MicrosoftDocs
diff --git a/‎defender-endpoint/mac-whatsnew.md‎
Lines changed: 13 additions & 0 deletions b/‎defender-endpoint/mac-whatsnew.md‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎defender-office-365/submissions-outlook-report-messages.md‎
Lines changed: 3 additions & 2 deletions b/‎defender-office-365/submissions-outlook-report-messages.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎defender-xdr/automatic-attack-disruption.md‎
Lines changed: 5 additions & 5 deletions b/‎defender-xdr/automatic-attack-disruption.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎defender-xdr/data-privacy.md‎
Lines changed: 1 addition & 1 deletion b/‎defender-xdr/data-privacy.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎defender-xdr/incident-queue.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-xdr/incident-queue.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎defender-xdr/incidents-overview.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-xdr/incidents-overview.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-xdr/investigate-incidents.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-xdr/investigate-incidents.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-xdr/pilot-deploy-defender-cloud-apps.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-xdr/pilot-deploy-defender-cloud-apps.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-xdr/pilot-deploy-defender-identity.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-xdr/pilot-deploy-defender-identity.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎unified-secops-platform/media/microsoft-threat-actor-naming/threat-actor-categories-lg.png‎
3.67 KB b/‎unified-secops-platform/media/microsoft-threat-actor-naming/threat-actor-categories-lg.png‎
3.67 KB
@@ -64,6 +64,19 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md).
 
+### Feb-2025 (Build: 101.24122.0011  | Release version: 20.124122.11.0)
+
+| Build:             | **101.24122.0011**    |
+|--------------------|-----------------------|
+| Release version:   | **20.124122.11.0**    |
+| Engine version:    | **1.1.24080.11**      |
+| Signature version: | **1.419.351.0**       |
+
+##### What's new
+
+- Fixed an issue with the auth prompt during new installation on macOS with multiple active users
+- Improved stability when using the antivirus engine in passive mode
+
 ### Jan-2025 (Build: 101.24122.0005  | Release version: 20.124122.5.0)
 
 | Build:             | **101.24122.0005**    |
 
@@ -14,7 +14,7 @@ ms.collection:
 description: Learn how to report phishing and suspicious emails in supported versions of Outlook using the built-in Report button or the Report Message and Report Phishing add-ins.
 ms.service: defender-office-365
 search.appverid: met150
-ms.date: 02/12/2025
+ms.date: 02/18/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -47,7 +47,8 @@ Admins configure user reported messages to go to a specified reporting mailbox,
     - **Semi-Annual Channel (Preview)**: Release 2502, build 16.0.18526.20024 or later.
     - **Semi-Annual Channel**: Release 2502, build 16.0.18526.20024 or later.
   - Outlook for Mac version 16.89 (24090815) or later.
-  - Outlook for iOS and Android version 4.2446 or later.
+  - Outlook for iOS version 4.2508 or later.
+  - Outlook for Android version 4.2446 or later.
   - The new Outlook for Windows.
   - Outlook on the web.
 
 
@@ -68,7 +68,7 @@ Automatic attack disruption uses Microsoft-based XDR response actions. Examples
 - [Disable user](/defender-for-identity/remediation-actions) - based on Microsoft Defender for Identity's capability, this action is an automatic suspension of a compromised account to prevent additional damage like lateral movement, malicious mailbox use, or malware execution. The disable user action behaves differently depending on how the user is hosted in your environment.
   - When the user account is hosted in Active Directory: Defender for Identity triggers the disable user action on domain controllers running the Defender for Identity agent.
   - When the user account is hosted in Active Directory and is synced on Microsoft Entra ID:  Defender for Identity triggers the disable user action via onboarded domain controllers. Attack disruption also disables the user account on the Entra ID synced account.
-  - When the user account is hosted in Entra ID only (cloud native account): attack disruption disable the user account on the Entra ID synced account.
+  - When the user account is hosted in Entra ID only (cloud native account): attack disruption disables the user account on the Entra ID synced account.
 
 > [!NOTE]
 > Disabling the user account in Microsoft Entra ID is not dependent on the deployment of Microsoft Defender for Identity. 
@@ -79,18 +79,18 @@ For more information, see [remediation actions](m365d-remediation-actions.md) in
 
 ### Automated response actions for SAP with Microsoft Sentinel
 
-If you're using the [unified security operations platform](/unified-secops-platform/microsoft-sentinel-onboard) and you deployed the Microsoft Sentinel solution for SAP applications, you can also deploy automatic attack disruption for SAP.
+If you [onboarded Microsoft Sentinel to the Defender portal](microsoft-sentinel-onboard.md) and deployed the Microsoft Sentinel solution for SAP applications, you can also deploy automatic attack disruption for SAP.
 
-For example, deploy attack disruption for SAP to contain compromised assets by locking suspicious SAP users in case of a financial process manipulation attack. 
+For example, deploy attack disruption for SAP to contain compromised assets by locking suspicious SAP users in case of a financial process manipulation attack.
 
