Merge branch 'main' into v-smandalika-9469997

Author: denisebmsft

defender-endpoint/microsoft-defender-endpoint-linux.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/11/2024
+ms.date: 10/21/2024
 ---
 
 # Microsoft Defender for Endpoint on Linux
@@ -24,7 +24,6 @@ ms.date: 10/11/2024
 
 **Applies to:**
 
-- Microsoft Defender for Servers
 - Microsoft Defender XDR
 
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -41,11 +40,10 @@ Microsoft Defender for Endpoint for Linux includes anti-malware and endpoint det
 ### Prerequisites
 
 - Access to the Microsoft Defender portal
-- Linux distribution using the [systemd](https://systemd.io/) system manager
+- Linux distribution using the [systemd](https://systemd.io/)system manager
 
   > [!NOTE]
   > Linux distribution using system manager, except for RHEL/CentOS 6.x support both SystemV and Upstart.
-
 - Beginner-level experience in Linux and BASH scripting
 - Administrative privileges on the device (for manual deployment)
 
@@ -76,12 +74,17 @@ In general you need to take the following steps:
 ### System requirements
 
 - Disk space: 2 GB
+
   > [!NOTE]
   > An additional 2 GB disk space might be needed if cloud diagnostics are enabled for crash collections. Please make sure that you have free disk space in /var.
+
 - Cores: 2 minimum, 4 preferred
+
   > [!NOTE]
   > If you are on Passive or RTP ON mode, 2 Cores are minimum and 4 Cores are preferred. If you are turning on BM, then a minimum of 4 Cores is required.
+
 - Memory: 1 GB minimum, 4 preferred
+
 - List of supported Linux server distributions and x64 (AMD64/EM64T) and x86_64 versions:
   - Red Hat Enterprise Linux 6.7 or higher (In preview)
   - Red Hat Enterprise Linux 7.2 or higher
@@ -108,87 +111,38 @@ In general you need to take the following steps:
   - Alma 8.4 and higher
   - Alma 9.2 and higher 
   - Mariner 2
-
-    > [!NOTE]
-    > Distributions and version that are not explicitly listed are unsupported (even if they are derived from the officially supported distributions).
-    > With RHEL 6 support for 'extended end of life' coming to an end by June 30, 2024; Defender for Endpoint on Linux support for RHEL 6 will also be deprecated by June 30, 2024
-    > Defender for Endpoint on Linux version `101.23082.0011` is the last Defender for Endpoint on Linux release supporting RHEL 6.7 or higher versions (does not expire before June 30, 2024). Customers are advised to plan upgrades to their RHEL 6 infrastructure aligned with guidance from Red Hat.
-    > Microsoft Defender Vulnerablity Management is not supported on Rocky and Alma currently.
-
-- List of supported kernel versions
-
-   > [!NOTE]
-   > Microsoft Defender for Endpoint on Red Hat Enterprise Linux and CentOS - 6.7 to 6.10 is a Kernel based solution. You must verify that the kernel version is supported before updating to a newer kernel version.
-   > Microsoft Defender for Endpoint for all other supported distributions and versions is kernel-version-agnostic. With a minimal requirement for the kernel version to be at or greater than 3.10.0-327.
-
-  - The `fanotify` kernel option must be enabled
-
-  - Red Hat Enterprise Linux 6 and CentOS 6:
-    - For 6.7: 2.6.32-573.* (except 2.6.32-573.el6.x86_64)
-    - For 6.8: 2.6.32-642.*
-    - For 6.9: 2.6.32-696.* (except 2.6.32-696.el6.x86_64)
-    - For 6.10: 
-      - 2.6.32-754.10.1.el6.x86_64
-      - 2.6.32-754.11.1.el6.x86_64
-      - 2.6.32-754.12.1.el6.x86_64
-      - 2.6.32-754.14.2.el6.x86_64
-      - 2.6.32-754.15.3.el6.x86_64
-      - 2.6.32-754.17.1.el6.x86_64
-      - 2.6.32-754.18.2.el6.x86_64
-      - 2.6.32-754.2.1.el6.x86_64
-      - 2.6.32-754.22.1.el6.x86_64
-      - 2.6.32-754.23.1.el6.x86_64
-      - 2.6.32-754.24.2.el6.x86_64
-      - 2.6.32-754.24.3.el6.x86_64
-      - 2.6.32-754.25.1.el6.x86_64
-      - 2.6.32-754.27.1.el6.x86_64
-      - 2.6.32-754.28.1.el6.x86_64
-      - 2.6.32-754.29.1.el6.x86_64
-      - 2.6.32-754.29.2.el6.x86_64
-      - 2.6.32-754.3.5.el6.x86_64
-      - 2.6.32-754.30.2.el6.x86_64
-      - 2.6.32-754.33.1.el6.x86_64
-      - 2.6.32-754.35.1.el6.x86_64
-      - 2.6.32-754.39.1.el6.x86_64
-      - 2.6.32-754.41.2.el6.x86_64
-      - 2.6.32-754.43.1.el6.x86_64
-      - 2.6.32-754.47.1.el6.x86_64
-      - 2.6.32-754.48.1.el6.x86_64
-      - 2.6.32-754.49.1.el6.x86_64
-      - 2.6.32-754.6.3.el6.x86_64
-      - 2.6.32-754.9.1.el6.x86_64
-
-   > [!NOTE]
-   > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that which are listed in this section are provided for technical upgrade support only.
+    
+  > [!NOTE]
+  > Distributions and version that are not explicitly listed are unsupported (even if they are derived from the officially supported distributions).
+  > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that which are listed in this section are provided for technical upgrade support only.
+  > Microsoft Defender Vulnerablity Management is not supported on Rocky and Alma currently.
+  > Microsoft Defender for Endpoint for all other supported distributions and versions is kernel-version-agnostic. With a minimal requirement for the kernel version to be at or greater than 3.10.0-327.
 
