Merge pull request #2158 from MicrosoftDocs/main

Published main to live, Wednesday 10:30 AM PST, 12/11

Author: padmagit77

CloudAppSecurityDocs/protect-servicenow.md

@@ -1,7 +1,7 @@
 ---
 title: Protect your ServiceNow environment | Microsoft Defender for Cloud Apps
 description: Learn how about connecting your ServiceNow app to Defender for Cloud Apps using the API connector.
-ms.date: 12/26/2023
+ms.date: 12/11/2024
 ms.topic: how-to
 ---
 
@@ -154,11 +154,11 @@ For more information, see the [ServiceNow product documentation](https://docs.se
 1. Establish an internal procedure to ensure that the connection remains alive. A couple of days before the expected expiration of the refresh token lifespan.
 Revoke to the old refresh token. We don't recommend keeping old keys for security reasons.
 
-    1. On the ServiceNow pane, search for System OAuth, and then select Manage Tokens.
+    1. On the ServiceNow pane, search for **System OAuth**, and then select **Manage Tokens**.
 
     1. Select the old token from the list according to the OAuth name and expiration date.
 
-    1. Select Revoke Access > Revoke.
+    1. Select **Revoke Access > Revoke**.
       
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**.
 
@@ -210,7 +210,7 @@ To connect ServiceNow with Defender for Cloud Apps, you must have admin-level pe
 
 1. Select **Connect**.
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**. Make sure the status of the connected App Connector is **Connected**.
-After connecting ServiceNow, you'll receive events for seven days prior to connection.
+After connecting ServiceNow, you'll receive events for one hour prior to connection.
 
 If you have any problems connecting the app, see [Troubleshooting App Connectors](troubleshooting-api-connectors-using-error-messages.md).
 

defender-endpoint/ios-install.md

@@ -137,9 +137,9 @@ Configure the supervised mode for Defender for Endpoint app through an App confi
 
 Admins deploy any one of the given profiles.
 
-1. **Zero touch (Silent) Control Filter** - This profile enables silent onboarding for users. Download the config profile from [ControlFilterZeroTouch](https://aka.ms/mdeiosprofilesupervisedzerotouch)
+1. **Zero touch (Silent) Control Filter** - This profile enables silent onboarding for users. Download the config profile from [ControlFilterZeroTouch](https://download.microsoft.com/download/f/8/e/f8ed3484-b665-4c3c-9ae9-272c8a04159b/Microsoft_Defender_for_Endpoint_Control_Filter_Zerotouch.mobileconfig).
 
-2. **Control Filter** - Download the config profile from [ControlFilter](https://aka.ms/mdeiosprofilesupervised).
+2. **Control Filter** - Download the config profile from [ControlFilter](https://download.microsoft.com/download/f/8/e/f8ed3484-b665-4c3c-9ae9-272c8a04159b/Microsoft_Defender_for_Endpoint_Control_Filter_1.mobileconfig).
 
 Once the profile has been downloaded, deploy the custom profile. Follow the steps below:
 

defender-xdr/advanced-hunting-defender-results.md

@@ -30,17 +30,17 @@ ms.date: 11/19/2024
 
 ## Explore results
 
-Results of queries that were run appear in the **Results** tab. You can export the results to a CSV file by selecting **Export**. 
 
 :::image type="content" source="/defender/media/advanced-hunting-unified-results.png" alt-text="Screenshot of advanced hunting results with options to expand result rows in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-results.png":::
 
 You can also explore the results in-line with the following features:
 
-- Expand a result by selecting the dropdown arrow at the left of each result
-- Where applicable, expand details for results that are in JSON or array format by selecting the dropdown arrow at the left of applicable result row for added readability
-- Open the side pane to see a record's details (concurrent with expanded rows)
+- Expand a result by selecting the dropdown arrow at the left of each result.
+- Where applicable, expand details for results that are in JSON or array format by selecting the dropdown arrow at the left of applicable result row for added readability.
+- Open the side pane to see a record's details (concurrent with expanded rows).
 
 You can also right-click on any result value in a row so that you can use it to:
+
 - Add more filters to the existing query
 - Copy the value for use in further investigation
 - Update the query to extend a JSON field to a new column
@@ -64,18 +64,18 @@ You can use the link to incident feature to add advanced hunting query results t
     You can also select **Link to an existing incident** to add the selected records to an existing incident. Choose the related incident from the dropdown list of existing incidents. You can also enter the first few characters of the incident name or ID to find the incident you want.<br>
    :::image type="content" source="/defender/media/advanced-hunting-results-link4.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link4.png":::
 4.	For either selection, provide the following details, then select **Next**:
-    - **Alert title** – a descriptive title for the results that your incident responders can understand; this descriptive title becomes the alert title
-    - **Severity** – choose the severity applicable to the group of alerts
-    - **Category** – choose the appropriate threat category for the alerts
-    - **Description** – give a helpful description of the grouped alerts
-    - **Recommended actions** – list the recommended remediation actions for the security analysts who are investigating the incident
+    - **Alert title** – A descriptive title for the results that your incident responders can understand; this descriptive title becomes the alert title
+    - **Severity** – Choose the severity applicable to the group of alerts
+    - **Category** – Choose the appropriate threat category for the alerts
+    - **Description** – Give a helpful description of the grouped alerts
+    - **Recommended actions** – List the recommended remediation actions for the security analysts who are investigating the incident
 5.	In the **Entities** section, select the entities that are involved in the suspicious events. Those entities are used to correlate other alerts to the linked incident and are visible from the incident page. 
 
       For Microsoft Defender XDR data, the entities are automatically selected. If the data is from Microsoft Sentinel, you need to select the entities manually.
 
       There are two sections for which you can select entities:
 
-    a. **Impacted assets** – impacted assets that appear in the selected events should be added here. The following types of assets can be added: 
+    a. **Impacted assets** – Impacted assets that appear in the selected events should be added here. The following types of assets can be added: 
     - Account
     - Device
     - Mailbox
@@ -84,7 +84,7 @@ You can use the link to incident feature to add advanced hunting query results t
     - Amazon Web Services resource
     - Google Cloud Platform resource
 
-    b. **Related evidence** – non-assets that appear in the selected events can be added in this section. The supported entity types are:
+    b. **Related evidence** – Non-assets that appear in the selected events can be added in this section. The supported entity types are:
     - Process
     - File
     - Registry value
@@ -112,7 +112,7 @@ You can use the link to incident feature to add advanced hunting query results t
 
 6. Select **Next**.
 7. Review the details you've provided in the Summary section. 
-8.	Select **Done**.
+8. Select **Done**.
 
 ### View linked records in the incident
 You can select the generated link from the summary step of the wizard or select the incident name from the incident queue, to view the incident to which the events are linked.
@@ -127,6 +127,7 @@ You can also select the event from the timeline view or from the query results v
 :::image type="content" source="/defender/media/advanced-hunting-results-link8.png" alt-text="Screenshot of the incident page in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link8.png":::
 
 ### Filter for events added using advanced hunting
-You can view which alerts were generated from advanced hunting by filtering incidents and alerts by **Manual** detection source 
+
+You can view which alerts were generated from advanced hunting by filtering incidents and alerts by **Manual** detection source.
 
 :::image type="content" source="/defender/media/advanced-hunting-results-link9.png" alt-text="Screenshot of the filter dropdown in advanced hunting in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link9.png":::

defender-xdr/advanced-hunting-link-to-incident.md

@@ -37,29 +37,28 @@ You can use the link to incident feature to add advanced hunting query results t
 
 1. In the advanced hunting query page, first enter your query in the query field provided then select **Run query** to get your results.
 
-    :::image type="content" source="/defender/media/link-to-incident-1.png" alt-text="Screenshot of the advanced hunting page in the Microsoft Defender portal" lightbox="/defender/media/link-to-incident-1.png":::
+    :::image type="content" source="/defender/media/link-to-incident-1.png" alt-text="Screenshot of the advanced hunting page in the Microsoft Defender portal." lightbox="/defender/media/link-to-incident-1.png":::
 
 2. In the Results page, select the events or records that are related to a new or current investigation you're working on, then select **Link to incident**.
 
-    :::image type="content" source="/defender/media/link-to-incident-1b.png" alt-text="Screenshot of the link to incident feature in advanced hunting in the Microsoft Defender portal" lightbox="/defender/media/link-to-incident-1b.png":::
+    :::image type="content" source="/defender/media/link-to-incident-1b.png" alt-text="Screenshot of the link to incident feature in advanced hunting in the Microsoft Defender portal." lightbox="/defender/media/link-to-incident-1b.png":::
 
 3. Find the **Alert details** section in the Link to incident pane, then select **Create new incident** to convert the events to alerts and group them to a new incident:
-
-    
+ 
     Or select **Link to an existing incident** to add the selected records to an existing one. Choose the related incident from the dropdown list of existing incidents. You can also enter the first few characters of the incident name or ID to find the existing incident. 
 
-   :::image type="content" source="/defender/media/advanced-hunting-results-link4.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link4.png":::
+   :::image type="content" source="/defender/media/advanced-hunting-results-link4.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal." lightbox="/defender/media/advanced-hunting-results-link4.png":::
 
 4. For either selection, provide the following details, then select **Next**:
-      - **Alert title** - provide a descriptive title for the results that your incident responders can understand. This descriptive title becomes the alert title.
+      - **Alert title** - Provide a descriptive title for the results that your incident responders can understand. This descriptive title becomes the alert title.
       - **Severity** - Choose the severity applicable to the group of alerts.
       - **Category** - Choose the appropriate threat category for the alerts.
       - **Description** - Give a helpful description for the grouped alerts.
       - **Recommended actions** - Provide remediation actions.
 
 5. In the **Entities** section, you can find which entities are used to correlate other alerts to the linked incident. They also appear in the incident page. You can review the preselected entities categorized as follows:
 
-    a. **Impacted assets** – assets impacted by the selected events, can be: 
+    a. **Impacted assets** – Assets impacted by the selected events, can be: 
     - Account
     - Device
     - Mailbox
@@ -68,7 +67,7 @@ You can use the link to incident feature to add advanced hunting query results t
     - Amazon Web Services resource
     - Google Cloud Platform resource
 
-    b. **Related evidence** – non-assets that appear in the selected events. The supported entity types are:
+    b. **Related evidence** – Non-assets that appear in the selected events. The supported entity types are:
     - Process
     - File
     - Registry value
@@ -83,11 +82,11 @@ You can use the link to incident feature to add advanced hunting query results t
 6. After an entity type is selected, select an identifier type that exists in the selected records so that it can be used to identify this entity. Each entity type has a list of supported identifiers, as can be seen in the relevant drop down. Read the description displayed when hovering on each identifier to better understand it.
 7. After selecting the identifier, select a column from the query results that contain the selected identifier. You can select **Explore query and results** to open the advanced hunting context panel. This allows you to explore your query and results to make sure you chose the right column for the selected identifier. 
      <br>
-    :::image type="content" source="/defender/media/advanced-hunting-defender-results-identifier.png" alt-text="Screenshot of the link to incident wizard entities branch in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-defender-results-identifier.png":::
+    :::image type="content" source="/defender/media/advanced-hunting-defender-results-identifier.png" alt-text="Screenshot of the link to incident wizard entities branch in the Microsoft Defender portal." lightbox="/defender/media/advanced-hunting-defender-results-identifier.png":::
      <br>
     In our example, we used a query to find events related to a possible email exfiltration incident, therefore the recipient's mailbox and recipient's account are the impacted entities, and the sender's IP as well as email message are related evidence.
 
-    :::image type="content" source="/defender/media/advanced-hunting-defender-results-link-entities.png" alt-text="Screenshot of the link to incident wizard full entities branch in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-defender-results-link-entities.png":::
+    :::image type="content" source="/defender/media/advanced-hunting-defender-results-link-entities.png" alt-text="Screenshot of the link to incident wizard full entities branch in the Microsoft Defender portal." lightbox="/defender/media/advanced-hunting-defender-results-link-entities.png":::
 
     A different alert is created for each record with a unique combination of impacted entities. In our example, if there are three different recipient mailboxes and recipient object ID combinations, for instance, then three alerts are created and linked to the chosen incident.
 
@@ -96,18 +95,20 @@ You can use the link to incident feature to add advanced hunting query results t
 8.	Select **Done**.
 
 ### View linked records in the incident
+
 You can select the generated link from the summary step of the wizard or select the incident name from the incident queue, to view the incident to which the events are linked.
 
-:::image type="content" source="/defender/media/advanced-hunting-results-link7.png" alt-text="Screenshot of the summary step in the link to incident wizard in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link7.png":::
+:::image type="content" source="/defender/media/advanced-hunting-results-link7.png" alt-text="Screenshot of the summary step in the link to incident wizard in the Microsoft Defender portal." lightbox="/defender/media/advanced-hunting-results-link7.png":::
 
 In our example, the three alerts, representing the three selected events, were linked successfully to a new incident.
 In each of the alert pages, you can find the complete information on the event or events in timeline view (if available) and the query results view. 
 
 You can also select the event from the timeline view or from the query results view to open the **Inspect record** pane.
 
-:::image type="content" source="/defender/media/advanced-hunting-results-link8.png" alt-text="Screenshot of the incident page in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link8.png":::
+:::image type="content" source="/defender/media/advanced-hunting-results-link8.png" alt-text="Screenshot of the incident page in the Microsoft Defender portal." lightbox="/defender/media/advanced-hunting-results-link8.png":::
 
 ### Filter for events added using advanced hunting
-You can view which alerts were generated from advanced hunting by filtering incidents and alerts by **Manual** detection source 
 
-:::image type="content" source="/defender/media/advanced-hunting-results-link9.png" alt-text="Screenshot of the filter dropdown in advanced hunting in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link9.png":::
+You can view which alerts were generated from advanced hunting by filtering incidents and alerts by **Manual** detection source.
+
+:::image type="content" source="/defender/media/advanced-hunting-results-link9.png" alt-text="Screenshot of the filter dropdown in advanced hunting in the Microsoft Defender portal." lightbox="/defender/media/advanced-hunting-results-link9.png":::