diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml index 55346ba39f..98aa6db7f8 100644 --- a/defender-endpoint/TOC.yml +++ b/defender-endpoint/TOC.yml @@ -896,7 +896,7 @@ - name: Troubleshooting mode scenarios href: troubleshooting-mode-scenarios.md - - name: Diagnostics and performance for Microsoft Defender Antivirus + - name: Diagnostics for Microsoft Defender Antivirus items: - name: Device health reports href: device-health-reports.md @@ -907,18 +907,23 @@ href: device-health-sensor-health-os.md - name: Microsoft Defender Core service overview href: microsoft-defender-core-service-overview.md - displayName: Microsoft Defender Core service overview - name: Microsoft Defender Core service configurations and experimentation href: microsoft-defender-core-service-configurations-and-experimentation.md - - name: Troubleshoot performance issues related to real-time protection - href: troubleshoot-performance-issues.md - name: Collect diagnostic data of Microsoft Defender Antivirus href: collect-diagnostic-data.md - - name: Improve performance of Microsoft Defender Antivirus - href: tune-performance-defender-antivirus.md - name: Troubleshooting Microsoft Defender Antivirus items: + - name: Troubleshoot Microsoft Defender Antivirus performance issues + items: + - name: Performance analyzer for Microsoft Defender Antivirus + href: tune-performance-defender-antivirus.md + - name: Performance analyzer reference + href: performance-analyzer-reference.md + displayName: high cpu msmpeng.exe antimalware engine microsoft defender + antivirus windows defender antivirus + - name: Troubleshoot performance issues related to real-time protection + href: troubleshoot-performance-issues.md - name: Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus href: troubleshoot-microsoft-defender-antivirus.yml - name: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution 
diff --git a/defender-endpoint/android-configure.md b/defender-endpoint/android-configure.md index 85870bec58..74f0c26587 100644 --- a/defender-endpoint/android-configure.md +++ b/defender-endpoint/android-configure.md @@ -15,7 +15,7 @@ ms.collection: ms.topic: conceptual ms.subservice: android search.appverid: met150 -ms.date: 10/18/2024 +ms.date: 11/22/2024 --- # Configure Defender for Endpoint on Android features @@ -57,7 +57,7 @@ This feature provides protection against rogue Wi-Fi related threats and rogue c It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Intune admin center and add trusted certificates. Admins can enable [privacy controls](android-configure.md#privacy-controls) to configure the data sent to Defender for Endpoint from Android devices. -Network protection in Microsoft Defender for endpoint is disabled by default. Admins can use the following steps to **configure Network protection in Android devices.** +Network protection in Microsoft Defender for endpoint is enabled by default. Admins can use the following steps to **configure Network protection in Android devices.** In the Microsoft Intune admin center, navigate to Apps > App configuration policies. Create a new App configuration policy. diff --git a/defender-endpoint/android-intune.md b/defender-endpoint/android-intune.md index b779cefd69..659870982b 100644 --- a/defender-endpoint/android-intune.md +++ b/defender-endpoint/android-intune.md @@ -15,7 +15,7 @@ ms.custom: partner-contribution ms.topic: conceptual ms.subservice: android search.appverid: met150 -ms.date: 10/11/2024 +ms.date: 11/15/2024 --- # Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune 
@@ -38,11 +38,13 @@ Learn how to deploy Defender for Endpoint on Android on Microsoft Intune Company ## Deploy on Device Administrator enrolled devices + + Learn how to deploy Defender for Endpoint on Android with Microsoft Intune Company Portal - Device Administrator enrolled devices. ### Add as Android store app -1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> +1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> **Android Apps** \> **Add** \> **Android store app** and choose **Select**. :::image type="content" source="media/mda-addandroidstoreapp.png" alt-text="The Add Android store application pane in the Microsoft Intune admin center portal" lightbox="media/mda-addandroidstoreapp.png"::: 
@@ -54,20 +56,19 @@ Learn how to deploy Defender for Endpoint on Android with Microsoft Intune Compa - **Publisher** as Microsoft. - **App store URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Defender for Endpoint app Google Play Store URL) - Other fields are optional. Select **Next**. + Other fields are optional. Then select **Next**. :::image type="content" source="media/mda-addappinfo.png" alt-text=" The Add App page displaying the application's publisher and URL information in the Microsoft Intune admin center portal" lightbox="media/mda-addappinfo.png"::: -3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group (or groups) to receive the Defender for Endpoint on Android app. Choose **Select** and then **Next**. +3. In the **Assignments** section, go to the **Required** section and select **Add group.** You can then choose the user group (or groups) to receive the Defender for Endpoint on Android app. Choose **Select** and then **Next**. - > [!NOTE] - > The selected user group should consist of Intune enrolled users. - > - > :::image type="content" source="media/363bf30f7d69a94db578e8af0ddd044b.png" alt-text="The Add group pane in the Add App page in the Microsoft Intune admin center portal" lightbox="media/363bf30f7d69a94db578e8af0ddd044b.png"::: + The selected user group should consist of Intune enrolled users. + + :::image type="content" source="media/363bf30f7d69a94db578e8af0ddd044b.png" alt-text="Screenshot that shows the Add group pane in the Add App page in the Microsoft Intune admin center portal." lightbox="media/363bf30f7d69a94db578e8af0ddd044b.png"::: 4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. - In a few moments, the Defender for Endpoint app should be created successfully, and a notification should show up in the upper right corner of the screen. 
+ In a few moments, the Defender for Endpoint app should be created, and a notification should show up in the upper right corner of the screen. :::image type="content" source="media/86cbe56f88bb6e93e9c63303397fc24f.png" alt-text="The application status pane in the Microsoft Intune admin center portal" lightbox="media/86cbe56f88bb6e93e9c63303397fc24f.png"::: @@ -93,7 +94,7 @@ Defender for Endpoint on Android supports Android Enterprise enrolled devices. For more information on the enrollment options supported by Microsoft Intune, see [Enrollment Options](/mem/intune/enrollment/android-enroll). -**Currently, Personally-owned devices with work profile, Corporate-owned devices with work profile, and Corporate-owned fully managed user device enrollments are supported in Android Enterprise.** +**Currently, personally-owned devices with work profile, corporate-owned devices with work profile, and corporate-owned, fully managed user device enrollments are supported in Android Enterprise.** ## Add Microsoft Defender for Endpoint on Android as a Managed Google Play app 
@@ -101,63 +102,60 @@ Follow the steps below to add Microsoft Defender for Endpoint app into your mana 1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> **Android Apps** \> **Add** and select **Managed Google Play app**. - :::image type="content" source="media/579ff59f31f599414cedf63051628b2e.png" alt-text="The application-adding pane in the Microsoft Intune admin center portal" lightbox="media/579ff59f31f599414cedf63051628b2e.png"::: + :::image type="content" source="media/579ff59f31f599414cedf63051628b2e.png" alt-text="Screenshot that shows the application-adding pane in the Microsoft Intune admin center portal" lightbox="media/579ff59f31f599414cedf63051628b2e.png"::: 2. On your managed Google Play page that loads, go to the search box and type `Microsoft Defender`. Your search should display the Microsoft Defender for Endpoint app in your Managed Google Play. Select the Microsoft Defender for Endpoint app from the Apps search results. - :::image type="content" source="media/0f79cb37900b57c3e2bb0effad1c19cb.png" alt-text="The Managed Google Play page in the Microsoft Intune admin center portal" lightbox="media/0f79cb37900b57c3e2bb0effad1c19cb.png"::: + :::image type="content" source="media/0f79cb37900b57c3e2bb0effad1c19cb.png" alt-text="The Managed Google Play page in the Microsoft Intune admin center portal" lightbox="media/0f79cb37900b57c3e2bb0effad1c19cb.png"::: 3. In the **App description** page, you should be able to see app details about the Defender for Endpoint app. Review the information on the page and then select **Approve**. 
- > [!div class="mx-imgBorder"] - > :::image type="content" source="media/07e6d4119f265037e3b80a20a73b856f.png" alt-text="The page of Managed Google Play in the Microsoft Intune admin center portal" lightbox="media/07e6d4119f265037e3b80a20a73b856f.png"::: + :::image type="content" source="media/07e6d4119f265037e3b80a20a73b856f.png" alt-text="The page of Managed Google Play in the Microsoft Intune admin center portal" lightbox="media/07e6d4119f265037e3b80a20a73b856f.png"::: 4. When you're prompted to approve permissions for Defender for Endpoint obtains, review he information, and then select **Approve**. - :::image type="content" source="media/206b3d954f06cc58b3466fb7a0bd9f74.png" alt-text="The permissions approval page in the Microsoft Defender 365 portal" lightbox="media/206b3d954f06cc58b3466fb7a0bd9f74.png"::: + :::image type="content" source="media/206b3d954f06cc58b3466fb7a0bd9f74.png" alt-text="The permissions approval page in the Microsoft Defender 365 portal" lightbox="media/206b3d954f06cc58b3466fb7a0bd9f74.png"::: 5. On the **Approval settings** page, review your preference to handle new app permissions that Defender for Endpoint on Android might ask. Review the choices and select your preferred option. Select **Done**. - By default, managed Google Play selects **Keep approved when app requests new permissions**. + By default, managed Google Play selects **Keep approved when app requests new permissions**. - > [!div class="mx-imgBorder"] - > :::image type="content" source="media/ffecfdda1c4df14148f1526c22cc0236.png" alt-text=" The approval settings configuration completion page in the in the Microsoft Defender 365 portal" lightbox="media/ffecfdda1c4df14148f1526c22cc0236.png"::: + :::image type="content" source="media/ffecfdda1c4df14148f1526c22cc0236.png" alt-text=" The approval settings configuration completion page in the in the Microsoft Defender 365 portal" lightbox="media/ffecfdda1c4df14148f1526c22cc0236.png"::: 6. 
After the permissions handling selection is made, select **Sync** to sync Microsoft Defender for Endpoint to your apps list. - > [!div class="mx-imgBorder"] - > :::image type="content" source="media/34e6b9a0dae125d085c84593140180ed.png" alt-text="The Sync pane in the Microsoft Defender 365 portal" lightbox="media/34e6b9a0dae125d085c84593140180ed.png"::: + :::image type="content" source="media/34e6b9a0dae125d085c84593140180ed.png" alt-text="The Sync pane in the Microsoft Defender 365 portal" lightbox="media/34e6b9a0dae125d085c84593140180ed.png"::: 7. The sync completes in a few minutes. - :::image type="content" source="media/9fc07ffc150171f169dc6e57fe6f1c74.png" alt-text="The application sync status pane in the Android apps page in the Microsoft Defender 365 portal" lightbox="media/9fc07ffc150171f169dc6e57fe6f1c74.png"::: + :::image type="content" source="media/9fc07ffc150171f169dc6e57fe6f1c74.png" alt-text="The application sync status pane in the Android apps page in the Microsoft Defender 365 portal" lightbox="media/9fc07ffc150171f169dc6e57fe6f1c74.png"::: 8. Select the **Refresh** button in the Android apps screen and Microsoft Defender for Endpoint should be visible in the apps list. - :::image type="content" source="media/fa4ac18a6333335db3775630b8e6b353.png" alt-text="The page displaying the synced application" lightbox="media/fa4ac18a6333335db3775630b8e6b353.png"::: + :::image type="content" source="media/fa4ac18a6333335db3775630b8e6b353.png" alt-text="The page displaying the synced application" lightbox="media/fa4ac18a6333335db3775630b8e6b353.png"::: 9. Defender for Endpoint supports App configuration policies for managed devices via Microsoft Intune. This capability can be used to select different configurations for Defender for Endpoint. - 1. In the **Apps** page, go to **Policy** > **App configuration policies** > **Add** > **Managed devices**. + 1. In the **Apps** page, go to **Policy** > **App configuration policies** > **Add** > **Managed devices**. 
- :::image type="content" source="media/android-mem.png" alt-text="The App configuration policies pane in the Microsoft Intune admin center portal" lightbox="media/android-mem.png"::: + :::image type="content" source="media/android-mem.png" alt-text="The App configuration policies pane in the Microsoft Intune admin center portal" lightbox="media/android-mem.png"::: - 2. In the **Create app configuration policy** page, enter the following details: + 2. In the **Create app configuration policy** page, enter the following details: - - Name: **Microsoft Defender for Endpoint**. - - Choose **Android Enterprise** as platform. - - Choose **Personally-owned Work Profile only** or **Fully Managed, Dedicated, and Corporate-owned work profile only** as Profile Type. - - Select **Select App**, choose **Microsoft Defender**, select **OK** and then **Next**. + - Name: **Microsoft Defender for Endpoint**. + - Choose **Android Enterprise** as platform. + - Choose **Personally-owned Work Profile only** or **Fully Managed, Dedicated, and Corporate-owned work profile only** as Profile Type. + - Select **Select App**, choose **Microsoft Defender**, select **OK** and then **Next**. :::image type="content" source="media/android-create-app.png" alt-text=" Screenshot of the Associated app details pane." lightbox="media/android-create-app.png"::: - 3. Select **Permissions** \> **Add**. From the list, select the available app permissions \> **OK**. + 3. Select **Permissions** \> **Add**. From the list, select the available app permissions \> **OK**. - 4. Select an option for each permission to grant with this policy: + 4. Select an option for each permission to grant with this policy: - - **Prompt** - Prompts the user to accept or deny. - - **Auto grant** - Automatically approves without notifying the user. - - **Auto deny** - Automatically denies without notifying the user. + - **Prompt** - Prompts the user to accept or deny. 
+ - **Auto grant** - Automatically approves without notifying the user. + - **Auto deny** - Automatically denies without notifying the user. 5. Go to the **Configuration settings** section and choose **'Use configuration designer'** in Configuration settings format. @@ -177,17 +175,15 @@ Follow the steps below to add Microsoft Defender for Endpoint app into your mana 9. In the **Review + Create** page that comes up next, review all the information and then select **Create**. - The app configuration policy for Defender for Endpoint is now assigned to the selected user group. + The app configuration policy for Defender for Endpoint is now assigned to the selected user group. -10. Select **Microsoft Defender** app in the list \> **Properties** \> -**Assignments** \> **Edit**. +10. Select **Microsoft Defender** app in the list \> **Properties** \> **Assignments** \> **Edit**. :::image type="content" source="media/mda-properties.png" alt-text="The Edit option on the Properties page" lightbox="media/mda-properties.png"::: 11. Assign the app as a *Required* app to a user group. It's automatically installed in the *work profile* during the next sync of the device via Company Portal app. This assignment can be done by navigating to the *Required* section \> **Add group**, selecting the appropriate user group, and then choosing **Select**. - > [!div class="mx-imgBorder"] - > :::image type="content" source="media/ea06643280075f16265a596fb9a96042.png" alt-text="The Edit application page" lightbox="media/ea06643280075f16265a596fb9a96042.png"::: + :::image type="content" source="media/ea06643280075f16265a596fb9a96042.png" alt-text="The Edit application page" lightbox="media/ea06643280075f16265a596fb9a96042.png"::: 12. In the **Edit Application** page, review all the information that was entered earlier. Then select **Review + Save** and then **Save** again to commence assignment. 
@@ -210,18 +206,18 @@ Defender for Endpoint supports Device configuration policies for managed devices 3. Select **Connectivity** and configure your VPN: - - Enable **Always-on VPN**. Set up a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device. + 1. Enable **Always-on VPN**. Set up a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device. - - Select **Custom** in VPN client dropdown list. Custom VPN in this case is Defender for Endpoint VPN, which is used to provide the Web Protection feature. + 2. Select **Custom** in VPN client dropdown list. Custom VPN in this case is Defender for Endpoint VPN, which is used to provide the Web Protection feature. - > [!NOTE] - > Microsoft Defender for Endpoint app must be installed on user's device, in order to functioning of auto setup of this VPN. + > [!NOTE] + > Microsoft Defender for Endpoint app must be installed on user's device, in order to functioning of auto setup of this VPN. - - Enter **Package ID** of the Microsoft Defender for Endpoint app in Google Play store. For the [Defender app URL](https://play.google.com/store/apps/details?id=com.microsoft.scmx), the package ID is `com.microsoft.scmx`. + 3. Enter **Package ID** of the Microsoft Defender for Endpoint app in Google Play store. For the [Defender app URL](https://play.google.com/store/apps/details?id=com.microsoft.scmx), the package ID is `com.microsoft.scmx`. - - Set **Lockdown mode** to **Not configured (Default)**. + 4. Set **Lockdown mode** to **Not configured (Default)**. 
- :::image type="content" source="media/3autosetupofvpn.png" alt-text="The Connectivity pane under the Configuration settings tab" lightbox="media/3autosetupofvpn.png"::: + :::image type="content" source="media/3autosetupofvpn.png" alt-text="The Connectivity pane under the Configuration settings tab" lightbox="media/3autosetupofvpn.png"::: 4. **Assignment**. On the **Assignments** page, select the user group to which this app config policy would be assigned. Choose **Select groups** to include and selecting the applicable group and then select **Next**. 
@@ -238,20 +234,19 @@ The device configuration profile is now assigned to the selected user group. 1. Confirm the installation status of Microsoft Defender for Endpoint on Android by clicking on the **Device Install Status**. Verify that the device is displayed here. - > [!div class="mx-imgBorder"] - > :::image type="content" source="media/900c0197aa59f9b7abd762ab2b32e80c.png" alt-text="The device installation status pane" lightbox="media/900c0197aa59f9b7abd762ab2b32e80c.png"::: + :::image type="content" source="media/900c0197aa59f9b7abd762ab2b32e80c.png" alt-text="The device installation status pane" lightbox="media/900c0197aa59f9b7abd762ab2b32e80c.png"::: 2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you're enrolled to the **Personally owned devices with work profile**. If you're enrolled to a **Corporate-owned, fully managed user device**, you have a single profile on the device where you can confirm that Defender for Endpoint is available. - :::image type="content" source="media/c2e647fc8fa31c4f2349c76f2497bc0e.png" alt-text="The application display pane" lightbox="media/c2e647fc8fa31c4f2349c76f2497bc0e.png"::: + :::image type="content" source="media/c2e647fc8fa31c4f2349c76f2497bc0e.png" alt-text="The application display pane" lightbox="media/c2e647fc8fa31c4f2349c76f2497bc0e.png"::: 3. When the app is installed, open the app and accept the permissions and then your onboarding should be successful. - :::image type="content" source="media/MDE-new.png" alt-text="Th display of a Microsoft Defender for Endpoint application on a mobile device" lightbox="media/MDE-new.png"::: + :::image type="content" source="media/MDE-new.png" alt-text="Th display of a Microsoft Defender for Endpoint application on a mobile device" lightbox="media/MDE-new.png"::: 4. At this point, the device is successfully onboarded onto Defender for Endpoint on Android. 
You can verify this on the [Microsoft Defender portal](https://security.microsoft.com) by navigating to the **Device Inventory** page. - :::image type="content" source="media/9fe378a1dce0f143005c3aa53d8c4f51.png" alt-text="The Microsoft Defender for Endpoint portal" lightbox="media/9fe378a1dce0f143005c3aa53d8c4f51.png"::: + :::image type="content" source="media/9fe378a1dce0f143005c3aa53d8c4f51.png" alt-text="The Microsoft Defender for Endpoint portal" lightbox="media/9fe378a1dce0f143005c3aa53d8c4f51.png"::: ## Configure low-touch onboarding @@ -280,13 +275,10 @@ Android low touch onboarding is disabled by default. Admins can enable it throug 6. Under **Configuration settings**, select `Use Configuration designer`, and then select **Add**. -1. Select **Low touch onboarding and User UPN**. For User UPN, change the value type to `Variable`, and set the configuration value to `User Principal Name`. Enable low-touch onboarding by changing its configuration value to `1`. - - > [!div class="mx-imgBorder"] - > ![Screenshot showing a low touch onboarding configuration policy.](media/low-touch-user-upn.png) +7. Select **Low touch onboarding and User UPN**. For User UPN, change the value type to `Variable`, and set the configuration value to `User Principal Name`. Enable low-touch onboarding by changing its configuration value to `1`. -> [!Note] -> Once the policy is created, these value types will show as string. + > [!NOTE] + > Once the policy is created, these value types will show as string. 8. Assign the policy to the target user group. 
@@ -300,34 +292,19 @@ Admins can go to the [Microsoft Endpoint Management admin center](https://intune 1. Go to **Apps> App configuration policies** and click on **Add**. Select **Managed Devices**. - > [!div class="mx-imgBorder"] - > ![Image of adding app configuration policy.](media/addpolicy.png) - -1. Enter **Name** and **Description** to uniquely identify the configuration policy. Select platform as **'Android Enterprise'**, Profile type as **'Personally-owned work profile only'** and Targeted app as **'Microsoft Defender'**. +2. Enter **Name** and **Description** to uniquely identify the configuration policy. Select platform as **'Android Enterprise'**, Profile type as **'Personally-owned work profile only'** and Targeted app as **'Microsoft Defender'**. - > [!div class="mx-imgBorder"] - > ![Image of naming configuration policy.](media/selectapp.png) - -1. On the settings page, in **'Configuration settings format'**, select **'Use configuration designer'** and click on **Add**. From the list of configurations that are displayed, select **'Microsoft Defender in Personal profile'**. +3. On the settings page, in **'Configuration settings format'**, select **'Use configuration designer'** and select **Add**. From the list of configurations that are displayed, select **'Microsoft Defender in Personal profile'**. - > [!div class="mx-imgBorder"] - > ![Image of configuring personal profile.](media/addconfiguration.png) - -1. The selected configuration will be listed. Change the **configuration value to 1** to enable Microsoft Defender support personal profiles. A notification will appear informing the admin about the same. Click on **Next**. +4. The selected configuration will be listed. Change the **configuration value to 1** to enable Microsoft Defender support personal profiles. A notification will appear to inform the admin about the same. Click on **Next**. - > [!div class="mx-imgBorder"] - > ![Image of changing config value.](media/changeconfigvalue.png) - -1. 
**Assign** the configuration policy to a group of users. **Review and create** the policy. +5. **Assign** the configuration policy to a group of users. **Review and create** the policy. - > [!div class="mx-imgBorder"] - > ![Image of reviewing and creating policy.](media/savepolicy.png) - Admins also can set up **privacy controls** from the Microsoft Intune admin center to control what data can be sent by the Defender mobile client to the security portal. For more information, see [configuring privacy controls](android-configure.md). Organizations can communicate to their users to protect Personal profile with Microsoft Defender on their enrolled BYOD devices. -- Pre-requisite: Microsoft Defender must be already installed and active in work profile to enabled Microsoft Defender in personal profiles. +Microsoft Defender must be already installed and active in work profile to enabled Microsoft Defender in personal profiles. ### Finish onboarding a device @@ -339,8 +316,8 @@ Organizations can communicate to their users to protect Personal profile with Mi 4. After signing in successfully, users see the following screens: - 1. **EULA screen**: Presented only if the user has not consented already in the Work profile. - 2. **Notice screen**: Users need to provide consent on this screen to move forward with onboarding the application. This is required only during the first run of the app. + - **EULA screen**: Presented only if the user has not consented already in the Work profile. + - **Notice screen**: Users need to provide consent on this screen to move forward with onboarding the application. This is required only during the first run of the app. 5. Provide the required permissions to complete onboarding. diff --git a/defender-endpoint/android-whatsnew.md b/defender-endpoint/android-whatsnew.md index 41874944c3..32ba555813 100644 --- a/defender-endpoint/android-whatsnew.md +++ b/defender-endpoint/android-whatsnew.md 
@@ -27,18 +27,19 @@ ms.date: 11/15/2024 Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) -**Ending support for Device Administrator enrolled devices** - -Microsoft Intune and Defender for Endpoint are ending support for Device Administrator enrolled devices with access to [Google Mobile Services](/mem/intune/apps/manage-without-gms) (GMS), beginning December 31, 2024. - -**For devices with access to GMS** - -After Intune and Defender for Endpoint ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:  - -- Intune and Defender for Endpoint won’t make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions. -- Intune and Defender for Endpoint technical support will no longer support these devices. +> [!IMPORTANT] +> **Ending support for Device Administrator enrolled devices** +> Microsoft Intune and Defender for Endpoint are ending support for Device Administrator enrolled devices with access to [Google Mobile Services](/mem/intune/apps/manage-without-gms) (GMS), beginning December 31, 2024. +> +> **For devices with access to GMS** +> +> After Intune and Defender for Endpoint ends support for Android device administrator, devices with access to GMS will be impacted in the following ways: +> +> - Intune and Defender for Endpoint won’t make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions. +> - Intune and Defender for Endpoint technical support will no longer support these devices. 
+> +> For more information, see [Tech Community blog: Intune ending support for Android device administrator on devices with GMS in December 2024](https://techcommunity.microsoft.com/blog/intunecustomersuccess/intune-ending-support-for-android-device-administrator-on-devices-with-gms-in-de/3915443). -For more information, see [Tech Community blog: Intune ending support for Android device administrator on devices with GMS in December 2024](https://techcommunity.microsoft.com/blog/intunecustomersuccess/intune-ending-support-for-android-device-administrator-on-devices-with-gms-in-de/3915443). **Aug-2024 (version: 1.0.6812.0101)** diff --git a/defender-endpoint/attack-surface-reduction-rules-reference.md b/defender-endpoint/attack-surface-reduction-rules-reference.md index 3c24802a13..05b3b2d598 100644 --- a/defender-endpoint/attack-surface-reduction-rules-reference.md +++ b/defender-endpoint/attack-surface-reduction-rules-reference.md @@ -15,7 +15,7 @@ ms.collection: - m365-security - tier2 - mde-asr -ms.date: 11/10/2024 +ms.date: 11/18/2024 search.appverid: met150 --- 
@@ -330,6 +330,11 @@ By default the state of this rule is set to block. In most cases, many processes Enabling this rule doesn't provide additional protection if you have LSA protection enabled since the ASR rule and LSA protection work similarly. However, when LSA protection cannot be enabled, this rule can be configured to provide equivalent protection against malware that target `lsass.exe`. +> [!TIP] +> 1. ASR audit events don't generate toast notifications. However, since the LSASS ASR rule produces large volume of audit events, almost all of which are safe to ignore when the rule is enabled in block mode, you can choose to skip the audit mode evaluation and proceed to block mode deployment, beginning with a small set of devices and gradually expanding to cover the rest. +> 2. The rule is designed to suppress block reports/toasts for friendly processes. It is also designed to drop reports for duplicate blocks. As such, the rule is well suited to be enabled in block mode, irrespective of whether toast notifications are enabled or disabled.  +> 3. ASR in warn mode is designed to present users with a block toast notification that includes an "Unblock" button. Due to the "safe to ignore" nature of LSASS ASR blocks and their large volume, WARN mode is not advisable for this rule (irrespective of whether toast notifications are enabled or disabled). + > [!NOTE] > In this scenario, the ASR rule is classified as "not applicable" in Defender for Endpoint settings in the Microsoft Defender portal. > The *Block credential stealing from the Windows local security authority subsystem* ASR rule doesn't support WARN mode. diff --git a/defender-endpoint/configure-device-connectivity.md b/defender-endpoint/configure-device-connectivity.md index 44ca0d66da..abe1379a4b 100644 --- a/defender-endpoint/configure-device-connectivity.md +++ b/defender-endpoint/configure-device-connectivity.md 
@@ -173,7 +173,7 @@ To test streamlined connectivity for devices not yet onboarded to Defender for E - Run `mdeclientanalyzer.cmd -g ` , where parameter is of GW_US, GW_EU, GW_UK. GW refers to the streamlined option. Run with applicable tenant geo. -As a supplementary check, you can also use the client analyzer to test whether a device meets prerequisites: https://aka.ms/BetaMDEAnalyzer +As a supplementary check, you can also use the client analyzer to test whether a device meets prerequisites: https://aka.ms/MDEClientAnalyzerPreview > [!NOTE] diff --git a/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md index 55eabe4944..448c5dcb76 100644 --- a/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -4,7 +4,7 @@ description: Exclude files from Microsoft Defender Antivirus scans based on thei ms.service: defender-endpoint ms.subservice: ngp ms.localizationpriority: medium -ms.date: 09/10/2024 +ms.date: 11/21/2024 author: denisebmsft ms.author: deniseb ms.topic: conceptual @@ -57,7 +57,7 @@ The following table lists some examples of exclusions based on file extension an |Exclusion|Examples|Exclusion list| |---|---|---| |Any file with a specific extension|All files with the specified extension, anywhere on the machine.

Valid syntax: `.test` and `test`|Extension exclusions| -|Any file under a specific folder|All files under the `c:\test\sample` folder|File and folder exclusions| +|Any file or folder under a specific folder|All files and folders under the `c:\test\sample` folder|File and folder exclusions| |A specific file in a specific folder|The file `c:\sample\sample.test` only|File and folder exclusions| |A specific process|The executable file `c:\test\process.exe`|File and folder exclusions| diff --git a/defender-endpoint/controlled-folders.md b/defender-endpoint/controlled-folders.md index 3b122d75f7..ced80bc5c1 100644 --- a/defender-endpoint/controlled-folders.md +++ b/defender-endpoint/controlled-folders.md @@ -3,7 +3,7 @@ title: Protect important folders from ransomware from encrypting your files with description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files. ms.service: defender-endpoint ms.localizationpriority: medium -ms.date: 11/06/2024 +ms.date: 11/19/2024 author: denisebmsft ms.author: deniseb audience: ITPro 
@@ -40,7 +40,7 @@ search.appverid: met150 Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Controlled folder access can be configured by using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). Controlled folder access is supported on Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11, > [!NOTE] -> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with [certificate and file indicators](indicator-certificates.md). +> Scripting engines like PowerShell are not trusted by controlled folder access, even if you create an "allow" indicator by using [certificate and file indicators](indicator-certificates.md). The only way to allow script engines to modify protected folders is by adding them as an allowed app. See [Allow specific apps to make changes to controlled folders](/defender-endpoint/customize-controlled-folders). Controlled folder access works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](investigate-alerts.md). diff --git a/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection.md b/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection.md index 1d3c2ff622..f58caa9054 100644 --- a/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection.md +++ b/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection.md 
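Review bot: In controlled-folders.md the unchanged context sentence just above the rewritten note ends with a comma where a period belongs ("Windows 10, and Windows 11,"); worth fixing while this file is touched. The new note itself is clearer than the old one, and the pointer to customize-controlled-folders is the right place to send readers.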
@@ -14,17 +14,15 @@ ms.collection: - demo ms.topic: article ms.subservice: ngp -ms.date: 10/21/2022 +ms.date: 11/22/2024 --- # Cloud-delivered protection demonstration **Applies to:** -- -- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) - [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business) -- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md) +- [Microsoft Defender for Endpoint Plan 1 and 2](microsoft-defender-endpoint.md) - [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) - [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) @@ -39,7 +37,10 @@ Cloud-delivered protection for Microsoft Defender Antivirus, also referred to as ### Scenario -1. Download the [test file](https://aka.ms/ioavtest). Important: The test file isn't malicious, it's just a harmless file simulating a virus. +1. Download and extract the [zipped folder that contains the test file](https://go.microsoft.com/fwlink/?linkid=2298135). The password is *infected*. + + > [!IMPORTANT] + > The test file isn't malicious, it's just a harmless file simulating a virus. 2. If you see file blocked by Microsoft Defender SmartScreen, select on "View downloads" button. diff --git a/defender-endpoint/download-client-analyzer.md b/defender-endpoint/download-client-analyzer.md index 50656abfe8..ab954aae5c 100644 --- a/defender-endpoint/download-client-analyzer.md +++ b/defender-endpoint/download-client-analyzer.md 
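Review bot: In defender-endpoint-demonstration-cloud-delivered-protection.md, make sure the new `> [!IMPORTANT]` callout lines are indented to the body of step 1 so the callout renders inside the list item and does not restart the numbering at step 2. The unchanged step 2 in the trailing context ("If you see file blocked by Microsoft Defender SmartScreen, select on "View downloads" button.") would read better as "If the file is blocked by Microsoft Defender SmartScreen, select the "View downloads" button."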
@@ -29,7 +29,7 @@ Learn how to download the Microsoft Defender for Endpoint client analyzer on sup ## Download client analyzer for Windows OS 1. The latest stable edition is available for download from following URL: -2. The latest preview edition is available for download from following URL: +2. The latest preview edition is available for download from following URL: ## Download client analyzer for macOS or Linux diff --git a/defender-endpoint/evaluate-exploit-protection.md b/defender-endpoint/evaluate-exploit-protection.md index 8abdf61afe..d6431b63c7 100644 --- a/defender-endpoint/evaluate-exploit-protection.md +++ b/defender-endpoint/evaluate-exploit-protection.md @@ -15,7 +15,7 @@ ms.collection: - tier2 - mde-asr search.appverid: met150 -ms.date: 11/15/2024 +ms.date: 11/21/2024 --- # Evaluate exploit protection @@ -37,7 +37,7 @@ In audit, you can see how mitigation works for certain apps in a test environmen Exploit protection mitigations work at a low level in the operating system, and some kinds of software that perform similar low-level operations might have compatibility issues when they're configured to be protected by using exploit protection. -#### What kinds of Software shouldn't be protected by exploit protection? +#### What kinds of software shouldn't be protected by exploit protection? - Anti-malware and intrusion prevention or detection software - Debuggers 
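Review bot: In download-client-analyzer.md the removed and added lines for the preview edition are identical in this view ("2. The latest preview edition is available for download from following URL:"), so the change can only be in the link target or whitespace; confirm the new target is https://aka.ms/MDEClientAnalyzerPreview, the URL the other files in this change switch to (configure-device-connectivity.md, run-analyzer-windows.md, troubleshoot-collect-support-log.md, troubleshoot-security-config-mgt.md). Both list items are also missing an article: "from the following URL".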
@@ -55,6 +55,40 @@ Services - System services - Network services +## Exploit protection mitigations enabled by default + +| Mitigation | Enabled by default | +| -------- | -------- | +| Data Execution Prevention (DEP) | 64-bit and 32-bit applications | +| Validate exception chains (SEHOP) | 64-bit applications | +| Validate heap integrity | 64-bit and 32-bit applications | + +## Deprecated "Program settings" mitigations + +| “Program settings” mitigations | Reason | +| -------- | -------- | +| Export address filtering (EAF) | Application compatibility issues | +| Import address filtering (IAF) | Application compatibility issues | +| Simulate execution (SimExec) | Replaced with Arbitrary Code Guard (ACG) | +| Validate API invocation (CallerCheck) | Replaced with Arbitrary Code Guard (ACG) | +| Validate stack integrity (StackPivot) | Replaced with Arbitrary Code Guard (ACG) | + +## Office application best practices + +Instead of using Exploit Protection for Office applications such as Outlook, Word, Excel, PowerPoint, and OneNote, consider using a more modern approach to prevent their misuse: Attack Surface Reduction rules (ASR rules): + +- [Block executable content from email client and webmail ](attack-surface-reduction-rules-reference.md#block-executable-content-from-email-client-and-webmail) +- [Block Office applications from creating executable content](attack-surface-reduction-rules-reference.md#block-office-applications-from-creating-executable-content) +- [Block all Office applications from creating child processes](attack-surface-reduction-rules-reference.md#block-all-office-applications-from-creating-child-processes) +- [Block Office communication application from creating child processes](attack-surface-reduction-rules-reference.md#block-office-communication-application-from-creating-child-processes) +- [Block Office applications from injecting code into other 
processes](attack-surface-reduction-rules-reference.md#block-office-applications-from-injecting-code-into-other-processes) +- [Block execution of potentially obfuscated scripts](attack-surface-reduction-rules-reference.md#block-execution-of-potentially-obfuscated-scripts) +- [Block Win32 API calls from Office macros](attack-surface-reduction-rules-reference.md#block-win32-api-calls-from-office-macros) + +For Adobe Reader use the following ASR rule: + +• [Block Adobe Reader from creating child processes](attack-surface-reduction-rules-reference.md#block-adobe-reader-from-creating-child-processes) + ## Application compatibility list The following table lists specific products that have compatibility issues with the mitigations that are included in exploit protection. You must disable specific incompatible mitigations if you want to protect the product by using exploit protection. Be aware that this list takes into consideration the default settings for the latest versions of the product. Compatibility issues can introduced when you apply certain add-ins or other components to the standard software. @@ -69,7 +103,7 @@ The following table lists specific products that have compatibility issues with | DropBox | EAF | | Excel Power Query, Power View, Power Map and PowerPivot | EAF | | Google Chrome | EAF+ | -| Immidio Flex+ | Cell 4 | +| Immidio Flex+ | EAF | | Microsoft Office Web Components (OWC) | System DEP=AlwaysOn | | Microsoft PowerPoint | EAF | | Microsoft Teams | EAF+ | 
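Review bot: In evaluate-exploit-protection.md the Adobe Reader item under "For Adobe Reader use the following ASR rule:" uses a "•" character while the Office list above it uses markdown "-" bullets; change it to "-" so it renders as a list item. Also in this hunk: the first Office link has a trailing space inside the link text ("[Block executable content from email client and webmail ]"), the "Deprecated "Program settings" mitigations" table header uses curly quotes where the rest of the page uses straight ones, and the trailing context sentence "Compatibility issues can introduced" is missing "be". Since the new deprecated table says EAF and IAF are deprecated for application compatibility reasons, a one-line cross-reference from the "Application compatibility list" (which still lists EAF and EAF+ per product) to that table would help readers connect the two.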
@@ -82,7 +116,38 @@ The following table lists specific products that have compatibility issues with ǂ EMET mitigations might be incompatible with Oracle Java when they're run by using settings that reserve a large chunk of memory for the virtual machine (that is, by using the -Xms option). -## Enable exploit protection for testing +## Enable exploit protection system settings for testing + +These Exploit Protection system settings are enabled by default except for the Mandatory Address Space Layout Randomization (ASLR) on Windows 10 and later, Windows Server 2019 and later, and on Windows Server version 1803 core edition and later. + +| System settings | Setting | +| -------- | -------- | +| Control flow guard (CFG) | Use default (On) | +| Data Execution Prevention (DEP) | Use default (On) | +| Force randomization for images (Mandatory ASRL) | Use default (Off) | +| Randomize memory allocations (Bottom-up ASRL) | Use default (On) | +| High-entropy ASRL | Use default (On) | +| Validate exception chains (SEHOP) | Use default (On) | + +The xml sample is available below + +``` + + + + + + + + + + +``` + +## Enable exploit protection program settings for testing + +> [!TIP] +> We highly recommend reviewing the modern approach for vulnerability mitigations, which is to use [Attack Surface Reduction rules (ASR rules)](attack-surface-reduction.md). You can set mitigations in a testing mode for specific programs by using the Windows Security app or Windows PowerShell. diff --git a/defender-endpoint/exploit-protection.md b/defender-endpoint/exploit-protection.md index 08243d8810..ae4a649646 100644 --- a/defender-endpoint/exploit-protection.md +++ b/defender-endpoint/exploit-protection.md @@ -16,7 +16,7 @@ ms.collection: - tier2 - mde-asr search.appverid: met150 -ms.date: 12/18/2020 +ms.date: 11/21/2024 --- # Protect devices from exploits 
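Review bot: "ASRL" in the new system settings table should be "ASLR" in all three rows ("Mandatory ASRL", "Bottom-up ASRL", "High-entropy ASRL"); the intro paragraph above the table spells it correctly. That intro paragraph also reads as if mandatory ASLR is off only on the listed OS versions; suggest restructuring it as "On Windows 10 and later, Windows Server 2019 and later, and Windows Server version 1803 core edition and later, these exploit protection system settings are enabled by default, except for Force randomization for images (mandatory ASLR), which is off." Minor: "The xml sample is available below" needs a period and "XML" in caps, and the sample's fence should carry a language tag (```xml) like the other fenced blocks on the page.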
@@ -60,6 +60,23 @@ DeviceEvents | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection' ``` +### Exploit Protection and advanced hunting + +Below are the advanced hunting actiontypes available for Exploit Protection. + +| Exploit Protection mitigation name | Exploit Protection - Advanced Hunting - ActionTypes | +|:---|:---| +| Arbitrary code guard | ExploitGuardAcgAudited
ExploitGuardAcgEnforced
| +| Don't allow child processes | ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked
| +| Export address filtering (EAF) | ExploitGuardEafViolationAudited
ExploitGuardEafViolationBlocked
| +| Import address filtering (IAF) | ExploitGuardIafViolationAudited
ExploitGuardIafViolationBlocked
| +| Block low integrity images | ExploitGuardLowIntegrityImageAudited
ExploitGuardLowIntegrityImageBlocked
| +| Code integrity guard | ExploitGuardNonMicrosoftSignedAudited
ExploitGuardNonMicrosoftSignedBlocked
| +|• Simulate execution (SimExec)
• Validate API invocation (CallerCheck)
• Validate stack integrity (StackPivot)
| ExploitGuardRopExploitAudited
ExploitGuardRopExploitBlocked
| +| Block remote images | ExploitGuardSharedBinaryAudited
ExploitGuardSharedBinaryBlocked
| +| Disable Win32k system calls | ExploitGuardWin32SystemCallAudited
ExploitGuardWin32SystemCallBlocked
| + + ## Review exploit protection events in Windows Event Viewer You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:

@@ -126,7 +143,6 @@ The table in this section indicates the availability and support of native mitig |Validate image dependency integrity | Yes | No | > [!NOTE] - > The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10 and Windows 11, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. For more information on how Windows 10 employs existing EMET technology, see the [Mitigation threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit). ## See also diff --git a/defender-endpoint/mac-whatsnew.md b/defender-endpoint/mac-whatsnew.md index efffe0d537..98d0281771 100644 --- a/defender-endpoint/mac-whatsnew.md +++ b/defender-endpoint/mac-whatsnew.md @@ -6,7 +6,7 @@ author: deniseb ms.author: deniseb manager: deniseb ms.localizationpriority: medium -ms.date: 10/30/2024 +ms.date: 11/18/2024 audience: ITPro ms.collection: - m365-security 
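Review bot: Removing only the note body leaves the `> [!NOTE]` marker on the preceding context line with no content, which renders as an empty callout; delete the marker line as well, or keep a one-line pointer to the Windows threat mitigations page if that link is still wanted.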
@@ -41,7 +41,7 @@ For more information on Microsoft Defender for Endpoint on other operating syste - In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device control's ability to intercept and block access to Bluetooth devices. At this time, the recommended mitigation is to use a version of macOS earlier than 14.3.1. -- In macOS Sequoia (version 15.0), if you have Network Protection enabled, you might see crashes of the network extension (NetExt). This issue results in intermittent network connectivity issues for end users. Please upgrade to macOS Sequoia version 15.0.1 or newer. +- In macOS Sequoia (version 15.0), if you have Network Protection enabled, you might see crashes of the network extension (NetExt). This issue results in intermittent network connectivity issues for end users. Please upgrade to macOS Sequoia version 15.1 or newer. ## Sequoia support diff --git a/defender-endpoint/microsoft-defender-core-service-overview.md b/defender-endpoint/microsoft-defender-core-service-overview.md index 8874a30c4f..a74ef77800 100644 --- a/defender-endpoint/microsoft-defender-core-service-overview.md +++ b/defender-endpoint/microsoft-defender-core-service-overview.md @@ -7,7 +7,7 @@ manager: deniseb ms.service: defender-endpoint ms.subservice: ngp ms.topic: overview -ms.date: 06/21/2024 +ms.date: 11/25/2024 search.appverid: met150 ms.localizationpriority: medium audience: ITPro 
@@ -32,6 +32,8 @@ To enhance your endpoint security experience, Microsoft is releasing the Microso - Mid April 2024 to Enterprise customers running Windows clients. - Beginning of July 2024 to U.S. Government customers running Windows clients. + - Mid January 2025 to Enterprise customers running Windows Server. + 3. If you're using the Microsoft Defender for Endpoint **streamlined** device connectivity experience, you don't need to add any other URLs. 4. If you're using the Microsoft Defender for Endpoint **standard** device connectivity experience: diff --git a/defender-endpoint/performance-analyzer-reference.md b/defender-endpoint/performance-analyzer-reference.md new file mode 100644 index 0000000000..6ccaac06f7 --- /dev/null +++ b/defender-endpoint/performance-analyzer-reference.md 
@@ -0,0 +1,453 @@ +--- +title: Microsoft Defender Antivirus Performance Analyzer reference +description: Microsoft Defender Antivirus Performance Analyzer reference +author: denisebmsft +ms.author: deniseb +ms.reviewer: yongrhee +ms.service: defender-endpoint +ms.topic: troubleshooting +ms.date: 11/22/2024 +ms.subservice: ngp +manager: deniseb +ms.localizationpriority: medium +audience: ITPro +ms.collection: +- m365-security +- tier2 +- mde-ngp +ms.custom: +- partner-contribution +f1.keywords: NOCSH +ai-usage: human-only +--- + +# Microsoft Defender Antivirus Performance Analyzer reference + +## PowerShell reference + +You can use the following new PowerShell cmdlets to tune the performance of Microsoft Defender Antivirus: + +- [New-MpPerformanceRecording](#new-mpperformancerecording) +- [Get-MpPerformanceReport](#get-mpperformancereport) + +### New-MpPerformanceRecording + +The following section describes the reference for the new PowerShell cmdlet `New-MpPerformanceRecording`. This cmdlet Collects a performance recording of Microsoft Defender Antivirus scans. + +#### Syntax: New-MpPerformanceRecording + +```powershell +New-MpPerformanceRecording -RecordTo +``` + +#### Description: New-MpPerformanceRecording + +The `New-MpPerformanceRecording` cmdlet collects a performance recording of Microsoft Defender Antivirus scans. These performance recordings contain Microsoft-Antimalware-Engine and NT kernel process events and can be analyzed after collection using the [Get-MpPerformanceReport](#get-mpperformancereport) cmdlet. + +This `New-MpPerformanceRecording` cmdlet provides an insight into problematic files that could cause a degradation in the performance of Microsoft Defender Antivirus. This tool is provided as is, and isn't intended to provide suggestions on [exclusions](navigate-defender-endpoint-antivirus-exclusions.md). Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution. 
+ +For more information on the performance analyzer, see [Performance Analyzer](/windows-hardware/test/wpt/windows-performance-analyzer) docs. + +> [!IMPORTANT] +> This cmdlet requires elevated administrator privileges. + + +#### Examples: New-MpPerformanceRecording + +##### Example 1: Collect a performance recording and save it + +```powershell +New-MpPerformanceRecording -RecordTo .\Defender-scans.etl +``` + +The command collects a performance recording and saves it to the specified path: `.\Defender-scans.etl`. + +##### Example 2: Collect a performance recording for remote PowerShell session + +```powershell +$s = New-PSSession -ComputerName Server02 -Credential Domain01\User01 +New-MpPerformanceRecording -RecordTo C:\LocalPathOnServer02\trace.etl -Session $s +``` + +The command collects a performance recording on `Server02` (as specified by argument $s of parameter Session) and saves it to the specified path: `C:\LocalPathOnServer02\trace.etl` on `Server02`. + + +#### Parameters: New-MpPerformanceRecording + +##### -RecordTo + +Specifies the location in which to save the Microsoft Defender Antimalware performance recording. + +```yaml +Type: String +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -Session + +Specifies the `PSSession` object in which to create and save the Microsoft Defender Antivirus performance recording. When you use this command, the `RecordTo` parameter refers to the local path on the remote machine. Available with Defender platform version `4.18.2201.10` and later. + +```yaml +Type: PSSession[] +Position: 0 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### Get-MpPerformanceReport + +The following section describes the `Get-MpPerformanceReport` PowerShell cmdlet. Analyzes and reports on Microsoft Defender Antivirus performance recording. 
+ +#### Syntax: Get-MpPerformanceReport + +```output + Get-MpPerformanceReport [-Path] [-TopFiles ] [-TopScansPerFile ] [-TopProcessesPerFile +] [-TopScansPerProcessPerFile ] [-TopPaths ] [-TopPathsDepth ] [-TopScansPerPath +] [-TopFilesPerPath ] [-TopScansPerFilePerPath ] [-TopExtensionsPerPath ] + [-TopScansPerExtensionPerPath ] [-TopProcessesPerPath ] [-TopScansPerProcessPerPath ] + [-TopExtensions ] [-TopScansPerExtension ] [-TopPathsPerExtension ] + [-TopScansPerPathPerExtension ] [-TopFilesPerExtension ] [-TopScansPerFilePerExtension ] + [-TopProcessesPerExtension ] [-TopScansPerProcessPerExtension ] [-TopProcesses ] + [-TopScansPerProcess ] [-TopFilesPerProcess ] [-TopScansPerFilePerProcess ] + [-TopExtensionsPerProcess ] [-TopScansPerExtensionPerProcess ] [-TopPathsPerProcess ] + [-TopScansPerPathPerProcess ] [-TopScans ] [-MinDuration ] [-MinStartTime ] + [-MinEndTime ] [-MaxStartTime ] [-MaxEndTime ] [-Overview] [-Raw] + [] +``` + +#### Description: Get-MpPerformanceReport + +The `Get-MpPerformanceReport` cmdlet analyzes a previously collected Microsoft Defender Antivirus performance recording ([New-MpPerformanceRecording](#new-mpperformancerecording)) and reports the file paths, file extensions, and processes that cause the highest impact to Microsoft Defender Antivirus scans. + +The performance analyzer provides an insight into problematic files that could cause a degradation in the performance of Microsoft Defender Antivirus. This tool is provided "as is" and isn't intended to provide suggestions on exclusions. Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution. + +For more information on the performance analyzer, see [Performance Analyzer](/windows-hardware/test/wpt/windows-performance-analyzer) docs. + +**Supported OS versions**: + +Windows Version 10 and later. + +> [!NOTE] +> This feature is available starting with platform version `4.18.2108.X` and later. 
+ +#### Examples: Get-MpPerformanceReport + +##### Example 1: Single query + +```powershell +Get-MpPerformanceReport -Path .\Defender-scans.etl -TopScans 20 +``` + +##### Example 2: Multiple queries + +```powershell +Get-MpPerformanceReport -Path .\Defender-scans.etl -TopFiles 10 -TopExtensions 10 -TopProcesses 10 -TopScans 10 +``` + +##### Example 3: Nested queries + +```powershell +Get-MpPerformanceReport -Path .\Defender-scans.etl -TopProcesses 10 -TopExtensionsPerProcess 3 -TopScansPerExtensionPerProcess 3 +``` + +##### Example 4: Using -MinDuration parameter + +```powershell +Get-MpPerformanceReport -Path .\Defender-scans.etl -TopScans 100 -MinDuration 100ms +``` + +##### Example 5: Using -Raw parameter + +```powershell +Get-MpPerformanceReport -Path .\Defender-scans.etl -TopFiles 10 -TopExtensions 10 -TopProcesses 10 -TopScans 10 -Raw | ConvertTo-Json +``` + +Using `-Raw` in the command specifies that the output should be machine readable and readily convertible to serialization formats like JSON. + +#### Parameters: Get-MpPerformanceReport + +##### -TopPaths + +Requests a top-paths report and specifies how many top paths to output, sorted by duration. Aggregates the scans based on their path and directory. User can specify how many directories should be displayed on each level and the depth of the selection. + +```yaml +- Type: Int32 +- Position: Named +- Default value: None +- Accept pipeline input: False +- Accept wildcard characters: False +``` + +##### -TopPathsDepth + +Specifies recursive depth that is used to group and display aggregated path results. For example `C:\` corresponds to a depth of 1, and `C:\Users\Foo` corresponds to a depth of 3. + +This flag can accompany all other Top Path options. If missing, a default value of 3 is assumed. The value can't be 0. 
+ +```yaml +- Type: Int32 +- Position: Named +- Default value: 3 +- Accept pipeline input: False +- Accept wildcard characters: False +``` + +| flag | definition | +|---|---| +| `-TopScansPerPath` | Specifies how many top scans to specify for each top path. | +| `-TopFilesPerPath` | Specifies how many top files to specify for each top path. | +| `-TopScansPerFilePerPath` | Specifies how many top scans to output for each top file for each top path, sorted by "Duration" | +| `-TopExtensionsPerPath` | Specifies how many top extensions to output for each top path | +| `-TopScansPerExtensionPerPath` | Specifies how many top scans to output for each top extension for each top path | +| `-TopProcessesPerPath` | Specifies how many top processes to output for each top path | +| `-TopScansPerProcessPerPath` | Specifies how many top scans to output for each top process for each top path | +| `-TopPathsPerExtension` | Specifies how many top paths to output for each top extension | +| `-TopScansPerPathPerExtension` | Specifies how many top scans to output for each top path for each top extension | +| `-TopPathsPerProcess` | Specifies how many top paths to output for each top process | +| `-TopScansPerPathPerProcess` | Specifies how many top scans to output for each top path for each top process | + +##### -MinDuration + +Specifies the minimum duration of any scan or total scan durations of files, extensions, and processes included in the report; accepts values like `0.1234567sec`, `0.1234ms`, `0.1us`, or a valid TimeSpan. + +```yaml +Type: String +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -Path + +Specifies the path or paths to one or more locations. 
+ +```yaml +Type: String +Position: 0 +Default value: None +Accept pipeline input: True +Accept wildcard characters: False +``` + +##### -Raw + +Specifies that output of performance recording should be machine readable and readily convertible to serialization formats like JSON (for example, via Convert-to-JSON command). This configuration is recommended for users interested in batch processing with other data processing systems. + +```yaml +Type: +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopExtensions + +Specifies how many top extensions to output, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopExtensionsPerProcess + +Specifies how many top extensions to output for each top process, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopFiles + +Requests a top-files report and specifies how many top files to output, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopFilesPerExtension + +Specifies how many top files to output for each top extension, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopFilesPerProcess + +Specifies how many top files to output for each top process, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopProcesses + +Requests a top-processes report and specifies how many of the top processes to output, sorted by duration. 
+ +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopProcessesPerExtension + +Specifies how many top processes to output for each top extension, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopProcessesPerFile + +Specifies how many top processes to output for each top file, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopScans + +Requests a top-scans report and specifies how many top scans to output, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopScansPerExtension + +Specifies how many top scans to output for each top extension, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopScansPerExtensionPerProcess + +Specifies how many top scans to output for each top extension for each top process, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopScansPerFile + +Specifies how many top scans to output for each top file, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopScansPerFilePerExtension + +Specifies how many top scans to output for each top file for each top extension, sorted by duration. 
+ +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopScansPerFilePerProcess + +Specifies how many top scans for output for each top file for each top process, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopScansPerProcess + +Specifies how many top scans to output for each top process in the Top Processes report, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopScansPerProcessPerExtension + +Specifies how many top scans for output for each top process for each top extension, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +##### -TopScansPerProcessPerFile + +Specifies how many top scans for output for each top process for each top file, sorted by duration. + +```yaml +Type: Int32 +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] \ No newline at end of file diff --git a/defender-endpoint/run-analyzer-windows.md b/defender-endpoint/run-analyzer-windows.md index 0e7f0bf22c..2a5b10482e 100644 --- a/defender-endpoint/run-analyzer-windows.md +++ b/defender-endpoint/run-analyzer-windows.md 
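Review bot: In the new performance-analyzer-reference.md, the "Syntax: New-MpPerformanceRecording" block shows only `-RecordTo`, while the Parameters section documents `-Session` and Example 2 uses it; add the optional `-Session` parameter to the syntax line. Conversely, the Get-MpPerformanceReport syntax lists `-MinStartTime`, `-MinEndTime`, `-MaxStartTime`, `-MaxEndTime` and `-Overview`, none of which has an entry under "Parameters: Get-MpPerformanceReport". Other points in this file: the Get-MpPerformanceReport syntax is fenced as ```output where the New-MpPerformanceRecording syntax uses ```powershell; the `-TopPaths` and `-TopPathsDepth` yaml blocks use "- Type:" list syntax while every other parameter block uses plain "Type:"; `-Raw` has an empty "Type:" value; `-TopScansPerPath` and `-TopFilesPerPath` say "to specify for each top path" where the other table rows say "to output"; "how many top scans for output" appears three times (`-TopScansPerFilePerProcess`, `-TopScansPerProcessPerExtension`, `-TopScansPerProcessPerFile`) and should be "to output"; "This cmdlet Collects" has a stray capital; the Get-MpPerformanceReport intro ends in a fragment ("Analyzes and reports on Microsoft Defender Antivirus performance recording."); and the file lacks a trailing newline.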
@@ -32,7 +32,7 @@ You can collect the Defender for Endpoint analyzer support logs remotely using [ ## Option 2: Run MDE Client Analyzer locally -1. Download the [MDE Client Analyzer tool](https://aka.ms/mdatpanalyzer) or [Beta MDE Client Analyzer tool](https://aka.ms/BetaMDEAnalyzer) to the Windows device you want to investigate. +1. Download the [MDE Client Analyzer tool](https://aka.ms/mdatpanalyzer) or [Beta MDE Client Analyzer tool](https://aka.ms/MDEClientAnalyzerPreview) to the Windows device you want to investigate. The file is saved to your Downloads folder by default. diff --git a/defender-endpoint/troubleshoot-collect-support-log.md b/defender-endpoint/troubleshoot-collect-support-log.md index ec3e832d17..2d5c3a4009 100644 --- a/defender-endpoint/troubleshoot-collect-support-log.md +++ b/defender-endpoint/troubleshoot-collect-support-log.md @@ -14,7 +14,7 @@ ms.collection: ms.topic: troubleshooting ms.subservice: edr search.appverid: met150 -ms.date: 11/07/2024 +ms.date: 11/18/2024 --- # Collect support logs in Microsoft Defender for Endpoint using live response 
@@ -31,13 +31,13 @@ This article provides instructions on how to run the tool via Live Response on W ## Windows -1. Download and fetch the required scripts available from within the **Tools** subdirectory of the [Microsoft Defender for Endpoint Client Analyzer](https://aka.ms/BetaMDEAnalyzer). +1. Download and fetch the required scripts available from within the **Tools** subdirectory of the [Microsoft Defender for Endpoint Client Analyzer](https://aka.ms/MDEClientAnalyzerPreview). For example, to get the basic sensor and device health logs, fetch `..\Tools\MDELiveAnalyzer.ps1`. - If you require additional logs related to Microsoft Defender Antivirus, then use `..\Tools\MDELiveAnalyzerAV.ps1`. - If you require [Microsoft Endpoint Data Loss Prevention](/purview/endpoint-dlp-learn-about) related logs, then use `..\Tools\MDELiveAnalyzerDLP.ps1`. - If you require network and [Windows Filter Platform](/windows-hardware/drivers/network/windows-filtering-platform-architecture-overview) related logs, then use `..\Tools\MDELiveAnalyzerNet.ps1`. - - If you require [Process Monitor](/sysinternals/downloads/procmon) logs, then use `..\Tools\MDELiveAnalyzerDLP.ps1`. + - If you require [Process Monitor](/sysinternals/downloads/procmon) logs, then use `..\Tools\MDELiveAnalyzerAppCompat.ps1`. 2. Initiate a [Live Response session](live-response.md#initiate-a-live-response-session-on-a-device) on the machine you need to investigate. @@ -67,7 +67,7 @@ This article provides instructions on how to run the tool via Live Response on W ### Additional information -- The latest preview version of MDEClientAnalyzer can be downloaded here: . +- The latest preview version of MDEClientAnalyzer can be downloaded here: . - If you can't allow the machine to reach the above URL, then upload `MDEClientAnalyzerPreview.zip` file to the library before running the LiveAnalyzer script: 
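Review bot: In the "Additional information" hunk of troubleshoot-collect-support-log.md the removed and added lines read identically here ("The latest preview version of MDEClientAnalyzer can be downloaded here: ."), so the link target is not visible in this view; confirm it is https://aka.ms/MDEClientAnalyzerPreview to match the link in step 1 of this file and the `MDEClientAnalyzerPreview.zip` file name referenced on the next line. The switch from `MDELiveAnalyzerDLP.ps1` to `MDELiveAnalyzerAppCompat.ps1` for Process Monitor logs removes a duplicate script name from the list and looks correct.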
diff --git a/defender-endpoint/troubleshoot-security-config-mgt.md b/defender-endpoint/troubleshoot-security-config-mgt.md index 17bd4d4137..9053f42ac1 100644 --- a/defender-endpoint/troubleshoot-security-config-mgt.md +++ b/defender-endpoint/troubleshoot-security-config-mgt.md 
@@ -60,7 +60,7 @@ The following table lists errors and directions on what to try/check in order to |Error Code|Enrollment Status|Administrator Actions| |---|---|---| -|`5-7`, `9`, `11-12`, `26-33`|General error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. This could be due to the device not meeting [prerequisites for Microsoft Defender for Endpoint management channel](/mem/intune/protect/mde-security-integration). Running the [Client Analyzer](https://aka.ms/BetaMDEAnalyzer) on the device can help identify the root cause of the issue. If this doesn't help, contact support.| +|`5-7`, `9`, `11-12`, `26-33`|General error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. This could be due to the device not meeting [prerequisites for Microsoft Defender for Endpoint management channel](/mem/intune/protect/mde-security-integration). Running the [Client Analyzer](https://aka.ms/MDEClientAnalyzerPreview) on the device can help identify the root cause of the issue. If this doesn't help, contact support.| | `8`, `44` | Microsoft Intune Configuration issue | The device was successfully onboarded to Microsoft Defender for Endpoint. However, Microsoft Intune hasn't been configured through the Admin Center to allow Microsoft Defender for Endpoint Security Configuration. Make sure the [Microsoft Intune tenant is configured and the feature is turned on](/mem/intune/protect/mde-security-integration#configure-your-tenant-to-support-microsoft-defender-for-endpoint-security-configuration-management).| |`13-14`,`20`,`24`,`25`|Connectivity issue|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow, which could be due to a connectivity issue. 
Verify that the [Microsoft Entra ID and Microsoft Intune endpoints](/mem/intune/protect/mde-security-integration#connectivity-requirements) are opened in your firewall.| |`10`,`42`|General Hybrid join failure|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow and the OS failed to perform hybrid join. Use [Troubleshoot Microsoft Entra hybrid joined devices](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current) for troubleshooting OS-level hybrid join failures.| diff --git a/defender-for-iot/TOC.yml b/defender-for-iot/TOC.yml index c6cc333861..241e3c9d7e 100644 --- a/defender-for-iot/TOC.yml +++ b/defender-for-iot/TOC.yml @@ -44,12 +44,16 @@ href: device-discovery.md - name: Discover and manage devices href: manage-devices-inventory.md + - name: Review security initiatives + items: + - name: Review security initiatives + href: review-security-initiatives.md - name: Prioritize and remediate vulnerabilities items: - name: Overview href: discover-vulnerabilities-overview.md - name: Prioritize and remediate vulnerabilities - href: prioritize-vulnerabilities.md + href: prioritize-vulnerabilities.md - name: Investigate and remediate threats items: - name: Investigate incidents and alerts diff --git a/defender-for-iot/media/review-security-initiatives/more-data-required.png b/defender-for-iot/media/review-security-initiatives/more-data-required.png new file mode 100644 index 0000000000..2183aa36b5 Binary files /dev/null and b/defender-for-iot/media/review-security-initiatives/more-data-required.png differ diff --git a/defender-for-iot/media/review-security-initiatives/ot-security-initiative.png b/defender-for-iot/media/review-security-initiatives/ot-security-initiative.png new file mode 100644 index 0000000000..9fc7f9a8fa Binary files /dev/null and b/defender-for-iot/media/review-security-initiatives/ot-security-initiative.png differ 
diff --git a/defender-for-iot/media/review-security-initiatives/security-recommendations.png b/defender-for-iot/media/review-security-initiatives/security-recommendations.png new file mode 100644 index 0000000000..224598d332 Binary files /dev/null and b/defender-for-iot/media/review-security-initiatives/security-recommendations.png differ diff --git a/defender-for-iot/media/review-security-initiatives/unprotected-ot-devices.png b/defender-for-iot/media/review-security-initiatives/unprotected-ot-devices.png new file mode 100644 index 0000000000..35d866a1fd Binary files /dev/null and b/defender-for-iot/media/review-security-initiatives/unprotected-ot-devices.png differ diff --git a/defender-for-iot/review-security-initiatives.md b/defender-for-iot/review-security-initiatives.md new file mode 100644 index 0000000000..c6b7b1be7b --- /dev/null +++ b/defender-for-iot/review-security-initiatives.md 
@@ -0,0 +1,80 @@ +--- +title: Review security initiatives with Microsoft Defender for IoT in the Defender portal +description: This article describes how to review security initiatives with Microsoft Defender for IoT in the Defender portal. +ms.service: defender-for-iot +author: limwainstein +ms.author: lwainstein +ms.localizationpriority: medium +ms.date: 11/17/2024 +ms.topic: how-to +--- + +# Review security initiatives + +[Security initiatives](/security-exposure-management/exposure-insights-overview#security-initiatives) offer a focused, metric-driven way of tracking exposure in specific security areas using security initiatives. + +Microsoft Defender for IoT in the Defender portal allows you to review Microsoft Security Exposure Management security initiatives dedicated to OT and enterprise IoT device protection. + +In this article, you learn how to review security initiatives so that your security teams can prioritize, discover, and validate OT-related security findings across your sites. + +[!INCLUDE [defender-iot-preview](../includes//defender-for-iot-defender-public-preview.md)] + +## OT Security initiative + +The **OT Security** initiative improves your OT site security posture by monitoring and protecting OT environments in the organization, and employing network layer monitoring. This initiative identifies devices and ensures that systems are working correctly, and data is protected. + +Your security teams can use the **OT Security** initiative to: + +- Identify unprotected devices. +- Harden posture across sites through vulnerability assessments, with actionable guidance to help remediate at-risk devices. + +## Enterprise IoT Security initiative + +The **Enterprise IoT Security** initiative allows you to identify unmanaged IoT devices and enhance your organization's security. 
With continuous monitoring, vulnerability assessments, and tailored recommendations specifically designed for enterprise IoT devices, you gain comprehensive visibility into the risks posed by these devices. This initiative not only helps you understand the potential threats but also strengthens your organization's resilience in mitigating them. + +Review the full [security initiatives catalog](/security-exposure-management/initiatives-list). + +## Prerequisites + +- Review the Defender for IoT [prerequisites](prerequisites.md). +- Review the [prerequisites for the **OT Security** initiative](#prerequisites-for-ot-security-initiative). + +### Prerequisites for OT Security initiative + +When you view the **OT security** initiative, if you haven't yet onboarded Defender for IoT and set up sites, the **More data is required to support this initiative** section is displayed. + +:::image type="content" source="media/review-security-initiatives/more-data-required.png" alt-text="Screenshot showing the **More data is required to support this initiative** section in Microsoft Defender for IoT in the Microsoft Defender portal."::: + +If the **More data is required to support this initiative** section is displayed: + +1. Review the **Unprotected OT devices** metric to understand the impact on your network. For example, the **Unprotected OT devices** metric shows 24 affected assets. + + :::image type="content" source="media/review-security-initiatives/unprotected-ot-devices.png" alt-text="Screenshot showing the Unprotected OT devices metric **Overview** tab in Microsoft Defender for IoT in the Microsoft Defender portal."::: + +1. Select **Get started with Microsoft Defender for IoT** and follow the procedure to [onboard Defender for IoT in the Defender portal](get-started.md). + +1. Select **create new sites** to [set up sites](set-up-sites.md). + +## Review initiatives + +1. 
Follow the procedure to [open the Initiatives page and review an initiative](/security-exposure-management/initiatives#view-initiatives-page). +1. For the **OT Security** initiative, if you haven't yet onboarded Defender for IoT and set up sites, the **More data is required to support this initiative** section is displayed. In this case, see the [prerequisites for the OT Security initiative](#prerequisites-for-ot-security-initiative). + +1. Review the data in the initiative page, including the initiative score, top metrics, and more (learn more about [initiatives](/security-exposure-management/exposure-insights-overview)). For example, this **OT Security** initiative page shows an initiative score of 83%, and shows that 61.9% of the detected OT devices are protected. + + :::image type="content" source="media/review-security-initiatives/ot-security-initiative.png" alt-text="Screenshot showing the OT Security initiative in Microsoft Defender for IoT in the Microsoft Defender portal." lightbox="media/review-security-initiatives/ot-security-initiative.png"::: + +1. Select the metric from the **Top metrics** area in the initiative page or from the **Related metrics** area in the small overview. + - Review the **Overview** tab to drill down into additional security data and recommendations, including the weight of the metrics, affected assets, and score impact. For example, the **Unprotected OT devices** metric shows 24 affected assets, and 3.81 score impact. + + :::image type="content" source="media/review-security-initiatives/unprotected-ot-devices.png" alt-text="Screenshot showing the Unprotected OT devices metric **Overview** tab in Microsoft Defender for IoT in the Microsoft Defender portal."::: + + - Review the recommendations in the **Security recommendations** tab. 
For example, for the **Site-linked devices using insecure protocols** metric, you're recommended to disable the Telnet administration protocol, and remove the SNMP V1 and SNMP V2 administration protocols. + + :::image type="content" source="media/review-security-initiatives/security-recommendations.png" alt-text="Screenshot showing the **Security recommendations** tab for a metric in Microsoft Defender for IoT in the Microsoft Defender portal."::: + + Learn more about [working with metrics](/security-exposure-management/exposure-insights-overview#working-with-metrics). + +## Next steps + +[Learn about vulnerabilities](discover-vulnerabilities-overview.md) or proceed to [investigate and remediate vulnerabilities](prioritize-vulnerabilities.md). \ No newline at end of file diff --git a/defender-for-iot/whats-new.md b/defender-for-iot/whats-new.md index 56a2f325e7..529d19caa8 100644 --- a/defender-for-iot/whats-new.md +++ b/defender-for-iot/whats-new.md 
@@ -16,6 +16,25 @@ This article describes features available in Microsoft Defender for IoT in the D [!INCLUDE [defender-iot-preview](../includes//defender-for-iot-defender-public-preview.md)] +## November 2024 + +|Service area |Updates | +|---------|---------| +| **OT networks** | - [Secure site-linked devices in Microsoft Security Exposure Management Initiatives page](#secure-site-linked-devices-in-microsoft-security-exposure-management-initiatives-page) | + +### Secure site-linked devices in Microsoft Security Exposure Management Initiatives page + +You can now review the new **OT Security** initiative in the Microsoft Security Exposure Management **Initiatives** page. This new initiative provides a metric-driven way of tracking exposure about unmanaged OT devices. + +:::image type="content" source="media/review-security-initiatives/ot-security-initiative.png" alt-text="Screenshot showing the OT Security initiative in Microsoft Defender for IoT in the Microsoft Defender portal." lightbox="media/review-security-initiatives/ot-security-initiative.png"::: + +This new initiative serves as a powerful tool to improve your OT site security posture. The initiative aims to monitor and safeguard OT environments within the organization by employing network layer monitoring. This initiative identifies devices and ensures that systems are working correctly, and data is protected. + +For more information, see: + +- [Review security initiatives](review-security-initiatives.md) +- [Microsoft Security Exposure Management release notes](/security-exposure-management/whats-new#ot-security-initiative). + ## September 2024 |Service area |Updates | 
@@ -24,7 +43,7 @@ This article describes features available in Microsoft Defender for IoT in the D ### Review unmanaged enterprise IoT devices in Microsoft Security Exposure Management Initiatives page -You can now review the new Enterprise IoT Security initiative in the Microsoft Security Exposure Management Initiatives page. This new initiative provides a metric-driven way of tracking exposure about unmanaged enterprise IoT devices. +You can now review the new **Enterprise IoT Security** initiative in the Microsoft Security Exposure Management **Initiatives** page. This new initiative provides a metric-driven way of tracking exposure about unmanaged enterprise IoT devices. For more information, see the [Microsoft Security Exposure Management release notes](/security-exposure-management/whats-new#new-enterprise-iot-security-initiative). diff --git a/defender-office-365/how-policies-and-protections-are-combined.md b/defender-office-365/how-policies-and-protections-are-combined.md index 0cda4e8bf9..45b8f0d7b7 100644 --- a/defender-office-365/how-policies-and-protections-are-combined.md +++ b/defender-office-365/how-policies-and-protections-are-combined.md 
@@ -68,7 +68,8 @@ There are two major factors that determine which policy is applied to a message: \* Defender for Office 365 only. - The priority order matters if you have the same recipient intentionally or unintentionally included in multiple policies, because *only* the first policy of that type (anti-spam, anti-malware, anti-phishing, etc.) is applied to that recipient, regardless of how many other policies that the recipient is included in. There's never a merging or combining of the settings in multiple policies for the recipient. The recipient is unaffected by the settings of the remaining policies of that type. + > [!IMPORTANT] + > The priority order matters if you have the same recipient intentionally or unintentionally included in multiple policies, because *only* the first policy of that type (anti-spam, anti-malware, anti-phishing, etc.) is applied to that recipient, regardless of how many other policies that the recipient is included in. There's never a merging or combining of the settings in multiple policies for the recipient. The recipient is unaffected by the settings of the remaining policies of that type. For example, the group named "Contoso Executives" is included in the following policies: diff --git a/defender-office-365/scc-permissions.md b/defender-office-365/scc-permissions.md index 046d677583..213041c20c 100644 --- a/defender-office-365/scc-permissions.md +++ b/defender-office-365/scc-permissions.md @@ -70,8 +70,8 @@ Managing permissions in Defender for Office 365 or Microsoft Purview gives users |**Compliance Manager Assessors**|Create assessments, implement improvement actions, and update test status for improvement actions.|Compliance Manager Assessment

Compliance Manager Contribution

Compliance Manager Reader

Data Connector Admin| |**Compliance Manager Contributors**|Create assessments and perform work to implement improvement actions.|Compliance Manager Contribution

Compliance Manager Reader

Data Connector Admin| |**Compliance Manager Readers**|View all Compliance Manager content except for administrator functions.|Compliance Manager Reader| -|**Content Explorer Content Viewer**|View the contents files in Content explorer.|Data Classification Content Viewer| -|**Content Explorer List Viewer**|View all items in Content explorer in list format only.|Data Classification List Viewer| +|**Content Explorer Content Viewer**|View the contents of files in content explorer, and the prompts and response in Data Security Posture Management for AI.|Data Classification Content Viewer| +|**Content Explorer List Viewer**|View all items in content explorer in list format only.|Data Classification List Viewer| |**Data Catalog Curators**|Perform create, read, modify, and delete actions on catalog data objects and establish relationships between objects.|Data Map Reader

Data Map Writer| |**Data Estate Insights Admins**|Provides admin access to all insights reports across platforms and providers.|Data Map Reader

Insights Reader

Insights Writer| |**Data Estate Insights Readers**|Provides read-only access to all insights reports across platforms and providers.|Data Map Reader

Insights Reader| @@ -108,7 +108,7 @@ Managing permissions in Defender for Office 365 or Microsoft Purview gives users |**Purview Administrators**|Create, edit, and delete domains and perform role assignments.|Admin Unit Extension Manager

Purview Domain Manager

Role Management| |**Quarantine Administrator**|Members can access all Quarantine actions. For more information, see [Manage quarantined messages and files as an admin in EOP](quarantine-admin-manage-messages-files.md)|Quarantine| |**Records Management**|Members can configure all aspects of records management, including retention labels and disposition reviews.|Disposition Management

RecordManagement

Retention Management

Scope Manager| -|**Reviewer**|Members can access review sets in [eDiscovery (Premium)](/purview/ediscovery-overview) cases. Members of this role group can see and open the list of cases on the **eDiscovery \> Advanced** page in the Microsoft Purview compliance portal that they're members of. After the user accesses an eDiscovery (Premium) case, they can select **Review sets** to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Members of this role group can only access the data in a review set.|Review| +|**Reviewer**|Members can access review sets in [eDiscovery (Premium)](/purview/ediscovery-overview) cases. Members of this role group can see and open the list of cases on the **eDiscovery > Advanced** page in the Microsoft Purview compliance portal that they're members of. After the user accesses an eDiscovery (Premium) case, they can select **Review sets** to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Members of this role group can only access the data in a review set.|Review| |**Security Administrator**|Members have access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals.

By default, this role group may not appear to have any members. However, the Security Administrator role from Microsoft Entra ID is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Microsoft Entra ID.

To manage permissions centrally, add and remove group members in the Microsoft Entra admin center. For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference). If you edit this role group in these portals (membership or roles), those changes apply only to the security and compliance areas and not to any other services.

This role group includes all of the read-only permissions of the Security reader role, plus many additional administrative permissions for the same services: Azure Information Protection, Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals.|Audit Logs

Compliance Manager Administration

Device Management

DLP Compliance Management

IB Compliance Management

Manage Alerts

Quarantine

Security Administrator

Sensitivity Label Administrator

Tag Contributor

Tag Manager

Tag Reader

View-Only Audit Logs

View-Only Device Management

View-Only DLP Compliance Management

View-Only IB Compliance Management

View-Only Manage Alerts| |**Security Operator**|Members can manage security alerts, and also view reports and settings of security features.|Compliance Search

Manage Alerts

Security Reader

Tag Contributor

Tag Reader

Tenant AllowBlockList Manager

View-Only Audit Logs

View-Only Device Management

View-Only DLP Compliance Management

View-Only IB Compliance Management

View-Only Manage Alerts| |**Security Reader**|Members have read-only access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals.

By default, this role group may not appear to have any members. However, the Security Reader role from Microsoft Entra ID is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Microsoft Entra ID.

To manage permissions centrally, add and remove group members in the Microsoft Entra admin center. For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference). If you edit this role group in the portals (membership or roles), those changes apply only to security and compliance areas and not to any other services.|Compliance Manager Reader

Security Reader

Sensitivity Label Reader

Tag Reader

View-Only Device Management

View-Only DLP Compliance Management

View-Only IB Compliance Management

View-Only Manage Alerts| diff --git a/defender-vulnerability-management/defender-vulnerability-management-faq.md b/defender-vulnerability-management/defender-vulnerability-management-faq.md index 6a7038f7eb..73ff7555b0 100644 --- a/defender-vulnerability-management/defender-vulnerability-management-faq.md +++ b/defender-vulnerability-management/defender-vulnerability-management-faq.md @@ -130,7 +130,7 @@ The [Windows authenticated scan](windows-authenticated-scan.md) deprecation proc ### Why is this product being deprecated? -The deprecation is to streamline offerings and focus on features that provide greater value to customers. This change allows our teams to allocate resources to innovations that better meet customer needs. We understand transitions can be challenging, and we're here to support you throughout the process. Let us know if you have any questions or need assistance. +We're deprecating Windows authenticated scan to allow our teams to allocate resources to other product innovations. We understand transitions can be challenging, and we're here to support you throughout the process. Let us know if you have any questions or need assistance with this change. ### When will the product be officially deprecated? diff --git a/defender-vulnerability-management/tvm-security-baselines.md b/defender-vulnerability-management/tvm-security-baselines.md index 3c3909372f..8630bd81dc 100644 --- a/defender-vulnerability-management/tvm-security-baselines.md +++ b/defender-vulnerability-management/tvm-security-baselines.md @@ -12,7 +12,7 @@ ms.collection: - Tier1 ms.topic: conceptual search.appverid: met150 -ms.date: 03/01/2023 +ms.date: 11/19/2024 --- # Security baselines assessment 
@@ -153,6 +153,108 @@ You can run advanced hunting queries on the following tables to gain visibility - **DeviceBaselineComplianceAssessment**: device compliance related information. - **DeviceBaselineComplianceAssessmentKB**: general settings for CIS and STIG benchmarks (not related to any device). +## Known issues with data collection + +We are aware of known issues affecting data collection in certain versions of the CIS, STIG, and Microsoft benchmarks. The issues might cause inaccurate or incomplete results when running tests in these versions. These issues are being actively worked on and will be resolved in future updates. + +We recommend to exclude the affected tests from the benchmark profile while running the assessment to avoid the impact of these issues. + +If your benchmark version is not listed below and you're experiencing issues, please contact [Microsoft Support](https://support.microsoft.com) to help us investigate further and assist you with a resolution. + +The following CIS, Microsoft, and STIG benchmarks are affected: + +- **CIS** + - CIS 17.1.1 + - CIS 17.2.1 + - CIS 17.3.1 to 17.3.2 + - CIS 17.5.1 to 17.5.6 + - CIS 17.6.1 to 17.6.4 + - CIS 17.7.1 to 17.7.5 + - CIS 17.8.1 + - CIS 17.9.1 to 17.9.5 + +- **CIS Checks Additions** + - CIS 2.3.7.3 to 2.3.7.5 + - CIS 2.3.10.1 + - CIS 1.1.5 + +- **Microsoft Checks** + - Microsoft 2.1 + - Microsoft 2.10 + - Microsoft 2.12 to 2.30 + - Microsoft 2.33 to 2.37 + - Microsoft 2.40 to 2.50 + - Microsoft 3.55 + - Microsoft 3.57 + - Microsoft 3.60 + - Microsoft 3.72 + +- **Microsoft Certificate Store Checks for Windows and Windows Server** + - MCS 1.1 for Windows 10 1909 (Temporary) 1.1.5 + - MCS 2.0 for Windows 10 1909 (Temporary) 1.1.5 + - MCS 1.1 for Windows 10 20H2 (Temporary) 1.1.5 + - MCS 2.0 for Windows 10 20H2 (Temporary) 1.1.5 + - MCS 2.0 for Windows 10 v21H2 1.1.5 + - MCS 2.0 for Windows 10 v22H2 1.1.5 + - MCS 2.0 for Windows 11 1.1.5 + - MCS 2.0 for Windows 11 23H2 1.1.5 + - MCS 2.0 for Windows 
Server 2022 1.1.5 + - MCS 2.0 for Windows Server 2022 Domain Controller 1.1.5 + - MCS 2.0 for Windows Server 2019 1.1.5 + - MCS 2.0 for Windows Server 2019 Domain Controller 1.1.5 + - MCS 2.0 for Windows Server 2016 1.1.5 + - MCS 2.0 for Windows Server 2016 Domain Controller 1.1.5 + - MCS 2.0 for Windows Server 2012_R2 1.1.5 + - MCS 1.1 for Windows Server 2008_R2 (Temporary) 1.1.5 + - MCS 2.0 for Windows Server 2022 Domain Controller 2.3.10.1 + - MCS 2.0 for Windows Server 2019 Domain Controller 2.3.10.1 + - MCS 2.0 for Windows Server 2016 Domain Controller 2.3.10.1 + +- **STIG List** + - STIG SV-205678r569188 + - STIG SV-220746r569187 + - STIG SV-220754r569187 + - STIG SV-220757r569187 + - STIG SV-220760r569187 + - STIG SV-220767r569187 + - STIG SV-220768r569187 + - STIG SV-220768r851975 + - STIG SV-220775r569187 + - STIG SV-220775r851978 + - STIG SV-220786r569187 + - STIG SV-220769r569187 + - STIG SV-225273r569185 + - STIG SV-225281r569185 + - STIG SV-225284r569185 + - STIG SV-225287r569185 + - STIG SV-225292r569185 + - STIG SV-225294r569185 + - STIG SV-225294r852189 + - STIG SV-225295r569185 + - STIG SV-225302r569185 + - STIG SV-225302r852194 + - STIG SV-226092r569184 + - STIG SV-226092r794343 + - STIG SV-226099r569184 + - STIG SV-226099r794279 + - STIG SV-226102r569184 + - STIG SV-226102r794335 + - STIG SV-226107r569184 + - STIG SV-226107r794336 + - STIG SV-226110r569184 + - STIG SV-226110r794366 + - STIG SV-226117r569184 + - STIG SV-226117r794356 + - STIG SV-226117r852079 + - STIG SV-226109r569184 + - STIG SV-226109r794353 + - STIG SV-226109r852074 + - STIG SV-226063r569184 + - STIG SV-226063r794292 + - STIG SV-254271r848629 + - STIG SV-224873r569186 + + ## Related articles - [Vulnerabilities in my organization](tvm-weaknesses.md) 
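Review bot: The new "Known issues with data collection" section says the issues affect "certain versions of the CIS, STIG, and Microsoft benchmarks" and introduces the list with "The following CIS, Microsoft, and STIG benchmarks are affected", but the list enumerates individual check IDs (for example `CIS 17.1.1`, `STIG SV-205678r569188`, `MCS 2.0 for Windows 11 1.1.5`), not benchmark versions; reword to "The following checks are affected" and state which benchmark version each group belongs to, otherwise readers can't tell whether their profile is affected. "We recommend to exclude the affected tests" should be "We recommend that you exclude the affected tests", and the Microsoft style convention is contractions ("We're aware", "isn't listed"). The `- **CIS Checks Additions**` group contains `CIS 1.1.5` and `CIS 2.3.7.3 to 2.3.7.5`, which look like ordinary CIS recommendation IDs rather than additions; clarify what distinguishes this group from the `- **CIS**` group above it. There are also two blank lines before `## Related articles` where the rest of the file uses one.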
diff --git a/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management.md b/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management.md index 6ad6afed28..a790ddbd88 100644 --- a/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management.md +++ b/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management.md @@ -11,7 +11,7 @@ audience: ITPro ms.collection: - m365-security ms.topic: conceptual -ms.date: 11/07/2024 +ms.date: 11/19/2024 --- # What's new in Microsoft Defender Vulnerability Management @@ -23,6 +23,7 @@ This article provides information about new features and important product updat ## November 2024 +- We are aware of issues affecting data collection in several versions of CIS, STIG, and Microsoft benchmarks. We are actively working on a fix and will provide an update when the issue is resolved. For more information, see [Known issues with data collection](tvm-security-baselines.md#known-issues-with-data-collection). - The deprecation process of the Windows authenticated scan will begin on November 2024 and concludes on November 30, 2025. For more information, see [Windows authenticated scan deprecation FAQs](defender-vulnerability-management-faq.md#windows-authenticated-scan-deprecation-faqs). ## July 2024 diff --git a/defender-xdr/TOC.yml b/defender-xdr/TOC.yml index d9c4da88ea..4c2f7b175e 100644 --- a/defender-xdr/TOC.yml +++ b/defender-xdr/TOC.yml 
@@ -305,7 +305,13 @@ - name: CloudAuditEvents href: advanced-hunting-cloudauditevents-table.md - name: CloudProcessEvents - href: advanced-hunting-cloudprocessevents-table.md + href: advanced-hunting-cloudprocessevents-table.md + - name: DeviceBaselineComplianceAssessment + href: advanced-hunting-devicebaselinecomplianceassessment-table.md + - name: DeviceBaselineComplianceAssessmentKB + href: advanced-hunting-devicebaselinecomplianceassessmentkb-table.md + - name: DeviceBaselineComplianceProfiles + href: advanced-hunting-devicebaselinecomplianceprofiles-table.md - name: DeviceEvents href: advanced-hunting-deviceevents-table.md - name: DeviceFileCertificateInfo @@ -326,6 +332,12 @@ href: advanced-hunting-deviceprocessevents-table.md - name: DeviceRegistryEvents href: advanced-hunting-deviceregistryevents-table.md + - name: DeviceTvmBrowserExtensions + href: advanced-hunting-devicetvmbrowserextensions-table.md + - name: DeviceTvmBrowserExtensionsKB + href: advanced-hunting-devicetvmbrowserextensionskb-table.md + - name: DeviceTvmCertificateInfo + href: advanced-hunting-devicetvmcertificateinfo-table.md - name: DeviceTvmHardwareFirmware href: advanced-hunting-devicetvmhardwarefirmware-table.md - name: DeviceTvmInfoGathering diff --git a/defender-xdr/activate-defender-rbac.md b/defender-xdr/activate-defender-rbac.md index b0a1f4bfdb..ce980997e1 100644 --- a/defender-xdr/activate-defender-rbac.md +++ b/defender-xdr/activate-defender-rbac.md 
@@ -29,6 +29,7 @@ search.appverid: met150 - [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212) - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management) - [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) +- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/) - [Microsoft Security Exposure Management](/security-exposure-management/) For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new [custom roles](create-custom-rbac-roles.md) or [imported roles](import-rbac-roles.md), you must activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads. diff --git a/defender-xdr/advanced-hunting-cloudauditevents-table.md b/defender-xdr/advanced-hunting-cloudauditevents-table.md index dc9a174f24..5c635881f9 100644 --- a/defender-xdr/advanced-hunting-cloudauditevents-table.md +++ b/defender-xdr/advanced-hunting-cloudauditevents-table.md @@ -21,7 +21,7 @@ ms.topic: reference ms.date: 12/29/2023 --- -# CloudAuditEvents +# CloudAuditEvents (Preview) [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] diff --git a/defender-xdr/advanced-hunting-devicebaselinecomplianceassessment-table.md b/defender-xdr/advanced-hunting-devicebaselinecomplianceassessment-table.md new file mode 100644 index 0000000000..e90629e376 --- /dev/null +++ b/defender-xdr/advanced-hunting-devicebaselinecomplianceassessment-table.md 
@@ -0,0 +1,64 @@ +--- +title: DeviceBaselineComplianceAssessment table in the advanced hunting schema +description: Learn about the baseline compliance assessment snapshot, indicating the status of various security configurations related to baseline profiles on devices in Microsoft Defender XDR. +search.appverid: met150 +ms.service: defender-xdr +ms.subservice: adv-hunting +f1.keywords: + - NOCSH +ms.author: v-sgoyagoy +author: samanthagy +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security +- tier3 +ms.custom: +- cx-ti +- cx-ah +ms.topic: reference +ms.date: 11/20/2024 +--- + +# DeviceBaselineComplianceAssessment (Preview) + +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] + + +**Applies to:** +- Microsoft Defender XDR +- Microsoft Defender for Endpoint + +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The `DeviceBaselineComplianceAssessment` table in the advanced hunting schema contains baseline compliance assessment snapshot, which indicates the status of various security configurations related to baseline profiles on devices. + +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| `DeviceId` | `string` | Unique identifier for the device in the service | +| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device | +| `OSPlatform` | `string` | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. 
| +| `OSVersion` | `string` | Version of the operating system running on the device | +| `ConfigurationId` | `string` | Unique identifier for a specific configuration | +| `ProfileId` | `string` | Unique identifier for the profile | +| `IsCompliant` | `boolean` | Indicates whether the device that initiated the event is compliant or not | +| `IsApplicable` | `boolean` | Indicates whether the configuration or policy is applicable | +| `Source` | `dynamic` | The registry path or other location used to determine the current device setting | +| `RecommendedValue` | `dynamic` | Set of expected values for the current device setting to be compliant | +| `CurrentValue` | `dynamic` | Set of detected values found on the device | +| `IsExempt` | `boolean` | Indicates whether the device is exempt from having the baseline configuration | + + +## Related topics + +- [Proactively hunt for threats](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-tables.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) + +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] \ No newline at end of file diff --git a/defender-xdr/advanced-hunting-devicebaselinecomplianceassessmentkb-table.md b/defender-xdr/advanced-hunting-devicebaselinecomplianceassessmentkb-table.md new file mode 100644 index 0000000000..64afc333de --- /dev/null +++ b/defender-xdr/advanced-hunting-devicebaselinecomplianceassessmentkb-table.md 
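Review bot: The intro sentence "contains baseline compliance assessment snapshot" is missing an article ("contains a baseline compliance assessment snapshot"), and the `IsCompliant` description "Indicates whether the device that initiated the event is compliant or not" refers to an event, but this table is a snapshot with no event columns; suggest "Indicates whether the device is compliant with the configuration identified by `ConfigurationId`". Since `ConfigurationId` and `ProfileId` are the keys into the DeviceBaselineComplianceAssessmentKB and DeviceBaselineComplianceProfiles tables added in this same change, one sentence saying so would save hunters guessing the join. Two consistency points: this file ends with "\ No newline at end of file" while the sibling new files do not, and the DVM link uses the legacy `/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt` path, whereas activate-defender-rbac.md in this same diff links `/defender-vulnerability-management/defender-vulnerability-management`; use the current path across the new table articles.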
@@ -0,0 +1,62 @@ +--- +title: DeviceBaselineComplianceAssessmentKB table in the advanced hunting schema +description: Learn about the various security configurations used by baseline compliance to assess devices in the DeviceBaselineComplianceAssessmentKB table in the advanced hunting schema. +search.appverid: met150 +ms.service: defender-xdr +ms.subservice: adv-hunting +f1.keywords: + - NOCSH +ms.author: v-sgoyagoy +author: samanthagy +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security +- tier3 +ms.custom: +- cx-ti +- cx-ah +ms.topic: reference +ms.date: 11/20/2024 +--- + +# DeviceBaselineComplianceAssessmentKB (Preview) + +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] + + +**Applies to:** +- Microsoft Defender XDR +- Microsoft Defender for Endpoint + +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The `DeviceBaselineComplianceAssessmentKB` table in the advanced hunting schema contains information about various security configurations used by baseline compliance to assess devices. + +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md). 
+ +| Column name | Data type | Description | +|-------------|-----------|-------------| +| `ConfigurationId` | `string` | Unique identifier for a specific configuration | +| `ConfigurationName` | `string` | Display name of the configuration | +| `ConfigurationDescription` | `string` | Description of the configuration | +| `ConfigurationRationale` | `string` | Description of any associated risks and rationale behind the configuration | +| `ConfigurationCategory` | `string` | Category or grouping to which the configuration belongs | +| `BenchmarkProfileLevels` | `dynamic` | List of benchmark compliance levels for which the configuration is applicable | +| `CCEReference` | `string` | Unique Common Configuration Enumeration (CCE) identifier for the configuration | +| `RemediationOptions` | `string` | Recommended actions to reduce or address any associated risks | +| `ConfigurationBenchmark` | `string` | Industry benchmark recommending the configuration | +| `Source` | `dynamic` | The registry path or other location used to determine the current device setting | +| `RecommendedValue` | `dynamic` | Set of expected values for the current device setting to be compliant | + + +## Related topics + +- [DeviceBaselineComplianceAssessment](advanced-hunting-devicebaselinecomplianceassessment-table.md) +- [Understand the schema](advanced-hunting-schema-tables.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Overview of Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) + +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] diff --git a/defender-xdr/advanced-hunting-devicebaselinecomplianceprofiles-table.md b/defender-xdr/advanced-hunting-devicebaselinecomplianceprofiles-table.md new file mode 100644 index 0000000000..e35f064db6 --- /dev/null +++ b/defender-xdr/advanced-hunting-devicebaselinecomplianceprofiles-table.md 
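Review bot: The Related topics list in this file drops "Proactively hunt for threats" and "Learn the query language", which every sibling table article in this change includes, and the last link text reads "Overview of Defender Vulnerability Management" where the others say "Overview of Microsoft Defender Vulnerability Management"; align both. On the schema itself, `BenchmarkProfileLevels` is `dynamic` (a list) while `BenchmarkProfileLevel` in DeviceBaselineComplianceProfiles is a `string`; a short note that a profile's level has to be matched against this array (rather than compared with `==`) would help, and it is worth stating that `ConfigurationId` is the key for joining to DeviceBaselineComplianceAssessment, since `Source` and `RecommendedValue` are duplicated in both tables and readers may not realize they are the same values.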
@@ -0,0 +1,64 @@ +--- +title: DeviceBaselineComplianceProfiles table in the advanced hunting schema +description: Learn about the baseline profiles used for monitoring device baseline compliance in the DeviceBaselineComplianceProfiles table in the advanced hunting schema. +search.appverid: met150 +ms.service: defender-xdr +ms.subservice: adv-hunting +f1.keywords: + - NOCSH +ms.author: v-sgoyagoy +author: samanthagy +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security +- tier3 +ms.custom: +- cx-ti +- cx-ah +ms.topic: reference +ms.date: 11/20/2024 +--- + +# DeviceBaselineComplianceProfiles (Preview) + +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] + + +**Applies to:** +- Microsoft Defender XDR +- Microsoft Defender for Endpoint + +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The `DeviceBaselineComplianceProfiles` table in the advanced hunting schema contains baseline profiles used for monitoring device baseline compliance. Use this reference to construct queries that return information from the table. + +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| `ProfileId` | `string` | Unique identifier for the profile | +| `ProfileName` | `string` | Display name of the profile | +| `ProfileDescription` | `string` | Optional description providing additional information related to the profile | +| `OSPlatform` | `dynamic` | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. 
| +| `OSVersion` | `string` | Version of the operating system running on the device | +| `BaseBenchmark` | `string` | Industry benchmark on top of which the profile was created | +| `BenchmarkVersion` | `string` | Version of the industry benchmark on top of which the profile was created | +| `BenchmarkProfileLevel` | `string` | Benchmark compliance level set for the profile | +| `Status` | `boolean` | Indicator of the profile status - can be Enabled or Disabled | +| `CreatedBy` | `string` | Identity of the user account who created the profile | +| `CreatedOn` | `datetime` | Date and time when the profile was created | +| `LastUpdatedBy` | `string` | Identity of the user account who last updated the profile | +| `LastUpdatedOn` | `datetime` | Date and time when the profile was last updated | + + +## Related topics + +- [Proactively hunt for threats](advanced-hunting-overview.md) +- [Understand the schema](advanced-hunting-schema-tables.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Overview Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) + +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] diff --git a/defender-xdr/advanced-hunting-devicetvmbrowserextensions-table.md b/defender-xdr/advanced-hunting-devicetvmbrowserextensions-table.md new file mode 100644 index 0000000000..88f3feef15 --- /dev/null +++ b/defender-xdr/advanced-hunting-devicetvmbrowserextensions-table.md 
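Review bot: `Status` is typed `boolean` but described as "can be Enabled or Disabled"; a boolean returns true/false, so either the type should be `string` or the description should say which value means enabled. `OSPlatform` is `dynamic` here but `string` in DeviceBaselineComplianceAssessment, and its description ("Platform of the operating system running on the device") is copied from the device table; for a profile this is the set of platforms the profile targets, and the type difference matters because a join on OSPlatform between the two tables needs a cast or mv-expand. Also "Overview Defender Vulnerability Management" in Related topics is missing "of", and this article, like its siblings, omits "Learn the query language" while DeviceBaselineComplianceAssessment includes it.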
@@ -0,0 +1,63 @@ +--- +title: DeviceTvmBrowserExtensions table in the advanced hunting schema +description: Learn about browser extension installations found on devices as shown in Microsoft Defender Vulnerability Management. +search.appverid: met150 +ms.service: defender-xdr +ms.subservice: adv-hunting +f1.keywords: + - NOCSH +ms.author: v-sgoyagoy +author: samanthagy +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security +- tier3 +ms.custom: +- cx-ti +- cx-ah +ms.topic: reference +ms.date: 11/20/2024 +--- + +# DeviceTvmBrowserExtensions (Preview) + +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] + +**Applies to:** +- Microsoft Defender XDR +- Microsoft Defender for Endpoint + +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +Each row in the `DeviceTvmBrowserExtensions` table contains information about browser extension installations found on devices from [Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). + +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md). 
+ +| Column name | Data type | Description | +|-------------|-----------|-------------| +| `DeviceId` | `string` | Unique identifier for the device in the service | +| `BrowserName` | `string` | Name of the web browser with the extension | +| `ExtensionId` | `string` | Unique identifier for the browser extension | +| `ExtensionName` | `string` | Name of the extension | +| `ExtensionDescription` | `string` | Description from the publisher about the extension | +| `ExtensionVersion` | `string` | Version number of the extension | +| `ExtensionRisk` | `string` | Risk level for the extension based on the permissions it has requested | +| `ExtensionVendor` | `string` | Name of the vendor offering the extension | +| `IsActivated` | `string` | Whether the extension is turned on or off on the devices | +| `InstallationTime` | `datetime` | Date and time when the browser extension was first installed | + + +## Related topics + +- [Proactively hunt for threats](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Use shared queries](advanced-hunting-shared-queries.md) +- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md) +- [Understand the schema](advanced-hunting-schema-tables.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) + +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] diff --git a/defender-xdr/advanced-hunting-devicetvmbrowserextensionskb-table.md b/defender-xdr/advanced-hunting-devicetvmbrowserextensionskb-table.md new file mode 100644 index 0000000000..2f440d21b5 --- /dev/null +++ b/defender-xdr/advanced-hunting-devicetvmbrowserextensionskb-table.md 
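Review bot: `IsActivated` is typed `string` but described as "Whether the extension is turned on or off on the devices", which reads as a boolean; either the type is wrong or the description should list the string values the column actually returns so a query can filter on them. Same remark for the DVM link: this file uses the legacy `/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt` path in both the intro and Related topics, whereas the RBAC page in this same change links `/defender-vulnerability-management/defender-vulnerability-management`.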
@@ -0,0 +1,65 @@ +--- +title: DeviceTvmBrowserExtensionsKB table in the advanced hunting schema +description: Learn about the various browser extension details and permission information used in the Microsoft Defender Vulnerability Management browser extensions page in the DeviceTvmBrowserExtensionsKB table in the advanced hunting schema. +search.appverid: met150 +ms.service: defender-xdr +ms.subservice: adv-hunting +f1.keywords: + - NOCSH +ms.author: v-sgoyagoy +author: samanthagy +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security +- tier3 +ms.custom: +- cx-ti +- cx-ah +ms.topic: reference +ms.date: 11/20/2024 +--- + +# DeviceTvmBrowserExtensionsKB (Preview) + +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] + + +**Applies to:** +- Microsoft Defender XDR +- Microsoft Defender for Endpoint + +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The `DeviceTvmBrowserExtensionsKB` table in the advanced hunting schema contains information about browser extension details and permission information used in [Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) browser extensions page. + +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md). 
+ +| Column name | Data type | Description | +|-------------|-----------|-------------| +| `BrowserName` | `string` | Name of the web browser with the extension | +| `ExtensionId` | `string` | Unique identifier for the browser extension | +| `ExtensionName` | `string` | Name of the extension | +| `ExtensionDescription` | `string` | Description from the publisher about the extension | +| `ExtensionVersion` | `dynamic` | Version number of the extension | +| `ExtensionRisk` | `string` | Risk level for the extension based on the permissions it has requested | +| `PermissionId` | `string` | Unique identifier for the permission | +| `PermissionName` | `string` | Name given to each permission based on what the extension is asking for | +| `PermissionDescription` | `string` | Explanation of what the permission is supposed to do | +| `PermissionRisk` | `string` | Risk level for the permission based on the type of access it would allow | +| `IsPermissionRequired` | `string` | Whether the permission is required for the extension to run, or optional | + + +## Related topics + +- [Proactively hunt for threats](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Use shared queries](advanced-hunting-shared-queries.md) +- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md) +- [Understand the schema](advanced-hunting-schema-tables.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) + +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] diff --git a/defender-xdr/advanced-hunting-devicetvmcertificateinfo-table.md b/defender-xdr/advanced-hunting-devicetvmcertificateinfo-table.md new file mode 100644 index 0000000000..074bd6a3bd --- /dev/null 
+++ b/defender-xdr/advanced-hunting-devicetvmcertificateinfo-table.md 
@@ -0,0 +1,68 @@ +--- +title: DeviceTvmCertificateInfo table in the advanced hunting schema +description: Learn about certificate information for devices in the organization from the DeviceTvmCertificateInfo table in the advanced hunting schema. +search.appverid: met150 +ms.service: defender-xdr +ms.subservice: adv-hunting +f1.keywords: + - NOCSH +ms.author: v-sgoyagoy +author: samanthagy +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security +- tier3 +ms.custom: +- cx-ti +- cx-ah +ms.topic: reference +ms.date: 11/20/2024 +--- + +# DeviceTvmCertificateInfo (Preview) + +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] + + +**Applies to:** +- Microsoft Defender XDR +- Microsoft Defender for Endpoint + +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The `DeviceTvmCertificateInfo` table in the advanced hunting schema contains data from [Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) related to certificate information for devices in the organization. Use this reference to construct queries that return information from the table. + +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md). 
+ +| Column name | Data type | Description | +|-------------|-----------|-------------| +| `DeviceId` | `string` | Unique identifier for the device in the service | +| `Thumbprint` | `string` | Unique identifier for the certificate | +| `Path` | `string` | The location of the certificate | +| `SerialNumber` | `string` | Unique identifier for the certificate within a certificate authority's systems | +| `IssuedTo` | `dynamic` | Entity that a certificate belongs to; can be a device, an individual, or an organization | +| `IssuedBy` | `dynamic` | Entity that verified the information and signed the certificate | +| `FriendlyName` | `string` | Easy-to-understand version of a certificate's title | +| `SignatureAlgorithm` | `string` | Hashing algorithm and encryption algorithm used | +| `KeySize` | `string` | Size of the key used in the signature algorithm | +| `ExpirationDate` | `string` | The date and time beyond which the certificate is no longer valid | +| `IssueDate` | `string` | The earliest date and time when the certificate became valid | +| `SubjectType` | `string` | Indicates if the holder of the certificate is a CA or end entity | +| `KeyUsage` | `string` | The valid cryptographic uses of the certificate's public key | +| `ExtendedKeyUsage` | `string` | Other valid uses for the certificate | + + +## Related topics + +- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Proactively hunt for threats](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Use shared queries](advanced-hunting-shared-queries.md) +- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md) +- [Understand the schema](advanced-hunting-schema-tables.md) +- [Apply query best practices](advanced-hunting-best-practices.md) + +[!INCLUDE [Microsoft Defender XDR 
rebranding](../includes/defender-m3d-techcommunity.md)] diff --git a/defender-xdr/advanced-hunting-schema-tables.md b/defender-xdr/advanced-hunting-schema-tables.md index c6f722e067..75088d70ce 100644 --- a/defender-xdr/advanced-hunting-schema-tables.md +++ b/defender-xdr/advanced-hunting-schema-tables.md @@ -18,7 +18,7 @@ ms.custom: - cx-ti - cx-ah ms.topic: reference -ms.date: 04/22/2024 +ms.date: 11/20/2024 --- # Understand the advanced hunting schema 
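Review bot: `ExpirationDate` and `IssueDate` are typed `string` even though both are described as "date and time", while DeviceBaselineComplianceProfiles in this same change uses `datetime` for `CreatedOn`/`LastUpdatedOn`; if these really are strings, the most common query on this table (certificates expiring in the next N days) needs `todatetime()`, so document the format, and the same applies to `KeySize` (`string`), which hunters will want to compare numerically against a minimum such as 2048. The `SignatureAlgorithm` description "Hashing algorithm and encryption algorithm used" is imprecise: the second component is the signing algorithm (RSA, ECDSA and so on), not encryption; suggest "Hash and signature algorithm used to sign the certificate". Finally, since DeviceFileCertificateInfo already exists with overlapping columns (Thumbprint, IssuedTo, IssuedBy, signature algorithm) and is described in the schema list as certificate information of signed files obtained from verification events, one sentence distinguishing that table from this one (certificates present on the device) and a cross-link would prevent hunters querying the wrong table.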
@@ -61,8 +61,11 @@ The following reference lists all the tables in the schema. Each table name link | **[BehaviorEntities](advanced-hunting-behaviorentities-table.md)** (Preview) | Behavior data types in Microsoft Defender for Cloud Apps (not available for GCC) | | **[BehaviorInfo](advanced-hunting-behaviorinfo-table.md)** (Preview) | Alerts from Microsoft Defender for Cloud Apps (not available for GCC) | | **[CloudAppEvents](advanced-hunting-cloudappevents-table.md)** | Events involving accounts and objects in Office 365 and other cloud apps and services | -| **[CloudAuditEvents](advanced-hunting-cloudauditevents-table.md)** (Preview) | Cloud audit events for various cloud platforms protected by the organization's Microsoft Defender for Cloud | +| **[CloudAuditEvents](advanced-hunting-cloudauditevents-table.md)** (Preview)| Cloud audit events for various cloud platforms protected by the organization's Microsoft Defender for Cloud | | **[CloudProcessEvents](advanced-hunting-cloudprocessevents-table.md)** (Preview)| Cloud process events for various cloud platforms protected by the organization's Microsoft Defender for Containers | +| **[DeviceBaselineComplianceAssessment](advanced-hunting-devicebaselinecomplianceassessment-table.md)** (Preview) | Baseline compliance assessment snapshot, which indicates the status of various security configurations related to baseline profiles on devices | +| **[DeviceBaselineComplianceAssessmentKB](advanced-hunting-devicebaselinecomplianceassessmentkb-table.md)** (Preview) | Information about various security configurations used by baseline compliance to assess devices | +| **[DeviceBaselineComplianceProfiles](advanced-hunting-devicebaselinecomplianceprofiles-table.md)** (Preview) | Baseline profiles used for monitoring device baseline compliance | | **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit 
protection | | **[DeviceFileCertificateInfo](advanced-hunting-DeviceFileCertificateInfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints | | **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events | 
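Review bot: The CloudAuditEvents row in this hunk is a whitespace-only change ("(Preview) |" becomes "(Preview)|"), which adds diff noise and also makes that row inconsistent with the surrounding rows and with the three new DeviceBaselineCompliance* rows, all of which keep "(Preview) |"; either drop the change or standardize the spacing for the whole table in one pass. The three new row descriptions read fine and match the intros of the corresponding new articles.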
@@ -73,6 +76,9 @@ The following reference lists all the tables in the schema. Each table name link | **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains | | **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events | | **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | Creation and modification of registry entries | +| **[DeviceTvmBrowserExtensions](advanced-hunting-devicetvmbrowserextensions-table.md)** (Preview)| Browser extension installations found on devices from Microsoft Defender Vulnerability Management | +| **[DeviceTvmBrowserExtensionsKB](advanced-hunting-devicetvmbrowserextensionskb-table.md)** (Preview)| Browser extension details and permission information used in the Microsoft Defender Vulnerability Management browser extensions page| +| **[DeviceTvmCertificateInfo](advanced-hunting-devicetvmcertificateinfo-table.md)** (Preview)| Certificate information for devices in the organization from Microsoft Defender Vulnerability Management | | **[DeviceTvmHardwareFirmware](advanced-hunting-devicetvmhardwarefirmware-table.md)** | Hardware and firmware information of devices as checked by Defender Vulnerability Management | | **[DeviceTvmInfoGathering](advanced-hunting-devicetvminfogathering-table.md)** | Defender Vulnerability Management assessment events including configuration and attack surface area states | | **[DeviceTvmInfoGatheringKB](advanced-hunting-devicetvminfogatheringkb-table.md)** | Metadata for assessment events collected in the `DeviceTvmInfogathering` table| diff --git a/defender-xdr/advanced-hunting-security-copilot.md b/defender-xdr/advanced-hunting-security-copilot.md index ad8904dc66..24b1f016ae 100644 --- a/defender-xdr/advanced-hunting-security-copilot.md +++ b/defender-xdr/advanced-hunting-security-copilot.md 
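Review bot: The three new DeviceTvm* rows use "(Preview)|" with no space before the pipe, while the DeviceBaselineCompliance* rows added earlier in this same file use "(Preview) |"; pick one form. Drive-by in the trailing context line: "collected in the `DeviceTvmInfogathering` table" has the wrong casing for `DeviceTvmInfoGathering`, which is worth fixing while this table is being edited.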
@@ -1,6 +1,6 @@ --- -title: Microsoft Copilot for Security in advanced hunting -description: Learn how Microsoft Copilot for Security advanced hunting (NL2KQL) plugin can generate a KQL query for you. +title: Microsoft Security Copilot in advanced hunting +description: Learn how Microsoft Security Copilot advanced hunting (NL2KQL) plugin can generate a KQL query for you. search.appverid: met150 ms.service: defender-xdr ms.subservice: adv-hunting 
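Review bot: The new description "Learn how Microsoft Security Copilot advanced hunting (NL2KQL) plugin can generate a KQL query for you" is missing "the" before "Microsoft Security Copilot advanced hunting (NL2KQL) plugin"; the rename itself is consistent with the other files in this change.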
@@ -27,22 +27,30 @@ appliesto: - Microsoft Sentinel in the Microsoft Defender portal --- -# Microsoft Copilot for Security in advanced hunting +# Microsoft Security Copilot in advanced hunting -[Microsoft Copilot for Security in Microsoft Defender](security-copilot-in-microsoft-365-defender.md) comes with a query assistant capability in advanced hunting. -Threat hunters or security analysts who aren't yet familiar with or have yet to learn KQL can make a request or ask a question in natural language (for instance, *Get all alerts involving user admin123*). Copilot for Security then generates a KQL query that corresponds to the request using the advanced hunting data schema. +**Applies to:** + +- Microsoft Defender +- Microsoft Defender XDR + +## Security Copilot in advanced hunting + +[Microsoft Security Copilot in Microsoft Defender](security-copilot-in-microsoft-365-defender.md) comes with a query assistant capability in advanced hunting. + +Threat hunters or security analysts who aren't yet familiar with or have yet to learn KQL can make a request or ask a question in natural language (for instance, *Get all alerts involving user admin123*). Security Copilot then generates a KQL query that corresponds to the request using the advanced hunting data schema. This feature reduces the time it takes to write a hunting query from scratch so that threat hunters and security analysts can focus on hunting and investigating threats. -Users with access to Copilot for Security have access to this capability in advanced hunting. +Users with access to Security Copilot have access to this capability in advanced hunting. > [!NOTE] -> The advanced hunting capability is also available in the Copilot for Security standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins). 
+> The advanced hunting capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). ## Try your first request -1. Open the **advanced hunting** page from the navigation bar in the Microsoft Defender portal. The Copilot for Security side pane for advanced hunting appears at the right hand side. +1. Open the **advanced hunting** page from the navigation bar in Microsoft Defender XDR. The Security Copilot side pane for advanced hunting appears at the right hand side. :::image type="content" source="/defender/media/advanced-hunting-security-copilot-pane.png" alt-text="Screenshot of the Copilot pane in advanced hunting." lightbox="/defender/media/advanced-hunting-security-copilot-pane-big.png"::: 
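Review bot: The new inline "**Applies to:**" list (Microsoft Defender, Microsoft Defender XDR) overlaps with the front-matter `appliesto:` block visible in the hunk context, which lists "Microsoft Sentinel in the Microsoft Defender portal"; keep one mechanism, and if Sentinel in the portal applies (the NOTE added later in this change says Copilot generates queries for Sentinel tables in the unified portal) it should appear in the inline list too. The added `## Security Copilot in advanced hunting` heading restates the H1 and is the only H2 before "Try your first request", so it reads as a redundant level; drop it. Step 1 now says "from the navigation bar in Microsoft Defender XDR" in place of "in the Microsoft Defender portal"; the portal is the UI surface and the rest of the page still says "Microsoft Defender portal", so this looks like a regression rather than part of the rename. In the retained NOTE, "Know more about" should be "Learn more about".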
@@ -51,11 +59,11 @@ Users with access to Copilot for Security have access to this capability in adva - :::image type="content" source="/defender/media/advanced-hunting-security-copilot-query.png" alt-text="Screenshot that shows prompt bar in the Copilot for Security for advanced hunting." lightbox="/defender/media/advanced-hunting-security-copilot-query-big.png"::: + :::image type="content" source="/defender/media/advanced-hunting-security-copilot-query.png" alt-text="Screenshot that shows prompt bar in the Security Copilot for advanced hunting." lightbox="/defender/media/advanced-hunting-security-copilot-query-big.png"::: 1. Copilot generates a KQL query from your text instruction or question. While Copilot is generating, you can cancel the query generation by selecting **Stop generating**. - ![Screenshot of Copilot for Security in advanced hunting generating a response.](/defender/media/advanced-hunting-security-copilot-generate.png) + ![Screenshot of Security Copilot in advanced hunting generating a response.](/defender/media/advanced-hunting-security-copilot-generate.png) 1. Review the generated query. You can then choose to run the query by selecting **Add and run**. @@ -66,7 +74,7 @@ Users with access to Copilot for Security have access to this capability in adva If you need to make further tweaks, select **Add to editor**. - ![Screenshot of Copilot for Security in advanced hunting showing the Add to editor option.](/defender/media/advanced-hunting-security-copilot-add-editor.png) + ![Screenshot of Security Copilot in advanced hunting showing the Add to editor option.](/defender/media/advanced-hunting-security-copilot-add-editor.png) The generated query appears in the query editor as the last query, where you can edit it before running using the regular **Run query** above the query editor. 
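Review bot: The updated alt text "Screenshot that shows prompt bar in the Security Copilot for advanced hunting" should drop "the" before "Security Copilot" (and add it before "prompt bar"); the other alt-text renames in this hunk are fine.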
@@ -75,10 +83,11 @@ Users with access to Copilot for Security have access to this capability in adva > [!TIP] -> Providing feedback is an important way to let the Copilot for Security team know how well the query assistant was able to help in generating a useful KQL query. Feel free to articulate what could have made the query better, what adjustments you had to make before running the generated KQL query, or share the KQL query that you eventually used. +> Providing feedback is an important way to let the Security Copilot team know how well the query assistant was able to help in generating a useful KQL query. Feel free to articulate what could have made the query better, what adjustments you had to make before running the generated KQL query, or share the KQL query that you eventually used. -In the [Microsoft Defender portal](advanced-hunting-microsoft-defender.md), you can prompt Copilot for Security to generate advanced hunting queries for both Defender XDR and Microsoft Sentinel tables. Not all Microsoft Sentinel tables are currently supported, but support for these tables can be expected in the future. +> [!NOTE] +> In the [unified Microsoft Defender portal](advanced-hunting-microsoft-defender.md), you can prompt Security Copilot to generate advanced hunting queries for both Defender XDR and Microsoft Sentinel tables. Not all Microsoft Sentinel tables are currently supported, but support for these tables can be expected in the future. ## Query sessions 
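Review bot: Moving the Sentinel-tables paragraph into a NOTE is fine, but the retained sentence "support for these tables can be expected in the future" is a forward-looking commitment that docs normally avoid; either link to the list of supported Sentinel tables or cut that sentence and leave the factual statement that not all Sentinel tables are currently supported.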
@@ -86,12 +95,12 @@ You can start your first session anytime by asking a question in the Copilot sid Select the chat bubble icon (**New chat**) to discard the current session. - ![Screenshot of Copilot for Security in advanced hunting showing the new chat icon.](/defender/media/advanced-hunting-security-copilot-clear-session.png) + ![Screenshot of Security Copilot in advanced hunting showing the new chat icon.](/defender/media/advanced-hunting-security-copilot-clear-session.png) ## Modify settings Select the ellipses in the Copilot side pane to choose whether or not to automatically add and run the generated query in advanced hunting. - ![Screenshot of Copilot for Security in advanced hunting showing the settings ellipses icon.](/defender/media/advanced-hunting-security-copilot-settings.png) + ![Screenshot of Security Copilot in advanced hunting showing the settings ellipses icon.](/defender/media/advanced-hunting-security-copilot-settings.png) Deselecting the **Run generated query automatically** setting gives you the option of running the generated query automatically (**Add and run**) or adding the generated query to the query editor for further modification (**Add to editor**). diff --git a/defender-xdr/copilot-in-defender-device-summary.md b/defender-xdr/copilot-in-defender-device-summary.md index 4866de6822..e1c5fa53ea 100644 --- a/defender-xdr/copilot-in-defender-device-summary.md +++ b/defender-xdr/copilot-in-defender-device-summary.md 
@@ -18,37 +18,37 @@ ms.topic: conceptual search.appverid: - MOE150 - MET150 -ms.date: 10/04/2024 +ms.date: 11/18/2024 appliesto: - Microsoft Defender XDR -- Microsoft Sentinel in the Microsoft Defender portal +- Microsoft Sentinel with Defender XDR in the Microsoft Defender portal --- # Summarize device information with Microsoft Copilot in Microsoft Defender [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] -[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal helps security teams in speeding up device inspection through AI-powered investigation capabilities. +[Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal helps security teams in speeding up device inspection through AI-powered investigation capabilities. ## Know before you begin -If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles: +If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles: -- [What is Copilot for Security?](/security-copilot/microsoft-security-copilot) -- [Copilot for Security experiences](/security-copilot/experiences-security-copilot) -- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot) -- [Understand authentication in Copilot for Security](/security-copilot/authentication) -- [Prompting in Copilot for Security](/security-copilot/prompting-security-copilot) +- [What is Security Copilot?](/security-copilot/microsoft-security-copilot) +- [Security Copilot experiences](/security-copilot/experiences-security-copilot) +- [Get started with Security Copilot](/security-copilot/get-started-security-copilot) +- [Understand authentication in Security Copilot](/security-copilot/authentication) +- [Prompting in Security Copilot](/security-copilot/prompting-security-copilot) Security operations teams are tasked 
to sift through device data to find suspicious activities or entities to prevent malicious attacks. These teams need to summarize large amounts of data and simplify complex information to quickly assess, triage, and connect a device's status and activities to potentially malicious attacks. The device summary capability of Copilot in Defender enables security teams to get a device's security posture, vulnerable software information, and any unusual behaviors. Security analysts can use a device's summary to speed up their investigation of incidents and alerts. -## Copilot for Security integration in Microsoft Defender +## Security Copilot integration in Microsoft Defender -The device summary capability is available in the Microsoft Defender portal for customers who have provisioned access to Copilot for Security. +The device summary capability is available in the Microsoft Defender portal for customers who have provisioned access to Security Copilot. -This capability is also available in the Copilot for Security standalone portal through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins). +This capability is also available in the Security Copilot standalone portal through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). ## Key features 
@@ -75,16 +75,16 @@ You can access the device summary capability through the following ways: :::image type="content" source="/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets-small.png" alt-text="Screenshot highlighting the device summary option in the assets tab of an incident page in Copilot in Defender." lightbox="/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets.png"::: -Review the results of the device summary. You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the device summary card. +Review the results of the device summary. You can copy the results to clipboard, regenerate the results, or open the Security Copilot portal by selecting the More actions ellipsis (...) on top of the device summary card. ## Sample device summary prompt -In the Copilot for Security standalone portal, you can use the following prompt to generate a device summary: +In the Security Copilot standalone portal, you can use the following prompt to generate a device summary: - *Summarize device information in Defender incident {incident number.* > [!TIP] -> When investigating devices in the Copilot for Security portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the device summary capability delivers the results. +> When investigating devices in the Security Copilot portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the device summary capability delivers the results. ## Provide feedback 
@@ -92,7 +92,7 @@ Your feedback helps improve the quality of the results generated by Copilot. You ## See also -- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) -- [Privacy and data security in Copilot for Security](/copilot/security/privacy-data-security) +- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot) +- [Privacy and data security in Security Copilot](/copilot/security/privacy-data-security) [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] diff --git a/defender-xdr/copilot-in-defender-file-analysis.md b/defender-xdr/copilot-in-defender-file-analysis.md index 235a8e9c06..d7f85290a1 100644 --- a/defender-xdr/copilot-in-defender-file-analysis.md +++ b/defender-xdr/copilot-in-defender-file-analysis.md @@ -18,7 +18,7 @@ ms.topic: conceptual search.appverid: - MOE150 - MET150 -ms.date: 10/04/2024 +ms.date: 11/18/2024 appliesto: - Microsoft Defender XDR - Microsoft Sentinel in the Microsoft Defender portal 
@@ -28,27 +28,27 @@ appliesto: [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] -[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal enables security teams to quickly identify malicious and suspicious files through AI-powered file analysis capabilities. +[Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal enables security teams to quickly identify malicious and suspicious files through AI-powered file analysis capabilities. ## Know before you begin -If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles: +If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles: -- [What is Copilot for Security?](/security-copilot/microsoft-security-copilot) -- [Copilot for Security experiences](/security-copilot/experiences-security-copilot) -- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot) -- [Understand authentication in Copilot for Security](/security-copilot/authentication) -- [Prompting in Copilot for Security](/security-copilot/prompting-security-copilot) +- [What is Security Copilot?](/security-copilot/microsoft-security-copilot) +- [Security Copilot experiences](/security-copilot/experiences-security-copilot) +- [Get started with Security Copilot](/security-copilot/get-started-security-copilot) +- [Understand authentication in Security Copilot](/security-copilot/authentication) +- [Prompting in Security Copilot](/security-copilot/prompting-security-copilot) Security operations teams tracking and resolving attacks need tools and techniques to quickly analyze potentially malicious files. Sophisticated attacks often use files that mimic legitimate or system files to avoid detection. 
In addition, new-to-the-field security analysts might require time and gain significant experience to use available analysis tools and techniques. The file analysis capability of Copilot in Defender reduces the barrier to learning file analysis by immediately delivering reliable and complete file investigation results. This capability empowers security analysts from all levels to complete their investigation with a shorter turnaround time. The report includes an overview of the file, details of the file's contents, and a summary of the file's assessment. -## Copilot for Security integration in Microsoft Defender +## Security Copilot integration in Microsoft Defender -The file analysis capability is available in Microsoft Defender for customers who have provisioned access to Copilot for Security. +The file analysis capability is available in Microsoft Defender for customers who have provisioned access to Security Copilot. -Copilot for Security standalone portal users also have the file analysis capability and other Defender XDR capabilities through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins). +Security Copilot standalone portal users also have the file analysis capability and other Defender XDR capabilities through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). ## Key features 
@@ -71,16 +71,16 @@ You can access the file analysis capability through the following ways: Select a file to investigate, then select **Analyze** on the side pane to begin analysis. The results are then displayed on the Copilot pane. :::image type="content" source="/defender/media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-file-pane-small.png" alt-text="Screenshot of the incident page with the file analysis button highlighted." lightbox="/defender/media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-file-pane.png"::: -You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the file analysis card. +You can copy the results to clipboard, regenerate the results, or open the Security Copilot portal by selecting the More actions ellipsis (...) on top of the file analysis card. ## Sample file analysis prompt -In the Copilot for Security standalone portal, you can use the following prompt to generate a device summary: +In the Security Copilot standalone portal, you can use the following prompt to generate a device summary: - *Tell me about the files in Defender incident {incident number). Which files are malicious?* > [!TIP] -> When investigating files in the Copilot for Security portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the file analysis capability delivers the results. +> When investigating files in the Security Copilot portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the file analysis capability delivers the results. ## Provide feedback 
@@ -88,7 +88,7 @@ Always review the results generated by Copilot in Defender. Your feedback helps ## See also -- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) -- [Privacy and data security in Copilot for Security](/copilot/security/privacy-data-security) +- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot) +- [Privacy and data security in Security Copilot](/copilot/security/privacy-data-security) [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] diff --git a/defender-xdr/custom-detection-rules.md b/defender-xdr/custom-detection-rules.md index c8345eb026..6faa318fd7 100644 --- a/defender-xdr/custom-detection-rules.md +++ b/defender-xdr/custom-detection-rules.md @@ -58,7 +58,7 @@ To manage required permissions, a Global Administrator can: - Check RBAC settings for Microsoft Defender for Endpoint in [Microsoft Defender XDR](https://security.microsoft.com/) under **Settings** \> **Permissions** > **Roles**. Select the corresponding role to assign the **manage security settings** permission. > [!NOTE] -> A user also needs to have the appropriate permissions for the devices in the [device scope](#5-set-the-rule-scope) of a custom detection rule that they are creating or editing before they can proceed. A user can't edit a custom detection rule that is scoped to run on all devices, if the same user does not permissions for all devices. +> A user also needs to have the appropriate permissions for the devices in the [device scope](#5-set-the-rule-scope) of a custom detection rule that they are creating or editing before they can proceed. A user can't edit a custom detection rule that is scoped to run on all devices, if the same user does not have permissions for all devices. ## Create a custom detection rule 
@@ -143,10 +143,20 @@ When you edit a rule, it will run with the applied changes in the next run time ##### Continuous (NRT) frequency -Setting a custom detection to run in Continuous (NRT) frequency allows you to increase your organization's ability to identify threats faster. +Setting a custom detection to run in Continuous (NRT) frequency allows you to increase your organization's ability to identify threats faster. Using the Continuous (NRT) frequency has minimal to no impact to your resource usage and should thus be considered for any qualified custom detection rule in your organization. -> [!NOTE] -> Using the Continuous (NRT) frequency has minimal to no impact to your resource usage and should thus be considered for any qualified custom detection rule in your organization. +From the custom detection rules page, you can migrate custom detections rules that fit the Continuous (NRT) frequency with a single button, **Migrate now**: + +:::image type="content" source="media/custom-detection-migrate-now.png" alt-text="Screenshot of the migrate now button in advanced hunting." lightbox="media/custom-detection-migrate-now.png"::: + + +Selecting **Migrate now** gives you a list of all compatible rules according to their KQL query. You can choose to migrate all or selected rules only according to your preferences: + +:::image type="content" source="media/custom-detection-compatible-queries.png" alt-text="Screenshot of the continuous frequency compatible queries in advanced hunting." lightbox="media/custom-detection-compatible-queries.png"::: + + +Once you click **Save**, the selected rules' frequency gets updated to Continuous (NRT) frequency. + ###### Queries you can run continuously 
@@ -219,8 +229,7 @@ These actions are applied to devices in the `DeviceId` column of the query resul - Select **Disable user** to temporarily prevent a user from logging in. - Select **Force password reset** to prompt the user to change their password on the next sign in session. - -Both the `Disable user` and `Force password reset` options require the user SID, which are in the columns `AccountSid`, `InitiatingProcessAccountSid`, `RequestAccountSid`, and `OnPremSid`. +- Both the `Disable user` and `Force password reset` options require the user SID, which are in the columns `AccountSid`, `InitiatingProcessAccountSid`, `RequestAccountSid`, and `OnPremSid`. For more details on user actions, read [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions). @@ -253,7 +262,7 @@ Only data from devices in the scope will be queried. Also, actions are taken onl After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions. > [!IMPORTANT] -> Custom detections should be regularly reviewed for efficiency and effectiveness. To make sure you are creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in [Manage existing custom detect ion rules](#manage-existing-custom-detection-rules). +> Custom detections should be regularly reviewed for efficiency and effectiveness. To make sure you are creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in [Manage existing custom detection rules](#manage-existing-custom-detection-rules). > > You maintain control over the broadness or specificity of your custom detections so any false alerts generated by custom detections might indicate a need to modify certain parameters of the rules. 
diff --git a/defender-xdr/image-1.png b/defender-xdr/image-1.png new file mode 100644 index 0000000000..c0e558bb4e Binary files /dev/null and b/defender-xdr/image-1.png differ diff --git a/defender-xdr/image.png b/defender-xdr/image.png new file mode 100644 index 0000000000..c0e558bb4e Binary files /dev/null and b/defender-xdr/image.png differ diff --git a/defender-xdr/investigate-incidents.md b/defender-xdr/investigate-incidents.md index 64da981ef0..d68759e894 100644 --- a/defender-xdr/investigate-incidents.md +++ b/defender-xdr/investigate-incidents.md @@ -16,8 +16,8 @@ ms.topic: conceptual search.appverid: - MOE150 - MET150 -ms.date: 11/13/2024 -appliesto: +ms.date: 11/19/2024 +appliesto: - Microsoft Defender XDR - Microsoft Sentinel in the Microsoft Defender portal --- 
@@ -38,13 +38,14 @@ You can start by selecting the incident from the check mark column. Here's an ex :::image type="content" source="/defender/media/investigate-incidents/incidents-ss-incident-select.png" alt-text="Selecting an incident in the Microsoft Defender portal" lightbox="/defender/media/investigate-incidents/incidents-ss-incident-select.png"::: -When you do, a summary pane opens with key information about the incident, such as severity, to whom it is assigned, and the [MITRE ATT&CK™](https://attack.mitre.org/) categories for the incident. Here's an example. +When you do, a summary pane opens with key information about the incident, like the incident's details, recommended actions, and related threats. Here's an example. -:::image type="content" source="/defender/media/investigate-incidents/incidents-ss-incident-side-panel.png" alt-text="The pane that displays the summary details for an incident in the Microsoft Defender portal." lightbox="/defender/media/investigate-incidents/incidents-ss-incident-side-panel.png"::: +:::image type="content" source="/defender/media/investigate-incidents/incident-pane-small.png" alt-text="The pane that displays the summary details for an incident in the Microsoft Defender portal." lightbox="/defender/media/investigate-incidents/incident-pane.png"::: -From here, you can select **Open incident page**. This opens the main page for the incident where you'll find the full attack story information and tabs for alerts, devices, users, investigations, and evidence. +From here, you can select **Open incident page**. This opens the main page for the incident where you'll find the full attack story information and tabs for alerts, devices, users, investigations, and evidence. You can also open the main page for an incident by selecting the incident name from the incident queue. -You can also open the main page for an incident by selecting the incident name from the incident queue. 
+> [!NOTE] +> Users with provisioned access to Microsoft Security Copilot will see the Copilot pane on the right side of the screen when they open an incident. Copilot provides real-time insights and recommendations to help you investigate and respond to incidents. For more information, see [Microsoft Copilot in Microsoft Defender](security-copilot-in-microsoft-365-defender.md). ## Attack story @@ -81,7 +82,7 @@ From the graph, you can: - Highlight the alerts based on the entity to which they are related. -- Hunt for entity information of a device, file, IP address, or URL. +- Hunt for entity information of a device, file, IP address, URL, user, email, mailbox, or cloud resource. ### Go hunt 
@@ -98,43 +99,46 @@ The resulting logs or alerts can be linked to an incident by selecting a results :::image type="content" source="/defender/media/investigate-incidents/fig2-gohunt-attackstory.png" alt-text="Highlighting the link to incident option in go hunt query results" lightbox="/defender/media/investigate-incidents/fig2-gohunt-attackstory.png"::: If the incident or related alerts were the result of an analytics rule you've set, you can also select ***Run query*** to see other related results. - -## Summary -Use the **Summary** page to assess the relative importance of the incident and quickly access the associated alerts and impacted entities. The **Summary** page gives you a snapshot glance at the top things to notice about the incident. +> [!IMPORTANT] +> Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here. -:::image type="content" source="/defender/media/incidents-overview/incidents-investigate-summary.png" alt-text="Screenshot that shows the summary information for an incident in the Microsoft Defender portal." lightbox="/defender/media/incidents-overview/incidents-investigate-summary.png"::: +### Attack paths -Information is organized in these sections. +The incident graph also contains information about **attack paths**. These paths allows security analysts to identify what other entities an attacker is likely to target next. To view an attack path, you can click on an entity in the incident graph and select **Show attack paths**. Attack paths are available for entities with the **critical asset** tag. -| Section | Description | -|:-------|:-----| -| Alerts and categories | A visual and numeric view of how advanced the attack has progressed against the kill chain. 
As with other Microsoft security products, Microsoft Defender XDR is aligned to the [MITRE ATT&CK™](https://attack.mitre.org/) framework. The alerts timeline shows the chronological order in which the alerts occurred and for each, their status and name. | -| Scope | Displays the number of impacted devices, users, and mailboxes and lists the entities in order of risk level and investigation priority. | -| Evidence | Displays the number of entities affected by the incident. | -| Incident information | Displays the properties of the incident, such as tags, status, and severity. | -||| +:::image type="content" source="/defender/media/investigate-incidents/attack-path-small.png" alt-text="Highlighting the Show attack paths action in the incident graph." lightbox="/defender/media/investigate-incidents/attack-path.png"::: + +Upon selecting **Show attack paths**, a side pane opens, displaying a list of attack paths for the selected entity. The attack paths are displayed in a table format, showing the attack path name, entry point, entry point type, target, target type, the target criticality. + +Selecting an attack path from the list displays the attack path graph, which shows the attack path from the entry point to the target. Selecting **View map** opens a new window to view the attack path in full. + +:::image type="content" source="/defender/media/investigate-incidents/attack-path-pane-small.png" alt-text="An example of the attack path graph shown in the side pane." lightbox="/defender/media/investigate-incidents/attack-path-pane.png"::: + +> [!NOTE] +> To view the details of an attack path, you must have read access permissions in the Microsoft Defender portal and the license for [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management).

+> To view attack path details in the unified security operations platform, a *Sentinel Reader* role is required. To create new attack paths, the Security Administrator role is required. ## Alerts -On the **Alerts** tab, you can view the alert queue for alerts related to the incident and other information about them such as: +On the **Alerts** tab, you can view the alert queue for alerts related to the incident and other information about them like the following: -- Severity. +- Severity of the alerts. - The entities that were involved in the alert. - The source of the alerts (Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Defender for Cloud Apps, and the app governance add-on). - The reason they were linked together. Here's an example. -:::image type="content" source="/defender/media/investigate-incidents/incident-alerts.png" alt-text="The Alerts pane for an incident in the Microsoft Defender portal" lightbox="/defender/media/investigate-incidents/incident-alerts.png"::: +:::image type="content" source="/defender/media/investigate-incidents/incident-page-alerts-small.png" alt-text="The Alerts pane for an incident in the Microsoft Defender portal" lightbox="/defender/media/investigate-incidents/incident-page-alerts.png"::: By default, the alerts are ordered chronologically to allow you to see how the attack played out over time. When you select an alert within an incident, Microsoft Defender XDR displays the alert information specific to the context of the overall incident. -You can see the events of the alert, which other triggered alerts caused the current alert, and all the affected entities and activities involved in the attack, including devices, files, users, and mailboxes. +You can see the events of the alert, which other triggered alerts caused the current alert, and all the affected entities and activities involved in the attack, including devices, files, users, cloud apps, and mailboxes. 
Here's an example. -:::image type="content" source="/defender/media/investigate-incidents/incident-alert-example.png" alt-text="The details of an alert within an incident in the Microsoft Defender portal." lightbox="/defender/media/investigate-incidents/incident-alert-example.png"::: +:::image type="content" source="/defender/media/investigate-incidents/incident-alert-page-small.png" alt-text="The details of an alert within an incident in the Microsoft Defender portal." lightbox="/defender/media/investigate-incidents/incident-alert-page.png"::: Learn how to use the alert queue and alert pages in [investigate alerts](investigate-alerts.md). @@ -144,7 +148,7 @@ Easily view and manage all your assets in one place with the new **Assets** tab. The Assets tab displays the total number of assets beside its name. A list of different categories with the number of assets within that category is presented when selecting the Assets tab. -:::image type="content" source="/defender/media/investigate-incidents/incident-assets.png" alt-text="The Assets page for an incident in the Microsoft Defender portal" lightbox="/defender/media/investigate-incidents/incident-assets.png"::: +:::image type="content" source="/defender/media/investigate-incidents/incident-assetstab-small.png" alt-text="The Assets page for an incident in the Microsoft Defender portal" lightbox="/defender/media/investigate-incidents/incident-assetstab.png"::: ### Devices 
@@ -158,12 +162,7 @@ You can select the check mark for a device to see details of the device, directo :::image type="content" source="/defender/media/investigate-incidents/incident-devicebar.png" alt-text="The Devices options in the Assets page in the Microsoft Defender portal." lightbox="/defender/media/investigate-incidents/incident-devicebar.png"::: -From the device page, you can gather additional information about the device, such as all of its alerts, a timeline, and security recommendations. For example, from the **Timeline** tab, you can scroll through the device timeline and view all events and behaviors observed on the machine in chronological order, interspersed with the alerts raised. Here's an example - -:::image type="content" source="/defender/media/investigate-incidents/incident-devices-details.png" alt-text="The details of a device in the Device page in the Microsoft Defender portal." lightbox="/defender/media/investigate-incidents/incident-devices-details.png"::: - -> [!TIP] -> You can do on-demand scans on a device page. In the Microsoft Defender portal, choose **Endpoints > Device inventory**. Select a device that has alerts, and then run an antivirus scan. Actions, such as antivirus scans, are tracked and are visible on the **Device inventory** page. To learn more, see [Run Microsoft Defender Antivirus scan on devices](/defender-endpoint/respond-machine-alerts#run-microsoft-defender-antivirus-scan-on-devices). +From the device page, you can gather additional information about the device, such as all of its alerts, a timeline, and security recommendations. For example, from the **Timeline** tab, you can scroll through the device timeline and view all events and behaviors observed on the machine in chronological order, interspersed with the alerts raised. ### Users 
@@ -189,15 +188,23 @@ The **Apps** view lists all the apps identified to be part of or related to the :::image type="content" source="/defender/media/investigate-incidents/incident-apps.png" alt-text="The Apps page for an incident in the Microsoft Defender portal." lightbox="/defender/media/investigate-incidents/incident-apps.png"::: -You can select the check mark for an app to see a list of active alerts. Select the app name to see additional details on the Explorer page for Defender for Cloud Apps. +You can select the check mark for an app to see a list of active alerts. Select the app name to see additional details on the Explorer page for Defender for Cloud Apps. + +### Cloud resources + +The **Cloud resources** view lists all the cloud resources identified to be part of or related to the incident. Here's an example. + +:::image type="content" source="/defender/media/investigate-incidents/incident-assets-cloudresource-small.png" alt-text="The Cloud resources page for an incident in the Microsoft Defender portal." lightbox="/defender/media/investigate-incidents/incident-assets-cloudresource.png"::: + +You can select the check mark for a cloud resource to see the resource's details and a list of active alerts. Select *Open cloud resource page* to see additional details and to view its full details in Microsoft Defender for Cloud. ## Investigations The **Investigations** tab lists all the [automated investigations](m365d-autoir.md) triggered by alerts in this incident. Automated investigations will perform remediation actions or wait for analyst approval of actions, depending on how you configured your automated investigations to run in Defender for Endpoint and Defender for Office 365. 
-:::image type="content" source="/defender/media/investigate-incidents/incident-investigations.png" alt-text="The Investigations page for an incident in the Microsoft Defender portal" lightbox="/defender/media/investigate-incidents/incident-investigations.png"::: +:::image type="content" source="/defender/media/investigate-incidents/incident-investigationspage-small.png" alt-text="The Investigations page for an incident in the Microsoft Defender portal" lightbox="/defender/media/investigate-incidents/incident-investigationspage.png"::: -Select an investigation to navigate to its details page for full information on the investigation and remediation status. If there are any actions pending for approval as part of the investigation, they will appear in the **Pending actions history** tab. Take action as part of incident remediation. +Select an investigation to navigate to its details page for full information on the investigation and remediation status. If there are any actions pending for approval as part of the investigation, they will appear in the **Pending actions** tab. Take action as part of incident remediation. There is also an **Investigation graph** tab that shows: 
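Review bot: In the new Cloud resources section (investigate-incidents.md @@ -189), "Select *Open cloud resource page*" italicizes a UI control while the rest of the article bolds them (**Timeline**, **Investigations**, **Pending actions**); use **Open cloud resource page**. The same sentence says "to see additional details and to view its full details", which is redundant; suggest "Select **Open cloud resource page** to view the resource's full details in Microsoft Defender for Cloud." The first -/+ pair on the Apps line appears to differ only in trailing whitespace; drop it from the change unless that is intended.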
@@ -213,7 +220,7 @@ For more information, see [Automated investigation and response in Microsoft Def The **Evidence and Response** tab shows all the supported events and suspicious entities in the alerts in the incident. Here's an example. -:::image type="content" source="/defender/media/investigate-incidents/incident-evidence.png" alt-text="The Evidence and Response page for an incident in the Microsoft Defender portal" lightbox="/defender/media/investigate-incidents/incident-evidence.png"::: +:::image type="content" source="/defender/media/investigate-incidents/incidents-evidenceresponse-small.png" alt-text="The Evidence and Response page for an incident in the Microsoft Defender portal" lightbox="/defender/media/investigate-incidents/incidents-evidenceresponse.png"::: Microsoft Defender XDR automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with information about the important emails, files, processes, services, IP Addresses, and more. This helps you quickly detect and block potential threats in the incident. 
@@ -221,18 +228,31 @@ Each of the analyzed entities is marked with a verdict (Malicious, Suspicious, C ### Approve or reject remediation actions -For incidents with a remediation status of **Pending approval**, you can approve or reject a remediation action from within the incident. +For incidents with a remediation status of **Pending approval**, you can approve or reject a remediation action, open in Explorer, or Go hunt from within Evidence and Response tab. Here's an example. + +:::image type="content" source="/defender/media/investigate-incidents/evidence-approve-small.png" alt-text="The Approve\Reject option in the Evidence and Response management pane for an incident in the Microsoft Defender portal." lightbox="/defender/media/investigate-incidents/evidence-approve.png"::: + +## Summary + +Use the **Summary** page to assess the relative importance of the incident and quickly access the associated alerts and impacted entities. The **Summary** page gives you a snapshot glance at the top things to notice about the incident. + +:::image type="content" source="/defender/media/investigate-incidents/incident-summary.png" alt-text="Screenshot that shows the summary information for an incident in the Microsoft Defender portal." lightbox="/defender/media/investigate-incidents/incident-summary-small.png"::: + +Information is organized in these sections. + +| Section | Description | +|:-------|:-----| +| Alerts and categories | A visual and numeric view of how advanced the attack has progressed against the kill chain. As with other Microsoft security products, Microsoft Defender XDR is aligned to the [MITRE ATT&CK™](https://attack.mitre.org/) framework. The alerts timeline shows the chronological order in which the alerts occurred and for each, their status and name. | +| Scope | Displays the number of impacted devices, users, and mailboxes and lists the entities in order of risk level and investigation priority. 
| +| Alerts | Displays the alerts involved in the incident. | +| Evidence | Displays the number of entities affected by the incident. | +| Incident information | Displays the properties of the incident, such as tags, status, and severity. | + +## Similar incidents -1. In the navigation pane, go to **Incidents & alerts** \> **Incidents**. -2. Filter on **Pending action** for the Automated investigation state (optional). -3. Select an incident name to open its summary page. -4. Select the **Evidence and Response** tab. -5. Select an item in the list to open its flyout pane. -6. Review the information, and then take one of the following steps: - - Select the Approve pending action option to initiate a pending action. - - Select the Reject pending action option to prevent a pending action from being taken. +Some incidents might have similar incidents listed on the **Similar incidents** page. This section shows incidents that have similar alerts, entities, and other properties. This can help you understand the scope of the attack and identify other incidents that might be related. Here's an example. -:::image type="content" source="/defender/media/defender/m365-defender-approve-reject-action.png" alt-text="The Approve\Reject option in the Evidence and Response management pane for an incident in the Microsoft Defender portal." lightbox="/defender/media/defender/m365-defender-approve-reject-action.png"::: +:::image type="content" source="/defender/media/investigate-incidents/incident-similartab-small.png" alt-text="Screenshot that shows the Similar incidents tab for an incident in the Microsoft Defender portal." lightbox="/defender/media/investigate-incidents/incident-similartab.png"::: ## Next steps diff --git a/defender-xdr/investigate-respond-container-threats.md b/defender-xdr/investigate-respond-container-threats.md index fb591e6570..ec81b298d3 100644 --- a/defender-xdr/investigate-respond-container-threats.md 
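Review bot: In the Summary section image (investigate-incidents.md @@ -221), source and lightbox look swapped: source="incident-summary.png" with lightbox="incident-summary-small.png", whereas every other image in this patch points source at the -small file and lightbox at the full-size file; flip the two. In the same hunk, "approve or reject a remediation action, open in Explorer, or Go hunt from within Evidence and Response tab" needs "the" before "Evidence and Response tab" and consistent treatment of the action names (bold them as controls: **Open in Explorer**, **Go hunt**). The numbered approve/reject procedure (Incidents & alerts > Incidents, filter on Pending action, open the flyout, Approve or Reject) is removed without a replacement, so the new sentence says what can be done but no longer how; either keep the steps or link to where they now live. Finally, "Similar incidents" is called a page in the body but a tab in the alt-text; pick one.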
+++ b/defender-xdr/investigate-respond-container-threats.md @@ -18,7 +18,8 @@ search.appverid: - MET150 ms.date: 11/18/2024 appliesto: -- Microsoft Defender XDR +- ✅ Microsoft Defender XDR +- Microsoft's unified security operations platform --- # Investigate and respond to container threats in the Microsoft Defender portal @@ -99,11 +100,7 @@ To determine the full scope of a container attack, you can deepen your investiga In the [Advanced hunting](advanced-hunting-overview.md) page, you can extend your search for container-related activities using the **CloudProcessEvents** and **CloudAuditEvents** tables. -:::image type="content" source="/defender/media/defender-containers/adv-hunting-cloud-small.png" alt-text="Highlighting the advanced hunting tables related to cloud events." lightbox="/defender/media/defender-containers/adv-hunting-cloud.png"::: - -The **CloudProcessEvents** table contains information about process events in multi-cloud hosted environments such as Azure Kubernetes Service, Amazon Elastic Kubernetes Service, and Google Kubernetes Engine. - -The **CloudAuditEvents table** contains cloud audit events from cloud platforms protected by Microsoft Defender for Cloud. It also contains Kubeaudit logs, which holds information about Kubernetes-related events. +The [CloudProcessEvents](advanced-hunting-cloudprocessevents-table.md) table contains information about process events in multi-cloud hosted environments such as Azure Kubernetes Service, Amazon Elastic Kubernetes Service, and Google Kubernetes Engine. On the other hand, the [CloudAuditEvents](advanced-hunting-cloudauditevents-table.md) table contains cloud audit events from cloud platforms protected by Microsoft Defender for Cloud. It also contains Kubeaudit logs, which holds information about Kubernetes-related events. ## See also diff --git a/defender-xdr/investigate-users.md b/defender-xdr/investigate-users.md index c18da6eca7..977a41e5cb 100644 --- a/defender-xdr/investigate-users.md 
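Review bot: In investigate-respond-container-threats.md @@ -99, "On the other hand" implies a contrast between CloudProcessEvents and CloudAuditEvents, but the two tables are complementary; "In addition, the [CloudAuditEvents] table contains..." reads better. While the line is being rewritten, fix "Kubeaudit logs, which holds information" to "which hold information". In the @@ -18 hunk of the same file, the ✅ prefix appears on only one of the two appliesto entries and on none of the appliesto lists touched elsewhere in this patch (investigate-users.md, prerequisites.md); either mark both entries or drop the emoji for consistency.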
+++ b/defender-xdr/investigate-users.md @@ -10,16 +10,16 @@ author: diannegali manager: dansimp audience: ITPro ms.collection: - - m365-security - - tier2 - - usx-security +- m365-security +- tier2 +- usx-security ms.topic: conceptual search.appverid: met150 ms.custom: seo-marvel-jun2020 -ms.date: 03/29/2024 +ms.date: 09/30/2024 appliesto: - - Microsoft Defender XDR - - Microsoft Sentinel in the Microsoft Defender portal +- Microsoft Defender XDR +- Microsoft Sentinel in the Microsoft Defender portal --- # User entity page in Microsoft Defender 
@@ -56,8 +56,10 @@ The user page shows the Microsoft Entra organization as well as groups, helping ### Entity details -The **Entity details** panel on the left side of the page provides information about the user, such as the Microsoft Entra identity risk level, the number of devices the user is signed in to, when the user was first and last seen, the user's accounts, groups that the user belongs to, contact information, and more. You see other details depending on the integration features you enabled. +The **Entity details** panel on the left side of the page provides information about the user, such as the Microsoft Entra identity risk level, the insider risk severity level (Preview), the number of devices the user is signed in to, when the user was first and last seen, the user's accounts, groups that the user belongs to, contact information, and more. You see other details depending on the integration features you enabled. +> [!NOTE] +> (Preview) Microsoft Defender XDR users with access to [Microsoft Purview Insider Risk Management](/purview/insider-risk-management-solution-overview) can now see a user's insider risk severity and gain insights on a user's suspicious activities in the user page. Select the **insider risk severity** under Entity details to see the risk insights about the user. ### Visual view of incidents and alerts This card includes all incidents and alerts associated with the user entity, grouped by severity. diff --git a/defender-xdr/m365d-autoir-actions.md b/defender-xdr/m365d-autoir-actions.md index 16c37c3d96..1813248d81 100644 --- a/defender-xdr/m365d-autoir-actions.md +++ b/defender-xdr/m365d-autoir-actions.md @@ -8,7 +8,7 @@ f1.keywords: ms.author: diannegali author: diannegali ms.localizationpriority: medium -ms.date: 08/11/2023 +ms.date: 11/25/2024 manager: dansimp audience: ITPro ms.collection: 
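Review bot: In investigate-users.md @@ -56, the NOTE says "Select the **insider risk severity** under Entity details", but the same hunk introduces the panel as "The **Entity details** panel"; bold it here too, and prefer "Select **Insider risk severity** in the **Entity details** panel" so the control and the panel are both identifiable. "can now see" is time-relative wording that will read oddly once the preview ends; "can see" is enough, since "(Preview)" already marks the state.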
@@ -67,7 +67,7 @@ If you've determined that a device or a file is not a threat, you can undo remed | Action source | Supported Actions | |:---|:---| -| - Automated investigation
- Microsoft Defender Antivirus
- Manual response actions | - Isolate device
- Restrict code execution
- Quarantine a file
- Remove a registry key
- Stop a service
- Disable a driver
- Remove a scheduled task | +| - Automated investigation
- Microsoft Defender Antivirus
- Manual response actions | - Isolate device
- Contain device
- Contain user
- Restrict code execution
- Quarantine a file
- Remove a registry key
- Stop a service
- Disable a driver
- Remove a scheduled task | ### Undo one remediation action diff --git a/defender-xdr/media/custom-detection-compatible-queries.png b/defender-xdr/media/custom-detection-compatible-queries.png new file mode 100644 index 0000000000..8ea254cea2 Binary files /dev/null and b/defender-xdr/media/custom-detection-compatible-queries.png differ diff --git a/defender-xdr/media/custom-detection-migrate-now.png b/defender-xdr/media/custom-detection-migrate-now.png new file mode 100644 index 0000000000..912edb7d17 Binary files /dev/null and b/defender-xdr/media/custom-detection-migrate-now.png differ diff --git a/defender-xdr/microsoft-365-defender.md b/defender-xdr/microsoft-365-defender.md index ab5050a342..ce36966b32 100644 --- a/defender-xdr/microsoft-365-defender.md +++ b/defender-xdr/microsoft-365-defender.md @@ -43,6 +43,9 @@ Microsoft Defender XDR helps security teams protect and detect their organizatio With the integrated Microsoft Defender XDR solution, security professionals can stitch together the threat signals that each of these products receive and determine the full scope and impact of the threat; how it entered the environment, what it's affected, and how it's currently impacting the organization. Microsoft Defender XDR takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities. +> [!NOTE] +> Microsoft Defender XDR correlates signals from Microsoft security products that you have licensed and provisioned access to. + ## Microsoft Defender XDR protection diff --git a/defender-xdr/microsoft-sentinel-onboard.md b/defender-xdr/microsoft-sentinel-onboard.md index 3b3229d92c..5c9660918e 100644 --- a/defender-xdr/microsoft-sentinel-onboard.md +++ b/defender-xdr/microsoft-sentinel-onboard.md 
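Review bot: In m365d-autoir-actions.md @@ -67, "Contain user" is added to the undoable actions, but the paragraph that introduces the table still reads "If you've determined that a device or a file is not a threat, you can undo remediation..."; extend it to cover users (for example, "a device, a file, or a user"), otherwise readers won't expect user containment to be reversible from this page. Also worth stating, in the table or a note after it, whether undoing "Contain device" and "Contain user" follows the same procedure as undoing "Isolate device".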
@@ -1,6 +1,6 @@ --- -title: Connect Microsoft Sentinel to Microsoft Defender XDR -description: Learn how to connect your Microsoft Sentinel environment to Microsoft Defender XDR to unify your security operations. +title: Connect Microsoft Sentinel to the Microsoft Defender portal +description: Learn how to connect your Microsoft Sentinel environment to the Defender portal to unify your security operations. ms.service: defender-xdr f1.keywords: - NOCSH 
@@ -22,22 +22,23 @@ search.appverid: appliesto: - Microsoft Defender XDR - Microsoft Sentinel in the Microsoft Defender portal -ms.date: 07/10/2024 +ms.date: 10/16/2024 --- -# Connect Microsoft Sentinel to Microsoft Defender XDR +# Connect Microsoft Sentinel to the Microsoft Defender portal -Microsoft Sentinel is generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. When you onboard Microsoft Sentinel to the Defender portal, you unify capabilities with Microsoft Defender XDR like incident management and advanced hunting. Reduce tool switching and build a more context-focused investigation that expedites incident response and stops breaches faster. For more information, see: +Microsoft Sentinel is generally available within Microsoft's unified security operations (SecOps) platform in the Microsoft Defender portal. When you onboard Microsoft Sentinel to the Defender portal with Microsoft Defender XDR, you unify capabilities like incident management and advanced hunting. Reduce tool switching and build a more context-focused investigation that expedites incident response and stops breaches faster. 
For more information, see: -- Blog post: [General availability of the Microsoft unified security operations platform](https://aka.ms/unified-soc-announcement) +- Blog post: [General availability of the Microsoft's unified security operations platform](https://aka.ms/unified-soc-announcement) - Blog post: [Frequently asked questions about the unified security operations platform](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/frequently-asked-questions-about-the-unified-security-operations/ba-p/4212048) - [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690) - [Microsoft Defender XDR integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration) +For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. ## Prerequisites -Before you begin, review the feature documentation to understand the product changes and limitations: +Before you begin, review the feature documentation to understand the product changes and limitations. - [Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal) - [Advanced hunting in the Microsoft Defender portal](advanced-hunting-microsoft-defender.md) 
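Review bot: In microsoft-sentinel-onboard.md @@ -22, the blog link text "General availability of the Microsoft's unified security operations platform" has a stray "the" (the paragraph above uses "Microsoft's unified security operations (SecOps) platform"); remove it. The added line "For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license." sits directly under the bullet list with no blank line and reads as a continuation of it; put a blank line before it and phrase it as "In preview, ..." or make it a NOTE callout, since it changes the prerequisites described below.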
@@ -46,16 +47,17 @@ Before you begin, review the feature documentation to understand the product cha The Microsoft Defender portal supports a single Microsoft Entra tenant and the connection to one workspace at a time. In the context of this article, a workspace is a Log Analytics workspace with Microsoft Sentinel enabled. -To onboard and use Microsoft Sentinel in the Microsoft Defender portal, you must have the following resources and access: +### Microsoft Sentinel prerequisites + +To onboard and use Microsoft Sentinel in the Defender portal, you must have the following resources and access: - A Log Analytics workspace that has Microsoft Sentinel enabled -- The data connector for Microsoft Defender XDR (formerly named Microsoft 365 Defender) enabled in Microsoft Sentinel for incidents and alerts. For more information, see [Connect data from Microsoft Defender XDR to Microsoft Sentinel](/azure/sentinel/connect-microsoft-365-defender). -- Access to Microsoft Defender XDR in the Defender portal -- Microsoft Defender XDR onboarded to the Microsoft Entra tenant +- The data connector for Microsoft Defender XDR enabled in Microsoft Sentinel for incidents and alerts. Install the Defender XDR solution and configure the data connector to connect Microsoft Sentinel to the Defender portal. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](/azure/sentinel/sentinel-solutions-deploy). - An Azure account with the appropriate roles to onboard, use, and create support requests for Microsoft Sentinel in the Defender portal. The following table highlights some of the key roles needed. 
- |Task |Azure built-in role required |Scope | + |Task |Microsoft Entra or Azure built-in role required |Scope | |---------|---------|---------| + |Onboard Microsoft Sentinel to the Defender portal|[Global administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) or [security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) in Microsoft Entra ID|Tenant| |Connect or disconnect a workspace with Microsoft Sentinel enabled|[Owner](/azure/role-based-access-control/built-in-roles#owner) or
[User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) and [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) |- Subscription for Owner or User Access Administrator roles

- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor | |View Microsoft Sentinel in the Defender portal|[Microsoft Sentinel Reader](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) |Subscription, resource group, or workspace resource | |Query Sentinel data tables or view incidents |[Microsoft Sentinel Reader](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) or a role with the following actions:
- Microsoft.OperationalInsights/workspaces/read
- Microsoft.OperationalInsights/workspaces/query/read
- Microsoft.SecurityInsights/Incidents/read
- Microsoft.SecurityInsights/incidents/comments/read
- Microsoft.SecurityInsights/incidents/relations/read
- Microsoft.SecurityInsights/incidents/tasks/read|Subscription, resource group, or workspace resource | 
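Review bot: In the roles table (microsoft-sentinel-onboard.md @@ -46), the new "Onboard Microsoft Sentinel to the Defender portal" row lists Global administrator first, while prerequisites.md in this same patch carries an IMPORTANT callout that Global Administrator should be limited to emergency scenarios and the least-privileged role used; list security administrator first and consider repeating that callout here. In the bullet above the table, the direct link to the Defender XDR data connector article (/azure/sentinel/connect-microsoft-365-defender) is replaced by the generic solutions article; keeping the connector link alongside it would save the reader a hop.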
@@ -64,28 +66,39 @@ To onboard and use Microsoft Sentinel in the Microsoft Defender portal, you must After you connect Microsoft Sentinel to the Defender portal, your existing Azure role-based access control (RBAC) permissions allow you to work with the Microsoft Sentinel features that you have access to. Continue to manage roles and permissions for your Microsoft Sentinel users from the Azure portal. Any Azure RBAC changes are reflected in the Defender portal. For more information about Microsoft Sentinel permissions, see [Roles and permissions in Microsoft Sentinel | Microsoft Learn](/azure/sentinel/roles) and [Manage access to Microsoft Sentinel data by resource | Microsoft Learn](/azure/sentinel/resource-context-rbac). +### Microsoft's unified SecOps platform prerequisites + +To unify capabilities with Defender XDR in Microsoft's unified SecOps platform, you must have the following resources and access: + +- Licensing for Defender XDR, as described in [Microsoft Defender XDR prerequisites](/microsoft-365/security/mtp/prerequisites) +- Account for Defender XDR is a member of the same Microsoft Entra tenant with which Microsoft Sentinel is associated +- Access to Microsoft Defender XDR in the Defender portal, as described in [Microsoft Defender XDR prerequisites](/microsoft-365/security/mtp/prerequisites#required-permissions) + ## Onboard Microsoft Sentinel -To connect a workspace that has Microsoft Sentinel enabled to Defender XDR, complete the following steps: +To connect a Microsoft Sentinel workspace to the Defender portal, complete the following steps. If you're onboarding Microsoft Sentinel without Defender XDR (preview) there is an extra step to trigger the connection with Microsoft Sentinel and Defender portal. 1. Go to the [Microsoft Defender portal](https://security.microsoft.com/) and sign in. -1. In Microsoft Defender XDR, select **Overview**. +1. To onboard Microsoft Sentinel without Defender XDR in the Defender portal: + 1. 
To trigger the connection with Microsoft Sentinel, select **Investigation & response** > **Incidents**. + 1. Wait a few minutes for the connection to complete. +1. In the Defender portal, select **Overview**. 1. Select **Connect a workspace**. 1. Choose the workspace you want to connect and select **Next**. 1. Read and understand the product changes associated with connecting your workspace. These changes include: - - Log tables, queries, and functions in the Microsoft Sentinel workspace are also available in advanced hunting within Defender XDR. + - Log tables, queries, and functions in the Microsoft Sentinel workspace are also available in advanced hunting within the Defender portal. - The Microsoft Sentinel Contributor role is assigned to the Microsoft Threat Protection and WindowsDefenderATP apps within the subscription. - Active [Microsoft security incident creation rules](/azure/sentinel/threat-detection#microsoft-security-rules) are deactivated to avoid duplicate incidents. This change only applies to incident creation rules for Microsoft alerts and not to other analytics rules. - All alerts related to Defender XDR products are streamed directly from the main Defender XDR data connector to ensure consistency. Make sure you have incidents and alerts from this connector turned on in the workspace. 1. Select **Connect**. -After your workspace is connected, the banner on the **Overview** page shows that your unified security information and event management (SIEM) and extended detection and response (XDR) is ready. The **Overview** page is updated with new sections that include metrics from Microsoft Sentinel like the number of data connectors and automation rules. +After your workspace is connected, the banner on the **Overview** page shows that your environment is ready. The **Overview** page is updated with new sections that include metrics from Microsoft Sentinel like the number of data connectors and automation rules. 
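Review bot: In microsoft-sentinel-onboard.md @@ -64, the substep "Wait a few minutes for the connection to complete" gives the reader no way to confirm completion before continuing to **Overview** > **Connect a workspace**; state what they should see when the connection is complete, or what happens if they proceed too early. In the intro sentence, add a comma after "(preview)" and "the" before "Defender portal". In the new "Microsoft's unified SecOps platform prerequisites" list, "Account for Defender XDR is a member of the same Microsoft Entra tenant with which Microsoft Sentinel is associated" is a sentence fragment; suggest "An account for Defender XDR that belongs to the same Microsoft Entra tenant as the Microsoft Sentinel workspace".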
## Explore Microsoft Sentinel features in the Defender portal -After you connect your workspace to the Defender portal, **Microsoft Sentinel** is on the left-hand side navigation pane. Pages like **Overview**, **Incidents**, and **Advanced Hunting** have unified data from Microsoft Sentinel and Defender XDR. For more information about the unified capabilities and differences between portals, see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690). +After you connect your workspace to the Defender portal, **Microsoft Sentinel** is on the left-hand side navigation pane. If you have Defender XDR enabled, pages like **Overview**, **Incidents**, and **Advanced Hunting** have unified data from Microsoft Sentinel and Defender XDR. If you don't have Defender XDR enabled, these pages just include data from Microsoft Sentinel (preview). For more information about the unified capabilities and differences between portals, see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690). Many of the existing Microsoft Sentinel features are integrated into the Defender portal. For these features, notice that the experience between Microsoft Sentinel in the Azure portal and Defender portal are similar. Use the following articles to help you start working with Microsoft Sentinel in the Defender portal. When using these articles, keep in mind that your starting point in this context is the [Defender portal](https://security.microsoft.com/) instead of the Azure portal. 
@@ -135,5 +148,5 @@ If you want to connect to a different workspace, from the **Workspaces** page, s - [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690) - [Advanced hunting in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2264410) - [Automatic attack disruption in Microsoft Defender XDR](automatic-attack-disruption.md) -- [Investigate incidents in Microsoft Defender XDR](investigate-incidents.md) +- [Investigate incidents in Microsoft Defender portal](investigate-incidents.md) - [Optimize your security operations](/azure/sentinel/soc-optimization/soc-optimization-access?tabs=defender-portal) diff --git a/defender-xdr/mssp-access.md b/defender-xdr/mssp-access.md index ec00dd6b96..92a3860af3 100644 --- a/defender-xdr/mssp-access.md +++ b/defender-xdr/mssp-access.md @@ -16,7 +16,7 @@ search.appverid: ms.collection: - m365-security - tier2 -ms.date: 06/21/2024 +ms.date: 11/19/2024 --- # Provide managed security service provider (MSSP) access @@ -25,6 +25,10 @@ ms.date: 06/21/2024 [!INCLUDE [Prerelease](../includes/prerelease.md)] + +> [!IMPORTANT] +> Procedures in this article use features that require at a minimum Microsoft Entra ID P2 [for each user under scope of management](/entra/id-governance/licensing-fundamentals#how-can-i-license-usage-of-microsoft-entra-id-governance-features-for-business-guests). + **Applies to:** - [Microsoft Defender XDR](microsoft-365-defender.md) @@ -125,4 +129,5 @@ To implement a multitenant delegated access solution, take the following steps: At this point, analyst access has been provisioned, and each analyst should be able to access the customer's Microsoft Defender portal: `https://security.microsoft.com/?tid=` with the permissions and roles they were assigned. + [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] 
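Review bot: In microsoft-sentinel-onboard.md @@ -135, the link text "Investigate incidents in Microsoft Defender portal" is missing "the"; the rest of this patch consistently writes "the Microsoft Defender portal" (see the new title of this same file).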
diff --git a/defender-xdr/prerequisites.md b/defender-xdr/prerequisites.md index f346d59ec7..f8ed2be6b8 100644 --- a/defender-xdr/prerequisites.md +++ b/defender-xdr/prerequisites.md @@ -17,20 +17,21 @@ search.appverid: - MOE150 - MET150 ms.date: 07/18/2024 +appliesto: +- Microsoft Defender XDR --- # Microsoft Defender XDR prerequisites [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] - -**Applies to:** -- Microsoft Defender XDR - Learn about licensing and other requirements for provisioning and using [Microsoft Defender XDR](microsoft-365-defender.md). ## Licensing requirements -Any of these licenses gives you access to Microsoft Defender XDR features via the Microsoft Defender portal without additional cost: + +Microsoft Defender XDR natively correlates Microsoft security products' signals, providing security operations teams a single pane of glass to detect, investigate, respond, and protect your assets. These signals are dependent on the license that you have and the access provisioned to you. + +Any of the these licenses gives you access to Microsoft Defender XDR features via the Microsoft Defender portal without additional cost: - Microsoft 365 E5 or A5 - Microsoft 365 E3 with the Microsoft 365 E5 Security add-on 
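Review bot: In prerequisites.md @@ -17, "Any of the these licenses" introduces a typo ("the these"); the original line had "Any of these licenses". The new paragraph above it reads "a single pane of glass to detect, investigate, respond, and protect your assets"; "respond" needs "to" ("respond to, and protect"), and the sentence mixes "security operations teams" with "your assets". Its second sentence also duplicates the NOTE added to microsoft-365-defender.md in this patch ("correlates signals from Microsoft security products that you have licensed and provisioned access to"); stating it once and cross-linking would avoid the two copies drifting apart.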
@@ -65,10 +66,8 @@ Go to Microsoft 365 admin center ([admin.microsoft.com](https://admin.microsoft. You must at least be a **security administrator** in Microsoft Entra ID to turn on Microsoft Defender XDR. For the list of roles required to use Microsoft Defender XDR and information on how access to data is regulated, read about [managing access to Microsoft Defender XDR](m365d-permissions.md). ->[!IMPORTANT] ->Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. - - +> [!IMPORTANT] +> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. ## Browser requirements @@ -86,10 +85,10 @@ Currently, the Microsoft Defender for Office 365 integration into the unified Mi - Sweden - Singapore - ## Related articles - [Microsoft Defender XDR overview](microsoft-365-defender.md) - [Turn on Microsoft Defender XDR](m365d-enable.md) - [Manage access and permissions](m365d-permissions.md) + [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] diff --git a/defender-xdr/security-copilot-defender-identity-summary.md b/defender-xdr/security-copilot-defender-identity-summary.md index 46db849722..720c5eef12 100644 --- a/defender-xdr/security-copilot-defender-identity-summary.md +++ b/defender-xdr/security-copilot-defender-identity-summary.md 
@@ -21,14 +21,14 @@ search.appverid: ms.date: 10/14/2024 appliesto: - Microsoft Defender XDR -- Microsoft Sentinel in the Microsoft Defender portal +- Microsoft Sentinel with Defender XDR in the Microsoft Defender portal --- # Summarize identity information with Microsoft Copilot in Microsoft Defender [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] -Security operations teams investigating users can easily understand identity information with the identity summary capability in [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in Microsoft Defender. Through generative AI and harnessing the power of Microsoft Defender for Identity, Copilot creates contextual insights about an identity in an organization, helping analysts quickly understand important data to speed up their investigation. +Security operations teams investigating users can easily understand identity information with the identity summary capability in [Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) in Microsoft Defender. Through generative AI and harnessing the power of Microsoft Defender for Identity, Copilot creates contextual insights about an identity in an organization, helping analysts quickly understand important data to speed up their investigation. With the identity summary capability, analysts can immediately identify suspicious or risky identity-related changes and actions that can negatively impact an organization. The summary also includes potential misconfigurations that affect an identity. Using natural language, Copilot delivers clear and actionable user information that analysts can use in their incident investigation activities. The capability currently focuses on users and will include service accounts in its next iteration. 
@@ -36,19 +36,21 @@ This guide describes what the identity summary capability is and how it works, i ## Know before you begin -If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles: +If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles: -- [What is Copilot for Security?](/security-copilot/microsoft-security-copilot) -- [Copilot for Security experiences](/security-copilot/experiences-security-copilot) -- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot) -- [Understand authentication in Copilot for Security](/security-copilot/authentication) -- [Prompting in Copilot for Security](/security-copilot/prompting-security-copilot) +- [What is Security Copilot?](/security-copilot/microsoft-security-copilot) +- [Security Copilot experiences](/security-copilot/experiences-security-copilot) +- [Get started with Security Copilot](/security-copilot/get-started-security-copilot) +- [Understand authentication in Security Copilot](/security-copilot/authentication) +- [Prompting in Security Copilot](/security-copilot/prompting-security-copilot) -## Copilot for Security integration in Microsoft Defender +With the identity summary capability, analysts can immediately identify suspicious or risky identity-related changes and actions that can negatively impact an organization. The summary also includes potential misconfigurations that affects an identity. Using natural language, Copilot delivers clear and actionable user information that analysts can use in their incident investigation activities. The capability currently focuses on users and will include service accounts in its next iteration. -The identity summary capability is available in the Microsoft Defender portal for customers who have provisioned access to Copilot for Security. 
+## Security Copilot integration in Microsoft Defender -Users who access the Copilot for Security standalone portal can use this capability through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins). +The identity summary capability is available in the Microsoft Defender portal for customers who have provisioned access to Security Copilot. + +Users who access the Security Copilot standalone portal can use this capability through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). ## Key features 
@@ -84,16 +86,16 @@ You can access the identity summary capability in the following ways: - Type a username in the Microsoft Defender portal’s **search box** then select the username from the search results. In the user details side panel, select **Summarize** to generate the identity summary. -Review the identity summary results. You can copy the results to clipboard, regenerate the results, or open Security Copilot by selecting the More actions ellipsis (...) on top of the identity summary card. You can extend your investigation of identity using prompts and other plugins in the Copilot for Security portal. +Review the identity summary results. You can copy the results to clipboard, regenerate the results, or open Security Copilot by selecting the More actions ellipsis (...) on top of the identity summary card. You can extend your investigation of identity using prompts and other plugins in the Security Copilot portal. ## Sample identity summary prompt -In the Copilot for Security standalone portal, you can use the following prompt to generate an identity summary: +In the Security Copilot standalone portal, you can use the following prompt to generate an identity summary: - *Show the Defender summary of this user in the last {time frame}.* > [!TIP] -> When investigating users in the Copilot for Security portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the identity summary capability delivers the results. You can specify up to 120 days on the investigation time frame, with the default being 30 days when you don’t indicate one. +> When investigating users in the Security Copilot portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the identity summary capability delivers the results. You can specify up to 120 days on the investigation time frame, with the default being 30 days when you don’t indicate one. ## Provide feedback 
@@ -105,7 +107,7 @@ Fill in the dedicated text box to share your thoughts, experiences, and requests ## See also -- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) -- [Privacy and data security in Copilot for Security](/copilot/security/privacy-data-security) +- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot) +- [Privacy and data security in Security Copilot](/copilot/security/privacy-data-security) [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] diff --git a/defender-xdr/security-copilot-in-microsoft-365-defender.md b/defender-xdr/security-copilot-in-microsoft-365-defender.md index 3768a95a30..a177bf1d68 100644 --- a/defender-xdr/security-copilot-in-microsoft-365-defender.md +++ b/defender-xdr/security-copilot-in-microsoft-365-defender.md @@ -1,6 +1,6 @@ --- title: Microsoft Copilot in Microsoft Defender -description: Learn about Microsoft Copilot for Security capabilities embedded in Microsoft Defender. +description: Learn about Microsoft Security Copilot capabilities embedded in Microsoft Defender. ms.service: defender-xdr f1.keywords: - NOCSH @@ -18,7 +18,7 @@ ms.topic: conceptual search.appverid: - MOE150 - MET150 -ms.date: 10/10/2024 +ms.date: 11/18/2024 appliesto: - Microsoft Defender XDR - Microsoft Sentinel in the Microsoft Defender portal 
@@ -35,17 +35,17 @@ This article provides an overview for users of Microsoft Copilot in Microsoft De ## Know before you begin -If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles: +If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles: -- [What is Copilot for Security?](/security-copilot/microsoft-security-copilot) -- [Copilot for Security experiences](/security-copilot/experiences-security-copilot) -- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot) -- [Understand authentication in Copilot for Security](/security-copilot/authentication) -- [Prompting in Copilot for Security](/security-copilot/prompting-security-copilot) +- [What is Security Copilot?](/security-copilot/microsoft-security-copilot) +- [Security Copilot experiences](/security-copilot/experiences-security-copilot) +- [Get started with Security Copilot](/security-copilot/get-started-security-copilot) +- [Understand authentication in Security Copilot](/security-copilot/authentication) +- [Prompting in Security Copilot](/security-copilot/prompting-security-copilot) ## Microsoft Copilot integration in Microsoft Defender -[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Copilot for Security is embedded in the Microsoft Defender portal to help provide security teams with enhanced capabilities to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence. Copilot in Defender is available to users who have provisioned access to Copilot for Security. +[Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. 
Security Copilot is embedded in the Microsoft Defender portal to help provide security teams with enhanced capabilities to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence. Copilot in Defender is available to users who have provisioned access to Security Copilot. ## Key features @@ -101,7 +101,7 @@ Copilot in Defender helps security teams proactively hunt for threats in their n #### Generate KQL queries from natural-language input -Security teams who use advanced hunting to proactively hunt for threats in their network can now use a query assistant that converts any natural-language question, in the context of threat hunting, into a ready-to-run KQL query. The query assistant saves security teams time by generating a KQL query that can then be automatically run or further tweaked according to the analyst needs. Read more about the query assistant in [Copilot for Security in advanced hunting](advanced-hunting-security-copilot.md). +Security teams who use advanced hunting to proactively hunt for threats in their network can now use a query assistant that converts any natural-language question, in the context of threat hunting, into a ready-to-run KQL query. The query assistant saves security teams time by generating a KQL query that can then be automatically run or further tweaked according to the analyst needs. Read more about the query assistant in [Security Copilot in advanced hunting](advanced-hunting-security-copilot.md). :::image type="content" source="/defender/media/advanced-hunting-security-copilot-pane.png" alt-text="Screenshot of the Copilot pane in advanced hunting." lightbox="/defender/media/advanced-hunting-security-copilot-pane-big.png"::: 
@@ -111,7 +111,7 @@ Empower your security organization to make informed decisions with the latest th #### Monitor threat intelligence -Ask Copilot to summarize the relevant threats impacting your environment, to prioritize resolving threats based on your exposure levels, or to find threat actors that might be targeting your industry. Read more about [Copilot for Security in threat intelligence](/defender/threat-intelligence/using-copilot-threat-intelligence-defender-xdr). +Ask Copilot to summarize the relevant threats impacting your environment, to prioritize resolving threats based on your exposure levels, or to find threat actors that might be targeting your industry. Read more about [Security Copilot in threat intelligence](/defender/threat-intelligence/using-copilot-threat-intelligence-defender-xdr). :::image type="content" source="/defender/media/copilot-in-defender/TI/copilot-defender-threat-intel-small.png" alt-text="Screenshot of the Copilot pane in threat intelligence in Defender XDR." lightbox="/defender/media/copilot-in-defender/TI/copilot-defender-threat-intel-full.png"::: @@ -119,7 +119,7 @@ Ask Copilot to summarize the relevant threats impacting your environment, to pri ## Access Copilot in Defender -To ensure that you have access to Copilot in Defender, see the [Copilot for Security purchase and licensing information](/security-copilot/faq-security-copilot). Once you have access to Copilot for Security, the key features become available in the Microsoft Defender portal. +To ensure that you have access to Copilot in Defender, see the [Security Copilot purchase and licensing information](/security-copilot/faq-security-copilot). Once you have access to Security Copilot, the key features become available in the Microsoft Defender portal. ## Sample prompts in Copilot 
@@ -133,7 +133,7 @@ Threat intelligence prompts: :::image type="content" source="/defender/media/copilot-in-defender/sample-prompt-threat-intel-small.png" alt-text="Screenshot highlighting the Copilot prompts in the threat intelligence page." lightbox="/defender/media/copilot-in-defender/sample-prompt-threat-intel.png"::: -You can extend your investigation in the Copilot for Security standalone portal using natural language prompts. The following are sample prompts that you can type in the prompt bar to help you summarize an incident with recommendations: +You can extend your investigation in the Security Copilot standalone portal using natural language prompts. The following are sample prompts that you can type in the prompt bar to help you summarize an incident with recommendations: - Type **Summarize incident {incident number} and conclude with a set of recommendations** to generate the incident summary and recommendations. - Type **What can you tell me about the reputation of the indicators in the script? Are they malicious? If so, why?** to analyze the script and generate details about the script. @@ -157,7 +157,7 @@ Because of its continuing evolution, Copilot might miss some things. Reviewing a -## Plugins in Copilot for Security +## Plugins in Security Copilot Copilot uses [preinstalled Microsoft plugins](/security-copilot/manage-plugins#preinstalled-plugins) like Microsoft Defender XDR, Defender Threat Intelligence, and Natural Language to KQL for Microsoft Sentinel and Defender XDR plugins to generate relevant information, provide more context to incidents, and generate more accurate results. Ensure that [plugins are turned on in Copilot](/security-copilot/manage-plugins#managing-preinstalled-plugins) to allow access to relevant data and to generate requested content from other Microsoft services in your organization. 
@@ -175,9 +175,9 @@ Copilot uses [preinstalled Microsoft plugins](/security-copilot/manage-plugins#p ## See also -- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot) +- [Get started with Security Copilot](/security-copilot/get-started-security-copilot) - [Privacy and data security in Copilot](/security-copilot/privacy-data-security) - [Responsible AI FAQs](/security-copilot/responsible-ai-overview-security-copilot) -- Other [Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) +- Other [Security Copilot embedded experiences](/security-copilot/experiences-security-copilot) [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] diff --git a/defender-xdr/security-copilot-m365d-create-incident-report.md b/defender-xdr/security-copilot-m365d-create-incident-report.md index 1f036bc531..c9ae34f9bf 100644 --- a/defender-xdr/security-copilot-m365d-create-incident-report.md +++ b/defender-xdr/security-copilot-m365d-create-incident-report.md @@ -18,7 +18,7 @@ ms.topic: conceptual search.appverid: - MOE150 - MET150 -ms.date: 10/14/2024 +ms.date: 11/18/2024 appliesto: - Microsoft Defender XDR - Microsoft Sentinel in the Microsoft Defender portal 
@@ -28,19 +28,19 @@ appliesto: [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] -[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal assists security operations teams with writing incident reports efficiently. Utilizing Copilot for Security's AI-powered data processing, security teams can immediately create incident reports with a click of a button in the Microsoft Defender portal. +[Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal assists security operations teams with writing incident reports efficiently. Utilizing Security Copilot's AI-powered data processing, security teams can immediately create incident reports with a click of a button in the Microsoft Defender portal. This guide lists the data in incident reports and contains steps on how to access the incident report creation capability within the Microsoft Defender portal. It also includes information on how to provide feedback about the generated report. 
## Know before you begin -If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles: +If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles: -- [What is Copilot for Security?](/security-copilot/microsoft-security-copilot) -- [Copilot for Security experiences](/security-copilot/experiences-security-copilot) -- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot) -- [Understand authentication in Copilot for Security](/security-copilot/authentication) -- [Prompting in Copilot for Security](/security-copilot/prompting-security-copilot) +- [What is Security Copilot?](/security-copilot/microsoft-security-copilot) +- [Security Copilot experiences](/security-copilot/experiences-security-copilot) +- [Get started with Security Copilot](/security-copilot/get-started-security-copilot) +- [Understand authentication in Security Copilot](/security-copilot/authentication) +- [Prompting in Security Copilot](/security-copilot/prompting-security-copilot) A comprehensive and clear incident report is an essential reference for security teams and security operations management. However, writing a comprehensive report with the important details present can be a time-consuming task for security operations teams. Collecting, organizing, and summarizing incident information from multiple sources requires focus and detailed analysis to create an information-rich report. With Copilot in Defender, security teams can now instantly create an extensive incident report within the portal. 
@@ -48,11 +48,11 @@ While an [incident summary](security-copilot-m365d-incident-summary.md) provides Copilot generates the incident report based on the automatic and manual actions implemented, and the analysts' comments and notes posted in the incident. You can review and follow [recommendations](security-copilot-m365d-create-incident-report.md#recommendations-for-incident-report-creation) to ensure that Copilot creates a comprehensive incident report. -## Copilot for Security integration in Microsoft Defender +## Security Copilot integration in Microsoft Defender -The incident report generation capability in Microsoft Defender is available for customers who have provisioned access to Copilot for Security. +The incident report generation capability in Microsoft Defender is available for customers who have provisioned access to Security Copilot. -This capability is also available in the Copilot for Security standalone portal through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins). +This capability is also available in the Security Copilot standalone portal through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). ## Key features 
@@ -86,9 +86,9 @@ To create an incident report with Copilot in Defender, perform the following ste :::image type="content" source="/defender/media/copilot-in-defender/create-report/incident-report-main2-small.png" alt-text="Screenshot of the incident report card in the incident page showing the lower bottom of the card." lightbox="/defender/media/copilot-in-defender/create-report/incident-report-main2.png"::: -4. Select the More actions ellipsis (...) located on the upper right of the incident report card. To copy the report, select **Copy to clipboard** and paste the report to your preferred system, **Post to activity log** to add the report to the activity log in the Microsoft Defender portal, or **Export incident as PDF** to [export the incident data to PDF](manage-incidents.md#export-incident-data-to-pdf). Select **Regenerate** to restart report creation. You can also **Open in Copilot for Security** to view the results and continue accessing other plugins available in the Copilot for Security standalone portal. +4. Select the More actions ellipsis (...) located on the upper right of the incident report card. To copy the report, select **Copy to clipboard** and paste the report to your preferred system, **Post to activity log** to add the report to the activity log in the Microsoft Defender portal, or **Export incident as PDF** to [export the incident data to PDF](manage-incidents.md#export-incident-data-to-pdf). Select **Regenerate** to restart report creation. You can also **Open in Security Copilot** to view the results and continue accessing other plugins available in the Security Copilot standalone portal. - ![Screenshot of additional actions in the incident report results card.](/defender/media/copilot-in-defender/create-report/incident-report-more-actions1.png) + ![Screenshot of additional actions in the incident report results card.](/defender/media/copilot-in-defender/create-report/incident-report-options.png) 5. Review the generated incident report. 
You can provide feedback on the report by selecting the feedback icon found on the bottom of the results ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/create-report/copilot-defender-feedback.png). @@ -112,12 +112,12 @@ Here are some recommendations to consider to ensure that Copilot generates a com ## Sample prompt for incident report creation -In the Copilot for Security standalone portal, you can use the following prompt to create the incident report: +In the Security Copilot standalone portal, you can use the following prompt to create the incident report: - *Generate the incident report for Defender incident {incident ID}.* > [!TIP] -> When generating incident reports in the Copilot for Security portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the incident report creation capability delivers the results. +> When generating incident reports in the Security Copilot portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the incident report creation capability delivers the results. ## Provide feedback @@ -125,7 +125,7 @@ Microsoft highly encourages you to provide feedback to Copilot, as it’s crucia ## See also -- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) -- [Privacy and data security in Copilot for Security](/copilot/security/privacy-data-security) +- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot) +- [Privacy and data security in Security Copilot](/copilot/security/privacy-data-security) [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] \ No newline at end of file diff --git a/defender-xdr/security-copilot-m365d-guided-response.md b/defender-xdr/security-copilot-m365d-guided-response.md index d23510e090..7629f0a0e1 100644 
--- a/defender-xdr/security-copilot-m365d-guided-response.md +++ b/defender-xdr/security-copilot-m365d-guided-response.md @@ -1,6 +1,6 @@ --- title: Triage and investigate incidents with guided responses with Microsoft Copilot in Microsoft Defender -description: Resolve incidents using guided responses delivered by Microsoft Copilot in Microsoft Defender. +description: Triage, mitigate, and respond to incidents using guided responses delivered by Microsoft Copilot in Microsoft Defender. ms.service: defender-xdr f1.keywords: - NOCSH 
@@ -18,37 +18,37 @@ ms.topic: conceptual search.appverid: - MOE150 - MET150 -ms.date: 10/14/2024 +ms.date: 11/18/2024 appliesto: - Microsoft Defender XDR -- Microsoft Sentinel in the Microsoft Defender portal +- Microsoft Sentinel with Defender XDR in the Microsoft Defender portal --- # Triage and investigate incidents with guided responses from Microsoft Copilot in Microsoft Defender [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] -[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal supports incident response teams in immediately resolving incidents with guided responses. Copilot in Defender uses AI and machine learning capabilities to contextualize an incident and learn from previous investigations to generate appropriate response actions. +[Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal supports incident response teams in immediately resolving incidents with guided responses. Copilot in Defender uses AI and machine learning capabilities to contextualize an incident and learn from previous investigations to generate appropriate response actions. This guide outlines how to access the guided response capability, including information on providing feedback about the responses. 
## Know before you begin -If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles: +If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles: -- [What is Copilot for Security?](/security-copilot/microsoft-security-copilot) -- [Copilot for Security experiences](/security-copilot/experiences-security-copilot) -- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot) -- [Understand authentication in Copilot for Security](/security-copilot/authentication) -- [Prompting in Copilot for Security](/security-copilot/prompting-security-copilot) +- [What is Security Copilot?](/security-copilot/microsoft-security-copilot) +- [Security Copilot experiences](/security-copilot/experiences-security-copilot) +- [Get started with Security Copilot](/security-copilot/get-started-security-copilot) +- [Understand authentication in Security Copilot](/security-copilot/authentication) +- [Prompting in Security Copilot](/security-copilot/prompting-security-copilot) Responding to incidents in the Microsoft Defender portal often requires familiarity with the portal's available actions to stop attacks. In addition, new incident responders might have different ideas of where and how to start responding to incidents. The guided response capability of Copilot in Defender allows incident response teams at all levels to confidently and quickly apply response actions to resolve incidents with ease. -## Copilot for Security integration in Microsoft Defender +## Security Copilot integration in Microsoft Defender -Guided responses are available in the Microsoft Defender portal for customers who have provisioned access to Copilot for Security. +Guided responses are available in the Microsoft Defender portal for customers who have provisioned access to Security Copilot. 
-Guided responses are also available in the Copilot for Security standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins). +Guided responses are also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). ## Key features @@ -73,9 +73,9 @@ To use guided responses, perform the following steps: 2. Review each card before applying the recommendations. Select the More actions ellipsis (...) on top of a response card to view the options available for each recommendation. Here are some examples. - ![Screenshot that shows the options available to users in a guided response card in the Copilot side panel.](/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-more-actions1.png) + ![Screenshot that shows the options available to users in a guided response card in the Copilot side panel.](/defender/media/copilot-in-defender/guided-response/guided-response-options1.png) - ![Screenshot that shows the options available to users in an automation response card in the Copilot pane in Microsoft Defender XDR.](/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-more-actions2.png) + ![Screenshot that shows the options available to users in an automation response card in the Copilot pane in Microsoft Defender XDR.](/defender/media/copilot-in-defender/guided-response/guided-response-options2.png) 3. To apply an action, select the desired action found on each card. The guided response action on each card is tailored to the type of incident and the specific entity involved. 
@@ -98,12 +98,12 @@ The **View similar emails** action, which is specific to phishing incidents, tak ## Sample guided responses prompt -In the Copilot for Security standalone portal, you can use the following prompt to generate guided responses: +In the Security Copilot standalone portal, you can use the following prompt to generate guided responses: - *Generate guided responses and recommendations for Defender incident {incident ID}.* > [!TIP] -> When generating guided responses in the Copilot for Security portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the guided responses capability delivers the results. +> When generating guided responses in the Security Copilot portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the guided responses capability delivers the results. ## Provide feedback @@ -111,7 +111,7 @@ Microsoft highly encourages you to provide feedback to Copilot, as it’s crucia ## See also -- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) -- [Privacy and data security in Copilot for Security](/copilot/security/privacy-data-security) +- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot) +- [Privacy and data security in Security Copilot](/copilot/security/privacy-data-security) [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] diff --git a/defender-xdr/security-copilot-m365d-incident-summary.md b/defender-xdr/security-copilot-m365d-incident-summary.md index b3ca4ab037..8ad463fafd 100644 --- a/defender-xdr/security-copilot-m365d-incident-summary.md +++ b/defender-xdr/security-copilot-m365d-incident-summary.md @@ -18,7 +18,7 @@ ms.topic: conceptual search.appverid: - MOE150 - MET150 -ms.date: 10/14/2024 +ms.date: 11/18/2024 appliesto: - Microsoft Defender XDR - Microsoft Sentinel in the Microsoft Defender portal 
@@ -28,27 +28,27 @@ appliesto: [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] -Microsoft Defender XDR applies the capabilities of [Copilot for Security](/security-copilot/microsoft-security-copilot) to summarize incidents, delivering impactful information and insights to simplify investigation tasks. Attack investigation is a crucial step for incident response teams to successfully defend an organization against further damage from a cyber threat. Investigations can often be time-consuming as it involves numerous steps. Incident response teams need to understand how the attack happened: sort through numerous alerts, identify which assets and entities are involved, and assess the scope and impact of an attack. +Microsoft Defender XDR applies the capabilities of [Security Copilot](/security-copilot/microsoft-security-copilot) to summarize incidents, delivering impactful information and insights to simplify investigation tasks. Attack investigation is a crucial step for incident response teams to successfully defend an organization against further damage from a cyber threat. Investigations can often be time-consuming as it involves numerous steps. Incident response teams need to understand how the attack happened: sort through numerous alerts, identify which assets and entities are involved, and assess the scope and impact of an attack. This guide outlines what to expect and how to access the summarizing capability of Copilot in Defender, including information on providing feedback. 
## Know before you begin -If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles: +If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles: -- [What is Copilot for Security?](/security-copilot/microsoft-security-copilot) -- [Copilot for Security experiences](/security-copilot/experiences-security-copilot) -- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot) -- [Understand authentication in Copilot for Security](/security-copilot/authentication) -- [Prompting in Copilot for Security](/security-copilot/prompting-security-copilot) +- [What is Security Copilot?](/security-copilot/microsoft-security-copilot) +- [Security Copilot experiences](/security-copilot/experiences-security-copilot) +- [Get started with Security Copilot](/security-copilot/get-started-security-copilot) +- [Understand authentication in Security Copilot](/security-copilot/authentication) +- [Prompting in Security Copilot](/security-copilot/prompting-security-copilot) -Incident responders can easily gain the right context to investigate and remediate incidents through Defender XDR's correlation capabilities and Copilot for Security's AI-powered data processing and contextualization. With an incident summary, responders can quickly get important information to help in their investigation. +Incident responders can easily gain the right context to investigate and remediate incidents through Defender XDR's correlation capabilities and Security Copilot's AI-powered data processing and contextualization. With an incident summary, responders can quickly get important information to help in their investigation. 
-## Copilot for Security integration in Microsoft Defender +## Security Copilot integration in Microsoft Defender -The incident summary capability is available in the Microsoft Defender portal for customers who have provisioned access to Copilot for Security. +The incident summary capability is available in the Microsoft Defender portal for customers who have provisioned access to Security Copilot. -This capability is also available in the Copilot for Security standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins). +This capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). ## Key features 
@@ -72,20 +72,20 @@ To summarize an incident, perform the following steps: > [!TIP] > You can navigate to a file, IP, or URL page from the Copilot results pane by clicking on the evidence in the results. -3. Select the **More actions** ellipsis (...) at the top of the incident summary card to copy or regenerate the summary, or view the summary in the Copilot for Security portal. Selecting **Open in Copilot for Security** opens a new tab to the Copilot for Security standalone portal where you can input prompts and access other plugins. +3. Select the **More actions** ellipsis (...) at the top of the incident summary card to copy or regenerate the summary, or view the summary in the Security Copilot portal. Selecting **Open in Security Copilot** opens a new tab to the Security Copilot standalone portal where you can input prompts and access other plugins. - :::image type="content" source="/defender/media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-more-actions.png" alt-text="Screenshot that shows the actions available on the incident summary card." lightbox="/defender/media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-more-actions.png"::: + :::image type="content" source="/defender/media/copilot-in-defender/incident-summary/incident-summary-options.png" alt-text="Screenshot that shows the actions available on the incident summary card."::: 4. Review the summary and use the information to guide your investigation and response to the incident. 
## Sample incident summary prompt -In the Copilot for Security standalone portal, you can use the following prompt to generate incident summaries: +In the Security Copilot standalone portal, you can use the following prompt to generate incident summaries: - *Provide a summary for Defender incident {incident ID}.* > [!TIP] -> When generating an incident summary in the Copilot for Security portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the incident summary capability delivers the results. +> When generating an incident summary in the Security Copilot portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the incident summary capability delivers the results. ## Provide feedback @@ -93,7 +93,7 @@ Microsoft highly encourages you to provide feedback to Copilot, as it’s crucia ## See also -- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) -- [Privacy and data security in Copilot for Security](/copilot/security/privacy-data-security) +- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot) +- [Privacy and data security in Security Copilot](/copilot/security/privacy-data-security) [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] diff --git a/defender-xdr/security-copilot-m365d-script-analysis.md b/defender-xdr/security-copilot-m365d-script-analysis.md index a5831d3180..c7c29c027d 100644 --- a/defender-xdr/security-copilot-m365d-script-analysis.md +++ b/defender-xdr/security-copilot-m365d-script-analysis.md @@ -18,7 +18,7 @@ ms.topic: conceptual search.appverid: - MOE150 - MET150 -ms.date: 10/14/2024 +ms.date: 11/20/2024 appliesto: - Microsoft Defender XDR - Microsoft Sentinel in the Microsoft Defender portal 
@@ -28,29 +28,29 @@ appliesto: [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] -Through AI-powered investigation capabilities from [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal, security teams can speed up their analysis of malicious or suspicious scripts and command lines. +Through AI-powered investigation capabilities from [Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal, security teams can speed up their analysis of malicious or suspicious scripts and command lines. This guide describes what the script analysis capability is and how it works, including how you can provide feedback on the results generated. ## Know before you begin -If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles: +If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles: -- [What is Copilot for Security?](/security-copilot/microsoft-security-copilot) -- [Copilot for Security experiences](/security-copilot/experiences-security-copilot) -- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot) -- [Understand authentication in Copilot for Security](/security-copilot/authentication) -- [Prompting in Copilot for Security](/security-copilot/prompting-security-copilot) +- [What is Security Copilot?](/security-copilot/microsoft-security-copilot) +- [Security Copilot experiences](/security-copilot/experiences-security-copilot) +- [Get started with Security Copilot](/security-copilot/get-started-security-copilot) +- [Understand authentication in Security Copilot](/security-copilot/authentication) +- [Prompting in Security Copilot](/security-copilot/prompting-security-copilot) Most complex and sophisticated attacks like [ransomware](/security/ransomware) evade detection through numerous ways, including 
the use of scripts and PowerShell command lines. Moreover, these scripts are often obfuscated, which adds to the complexity of detection and analysis. Security operations teams need to quickly analyze scripts to understand capabilities and apply appropriate mitigation, immediately stopping attacks from progressing further within a network. The script analysis capability provides security teams added capacity to inspect scripts without using external tools. This capability also reduces complexity of analysis, minimizing challenges and allowing security teams to quickly assess and identify a script as malicious or benign. -## Copilot for Security integration in Microsoft Defender +## Security Copilot integration in Microsoft Defender -The script analysis capability is available in the Microsoft Defender portal for customers who have provisioned access to Copilot for Security. +The script analysis capability is available in the Microsoft Defender portal for customers who have provisioned access to Security Copilot. -Script analysis is also available in the Copilot for Security standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins). +Script analysis is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). ## Key features 
@@ -68,22 +68,26 @@ To begin analysis, perform the following steps: 2. Copilot runs script analysis and displays the results in the Copilot pane. Select **Show code** to expand the script, or **Hide code** to close the expansion. - :::image type="content" source="/defender/media/copilot-in-defender/script-analyzer/copilot-defender-script-analysis-results-small.png" alt-text="Screenshot that shows the Copilot pane with script analysis results in the Microsoft Defender XDR incident page." lightbox="/defender/media/copilot-in-defender/script-analyzer/copilot-defender-script-analysis-results.png"::: + :::image type="content" source="/defender/media/copilot-in-defender/script-analyzer/show-code-script-small.png" alt-text="Screenshot highlighting the show or hide code option within the script analysis results." lightbox="/defender/media/copilot-in-defender/script-analyzer/show-code-script.png"::: -3. Select the **More actions** ellipsis (...) on the upper right of the script analysis card to copy or regenerate the results, or view the results in the Copilot for Security standalone experience. Selecting **Open in Copilot for Security** opens a new tab to the Copilot standalone portal where you can input prompts and access other plugins. +3. Select **Show MITRE techniques** to view the MITRE ATT&CK techniques associated with the script. This information helps you understand the techniques used by the script and how it can impact your environment. Select **Hide MITRE techniques** to close the expansion. + + :::image type="content" source="/defender/media/copilot-in-defender/script-analyzer/hide-mitre-script-small.png" alt-text="Screenshot highlighting the show or hide MITRE techniques option within the script analysis results." lightbox="/defender/media/copilot-in-defender/script-analyzer/hide-mitre-script.png"::: + +4. Select the **More actions** ellipsis (...) 
on the upper right of the script analysis card to copy or regenerate the results, or view the results in the Security Copilot standalone experience. Selecting **Open in Security Copilot** opens a new tab to the Copilot standalone portal where you can input prompts and access other plugins. - ![Screenshot that shows the More actions option in the Copilot script analysis card.](/defender/media/copilot-in-defender/script-analyzer/copilot-defender-script-analysis-more-actions.png) + ![Screenshot that shows the More actions option in the Copilot script analysis card.](/defender/media/copilot-in-defender/script-analyzer/script-analysis-options.png) -4. Review the results an use the information to guide your investigation and response to the incident. +5. Review the results an use the information to guide your investigation and response to the incident. ## Sample script analysis prompt -In the Copilot for Security standalone portal, you can use the following prompt identify and analyze scripts: +In the Security Copilot standalone portal, you can use the following prompt identify and analyze scripts: - *Identify the scripts in Defender incident {incident ID}. Are these malicious scripts?* > [!TIP] -> When analyzing scripts in the Copilot for Security portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the script analysis capability delivers the results. +> When analyzing scripts in the Security Copilot portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the script analysis capability delivers the results. ## Provide feedback 
@@ -91,7 +95,7 @@ Microsoft highly encourages you to provide feedback to Copilot, as it’s crucia ## See also -- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot) -- [Privacy and data security in Copilot for Security](/copilot/security/privacy-data-security) +- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot) +- [Privacy and data security in Security Copilot](/copilot/security/privacy-data-security) [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] \ No newline at end of file diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md index af2305a8cf..9b648c2d0a 100644 --- a/defender-xdr/whats-new.md +++ b/defender-xdr/whats-new.md 
@@ -31,11 +31,13 @@ You can also get product updates and important notifications through the [messag ## November 2024 +- (Preview) **Attack paths** in the incident graph are now available in the Microsoft Defender portal. The attack story now includes potential attack paths that show the paths that attackers can potentially take after compromising a device. This feature helps you prioritize your response efforts. For more information, see [attack paths in the attack story](investigate-incidents.md#attack-paths). - (Preview) Microsoft Defender XDR customers can now export incident data to PDF. Use the exported data to easily capture and share incident data to other stakeholders. For details, see **[Export incident data to PDF](manage-incidents.md#export-incident-data-to-pdf)**. - (GA) The **last update time** column in the [incident queue](incident-queue.md#incident-queue) is now generally available. - (Preview) Cloud-native investigation and response actions are now available for container-related alerts in the Microsoft Defender portal. Security operations center (SOC) analysts can now investigate and respond to container-related alerts in near real-time with cloud-native response actions and investigation logs to hunt for related activities. For more information, see [Investigate and respond to container threats in the Microsoft Defender portal](investigate-respond-container-threats.md). - (GA) The `arg()` operator in [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries) in Microsoft Defender portal is now generally available. Users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources, and no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if already in Microsoft Defender. - (Preview) The [CloudProcessEvents](advanced-hunting-cloudprocessevents-table.md) table is now available for preview in advanced hunting. 
It contains information about process events in multicloud hosted environments. You can use it to discover threats that can be observed through process details, like malicious processes or command-line signatures. +- (Preview) Migrating custom detection queries to **Continuous (near real-time or NRT) frequency** is now available for preview in advanced hunting. Using the Continuous (NRT) frequency increases your organization's ability to identify threats faster. It has minimal to no impact to your resource usage, and should thus be considered for any qualified custom detection rule in your organization. You can migrate compatible KQL queries by following the steps in [Continuous (NRT) frequency](custom-detection-rules.md#continuous-nrt-frequency). ## October 2024 @@ -54,6 +56,9 @@ You can also get product updates and important notifications through the [messag - In the [query resources report](advanced-hunting-limits.md#find-resource-heavy-queries), you can view any of the queries by selecting the three dots on the query row and selecting **Open in query editor**. - For device entities involved in incidents or alerts, **Go hunt** is also available as one of the options after selecting the three dots on the device side panel. + + + ## August 2024 - (Preview) Microsoft Sentinel data is now available with Defender XDR data in Microsoft Defender multitenant management. Only one Microsoft Sentinel workspace per tenant is currently supported in the Microsoft unified security operations platform. So, Microsoft Defender multitenant management shows security information and event management (SIEM) data from one Microsoft Sentinel workspace per tenant. For more information, see [Microsoft Defender multitenant management](mto-overview.md) and [Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal). 
@@ -97,6 +102,8 @@ You can also get product updates and important notifications through the [messag ## May 2024 +- (Preview) Security analysts can now investigate a user's insider risk in the Microsoft Defender portal with **insider risk severity and insights** available for Microsoft Defender XDR users with provisioned access to Microsoft Purview Insider Risk Management. See the [entity details in the user page](investigate-users.md#entity-details) for more information. + - (GA) The endpoint security policies page is now available in multitenant management in Microsoft Defender XDR. Create, edit, and delete security policies for your tenants' devices from the **Endpoint security policies** page. For more information, see [Endpoint security policies in multitenant management](mto-endpoint-security-policy.md). - Create alert tuning rules using **Alert severity** and **Alert title** values as conditions. Alert tuning can help you streamline the alert queue, saving triage time by hiding or resolving alerts automatically, each time a certain expected organizational behavior occurs, and rule conditions are met. For more information, see [Tune an alert](investigate-alerts.md#tune-an-alert). 
@@ -232,7 +239,7 @@ You can also get product updates and important notifications through the [messag - (Preview) Microsoft Defender Threat Intelligence (Defender TI) is now available in the Microsoft Defender portal. -This change introduces a new navigation menu within the Microsoft Defender portal named **Threat Intelligence**. [Learn more](defender-threat-intelligence.md) +This change introduces a new navigation menu within the Microsoft Defender portal named **Threat Intelligence**. [Learn more](defender-threat-intelligence.md). - (Preview) Complete device reports for the [`DeviceInfo` table](advanced-hunting-deviceinfo-table.md) in advanced hunting are now sent *every hour* (instead of the previous daily cadence). In addition, complete device reports are also sent whenever there's a change to any previous report. New columns were also added to the `DeviceInfo` table, along with several improvements to existing data in `DeviceInfo` and [DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md) tables. diff --git a/defender/index.yml b/defender/index.yml index f93b94a810..a3ae950d1e 100644 --- a/defender/index.yml +++ b/defender/index.yml @@ -227,4 +227,4 @@ additionalContent: - url: /azure/defender-for-cloud/defender-for-resource-manager-introduction text: Microsoft Defender for Resource Manager - url: /azure/defender-for-cloud/defender-for-databases-introduction - text: Microsoft Defender for open-source relational databases \ No newline at end of file + text: Microsoft Defender for open-source relational databases diff --git a/defender/media/copilot-in-defender/create-report/incident-report-options.png b/defender/media/copilot-in-defender/create-report/incident-report-options.png new file mode 100644 index 0000000000..1c79748d53 Binary files /dev/null and b/defender/media/copilot-in-defender/create-report/incident-report-options.png differ 
diff --git a/defender/media/copilot-in-defender/guided-response/guided-response-options1.png b/defender/media/copilot-in-defender/guided-response/guided-response-options1.png new file mode 100644 index 0000000000..a5817b1581 Binary files /dev/null and b/defender/media/copilot-in-defender/guided-response/guided-response-options1.png differ diff --git a/defender/media/copilot-in-defender/guided-response/guided-response-options2.png b/defender/media/copilot-in-defender/guided-response/guided-response-options2.png new file mode 100644 index 0000000000..c03572ad83 Binary files /dev/null and b/defender/media/copilot-in-defender/guided-response/guided-response-options2.png differ diff --git a/defender/media/copilot-in-defender/incident-summary/incident-summary-options.png b/defender/media/copilot-in-defender/incident-summary/incident-summary-options.png new file mode 100644 index 0000000000..b0e1599dfd Binary files /dev/null and b/defender/media/copilot-in-defender/incident-summary/incident-summary-options.png differ diff --git a/defender/media/copilot-in-defender/script-analyzer/hide-mitre-script-small.png b/defender/media/copilot-in-defender/script-analyzer/hide-mitre-script-small.png new file mode 100644 index 0000000000..e9d21ef665 Binary files /dev/null and b/defender/media/copilot-in-defender/script-analyzer/hide-mitre-script-small.png differ diff --git a/defender/media/copilot-in-defender/script-analyzer/hide-mitre-script.png b/defender/media/copilot-in-defender/script-analyzer/hide-mitre-script.png new file mode 100644 index 0000000000..5c84354b57 Binary files /dev/null and b/defender/media/copilot-in-defender/script-analyzer/hide-mitre-script.png differ 
diff --git a/defender/media/copilot-in-defender/script-analyzer/script-analysis-options.png b/defender/media/copilot-in-defender/script-analyzer/script-analysis-options.png new file mode 100644 index 0000000000..9008d1d1da Binary files /dev/null and b/defender/media/copilot-in-defender/script-analyzer/script-analysis-options.png differ diff --git a/defender/media/copilot-in-defender/script-analyzer/show-code-script-small.png b/defender/media/copilot-in-defender/script-analyzer/show-code-script-small.png new file mode 100644 index 0000000000..682ef02e59 Binary files /dev/null and b/defender/media/copilot-in-defender/script-analyzer/show-code-script-small.png differ diff --git a/defender/media/copilot-in-defender/script-analyzer/show-code-script.png b/defender/media/copilot-in-defender/script-analyzer/show-code-script.png new file mode 100644 index 0000000000..fb99458c38 Binary files /dev/null and b/defender/media/copilot-in-defender/script-analyzer/show-code-script.png differ diff --git a/defender/media/custom-detection-compatible-queries.png b/defender/media/custom-detection-compatible-queries.png new file mode 100644 index 0000000000..8ea254cea2 Binary files /dev/null and b/defender/media/custom-detection-compatible-queries.png differ diff --git a/defender/media/custom-detection-migrate-now.png b/defender/media/custom-detection-migrate-now.png new file mode 100644 index 0000000000..912edb7d17 Binary files /dev/null and b/defender/media/custom-detection-migrate-now.png differ diff --git a/defender/media/investigate-incidents/attack-path-pane-small.png b/defender/media/investigate-incidents/attack-path-pane-small.png new file mode 100644 index 0000000000..93012cca62 Binary files /dev/null and b/defender/media/investigate-incidents/attack-path-pane-small.png differ 
diff --git a/defender/media/investigate-incidents/attack-path-pane.png b/defender/media/investigate-incidents/attack-path-pane.png new file mode 100644 index 0000000000..d78b5fb69f Binary files /dev/null and b/defender/media/investigate-incidents/attack-path-pane.png differ diff --git a/defender/media/investigate-incidents/attack-path-small.png b/defender/media/investigate-incidents/attack-path-small.png new file mode 100644 index 0000000000..dd3c072fa5 Binary files /dev/null and b/defender/media/investigate-incidents/attack-path-small.png differ diff --git a/defender/media/investigate-incidents/attack-path.png b/defender/media/investigate-incidents/attack-path.png new file mode 100644 index 0000000000..38066cc544 Binary files /dev/null and b/defender/media/investigate-incidents/attack-path.png differ diff --git a/defender/media/investigate-incidents/evidence-approve-small.png b/defender/media/investigate-incidents/evidence-approve-small.png new file mode 100644 index 0000000000..543cb4dd18 Binary files /dev/null and b/defender/media/investigate-incidents/evidence-approve-small.png differ diff --git a/defender/media/investigate-incidents/evidence-approve.png b/defender/media/investigate-incidents/evidence-approve.png new file mode 100644 index 0000000000..d8afb8304c Binary files /dev/null and b/defender/media/investigate-incidents/evidence-approve.png differ diff --git a/defender/media/investigate-incidents/incident-alert-page-small.png b/defender/media/investigate-incidents/incident-alert-page-small.png new file mode 100644 index 0000000000..ac3cf16ecd Binary files /dev/null and b/defender/media/investigate-incidents/incident-alert-page-small.png differ diff --git a/defender/media/investigate-incidents/incident-alert-page.png b/defender/media/investigate-incidents/incident-alert-page.png new file mode 100644 index 0000000000..7f5f595c36 Binary files /dev/null and b/defender/media/investigate-incidents/incident-alert-page.png differ 
diff --git a/defender/media/investigate-incidents/incident-assets-cloudresource-small.png b/defender/media/investigate-incidents/incident-assets-cloudresource-small.png new file mode 100644 index 0000000000..b26a22aed1 Binary files /dev/null and b/defender/media/investigate-incidents/incident-assets-cloudresource-small.png differ diff --git a/defender/media/investigate-incidents/incident-assets-cloudresource.png b/defender/media/investigate-incidents/incident-assets-cloudresource.png new file mode 100644 index 0000000000..252afa523d Binary files /dev/null and b/defender/media/investigate-incidents/incident-assets-cloudresource.png differ diff --git a/defender/media/investigate-incidents/incident-assets-small.png b/defender/media/investigate-incidents/incident-assets-small.png new file mode 100644 index 0000000000..aff9dc1b7b Binary files /dev/null and b/defender/media/investigate-incidents/incident-assets-small.png differ diff --git a/defender/media/investigate-incidents/incident-assetstab-small.png b/defender/media/investigate-incidents/incident-assetstab-small.png new file mode 100644 index 0000000000..aff9dc1b7b Binary files /dev/null and b/defender/media/investigate-incidents/incident-assetstab-small.png differ diff --git a/defender/media/investigate-incidents/incident-assetstab.png b/defender/media/investigate-incidents/incident-assetstab.png new file mode 100644 index 0000000000..cfb9efa022 Binary files /dev/null and b/defender/media/investigate-incidents/incident-assetstab.png differ diff --git a/defender/media/investigate-incidents/incident-investigationspage-small.png b/defender/media/investigate-incidents/incident-investigationspage-small.png new file mode 100644 index 0000000000..34d6d2802e Binary files /dev/null and b/defender/media/investigate-incidents/incident-investigationspage-small.png differ 
diff --git a/defender/media/investigate-incidents/incident-investigationspage.png b/defender/media/investigate-incidents/incident-investigationspage.png new file mode 100644 index 0000000000..7cd1255398 Binary files /dev/null and b/defender/media/investigate-incidents/incident-investigationspage.png differ diff --git a/defender/media/investigate-incidents/incident-page-alerts-small.png b/defender/media/investigate-incidents/incident-page-alerts-small.png new file mode 100644 index 0000000000..f4da3bb5db Binary files /dev/null and b/defender/media/investigate-incidents/incident-page-alerts-small.png differ diff --git a/defender/media/investigate-incidents/incident-page-alerts.png b/defender/media/investigate-incidents/incident-page-alerts.png new file mode 100644 index 0000000000..5161045321 Binary files /dev/null and b/defender/media/investigate-incidents/incident-page-alerts.png differ diff --git a/defender/media/investigate-incidents/incident-pane-small.png b/defender/media/investigate-incidents/incident-pane-small.png new file mode 100644 index 0000000000..193cebb4e8 Binary files /dev/null and b/defender/media/investigate-incidents/incident-pane-small.png differ diff --git a/defender/media/investigate-incidents/incident-pane.png b/defender/media/investigate-incidents/incident-pane.png new file mode 100644 index 0000000000..f91bfaa502 Binary files /dev/null and b/defender/media/investigate-incidents/incident-pane.png differ diff --git a/defender/media/investigate-incidents/incident-similartab-small.png b/defender/media/investigate-incidents/incident-similartab-small.png new file mode 100644 index 0000000000..670c972991 Binary files /dev/null and b/defender/media/investigate-incidents/incident-similartab-small.png differ 
diff --git a/defender/media/investigate-incidents/incident-similartab.png b/defender/media/investigate-incidents/incident-similartab.png new file mode 100644 index 0000000000..e93dfed0eb Binary files /dev/null and b/defender/media/investigate-incidents/incident-similartab.png differ diff --git a/defender/media/investigate-incidents/incident-summary-small.png b/defender/media/investigate-incidents/incident-summary-small.png new file mode 100644 index 0000000000..0aadeb8e31 Binary files /dev/null and b/defender/media/investigate-incidents/incident-summary-small.png differ diff --git a/defender/media/investigate-incidents/incident-summary.png b/defender/media/investigate-incidents/incident-summary.png new file mode 100644 index 0000000000..40678c802d Binary files /dev/null and b/defender/media/investigate-incidents/incident-summary.png differ diff --git a/defender/media/investigate-incidents/incidents-evidenceresponse-small.png b/defender/media/investigate-incidents/incidents-evidenceresponse-small.png new file mode 100644 index 0000000000..7d3e82f981 Binary files /dev/null and b/defender/media/investigate-incidents/incidents-evidenceresponse-small.png differ diff --git a/defender/media/investigate-incidents/incidents-evidenceresponse.png b/defender/media/investigate-incidents/incidents-evidenceresponse.png new file mode 100644 index 0000000000..19f8a4a6a0 Binary files /dev/null and b/defender/media/investigate-incidents/incidents-evidenceresponse.png differ diff --git a/defender/threat-intelligence/analyst-insights.md b/defender/threat-intelligence/analyst-insights.md index e64858f7e2..e61eed7c35 100644 --- a/defender/threat-intelligence/analyst-insights.md +++ b/defender/threat-intelligence/analyst-insights.md @@ -6,7 +6,7 @@ ms.author: aroland manager: dolmont ms.service: threat-intelligence ms.topic: overview -ms.date: 10/18/2024 +ms.date: 11/18/2024 ms.custom: - template-overview - cx-ti 
@@ -16,7 +16,7 @@ ms.custom: # Analyst insights >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) In Microsoft Defender Threat Intelligence (Defender TI), the **Analyst insights** section provides you with quick insights about an artifact that might help determine your next step in an investigation. This section lists any insights that apply to the artifact, and insights that don't apply for extra visibility. diff --git a/defender/threat-intelligence/data-sets.md b/defender/threat-intelligence/data-sets.md index 43f25b8488..7655b086db 100644 --- a/defender/threat-intelligence/data-sets.md +++ b/defender/threat-intelligence/data-sets.md @@ -6,7 +6,7 @@ ms.author: aroland manager: dolmont ms.service: threat-intelligence ms.topic: conceptual -ms.date: 10/18/2024 +ms.date: 11/18/2024 ms.custom: - template-concept - cx-ti 
@@ -16,7 +16,7 @@ ms.custom: # Data sets >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) Microsoft centralizes numerous data sets into Microsoft Defender Threat Intelligence (Defender TI), making it easier for Microsoft's customers and community to conduct infrastructure analysis. Microsoft's primary focus is to provide as much data as possible about internet infrastructure to support various security use cases. diff --git a/defender/threat-intelligence/gathering-threat-intelligence-and-infrastructure-chaining.md b/defender/threat-intelligence/gathering-threat-intelligence-and-infrastructure-chaining.md index c632e3a21e..c14961d5a6 100644 --- a/defender/threat-intelligence/gathering-threat-intelligence-and-infrastructure-chaining.md +++ b/defender/threat-intelligence/gathering-threat-intelligence-and-infrastructure-chaining.md @@ -6,7 +6,7 @@ ms.author: aroland manager: dolmont ms.service: threat-intelligence ms.topic: tutorial -ms.date: 10/18/2024 +ms.date: 11/18/2024 ms.custom: - template-overview - cx-ti 
@@ -17,7 +17,7 @@ ms.custom: # Tutorial: Gathering threat intelligence and infrastructure chaining >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) This tutorial walks you through how to perform several types of indicator searches and gather threat and adversary intelligence using Microsoft Defender Threat Intelligence (Defender TI) in the Microsoft Defender portal. diff --git a/defender/threat-intelligence/gathering-vulnerability-intelligence.md b/defender/threat-intelligence/gathering-vulnerability-intelligence.md index a502bcdb1a..99a8b45a7a 100644 --- a/defender/threat-intelligence/gathering-vulnerability-intelligence.md +++ b/defender/threat-intelligence/gathering-vulnerability-intelligence.md @@ -6,7 +6,7 @@ ms.author: aroland manager: dolmont ms.service: threat-intelligence ms.topic: tutorial -ms.date: 10/18/2024 +ms.date: 11/18/2024 ms.custom: - template-overview - cx-ti 
@@ -16,7 +16,7 @@ ms.custom: # Tutorial: Gathering vulnerability intelligence >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) This tutorial walks you through how to perform several types of indicator searches to gather vulnerability intelligence using Microsoft Defender Threat Intelligence (Defender TI) in the Microsoft Defender portal. diff --git a/defender/threat-intelligence/infrastructure-chaining.md b/defender/threat-intelligence/infrastructure-chaining.md index 87f865b7c3..4720d8396c 100644 --- a/defender/threat-intelligence/infrastructure-chaining.md +++ b/defender/threat-intelligence/infrastructure-chaining.md @@ -6,7 +6,7 @@ ms.author: aroland manager: dolmont ms.service: threat-intelligence ms.topic: conceptual -ms.date: 10/18/2024 +ms.date: 11/18/2024 ms.custom: - template-overview - cx-ti 
@@ -16,7 +16,7 @@ ms.custom: # Infrastructure chaining >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) Infrastructure chaining uses the relationships between highly connected datasets to build out an investigation. This process is the core of threat infrastructure analysis and allows organizations to surface new connections, group similar attack activity and substantiate assumptions during incident response. diff --git a/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal.md b/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal.md index a1b93e364e..49f762d0a9 100644 --- a/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal.md +++ b/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal.md 
@@ -6,7 +6,7 @@ ms.author: aroland manager: dolmont ms.service: threat-intelligence ms.topic: quickstart -ms.date: 10/18/2024 +ms.date: 11/18/2024 ms.custom: - template-overview - cx-ti @@ -17,7 +17,7 @@ ms.collection: essentials-get-started # Quickstart: Learn how to access Microsoft Defender Threat Intelligence and make customizations >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) This guide walks you through how to access Microsoft Threat Intelligence (Defender TI) from the Microsoft Defender portal, adjust the portal's theme to make it easier on your eyes when using it, and find sources for enrichment so you can see more results when gathering threat intelligence. diff --git a/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-generate-response.png b/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-generate-response.png index aba18b1095..ef4aab677d 100644 Binary files a/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-generate-response.png and b/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-generate-response.png differ 
diff --git a/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-new-chat.png b/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-new-chat.png index 0e5341bedd..c5e13ad6cb 100644 Binary files a/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-new-chat.png and b/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-new-chat.png differ diff --git a/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-response.png b/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-response.png index 615b5f9ba1..ec7904b012 100644 Binary files a/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-response.png and b/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-response.png differ diff --git a/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-side-pane.png b/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-side-pane.png index cdf1c0df1a..e0e24849cc 100644 Binary files a/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-side-pane.png and b/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-side-pane.png differ diff --git a/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-my-sessions.png b/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-my-sessions.png new file mode 100644 index 0000000000..3b9d78abe2 Binary files /dev/null and b/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-my-sessions.png differ diff --git a/defender/threat-intelligence/reputation-scoring.md b/defender/threat-intelligence/reputation-scoring.md index f4764ca501..f1c82b27ec 100644 --- a/defender/threat-intelligence/reputation-scoring.md +++ b/defender/threat-intelligence/reputation-scoring.md 
@@ -6,7 +6,7 @@ ms.author: aroland manager: dolmont ms.service: threat-intelligence ms.topic: overview -ms.date: 10/18/2024 +ms.date: 11/18/2024 ms.custom: - template-overview - cx-ti @@ -16,7 +16,7 @@ ms.custom: # Reputation scoring >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) Microsoft Defender Threat Intelligence (Defender TI) provides proprietary reputation scores for any host, domain, or IP address. Whether validating the reputation of a known or unknown entity, this score helps you quickly understand any detected ties to malicious or suspicious infrastructure. Defender TI provides quick information about the activity of these entities (for example, first- and last-seen timestamps, autonomous system numbers, and associated infrastructure) and a list of rules that affect the reputation score when applicable. diff --git a/defender/threat-intelligence/searching-and-pivoting.md b/defender/threat-intelligence/searching-and-pivoting.md index 6cd7d4cf97..065022ad60 100644 --- a/defender/threat-intelligence/searching-and-pivoting.md +++ b/defender/threat-intelligence/searching-and-pivoting.md 
@@ -6,7 +6,7 @@ ms.author: aroland manager: dolmont ms.service: threat-intelligence ms.topic: how-to -ms.date: 10/18/2024 +ms.date: 11/18/2024 ms.custom: - template-overview - cx-ti @@ -16,7 +16,7 @@ ms.custom: # Searching and pivoting >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) Microsoft Defender Threat Intelligence (Defender TI) offers a robust and flexible search engine to streamline the investigation process. Defender TI is designed to let you pivot across various indicators from different data sources, making it easier than ever to discover relationships between disparate infrastructure. diff --git a/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence.md b/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence.md index 18f5b12865..477e8f54a9 100644 --- a/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence.md +++ b/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence.md 
@@ -1,7 +1,7 @@ --- -title: Microsoft Copilot for Security in Microsoft Defender Threat Intelligence -description: Learn about Microsoft Defender Threat Intelligence capabilities embedded in Copilot for Security. -keywords: security copilot, threat intelligence, defender threat intelligence, defender ti, copilot for security, embedded experience, vulnerability impact assessment, threat actor profile, plugins, Microsoft plugins +title: Microsoft Security Copilot in Microsoft Defender Threat Intelligence +description: Learn about Microsoft Defender Threat Intelligence capabilities embedded in Security Copilot. +keywords: security copilot, threat intelligence, defender threat intelligence, defender ti, Security Copilot, embedded experience, vulnerability impact assessment, threat actor profile, plugins, Microsoft plugins ms.service: defender-xdr ms.author: pauloliveria author: poliveria 
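Review bot: The `+keywords:` line in this front-matter hunk now lists the same term twice, "security copilot" at the start and "Security Copilot" where "copilot for security" was replaced; drop the second entry rather than keeping a case-variant duplicate.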
@@ -16,52 +16,52 @@ ms.custom: - cx-ti - cx-mdti ms.topic: conceptual -ms.date: 10/18/2024 +ms.date: 11/18/2024 --- -# Microsoft Copilot for Security in Microsoft Defender Threat Intelligence +# Microsoft Security Copilot in Microsoft Defender Threat Intelligence >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) -Microsoft Copilot for Security is a cloud-based AI platform that provides natural language copilot experience. It can help support security professionals in different scenarios, like incident response, threat hunting, and intelligence gathering. For more information about what it can do, read [What is Microsoft Copilot for Security?](/security-copilot/microsoft-security-copilot). +Microsoft Security Copilot is a cloud-based AI platform that provides natural language copilot experience. It can help support security professionals in different scenarios, like incident response, threat hunting, and intelligence gathering. For more information about what it can do, read [What is Microsoft Security Copilot?](/copilot/security/microsoft-security-copilot). 
-Copilot for Security customers gain for each of their authenticated Copilot users access to Microsoft Defender Threat Intelligence (Defender TI). To ensure that you have access to Copilot, see the [Copilot for Security purchase and licensing information](/security-copilot/faq-security-copilot). +Security Copilot customers gain for each of their authenticated Copilot users access to Microsoft Defender Threat Intelligence (Defender TI). To ensure that you have access to Copilot, see the [Security Copilot purchase and licensing information](/copilot/security/faq-security-copilot). -Once you have access to Copilot for Security, the key features discussed in this article become accessible in either the Copilot for Security portal or the [Microsoft Defender portal](using-copilot-threat-intelligence-defender-xdr.md). +Once you have access to Security Copilot, the key features discussed in this article become accessible in either the Security Copilot portal or the [Microsoft Defender portal](using-copilot-threat-intelligence-defender-xdr.md). 
## Know before you begin -If you're new to Copilot for Security, you should familiarize yourself with it by reading these articles: +If you're new to Security Copilot, you should familiarize yourself with it by reading these articles: -- [What is Microsoft Copilot for Security?](/security-copilot/microsoft-security-copilot) -- [Microsoft Copilot for Security experiences](/security-copilot/experiences-security-copilot) -- [Get started with Microsoft Copilot for Security](/security-copilot/get-started-security-copilot) -- [Understand authentication in Microsoft Copilot for Security](/security-copilot/authentication) -- [Prompting in Microsoft Copilot for Security](/security-copilot/prompting-security-copilot) +- [What is Microsoft Security Copilot?](/copilot/security/microsoft-security-copilot) +- [Microsoft Security Copilot experiences](/copilot/security/experiences-security-copilot) +- [Get started with Microsoft Security Copilot](/copilot/security/get-started-security-copilot) +- [Understand authentication in Microsoft Security Copilot](/copilot/security/authentication) +- [Prompting in Microsoft Security Copilot](/copilot/security/prompting-security-copilot) -## Copilot for Security integration in Defender TI +## Security Copilot integration in Defender TI -Copilot for Security delivers information about threat actors, indicators of compromise (IOCs), tools, and vulnerabilities, as well as contextual threat intelligence from Defender TI. You can use the prompts and promptbooks to investigate incidents, enrich your hunting flows with threat intelligence information, or gain more knowledge about your organization's or the global threat landscape. +Security Copilot delivers information about threat actors, indicators of compromise (IOCs), tools, and vulnerabilities, as well as contextual threat intelligence from Defender TI. 
You can use the prompts and promptbooks to investigate incidents, enrich your hunting flows with threat intelligence information, or gain more knowledge about your organization's or the global threat landscape. - Be clear and specific with your prompts. You might get better results if you include specific threat actor names or IOCs in your prompts. It might also help if you add **threat intelligence** to your prompt, like: - Show me threat intelligence data for Aqua Blizzard. - Summarize threat intelligence data for "malicious.com." - Be specific when referencing an incident (for example, "incident ID 15324"). - Experiment with different prompts and variations to see what works best for your use case. Chat AI models vary, so iterate and refine your prompts based on the results you receive. -- Copilot saves your prompt sessions. To see the previous sessions, from the Copilot for Security [Home menu](/security-copilot/navigating-security-copilot#home-menu), go to **My sessions**. +- Copilot saves your prompt sessions. To see the previous sessions, from the Security Copilot [Home menu](/copilot/security/navigating-security-copilot#home-menu), go to **My sessions**. - ![Screenshot that shows the Microsoft Copilot for Security Home menu with My sessions highlighted.](/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-my-sessions.png) + ![Screenshot that shows the Microsoft Security Copilot Home menu with My sessions highlighted.](/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-my-sessions.png) > [!NOTE] - > For a walkthrough on Copilot, including the pin and share feature, read [Navigate Microsoft Copilot for Security](/security-copilot/navigating-security-copilot). + > For a walkthrough on Copilot, including the pin and share feature, read [Navigate Microsoft Security Copilot](/copilot/security/navigating-security-copilot). 
-[Learn more about creating effective prompts](/security-copilot/prompting-tips) +[Learn more about creating effective prompts](/copilot/security/prompting-tips) ## Key features -Copilot for Security lets security teams understand, prioritize, and take action on threat intelligence information immediately. +Security Copilot lets security teams understand, prioritize, and take action on threat intelligence information immediately. You can ask about a threat actor, attack campaign, or any other threat intelligence that you want to know more about, and Copilot generates responses based on threat analytics reports, intel profiles and articles, and other Defender TI content. 
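Review bot: Two grammar problems ride along on rewritten lines in the `@@ -16,52 +16,52 @@` hunk: the `+` intro line still reads "provides natural language copilot experience" (needs "a natural language"), and the licensing `+` line "Security Copilot customers gain for each of their authenticated Copilot users access to Microsoft Defender Threat Intelligence (Defender TI)" is hard to parse. Suggest "Each authenticated Security Copilot user gains access to Microsoft Defender Threat Intelligence (Defender TI)." Both lines are already being rewritten, so this is the place to fix them.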
@@ -74,38 +74,40 @@ You can also select any of the built-in prompts that are available in the Defend [Learn more about using Copilot in Defender for threat intelligence](using-copilot-threat-intelligence-defender-xdr.md) -## Enable the Copilot for Security integration in Defender TI +## Turn on the Security Copilot integration in Defender TI -1. Go to [Microsoft Copilot for Security](https://go.microsoft.com/fwlink/?linkid=2247989) and sign in with your credentials. +1. Go to [Microsoft Security Copilot](https://go.microsoft.com/fwlink/?linkid=2247989) and sign in with your credentials. 2. Make sure that the Defender TI plugin is turned on. In the prompt bar, select the **Sources** icon ![Screenshot of the Sources icon.](/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-sources-icon.png). - ![Screenshot of the prompt bar in Microsoft Copilot for Security with the Sources icon highlighted.](media/defender-ti-and-copilot/copilot-prompts-bar-sources.png) + ![Screenshot of the prompt bar in Microsoft Security Copilot with the Sources icon highlighted.](media/defender-ti-and-copilot/copilot-prompts-bar-sources.png) In the **Manage sources** pop-up window that appears, under **Plugins**, confirm that the **Microsoft Threat Intelligence** toggle is turned on, then close the window. ![Screenshot of the Manage plugins pop-up window with the Microsoft Threat Intelligence plugin highlighted.](media/defender-ti-and-copilot/copilot-manage-plugins.png) > [!NOTE] - > Some roles can turn the toggle on or off for plugins like Defender TI. For more information, read [Manage plugins in Microsoft Copilot for Security](/security-copilot/manage-plugins). + > Some roles can turn the toggle on or off for plugins like Defender TI. For more information, read [Manage plugins in Microsoft Security Copilot](/copilot/security/manage-plugins). 3. Enter your prompt in the prompt bar. 
### Built-in system features -Copilot for Security has built-in system features that can get data from the different plugins that are turned on. +Security Copilot has built-in system features that can get data from the different plugins that are turned on. To view the list of built-in system capabilities for Defender TI: 1. In the prompt bar, select the **Prompts** icon ![Screenshot of the prompts icon.](/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-prompts-icon.png). - ![Screenshot of the prompt bar in Microsoft Copilot for Security with the Prompts icon highlighted.](media/defender-ti-and-copilot/copilot-prompts-bar-prompts.png) + ![Screenshot of the prompt bar in Microsoft Security Copilot with the Prompts icon highlighted.](media/defender-ti-and-copilot/copilot-prompts-bar-prompts.png) -2. Select **See all system capabilities**. The *Microsoft Defender Threat Intelligence* section lists all the available capabilities for Defender TI that you can use. +2. Select **See all system capabilities**. The *Microsoft Threat Intelligence* section lists all the available capabilities for Defender TI that you can use. Copilot also has the following promptbooks that also deliver information from Defender TI: -- **Threat actor profile** – Generates a report profiling a known threat actor, including suggestions to defend against their common tools and tactics. -- **Vulnerability impact assessment** – Generates a report summarizing the intelligence for a known vulnerability, including steps on how to address it. +- [**Check impact of an external threat article**](/copilot/security/using-promptbooks#check-impact-of-an-external-threat-article) – Analyzes an external or third-party (that is, not published in Defender TI) article to extract related IOCs, summarize the intelligence, and generate hunting queries so you can assess the potential impact of the threat reported in the article to your organization. 
+- [**Threat actor profile**](/copilot/security/using-promptbooks#threat-actor-profile) – Generates a report profiling a known threat actor, including suggestions to defend against their common tools and tactics. +- [**Threat Intelligence 360 report based on MDTI article**](/copilot/security/using-promptbooks#threat-intelligence-360-report-based-on-mdti-article) – Analyzes a [Defender TI article](what-is-microsoft-defender-threat-intelligence-defender-ti.md#articles) to extract related IOCs, summarize the intelligence, and generate hunting queries so you can assess the potential impact of the threat reported in the article to your organization. +- [**Vulnerability impact assessment**](/copilot/security/using-promptbooks#vulnerability-impact-assessment) – Generates a report summarizing the intelligence for a known vulnerability, including steps on how to address it. To view these promptbooks, in the prompt bar, select the **Prompts** icon then select **See all promptbooks**. @@ -113,7 +115,7 @@ To view these promptbooks, in the prompt bar, select the **Prompts** icon then s You can use many prompts to get information from Defender TI. This section lists some ideas and examples. -#### General information about threat intelligence trends +### General information about threat intelligence trends Get threat intelligence from threat articles and threat actors. 
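Review bot: In step 2 of the `@@ -74,38 +74,40 @@` hunk the text sends the reader to the **Manage sources** window while the unchanged screenshot alt text directly below still says "Manage plugins pop-up window"; align the two on the current UI name. Two lines further down, the unchanged context "Copilot also has the following promptbooks that also deliver" doubles "also" and is worth trimming while the list beneath it is being rewritten.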
@@ -123,16 +125,7 @@ Get threat intelligence from threat articles and threat actors. - Show me the latest threat articles. - Get threat articles related to ransomware in the last six months. -#### IP address and host contextual information in relation to threat intelligence - -Get information on datasets associated with IP addresses and hosts, such as ports, reputation scores, components, certificates, cookies, services, and host pairs. - -**Sample prompts**: - -- Show me the reputation of the host _\_. -- Get resolutions for IP address _\_. - -#### Threat actor mapping and infrastructure +### Threat actor mapping and infrastructure Get information on threat actors and the tactics, techniques, and procedures (TTPs), sponsored states, industries, and IOCs associated with them. **Sample prompts**: @@ -142,9 +135,9 @@ Get information on threat actors and the tactics, techniques, and procedures (TT - Share the TTPs associated with Silk Typhoon. - Share threat actors associated with Russia. -#### Vulnerability data by CVE +### Vulnerability data by CVE -Get contextual information and threat intelligence on Common Vulnerabilities and Exposures (CVEs). +Get contextual information and threat intelligence on Common Vulnerabilities and Exposures (CVEs), which are derived from Defender TI articles, [threat analytics reports](/defender-xdr/threat-analytics), and data from [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management) and [Microsoft Defender Endpoint Attack Surface Management](/azure/external-attack-surface-management/overview). **Sample prompts**: 
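Review bot: The new CVE paragraph in the `@@ -142,9 +135,9 @@` hunk names "Microsoft Defender Endpoint Attack Surface Management" but links to `/azure/external-attack-surface-management/overview`; the product that path documents is Microsoft Defender External Attack Surface Management, so "Endpoint" looks like a slip. Separately, the `@@ -123,16 +125,7 @@` hunk promotes "Threat actor mapping and infrastructure" (and the neighbouring prompt categories) from `####` to `###`, which makes them siblings of "Built-in system features" instead of children of the section whose lead sentence says "This section lists some ideas and examples"; confirm that heading level is intended.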
@@ -154,9 +147,23 @@ Get contextual information and threat intelligence on Common Vulnerabilities and - Show me threat actors associated with CVE-2021-44228. - Show me the threat articles associated with CVE-2021-44228. +### Indicator data in relation to threat intelligence + +Get detailed information about an indicator (for example, IP addresses, domains, and file hashes) based on the numerous [data sets](data-sets.md) available in Defender TI, including reputation scores, WHOIS information, domain name system (DNS), host pairs, and certificates. + +**Sample prompts**: + +- What can you tell me about the domain _\_? +- Show me indicators related to _\_. +- Show me all resolutions for _\_. +- Show me host pairs related to _\_. +- Show me the reputation of the host _\_. +- Show me all resolutions for IP address _\_. +- Show me the open services in _\_. + ## Provide feedback -Your feedback on the Defender TI integration in Copilot for Security helps with development. To provide feedback, in Copilot, select **How's this response?** At the bottom of each completed prompt and choose any of the following options: +Your feedback on the Defender TI integration in Security Copilot helps with development. To provide feedback, in Copilot, select **How's this response?** At the bottom of each completed prompt and choose any of the following options: - **Looks right** - Select this button if the results are accurate, based on your assessment. - **Needs improvement** - Select this button if any detail in the results is incorrect or incomplete, based on your assessment. - **Inappropriate** - Select this button if the results contain questionable, ambiguous, or potentially harmful information. 
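Review bot: In the new "Indicator data in relation to threat intelligence" list in the `@@ -154,9 +147,23 @@` hunk, "Show me all resolutions for _\_." and "Show me all resolutions for IP address _\_." are the same prompt with and without the indicator type; either drop one or label the first as a domain prompt so the list shows both directions of the resolution pivot. Every placeholder in these `+` lines also renders here as `_\_`; confirm the source carries the intended `<domain>` / `<IP address>` text inside the escaped italics.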
@@ -164,12 +171,12 @@ Your feedback on the Defender TI integration in Copilot for Security helps with For each feedback button, you can provide more information in the next dialog box that appears. Whenever possible, and when the result is **Needs improvement**, write a few words explaining what can be done to improve the outcome. If you entered prompts specific to Defender TI and the results aren't related, then include that information. -## Privacy and data security in Copilot for Security +## Privacy and data security in Security Copilot -When you interact with Copilot for Security to get Defender TI data, Copilot pulls that data from Defender TI. The prompts, the data retrieved, and the output shown in the prompt results are processed and stored within the Copilot service. [Learn more about privacy and data security in Microsoft Copilot for Security](/security-copilot/privacy-data-security) +When you interact with Security Copilot to get Defender TI data, Copilot pulls that data from Defender TI. The prompts, the data retrieved, and the output shown in the prompt results are processed and stored within the Copilot service. [Learn more about privacy and data security in Microsoft Security Copilot](/copilot/security/privacy-data-security) ### See also -- [What is Microsoft Copilot for Security?](/security-copilot/microsoft-security-copilot) -- [Privacy and data security in Microsoft Copilot for Security](/security-copilot/privacy-data-security) -- [Using Microsoft Copilot for Security for threat intelligence](using-copilot-threat-intelligence-defender-xdr.md) +- [What is Microsoft Security Copilot?](/copilot/security/microsoft-security-copilot) +- [Privacy and data security in Microsoft Security Copilot](/copilot/security/privacy-data-security) +- [Using Microsoft Security Copilot for threat intelligence](using-copilot-threat-intelligence-defender-xdr.md) 
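Review bot: In the `@@ -164,12 +171,12 @@` hunk the "### See also" heading sits directly under "## Privacy and data security in Security Copilot", so the page's closing link list renders as a subsection of the privacy section; promote it to `##` if it is meant to close the whole article. The rewritten privacy `+` line also ends on the link "[Learn more about privacy and data security in Microsoft Security Copilot](...)" without a terminating period.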
diff --git a/defender/threat-intelligence/sorting-filtering-and-downloading-data.md b/defender/threat-intelligence/sorting-filtering-and-downloading-data.md index 4899265cb9..6166236ec6 100644 --- a/defender/threat-intelligence/sorting-filtering-and-downloading-data.md +++ b/defender/threat-intelligence/sorting-filtering-and-downloading-data.md @@ -6,7 +6,7 @@ ms.author: aroland manager: dolmont ms.service: threat-intelligence ms.topic: how-to -ms.date: 10/18/2024 +ms.date: 11/18/2024 ms.custom: - template-overview - cx-ti @@ -16,7 +16,7 @@ ms.custom: # Sorting, filtering, and downloading data >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) Microsoft Defender Threat Intelligence (Defender TI) lets you access our vast collection of crawling data in an indexed and pivot table format. These data sets can be large, returning expansive amounts of historic and recent data. By letting you appropriately sort and filter the data, we help you surface the connections of interest easily. 
diff --git a/defender/threat-intelligence/using-copilot-threat-intelligence-defender-xdr.md b/defender/threat-intelligence/using-copilot-threat-intelligence-defender-xdr.md index 3e49b5ca5c..b40cc3a15d 100644 --- a/defender/threat-intelligence/using-copilot-threat-intelligence-defender-xdr.md +++ b/defender/threat-intelligence/using-copilot-threat-intelligence-defender-xdr.md @@ -1,7 +1,7 @@ --- -title: Use Microsoft Copilot for Security for threat intelligence -description: Learn about Copilot for Security embedded experience in Microsoft Defender for Microsoft Defender Threat Intelligence. -keywords: security copilot, threat intelligence, defender threat intelligence, defender ti, copilot for security, embedded experience, vulnerability impact assessment, threat actor profile, plugins, Microsoft plugins +title: Use Microsoft Security Copilot for threat intelligence +description: Learn about Security Copilot embedded experience in Microsoft Defender for Microsoft Defender Threat Intelligence. +keywords: security copilot, threat intelligence, defender threat intelligence, defender ti, Security Copilot, embedded experience, vulnerability impact assessment, threat actor profile, plugins, Microsoft plugins ms.service: defender-xdr ms.author: pauloliveria author: poliveria 
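Review bot: the rewritten `description:` line in this front-matter hunk is still missing an article and repeats the product name: `Learn about Security Copilot embedded experience in Microsoft Defender for Microsoft Defender Threat Intelligence.` Suggest `Learn about the Security Copilot embedded experience in Microsoft Defender for Defender Threat Intelligence.` The `keywords:` line now lists both `security copilot` and `Security Copilot`; keep one entry, in the lower case the rest of the list uses.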
@@ -16,29 +16,29 @@ ms.custom: - cx-ti - cx-mdti ms.topic: conceptual -ms.date: 10/18/2024 +ms.date: 11/18/2024 --- -# Using Microsoft Copilot for Security for threat intelligence +# Using Microsoft Security Copilot for threat intelligence **Applies to:** - [Microsoft Defender XDR](/defender-xdr) >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) -Microsoft Copilot in Defender applies the capabilities of [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) to deliver Microsoft Defender Threat Intelligence (Defender TI) information about threat actors and tools, as well as contextual threat intelligence, directly into the Microsoft Defender portal. Based on threat analytics reports, intel profiles, and other available Defender TI content, you can use Copilot in Defender to summarize the latest threats affecting your organization, know which threats to prioritize based on your exposure level, or gain more knowledge about your organization's or the global threat landscape. 
+Microsoft Copilot in Defender applies the capabilities of [Microsoft Security Copilot](/copilot/security/microsoft-security-copilot) to deliver Microsoft Defender Threat Intelligence (Defender TI) information about threat actors and tools, as well as contextual threat intelligence, directly into the Microsoft Defender portal. Based on threat analytics reports, intel profiles, and other available Defender TI content, you can use Copilot in Defender to summarize the latest threats affecting your organization, know which threats to prioritize based on your exposure level, or gain more knowledge about your organization's or the global threat landscape. > [!NOTE] -> Defender TI capabilities are also available in Copilot for Security standalone experience through the Microsoft Threat Intelligence plugin. [Learn more about Defender TI integration with Copilot for Security](security-copilot-and-defender-threat-intelligence.md) +> Defender TI capabilities are also available in Security Copilot standalone experience through the Microsoft Threat Intelligence plugin. [Learn more about Defender TI integration with Security Copilot](security-copilot-and-defender-threat-intelligence.md) ## Technical requirements -Copilot for Security customers gain for each of their authenticated Copilot users access to Defender TI within the Defender portal. [Learn how you can get started with Copilot for Security](/security-copilot/get-started-security-copilot) +Security Copilot customers gain for each of their authenticated Copilot users access to Defender TI within the Defender portal. 
[Learn how you can get started with Security Copilot](/copilot/security/get-started-security-copilot) ## Accessing Copilot in Defender for threat intelligence content -You can experience Copilot for Security's capability to look up threat intelligence in the following pages of the Defender portal: +You can experience Security Copilot's capability to look up threat intelligence in the following pages of the Defender portal: - Threat analytics - Intel profiles 
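Review bot: the rewritten sentence under `## Technical requirements` keeps an awkward word order: `Security Copilot customers gain for each of their authenticated Copilot users access to Defender TI within the Defender portal.` Suggest `Security Copilot customers get access to Defender TI within the Defender portal for each of their authenticated Copilot users.` The `[!NOTE]` line in the same hunk is missing an article: `available in the Security Copilot standalone experience`.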
@@ -62,14 +62,14 @@ You can experience Copilot for Security's capability to look up threat intellige ![Screenshot that shows the response generated by Copilot in Defender.](media/defender-ti-and-copilot/copilot-defender-response.png) -5. You can provide feedback about the generated response by selecting the **Provide feedback** icon ![Screenshot that shows the Provide feedback icon in Copilot in Defender.](media/defender-ti-and-copilot/copilot-defender-feedback.png) and choosing **Confirmed, it looks great**; **Off-target, inaccurate**; or **Potentially harmful, inappropriate**. [Learn more](/defender-xdr/security-copilot-in-microsoft-365-defender#data-security-and-feedback-in-copilot) +5. You can provide feedback about the generated response by selecting the **Provide feedback** icon ![Screenshot that shows the Provide feedback icon in Copilot in Defender.](media/defender-ti-and-copilot/copilot-defender-feedback.png) and choosing **Looks right**, **Needs improvement**, or **Inappropriate**. [Learn more](/defender-xdr/security-copilot-in-microsoft-365-defender#provide-feedback) 6. To start a new chat session with Copilot, select the **New chat** icon ![Screenshot that shows the New chat icon in Copilot in Defender.](media/defender-ti-and-copilot/copilot-defender-new-chat.png). > [!NOTE] -> Copilot saves your sessions from the Defender portal in the [Copilot for Security standalone portal](https://go.microsoft.com/fwlink/?linkid=2247989). To see the previous sessions, from the Copilot [Home menu](/security-copilot/navigating-security-copilot#home-menu), go to **My sessions**. [Learn more about navigating Microsoft Copilot for Security](/security-copilot/navigating-security-copilot) +> Copilot saves your sessions from the Defender portal in the [Security Copilot standalone portal](https://go.microsoft.com/fwlink/?linkid=2247989). To see the previous sessions, from the Copilot [Home menu](/copilot/security/navigating-security-copilot#home-menu), go to **My sessions**. 
[Learn more about navigating Microsoft Security Copilot](/copilot/security/navigating-security-copilot) > [!IMPORTANT] -> Copilot in Defender starts a new chat session every time you navigate to a different *Threat intelligence* page (for example, when you go from *Threat analytics* to *Intel profiles*) in the Defender portal. If you wish to go back or continue a previous session, go to the Copilot for Security standalone portal. +> Copilot in Defender starts a new chat session every time you navigate to a different *Threat intelligence* page (for example, when you go from *Threat analytics* to *Intel profiles*) in the Defender portal. If you wish to go back or continue a previous session, go to the Security Copilot standalone portal. ## Use the built-in Defender TI prompts @@ -95,5 +95,5 @@ An important aspect of threat intelligence is keeping up to date with the global ### See also -- [What is Microsoft Copilot for Security?](/security-copilot/microsoft-security-copilot) -- [Microsoft Copilot for Security and Microsoft Defender Threat Intelligence](security-copilot-and-defender-threat-intelligence.md) +- [What is Microsoft Security Copilot?](/copilot/security/microsoft-security-copilot) +- [Microsoft Security Copilot and Microsoft Defender Threat Intelligence](security-copilot-and-defender-threat-intelligence.md) diff --git a/defender/threat-intelligence/using-projects.md b/defender/threat-intelligence/using-projects.md index dc901f290a..48eef5446c 100644 --- a/defender/threat-intelligence/using-projects.md +++ b/defender/threat-intelligence/using-projects.md @@ -6,7 +6,7 @@ ms.author: aroland manager: dolmont ms.service: threat-intelligence ms.topic: how-to -ms.date: 10/18/2024 +ms.date: 11/18/2024 ms.custom: - template-overview - cx-ti 
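Review bot: in the `@@ -62,14 +62,14 @@` hunk, step 5 now links to `/defender-xdr/security-copilot-in-microsoft-365-defender#provide-feedback` instead of `#data-security-and-feedback-in-copilot`; confirm that heading exists on the target page, because the feedback labels were changed in the same line (**Looks right**, **Needs improvement**, **Inappropriate**) and the linked section should describe the same controls.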
@@ -16,7 +16,7 @@ ms.custom: # Using projects >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) Microsoft Defender Threat Intelligence (Defender TI) lets you develop private personal or team projects to organize indicators of interest and indicators of compromise (IOCs) from an investigation. Projects contain a listing of all associated artifacts and a detailed history that retains the names, descriptions, collaborators, and monitoring profiles. diff --git a/defender/threat-intelligence/using-tags.md b/defender/threat-intelligence/using-tags.md index e633452428..64991ea2c3 100644 --- a/defender/threat-intelligence/using-tags.md +++ b/defender/threat-intelligence/using-tags.md @@ -6,7 +6,7 @@ ms.author: aroland manager: dolmont ms.service: threat-intelligence ms.topic: how-to -ms.date: 10/18/2024 +ms.date: 11/18/2024 ms.custom: - template-overview - cx-ti 
@@ -16,7 +16,7 @@ ms.custom: # Using tags >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) Microsoft Defender Threat Intelligence (Defender TI) tags provide quick insight about an artifact, whether derived by the system or generated by other users. Tags aid analysts in connecting the dots between current incidents and investigations and their historical context for improved analysis. diff --git a/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti.md b/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti.md index 82d85ef8b2..957816f649 100644 --- a/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti.md +++ b/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti.md @@ -7,7 +7,7 @@ manager: dolmont ms.service: threat-intelligence ms.collection: essentials-overview ms.topic: overview -ms.date: 10/18/2024 +ms.date: 11/18/2024 ms.custom: - template-overview - cx-ti 
@@ -17,7 +17,7 @@ ms.custom: # What is Microsoft Defender Threat Intelligence (Defender TI)? >[!IMPORTANT] -> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) +> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (`https://ti.defender.microsoft.com`) was retired and is no longer accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Security Copilot](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal) Microsoft Defender Threat Intelligence (Defender TI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence. With security organizations actioning an ever-increasing amount of intelligence and alerts within their environment, having a threat analysis an intelligence platform that allows for accurate and timely assessments of alerting is important. diff --git a/exposure-management/Qualys-data-connector.md b/exposure-management/Qualys-data-connector.md index 77884d0404..b370ee5cdf 100644 --- a/exposure-management/Qualys-data-connector.md +++ b/exposure-management/Qualys-data-connector.md 
@@ -61,8 +61,8 @@ Here are some common issues that might arise when configuring the Qualys Connect | **Error Type** | **Troubleshooting Action** | | ------------------------------------------------------------ | ------------------------------------------------------------ | -| **Error code** 401: Authorization failure | An authorization failure indicates that credentials might not be correct, or there might not be sufficient permissions to access the Qualys data. Check your credentials and make sure they're correct and valid. Also check that your credentials have the required permissions. See the Qualys [configuration section](#qualys-configuration) for details on how to assign the appropriate role and scope.
You can validate your user credentials by running the following:
curl -u "user:password" -H "X-Requested-With: Curl" -X "POST"-d "action=list" "[https://qualysapi.qg1.apps.qualys.ca/qps/rest/2.0/search/am/hostasset](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fqualysapi.qg1.apps.qualys.ca%2Fqps%2Frest%2F2.0%2Fsearch%2Fam%2Fhostasset&data=05\|02\|dlanger@microsoft.com\|16df3effc63244b6236808dcfe9c61d1\|72f988bf86f141af91ab2d7cd011db47\|1\|0\|638665194889139624\|Unknown\|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D\|0\|\|\|&sdata=cnChKl0R%2BvXdnHEyWXwtokJXLWfJTBEkZksbJEvqiqA%3D&reserved=0)" >output.txt | -| **Error code** 409: Possible insufficient permissions | Qualys connector utilizes the knowledge_base API which requires specific permissions. You can see more details in the KnowledgeBase section of [this Qualys API document](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcdn2.qualys.com%2Fdocs%2Fqualys-api-vmpc-user-guide.pdf&data=05\|02\|dlanger@microsoft.com\|16df3effc63244b6236808dcfe9c61d1\|72f988bf86f141af91ab2d7cd011db47\|1\|0\|638665194889160705\|Unknown\|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D\|0\|\|\|&sdata=6VlESEXXIudzrf3WFAqAqXu775Q72%2FynZxGt75W0%2BVk%3D&reserved=0).
To validate the provided user has sufficient permissions, run the following command and verify it succeeds:
curl -u "user:password" -H "X-Requested-With: Curl" -X "POST"-d "action=list""[https://qualysapi.qg1.apps.qualys.ca/api/2.0/fo/knowledge_base/vuln/](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fqualysapi.qg1.apps.qualys.ca%2Fapi%2F2.0%2Ffo%2Fknowledge_base%2Fvuln%2F&data=05\|02\|dlanger@microsoft.com\|16df3effc63244b6236808dcfe9c61d1\|72f988bf86f141af91ab2d7cd011db47\|1\|0\|638665194889173173\|Unknown\|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D\|0\|\|\|&sdata=g8%2BzcLq3rI%2B2%2F6ii9WNiyKBsHzGU7vQPfMKT232C5f4%3D&reserved=0)" >output.txt
In case it fails, refer to Qualys documentation to mitigate. | +| **Error code** 401: Authorization failure | An authorization failure indicates that credentials might not be correct, or there might not be sufficient permissions to access the Qualys data. Check your credentials and make sure they're correct and valid. Also check that your credentials have the required permissions. See the Qualys [configuration section](#qualys-configuration) for details on how to assign the appropriate role and scope.
You can validate your user credentials by running the following:
curl -u "user:password" -H "X-Requested-With: Curl" -X "POST"-d "action=list" "[https://qualysapi.qg1.apps.qualys.ca/qps/rest/2.0/search/am/hostasset](https://qualysapi.qg1.apps.qualys.ca/qps/rest/2.0/search/am/hostasset)" >output.txt | +| **Error code** 409: Possible insufficient permissions | Qualys connector utilizes the knowledge_base API which requires specific permissions. You can see more details in the KnowledgeBase section of [this Qualys API document](https://cdn2.qualys.com/docs/qualys-api-vmpc-user-guide.pdf).
To validate the provided user has sufficient permissions, run the following command and verify it succeeds:
curl -u "user:password" -H "X-Requested-With: Curl" -X "POST"-d "action=list""[https://qualysapi.qg1.apps.qualys.ca/api/2.0/fo/knowledge_base/vuln/](https://qualysapi.qg1.apps.qualys.ca/api/2.0/fo/knowledge_base/vuln/)" >output.txt
In case it fails, refer to Qualys documentation to mitigate. | | **Error code 403:** Access forbidden error | This error indicates that the provided credentials lack the necessary permissions to run the requested APIs. Update your credentials with the proper permissions as described in the [configuration section](#qualys-configuration), and make sure they have at minimum the Read Asset permissions. | | **Error code 404:** Not found error | This error indicates that the requested endpoint wasn't found to be reachable. Verify that your Qualys API endpoint is correct, see the [configuration section](#qualys-configuration) for details. | | **Error code 429** 'Too many requests" | The system periodically pulls data from the configured external providers, which might have a limit on the number of concurrent requests. We recommend creating a dedicated user or account for the connector to avoid reaching this limit. | diff --git a/exposure-management/Rapid7-data-connector.md b/exposure-management/Rapid7-data-connector.md index 4bce3851a7..74e65f06c1 100644 --- a/exposure-management/Rapid7-data-connector.md +++ b/exposure-management/Rapid7-data-connector.md 
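Review bot: the two curl commands in the 401 and 409 rows still won't run as pasted: `-X "POST"-d` has no space before `-d`, and the 409 row's `"action=list""[https://...` has no space between the data argument and the URL. Now that the link text and target are identical, the `[url](url)` wrapper inside the command can go too, so readers copy a plain command, for example `curl -u "user" -H "X-Requested-With: Curl" -X POST -d "action=list" "https://qualysapi.qg1.apps.qualys.ca/qps/rest/2.0/search/am/hostasset" > output.txt`. Two smaller points: `-u "user:password"` leaves the password in shell history, whereas `-u "user"` alone makes curl prompt for it; and `qg1.apps.qualys.ca` is a single Qualys platform host, so the rows should tell the reader to substitute the API endpoint from the configuration section, as the 404 row already does.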
@@ -44,10 +44,10 @@ Here are some common issues that might arise when configuring the Rapid7 Connect | **Error Type** | **Troubleshooting Action** | | ------------------------------------------------------------ | ------------------------------------------------------------ | -| 'The remote server name couldn't be resolved' error message | Verify the Rapid7 endpoint. Learn more about how to determine your Rapid7 API endpoint [here](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.rapid7.com%2Finsight%2Fapi-overview%23endpoint&data=05\|02\|dlanger@microsoft.com\|16df3effc63244b6236808dcfe9c61d1\|72f988bf86f141af91ab2d7cd011db47\|1\|0\|638665194889184920\|Unknown\|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D\|0\|\|\|&sdata=s1lGW1eKqmNLGqe%2FNxbMZvszhRwRzGM6AD6Gv0w26IU%3D&reserved=0). | +| 'The remote server name couldn't be resolved' error message | Verify the Rapid7 endpoint. Learn more about how to determine your Rapid7 API endpoint [here](https://docs.rapid7.com/insight/api-overview/#endpoint). | | **Error code 401**: Authorization failure | An authorization failure indicates that credentials might not be correct, or there might not be sufficient permissions to access the Rapid7 data. Check your API key and verify that it's valid, and that the account isn't locked. In some cases, we have found that using an organization key works more successfully than generating a user key.
Try testing the connection with an organization key. You can test your credentials by running the following commands:
`curl -l --request POST --location 'https://\.api.insight.rapid7.com/vm/v4/integration/assets?size=2&includeSame=true' --header 'X-API-Key:\' --header 'Content-Type: application/json' –header ‘Accept: application/json’`
`curl -l --request POST --location 'https://\.api.insight.rapid7.com/vm/v4/integration/vulnerabilities?size=2’ --header 'X-API-Key:\' --header 'Content-Type: application/json' –header ‘Accept: application/json’`
If these fail and describe the error, refer to the Rapid7 documentation to mitigate. | | **Error code 403:** Access forbidden error | This error indicates that the provided credentials lack the necessary permissions to run the requested APIs. Ensure that your API key is generated with a user that has sufficient permissions to access the Rapid7 data. | -| **Error code 404:** Not found error | This error indicates that the requested endpoint wasn't found to be reachable. Verify that your Rapid7 endpoint is correct. Learn more about how to determine your Rapid7 API endpoint [here](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.rapid7.com%2Finsight%2Fapi-overview%23endpoint&data=05\|02\|dlanger@microsoft.com\|16df3effc63244b6236808dcfe9c61d1\|72f988bf86f141af91ab2d7cd011db47\|1\|0\|638665194889196555\|Unknown\|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D\|0\|\|\|&sdata=2aWPJYDlYwjkR6RFf3hrzT0daw%2BmFGE53W4rLf3zpY8%3D&reserved=0). | +| **Error code 404:** Not found error | This error indicates that the requested endpoint wasn't found to be reachable. Verify that your Rapid7 endpoint is correct. Learn more about how to determine your Rapid7 API endpoint [here](https://docs.rapid7.com/insight/api-overview/#endpoint). | | 'Temporary connectivity issues' error message | Check the configuration details (endpoint URL and API Key) and make sure they're valid. Review the Rapid7 the [configuration section](#rapid7-configuration) for details. | | Not seeing my assets or the vulnerabilities reported by Rapid7 in the ingested data | See [Retrieved data](#retrieved-data) for a description of the expected data to be retrieved by the Rapid7 connector. If there's still missing data, contact Support. 
| | Rapid7 allowed IPs need to be configured to enable Exposure Management connectors to access Rapid7 | Read how to add the set of IPs to add to your allowlist here: [Allowlist IP addresses](configure-data-connectors.md#allowlist-ip-addresses). | diff --git a/exposure-management/TOC.yml b/exposure-management/TOC.yml index 38b7208b18..01a03c2340 100644 --- a/exposure-management/TOC.yml +++ b/exposure-management/TOC.yml @@ -1,4 +1,4 @@ -- name: Microsoft Security Exposure Management (preview) +- name: Microsoft Security Exposure Management href: index.yml expanded: true items: diff --git a/exposure-management/Tenable-data-connector.md b/exposure-management/Tenable-data-connector.md index 031abf39f5..7259756ff0 100644 --- a/exposure-management/Tenable-data-connector.md +++ b/exposure-management/Tenable-data-connector.md @@ -31,7 +31,7 @@ Instructions for generating API keys for Tenable Vulnerability Management can be ### For more information -To understand the Tenable API authorization model, see: [Authorization (tenable.com)](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper.tenable.com%2Fdocs%2Fauthorization&data=05|02|dlanger@microsoft.com|2f15f56aca59477d800108dcfdb761d8|72f988bf86f141af91ab2d7cd011db47|1|0|638664211268030543|Unknown|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D|0|||&sdata=HMJD9P0Nqfot0ghZx9ZC7mmremd58oPuuKkVqGDmf1A%3D&reserved=0) +To understand the Tenable API authorization model, see: [Authorization (tenable.com)](https://developer.tenable.com/docs/authorization) ## Establish Tenable connection in Exposure Management 
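Review bot: the 401 row of the Rapid7 hunk still carries two curl commands that can't be pasted: they use an en dash and curly quotes in `–header ‘Accept: application/json’` and in `?size=2’`, and the placeholders `https://\.api.insight.rapid7.com` and `X-API-Key:\` read as escaped characters rather than values to fill in. Suggest ASCII `--header 'Accept: application/json'` throughout and explicit placeholders such as `https://<region>.api.insight.rapid7.com` and `X-API-Key: <api-key>`. Also, `-l` is curl's FTP list-only option and does nothing for an HTTPS request; check whether `-i` or `-L` was intended. Since the key is passed on the command line, the row could add that it should be read from a file or environment variable rather than typed inline.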
@@ -57,7 +57,7 @@ The vulnerability data retrieved for Tenable is applicable to CVEs only, and not > [!NOTE] > -> To retrieve the data on criticality of your Tenable assets (Tenable [Asset Criticality Rating](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.tenable.com%2Fvulnerability-management%2FContent%2FLumin%2FLuminMetrics.htm%23ACR&data=05|02|dlanger@microsoft.com|2f15f56aca59477d800108dcfdb761d8|72f988bf86f141af91ab2d7cd011db47|1|0|638664211268041890|Unknown|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D|0|||&sdata=vvsho76yIUdOqtQjjHLFvz8wyZ%2BD5Z694b6USengAso%3D&reserved=0)), you must have a [Tenable Lumin license](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.tenable.com%2Fvulnerability-management%2FContent%2FLumin%2FLuminGetStarted.htm&data=05|02|dlanger@microsoft.com|2f15f56aca59477d800108dcfdb761d8|72f988bf86f141af91ab2d7cd011db47|1|0|638664211268053146|Unknown|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D|0|||&sdata=Jn%2FcNYVEFw4RdsRkHK4hF6f9%2FR9NPiSf9GQxAaz8zFQ%3D&reserved=0) with Tenable. Criticality on devices is used by Exposure Management to discover attack paths to the most critical devices in your environment. +> To retrieve the data on criticality of your Tenable assets (Tenable [Asset Criticality Rating](https://developer.tenable.com/docs/lumin-tio)), you must have a [Tenable Lumin license](https://docs.tenable.com/vulnerability-management/Content/Lumin/Lumin.htm?_gl=1*129gx63*_ga*OTMzMjE4NDQ4LjE3MzE5MzcxOTM.*_ga_HSJ1XWV6ND*MTczMTkzNzE5Mi4xLjEuMTczMTkzNzMyMS41OS4wLjEyNDQzNzMzOTc.) with Tenable. Criticality on devices is used by Exposure Management to discover attack paths to the most critical devices in your environment. ## Troubleshooting the connector 
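Review bot: the new Tenable Lumin license link still carries a Google Analytics cross-domain token (`?_gl=1*129gx63*_ga*...`), the same kind of tracking residue this change removes from the safelinks URLs; trim it to `https://docs.tenable.com/vulnerability-management/Content/Lumin/Lumin.htm`. Also confirm that the Asset Criticality Rating link's new target, `https://developer.tenable.com/docs/lumin-tio`, actually documents ACR, since the old target was the product docs page with the `#ACR` anchor.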
diff --git a/exposure-management/classify-critical-assets.md b/exposure-management/classify-critical-assets.md index 73b266ff9d..8c9b67f6b4 100644 --- a/exposure-management/classify-critical-assets.md +++ b/exposure-management/classify-critical-assets.md @@ -6,17 +6,13 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 08/20/2024 +ms.date: 11/04/2024 --- # Review and classify critical assets [Microsoft Security Exposure Management](microsoft-security-exposure-management.md) helps keep your business critical assets secure and available. This article describes how to work with critical assets. -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes//prerelease.md)] - ## Prerequisites - Before you start, learn about [critical asset management](critical-asset-management.md) in Security Exposure Management. diff --git a/exposure-management/compare-secure-score-security-exposure-management.md b/exposure-management/compare-secure-score-security-exposure-management.md index 9a890e5668..34ba99f095 100644 --- a/exposure-management/compare-secure-score-security-exposure-management.md +++ b/exposure-management/compare-secure-score-security-exposure-management.md @@ -6,17 +6,13 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 08/20/2024 +ms.date: 11/04/2024 --- # Compare Microsoft Security Exposure Management with secure score This article discusses the differences between Microsoft [Secure Score](/defender-xdr/microsoft-secure-score) and [Microsoft Security Exposure Management](microsoft-security-exposure-management.md). -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes//prerelease.md)] - ## Comparison **Area** | **Security Exposure Management** | **Secure Score** 
diff --git a/exposure-management/critical-asset-management.md b/exposure-management/critical-asset-management.md index 216f4a7a3b..a660081a8e 100644 --- a/exposure-management/critical-asset-management.md +++ b/exposure-management/critical-asset-management.md @@ -6,7 +6,7 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 08/20/2024 +ms.date: 11/04/2024 --- # Overview of critical asset management @@ -16,10 +16,6 @@ In [Microsoft Security Exposure Management](microsoft-security-exposure-manageme - Identifying critical assets helps ensure that the most important assets in your organization are protected against risk of data breaches and operational disruptions. Critical asset identification contributes to availability and business continuity. - You can prioritize security investigations, posture recommendations, and remediation steps to focus on critical assets first. -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes//prerelease.md)] - ## Predefined classifications Security Exposure Management provides an out-of-the-box catalog of predefined critical asset classifications for assets that include devices, identities, and cloud resources. Predefined classifications include: diff --git a/exposure-management/cross-workload-attack-surfaces.md b/exposure-management/cross-workload-attack-surfaces.md index c20a7a8df7..71e12f9787 100644 --- a/exposure-management/cross-workload-attack-surfaces.md +++ b/exposure-management/cross-workload-attack-surfaces.md 
@@ -6,17 +6,13 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 08/20/2024 +ms.date: 11/04/2024 --- # Overview of attack surface management [Microsoft Security Exposure Management](microsoft-security-exposure-management.md) helps you to visualize, analyze, and remediate cross-workload attack surfaces. -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes//prerelease.md)] - ## Enterprise exposure graph The enterprise exposure graph is the central tool for exploring and managing attack surfaces. The graph gathers information about assets, users, workloads, and more, from across your enterprise to provide a unified, comprehensive view of your organizational security posture. diff --git a/exposure-management/enterprise-exposure-map.md b/exposure-management/enterprise-exposure-map.md index c8ff8f3db9..9eae82f1a8 100644 --- a/exposure-management/enterprise-exposure-map.md +++ b/exposure-management/enterprise-exposure-map.md @@ -6,17 +6,14 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 11/13/2024 +ms.date: 11/18/2024 + --- # Explore with the attack surface map To visualize exposure data, use the attack surface map in [Microsoft Security Exposure Management](microsoft-security-exposure-management.md), together with the enterprise exposure graph schema. -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes//prerelease.md)] - ## Prerequisites - [Read about](cross-workload-attack-surfaces.md) attack surface management. diff --git a/exposure-management/exposure-insights-overview.md b/exposure-management/exposure-insights-overview.md index acedc50ef9..43f544fd61 100644 --- a/exposure-management/exposure-insights-overview.md +++ b/exposure-management/exposure-insights-overview.md 
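Review bot: the enterprise-exposure-map.md hunk adds an empty `+` line between `ms.date: 11/18/2024` and the closing `---` of the front matter; it is harmless YAML but inconsistent with every other file in this change, so drop the blank line.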
@@ -13,10 +13,6 @@ ms.date: 11/04/2024 Exposure insights in [Microsoft Security Exposure Management](microsoft-security-exposure-management.md) continuously aggregate security posture data and insights across workloads and resources, into a single pipeline. -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes//prerelease.md)] - ## Exposure insights Exposure insights provide rich context around the security posture state of your asset inventory. @@ -38,7 +34,7 @@ Security initiatives provide a simple way to assess security readiness for a spe Security Exposure Management provides initiatives that currently include: - **Workload initiatives**: Assess and manage the risk associated with specific workload domains, such as security for endpoints, identity resources, and cloud assets. -- **Horizontal threat initiatives**: Assess and manage risk for specific threat areas, such as ransomware protection, or financial fraud. +- **Horizontal threat initiatives**: Assess and manage risk for specific threat areas, such as ransomware protection, or business email compromise - financial fraud. - **Threat analytics initiatives**: Assess threat risk with initiatives that are based on up-to-date research from Microsoft threat analytics. Microsoft threat analytics is a set of reports from expert Microsoft security researchers that provide information about real and relevant threats. These threat initiatives focus on: - Threat actors and threat vectors. diff --git a/exposure-management/get-started-exposure-management.md b/exposure-management/get-started-exposure-management.md index 99c896019a..9780e564a7 100644 --- a/exposure-management/get-started-exposure-management.md +++ b/exposure-management/get-started-exposure-management.md 
@@ -6,17 +6,13 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 06/24/2024 +ms.date: 11/04/2024 --- # Start using Microsoft Security Exposure Management This article describes how to start working with the [Microsoft Security Exposure Management](microsoft-security-exposure-management.md) dashboard. -Security Exposure Management is currently in public preview. Initially, your data uses default settings in Security Exposure Management. - -[!INCLUDE [prerelease](../includes//prerelease.md)] - ## Reviewing security exposure state On the Exposure Management > **Overview** dashboard, you can review the overall state of your organizational security exposure. diff --git a/exposure-management/index.yml b/exposure-management/index.yml index 9fbcc2fca2..04fb0a2841 100644 --- a/exposure-management/index.yml +++ b/exposure-management/index.yml @@ -41,6 +41,8 @@ landingContent: url: get-started-exposure-management.md - text: Review prerequisites url: prerequisites.md + - text: Import data from external data connectors + url: overview-data-connectors.md # Card diff --git a/exposure-management/initiatives-list.md b/exposure-management/initiatives-list.md index 4823100d35..c2c4c59adb 100644 --- a/exposure-management/initiatives-list.md +++ b/exposure-management/initiatives-list.md 
@@ -39,6 +39,8 @@ Monitor the coverage and configuration of physical and virtual workstations, ser IoT devices are often connected to endpoints, to one another or to the internet, which means they're potential targets for cyber attacks. It's imperative for businesses to monitor the security of their IoT devices, including their spread, configuration, connectivity, exposure, and behavior. This initiative provides overall visibility into the risk introduced by IoT devices in the enterprise and the resilience the organization has to mitigate it. +[Learn more here.](/defender-for-iot/review-security-initiatives) + ## External Attack Surface Protection Microsoft Defender External Attack Surface Management (Defender EASM) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. This visibility enables security and IT teams to identify unknowns, prioritize risk, eliminate threats, and extend vulnerability and exposure control beyond the firewall. Attack Surface Insights are generated by leveraging vulnerability and infrastructure data to showcase the key areas of concern for your organization. This initiative requires no license and is complementary. 
@@ -53,6 +55,8 @@ Identity security is the practice of protecting the digital identities of indivi Monitors and safeguards Operational Technology (OT) environments within the organization by employing network layer monitoring. This initiative identifies devices across physical sites, pinpoints their risks, and ensures comprehensive protection and security management of OT systems. +[Learn more here.](/defender-for-iot/review-security-initiatives) + ## Ransomware Protection Ransomware attacks have become increasingly common in recent years, and they can have a devastating impact on organizations. Organizations can and should be proactive in managing a good security posture against ransomware. One of the first steps is to ensure that recommended controls are in place and are utilized and configured properly, hence reducing the risk of a successful ransomware attack making way into corporate networks and assets. diff --git a/exposure-management/initiatives.md b/exposure-management/initiatives.md index 3cc289f873..51b60c6136 100644 --- a/exposure-management/initiatives.md +++ b/exposure-management/initiatives.md @@ -6,17 +6,13 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 08/20/2024 +ms.date: 11/04/2024 --- # Review security initiatives [Microsoft Security Exposure Management](microsoft-security-exposure-management.md) offers a focused, metric-driven way of tracking exposure in specific security areas using security initiatives. This article describes how to work with initiatives. -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes//prerelease.md)] - ## Prerequisites - Learn about [initiatives](exposure-insights-overview.md#security-initiatives) before you start. 
diff --git a/exposure-management/media/get-started-exposure-management/exposure-management-overview.png b/exposure-management/media/get-started-exposure-management/exposure-management-overview.png index 9cf3cec111..3a19dce20e 100644 Binary files a/exposure-management/media/get-started-exposure-management/exposure-management-overview.png and b/exposure-management/media/get-started-exposure-management/exposure-management-overview.png differ diff --git a/exposure-management/microsoft-security-exposure-management.md b/exposure-management/microsoft-security-exposure-management.md index 25186782d1..df54267b52 100644 --- a/exposure-management/microsoft-security-exposure-management.md +++ b/exposure-management/microsoft-security-exposure-management.md @@ -6,7 +6,7 @@ ms.author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 08/20/2024 +ms.date: 11/04/2024 --- @@ -14,10 +14,6 @@ ms.date: 08/20/2024 Microsoft Security Exposure Management is a security solution that provides a unified view of security posture across company assets and workloads. Security Exposure Management enriches asset information with security context that helps you to proactively manage attack surfaces, protect critical assets, and explore and mitigate exposure risk. -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes//prerelease.md)] - > [!NOTE] > Microsoft Security Exposure Management data and capabilities are currently unavailable in U.S Government clouds - GCC, GCC High and DoD. 
@@ -79,7 +75,7 @@ For more information on data connectors, see [Data connectors overview](overview ## How do I buy Microsoft Security Exposure Management? -Exposure Management is available in the Microsoft Defender portal at [https://security.microsoft.com](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity.microsoft.com%2F&data=05|02|dlanger@microsoft.com|535bfb9f198d4313d96108dd05e1a9d4|72f988bf86f141af91ab2d7cd011db47|1|0|638673189066169502|Unknown|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D|0|||&sdata=vOA7%2FeI4WU4tRMWSPiHTs4jrZX8%2B%2FN70wheiTBFPSDk%3D&reserved=0) +Exposure Management is available in the Microsoft Defender portal at [https://security.microsoft.com](https://security.microsoft.com) Access to the exposure management blade and features in the Microsoft Defender portal is available with any of these licenses: @@ -96,7 +92,7 @@ Access to the exposure management blade and features in the Microsoft Defender p Integration of data from the above tools and other Microsoft Security tools like Microsoft Defender for Cloud, Microsoft Defender Cloud Security Posture Management and Microsoft Defender External Attack Surface Management is available with those licenses. -Integration of non-Microsoft security tools will be a consumption-based cost based on number of assets in the connected security tool. The external connectors are in public preview with plan to be generally available (GA) end of Q1 2025. Pricing will be announced before billing of external connectors starts at GA. +Integration of non-Microsoft security tools will be a consumption-based cost based on number of assets in the connected security tool. The external connectors are free during public preview, and pricing will be announced before starting to bill for external connectors at GA. ### Data freshness, retention, and related functionality 
@@ -104,7 +100,7 @@ We currently ingest and process supported data from first-party Microsoft produc Microsoft product data is retained for no less than 14 days in the enterprise exposure graph and/or Microsoft Security Exposure Management. Only the latest data snapshot received from Microsoft products is retained; we do not store historical data. -Some enterprise exposure graph and/or Microsoft Security Exposure Management experiences data is available for querying via Advanced Hunting and is subject to [Advanced Hunting service limitations](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fdefender-xdr%2Fadvanced-hunting-limits&data=05|02|dlanger@microsoft.com|2eeaacf0c0f2494a51a308dd06ea1a99|72f988bf86f141af91ab2d7cd011db47|1|0|638674324732464247|Unknown|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D|0|||&sdata=cPz7p6NX%2BvUWkVwR4Wx0%2F5pJ0wbP6h8ZXsFSa4JrLxA%3D&reserved=0). +Some enterprise exposure graph and/or Microsoft Security Exposure Management experiences data is available for querying via Advanced Hunting and is subject to Advanced Hunting service limitations. We reserve the right to modify some or all of these parameters in the future, including: diff --git a/exposure-management/prerequisites.md b/exposure-management/prerequisites.md index 270ea993bd..ea397fd521 100644 --- a/exposure-management/prerequisites.md +++ b/exposure-management/prerequisites.md @@ -6,17 +6,14 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 11/11/2024 +ms.date: 11/18/2024 + --- # Prerequisites and support This article describes the requirements and prerequisites for using Microsoft Security Exposure Management. -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes/prerelease.md)] - ## Permissions > [!IMPORTANT] 
diff --git a/exposure-management/query-enterprise-exposure-graph.md b/exposure-management/query-enterprise-exposure-graph.md index 18a912ed38..c2a23cabca 100644 --- a/exposure-management/query-enterprise-exposure-graph.md +++ b/exposure-management/query-enterprise-exposure-graph.md @@ -6,7 +6,7 @@ ms.author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 08/20/2024 +ms.date: 11/04/2024 --- # Query the enterprise exposure graph @@ -15,10 +15,6 @@ Use the enterprise exposure graph in [Microsoft Security Exposure Management](mi This article provides some examples, tips, and hints for constructing queries in the enterprise exposure graph. -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes//prerelease.md)] - ## Prerequisites - [Read about](cross-workload-attack-surfaces.md) attack surface management. diff --git a/exposure-management/review-attack-paths.md b/exposure-management/review-attack-paths.md index 039dec8c26..866b9cc4f3 100644 --- a/exposure-management/review-attack-paths.md +++ b/exposure-management/review-attack-paths.md @@ -6,17 +6,13 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 08/20/2024 +ms.date: 11/04/2024 --- # Review attack paths Attack paths in [Microsoft Security Exposure Management](microsoft-security-exposure-management.md) help you to proactively identify and visualize potential routes that attackers can exploit using vulnerabilities, gaps, and misconfigurations. Simulated attack paths allow you to proactively investigate and remediate potential threats. -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes/prerelease.md)] - ## Prerequisites - [Read about attack paths](work-attack-paths-overview.md) before you start. diff --git a/exposure-management/schemas-operators.md b/exposure-management/schemas-operators.md index 9c221684fe..3c57463197 100644 
--- a/exposure-management/schemas-operators.md +++ b/exposure-management/schemas-operators.md @@ -6,17 +6,13 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 08/20/2024 +ms.date: 11/04/2024 --- # Schemas and operators overview [Enterprise exposure graph schemas](cross-workload-attack-surfaces.md#enterprise-exposure-graph-schemas) in Microsoft Security Exposure Management provide attack surface information, to help you understand how potential threats might reach, and compromise, valuable assets. This article summarizes the exposure graph schema tables and operators. -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes//prerelease.md)] - ## Schema tables The exposure graph relies on the following tables: diff --git a/exposure-management/security-events.md b/exposure-management/security-events.md index 5e9bc8baec..7ce16ea4b4 100644 --- a/exposure-management/security-events.md +++ b/exposure-management/security-events.md @@ -6,17 +6,13 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 08/20/2024 +ms.date: 11/04/2024 --- # Explore security events Security events in [Microsoft Security Exposure Management](microsoft-security-exposure-management.md) track initiative and metric score drop incidents in order to determine how they affect organizational security posture. -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes//prerelease.md)] - ## Prerequisites [Learn about](exposure-insights-overview.md#reviewing-events) security events. diff --git a/exposure-management/security-metrics.md b/exposure-management/security-metrics.md index 9f13d01a49..fe11cf2d6f 100644 --- a/exposure-management/security-metrics.md +++ b/exposure-management/security-metrics.md 
@@ -6,7 +6,8 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 11/13/2024 +ms.date: 11/18/2024 + --- # Investigate security initiative metrics diff --git a/exposure-management/security-recommendations.md b/exposure-management/security-recommendations.md index d5cc053b6b..53fbb3be11 100644 --- a/exposure-management/security-recommendations.md +++ b/exposure-management/security-recommendations.md @@ -6,17 +6,13 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 08/20/2024 +ms.date: 11/04/2024 --- # Review security recommendations This article describes how to work with security recommendations in [Microsoft Security Exposure Management](microsoft-security-exposure-management.md). -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes//prerelease.md)] - ## Prerequisites - Learn about the [recommendations catalog](exposure-insights-overview.md#working-with-recommendations) before you start. diff --git a/exposure-management/whats-new.md b/exposure-management/whats-new.md index e053162b6d..b0e5531eef 100644 --- a/exposure-management/whats-new.md +++ b/exposure-management/whats-new.md @@ -6,7 +6,8 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 11/12/2024 +ms.date: 11/18/2024 + --- # What's new in Microsoft Security Exposure Management? @@ -18,8 +19,6 @@ This page is updated frequently with the latest updates in Microsoft Security Ex Learn more about MSEM by reading the blogs, [here](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/bg-p/MicrosoftSecurityandCompliance). -Security Exposure Management is currently in public preview. - > [!TIP] > Get notified when this page is updated by copying and pasting the following URL into your feed reader: 
> @@ -27,6 +26,35 @@ Security Exposure Management is currently in public preview. ## November 2024 +### Announcing the General Availability of Microsoft Security Exposure Management + +We are excited to announce the general availability of Microsoft Security Exposure Management. This powerful tool helps organizations focus on their most critical exposures and act swiftly. By integrating security insights across the entire digital estate, it provides a comprehensive view of risk posture, enabling faster, more informed decisions to reduce exposure before attackers can exploit it. + +With this GA release, you can now build and enhance a Continuous Threat Exposure Management (CTEM) program, continuously identifying, prioritizing, and mitigating risks across your digital landscape. + +### Attack path enhancements + +##### **Hybrid attack paths: On-Prem to Cloud** + +We now support the discovery and visualization of hybrid attack paths that originate from on-premises environments and traverse into cloud infrastructures. We have introduced a new **Type column** for the attack paths to display the support for hybrid paths that transition between +on-premises and cloud environments, or vice versa. This feature equips security teams to: + +- **Identify cross-environment attack vectors:** See how vulnerabilities in on-prem environments can be leveraged to target assets in the cloud. +- **Prioritize remediation effectively:** Gain clarity on the potential risks to critical cloud assets stemming from your hybrid infrastructure. +- **Enhance hybrid defense strategies:** Use these insights to strengthen both on-prem and cloud security postures. + +This capability bridges a critical gap in securing hybrid environments by offering end-to-end visibility into interconnected attack paths. 
+ +##### **DACL-based path analysis** + +Our attack path calculations now include support for **Discretionary Access Control Lists (DACLs)**, providing a more accurate representation of potential attack paths by incorporating group-based permissions. This enhancement enables defenders to: + +- Make more informed decisions when addressing risks related to permission structures. +- View risks in the environment the same way attackers do +- Identify low hanging fruit chokepoints that significantly expose the environment to risk + +For more information, see, [Review attack paths](review-attack-paths.md) + ### External data connectors We have introduced new external data connectors to enhance data integration capabilities, allowing seamless ingestion of security data from other security vendors. Data collected through these connectors is normalized within our exposure graph, enhancing your device inventory, mapping relationships, and revealing new attack paths for comprehensive attack surface visibility. These connectors help you to consolidate security posture data from various sources, providing a comprehensive view of your security posture. diff --git a/exposure-management/work-attack-paths-overview.md b/exposure-management/work-attack-paths-overview.md index 4025f1c635..13eb689428 100644 --- a/exposure-management/work-attack-paths-overview.md +++ b/exposure-management/work-attack-paths-overview.md @@ -6,7 +6,8 @@ author: dlanger manager: rayne-wiselman ms.topic: overview ms.service: exposure-management -ms.date: 11/13/2024 +ms.date: 11/18/2024 + --- # Overview of attack paths 
@@ -16,10 +17,6 @@ Microsoft Security Exposure Management helps you to manage your company attack s > [!NOTE] > The value of attack paths increases based on the data used as a source. If no data is available or the data doesn't reflect your organization's environment, attack paths might not appear. Attack paths might not be fully representative if you don't have licenses defined for workloads integrated and represented in the attack path or if you haven't fully defined critical assets. -Security Exposure Management is currently in public preview. - -[!INCLUDE [prerelease](../includes/prerelease.md)] - ## Attack path dashboard The attack path dashboard provides a high-level view of the attack paths in your organization. It shows the number of attack paths, the number of choke points, and the number of critical assets. You can use this information to understand the security posture of your organization and to prioritize your security efforts. From the dashboard, you can drill down into the details of the attack paths, choke points, and critical assets. diff --git a/includes/mdo-trial-banner.md b/includes/mdo-trial-banner.md index 3cb9f1c48e..a43ddb356c 100644 --- a/includes/mdo-trial-banner.md +++ b/includes/mdo-trial-banner.md 
@@ -12,4 +12,4 @@ search.appverid: met150 --- > [!TIP] -> *Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free?* Use the 90-day Defender for Office 365 trial at the [Microsoft Defender portal trials hub](https://security.microsoft.com/trialHorizontalHub?sku=MDO&ref=DocsRef). Learn about who can sign up and trial terms on [Try Microsoft Defender for Office 365](/defender-office-365/try-microsoft-defender-for-office-365). +> *Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free?* Use the 90-day Defender for Office 365 trial at the [Microsoft Defender portal trials hub](https://security.microsoft.com/trialHorizontalHub?sku=MDO&ref=DocsRef). Learn about who can sign up and trial terms on [Try Microsoft Defender for Office 365](/defender-office-365/try-microsoft-defender-for-office-365). diff --git a/includes/unified-soc-preview-no-alert.md b/includes/unified-soc-preview-no-alert.md index adcbc2765d..674d78ec3f 100644 --- a/includes/unified-soc-preview-no-alert.md +++ b/includes/unified-soc-preview-no-alert.md @@ -1,7 +1,7 @@ --- title: "include file" description: "include file" -ms.date: 07/10/2024 +ms.date: 10/16/2024 manager: dansimp ms.author: cwatson author: cwatson-cat @@ -10,4 +10,4 @@ ms.topic: include ms.custom: "include file" --- -Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690). +Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690). 
diff --git a/includes/unified-soc-preview.md b/includes/unified-soc-preview.md index 84efe59130..bd2ee003a6 100644 --- a/includes/unified-soc-preview.md +++ b/includes/unified-soc-preview.md @@ -1,7 +1,7 @@ --- title: "include file" description: "include file" -ms.date: 07/10/2024 +ms.date: 10/16/2024 manager: dansimp ms.author: cwatson author: cwatson-cat @@ -11,4 +11,4 @@ ms.custom: "include file" --- > [!IMPORTANT] -> Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690). +> Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690). diff --git a/unified-secops-platform/TOC.yml b/unified-secops-platform/TOC.yml index cd55dd3dd2..59c1baec20 100644 --- a/unified-secops-platform/TOC.yml +++ b/unified-secops-platform/TOC.yml 
@@ -1,200 +1,113 @@ -- name: Microsoft's unified security operations platform +- name: "Microsoft's unified SecOps platform" href: index.yml expanded: true items: - name: Overview items: - - name: What is Microsoft's unified security operations platform? + - name: What is Microsoft's unified SecOps platform? href: overview-unified-security.md - name: What's new - href: /defender-xdr/unified-soc-platform/whats-new.md - - name: Defender portal service integration + href: whats-new.md + - name: Service integration items: - name: Overview href: overview-defender-portal.md - - name: Defender XDR - href: /defender-xdr/microsoft-365-defender - - name: Security Exposure Management - href: /security-exposure-management/get-started-exposure-management - - name: Microsoft Copilot for Security in the Defender portal - href: /defender-xdr/security-copilot-in-microsoft-365-defender - - name: Plan ## Leverage existing zero trust articles? One article for USX all up planning (like guide that links out). - items: - - name: Zero trust security ## Discuss principles around Zero Trust security, link to the Zero Trust doc set as needed. 
+ - name: Microsoft Defender XDR + href: defender-xdr-portal.md + - name: Microsoft Sentinel items: - - name: Microsoft Sentinel and Microsoft Defender XDR - href: /security/operations/siem-xdr-overview - - name: Microsoft Defender XDR - href: /defender-xdr/zero-trust-with-microsoft-365-defender - - name: Microsoft Defender for Cloud - href: /azure/defender-for-cloud/zero-trust - - name: Microsoft Defender for Cloud Apps - href: /defender-cloud-apps/zero-trust - - name: Microsoft Defender for Identity - href: /defender-for-identity/zero-trust - - name: Microsoft Defender for IoT - href: /azure/defender-for-iot/organizations/concept-zero-trust - - name: Plan for unified security operations ## NEW article that covers specific to USX all up and link out to service topics - href: /defender-xdr/prerequisites ## PLACEHOLDER LINK - - name: Deploy ## Need new high level article. Put post deployment links at the end of article. Single article outlining deployment steps for Defender portal services. Point to services for more details. NEW article title: Deploy the Microsoft unified security operations - Items: - - name: Connect Microsoft Sentinel to Microsoft Defender - href: /defender-xdr/microsoft-sentinel-onboard - - name: Prevent attacks ## (Pre-breach) - Renamed from reduce risks. 
one article that summarizes how to do that with USX + - name: Integration overview + href: /azure/sentinel/microsoft-365-defender-sentinel-integration?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json&tabs=defender-portal + - name: Experience in the Defender portal + href: /azure/sentinel/microsoft-sentinel-defender-portal?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - name: Microsoft Copilot + href: /defender-xdr/security-copilot-in-microsoft-365-defender?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - name: Microsoft Security Exposure Management + href: /security-exposure-management/microsoft-security-exposure-management?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - name: Microsoft Defender for Cloud + href: /defender-xdr/microsoft-365-security-center-defender-cloud?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - name: Microsoft Defender for IoT + href: /defender-for-iot/microsoft-defender-iot?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - name: Plan items: - - name: Overview ## NEW Single article or perhaps a couple of articles that summarize our pre-breach protection philosophy, with links to relevant service articles. The article should align with the info about preventing attacks that;s in the datasheet. "Through a single portal, continuously monitor your digital environment, assess risk, and implement posture improvements using security controls across all platforms, cloud, and hybrid infrastructure". - href: /azure/sentinel/sap/deployment-attack-disrupt ## PLACEHOLDER LINK - - name: Microsoft Secure Score ## Write a single article or two that condenses all the info in the Protect against threats/Microsoft Secure Score section. Or because this is going away, we just link in all the articles? 
Or put them in reference? - items: - - name: Overview - href: /defender-xdr/microsoft-secure-score.md - - name: What's new - href: /defender-xdr/microsoft-secure-score-whats-new.md - - name: Assess your security posture - href: /defender-xdr/microsoft-secure-score-improvement-actions.md - - name: Track your score history and meet goals - href: /defender-xdr/microsoft-secure-score-history-metrics-trends.md - - name: Data storage and privacy - href: /defender-xdr/secure-score-data-storage-privacy.md - - name: Detect threats ## Have each writer provide article and then we summarize in one article. Our outline and scope should align to datasheet: "Get visiblity into, and disrupt attacks in real time across identities, endpoints, email, cloud apps, data in hybrid and multicloud environments" - href: /azure/sentinel/threat-detection ## PLACEHOLDER LINK - - name: Hunt for threats ## Seperating this out because per PM hunting might happen in different scenarios. Also wanting it higher level as advanced hunting is one of the things highlighted for USX. + - name: Plan your deployment + href: overview-plan.md + displayName: plan, zero trust + - name: US Government customers + href: gov-support.md + - name: Deploy items: - name: Overview - href: /defender-xdr/advanced-hunting-overview ## PLACEHOLDER - Need overview article about the hunting features across services. 
Advanced hunting, custom detections, hunts in Sentinel - - name: Search with advanced hunting - items: - - name: Overview - href: /defender-xdr/advanced-hunting-overview - - name: Advanced hunting in the Microsoft Defender portal - href: /defender-xdr/advanced-hunting-microsoft-defender - - name: Guided and advanced modes - href: /defender-xdr/advanced-hunting-modes - - name: Generate KQL queries with Security Copilot - href: /defender-xdr/advanced-hunting-security-copilot - - name: Build hunting queries using guided mode - href: /defender-xdr/advanced-hunting-query-builder - - name: Work with query results - href: /defender-xdr/advanced-hunting-query-results - - name: Take action on query results - href: /defender-xdr/advanced-hunting-take-action - - name: Hunt for ransomware - href: /defender-xdr/advanced-hunting-find-ransomware - - name: Learn the query language - href: /defender-xdr/advanced-hunting-query-language - - name: Get expert training - href: /defender-xdr/advanced-hunting-expert-training - - name: Use shared queries - href: /defender-xdr/advanced-hunting-shared-queries - - name: Investigate incidents ## could be incidents, threats, posture findings. Need an overview article for USX. Current overviews (XDR/Sentinel) don't appear to be updated for USX. + href: overview-deploy.md + - name: Connect Microsoft Sentinel to Microsoft Defender + href: /defender-xdr/microsoft-sentinel-onboard?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - name: Reduce security risk + href: reduce-risk-overview.md + - name: Detect threats + href: detect-threats-overview.md + - name: Hunt for threats items: - - name: Overview - href: /defender-xdr/investigate-incidents ## Would need update to apply to USX. Per Dianne, this isn't XDR specific. 
- - name: Alerts, incidents, and correlation - href: /defender-xdr/alerts-incidents-correlation - - name: Manage incidents - href: /defender-xdr/manage-incidents - - name: Investigate alerts - href: /defender-xdr/investigate-alerts - - name: Investigate incidents in Copilot for Security ## This article is specific to Sentinel in the context of using outside of USX and with XDR in USX. We don't think it applies to Sentinel only but need to confirm with PM. Austin thought title w/o mentioning Sentinel is misleading. We might need to leave this out of TOC or as part of plan/deploy to integrate Sentinel w/ Copilot features. - href: /azure/sentinel/sentinel-security-copilot - - name: Investigate with Microsoft Copilot in Microsoft Defender ## Copied entire section from XDR TOC - items: - - name: Overview - href: /defender-xdr/security-copilot-in-microsoft-365-defender.md - - name: Summarize incidents - href: /defender-xdr/security-copilot-m365d-incident-summary.md - - name: Run script analysis - href: /defender-xdr/security-copilot-m365d-script-analysis.md - - name: Analyze files - href: /defender-xdr/copilot-in-defender-file-analysis.md - - name: Generate device summaries - href: /defender-xdr/copilot-in-defender-device-summary.md - - name: Use guided responses - href: /defender-xdr/security-copilot-m365d-guided-response.md - - name: Generate KQL queries - href: /defender-xdr/advanced-hunting-security-copilot.md - - name: Create incident reports - href: /defender-xdr/security-copilot-m365d-create-incident-report.md - - name: Investigate entities - items: - - name: Overview - href: /azure/sentinel/entity-pages?tabs=azure-portal - - name: User entity pages - href: /defender-xdr/investigate-users.md - - name: Device entity pages - href: /defender-xdr/entity-page-device.md - - name: IP entity pages - href: /defender-xdr/entity-page-ip.md - - name: Respond to threats + - name: Overview + href: hunting-overview.md + - name: Advanced hunting + href: 
/defender-xdr/advanced-hunting-overview?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - name: Investigate incidents items: - name: Overview - href: /defender-xdr/incidents-overview - - name: Prioritize incidents - href: /defender-xdr/incident-queue + href: /defender-xdr/incidents-overview?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json&tabs=defender-portal + - name: Correlation and merging + href: /defender-xdr/alerts-incidents-correlation?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json&tabs=defender-portal + - name: Investigate incidents in Copilot for Security + href: /azure/sentinel/sentinel-security-copilot?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - name: Investigate with Microsoft Copilot in Microsoft Defender + href: /defender-xdr/security-copilot-in-microsoft-365-defender?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - name: Respond to threats automatically + items: - name: Automatic attack disruption - items: - - name: Overview - href: /defender-xdr/automatic-attack-disruption - - name: Configure capabilities - href: /defender-xdr/configure-attack-disruption - - name: View results - href: /defender-xdr/autoad-results - - name: Review remediations in the action center - href: /defender-xdr/m365d-action-center + href: /defender-xdr/automatic-attack-disruption?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - name: Automation in Microsoft Sentinel (SOAR) + href: /azure/sentinel/automation?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - name: Automated investigation and response in Microsoft Defender XDR + href: /defender-xdr/m365d-autoir?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Optimize your security operations + href: 
/azure/sentinel/soc-optimization/soc-optimization-access?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - name: Manage your unified SOC items: - - name: Overview - href: /azure/sentinel/soc-optimization/soc-optimization-access?tabs=defender-portal - - name: Interact with recommendations programatically - href: /azure/sentinel/soc-optimization/soc-optimization-api - - name: SOC optimization reference - href: /azure/sentinel/soc-optimization/soc-optimization-reference - - name: Manage your unified SOC ## Need article w/ overview about settings? What else needs to go here? Several other things like permissions and costs would get referenced by planning guide. - items: - - name: Manage multiple tenants ## Work will start soon to integrate Sentinel into one or more of these articles. Copied in entire section from XDR library + - name: Manage multiple tenants items: - name: Overview - href: /defender-xdr/mto-overview + href: /defender-xdr/mto-overview?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Set up multi-tenant management - href: /defender-xdr/mto-requirements + href: /defender-xdr/mto-requirements?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Manage incidents and alerts - href: /defender-xdr/mto-incidents-alerts + href: /defender-xdr/mto-incidents-alerts?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Advanced hunting - href: /defender-xdr/mto-advanced-hunting.md + href: /defender-xdr/mto-advanced-hunting?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Multitenant devices - href: /defender-xdr/mto-tenant-devices.md + href: /defender-xdr/mto-tenant-devices?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Vulnerability management - href: /defender-xdr/mto-dashboard.md + href: 
/defender-xdr/mto-dashboard?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Manage tenants - href: /defender-xdr/mto-tenants.md + href: /defender-xdr/mto-tenants?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Manage endpoint security policies - href: /defender-xdr/mto-endpoint-security-policy.md + href: /defender-xdr/mto-endpoint-security-policy?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Manage content distribution with tenant groups - href: /defender-xdr/mto-tenantgroups.md + href: /defender-xdr/mto-tenantgroups?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Configure notifications items: - name: Get incident notifications - href: /defender-xdr/m365d-notifications-incidents + href: /defender-xdr/m365d-notifications-incidents?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Configure alert notifications - href: /defender-xdr/configure-email-notifications + href: /defender-xdr/configure-email-notifications?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Resources items: - name: Threat actor naming - href: /defender-xdr/microsoft-threat-actor-naming + href: /defender-xdr/microsoft-threat-actor-naming?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Identification of malware and unwanted apps - href: /defender-xdr/criteria + href: /defender-xdr/criteria?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Submit files for analysis - href: /defender-xdr/submission-guide + href: /defender-xdr/submission-guide?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Microsoft virus initiative - href: /defender-xdr/virus-initiative-criteria + href: 
/defender-xdr/virus-initiative-criteria?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Microsoft security portals - href: /defender-xdr/portals - - name: Operation guides - items: - - name: Incident response - items: - - name: Overview - href: incident-response-overview.md - - name: Incident response - href: incident-response-planning.md \ No newline at end of file + href: /defender-xdr/portals?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json diff --git a/unified-secops-platform/breadcrumb/toc.yml b/unified-secops-platform/breadcrumb/toc.yml new file mode 100644 index 0000000000..cb37a1e5e1 --- /dev/null +++ b/unified-secops-platform/breadcrumb/toc.yml @@ -0,0 +1,26 @@ +- name: "Microsoft Defender" + tocHref: /defender/ + topicHref: /defender/index + items: + - name: "Microsoft's unified SecOps platform" + tocHref: /unified-secops-platform/ + topicHref: /unified-secops-platform/index + - name: "Microsoft's unified SecOps platform" + tocHref: /security/zero-trust/ + topicHref: /unified-secops-platform/index + - name: "Microsoft's unified SecOps platform" + tocHref: /defender-for-identity/ + topicHref: /unified-secops-platform/index + - name: "Microsoft's unified SecOps platform" + tocHref: /defender-xdr/ + topicHref: /unified-secops-platform/index + +## Azure override +- name: "Microsoft Defender" + tocHref: /azure/ + topicHref: /defender/index + items: + - name: "Microsoft's unified SecOps platform" + tocHref: /azure/sentinel/ + topicHref: /unified-secops-platform/index + diff --git a/unified-secops-platform/breadcrumb/unified-secops-platform/toc.yml b/unified-secops-platform/breadcrumb/unified-secops-platform/toc.yml deleted file mode 100644 index b19191468d..0000000000 --- a/unified-secops-platform/breadcrumb/unified-secops-platform/toc.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -- name: "Microsoft Defender" - tocHref: /defender/ - topicHref: /defender/index - items: - - name: "Microsoft's unified security operations platform" - tocHref: /unified-secops-platform/ - topicHref: /unified-secops-platform/index - -## Azure override -- name: "Microsoft Defender" - tocHref: /azure/ - topicHref: /defender/index - items: - - name: "Microsoft's unified security operations platform" - tocHref: /azure/sentinel/ - topicHref: /unified-secops-platform/index - diff --git a/unified-secops-platform/defender-xdr-portal.md b/unified-secops-platform/defender-xdr-portal.md index ba13be2ccb..2e592a4940 100644 --- a/unified-secops-platform/defender-xdr-portal.md +++ b/unified-secops-platform/defender-xdr-portal.md 
@@ -1,79 +1,84 @@ --- title: Microsoft Defender XDR in the Defender portal -description: Learn about Microsoft Defender XDR in the Defender portal +description: Learn about the services and features available with Microsoft Defender XDR in the Microsoft Defender portal. search.appverid: met150 ms.service: unified-secops-platform ms.author: cwatson author: cwatson-cat ms.localizationpriority: medium -ms.date: 10/08/2024 +ms.date: 11/18/2024 audience: ITPro ms.collection: - M365-security-compliance - tier1 - usx-security -ms.topic: conceptual +ms.topic: concept-article + +# customer intent: As a security operations center leader, I want to learn about the services and features available with Defender XDR to help me determine whether it meets my organization's requirements. --- -# Defender XDR in the Defender portal +# Microsoft Defender XDR in the Defender portal + +Microsoft Defender XDR in the Microsoft unified SecOps platform unifies and coordinates threat protection across a broad range of assets, including devices and endpoints, identities, email, Microsoft 365 services, and SaaS apps. + +Defender XDR consolidates threat signals and data across assets, so that you can monitor and manage security threats from a single location in the [Microsoft Defender portal](https://security.microsoft.com). + + +Defender XDR combines multiple Microsoft security services. + +Service | Details +--- | --- +**[Protect against email threats with Defender for Office 365](/defender-office-365/mdo-sec-ops-guide)** | Helps protect email and Office 365 resources. +**[Protect devices with Defender for Endpoint](/defender-endpoint/mde-sec-ops-guide)** | Delivers preventative protection, post-breach detection, and automated investigation and response for devices. 
+**[Protect Active Directory with Defender for Identity](/defender-xdr/microsoft-365-security-center-mdi)** | Uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions. +**[Protect SaaS cloud apps with Defender for Cloud Apps](/defender-xdr/microsoft-365-security-center-defender-cloud-apps)** | Provides deep visibility, strong data controls, and enhanced threat protection for SaaS and PaaS cloud apps. +**[Protect against a broad range of threats with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration)** | Microsoft Sentinel seamlessly integrates with Defender XDR to combine the capabilities of both products into a unified security platform for threat detection, investigation, hunting, and response. + + +## Detecting threats -Microsoft's unified security platform combines services in the [Microsoft Defender portal](https://security.microsoft.com). In the Defender portal, you can monitor and manage pre-breach and post-breach security across your organization's on-premises and multicloud assets and workloads. +Defender XDR provides continuous threat monitoring. When threats are detected [security alerts](/defender-xdr/alerts-incidents-correlation) are created. Defender automatically aggregates related alerts and security signals into [security incidents](/defender-xdr/alerts-incidents-correlation#incident-creation-and-alert-correlation). -Defender XDR in the Defender portal combines protection, detection, investigation, and response to threats across your entire organization and all its components, in a central place. Defender XDR combines a number of Microsoft's security services into a single location. +Incidents define a complete picture of an attack. Incidents help SOC teams to understand attacks and respond more quickly. 
Incidents gather together related alerts, information about attack scope and progress, and the entities and assets involved in an attack. +A [single incident queue](/defender-xdr/incident-queue) in the Defender portal provides full visibility into the latest alerts and incidents, and historical data. You can search and query the incident queue, and prioritize responses based on severity. -**[Defender for Office 365](/defender-office-365/mdo-about)** | Helps secure organizations with a set of prevention, detection, investigation and hunting features to protect email, and Office 365 resources. -**[Defender for Endpoint](/defender-endpoint/)** | Delivers preventative protection, post-breach detection, automated investigation, and response for devices in the organization. -**[Defender for Identity](/defender-for-identity/what-is)** | Provides a cloud-based security solution that uses on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. -**[Defender for Cloud Apps](/cloud-app-security/)** | Provides a comprehensive cross-SaaS and PaaS solution that brings deep visibility, strong data controls, and enhanced threat protection to your cloud apps. +:::image type="content" source="media/defender-xdr-portal/incidents-page.png" alt-text="Screenshot of the Incidents page in the Microsoft Defender portal" lightbox="media/defender-xdr-portal/incidents-page.png"::: -> [!NOTE] -> When you open the portal, you see only the security services included in your subscriptions. For example, if you have Defender for Office 365 but not Defender for Endpoint, you see features and capabilities for Defender for Office 365, but not for device protection. 
+### Detecting lateral movement attacks -## Investigate incidents and alerts +Defender for XDR includes [deception capability](/defender-xdr/deception-overview) to detect human-operated lateral movement, which is often used in common attacks such as ransomware and email compromise. -Centralizing security information creates a single place to investigate security incidents across your entire organization and all its components including: +Deception capability generates decoy assets. When attackers interact with these assets, deception capability raises high-confidence alerts that can be viewed on the Alerts page in the portal. -- Hybrid identities -- Endpoints -- Cloud apps -- Business apps -- Email and docs -- IoT -- Network -- Business applications -- Operational technology (OT) -- Infrastructure and cloud workloads +## Automatically disrupting threats -A primary example is **Incidents** under **Incidents & alerts**. +Defender XDR uses [automatic attack disruption](/defender-xdr/automatic-attack-disruption) for containing attacks in progress, limiting attack impact, and providing more time for security teams to respond. -:::image type="content" source="/defender/media/incidents-queue/incidents-ss-incidents.png" alt-text="The Incidents page in the Microsoft Defender portal." lightbox="/defender/media/incidents-queue/incidents-ss-incidents.png"::: +Automatic disruption relies on high-fidelity signals that are produced by incident correlation across million of Defender product signals and continuous investigation insights from Microsoft's security research team, to ensure a high signal-to-noise ratio. -Selecting an incident name displays a page that demonstrates the value of centralizing security information as you get better insights into the full extend of a threat, from email, to identity, to endpoints. +Automatic disruption uses Defender XDR response actions when attacks are detected. Responses include containing or disabling assets. 
- +Attack disruptions are clearly marked in the Defender XDR incident queue, and on specific incident pages. -Take the time to review the incidents in your environment, drill down into each alert, and practice building an understanding of how to access the information and determine next steps in your analysis. -Learn more about [incidents in the Defender portal](/defender-xdr/incidents-overview), and [managing incidents and alerts](/defender-xdr/manage-incidents). +## Hunting for threats -## Hunt for threats +Proactive hunting inspects and investigates security events and data to locate known and potential security threats. -You can build custom detection rules and hunt for specific threats in your environment. **Hunting** uses a query-based threat hunting tool that lets you proactively inspect events in your organization to locate threat indicators and entities. These rules run automatically to check for, and then respond to, suspected breach activity, misconfigured machines, and other findings. +Defender XDR provides threat hunting capabilities in the Defender portal. -Learn about [proactive threat hunting](/defender-xdr/advanced-hunting-overview), and [hunting for threats across devices, emails, apps, and identities](/defender-xdr/advanced-hunting-query-emails-devices). +- **Advanced hunting**: SOC teams can use [advanced hunting](/defender-xdr/advanced-hunting-overview) with the Kusto Query Language (KQL) in the portal to create custom queries and rules for threat hunting across the enterprise. Analysts can search for indicators of compromise, anomalies, and suspicious activities across Defender XDR data sources. + If you're not familiar with KQL, Defender XDR provides a guided mode to create queries visually, and predefined query templates. 
-## Respond to emerging threats +- **Custom detection rules**: In addition to advanced hunting, SOC teams can create [custom detection rules](/defender-xdr/custom-detections-overview) to proactively monitor and respond to events and system states. Rules can trigger alerts or automatic response actions. -Threat analytics is the Microsoft threat intelligence solution from expert Microsoft security researchers.In the portal, track and respond to emerging threats with these threat analytics: +## Responding to threats -- Active threat actors and their campaigns -- Popular and new attack techniques -- Critical vulnerabilities -- Common attack surfaces -- Prevalent malware +Defender for XDR provides [automated investigation and response](/defender-xdr/m365d-autoir) capabilities. Automation reduces the volume of alerts that must be handled manually by SOC teams. -Learn about [tracking and responding to emerging threats with threat analytics](/defender-xdr/threat-analytics). +As alerts create incidents, automated investigations produce a verdict that determines whether a threat was found. When suspicious and malicious threats are identified, remediation actions include sending a file to quarantine, stopping a process, blocking a URL, or isolating a device. +You can view a summary of automated investigations and responses in the Home page of the portal. Pending remediation actions are handled in the portal Action Center. diff --git a/unified-secops-platform/detect-threats-overview.md b/unified-secops-platform/detect-threats-overview.md new file mode 100644 index 0000000000..4421813131 --- /dev/null +++ b/unified-secops-platform/detect-threats-overview.md 
@@ -0,0 +1,88 @@ +--- +title: Threat detection features across the Microsoft unified security platform +description: Learn about the features that help detect threats in the Microsoft unified security platform +search.appverid: met150 +ms.service: unified-secops-platform +ms.author: austinmc +author: austinmccollum +ms.localizationpriority: medium +ms.date: 11/22/2024 +audience: ITPro +ms.collection: +- M365-security-compliance +- tier1 +- usx-security +ms.topic: conceptual +# customer intent: As a security operations center business decision maker, I want to learn about the tools available to detect threats in Microsoft's unified security platform to help me determine whether it meets my organization's requirements. +--- + +# Threat detection in Microsoft's unified SecOps platform + +Cybersecurity threats abound in the current technology landscape. A lot of noise is created by the constant specter of breach and an abundance of signals available to security operation centers. Microsoft's unified SecOps platform separates actionable threats from the noise. Each service in Microsoft's unified SecOps platform adds its own finely tuned detections to match the complexion of the solution it provides and puts it all together into a single dashboard. + +Microsoft's unified SecOps platform in the Microsoft Defender portal pulls detections together in the form of alerts and incidents from Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Defender for Cloud. + +## Threat detection in the Microsoft Defender portal + +Security teams need focus and clarity to eliminate false positives. The Microsoft Defender portal correlates and merges alerts and incidents from all supported Microsoft security and compliance solutions, and unifies threat detection from external solutions through Microsoft Sentinel and Microsoft Defender for Cloud. The correlation and merging of these signals brings rich context and prioritization. 
For example, an Adversary-in-The-Middle (AiTM) phishing attack might have pieces of the threat puzzle scattered across multiple sources. The Defender portal puts those pieces together into an attack story while providing attack disrupt and guided response to remediate the threat. + +The following image shows the incidents dashboard correlating signals from multiple services, including the individual detection sources for a complete AiTM attack story. + +:::image type="content" source="media/detect-threats-overview/defender-xdr-multiple-source-example.png" alt-text="Screenshot showing an incident stitched together from multiple detection streams." lightbox="media/detect-threats-overview/defender-xdr-multiple-source-example.png"::: + +Each supported Microsoft security product enabled unlocks more signals to stream into the Defender portal. For more information on how these signals are stitched together and prioritized, see [Incidents and alerts in the Microsoft Defender portal](/defender-xdr/incidents-overview). + +## Microsoft Defender XDR threat detection + +Defender XDR has a unique correlation capability that provides an extra layer of data analysis and threat detection. The following table gives examples of how suported security services are tuned to detect threats matching the character of its solution. 
+ +| Defender XDR service | Threat detection specialty | +|---|---| +| [**Microsoft Defender for Endpoint**](/defender-endpoint/microsoft-defender-endpoint) | Microsoft Defender antivirus detects polymorphic malware with behavior-based and heuristic analytics on endpoints such as mobile devices, desktops, and more.| +| [**Microsoft Defender for Office 365**](/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet) | Detects phishing, malware, weaponized links and more in email, Teams, and OneDrive.| +| [**Microsoft Defender for Identity**](/defender-for-identity/what-is) | Detects privilege escalation, lateral movement, discovery, defense evasion, persistence, and more across both on-premises and cloud identities.| +| [**Microsoft Defender for Cloud Apps**](/defender-cloud-apps/what-is-defender-for-cloud-apps) | Detects suspicious activities through user and entity behavioral analytics (UEBA) across cloud applications.| +| [**Microsoft Defender Vulnerability Management**](/defender-vulnerability-management/defender-vulnerability-management) | Detects vulnerabilities in devices providing meaningful context for investigations.| +| [**Microsoft Entra ID Protection**](/azure/active-directory/identity-protection/overview-identity-protection) | Detects risks associated with sign-ins like impossible travel, verified threat actor IPs, leaked credentials, password sprays and more.| +| [**Microsoft Data Loss Prevention**](/microsoft-365/compliance/dlp-learn-about-dlp) | Detects risks and behavior associated with oversharing and exfiltration of sensitive information across Microsoft 365 services, Office applications, endpoints, and more.| + +For more information, see [What is Microsoft Defender XDR?](/defender-xdr/microsoft-365-defender) + +## Microsoft Sentinel threat detection + +Microsoft Sentinel connected to the Defender portal enables data collection from a vast number of Microsoft and non-Microsoft sources, but doesn't stop there. 
With Microsoft Sentinel's threat management capabilities, you gain the tools needed to detect and organize threats to your environment. + +:::image type="content" source="/azure/sentinel/media/overview/mitre-coverage-defender.png" alt-text="Screenshot showing MITRE ATT&CK coverage in Microsoft Sentinel." lightbox="/azure/sentinel/media/overview/mitre-coverage-defender.png"::: + +| Threat management feature | Detection capability | For more information | +|---|---|---| +| MITRE ATT&CK coverage | Organize your threat detection coverage and understand gaps. | [Understand security coverage by the MITRE ATT&CK® framework](/azure/sentinel/mitre-coverage) | +| Analytics | Rules constantly dig through your data to generate alerts and incidents and integrates those signals in the Defender portal. | [Detect threats out-of-the-box](/azure/sentinel/threat-detection) | +| Watchlists | Curate meaningful relationships in your environment to improve the quality and prioritization of detections. | [Watchlists in Microsoft Sentinel](/azure/sentinel/watchlists) | +| Workbooks | Detect threats with visual insights, especially to monitor the health of your data collection and understand gaps that prevent proper threat detection. | [Visualize your data with workbooks](/azure/sentinel/monitor-your-data?tabs=defender-portal) | +| Summary rules | Optimizes noisy, high volume logs to detect threat in low-security value data. | [Generate alerts on threat intelligence matches against network data](/azure/sentinel/summary-rules#generate-alerts-on-threat-intelligence-matches-against-network-data) | + +For more information, see [Connect Microsoft Sentinel to the Microsoft Defender portal](/defender-xdr/microsoft-sentinel-onboard). + +## Microsoft Defender for Cloud threat detection + +Defender for Cloud provides threat detection to generate alerts and incidents by continuously monitoring your clouds' assets with advanced security analytics. 
Those signals are integrated directly into the Defender portal for correlation and severity classification. Each plan enabled in Defender for Cloud adds to the detection signals streamed into Defender portal. For more information, see [Alerts and incidents in Microsoft Defender XDR](/azure/defender-for-cloud/concept-integration-365). + +Defender for Cloud detects threats across a wide variety of workloads. The following table gives examples of some of the threats it detects. For more information on specific alerts, see [Security alerts reference list](/azure/defender-for-cloud/alerts-reference). + +| Defender for Cloud plan | Threat detection specialty | +|---|---| +| [Defender for Servers](/azure/defender-for-cloud/tutorial-enable-servers-plan) | Detects threats for Linux and Windows based on antimalware failures, fileless attacks, crypto mining and ransomware attacks, brute force attacks and many more. | +| [Defender for Storage](/azure/defender-for-cloud/tutorial-enable-storage-plan) | Detects phishing content and malware distribution, suspicious access and discovery, unusual data extraction and more. | +| [Defender for Containers](/azure/defender-for-cloud/tutorial-enable-containers-azure) | Detects threats at the control plane and workload runtime for risky exposure, malicious or crypto mining activity, web shell activity, custom simulations and more. | +| [Defender for Databases](/azure/defender-for-cloud/tutorial-enable-databases-plan) | Detects SQL injection, fuzzing, unusual access, brute force attempts and more. | +| [Defender for APIs](/azure/defender-for-cloud/defender-for-apis-introduction) | Detects suspicious spikes in traffic, access from malicious IPs, discovery and enumeration techniques of API endpoints and more. | +| [AI threat protection](/azure/defender-for-cloud/ai-threat-protection) | Detects threats across generative AI applications for jailbreak attempts, sensitive data exposure, corrupted AI and more. 
| + +For more information, see [Security alerts and incidents](/azure/defender-for-cloud/alerts-overview). + +## Related content + +- [Protect assets](overview-unified-security.md#protect-assets) +- [Microsoft Defender for Cloud integration with Microsoft Defender XDR](/azure/defender-for-cloud/concept-integration-365) +- [Microsoft Sentinel integration with Microsoft Defender XDR](/azure/sentinel/microsoft-365-defender-sentinel-integration) diff --git a/unified-secops-platform/docfx.json b/unified-secops-platform/docfx.json index 4f69621f95..953bba7b68 100644 --- a/unified-secops-platform/docfx.json +++ b/unified-secops-platform/docfx.json @@ -42,7 +42,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "breadcrumb_path": "~/breadcrumb/unified-secops-platform/toc.yml", + "breadcrumb_path": "~/breadcrumb/toc.yml", "feedback_system": "Standard", "feedback_product_url": "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/ct-p/MicrosoftSecurityandCompliance", "uhfHeaderId": "MSDocsHeader-MicrosoftDefender", diff --git a/unified-secops-platform/gov-support.md b/unified-secops-platform/gov-support.md new file mode 100644 index 0000000000..df45b9ffba --- /dev/null +++ b/unified-secops-platform/gov-support.md 
@@ -0,0 +1,55 @@ +--- +title: Support for US Government customers +description: Learn about support for Microsoft's unified SecOps platform for US Government clouds. +author: batamig +ms.author: bagol +ms.service: unified-secops-platform +ms.topic: concept-article #Don't change. +ms.date: 11/10/2024 +ms.collection: +- usx-security + + +#customer intent: As a US government cloud customer, I want to understand the support available for me in Microsoft's unified security operations platform. + +--- + +# Microsoft's unified security operations platform for US Government customers + +This article provides information about Microsoft's unified security operations (SecOps) platform for US Government customers. + +## Feature availability + +- All features in Microsoft's SecOps platform that are in general availability are available in both commercial and GCC High and DoD clouds. +- Features still in preview are available only in the commercial cloud. + +While [automatic attack disruption](/defender-xdr/automatic-attack-disruption) with Microsoft Defender XDR is generally available, [SAP support for attack disruption](/defender-xdr/automatic-attack-disruption) with Microsoft's unified SecOps platform is available only in the commercial cloud. + +For more information, see: + +- [Microsoft Defender XDR for US Government customers](/defender-xdr/usgov) +- [Microsoft Sentinel feature support for Azure commercial/other clouds](/azure/sentinel/feature-availability) + +## Portal URLs + +The following are the Microsoft Defender portal URLs for US Government customers: + +- **GCC**: https://security.microsoft.com +- **GCC High**: https://security.microsoft.us +- **DoD**: https://security.apps.mil + +If you are a GCC customer and are in the process of moving from Microsoft Defender for Endpoint commercial to GCC, use https://transition.security.microsoft.com to access your Microsoft Defender for Endpoint commercial data. 
+ +## API access + +When using a US government cloud, you need to use the following URIs instead of the public URIs listed in our API documentation: + +- **Login**: + + - **GCC**: https://login.microsoftonline.com + - **GCC High and DoD**: https://login.microsoftonline.us + +- **Microsoft Defender XDR API**: + + - **GCC**: https://api-gcc.security.microsoft.us + - **GCC High and DoD**: https://api-gov.security.microsoft.us diff --git a/unified-secops-platform/hunting-overview.md b/unified-secops-platform/hunting-overview.md new file mode 100644 index 0000000000..f7f1fa51a5 --- /dev/null +++ b/unified-secops-platform/hunting-overview.md 
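Review bot: in the new `gov-support.md`, the Feature availability bullet "available in both commercial and GCC High and DoD clouds" lists three clouds after "both" and omits GCC, even though the Portal URLs section in the same file gives a GCC portal (`https://security.microsoft.com`) and the API access section gives GCC endpoints; name the clouds explicitly, e.g. `are available in the commercial, GCC, GCC High, and DoD clouds`. Also, the "SAP support for attack disruption" link targets `/defender-xdr/automatic-attack-disruption`, the same page as the preceding generic "automatic attack disruption" link, so the sentence promises SAP-specific detail but sends the reader to the general page; point it at the SAP section or page that documents that limitation.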
@@ -0,0 +1,66 @@ +--- +title: Threat hunting features across Microsoft's unified security operations platform +description: Learn about threat hunting features across Microsoft's unified security operations (SecOps) platform. +search.appverid: met150 +ms.service: unified-secops-platform +ms.author: austinmc +author: austinmccollum +ms.localizationpriority: medium +ms.date: 11/23/2024 +audience: ITPro +ms.collection: +- M365-security-compliance +- tier1 +- usx-security +ms.topic: conceptual + +# customer intent: As a security operations center business decision maker, I want to learn about threat hunting tools available in Microsoft's unified SecOps platform so I can get visibility into, and disrupt attacks in real time across identities, endpoints, email, cloud apps, data in hybrid and multicloud environments. +--- + +# Hunting in Microsoft's unified SecOps platform + +Hunting for security threats is a highly customizable activity that is most effective when accomplished across all stages of threat hunting: proactive, reactive, and post incident. Microsoft's unified security operations (SecOps) platform provides effective hunting tools for every stage of threat hunting. These tools are well fit for analysts who are just starting out in their career, or experienced threat hunters using advanced hunting methods. Threat hunters of all levels benefit from hunting tool features that allow them to share their techniques, queries, and findings with their team along the way. + +## Hunting tools + +The foundation of hunting queries in the Defender portal rests on Kusto Query Language (KQL). KQL is a powerful and flexible language that's optimized for searching through big-data stores in cloud environments. However, crafting complex queries isn't the only way to hunt for threats. 
Here are some more hunting tools and resources within the Defender portal designed to bring hunting into your reach: + +- [**Security Copilot in advanced hunting**](/defender-xdr/advanced-hunting-security-copilot) generates KQL from natural language prompts. +- [**Guided hunting**](/defender-xdr/advanced-hunting-query-builder) uses a query builder for crafting meaningful hunting queries without knowing KQL or the data schema. +- [**Get help as you write queries**](/defender-xdr/advanced-hunting-query-language#get-help-as-you-write-queries) with features like autosuggest, schema tree, and sample queries. +- [**Content hub**](/azure/sentinel/sentinel-solutions-deploy?tabs=azure-portal#hunting-query) provides expert queries to match out-of-the-box solutions in Microsoft Sentinel. +- [**Microsoft Defender Experts for Hunting**](/defender-xdr/advanced-hunting-overview) compliments even the best threat hunters that want assistance. + +Maximize the full extent of your team's hunting prowess with the following hunting tools in the Defender portal: + +| Hunting tool | Description | +|---|---| +|[**Advanced hunting**](/defender-xdr/advanced-hunting-microsoft-defender) | View and query data sources available within Microsoft's unified SecOps platform and share queries with your team. Use all your existing Microsoft Sentinel workspace content, including queries and functions. | +|[**Microsoft Sentinel hunting**](/azure/sentinel/hunting) | Hunt for security threats across data sources. Use specialized search and query tools like **hunts**, **bookmarks** and **livestream**. | +|[**Go hunt**](/defender-xdr/advanced-hunting-go-hunt) | Quickly pivot an investigation to entities found within an incident. | +|[**Hunts**](/azure/sentinel/hunts) | An end-to-end, proactive threat hunting process with collaboration features. 
| +|[**Bookmarks**](/azure/sentinel/bookmarks) | Preserve queries and their results, adding notes and contextual observations.| +|[**Livestream**](/azure/sentinel/livestream) | Start an interactive hunting session and use any Log Analytics query. | +|[**Hunting with summary rules**](/azure/sentinel/summary-rules#quickly-find-a-malicious-ip-address-in-your-network-traffic) | Use summary rules to save costs hunting for threats in verbose logs.| +|[**MITRE ATT&CK map**](/azure/sentinel/mitre-coverage#use-the-mitre-attck-framework-in-analytics-rules-and-incidents) | When creating a new hunting query, select specific tactics and techniques to apply.| +|[**Restore historical data**](/azure/sentinel/restore) | Restore data from archived logs to use in high performing queries. | +|[**Search large data sets**](/azure/sentinel/search-jobs?tabs=defender-portal) | Search for specific events in logs up to seven years ago using KQL. | +|[**Infrastructure chaining**](/defender/threat-intelligence/infrastructure-chaining) | Hunt for new connections between threat actors, group similar attack activity and substantiate assumptions.| +|[**Threat explorer**](/defender-office-365/threat-explorer-threat-hunting) | Hunt for specialized threats related to email. | + +## Hunting stages + +The following table describes how you can make the most of the Defender portal's hunting tools across all stages of threat hunting: + +| Hunting stage | Hunting tools | +| --- | --- | +| **Proactive** - Find the weak areas in your environment before threat actors do. Detect suspicious activity extra early. | - Regularly conduct end-to-end [hunts](/azure/sentinel/hunts) to proactively seek out undetected threats and malicious behaviors, validate hypotheses, and act on findings by creating new detections, incidents, or threat intelligence.

- Use the [MITRE ATT&CK map](/azure/sentinel/mitre-coverage#use-the-mitre-attck-framework-in-analytics-rules-and-incidents) to identify detection gaps, and then run predefined hunting queries for highlighted techniques.

- Insert new threat intelligence into proven queries to tune detections and confirm if a compromise is in process.

- Take proactive steps to build and test queries against data from new or updated sources.

- Use [advanced hunting](/defender-xdr/advanced-hunting-microsoft-defender) to find early-stage attacks or threats that don't have alerts. | +| **Reactive** - Use hunting tools during an active investigation. | - Use [livestream](/azure/sentinel/livestream) to run specific queries at consistent intervals to actively monitor events.

- Quickly pivot on incidents with the [**Go hunt**](/defender-xdr/advanced-hunting-go-hunt) button to search broadly for suspicious entities found during an investigation.

- Hunt through threat intelligence to perform [infrastructure chaining](/defender/threat-intelligence/infrastructure-chaining).

- Use [Security Copilot in advanced hunting](/defender-xdr/advanced-hunting-security-copilot) to generate queries at machine speed and scale. | +| **Post incident** - Improve coverage and insights to prevent similar incidents from recurring. | - Turn successful hunting queries into new [analytics and detection rules](/azure/sentinel/threat-detection), or refine existing ones.

- [Restore historical data](/azure/sentinel/restore) and [search large datasets](/azure/sentinel/search-jobs?tabs=defender-portal) for specialized hunting as part of full incident investigations. | + + +## Related content + +- [Threat detection in Microsoft's unified SecOps platform](/unified-secops-platform/detect-threats-overview) +- [Security posture management and risk reduction](/unified-secops-platform/reduce-risk-overview) +- [Service integration](/unified-secops-platform/overview-defender-portal) diff --git a/unified-secops-platform/incident-response-overview.md b/unified-secops-platform/incident-response-overview.md deleted file mode 100644 index 242c00db6a..0000000000 --- a/unified-secops-platform/incident-response-overview.md +++ /dev/null 
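Review bot: the Hunting stages table in the new `hunting-overview.md` spreads each Hunting tools cell across several lines (the bullets under Proactive, Reactive, and Post incident each sit on their own line with blank lines between them); Markdown tables need every row on one line, so as written only the first bullet of each row lands in the cell and the rest render as loose paragraphs below a broken table. Join the bullets inside each cell with `<br>` (or `<br><br>` where the blank-line spacing is wanted) and keep each row on a single line. Two smaller points in the Hunting tools section: "compliments even the best threat hunters" should be "complements", and that bullet's link for Microsoft Defender Experts for Hunting targets `/defender-xdr/advanced-hunting-overview`, the generic advanced hunting page, rather than a Defender Experts page, so the reader never reaches the service the bullet describes. In the opening paragraph, "well fit for analysts" reads better as "well suited to analysts".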
@@ -1,309 +0,0 @@ ---- -title: Incident response overview -description: Get an overview of incident response processes and best practices -search.appverid: met150 -ms.service: unified-secops-platform -author: yelevin -ms.author: yelevin -ms.localizationpriority: medium -ms.date: 10/08/2024 -audience: ITPro -ms.collection: -- M365-security-compliance -- tier1 -- usx-security -ms.topic: conceptual ---- - -# Incident response overview - - -Incident response is the practice of investigating and remediating active attack campaigns on your organization. Incident response is part of the [security operations (SecOps)](/azure/cloud-adoption-framework/secure/security-operations) discipline and is primarily reactive in nature. - -Incident response has the largest direct influence on the overall mean time to acknowledge (MTTA) and mean time to remediate (MTTR) that measure how well security operations are able to reduce organizational risk. Incident response teams heavily rely on good working relationships between threat hunting, intelligence, and incident management teams (if present) to actually reduce risk. For more information, see [SecOps metrics](/azure/cloud-adoption-framework/secure/security-operations#secops-metrics). - -For more information on security operations roles and responsibilities, see [Cloud SOC functions](/azure/cloud-adoption-framework/organize/cloud-security-operations-center). - - -## Incident response process - -The first step is to **have an incident response plan in place** that encompasses both internal and external processes for responding to cybersecurity incidents. The plan should detail how your organization should: - -- Address attacks that vary with the business risk and impact of the incident, which can vary from an isolated web site that is no longer available to the compromise of administrator-level credentials. -- Define the purpose of the response, such as a return to service or to handle legal or public relations aspects of the attack. 
-- Prioritize the work that needs to get done in terms of how many people should be working on the incident and their tasks. - -See the [incident response planning article](incident-response-planning.md) for a checklist of activities you should consider including in your incident response plan. Once your incident response plan is in place, test it regularly for the most serious types of cyberattacks to ensure that your organization can respond quickly and efficiently. - -Although each organization's incident response process may be different based on organizational structure and capabilities and historical experience, consider the set of recommendations and best practices in this article for responding to security incidents. - -During an incident, it's critical to: - -- Keep calm - - Incidents are extremely disruptive and can become emotionally charged. Stay calm and focus on prioritizing your efforts on the most impactful actions first. - -- Do no harm - - Confirm that your response is designed and executed in a way that avoids loss of data, loss of business-critical functionality, and loss of evidence. Avoid decisions that can damage your ability to create forensic timelines, identify root cause, and learn critical lessons. - -- Involve your legal department - - Determine whether they plan to involve law enforcement so you can plan your investigation and recovery procedures appropriately. - -- Be careful when sharing information about the incident publicly - - Confirm that anything you share with your customers and the public is based on the advice of your legal department. - -- Get help when needed - - Tap into deep expertise and experience when investigating and responding to attacks from sophisticated attackers. - -Like diagnosing and treating a medical disease, cybersecurity investigation and response for a major incident requires defending a system that is both: - -- Critically important (can't be shut down to work on it). 
-- Complex (typically beyond the comprehension of any one person). - -During an incident, you must strike these critical balances: - -- Speed - - Balance the need to act quickly to satisfy stakeholders with the risk of rushed decisions. - -- Sharing information - - Inform investigators, stakeholders, and customers based on the advice of your legal department to limit liability and avoid setting unrealistic expectations. - -This article is designed to lower the risk to your organization for a cybersecurity incident by identifying common errors to avoid and providing guidance on what actions you can rapidly take that both reduce risk and meet stakeholder needs. - -> [!NOTE] -> For more guidance on preparing your organization for ransomware and other types of multi-stage attacks, see [Prepare your recovery plan](/security/ransomware/protect-against-ransomware-phase1). - -## Response best practices - -Responding to incidents can be done effectively from both technical and operations perspectives with these recommendations. - -> [!NOTE] -> For more detailed industry guidance, see the [NIST Computer Security Incident Handling Guide](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf). - -### Technical response best practices - -For the technical aspects of incident response, here are some goals to consider: - -- Try to identify the scope of the attack operation. - - Most adversaries use multiple persistence mechanisms. - -- Identify the objective of the attack, if possible. - - Persistent attackers will frequently return for their objective (data/systems) in a future attack. - -Here are some useful tips: - -- Don't upload files to online scanners - - Many adversaries monitor instance count on services like VirusTotal for discovery of targeted malware. 
- -- Carefully consider modifications - - Unless you face an imminent threat of losing business-critical data—such as deletion, encryption, and exfiltration—balance the risk of not making the modification with the projected business impact. For example, temporarily shutting down your organization's internet access may be necessary to protect business-critical assets during an active attack. - - If changes are necessary where the risk of not doing an action is higher than the risk of doing it, document the action in a change log. Changes made during incident response are focused on disrupting the attacker and may impact the business adversely. You'll need to roll back these changes after the recovery process. - -- Don't investigate forever - - You must ruthlessly prioritize your investigation efforts. For example, only perform forensic analysis on endpoints that attackers have used or modified. For example, in a major incident where an attacker has administrative privileges, it's practically impossible to investigate all potentially compromised resources (which may include all organization resources). - -- Share information - - Confirm that all investigation teams, including all internal teams and external investigators or insurance providers, are sharing their data with each other, based on the advice of your legal department. - -- Access the right expertise - - Confirm that you integrate people with deep knowledge of the systems into the investigation—such as internal staff or external entities like vendors—not just security generalists. - -- Anticipate reduced response capability - - Plan for 50% of your staff operating at 50% of normal capacity due to situational stress. - -A key expectation to manage with stakeholders is that you may never be able to identify the initial attack because the data required for identification has been deleted before the investigation starts, such as an attacker covering their tracks by log rolling. 
- -### Operations response best practices - -For security operations (SecOps) aspects of incident response, here are some goals to consider: - -- Staying focused - - Confirm you keep the focus on business-critical data, customer impact, and getting ready for remediation. - -- Providing coordination and role clarity - - Establish distinct roles for operations in support of the crisis team and confirm that technical, legal, and communications teams are keeping each other informed. - -- Keeping your business perspective - - You should always consider the impact on business operations by both adversary actions and your own response actions. - -Here are some useful tips: - -- Consider the [Incident Command System (ICS)](https://training.fema.gov/is/courseoverview.aspx?code=is-100.c) for crisis management - - If you don't have a permanent organization that manages security incidents, we recommend using the ICS as a temporary organizational structure to manage the crisis. - -- Keep ongoing daily operations intact - - Ensure that normal SecOps aren't completely sidelined to support incident investigations. This work still needs to be done. - -- Avoid wasteful spending - - Many major incidents result in the purchase of expensive security tools under pressure that are never deployed or used. If you can't deploy and use a tool during the investigation, which can include hiring and training for more staff with the skill sets needed to operate the tool, defer acquisition until after you finish the investigation. - -- Access deep expertise - - Confirm you have the ability to escalate questions and issues to deep experts on critical platforms. This ability might require access to the operating system and application vendor for business-critical systems and enterprise-wide components such as desktops and servers. 
- -- Establish information flows - - Set clear guidance and expectations for the flow of information between senior incident response leaders and organization stakeholders. For more information, see [incident response planning](incident-response-planning.md). - -## Recovery best practices - -Recovering from incidents can be done effectively from both technical and operations perspectives with these recommendations. - -### Technical recovery best practices - -For the technical aspects of recovering from an incident, here are some goals to consider: - -- Don't boil the ocean - - Limit your response scope so that recovery operation can be executed within 24 hours or less. Plan a weekend to account for contingencies and corrective actions. - -- Avoid distractions - - Defer long-term security investments like implementing large and complex new security systems or replacing anti-malware solutions until after the recovery operation. Anything that doesn't have direct and immediate impact on the current recovery operation is a distraction. - -Here are some helpful tips: - -- Never reset all passwords at once - - Password resets should focus first on known compromised accounts based on your investigation and are potentially administrator or service accounts. If warranted, user passwords should be reset only in a staged and controlled manner. - -- Consolidate execution of recovery tasks - - Unless you face an imminent threat of losing business-critical data, you should plan a consolidated operation to rapidly remediate all compromised resources (such as hosts and accounts) versus remediating compromised resources as you find them. Compressing this time window makes it difficult for attack operators to adapt and maintain persistence. - -- Use existing tools - - Research and use the capabilities of tools you deployed before trying to deploy and learn a new tool during a recovery. 
- -- Avoid tipping off your adversary - - As practical, you should take steps to limit the information available to adversaries about the recovery operation. Adversaries typically have access to all production data and email in a major cybersecurity incident. But in reality, most attackers don't have time to monitor all your communications. - - Microsoft's Security Operations Center (SOC) uses a non-production Microsoft 365 tenant for secure communication and collaboration for members of the incident response team. - -### Operations recovery best practices - -For the operations aspects of recovering from an incident, here are some goals to consider: - -- Have a clear plan and limited scope - - Work closely with your technical teams to build a clear plan with limited scope. While plans may change based on adversary activity or new information, you should work diligently to limit scope expansion and taking on more tasks. - -- Have clear plan ownership - - Recovery operations involve many people doing many different tasks at once, so designate a project lead for the operation for clear decision-making and definitive information to flow among the crisis team. - -- Maintain stakeholder communications - - Work with communication teams to provide timely updates and active expectation management for organizational stakeholders. - -Here are some helpful tips: - -- Know your capabilities and limits - - Managing major security incidents is very challenging, very complex, and new to many professionals in the industry. You should consider bringing in expertise from external organizations or professional services if your teams are overwhelmed or aren't confident about what to do next. - -- Capture the lessons learned - - Build and continually improve role-specific handbooks for SecOps, even if it's your first incident without any written procedures. - -Executive and board-level communications for incident response can be challenging if not practiced or anticipated. 
Make sure you have a communication plan to manage progress reporting and expectations for recovery. - -## Incident response process for SecOps - -Consider this general guidance about the incident response process for your SecOps and staff. - -### 1. Decide and act - -After a threat detection tool such as Microsoft Sentinel or Microsoft Defender XDR detects a likely attack, it creates an incident. The Mean Time to Acknowledge (MTTA) measurement of SOC responsiveness begins with the time your security staff notices the attack. - -An analyst on shift is either delegated or takes ownership of the incident and performs an initial analysis. The timestamp for this is the end of the MTTA responsiveness measurement and begins the Mean Time to Remediate (MTTR) measurement. - -As the analyst that owns the incident develops a high enough level of confidence that they understand the story and scope of the attack, they can quickly shift to planning and executing cleanup actions. - -Depending on the nature and scope of the attack, your analysts can clean up attack artifacts as they go (such as emails, endpoints, and identities) or they may build a list of compromised resources to clean up all at once (known as a Big Bang) - -- Clean as you go - - For most typical incidents that are detected early in the attack operation, analysts can quickly clean up the artifacts as they find them. This practice puts the adversary at a disadvantage and prevents them from moving forward with the next stage of their attack. - -- Prepare for a Big Bang - - This approach is appropriate for a scenario where an adversary has already settled in and established redundant access mechanisms to your environment. This practice is frequently seen in customer incidents investigated by the [Microsofts Incident Response Team](https://www.microsoft.com/security/business/microsoft-incident-response). 
In this approach, analysts should avoid tipping off the adversary until full discovery of the attacker's presence, because surprise can help with fully disrupting their operation. - - Microsoft learned that partial remediation often tips off an adversary, which gives them a chance to react and rapidly make the incident worse. For example, the attacker can spread the attack further, change their access methods to evade detection, cover their tracks, and inflict data and system damage and destruction for revenge. - - Cleaning up phishing and malicious emails can often be done without tipping off the attacker but cleaning up host malware and reclaiming control of accounts has a high chance of discovery. - -These aren't easy decisions to make and there's no substitute for experience in making these judgment calls. A collaborative work environment and culture in your SOC helps ensure that analysts can tap into each other's experience. - -The specific response steps are dependent on the nature of the attack, but the most common procedures used by analysts can include: - -- Client endpoints (devices) - - Isolate the endpoint and contact the user or IT operations/helpdesk to initiate a reinstallation procedure. - -- Server or applications - - Work with IT operations and application owners to arrange rapid remediation of these resources. - -- User accounts - - Reclaim control by disabling the account and resetting password for compromised accounts. These procedures could evolve as your users transition to passwordless authentication using Windows Hello or another form of multi-factor authentication (MFA). A separate step is to expire all authentication tokens for the account with [Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security). - - Your analysts can also review the MFA method phone number and device enrollment to ensure it's not hijacked by contacting the user and reset this information as needed. 
- -- Service Accounts - - Because of the high risk of service or business impact, your analysts should work with the service account owner of record, falling back on IT operations as needed, to arrange rapid remediation of these resources. - -- Emails - - Delete the attack or phishing email and sometimes clear them to prevent users from recovering deleted emails. Always save a copy of original email for later search for post-attack analysis, such as headers, content, and scripts or attachments. - -- Other - - You can execute custom actions based on the nature of the attack such as revoking application tokens and reconfiguring servers and services. - -### 2. Post-incident cleanup - -Because you don't benefit from learned lessons until you change future actions, always integrate any useful information learned from the investigation back into your SecOps. - -Determine the connections between past and future incidents by the same threat actors or methods and capture these learnings to avoid repeating manual work and analysis delays in the future. - -These learnings can take many forms, but common practices include analysis of: - -- Indicators of Compromise (IoCs). - - Record any applicable IoCs such as file hashes, malicious IP addresses, and email attributes into your SOC threat intelligence systems. - -- Unknown or unpatched vulnerabilities. - - Your analysts can initiate processes to ensure that missing security patches get applied, misconfigurations are corrected, and vendors (including Microsoft) are informed of "zero day" vulnerabilities so that they can create and distribute security patches. - -- Internal actions such as enabling logging on assets covering your cloud-based and on-premises resources. - - Review your existing security baselines and consider adding or changing security controls. 
For example, see the [Microsoft Entra security operations guide](/azure/active-directory/fundamentals/security-operations-introduction) for information on enabling the appropriate level of auditing in the directory before the next incident happens. - -Review your response processes to identify and resolve any gaps found during the incident. diff --git a/unified-secops-platform/incident-response-planning.md b/unified-secops-platform/incident-response-planning.md deleted file mode 100644 index 9bb0d60963..0000000000 --- a/unified-secops-platform/incident-response-planning.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -title: Incident response planning -description: Start planning for incident handling -search.appverid: met150 -ms.service: unified-secops-platform -author: yelevin -ms.author: yelevin -ms.localizationpriority: medium -ms.date: 10/08/2024 -audience: ITPro -ms.collection: -- M365-security-compliance -- tier1 -- usx-security -ms.topic: conceptual ---- - -# Incident response planning - -Use this table as a checklist to prepare your Security Operations Center (SOC) to respond to cybersecurity incidents. - -| Done| Activity | Description | Benefit | -|:-------|:-------|:-----|:-----| -| | Table top exercises | Conduct periodic table top exercises of foreseeable business-impacting cyber incidents that force your organization's management to contemplate difficult risk-based decisions. | Firmly establishes and illustrates cybersecurity as a business issue. Develops muscle memory and surfaces difficult decisions and decisions rights issues across the organization. | -| | Determine pre-attack decisions and decision-makers | As a complement to table top exercises, determine risk-based decisions, criteria for making decisions, and who must make and execute those decisions. For example:

Who/when/if to seek assistance from law enforcement?

Who/when/if to enlist incident responders?

Who/when/if to pay ransom?

Who/when/if to notify external auditors?

Who/when/if to notify privacy regulatory authorities?

Who/when/if to notify securities regulators?

Who/when/if to notify board of directors or audit committee?

Who has authority to shut down mission-critical workloads? | Defines the initial response parameters and contacts to involve that streamline the response to an incident. | -| | Maintaining privilege | Typically, advice can be privileged, but facts are discoverable. Train key incident leaders in communicating advice, facts and opinions under privilege so that privilege is preserved and risk is reduced.| Maintaining privilege can be a messy process when considering the multitude of communications channels, including e-mail, collaboration platforms, chats, documents, artifacts. For example, you can use [Microsoft Teams Rooms](/microsoftteams/rooms/). A consistent approach across incident personnel and supporting external organizations can help reduce any potential legal exposure.| -| | Insider trading considerations | Contemplate notifications to management that should be taken to reduce securities violations risk. | Boards and external auditors tend to appreciate that you have mitigations that will reduce the risk of questionable securities trades during periods of turbulence.| -| | Incident roles and responsibilities playbook | Establish basic roles and responsibilities that allow various processes to maintain focus and forward progress.

When your response team is remote, it can require other considerations for time zones and proper handoff to investigators.

You might have to communicate across other teams that might be involved, such as vendor teams. | **Technical Incident Leader** – Always in the incident, synthesizing inputs and findings and planning next actions.

**Communications Liaison** – Removes the burden of communicating to management from the Technical Incident Leader so they can remain involved in the incident without loss of focus.

This activity should include managing executive messaging and interactions with other third parties such as regulators.

**Incident Recorder** – Removes the burden of recording findings, decisions, and actions from an incident responder and produces an accurate accounting of the incident from beginning to end.

**Forward Planner** – Working with mission-critical business process owners, formulates business continuity activities and preparations that contemplate information system impairment that lasts for 24, 48, 72, 96 hours, or more.

**Public Relations** – In the event of an incident that is likely to garner public attention, with Forward Planner, contemplates and drafts public communication approaches that address likely outcomes. | -| | Privacy incident response playbook | To satisfy increasingly strict privacy regulations, develop a jointly owned playbook between SecOps and the privacy office. This playbook will allow rapid evaluation of potential privacy issues that might arising out of security incidents. | It's difficult to evaluate security incidents for their potential to impact privacy because most security incidents arise in a highly technical SOC. The incidents must quickly get surfaced to a privacy office (often with a 72-hour notification expectation) where regulatory risk is determined. | -| | Penetration testing | Conduct point-in-time simulated attacks against business-critical systems, critical infrastructure, and backups to identify weaknesses in security posture. Typically, this activity is conducted by a team of external experts focused on bypassing preventative controls and surfacing key vulnerabilities. | In light of recent human-operated ransomware incidents, penetration testing should be conducted against an increased scope of infrastructure, particularly the ability to attack and control backups of mission-critical systems and data. | -| | Red Team / Blue Team / Purple Team / Green Team | Conduct continuous or periodic simulated attacks against business-critical systems, critical infrastructure, backups to identify weaknesses in security posture. Typically, this activity is conducted by internal attack teams (Red teams) who are focused on testing the effectiveness of detective controls and teams (Blue teams).

For example, you can use [Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-insights) in Microsoft Defender XDR for Office 365 and [Attack tutorials & simulations](/microsoft-365/security/defender-endpoint/attack-simulations) for Microsoft Defender XDR for Endpoint. | Red, Blue, and Purple team attack simulations, when done well, serve a multitude of purposes:
  • Allows engineers from across the IT organization to simulate attacks on their own infrastructure disciplines.
  • Surfaces gaps in visibility and detection.
  • Raises the security engineering skills across the board.
  • Serves as a more continuous and expansive process.


The Green Team implements changes in IT or security configuration. | -| | Business continuity planning | For mission-critical business processes, design and test continuity processes that allow the minimum viable business to function during times of information systems impairment.

For example, use [an Azure backup and restore plan](/security/compass/backup-plan-to-protect-against-ransomware) to protect your critical business systems during an attack to ensure a rapid recovery of your business operations. |
  • Highlights the fact that there's no continuity workaround for the impairment or absence of IT systems.
  • Can emphasize the need and funding for sophisticated digital resilience over simpler backup and recovery.
| -| | Disaster recovery | For information systems that support mission-critical business processes, you should design and test hot/cold and hot/warm backup and recovery scenarios, including staging times. | Organizations that conduct bare metal builds often find activities that are impossible to replicate or don't fit into the service level objectives.

Mission-critical systems running on unsupported hardware many times can't be restored to modern hardware.

Restore of backups is often not tested and experiences issues. Backups may be further offline such that staging times haven't been factored into recovery objectives. | -| | Out-of-band communications | Prepare for how you would communicate in the the following scenarios:
  • Email and collaboration service impairment
  • Ransom of documentation repositories
  • Unavailability of personnel phone numbers.
| Although it's a difficult exercise, determine how to store important information immutably in off-line devices and locations for distribution at scale. For example:
  • Phone numbers
  • Topologies
  • Build documents
  • IT restoration procedures
| -| | Hardening, hygiene, and lifecycle management | In line with Center for Internet Security (CIS) Top 20 security controls, harden your infrastructure and perform thorough hygiene activities. | In response to recent human-operated ransomware incidents, Microsoft has [issued specific guidance](/security/ransomware/protect-against-ransomware) for protecting every stage of the cyberattack kill chain. This guidance applies to Microsoft capabilities or the capabilities of other providers. Of particular note are:
  • The creation and maintenance of immutable backup copies in the event of ransomed systems. You might also consider how to keep immutable log files that complicate the attacker's ability to cover their tracks.
  • Risks related to unsupported hardware for disaster recovery.
| -| | Incident response planning | At the outset of the incident, decide on:
  • Important organizational parameters.
  • Assignment of people to roles and responsibilities.
  • The sense-of-urgency (such as 24x7 and business hours).
  • Staff for sustainability for the duration.
| There's a tendency to throw all available resources at an incident in the beginning, in the hope of a quick resolution. Once you recognize or anticipate that an incident will go for an extended period of time, take on a different posture that with your staff and suppliers that allows them to settle in for a longer haul. | -| | Incident responders | Establish clear expectations with one another. A popular format of reporting ongoing activities includes:
  • What have we done (and what were the results)?
  • What are we doing (and what results will be produced and when)?
  • What do we plan to do next (and when is it realistic to expect results)?
| Incident responders come with different techniques and approaches, including dead box analysis, big data analysis, and the ability to produce incremental results. Starting with clear expectations will facilitate clear communications. | \ No newline at end of file diff --git a/unified-secops-platform/index.yml b/unified-secops-platform/index.yml index 5a535a237e..5ce80a18bf 100644 --- a/unified-secops-platform/index.yml +++ b/unified-secops-platform/index.yml @@ -12,7 +12,7 @@ metadata: ms.collection: usx-security # Optional; Remove if no collection is used. author: cwatson-cat #Required; your GitHub user alias, with correct capitalization. ms.author: cwatson #Required; microsoft alias of author; optional team alias. - ms.date: 07/30/2024 #Required; mm/dd/yyyy format. + ms.date: 11/13/2024 #Required; mm/dd/yyyy format. # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new 
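Review bot: every visible row of this playbook table is a removed line, and the hunk ends at "\ No newline at end of file" with no replacement rows in view, so if the table is being moved rather than dropped, carry the rows over intact and fix the typos on the way: "issues that might arising out of security incidents" should read "might arise out of", "in the the following scenarios" has a doubled "the", and "take on a different posture that with your staff and suppliers" has a stray "that". The product names in the Red Team / Blue Team row are also wrong: the services are Microsoft Defender for Office 365 and Microsoft Defender for Endpoint, not "Microsoft Defender XDR for Office 365" and "Microsoft Defender XDR for Endpoint". That same row stops at "testing the effectiveness of detective controls and teams (Blue teams)" without saying what the Blue team does, and in the Business continuity planning row the two "Highlights the fact..." and "Can emphasize the need..." bullets sit after the cell's closing pipe, so they would render outside the table rather than in the Notes column.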
@@ -24,9 +24,62 @@ landingContent: linkLists: - linkListType: overview links: - - text: What is the Microsoft security operations platform? - url: /defender-xdr/microsoft-365-defender + - text: "What is Microsoft's unified SecOps platform?" + url: overview-unified-security.md + - text: "Microsoft Defender portal overview" + url: overview-defender-portal.md - linkListType: whats-new links: - - text: What's new in the Microsoft security operations platform - url: /defender-xdr/unified-secops-platform/whats-new + - text: "What's new in Microsoft's unified SecOps platform" + url: whats-new.md + + # Card + - title: Get started + linkLists: + - linkListType: deploy + links: + - text: "Plan your deployment" + url: overview-plan.md + - text: "Deploy Microsoft's unified SecOps platform" + url: overview-deploy.md + + # Card + - title: Prevent, detect, and hunt for threats + linkLists: + - linkListType: concept + links: + - text: "Security posture management and risk reduction" + url: reduce-risk-overview.md + - text: "Threat detection in Microsoft's unified SecOps platform" + url: detect-threats-overview.md + - text: "Hunting in Microsoft's unified SecOps platform" + url: hunting-overview.md + - text: "Advanced hunting" + url: /defender-xdr/advanced-hunting-overview?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + + # Card + - title: Investigate and respond + linkLists: + - linkListType: concept + links: + - text: "Incidents and alerts" + url: /defender-xdr/incidents-overview?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - text: "Alert correlation and incident merging" + url: /defender-xdr/alerts-incidents-correlation?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - text: "Microsoft Copilot in Microsoft Defender" + url: 
/defender-xdr/security-copilot-in-microsoft-365-defender?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - text: "Automatic attack disruption" + url: /defender-xdr/automatic-attack-disruption?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + +# Card + - title: Optimize and manage security operations + linkLists: + - linkListType: concept + links: + - text: "Optimize your SOC" + url: /azure/sentinel/soc-optimization/soc-optimization-access?tabs=defender-portal&branch=main?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + - text: "Manage multiple tenants" + url: /defender-xdr/mto-overview?branch=main?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + + + diff --git a/unified-secops-platform/media/defender-xdr-portal/incidents-page.png b/unified-secops-platform/media/defender-xdr-portal/incidents-page.png new file mode 100644 index 0000000000..b4148ab960 Binary files /dev/null and b/unified-secops-platform/media/defender-xdr-portal/incidents-page.png differ diff --git a/unified-secops-platform/media/detect-threats-overview/defender-xdr-multiple-source-example.png b/unified-secops-platform/media/detect-threats-overview/defender-xdr-multiple-source-example.png new file mode 100644 index 0000000000..10bb967572 Binary files /dev/null and b/unified-secops-platform/media/detect-threats-overview/defender-xdr-multiple-source-example.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/action-center-page.png b/unified-secops-platform/media/overview-defender-portal/action-center-page.png new file mode 100644 index 0000000000..f8d55129fb Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/action-center-page.png differ 
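Review bot: the two links under the "Optimize and manage security operations" card have malformed query strings: "/azure/sentinel/soc-optimization/soc-optimization-access?tabs=defender-portal&branch=main?toc=..." and "/defender-xdr/mto-overview?branch=main?toc=..." each contain a second "?" where "&" is required, and "branch=main" reads like a leftover preview parameter that should not ship; the other cross-site links in this hunk use only "?toc=...&bc=...". Two smaller points in the same hunk: the "# Card" comment above that title is not indented like the other "# Card" comments, and the "Microsoft Copilot in Microsoft Defender" entry shows "url:" with its value on the following line, so confirm that is a wrapping artifact in the diff and not an empty url in the source file.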
diff --git a/unified-secops-platform/media/overview-defender-portal/advanced-hunting-page.png b/unified-secops-platform/media/overview-defender-portal/advanced-hunting-page.png new file mode 100644 index 0000000000..4cd3559f4c Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/advanced-hunting-page.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/cloud-apps-sample-report.png b/unified-secops-platform/media/overview-defender-portal/cloud-apps-sample-report.png new file mode 100644 index 0000000000..89e25362f6 Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/cloud-apps-sample-report.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/defender-portal.png b/unified-secops-platform/media/overview-defender-portal/defender-portal.png new file mode 100644 index 0000000000..4a14f36da9 Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/defender-portal.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/device-inventory-page.png b/unified-secops-platform/media/overview-defender-portal/device-inventory-page.png new file mode 100644 index 0000000000..eb4e292f5d Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/device-inventory-page.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/email-investigations.png b/unified-secops-platform/media/overview-defender-portal/email-investigations.png new file mode 100644 index 0000000000..d5687ff26e Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/email-investigations.png differ 
diff --git a/unified-secops-platform/media/overview-defender-portal/exposure-management-page.png b/unified-secops-platform/media/overview-defender-portal/exposure-management-page.png new file mode 100644 index 0000000000..3d0d730cee Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/exposure-management-page.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/home-page.png b/unified-secops-platform/media/overview-defender-portal/home-page.png new file mode 100644 index 0000000000..c8cf4c27ab Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/home-page.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/identity-dashboard.png b/unified-secops-platform/media/overview-defender-portal/identity-dashboard.png new file mode 100644 index 0000000000..9b4ab3f884 Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/identity-dashboard.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/incidents-page.png b/unified-secops-platform/media/overview-defender-portal/incidents-page.png new file mode 100644 index 0000000000..79474cbe7b Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/incidents-page.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/reports-page.png b/unified-secops-platform/media/overview-defender-portal/reports-page.png new file mode 100644 index 0000000000..2bf201a512 Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/reports-page.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/sentinel-search-page.png b/unified-secops-platform/media/overview-defender-portal/sentinel-search-page.png new file mode 100644 index 0000000000..14017b9050 Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/sentinel-search-page.png differ 
diff --git a/unified-secops-platform/media/overview-defender-portal/soc-optimization-page.png b/unified-secops-platform/media/overview-defender-portal/soc-optimization-page.png new file mode 100644 index 0000000000..3decdc8e66 Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/soc-optimization-page.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/technology-partners-page.png b/unified-secops-platform/media/overview-defender-portal/technology-partners-page.png new file mode 100644 index 0000000000..68816628ae Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/technology-partners-page.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/threat-analytics-page.png b/unified-secops-platform/media/overview-defender-portal/threat-analytics-page.png new file mode 100644 index 0000000000..8e94a7c7a5 Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/threat-analytics-page.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/trials-page.png b/unified-secops-platform/media/overview-defender-portal/trials-page.png new file mode 100644 index 0000000000..da0325c1b8 Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/trials-page.png differ diff --git a/unified-secops-platform/media/overview-defender-portal/vulnerability-management-dashboard.png b/unified-secops-platform/media/overview-defender-portal/vulnerability-management-dashboard.png new file mode 100644 index 0000000000..8d0d071024 Binary files /dev/null and b/unified-secops-platform/media/overview-defender-portal/vulnerability-management-dashboard.png differ 
diff --git a/unified-secops-platform/media/overview-unified-security/attack-disrupt.png b/unified-secops-platform/media/overview-unified-security/attack-disrupt.png new file mode 100644 index 0000000000..325ac0589f Binary files /dev/null and b/unified-secops-platform/media/overview-unified-security/attack-disrupt.png differ diff --git a/unified-secops-platform/media/overview-unified-security/defender-portal-home.png b/unified-secops-platform/media/overview-unified-security/defender-portal-home.png new file mode 100644 index 0000000000..ba0486d3fe Binary files /dev/null and b/unified-secops-platform/media/overview-unified-security/defender-portal-home.png differ diff --git a/unified-secops-platform/media/overview-unified-security/exposure-management-overview.png b/unified-secops-platform/media/overview-unified-security/exposure-management-overview.png new file mode 100644 index 0000000000..c14bfef3c3 Binary files /dev/null and b/unified-secops-platform/media/overview-unified-security/exposure-management-overview.png differ diff --git a/unified-secops-platform/media/overview-unified-security/security-copilot.png b/unified-secops-platform/media/overview-unified-security/security-copilot.png new file mode 100644 index 0000000000..5372f9195d Binary files /dev/null and b/unified-secops-platform/media/overview-unified-security/security-copilot.png differ diff --git a/unified-secops-platform/media/overview-unified-security/unified-incidents.png b/unified-secops-platform/media/overview-unified-security/unified-incidents.png new file mode 100644 index 0000000000..cc9d237c9f Binary files /dev/null and b/unified-secops-platform/media/overview-unified-security/unified-incidents.png differ diff --git a/unified-secops-platform/overview-defender-portal.md b/unified-secops-platform/overview-defender-portal.md index 5bd10997b9..7202c74e45 100644 --- a/unified-secops-platform/overview-defender-portal.md +++ b/unified-secops-platform/overview-defender-portal.md 
@@ -1,149 +1,275 @@ --- title: Microsoft Defender portal overview -description: Learn about the Microsoft Defender portal +description: Learn about the Microsoft services and features available in the Microsoft Defender portal. search.appverid: met150 ms.service: unified-secops-platform ms.author: cwatson author: cwatson-cat ms.localizationpriority: medium -ms.date: 07/16/2024 +ms.date: 11/14/2024 audience: ITPro ms.collection: - M365-security-compliance - tier1 - usx-security -ms.topic: conceptual +ms.topic: concept-article + +# customer intent: As a security operations center leader, I want to learn about the services and features available in the Defender portal to help me determine whether Microsoft's unified SecOps platform meets my organization's requirements. --- -# Defender portal +# Microsoft Defender portal -Microsoft's unified security platform combines services in the [Microsoft Defender portal](https://security.microsoft.com). Use the Defender portal to monitor and manage pre-breach and post-breach security across on-premises and multicloud assets and workloads. The portal provides quick, centralized access to the state of security across the organization, consolidating security data and context for easy viewing and deep analysis. +[Microsoft's unified security SecOps platform](overview-unified-security.md) combines Microsoft security services in the [Microsoft Defender portal](https://security.microsoft.com). -Microsoft services in the Defender portal include. +The portal provides a single location to monitor, manage, and configure pre-breach and post-breach security across on-premises and multicloud assets. -- Visualize and monitor security state across the entire company. -- Reduce risk by improving security posture and reducing attack surfaces. -- Continuously detect, investigate, and respond to cybersecurity threats. 
+- **Pre-breach security**: Proactively visualize, assess, remediate, and monitor organizational security posture to reduce security risk and attack surfaces. +- **Post-breach security**: Continuously monitor, detect, investigate, and respond to real-time and emerging cybersecurity threats against organizational assets. +:::image type="content" source="./media/overview-defender-portal/defender-portal.png" alt-text="Screenshot of Microsoft Defender portal landing page" lightbox="./media/overview-defender-portal/defender-portal.png"::: ## Portal services -The Defender portal combines a number of Microsoft security services in a single location. +The Defender portal combines many Microsoft security services. Service | Details --- | --- -**[Microsoft Defender XDR](defender-xdr-portal.md)** | In the Defender portal, protect against security threats to assets and resources across the organization, including devices, email and collaboration tools, SaaS cloud apps, Entra ID threats, cloud and on-premises workloads, and OT/IT resources. Get integrated incidents and alerts, threat hunting, and threat protection services and capabilities included in Defender XDR. -**[Microsoft Defender Threat Intelligence](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti)** | From the Defender portal, conduct threat infrastructure analysis, and gather threat intelligence. -**[Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management)** | In the Defender portal, get a unified view of security posture across organizational assets. Assess the security state of assets, and identify and remediate security risk to reduce attack surfaces. -**[Microsoft Defender for Cloud](/defender-xdr/microsoft-365-security-center-defender-cloud)** | Defender for Cloud improves multicloud and on-premises security posture, and protect cloud workloads against security threats. 
It integrates into the Defender portal so that security teams can access Defender for Cloud alerts in the portal, providing a single location with added rich context for security investigations. -**[Microsoft Defender for IoT](/defender-for-iot/microsoft-defender-iot)** | Defender for IoT integrates into the Defender portal to identify and protect OT/IT resources by extending Defender XDR protection to OT environments. +**Microsoft Defender XDR**

Detect and respond to cybersecurity threats. | [Defender XDR includes a suite of services](/defender-xdr/microsoft-365-defender) that come together in the Defender portal to provide unified threat protection across the enterprise.

Defender XDR services collect, correlate, and analyze threat data and signals across endpoints and devices, identities, email, apps, and OT/IoT assets. In the portal you can review, investigate, and respond to security alerts and incidents, automatically disrupt attacks, and proactively hunt for threats.

[Learn more](defender-xdr-portal.md) about Defender XDR in the Defender portal. +**Microsoft Sentinel**

Collect, analyze, and manage security data at scale using automation and orchestration.| Microsoft Sentinel fully integrates with Defender XDR in the Defender portal, providing additional threat protection capabilities such as attack disruption, unified entities and incidents, and SOC optimization.

For more information, see [Microsoft Sentinel in the Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal). +**Microsoft Defender Threat Intelligence**

Integrate threat intelligence into SOC operations. | The [Defender Threat Intelligence](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) platform extends the threat intelligence capabilities that are included in Defender XDR and Microsoft Sentinel.

Gather data from multiple sources to provide a pool of threat intelligence signals and data. Security teams use this data to understand adversary activities, analyze attacks, and hunt for security threats. +**Microsoft Security Exposure Management**

Proactively reduce security risk.| Use [Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management) to reduce organizational attack surfaces and remediate security posture.

Continuously discover assets and data to get a comprehensive view of security across business assets. With the additional data context that Security Exposure Management provides, you can clearly visualize, analyze, and remediate weak areas of security. +**Microsoft Defender for Cloud**

Protect cloud workloads. | [Defender for Cloud](/defender-xdr/microsoft-365-security-center-defender-cloud) improves multicloud security posture, and protects cloud workloads against threats.

Defender for Cloud integrates into the Defender portal to provide a unified view of cloud security alerts, and a single location for investigations. + +## Accessing the portal -> [!NOTE] -> When you open the portal, you see only the security services included in your subscriptions. For example, if you have Defender for Office 365 but not Defender for Endpoint, you see features and capabilities for Defender for Office 365, but not for device protection. +In the Defender portal **Permissions** page, use the following methods to configure user access: + +Methods | Details +--- | --- +[Global Microsoft Entra roles](/defender-xdr/m365d-permissions) | Accounts with the following Global Microsoft Entra roles can access Microsoft Defender XDR functionality and data:
  • Global administrator
  • Security administrator
  • Security Operator
  • Global Reader
  • Security Reader
  • +[Custom roles](/defender-xdr/custom-roles) | Allow access to specific data, tasks, and features using custom roles. Custom roles control granular access, and can be used together with Microsoft Entra global roles. +[Unified RBAC](/defender-xdr/manage-rbac) | Unified role-based access control (RBAC) provides a permissions management model for controlling user permissions in the Defender portal, and across services within the portal. -Watch this short video to learn more about the Defender portal. +### Microsoft Sentinel permissions -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWBKau] +When you're onboarded to Microsoft's unified SecOps platform, existing Azure RBAC permissions are used to work with Microsoft Sentinel features in the Defender portal. -## Portal permissions +- Manage roles and permissions for Microsoft Sentinel users in the Azure portal. +- Any Azure RBAC changes are reflected in the Defender portal. -Access to the Defender portal is configured with Microsoft Entra global roles, or using custom roles. +For more information, see [Roles and permissions in Microsoft Sentinel](/azure/sentinel/roles). -For Microsoft Sentinel, after you connect Microsoft Sentinel to the Defender portal, your existing Azure role-based access control (RBAC) permissions allow you to work with the Microsoft Sentinel features that you have access to. Continue to manage roles and permissions for your Microsoft Sentinel users from the Azure portal. Any Azure RBAC changes are reflected in the Defender portal. +## Working in the portal +On the **Home** page, your view is determined by the services included in your subscriptions. Access settings are based on your [portal permissions](#accessing-the-portal). 
+ +:::image type="content" source="./media/overview-defender-portal/home-page.png" alt-text="Screenshot of the Home page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/home-page.png"::: + +Feature | Details +--- | --- +**Home page** | The Home page provides a view of your environment's security state. Review active threats, resources at risk, and a summary of all-up security posture. Use the dashboard for an up-to-date snapshot, and drill down to details as needed. +**Portal notifications** | Portal notifications keep you up-to-date with important information, including updates, events, complete or in-progress actions, and warnings and errors.

    Notifications are sorted by their generated time in the notification panel, with the most recent displayed first. For more information, see [Configure alert notifications](/defender-xdr/configure-email-notifications?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/). +**Search** | As you search the portal, results are categorized by sections related to your search terms.

    Search provides results from within the portal, from the Microsoft Tech Community, and from Microsoft Learn documentation. Search history is stored in your browser and is accessible for 30 days. +**Guided tour** | Get a guided tour of managing endpoint security, or managing email and collaboration security. +**What's new** | Learn about the latest updates from the [Microsoft Defender XDR blog](https://techcommunity.microsoft.com/category/microsoftsecurityandcompliance/blog/microsoftthreatprotectionblog). +**Community** | Learn from others in [Microsoft security discussion spaces](https://techcommunity.microsoft.com/category/MicrosoftSecurityandCompliance) on Tech Community. +**Add cards** | Customize the **Home** page to get information that's most important to you. -:::image type="content" source="/defender/media/microsoft-365-defender-portal/defender-portal-permissions.png" alt-text="Screenshot of the permissions page in the Microsoft Defender portal" lightbox="/defender/media/microsoft-365-defender-portal/defender-portal-permissions.png"::: +## Exposure management -### Learn more +In **Exposure management**, review the overall state of your security posture, exposure, and risk. -- Learn how to [manage access](/defender-xdr/m365d-permissions). -- Learn how to [create custom roles](/defender-xdr/custom-roles). -- Learn about [roles and permissions in Microsoft Sentinel](/azure/sentinel/roles) -- [Manage access to Microsoft Sentinel data by resource](/azure/sentinel/resource-context-rbac) +:::image type="content" source="./media/overview-defender-portal/exposure-management-page.png" alt-text="Screenshot of the Exposure Management page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/exposure-management-page.png"::: +Feature | Details +--- | --- +**Exposure management overview** | This dashboard provides a quick view of devices and cloud resources, including internet-facing devices and critical assets. 
Learn how well your key security initiatives are doing and drill down into top metrics for high-value vulnerabilities. Get exposure levels for different types of resources, and track security progress over time. +**Attack surfaces** | Visualize exposure data with the attack surface map.
    Explore resources and connections on the map, and drill down to focus on specific assets.
    In the **Attack path management** dashboard, review potential attack paths across your organization that attackers might exploit, together with choke points and critical assets in the path. +**Exposure insights** | Review and explore aggregated security posture data and insights across resources and workloads.
    Assess posture and readiness for your most important security projects, and track project metrics over time.
    Get security recommendations to remediate exposure issues. +**Secure score** | Review posture metrics based on [Microsoft Secure Score](/defender-xdr/microsoft-secure-score). +**Data connectors** | Connect third-party products to Security Exposure Management, and request new connectors. -## Working with the portal +For more information, see [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management). -The Defender portal helps you to investigate and respond to attacks by bringing in signals from different workloads into a set of unified experiences for: +## Investigation and response -- Incidents & alerts -- Hunting -- Actions & submissions -- Threat analytics -- Secure score -- Trials -- Partner catalog +The **Investigation and response** section provides a single location for investigating security incidents, and responding to threats across the enterprise. -## Quickly view your environment +### Investigate incidents and alerts -The **Home** page shows many of the common cards that security teams need. The composition of cards and data is dependent on the user role. Because the Defender portal uses role-based access control, different roles see cards that are more meaningful to their day to day jobs. +Manage and investigate security incidents in a single location and from a single queue in the Defender portal. The **Incidents** and **Alerts** queues shows current security incidents and alerts across your services. -This at-a-glance information helps you keep up with the latest activities in your organization. Microsoft Defender XDR brings together signals from different sources to present a holistic view of your Microsoft 365 environment. 
+:::image type="content" source="./media/overview-defender-portal/incidents-page.png" alt-text="Screenshot of the Incidents page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/incidents-page.png"::: -You can add and remove different cards depending on your needs. +Feature | Details +--- | --- +**Incidents** | On the **Incidents** dashboard, review a list of the latest incidents and prioritize those marked as high severity. Each incident groups correlated alerts and associated data that makes up an attack. Drill down in an incident to get a full attack story, including information about associated alerts, devices, users, investigations, and evidence. +**Alerts** | In the **Alerts** dashboard, review alerts. Alerts are signals issued by portal services in response to threat detection activity.

    The unified alerts queue displays new and in progress alerts from the last seven days, with the most recent alerts at the top. Filter on alerts to investigate as needed. -## Get notifications +For more information, see [Incidents and alerts in the Microsoft Defender portal](/defender-xdr/incidents-overview). -Notifications are messages that inform you about important events or updates in the Defender portal. They help you stay on top of your security tasks and alerts. +### Hunt for threats -:::image type="content" source="/defender/media/microsoft-365-defender-portal/notifications-panel.png" alt-text="Screenshot of the notifications icon in the Microsoft Defender portal." lightbox="/defender/media/microsoft-365-defender-portal/notifications-panel.png"::: +The **Hunting** area allows you to proactively inspect security events and data to locate known and potential threats. -Notifications are in the top bar of the portal's user interface. You can access them by clicking on the notification icon, which looks like a bell. A number on the icon indicates that you have that number of unread notifications. +:::image type="content" source="./media/overview-defender-portal/advanced-hunting-page.png" alt-text="Screenshot of the Advanted Hunting page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/advanced-hunting-page.png"::: -Notifications can tell you about various types of events or updates: +Feature | Details +--- | --- +**Advanced hunting** | Explore and query up to 30 days of raw data. You can query using a guided query tool, use sample queries, or use [Kusto Query Language (KQL)](/kusto/query/?view=microsoft-sentinel&preserve-view=true) to build your own queries. +**Custom detection rules** | Create custom detection rules to proactively monitor and respond to events and system states. Use custom detection rules to trigger security alerts or automatic response actions. 
-- Success: when an action or task has been completed successfully like scanning a device or applying a policy. -- Ongoing: when an action is in progress. -- Information: when there is some information that you might find useful. -- Warning: when there is a potential issue or risk that you should be aware of like a device that is out of compliance or a policy that needs to be updated. -- Error: when there is an error or failure that requires your attention like an incident is deleted or merged, a scan that failed, or a policy that could not be applied. +For more information, see [Proactively hunt for threats with advanced hunting](/defender-xdr/advanced-hunting-overview) and [Custom detections overview](/defender-xdr/custom-detections-overview). -Each notification has a title and content that provides relevant information about the event or update. Each notification also has a timestamp that shows when the notification was generated. +### Review pending threat remediations -You can hide notifications from your view. You can dismiss a single notification by clicking on the *x* icon on the right side of the notification. You can also dismiss all notifications in the list with a single click by using *dismiss all* at the top of the notification panel. +Threat protection activity results in actions to remediate threats. Actions can be automated or manual. Actions that need approval or manual intervention are available in the **Action center**. -Dismissing a notification does not delete it from the portal. You can always view your dismissed notifications by selecting *show dismissed* at the bottom of the notification panel. 
+:::image type="content" source="./media/overview-defender-portal/action-center-page.png" alt-text="Screenshot of the Action Center page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/action-center-page.png"::: -Notifications are sorted by their generated time in the notification panel, with the most recent ones displayed first. You can scroll through the list of notifications to see older ones. +Feature | Details +--- | --- +**Action center** | Review the list of actions that need attention. Approve or reject actions one at a time, or in bulk. You can review action history to track remediation. +**Submissions** | Submit suspect spam, URLs, email issues and more to Microsoft. +For more information, see [Automated investigation and response](/defender-xdr/m365d-autoir) and [The Action center](/defender-xdr/m365d-action-center). -## Get reports +## Partner catalog -In the portal, you can start with a general security report, and branch into specific reports about endpoints, email & collaboration. The links are dynamically generated based upon workload configuration. +The **Partner catalog** section provides information about Defender partners. +:::image type="content" source="./media/overview-defender-portal/technology-partners-page.png" alt-text="Screenshot of the Technology Partners page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/technology-partners-page.png"::: -## Search the portal +The Defender portal supports the following types of partner integrations: -> [!IMPORTANT] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The search bar is located at the top of the page. As you type, suggestions are provided so that it's easier to find entities. The enhanced search results page centralizes the results from all entities. 
+- **Third-party integrations** to help secure users with effective threat protection. +- **Professional services** that enhance detection, investigation, and threat intelligence capabilities. -The Microsoft Defender portal's search function is located at the top of the page. As you type, suggestions are provided so that it's easier to find entities. The enhanced search results page centralizes the results from all entities. +## Threat intelligence -:::image type="content" source="/defender/media/microsoft-365-defender-portal/search-panel.png" alt-text="Screenshot of the search bar in the Microsoft Defender portal." lightbox="/defender/media/microsoft-365-defender-portal/search-panel.png"::: +In the **Threat intelligence** section of the portal, get direct visibility into active and ongoing threat campaigns, and access threat intelligence information provided by the Defender Threat Intelligence platform. -Search results are categorized by sections related to your search terms. You can search across the following entities in the Microsoft Defender portal: +:::image type="content" source="./media/overview-defender-portal/threat-analytics-page.png" alt-text="Screenshot of the Threat Analytics page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/threat-analytics-page.png"::: -- **Devices** - supported for Defender for Endpoint, Defender for Identity, Defender for Cloud, and Microsoft Sentinel (Preview). -- **Users** - supported for Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, and Microsoft Sentinel (Preview). -- **Files, IPs, and URLs** - same capabilities as in Defender for Endpoint. +Feature | Details +--- | --- +**Threat analytics** | Learn which threats are currently relevant in your organization.

    Assess threat severity, drill down into specific threat reports, and identity actions to take. Different types of threat analytics reports are available. +**Intel profiles** | Review curated threat intelligence content organized by threat actors, tools, and known vulnerabilities. +**Intel Explorer** | Review threat intelligence information, and drill down to search and investigate. +**Intel projects** | Review and create projects to organize indicators of interest and indicators of compromise from an investigation. A project includes associated artifacts and a detailed history of names, descriptions, collaborators, and monitoring profiles. - > [!NOTE] - > IP and URL searches are exact match and don't appear in the search results page – they lead directly to the entity page. +For more information, see [Threat analytics](/defender-xdr/threat-analytics). -- **Defender Vulnerability Management** - same capabilities as in Defender for Endpoint (vulnerabilities, software, and recommendations). +## Assets -Search also provides results from relevant links in the Microsoft Tech Community portal, relevant documentation in Microsoft Learn, navigation items within the portal, and a link where you can provide feedback. Search history is stored in your browser and is accessible for the next 30 days. +The **Assets** page provides a unified view of discovered and protected assets, including devices, users, mailboxes, and apps. Review the total number of assets of each type, and drill down into specific asset details. -## Partner catalog +:::image type="content" source="./media/overview-defender-portal/device-inventory-page.png" alt-text="Screenshot of the Device Inventory page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/device-inventory-page.png"::: + + +Feature | Details +--- | --- +**Devices** |On the **Device Inventory** page, get an overview of discovered devices in each tenant to which you have access. 
Review devices by type, and focus on high risk or critical devices.

    Group devices logically by adding tags for context, and exclude devices you don't want to assess. Start an automated investigation for devices. +**Identities** | Get a summary of your user and account inventory. + +For more information, see [Device entity page](/defender-xdr/entity-page-device) and [User entity page](/defender-xdr/investigate-users). + +## Microsoft Sentinel + +Access Microsoft Sentinel capabilities in the Defender portal. + +:::image type="content" source="./media/overview-defender-portal/sentinel-search-page.png" alt-text="Screenshot of the Sentinel Search page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/sentinel-search-page.png"::: + +Feature | Details +--- | --- +**Search** | [Search](/azure/sentinel/investigate-large-datasets) across logs, and access past searches. +**Threat management** | Visualize and monitor connected data with [workbooks](/azure/sentinel/monitor-your-data?tabs=defender-portal).
    [Investigate incidents](/azure/sentinel/investigate-incidents) and [classify alerts with entities](/azure/sentinel/customize-entity-activities?tabs=defender).
    Proactively [hunt for threats](/azure/sentinel/hunts) and [use notebooks](/azure/sentinel/hunting?tabs=azure-portal#notebooks-to-power-investigations) to power investigations.
    [Integrate threat intelligence](/azure/sentinel/threat-intelligence-integration) into threat detection, and [use the MITRE ATT&CK framework](/azure/sentinel/mitre-coverage) in analytics and incidents. +**Content management** | Discover and install out-of-the-box (OOTB) content from the [Content hub](/azure/sentinel/sentinel-solutions#discover-and-manage-microsoft-sentinel-content).
    Use [Microsoft Sentinel repositories](/azure/sentinel/ci-cd-custom-content) to connect to external source systems for continuous integration and delivery (CI/CD), rather than manually deploying and updating custom content. +**Configuration** | Ingest data by using [data connectors](/azure/sentinel/best-practices-data).
    [Create watchlists](/azure/sentinel/watchlists) to correlate and organize data sources.
    [Set up analytics rules](/azure/sentinel/threat-detection) to query and analyze collected data.
    [Automate](/azure/sentinel/automation/automation#automation-with-the-unified-security-operations-platform) threat responses. + +For more information, see [Microsoft Sentinel](/azure/sentinel/overview) and [Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal). + +## Identities + +In the **Identities** section of the Defender portal, monitor user and account health, and proactively manage identity-related risks with Defender for Identity. + +:::image type="content" source="./media/overview-defender-portal/identity-dashboard.png" alt-text="Screenshot of the Identity Dashboard page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/identity-dashboard.png"::: + +Feature | Details +--- | --- +**ITDR dashboard** | On the [Identity threat detection and response (ITDR) dashboard](/defender-for-identity/dashboard), get insights and real-time data about the security state of users and accounts.

    The dashboard includes information about Defender for Identity deployment, information about highly privileged identities, and information about identity-related incidents.

    If there's a problem with a Defender for Identity workspace, it's raised on the [Health issues page](/defender-for-identity/health-alerts). +**Health issues** | Any Defender for Identity global or sensor-based health issues are displayed on this page. +**Tools** | Access common tools to help you manage Defender for Identity. + +For more information, see [Microsoft Defender for Identity](/defender-for-identity). + +## Endpoints + +In the **Endpoints** section of the portal, monitor and manage asset vulnerabilities with Microsoft Defender Vulnerability Management. + +:::image type="content" source="./media/overview-defender-portal/vulnerability-management-dashboard.png" alt-text="Screenshot of the Microsoft Defender Vulnerability Management dashboard in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/vulnerability-management-dashboard.png"::: + +Feature | Details +--- | --- +**Vulnerability management** | Review vulnerability state in the dashboard. Get recommendations based on vulnerability assessment of devices, and remediate as needed.
    Review your organizational [software inventory](/defender-vulnerability-management/tvm-software-inventory), including vulnerable components, certificates, and hardware.
    Review [CVEs and security advisories](/defender-vulnerability-management/tvm-weaknesses-security-advisories).
    Review the [event timeline](/defender-vulnerability-management/threat-and-vuln-mgt-event-timeline) to determine the impact of vulnerabilities.
    Use [security baseline assessment](/defender-vulnerability-management/tvm-security-baselines) to assess devices against security benchmarks. +**Connected applications** | Get information about the [Microsoft Entra applications connected to Defender for Endpoint](/defender-endpoint/connected-applications). +**API explorer** | [Use the API explorer](/defender-endpoint/api/api-explorer) to construct and run API queries, test, and sent requests for available Defender for Endpoint API endpoints. + +For more information, see [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management) and [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint). + +## Email and collaboration + +In the **Email & collaboration** section, monitor, investigate, and manage security threats and responses to email and collaboration apps with Microsoft Defender for Office 365. + + + +:::image type="content" source="./media/overview-defender-portal/email-investigations.png" alt-text="Screenshot of the Email Investigations page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/email-investigations.png"::: + +Feature | Details +--- | --- +**Investigations** | Run and review automated investigations. +**Explorer** | Hunt, investigate, and explore threats to emails and documents. Drill down into specific types of threats, including malware, phishing, and campaigns. +**Review** | Manage quarantined items and restricted senders. +**Campaigns** | Analyze coordinated attacks against your organization. +**Threat tracker** | Review saved and tracked queries, and follow trending campaigns. +**Policies and rules** | Configure and manage security policies to protect against threats, and receive activity alerts. + +For more information, see [Microsoft Defender for Office 365](/defender-office-365/mdo-about). 
+ +## Cloud apps + +In the **Cloud apps** section, review security to minimize risk and exposure to cloud apps using Microsoft Defender for Cloud Apps. + +:::image type="content" source="./media/overview-defender-portal/cloud-apps-sample-report.png" alt-text="Screenshot of a Cloud Apps sample report in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/cloud-apps-sample-report.png"::: + +Feature | Details +--- | --- +**Cloud discovery** | Get an overview of cloud app security with [discovery reports](/defender-cloud-apps/set-up-cloud-discovery). Review a sample report, and create new reports. +**Cloud app catalog** | Get an overview of well-known cloud apps and their associated risk. You can sanction and unsanction apps as needed. +**OAuth apps** | Get visibility into [OAuth apps](/defender-cloud-apps/investigate-risky-oauth). Review apps, and filter settings to drill down. +**Activity log** | Review connected [app activity](/defender-cloud-apps/activity-filters) by cloud name, IP address, and related devices. +**Governance log** | Review [governance actions](/defender-cloud-apps/governance-actions). +**Policies** | Configure security policies for cloud apps. + +For more information, see [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps). + +## SOC optimization + +In the **SOC optimization** page, tighten up security controls to close threat coverage gaps, and tighten data ingestion rates based on high-fidelity and actionable recommendations. SOC optimizations are tailored to your environment and based on your current coverage and threat landscape. 
+ +:::image type="content" source="./media/overview-defender-portal/soc-optimization-page.png" alt-text="Screenshot of the SOC Optimization page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/soc-optimization-page.png"::: + +For more information, see [Optimize your security operations](/azure/sentinel/soc-optimization/soc-optimization-access). -The Defender portal has a couple of kinds of partner integration: +## Reports -- Third-party integrations to help secure users with effective threat protection, detection, investigation, and response in various security fields of endpoints, vulnerability management, email, identities, and cloud apps. -- Professional services where organizations can enhance the detection, investigation, and threat intelligence capabilities of the platform. +In the **Reports** page, review security reports across all areas, assets, and workloads. Available reports depend on the security services you have access to. -## Send us your feedback +:::image type="content" source="./media/overview-defender-portal/reports-page.png" alt-text="Screenshot of the Reports page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/reports-page.png"::: -We need your feedback. If there's something you'd like to see, [watch this video to find out how you can trust us to read your feedback](https://www.microsoft.com/videoplayer/embed/RE4K5Ci). +## Trials +In the **Trials** page, review trial solutions, designed to help you make decisions about upgrades and purchases. +:::image type="content" source="./media/overview-defender-portal/trials-page.png" alt-text="Screenshot of the page Microsoft Security Trials page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/trials-page.png"::: diff --git a/unified-secops-platform/overview-deploy.md b/unified-secops-platform/overview-deploy.md new file mode 100644 index 0000000000..bcc2ef32f5 --- /dev/null 
+++ b/unified-secops-platform/overview-deploy.md 
@@ -0,0 +1,98 @@ +--- +title: Deploy Microsoft's unified SecOps platform | Microsoft Defender +description: Deploy Microsoft's unified security operations platform with the Microsoft Defender portal, Microsoft Sentinel, and other Microsoft Defender services. +author: batamig +ms.author: bagol +ms.service: unified-secops-platform +ms.topic: how-to #Don't change. +ms.date: 11/10/2024 +ms.collection: +- usx-security + + +#customer intent: As a security administrator, I want to deploy Microosft's unified security operations platform so that I can access Microsoft Sentinel services together with other Microsoft Defender services in the Microsoft Defender portal. + +--- + +# Deploy Microsoft's unified SecOps platform + +Microsoft's unified security operations platform combines the capabilities of Microsoft Defender portal, Microsoft Sentinel, and other Microsoft Defender services. This platform provides a comprehensive view of your organization's security posture and helps you to detect, investigate, and respond to threats across your organization. + +Microsoft Security Exposure Management and Microsoft Threat Intelligence are available in any environment that meets the prerequisites, to users configured with required permissions. + +## Prerequisites + +- Before you deploy Microsoft's unified security operations platform, make sure that you have a plan in place, including a workspace design and an understanding of Microsoft Sentinel costs and billing. + + For more information, see [Unified security operations platform planning overview](overview-plan.md). + +## Deploy Microsoft Defender XDR services + +Microsoft Defender XDR unifies incident response by integrating key capabilities across services, including Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. This unified experience adds powerful features you can access in the Microsoft Defender portal. + +1. 
Microsoft Defender XDR automatically turns on when eligible customers with the required permissions visit Microsoft Defender portal. For more information, see [Turn on Microsoft Defender XDR](/defender-xdr/m365d-enable). + +1. Continue by deploying Microsoft Defender XDR services. We recommend using the following order: + + 1. [Deploy Microsoft Defender for Identity](/defender-for-identity/deploy/quick-installation-guide). + 1. [Deploy Microsoft Defender for Office 365](/defender-xdr/pilot-deploy-defender-office-365?toc=%2Fdefender-office-365%2FTOC.json&bc=%2Fdefender-office-365%2Fbreadcrumb%2Ftoc.json). + 1. [Deploy Microsoft Defender for Endpoint](/defender-endpoint/mde-planning-guide). Add [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/get-defender-vulnerability-management) and / or [Enterprise monitoring for IoT devices](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint), as relevant for your environment. + + 1. [Deploy Microsoft Defender for Cloud Apps](/defender-cloud-apps/general-setup). + +## Configure Microsoft Entra ID Protection + +Microsoft Defender XDR can ingest and include signals from Microsoft Entra ID Protection, which evaluates risk data from billions of sign-in attempts and evaluates the risk of each sign-in to your environment. Microsoft Entra ID Protection data is used by Microsoft Entra ID to allow or prevent account access, depending on how Conditional Access policies are configured. + +Configure Microsoft Entra ID Protection to enhance your security posture and add Microsoft Entra signals to your unified security operations. For more information, see [Configure your Microsoft Entra ID Protection policies](/entra/id-protection/how-to-deploy-identity-protection). + +## Deploy Microsoft Defender for Cloud + +Microsoft Defender for Cloud provides a unified security management experience for your cloud resources, and can also send signals to Microsoft Defender XDR. 
For example, you might want to start by connecting your Azure subscriptions to Microsoft Defender for Cloud, and then move on to other cloud environments. + +For more information, see [Connect your Azure subscriptions](/azure/defender-for-cloud/connect-azure-subscription). + +## Onboard to Microsoft Copilot for Security + +Onboard to Microsoft Copilot for Security to enhance your security operations by leveraging advanced AI capabilities. Copilot for Security assists in threat detection, investigation, and response, providing actionable insights and recommendations to help you stay ahead of potential threats. Use Copilot for Security to automate routine tasks, reduce the time to detect and respond to incidents, and improve the overall efficiency of your security team. + +For more information, see [Get started with Copilot for Security](/copilot/security/get-started-security-copilot). + +## Architect your workspace and onboard to Microsoft Sentinel + +The first step in using Microsoft Sentinel is to create a Log Analytics workspace, if you don't have one already. A single Log Analytics workspace might be sufficient for many environments, but many organizations create multiple workspaces to optimize costs and better meet different business requirements. Microsoft's unified security operations platform supports only a single workspace. + +1. Create a Security resource group for governance purposes, which allows you to isolate Microsoft Sentinel resources and role-based access to the collection. +1. Create a Log Analytics workspace in the Security resource group and onboard Microsoft Sentinel into it. + +For more information, see [Onboard Microsoft Sentinel](/azure/sentinel/quickstart-onboard). + +## Configure roles and permissions + +Provision your users based on the access plan you'd [prepared earlier](overview-plan.md#plan-roles-and-permissions). 
To comply with Zero Trust principles, we recommend that you use role-based access control (RBAC) to provide user access only to the resources that are allowed and relevant for each user, instead of providing access to the entire environment. + +For more information, see: + +- [Activate Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/activate-defender-rbac) +- [Assign Microsoft Entra ID roles to users](/entra/identity/role-based-access-control/manage-roles-portal) +- [Grant a user access to Azure roles](/azure/role-based-access-control/quickstart-assign-role-user-portal) + +## Onboard to unified SecOps + +When you onboard Microsoft Sentinel to the Defender portal, you unify capabilities with Microsoft Defender XDR like incident management and advanced hunting, creating a unified SecOps platform. + +1. Install the **Microsoft Defender XDR** solution for Microsoft Sentinel from the **Content hub**. For more information, see [Deploy and manage out-of-the-box-content](/azure/sentinel/sentinel-solutions-deploy). +1. Enable the **Microsoft Defender XDR** data connector to collect incidents and alerts. For more information, see [Connect data from Microsoft Defender XDR to Microsoft Sentinel](/azure/sentinel/connect-microsoft-365-defender). +1. Onboard to Microsoft's unified SecOps platform. For more information, see [Connect Microsoft Sentinel to Microsoft Defender](/defender-xdr/microsoft-sentinel-onboard). + +## Fine-tune system configurations + +Use the following Microsoft Sentinel configuration options to fine-tune your deployment: + +|Task |Description | +|---------|---------| +|**Enable health and auditing** | Monitor the health and audit the integrity of supported Microsoft Sentinel resources by turning on the auditing and health monitoring feature in Microsoft Sentinel's Settings page. 
Get insights on health drifts, such as the latest failure events or changes from success to failure states, and on unauthorized actions, and use this information to create notifications and other automated actions.

    For more information, see [Turn on auditing and health monitoring for Microsoft Sentinel](/azure/sentinel/enable-monitoring?tabs=azure-portal). | +|**Configure Microsoft Sentinel content** | Based on the [data sources you selected](overview-plan.md#plan-microsoft-sentinel-costs-and-data-sources) when planning your deployment, install Microsoft Sentinel solutions and configure your data connectors.

    Microsoft Sentinel provides a wide range of built-in solutions and data connectors, but you can also build custom connectors and set up connectors to ingest CEF or Syslog logs.

    For more information, see:
    - [Configure content](/azure/sentinel/configure-content)
    - [Discover and manage Microsoft Sentinel out-of-the-box content](/azure/sentinel/sentinel-solutions-deploy?tabs=azure-portal)
    - [Find your data connector](/azure/sentinel/data-connectors-reference) | +|**Enable User and Entity Behavior Analytics (UEBA)** | After setting up data connectors in Microsoft Sentinel, make sure to enable user entity behavior analytics to identify suspicious behavior that could lead to phishing exploits and eventually attacks such as ransomware.

    For more information, see [Enable UEBA in Microsoft Sentinel](/azure/sentinel/enable-entity-behavior-analytics?tabs=azure). | +|**Set up interactive and long-term data retention** | Set up interactive and long-term data retention to make sure your organization retains the data that's important in the long term.

    For more information, see [Configure interactive and long-term data retention](/azure/sentinel/configure-data-retention-archive). | +|**Avoid duplicate incidents** | After you [connect Microsoft Sentinel to Microsoft Defender](/defender-xdr/microsoft-sentinel-onboard), a bi-directional sync between Microsoft Defender XDR incidents and Microsoft Sentinel is automatically established.

    To avoid creating duplicate incidents for the same alerts, we recommend that you turn off all Microsoft incident creation rules for Microsoft Defender XDR-integrated products, including Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, and Microsoft Entra ID Protection.

    For more information, see [Microsoft incident creation rules](/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal).| diff --git a/unified-secops-platform/overview-plan.md b/unified-secops-platform/overview-plan.md new file mode 100644 index 0000000000..2b81c85d86 --- /dev/null +++ b/unified-secops-platform/overview-plan.md 
@@ -0,0 +1,153 @@ +--- +title: Plan your deployment | Microsoft Defender +description: Plan to deploy Microsoft's unified security operations platform with the Microsoft Defender portal, Microsoft Sentinel, and other Microsoft Defender services. +author: batamig +ms.author: bagol +ms.service: unified-secops-platform +ms.topic: concept-article #Don't change. +ms.date: 11/10/2024 +ms.collection: +- usx-security + + +#customer intent: As a security administrator, I want to plan my unified security operations platform deployment so that I can access Microsoft Sentinel services together with other Microsoft Defender services in the Microsoft Defender portal. + +--- + +# Microsoft's unified security operations platform planning overview + +This article outlines activities to plan a deployment of Microsoft's security products to Microsoft's unified security operations platform for end-to-end security operations (SecOps). Unify your SecOps on Microsoft's platform to help you reduce risk, prevent attacks, detect and disrupt cyberthreats in real time, and respond faster with AI-enhanced security capabilities, all from the [Microsoft Defender portal](https://security.microsoft.com). + +## Plan your deployment + +Microsoft's unified SecOps platform combines services like Microsoft Defender XDR, Microsoft Sentinel, Microsoft Security Exposure Management, and Microsoft Copilot for Security in the Microsoft Defender portal. + +The first step in planning your deployment is to select the services you want to use. + +As a basic prerequisite, you'll need both [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender) and [Microsoft Sentinel](/azure/sentinel/overview) to monitor and protect both Microsoft and non-Microsoft services and solutions, including both cloud and on-premises resources. + +Deploy any of the following services to add security across your endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. 
+ +Microsoft Defender XDR services include: + +| Service | Description | +| ------- | ----------- | +| [**Microsoft Defender for Identity**](/defender-for-identity/what-is) | Identifies, detects, and investigates threats from both on-premises Active Directory and cloud identities like Microsoft Entra ID. | +| [**Microsoft Defender for Office 365**](/defender-office-365/mdo-about) | Protects against threats posed by email messages, URL links, and Office 365 collaboration tools. | +| [**Microsoft Defender for Endpoint**](/defender-endpoint/microsoft-defender-endpoint) | Monitors and protects endpoint devices, detects and investigates device breaches, and automatically responds to security threats. | +| **Enterprise IoT monitoring** from [Microsoft Defender for IoT](/defender-for-iot/organizations/concept-enterprise) | Provides both IoT device discovery and security value for IoT devices. | +| [**Microsoft Defender Vulnerability Management**](/defender-vulnerability-management/defender-vulnerability-management) | Identifies assets and software inventory, and assesses device posture to find security vulnerabilities. | +| [**Microsoft Defender for Cloud Apps**](/defender-cloud-apps/what-is-defender-for-cloud-apps) | Protects and controls access to SaaS cloud apps. | + +Other services supported in the Microsoft Defender portal as part of Microsoft's unified SecOps platform, but not licensed with Microsoft Defender XDR, include: + +| Service | Description | +| ------- | ----------- | +| [**Microsoft Security Exposure Management**](/exposure-management/microsoft-security-exposure-management) | Provides a unified view of security posture across company assets and workloads, enriching asset information with security context. | +| [**Microsoft Copilot for Security**](/copilot/security/microsoft-security-copilot) | Provides AI-driven insights and recommendations to enhance your security operations. 
| +| [**Microsoft Defender for Cloud**](/azure/defender-for-cloud/) | Protects multi-cloud and hybrid environments with advanced threat detection and response. | +| [**Microsoft Defender Threat Intelligence**](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) | Streamlines threat intelligence workflows by aggregating and enriching critical data sources to correlate indicators of compromise (IOCs) with related articles, actor profiles, and vulnerabilities. | +| [**Microsoft Entra ID Protection**](/entra/id-protection/overview-identity-protection) | Evaluates risk data from sign-in attempts to evaluate the risk of each sign-in to your environment. | + +## Review service prerequisites + +Before you deploy Microsoft's unified security operations platform, review the prerequisites for each service you plan to use. The following table lists the services and links to their prerequisites: + +| Security service | Link to prerequisites | +| ------------------------ | --------------------------------------- | +| **Required for unified SecOps** | | +| Microsoft Defender XDR and Microsoft Defender for Office | [Microsoft Defender XDR prerequisites](/defender-xdr/prerequisites) | +| Microsoft Sentinel | [Prerequisites to deploy Microsoft Sentinel](/azure/sentinel/prerequisites) | +| **Optional Microsoft Defender XDR services** | | +| Microsoft Defender for Identity | [Microsoft Defender for Identity prerequisites](/defender-for-identity/deploy/prerequisites) | +| Microsoft Defender for Endpoint | [Set up Microsoft Defender for Endpoint deployment](/defender-endpoint/production-deployment) | +| Enterprise monitoring with Microsoft Defender for IoT | [Prerequisites for Enterprise IoT security](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint#prerequisites) | +| Microsoft Defender Vulnerability Management | [Prerequisites & Permissions for Microsoft Defender Vulnerability 
Management](/defender-vulnerability-management/tvm-prerequisites) | +| Microsoft Defender for Cloud Apps | [Get started with Microsoft Defender for Cloud Apps](/defender-cloud-apps/get-started) | +| **Other services supported in the Microsoft Defender portal** | | +| Microsoft Security Exposure Management | [Prerequisites and support](/exposure-management/prerequisites) | +| Microsoft Copilot for Security | [Minimum requirements](/copilot/security/get-started-security-copilot#minimum-requirements) | +| Microsoft Defender for Cloud | [Start planning multicloud protection](/azure/defender-for-cloud/plan-multicloud-security-get-started) and other articles in the same section. | +| Microsoft Defender Threat Intelligence | [Prerequisites for Defender Threat Intelligence](/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal#prerequisites) | +| Microsoft Entra ID Protection | [Prerequisites for Microsoft Entra ID Protection](/entra/id-protection/how-to-deploy-identity-protection#prerequisites) | + +## Plan your Log Analytics workspace architecture + +To use Microsoft's unified SecOps platform, you need a Log Analytics workspace enabled for Microsoft Sentinel. A single Log Analytics workspace might be sufficient for many environments, but many organizations create multiple workspaces to optimize costs and better meet different business requirements. Microsoft's unified SecOps platform supports only a single workspace. + +Design the Log Analytics workspace you want to enable for Microsoft Sentinel. Consider parameters such as any compliance requirements you have for data collection and storage and how to control access to Microsoft Sentinel data. + +For more information, see: + +1. [Design workspace architecture](/azure/azure-monitor/logs/workspace-design?toc=%2Fazure%2Fsentinel%2FTOC.json&bc=%2Fazure%2Fsentinel%2Fbreadcrumb%2Ftoc.json) +1. 
[Review sample workspace designs](/azure/sentinel/sample-workspace-designs) + +## Plan Microsoft Sentinel costs and data sources + +Microsoft's unified SecOps platform ingests data from first-party Microsoft services, such as Microsoft Defender for Cloud Apps and Microsoft Defender for Cloud. We recommend expanding your coverage to other data sources in your environment by adding Microsoft Sentinel data connectors. + +- **Determine the full set of data sources you'll be ingesting data from, and the data size requirements** to help you accurately project your deployment's budget and timeline. + + You might determine this information during your business use case review, or by evaluating a current SIEM that you already have in place. If you already have a SIEM in place, analyze your data to understand which data sources provide the most value and should be ingested into Microsoft Sentinel. + + For more information, see [Prioritize data connectors](/azure/sentinel/prioritize-data-connectors). + +- **Plan your Microsoft Sentinel budget, considering cost implications for each planned scenario**. + + Make sure that your budget covers the cost of data ingestion for both Microsoft Sentinel and Azure Log Analytics, any playbooks that will be deployed, and so on. For more information, see: + + - [Log retention plans in Microsoft Sentinel](/azure/sentinel/log-plans) + - [Plan costs and understand Microsoft Sentinel pricing and billing](/azure/sentinel/billing?tabs=simplified%2Ccommitment-tiers) + +## Plan roles and permissions + +Use Microsoft Entra role based access control (RBAC) to create and assign roles within your security operations team to grant appropriate access to services included in Microsoft's unified SecOps platform. + +The Microsoft Defender XDR Unified role-based access control (RBAC) model provides a single permissions management experience that provides one central location for administrators to control user permissions across several security solutions. 
For more information, see [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac). + +For the following services, use the different roles available, or create custom roles, to give you fine-grained control over what users can see and do. For more information, see: + + +| Security service | Link to role requirements | +| ------------------------ | ------------------------------------------- | +| **Required for unified SecOps** | | +| Microsoft Defender XDR | [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](/defender-xdr/m365d-permissions) | +| Microsoft Sentinel | [Roles and permissions in Microsoft Sentinel](/azure/sentinel/roles) | +| **Optional Microsoft Defender XDR services** | | +| Microsoft Defender for Identity | [Microsoft Defender for Identity role groups](/defender-for-identity/role-groups) | +| Microsoft Defender for Office | [Microsoft Defender for Office 365 permissions in the Microsoft Defender portal](/defender-office-365/mdo-portal-permissions) | +| Microsoft Defender for Endpoint | [Assign roles and permissions for Microsoft Defender for Endpoint deployment](/defender-endpoint/prepare-deployment) | +| Microsoft Defender Vulnerability Management | [Relevant permission options for Microsoft Defender Vulnerability Management ](/defender-vulnerability-management/tvm-prerequisites#relevant-permission-options) | +| Microsoft Defender for Cloud Apps | [Configure admin access for Microsoft Defender for Cloud Apps](/defender-cloud-apps/manage-admins) | +| **Other services supported in the Microsoft Defender portal** | | +| Microsoft Security Exposure Management | [Permissions for Microsoft Security Exposure Management](/exposure-management/prerequisites) | +| Microsoft Defender for Cloud | [User roles and permissions](/azure/defender-for-cloud/permissions) | + +## Plan Zero Trust activities + +Microsoft's unified SecOps platform is part of [Microsoft's Zero Trust security 
model](/security/zero-trust/), which includes the following principles: + +|Principle | Description| +| ------------------------ | ------------------------------------------- | +| **Verify explicitly** | Always authenticate and authorize based on all available data points. | +| **Use least privilege access** | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. | +| **Assume breach** | Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. | + +Zero Trust security is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing least-privileged access, and using advanced analytics to detect and respond to threats. + +For more information about implementing Zero Trust principles in Microsoft's unified SecOps platform, see Zero Trust content for the following services: + +- [Microsoft Defender XDR](/defender-xdr/zero-trust-with-microsoft-365-defender?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json) +- [Microsoft Sentinel](/security/operations/siem-xdr-overview?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json) +- [Microsoft Defender for Identity](/defender-for-identity/zero-trust?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json) +- [Microsoft Defender for Office 365](/defender-office-365/zero-trust-with-microsoft-365-defender-office-365?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json) +- [Microsoft Defender for Endpoint](/defender-endpoint/zero-trust-with-microsoft-defender-endpoint?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json) +- [Microsoft Defender for Cloud 
Apps](/defender-cloud-apps/zero-trust?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json) +- [Microsoft Security Exposure Management](https://techcommunity.microsoft.com/blog/microsoftsecurityandcompliance/respond-to-trending-threats-and-adopt-zero-trust-with-exposure-management/4130133) +- [Microsoft Defender for Cloud](/azure/defender-for-cloud/zero-trust?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json) +- [Microsoft Copilot for Security](/security/zero-trust/copilots/zero-trust-microsoft-copilot-for-security) +- [Microsoft Entra ID Protection](/entra/id-protection/how-to-deploy-identity-protection) + +## Next step + +[Deploy Microsoft's unified security operations platform](overview-deploy.md) diff --git a/unified-secops-platform/overview-unified-security.md b/unified-secops-platform/overview-unified-security.md index 9218b38bb6..9bed9ba50a 100644 --- a/unified-secops-platform/overview-unified-security.md +++ b/unified-secops-platform/overview-unified-security.md 
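Review bot: in the "Plan your Log Analytics workspace architecture" section of overview-plan.md, the paragraph first tells readers that many organizations create multiple workspaces to optimize costs and then states that the unified SecOps platform supports only a single workspace; lead with the single-workspace constraint and ask readers to decide which one workspace they will enable for Microsoft Sentinel, so multi-workspace designs are not presented as an option the platform cannot use. In the "Review service prerequisites" table, "Microsoft Defender XDR and Microsoft Defender for Office" sits under "Required for unified SecOps", while the services table above and the roles table below treat Microsoft Defender for Office 365 as an optional Defender XDR service; reconcile the placement and use the full product name. Minor: "role based access control" should be "role-based access control", the link text "[Relevant permission options for Microsoft Defender Vulnerability Management ]" has a trailing space, and the two-item "For more information, see:" list is numbered although the items are not sequential steps.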
@@ -1,80 +1,111 @@ --- -title: What is the Microsoft unified security operations platform? -description: Provides an overview of features and functionality in the Microsoft unified security operations platform +title: "What is Microsoft's unified security operations platform?" +description: Provides an overview of features and functionality in the Microsoft's unified security operations platform search.appverid: met150 ms.service: unified-secops-platform ms.author: cwatson author: cwatson-cat ms.localizationpriority: medium -ms.date: 07/16/2024 +ms.date: 11/15/2024 audience: ITPro ms.collection: - M365-security-compliance - tier1 - usx-security -ms.topic: conceptual +ms.topic: overview + +# customer intent: As a security operations center leader, I want to learn about the services and features available with Microsoft's unified security operations platform to help me determine whether it meets my organization's requirements. --- -# What is the Microsoft unified security operations platform? +# What is Microsoft's unified security operations platform? - +Microsoft's unified security operations platform provides a single platform for end-to-end security operations (SecOps). It integrates security information and event management (SIEM), security orchestration, automation, and response (SOAR), extended detection and response (XDR), posture and exposure management, cloud security, threat intelligence, and generative AI solutions. -Microsoft unified security operations provides a single platform for end-to-end security operations (SecOps). Within the platform, you can reduce risk and prevent attacks with integrated exposure management, detect and disrupt cyberthreats in real time, and investigate and respond faster with generative AI solutions that innovate and enhance security capabilities. 
+To cover all those capabilities, Microsoft's unified SecOps platform combines services like [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender), [Microsoft Sentinel](/azure/sentinel/overview), [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management), and [Microsoft Security Copilot](/copilot/security/microsoft-security-copilot) in the Microsoft Defender portal. Integrate more Microsoft Defender services to add security and provide integrated protection against sophisticated attacks. The Defender portal provides a single location to monitor, detect, investigate, remediate, and respond against pre- and post-breach cybersecurity risks and threats. -The unified security operations platform combines services in the [Defender portal](https://security.microsoft.com). The portal provides a single location to monitor, detect, investigate, remediate, and respond against prebreach and postbreach cybersecurity risks and threats. +:::image type="content" source="media/overview-unified-security/defender-portal-home.png" lightbox="media/overview-unified-security/defender-portal-home.png" alt-text="Screenshot of the home page of Microsoft's unified SecOps platform in the Defender portal."::: +## Protect assets -## Why adopt a unified SecOps platform? +Protect a wide range of assets by integrating Defender XDR, Microsoft Sentinel, and other Defender services in Microsoft's unified SecOps platform. -### Protect assets +Microsoft Defender XDR services include the following asset protection capabilities: -Use the unified security platform to protect a wide range of assets, including: +|Capability |Security product | +|---------|---------| +|Identify, detect, and investigate Microsoft Entra ID threats.|[Microsoft Defender for Identity](/defender-for-identity/what-is)| +|Protect against threats posed by email messages, URL links, and Office 365 collaboration tools. 
| [Microsoft Defender for Office 365](/defender-office-365/mdo-about) | +|Monitor and protect endpoint devices. Monitor, detect, and investigate device breaches, and automatically respond to security threats. | [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) | +|Identify and protect operational technology (OT) and IT resources by extending Defender XDR protection to OT environments.|[Microsoft Defender for IoT](/defender-for-iot/microsoft-defender-iot)| +|Identify assets and software inventory, and assess device posture to find security vulnerabilities.|[Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)| +|Protect and control access to SaaS cloud apps.|[Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps)| +Asset protection for services not licensed with Microsoft Defender XDR includes the following capabilities: -- Protect against threats posed by email messages, URL links, and Office 365 collaboration tools with Defender for Office 365. -- Monitor and protect endpoint devices with Microsoft Defender for Endpoint. You can monitor, detect, and investigate device breaches, and automatically respond to security threats. -- With Defender Vulnerability Management, you can identify assets and software inventory, and assess device posture to find security vulnerabilities. -- Protect and control access to SaaS cloud apps with Defender for Cloud Apps. -- Identify, detect, and investigate Entra ID threats with Defender for Identity. -- Improve multicloud and on-premises security posture, and protect cloud workloads against threats with Microsoft Defender for Cloud -- Discover and assess assets, and remediate risk to reduce attack surfaces with Microsoft Security Exposure Management. -- Identify and protect OT/IT resources by extending Defender XDR protection to OT environments with Microsoft Defender for IoT. 
+|Capability |Security product | +|---------|---------| +|Monitor and protect non-Microsoft and on-premises devices, services, and solutions. | [Microsoft Sentinel](/azure/sentinel/overview) | +|Discover and assess assets, and remediate risk to reduce attack surfaces.|[Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management)| +|Improve multicloud and on-premises security posture, and protect cloud workloads against threats.|[Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)| -### Simplify security management +## Simplify security management -Use combined security services for end-to-end pre and post breach protection of endpoints, identities, cloud apps and workloads, and email across your organization. +Combine Microsoft security services like [Defender XDR](/defender-xdr/microsoft-365-defender), [Microsoft Sentinel](/azure/sentinel/overview), and more for end-to-end pre- and post-breach protection of endpoints, identities, cloud apps and workloads, and email across your organization. -The Defender portal provides a single, centralized view of organizational security posture and threat detections and response, and provides a combined incidents queue that groups together information security risks and breaches. +The Defender portal provides a single, centralized view of organizational security posture and threat detections and response. It provides a combined incidents queue that groups together information about security risks and breaches. Free up analyst time as unified security dashboards enable analysts to cross organization silos, prioritize the most critical threats, and hunt effectively for attempted breaches. +The following image shows the unified incident queue in Microsoft's unified SecOps platform, with incidents from multiple service sources. 
+:::image type="content" source="media/overview-unified-security/unified-incidents.png" alt-text="Screenshot of the unified incident queue that shows incidents with multiple service sources." lightbox="media/overview-unified-security/unified-incidents.png"::: -### Reduce security risk and prevent attacks +## Reduce security risk and prevent attacks -Consistently reducing security risk and preventing cybersecurity attacks is an important part of your organizational risk management framework. The unified security operations platform offers comprehenive exposure management and cloud protection capabilities. With Microsoft Security Exposure Management, and Microsoft Defender for Cloud you can: +Consistently reduce security risk and prevent cybersecurity attacks as a part of your organizational risk management framework. Microsoft's unified SecOps platform offers comprehensive exposure management and cloud protection capabilities. With [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management), and [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction): -- Continuously discover organizational assets and asses their security posture. +- Continuously discover organizational assets and assess their security posture. - Protect cloud workloads from code to runtime. - Aggregate data and threat intelligence to discover security gaps and weaknesses, including analysis of potential attack paths. - Investigate and query to get insights into security posture. -- Prioritize asset remediation, with focus on critical resources, to reduce security gaps and attack surfaces. +- Prioritize asset remediation, with the focus on critical resources, to reduce security gaps and attack surfaces. + +The following image shows the overview page for exposure management in Microsoft's unified SecOps platform. 
+ +:::image type="content" source="media/overview-unified-security/exposure-management-overview.png" alt-text="Screenshot of the overview page in the exposure management of the Defender portal." lightbox="media/overview-unified-security/exposure-management-overview.png"::: + +## Reduce threat detection and response times + +Standard cybersecurity metrics focus on the time to detect (TTD) and time to respond (TTR). Time to detect (TTD) measures how long it takes security teams to discover an incident. Time to respond (TTR) measures the amount of time it takes to respond after a threat is detected. The shorter the TTD and TTR, the more effective your detection, and response strategy is. -### Reduce threat detection and response times +Microsoft's unified SecOps platform correlates millions of signals from Defender products, Microsoft Sentinel, Microsoft security research, and threat intelligence to identify attacks in progress. It initiates automatic attack disruption to automatically contain attacks, limiting lateral movement early and reducing attack impact. Automatic attack disruption helps to reduce costs associated with loss of productivity, provide control to the SecOps team control to investigate and remediate compromised assets. -Standard cybersecurity metrics focus on the time to detect (TTD) which measures how long it takes security teams to discover an incident, and time to respond (TTR) which measures the amount of time it takes to respond after a threat is detected. The shorter the TTD and TTR, the more effective your detection and response strategy is. +Automatic attack disruption responds to threats by containing devices and containing or disabling users to mitigate attacks. -Microsoft's unified security platform correlates millions of signals from Defender products, Microsoft security research, and threat intelligence to identify attacks in progress. 
It initiates automatic attack disruption to automatically contain attacks, limiting lateral movement early, and reduce attack impact. Automatic attack disruption helps to reduce costs associated with loss of productivity, provide control to the SecOps team control to investigate and remediate compromised assets. +The following image shows an example of an incident where automatic attack disruption was triggered. -Automatic attack disruption responds to threats by containing devices and containing/disabling users to mitigate attacks. +:::image type="content" source="media/overview-unified-security/attack-disrupt.png" alt-text="Screenshot of the incidents attack that triggered automatic attack disruption." lightbox="media/overview-unified-security/attack-disrupt.png"::: -## Transform SOC productivity +For more information, see [Automatic attack disruption in Microsoft Defender XDR](/defender-xdr/automatic-attack-disruption). + +## Transform SOC productivity with AI Microsoft Security Copilot brings together the power of AI and human expertise to help your SOC team respond to attacks faster and more effectively. Security Copilot is embedded in the Defender portal to enable security teams to efficiently summarize incidents, analyze scripts and codes, analyze files, summarize device information, use guided responses to resolve incidents, generate KQL queries, and create incident reports. Security Copilot helps you to: - **Reduce exposure and improve posture**. Prevent breaches with insights to uncover critical exposure risk, and risk reduction recommendations. - **Prevent and disrupt threats**. Identify and prioritize with incident summaries MITRE ATT&CK framework mapping, and automatic alert enrichment. - **Empower analysts**: - - Accelerate incident resolution with guided responses, automated remediation, and summary report generation. 
- - Provide intelligent assistance provides tailored prompts based on best practices, that analyze malicious scripts and files, and suggest KQL queries. + - Accelerate incident resolution with guided responses, automated remediation, and summary report generation. + - Provide intelligent assistance with tailored prompts based on best practices that analyze malicious scripts and files, and suggest KQL queries. + +The following image shows the integration of Microsoft Copilot in an incident page in the Defender portal. + +:::image type="content" source="media/overview-unified-security/security-copilot.png" alt-text="Screenshot that shows the incidents integration of Microsoft Copilot in the Defender." lightbox="media/overview-unified-security/security-copilot.png"::: + +For more information, see [Microsoft Copilot in Microsoft Defender](/defender-xdr/security-copilot-in-microsoft-365-defender). + +## Related content +- Blog post: [AI-powered, unified SecOps](https://www.microsoft.com/security/business/solutions/ai-powered-unified-secops-platform) +- [Microsoft's unified security operations platform planning overview](overview-plan.md) +- [Deploy Microsoft's unified security operations platform](overview-deploy.md) diff --git a/unified-secops-platform/reduce-risk-overview.md b/unified-secops-platform/reduce-risk-overview.md new file mode 100644 index 0000000000..401cb32896 --- /dev/null +++ b/unified-secops-platform/reduce-risk-overview.md 
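Review bot: the attack disruption paragraph in overview-unified-security.md keeps the duplicated word from the removed text, "provide control to the SecOps team control to investigate and remediate compromised assets"; suggest "and gives the SecOps team control to investigate and remediate compromised assets". The asset-protection table describes Microsoft Defender for Identity as covering "Microsoft Entra ID threats", whereas overview-plan.md in the same change describes it as covering both on-premises Active Directory and cloud identities like Microsoft Entra ID; align the two descriptions. Links to Microsoft Security Exposure Management use /security-exposure-management/... here but /exposure-management/... in overview-plan.md, so one of the two paths is likely broken. Minor: the description metadata reads "in the Microsoft's unified security operations platform" (drop "the"), "the more effective your detection, and response strategy is" has a stray comma, the Copilot alt text ends with "in the Defender.", and "## Related content" needs a blank line before its list.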
@@ -0,0 +1,54 @@ +--- +title: "Overview - Improve security posture and reduce risk" +description: Provides an overview of solutions that help reduce security risk in Microsoft's unified security operations platform. +search.appverid: met150 +ms.service: unified-secops-platform +ms.author: cwatson +author: cwatson-cat +ms.localizationpriority: medium +ms.date: 11/19/2024 +audience: ITPro +ms.collection: +- M365-security-compliance +- tier1 +- usx-security +ms.topic: concept-article +# customer intent: As a security administrator, I want to learn how to proactively improve security posture and reduce risk exposure in my organization. +--- + +# Security posture management and risk reduction + +To battle increasingly sophisticated and well-resourced threat actors, security teams need a comprehensive strategy that reduces vulnerabilities, prevents breaches, and mitigates threats in real-time. + +Microsoft's unified SecOps platform provides a set of integrated tools and solutions that work together to help security teams proactively reduce security risk. + +Proactive security management allows you to manage cybersecurity as an ongoing risk, rather than series of unpredictable events. Proactive risk management helps to reduce the likelihood of breaches, minimize business disruptions when attacks do occur, and raise security awareness as an ongoing practice across the business. + + +## Improving prebreach security + +Security teams must address key activities for effective prebreach security. + +Activity | Details +--- | --- +**Protect assets and workloads** | Teams must be able to improve posture across all types of corporate resources, including devices, identities, apps, and cloud workloads from code to runtime. +**Discover the digital estate** | Discovering organizational assets in the first step in understanding security posture. Centralizing assets into a single inventory provides unified and broad visibility across company silos. 
+**Understand asset connections** | In addition to continuously discovering and tracking assets, security teams must be able to visualize and understand complex connections and interactions between discovered resources. +**Aggregate asset data** | Collecting data and correlating signals from multiple sources to arrive at a single accurate contextual representation of each digital asset helps security teams to understand and uncover security gaps and weaknesses, including potential attack paths. +**Get security insights** | Security teams need the ability to investigate and query security findings to understand misconfigurations and security posture drift as risks change. Over time, insights help security teams to answer questions such as - How secure are we right now? How are we doing over time? Where do we stand on mitigation? What areas are weakest? Are we protected against the latest threats? +**Adhere to compliance standards** | Compliance standards provide structured, well-known guidelines around security controls and measures. Proactive and ongoing security posture management ensures that your organization meets compliance requirements. +**Remediate security** | Prioritizing asset remediation by focusing on critical resources helps focus team effort by reducing security gaps and attack surfaces in the most important areas of the business. +**Measure progress** | Security posture improvement and attack surface reduction are ongoing activities. Consistent measurement of how you're doing over time helps to ensure that you reach security targets and maintain compliance in your most critical security initiatives. +**Continuously improve** | Use security posture management to provide fast and continuous feedback to risk management frameworks and SOC teams. + +## Microsoft solutions + +A range of solutions within Microsoft's unified SecOps platform helps security teams to proactively improve security posture. 
+ +Solution | Details | Capabilities +--- | --- | --- +**[Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management)**

    Reduce security risk by reducing attack surfaces. | Automatically discover assets, including devices, identities, cloud apps, and more. Extend visibility to non-Microsoft solutions.

    Aggregate security posture data across data silos into a single location.

    Organize data into security initiatives to monitor, track, measure, and prioritize posture in the areas that are most important to you.

    identify, classify, and protect critical business assets to reduce the likelihood of them being attacked.

    Discover and visualize attack surfaces and potential blast radius.

    Understand and analyze potential attack paths to map how attackers might exploit vulnerabilities across the organization.

    Get contextual insights to understand, prioritize, and mitigate security risk. +**[Microsoft Defender for Cloud](/defender-for-cloud/defender-for-cloud-introduction)**

    Detect real-time threats to cloud workloads, and proactively improve security posture. | Cloud security posture management capabilities assess the posture of resources across Azure, AWS, GCP, and on-premises. Defender for Cloud improves security posture for machines, containers, sensitive data, databases, AI workloads, storage, and DevOps.

    Security recommendations provide information and manual/automatic actions to remediate issues and harden resource security. +**[Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)**

    Improve security posture and protect against threats. | Defender for Endpoint includes a number of security posture management features.

    [Attack surface reduction](/defender-endpoint/overview-attack-surface-reduction) proactively blocks common activities associated with malicious actions, and provides [attack surface reduction rules](/defender-endpoint/attack-surface-reduction) to constrain risky software-based behavior.

    Other features include [controlled folder access](/defender-endpoint/controlled-folders), [peripheral device control](/defender-endpoint/device-control-overview), [exploit protection](/defender-endpoint/exploit-protection), [network](/defender-endpoint/network-protection) and [web](/defender-endpoint/network-protection) protection. +**[Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)**

    Remediate security vulnerabilities across the organization. | Defender Vulnerability Management continuously identifies vulnerabilities and misconfigurations, providing contextual insights into potential threats, and recommendations to mitigate them. +**[Microsoft Secure Score](/defender-xdr/microsoft-secure-score)**

    Measure organizational security posture. | Secure Score helps to monitor the security posture of Microsoft 365 workloads, including devices, identities, and apps. [Compare Security Score with security posture in Security Exposure Management](/security-exposure-management/compare-secure-score-security-exposure-management). diff --git a/unified-secops-platform/whats-new.md b/unified-secops-platform/whats-new.md index 4fb8379c71..fd0bc9d5a9 100644 --- a/unified-secops-platform/whats-new.md +++ b/unified-secops-platform/whats-new.md 
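Review bot: in the Defender for Endpoint row, the `[web](/defender-endpoint/network-protection)` link resolves to the same `network-protection` article as the `[network]` link right beside it, so the web protection reference lands on the wrong page; point it at the web protection article instead. In the Secure Score row, the link text reads "Compare Security Score with security posture in Security Exposure Management" while the product is called Microsoft Secure Score everywhere else in that row, so change it to "Secure Score". Two smaller points in the same table: the Exposure Management capability "identify, classify, and protect critical business assets..." is the only capability that starts lowercase, and the header declares three columns (`Solution | Details | Capabilities`) but, as the rows render here, each solution name runs straight into its one-line description with a single `|` before the capabilities cell, so verify that every source row actually carries the separator between the Solution and Details cells.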
@@ -1,28 +1,44 @@ --- -title: What's new in the Microsoft unified security operations platform +title: "What's new in the Microsoft's unified SecOps platform" description: Lists the new features and functionality in the Microsoft unified security operations platform search.appverid: met150 ms.service: unified-secops-platform ms.author: cwatson author: cwatson-cat ms.localizationpriority: medium -ms.date: 07/16/2024 +ms.date: 11/24/2024 manager: dansimp audience: ITPro ms.collection: - M365-security-compliance - tier1 - usx-security -ms.topic: conceptual +ms.topic: concept-article --- -# What's new in the Microsoft unified security operations platform +# What's new in Microsoft's unified security operations platform - +This article lists recent features added into Microsoft's unified SecOps platform within the Microsoft Defender portal, and new features in related services that provide an enhanced user experience in the platform. -This article lists recent features added into the Microsoft unifed security operations platform within the Microsoft Defender portal, and new features in related services that provide an enhanced user experience in the platform. +## November 2024 -The listed features were released in the last three months. For information about earlier features delivered, see our [Tech Community blogs](https://techcommunity.microsoft.com/t5/azure-sentinel/bg-p/AzureSentinelBlog/label-name/What's%20New). +- [Microsoft Sentinel availability in Microsoft Defender portal](#microsoft-sentinel-availability-in-microsoft-defender-portal) +- [Feature availability for Government clouds](#feature-availability-for-government-clouds) + +### Microsoft Sentinel availability in Microsoft Defender portal + +We previously announced Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. 
For preview, Microsoft Sentinel is now available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see: + + - [Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal) + - [Connect Microsoft Sentinel to the Microsoft Defender portal](/defender-xdr/microsoft-sentinel-onboard) + +### Feature availability for Government clouds + +In the Defender portal, all Microsoft Sentinel features for unified SecOps that are in general availability are now available in both commercial and GCC High and DoD clouds. Features still in preview are available only in the commercial cloud. + +For more information, see [Microsoft Sentinel feature support for Azure commercial/other clouds](/azure/sentinel/feature-availability#experience-in-the-defender-portal) and [Microsoft Defender XDR for US Government customers](/defender-xdr/usgov). + +## Related content For more information on what's new with other Microsoft Defender security products and Microsoft Sentinel, see: 
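Review bot: the new front-matter title `"What's new in the Microsoft's unified SecOps platform"` stacks two determiners ("the Microsoft's") and no longer matches the new H1 `# What's new in Microsoft's unified security operations platform`; drop "the" and use the same wording (either "SecOps" or "security operations") in both. This hunk also removes "The listed features were released in the last three months. For information about earlier features delivered, see our Tech Community blogs" without a replacement, leaving the page with no pointer to releases older than what it lists; consider keeping that sentence, or an equivalent link, in the intro or under Related content. Finally, "available in both commercial and GCC High and DoD clouds" reads as three items joined by "both"; rephrase as "in the commercial, GCC High, and DoD clouds", and confirm whether GCC (Moderate) is intentionally omitted from that list.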
@@ -34,44 +50,3 @@ For more information on what's new with other Microsoft Defender security produc - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes) You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter). - - -## July 2024 - -- [SOC optimizations now generally available](#soc-optimizations-now-generally-available) -- [SAP Business Technology Platform (BTP) connector now generally available](#sap-business-technology-platform-btp-connector-now-generally-available-ga) -- [Microsoft unified security platform now generally available](#microsoft-unified-security-platform-now-generally-available) - -### SOC optimizations now generally available - -The SOC optimization experience in both the Azure and Defender portals is now generally available for all Microsoft Sentinel customers, including both data value and threat-based recommendations. - -- **Use data value recommendations** to improve your data usage of ingested billable logs, gain visibility to underused logs, and discover the right detections for those logs or the right adjustments to your log tier or ingestion. - -- **Use threat-based recommendations** to help identify gaps in coverage against specific attacks based on Microsoft research and mitigate them by ingesting the recommended logs and adding recommended detections. - -The [`recommendations`](/azure/sentinel/soc-optimization/soc-optimization-api) API is still in Preview. - -For more information, see: - -- [Optimize your security operations](/azure/sentinel/soc-optimization/soc-optimization-access) -- [SOC optimization reference of recommendations](/azure/sentinel/soc-optimization/soc-optimization-reference) - -### SAP Business Technology Platform (BTP) connector now generally available (GA) - -The Microsoft Sentinel Solution for SAP BTP is now generally available (GA). 
This solution provides visibility into your SAP BTP environment, and helps you detect and respond to threats and suspicious activities. - -For more information, see: - -- [Microsoft Sentinel Solution for SAP Business Technology Platform (BTP)](/azure/sentinel/sap/sap-btp-solution-overview) -- [Deploy the Microsoft Sentinel solution for SAP BTP](/azure/sentinel/sap/deploy-sap-btp-solution) -- [Microsoft Sentinel Solution for SAP BTP: security content reference](/azure/sentinel/sap/sap-btp-security-content) - -### Microsoft unified security platform now generally available - -Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. The Microsoft unified security operations platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Copilot in Microsoft Defender. For more information, see the following resources: - -- Blog post: [General availability of the Microsoft unified security operations platform](https://aka.ms/unified-soc-announcement) -- [Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal) -- [Connect Microsoft Sentinel to Microsoft Defender XDR](/defender-xdr/microsoft-sentinel-onboard) -- [Microsoft Copilot in Microsoft Defender](/defender-xdr/security-copilot-in-microsoft-365-defender) \ No newline at end of file
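Review bot: this hunk deletes the whole July 2024 section with nothing left behind, yet the November section's "We previously announced Microsoft Sentinel is generally available within Microsoft's unified security operations platform" now refers to an announcement the page no longer contains, and the removed block held the only links to the GA blog post (`https://aka.ms/unified-soc-announcement`) and to Microsoft Copilot in Microsoft Defender. Suggest either keeping a one-line pointer to the GA announcement under Related content or linking the "previously announced" sentence directly to that blog post so the reference stays resolvable.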