   > [!CAUTION]
   > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. If there are any other applications on the system that use `fanotify` in blocking mode, applications are listed in the `conflicting_applications` field of the `mdatp health` command output. The Linux **FAPolicyD** feature uses `fanotify` in blocking mode, and is therefore unsupported when running Defender for Endpoint in active mode. You can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality Real Time Protection Enabled to [Passive mode](linux-preferences.md#enforcement-level-for-antivirus-engine).
 
 - List of supported filesystems for RTP, Quick, Full and Custom Scan.
-  
-  |RTP, Quick, Full Scan| Custom Scan|
-  |---|---|
-  |btrfs|All filesystems supported for RTP, Quick, Full Scan|
-  |ecryptfs|Efs|
-  |ext2|S3fs|
-  |ext3|Blobfuse|
-  |ext4|Lustr|
-  |fuse|glustrefs|
-  |fuseblk|Afs|
-  |jfs|sshfs|
-  |nfs (v3 only)|cifs|
-  |overlay|smb|
-  |ramfs|gcsfuse|
-  |reiserfs|sysfs|
-  |tmpfs|
-  |udf|
-  |vfat|
-  |xfs|
-
-
-After you've enabled the service, you need to configure your network or firewall to allow outbound connections between it and your endpoints.
-
-- Audit framework (`auditd`) must be enabled.
+
+   |RTP, Quick, Full Scan| Custom Scan|
+   |---|---|
+   |`btrfs`|All filesystems supported for RTP, Quick, Full Scan|
+   |`ecryptfs`|`Efs`|
+   |`ext2`|`S3fs`|
+   |`ext3`|`Blobfuse`|
+   |`ext4`|`Lustr`|
+   |`fuse`|`glustrefs`|
+   |`fuseblk`|`Afs`|
+   |`jfs`|`sshfs`|
+   |`nfs` (v3 only)|`cifs`|
+   |`overlay`|`smb`|
+   |`ramfs`|`gcsfuse`|
+   |`reiserfs`|`sysfs`|
+   |`tmpfs`||
+   |`udf`||
+   |`vfat`||
+   |`xfs`||
+    
+- Audit framework (`auditd`) must be enabled if you are using auditd as your primary event provider.
 
   > [!NOTE]
   > System events captured by rules added to `/etc/audit/rules.d/` will add to `audit.log`(s) and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endpoint on Linux will be tagged with `mdatp` key.
@@ -197,17 +151,16 @@ After you've enabled the service, you need to configure your network or firewall
 
 ### External package dependency
 
-The following external package dependencies exist for the mdatp package:
+If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the pre-requisite dependencies. The following external package dependencies exist for the mdatp package:
 
