,40 @@ search.appverid: met150
 # Run the client analyzer on macOS and Linux
 
 **Applies to:**
+
 - [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 
 The XMDEClientAnalyzer is used for diagnosing Microsoft Defender for Endpoint health or reliability issues on onboarded devices running either Linux, or macOS.
 
 There are two ways to run the client analyzer tool:
 
-1. Using a binary version (no Python dependency)
+1. Using a binary version (no external Python dependency)
 2. Using a Python-based solution
 
-
 ## Running the binary version of the client analyzer
 
 1. Download the [XMDE Client Analyzer Binary](https://aka.ms/XMDEClientAnalyzerBinary) tool to the macOS or Linux machine you need to investigate.\
 If you're using a terminal, download the tool by entering the following command:
 
-    ```console
+    ```bash
     wget --quiet -O XMDEClientAnalyzerBinary.zip https://aka.ms/XMDEClientAnalyzerBinary
     ```
 
 1. Verify the download.
 
    > [!NOTE]
    > The current SHA256 hash of `XMDEClientAnalyzerBinary.zip` that is downloaded from this link is: `4E972F7950EA475A21735042484CD00CED6EA70ED9CBB48B4C9405FFD2706DFA`.
+ 
    - Linux
 
-       ```console
+    ```bash
     echo '4E972F7950EA475A21735042484CD00CED6EA70ED9CBB48B4C9405FFD2706DFA XMDEClientAnalyzerBinary.zip' | sha256sum -c
     ```
 
    - macOS
 
-       ```console
+    ```bash
     echo '4E972F7950EA475A21735042484CD00CED6EA70ED9CBB48B4C9405FFD2706DFA  XMDEClientAnalyzerBinary.zip' | shasum -a 256 -c
     ```
 
@@ -63,13 +64,13 @@ If you're using a terminal, download the tool by entering the following command:
 
     If you're using a terminal, extract the files by entering the following command:
 
-    ```console
+    ```bash
     unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary
     ```
 
 4. Change to the tool's directory by entering the following command:
 
-    ```console
+    ```bash
     cd XMDEClientAnalyzerBinary
     ```
 
@@ -84,87 +85,82 @@ If you're using a terminal, download the tool by entering the following command:
 
    - Linux
 
-     ```console
+     ```bash
      unzip -q SupportToolLinuxBinary.zip
      ```
 
    - Mac
 
-     ```console
+     ```bash
      unzip -q SupportToolMacOSBinary.zip
      ```
 
 7. Run the tool as _root_ to generate diagnostic package:
 
-   ```console
+   ```bash
    sudo ./MDESupportTool -d
    ```
 
 ## Running the Python-based client analyzer
 
 > [!NOTE]
->
-> - The analyzer depends on few extra PIP packages (sh, distro, lxml, pandas) which are installed in the OS when in root to produce the result output. If not installed, the analyzer will try to fetch it from the [official repository for Python packages](https://pypi.org/search/?q=lxml).
->
->   >[!WARNING]
->   >Running the Python-based client analyzer requires the installation of PIP packages which may cause some issues in your environment. To avoid issues from occurring, it is recommended that you install the packages into a user PIP environment.
->
-> - In addition, the tool currently requires Python version 3 or later to be installed.
->
-> - If your device is behind a proxy, then you can simply pass the proxy server as an environment variable to the mde_support_tool.sh script. For example:
-.
->   `https_proxy=https://myproxy.contoso.com:8080 ./mde_support_tool.sh"`
+> - The analyzer depends on few extra PIP packages (`decorator`, `sh`, `distro`, `lxml`, and `psutil`) which are installed in the operating system when in root to produce the result output. If not installed, the analyzer attempts to fetch it from the [official repository for Python packages](https://pypi.org/search/?q=lxml).
+> - In addition, the tool currently requires Python version 3 or later to be installed on your device.
+> - If your device is behind a proxy, then you can simply pass the proxy server as an environment variable to the `mde_support_tool.sh` script. For example: `https_proxy=https://myproxy.contoso.com:8080 ./mde_support_tool.sh"`.
+
+> [!WARNING]
+> Running the Python-based client analyzer requires the installation of PIP packages which may cause some issues in your environment. To avoid issues from occurring, it is recommended that you install the packages into a user PIP environment.
 
 1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the macOS or Linux machine you need to investigate.
 
     If you're using a terminal, download the tool by running the following command:
 
-    ```console
+    ```bash
     wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer
     ```
 
 2. Verify the download
 
    - Linux
 
-    ```console
+    ```bash
     echo 'E1C3D20516C849D8CD27257BB6084FBC2991B8F6214BF9121BB9B1446F95BB1F XMDEClientAnalyzer.zip' | sha256sum -c
     ```
 
    - macOS
 
-    ```console
+    ```bash
     echo 'E1C3D20516C849D8CD27257BB6084FBC2991B8F6214BF9121BB9B1446F95BB1F  XMDEClientAnalyzer.zip' | shasum -a 256 -c
     ```
 
 3. Extract the contents of XMDEClientAnalyzer.zip on the machine.
     If you're using a terminal, extract the files by using the following command:
 
-    ```console
+    ```bash
     unzip -q XMDEClientAnalyzer.zip -d XMDEClientAnalyzer
     ```
 
 4. Change directory to the extracted location.
 
-    ```console
+    ```bash
     cd XMDEClientAnalyzer
     ```
 
 5. Give the tool executable permission:
 
-    ```console
+    ```bash
     chmod a+x mde_support_tool.sh
     ```
 
 6. Run as a non-root user to install required dependencies:
 
-    ```console
+    ```bash
     ./mde_support_tool.sh
     ```
 
