
Commit faa22ac

Merge branch 'main' into v-mathavale-9634357
2 parents 3b127df + 354b54e commit faa22ac

5 files changed: +36 -47 lines changed
defender-endpoint/linux-install-manually.md

Lines changed: 2 additions & 2 deletions
@@ -38,12 +38,12 @@ This article describes how to deploy Microsoft Defender for Endpoint on Linux ma
3838
- [Configure the Linux software repository](#configure-the-linux-software-repository)
3939
- [RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky, and Alma)](#rhel-and-variants-centos-fedora-oracle-linux-amazon-linux-2-rocky-and-alma-1)
4040
- [SLES and variants](#sles-and-variants-1)
41-
- [Ubuntu and Debian systems](#ubuntu-and-debian-systems-1)
41+
- [Ubuntu and Debian systems](#ubuntu-and-debian-systems)
4242
- [Mariner](#mariner)
4343
- [Application installation](#application-installation)
4444
- [RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky, and Alma)](#rhel-and-variants-centos-fedora-oracle-linux-amazon-linux-2-rocky-and-alma)
4545
- [SLES and variants](#sles-and-variants)
46-
- [Ubuntu and Debian systems](#ubuntu-and-debian-systems)
46+
- [Ubuntu and Debian systems](#ubuntu-and-debian-systems-1)
4747
- [Mariner](#mariner-1)
4848
- [Download the onboarding package](#download-the-onboarding-package)
4949
- [Client configuration](#client-configuration)
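
Review bot: After this swap the two "Ubuntu and Debian systems" entries no longer follow the anchor pattern of their RHEL and SLES siblings. Under "Configure the Linux software repository" RHEL and SLES link to the `-1` anchors while Ubuntu now links to `#ubuntu-and-debian-systems`, and under "Application installation" it is the other way round; only Mariner already uses the unsuffixed anchor in the repository list. The `-1` suffix is given to the second heading of the same name in the file, so please check each entry against the real heading order. If Ubuntu is now right, the RHEL and SLES entries probably need the same swap in this change.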

defender-endpoint/linux-install-with-puppet.md

Lines changed: 25 additions & 40 deletions
@@ -15,7 +15,7 @@ ms.collection:
1515
ms.topic: conceptual
1616
ms.subservice: linux
1717
search.appverid: met150
18-
ms.date: 12/16/2024
18+
ms.date: 12/24/2024
1919
---
2020

2121
# Deploy Microsoft Defender for Endpoint on Linux with Puppet
@@ -43,7 +43,7 @@ This article describes how to deploy Defender for Endpoint on Linux using Puppet
4343

4444
For a description of prerequisites and system requirements, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md).
4545

46-
In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Refer to the [Puppet documentation](https://puppet.com/docs) for details.
46+
In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. For more information, see [Puppet documentation](https://puppet.com/docs).
4747

4848
## Download the onboarding package
4949

@@ -59,18 +59,7 @@ Download the onboarding package from Microsoft Defender portal.
5959

6060
:::image type="content" source="media/portal-onboarding-linux-2.png" alt-text="The option to download the onboarded package.":::
6161

62-
4. From a command prompt, verify that you have the file.
63-
64-
```bash
65-
ls -l
66-
```
67-
68-
```console
69-
total 8
70-
-rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
71-
```
72-
73-
5. Extract the contents of the archive.
62+
4. Extract the contents of the archive.
7463

7564
```bash
7665
unzip WindowsDefenderATPOnboardingPackage.zip
@@ -111,7 +100,7 @@ You need to create a Puppet manifest for deploying Defender for Endpoint on Linu
111100
└── init.pp
112101
```
113102

114-
### Create a manifest file
103+
## Create a manifest file
115104

116105
There are two ways to create a manifest file:
117106
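Review bot: Promoting "Create a manifest file" from `###` to `##` (new line 103) leaves a skipped heading level, because the two subsections under it are still `####` ("Create a manifest to deploy Defender for Endpoint using an installer script" and "... by configuring repositories manually"). Either promote both subsections to `###` in the same change or keep this heading at `###`.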

@@ -120,7 +109,14 @@ There are two ways to create a manifest file:
120109

121110
#### Create a manifest to deploy Defender for Endpoint using an installer script
122111

123-
Add the following content to the `install_mdatp/manifests/init.pp` file. You can also download the file directly from [GitHub](https://teams.microsoft.com/l/message/19:2c1dc910-b8b7-415a-a9fd-2cd04843b43c_cb7ab2ef-8a66-4fcf-8c66-1723507f52df@unq.gbl.spaces/1734343607885?context=%7B%22contextType%22%3A%22chat%22%7D)
112+
1. Download the installer bash script. Pull the [installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh) from Microsoft GitHub Repository or use the following command to download it.
113+
114+
115+
```bash
116+
wget https://raw.githubusercontent.com/microsoft/mdatp-xplat/refs/heads/master/linux/installation/mde_installer.sh /etc/puppetlabs/code/environments/production/modules/install_mdatp/files/
117+
```
118+
119+
2. Add the following content to the `install_mdatp/manifests/init.pp` file. You can also download the file directly from [GitHub](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/third_party_installation_playbooks/puppet.install_mdatp_simplified.init.pp)
124120

125121
```bash
126122
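Review bot: The `wget` command in new step 1 (line 116) passes the target directory as a second positional argument, which `wget` treats as another URL to fetch, not as a destination, so the script lands in the current working directory instead of the module's `files/` directory. Use `-P /etc/puppetlabs/code/environments/production/modules/install_mdatp/files/`, or `-O` with a full file name. Because this section deploys the product by means of that script, it would also help to pin the download to a tag or commit rather than `refs/heads/master` and to tell the reader how to check what was fetched. Step 2 is missing its closing period.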

@@ -160,33 +156,14 @@ class install_mdatp (
160156
}
161157

162158
}
163-
164159
```
165-
#### Create a manifest to deploy Defender for Endpoint by configuring repositories manually
166-
167-
Defender for Endpoint on Linux can be deployed from one of the following channels:
168-
169-
- *insiders-fast*, denoted as `[channel]`
170-
- *insiders-slow*, denoted as `[channel]`
171-
- *prod*, denoted as `[channel]` using the version name (see [Linux Software Repository for Microsoft Products](/linux/packages))
172-
173-
Each channel corresponds to a Linux software repository.
160+
>[!NOTE]
161+
>Installer script also supports other parameters such as channel, realtime protection, version, etc. To select from the list of available options, check help.
162+
>`./mde_installer.sh --help`
174163
175-
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow*, and lastly by *prod*.
176-
177-
In order to preview new features and provide early feedback, we recommend that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
178-
179-
> [!WARNING]
180-
> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
181-
182-
Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/[distro]/`.
183-
184-
In the below commands, replace *[distro]* and *[version]* with the information you've identified:
185-
186-
> [!NOTE]
187-
> In case of RedHat, Oracle Linux, Amazon Linux 2, and CentOS 8, replace *[distro]* with 'rhel'.
164+
#### Create a manifest to deploy Defender for Endpoint by configuring repositories manually
188165

189-
Add the following content to the `install_mdatp/manifests/init.pp` file:
166+
Add the following content to the `install_mdatp/manifests/init.pp` file. You can also download it from [GitHub](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/third_party_installation_playbooks/puppet.install_mdatp_manual.init.pp).
190167

191168
```bash
192169
# Puppet manifest to install Microsoft Defender for Endpoint on Linux.
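
Review bot: The note added at lines 160-162 starts on the line directly after the closing code fence and is written `>[!NOTE]` without a space, while the other alerts in this file use `> [!NOTE]` with a blank line before them. Add the blank line and the space so the alert is separated from the code block and matches the rest of the article. The wording could also be tightened: "realtime" should be "real-time", and "etc. To select from the list of available options, check help." reads better as "To see all available options, run `./mde_installer.sh --help`."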
@@ -286,6 +263,14 @@ class install_mdatp (
286263

287264
```
288265
266+
> [!NOTE]
267+
> Defender for Endpoint on Linux can be deployed from one of the following channels: **insiders-fast, insiders-slow, prod**. Each channel corresponds to a Linux software repository. The choice of the channel determines the type and frequency of the updates that are offered to your device. Devices in `insiders-fast` are the first ones to receive updates and new features in preview, followed by `insiders-slow`, and lastly by `prod`.
268+
>
269+
> Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/[distro]/[version]`.
270+
271+
> [!Warning]
272+
> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
273+
289274
## Include the manifest inside the site.pp file
290275
291276
Include the manifest described earlier in this article in your `site.pp` file:
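
Review bot: The relocated channel note (lines 266-272) drops two pieces of guidance that the removed text carried: the instruction to replace *[distro]* and *[version]* with the values the reader identified, and the note that RedHat, Oracle Linux, Amazon Linux 2, and CentOS 8 use 'rhel' for *[distro]*. If the manual-repository manifest still depends on those values, restore both sentences. The note now also sits after the manifest instead of before it, so the reader meets the channel choice only after the code it applies to; consider moving it back above the code block. `> [!Warning]` should be `> [!WARNING]` to match the other alerts.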

defender-for-iot/whats-new.md

Lines changed: 2 additions & 0 deletions
@@ -30,6 +30,8 @@ The suggested sites list now shows all relevant sites that match the search crit
3030

3131
:::image type="content" source="media/set-up-sites/site-security-associate-group.png" alt-text="Screenshot showing the associate devices screen and the suggested list of OT devices per location with the Group column in the site set-up page of Microsoft Defender for IoT in the Microsoft Defender portal." lightbox="media/set-up-sites/site-security-associate-group.png":::
3232

33+
For more information, see [Associate devices](set-up-sites.md#associate-devices).
34+
3335
## November 2024
3436

3537
|Service area |Updates |

defender-office-365/safe-links-about.md

Lines changed: 4 additions & 2 deletions
@@ -9,7 +9,7 @@ audience: Admin
99
ms.topic: overview
1010
f1_keywords:
1111
- '197503'
12-
ms.date: 10/22/2024
12+
ms.date: 12/24/2024
1313
ms.localizationpriority: medium
1414
ms.collection:
1515
- Strat_O365_IP
@@ -62,7 +62,7 @@ Safe Links protection by Safe Links policies is available in the following locat
6262
> - Safe Links ignores S/MIME signed messages.
6363
> - Safe Links no longer wraps URLs pointing to SharePoint or OneDrive sites, but the URLs are still processed by the Safe Links service. This change doesn't degrade protection. Instead, it improves the performance of loading SharePoint or OneDrive URLs.
6464
> - Using another service to wrap links before Defender for Office 365 might prevent Safe Links from process links, including wrapping, detonating, or otherwise validating the "maliciousness" of the link.
65-
65+
6666
- **Microsoft Teams**: Safe Links protection for links in Teams conversations, group chats, or from channels.
6767

6868
For more information about Safe Links protection in Teams, see the [Safe Links settings for Microsoft Teams](#safe-links-settings-for-microsoft-teams) section later in this article.
@@ -108,6 +108,8 @@ You can use a condition or exception only once, but the condition or exception c
108108

109109
Safe Links scans incoming email for known malicious hyperlinks. Scanned URLs are rewritten or _wrapped_ using the Microsoft standard URL prefix: `https://<DataCenterLocation>.safelinks.protection.outlook.com` (for example, `https://nam01.safelinks.protection.outlook.com`). After the link is rewritten, it's analyzed for potentially malicious content.
110110

111+
Safe Links rewrites URLs without altering their appearance in the standard email view. However, these rewritten URLs can be seen by viewing the email's source code. This process ensures secure links, protecting against potential threats while maintaining readability and integrity in the normal email view. When a user hovers over a URL, a pop-up message will display the original URL, indicating that it has been scanned by Safe Links. In plain text format emails, the Safe Links URLs will be directly visible within the content.
112+
111113
After Safe Links rewrites a URL, the URL is rewritten even if the message is _manually_ forwarded or replied to. Wrapping is done per message recipient (both internal and external recipients). Additional links that are added to the forwarded or replied-to message are also rewritten.
112114

113115
For _automatic_ forwarding by Inbox rules or SMTP forwarding, the URL isn't rewritten in the message that's intended for the final recipient _unless_ one of the following statements is true:
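
Review bot: In the paragraph added at line 111, "This process ensures secure links" claims more than the surrounding text supports, since the preceding paragraph says only that a rewritten link is "analyzed for potentially malicious content". Drop that sentence or reword it in terms of that analysis, so readers do not take a wrapped URL as a guarantee that the destination is safe. The paragraph also switches to future tense ("will display", "will be directly visible") where the rest of the section uses present tense, and "the email's source code" would be clearer as "the message source".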

defender-xdr/configure-attack-disruption.md

Lines changed: 3 additions & 3 deletions
@@ -9,7 +9,7 @@ audience: ITPro
99
ms.topic: how-to
1010
ms.service: defender-xdr
1111
ms.localizationpriority: medium
12-
ms.date: 07/18/2024
12+
ms.date: 12/24/2024
1313
ms.collection:
1414
- m365-security
1515
- tier2
@@ -40,7 +40,7 @@ Then, after you're all set up, you can view and manage containment actions in In
4040
|Requirement|Details|
4141
|---|---|
4242
|Subscription requirements|One of these subscriptions: <ul><li>Microsoft 365 E5 or A5</li><li>Microsoft 365 E3 with the Microsoft 365 E5 Security add-on</li><li>Microsoft 365 E3 with the Enterprise Mobility + Security E5 add-on</li><li>Microsoft 365 A3 with the Microsoft 365 A5 Security add-on</li><li>Windows 10 Enterprise E5 or A5</li><li>Windows 11 Enterprise E5 or A5</li><li>Enterprise Mobility + Security (EMS) E5 or A5</li><li>Office 365 E5 or A5</li><li>Microsoft Defender for Endpoint (Plan 2)</li><li>Microsoft Defender for Identity</li><li>Microsoft Defender for Cloud Apps</li><li>Defender for Office 365 (Plan 2)</li><li>Microsoft Defender for Business</li></ul> <p> See [Microsoft Defender XDR licensing requirements](./prerequisites.md#licensing-requirements).|
43-
|Deployment requirements|<ul><li>Deployment across Defender products (e.g., Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps)</li><ul><li>The wider the deployment, the greater the protection coverage is. For example, if a Microsoft Defender for Cloud Apps signal is used in a certain detection, then this product is required to detect the relevant specific attack scenario.</li><li>Similarly, the relevant product should be deployed to execute an automated response action. For example, Microsoft Defender for Endpoint is required to automatically contain a device. </li></ul><li>Microsoft Defender for Endpoint's device discovery is set to 'standard discovery'</li></ul>|
43+
|Deployment requirements|<ul><li>Deployment across Defender products (e.g., Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps)</li><ul><li>The wider the deployment, the greater the protection coverage is. For example, if a Microsoft Defender for Cloud Apps signal is used in a certain detection, then this product is required to detect the relevant specific attack scenario.</li><li>Similarly, the relevant product should be deployed to execute an automated response action. For example, Microsoft Defender for Endpoint is required to automatically contain a device. </li></ul><li>Microsoft Defender for Endpoint's device discovery is set to 'standard discovery' (prerequisite for the automatic initiation of the "Contain Device" action)</li></ul>|
4444
|Permissions|To configure automatic attack disruption capabilities, you must have one of the following roles assigned in either Microsoft Entra ID (<https://portal.azure.com>) or in the Microsoft 365 admin center (<https://admin.microsoft.com>): <ul><li>Global Administrator</li><li>Security Administrator</li></ul>To work with automated investigation and response capabilities, such as by reviewing, approving, or rejecting pending actions, see [Required permissions for Action center tasks](m365d-action-center.md#required-permissions-for-action-center-tasks).|
4545

4646
### Microsoft Defender for Endpoint Prerequisites
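
Review bot: The action name in the added parenthesis on line 43 is written as "Contain Device" in straight quotes, while the same article sets action names in bold (**Contain User** a few lines further down) and this same cell already says "automatically contain a device" in plain text. Use `**Contain Device**` for consistency. Since the parenthesis now makes standard discovery a condition for one action only, it would also help to say whether the other disruption actions work without it.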
@@ -53,7 +53,7 @@ The Minimum Sense Agent version required for the **Contain User** action to work
5353
5454
#### Automation setting for your organizations devices
5555

56-
Review the configured automation level for your device group policies, wWhether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings. You must be a global administrator or security administrator to perform the following procedure:
56+
Review the configured automation level for your device group policies, whether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings. You must be a global administrator or security administrator to perform the following procedure:
5757

5858
1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
5959
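Review bot: Lower-casing "wWhether" on line 56 removes the typo but leaves two sentences fused by a comma. "Review the configured automation level for your device group policies" is an instruction, and "whether automated investigations run, and whether remediation actions are taken ... depend on certain settings" is a separate statement. The stray capital suggests the original read "policies. Whether ..."; restore the period and the capital W. The heading in the context above also needs an apostrophe: "organization's devices".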