-- The mdatp RPM package requires `glibc >= 2.17`, `audit`, `policycoreutils`, `semanage` `selinux-policy-targeted`, `mde-netfilter`
-- For RHEL6 the mdatp RPM package requires `audit`, `policycoreutils`, `libselinux`, `mde-netfilter`
-- For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `auditd`, `mde-netfilter`
+- The mdatp RPM package requires `glibc >= 2.17`, `audit`, `policycoreutils`, `semanage` `selinux-policy-targeted`, and `mde-netfilter`
+- For RHEL6 the mdatp RPM package requires `audit`, `policycoreutils`, `libselinux`, and `mde-netfilter`
+- For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `auditd`, and `mde-netfilter`
 
 The mde-netfilter package also has the following package dependencies:
-- For DEBIAN the mde-netfilter package requires `libnetfilter-queue1`, `libglib2.0-0`
-- For RPM the mde-netfilter package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, `glib2`
 
-If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the pre-requisite dependencies.
+- For DEBIAN the mde-netfilter package requires `libnetfilter-queue1`, and `libglib2.0-0`
+- For RPM the mde-netfilter package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, and `glib2`
 
 ### Configuring Exclusions
 
@@ -226,7 +179,6 @@ If a proxy or firewall is blocking anonymous traffic, make sure that anonymous t
 
 > [!WARNING]
 > PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
->
 > SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint on Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
 
 For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux](linux-support-connectivity.md).
@@ -250,7 +202,9 @@ High I/O workloads from certain applications can experience performance issues w
 ## Related articles
 
 - [Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](/azure/defender-for-cloud/integration-defender-for-endpoint)
+
 - [Connect your non-Azure machines to Microsoft Defender for Cloud](/azure/defender-for-cloud/quickstart-onboard-machines)
+
 - [Turn on network protection for Linux](network-protection-linux.md)
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-office-365/attack-simulation-training-faq.md

@@ -19,7 +19,7 @@ ms.custom:
   - seo-marvel-apr2020
 description: Admins can learn about deployment considerations and frequently asked questions regarding Attack simulation and training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations.
 ms.service: defender-office-365
-ms.date: 09/23/2024
+ms.date: 10/22/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -96,13 +96,24 @@ Either way, it's important to use different payloads to avoid discussion and ide
 
 By default, Outlook is configured to block automatic image downloads in messages from the internet. Although you can [configure Outlook to automatically download images](https://support.microsoft.com/office/15e08854-6808-49b1-9a0a-50b81f2d617a), we don't recommend it due to the security implications (potential automatic download of malicious code or web bugs, also known as web beacons or tracking pixels).
 
-### I see clicks or compromise events from users who insist they didn't click the link in the simulation message
+### I see clicks or compromise events from users who insist they didn't click the link in the simulation message OR I see clicks within a few seconds of delivery for many users (false positives). What's going on?
 
-Third-party filtering services might be to blame. For any non-Microsoft filtering systems that you use, you need to allow or exempt the following items:
+These events can occur when additional security devices or applications inspect simulation messages. For example (but not limited to): 
+
+- Applications or plugins within Outlook that inspect or intercept the message.
+- Email security applications.
+- Endpoint security or anti-virus software.
+- Security orchestration, automation and response (SOAR) playbooks that automatically triage or automatically respond to reported messages.
+
+These types of applications can look at web content to detecting phishing, so you need to define exclusions for simulation messages in these applications.
+
+EmailLinkClicked_IP and EmailLinkClicked_TimeStamp data might give more details about the event. For example, if a click occured a few seconds after delivery, and the IP address doesn't belong to Microsoft, your company, or the user, then it's likely that a third-party filtering system or another service intercepted the message.
+
+For any non-Microsoft filtering systems or services, you need to allow or exempt the following items:
 
 - All [Attack simulation training URLs](attack-simulation-training-get-started.md#simulations) and the corresponding domains. Currently, we don't send simulation messages from a static list of IP addresses.
 - Any other domains that you use in custom payloads.
-
+	
 ### Can I add the External tag or safety tips to simulation messages?
 
 Custom payloads have the option to add the External tag to messages. For more information, see Step 5 in [Create payloads](attack-simulation-training-payloads.md#create-payloads).
@@ -253,6 +264,13 @@ We find that campaigns where the targeted users are identified by Microsoft Entr
 
 Currently, there are 94 built-in trainings on the [Training modules](attack-simulation-training-training-modules.md) page.
 