 7. To collect actual diagnostic package and generate the result archive file, run again as root:
 
-    ```console
+    ```bash
     sudo ./mde_support_tool.sh -d
     ```
 
diff --git a/defender-office-365/message-headers-eop-mdo.md b/defender-office-365/message-headers-eop-mdo.md
@@ -56,7 +56,7 @@ The individual fields and values are described in the following table.
 |Field|Description|
 |---|---|
 |`ARC`|The `ARC` protocol has the following fields: <ul><li>`AAR`: Records the content of the **Authentication-results** header from DMARC.</li><li>`AMS`: Includes cryptographic signatures of the message.</li><li>`AS`: Includes cryptographic signatures of the message headers. This field contains a tag of a chain validation called `"cv="`, which includes the outcome of the chain validation as **none**, **pass**, or **fail**.</li></ul>|
-|`CAT:`|The category of protection policy that's applied to the message: <ul><li>`AMP`: Anti-malware</li><li>`BULK`: Bulk</li><li>`DIMP`: Domain impersonation<sup>\*</sup></li><li>`FTBP`: Anti-malware [common attachments filter](anti-malware-protection-about.md#common-attachments-filter-in-anti-malware-policies)</li><li>`GIMP`: [Mailbox intelligence](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) impersonation<sup>\*</sup></li><li>`HPHSH` or `HPHISH`: High confidence phishing</li><li>`HSPM`: High confidence spam</li><li>`INTOS`: Intra-Organization phishing</li><li>`MALW`: Malware</li><li>`OSPM`: Outbound spam</li><li>`PHSH`: Phishing</li><li>`SAP`: Safe Attachments<sup>\*</sup></li><li>`SPM`: Spam</li><li>`SPOOF`: Spoofing</li><li>`UIMP`: User impersonation<sup>\*</sup></li></ul> <br/> <sup>\*</sup>Defender for Office 365 only. <br/><br/> An inbound message might be flagged by multiple forms of protection and multiple detection scans. Policies are applied in an order of precedence, and the policy with the highest priority is applied first. For more information, see [What policy applies when multiple protection methods and detection scans run on your email](how-policies-and-protections-are-combined.md).|
+|`CAT:`|The category of protection policy that's applied to the message: <ul><li>`AMP`: Anti-malware</li><li>`BIMP`: Brand impersonation<sup>\*</sup></li><li>`BULK`: Bulk</li><li>`DIMP`: Domain impersonation<sup>\*</sup></li><li>`FTBP`: Anti-malware [common attachments filter](anti-malware-protection-about.md#common-attachments-filter-in-anti-malware-policies)</li><li>`GIMP`: [Mailbox intelligence](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) impersonation<sup>\*</sup></li><li>`HPHSH` or `HPHISH`: High confidence phishing</li><li>`BIMP`: Brand impersonation</li><li>`HSPM`: High confidence spam</li><li>`INTOS`: Intra-Organization phishing</li><li>`MALW`: Malware</li><li>`OSPM`: Outbound spam</li><li>`PHSH`: Phishing</li><li>`SAP`: Safe Attachments<sup>\*</sup></li><li>`SPM`: Spam</li><li>`SPOOF`: Spoofing</li><li>`UIMP`: User impersonation<sup>\*</sup></li></ul> <br/> <sup>\*</sup>Defender for Office 365 only. <br/><br/> An inbound message might be flagged by multiple forms of protection and multiple detection scans. Policies are applied in an order of precedence, and the policy with the highest priority is applied first. For more information, see [What policy applies when multiple protection methods and detection scans run on your email](how-policies-and-protections-are-combined.md).|
 |`CIP:[IP address]`|The connecting IP address. You can use this IP address in the IP Allow List or the IP Block List. For more information, see [Configure connection filtering](connection-filter-policies-configure.md).|
 |`CTRY`|The source country/region as determined by the connecting IP address, which might not be the same as the originating sending IP address.|
 |`DIR`|The Directionality of the message: <ul><li>`INB`: Inbound message.</li><li>`OUT`: Outbound message.</li><li>`INT`: Internal message.</li></ul>|
diff --git a/defender-xdr/experts-on-demand.md b/defender-xdr/experts-on-demand.md
@@ -19,7 +19,7 @@ ms.collection:
   - essentials-manage
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 10/14/2024
+ms.date: 10/16/2024
 ---
 
 # Collaborate with experts on demand
@@ -52,12 +52,12 @@ You need to select one of the following Microsoft Entra ID roles to view and sub
 
 To learn more about how Microsoft Entra ID roles map to Microsoft Defender Unified RBAC permissions, see [Microsoft Entra Global roles access](compare-rbac-roles.md#microsoft-entra-global-roles-access).
 
-Microsoft Defender Experts customers using Ask Defender Experts capability will also be able to use the following permissions from [Microsoft Defender XDR Unified RBAC](../defender-xdr/custom-permissions-details.md).
+Microsoft Threat Experts customers using Ask Defender Experts capability will also be able to use the following permissions from [Microsoft Defender XDR Unified RBAC](../defender-xdr/custom-permissions-details.md).
 
-|Microsoft Unified RBAC role|Permission level|
+|Microsoft Defender XDR Unified RBAC role|Permission level|
 |---|---|---|
 | Security data basics | Read |
-| Alerts or Response | Read and submit |
+| Alerts, Response | Read and submit |
 
 ### Where to submit inquiries to Ask Defender Experts
 
