diff --git a/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md b/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md index 4dde9a602e..ac89969d30 100644 --- a/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md +++ b/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md @@ -13,7 +13,7 @@ This article lists daily operational activities that we recommend you perform wi Alerts and incidents are two of the most important items your security operations (SOC) team should be reviewing on a daily basis. -- Triage incidents and alerts regularly from the [incidents queue](https://security.microsoft.com/incidents-queue) in Microsoft Defender XDR, prioritizing high and medium severity alerts. +- Triage incidents and alerts regularly from the [incidents queue](https://security.microsoft.com/incidents) in Microsoft Defender XDR, prioritizing high and medium severity alerts. - If you're working with a SIEM system, your SIEM system is usually the first stop for triage. SIEM systems provide more context with extra logs and SOAR functionality. Then, use Microsoft Defender XDR for a deeper understanding of an alert or incident timeline. diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml index 5fe2259865..becadd494f 100644 --- a/defender-endpoint/TOC.yml +++ b/defender-endpoint/TOC.yml @@ -11,7 +11,7 @@ - name: Trial user guide - Microsoft Defender for Endpoint href: defender-endpoint-trial-user-guide.md - name: Pilot and deploy Defender for Endpoint - href: /defender-xdr/pilot-deploy-defender-endpoint?toc=/defender-xdr/TOC.json&bc=/defender-xdr/breadcrumb/toc.json + href: /defender-xdr/pilot-deploy-defender-endpoint?toc=/defender-endpoint/TOC.json&bc=/defender-endpoint/breadcrumb/toc.json - name: Minimum requirements href: minimum-requirements.md - name: Supported Microsoft Defender for Endpoint capabilities by platform diff --git a/defender-endpoint/breadcrumb/toc.yml b/defender-endpoint/breadcrumb/toc.yml index f2f5363fb8..8cbb9188d0 100644 --- a/defender-endpoint/breadcrumb/toc.yml +++ b/defender-endpoint/breadcrumb/toc.yml @@ -5,10 +5,9 @@ - name: 'Microsoft Defender for Endpoint' tocHref: /defender-endpoint/ topicHref: /defender-endpoint/index - items: - - name: 'Microsoft Defender XDR' - tocHref: /defender-xdr/ - topicHref: /defender-xdr/pilot-deploy-defender-office-365 - name: 'Microsoft Defender for Endpoint' tocHref: /mem/intune/protect/ topicHref: /mem/intune/protect/ + - name: 'Microsoft Defender for Endpoint' + tocHref: /defender-xdr/ + topicHref: /defender-xdr/pilot-deploy-defender-endpoint diff --git a/defender-endpoint/health-status.md b/defender-endpoint/health-status.md index b042f75141..d518707443 100644 --- a/defender-endpoint/health-status.md +++ b/defender-endpoint/health-status.md @@ -13,7 +13,7 @@ ms.collection: ms.topic: conceptual ms.subservice: onboard search.appverid: met150 -ms.date: 05/06/2021 +ms.date: 11/04/2024 --- # Investigate agent health issues @@ -24,53 +24,59 @@ ms.date: 05/06/2021 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) - [Microsoft Defender XDR](/defender-xdr) -The following table provides information on the values returned when you run the `mdatp health` command and their corresponding descriptions. +The following table provides information about the values that are returned when you run the `mdatp health` command and their corresponding descriptions. -|Value|Description| +| Value | Description | |---|---| -|automatic_definition_update_enabled|True if automatic antivirus definition updates are enabled, false otherwise.| -|cloud_automatic_sample_submission_consent|Current sample submission level. Can be one of the following values: | -|cloud_diagnostic_enabled|True if optional diagnostic data collection is enabled, false otherwise. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).| -|cloud_enabled|True if cloud-delivered protection is enabled, false otherwise.| -|conflicting_applications|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.| -|definitions_status|Status of antivirus definitions.| -|definitions_updated|Date and time of last antivirus definition update.| -|definitions_updated_minutes_ago|Number of minutes since last antivirus definition update.| -|definitions_version|Antivirus definition version.| -|edr_client_version|Version of the EDR client running on the device.| -|edr_configuration_version|EDR configuration version.| -|edr_device_tags|List of tags associated with the device.| -|edr_group_ids|Group ID that the device is associated with.| -|edr_machine_id|Device identifier used in Microsoft Defender XDR.| -|engine_version|Version of the antivirus engine.| -|healthy|True if the product is healthy, false otherwise.| -|licensed|True if the device is onboarded to a tenant, false otherwise.| -|log_level|Current log level for the product.| -|machine_guid|Unique machine identifier used by the antivirus component.| -|network_protection_status|Status of the network protection component (macOS only). Can be one of the following values: | -|org_id|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, this prints unavailable. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).| -|passive_mode_enabled|True if the antivirus component is set to run in passive mode, false otherwise.| -|product_expiration|Date and time when the current product version reaches end of support.| -|real_time_protection_available|True if the real-time protection component is healthy, false otherwise.| -|real_time_protection_enabled|True if real-time antivirus protection is enabled, false otherwise.| -|real_time_protection_subsystem|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, this prints unavailable.| -|release_ring|Release ring. For more information, see [Deployment rings](onboarding.md).| +| `app_version` | Displays Microsoft Defender application version.| +|`automatic_definition_update_enabled`|`True` if automatic antivirus definition updates are enabled; otherwise, `false`.| +|`behavior_monitoring`|Feature to detect real time threats and prevention by monitoring the behavior of applications, services, and files.

Can have one of the following values:
- **disabled** - default
- **enabled** | +|`cloud_automatic_sample_submission_consent`|Current sample submission level.

Can have one of the following values:
- **None**: No suspicious samples are submitted to Microsoft.
- **safe**: Only suspicious samples that don't contain personal data are submitted automatically. This value is the default value for this setting.
- **All**: All suspicious samples are submitted to Microsoft.| +|`cloud_diagnostic_enabled`|`True` if optional diagnostic data collection is enabled; otherwise, `false`.

For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).| +|`cloud_enabled`|`True` if cloud-delivered protection is enabled; otherwise, `false`.| +|`conflicting_applications`|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.| +|`definitions_status`|Status of antivirus definitions. Can have one of the following values:
- **up_to_date**
- **updating**
- **unavailable**| +|`definitions_updated`|Date and time of last antivirus definition update.| +|`definitions_updated_minutes_ago`|Number of minutes since last antivirus definition update.| +|`definitions_version`|Antivirus definition version.| +|`edr_client_version`|Version of the EDR client running on the device.| +|`edr_configuration_version`|EDR configuration version.| +|`edr_device_tags`|List of tags associated with the device.| +|`edr_early_preview_enabled`|Setting of edr early preview. Can have one of the following values:
- **disabled**
- **enabled**| +|`edr_group_ids`|Group ID that the device is associated with.| +|`edr_machine_id`|Device identifier used in the Microsoft Defender portal.| +|`engine_load_status`|Status of antivirus engine to determine whether it's running.

Can have one of the following values:
- **Engine not loaded** - antivirus engine process is down
- **Engine load succeeded** - antivirus engine process is up and running| +|`engine_version`|Version of the antivirus engine.| +|`healthy`|`True` if the product is healthy; otherwise, `false`.| +|`health_issues`|Lists health issues if any.| +|`licensed`|`True` if the device is onboarded to a tenant; otherwise, `false`.| +|`log_level`|Current log level for the product.

Can have one of the following values:
- **info**
- **debug**| +|`machine_guid`|Unique machine identifier used by the antivirus component.| +|`network_protection_enforcement_level`|Mode of network protection.

Can have one of the following:
- **disabled** - all components associated with network protection are disabled
- **block** - network protection prevents connection to malicious websites
- **audit** - Check how blocks occur| +|`network_protection_status`|Status of the network protection component (macOS only).