+### Q: How are languages used for experiences like training modules and notifications?
+
+- **Training modules**: The browser locale settings are used. But once the training has been assigned to a user, the language selection persists, and future trainings are assigned in that language.
+- **End user notifications**: The mailbox locale/language settings are used.
+- **Simulation playloads**: The language selected by the admin during creation is used.
+- **Landing pages**: The Microsoft 365 account language settings are used. User can also change languages from the drop down present in the landing page.
+
 ### Q: Are there any limits in targeting users while importing from a CSV or adding users?
 
 A: The limit for importing recipients from a CSV file or adding individual recipients to a simulation is 40,000.

defender-office-365/attack-simulation-training-insights.md

@@ -466,7 +466,7 @@ How user activity signals are captured is described in the following table.
 |Read Message|The user read the simulation message.|Message read signals might experience issues in the following scenarios: <ul><li>The user reported the message as phishing in Outlook without leaving the reading pane, and **Mark items as read when viewed in the Reading Pane** wasn't configured (default).</li><li>The user reported the unread message as phishing in Outlook, the message was deleted, and **Mark messages as read when deleted** wasn't configured (default).</li></ul>|
 |Out of Office|Determines whether the user is out of office.|Currently calculated by the Automatic replies setting from Outlook.|
 |Compromised User|The user was compromised. The compromise signal varies based on the social engineering technique.|<ul><li>**Credential Harvest**: The user entered their credentials on the login page (credentials aren't stored by Microsoft).¹</li><li>**Malware Attachment**: The user opened the payload attachment and selected **Enable Editing** in [Protected View](https://support.microsoft.com/office/d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653).</li><li>**Link in Attachment**: The user opened the attachment and entered their credentials after clicking on the payload link.</li><li>**Link to Malware**: The user clicked on the payload link and entered their credentials.</li><li>**Drive by URL**: The user clicked on the payload link (entering credentials isn't required).¹</li><li>**OAuth Consent Grant**: The user clicked on the payload link and accepted the prompt to share permissions.¹</li></ul>|
-|Clicked Message Link|The user clicked on the payload link in the simulation message.|The URL in the simulation is unique for each user, which allows individual user activity tracking. Third-party filtering services or email forwarding can lead to false positives. For more information, see [I see clicks or compromise events from users who insist they didn't click the link in the simulation message](attack-simulation-training-faq.md#i-see-clicks-or-compromise-events-from-users-who-insist-they-didnt-click-the-link-in-the-simulation-message).|
+|Clicked Message Link|The user clicked on the payload link in the simulation message.|The URL in the simulation is unique for each user, which allows individual user activity tracking. Third-party filtering services or email forwarding can lead to false positives. For more information, see [I see clicks or compromise events from users who insist they didn't click the link in the simulation message OR I see clicks within a few seconds of delivery for many users (false positives). What's going on?](attack-simulation-training-faq.md#i-see-clicks-or-compromise-events-from-users-who-insist-they-didnt-click-the-link-in-the-simulation-message-or-i-see-clicks-within-a-few-seconds-of-delivery-for-many-users-false-positives-whats-going-on)|
 |Forwarded Message|The user forwarded the message.||
 |Replied to Message|The user replied to the message.||
 |Deleted message|The user deleted the message.|The signal comes from the Outlook activity of the user. If the user reports the message as phishing, the message might be moved to the Deleted Items folder, which is identified as a deletion.|

defender-office-365/attack-simulation-training-simulations.md

@@ -13,7 +13,7 @@ ms.collection:
 ms.custom:
 description: Admins can learn how to simulate phishing attacks and train their users on phishing prevention using Attack simulation training in Microsoft Defender for Office 365 Plan 2.
 search.appverid: met150
-ms.date: 08/13/2024
+ms.date: 10/22/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -206,7 +206,12 @@ On the **Target users** page, select who receives the simulation. Use the follow
 
 - **Include only specific users and groups**: At first, no users or groups are shown on the **Targeted users** page. To add users or groups to the simulation, choose one of the following options:
 
-  - :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **Add users**: In the **Add users** flyout that opens, you find and select users and groups to receive the simulation. **Dynamic distribution groups are not supported**. The following search tools are available:
+  - :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **Add users**: In the **Add users** flyout that opens, you find and select users and groups to receive the simulation. The following group types are supported:
+    - Microsoft 365 Groups (static and dynamic)
+    - Distribution groups (static only)
+    - Mail-enabled Security group (static only)
+
+    The following search tools are available:
 
     - **Search for users or groups**: If you click in the :::image type="icon" source="media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and do one of the following actions, the **Filter users by categories** options on the **Add users** flyout are replaced by a **User list** section: