Merge branch 'main' into docs-editor/enable-network-protection-1747412847

Author: denisebmsft

ATPDocs/deploy/remote-calls-sam.md

@@ -8,18 +8,11 @@ ms.topic: how-to
 # Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity
 
 > [!IMPORTANT]
-> Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025. This change will happen automatically by the specified dates. No admin action is required. 
+> The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. The change will occur automatically by the specified date, and no administrative action is required.
 > 
 
 Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
 
-> [!NOTE]
-> This feature can potentially be exploited by an adversary to obtain the NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
-> The new Defender for Identity sensor (version 3.x) is not affected by this issue as it uses different detection methods.
-> 
-> It is recommended to use a [low privileged DSA account](directory-service-accounts.md#grant-required-dsa-permissions). You can also [contact support](../support.md) to open a case and request to completely disable the [Lateral Movement Paths](../security-assessment-riskiest-lmp.md) data collection capability.
-> Please note that this will result in reduced data available for the [attack path feature in Exposure Management](/security-exposure-management/review-attack-paths).
-
 This article describes the configuration changes required to allow the Defender for Identity Directory Services Account (DSA) to perform the SAM-R queries.
 
 > [!TIP]

ATPDocs/integrate-microsoft-and-pam-services.md

@@ -56,4 +56,6 @@ For more information, see:
 
 [How to integrate Defender for Identity with Delinea](https://docs.delinea.com/online-help/integrations/microsoft/mdi/integrating-mdi.htm)
 
-[How to integrate Defender for Identity with CyberArk](https://community.cyberark.com/marketplace/s/#a35Ht0000018sDVIAY-a39Ht000004GLaEIAW)
+[How to integrate Defender for Identity with CyberArk](https://community.cyberark.com/marketplace/s/#a35Ht0000018sDVIAY-a39Ht000004GLaEIAW)
+
+[How to integrate Defender for Identity with BeyondTrust](https://docs.beyondtrust.com/insights/docs/microsoft-defender)

ATPDocs/understand-lateral-movement-paths.md

@@ -7,9 +7,13 @@ ms.topic: conceptual
 
 # Understand and investigate Lateral Movement Paths (LMPs) with Microsoft Defender for Identity
 
+> [!IMPORTANT]
+>  The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. The change will occur automatically by the specified date, and no administrative action is required.
+>
+
 Lateral movement is when an attacker uses non-sensitive accounts to gain access to sensitive accounts throughout your network. Lateral movement is used by attackers to identify and gain access to the sensitive accounts and machines in your network that share stored sign-in credentials in accounts, groups and machines. Once an attacker makes successful lateral moves towards your key targets, the attacker can also take advantage and gain access to your domain controllers. Lateral movement attacks are carried out using many of the methods described in [Microsoft Defender for Identity Security Alerts](alerts-overview.md).
 
-A key component of Microsoft Defender for Identity's security insights are Lateral Movement Paths or LMPs. Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts. LMPs help you mitigate and prevent those risks in the future, and close attacker access before they achieve domain dominance.
+A key component of Microsoft Defender for Identity's security insights is Lateral Movement Paths or LMPs. Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts. LMPs help you mitigate and prevent those risks in the future, and close attacker access before they achieve domain dominance.
 
 For example:
 

ATPDocs/whats-new.md

@@ -25,7 +25,7 @@ For updates about versions and features released six months ago or earlier, see
 ## May 2025
 
 ### Local administrators collection (using SAM-R queries) feature will be disabled
-Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025. The details collected are used to build the potential lateral movement paths map. Alternative methods are currently being explored. This change will happen automatically by the specified dates. No admin action is required. 
+The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. An alternative method is being explored. The change will occur automatically by the specified date, and no administrative action is required.
 
 ### New Health Issue
 

defender-endpoint/behavior-monitor-macos.md

@@ -6,7 +6,7 @@ ms.author: ewalsh
 manager: deniseb
 ms.service: defender-endpoint
 ms.topic: overview
-ms.date: 01/02/2025
+ms.date: 05/15/2025
 ms.subservice: ngp
 audience: ITPro
 ms.collection:
@@ -116,18 +116,7 @@ The following sections describe each of these methods in detail.
                    <dict>
                    <key>behaviorMonitoring</key>
                    <string>enabled</string>
-                   <key>behaviorMonitoringConfigurations</key>
-                   <dict>
-                   <key>blockExecution</key>
-                   <string>enabled</string>
-                   <key>notifyForks</key>
-                   <string>enabled</string>
-                   <key>forwardRtpToBm</key>
-                   <string>enabled</string>
-                   <key>avoidOpenCache</key>
-                   <string>enabled</string>
-                                    </dict>
-                       </dict>
+                   </dict>
                </dict>
            </array>
        </dict>
@@ -162,22 +151,11 @@ The following sections describe each of these methods in detail.
                    <key>behaviorMonitoring</key>
                    <string>enabled</string>
                </dict>
-                   <key>features</key>
-                        <dict>
-                            <key>behaviorMonitoring</key>
-                            <string>enabled</string>
-                            <key>behaviorMonitoringConfigurations</key>
-                                <dict>
-                                    <key>blockExecution</key>
-                                    <string>enabled</string>
-                                    <key>notifyForks</key>
-                                    <string>enabled</string>
-                                    <key>forwardRtpToBm</key>
-                                    <string>enabled</string>
-                                    <key>avoidOpenCache</key>
-                                    <string>enabled</string>
-                                </dict>
-                        </dict>
+           <key>features</key>
+               <dict>
+                   <key>behaviorMonitoring</key>
+                   <string>enabled</string>
+               </dict>
        </dict>
    </plist>
    ```
@@ -219,14 +197,42 @@ sudo mdatp threat list
 
 ```
 
-### Frequently Asked Questions (FAQ)
+### Frequently asked questions (FAQ)
+
+#### What if I see an increase in CPU utilization or memory utilization?
+
+Disable behavior monitoring and see if the issue goes away. If the issue doesn't go away, it isn't related to behavior monitoring.
+
+If the issue goes away, re-enable behavior monitoring and use behavior monitoring statistics to identify and exclude processes generating excessive events:
+
+```bash
+sudo mdatp config behavior-monitoring-statistics --value enabled
+```
+
+Repro the issue and then execute:
+
+```bash
+sudo mdatp diagnostic behavior-monitoring-statistics --sort
+```
+
+This command lists processes running on the machine which are reporting behavior monitoring events to the engine process. The more events, the more CPU/memory impact that process has.
 
-#### What if I see an increase in cpu utilization or memory utilization?
+Exclude identified processes using:
 
-Disable behavior monitoring and see if the issue goes away.
+```bash
+sudo mdatp exclusion process add --path <path to process with lots of events>
+```
+
+> [!IMPORTANT]
+> Please verify the reliability of the processes being excluded. Excluding these processes will prevent all events from being sent to behavior monitoring and from undergoing content scanning. However, EDR will continue to receive events from these processes. It is important to note that this mitigation is unlikely to reduce CPU usage of the `wdavdaemon` or `wdavdaemon_enterprise` processes, but may affect `wdavdaemon_unprivileged`. If the other two processes are also experiencing high CPU usage, behavior monitoring may not be the sole cause, and contacting Microsoft support is recommended.
+
+Once done, disable behavior monitoring statistics:
+
+```bash
+sudo mdatp config behavior-monitoring-statistics --value disabled
+```
 
-- If the issue doesn't go away, it isn't related to behavior monitoring.
-- If the issue goes away, download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer), and then contact Microsoft support.
+If the issue persists, download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer), and then contact Microsoft support.
 
 ## Network real-time inspection for macOS
 

defender-endpoint/indicator-file.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 03/04/2025
+ms.date: 05/16/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -58,7 +58,7 @@ Understand the following prerequisites before you create indicators for files:
 - This feature is available if your organization uses [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) (in active mode) 
 - The antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases)
 - This feature is supported on devices running Windows 10, version 1703 or later, Windows 11, Windows Server 2012 R2, Windows Server 2016 or later, Windows Server 2019, Windows Server 2022, and Windows Server 2025.
-- File hash computation is enabled, by setting `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\` to **Enabled**
+- File hash computation is enabled by setting `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable File Hash Computation` to **Enabled**. Or, you can run the following PowerShell command: `Set-MpPreference -EnableFileHashComputation $true`
 
 > [!NOTE]
 > File indicators support portable executable (PE) files, including `.exe` and `.dll` files only.
@@ -91,9 +91,6 @@ Understand the following prerequisites before you create indicators for files:
    - Action: Specify the action to be taken and provide a description.
    - Scope: Define the scope of the device group (scoping isn't available in [Defender for Business](/defender-business/mdb-overview)).
 
-   > [!NOTE]
-   > Device Group creation is supported in both Defender for Endpoint Plan 1 and Plan 2
-
 5. Review the details in the Summary tab, then select **Save**.
 
 ## Create a contextual indicator from the file details page
@@ -124,7 +121,7 @@ The current supported actions for file IOC are allow, audit and block, and remed
    :::image type="content" source="media/indicators-generate-alert.png" alt-text="The Alert settings for file indicators" lightbox="media/indicators-generate-alert.png":::
 
    > [!IMPORTANT]
-   > - Typically, file blocks are enforced and removed within15 minutes, average 30 minutes but can take upwards of 2 hours.
+   > - Typically, file blocks are enforced and removed within 15 minutes, average 30 minutes but can take upwards of 2 hours.
    > - If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure hash will be applied. An SHA-256 file hash IoC policy will win over an SHA-1 file hash 
    IoC policy, which will win over an MD5 file hash IoC policy if the hash types define the same file. This is always true regardless of the device group.
    > - In all other cases, if conflicting file IoC policies with the same enforcement target are applied to all devices and to the device's group, then for a device, the policy in the device group will win.
@@ -147,7 +144,7 @@ Timestamp > ago(30d)
 
 For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](/defender-xdr/advanced-hunting-overview).
 
-Here are other thread names that can be used in the sample query:
+Here are other threat names that can be used in the sample query:
 
 Files:
 
@@ -201,9 +198,13 @@ Microsoft Defender Vulnerability Management's block vulnerable application featu
 ## See also
 
 - [Create indicators](indicators-overview.md)
+
 - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
+
 - [Create indicators based on certificates](indicator-certificates.md)
+
 - [Manage indicators](indicator-manage.md)
+
 - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/linux-whatsnew.md

@@ -6,7 +6,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.reviewer: kumasumit, gopkr; mevasude
 ms.localizationpriority: medium
-ms.date: 05/13/2025
+ms.date: 05/19/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -101,17 +101,17 @@ What's new
 
 Known Issues
 
-- There's a known issue where MDE is deleting the configuration file located at /etc/system/system/mdatp.service.d on each service start. As a workaround, customers can use the Immutable attribute that prevents the files from being modified or deleted.
+- There's a known issue where MDE is deleting the configuration file located at /etc/systemd/system/mdatp.service.d on each service start. As a workaround, customers can use the Immutable attribute that prevents the files from being modified or deleted.
 
   To set the file to be unmodifiable, execute the following command:
-    
+  
 ```bash
 
   sudo chattr +i /etc/systemd/system/mdatp.service.d/[file name]
   ```
 
- This command makes the file unchangeable. T If you need to restore modification permissions, use the following command:
-  
+ This command makes the file unchangeable. If you need to restore modification permissions, use the following command:
+
   ```bash
 
   sudo chattr -i /etc/systemd/system/mdatp.service.d/[file name]

defender-endpoint/whats-new-in-microsoft-defender-endpoint.md

@@ -7,7 +7,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.reviewer: noamhadash, pahuijbr, yongrhee
 ms.localizationpriority: medium
-ms.date: 05/14/2025
+ms.date: 05/19/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -46,10 +46,6 @@ For more information on what's new with other Microsoft Defender security produc
 - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
 - [What's new in Microsoft Defender Vulnerability Management](/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management)
 
-## May 2025
-
-- (GA) New setting for **"Allow Network Protection On Win Server"** to be able to manage Network Protection for Windows Server 2019 and later in Microsoft Defender for Endpoint Security Settings Management and Microsoft Intune. See [Turn on network protection](/defender-endpoint/enable-network-protection).
-
 ## April 2025
 
 - (Preview) **Contain IP addresses of undiscovered devices**: Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. See [Contain IP addresses of undiscovered devices](respond-machine-alerts.md#contain-ip-addresses-of-undiscovered-devices) for more information.