Can have one of the following values:
- **starting** - Network protection is starting
- **failed_to_start** - Network protection couldn't be started due to an error
- **started** - Network protection is running on the device
- **restarting** - Network protection is restarting
- **stopping** - Network protection is stopping
- **stopped** - Network protection isn't running| +|`org_id`|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, it shows as `unavailable`. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).| +|`passive_mode_enabled`|`True` if the antivirus component is set to run in passive mode; otherwise, `false`.| +|`product_expiration`|Date and time when the current product version reaches end of support.| +|`real_time_protection_available`|`True` if the real-time protection component is healthy; otherwise, `false`.| +|`real_time_protection_enabled`|`True` if real-time antivirus protection is enabled; otherwise, `false`.| +|`real_time_protection_subsystem`|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, it shows as `unavailable`.| +|`release_ring`|Release ring. For more information, see [Deployment rings](onboarding.md).| +|`supplementary_events_subsystem`|Subsystem that provides supplementary event data. Can have one of the following values:
- **ebpf** - Default from app version: `101.2408.0000`
- **auditd**| ## Component specific health You can get more detailed health information for different Defender's features with `mdatp health --details `. For example: ```bash + mdatp health --details edr -edr_early_preview_enabled : "disabled" -edr_device_tags : [] -edr_group_ids : "" -edr_configuration_version : "20.199999.main.2022.10.25.03-514032a834557bdd31ac415be6df278d9c2a4c25" -edr_machine_id : "a47ba049f43319ac669b6291ce73275cd445c9cd" -edr_sense_guid : "298a1a8c-04dd-4929-8efd-3bb14cb54b94" -edr_preferred_geo : "unitedstates" +mdatp health --details definitions + +mdatp health --details help + ``` -You can run `mdatp health --help` on recent versions to list all supported `feature`s. +You can run `mdatp health --help` on recent versions to list all supported features. + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] diff --git a/defender-endpoint/troubleshoot-onboarding.md b/defender-endpoint/troubleshoot-onboarding.md index 4353fdd419..a2d0f6afa4 100644 --- a/defender-endpoint/troubleshoot-onboarding.md +++ b/defender-endpoint/troubleshoot-onboarding.md @@ -13,7 +13,7 @@ ms.collection: ms.topic: troubleshooting ms.subservice: onboard search.appverid: met150 -ms.date: 09/18/2024 +ms.date: 11/04/2024 --- # Troubleshoot Microsoft Defender for Endpoint onboarding issues @@ -85,7 +85,7 @@ If the script fails and the event is an error, you can check the event ID in the |`10`|Onboarding data couldn't be written to registry|Check the permissions on the registry, specifically

`HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.

Verify that the script has been run as an administrator.| |`15`|Failed to start SENSE service|Check the service health (`sc query sense` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

If the device is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the device. If rebooting the device doesn't address the issue, upgrade to KB4015217 and try onboarding again.| |`15`|Failed to start SENSE service|If the message of the error is: System error 577 or error 1058 has occurred, you need to enable the Microsoft Defender Antivirus ELAM driver, see [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy) for instructions.| -|`15`|Failed to start SENSE service|The SENSE Feature on Demand (FoD) may not be installed. To determine whether it is installed, enter the following command from an Admin CMD/PowerShell prompt: `DISM.EXE /Online /Get-CapabilityInfo /CapabilityName:Microsoft.Windows.Sense.Client~~~` If it returns an error or the state is not "Installed," then the SENSE FoD must be installed. See [Available Features on Demand: SENSE Client for Microsoft Defender for Endpoint](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11&preserve-view=true) for installation instructions.| +|`15`|Failed to start SENSE service|The SENSE Feature on Demand (FoD) may not be installed. To determine whether it is installed, enter the following command from an Admin CMD/PowerShell prompt: `DISM.EXE /Online /Get-CapabilityInfo /CapabilityName:Microsoft.Windows.Sense.Client~~~~` If it returns an error or the state is not "Installed," then the SENSE FoD must be installed. See [Available Features on Demand: SENSE Client for Microsoft Defender for Endpoint](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11&preserve-view=true) for installation instructions.| |`30`|The script failed to wait for the service to start running|The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).| |`35`|The script failed to find needed onboarding status registry value|When the SENSE service starts for the first time, it writes onboarding status to the registry location

`HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`.

