Misc changes

Author: paulinbar

defender-endpoint/isolation-exclusions.md

@@ -50,7 +50,9 @@ There are two modes of isolation: **full isolation** and **selective isolation**
 
 * **Selective isolation**: Selective isolation mode allows administrators to apply exclusions to ensure that critical tools and network communications can still function, while maintaining the device's isolated state.
 
-## How to define and apply isolation exclusions
+## How to use isolation exclusion
+
+There are two steps to using isolation exclusion: defining isolation exclusion rules, and applying isolation exclusion on a device. These steps are described in the following sections. To use isolation exclusion, the feature must be enabled, as described in the prerequisites.
 
 ### Prerequisites
 
@@ -64,19 +66,21 @@ There are two modes of isolation: **full isolation** and **selective isolation**
    >
    > Note that Skype has been deprecated and is no longer included in any default exclusions.
 
-### Step 1: Define global exclusions in settings
+### Step 1: Define global exclusions in the settings
 
-1. Navigate to **Settings** > **Endpoints** > **Isolation Exclusion Rules**.
+1. In the [Microsoft Defender portal](https://security.microsoft.com), navigate to **Settings** > **Endpoints** > **Isolation Exclusion Rules**.
 
-1. Select the relevant OS tab (Windows or macOS).
+1. Select the relevant OS tab (Windows rules or Mac rules).
 
 1. Select **+ Add exclusion rule**
 
    :::image type="content" source="./media/isolation-exclusions/add-new-exclusion-rule.png" alt-text="Screenshot showing how to add a new isolation exclusion rule." lightbox="./media/isolation-exclusions/add-new-exclusion-rule.png":::
 
-1. In the **Add new exclusion rule** dialog, fill in the parameters. Red asterisks denote mandatory parameters.
+1. In the **Add new exclusion rule** dialog that appears., fill in the parameters. Red asterisks denote mandatory parameters.
+
+   :::image type="content" source="./media/isolation-exclusions/exclusion-rule-definition.png" alt-text="Screenshot showing the fields required for defining an isolation exclusion rule.":::
 
-   Isolation exclusion rule parameters and their valid values are described in the following table.
+   Fill in the isolation exclusion parameters. Red asterisks denote mandatory parameters. The parameters and their valid values are described in the following table.
 
    | Parameter | Description and valid values |
    |:-----|:-----|
@@ -88,8 +92,6 @@ There are two modes of isolation: **full isolation** and **selective isolation**
    | **Direction** | The connection direction (Inbound/Outbound). Examples:<br><br>**Outbound connection**: If the device initiates a connection, for instance, an HTTPS connection to a remote backend server, define only an outbound rule. Example: The device sends a request to 1.1.1.1 (outbound). In this case, no inbound rule is needed, as the response from the server is automatically accepted as part of the connection.<br><br>**Inbound connection**: If the device is listening to incoming connections, define an **inbound rule**.|
    | **Remote IP** | The IP (or IPs) with which communication is allowed while the device is isolated from the network.<br><br>Supported IP formats:<br>- IPv4/IPv6, with optional CIDR notation<br>- A comma-separated list of valid IPs<br><br>Valid input examples:<br>- Single IP address: `1.1.1.1`<br>- IPV6 address: `2001:db8:85a3::8a2e:370:7334`<br>- IP address with CIDR notation (IPv4 or IPv6): `1.1.1.1/24`<br>&nbsp;&nbsp;This example defines a range of IP addresses. In this case, it includes all IPs from 1.1.1.0 to 1.1.1.255. The /24 represents the subnet mask, which specifies that the first 24 bits of the address are fixed, and the remaining 8 bits define the address range.| 
 
-   :::image type="content" source="./media/isolation-exclusions/exclusion-rule-definition.png" alt-text="Screenshot showing the fields required for defining an isolation exclusion rule." lightbox="./media/isolation-exclusions/exclusion-rule-definition.png":::
-
 1.	Save and apply changes.
 
 **These global rules apply whenever selective isolation is enabled for a device.**
@@ -118,29 +120,29 @@ To trigger isolation with exclusions via API, set the IsolationType parameter to
 * Within a single rule, conditions use AND logic (all must match).
 * Undefined conditions in a rule are treated as "any" (that is, unrestricted for that parameter).
 
-   For example, if the following rules are defined:
+For example, if the following rules are defined:
 
-   ```
-   Rule 1: 
+```
+Rule 1: 
 
-      Process path = c:\example.exe
-      Remote IP = 1.1.1.1
-      Direction = Outbound
+   Process path = c:\example.exe
+   Remote IP = 1.1.1.1
+   Direction = Outbound
       
-   Rule 2:
+Rule 2:
 
-      Process path = c:\example_2.exe
-      Direction = Outbound
+   Process path = c:\example_2.exe
+   Direction = Outbound
 
-   Rule 3:
+Rule 3:
 
-      Remote IP = 18.18.18.18
-      Direction = Inbound
+   Remote IP = 18.18.18.18
+   Direction = Inbound
 
-   ```
-   * *example.exe* will only be able to initiate network connections to remote IP 1.1.1.1.
-   * *example_2.exe* can initiate network connections to every IP address.
-   * The device can receive inbound connection from IP address 18.18.18.18.
+```
+* *example.exe* will only be able to initiate network connections to remote IP 1.1.1.1.
+* *example_2.exe* can initiate network connections to every IP address.
+* The device can receive inbound connection from IP address 18.18.18.18.
 
 ## Considerations and limitations
 

defender-endpoint/media/isolation-exclusions/apply-exclusion-rule.png

@@ -216,7 +216,7 @@ Depending on the severity of the attack and the sensitivity of the device, you m
    - `iptables`
    - `ip6tables`
    - Linux kernel with `CONFIG_NETFILTER`, `CONFID_IP_NF_IPTABLES`, and `CONFIG_IP_NF_MATCH_OWNER`
-- Selective isolation is available for devices running Windows 10, version 1709 or later, and Windows 11.
+- Selective isolation is available for devices running Windows 10, version 1709 or later, and Windows 11. For more information about selective isolation, see [Isolation exclusions](/defender-endpoint/isolation-exclusions.md).
 - When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
 - The feature supports VPN connection.
 - You must have at least the `Active remediation actions` role assigned. For more information, see [Create and manage roles](user-roles.md).