
Commit f9628b6

Merge branch 'main' into diannegali-containip
2 parents 6f214a4 + d03ccb2 commit f9628b6

258 files changed: +1660 / -972 lines changed


CloudAppSecurityDocs/release-notes.md

Lines changed: 37 additions & 9 deletions
@@ -19,11 +19,39 @@ For more information on what's new with other Microsoft Defender security produc
1919

2020
For news about earlier releases, see [Archive of past updates for Microsoft Defender for Cloud Apps](release-note-archive.md).
2121

22+
## February 2025
23+
24+
Due to improvements being made to Microsoft Defender for Cloud Apps to improve security and performance, you must update network information in your system's firewall and additional third-party services. Make these changes by March 16, 2025 to ensure uninterrupted access to our services:
25+
26+
- Update your firewall rules to allow outbound traffic on port 443 to the following new CDN (Content Delivery Network) endpoints before March 16, 2025:
27+
28+
- cdn.cloudappsecurity.com
29+
- cdn-discovery.cloudappsecurity.com
30+
31+
- All required outbound access URLs can also be found in Defender for Cloud Apps network requirements page under 'Portal Access'.
32+
33+
- To use Defender for Cloud Apps in the Microsoft Defender portal, make sure you add outbound port 443 for all IP addresses and DNS names listed in our documentation to your firewall's allowlist.
34+
35+
- To connect to third-party apps, enable Defender for Cloud Apps to connect from the following IP addresses, also available in our documentation:
36+
37+
- **US1**: - 23.101.201.123 - 20.228.186.154
38+
39+
- **US2**: - 20.15.114.156 - 172.202.90.196
40+
41+
- **US3**: - 20.3.226.231 - 4.255.218.227
42+
43+
- **EU1**: - 20.71.203.39 - 137.116.224.49
44+
45+
- **EU2**: - 20.0.210.84 - 20.90.9.64
46+
47+
- To stay up to date on IP ranges that impact the experiences in Microsoft Defender for Cloud Apps in the areas of portal experience access, access and session controls, SIEM agent connection, app connectors, mail servers, and log collector, we recommend using the Azure service tag for Microsoft Defender for Cloud Apps services, and 'MicrosoftCloudAppSecurity.' The latest IP ranges are found in the service tag. For more information, see [Azure IP ranges](/azure/virtual-network/service-tags-overview).
48+
2249
## November 2024
2350

2451
### Internal Session Controls application notice
25-
The Enterprise application “Microsoft Defender for Cloud Apps – Session Controls” is used internally by the Conditional Access App Control service.
26-
Please ensure there is no CA policy restricting access to this application.
52+
53+
The Enterprise application 'Microsoft Defender for Cloud Apps – Session Controls' is used internally by the Conditional Access App Control service.
54+
Ensure there's no CA policy restricting access to this application.
2755
For policies that restrict all or certain applications, please ensure this application is listed as an exception or confirm that the blocking policy is deliberate.
2856

2957
For more information, see [Sample: Create Microsoft Entra ID Conditional Access policies for use with Defender for Cloud Apps](session-policy-aad.md#sample-create-microsoft-entra-id-conditional-access-policies-for-use-with-defender-for-cloud-apps).
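Review bot: the regional IP entries on new lines 37-45 put both addresses on one line with inline hyphens (`- **US1**: - 23.101.201.123 - 20.228.186.154`), so each renders as a single bullet rather than a nested list; give each address its own indented bullet or separate the two with a comma. Two smaller points in the same hunk: the last sentence on line 47 reads "the Azure service tag for Microsoft Defender for Cloud Apps services, and 'MicrosoftCloudAppSecurity.'", which makes the tag name look like a second, separate item; suggest "the Azure service tag for Microsoft Defender for Cloud Apps, `MicrosoftCloudAppSecurity`". And line 31 refers to the "Defender for Cloud Apps network requirements page" as plain text while the rest of the section links its references, so link it.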
@@ -73,13 +101,13 @@ For more information, see [OAuth app data usage insights on app governance](/def
73101
### New anomaly data in advanced hunting CloudAppEvents table
74102

75103
Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal, can now utilize the new *LastSeenForUser* and *UncommonForUser* columns for queries and detections rules.
76-
The new columns are designed to assist you to better __identify uncommon activities__ that may appear suspicious, and allow you to create more accurate custom detections, as well as investigate any suspicious activities that arise.
104+
The new columns are designed to assist you to better __identify uncommon activities__ that may appear suspicious, and allow you to create more accurate custom detections, as well as investigate any suspicious activities that arise.
77105

78106
For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
79107

80108
### New Conditional Access app control / inline data in advanced hunting CloudAppEvents table
81109

82-
Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new *AuditSource* and *SessionData* columns for queries and detection rules.
110+
Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new *AuditSource* and *SessionData* columns for queries and detection rules.
83111
Using this data allows for queries that consider specific audit sources, including access and session control, and queries by specific inline sessions.
84112

85113
For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
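Review bot: new lines 104 and 110 render identically to the lines 76 and 82 they replace, so the change here appears to be whitespace or line-ending only; confirm that is intended rather than an accidental re-save. While touching this block, the unchanged context on line 103 says "queries and detections rules", which line 110 gets right as "queries and detection rules"; fix the first to match.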
@@ -100,8 +128,7 @@ Administrators who understand the power of Edge in-browser protection, can now r
100128

101129
A primary reason is security, since the barrier to circumventing session controls using Edge is much higher than with reverse proxy technology.
102130

103-
For more information see:
104-
[Enforce Edge in-browser protection when accessing business apps](in-browser-protection.md#enforce-microsoft-edge-browser-protection-when-accessing-business-apps)
131+
For more information see [Enforce Edge in-browser protection when accessing business apps](in-browser-protection.md#enforce-microsoft-edge-browser-protection-when-accessing-business-apps).
105132

106133
### Connect Mural to Defender for Cloud Apps (Preview)
107134

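Review bot: new line 131 merges the lead-in and the link but drops the comma that every other "For more information, see ..." sentence in this file uses (for example lines 47 and 57 in this diff); add it so the phrasing stays consistent.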
@@ -140,7 +167,7 @@ Use the feedback mechanisms at the top and bottom of each documentation page to
140167

141168
### Large scale export of Activity logs (Preview)
142169

143-
A new user experience dedicated to providing users the option to export from activity log page up to six months back or up to 100K events.
170+
A new user experience dedicated to providing users the option to export from 'activity log' page up to six months back or up to 100K events.
144171

145172
You can filter the results using time range and various other filters and even hide private activities.
146173

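Review bot: new line 170 still has no main verb ("A new user experience dedicated to providing users the option to export ..."), and wrapping 'activity log' in single quotes doesn't match how the rest of these docs name portal pages (the troubleshooting table in this same commit says "the Data source page" with no quotes). Suggest: "A new experience lets you export up to six months of events, or up to 100K events, from the activity log page."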
@@ -151,11 +178,12 @@ For more information, see [Export activities six months back](activity-filters-q
151178

152179
Customize the Microsoft Defender for Cloud Apps(MDA) block experience for apps that are blocked using Cloud Discovery.
153180

154-
You can set up a custom redirect URL on block pages
181+
You can set up a custom redirect URL on block pages:
182+
155183
- To educate and redirect end users to organization acceptable use policy
156184
- To guide end users on steps to follow to secure an exception for block
157185

158-
For more information, see [Configure custom URL for MDA block pages](mde-govern.md#educate-users-when-accessing-blocked-apps--customize-the-block-page)
186+
For more information, see [Configure custom URL for MDA block pages](mde-govern.md#educate-users-when-accessing-blocked-apps--customize-the-block-page).
159187

160188

161189
### In-browser protection for macOS users and newly supported policies (Preview)
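Review bot: the colon and period added on new lines 181 and 186 are fine, but the unchanged line 179 in the same hunk has "Microsoft Defender for Cloud Apps(MDA)" with no space before the parenthesis; fix it while here. The two bullets on lines 183-184 would also read more clearly in parallel form, e.g. "To guide end users through requesting an exception to the block."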

CloudAppSecurityDocs/troubleshooting-cloud-discovery.md

Lines changed: 6 additions & 6 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Troubleshooting cloud discovery errors
33
description: This article provides a list of cloud discovery frequent errors and resolution recommendations for each.
4-
ms.date: 05/15/2024
4+
ms.date: 02/19/2025
55
ms.topic: conceptual
66
---
77
# Troubleshooting cloud discovery errors
@@ -18,7 +18,7 @@ If you integrated Microsoft Defender for Endpoint with Defender for Cloud Apps,
1818

1919
|Issue|Resolution|
2020
|----|----|
21-
|**Defender-managed endpoints** reports do not appear in the list|Make sure the devices you're connecting to are Windows 10 version 1809 or later, and that you waited the necessary two hours that it takes before your data is accessible.|
21+
|**Defender-managed endpoints** reports don't appear in the list|Make sure the devices you're connecting to are Windows 10 version 1809 or later, and that you waited the necessary two hours that it takes before your data is accessible.|
2222
|**Discovery reports are empty** |If the endpoint device is behind a forward proxy, you can send logs from your forward proxy using a log collector|
2323

2424
## Log parsing errors
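Review bot: beyond the contraction on new line 21, the Resolution cell still says "waited the necessary two hours that it takes before your data is accessible", which is redundant; suggest "waited the two hours it takes for data to become accessible". The unchanged row on line 22 ("Discovery reports are empty") also lacks the terminal period the row above it has.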
@@ -39,11 +39,11 @@ You can track the processing of cloud discovery logs using the governance log. T
3939

4040
|Issue|Resolution|
4141
|----|----|
42-
|Couldn't connect to the log collector over FTP| 1. Verify that you're using FTP credentials and not SSH credentials. <br />2. Verify that the FTP client you are using is not set to SFTP. |
42+
|Couldn't connect to the log collector over FTP| 1. Verify that you're using FTP credentials and not SSH credentials. <br />2. Verify that the FTP client you're using isn't set to SFTP (Secure File Transfer Protocol). |
4343
|Failed updating collector configuration | 1. Verify that you entered the latest access token. <br />2. Verify in your firewall that the log collector is allowed to initiate outbound traffic on port 443.|
44-
|Logs sent to the collector do not appear in the portal | 1. Check to see if there are failed parsing tasks in the Governance log. <br /> &nbsp;&nbsp;&nbsp;&nbsp;If so, troubleshoot the error with the Log Parsing error table above.<br /> 2. If not, check the data sources and Log collector configuration in the portal. <br /> &nbsp;&nbsp;&nbsp;&nbsp;a. In the Data source page, verify that the name of data source is **NSS** and that it is configured correctly. <br />&nbsp;&nbsp;&nbsp;&nbsp;b. In the Log collectors page, verify that the data source is linked to the right log collector. <br /> 3. Check the local configuration of the on-premises log collector machine. <br />&nbsp;&nbsp;&nbsp;&nbsp;a. Log in to the log collector over SSH and run the collector_config utility.<br/>&nbsp;&nbsp;&nbsp;&nbsp;b. Confirm that your firewall or proxy is sending logs to the log collector using the protocol you defined (Syslog/TCP, Syslog/UDP or FTP) and that it's sending them to the correct port and directory.<br /> &nbsp;&nbsp;&nbsp;&nbsp;c. Run netstat on the machine and verify that it receives incoming connections from your firewall or proxy <br /> 4. Verify that the log collector is allowed to initiate outbound traffic on port 443. |
45-
|Log collector status: Created | The log collector deployment was not completed. Complete the on-premises deployment steps according to the deployment guide.|
46-
|Log collector status: Disconnected | No data received in the last 24 hours from any of the linked data sources. |
44+
|Logs sent to the collector don't appear in the portal | 1. Check to see if there are failed parsing tasks in the Governance log. <br /> &nbsp;&nbsp;&nbsp;&nbsp;If so, troubleshoot the error with the Log Parsing error table above.<br /> 2. If not, check the data sources and Log collector configuration in the portal. <br /> &nbsp;&nbsp;&nbsp;&nbsp;a. In the Data source page, verify that the name of data source is **NSS** and that it's configured correctly. <br />&nbsp;&nbsp;&nbsp;&nbsp;b. In the Log collectors page, verify that the data source is linked to the right log collector. <br /> 3. Check the local configuration of the on-premises log collector machine. <br />&nbsp;&nbsp;&nbsp;&nbsp;a. Log in to the log collector over SSH and run the collector_config utility.<br/>&nbsp;&nbsp;&nbsp;&nbsp;b. Confirm that your firewall or proxy is sending logs to the log collector using the protocol you defined (Syslog/TCP, Syslog/UDP, or FTP) and that it's sending them to the correct port and directory.<br /> &nbsp;&nbsp;&nbsp;&nbsp;c. Run netstat on the machine and verify that it receives incoming connections from your firewall or proxy <br /> 4. Verify that the log collector is allowed to initiate outbound traffic on port 443. |
45+
|Log collector status: Created | The log collector deployment wasn't completed. Complete the on-premises deployment steps according to the deployment guide.|
46+
|Log collector status: Disconnected | If you see this issue, it means no data has been received in the last 24 hours from any of the linked data sources. Contact Microsoft Defender for Cloud Apps support and provide the log files for investigation. Our team analyzes the logs to identify when the last sync occurred and what caused the disconnection. |
4747
|Failed pulling latest collector image| If you get this error during Docker deployment, it could be that you don't have enough memory on the host. To check this, run this command on the host: `docker pull mcr.microsoft.com/mcas/logcollector`. If it returns this error: `failed to register layer: Error processing tar file(exist status 1): write /opt/jdk/jdk1.8.0_152/src.zip: no space left on device` contact your host machine administrator to provide more space.|
4848

4949
## Discovery dashboard errors
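Review bot: the expansion added on new line 42, "SFTP (Secure File Transfer Protocol)", is inaccurate: SFTP is the SSH File Transfer Protocol, and saying so actually reinforces the point of the row, which is that the collector's FTP endpoint takes FTP credentials, not SSH credentials. On line 46 the new Disconnected guidance goes straight to "Contact ... support and provide the log files" without saying which log files or where the collector writes them, and without first pointing at the self-service checks the "Logs sent to the collector don't appear" row on line 44 already lists (collector_config, netstat, outbound 443); add a cross-reference to that row and name the log location. Minor: the Docker error quoted in unchanged line 47, `Error processing tar file(exist status 1)`, looks like a typo for `exit status 1`; since readers search for the literal message, check it against the real output.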

CloudAppSecurityDocs/tutorial-shadow-it.md

Lines changed: 0 additions & 3 deletions
@@ -101,6 +101,3 @@ The nature of cloud apps means that they're updated daily and new apps appear al
101101
102102
[!INCLUDE [Open support ticket](includes/support.md)]
103103

104-
## Learn more
105-
106-
- Try our interactive guide: [Discover and manage cloud app usage with Microsoft Defender for Cloud Apps](https://mslearn.cloudguides.com/guides/Discover%20and%20manage%20cloud%20app%20usage%20with%20Microsoft%20Cloud%20App%20Security)
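Review bot: this hunk removes the only pointer to the "Discover and manage cloud app usage" interactive guide; if the guide has been retired the deletion is right, but if the cloudguides URL merely moved, the "Learn more" section should be updated rather than dropped. The removal leaves the support include on line 102 as the article's final element, which is fine.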

defender-endpoint/TOC.yml

Lines changed: 2 additions & 0 deletions
@@ -66,6 +66,8 @@
6666
- name: Evaluate Microsoft Defender Antivirus
6767
href: evaluate-microsoft-defender-antivirus.md
6868
items:
69+
- name: Guidance for pen testing and BAS scenarios
70+
href: guidance-for-pen-testing-and-bas.md
6971
- name: Evaluate Microsoft Defender Antivirus using PowerShell
7072
href: microsoft-defender-antivirus-using-powershell.md
7173
- name: Evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint Security Settings Management
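Review bot: the new entry on lines 69-70 points at `guidance-for-pen-testing-and-bas.md`, which isn't visible in this diff; make sure the file is part of this commit (or already on main) so the TOC build doesn't emit a broken link. Style: the sibling entries spell out their titles, so consider "Guidance for penetration testing and breach and attack simulation (BAS) scenarios" unless the article's own H1 is deliberately the short form.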

defender-endpoint/access-mssp-portal.md

Lines changed: 1 addition & 1 deletion
@@ -26,7 +26,7 @@ ms.date: 12/18/2020
2626

2727
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
2828

29-
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-mssp-support-abovefoldlink)
29+
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630&clcid=0x409&culture=en-us&country=us)
3030
3131
> [!IMPORTANT]
3232
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
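Review bot: the replacement link on new line 29 drops the page-specific `ocid=docs-mssp-support-abovefoldlink` parameter the old URL carried and hardcodes `culture=en-us&country=us`; if the ocid fed signup attribution that data is lost, and the fixed locale will be served unchanged on localized copies of the page. Confirm both are intended, or use a locale-neutral fwlink and keep a per-page campaign id.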

defender-endpoint/android-intune.md

Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@ ms.date: 12/06/2024
2727
- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
2828
- [Microsoft Defender XDR](/defender-xdr)
2929

30-
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
30+
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630&clcid=0x409&culture=en-us&country=us)
3131
3232
Learn how to deploy Defender for Endpoint on Android on Microsoft Intune Company Portal enrolled devices. For more information about Microsoft Intune device enrollment, see [Enroll your device](/mem/intune/user-help/enroll-device-android-company-portal).
3333
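Review bot: same concern as the other trial-link replacements in this commit: new line 30 drops the `ocid=docs-wdatp-exposedapis-abovefoldlink` parameter and hardcodes `culture=en-us&country=us`; confirm the attribution loss and the fixed locale are intended.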

defender-endpoint/android-privacy.md

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@ ms.date: 12/18/2020
2424
- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
2525
- [Microsoft Defender XDR](/defender-xdr)
2626

27-
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
27+
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630&clcid=0x409&culture=en-us&country=us)
2828
2929
Defender for Endpoint on Android collects information from your configured Android devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for Android secure, up to date, performing as expected, and to support the service.
3030
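Review bot: new line 27 replaces the trial URL with a fwlink that has no per-page `ocid` and a hardcoded `culture=en-us&country=us`; as with the other pages in this commit, confirm that attribution and localization are not needed here.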

defender-endpoint/android-support-signin.md

Lines changed: 1 addition & 1 deletion
@@ -26,7 +26,7 @@ ms.date: 12/18/2020
2626
- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
2727
- [Microsoft Defender XDR](/defender-xdr)
2828

29-
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
29+
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630&clcid=0x409&culture=en-us&country=us)
3030
3131
When onboarding a device, you might see sign in issues after the app is installed.
3232
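Review bot: new line 29 makes the same swap as the rest of this commit (fwlink without the page `ocid`, locale hardcoded to en-us/us); confirm this is intended for a page whose audience is partly non-US sign-in troubleshooting.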

defender-endpoint/android-whatsnew.md

Lines changed: 1 addition & 1 deletion
@@ -26,7 +26,7 @@ ms.date: 02/04/2025
2626
- [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)
2727
- [Microsoft Defender XDR](/defender-xdr)
2828

29-
Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
29+
Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630&clcid=0x409&culture=en-us&country=us)
3030

3131
#### Microsoft Defender for Mobile: Open Wi-Fi Detection Update
3232
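Review bot: besides the dropped `ocid` and hardcoded `culture=en-us&country=us` shared with the other trial-link replacements in this commit, new line 29 here is plain text while every other page in this commit renders the same sentence as a `>` blockquote; add the `>` so the callout is consistent.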

defender-endpoint/api-microsoft-flow.md

Lines changed: 1 addition & 1 deletion
@@ -26,7 +26,7 @@ ms.date: 12/18/2020
2626
- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
2727
- [Microsoft Defender XDR](/defender-xdr)
2828

29-
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
29+
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630&clcid=0x409&culture=en-us&country=us)
3030
3131
Automating security procedures is a standard requirement for every modern Security Operations Center (SOC). For SOC teams to operate in the most efficient way, automation is a must. Use Microsoft Power Automate to help you create automated workflows and build an end-to-end procedure automation within a few minutes. Microsoft Power Automate supports different connectors that were built exactly for that.
3232
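Review bot: new line 29 applies the same fwlink swap as the other pages in this commit, losing the `ocid=docs-wdatp-exposedapis-abovefoldlink` attribution and fixing the locale to en-us/us; confirm this is intended.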