-After the risk is mitigated, Microsoft Defender admins can manually unlock the users that had been automatically locked by the attack disruption response. The ability to manually unlock users is available from the Microsoft Defender action center, and only for users that were locked by attack disruption. 
+After the risk is mitigated, Microsoft Defender admins can manually unlock the users that had been automatically locked by the attack disruption response. The ability to manually unlock users is available from the Microsoft Defender action center, and only for users that were locked by attack disruption.
 
 To use attack disruption for SAP, deploy a new data connector agent, or make sure that your agent is using version 90847355 or higher, and then assign and apply the required Azure and SAP roles. For more information, see:
 
 - [Deploy and configure the container hosting the SAP data connector agent](/azure/sentinel/sap/deploy-data-connector-agent-container)
 - [Update Microsoft Sentinel's SAP data connector agent](/azure/sentinel/sap/update-sap-data-connector), especially [Update your system for automatic attack disruption](/azure/sentinel/sap/update-sap-data-connector#update-your-data-connector-agent-for-attack-disruption).
 
-While you configure attack disruption in the Azure portal and your SAP system, automatic attack disruption itself surfaces only in the unified security operations platform in the Microsoft Defender portal.
+While you configure attack disruption in the Azure portal and your SAP system, automatic attack disruption itself surfaces only in the Microsoft Defender portal.
 
 ## Identify when an attack disruption happens in your environment
 
 
@@ -56,7 +56,7 @@ Customer data stored by integrated services might also be stored in the followin
 
 Microsoft Defender XDR data is retained for 180 days, and is visible across the Microsoft Defender portal during that time, except for in **Advanced hunting** queries. 
 
-In the Microsoft Defender portal's **Advanced hunting** page, data is accessible via queries for only 30 days, unless it's streamed through [Microsoft's unified security operations platform with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration?toc=%2Fdefender-xdr%2Ftoc.json&bc=%2Fdefender-xdr%2Fbreadcrumb%2Ftoc.json&tabs=defender-portal), where retention periods may be longer.
+In the Microsoft Defender portal's **Advanced hunting** page, data is accessible via queries for only 30 days, unless it's streamed through [Microsoft Sentinel with Microsoft's unified security operations platform](/azure/sentinel/microsoft-365-defender-sentinel-integration?toc=%2Fdefender-xdr%2Ftoc.json&bc=%2Fdefender-xdr%2Fbreadcrumb%2Ftoc.json&tabs=defender-portal), where retention periods may be longer.
 
 Data continues to be retained and visible, even when a license is under a grace period or in suspended mode. At the end of any grace period or suspension, and no later than 180 days from a contract termination or expiration, data is deleted from Microsoft's systems and is unrecoverable.
 
 
@@ -1,6 +1,6 @@
 ---
 title: Prioritize incidents in the Microsoft Defender portal
-description: Learn how to filter incidents from the incident queue in the unified security operations platform in the Microsoft Defender portal.
+description: Learn how to filter incidents from the incident queue in the Microsoft Defender portal.
 ms.service: defender-xdr
 f1.keywords: 
   - NOCSH
@@ -26,7 +26,7 @@ appliesto:
 
 # Prioritize incidents in the Microsoft Defender portal
 
-The unified security operations platform in the Microsoft Defender portal applies correlation analytics and aggregates related alerts and automated investigations from different products into an incident. Microsoft Sentinel and Defender XDR also trigger unique alerts on activities that can only be identified as malicious given the end-to-end visibility in the unified platform across the entire suite of products. This view gives your security analysts the broader attack story, which helps them better understand and deal with complex threats across your organization.
+The Microsoft Defender portal applies correlation analytics and aggregates related alerts and automated investigations from different products into an incident. Microsoft Sentinel and Defender XDR also trigger unique alerts on activities that can only be identified as malicious given the end-to-end visibility in the unified platform across the entire suite of products. This view gives your security analysts the broader attack story, which helps them better understand and deal with complex threats across your organization.
 
 [!INCLUDE [unified-soc-preview](../includes/unified-soc-preview.md)]
 
@@ -68,7 +68,7 @@ For more visibility at a glance, Microsoft Defender XDR generates incident names
 
 For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
 
-If you onboarded Microsoft Sentinel to the unified security operations platform, then any alerts and incidents coming from Microsoft Sentinel are likely to have their names changed (regardless of whether they were created before or since the onboarding).
+If you onboarded Microsoft Sentinel to the Defender portal, then any alerts and incidents coming from Microsoft Sentinel are likely to have their names changed (regardless of whether they were created before or since the onboarding).
 
 We recommend that you avoid using the incident name as a condition for triggering [automation rules](/azure/sentinel/automate-incident-handling-with-automation-rules). If the incident name is a condition, and the incident name changes, the rule will not be triggered.
 
