From 3f2716f45be1b2ab9ddad7b66ee278fbfd8a3e6a Mon Sep 17 00:00:00 2001
From: lakshmyav <108449150+lakshmyav@users.noreply.github.com>
Date: Mon, 9 Dec 2024 12:04:27 +0530
Subject: [PATCH 01/31] Learn Editor: Update linux-preferences.md
---
defender-endpoint/linux-preferences.md | 266 ++++++++++++++++++++++++-
1 file changed, 263 insertions(+), 3 deletions(-)
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
index c560baeaf1..87d8cf253d 100644
--- a/defender-endpoint/linux-preferences.md
+++ b/defender-endpoint/linux-preferences.md
@@ -18,6 +18,8 @@ ms.subservice: linux
search.appverid: met150
---
+LATEST
+
# Set preferences for Microsoft Defender for Endpoint on Linux
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
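Review bot: the `+LATEST` line (and the blank line added with it) directly after the front-matter `---` is a leftover working marker, not documentation; it would render as a stray paragraph above the H1 `# Set preferences for Microsoft Defender for Endpoint on Linux`. Drop both added lines here; patch 02 in this series removes them again, so squashing the two would also keep the history clean.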
@@ -531,7 +533,7 @@ When this feature is enabled, Defender for Endpoint will scan network socket eve
> [!NOTE]
> This feature is applicable only when Behavior Monitoring is enabled.
-> This feature is applicable only when the `enableRawSocketEvent` feature is enabled. For more information, see [Advanced optional features](linux-preferences.md#configure-monitoring-of-raw-socket-events) section below for details.
+> This feature is applicable only when the `enableRawSocketEvent` feature or the `enableUdpSocketEvent` feature is enabled. For more information, see [Advanced optional features for raw socket events](linux-preferences.md#configure-monitoring-of-raw-socket-events) or [Advanced optional features for UDP socket events](linux-preferences.md#configure-monitoring-of-udp-socket-events) sections below for details.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
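Review bot: the rewritten note is redundant and its context is out of step with the rest of the series. `For more information, see [...] or [...] sections below for details.` says "for more information" and "for details" about the same links; suggest `For more information, see [...] or [...] below.` Also, at this commit the enclosing section is still headed `Configure scanning of raw socket events` and its first sentence mentions only raw and packet sockets, while the note now covers UDP sockets too; the heading and sentence are only widened in patch 02, so either squash the two patches or move that rename into this one.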
@@ -676,7 +678,7 @@ Determines whether file modify permissions events (`chmod`) are monitored.
##### Configure monitoring of file modify ownership events
-Determines whether file modify ownership events (chown) are monitored.
+Determines whether file modify ownership events (`chown`) are monitored.
> [!NOTE]
> When this feature is enabled, Defender for Endpoint will monitor changes to the ownership of files, but not scan these events. For more information, see [Advanced scanning features](linux-preferences.md#configure-scanning-of-file-modify-ownership-events) section for more details.
@@ -694,7 +696,7 @@ Determines whether network socket events involving creation of raw sockets / pac
> [!NOTE]
> This feature is applicable only when Behavior Monitoring is enabled.
-> When this feature is enabled, Defender for Endpoint will monitor these network socket events, but not scan these events. For more information, see [Advanced scanning features](linux-preferences.md#configure-scanning-of-raw-socket-events) section above for more details.
+> When this feature is enabled, Defender for Endpoint will monitor these network socket events, but not scan these events. For more information, see [Advanced scanning features](linux-preferences.md#configure-scanning-of-network-socket-events) section above for more details.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
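Review bot: the new link target `#configure-scanning-of-network-socket-events` does not exist in the file at this commit: the heading is still `##### Configure scanning of raw socket events` and is only renamed in patch 02 of this series, so this patch on its own leaves a broken in-page link. Reorder so the heading rename lands first, or squash the two patches.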
@@ -703,6 +705,21 @@ Determines whether network socket events involving creation of raw sockets / pac
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
+##### Configure monitoring of UDP socket events
+
+Determines whether network socket events involving creation of UDP sockets are monitored.
+
+> [!NOTE]
+> This feature is applicable only when Behavior Monitoring is enabled.
+> When this feature is enabled, Defender for Endpoint will monitor these network socket events, but not scan these events. For more information, see [Advanced scanning features](linux-preferences.md#configure-scanning-of-network-socket-events) section above for more details.
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableUdpSocketEvent|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
+
##### Configure monitoring of boot loader events
Determines whether boot loader events are monitored and scanned.
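Review bot: the new `##### Configure monitoring of UDP socket events` heading is added directly after the previous table's `|**Comments**|...|` row with no blank line, while the end of the new section does get one before `##### Configure monitoring of boot loader events`; add the blank line after the preceding table so the two sections are laid out the same way. The note's link to `#configure-scanning-of-network-socket-events` has the same dependency on patch 02's heading rename as the previous hunk.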
@@ -759,6 +776,181 @@ Determines whether module load events are monitored using eBPF and scanned.
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.68.80` or later.|
+##### Configure monitoring of namespace events
+
+Determines whether creation of namespaces (via `clone` / `unshare` system calls) are monitored. // no sense config so far
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableNamespaceEvents|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24032.0007` or later.|
+
+##### Configure eBPF source enrichment
+
+Determines whether eBPF source enrichment of events is enabled. // no sense config for this so far
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableEbpfSourceEnrichment|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
+
+##### Configure open events from specific filesystems
+
+Determines whether open events from specific paths in filesystems such as `procfs` and `devfs` are monitored. // no sense config for this so far
+
+> [!NOTE]
+> This feature is independent of `muteOpenFileEvents`.
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableOtherFsOpenEvents|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0000` or later.|
+
+#### Fanotify sensor configurations
+
+The following settings can be used to configure certain advanced fanotify sensor features.
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|fanotifySensorConfigurations|*Not available*|
+|**Data type**|Dictionary (nested preference)|*n/a*|
+|**Comments**|See the following sections for a description of the dictionary contents.|
+
+##### Configure mute open file events feature
+
+Determines whether file open events are monitored.
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|muteOpenFileEvents|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|enabled (default)
disabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.68.80` or later.||
+
+##### Configure monitoring of open exec file events
+
+Determines whether events corresponding to files being opened to be executed are monitored. // only test org dogfood sense config
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|openexecFileEvents|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.98.89` or later.|
+
+##### Configure monitoring of mount namespace events
+
+Determines whether file close modified events in namespace mount points are monitored. // no sense config for this so far
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableMountNamespaces|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24022.0001` or later.|
+
+#### Behavior monitoring configurations
+
+The following settings can be used to configure certain advanced behavior monitoring features.
+
+> [!NOTE]
+> The features under this section are applicable only when Behavior Monitoring is enabled.
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|behaviorMonitoringConfigurations|*Not available*|
+|**Data type**|Dictionary (nested preference)|*n/a*|
+|**Comments**|See the following sections for a description of the dictionary contents.|
+
+##### Configure scanning of fork events
+
+Determines whether fork process events are scanned by the behavior monitoring antivirus engine. // enabled only on mac till insider slow
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|notifyForks|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0000` or later.|
+
+#### Throttling configurations
+
+The following settings can be used to configure throttling of different types of events.
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|throttlingConfigurations|*Not available*|
+|**Data type**|Dictionary (nested preference)|*n/a*|
+|**Comments**|See the following sections for a description of the dictionary contents.|
+
+##### Configure throttling of file events
+
+Determines whether file events are throttled when they hit a certain limit. // enabled only till dogfood
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|fileEventsThrottling|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|enabled (default)
disabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
+
+##### Configure throttling of process connector events
+
+Determines whether process connector events are throttled when they hit a certain limit. // enabled till prod, but we are disabling it in mitre..
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|processConnectorThrottling|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|enabled (default)
disabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
+
+##### Configure throttling of supplementary events
+
+Determines whether supplementary events are throttled when they hit a certain limit. // enabled till prod, but we are disabling it in mitre..
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|supplementaryEventsThrottling|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|enabled (default)
disabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
+
+##### Configure throttling of eBPF events at per syscall level
+
+Determines whether eBPF events are throttled at a per syscall level when they hit a certain limit. // enabled till prod, but we are disabling it in mitre..
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|ebpfPerSyscallThrottling|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|enabled (default)
disabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
+
+##### Configure throttling of fanotify events pre- and post-smart filters
+
+Determines whether fanotify events are throttled either pre- or post-smart filters, when they hit a certain limit. // enabled till prod, but we are disabling it in mitre..
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|fanotifyPreSmartfilterThrottling|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|enabled (default)
disabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|fanotifyPostSmartfilterThrottling|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|enabled (default)
disabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
+
#### Report AV Suspicious Events to EDR
Determines whether suspicious events from Antivirus are reported to EDR.
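Review bot: several added description lines carry internal working comments that must not ship, e.g. `// no sense config so far`, `// only test org dogfood sense config` and `// enabled till prod, but we are disabling it in mitre..`; they also expose internal rollout ring names. Strip every trailing `// ...` fragment in this hunk before merge (patch 04 later removes only the one under `openexecFileEvents`). Further points in the same hunk: the `muteOpenFileEvents` row `|**Comments**|Available in Defender for Endpoint version `101.68.80` or later.||` has an extra trailing pipe; its description `Determines whether file open events are monitored.` with `enabled (default)` reads as "monitoring is on by default", which is the opposite of what a key named `muteOpenFileEvents` suggests, so state the polarity explicitly (what `enabled` means for the events); the fanotify throttling section puts two tables under one heading with no sentence separating the pre- and post-smart-filter keys; and the `##### Configure monitoring of namespace events` heading is added immediately after the preceding table with no blank line.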
@@ -770,6 +962,74 @@ Determines whether suspicious events from Antivirus are reported to EDR.
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
+#### Enable Quarantining of files within a namespace
+
+Determines whether malicious files detected within a namespace are quarantined or not. // no sense config pr for this so far
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableQuarantineInsideNamespace|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24042.0002` or later.|
+
+#### Enable Antivirus Engine Cache
+
+Determines whether an optimization for caching process details in the antivirus engine process is enabled. // no sense config pr for this so far
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableAntivirusEngineCache|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0002` or later.|
+
+#### Enable Scanning of Network Protection BM Events
+
+> [!NOTE]
+> This feature is applicable only when Behavior Monitoring is enabled.
+
+Determines whether network protection events are sent to the BM engine for scanning. // enabled upto dogfood via sense
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|nriMpengineMetadata|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0002` or later.|
+
+#### EDR Early Filtering Configurations
+
+The following settings can be used to filter out events before being sent to the EDR process for further processing. // describe in how much detail?
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|edrEarlyFiltering|*Not available*|
+|**Data type**|Dictionary (nested preference)|*n/a*|
+|**Comments**|See the following sections for a description of the dictionary contents.|
+
+##### Configure EDR Early Filtering in Passive Mode
+
+Determines whether events are filtered early before sending to the EDR process in the passive enforcement level. // This is enabled till insider slow as of now
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableEarlyFilteringPassive|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0000` or later.|
+
+##### Configure EDR Early Filtering in Real Time Mode
+
+Determines whether events are filtered early before sending to the EDR process in the real time enforcement level. // This is only enabled till dogfood and i think this is not going to be further rolled out. Should we expose this or not?
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableEarlyFilteringRtp|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0000` or later.|
+
### Network protection configurations
The following settings can be used to configure advanced Network Protection inspection features to control what traffic gets inspected by Network Protection.
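Review bot: the additions again leave internal comments and open questions in published text: `// no sense config pr for this so far`, `// describe in how much detail?` and `// This is only enabled till dogfood and i think this is not going to be further rolled out. Should we expose this or not?`. Those questions need answering in review, not on the page; the `enableEarlyFilteringRtp` section in particular should be either kept deliberately or dropped rather than documented with its own doubt attached (patch 03 later removes the whole EDR early filtering block and the antivirus engine cache section). Also, `BM` in `Enable Scanning of Network Protection BM Events` and `the BM engine` is not expanded anywhere in this hunk; write "behavior monitoring (BM)" on first use. The `#### Enable Quarantining of files within a namespace` heading is added directly after the previous table with no blank line.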
From bc6eb535cf8149f9a5b45d6a49fcc42eb43eeef1 Mon Sep 17 00:00:00 2001
From: lakshmyav <108449150+lakshmyav@users.noreply.github.com>
Date: Mon, 9 Dec 2024 13:33:10 +0530
Subject: [PATCH 02/31] Update socket event scanning and version comments
---
defender-endpoint/linux-preferences.md | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
index 87d8cf253d..a976473c31 100644
--- a/defender-endpoint/linux-preferences.md
+++ b/defender-endpoint/linux-preferences.md
@@ -18,8 +18,6 @@ ms.subservice: linux
search.appverid: met150
---
-LATEST
-
# Set preferences for Microsoft Defender for Endpoint on Linux
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
@@ -527,9 +525,9 @@ When this feature is enabled, Defender for Endpoint will scan files for which ow
> [!NOTE]
> Available in Defender for Endpoint version `101.23062.0010` or later.
-##### Configure scanning of raw socket events
+##### Configure scanning of network socket events
-When this feature is enabled, Defender for Endpoint will scan network socket events such as creation of raw sockets / packet sockets, or setting socket option.
+When this feature is enabled, Defender for Endpoint will scan network socket events such as creation of raw sockets / packet sockets / UDP sockets, or setting socket option.
> [!NOTE]
> This feature is applicable only when Behavior Monitoring is enabled.
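Review bot: renaming `##### Configure scanning of raw socket events` to `##### Configure scanning of network socket events` changes the generated anchor, so every link to `#configure-scanning-of-raw-socket-events` (in this file, the TOC and any other article) has to be updated; patch 01 already repointed the one in the raw-socket monitoring note and the new UDP note targets the new slug, but please grep the repo for the old one. Minor: `or setting socket option` should be `or setting socket options`.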
@@ -810,7 +808,7 @@ Determines whether open events from specific paths in filesystems such as `procf
|**Key**|enableOtherFsOpenEvents|*Not available*|
|**Data type**|String|*n/a*|
|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0000` or later.|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
#### Fanotify sensor configurations
@@ -877,7 +875,7 @@ Determines whether fork process events are scanned by the behavior monitoring an
|**Key**|notifyForks|*Not available*|
|**Data type**|String|*n/a*|
|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0000` or later.|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
#### Throttling configurations
@@ -982,7 +980,7 @@ Determines whether an optimization for caching process details in the antivirus
|**Key**|enableAntivirusEngineCache|*Not available*|
|**Data type**|String|*n/a*|
|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0002` or later.|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
#### Enable Scanning of Network Protection BM Events
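Review bot: this hunk lowers the stated minimum version for `enableAntivirusEngineCache` from `101.24072.0002` to `101.24072.0001`, which widens the availability claim, whereas the other hunks in this patch move `.0000` up to `.0001` and narrow it. Please confirm against the release notes that `101.24072.0001` actually contained this key; the same check applies to `nriMpengineMetadata` in the following hunk, which makes the same downward change.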
@@ -996,7 +994,7 @@ Determines whether network protection events are sent to the BM engine for scann
|**Key**|nriMpengineMetadata|*Not available*|
|**Data type**|String|*n/a*|
|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0002` or later.|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
#### EDR Early Filtering Configurations
@@ -1017,7 +1015,7 @@ Determines whether events are filtered early before sending to the EDR process i
|**Key**|enableEarlyFilteringPassive|*Not available*|
|**Data type**|String|*n/a*|
|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0000` or later.|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
##### Configure EDR Early Filtering in Real Time Mode
@@ -1028,7 +1026,7 @@ Determines whether events are filtered early before sending to the EDR process i
|**Key**|enableEarlyFilteringRtp|*Not available*|
|**Data type**|String|*n/a*|
|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0000` or later.|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
### Network protection configurations
From 448dc321a4e7ddd69137e554a3a70d7861724d79 Mon Sep 17 00:00:00 2001
From: lakshmyav <108449150+lakshmyav@users.noreply.github.com>
Date: Wed, 11 Dec 2024 09:46:40 +0530
Subject: [PATCH 03/31] review feedback - part 1
---
defender-endpoint/linux-preferences.md | 148 +------------------------
1 file changed, 5 insertions(+), 143 deletions(-)
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
index a976473c31..a6c92ff6ed 100644
--- a/defender-endpoint/linux-preferences.md
+++ b/defender-endpoint/linux-preferences.md
@@ -785,31 +785,6 @@ Determines whether creation of namespaces (via `clone` / `unshare` system calls)
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.24032.0007` or later.|
-##### Configure eBPF source enrichment
-
-Determines whether eBPF source enrichment of events is enabled. // no sense config for this so far
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|enableEbpfSourceEnrichment|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
-
-##### Configure open events from specific filesystems
-
-Determines whether open events from specific paths in filesystems such as `procfs` and `devfs` are monitored. // no sense config for this so far
-
-> [!NOTE]
-> This feature is independent of `muteOpenFileEvents`.
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|enableOtherFsOpenEvents|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
-
#### Fanotify sensor configurations
The following settings can be used to configure certain advanced fanotify sensor features.
@@ -842,9 +817,9 @@ Determines whether events corresponding to files being opened to be executed are
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.98.89` or later.|
-##### Configure monitoring of mount namespace events
+##### Configure monitoring of mount namespace events [preview]
-Determines whether file close modified events in namespace mount points are monitored. // no sense config for this so far
+Determines whether file events in namespace mount points are monitored. // no sense config for this so far
|Description|JSON Value|Defender Portal Value|
|---|---|---|
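Review bot: the rewritten description `+Determines whether file events in namespace mount points are monitored. // no sense config for this so far` still carries the internal `// ...` comment; since the line is being touched anyway, drop the fragment here. Appending `[preview]` to the heading also changes its anchor to `#configure-monitoring-of-mount-namespace-events-preview`; check for links to the old slug, and decide whether the site's convention is a bracketed suffix in the heading or a preview note below it, so that all preview sections are marked the same way.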
@@ -877,77 +852,6 @@ Determines whether fork process events are scanned by the behavior monitoring an
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
-#### Throttling configurations
-
-The following settings can be used to configure throttling of different types of events.
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|throttlingConfigurations|*Not available*|
-|**Data type**|Dictionary (nested preference)|*n/a*|
-|**Comments**|See the following sections for a description of the dictionary contents.|
-
-##### Configure throttling of file events
-
-Determines whether file events are throttled when they hit a certain limit. // enabled only till dogfood
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|fileEventsThrottling|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|enabled (default)
disabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
-
-##### Configure throttling of process connector events
-
-Determines whether process connector events are throttled when they hit a certain limit. // enabled till prod, but we are disabling it in mitre..
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|processConnectorThrottling|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|enabled (default)
disabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
-
-##### Configure throttling of supplementary events
-
-Determines whether supplementary events are throttled when they hit a certain limit. // enabled till prod, but we are disabling it in mitre..
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|supplementaryEventsThrottling|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|enabled (default)
disabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
-
-##### Configure throttling of eBPF events at per syscall level
-
-Determines whether eBPF events are throttled at a per syscall level when they hit a certain limit. // enabled till prod, but we are disabling it in mitre..
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|ebpfPerSyscallThrottling|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|enabled (default)
disabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
-
-##### Configure throttling of fanotify events pre- and post-smart filters
-
-Determines whether fanotify events are throttled either pre- or post-smart filters, when they hit a certain limit. // enabled till prod, but we are disabling it in mitre..
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|fanotifyPreSmartfilterThrottling|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|enabled (default)
disabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|fanotifyPostSmartfilterThrottling|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|enabled (default)
disabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
#### Report AV Suspicious Events to EDR
@@ -971,21 +875,11 @@ Determines whether malicious files detected within a namespace are quarantined o
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.24042.0002` or later.|
-#### Enable Antivirus Engine Cache
-
-Determines whether an optimization for caching process details in the antivirus engine process is enabled. // no sense config pr for this so far
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|enableAntivirusEngineCache|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
-
-#### Enable Scanning of Network Protection BM Events
+#### Enable Scanning of Network Protection BM Events [preview]
> [!NOTE]
> This feature is applicable only when Behavior Monitoring is enabled.
+> For these to be effective, Network Protection has to be turned on. For more information, see [Turn on network protection for Linux](network-protection-linux.md).
Determines whether network protection events are sent to the BM engine for scanning. // enabled upto dogfood via sense
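Review bot: the added note line `> For these to be effective, Network Protection has to be turned on.` sits in a section documenting a single setting, so `these` has no clear referent; suggest `For this setting to take effect, Network Protection must be turned on.` The description line in the trailing context still ends in `// enabled upto dogfood via sense`, which this patch should remove while it is editing the section. The `[preview]` suffix changes the heading anchor, as in the mount-namespace hunk.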
@@ -996,39 +890,7 @@ Determines whether network protection events are sent to the BM engine for scann
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
-#### EDR Early Filtering Configurations
-
-The following settings can be used to filter out events before being sent to the EDR process for further processing. // describe in how much detail?
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|edrEarlyFiltering|*Not available*|
-|**Data type**|Dictionary (nested preference)|*n/a*|
-|**Comments**|See the following sections for a description of the dictionary contents.|
-
-##### Configure EDR Early Filtering in Passive Mode
-
-Determines whether events are filtered early before sending to the EDR process in the passive enforcement level. // This is enabled till insider slow as of now
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|enableEarlyFilteringPassive|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
-
-##### Configure EDR Early Filtering in Real Time Mode
-
-Determines whether events are filtered early before sending to the EDR process in the real time enforcement level. // This is only enabled till dogfood and i think this is not going to be further rolled out. Should we expose this or not?
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|enableEarlyFilteringRtp|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
-
-### Network protection configurations
+### Network protection configurations [preview]
The following settings can be used to configure advanced Network Protection inspection features to control what traffic gets inspected by Network Protection.
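Review bot: `### Network protection configurations` becomes `### Network protection configurations [preview]`, which changes the anchor from `#network-protection-configurations`; this is an H3 that the TOC and other articles (such as the network protection for Linux page linked earlier in this patch) may target, so grep for the old slug and update those links before merge.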
From 9d1f9a75effa8ad46ec48b8fac8ff331c676e304 Mon Sep 17 00:00:00 2001
From: lakshmyav <108449150+lakshmyav@users.noreply.github.com>
Date: Wed, 11 Dec 2024 13:23:29 +0530
Subject: [PATCH 04/31] Update Linux preferences documentation for Defender
---
defender-endpoint/linux-preferences.md | 50 ++++++++++++++------------
1 file changed, 28 insertions(+), 22 deletions(-)
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
index a6c92ff6ed..a0b9703be1 100644
--- a/defender-endpoint/linux-preferences.md
+++ b/defender-endpoint/linux-preferences.md
@@ -74,7 +74,10 @@ Specifies the enforcement preference of antivirus engine. There are three values
> Available in Defender for Endpoint version `101.10.72` or later. Default is changed from `real_time` to `passive` in Defender for Endpoint version `101.23062.0001` or later.
> It is recommended to also use [scheduled scans](/defender-endpoint/linux-schedule-scan-mde) as per requirement.
-#### Enable/disable behavior monitoring
+#### Enable/disable behavior monitoring [only if RTP is enabled]
+
+> [!IMPORTANT]
+> This feature only works when the enforcement level is set to `real-time`.
Determines whether behavior monitoring and blocking capability is enabled on the device or not.
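Review bot: the new IMPORTANT box says the feature works only when the enforcement level is set to `real-time`, but the enforcement level values quoted in the context two lines above are `real_time` and `passive` (underscore). Use the literal value `real_time` so readers can copy it into the JSON. Also, the bracketed qualifier in `#### Enable/disable behavior monitoring [only if RTP is enabled]` duplicates the IMPORTANT box that immediately follows and changes the heading's anchor; keep the heading as it was and let the callout carry the condition.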
@@ -86,10 +89,13 @@ Determines whether behavior monitoring and blocking capability is enabled on the
> [!NOTE]
> Available in Defender for Endpoint version `101.45.00` or later.
-> This feature is applicable only when real-time protection is enabled.
+
#### Run a scan after definitions are updated
+> [!IMPORTANT]
+> This feature only works when the enforcement level is set to `real-time`.
+
Specifies whether to start a process scan after new security intelligence updates are downloaded on the device. Enabling this setting triggers an antivirus scan on the running processes of the device.
|Description|JSON Value|Defender Portal Value|
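Review bot: same value mismatch as the previous hunk: the added `> This feature only works when the enforcement level is set to `real-time`.` should read `real_time`, matching the documented enforcement level values. The callout is also placed above the section's description paragraph here, whereas the note it replaces (and the neighbouring sections) put availability and condition notes after the table; keep the placement consistent across sections.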
@@ -100,7 +106,6 @@ Specifies whether to start a process scan after new security intelligence update
> [!NOTE]
> Available in Defender for Endpoint version `101.45.00` or later.
-> This feature only works when the enforcement level is set to `real-time`.
#### Scan archives (on-demand antivirus scans only)
@@ -491,7 +496,7 @@ Specifies a process for which all file activity is excluded from scanning. The p
The following settings can be configured to enable certain advanced scanning features.
-> [!NOTE]
+> [!IMPORTANT]
> Enabling these features might impact device performance. As such, it is recommended to keep the defaults.
##### Configure scanning of file modify permissions events
@@ -527,6 +532,7 @@ When this feature is enabled, Defender for Endpoint will scan files for which ow
##### Configure scanning of network socket events
+
When this feature is enabled, Defender for Endpoint will scan network socket events such as creation of raw sockets / packet sockets / UDP sockets, or setting socket option.
> [!NOTE]
@@ -627,7 +633,7 @@ Depending on the enforcement level, the automatic security intelligence updates
The following settings can be configured to enable certain advanced features.
->[!NOTE]
+>[!IMPORTANT]
>Enabling these features might impact device performance. It is recommended to keep the defaults.
|Description|JSON Value|Defender Portal Value|
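Review bot: `>[!IMPORTANT]` and `>Enabling these features ...` have no space after the `>`, unlike the equivalent callout changed in the earlier hunk (`> [!IMPORTANT]` / `> Enabling these features ...`); use the spaced form consistently so the callout renders the same way in both places, and align the wording too ("As such, it is recommended to keep the defaults." in one, "It is recommended to keep the defaults." in the other).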
@@ -660,6 +666,17 @@ The following settings can be used to configure certain advanced supplementary s
|**Data type**|Dictionary (nested preference)|*n/a*|
|**Comments**|See the following sections for a description of the dictionary contents.|
+##### Configure monitoring of namespace events [preview]
+
+Determines whether creation of namespaces (via `clone` / `unshare` system calls) are monitored.
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableNamespaceEvents|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24032.0007` or later.|
+
##### Configure monitoring of file modify permissions events
Determines whether file modify permissions events (`chmod`) are monitored.
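Review bot: subject-verb agreement in `+Determines whether creation of namespaces (via `clone` / `unshare` system calls) are monitored.`; the subject is "creation", so it should read "is monitored". Also, the heading carries a `[preview]` tag but the table's Comments row only gives the minimum version; state the preview status in the Comments row (or in a note block) as the rest of this page does, so the status survives if the heading tag is removed later.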
@@ -774,17 +791,6 @@ Determines whether module load events are monitored using eBPF and scanned.
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.68.80` or later.|
-##### Configure monitoring of namespace events
-
-Determines whether creation of namespaces (via `clone` / `unshare` system calls) are monitored. // no sense config so far
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|enableNamespaceEvents|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24032.0007` or later.|
-
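Review bot: the copy being deleted here still carried an internal remark (`// no sense config so far`) that would have been published verbatim; the relocated copy earlier in this patch drops it, and the following hunks remove similar remarks from other sections. Before merging, search the file for any remaining `//` remarks so none of the internal rollout notes ship in the public article.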
#### Fanotify sensor configurations
The following settings can be used to configure certain advanced fanotify sensor features.
@@ -808,7 +814,7 @@ Determines whether file open events are monitored.
##### Configure monitoring of open exec file events
-Determines whether events corresponding to files being opened to be executed are monitored. // only test org dogfood sense config
+Determines whether events corresponding to files being opened to be executed are monitored.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
@@ -819,7 +825,7 @@ Determines whether events corresponding to files being opened to be executed are
##### Configure monitoring of mount namespace events [preview]
-Determines whether file events in namespace mount points are monitored. // no sense config for this so far
+Determines whether file events in namespace mount points are monitored.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
@@ -843,7 +849,7 @@ The following settings can be used to configure certain advanced behavior monito
##### Configure scanning of fork events
-Determines whether fork process events are scanned by the behavior monitoring antivirus engine. // enabled only on mac till insider slow
+Determines whether fork process events are scanned by the behavior monitoring antivirus engine.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
@@ -864,9 +870,9 @@ Determines whether suspicious events from Antivirus are reported to EDR.
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
-#### Enable Quarantining of files within a namespace
+#### Enable Quarantining of files within a namespace [preview]
-Determines whether malicious files detected within a namespace are quarantined or not. // no sense config pr for this so far
+Determines whether malicious files detected within a namespace are quarantined or not.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
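Review bot: the retained description `+Determines whether malicious files detected within a namespace are quarantined or not.` still has the redundant "or not"; "Determines whether malicious files detected within a namespace are quarantined." matches the phrasing of the neighbouring sections.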
@@ -881,7 +887,7 @@ Determines whether malicious files detected within a namespace are quarantined o
> This feature is applicable only when Behavior Monitoring is enabled.
> For these to be effective, Network Protection has to be turned on. For more information, see [Turn on network protection for Linux](network-protection-linux.md).
-Determines whether network protection events are sent to the BM engine for scanning. // enabled upto dogfood via sense
+Determines whether network protection events are sent to the BM engine for scanning.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
From 23ecf1c96433d103909d64df12391c08e3913bee Mon Sep 17 00:00:00 2001
From: lakshmyav <108449150+lakshmyav@users.noreply.github.com>
Date: Wed, 11 Dec 2024 13:47:44 +0530
Subject: [PATCH 05/31] Add preview notes to configuration sections.
---
defender-endpoint/linux-preferences.md | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
index a0b9703be1..3c3f3f06bc 100644
--- a/defender-endpoint/linux-preferences.md
+++ b/defender-endpoint/linux-preferences.md
@@ -666,7 +666,10 @@ The following settings can be used to configure certain advanced supplementary s
|**Data type**|Dictionary (nested preference)|*n/a*|
|**Comments**|See the following sections for a description of the dictionary contents.|
-##### Configure monitoring of namespace events [preview]
+##### Configure monitoring of namespace Events
+
+> [!NOTE]
+> This is a preview feature.
Determines whether creation of namespaces (via `clone` / `unshare` system calls) are monitored.
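Review bot: the new heading `+##### Configure monitoring of namespace Events` capitalizes "Events", while every sibling heading on the page uses lowercase "events" (for example the `mount namespace events` and `file modify permissions events` headings); keep it lowercase, both for consistency and so the generated anchor id matches the pattern of the other headings.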
@@ -823,7 +826,10 @@ Determines whether events corresponding to files being opened to be executed are
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.98.89` or later.|
-##### Configure monitoring of mount namespace events [preview]
+##### Configure monitoring of mount namespace events
+
+> [!NOTE]
+> This is a preview feature.
Determines whether file events in namespace mount points are monitored.
@@ -870,7 +876,10 @@ Determines whether suspicious events from Antivirus are reported to EDR.
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
-#### Enable Quarantining of files within a namespace [preview]
+#### Enable Quarantining of files within a namespace
+
+> [!NOTE]
+> This is a preview feature.
Determines whether malicious files detected within a namespace are quarantined or not.
@@ -881,9 +890,10 @@ Determines whether malicious files detected within a namespace are quarantined o
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.24042.0002` or later.|
-#### Enable Scanning of Network Protection BM Events [preview]
+#### Enable Scanning of Network Protection BM Events
> [!NOTE]
+> This is a preview feature.
> This feature is applicable only when Behavior Monitoring is enabled.
> For these to be effective, Network Protection has to be turned on. For more information, see [Turn on network protection for Linux](network-protection-linux.md).
@@ -896,13 +906,14 @@ Determines whether network protection events are sent to the BM engine for scann
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
-### Network protection configurations [preview]
-
-The following settings can be used to configure advanced Network Protection inspection features to control what traffic gets inspected by Network Protection.
+### Network protection configurations
> [!NOTE]
+> This is a preview feature.
> For these to be effective, Network Protection has to be turned on. For more information, see [Turn on network protection for Linux](network-protection-linux.md).
+The following settings can be used to configure advanced Network Protection inspection features to control what traffic gets inspected by Network Protection.
+
|Description|JSON Value|Defender Portal Value|
|---|---|---|
|**Key**|networkProtection|Network protection|
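Review bot: with the intro sentence moved below the callout, the note line `> For these to be effective, Network Protection has to be turned on.` now appears before "these" (the settings) has been introduced; reword it to "For these settings to be effective, ..." so the callout reads correctly on its own. The move itself is fine and matches the order used in the other sections.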
From 9765574bc5efe34362f7b8edd216d1d8901f31a7 Mon Sep 17 00:00:00 2001
From: Chris Davis
Date: Wed, 18 Dec 2024 10:33:22 -0800
Subject: [PATCH 06/31] Update
remediate-malicious-email-delivered-office-365.md
Throttling per email request
---
.../remediate-malicious-email-delivered-office-365.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/defender-office-365/remediate-malicious-email-delivered-office-365.md b/defender-office-365/remediate-malicious-email-delivered-office-365.md
index 6a215e57e4..3f6e3a1387 100644
--- a/defender-office-365/remediate-malicious-email-delivered-office-365.md
+++ b/defender-office-365/remediate-malicious-email-delivered-office-365.md
@@ -27,6 +27,13 @@ Remediation means to take a prescribed action against a threat. Malicious email
## What you need to know before you begin
+- There are throttling limits for large-scale remediations that help ensure stability and performance of the service:
+ - **Organization limits**: The maximum number of active, concurrent email remediations is 50. Once the limit is reached. no new remediations are triggered until some actions are completed.
+ - **Email message limits**: If an active remediation involves more than one million email messages, no new email remediations are allowed.
+ - **Recipient requirements in remediations**: The total percentage of selected recipients must be at least 40% of the total email message count in the remediation. For example, if the remediation requires the deletion of 5000 email messages, the remediation must target at least 2000 recipients.
+ - If the recipient count is less than 40% of the total email message count, ensure that the percentage of email messages per recipient doesn't exceed 20% of the total number of email messages submitted.
+ - If the recipient count is less than 40% of the total email message count, the remediation can't be used to delete more than 1000 messages that were sent to a single recipient.
+
- You need to be assigned permissions before you can do the procedures in this article. Admins can take the required action on email messages, but the **Search and Purge** role is required to get those actions approved. To assign the **Search and Purge** role, you have the following options:
- [Microsoft Defender XDR Unified role based access control (RBAC)](/defender-xdr/manage-rbac) (If **Email & collaboration** \> **Defender for Office 365** permissions is :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **Active**. Affects the Defender portal only, not PowerShell): **Security operations/Security data/Email & collaboration advanced actions (manage)**.
- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management** or **Data Investigator** role groups. Or, you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Search and Purge** role assigned, and add the users to the custom role group.
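Review bot: typo in the organization-limits bullet: `Once the limit is reached. no new remediations are triggered` should use a comma, not a period, after "reached". The two sub-bullets for the under-40% case also overlap without saying how they combine: one caps the share of messages per recipient at 20% of the total, the other caps messages to a single recipient at 1000; if both apply, say so explicitly, otherwise keep only the rule that is enforced (a later patch in this series drops the 20% rule). Finally, "The total percentage of selected recipients must be at least 40% of the total email message count" mixes a percentage with a count; "The number of selected recipients must be at least 40% of the total email message count" says what the 5000/2000 example illustrates.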
From de0d2550d17c88450618b32bc53995bca4e2b686 Mon Sep 17 00:00:00 2001
From: Chris Davis
Date: Wed, 18 Dec 2024 10:39:05 -0800
Subject: [PATCH 07/31] Update
remediate-malicious-email-delivered-office-365.md
---
.../remediate-malicious-email-delivered-office-365.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-office-365/remediate-malicious-email-delivered-office-365.md b/defender-office-365/remediate-malicious-email-delivered-office-365.md
index 3f6e3a1387..2806101e6f 100644
--- a/defender-office-365/remediate-malicious-email-delivered-office-365.md
+++ b/defender-office-365/remediate-malicious-email-delivered-office-365.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
search.appverid: MET150
description: Threat remediation
ms.service: defender-office-365
-ms.date: 1/16/2024
+ms.date: 12/18/2024
appliesto:
- ✅ Microsoft Defender for Office 365 Plan 2
---
From a2832dd07343b662fcd6d65ac92f45cd0136ecd0 Mon Sep 17 00:00:00 2001
From: lakshmyav <108449150+lakshmyav@users.noreply.github.com>
Date: Fri, 20 Dec 2024 15:57:41 +0530
Subject: [PATCH 08/31] feedback 1
---
defender-endpoint/linux-preferences.md | 43 --------------------------
1 file changed, 43 deletions(-)
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
index f246471209..ee696d5d9c 100644
--- a/defender-endpoint/linux-preferences.md
+++ b/defender-endpoint/linux-preferences.md
@@ -671,20 +671,6 @@ The following settings can be used to configure certain advanced supplementary s
|**Data type**|Dictionary (nested preference)|*n/a*|
|**Comments**|See the following sections for a description of the dictionary contents.|
-##### Configure monitoring of namespace Events
-
-> [!NOTE]
-> This is a preview feature.
-
-Determines whether creation of namespaces (via `clone` / `unshare` system calls) are monitored.
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|enableNamespaceEvents|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|disabled (default) enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24032.0007` or later.|
-
##### Configure monitoring of file modify permissions events
Determines whether file modify permissions events (`chmod`) are monitored.
@@ -728,21 +714,6 @@ Determines whether network socket events involving creation of raw sockets / pac
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
-##### Configure monitoring of UDP socket events
-
-Determines whether network socket events involving creation of UDP sockets are monitored.
-
-> [!NOTE]
-> This feature is applicable only when Behavior Monitoring is enabled.
-> When this feature is enabled, Defender for Endpoint will monitor these network socket events, but not scan these events. For more information, see [Advanced scanning features](linux-preferences.md#configure-scanning-of-network-socket-events) section above for more details.
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|enableUdpSocketEvent|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
-
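Review bot: this hunk deletes the `##### Configure monitoring of UDP socket events` heading and the `enableUdpSocketEvent` key, but the scanning-section note that links to it (`[Advanced optional features for UDP socket events](linux-preferences.md#configure-monitoring-of-udp-socket-events)`) is only removed in the next patch of the series, so this commit on its own leaves a broken anchor and a reference to an undocumented key. Fold that note change into this commit so each commit leaves the article consistent.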
##### Configure monitoring of boot loader events
Determines whether boot loader events are monitored and scanned.
@@ -831,20 +802,6 @@ Determines whether events corresponding to files being opened to be executed are
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.98.89` or later.|
-##### Configure monitoring of mount namespace events
-
-> [!NOTE]
-> This is a preview feature.
-
-Determines whether file events in namespace mount points are monitored.
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|enableMountNamespaces|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24022.0001` or later.|
-
#### Behavior monitoring configurations
The following settings can be used to configure certain advanced behavior monitoring features.
From 29af5ee3f517c6b8f2fc0eeac553fe17ff24215b Mon Sep 17 00:00:00 2001
From: lakshmyav <108449150+lakshmyav@users.noreply.github.com>
Date: Fri, 20 Dec 2024 16:01:17 +0530
Subject: [PATCH 09/31] feedback2
---
defender-endpoint/linux-preferences.md | 95 ++------------------------
1 file changed, 4 insertions(+), 91 deletions(-)
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
index ee696d5d9c..858e4176b6 100644
--- a/defender-endpoint/linux-preferences.md
+++ b/defender-endpoint/linux-preferences.md
@@ -535,14 +535,14 @@ When this feature is enabled, Defender for Endpoint will scan files for which ow
> [!NOTE]
> Available in Defender for Endpoint version `101.23062.0010` or later.
-##### Configure scanning of network socket events
+##### Configure scanning of raw socket events
-When this feature is enabled, Defender for Endpoint will scan network socket events such as creation of raw sockets / packet sockets / UDP sockets, or setting socket option.
+When this feature is enabled, Defender for Endpoint will scan network socket events such as creation of raw sockets / packet sockets, or setting socket option.
> [!NOTE]
> This feature is applicable only when Behavior Monitoring is enabled.
-> This feature is applicable only when the `enableRawSocketEvent` feature or the `enableUdpSocketEvent` feature is enabled. For more information, see [Advanced optional features for raw socket events](linux-preferences.md#configure-monitoring-of-raw-socket-events) or [Advanced optional features for UDP socket events](linux-preferences.md#configure-monitoring-of-udp-socket-events) sections below for details.
+> This feature is applicable only when the `enableRawSocketEvent` feature is enabled. For more information, see [Advanced optional features for raw socket events](linux-preferences.md#configure-monitoring-of-raw-socket-events) section below for details.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
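Review bot: renaming the heading to `##### Configure scanning of raw socket events` changes its anchor id from `#configure-scanning-of-network-socket-events` to `#configure-scanning-of-raw-socket-events`; the next hunk updates the one in-file link, but check for inbound links from other articles before merging. In the rewritten description, `creation of raw sockets / packet sockets, or setting socket option` should read "setting socket options".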
@@ -705,7 +705,7 @@ Determines whether network socket events involving creation of raw sockets / pac
> [!NOTE]
> This feature is applicable only when Behavior Monitoring is enabled.
-> When this feature is enabled, Defender for Endpoint will monitor these network socket events, but not scan these events. For more information, see [Advanced scanning features](linux-preferences.md#configure-scanning-of-network-socket-events) section above for more details.
+> When this feature is enabled, Defender for Endpoint will monitor these network socket events, but not scan these events. For more information, see [Advanced scanning features](linux-preferences.md#configure-scanning-of-raw-socket-events) section above for more details.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
@@ -770,63 +770,6 @@ Determines whether module load events are monitored using eBPF and scanned.
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.68.80` or later.|
-#### Fanotify sensor configurations
-
-The following settings can be used to configure certain advanced fanotify sensor features.
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|fanotifySensorConfigurations|*Not available*|
-|**Data type**|Dictionary (nested preference)|*n/a*|
-|**Comments**|See the following sections for a description of the dictionary contents.|
-
-##### Configure mute open file events feature
-
-Determines whether file open events are monitored.
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|muteOpenFileEvents|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|enabled (default)
disabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.68.80` or later.||
-
-##### Configure monitoring of open exec file events
-
-Determines whether events corresponding to files being opened to be executed are monitored.
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|openexecFileEvents|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.98.89` or later.|
-
-#### Behavior monitoring configurations
-
-The following settings can be used to configure certain advanced behavior monitoring features.
-
-> [!NOTE]
-> The features under this section are applicable only when Behavior Monitoring is enabled.
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|behaviorMonitoringConfigurations|*Not available*|
-|**Data type**|Dictionary (nested preference)|*n/a*|
-|**Comments**|See the following sections for a description of the dictionary contents.|
-
-##### Configure scanning of fork events
-
-Determines whether fork process events are scanned by the behavior monitoring antivirus engine.
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|notifyForks|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
-
-
#### Report AV Suspicious Events to EDR
Determines whether suspicious events from Antivirus are reported to EDR.
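Review bot: this hunk removes the whole `fanotifySensorConfigurations` and `behaviorMonitoringConfigurations` dictionaries, including `muteOpenFileEvents`, which is the only setting in the removed block whose documented default is `enabled (default)`; after this change an administrator has no documented way to learn that file open events are muted by default, or to find the `notifyForks` and `openexecFileEvents` keys at all. Confirm the removal is intended and that any sample configuration JSON elsewhere in the file no longer lists these keys, otherwise the sample will reference settings the article does not describe.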
@@ -838,36 +781,6 @@ Determines whether suspicious events from Antivirus are reported to EDR.
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.23062.0010` or later.|
-#### Enable Quarantining of files within a namespace
-
-> [!NOTE]
-> This is a preview feature.
-
-Determines whether malicious files detected within a namespace are quarantined or not.
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|enableQuarantineInsideNamespace|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24042.0002` or later.|
-
-#### Enable Scanning of Network Protection BM Events
-
-> [!NOTE]
-> This is a preview feature.
-> This feature is applicable only when Behavior Monitoring is enabled.
-> For these to be effective, Network Protection has to be turned on. For more information, see [Turn on network protection for Linux](network-protection-linux.md).
-
-Determines whether network protection events are sent to the BM engine for scanning.
-
-|Description|JSON Value|Defender Portal Value|
-|---|---|---|
-|**Key**|nriMpengineMetadata|*Not available*|
-|**Data type**|String|*n/a*|
-|**Possible values**|disabled (default)
enabled|*n/a*|
-|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
-
### Network protection configurations
> [!NOTE]
From 009fa8760fb3cfbe140e94f82c094f6b915e0624 Mon Sep 17 00:00:00 2001
From: lakshmyav <108449150+lakshmyav@users.noreply.github.com>
Date: Fri, 20 Dec 2024 16:07:01 +0530
Subject: [PATCH 10/31] feedback 3
---
defender-endpoint/linux-preferences.md | 36 ++++++++++++++++++++++++--
1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
index 858e4176b6..a4e45e7923 100644
--- a/defender-endpoint/linux-preferences.md
+++ b/defender-endpoint/linux-preferences.md
@@ -537,12 +537,11 @@ When this feature is enabled, Defender for Endpoint will scan files for which ow
##### Configure scanning of raw socket events
-
When this feature is enabled, Defender for Endpoint will scan network socket events such as creation of raw sockets / packet sockets, or setting socket option.
> [!NOTE]
> This feature is applicable only when Behavior Monitoring is enabled.
-> This feature is applicable only when the `enableRawSocketEvent` feature is enabled. For more information, see [Advanced optional features for raw socket events](linux-preferences.md#configure-monitoring-of-raw-socket-events) section below for details.
+> This feature is applicable only when the `enableRawSocketEvent` feature is enabled. For more information, see [Advanced optional features](linux-preferences.md#configure-monitoring-of-raw-socket-events) section below for details.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
@@ -770,6 +769,39 @@ Determines whether module load events are monitored using eBPF and scanned.
|**Possible values**|disabled (default)
enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.68.80` or later.|
+##### Configure monitoring of open events from specific filesystems using eBPF
+
+Determines whether open events from procfs and devfs are monitored by eBPF.
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableOtherFsOpenEvents|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
+
+##### Configure source enrichment of events using eBPF
+
+Determines whether events are enriched with metadata from source in eBPF.
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableEbpfSourceEnrichment|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
+
+#### Enable Antivirus Engine Cache
+
+Determines whether metadata of events being scanned by the antivirus engine are cached or not.
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableAntivirusEngineCache|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default)
enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
+
#### Report AV Suspicious Events to EDR
Determines whether suspicious events from Antivirus are reported to EDR.
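Review bot: heading level is inconsistent in this hunk: `+#### Enable Antivirus Engine Cache` is a level-4 heading placed between the level-5 eBPF subsections and `#### Report AV Suspicious Events to EDR`; if `enableAntivirusEngineCache` is a top-level key the level is right but it should not sit inside the eBPF subsection run, and if it is a nested key the table should say which dictionary it belongs to. Grammar in the same section: `+Determines whether metadata of events being scanned by the antivirus engine are cached or not.` should read "is cached".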
From 866af55c1f63847fadd963626c985dd646a80122 Mon Sep 17 00:00:00 2001
From: lakshmyav <108449150+lakshmyav@users.noreply.github.com>
Date: Fri, 27 Dec 2024 09:10:38 +0530
Subject: [PATCH 11/31] updates
---
defender-endpoint/linux-preferences.md | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
index a4e45e7923..dc641f1e1e 100644
--- a/defender-endpoint/linux-preferences.md
+++ b/defender-endpoint/linux-preferences.md
@@ -771,7 +771,10 @@ Determines whether module load events are monitored using eBPF and scanned.
##### Configure monitoring of open events from specific filesystems using eBPF
-Determines whether open events from procfs and devfs are monitored by eBPF.
+Determines whether open events from procfs are monitored by eBPF.
+
+> [!NOTE]
+> This feature is applicable only when Behavior Monitoring is enabled.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
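Review bot: the description is narrowed to `+Determines whether open events from procfs are monitored by eBPF.`, but the key documented in the table below is `enableOtherFsOpenEvents`, which implies more than one filesystem; either state in the Comments row that procfs is currently the only filesystem covered by this key, or keep the list of filesystems in the description, so the key name and its description do not read as contradicting each other.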
@@ -782,7 +785,7 @@ Determines whether open events from procfs and devfs are monitored by eBPF.
##### Configure source enrichment of events using eBPF
-Determines whether events are enriched with metadata from source in eBPF.
+Determines whether events are enriched with metadata at source in eBPF.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
From 61e4d8f28bbd0151ead7a69a2d98a7ab6292cf95 Mon Sep 17 00:00:00 2001
From: MishraSoumyaMS <78144677+MishraSoumyaMS@users.noreply.github.com>
Date: Mon, 6 Jan 2025 11:12:47 +0530
Subject: [PATCH 12/31] Update
remediate-malicious-email-delivered-office-365.md
---
.../remediate-malicious-email-delivered-office-365.md | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/defender-office-365/remediate-malicious-email-delivered-office-365.md b/defender-office-365/remediate-malicious-email-delivered-office-365.md
index 2806101e6f..e986828163 100644
--- a/defender-office-365/remediate-malicious-email-delivered-office-365.md
+++ b/defender-office-365/remediate-malicious-email-delivered-office-365.md
@@ -30,9 +30,10 @@ Remediation means to take a prescribed action against a threat. Malicious email
- There are throttling limits for large-scale remediations that help ensure stability and performance of the service:
- **Organization limits**: The maximum number of active, concurrent email remediations is 50. Once the limit is reached. no new remediations are triggered until some actions are completed.
- **Email message limits**: If an active remediation involves more than one million email messages, no new email remediations are allowed.
- - **Recipient requirements in remediations**: The total percentage of selected recipients must be at least 40% of the total email message count in the remediation. For example, if the remediation requires the deletion of 5000 email messages, the remediation must target at least 2000 recipients.
- - If the recipient count is less than 40% of the total email message count, ensure that the percentage of email messages per recipient doesn't exceed 20% of the total number of email messages submitted.
- - If the recipient count is less than 40% of the total email message count, the remediation can't be used to delete more than 1000 messages that were sent to a single recipient.
+ - **Recipient requirements in remediations**:
+
+ - The total percentage of selected recipients must be at least 40% of the total email message count in the remediation. For instance, if an email is sent to 5 recipients, Threat Explorer counts it as 5 emails. If the remediation requires the deletion of 5000 email messages, the remediation must target at least 2000 recipients.
+ - If the recipient count is less than 40% of the total email message count, the remediation can't be used to delete more than 1000 messages that were sent to a single recipient.
- You need to be assigned permissions before you can do the procedures in this article. Admins can take the required action on email messages, but the **Search and Purge** role is required to get those actions approved. To assign the **Search and Purge** role, you have the following options:
- [Microsoft Defender XDR Unified role based access control (RBAC)](/defender-xdr/manage-rbac) (If **Email & collaboration** \> **Defender for Office 365** permissions is :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **Active**. Affects the Defender portal only, not PowerShell): **Security operations/Security data/Email & collaboration advanced actions (manage)**.
@@ -108,6 +109,9 @@ Open any remediation item to view details about it, including its remediation na
- **Hard delete**: Purge the deleted message. Admins can recover hard deleted items using single-item recovery. For more information about hard deleted and soft deleted items, see [Soft-deleted and hard-deleted items](/compliance/assurance/assurance-exchange-online-data-deletion#soft-deleted-and-hard-deleted-items).
+ > [!NOTE]
+ > In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD) admins can take **Soft delete**, **Move to junk folder**, **Move to deleted items**, **Hard delete**,**Move to inbox** action, **Delete sender's copy** and **Move to inbox** from qurantine folder are not availabe.
+
Suspicious messages are categorized as either remediable or nonremediable. In most cases, remediable and nonremediable messages combine equals total messages submitted. But in rare cases this may not be true. This can happen because of system delays, timeouts, or expired messages. Messages expire based on the Explorer retention period for your organization.
Unless you're remediating old messages after your organization's Explorer retention period, it's advisable to retry remediating items if you see number inconsistencies. For system delays, remediation updates are typically refreshed within a few hours.
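Review bot: the added GCC note is garbled and should be rewritten before it ships: `**Hard delete**,**Move to inbox** action, **Delete sender's copy** and **Move to inbox** from qurantine folder are not availabe.` has typos ("qurantine", "availabe"), a missing space after the comma, and lists **Move to inbox** both among the actions admins can take and among the ones that are not available. Split it into two explicit lists (actions available in GCC, GCC High, and DoD, and actions that are not) so a reader can tell which is which.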
@@ -154,3 +158,4 @@ In case of remediating large batches of email, export the messages sent for reme
:::image type="content" source="media/microsoft-365-defender-advanced-hunting-actions-pane.png" lightbox="media/microsoft-365-defender-advanced-hunting-actions-pane.png" alt-text="The Advanced Hunting, Take Actions panel with your choice of actions.":::
Remediation mitigates threats, addresses suspicious emails, and helps keep an organization secure.
+
From b9b99831a774b5f6cff032d03b49f9db2294df53 Mon Sep 17 00:00:00 2001
From: Chris Davis
Date: Mon, 6 Jan 2025 08:40:57 -0800
Subject: [PATCH 13/31] Update date and clarify Explorer references
---
...te-malicious-email-delivered-office-365.md | 22 +++++++++----------
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/defender-office-365/remediate-malicious-email-delivered-office-365.md b/defender-office-365/remediate-malicious-email-delivered-office-365.md
index e986828163..e68e9f6b2e 100644
--- a/defender-office-365/remediate-malicious-email-delivered-office-365.md
+++ b/defender-office-365/remediate-malicious-email-delivered-office-365.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
search.appverid: MET150
description: Threat remediation
ms.service: defender-office-365
-ms.date: 12/18/2024
+ms.date: 01/06/2025
appliesto:
- ✅ Microsoft Defender for Office 365 Plan 2
---
@@ -31,9 +31,8 @@ Remediation means to take a prescribed action against a threat. Malicious email
- **Organization limits**: The maximum number of active, concurrent email remediations is 50. Once the limit is reached. no new remediations are triggered until some actions are completed.
- **Email message limits**: If an active remediation involves more than one million email messages, no new email remediations are allowed.
- **Recipient requirements in remediations**:
-
- - The total percentage of selected recipients must be at least 40% of the total email message count in the remediation. For instance, if an email is sent to 5 recipients, Threat Explorer counts it as 5 emails. If the remediation requires the deletion of 5000 email messages, the remediation must target at least 2000 recipients.
- - If the recipient count is less than 40% of the total email message count, the remediation can't be used to delete more than 1000 messages that were sent to a single recipient.
+ - The total percentage of selected recipients must be at least 40% of the total email message count in the remediation. For instance, if an email is sent to 5 recipients, Explorer (Threat Explorer) counts it as 5 email messages. If the remediation requires the deletion of 5000 email messages, the remediation must target at least 2000 recipients.
+ - If the recipient count is less than 40% of the total email message count, the remediation can't be used to delete more than 1000 messages that were sent to a single recipient.
- You need to be assigned permissions before you can do the procedures in this article. Admins can take the required action on email messages, but the **Search and Purge** role is required to get those actions approved. To assign the **Search and Purge** role, you have the following options:
- [Microsoft Defender XDR Unified role based access control (RBAC)](/defender-xdr/manage-rbac) (If **Email & collaboration** \> **Defender for Office 365** permissions is :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **Active**. Affects the Defender portal only, not PowerShell): **Security operations/Security data/Email & collaboration advanced actions (manage)**.
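Review bot: The context line "Once the limit is reached. no new remediations are triggered" has a period where a comma belongs; since this hunk is already reflowing the limits list, change it to "Once the limit is reached, no new remediations are triggered" in the same change.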
@@ -43,15 +42,15 @@ Remediation means to take a prescribed action against a threat. Malicious email
## Manual and automated remediation
-*Manual hunting* occurs when security teams identify threats manually by using the search and filtering capabilities in Explorer. Manual email remediation can be triggered through any email view (*Malware*, *Phish*, or *All email*) after you identify a set of emails that need to be remediated.
+*Manual hunting* occurs when security teams identify threats manually by using the search and filtering capabilities in Explorer (Threat Explorer). Manual email remediation can be triggered through any email view (*Malware*, *Phish*, or *All email*) after you identify a set of emails that need to be remediated.
-:::image type="content" source="media/microsoft-365-defender-threat-explorer-manual-remediation.png" lightbox="media/microsoft-365-defender-threat-explorer-manual-remediation.png" alt-text="Screenshot of manual hunting in Office 365 Explorer by date.":::
+:::image type="content" source="media/microsoft-365-defender-threat-explorer-manual-remediation.png" lightbox="media/microsoft-365-defender-threat-explorer-manual-remediation.png" alt-text="Screenshot of manual hunting in Explorer (Threat Explorer) by date.":::
Security teams can use Explorer to select emails in several ways:
- Choose emails by hand: Use filters in various views. Select up to 100 emails to remediate.
-- Query selection: Select an entire query by using the top **select all** button. The same query is also shown in action center mail submission details. Customers can submit maximum 200,000 emails from threat explorer.
+- Query selection: Select an entire query by using the top **select all** button. The same query is also shown in action center mail submission details. Customers can submit maximum 200,000 emails from Explorer.
- Query selection with exclusion: Sometimes security operations teams may want to remediate emails by selecting an entire query and excluding certain emails from the query manually. To do so, an admin can use the **Select all** check box and scroll down to exclude emails manually. The query can hold a maximum of 200,000 emails.
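Review bot: "Customers can submit maximum 200,000 emails from Explorer." in the rewritten query-selection bullet is missing an article; make it "Customers can submit a maximum of 200,000 email messages from Explorer." so it also matches the "email messages" wording this patch adopts elsewhere.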
@@ -79,7 +78,7 @@ Unified Action Center shows remediation actions for the past 30 days. Actions ta
Open any remediation item to view details about it, including its remediation name, approval Id, Investigation Id, creation date, description, status, action source, action type, decided by, status. It also opens a side pane with action details, email cluster details, alert and Incident details.
- *Open Investigation page* this opens up an admin Investigation that contains fewer details and tabs. It shows details like: related alert, entity selected for remediation, action taken, remediation status, entity count, logs, approver of action. This investigation keeps a track of investigation done by the admin manually and contains details to selections made by the admin, hence is called admin action investigation. No need to act on the investigation and alert its already in approved state.
-- *Email count* Displays the number of emails submitted through Threat Explorer. These emails can be actionable or not actionable.
+- *Email count* Displays the number of emails submitted through Explorer. These emails can be actionable or not actionable.
- *Action logs* Show the details of remediation statuses like successful, failed, and already in destination.
:::image type="content" source="media/microsoft-365-defender-action-center-history-panel.png" lightbox="media/microsoft-365-defender-action-center-history-panel.png" alt-text="The Action Center with the Move to Inbox option open.":::
@@ -110,7 +109,7 @@ Open any remediation item to view details about it, including its remediation na
- **Hard delete**: Purge the deleted message. Admins can recover hard deleted items using single-item recovery. For more information about hard deleted and soft deleted items, see [Soft-deleted and hard-deleted items](/compliance/assurance/assurance-exchange-online-data-deletion#soft-deleted-and-hard-deleted-items).
> [!NOTE]
- > In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD) admins can take **Soft delete**, **Move to junk folder**, **Move to deleted items**, **Hard delete**,**Move to inbox** action, **Delete sender's copy** and **Move to inbox** from qurantine folder are not availabe.
+ > In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD) admins can take the actions **Soft delete**, **Move to junk folder**, **Move to deleted items**, **Hard delete**, and **Move to inbox**. The actions **Delete sender's copy** and **Move to inbox** from qurantine folder aren't available.
Suspicious messages are categorized as either remediable or nonremediable. In most cases, remediable and nonremediable messages combine equals total messages submitted. But in rare cases this may not be true. This can happen because of system delays, timeouts, or expired messages. Messages expire based on the Explorer retention period for your organization.
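Review bot: The rewritten GCC note lists **Move to inbox** both among the actions admins can take and among the actions that aren't available ("**Delete sender's copy** and **Move to inbox** from qurantine folder aren't available"), which reads as a contradiction. If the intent is that moving to inbox is available in general but not from quarantine, say so explicitly, for example "**Delete sender's copy** and **Move to inbox** from the quarantine folder aren't available". The "qurantine" typo from the original line is also carried over; change it to "quarantine".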
@@ -145,9 +144,9 @@ Open any remediation item to view details about it, including its remediation na
- **Already in destination**: The desired action was already taken on the email OR the email already existed in the destination location. For example: An email was soft deleted by the admin through Explorer on day one. Then similar emails show up on day 2, which are again soft deleted by the admin. While selecting these emails, admin ends up picking some emails from day one that are already soft deleted. Now these emails won't be acted upon again, they'll just show as "already in destination", since no action was taken on them as they existed in the destination location.
- - **New**: An *Already in destination* column has been added in the Action Log. This feature uses the latest delivery location in Threat Explorer to signal if the mail has already been remediated. *Already in destination* helps security teams understand the total number of messages that still need to be addressed.
+ - **New**: An *Already in destination* column has been added in the Action Log. This feature uses the latest delivery location in Explorer to signal if the mail has already been remediated. *Already in destination* helps security teams understand the total number of messages that still need to be addressed.
-Actions can only be taken on messages in Inbox, Junk, Deleted, and Soft Deleted folders of Threat Explorer. Here's an example of how the new column works. A *soft delete action* takes place on the message present in the Inbox, then the message is handled according to policies. The next time a soft delete is performed, this message will show under the column 'Already in destination' signaling it doesn't need to be addressed again.
+Actions can only be taken on messages in the Inbox, Junk, Deleted, and Soft Deleted folders of Explorer. Here's an example of how the new column works. A *soft delete action* takes place on the message present in the Inbox, then the message is handled according to policies. The next time a soft delete is performed, this message will show under the column 'Already in destination' signaling it doesn't need to be addressed again.
Select any item in the action log to display remediation details. If the details say "successful" or "not found in mailbox", that item was already removed from the mailbox. Sometimes there's a system error during remediation. In those cases, it's a good idea to retry the remediation action.
@@ -158,4 +157,3 @@ In case of remediating large batches of email, export the messages sent for reme
:::image type="content" source="media/microsoft-365-defender-advanced-hunting-actions-pane.png" lightbox="media/microsoft-365-defender-advanced-hunting-actions-pane.png" alt-text="The Advanced Hunting, Take Actions panel with your choice of actions.":::
Remediation mitigates threats, addresses suspicious emails, and helps keep an organization secure.
-
From 115d823035d641d18a422c43950d19d26b59a988 Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Wed, 8 Jan 2025 11:24:38 -0800
Subject: [PATCH 14/31] Learn Editor: Update
troubleshoot-av-performance-issues-with-wprui.md
---
...eshoot-av-performance-issues-with-wprui.md | 61 ++++++++++++++-----
1 file changed, 47 insertions(+), 14 deletions(-)
diff --git a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
index 75cb45eedc..2310191ad2 100644
--- a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
+++ b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
@@ -21,6 +21,12 @@ ms.custom:
# Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI
+> [!TIP]
+> First review common reasons for performance issues such as high cpu in [Troubleshoot performance issues related to Microsoft Defender Antivirus real-time protection (rtp) or scans (scheduled or on-demand](/defender-endpoint/troubleshoot-performance-issues)).
+> Then, run the [Microsoft Defender Antivirus Performance Analyzer](/defender-endpoint/tune-performance-defender-antivirus) which makes analyzing the reason for a high cpu in Microsoft Defender Antivirus (Antimalware Service Executable or Microsoft Defender Antivirus service or MsMpEng.exe)
+> If for any reason, the Microsoft Defender Antivirus Performance Analyzer doesn't provide with the root cause of the high cpu utilization, then, next run [Processor Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon) to find narrow down or root cause the high cpu utilization in Microsoft Defender Antivirus.
+> And the last tool in the toolbelt is to run a Windows Performance Recorder UI (WPRUI) or Windows Performance Recorded (WPR command-line) discussed in this article.
+
## Capture performance logs using Windows Performance Recorder
Windows Performance Recorder (WPR) is a powerful recording tool that creates Event Tracing for Windows recordings and allows you to include additional information in your submission to Microsoft support.
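Review bot: The new TIP block needs a copy pass before merge. The first link's closing parenthesis sits outside the link text ("(scheduled or on-demand](/defender-endpoint/troubleshoot-performance-issues))"), so move the ")" inside the brackets; "cpu" and "rtp" should be "CPU" and "RTP"; the second sentence has no predicate ("which makes analyzing the reason for a high cpu in ... (... MsMpEng.exe)" presumably wants "easier"); "doesn't provide with the root cause" should be "doesn't identify the root cause"; "Processor Monitor" should be "Process Monitor", matching the linked article; "to find narrow down or root cause" should be "to narrow down or find the root cause of"; and "Windows Performance Recorded (WPR command-line)" should be "Windows Performance Recorder (WPR command line)".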
@@ -29,6 +35,33 @@ WPR is part of the Windows Assessment and Deployment Kit (Windows ADK) and can b
Alternatively, follow the steps in [Capture performance logs using the WPR UI](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Ftroubleshoot-performance-issues.md/main/ae28f1cf-14bc-fb9c-5f0c-873a683e907c/?branch=main&branchFallbackFrom=main%2C), or use the command-line tool *wpr.exe* [Capture performance logs using the WPR CLI](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Ftroubleshoot-performance-issues.md/main/ae28f1cf-14bc-fb9c-5f0c-873a683e907c/?branch=main&branchFallbackFrom=main%2C). Both are available in Windows 8 and later versions.
+There are two ways to capture a Windows Performance Recorder (WPRUI) trace:
+
+Using the MDE Client Analyzer
+
+Manually
+
+## Using the MDE Client Analyzer
+
+1. Download the [MDE Client Analyzer ](/defender-endpoint/download-client-analyzer).
+
+1. Run the MDE Client Analyzer using [Live Response or locally](/defender-endpoint/run-analyzer-windows).
+
+> [!TIP]
+> Before starting the trace, please make sure that the issue is reproducible. Additionally, close any applications that do not contribute to the reproduction of the issue.
+
+
+
+1. Run the MDE Client Analyzer with the -a and -v switches
+
+ PowerShellCopy
+
+ ```
+ C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd
+ ```
+
+## Manually:
+
### Capture performance logs using the WPR UI
> [!TIP]
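Review bot: The new "Using the MDE Client Analyzer" section has several problems. "There are two ways to capture a Windows Performance Recorder (WPRUI) trace:" followed by the bare lines "Using the MDE Client Analyzer" and "Manually" should be a bullet list. "PowerShellCopy" is button text pasted from the rendered docs page, not content; remove it. The untagged fence shows only `C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd`, but the step says to run it with the -a and -v switches, so the command should include them and the fence should be tagged (the file already uses ```console). The blank lines and the TIP admonition between steps 2 and 3 break the numbered list, which is why numbering restarts; indent the admonition under the step or move it ahead of the list. The heading "## Manually:" should lose the trailing colon, and the link text "[MDE Client Analyzer ]" has a trailing space. Finally, the context line above links to /editor/MicrosoftDocs/defender-docs-pr/... URLs, which are Learn authoring-editor links rather than public article paths and will not resolve for readers; point them at the published article paths.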
@@ -39,26 +72,26 @@ Alternatively, follow the steps in [Capture performance logs using the WPR UI](/
1. Under *Windows Kits*, right-click **Windows Performance Recorder**.
![Screenshot showing the Start menu](media/wpr-01.png)
-
+
1. Select **More**. Select **Run as administrator**.
1. Right-click **Yes** when the User Account Control dialog box appears.
![Screenshot showing the UAC page.](media/wpt-yes.png)
-
+
1. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `MDAV.wprp` to a folder such as `C:\temp`.
1. In the WPR dialog box, select **More options**.
![Screenshot showing the page where you can select more options](media/wpr-03.png)
-
+
1. Select **Add Profiles...** and browse to the path of the `MDAV.wprp` file.
1. A new profile named Microsoft Defender for Endpoint analysis should appear under Custom measurements.
![Screenshot showing the in-file.](media/wpr-infile.png)
-
- > [!WARNING]
+
+ > [!WARNING]
> If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system consumes a high amount of non-paged pool memory or buffers, leading to system instability. Explore **Resource Analysis** to choose profiles to add.
> This custom profile provides the necessary context for in-depth performance analysis.
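Review bot: Apart from the indentation change to the "> [!WARNING]" line, every change in this hunk replaces a blank-looking line with another blank-looking line, i.e. it only adds or strips trailing whitespace. That is invisible in review and easy to revert accidentally; confirm the editor is not inserting trailing spaces, and if the whitespace is intentional (a Markdown hard line break), say so in the commit message.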
@@ -80,11 +113,11 @@ Alternatively, follow the steps in [Capture performance logs using the WPR UI](/
1. Now you're ready to collect data. Close all unnecessary applications. Click **Hide options** to keep the space occupied by the WPR window small.
![Screenshot showing the Hide options.](media/wpr-08.png)
-
+
1. Select **Start**.
![Screenshot showing the Record system information page.](media/wpr-09.png)
-
+
1. Reproduce the issue.
> [!TIP]
@@ -93,25 +126,25 @@ Alternatively, follow the steps in [Capture performance logs using the WPR UI](/
1. Select **Save**.
![Screenshot showing the Save option.](media/wpr-10.png)
-
+
1. Fill in **Type in a detailed description of the problem:** with information about the problem and how you reproduced the issue.
![Screenshot showing the pane in which you fill.](media/wpr-12.png)
-
+
1. Select **File Name:** to determine where your trace file is saved. By default, it's saved to `%user%\Documents\WPR Files\`.
- 1. Select **Save**.
+1. Select **Save**.
![Screenshot showing the WPR gathering general trace.](media/wpr-13.png)
-
+
1. After the trace has been merged and saved, right-click **Open folder**.
![Screenshot that displays the notification that WPR trace has been saved.](media/wpr-14.png)
-
- Include both the file and the folder in your submission to Microsoft Support.
+
+ Include both the file and the folder in your submission to Microsoft Support.
![Screenshot showing the details of the file and the folder.](media/wpr-15.png)
-
+
### Capture performance logs using the WPR CLI
To collect a WPR trace using the command-line tool wpr.exe:
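Review bot: Changing " 1. Select **Save**." to "1. Select **Save**." promotes what was a nested sub-step under "Select **File Name:**" to a top-level step, and the "Include both the file and the folder in your submission to Microsoft Support." line is re-indented at the same time; confirm this nesting change is intended, because it changes the step numbering in the rendered procedure. The rest of the hunk is whitespace-only, as in the preceding hunks.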
From 5802703f4b1bb28f48d6312e810349955599704d Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Wed, 8 Jan 2025 11:25:04 -0800
Subject: [PATCH 15/31] Learn Editor: Update
troubleshoot-av-performance-issues-with-wprui.md
---
.../troubleshoot-av-performance-issues-with-wprui.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
index 2310191ad2..37a176484b 100644
--- a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
+++ b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
@@ -22,7 +22,7 @@ ms.custom:
# Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI
> [!TIP]
-> First review common reasons for performance issues such as high cpu in [Troubleshoot performance issues related to Microsoft Defender Antivirus real-time protection (rtp) or scans (scheduled or on-demand](/defender-endpoint/troubleshoot-performance-issues)).
+> First, review common reasons for performance issues such as high cpu in [Troubleshoot performance issues related to Microsoft Defender Antivirus real-time protection (rtp) or scans (scheduled or on-demand](/defender-endpoint/troubleshoot-performance-issues)).
> Then, run the [Microsoft Defender Antivirus Performance Analyzer](/defender-endpoint/tune-performance-defender-antivirus) which makes analyzing the reason for a high cpu in Microsoft Defender Antivirus (Antimalware Service Executable or Microsoft Defender Antivirus service or MsMpEng.exe)
> If for any reason, the Microsoft Defender Antivirus Performance Analyzer doesn't provide with the root cause of the high cpu utilization, then, next run [Processor Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon) to find narrow down or root cause the high cpu utilization in Microsoft Defender Antivirus.
> And the last tool in the toolbelt is to run a Windows Performance Recorder UI (WPRUI) or Windows Performance Recorded (WPR command-line) discussed in this article.
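Review bot: This hunk only inserts a comma after "First", while the rest of the line still has the link's closing parenthesis outside the link text ("(scheduled or on-demand](/defender-endpoint/troubleshoot-performance-issues))") and lowercase "cpu"/"rtp"; since the line is being touched anyway, fix those in the same change rather than in a separate commit.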
From 70e1b1b2ee0e162e3109e6688c7dcc6f11e9ee1a Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Wed, 8 Jan 2025 11:26:51 -0800
Subject: [PATCH 16/31] Learn Editor: Update
troubleshoot-av-performance-issues-with-wprui.md
---
...eshoot-av-performance-issues-with-wprui.md | 53 +++++++++----------
1 file changed, 26 insertions(+), 27 deletions(-)
diff --git a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
index 37a176484b..e2770aec9a 100644
--- a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
+++ b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
@@ -45,14 +45,13 @@ Manually
1. Download the [MDE Client Analyzer ](/defender-endpoint/download-client-analyzer).
-1. Run the MDE Client Analyzer using [Live Response or locally](/defender-endpoint/run-analyzer-windows).
+2. Run the MDE Client Analyzer using [Live Response or locally](/defender-endpoint/run-analyzer-windows).
> [!TIP]
> Before starting the trace, please make sure that the issue is reproducible. Additionally, close any applications that do not contribute to the reproduction of the issue.
-
-1. Run the MDE Client Analyzer with the -a and -v switches
+3. Run the MDE Client Analyzer with the -a and -v switches
PowerShellCopy
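Review bot: Replacing "1." with explicit "2." and "3." works around the list being broken by the intervening TIP and blank lines, but the rest of this repo's procedures use "1." for every item and let Markdown number them; the better fix is to indent the TIP under step 2 so the list continues and keep "1.". The "PowerShellCopy" residue line in the trailing context still needs to be removed as well.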
@@ -69,25 +68,25 @@ Manually
1. Download and install WPR.
-1. Under *Windows Kits*, right-click **Windows Performance Recorder**.
+2. Under *Windows Kits*, right-click **Windows Performance Recorder**.
![Screenshot showing the Start menu](media/wpr-01.png)
-1. Select **More**. Select **Run as administrator**.
+3. Select **More**. Select **Run as administrator**.
-1. Right-click **Yes** when the User Account Control dialog box appears.
+4. Right-click **Yes** when the User Account Control dialog box appears.
![Screenshot showing the UAC page.](media/wpt-yes.png)
-1. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `MDAV.wprp` to a folder such as `C:\temp`.
+5. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `MDAV.wprp` to a folder such as `C:\temp`.
-1. In the WPR dialog box, select **More options**.
+6. In the WPR dialog box, select **More options**.
![Screenshot showing the page where you can select more options](media/wpr-03.png)
-1. Select **Add Profiles...** and browse to the path of the `MDAV.wprp` file.
+7. Select **Add Profiles...** and browse to the path of the `MDAV.wprp` file.
-1. A new profile named Microsoft Defender for Endpoint analysis should appear under Custom measurements.
+8. A new profile named Microsoft Defender for Endpoint analysis should appear under Custom measurements.
![Screenshot showing the in-file.](media/wpr-infile.png)
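Review bot: Step 4 in this hunk, "Right-click **Yes** when the User Account Control dialog box appears", is wrong in substance: the UAC prompt is dismissed by selecting **Yes**, not by right-clicking it, and the CLI procedure later in the same file already says "Select **Yes** in the User Account Control dialog box". Change it to "Select **Yes**" while renumbering the step.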
@@ -95,7 +94,7 @@ Manually
> If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system consumes a high amount of non-paged pool memory or buffers, leading to system instability. Explore **Resource Analysis** to choose profiles to add.
> This custom profile provides the necessary context for in-depth performance analysis.
-1. To use the custom measurement Microsoft Defender for Endpoint verbose analysis profile in the WPR UI:
+9. To use the custom measurement Microsoft Defender for Endpoint verbose analysis profile in the WPR UI:
1. Ensure no profiles are selected under the *First-level triage*, *Resource Analysis* and *Scenario Analysis* groups.
@@ -110,34 +109,34 @@ Manually
> [!IMPORTANT]
> Select **File** to use the file logging mode if you can directly reproduce the performance issue. Most issues fall under this category. However, if you cannot directly reproduce the issue, select Memory to use the memory logging mode. This prevents the trace log from inflating excessively due to long run times.
-1. Now you're ready to collect data. Close all unnecessary applications. Click **Hide options** to keep the space occupied by the WPR window small.
+10. Now you're ready to collect data. Close all unnecessary applications. Click **Hide options** to keep the space occupied by the WPR window small.
![Screenshot showing the Hide options.](media/wpr-08.png)
-1. Select **Start**.
+11. Select **Start**.
![Screenshot showing the Record system information page.](media/wpr-09.png)
-1. Reproduce the issue.
+12. Reproduce the issue.
> [!TIP]
> Limit the data collection to a maximum of five minutes. Ideally, aim for two to three minutes, as a significant amount of data is being collected.
-1. Select **Save**.
+13. Select **Save**.
![Screenshot showing the Save option.](media/wpr-10.png)
-1. Fill in **Type in a detailed description of the problem:** with information about the problem and how you reproduced the issue.
+14. Fill in **Type in a detailed description of the problem:** with information about the problem and how you reproduced the issue.
![Screenshot showing the pane in which you fill.](media/wpr-12.png)
-1. Select **File Name:** to determine where your trace file is saved. By default, it's saved to `%user%\Documents\WPR Files\`.
+15. Select **File Name:** to determine where your trace file is saved. By default, it's saved to `%user%\Documents\WPR Files\`.
-1. Select **Save**.
+16. Select **Save**.
![Screenshot showing the WPR gathering general trace.](media/wpr-13.png)
-1. After the trace has been merged and saved, right-click **Open folder**.
+17. After the trace has been merged and saved, right-click **Open folder**.
![Screenshot that displays the notification that WPR trace has been saved.](media/wpr-14.png)
@@ -151,11 +150,11 @@ To collect a WPR trace using the command-line tool wpr.exe:
1. Download **[Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp)** performance trace profile as `MDAV.wprp` in a local directory such as `C:\traces`.
-1. Right-click the **Start Menu** icon and select **Windows PowerShell (Admin)** or **Command Prompt (Admin)** to open an Admin command prompt window.
+2. Right-click the **Start Menu** icon and select **Windows PowerShell (Admin)** or **Command Prompt (Admin)** to open an Admin command prompt window.
-1. Select **Yes** in the User Account Control dialog box.
+3. Select **Yes** in the User Account Control dialog box.
-1. At the **Command Prompt (Admin)**, run the following command to start a Microsoft Defender for Endpoint performance trace:
+4. At the **Command Prompt (Admin)**, run the following command to start a Microsoft Defender for Endpoint performance trace:
```console
@@ -166,20 +165,20 @@ To collect a WPR trace using the command-line tool wpr.exe:
> [!WARNING]
> If your Windows Server has 64 GB of RAM or more, use profiles `WDForLargeServers.Light` and `WDForLargeServers.Verbose` instead of profiles `WD.Light` and `WD.Verbose`, respectively. Otherwise, your system consumes a high amount of non-paged pool memory or buffers, leading to system instability.
-1. Reproduce the issue.
+5. Reproduce the issue.
> [!TIP]
> Limit the data collection to a maximum of five minutes. Ideally, aim for two to three minutes, as a significant amount of data is being collected.
-1. At the **Command Prompt (Admin)**, run the following command to start a Microsoft Defender for Endpoint performance trace:
+6. At the **Command Prompt (Admin)**, run the following command to start a Microsoft Defender for Endpoint performance trace:
```console
wpr.exe -stop merged.etl "Timestamp when the issue was reproduced, in HH:MM:SS format" "Description of the issue" "Any error that popped up"
```
-1. Wait until the trace is merged.
+7. Wait until the trace is merged.
-1. Include both the file and the folder in your submission to Microsoft Support.
+8. Include both the file and the folder in your submission to Microsoft Support.
## See also
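Review bot: Step 6 says "run the following command to start a Microsoft Defender for Endpoint performance trace", but the command that follows is `wpr.exe -stop merged.etl ...`, which stops and saves the trace. The sentence was copied from step 4; change it to "run the following command to stop the trace and save it as merged.etl" so the reader does not start a second trace by mistake.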
@@ -187,4 +186,4 @@ To collect a WPR trace using the command-line tool wpr.exe:
- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
-[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
+[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
\ No newline at end of file
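Review bot: The only change to the last line is that the file now ends without a trailing newline ("\ No newline at end of file"). Keep the newline at end of file; otherwise every later edit to this file will show this INCLUDE line as changed again.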
From ebb93d69a140e1edd985e816860308dd4becb9f3 Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Wed, 8 Jan 2025 13:37:44 -0800
Subject: [PATCH 17/31] Learn Editor: Update
troubleshoot-av-performance-issues-with-wprui.md
---
...leshoot-av-performance-issues-with-wprui.md | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
index e2770aec9a..1f92ff8b5f 100644
--- a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
+++ b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
@@ -140,9 +140,9 @@ Manually
![Screenshot that displays the notification that WPR trace has been saved.](media/wpr-14.png)
- Include both the file and the folder in your submission to Microsoft Support.
-
- ![Screenshot showing the details of the file and the folder.](media/wpr-15.png)
+```
+ Include both the file and the folder in your submission to Microsoft Support.
+``` ![Screenshot showing the details of the file and the folder.](media/wpr-15.png)
### Capture performance logs using the WPR CLI
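Review bot: This hunk wraps the prose sentence "Include both the file and the folder in your submission to Microsoft Support." in a code fence and puts the closing fence on the same line as the screenshot ("``` ![Screenshot showing the details of the file and the folder.](media/wpr-15.png)"). The sentence is an instruction, not code, and a closing fence with text after it on the same line does not reliably close the block, so the image may render inside it. Revert to the plain indented sentence and keep the image on its own line.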
@@ -182,8 +182,20 @@ To collect a WPR trace using the command-line tool wpr.exe:
## See also
+- [Run the client analyzer on Windows](/defender-endpoint/run-analyzer-windows)
+
- [Collect Microsoft Defender Antivirus diagnostic data](collect-diagnostic-data.md)
+
+- [Troubleshoot Microsoft Defender Antivirus settings](/defender-endpoint/troubleshoot-settings)
+
- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+
+- [Troubleshoot performance issues related to Microsoft Defender Antivirus](/defender-endpoint/troubleshoot-performance-issues)
+
- [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
+- [Troubleshoot Microsoft Defender Antivirus performance issues with Process Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon)
+
+- [Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI](/defender-endpoint/troubleshoot-av-performance-issues-with-wprui)
+
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
\ No newline at end of file
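Review bot: The expanded See also list is inconsistent (a blank line between most items but none between the Performance analyzer and Process Monitor entries) and links the article to itself ("Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI" is this file); drop the self-link and use the same spacing throughout. The file also still ends without a trailing newline.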
From 6f03a64230d7c96afc3b16c2817b7d90703dc4a3 Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Wed, 8 Jan 2025 13:37:56 -0800
Subject: [PATCH 18/31] Learn Editor: Update
troubleshoot-av-performance-issues-with-wprui.md
From a01b83906b0520c0846357ded8cfeee3c37e398f Mon Sep 17 00:00:00 2001
From: lakshmyav <108449150+lakshmyav@users.noreply.github.com>
Date: Mon, 13 Jan 2025 11:03:46 +0530
Subject: [PATCH 19/31] feedback
---
defender-endpoint/linux-preferences.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
index dc641f1e1e..b748b61f4c 100644
--- a/defender-endpoint/linux-preferences.md
+++ b/defender-endpoint/linux-preferences.md
@@ -502,7 +502,7 @@ Specifies a process for which all file activity is excluded from scanning. The p
The following settings can be configured to enable certain advanced scanning features.
> [!IMPORTANT]
-> Enabling these features might impact device performance. As such, it is recommended to keep the defaults.
+> Enabling these features might impact device performance. As such, it is recommended to keep the defaults unless recommended otherwise by Microsoft Support.
##### Configure scanning of file modify permissions events
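Review bot: "it is recommended to keep the defaults unless recommended otherwise by Microsoft Support" repeats "recommended"; "keep the defaults unless Microsoft Support advises otherwise" reads better. The same wording appears in the second hunk of this patch and should be changed there too.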
@@ -638,7 +638,7 @@ Depending on the enforcement level, the automatic security intelligence updates
The following settings can be configured to enable certain advanced features.
>[!IMPORTANT]
->Enabling these features might impact device performance. It is recommended to keep the defaults.
+>Enabling these features might impact device performance. It is recommended to keep the defaults unless recommended otherwise by Microsoft Support.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
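Review bot: the callout in this hunk is written `>[!IMPORTANT]` and `>Enabling` with no space after `>`, whereas the matching callout earlier in the same file uses `> [!IMPORTANT]`; since the `+` line is being touched anyway, normalise to `> `, and drop the repeated "recommended" ("unless Microsoft Support advises otherwise").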
From 61b8accdf14c9c53bac8132705d0e639e36e62a1 Mon Sep 17 00:00:00 2001
From: Ravi Kiran Allumalla
Date: Mon, 13 Jan 2025 12:44:11 +0530
Subject: [PATCH 20/31] 2411 release notes
---
defender-endpoint/linux-whatsnew.md | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/defender-endpoint/linux-whatsnew.md b/defender-endpoint/linux-whatsnew.md
index 13878c72ca..0e7501f8cb 100644
--- a/defender-endpoint/linux-whatsnew.md
+++ b/defender-endpoint/linux-whatsnew.md
@@ -43,6 +43,35 @@ This article is updated frequently to let you know what's new in the latest rele
## Releases for Defender for Endpoint on Linux
+### Jan-2025 Build: 101.24112.0001 | Release version: 30.124112.0001.0
+
+| Build: | **101.24112.0001** |
+|--------------------|-----------------------|
+| Released: | **January 13, 2025** |
+| Published: | **January 13, 2025** |
+| Release version: | **30.124112.0001.0** |
+| Engine version: | **1.1.24090.13** |
+| Signature version: | **1.421.226.0** |
+
+#### What's new
+
+- Upgraded the Bond version to 13.0.1 to address security vulnerabilities in versions 12 or lower.
+
+- Mdatp package no longer has a dependency on selinux packages.
+
+- User can now query the status of supplementary event provider eBPF using the threat hunting query in DeviceTvmInfoGathering. To learn more about this query check: [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-support-ebpf). The result of this query can return the following two values as eBPF status:
+ - Enabled: When eBPF is enabled as working as expected.
+ - Disabled: When eBPF is disabled due to one of the following reasons:
+ - When MDE is using auditD as a supplementary sensor
+ - When eBPF is not present and we fallback to Netlink as supplementory event provider
+ - There is no supplementary sensor present.
+
+- Starting from 2411, the MDATP package release to Production on packages.microsoft.com will follow a gradual rollout mechanism which spans over a week. The other release rings, insiderFast and insiderSlow, are unaffected by this change.
+
+- Stability and performance improvements.
+
+- Critical bugs fixes around definition update flow.
+
### Jan-2025 Build: 101.24102.0000 | Release version: 30.124102.0000.0
| Build: | **101.24102.0000** |
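Review bot: the added What's new bullets carry several typos that should be fixed before merge: "enabled as working as expected" should read "enabled and working as expected", "supplementory" should be "supplementary", "we fallback to Netlink" should be "we fall back to Netlink", and "Critical bugs fixes" should be "Critical bug fixes". Also check the nesting of the "Enabled"/"Disabled" sub-bullets and the three reasons under "Disabled": they are indented by a single space, which most Markdown renderers treat as top-level siblings rather than nested items; use two or four spaces. Finally, the Bond upgrade bullet says it addresses "security vulnerabilities in versions 12 or lower" without naming them; if advisory identifiers are available, link them so readers can assess their exposure.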
From 924643ede120830d3fa0a68ea9e06b275f65cd5e Mon Sep 17 00:00:00 2001
From: Emm Walsh
Date: Mon, 13 Jan 2025 11:05:04 +0000
Subject: [PATCH 21/31] =?UTF-8?q?=C3=A8dits?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
...eshoot-av-performance-issues-with-wprui.md | 78 +++++++++----------
1 file changed, 39 insertions(+), 39 deletions(-)
diff --git a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
index 1f92ff8b5f..318d5af2c3 100644
--- a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
+++ b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
@@ -22,10 +22,10 @@ ms.custom:
# Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI
> [!TIP]
-> First, review common reasons for performance issues such as high cpu in [Troubleshoot performance issues related to Microsoft Defender Antivirus real-time protection (rtp) or scans (scheduled or on-demand](/defender-endpoint/troubleshoot-performance-issues)).
-> Then, run the [Microsoft Defender Antivirus Performance Analyzer](/defender-endpoint/tune-performance-defender-antivirus) which makes analyzing the reason for a high cpu in Microsoft Defender Antivirus (Antimalware Service Executable or Microsoft Defender Antivirus service or MsMpEng.exe)
-> If for any reason, the Microsoft Defender Antivirus Performance Analyzer doesn't provide with the root cause of the high cpu utilization, then, next run [Processor Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon) to find narrow down or root cause the high cpu utilization in Microsoft Defender Antivirus.
-> And the last tool in the toolbelt is to run a Windows Performance Recorder UI (WPRUI) or Windows Performance Recorded (WPR command-line) discussed in this article.
+> First, review common reasons for performance issues such as high CPU usage in [Troubleshoot performance issues related to Microsoft Defender Antivirus real-time protection (rtp) or scans (scheduled or on-demand](/defender-endpoint/troubleshoot-performance-issues)).
+> Then, run the [Microsoft Defender Antivirus Performance Analyzer](/defender-endpoint/tune-performance-defender-antivirus) to analyze the cause of high CPU usage in Microsoft Defender Antivirus (Antimalware Service Executable, Microsoft Defender Antivirus service, or MsMpEng.exe).
+> If the Microsoft Defender Antivirus Performance Analyzer does not identify the root cause of high CPU utilization, run [Processor Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon) to narrow down or determine the root cause of the high CPU utilization in Microsoft Defender Antivirus.
+> The final tool in your toolkit is to run the Windows Performance Recorder UI (WPRUI) or the Windows Performance Recorder (WPR command-line) as discussed in this article.
## Capture performance logs using Windows Performance Recorder
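Review bot: the first `+` line keeps the broken link from the `-` line: the link text "[Troubleshoot performance issues ... (scheduled or on-demand]" closes its square bracket before the parenthesis is closed, and a stray ")" follows the URL, so the rendered link text ends in an unmatched "(" and a literal ")" trails the link. Move the ")" inside the brackets: `... or scans (scheduled or on-demand)](/defender-endpoint/troubleshoot-performance-issues).` Also "rtp" should be "RTP" to match the capitalised "CPU" introduced on the same line.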
@@ -35,23 +35,23 @@ WPR is part of the Windows Assessment and Deployment Kit (Windows ADK) and can b
Alternatively, follow the steps in [Capture performance logs using the WPR UI](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Ftroubleshoot-performance-issues.md/main/ae28f1cf-14bc-fb9c-5f0c-873a683e907c/?branch=main&branchFallbackFrom=main%2C), or use the command-line tool *wpr.exe* [Capture performance logs using the WPR CLI](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Ftroubleshoot-performance-issues.md/main/ae28f1cf-14bc-fb9c-5f0c-873a683e907c/?branch=main&branchFallbackFrom=main%2C). Both are available in Windows 8 and later versions.
-There are two ways to capture a Windows Performance Recorder (WPRUI) trace:
+There are two ways to capture the Windows Performance Recorder (WPRUI) trace:
-Using the MDE Client Analyzer
+1. Using the MDE Client Analyzer
-Manually
+1. Manually
## Using the MDE Client Analyzer
1. Download the [MDE Client Analyzer ](/defender-endpoint/download-client-analyzer).
-2. Run the MDE Client Analyzer using [Live Response or locally](/defender-endpoint/run-analyzer-windows).
+1. Run the MDE Client Analyzer using [Live Response or locally](/defender-endpoint/run-analyzer-windows).
> [!TIP]
-> Before starting the trace, please make sure that the issue is reproducible. Additionally, close any applications that do not contribute to the reproduction of the issue.
+> Before starting the trace, make sure the issue is reproducible. Additionally, close any applications that do not contribute to the reproduction of the issue.
-3. Run the MDE Client Analyzer with the -a and -v switches
+1. Run the MDE Client Analyzer with the -a and -v switches
PowerShellCopy
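Review bot: the two links in the unchanged context line point at `/editor/MicrosoftDocs/defender-docs-pr/...?branch=main` URLs, which are editor-preview addresses rather than published paths and will not resolve for readers; since this hunk is already reworking the surrounding list, replace them with in-page anchors for "Capture performance logs using the WPR UI" and "Capture performance logs using the WPR CLI". The bare line "PowerShellCopy" below the last step also looks like copy-button residue from the source page rather than intended content; it should either be removed or become the language tag of the fence that follows.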
@@ -64,79 +64,79 @@ Manually
### Capture performance logs using the WPR UI
> [!TIP]
-> If multiple devices are experiencing this issue, try using the one with the most RAM.
+> If multiple devices are experiencing this issue, use the one with the most RAM.
1. Download and install WPR.
-2. Under *Windows Kits*, right-click **Windows Performance Recorder**.
+1. Under *Windows Kits*, right-click **Windows Performance Recorder**.
![Screenshot showing the Start menu](media/wpr-01.png)
-3. Select **More**. Select **Run as administrator**.
+1. Select **More**. Select **Run as administrator**.
-4. Right-click **Yes** when the User Account Control dialog box appears.
+1. Right-click **Yes** when the User Account Control dialog box appears.
![Screenshot showing the UAC page.](media/wpt-yes.png)
-5. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `MDAV.wprp` to a folder such as `C:\temp`.
+1. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `MDAV.wprp` to a folder such as `C:\temp`.
-6. In the WPR dialog box, select **More options**.
+1. In the WPR dialog box, select **More options**.
![Screenshot showing the page where you can select more options](media/wpr-03.png)
-7. Select **Add Profiles...** and browse to the path of the `MDAV.wprp` file.
+1. Select **Add Profiles...** and browse to the path of the `MDAV.wprp` file.
-8. A new profile named Microsoft Defender for Endpoint analysis should appear under Custom measurements.
+1. A new profile named Microsoft Defender for Endpoint analysis should appear under Custom measurements.
![Screenshot showing the in-file.](media/wpr-infile.png)
> [!WARNING]
- > If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system consumes a high amount of non-paged pool memory or buffers, leading to system instability. Explore **Resource Analysis** to choose profiles to add.
+ > If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system may consume a high amount of non-paged pool memory or buffers, leading to system instability.To address this, explore **Resource Analysis** to choose profiles to add.
> This custom profile provides the necessary context for in-depth performance analysis.
-9. To use the custom measurement Microsoft Defender for Endpoint verbose analysis profile in the WPR UI:
+1. To use the custom measurement Microsoft Defender for Endpoint verbose analysis profile in the WPR UI:
1. Ensure no profiles are selected under the *First-level triage*, *Resource Analysis* and *Scenario Analysis* groups.
- 2. Select **Custom measurements**.
+ 1. Select **Custom measurements**.
- 3. Select **Microsoft Defender for Endpoint analysis**.
+ 1. Select **Microsoft Defender for Endpoint analysis**.
- 4. Select **Verbose** under *Detail* level.
+ 1. Select **Verbose** under *Detail* level.
- 5. Select **File** or **Memory** under Logging mode.
+ 1. Select **File** or **Memory** under Logging mode.
> [!IMPORTANT]
> Select **File** to use the file logging mode if you can directly reproduce the performance issue. Most issues fall under this category. However, if you cannot directly reproduce the issue, select Memory to use the memory logging mode. This prevents the trace log from inflating excessively due to long run times.
-10. Now you're ready to collect data. Close all unnecessary applications. Click **Hide options** to keep the space occupied by the WPR window small.
+1. Now you're ready to collect data. Close all unnecessary applications. Click **Hide options** to keep the space occupied by the WPR window small.
![Screenshot showing the Hide options.](media/wpr-08.png)
-11. Select **Start**.
+1. Select **Start**.
![Screenshot showing the Record system information page.](media/wpr-09.png)
-12. Reproduce the issue.
+1. Reproduce the issue.
> [!TIP]
> Limit the data collection to a maximum of five minutes. Ideally, aim for two to three minutes, as a significant amount of data is being collected.
-13. Select **Save**.
+1. Select **Save**.
![Screenshot showing the Save option.](media/wpr-10.png)
-14. Fill in **Type in a detailed description of the problem:** with information about the problem and how you reproduced the issue.
+1. Fill in **Type in a detailed description of the problem:** with information about the problem and how you reproduced the issue.
![Screenshot showing the pane in which you fill.](media/wpr-12.png)
-15. Select **File Name:** to determine where your trace file is saved. By default, it's saved to `%user%\Documents\WPR Files\`.
+1. Select **File Name:** to determine where your trace file is saved. By default, it's saved to `%user%\Documents\WPR Files\`.
-16. Select **Save**.
+1. Select **Save**.
![Screenshot showing the WPR gathering general trace.](media/wpr-13.png)
-17. After the trace has been merged and saved, right-click **Open folder**.
+1. After the trace has been merged and saved, right-click **Open folder**.
![Screenshot that displays the notification that WPR trace has been saved.](media/wpr-14.png)
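Review bot: step 4 ("Right-click **Yes** when the User Account Control dialog box appears") and the final step ("right-click **Open folder**") carry over an error from the `-` lines; the UAC prompt and the WPR completion notification are answered with a normal click, and the CLI section in this same file says "Select **Yes**". Change both to "Select". Also, "system instability.To address this" in the WARNING `+` line is missing a space after the period.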
@@ -150,11 +150,11 @@ To collect a WPR trace using the command-line tool wpr.exe:
1. Download **[Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp)** performance trace profile as `MDAV.wprp` in a local directory such as `C:\traces`.
-2. Right-click the **Start Menu** icon and select **Windows PowerShell (Admin)** or **Command Prompt (Admin)** to open an Admin command prompt window.
+1. Right-click the **Start Menu** icon and select **Windows PowerShell (Admin)** or **Command Prompt (Admin)** to open an Admin command prompt window.
-3. Select **Yes** in the User Account Control dialog box.
+1. Select **Yes** in the User Account Control dialog box.
-4. At the **Command Prompt (Admin)**, run the following command to start a Microsoft Defender for Endpoint performance trace:
+1. At the **Command Prompt (Admin)**, run the following command to start a Microsoft Defender for Endpoint performance trace:
```console
@@ -165,20 +165,20 @@ To collect a WPR trace using the command-line tool wpr.exe:
> [!WARNING]
> If your Windows Server has 64 GB of RAM or more, use profiles `WDForLargeServers.Light` and `WDForLargeServers.Verbose` instead of profiles `WD.Light` and `WD.Verbose`, respectively. Otherwise, your system consumes a high amount of non-paged pool memory or buffers, leading to system instability.
-5. Reproduce the issue.
+1. Reproduce the issue.
> [!TIP]
> Limit the data collection to a maximum of five minutes. Ideally, aim for two to three minutes, as a significant amount of data is being collected.
-6. At the **Command Prompt (Admin)**, run the following command to start a Microsoft Defender for Endpoint performance trace:
+1. At the **Command Prompt (Admin)**, run the following command to start a Microsoft Defender for Endpoint performance trace:
```console
wpr.exe -stop merged.etl "Timestamp when the issue was reproduced, in HH:MM:SS format" "Description of the issue" "Any error that popped up"
```
-7. Wait until the trace is merged.
+1. Wait until the trace is merged.
-8. Include both the file and the folder in your submission to Microsoft Support.
+1. Include both the file and the folder in your submission to Microsoft Support.
## See also
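Review bot: the `+` line for step 6 says "run the following command to start a Microsoft Defender for Endpoint performance trace", but the command that follows is `wpr.exe -stop merged.etl ...`, which stops the trace and merges it; the sentence was copied from step 4 and should read "to stop the Microsoft Defender for Endpoint performance trace". The quoted placeholders in that command ("Timestamp when the issue was reproduced, in HH:MM:SS format", "Description of the issue", "Any error that popped up") would also be clearer if the step said they are to be replaced with the actual values.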
From 0d50233284d1af9f1ed61bcfc969218ca1ef30bf Mon Sep 17 00:00:00 2001
From: Emm Walsh
Date: Mon, 13 Jan 2025 11:10:00 +0000
Subject: [PATCH 22/31] Acrolinx Edits
---
...roubleshoot-av-performance-issues-with-wprui.md | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
index 318d5af2c3..6cdd4ecff1 100644
--- a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
+++ b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
@@ -22,9 +22,9 @@ ms.custom:
# Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI
> [!TIP]
-> First, review common reasons for performance issues such as high CPU usage in [Troubleshoot performance issues related to Microsoft Defender Antivirus real-time protection (rtp) or scans (scheduled or on-demand](/defender-endpoint/troubleshoot-performance-issues)).
+> First, review common reasons for performance issues such as high CPU usage in [Troubleshoot performance issues related to Microsoft Defender Antivirus real-time protection (RTP) or scans (scheduled or on-demand](/defender-endpoint/troubleshoot-performance-issues)).
> Then, run the [Microsoft Defender Antivirus Performance Analyzer](/defender-endpoint/tune-performance-defender-antivirus) to analyze the cause of high CPU usage in Microsoft Defender Antivirus (Antimalware Service Executable, Microsoft Defender Antivirus service, or MsMpEng.exe).
-> If the Microsoft Defender Antivirus Performance Analyzer does not identify the root cause of high CPU utilization, run [Processor Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon) to narrow down or determine the root cause of the high CPU utilization in Microsoft Defender Antivirus.
+> If the Microsoft Defender Antivirus Performance Analyzer doesn't identify the root cause of high CPU utilization, run [Processor Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon) to narrow down or determine the root cause of the high CPU utilization in Microsoft Defender Antivirus.
> The final tool in your toolkit is to run the Windows Performance Recorder UI (WPRUI) or the Windows Performance Recorder (WPR command-line) as discussed in this article.
## Capture performance logs using Windows Performance Recorder
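Review bot: the `+` line fixes "rtp" to "RTP" but leaves the link itself broken: the square bracket closes after "(scheduled or on-demand" and a stray ")" follows the URL. Move the ")" inside the link text so it reads `... or scans (scheduled or on-demand)](/defender-endpoint/troubleshoot-performance-issues).`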
@@ -48,7 +48,7 @@ There are two ways to capture the Windows Performance Recorder (WPRUI) trace:
1. Run the MDE Client Analyzer using [Live Response or locally](/defender-endpoint/run-analyzer-windows).
> [!TIP]
-> Before starting the trace, make sure the issue is reproducible. Additionally, close any applications that do not contribute to the reproduction of the issue.
+> Before starting the trace, make sure the issue is reproducible. Additionally, close any applications that don't contribute to the reproduction of the issue.
1. Run the MDE Client Analyzer with the -a and -v switches
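Review bot: the unchanged context line "Run the MDE Client Analyzer with the -a and -v switches" is missing a terminating period, and the switches are not in code formatting (`-a`, `-v`) unlike other commands on this page; worth folding into this Acrolinx pass.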
@@ -91,7 +91,7 @@ There are two ways to capture the Windows Performance Recorder (WPRUI) trace:
![Screenshot showing the in-file.](media/wpr-infile.png)
> [!WARNING]
- > If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system may consume a high amount of non-paged pool memory or buffers, leading to system instability.To address this, explore **Resource Analysis** to choose profiles to add.
+ > If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system might consume a high amount of nonpaged pool memory or buffers, leading to system instability. To address this, explore **Resource Analysis** to choose profiles to add.
> This custom profile provides the necessary context for in-depth performance analysis.
1. To use the custom measurement Microsoft Defender for Endpoint verbose analysis profile in the WPR UI:
@@ -107,9 +107,9 @@ There are two ways to capture the Windows Performance Recorder (WPRUI) trace:
1. Select **File** or **Memory** under Logging mode.
> [!IMPORTANT]
- > Select **File** to use the file logging mode if you can directly reproduce the performance issue. Most issues fall under this category. However, if you cannot directly reproduce the issue, select Memory to use the memory logging mode. This prevents the trace log from inflating excessively due to long run times.
+ > Select **File** to use the file logging mode if you can directly reproduce the performance issue. Most issues fall under this category. However, if you can't directly reproduce the issue, select Memory to use the memory logging mode. This prevents the trace log from inflating excessively due to long run times.
-1. Now you're ready to collect data. Close all unnecessary applications. Click **Hide options** to keep the space occupied by the WPR window small.
+1. Now you're ready to collect data. Close all unnecessary applications. Select **Hide options** to keep the space occupied by the WPR window small.
![Screenshot showing the Hide options.](media/wpr-08.png)
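Review bot: in the IMPORTANT callout `+` line, **File** is bold but "Memory" is plain text even though both are names of the same UI option; bold "Memory" too while this line is being edited.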
@@ -163,7 +163,7 @@ To collect a WPR trace using the command-line tool wpr.exe:
```
> [!WARNING]
- > If your Windows Server has 64 GB of RAM or more, use profiles `WDForLargeServers.Light` and `WDForLargeServers.Verbose` instead of profiles `WD.Light` and `WD.Verbose`, respectively. Otherwise, your system consumes a high amount of non-paged pool memory or buffers, leading to system instability.
+ > If your Windows Server has 64 GB of RAM or more, use profiles `WDForLargeServers.Light` and `WDForLargeServers.Verbose` instead of profiles `WD.Light` and `WD.Verbose`, respectively. Otherwise, your system consumes a high amount of nonpaged pool memory or buffers, leading to system instability.
1. Reproduce the issue.
From 1b5aa3c9e98a84638b35c034cb89aa5f0911cffc Mon Sep 17 00:00:00 2001
From: Padma Jayaraman
Date: Mon, 13 Jan 2025 17:18:26 +0530
Subject: [PATCH 23/31] Fix formatting and punctuation in documentation
Corrected alignment
---
...roubleshoot-av-performance-issues-with-wprui.md | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
index 6cdd4ecff1..d8215bceb5 100644
--- a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
+++ b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
@@ -43,15 +43,15 @@ There are two ways to capture the Windows Performance Recorder (WPRUI) trace:
## Using the MDE Client Analyzer
-1. Download the [MDE Client Analyzer ](/defender-endpoint/download-client-analyzer).
+1. Download the [MDE Client Analyzer](/defender-endpoint/download-client-analyzer).
1. Run the MDE Client Analyzer using [Live Response or locally](/defender-endpoint/run-analyzer-windows).
-> [!TIP]
-> Before starting the trace, make sure the issue is reproducible. Additionally, close any applications that don't contribute to the reproduction of the issue.
+ > [!TIP]
+ > Before starting the trace, make sure the issue is reproducible. Additionally, close any applications that don't contribute to the reproduction of the issue.
-1. Run the MDE Client Analyzer with the -a and -v switches
+1. Run the MDE Client Analyzer with the `-a` and `-v` switches.
PowerShellCopy
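Review bot: the indentation fix for the TIP callout is right, but the line "PowerShellCopy" immediately after the last step is not intended content; it is the label of a copy button scraped along with the code block and should be removed (if it was meant as the language tag of the fence that follows, put it on the fence line as `powershell`).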
@@ -59,7 +59,7 @@ There are two ways to capture the Windows Performance Recorder (WPRUI) trace:
C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd
```
-## Manually:
+## Manually
### Capture performance logs using the WPR UI
@@ -90,7 +90,7 @@ There are two ways to capture the Windows Performance Recorder (WPRUI) trace:
![Screenshot showing the in-file.](media/wpr-infile.png)
- > [!WARNING]
+ > [!WARNING]
> If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system might consume a high amount of nonpaged pool memory or buffers, leading to system instability. To address this, explore **Resource Analysis** to choose profiles to add.
> This custom profile provides the necessary context for in-depth performance analysis.
@@ -107,7 +107,7 @@ There are two ways to capture the Windows Performance Recorder (WPRUI) trace:
1. Select **File** or **Memory** under Logging mode.
> [!IMPORTANT]
- > Select **File** to use the file logging mode if you can directly reproduce the performance issue. Most issues fall under this category. However, if you can't directly reproduce the issue, select Memory to use the memory logging mode. This prevents the trace log from inflating excessively due to long run times.
+ > Select **File** to use the file logging mode if you can directly reproduce the performance issue. Most issues fall under this category. However, if you can't directly reproduce the issue, select **Memory** to use the memory logging mode. This prevents the trace log from inflating excessively due to long run times.
1. Now you're ready to collect data. Close all unnecessary applications. Select **Hide options** to keep the space occupied by the WPR window small.
From 996ccc34360052d3b06edbd413ff2155555fe1f2 Mon Sep 17 00:00:00 2001
From: Padma Jayaraman
Date: Mon, 13 Jan 2025 17:21:01 +0530
Subject: [PATCH 24/31] Fix formatting in troubleshooting documentation
---
.../troubleshoot-av-performance-issues-with-wprui.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
index d8215bceb5..1e030ae492 100644
--- a/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
+++ b/defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
@@ -140,9 +140,9 @@ There are two ways to capture the Windows Performance Recorder (WPRUI) trace:
![Screenshot that displays the notification that WPR trace has been saved.](media/wpr-14.png)
-```
- Include both the file and the folder in your submission to Microsoft Support.
-``` ![Screenshot showing the details of the file and the folder.](media/wpr-15.png)
+1. Include both the file and the folder in your submission to Microsoft Support.
+
+ ![Screenshot showing the details of the file and the folder.](media/wpr-15.png)
### Capture performance logs using the WPR CLI
From 0e6cdb7b89a78b474a6d580f45397b6015c91711 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 13 Jan 2025 07:05:56 -0800
Subject: [PATCH 25/31] Update ms.date in linux-preferences.md
---
defender-endpoint/linux-preferences.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
index b748b61f4c..3e6ff0052d 100644
--- a/defender-endpoint/linux-preferences.md
+++ b/defender-endpoint/linux-preferences.md
@@ -6,7 +6,7 @@ ms.service: defender-endpoint
ms.author: deniseb
author: denisebmsft
ms.localizationpriority: medium
-ms.date: 10/14/2024
+ms.date: 01/13/2025
manager: deniseb
audience: ITPro
ms.collection:
From ad0d46d376a863b5066cf1e39454888a1f0ec4c2 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 13 Jan 2025 07:41:42 -0800
Subject: [PATCH 26/31] Update date in linux-whatsnew.md file
---
defender-endpoint/linux-whatsnew.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/linux-whatsnew.md b/defender-endpoint/linux-whatsnew.md
index 0e7501f8cb..3a7ea951c4 100644
--- a/defender-endpoint/linux-whatsnew.md
+++ b/defender-endpoint/linux-whatsnew.md
@@ -6,7 +6,7 @@ ms.author: deniseb
author: denisebmsft
ms.reviewer: kumasumit, gopkr
ms.localizationpriority: medium
-ms.date: 01/09/2025
+ms.date: 01/13/2025
manager: deniseb
audience: ITPro
ms.collection:
From abbe01cc5d675f47ed6765fe84245a7635466656 Mon Sep 17 00:00:00 2001
From: Padma Jayaraman
Date: Mon, 13 Jan 2025 21:43:13 +0530
Subject: [PATCH 27/31] Fix path formatting in verification instructions
---
defender-endpoint/linux-preferences.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
index 3e6ff0052d..5f29659831 100644
--- a/defender-endpoint/linux-preferences.md
+++ b/defender-endpoint/linux-preferences.md
@@ -1065,7 +1065,7 @@ If the JSON is well-formed, the above command outputs it back to the Terminal an
## Verifying that the mdatp_managed.json file is working as expected
-To verify that your /etc/opt/microsoft/mdatp/managed/mdatp_managed.json is working properly, you should see "[managed]" next to these settings:
+To verify that your `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json` is working properly, you should see "[managed]" next to these settings:
- `cloud_enabled`
- `cloud_automatic_sample_submission_consent`
From 4a84d22c26169c55e7ee2bbf6315facaea44621e Mon Sep 17 00:00:00 2001
From: Padma Jayaraman
Date: Mon, 13 Jan 2025 22:03:19 +0530
Subject: [PATCH 28/31] Fix typos and formatting in documentation
---
defender-endpoint/linux-preferences.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
index 5f29659831..5a0e8da02e 100644
--- a/defender-endpoint/linux-preferences.md
+++ b/defender-endpoint/linux-preferences.md
@@ -271,7 +271,7 @@ To remove both NFS and Fuse from unmonitored list of filesystems, do the followi
> [!NOTE]
> Here's the default list of monitored filesystems for RTP: `btrfs`, `ecryptfs`, `ext2`, `ext3`, `ext4`, `fuseblk`, `jfs`, `overlay`, `ramfs`, `reiserfs`, `tmpfs`, `vfat`, `xfs`.
>
-> If any monitored filesystem needs to be added to the list of unmonitored filesystems,then it needs to be evaluated and enabled by Microsoft via cloud config. Following which customers can update managed_mdatp.json to unmonitor that filesystem.
+> If any monitored filesystem needs to be added to the list of unmonitored filesystems, then it needs to be evaluated and enabled by Microsoft via cloud config. Following which customers can update managed_mdatp.json to unmonitor that filesystem.
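Review bot: the `+` line still refers to `managed_mdatp.json`, while the file this article documents (see the patch 27 hunk, `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`) is `mdatp_managed.json`; confirm the name and put it in backticks. Also "Following which customers can update ..." is a sentence fragment; join it to the preceding sentence ("..., after which customers can update ...").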
@@ -385,7 +385,7 @@ Specify the maximum number of entries to keep in the scan history. Entries inclu
### Exclusion setting preferences
-**Exlusion setting preferences are currently in preview**.
+**Exclusion setting preferences are currently in preview**.
> [!NOTE]
> Global exclusions are currently in public preview, and are available in Defender for Endpoint beginning with version `101.23092.0012` or later in the Insiders Slow and Production rings.
@@ -434,7 +434,7 @@ Specifies the type of content excluded from the scan.
##### Scopes of exclusion (optional)
-Specifies the set of exlusion scopes of content excluded. Currently supported scopes are `epp` and `global`.
+Specifies the set of exclusion scopes of content excluded. Currently supported scopes are `epp` and `global`.
If nothing is specified in for an exclusion under *exclusionSettings* in managed configuration, then `global` is considered as scope.
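Review bot: the unchanged context line "If nothing is specified in for an exclusion under *exclusionSettings*" has a stray "in"; since this patch is a typo pass on this file, drop it ("If nothing is specified for an exclusion ..."). "is considered as scope" would also read better as "is used as the scope".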
From f05427bc9d47b411a9cb3e4afb856109eb5eb471 Mon Sep 17 00:00:00 2001
From: Chris Davis
Date: Mon, 13 Jan 2025 08:37:55 -0800
Subject: [PATCH 29/31] Update
remediate-malicious-email-delivered-office-365.md
Acrolinx
---
...te-malicious-email-delivered-office-365.md | 50 +++++++++----------
1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/defender-office-365/remediate-malicious-email-delivered-office-365.md b/defender-office-365/remediate-malicious-email-delivered-office-365.md
index e68e9f6b2e..1f2579f0a1 100644
--- a/defender-office-365/remediate-malicious-email-delivered-office-365.md
+++ b/defender-office-365/remediate-malicious-email-delivered-office-365.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
search.appverid: MET150
description: Threat remediation
ms.service: defender-office-365
-ms.date: 01/06/2025
+ms.date: 01/13/2025
appliesto:
- ✅ Microsoft Defender for Office 365 Plan 2
---
@@ -23,16 +23,16 @@ appliesto:
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
-Remediation means to take a prescribed action against a threat. Malicious email sent to your organization can be cleaned up either by the system, through zero-hour auto purge (ZAP), or by security teams through remediation actions like *move to inbox*, *move to junk*, *move to deleted items*, *soft delete*, or *hard delete*. Microsoft Defender for Office 365 Plan 2/E5 enables security teams to remediate threats in email and collaboration functionality through manual and automated investigation.
+Remediation means to take a prescribed action against a threat. Malicious email sent to your organization can be cleaned up by the system, through zero-hour auto purge (ZAP), or by security teams through remediation actions like *move to inbox*, *move to junk*, *move to deleted items*, *soft delete*, or *hard delete*. Microsoft Defender for Office 365 Plan 2/E5 enables security teams to remediate threats in email and collaboration functionality through manual and automated investigation.
## What you need to know before you begin
- There are throttling limits for large-scale remediations that help ensure stability and performance of the service:
- - **Organization limits**: The maximum number of active, concurrent email remediations is 50. Once the limit is reached. no new remediations are triggered until some actions are completed.
+ - **Organization limits**: The maximum number of active, concurrent email remediations is 50. Once the limit is reached, no new remediations are triggered until some actions are completed.
- **Email message limits**: If an active remediation involves more than one million email messages, no new email remediations are allowed.
- **Recipient requirements in remediations**:
- - The total percentage of selected recipients must be at least 40% of the total email message count in the remediation. For instance, if an email is sent to 5 recipients, Explorer (Threat Explorer) counts it as 5 email messages. If the remediation requires the deletion of 5000 email messages, the remediation must target at least 2000 recipients.
- - If the recipient count is less than 40% of the total email message count, the remediation can't be used to delete more than 1000 messages that were sent to a single recipient.
+ - The total percentage of selected recipients must be at least 40% of the total email message count in the remediation. For instance, if an email is sent to five recipients, Explorer (Threat Explorer) counts it as five email messages. If the remediation requires the deletion of 5,000 email messages, the remediation must target at least 2,000 recipients.
+ - If the recipient count is less than 40% of the total email message count, the remediation can't be used to delete more than 1,000 messages that were sent to a single recipient.
- You need to be assigned permissions before you can do the procedures in this article. Admins can take the required action on email messages, but the **Search and Purge** role is required to get those actions approved. To assign the **Search and Purge** role, you have the following options:
- [Microsoft Defender XDR Unified role based access control (RBAC)](/defender-xdr/manage-rbac) (If **Email & collaboration** \> **Defender for Office 365** permissions is :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **Active**. Affects the Defender portal only, not PowerShell): **Security operations/Security data/Email & collaboration advanced actions (manage)**.
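Review bot: The rewritten recipient-requirement bullet (the `+` line beginning "The total percentage of selected recipients must be at least 40%") still compares the wrong quantity: what the rule describes is a count of recipients measured against the message count, so "total percentage of selected recipients" is not the thing being constrained. Suggest "The number of selected recipients must be at least 40% of the total email message count in the remediation." The worked figures in the same line (five recipients, 5,000 messages, 2,000 recipients) are consistent with that reading and can stay.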
@@ -52,34 +52,34 @@ Security teams can use Explorer to select emails in several ways:
- Query selection: Select an entire query by using the top **select all** button. The same query is also shown in action center mail submission details. Customers can submit maximum 200,000 emails from Explorer.
-- Query selection with exclusion: Sometimes security operations teams may want to remediate emails by selecting an entire query and excluding certain emails from the query manually. To do so, an admin can use the **Select all** check box and scroll down to exclude emails manually. The query can hold a maximum of 200,000 emails.
+- Query selection with exclusion: Sometimes security operations teams might want to remediate emails by selecting an entire query and excluding certain emails from the query manually. To do so, an admin can use the **Select all** check box and scroll down to exclude emails manually. The query can hold a maximum of 200,000 emails.
Once emails are selected through Explorer, you can start remediation by taking direct action or by queuing up emails for an action:
- Direct approval: When actions like *move to inbox*, *move to junk*, *move to deleted items*, *soft delete*, or *hard delete* are selected by security personnel who have appropriate permissions, and the next steps in remediation are followed, the remediation process begins to execute the selected action.
> [!NOTE]
- > As the remediation gets kicked-off, it generates an alert and an investigation in parallel. Alert shows up in the alerts queue with the name "Administrative action submitted by an Administrator" suggesting that security personnel took the action of remediating an entity. It presents details like name of the person who performed the action, supporting investigation link, time etc. It works really well to know every time a harsh action like remediation is performed on entities. All these actions can be tracked under the **Actions & Submissions** \> **Action center** -> **History tab** (public preview).
+ > As the remediation gets kicked-off, it generates an alert and an investigation in parallel. Alert shows up in the alerts queue with the name "Administrative action submitted by an Administrator" suggesting that security personnel took the action of remediating an entity. It presents details like name of the person who performed the action, supporting investigation link, time, etc. It works really well to know every time a harsh action like remediation is performed on entities. All these actions can be tracked under the **Actions & Submissions** \> **Action center** \> **History tab** (public preview).
- Two-step approval: An "add to remediation" action can be taken by admins who don't have appropriate permissions or who need to wait to execute the action. In this case, the targeted emails are added to a remediation container. Approval is needed before the remediation is executed.
-**Automated investigation and response** actions are triggered by alerts or by security operations teams from Explorer. These may include recommended remediation actions that must be approved by a security operations team. These actions are included on the **Action** tab in the automated investigation.
+**Automated investigation and response** actions are triggered by alerts or by security operations teams from Explorer. These results might include recommended remediation actions that must be approved by a security operations team. These actions are included on the **Action** tab in the automated investigation.
:::image type="content" source="media/tp-RemediationArticle3.png" alt-text="Email with malware on the Zapped page showing the time of ZAP execution." lightbox="media/tp-RemediationArticle3.png":::
All remediation (direct approvals) created in Explorer, Advanced hunting, or through Automated investigation are displayed in the Action center at **Actions & Submissions** \> **Action center** \> **History** tab ().
-Manual actions pending approval using the two-step approval process (1. Add to remediation by one security operation team member, 2. Reviewed and approved by another security operation team member) are visible at **Actions & Submissions** \> **Action center** \> **Pending** tab (). After approval, they're visible at **Actions & Submissions** \> **Action center** \> **History** tab ().
+Manual actions pending approval using the two-step approval process (added to the remediation by one security operation team member, and reviewed and approved by another security operation team member) are visible at **Actions & Submissions** \> **Action center** \> **Pending** tab (). After approval, they're visible at **Actions & Submissions** \> **Action center** \> **History** tab ().
:::image type="content" source="media/microsoft-365-defender-action-center-history.png" lightbox="media/microsoft-365-defender-action-center-history.png" alt-text="The unified Action Center shows you 30 days of remediation actions.":::
-Unified Action Center shows remediation actions for the past 30 days. Actions taken through Explorer are listed by the name that the security operations team provided when the remediation was created as well as approval Id, Investigation Id. Actions taken through automated investigations have titles that begin with the related alert that triggered the investigation, such as *Zap email cluster*.
+Unified Action Center shows remediation actions for the past 30 days. Actions taken through Explorer are listed by the name that the security operations team provided when the remediation was created as well as approval ID, Investigation ID. Actions taken through automated investigations have titles that begin with the related alert that triggered the investigation, such as *Zap email cluster*.
-Open any remediation item to view details about it, including its remediation name, approval Id, Investigation Id, creation date, description, status, action source, action type, decided by, status. It also opens a side pane with action details, email cluster details, alert and Incident details.
+Open any remediation item to view details about it, including its remediation name, approval ID, Investigation ID, creation date, description, status, action source, action type, decided by, status. It also opens a side pane with action details, email cluster details, alert, and Incident details.
-- *Open Investigation page* this opens up an admin Investigation that contains fewer details and tabs. It shows details like: related alert, entity selected for remediation, action taken, remediation status, entity count, logs, approver of action. This investigation keeps a track of investigation done by the admin manually and contains details to selections made by the admin, hence is called admin action investigation. No need to act on the investigation and alert its already in approved state.
-- *Email count* Displays the number of emails submitted through Explorer. These emails can be actionable or not actionable.
-- *Action logs* Show the details of remediation statuses like successful, failed, and already in destination.
+- **Open Investigation page**: Opens an admin investigation that contains fewer details and tabs. It shows details like: related alert, entity selected for remediation, action taken, remediation status, entity count, logs, and approver of action. Tracks an investigation manually done by the admin manually and contains details to selections made by the admin. There's no need to act on the investigation and alert (it's already in the Approved state).
+- **Email count**: Displays the number of email messages submitted through Explorer. These messages can be actionable or not actionable.
+- **Action logs**: Shows the details of remediation status like successful, failed, and already in destination.
:::image type="content" source="media/microsoft-365-defender-action-center-history-panel.png" lightbox="media/microsoft-365-defender-action-center-history-panel.png" alt-text="The Action Center with the Move to Inbox option open.":::
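Review bot: The new **Open Investigation page** bullet contains a duplicated word, "Tracks an investigation manually done by the admin manually"; drop one "manually" (for example "Tracks an investigation done manually by the admin") and give that fragment a subject, since the bullet switches from "It shows details like ..." to a verb with no subject. Two smaller points in the same hunk: "These results might include recommended remediation actions" introduces "results" with no antecedent (the previous sentence is about actions being triggered), so "These might include" or "The investigation results might include" would read better; and the note paragraph still says "As the remediation gets kicked-off ... Alert shows up in the alerts queue", which needs "kicked off" (no hyphen) and "The alert shows up".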
@@ -109,24 +109,24 @@ Open any remediation item to view details about it, including its remediation na
- **Hard delete**: Purge the deleted message. Admins can recover hard deleted items using single-item recovery. For more information about hard deleted and soft deleted items, see [Soft-deleted and hard-deleted items](/compliance/assurance/assurance-exchange-online-data-deletion#soft-deleted-and-hard-deleted-items).
> [!NOTE]
- > In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD) admins can take the actions **Soft delete**, **Move to junk folder**, **Move to deleted items**, **Hard delete**, and **Move to inbox**. The actions **Delete sender's copy** and **Move to inbox** from qurantine folder aren't available.
+ > In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD) admins can take the actions **Soft delete**, **Move to junk folder**, **Move to deleted items**, **Hard delete**, and **Move to inbox**. The actions **Delete sender's copy** and **Move to inbox** from quarantine folder aren't available.
- Suspicious messages are categorized as either remediable or nonremediable. In most cases, remediable and nonremediable messages combine equals total messages submitted. But in rare cases this may not be true. This can happen because of system delays, timeouts, or expired messages. Messages expire based on the Explorer retention period for your organization.
+ Suspicious messages are categorized as either remediable or nonremediable. In most cases, the total of remediable and nonremediable messages equals the total number of messages submitted. But the totals might not match because of system delays, time-outs, or expired messages. Messages expire based on the Explorer retention period for your organization.
Unless you're remediating old messages after your organization's Explorer retention period, it's advisable to retry remediating items if you see number inconsistencies. For system delays, remediation updates are typically refreshed within a few hours.
- If your organization's retention period for email in Explorer is 30 days and you're remediating emails going back 29-30 days, mail submission counts may not always add up. The emails might have started moving out of the retention period already.
+ If your organization's retention period for email in Explorer is 30 days and you're remediating emails going back 29-30 days, mail submission counts might not always add up. The emails might have started moving out of the retention period already.
- If remediations are stuck in the "In progress" state for a while, it's likely due to system delays. It could take up to a few hours to remediate. You might see variations in mail submission counts, as some of the emails may not have been included the query at the start of remediation due to system delays. It's a good idea to retry remediating in such cases.
+ If remediations are stuck in the "In progress" state for a while, it's likely due to system delays. It could take up to a few hours to remediate. You might see variations in mail submission counts, as some of the emails might not have been included the query at the start of remediation due to system delays. It's a good idea to retry remediating in such cases.
- > [!NOTE]
+ > [!TIP]
> For best results, remediation should be done in batches of 50,000 or fewer.
- Only remediable emails are acted on during remediation. Nonremediable emails can't be remediated by the Office 365 email system, as they aren't stored in cloud mailboxes.
+ Only remediable email messages are acted on during remediation. Nonremediable emails can't be remediated by Microsoft 365, becayse they aren't stored in cloud mailboxes.
- Admins can take actions on emails in quarantine if necessary, but those emails expire out of quarantine if they're not manually purged. By default, emails quarantined because of malicious content aren't accessible by users, so security personnel don't have to take any action to get rid of threats in quarantine. If the emails are on-premises or external, the user can be contacted to address the suspicious email. Or the admins can use separate email server/security tools for removal. These emails can be identified by applying the *delivery location = on-prem* external filter in Explorer. For failed or dropped email, or email not accessible by users, there won't be any email to mitigate, since these mails don't reach the mailbox.
+ Admins can take actions on emails in quarantine if necessary, but those emails expire out of quarantine if they're not manually purged. By default, emails quarantined because of malicious content aren't accessible by users, so security personnel don't have to take any action to get rid of threats in quarantine. If the emails are on-premises or external, the user can be contacted to address the suspicious email. Or the admins can use separate email server/security tools for removal. These emails can be identified by applying the *delivery location = on-premises* external filter in Explorer. For failed or dropped email, or email not accessible by users, there isn't any email to mitigate, since these mails don't reach the mailbox.
-- **Action logs**: This shows the messages remediated, successful, failed, already in destination.
+- **Action logs**: Shows the messages remediated, successful, failed, already in destination.
Status can be:
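Review bot: The `+` line "Nonremediable emails can't be remediated by Microsoft 365, becayse they aren't stored in cloud mailboxes" introduces a new typo; fix "becayse" to "because". Also in this hunk: "some of the emails might not have been included the query" (carried over unchanged from the `-` line) is missing "in" before "the query"; and the filter reference is reworded from *delivery location = on-prem* to *delivery location = on-premises*, which should be checked against the value actually shown in the Explorer filter so the doc text matches the UI label rather than a style-guide spelling.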
@@ -142,15 +142,15 @@ Open any remediation item to view details about it, including its remediation na
- **Failure**: The desired action on remediable emails failed. For example: An admin wants to remove emails from mailboxes, so the admin takes the action of soft-deleting emails. If a remediable email is still found in the mailbox after the action is taken, status will show as failed.
- - **Already in destination**: The desired action was already taken on the email OR the email already existed in the destination location. For example: An email was soft deleted by the admin through Explorer on day one. Then similar emails show up on day 2, which are again soft deleted by the admin. While selecting these emails, admin ends up picking some emails from day one that are already soft deleted. Now these emails won't be acted upon again, they'll just show as "already in destination", since no action was taken on them as they existed in the destination location.
+ - **Already in destination**: The desired action was already taken on the email OR the email already existed in the destination location. For example: An email was soft deleted by the admin through Explorer on day one. Then similar emails show up on day 2, which are again soft deleted by the admin. While selecting these emails, admin ends up picking some emails from day one that are already soft deleted. Now these messages aren't acted upon. Instead, they show as Already in destination, since no action was taken on them as they existed in the destination location.
- **New**: An *Already in destination* column has been added in the Action Log. This feature uses the latest delivery location in Explorer to signal if the mail has already been remediated. *Already in destination* helps security teams understand the total number of messages that still need to be addressed.
Actions can only be taken on messages in the Inbox, Junk, Deleted, and Soft Deleted folders of Explorer. Here's an example of how the new column works. A *soft delete action* takes place on the message present in the Inbox, then the message is handled according to policies. The next time a soft delete is performed, this message will show under the column 'Already in destination' signaling it doesn't need to be addressed again.
-Select any item in the action log to display remediation details. If the details say "successful" or "not found in mailbox", that item was already removed from the mailbox. Sometimes there's a system error during remediation. In those cases, it's a good idea to retry the remediation action.
+Select any item in the action log to display remediation details. If the details show **Successful** or **Not found in mailbox**, that item was already removed from the mailbox. Sometimes there's a system error during remediation. In those cases, it's a good idea to retry the remediation action.
-In case of remediating large batches of email, export the messages sent for remediation via Mail Submission, and messages that were remediated via Action Logs. The export limit is increased to 100,000 records.
+If you need to remediate large batches of email, export the messages sent for remediation via Mail Submission, and export messages that were remediated via Action Logs. The export limit is increased to 100,000 records.
Admins can take remediation actions like moving email messages to Junk, Inbox, or Deleted items folder and delete actions like soft deleted or hard delete from Advanced Hunting pages.
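Review bot: In the rewritten **Already in destination** bullet, "they show as Already in destination" leaves the status name unformatted while the same hunk bolds **Successful** and **Not found in mailbox** a few lines later; format it the same way (**Already in destination**, or italics as in the "*Already in destination* column" sentence that follows) so status names are consistent within the section. The same bullet still has "admin ends up picking some emails" (missing "the"), and the trailing context line "delete actions like soft deleted or hard delete" mixes forms; "soft delete or hard delete" would match the rest of the list.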
From e14198d095f2fc0aa93c470ff0e7e89c685ecfae Mon Sep 17 00:00:00 2001
From: Ruchika Mittal
Date: Mon, 13 Jan 2025 22:50:29 +0530
Subject: [PATCH 30/31] Fix typos and update SELinux capitalization
---
defender-endpoint/linux-whatsnew.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/defender-endpoint/linux-whatsnew.md b/defender-endpoint/linux-whatsnew.md
index 3a7ea951c4..ecdbf22b90 100644
--- a/defender-endpoint/linux-whatsnew.md
+++ b/defender-endpoint/linux-whatsnew.md
@@ -57,13 +57,13 @@ This article is updated frequently to let you know what's new in the latest rele
- Upgraded the Bond version to 13.0.1 to address security vulnerabilities in versions 12 or lower.
-- Mdatp package no longer has a dependency on selinux packages.
+- Mdatp package no longer has a dependency on SELinux packages.
- User can now query the status of supplementary event provider eBPF using the threat hunting query in DeviceTvmInfoGathering. To learn more about this query check: [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-support-ebpf). The result of this query can return the following two values as eBPF status:
- Enabled: When eBPF is enabled as working as expected.
- Disabled: When eBPF is disabled due to one of the following reasons:
- When MDE is using auditD as a supplementary sensor
- - When eBPF is not present and we fallback to Netlink as supplementory event provider
+ - When eBPF is not present and we fallback to Netlink as supplementary event provider
- There is no supplementary sensor present.
- Starting from 2411, the MDATP package release to Production on packages.microsoft.com will follow a gradual rollout mechanism which spans over a week. The other release rings, insiderFast and insiderSlow, are unaffected by this change.
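Review bot: The capitalization fix is fine but leaves adjacent inconsistencies in the same list that a commit titled "Fix typos" should pick up: "Mdatp package" on the changed line versus "MDATP package" in the last context line; "When eBPF is enabled as working as expected" (should be "and working as expected"); "When eBPF is not present and we fallback to Netlink" ("fall back" as a verb); and "auditD", where the daemon name is conventionally written auditd. Suggest folding these into the same change rather than leaving them for another typo pass.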
From 0a80a7faba31e211b0d0dac1abb27ad9af31448f Mon Sep 17 00:00:00 2001
From: Dan Orum <19275382+danorum@users.noreply.github.com>
Date: Mon, 13 Jan 2025 11:28:30 -0600
Subject: [PATCH 31/31] Update anti-spam-bulk-senders-insight.md
Typo of compliant instead of complaint for BCL (Bulk Complaint Level).
---
defender-office-365/anti-spam-bulk-senders-insight.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-office-365/anti-spam-bulk-senders-insight.md b/defender-office-365/anti-spam-bulk-senders-insight.md
index 079c36ae34..c7e17ea4a3 100644
--- a/defender-office-365/anti-spam-bulk-senders-insight.md
+++ b/defender-office-365/anti-spam-bulk-senders-insight.md
@@ -63,7 +63,7 @@ This article describes how to use the bulk senders insight in the Microsoft Defe
> [!TIP]
> Settings in the default or custom anti-spam policies are ignored if a recipient is also included in the [Standard or Strict preset security policies](preset-security-policies.md). For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
>
-> The **Bulk threshold** value in an anti-spam policy determines the BCL threshold that's used to identify a message as bulk. For example, the **Bulk threshold** value 7 means that messages with the BCL value 7, 8, or 9 are identified as bulk. What happens to bulk messages is determined by the **Bulk compliant level (BCL) met or exceeded** action in the anti-spam policy (for example, **Move message to Junk Email folder**, **Quarantine**, or **Delete message**). For simplicity, identifying a message as bulk and taking action on it is called **blocked** in the bulk senders insight.
+> The **Bulk threshold** value in an anti-spam policy determines the BCL threshold that's used to identify a message as bulk. For example, the **Bulk threshold** value 7 means that messages with the BCL value 7, 8, or 9 are identified as bulk. What happens to bulk messages is determined by the **Bulk complaint level (BCL) met or exceeded** action in the anti-spam policy (for example, **Move message to Junk Email folder**, **Quarantine**, or **Delete message**). For simplicity, identifying a message as bulk and taking action on it is called **blocked** in the bulk senders insight.
## Open the bulk senders insight in the Microsoft Defender portal
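Review bot: Since the commit message frames this as a one-off typo, the rest of anti-spam-bulk-senders-insight.md should be checked for the same "compliant" misspelling so every reference to the **Bulk complaint level (BCL) met or exceeded** action matches the corrected name here. The correction itself is right (BCL is the Bulk Complaint Level), and the surrounding example stays consistent with it: a **Bulk threshold** of 7 identifies messages with BCL 7, 8, or 9 as bulk.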