From e4b6befd70c986eca6b0a24832e2b35b7474a14d Mon Sep 17 00:00:00 2001 From: Jonathan Brockhausen Date: Thu, 31 Oct 2024 16:48:46 +0100 Subject: [PATCH 01/19] Missing tilde sign causing DISM command to fail DISM.EXE /Online /Get-CapabilityInfo /CapabilityName:Microsoft.Windows.Sense.Client~~~ does not work, with one more tilde (or alternatively no tildes at all) it does work --- defender-endpoint/troubleshoot-onboarding.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/troubleshoot-onboarding.md b/defender-endpoint/troubleshoot-onboarding.md index 4353fdd419..5ed21d35ed 100644 --- a/defender-endpoint/troubleshoot-onboarding.md +++ b/defender-endpoint/troubleshoot-onboarding.md @@ -85,7 +85,7 @@ If the script fails and the event is an error, you can check the event ID in the |`10`|Onboarding data couldn't be written to registry|Check the permissions on the registry, specifically

`HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.

Verify that the script has been run as an administrator.| |`15`|Failed to start SENSE service|Check the service health (`sc query sense` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

If the device is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the device. If rebooting the device doesn't address the issue, upgrade to KB4015217 and try onboarding again.| |`15`|Failed to start SENSE service|If the message of the error is: System error 577 or error 1058 has occurred, you need to enable the Microsoft Defender Antivirus ELAM driver, see [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy) for instructions.| -|`15`|Failed to start SENSE service|The SENSE Feature on Demand (FoD) may not be installed. To determine whether it is installed, enter the following command from an Admin CMD/PowerShell prompt: `DISM.EXE /Online /Get-CapabilityInfo /CapabilityName:Microsoft.Windows.Sense.Client~~~` If it returns an error or the state is not "Installed," then the SENSE FoD must be installed. See [Available Features on Demand: SENSE Client for Microsoft Defender for Endpoint](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11&preserve-view=true) for installation instructions.| +|`15`|Failed to start SENSE service|The SENSE Feature on Demand (FoD) may not be installed. To determine whether it is installed, enter the following command from an Admin CMD/PowerShell prompt: `DISM.EXE /Online /Get-CapabilityInfo /CapabilityName:Microsoft.Windows.Sense.Client~~~~` If it returns an error or the state is not "Installed," then the SENSE FoD must be installed. See [Available Features on Demand: SENSE Client for Microsoft Defender for Endpoint](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11&preserve-view=true) for installation instructions.| |`30`|The script failed to wait for the service to start running|The service could have taken more time to start or has encountered errors while trying to start. 
For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).| |`35`|The script failed to find needed onboarding status registry value|When the SENSE service starts for the first time, it writes onboarding status to the registry location

`HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`.

The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).| |`40`|SENSE service onboarding status isn't set to **1**|The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).| From e4ba9ae79e930bab0f82375aee707252b6dbc5e6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 4 Nov 2024 10:17:49 -0800 Subject: [PATCH 02/19] Update troubleshoot-onboarding.md --- defender-endpoint/troubleshoot-onboarding.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/troubleshoot-onboarding.md b/defender-endpoint/troubleshoot-onboarding.md index 5ed21d35ed..a2d0f6afa4 100644 --- a/defender-endpoint/troubleshoot-onboarding.md +++ b/defender-endpoint/troubleshoot-onboarding.md @@ -13,7 +13,7 @@ ms.collection: ms.topic: troubleshooting ms.subservice: onboard search.appverid: met150 -ms.date: 09/18/2024 +ms.date: 11/04/2024 --- # Troubleshoot Microsoft Defender for Endpoint onboarding issues From 52c9b8a8fc6f176267ad79a1b2975cdb8830f593 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Mon, 4 Nov 2024 10:31:11 -0800 Subject: [PATCH 03/19] Update health-status.md --- defender-endpoint/health-status.md | 33 +++++++++++++++++------------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/defender-endpoint/health-status.md b/defender-endpoint/health-status.md index b042f75141..e40bb0dfda 100644 --- a/defender-endpoint/health-status.md +++ b/defender-endpoint/health-status.md @@ -13,7 +13,7 @@ ms.collection: ms.topic: conceptual ms.subservice: onboard search.appverid: met150 -ms.date: 05/06/2021 +ms.date: 11/04/2024 --- # Investigate agent health issues 
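Review bot: In the `@@ -85,7 +85,7 @@` hunk of PATCH 01/19 the change from `~~~` to `~~~~` fixes the command, but the row still gives the reader no hint that the trailing tildes are deliberate, which is how the three-tilde form slipped in originally; the commit message says the bare name also works, so consider adding a short parenthetical after the command such as "(the trailing tildes are part of the capability identity and must be four, or omitted entirely)", or quoting the bare `Microsoft.Windows.Sense.Client` form instead. Note also that the rewritten row keeps `"Installed,"` with the comma inside the quotes although the value is a literal state string; `"Installed",` is clearer.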
@@ -24,30 +24,36 @@ ms.date: 05/06/2021 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) - [Microsoft Defender XDR](/defender-xdr) -The following table provides information on the values returned when you run the `mdatp health` command and their corresponding descriptions. +The following table provides information about the values that are returned when you run the `mdatp health` command and their corresponding descriptions. |Value|Description| |---|---| +|app_version|Running defender application version.| |automatic_definition_update_enabled|True if automatic antivirus definition updates are enabled, false otherwise.| -|cloud_automatic_sample_submission_consent|Current sample submission level. Can be one of the following values:

| +|behavior_monitoring|Feature to detect real time threats and prevention by monitoring the behavior of applications, services, and files. Can be one of the following: | +|cloud_automatic_sample_submission_consent|Current sample submission level. Can be one of the following values: | |cloud_diagnostic_enabled|True if optional diagnostic data collection is enabled, false otherwise. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).| |cloud_enabled|True if cloud-delivered protection is enabled, false otherwise.| |conflicting_applications|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.| -|definitions_status|Status of antivirus definitions.| +|definitions_status|Status of antivirus definitions. Can be one of the following: | |definitions_updated|Date and time of last antivirus definition update.| |definitions_updated_minutes_ago|Number of minutes since last antivirus definition update.| |definitions_version|Antivirus definition version.| |edr_client_version|Version of the EDR client running on the device.| |edr_configuration_version|EDR configuration version.| |edr_device_tags|List of tags associated with the device.| +|edr_early_preview_enabled|Setting of edr early preview. Can be one of the following: | |edr_group_ids|Group ID that the device is associated with.| |edr_machine_id|Device identifier used in Microsoft Defender XDR.| +|engine_load_status|Status of antivirus engine whether its running. 
Can be one of the following: | |engine_version|Version of the antivirus engine.| |healthy|True if the product is healthy, false otherwise.| +|health_issues|Lists health issues if any.| |licensed|True if the device is onboarded to a tenant, false otherwise.| -|log_level|Current log level for the product.| +|log_level|Current log level for the product. Can be one of the following values: | |machine_guid|Unique machine identifier used by the antivirus component.| -|network_protection_status|Status of the network protection component (macOS only). Can be one of the following values: | +|network_protection_enforcement_level|Mode of network protection. Can be one of the following: | +|network_protection_status|Status of the network protection component (macOS only). Can be one of the following values: | |org_id|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, this prints unavailable. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).| |passive_mode_enabled|True if the antivirus component is set to run in passive mode, false otherwise.| |product_expiration|Date and time when the current product version reaches end of support.| @@ -55,6 +61,7 @@ The following table provides information on the values returned when you run the |real_time_protection_enabled|True if real-time antivirus protection is enabled, false otherwise.| |real_time_protection_subsystem|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, this prints unavailable.| |release_ring|Release ring. For more information, see [Deployment rings](onboarding.md).| +|supplementary_events_subsystem|Subsystem that provides supplementary event data. Can be one of the following values: | ## Component specific health 
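Review bot: In the `@@ -24,30 +24,36 @@` hunk of PATCH 03/19 the new `engine_load_status` description, "Status of antivirus engine whether its running", is ungrammatical ("its" for "it's", and no verb binding the clauses); "Whether the antivirus engine process is running" says the same thing. The new `behavior_monitoring` description, "Feature to detect real time threats and prevention by monitoring the behavior of applications, services, and files", mixes a noun phrase and a verb phrase; suggest "Detects and prevents threats in real time by monitoring the behavior of applications, services, and files." Smaller points: "Running defender application version" should capitalize Defender, "Setting of edr early preview" should read "EDR early preview setting", and the added rows (`app_version`, `behavior_monitoring`, `edr_early_preview_enabled`, `engine_load_status`, `health_issues`, `network_protection_enforcement_level`, `supplementary_events_subsystem`) are the rows readers will grep for, so wrapping the value names in backticks in this commit would avoid the follow-up formatting passes.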
@@ -63,14 +70,12 @@ You can get more detailed health information for different Defender's features w ```bash mdatp health --details edr -edr_early_preview_enabled : "disabled" -edr_device_tags : [] -edr_group_ids : "" -edr_configuration_version : "20.199999.main.2022.10.25.03-514032a834557bdd31ac415be6df278d9c2a4c25" -edr_machine_id : "a47ba049f43319ac669b6291ce73275cd445c9cd" -edr_sense_guid : "298a1a8c-04dd-4929-8efd-3bb14cb54b94" -edr_preferred_geo : "unitedstates" +mdatp health --details definitions + +mdatp health --details help + ``` -You can run `mdatp health --help` on recent versions to list all supported `feature`s. +You can run `mdatp health --help` on recent versions to list all supported features. + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] From 8413bf41b8d9762e3e56872b391a63d7aa20569a Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Mon, 4 Nov 2024 10:39:46 -0800 Subject: [PATCH 04/19] Update health-status.md --- defender-endpoint/health-status.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/defender-endpoint/health-status.md b/defender-endpoint/health-status.md index e40bb0dfda..13e0f8d37e 100644 --- a/defender-endpoint/health-status.md +++ b/defender-endpoint/health-status.md 
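Review bot: In the `@@ -63,14 +70,12 @@` hunk of PATCH 03/19 the added `mdatp health --details help` line is doubtful: the sentence immediately below this block says `mdatp health --help` is the way to list supported features, and nothing on the page shows `help` as a valid argument to `--details`, so either confirm that it runs or drop the line. Removing the sample `edr` output also removes the only illustration of what `--details` returns; the old block did expose what look like real `edr_machine_id` and `edr_sense_guid` values, so rather than deleting it, keep a short output sample with clearly placeholder identifiers. In the unchanged context line, "different Defender's features" should read "different Defender features".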
@@ -26,16 +26,16 @@ ms.date: 11/04/2024 The following table provides information about the values that are returned when you run the `mdatp health` command and their corresponding descriptions. -|Value|Description| +| Value | Description | |---|---| -|app_version|Running defender application version.| -|automatic_definition_update_enabled|True if automatic antivirus definition updates are enabled, false otherwise.| -|behavior_monitoring|Feature to detect real time threats and prevention by monitoring the behavior of applications, services, and files. Can be one of the following: | -|cloud_automatic_sample_submission_consent|Current sample submission level. Can be one of the following values: | -|cloud_diagnostic_enabled|True if optional diagnostic data collection is enabled, false otherwise. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).| -|cloud_enabled|True if cloud-delivered protection is enabled, false otherwise.| -|conflicting_applications|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.| -|definitions_status|Status of antivirus definitions. Can be one of the following: | +| `app_version` | Displays Microsoft Defender application version.| +|`automatic_definition_update_enabled`|`True` if automatic antivirus definition updates are enabled; otherwise, `false`.| +|`behavior_monitoring`|Feature to detect real time threats and prevention by monitoring the behavior of applications, services, and files.

Can be one of the following:
- **disabled** - default
- **enabled** | +|`cloud_automatic_sample_submission_consent`|Current sample submission level.

Can be one of the following values:
- **None**: No suspicious samples are submitted to Microsoft.
- **safe**: Only suspicious samples that don't contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
- **All**: All suspicious samples are submitted to Microsoft.| +|`cloud_diagnostic_enabled`|`True` if optional diagnostic data collection is enabled; otherwise, `false`.

For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).| +|`cloud_enabled`|`True` if cloud-delivered protection is enabled; otherwise, `false`.| +|`conflicting_applications`|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.| +|definitions_status|Status of antivirus definitions. Can be one of the following:
- **up_to_date**
- **updating**
- **unavailable**| |definitions_updated|Date and time of last antivirus definition update.| |definitions_updated_minutes_ago|Number of minutes since last antivirus definition update.| |definitions_version|Antivirus definition version.| From 16687f1642ebc653c96b379124746a34cbb0d850 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Mon, 4 Nov 2024 10:50:58 -0800 Subject: [PATCH 05/19] Update health-status.md --- defender-endpoint/health-status.md | 52 +++++++++++++++--------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/defender-endpoint/health-status.md b/defender-endpoint/health-status.md index 13e0f8d37e..b75d77997e 100644 --- a/defender-endpoint/health-status.md +++ b/defender-endpoint/health-status.md @@ -36,32 +36,32 @@ The following table provides information about the values that are returned when |`cloud_enabled`|`True` if cloud-delivered protection is enabled; otherwise, `false`.| |`conflicting_applications`|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.| |definitions_status|Status of antivirus definitions. Can be one of the following:
- **up_to_date**
- **updating**
- **unavailable**| -|definitions_updated|Date and time of last antivirus definition update.| -|definitions_updated_minutes_ago|Number of minutes since last antivirus definition update.| -|definitions_version|Antivirus definition version.| -|edr_client_version|Version of the EDR client running on the device.| -|edr_configuration_version|EDR configuration version.| -|edr_device_tags|List of tags associated with the device.| -|edr_early_preview_enabled|Setting of edr early preview. Can be one of the following:
  • **disabled**
  • **enabled**
| -|edr_group_ids|Group ID that the device is associated with.| -|edr_machine_id|Device identifier used in Microsoft Defender XDR.| -|engine_load_status|Status of antivirus engine whether its running. Can be one of the following:
  • **Engine not loaded** - AV engine process is down
  • **Engine load succeeded** - AV engine process is up and running
| -|engine_version|Version of the antivirus engine.| -|healthy|True if the product is healthy, false otherwise.| -|health_issues|Lists health issues if any.| -|licensed|True if the device is onboarded to a tenant, false otherwise.| -|log_level|Current log level for the product. Can be one of the following values:
  • **info**
  • **debug**
| -|machine_guid|Unique machine identifier used by the antivirus component.| -|network_protection_enforcement_level|Mode of network protection. Can be one of the following:
  • **disabled** - all components associated with network protection are disabled
  • **block** - network protection prevents connection to malicious websites
  • **audit** - Check how blocks occur
| -|network_protection_status|Status of the network protection component (macOS only). Can be one of the following values:
  • **starting** - Network protection is starting
  • **failed_to_start** - Network protection couldn't be started due to an error
  • **started** - Network protection is running on the device
  • **restarting** - Network protection is restarting
  • **stopping** - Network protection is stopping
  • **stopped** - Network protection isn't running
| -|org_id|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, this prints unavailable. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).| -|passive_mode_enabled|True if the antivirus component is set to run in passive mode, false otherwise.| -|product_expiration|Date and time when the current product version reaches end of support.| -|real_time_protection_available|True if the real-time protection component is healthy, false otherwise.| -|real_time_protection_enabled|True if real-time antivirus protection is enabled, false otherwise.| -|real_time_protection_subsystem|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, this prints unavailable.| -|release_ring|Release ring. For more information, see [Deployment rings](onboarding.md).| -|supplementary_events_subsystem|Subsystem that provides supplementary event data. Can be one of the following values:
  • **ebpf** - Default from app version: 101.2408.0000
  • **auditd**
| +|`definitions_updated`|Date and time of last antivirus definition update.| +|`definitions_updated_minutes_ago`|Number of minutes since last antivirus definition update.| +|`definitions_version`|Antivirus definition version.| +|`edr_client_version`|Version of the EDR client running on the device.| +|`edr_configuration_version`|EDR configuration version.| +|`edr_device_tags`|List of tags associated with the device.| +|`edr_early_preview_enabled`|Setting of edr early preview. Can be one of the following:
- **disabled**
- **enabled**| +|`edr_group_ids`|Group ID that the device is associated with.| +|`edr_machine_id`|Device identifier used in the Microsoft Defender portal.| +|`engine_load_status`|Status of antivirus engine to determine whether it's running. Can be one of the following:
- **Engine not loaded** - antivirus engine process is down
- **Engine load succeeded** - antivirus engine process is up and running| +|`engine_version`|Version of the antivirus engine.| +|`healthy`|`True` if the product is healthy, `false` otherwise.| +|`health_issues`|Lists health issues if any.| +|`licensed`|`True` if the device is onboarded to a tenant, `false` otherwise.| +|`log_level`|Current log level for the product. Can be one of the following values:
- **info**
- **debug**| +|`machine_guid`|Unique machine identifier used by the antivirus component.| +|`network_protection_enforcement_level`|Mode of network protection.

Can be one of the following:
- **disabled** - all components associated with network protection are disabled
- **block** - network protection prevents connection to malicious websites
- **audit** - Check how blocks occur| +|`network_protection_status`|Status of the network protection component (macOS only).

Can be one of the following values:
- **starting** - Network protection is starting
- **failed_to_start** - Network protection couldn't be started due to an error
- **started** - Network protection is running on the device
- **restarting** - Network protection is restarting
- **stopping** - Network protection is stopping
- **stopped** - Network protection isn't running| +|`org_id`|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, it shows as `unavailable`. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).| +|`passive_mode_enabled`|`True` if the antivirus component is set to run in passive mode, `false` otherwise.| +|`product_expiration`|Date and time when the current product version reaches end of support.| +|`real_time_protection_available`|`True` if the real-time protection component is healthy, `false` otherwise.| +|`real_time_protection_enabled`|`True` if real-time antivirus protection is enabled, `false` otherwise.| +|`real_time_protection_subsystem`|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, it shows as `unavailable`.| +|`release_ring`|Release ring. For more information, see [Deployment rings](onboarding.md).| +|`supplementary_events_subsystem`|Subsystem that provides supplementary event data. Can be one of the following values:
- **ebpf** - Default from app version: `101.2408.0000`
- **auditd**| ## Component specific health From d6e3dc19c7f5d6ff20d77250fee1b2b485f3a972 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Mon, 4 Nov 2024 10:53:11 -0800 Subject: [PATCH 06/19] Update health-status.md --- defender-endpoint/health-status.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/health-status.md b/defender-endpoint/health-status.md index b75d77997e..b9bbf7a61a 100644 --- a/defender-endpoint/health-status.md +++ b/defender-endpoint/health-status.md @@ -47,9 +47,9 @@ The following table provides information about the values that are returned when |`edr_machine_id`|Device identifier used in the Microsoft Defender portal.| |`engine_load_status`|Status of antivirus engine to determine whether it's running. Can be one of the following:
- **Engine not loaded** - antivirus engine process is down
- **Engine load succeeded** - antivirus engine process is up and running| |`engine_version`|Version of the antivirus engine.| -|`healthy`|`True` if the product is healthy, `false` otherwise.| +|`healthy`|`True` if the product is healthy; otherwise, `false`.| |`health_issues`|Lists health issues if any.| -|`licensed`|`True` if the device is onboarded to a tenant, `false` otherwise.| +|`licensed`|`True` if the device is onboarded to a tenant; otherwise, `false`.| |`log_level`|Current log level for the product. Can be one of the following values:
- **info**
- **debug**| |`machine_guid`|Unique machine identifier used by the antivirus component.| |`network_protection_enforcement_level`|Mode of network protection.

Can be one of the following:
- **disabled** - all components associated with network protection are disabled
- **block** - network protection prevents connection to malicious websites
- **audit** - Check how blocks occur| From 8f707af91cd3484bb36499e46df9b87b0d50e60f Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Mon, 4 Nov 2024 10:54:30 -0800 Subject: [PATCH 07/19] Update health-status.md --- defender-endpoint/health-status.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/defender-endpoint/health-status.md b/defender-endpoint/health-status.md index b9bbf7a61a..b999f8d6da 100644 --- a/defender-endpoint/health-status.md +++ b/defender-endpoint/health-status.md @@ -45,20 +45,20 @@ The following table provides information about the values that are returned when |`edr_early_preview_enabled`|Setting of edr early preview. Can be one of the following:
- **disabled**
- **enabled**| |`edr_group_ids`|Group ID that the device is associated with.| |`edr_machine_id`|Device identifier used in the Microsoft Defender portal.| -|`engine_load_status`|Status of antivirus engine to determine whether it's running. Can be one of the following:
- **Engine not loaded** - antivirus engine process is down
- **Engine load succeeded** - antivirus engine process is up and running| +|`engine_load_status`|Status of antivirus engine to determine whether it's running.

Can be one of the following:
- **Engine not loaded** - antivirus engine process is down
- **Engine load succeeded** - antivirus engine process is up and running| |`engine_version`|Version of the antivirus engine.| |`healthy`|`True` if the product is healthy; otherwise, `false`.| |`health_issues`|Lists health issues if any.| |`licensed`|`True` if the device is onboarded to a tenant; otherwise, `false`.| -|`log_level`|Current log level for the product. Can be one of the following values:
- **info**
- **debug**| +|`log_level`|Current log level for the product.

Can be one of the following values:
- **info**
- **debug**| |`machine_guid`|Unique machine identifier used by the antivirus component.| |`network_protection_enforcement_level`|Mode of network protection.

Can be one of the following:
- **disabled** - all components associated with network protection are disabled
- **block** - network protection prevents connection to malicious websites
- **audit** - Check how blocks occur| |`network_protection_status`|Status of the network protection component (macOS only).

Can be one of the following values:
- **starting** - Network protection is starting
- **failed_to_start** - Network protection couldn't be started due to an error
- **started** - Network protection is running on the device
- **restarting** - Network protection is restarting
- **stopping** - Network protection is stopping
- **stopped** - Network protection isn't running| |`org_id`|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, it shows as `unavailable`. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).| -|`passive_mode_enabled`|`True` if the antivirus component is set to run in passive mode, `false` otherwise.| +|`passive_mode_enabled`|`True` if the antivirus component is set to run in passive mode; otherwise, `false`.| |`product_expiration`|Date and time when the current product version reaches end of support.| -|`real_time_protection_available`|`True` if the real-time protection component is healthy, `false` otherwise.| -|`real_time_protection_enabled`|`True` if real-time antivirus protection is enabled, `false` otherwise.| +|`real_time_protection_available`|`True` if the real-time protection component is healthy; otherwise, `false`.| +|`real_time_protection_enabled`|`True` if real-time antivirus protection is enabled; otherwise, `false`.| |`real_time_protection_subsystem`|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, it shows as `unavailable`.| |`release_ring`|Release ring. For more information, see [Deployment rings](onboarding.md).| |`supplementary_events_subsystem`|Subsystem that provides supplementary event data. Can be one of the following values:
- **ebpf** - Default from app version: `101.2408.0000`
- **auditd**| From b233435d7c3ad3c855f21b271c67d66e7ce51dba Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Mon, 4 Nov 2024 10:55:06 -0800 Subject: [PATCH 08/19] Update health-status.md --- defender-endpoint/health-status.md | 1 + 1 file changed, 1 insertion(+) diff --git a/defender-endpoint/health-status.md b/defender-endpoint/health-status.md index b999f8d6da..9c95a595ac 100644 --- a/defender-endpoint/health-status.md +++ b/defender-endpoint/health-status.md @@ -68,6 +68,7 @@ The following table provides information about the values that are returned when You can get more detailed health information for different Defender's features with `mdatp health --details `. For example: ```bash + mdatp health --details edr mdatp health --details definitions From 038282ed0122677e760f9478b43b22323136d8de Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Mon, 4 Nov 2024 10:56:47 -0800 Subject: [PATCH 09/19] Update health-status.md --- defender-endpoint/health-status.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/health-status.md b/defender-endpoint/health-status.md index 9c95a595ac..19fe58537a 100644 --- a/defender-endpoint/health-status.md +++ b/defender-endpoint/health-status.md @@ -30,8 +30,8 @@ The following table provides information about the values that are returned when |---|---| | `app_version` | Displays Microsoft Defender application version.| |`automatic_definition_update_enabled`|`True` if automatic antivirus definition updates are enabled; otherwise, `false`.| -|`behavior_monitoring`|Feature to detect real time threats and prevention by monitoring the behavior of applications, services, and files.

Can be one of the following:
- **disabled** - default
- **enabled** | -|`cloud_automatic_sample_submission_consent`|Current sample submission level.

Can be one of the following values:
- **None**: No suspicious samples are submitted to Microsoft.
- **safe**: Only suspicious samples that don't contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
- **All**: All suspicious samples are submitted to Microsoft.| +|`behavior_monitoring`|Feature to detect real time threats and prevention by monitoring the behavior of applications, services, and files.

Can have one of the following values:
- **disabled** - default
- **enabled** | +|`cloud_automatic_sample_submission_consent`|Current sample submission level.

Can have one of the following values:
- **None**: No suspicious samples are submitted to Microsoft.
- **safe**: Only suspicious samples that don't contain personal data are submitted automatically. This value is the default value for this setting.
- **All**: All suspicious samples are submitted to Microsoft.| |`cloud_diagnostic_enabled`|`True` if optional diagnostic data collection is enabled; otherwise, `false`.

For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).| |`cloud_enabled`|`True` if cloud-delivered protection is enabled; otherwise, `false`.| |`conflicting_applications`|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.| @@ -42,7 +42,7 @@ The following table provides information about the values that are returned when |`edr_client_version`|Version of the EDR client running on the device.| |`edr_configuration_version`|EDR configuration version.| |`edr_device_tags`|List of tags associated with the device.| -|`edr_early_preview_enabled`|Setting of edr early preview. Can be one of the following:
- **disabled**
- **enabled**| +|`edr_early_preview_enabled`|Setting of edr early preview. Can have one of the following values:
- **disabled**
- **enabled**| |`edr_group_ids`|Group ID that the device is associated with.| |`edr_machine_id`|Device identifier used in the Microsoft Defender portal.| |`engine_load_status`|Status of antivirus engine to determine whether it's running.

Can be one of the following:
- **Engine not loaded** - antivirus engine process is down
- **Engine load succeeded** - antivirus engine process is up and running| From 2cbf5b7825ce7977673a4fa180f53362a633660f Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Mon, 4 Nov 2024 10:59:01 -0800 Subject: [PATCH 10/19] Update health-status.md --- defender-endpoint/health-status.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/defender-endpoint/health-status.md b/defender-endpoint/health-status.md index 19fe58537a..008fc5719e 100644 --- a/defender-endpoint/health-status.md +++ b/defender-endpoint/health-status.md @@ -35,7 +35,7 @@ The following table provides information about the values that are returned when |`cloud_diagnostic_enabled`|`True` if optional diagnostic data collection is enabled; otherwise, `false`.

For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).| |`cloud_enabled`|`True` if cloud-delivered protection is enabled; otherwise, `false`.| |`conflicting_applications`|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.| -|definitions_status|Status of antivirus definitions. Can be one of the following:
- **up_to_date**
- **updating**
- **unavailable**| +|definitions_status|Status of antivirus definitions. Can have one of the following values:
- **up_to_date**
- **updating**
- **unavailable**| |`definitions_updated`|Date and time of last antivirus definition update.| |`definitions_updated_minutes_ago`|Number of minutes since last antivirus definition update.| |`definitions_version`|Antivirus definition version.| @@ -45,15 +45,15 @@ The following table provides information about the values that are returned when |`edr_early_preview_enabled`|Setting of edr early preview. Can have one of the following values:
- **disabled**
- **enabled**| |`edr_group_ids`|Group ID that the device is associated with.| |`edr_machine_id`|Device identifier used in the Microsoft Defender portal.| -|`engine_load_status`|Status of antivirus engine to determine whether it's running.

Can be one of the following:
- **Engine not loaded** - antivirus engine process is down
- **Engine load succeeded** - antivirus engine process is up and running| +|`engine_load_status`|Status of antivirus engine to determine whether it's running.

Can have one of the following values:
- **Engine not loaded** - antivirus engine process is down
- **Engine load succeeded** - antivirus engine process is up and running| |`engine_version`|Version of the antivirus engine.| |`healthy`|`True` if the product is healthy; otherwise, `false`.| |`health_issues`|Lists health issues if any.| |`licensed`|`True` if the device is onboarded to a tenant; otherwise, `false`.| -|`log_level`|Current log level for the product.

Can be one of the following values:
- **info**
- **debug**| +|`log_level`|Current log level for the product.

Can have one of the following values:
- **info**
- **debug**| |`machine_guid`|Unique machine identifier used by the antivirus component.| -|`network_protection_enforcement_level`|Mode of network protection.

Can be one of the following:
- **disabled** - all components associated with network protection are disabled
- **block** - network protection prevents connection to malicious websites
- **audit** - Check how blocks occur| -|`network_protection_status`|Status of the network protection component (macOS only).

Can be one of the following values:
- **starting** - Network protection is starting
- **failed_to_start** - Network protection couldn't be started due to an error
- **started** - Network protection is running on the device
- **restarting** - Network protection is restarting
- **stopping** - Network protection is stopping
- **stopped** - Network protection isn't running| +|`network_protection_enforcement_level`|Mode of network protection.

Can have one of the following:
- **disabled** - all components associated with network protection are disabled
- **block** - network protection prevents connection to malicious websites
- **audit** - Check how blocks occur| +|`network_protection_status`|Status of the network protection component (macOS only).

Can have one of the following values:
- **starting** - Network protection is starting
- **failed_to_start** - Network protection couldn't be started due to an error
- **started** - Network protection is running on the device
- **restarting** - Network protection is restarting
- **stopping** - Network protection is stopping
- **stopped** - Network protection isn't running| |`org_id`|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, it shows as `unavailable`. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).| |`passive_mode_enabled`|`True` if the antivirus component is set to run in passive mode; otherwise, `false`.| |`product_expiration`|Date and time when the current product version reaches end of support.| @@ -61,7 +61,7 @@ The following table provides information about the values that are returned when |`real_time_protection_enabled`|`True` if real-time antivirus protection is enabled; otherwise, `false`.| |`real_time_protection_subsystem`|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, it shows as `unavailable`.| |`release_ring`|Release ring. For more information, see [Deployment rings](onboarding.md).| -|`supplementary_events_subsystem`|Subsystem that provides supplementary event data. Can be one of the following values:
- **ebpf** - Default from app version: `101.2408.0000`
- **auditd**| +|`supplementary_events_subsystem`|Subsystem that provides supplementary event data. Can have one of the following values:
- **ebpf** - Default from app version: `101.2408.0000`
- **auditd**| ## Component specific health From 59c5585c8a723012482e9b5db26d0c4409936390 Mon Sep 17 00:00:00 2001 From: Stacyrch140 <102548089+Stacyrch140@users.noreply.github.com> Date: Mon, 4 Nov 2024 14:19:19 -0500 Subject: [PATCH 11/19] pencil edit --- defender-endpoint/health-status.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/health-status.md b/defender-endpoint/health-status.md index 008fc5719e..d518707443 100644 --- a/defender-endpoint/health-status.md +++ b/defender-endpoint/health-status.md @@ -35,7 +35,7 @@ The following table provides information about the values that are returned when |`cloud_diagnostic_enabled`|`True` if optional diagnostic data collection is enabled; otherwise, `false`.

For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).| |`cloud_enabled`|`True` if cloud-delivered protection is enabled; otherwise, `false`.| |`conflicting_applications`|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.| -|definitions_status|Status of antivirus definitions. Can have one of the following values:
- **up_to_date**
- **updating**
- **unavailable**| +|`definitions_status`|Status of antivirus definitions. Can have one of the following values:
- **up_to_date**
- **updating**
- **unavailable**| |`definitions_updated`|Date and time of last antivirus definition update.| |`definitions_updated_minutes_ago`|Number of minutes since last antivirus definition update.| |`definitions_version`|Antivirus definition version.| From 170be74d78da1df1e2a9c6e8057d4e64d42e9bd5 Mon Sep 17 00:00:00 2001 From: David Strome <21028455+dstrome@users.noreply.github.com> Date: Mon, 4 Nov 2024 13:38:41 -0800 Subject: [PATCH 12/19] Fix line 14 contextual link --- defender-endpoint/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml index 5fe2259865..becadd494f 100644 --- a/defender-endpoint/TOC.yml +++ b/defender-endpoint/TOC.yml @@ -11,7 +11,7 @@ - name: Trial user guide - Microsoft Defender for Endpoint href: defender-endpoint-trial-user-guide.md - name: Pilot and deploy Defender for Endpoint - href: /defender-xdr/pilot-deploy-defender-endpoint?toc=/defender-xdr/TOC.json&bc=/defender-xdr/breadcrumb/toc.json + href: /defender-xdr/pilot-deploy-defender-endpoint?toc=/defender-endpoint/TOC.json&bc=/defender-endpoint/breadcrumb/toc.json - name: Minimum requirements href: minimum-requirements.md - name: Supported Microsoft Defender for Endpoint capabilities by platform From 1aed488a63dfb76a6dc3a78f403d17abc918a0d1 Mon Sep 17 00:00:00 2001 From: David Strome <21028455+dstrome@users.noreply.github.com> Date: Mon, 4 Nov 2024 13:39:33 -0800 Subject: [PATCH 13/19] remove xdr entry --- defender-endpoint/breadcrumb/toc.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/defender-endpoint/breadcrumb/toc.yml b/defender-endpoint/breadcrumb/toc.yml index f2f5363fb8..6cf155cdb9 100644 --- a/defender-endpoint/breadcrumb/toc.yml +++ b/defender-endpoint/breadcrumb/toc.yml 
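Review bot: in the @@ -35,7 hunk of 10/19 the rewritten `definitions_status` row is still the only key in the table without backticks (both the `-` and the `+` line read `|definitions_status|`); since the line is being edited anyway, write it as `|`definitions_status`|` here rather than leaving it to the separate "pencil edit" in 11/19, and squash 11/19 into this commit.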
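Review bot: the `network_protection_enforcement_level` row in the @@ -45,15 hunk of 10/19 is reworded to "Can have one of the following:" while every other row this patch touches (`engine_load_status`, `log_level`, `network_protection_status`, `definitions_status`, `supplementary_events_subsystem`) reads "Can have one of the following values:"; add "values" there so the table stays consistent. While in this hunk, the unchanged context line "Setting of edr early preview" for `edr_early_preview_enabled` would read better as "EDR early preview", matching the capitalisation of "Version of the EDR client running on the device" in the same table.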
@@ -5,10 +5,6 @@ - name: 'Microsoft Defender for Endpoint' tocHref: /defender-endpoint/ topicHref: /defender-endpoint/index - items: - - name: 'Microsoft Defender XDR' - tocHref: /defender-xdr/ - topicHref: /defender-xdr/pilot-deploy-defender-office-365 - name: 'Microsoft Defender for Endpoint' tocHref: /mem/intune/protect/ topicHref: /mem/intune/protect/ From ba989c7e777e63fd351ccf7b57f6686e2f03838b Mon Sep 17 00:00:00 2001 From: David Strome <21028455+dstrome@users.noreply.github.com> Date: Mon, 4 Nov 2024 13:41:35 -0800 Subject: [PATCH 14/19] fix line 41 contextual link --- defender-office-365/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-office-365/TOC.yml b/defender-office-365/TOC.yml index 8e49fe3e4b..b5e990b60c 100644 --- a/defender-office-365/TOC.yml +++ b/defender-office-365/TOC.yml @@ -38,7 +38,7 @@ - name: Deploy items: - name: Pilot and deploy Defender for Office 365 - href: /defender-xdr/pilot-deploy-defender-office-365?toc=/defender-xdr/TOC.json&bc=/defender-xdr/breadcrumb/toc.json + href: /defender-xdr/pilot-deploy-defender-office-365?toc=/defender-office-365/TOC.json&bc=/defender-office-365/breadcrumb/toc.json - name: Get started with Microsoft Defender for Office 365 href: mdo-deployment-guide.md - name: Step 1 - Configure email authentication From 897d838e82534cbd13460982fb6616059b7a86de Mon Sep 17 00:00:00 2001 From: David Strome <21028455+dstrome@users.noreply.github.com> Date: Mon, 4 Nov 2024 13:42:01 -0800 Subject: [PATCH 15/19] remove xdr items --- defender-office-365/breadcrumb/toc.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/defender-office-365/breadcrumb/toc.yml b/defender-office-365/breadcrumb/toc.yml index 7bb4e72e14..bf932d308d 100644 --- a/defender-office-365/breadcrumb/toc.yml +++ b/defender-office-365/breadcrumb/toc.yml 
@@ -5,7 +5,4 @@ - name: 'Microsoft Defender for Office 365' tocHref: /defender-office-365/ topicHref: /defender-office-365/index - items: - - name: 'Microsoft Defender XDR' - tocHref: /defender-xdr/ - topicHref: /defender-xdr/pilot-deploy-defender-endpoint + From e45e5d9e428519b5d7a05b66f51b1bf4c16621ae Mon Sep 17 00:00:00 2001 From: David Strome <21028455+dstrome@users.noreply.github.com> Date: Mon, 4 Nov 2024 13:54:28 -0800 Subject: [PATCH 16/19] add xdr entry --- defender-endpoint/breadcrumb/toc.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/defender-endpoint/breadcrumb/toc.yml b/defender-endpoint/breadcrumb/toc.yml index 6cf155cdb9..8cbb9188d0 100644 --- a/defender-endpoint/breadcrumb/toc.yml +++ b/defender-endpoint/breadcrumb/toc.yml @@ -8,3 +8,6 @@ - name: 'Microsoft Defender for Endpoint' tocHref: /mem/intune/protect/ topicHref: /mem/intune/protect/ + - name: 'Microsoft Defender for Endpoint' + tocHref: /defender-xdr/ + topicHref: /defender-xdr/pilot-deploy-defender-endpoint From b44367dfa2847a900f1a49562d0876687ba5c8bd Mon Sep 17 00:00:00 2001 From: David Strome <21028455+dstrome@users.noreply.github.com> Date: Mon, 4 Nov 2024 13:55:11 -0800 Subject: [PATCH 17/19] add xdr entry --- defender-office-365/breadcrumb/toc.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/defender-office-365/breadcrumb/toc.yml b/defender-office-365/breadcrumb/toc.yml index bf932d308d..cb856c7895 100644 --- a/defender-office-365/breadcrumb/toc.yml +++ b/defender-office-365/breadcrumb/toc.yml @@ -5,4 +5,7 @@ - name: 'Microsoft Defender for Office 365' tocHref: /defender-office-365/ topicHref: /defender-office-365/index + - name: 'Microsoft Defender for Office 365' + tocHref: /defender-xdr/ + topicHref: /defender-xdr/pilot-deploy-defender-endpoint From 31ecad61c3ced87396d6a96c271108924a42927d Mon Sep 17 00:00:00 2001 
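Review bot: the entry that 17/19 adds to defender-office-365/breadcrumb/toc.yml has `topicHref: /defender-xdr/pilot-deploy-defender-endpoint`, which is the Defender for Endpoint pilot article; for the Office 365 breadcrumb this should almost certainly be `/defender-xdr/pilot-deploy-defender-office-365`, the target that 14/19 sets in defender-office-365/TOC.yml. As the hunk stands, the `/defender-xdr/` breadcrumb in the Office 365 docs set sends readers to the Endpoint deployment guide, so please confirm the intended target before merging. Two smaller points on the surrounding commits: 13/19 and 16/19 (likewise 15/19 and 17/19) remove and re-add the same breadcrumb item in two commits each, and one commit per file that replaces the entry directly would be easier to review; and the `+` line at the end of 15/19 adds an empty trailing line to the file.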
From: Chris Davis Date: Mon, 4 Nov 2024 14:56:59 -0800 Subject: [PATCH 18/19] Update mdo-sec-ops-manage-incidents-and-alerts.md Similar updates as [#135](https://github.com/MicrosoftDocs/defender-docs/pull/135/files) --- .../mdo-sec-ops-manage-incidents-and-alerts.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md b/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md index 175a995099..00a40a1a4b 100644 --- a/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md +++ b/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md 
@@ -27,7 +27,7 @@ appliesto: [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -An [incident](/defender-xdr/incidents-overview) in Microsoft Defender XDR is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 [alerts](/purview/alert-policies#default-alert-policies), [automated investigation and response (AIR)](air-about.md#the-overall-flow-of-air), and the outcome of the investigations are natively integrated and correlated on the **Incidents** page in Microsoft Defender XDR at . We refer to this page as the _Incidents queue_. +An [incident](/defender-xdr/incidents-overview) in Microsoft Defender XDR is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 [alerts](/purview/alert-policies#default-alert-policies), [automated investigation and response (AIR)](air-about.md#the-overall-flow-of-air), and the outcome of the investigations are natively integrated and correlated on the **Incidents** page in Microsoft Defender XDR at . We refer to this page as the _Incidents queue_. Alerts are created when malicious or suspicious activity affects an entity (for example, email, users, or mailboxes). Alerts provide valuable insights about in-progress or completed attacks. However, an ongoing attack can affect multiple entities, which results in multiple alerts from different sources. Some built-in alerts automatically trigger AIR playbooks. These playbooks do a series of investigation steps to look for other impacted entities or suspicious activity. 
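Review bot: in the @@ -27,7 hunk of 18/19 the `-` and `+` lines are textually identical in this view because the URL after "in Microsoft Defender XDR at" is absent from both, so the actual change cannot be verified from the diff, and the commit message only says "Similar updates as #135" without naming what the update is. State the old and new URL in the commit message (if this is the same `incidents-queue` to `incidents` path change that 19/19 makes in ops-guide-daily.md, say so explicitly), so the hunk is reviewable and the two commits are visibly related.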
@@ -36,7 +36,7 @@ Watch this short video on how to manage Microsoft Defender for Office 365 alerts Defender for Office 365 alerts, investigations, and their data are automatically correlated. When a relationship is determined, the system creates an incident to give security teams visibility for the entire attack. -We strongly recommend that SecOps teams manage incidents and alerts from Defender for Office 365 in the Incidents queue at . This approach has the following benefits: +We strongly recommend that SecOps teams manage incidents and alerts from Defender for Office 365 in the Incidents queue at . This approach has the following benefits: - Multiple options for [management](/defender-xdr/manage-incidents): - Prioritization @@ -75,7 +75,7 @@ We strongly recommend that SecOps teams manage incidents and alerts from Defende > [!NOTE] > Incidents don't just represent static events. They also represent attack stories that happen over time. As the attack progresses, new Defender for Office 365 alerts, AIR investigations, and their data are continuously added to the existing incident. -Manage incidents on the **Incidents** page in the Microsoft Defender portal at : +Manage incidents on the **Incidents** page in the Microsoft Defender portal at : :::image type="content" source="media/mdo-sec-ops-incidents.png" alt-text="Incidents page in the Microsoft Defender portal." lightbox="media/mdo-sec-ops-incidents.png"::: @@ -106,7 +106,7 @@ Security teams can take wide variety of response actions on email using Defender You can take these actions from the following locations: - - The **Evidence and response** tab from the details of the incident on the **Incidents** page** at (recommended). + - The **Evidence and response** tab from the details of the incident on the **Incidents** page** at (recommended). - **Threat Explorer** at . - The unified **Action center** at . From b06ba561f6be0c7d7da922b74689134a6b1f83f1 Mon Sep 17 00:00:00 2001 
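Review bot: the `+` line in the @@ -106,7 hunk of 18/19 keeps the stray closing `**` in "on the **Incidents** page** at", which leaves an unbalanced bold marker in the rendered Markdown; since this line is being edited, drop the extra `**` so it reads "on the **Incidents** page at". The unchanged context lines in the same hunk for **Threat Explorer** and the unified **Action center** also show "at ." with the URL absent in this view, so confirm that those link targets are still present in the source file.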
From: Chris Davis Date: Mon, 4 Nov 2024 14:59:31 -0800 Subject: [PATCH 19/19] Update ops-guide-daily.md --- CloudAppSecurityDocs/ops-guide/ops-guide-daily.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md b/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md index 4dde9a602e..ac89969d30 100644 --- a/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md +++ b/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md @@ -13,7 +13,7 @@ This article lists daily operational activities that we recommend you perform wi Alerts and incidents are two of the most important items your security operations (SOC) team should be reviewing on a daily basis. -- Triage incidents and alerts regularly from the [incidents queue](https://security.microsoft.com/incidents-queue) in Microsoft Defender XDR, prioritizing high and medium severity alerts. +- Triage incidents and alerts regularly from the [incidents queue](https://security.microsoft.com/incidents) in Microsoft Defender XDR, prioritizing high and medium severity alerts. - If you're working with a SIEM system, your SIEM system is usually the first stop for triage. SIEM systems provide more context with extra logs and SOAR functionality. Then, use Microsoft Defender XDR for a deeper understanding of an alert or incident timeline.
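Review bot: the only change in 19/19 is the link target `https://security.microsoft.com/incidents-queue` becoming `https://security.microsoft.com/incidents`, but the commit message ("Update ops-guide-daily.md") does not say why the portal path changed or whether the old path still redirects; add a sentence giving the reason. It is also worth searching the docs set for other `/incidents-queue` links so they are corrected in the same series (18/19 appears to make the same correction in mdo-sec-ops-manage-incidents-and-alerts.md). The link text "incidents queue" still matches the surrounding prose and can stay as it is.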