The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).| |`40`|SENSE service onboarding status isn't set to **1**|The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).| diff --git a/defender-office-365/TOC.yml b/defender-office-365/TOC.yml index 8e49fe3e4b..b5e990b60c 100644 --- a/defender-office-365/TOC.yml +++ b/defender-office-365/TOC.yml @@ -38,7 +38,7 @@ - name: Deploy items: - name: Pilot and deploy Defender for Office 365 - href: /defender-xdr/pilot-deploy-defender-office-365?toc=/defender-xdr/TOC.json&bc=/defender-xdr/breadcrumb/toc.json + href: /defender-xdr/pilot-deploy-defender-office-365?toc=/defender-office-365/TOC.json&bc=/defender-office-365/breadcrumb/toc.json - name: Get started with Microsoft Defender for Office 365 href: mdo-deployment-guide.md - name: Step 1 - Configure email authentication diff --git a/defender-office-365/breadcrumb/toc.yml b/defender-office-365/breadcrumb/toc.yml index 7bb4e72e14..cb856c7895 100644 --- a/defender-office-365/breadcrumb/toc.yml +++ b/defender-office-365/breadcrumb/toc.yml @@ -5,7 +5,7 @@ - name: 'Microsoft Defender for Office 365' tocHref: /defender-office-365/ topicHref: /defender-office-365/index - items: - - name: 'Microsoft Defender XDR' - tocHref: /defender-xdr/ - topicHref: /defender-xdr/pilot-deploy-defender-endpoint + - name: 'Microsoft Defender for Office 365' + tocHref: /defender-xdr/ + topicHref: /defender-xdr/pilot-deploy-defender-endpoint + diff --git a/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md b/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md index 175a995099..00a40a1a4b 100644 --- a/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md +++ b/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md @@ -27,7 +27,7 @@ appliesto: [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -An [incident](/defender-xdr/incidents-overview) in Microsoft Defender XDR is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 [alerts](/purview/alert-policies#default-alert-policies), [automated investigation and response (AIR)](air-about.md#the-overall-flow-of-air), and the outcome of the investigations are natively integrated and correlated on the **Incidents** page in Microsoft Defender XDR at . We refer to this page as the _Incidents queue_. +An [incident](/defender-xdr/incidents-overview) in Microsoft Defender XDR is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 [alerts](/purview/alert-policies#default-alert-policies), [automated investigation and response (AIR)](air-about.md#the-overall-flow-of-air), and the outcome of the investigations are natively integrated and correlated on the **Incidents** page in Microsoft Defender XDR at . We refer to this page as the _Incidents queue_. Alerts are created when malicious or suspicious activity affects an entity (for example, email, users, or mailboxes). Alerts provide valuable insights about in-progress or completed attacks. However, an ongoing attack can affect multiple entities, which results in multiple alerts from different sources. Some built-in alerts automatically trigger AIR playbooks. These playbooks do a series of investigation steps to look for other impacted entities or suspicious activity. @@ -36,7 +36,7 @@ Watch this short video on how to manage Microsoft Defender for Office 365 alerts Defender for Office 365 alerts, investigations, and their data are automatically correlated. When a relationship is determined, the system creates an incident to give security teams visibility for the entire attack. -We strongly recommend that SecOps teams manage incidents and alerts from Defender for Office 365 in the Incidents queue at . This approach has the following benefits: +We strongly recommend that SecOps teams manage incidents and alerts from Defender for Office 365 in the Incidents queue at . This approach has the following benefits: - Multiple options for [management](/defender-xdr/manage-incidents): - Prioritization @@ -75,7 +75,7 @@ We strongly recommend that SecOps teams manage incidents and alerts from Defende > [!NOTE] > Incidents don't just represent static events. They also represent attack stories that happen over time. As the attack progresses, new Defender for Office 365 alerts, AIR investigations, and their data are continuously added to the existing incident. -Manage incidents on the **Incidents** page in the Microsoft Defender portal at : +Manage incidents on the **Incidents** page in the Microsoft Defender portal at : :::image type="content" source="media/mdo-sec-ops-incidents.png" alt-text="Incidents page in the Microsoft Defender portal." lightbox="media/mdo-sec-ops-incidents.png"::: @@ -106,7 +106,7 @@ Security teams can take wide variety of response actions on email using Defender You can take these actions from the following locations: - - The **Evidence and response** tab from the details of the incident on the **Incidents** page** at (recommended). + - The **Evidence and response** tab from the details of the incident on the **Incidents** page** at (recommended). - **Threat Explorer** at . - The unified **Action center** at .