 
@@ -1,6 +1,6 @@
 ---
 title: Incidents and alerts in the Microsoft Defender portal
-description: An introduction to incidents and alerts, and the differences between them, in the unified security operations platform in the Microsoft Defender portal.
+description: An introduction to incidents and alerts, and the differences between them, in the Microsoft Defender portal.
 ms.service: defender-xdr
 f1.keywords:
   - NOCSH
@@ -27,7 +27,7 @@ appliesto:
 
 # Incidents and alerts in the Microsoft Defender portal
 
-The Microsoft Defender portal brings together a unified set of security services to reduce your exposure to security threats, improve your organizational security posture, detect security threats, and investigate and respond to breaches. These services collect and produce signals that are displayed in the portal. The two main kinds of signals are:
+Microsoft's unified SecOps platform in the Microsoft Defender portal brings together a unified set of security services to reduce your exposure to security threats, improve your organizational security posture, detect security threats, and investigate and respond to breaches. These services collect and produce signals that are displayed in the portal. The two main kinds of signals are:
 
 **Alerts**: Signals that result from various threat detection activities. These signals indicate the occurrence of malicious or suspicious events in your environment.
 
 
@@ -105,7 +105,7 @@ If the incident or related alerts were the result of an analytics rule you've se
 
 ### Attack paths
 
-The incident graph also contains information about **attack paths**. These paths allows security analysts to identify what other entities an attacker is likely to target next. To view an attack path, you can click on an entity in the incident graph and select **Show attack paths**. Attack paths are available for entities with the **critical asset** tag.
+The incident graph also contains information about **attack paths**. These paths allow security analysts to identify what other entities an attacker is likely to target next. To view an attack path, you can click on an entity in the incident graph and select **Show attack paths**. Attack paths are available for entities with the **critical asset** tag.
 
 :::image type="content" source="/defender/media/investigate-incidents/attack-path-small.png" alt-text="Highlighting the Show attack paths action in the incident graph." lightbox="/defender/media/investigate-incidents/attack-path.png":::
 
@@ -117,7 +117,7 @@ Selecting an attack path from the list displays the attack path graph, which sho
 
 > [!NOTE]
 > To view the details of an attack path, you must have read access permissions in the Microsoft Defender portal and the license for [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management). </br></br>
-> To view attack path details in the unified security operations platform, a *Sentinel Reader* role is required. To create new attack paths, the Security Administrator role is required.
+> To view attack path details with Microsoft Sentinel in the unified security operations platform, a *Sentinel Reader* role is required. To create new attack paths, the *Security Administrator* role is required.
 
 ## Alerts
 
 
@@ -259,9 +259,9 @@ For more information on advanced hunting in Microsoft Defender for Cloud Apps da
 
 ## SIEM integration
 
-You can integrate Defender for Cloud Apps with Microsoft Sentinel as part of Microsoft's [unified security operations platform](/unified-secops-platform/) or a generic security information and event management (SIEM) service to enable centralized monitoring of alerts and activities from connected apps. With Microsoft Sentinel, you can more comprehensively analyze security events across your organization and build playbooks for effective and immediate response.
+You can integrate Defender for Cloud Apps with Microsoft Sentinel as part of Microsoft's [unified security operations platform](/unified-secops-platform/), or with a generic security information and event management (SIEM) service to enable centralized monitoring of alerts and activities from connected apps. With Microsoft Sentinel, you can more comprehensively analyze security events across your organization and build playbooks for effective and immediate response.
 
-Microsoft Sentinel includes a Microsoft Defender for XDR data connector to bring all signals from Defender XDR, including Defender for Cloud Apps, to Microsoft Sentinel. Use the unified security operations platform in the Defender portal as a single platform for end-to-end security operations (SecOps).
+Microsoft Sentinel includes a Microsoft Defender for XDR data connector to bring all signals from Defender XDR, including Defender for Cloud Apps, to Microsoft Sentinel. Use the Defender portal as a unified security operations (SecOps) platform.
 
 For more information, see:
 
 
@@ -183,9 +183,9 @@ For more information, see:
 
 ## SIEM integration
 
-You can integrate Defender for Identity with Microsoft Sentinel as part of Microsoft's [unified security operations platform](/unified-secops-platform/) or a generic security information and event management (SIEM) service to enable centralized monitoring of alerts and activities from connected apps. With Microsoft Sentinel, you can more comprehensively analyze security events across your organization and build playbooks for effective and immediate response.
+You can integrate Defender for Identity with Microsoft Sentinel as part of Microsoft's [unified security operations platform](/unified-secops-platform/), or with a generic security information and event management (SIEM) service to enable centralized monitoring of alerts and activities from connected apps. With Microsoft Sentinel, you can more comprehensively analyze security events across your organization and build playbooks for effective and immediate response.
 
-Microsoft Sentinel includes a Microsoft Defender for XDR data connector to bring all signals from Defender XDR, including Defender for Identity, to Microsoft Sentinel. Use the unified security operations platform in the Defender portal as a single platform for end-to-end security operations (SecOps). 
+Microsoft Sentinel supports a Microsoft Defender for XDR data connector to bring all signals from Defender XDR, including Defender for Identity, to Microsoft Sentinel. Use the Defender portal as a unified security operations (SecOps) platform.
 
 For more information, see: