From 8118f3387ce2165d5f1c283bd08d568642b77321 Mon Sep 17 00:00:00 2001 From: 0xv1n <11021725+0xv1n@users.noreply.github.com> Date: Thu, 12 Sep 2024 13:05:19 -0400 Subject: [PATCH 01/12] Update advanced-hunting-aadsignineventsbeta-table.md --- defender-xdr/advanced-hunting-aadsignineventsbeta-table.md | 1 + 1 file changed, 1 insertion(+) diff --git a/defender-xdr/advanced-hunting-aadsignineventsbeta-table.md b/defender-xdr/advanced-hunting-aadsignineventsbeta-table.md index 3c4b1af60f..f1bcef6d50 100644 --- a/defender-xdr/advanced-hunting-aadsignineventsbeta-table.md +++ b/defender-xdr/advanced-hunting-aadsignineventsbeta-table.md @@ -80,6 +80,7 @@ Use this reference to construct queries that return information from the table. |`NetworkLocationDetails`|`string`|Network location details of the authentication processor of the sign-in event| |`RequestId`|`string`|Unique identifier of the request| |`ReportId`|`string`|Unique identifier for the event| +|`EndpointCall`|`string`|Indicates the endpoint called during a login event. Possible values: "Login:reprocess", "Kmsi:kmsi"| ## Related articles From 2746ce95a9e9795ed3577995977da8c3fc89a1ed Mon Sep 17 00:00:00 2001 From: Batami Gold <26892178+batamig@users.noreply.github.com> Date: Thu, 14 Nov 2024 13:26:47 +0200 Subject: [PATCH 02/12] Update whats-new.md --- defender-xdr/whats-new.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md index 2f1a2451c9..d941002936 100644 --- a/defender-xdr/whats-new.md +++ b/defender-xdr/whats-new.md 
@@ -32,6 +32,8 @@ You can also get product updates and important notifications through the [messag ## November 2024 - (GA) The `arg()` operator in [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries) in Microsoft Defender portal is now generally available. Users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources, and no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if already in Microsoft Defender. +- If you're using Microsoft's unified security operations (SecOps) platform, with both Microsoft Sentinel and Microsoft Defender XDR, Microsoft Sentinel workbooks are now available directly in the Microsoft Defender portal, and a new tab no longer opens to the Azure portal. For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](/azure/sentinel/monitor-your-data?tabs=azure-portal). + ## October 2024 - [Microsoft Unified RBAC roles](experts-on-demand.md#required-permissions-for-using-ask-defender-experts) are added with new permission levels for Microsoft Threat Experts customers to use Ask Defender experts capability. From e8534eb422e47124d0c283ecaae12ef01957574b Mon Sep 17 00:00:00 2001 From: Batami Gold <26892178+batamig@users.noreply.github.com> Date: Thu, 14 Nov 2024 19:05:11 +0200 Subject: [PATCH 03/12] Update defender-xdr/whats-new.md --- defender-xdr/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md index d941002936..a1d00135d9 100644 --- a/defender-xdr/whats-new.md +++ b/defender-xdr/whats-new.md 
@@ -32,7 +32,7 @@ You can also get product updates and important notifications through the [messag ## November 2024 - (GA) The `arg()` operator in [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries) in Microsoft Defender portal is now generally available. Users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources, and no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if already in Microsoft Defender. -- If you're using Microsoft's unified security operations (SecOps) platform, with both Microsoft Sentinel and Microsoft Defender XDR, Microsoft Sentinel workbooks are now available directly in the Microsoft Defender portal, and a new tab no longer opens to the Azure portal. For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](/azure/sentinel/monitor-your-data?tabs=azure-portal). +- If you're using Microsoft's unified security operations (SecOps) platform, with both Microsoft Sentinel and Microsoft Defender XDR, Microsoft Sentinel workbooks are now available to view directly in the Microsoft Defender portal. Continue tabbing out to the Azure portal only to edit your workbooks. For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](/azure/sentinel/monitor-your-data?tabs=azure-portal). ## October 2024 From 21c28b2071ec514b006eac0ad707e53aaa6f59ce Mon Sep 17 00:00:00 2001 From: Batami Gold <26892178+batamig@users.noreply.github.com> Date: Thu, 28 Nov 2024 09:47:05 +0200 Subject: [PATCH 04/12] Update api-entities.md --- CloudAppSecurityDocs/api-entities.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CloudAppSecurityDocs/api-entities.md b/CloudAppSecurityDocs/api-entities.md index e8207a3c27..df2c8ff796 100644 --- a/CloudAppSecurityDocs/api-entities.md +++ b/CloudAppSecurityDocs/api-entities.md 
@@ -1,7 +1,7 @@ --- title: Entities API description: This article provides information about using the Entities API. -ms.date: 01/29/2023 +ms.date: 11/28/2024 ms.topic: reference --- # Entities API @@ -37,6 +37,5 @@ The following table describes the supported filters: | domain | string | eq, neq, isset, isnotset | The entity's related domain | | organization | string | eq, neq, isset, isnotset | Filter entities with the specified organization unit | | status | string | eq, neq | Filter entities by status. Possible values include:

**0**: N/A
**1**: Staged
**2**: Active
**3**: Suspended
**4**: Deleted | -| score | integer | lt, gt, isset, isnotset | Filter entities by their Investigation Priority Score | [!INCLUDE [Open support ticket](includes/support.md)] From 60d4f00a7f689d362d854fd8b566470ff1552ecc Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Thu, 5 Dec 2024 22:17:51 +0530 Subject: [PATCH 05/12] acro fix acro fix --- CloudAppSecurityDocs/api-entities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CloudAppSecurityDocs/api-entities.md b/CloudAppSecurityDocs/api-entities.md index df2c8ff796..f1a76b72ce 100644 --- a/CloudAppSecurityDocs/api-entities.md +++ b/CloudAppSecurityDocs/api-entities.md @@ -32,7 +32,7 @@ The following table describes the supported filters: | entity | entity pk | eq, neq | Filter entities with specific entities pks. If a user is selected, this filter also returns all of the user's accounts. Example: `[{ "id": "entity-id", "inst": 0 }]` | | userGroups |string | eq, neq | Filter entities by their associated group IDs | | app | integer | eq, neq | Filter entities using services with the specified SaaS ID for example: 11770 | -| instance | integer | eq, neq | Filter entities using services with the specified Appstances (SaaS ID and Instance ID), for example: 11770, 1059065 | +| instance | integer | eq, neq | Filter entities using services with the specified App Instances (SaaS ID and Instance ID), for example: 11770, 1059065 | | isExternal | boolean | eq | The entity's affiliation. Possible values include:

**true**: External
**false**: Internal
**null**: No value | | domain | string | eq, neq, isset, isnotset | The entity's related domain | | organization | string | eq, neq, isset, isnotset | Filter entities with the specified organization unit | From 89232361054dc5cb1f3d2329ea8f0aec7d2f46d9 Mon Sep 17 00:00:00 2001 From: Batami Gold <26892178+batamig@users.noreply.github.com> Date: Tue, 10 Dec 2024 14:06:49 +0200 Subject: [PATCH 06/12] Add December 2024 updates to what's new --- defender-xdr/whats-new.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md index ceaaddf4ba..154b5af65a 100644 --- a/defender-xdr/whats-new.md +++ b/defender-xdr/whats-new.md 
@@ -30,6 +30,8 @@ For more information on what's new with other Microsoft Defender security produc You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter). ## December 2024 + +- If you're using Microsoft's unified security operations (SecOps) platform, with both Microsoft Sentinel and Microsoft Defender XDR, Microsoft Sentinel workbooks are now available to view directly in the Microsoft Defender portal. Continue tabbing out to the Azure portal only to edit your workbooks. For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](/azure/sentinel/monitor-your-data?tabs=azure-portal). - (Preview) The [Link to incident](advanced-hunting-defender-results.md#link-query-results-to-an-incident) feature in Microsoft Defender advanced hunting now allows linking of Microsoft Sentinel query results. In both the Microsoft Defender unified experience and in [Defender XDR advanced hunting](advanced-hunting-link-to-incident.md), you can now specify whether an entity is an impacted asset or related evidence. - (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-adx-operator-for-azure-data-explorer-queries-preview), Microsoft Defender portal users can now use the `adx()` operator to query tables stored in Azure Data Explorer. You no longer need to go to log analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender. - New documentation library for Microsoft's unified security operations platform. Find centralized documentation about [Microsoft's unified SecOps platform in the Microsoft Defender portal](/unified-secops-platform/overview-unified-security). Microsoft's unified SecOps platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, Microsoft Security Exposure Management, and generative AI into the Defender portal. 
Learn about the features and functionality available with Microsoft's unified SecOps platform, then start to plan your deployment. @@ -45,8 +47,6 @@ You can also get product updates and important notifications through the [messag - (Preview) The [CloudProcessEvents](advanced-hunting-cloudprocessevents-table.md) table is now available for preview in advanced hunting. It contains information about process events in multicloud hosted environments. You can use it to discover threats that can be observed through process details, like malicious processes or command-line signatures. - (Preview) Migrating custom detection queries to **Continuous (near real-time or NRT) frequency** is now available for preview in advanced hunting. Using the Continuous (NRT) frequency increases your organization's ability to identify threats faster. It has minimal to no impact to your resource usage, and should thus be considered for any qualified custom detection rule in your organization. You can migrate compatible KQL queries by following the steps in [Continuous (NRT) frequency](custom-detection-rules.md#continuous-nrt-frequency). -- If you're using Microsoft's unified security operations (SecOps) platform, with both Microsoft Sentinel and Microsoft Defender XDR, Microsoft Sentinel workbooks are now available to view directly in the Microsoft Defender portal. Continue tabbing out to the Azure portal only to edit your workbooks. For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](/azure/sentinel/monitor-your-data?tabs=azure-portal). - ## October 2024 - [Microsoft Unified RBAC roles](experts-on-demand.md#required-permissions-for-using-ask-defender-experts) are added with new permission levels for Microsoft Threat Experts customers to use Ask Defender experts capability. From bf104ee6e73dc1fdcad99669b2dac1ad1a07f9c3 Mon Sep 17 00:00:00 2001 
From: Batami Gold <26892178+batamig@users.noreply.github.com> Date: Tue, 10 Dec 2024 14:08:11 +0200 Subject: [PATCH 07/12] Update whats-new.md --- unified-secops-platform/whats-new.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/unified-secops-platform/whats-new.md b/unified-secops-platform/whats-new.md index fd0bc9d5a9..c108dea648 100644 --- a/unified-secops-platform/whats-new.md +++ b/unified-secops-platform/whats-new.md @@ -6,7 +6,7 @@ ms.service: unified-secops-platform ms.author: cwatson author: cwatson-cat ms.localizationpriority: medium -ms.date: 11/24/2024 +ms.date: 12/10/2024 manager: dansimp audience: ITPro ms.collection: 
@@ -20,6 +20,18 @@ ms.topic: concept-article This article lists recent features added into Microsoft's unified SecOps platform within the Microsoft Defender portal, and new features in related services that provide an enhanced user experience in the platform. +## December 2024 + +- [Microsoft Sentinel workbooks now available to view directly in the Microsoft Defender portal](microsoft-sentinel-workbooks-now-available-to-view-directly-in-the-microsoft-defender-portal) + +### Microsoft Sentinel workbooks now available to view directly in the Microsoft Defender portal + +Microsoft Sentinel workbooks are now available for viewing directly in the Microsoft Defender portal with Microsoft's unified security operations (SecOps) platform. Now, in the Defender portal, when you select **Microsoft Sentinel > Threat management> Workbooks**, you remain in the Defender portal instead of a new tab being opened for workbooks in the Azure portal. Continue tabbing out to the Azure portal only when you need to edit your workbooks. + +Microsoft Sentinel workbooks are based on Azure Monitor workbooks, and help you visualize and monitor the data ingested to Microsoft Sentinel. Workbooks add tables and charts with analytics for your logs and queries to the tools already available. + +For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](/azure/sentinel/monitor-your-data.md) and [Connect Microsoft Sentinel to Microsoft Defender XDR](/defender-xdr/microsoft-sentinel-onboard). + ## November 2024 - [Microsoft Sentinel availability in Microsoft Defender portal](#microsoft-sentinel-availability-in-microsoft-defender-portal) From 939da612292352fa01485b97c24a11591773dbad Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Tue, 10 Dec 2024 14:00:38 -0800 Subject: [PATCH 08/12] Update indicators-overview.md --- defender-endpoint/indicators-overview.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/defender-endpoint/indicators-overview.md b/defender-endpoint/indicators-overview.md index 39f2def187..efe9aa71a0 100644 --- a/defender-endpoint/indicators-overview.md +++ b/defender-endpoint/indicators-overview.md @@ -15,7 +15,7 @@ ms.collection: ms.topic: conceptual ms.subservice: edr search.appverid: met150 -ms.date: 11/10/2024 +ms.date: 12/10/2024 --- # Overview of indicators in Microsoft Defender for Endpoint @@ -155,6 +155,8 @@ The IoC API schema and the threat IDs in advance hunting are updated to align wi > File and certificate indicators do not block [exclusions defined for Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). Indicators are not supported in Microsoft Defender Antivirus when it is in passive mode. > > The format for importing new indicators (IoCs) has changed according to the new updated actions and alerts settings. We recommend downloading the new CSV format that can be found at the bottom of the import panel. +> +> If indicators are synced to the Indicator in the MDE portal from MDCA sanctioned/unsanctioned applications, the 'Generate Alert' option will be enabled by default in the MDE portal. If you try to uncheck the 'Generate Alert' option in MDE, it will be re-enabled after some time as the MDCA policy will override it. ## Known issues and limitations @@ -176,4 +178,4 @@ Microsoft Store apps cannot be blocked by Defender because they're signed by Mic - [Use partner integrated solutions](partner-applications.md) -[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] +[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] \ No newline at end of file From f47858f72f0e316374fb093fda6d3a561d72609c Mon Sep 17 00:00:00 2001 
From: denisebmsft Date: Tue, 10 Dec 2024 14:06:13 -0800 Subject: [PATCH 09/12] Update indicators-overview.md --- defender-endpoint/indicators-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/indicators-overview.md b/defender-endpoint/indicators-overview.md index efe9aa71a0..eda30ec8f6 100644 --- a/defender-endpoint/indicators-overview.md +++ b/defender-endpoint/indicators-overview.md @@ -156,7 +156,7 @@ The IoC API schema and the threat IDs in advance hunting are updated to align wi > > The format for importing new indicators (IoCs) has changed according to the new updated actions and alerts settings. We recommend downloading the new CSV format that can be found at the bottom of the import panel. > -> If indicators are synced to the Indicator in the MDE portal from MDCA sanctioned/unsanctioned applications, the 'Generate Alert' option will be enabled by default in the MDE portal. If you try to uncheck the 'Generate Alert' option in MDE, it will be re-enabled after some time as the MDCA policy will override it. +> If indicators are synced to the Microsoft Defender portal from Microsoft Defender for Cloud Apps for sanctioned or unsanctioned applications, the `Generate Alert` option is enabled by default in the Microsoft Defender portal. If you try to clear the `Generate Alert` option for Defender for Endpoint, it is re-enabled after some time because the Defender for Cloud Apps policy overrides it. ## Known issues and limitations From b2a5ea4c2737fc4fa2b25617062580025ea996e2 Mon Sep 17 00:00:00 2001 From: 0xv1n <11021725+0xv1n@users.noreply.github.com> Date: Tue, 10 Dec 2024 19:10:14 -0500 Subject: [PATCH 10/12] Update advanced-hunting-aadsignineventsbeta-table.md --- defender-xdr/advanced-hunting-aadsignineventsbeta-table.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/defender-xdr/advanced-hunting-aadsignineventsbeta-table.md b/defender-xdr/advanced-hunting-aadsignineventsbeta-table.md index 595054481f..2c86ebd2fc 100644 --- a/defender-xdr/advanced-hunting-aadsignineventsbeta-table.md +++ b/defender-xdr/advanced-hunting-aadsignineventsbeta-table.md @@ -83,7 +83,7 @@ Use this reference to construct queries that return information from the table. |`NetworkLocationDetails`|`string`|Network location details of the authentication processor of the sign-in event| |`RequestId`|`string`|Unique identifier of the request| |`ReportId`|`string`|Unique identifier for the event| -|`EndpointCall`|`string`|Indicates the endpoint called during a login event. Possible values: "Login:reprocess", "Kmsi:kmsi"| +|`EndpointCall`|`string`|Information about the Microsoft Entra ID endpoint that the request was sent to and the type of request sent during sign in.| ## Related articles From 684ff409832c6d17630fadab1a5017ca3f471ca3 Mon Sep 17 00:00:00 2001 From: Batami Gold <26892178+batamig@users.noreply.github.com> Date: Wed, 11 Dec 2024 09:38:14 +0200 Subject: [PATCH 11/12] Update whats-new.md --- unified-secops-platform/whats-new.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/unified-secops-platform/whats-new.md b/unified-secops-platform/whats-new.md index c108dea648..7444dc9649 100644 --- a/unified-secops-platform/whats-new.md +++ b/unified-secops-platform/whats-new.md 
@@ -22,7 +22,7 @@ This article lists recent features added into Microsoft's unified SecOps platfor ## December 2024 -- [Microsoft Sentinel workbooks now available to view directly in the Microsoft Defender portal](microsoft-sentinel-workbooks-now-available-to-view-directly-in-the-microsoft-defender-portal) +- [Microsoft Sentinel workbooks now available to view directly in the Microsoft Defender portal](#microsoft-sentinel-workbooks-now-available-to-view-directly-in-the-microsoft-defender-portal) ### Microsoft Sentinel workbooks now available to view directly in the Microsoft Defender portal @@ -30,7 +30,7 @@ Microsoft Sentinel workbooks are now available for viewing directly in the Micro Microsoft Sentinel workbooks are based on Azure Monitor workbooks, and help you visualize and monitor the data ingested to Microsoft Sentinel. Workbooks add tables and charts with analytics for your logs and queries to the tools already available. -For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](/azure/sentinel/monitor-your-data.md) and [Connect Microsoft Sentinel to Microsoft Defender XDR](/defender-xdr/microsoft-sentinel-onboard). +For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](/azure/sentinel/monitor-your-data) and [Connect Microsoft Sentinel to Microsoft Defender XDR](/defender-xdr/microsoft-sentinel-onboard). ## November 2024 From bc6b1dfd6f80c1752055e497134153c7b303b090 Mon Sep 17 00:00:00 2001 From: Batami Gold <26892178+batamig@users.noreply.github.com> Date: Wed, 11 Dec 2024 13:10:26 +0200 Subject: [PATCH 12/12] Update CloudAppSecurityDocs/api-entities.md --- CloudAppSecurityDocs/api-entities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CloudAppSecurityDocs/api-entities.md b/CloudAppSecurityDocs/api-entities.md index f1a76b72ce..fbc9b9dac8 100644 --- a/CloudAppSecurityDocs/api-entities.md +++ b/CloudAppSecurityDocs/api-entities.md 
@@ -32,7 +32,7 @@ The following table describes the supported filters: | entity | entity pk | eq, neq | Filter entities with specific entities pks. If a user is selected, this filter also returns all of the user's accounts. Example: `[{ "id": "entity-id", "inst": 0 }]` | | userGroups |string | eq, neq | Filter entities by their associated group IDs | | app | integer | eq, neq | Filter entities using services with the specified SaaS ID for example: 11770 | -| instance | integer | eq, neq | Filter entities using services with the specified App Instances (SaaS ID and Instance ID), for example: 11770, 1059065 | +| instance | integer | eq, neq | Filter entities using services with the specified app instances (SaaS ID and Instance ID). For example: 11770, 1059065 | | isExternal | boolean | eq | The entity's affiliation. Possible values include:

**true**: External
**false**: Internal
**null**: No value | | domain | string | eq, neq, isset, isnotset | The entity's related domain | | organization | string | eq, neq, isset, isnotset | Filter entities with the specified organization unit |
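Review bot: In PATCH 01/12 (defender-xdr/advanced-hunting-aadsignineventsbeta-table.md, hunk @@ -80,6 +80,7 @@), the new `EndpointCall` row lists "Login:reprocess" and "Kmsi:kmsi" as the possible values, which reads as an exhaustive enumeration and will go stale as soon as another endpoint is recorded; either describe the column generically (which Microsoft Entra ID endpoint the request went to and what kind of request it was) or introduce the two strings with "for example". A schema row matters for detection authors: someone filtering on `EndpointCall == "Kmsi:kmsi"` from this description would not know whether other values exist, so say whether the set is open-ended.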
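Review bot: In PATCH 02/12 (defender-xdr/whats-new.md, hunk @@ -32,6 +32,8 @@), the added bullet's claim that "a new tab no longer opens to the Azure portal" overstates the change: as PATCH 03/12 later clarifies, editing workbooks still tabs out to the Azure portal, and only viewing moved into the Defender portal. Say "available to view directly in the Microsoft Defender portal" and note that editing still opens the Azure portal. Also check that the `?tabs=azure-portal` query on the linked article is the tab you want readers of a Defender-portal feature to land on.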
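Review bot: In PATCH 03/12 (hunk @@ -32,7 +32,7 @@), the rewording fixes the overstatement, but "Continue tabbing out to the Azure portal only to edit your workbooks" presumes the reader already does this; a plainer "You still need to open the Azure portal to edit workbooks" states the limitation without the assumption.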
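Review bot: In PATCH 04/12 (CloudAppSecurityDocs/api-entities.md, hunk @@ -37,6 +37,5 @@), the `score` filter (Investigation Priority Score) is removed from the supported-filters table with no explanation in the commit message ("Update api-entities.md") and no replacement text in the article; if the filter was retired, say so in the article, and if it is merely no longer documented, say that instead. Integrations that filter entities by `score` need to know which of the two it is, and the `ms.date` bump in the first hunk signals a content change without telling readers what changed.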
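Review bot: In PATCH 05/12 (hunk @@ -32,7 +32,7 @@), replacing "Appstances" with "App Instances" fixes the garbled term, but the capitalised form reads as a product name while the rest of the row uses lowercase generic nouns ("services", "entities"); use "app instances", as PATCH 12/12 eventually does, and fold the two patches together so the series does not churn the same line twice.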
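Review bot: In PATCH 06/12 (defender-xdr/whats-new.md), the two hunks move the workbooks bullet from November to December 2024, but the second hunk (@@ -45,8 +47,6 @@) removes both the bullet and a blank line immediately before `## October 2024`; check the rendered file still has a blank line separating the last November bullet from the October heading. The commit subject "Add December 2024 updates to what's new" also describes only the first hunk; mention that the entry was moved, not added.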
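Review bot: In PATCH 07/12 (unified-secops-platform/whats-new.md, hunk @@ -20,6 +20,18 @@), the December bullet's link target `(microsoft-sentinel-workbooks-now-available-to-view-directly-in-the-microsoft-defender-portal)` is missing the leading `#`, so it resolves as a relative page rather than the in-page anchor that the November entry directly below it uses; the "For more information" link `/azure/sentinel/monitor-your-data.md` carries a `.md` extension on a cross-docset absolute path, unlike the other links in the file; and the menu path `**Microsoft Sentinel > Threat management> Workbooks**` is missing a space before the last `>`. Suggest `(#microsoft-sentinel-workbooks-now-available-to-view-directly-in-the-microsoft-defender-portal)` and `/azure/sentinel/monitor-your-data`, and fix the spacing in the same patch rather than in a follow-up.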
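Review bot: In PATCH 08/12 (defender-endpoint/indicators-overview.md, hunk @@ -155,6 +155,8 @@), the added note uses the unexpanded abbreviations MDE and MDCA, while the surrounding note block spells out "Microsoft Defender Antivirus" in full, and "synced to the Indicator in the MDE portal" does not say what is being synced from where. Spell out the product names and state the direction of the sync (from Defender for Cloud Apps sanctioned/unsanctioned app settings into the indicator list in the Defender portal). Since the note says the Defender for Cloud Apps policy overrides the per-indicator `Generate Alert` setting, also tell the reader where the alerting behaviour can actually be changed, otherwise the note only explains why their change reverted.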
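Review bot: In PATCH 08/12, hunk @@ -176,4 +178,4 @@ changes no content and only strips the file's trailing newline (`\ No newline at end of file`); restore the final newline so the INCLUDE line does not show up as a spurious modification and the file ends as it did before this patch.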
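Review bot: In PATCH 09/12 (hunk @@ -156,7 +156,7 @@), the reworded note is clearer, but "re-enabled after some time" leaves the interval and the trigger unstated; if the policy sync interval or the event that re-applies the setting is known, name it, so that an admin reviewing indicator alert settings understands when and why the change will revert. `Generate Alert` is a UI option label, so bold (as PATCH 07/12 uses for menu paths) fits better than code formatting.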
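Review bot: In PATCH 10/12 (hunk @@ -83,7 +83,7 @@), the new `EndpointCall` description correctly stops implying an exhaustive value list, but it drops the two concrete values from PATCH 01/12 entirely; keeping them as examples ("for example, `Login:reprocess`, `Kmsi:kmsi`") would show readers the format of the string when they query the column. Also "during sign in" should be "during sign-in" to match the hyphenated "sign-in event" in the rows above it.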
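Review bot: In PATCH 11/12, both hunks correct links introduced in PATCH 07/12 (the missing `#` on the in-page anchor and the `.md` suffix on the cross-docset link), but the commit subject "Update whats-new.md" does not say so; state the fix in the subject, and preferably squash it into PATCH 07/12 so that no commit in the series ships a broken link.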
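Review bot: In PATCH 12/12 (CloudAppSecurityDocs/api-entities.md, hunk @@ -32,7 +32,7 @@), the `instance` row still declares its type as `integer` while the description and example ("SaaS ID and Instance ID", `11770, 1059065`) describe a pair of values; state the expected value shape (two integers, and how they are encoded in the filter) the way the `entity` row does with its JSON example, so that API callers do not have to guess the encoding. The `app` row above it, with its single `11770` example, is consistent with `integer`; the `instance` row is not.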