diff --git a/.openpublishing.redirection.defender-cloud-apps.json b/.openpublishing.redirection.defender-cloud-apps.json
index 2184bfbf44..efd6656d36 100644
--- a/.openpublishing.redirection.defender-cloud-apps.json
+++ b/.openpublishing.redirection.defender-cloud-apps.json
@@ -994,6 +994,11 @@
"source_path": "CloudAppSecurityDocs/what-is-cloud-app-security.md",
"redirect_url": "/defender-cloud-apps/what-is-defender-for-cloud-apps",
"redirect_document_id": true
+ },
+ {
+ "source_path": "CloudAppSecurityDocs/tutorial-ueba.md",
+ "redirect_url": "/defender-cloud-apps/",
+ "redirect_document_id": true
},
{
"source_path": "CloudAppSecurityDocs/file-filters.md",
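Review bot: the new entry at `"redirect_url": "/defender-cloud-apps/"` sends the retired UEBA tutorial to the product landing page while keeping `"redirect_document_id": true`; a document-id redirect should only be used when the target is the moved or replacement article, so either point `CloudAppSecurityDocs/tutorial-ueba.md` at the article that now covers identity investigation, or set `redirect_document_id` to `false` as long as the target is the generic landing page.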
diff --git a/CloudAppSecurityDocs/index.yml b/CloudAppSecurityDocs/index.yml
index ccb93be7b2..b948f6f501 100644
--- a/CloudAppSecurityDocs/index.yml
+++ b/CloudAppSecurityDocs/index.yml
@@ -94,16 +94,6 @@ landingContent:
- text: Threat response governance actions
url: governance-actions.md
- - linkListType: how-to-guide
- links:
- - text: Use in-browser protection with Microsoft Edge
- url: in-browser-protection.md
- - text: Investigate behaviors by hunting
- url: behaviors.md
- - text: Investigate anomaly detection alerts
- url: investigate-anomaly-alerts.md
- - text: Investigate risky users
- url: tutorial-ueba.md
# Card (optional)
- title: Information protection
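Review bot: this hunk removes the whole `how-to-guide` link list, but only `tutorial-ueba.md` is deleted in this PR; `in-browser-protection.md`, `behaviors.md` and `investigate-anomaly-alerts.md` are not touched and now lose their landing-page entry. Drop just the `- text: Investigate risky users` / `url: tutorial-ueba.md` pair and keep the other three links.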
diff --git a/CloudAppSecurityDocs/tutorial-ueba.md b/CloudAppSecurityDocs/tutorial-ueba.md
deleted file mode 100644
index ab53229756..0000000000
--- a/CloudAppSecurityDocs/tutorial-ueba.md
+++ /dev/null
@@ -1,131 +0,0 @@
----
-title: Investigate risky users
-description: This tutorial describes the process to investigate risky users in Microsoft Defender for Cloud Apps, across hybrid environments, by integrating with Microsoft Defender for Identity.
-ms.date: 05/19/2024
-ms.topic: tutorial
----
-# Tutorial: Investigate risky users
-
-> [!IMPORTANT]
-> Starting November 2024, **Investigate risky users** support for Microsoft Defender for Cloud Apps is retired. As such, the legacy procedure presented in this article is provided for informational purposes only.
->
-
-Security operations teams are challenged to monitor user activity, suspicious or otherwise, across all dimensions of the identity attack surface, using multiple security solutions that often aren't connected. While many companies now have hunting teams to proactively identify threats in their environments, knowing what to look for across the vast amount of data can be a challenge. Microsoft Defender for Cloud Apps removes the need to create complex correlation rules, and lets you look for attacks that span across your cloud and on-premises network.
-
-To help you focus on user identity, Microsoft Defender for Cloud Apps provides user entity behavioral analytics (UEBA) in the cloud. UEBA can be extended to your on-premises environment by integrating with Microsoft Defender for Identity, after which you'll also gain context around user identity from its native integration with Active Directory.
-
-Whether your trigger is an alert you see in the Defender for Cloud Apps dashboard, or whether you have information from a third-party security service, start your investigation from the Defender for Cloud Apps dashboard to deep dive into risky users.
-
-In this tutorial, you learn how to use Defender for Cloud Apps to investigate risky users:
-
-> [!div class="checklist"]
->
-> - [Connect to the apps you want to protect](#connect-apps-protect)
-> - [Identify top risky users](#identify)
-> - [Further investigate users](#investigate)
-> - [Protect your organization](#protect)
-
-
-## Understand the investigation priority score
-
-The **investigation priority score** is a score that Defender for Cloud Apps gives to each user to let you know how risky the user is, relative to other users in your organization. Use the investigation priority score to determine which users to investigate first, detecting both malicious insiders, and external attackers moving laterally in your organizations, without having to rely on standard deterministic detections.
-
-Every Microsoft Entra user has a dynamic investigation priority score, which is constantly updated based on recent behavior and impact built from data evaluated from Defender for Identity and Defender for Cloud Apps.
-
-Defender for Cloud Apps builds user profiles for each user, based on analytics that consider security alerts and abnormal activities over time, peer groups, expected user activity, and the effect any specific user might have on the business or company assets.
-
-Activity that is anomalous to a user's baseline is evaluated and scored. After scoring is complete, Microsoft's proprietary dynamic peer calculations and machine learning are run on the user activities to calculate the investigation priority for each user.
-
-Understand who the real top risky users are right away by filtering according to **Investigation priority score**, directly verifying each user's business impact, and investigating all related activities – whether they're compromised, exfiltrating data, or acting as insider threats.
-
-Defender for Cloud Apps uses the following to measure risk:
-
-- **Alert scoring**: The alert score represents the potential impact of a specific alert on each user. Alert scoring is based on severity, user impact, alert popularity across users, and all entities in the organization.
-
-- **Activity scoring**: The activity score determines the probability of a specific user performing a specific activity, based on behavioral learning of the user and their peers. Activities identified as the most abnormal receive the highest scores.
-
-Select the investigation priority score for an alert or an activity to view the evidence that explains how Defender for Cloud Apps scored the activity.
-
-## Phase 1: Connect to the apps you want to protect
-
-Connect at least one app to Microsoft Defender for Cloud Apps using the [API connectors](enable-instant-visibility-protection-and-governance-actions-for-your-apps.md). We recommend that you start by connecting [Microsoft 365](./connect-office-365.md).
-
-Microsoft Entra ID apps are automatically onboarded for Conditional Access app control.
-
-## Phase 2: Identify top risky users
-
-To identify who your riskiest users are in Defender for Cloud Apps:
-
-1. In the Microsoft Defender Portal, under **Assets**, select **Identities**. Sort the table by **Investigation priority**. Then one by one go to their user page to investigate them.
-The **investigation priority number**, found next to the user name, is a sum of all the user's risky activities over the last week.
-
- ![Screenshot of the Top users dashboard.](media/dashboard-top-users.png)
-
-1. Select the three dots to the right of the user, and choose **View User page**.
-
- ![Screenshot of a user details page.](media/user-page.png)
-
-1. Review the information in the user details page to get an overview of the user and see if there are points at which the user performed activities that were unusual for that user or were performed at an unusual time.
-
- The **User's score compared to the organization** represents which percentile the user is in based on their ranking in your organization - how high they are on the list of users you should investigate, relative to other users in your organization. The number is red if a user is in or above the 90th percentile of risky users across your organization.
-
-The user details page helps you answer the following questions:
-
-|Question |Details |
-|---------|---------|
-|**Who is the user?** | Look for basic details about the user and what the system knows about them, including the user's role in your company and their department.
For example, is the user a DevOps engineer who often performs unusual activities as part of their job? Or is the user a disgruntled employee who just got passed over for a promotion? |
-|**Is the user risky?** | What is the employee's [risk score](#risk-score), and is it worth your while investigating them? |
-|**What's risk does the user present to your organization?** | Scroll down to investigate each activity and alert related to the user to start understanding the type of risk the user represents.
In the timeline, select each line to drill down deeper into the activity or alert itself. Select the number next to the activity so that you can understand the evidence that influenced the score itself. |
-|**What's the risk to other assets in your organization?** | Select the **Lateral movement paths** tab to understand which paths an attacker can use to gain control of other assets in your organization.
For example, even if the user you're investigating has a nonsensitive account, an attacker can use connections to the account to discover and attempt to compromise sensitive accounts in your network.
For more information, see [Use Lateral Movement Paths](/defender-for-identity/investigate-lateral-movement-path). |
-
-
->[!NOTE]
->While user details pages provide information for devices, resources, and accounts across all activities, the investigation priority score includes the **sum** of all risky activities and alerts over the last 7 days.
-
-### Reset user score
-
-If the user was investigated and no suspicion for compromise was found, or if you want to reset the user's investigation priority score for any other reason, so manually as follows:
-
-1. In the Microsoft Defender Portal, under **Assets**, select **Identities**.
-
-1. Select the three dots to the right of the investigated user, and then select **Reset investigation priority score**. You can also select **View user page** and then select **Reset investigation priority score** from the three dots in the user details page.
-
- > [!NOTE]
- > Only users with a non-zero investigation priority score can be reset.
-
- ![Screenshot of the Reset investigation priority score link.](media/reset-investigation-priority-score.png)
-
-1. In the confirmation window, select **Reset score**.
-
- ![Screenshot of the Reset score button.](media/reset-score.png)
-
-## Phase 3: Further investigate users
-
-Some activities might not be cause for alarm on their own, but might be an indication of a suspicious event when aggregated with other activities.
-
-When you investigate a user, you want to ask the following questions about the activities and alerts you see:
-
-- **Is there a business justification for this employee to perform these activities?** For example, if someone from marketing is accessing the code base, or someone from development accesses the finance database, you should follow up with the employee to make sure this was an intentional and justified activity.
-
-- **Why did this activity receive a high score while others didn't**? Go to the **Activity log** and set the **Investigation priority** to **Is set** to understand which activities are suspicious.
-
- For example, you can filter based on **Investigation priority** for all activities that occurred in a specific geographical area. Then you can see whether there were other activities that were risky, where the user connected from, and you can easily pivot to other drill downs, such as recent nonanomalous cloud and on-premises activities, to continue your investigation.
-
-## Phase 4: Protect your organization
-
-If your investigation leads you to the conclusion that a user is compromised, use the following steps to mitigate the risk.
-
-- **Contact the user** – Using the user contact information integrated with Defender for Cloud Apps from Active Directory, you can drill down into each alert and activity to resolve the user identity. Make sure the user is familiar with the activities.
-
-- Directly from the Microsoft Defender Portal, in the **Identities** page, select the three dots by the investigated user and choose whether to require the user to sign in again, suspend the user, or confirm the user as compromised.
-
-- In the case of a compromised identity, you can ask the user to reset their password, making sure the password meets best practice guidelines for length and complexity.
-- If you drill down into an alert and determine that the activity shouldn't have triggered an alert, in the [Activity drawer](activity-filters.md), select the **Send us feedback** link so that we can be sure to fine-tune our alerting system with your organization in mind.
-- After you remediate the issue, close the alert.
-
-## See also
-
-> [!div class="nextstepaction"]
-> [Best practices for protecting your organization](best-practices.md)
-
-[!INCLUDE [Open support ticket](includes/support.md)]
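Review bot: deleting the file also removes the only place that states the November 2024 retirement of Investigate risky users support, and the redirect added in this PR lands on the landing page, so readers arriving from old links get no explanation; keep a short stub carrying the IMPORTANT note, or make sure the redirect target states the retirement. If the Phase 4 response actions (require sign-in again, suspend the user, confirm compromised, reset the investigation priority score) are still offered on the Identities page, they should be documented elsewhere before this page goes.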
diff --git a/defender-endpoint/defender-antivirus-compatibility-without-mde.md b/defender-endpoint/defender-antivirus-compatibility-without-mde.md
index 19f23de9c1..7bf89d1e15 100644
--- a/defender-endpoint/defender-antivirus-compatibility-without-mde.md
+++ b/defender-endpoint/defender-antivirus-compatibility-without-mde.md
@@ -6,7 +6,7 @@ ms.author: deniseb
ms.reviewer: yongrhee
ms.service: defender-endpoint
ms.topic: conceptual
-ms.date: 01/06/2025
+ms.date: 01/23/2025
ms.subservice: ngp
search.appverid: met150
ms.localizationpriority: medium
@@ -67,12 +67,20 @@ gsv WinDefend, WdBoot, WdFilter, WdNisSvc, WdNisDrv | ft -auto DisplayName, Name
**A:** We don't support the manual modification of the start type of the services and drivers for Microsoft Defender Antivirus in Windows images. On Windows clients, the supported method is by your non-Microsoft antivirus registering in Windows Security Center (WSC) api. Or, on Windows Server, you can uninstall the Microsoft Defender Antivirus feature by using roles and features MMC or by running the following PowerShell command (as an administrator):
+Windows Server 2019 and newer
```powershell
Uninstall-WindowsFeature Windows-Defender
```
+Windows Server 2016
+```powershell
+
+Uninstall-WindowsFeature Windows-Defender
+Uninstall-WindowsFeature Windows-Defender-Gui
+```
+
**Q:** Can I use Microsoft Defender Antivirus in passive mode without onboarding to Microsoft Defender for Endpoint?
**A:** No. Passive mode is a functionality in Microsoft Defender for Endpoint Plan 2.
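Review bot: the Windows Server 2016 fence opens with an empty line (the blank directly after ```powershell), and the two version labels `Windows Server 2019 and newer` / `Windows Server 2016` sit directly against the fences with no blank line, so they render as plain paragraph text rather than as labels; format both as bold labels or a bulleted list with blank lines around the fences, and change "the following PowerShell command" in the answer to "commands" now that there are two variants. Since this answer is about running a non-Microsoft antivirus, it is also worth stating that the server has no antivirus between the feature removal and the third-party install, and whether a restart is required for the removal to complete.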
diff --git a/defender-endpoint/indicator-certificates.md b/defender-endpoint/indicator-certificates.md
index 1aacac4bf8..419ce579dc 100644
--- a/defender-endpoint/indicator-certificates.md
+++ b/defender-endpoint/indicator-certificates.md
@@ -15,7 +15,7 @@ ms.collection:
ms.topic: conceptual
ms.subservice: asr
search.appverid: met150
-ms.date: 07/31/2024
+ms.date: 01/23/2025
---
# Create indicators based on certificates
@@ -33,19 +33,19 @@ ms.date: 07/31/2024
You can create indicators for certificates. Some common use cases include:
-- Scenarios when you need to deploy blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) but need to allow behaviors from signed applications by adding the certificate in the allow list.
-- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Windows Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same.
+- Scenarios when you need to deploy blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) but need to allow behaviors from signed applications by adding the certificate in the allowlist.
+- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Microsoft Defender Antivirus prevents file executions (block and remediate), and automated investigation and remediation behaves the same.
## Before you begin
-It's important to understand the following requirements prior to creating indicators for certificates:
+It's important to understand the following requirements before creating indicators for certificates:
-- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).
-- The Antimalware client version must be 4.18.1901.x or later.
+- This feature is available if your organization uses Microsoft Defender Antivirus (in active mode) and cloud-based protection is enabled. For more information, see [Manage cloud-based protection](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).
+- The anti-malware client version must be `4.18.1901.x` or later.
- Supported on machines on Windows 10, version 1703 or later, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2022.
> [!NOTE]
- > Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2016-and-windows-server-2012-r2) for this feature to work.
+ > Windows Server 2016 and Windows Server 2012 R2 must be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2016-and-windows-server-2012-r2) for this feature to work.
- The virus and threat protection definitions must be up to date.
- This feature currently supports entering .CER or .PEM file extensions.
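Review bot: the new "(in active mode)" qualifier is the right security caveat (certificate indicators are not enforced while Microsoft Defender Antivirus is passive), but the untouched supported-platform line below it, `- Supported on machines on Windows 10, version 1703 or later, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2022.`, still lists no Windows 11 or newer Windows Server releases; confirm whether they are supported and add them while this section is open.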
@@ -53,8 +53,8 @@ It's important to understand the following requirements prior to creating indica
> [!IMPORTANT]
>
> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities').
-> - The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
-> - Microsoft signed certificates cannot be blocked.
+> - The children or parent of the allow/block certificate IOCs aren't included in the allow/block IoC functionality, only leaf certificates are supported.
+> - Microsoft signed certificates can't be blocked.
## Create an indicator for certificates from the settings page:
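Review bot: `IOCs` and `IoC` are capitalized two ways in the same bullet (`certificate IOCs aren't included in the allow/block IoC functionality`); pick one form. The bullet also runs two clauses together with a comma; split it into "...aren't included in the allow/block IoC functionality. Only leaf certificates are supported."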
@@ -66,11 +66,12 @@ It's important to understand the following requirements prior to creating indica
2. Select **Add indicator**.
3. Specify the following details:
- - Indicator - Specify the entity details and define the expiration of the indicator.
- - Action - Specify the action to be taken and provide a description.
- - Scope - Define the scope of the machine group.
-4. Review the details in the Summary tab, then click **Save**.
+ - **Indicator**: Specify the entity details and define the expiration of the indicator.
+ - **Action**: Specify the action to be taken and provide a description.
+ - **Scope**: Define the scope of the machine group.
+
+4. Review the details on the **Summary** tab, and then select **Save**.
## Related articles
@@ -79,4 +80,5 @@ It's important to understand the following requirements prior to creating indica
- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
- [Manage indicators](indicator-manage.md)
- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
+
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-endpoint/machines-view-overview.md b/defender-endpoint/machines-view-overview.md
index 1ab4cccc4d..f0c9c47c9b 100644
--- a/defender-endpoint/machines-view-overview.md
+++ b/defender-endpoint/machines-view-overview.md
@@ -13,7 +13,7 @@ ms.collection:
- tier2
ms.topic: conceptual
search.appverid: met150
-ms.date: 10/30/2024
+ms.date: 01/23/2025
---
# Device inventory
@@ -58,6 +58,11 @@ The following image depicts the devices list:
You can apply the following filters to limit the list of alerts and get a more focused view.
+> [!NOTE]
+> If you're not seeing some devices, try clearing your filters.
+>
+> To clear your filters, navigate to the top-right of the **Devices list** and select the **Filter** icon. On the flight-out pane, select the **Clear all filters** button.
+
### Device name
During the Microsoft Defender for Endpoint onboarding process, devices onboarded to Defender for Endpoint are gradually populated into the device inventory as they begin to report sensor data. The device inventory is also populated by devices that are discovered in your network through the device discovery process. The device inventory has the following tabs:
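Review bot: `flight-out pane` in the new NOTE should be `flyout pane`. The untouched sentence above it, `You can apply the following filters to limit the list of alerts`, is on the device inventory page and should say `devices`, which is worth fixing while this hunk is open.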
@@ -129,38 +134,41 @@ The available device properties to use as filters vary based on the device inven
|Property|Tabs|Description|
|---|---|---|
-|**Cloud platforms**|
- **All devices**
- **Computers & mobile**
|The cloud platform that the device belongs to. The available values are: - **Azure**
- **AWS**
- **GCP**
- **Arc**
- **None**
|
-|**Criticality level**|- **All devices**
- **Computers & mobile**
|The assigned criticality level of the device (how critical a device is for your organization). The available values are: - **Very high**: The device is considered a business critical asset
- **High**
- **Medium**
- **Low**
- **None**
For more information, see [Overview of critical asset management](/security-exposure-management/critical-asset-management).|
-|**Device category**|**All devices**|The category value assigned to the device. Enter a value or select from the available values: - **BMS**
- **Computers and Mobile**
- **IoT**
- **Medical**
- **Network Device**
- **OT**
- **Unknown**
|
-|**Device subtype**|- **All devices**
- **IoT/OT**
|The subtype value assigned to the device. Enter a value or select an available value (for example, **Video conference**).|
-|**Device type**|- **All devices**
- **IoT/OT**
|The type value assigned to the device. Enter a value or select an available value (for example, **Audio and Video**).|
+|**Cloud platforms**|**All devices**, **Computers & mobile**|The cloud platform that the device belongs to. The available values are:
- **Azure**
- **AWS**
- **GCP**
- **Arc**
- **None**|
+|**Criticality level**|**All devices**, **Computers & mobile**|The available values are:
- **Very high** (The device is considered a business critical asset)
- **High**
- **Medium**
- **Low**
- **None**. For more information, see [Overview of critical asset management](/security-exposure-management/critical-asset-management).|
+|**Device category**|**All devices**|The category value assigned to the device. Enter a value or select from the available values:
- **BMS**
- **Computers and Mobile**
- **IoT**
- **Medical**
- **Network Device**
- **OT**
- **Unknown**|
+|**Device subtype**|**All devices**, **IoT/OT**|The subtype value assigned to the device. Enter a value or select an available value (for example, **Video conference**).|
+|**Device type**|**All devices**, **IoT/OT**|The type value assigned to the device. Enter a value or select an available value (for example, **Audio and Video**).|
|**Device role**|All|The specific role of the device within the organization. For detailed descriptions of each role, see [Predefined classifications](/security-exposure-management/predefined-classification-rules-and-levels).|
|**Device value**|All|The assigned value of the device. The available values are **High** and **Low**.|
|**Discovery sources**|All|The source reporting on the device.|
|**Exclusion state**|All|The available values are **Not excluded** and **Excluded**. For more information, see [Exclude devices](exclude-devices.md).|
-|**Exposure level**|All|The exposure level of the device based on pending security recommendations. The available values are: - **High**
- **Medium**
- **Low**: Devices are less vulnerable to exploitation.
- **No data available**: Possible causes for this value include:
- The device is inactive (stopped reporting for more than 30 days).
- The OS on the device isn't supported. For more information, see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md).
- The agent software on the device is stale (unlikely).
|
+|**Exposure level**|All|The exposure level of the device based on pending security recommendations. The available values are:
- **High**
- **Medium**
- **Low**: Devices are less vulnerable to exploitation.
- **No data available**: Possible causes for this value include:
- The device is inactive (stopped reporting for more than 30 days). - The OS on the device isn't supported. For more information, see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md). - The agent software on the device is stale (unlikely).|
|**First seen**|All tabs except **Network devices**|How long ago the device was first seen on the network or when it was first reported by the Microsoft Defender for Endpoint sensor. The available values are **Last 7 days** or **Over 7 days ago**.|
-|**Group**|- **All devices**
- **Computers & mobile**
- **Network devices**
|Device groups. Enter a value in the box.|
-|**Internet facing**|- **All devices**
- **Computers & mobile**
|Whether the device is internet facing. The available values are **Yes** and **No**.|
-|**Managed by**|- **All devices**
- **Computers & mobile**
|How the device is being managed. The available values are: - **Intune**
- **Intune**: Microsoft Intune, including co-management with Microsoft Configuration Manager via tenant attach.
- **ConfigMgr**: Microsoft Configuration manager.
- **MDE**: Microsoft Defender for Endpoint.
- **Unknown**: This value is caused by one of the following conditions:
- An outdated version of Windows.
- GPO management.
- Non-Microsoft mobile device management (MDM).
|
-|**Mitigation status**|- **All devices**
- **Computers & mobile**
|The available values are **Contained** and **Isolated**.|
+|**Group**|**All devices**, **Computers & mobile**, **Network devices**|Device groups. Enter a value in the box.|
+|**Internet facing**|**Tabs**|**Description**|
+|**All devices**|**Computers & mobile**|Whether the device is internet facing. The available values are **Yes** and **No**.|
+|**Managed by**|**All devices**, **Computers & mobile**|How the device is being managed. The available values are:
- **Intune**: Microsoft Intune, including co-management with Microsoft Configuration Manager via tenant attach
- **ConfigMgr**: Microsoft Configuration manager
- **MDE**: Microsoft Defender for Endpoint
- **Unknown**: This value is caused by one of the following conditions: An outdated version of Windows, GPO management, Non-Microsoft mobile device management (MDM).|
+|**Mitigation status**|**All devices**, **Computers & mobile**|The available values are **Contained** and **Isolated**.|
|**Model**|**All devices**|The model of the device. Enter a value or select from the available values.|
-|**Onboarding status**|- **All devices**
- **Computers & mobile**
|Whether the device is currently onboarded in Defender for Endpoint. Device discovery must be enabled for this filter to appear. The available values are: - **Onboarded**: The device is onboarded to Defender for Endpoint.
- **Can be onboarded**: The supported device was discovered, but it isn't currently onboarded. We highly recommend onboarding these devices.
- **Unsupported**: The unsupported device was discovered.
- **Insufficient info**: The system couldn't determine the supportability of the device.|
-|**OS Platform**|
- **All devices**
- **Computers & mobile**
|The operating system on the device. The available values are: - **Windows 11**
- **Windows 10**
- **Windows 8.1**
- **Windows 8**
- **Windows 7**
- **Windows Server 2022**
- **Windows Server 2019**
- **Windows Server 2016**
- **Windows Server 2012 R2**
- **Windows Server 2008 R2**
- **Linux**
- **macOS**
- **iOS**
- **Android**
- **Windows 10 WVD**
- **Other**
|
-|**OS Version**|**All devices**|The version of the operating system, which includes Windows versions. On the **Computers & mobile** tab, the **Windows version** filter is also available.|
-|**Risk level**|All|The overall risk assessment of the device based on a combination of factors, including the type and severity of active alerts on the device. The available values are: - **High**
- **Medium**
- **Low**
- **Informational**
- **No known risk**
Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.|
-|**Sensor health state**|- **All devices**
- **Computers & mobile**
|The available values for onboarded devices are: - **Active**: Devices that are actively reporting sensor data to the service.
- **Inactive**: Devices that stopped sending signals for more than seven days.
- **Misconfigured**: Devices with impaired communications or devices that can't send sensor data. For more information on how to address issues on misconfigured devices, see, [Fix unhealthy sensors](fix-unhealthy-sensors.md)
.|
-|**Site**|- **All devices**
- **IoT/OT**
|Used for Defender for IoT [site security](/defender-for-iot/site-security-overview) (requires a Defender for IoT license).|
+|**Onboarding status**|**All devices**, **Computers & mobile**|Whether the device is currently onboarded in Defender for Endpoint. Device discovery must be enabled for this filter to appear. The available values are:
- **Onboarded**: The device is onboarded to Defender for Endpoint.
- **Can be onboarded**: The supported device was discovered, but it isn't currently onboarded. We highly recommend onboarding these devices.
- **Unsupported**: The unsupported device was discovered.
- **Insufficient info**: The system couldn't determine the supportability of the device.|
+|**OS distribution**|**All devices**, **Computers & mobile**|The distribution of the operating system. The available values are:
- **Windows 11**
- **Windows 10**
- **Windows 8.1**
- **Windows 8**
- **Windows 7**
- **Windows Server 2022**
- **Windows Server 2019**
- **Windows Server 2016**
- **Windows Server 2012 R2**
- **Windows Server 2008 R2**
- **Linux**
- **macOS**
- **iOS**
- **Android**
- **Windows 10 WVD**
- **Other**|
+|**OS Platform**|**All devices**, **Computers & mobile**|The operating system on the device. The available
+|**Risk level**|All|The overall risk assessment of the device based on a combination of factors, including the type and severity of active alerts on the device. The available values are: - **High** - **Medium** - **Low** - **Informational** - **No known risk** Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.|
+|**Sensor health state**|**All devices**, **Computers & mobile** |The available values for onboarded devices are:
- **Active**: Devices that are actively reporting sensor data to the service.
- **Inactive**: Devices that stopped sending signals for more than seven days.
- **Misconfigured**: Devices with impaired communications or devices that can't send sensor data. For more information on how to address issues on misconfigured devices, see, [Fix unhealthy sensors](fix-unhealthy-sensors.md).|
+|**Site**|**All devices**, **IoT/OT**|Used for Defender for IoT [site security](/defender-for-iot/site-security-overview) (requires a Defender for IoT license).|
|**Tags**|All|The grouping and tagging that you added to individual devices. For more information, see [Create and manage device tags](machine-tags.md).|
|**Transient device**|All|The available values are **No** and **Yes**. By default, transient devices are filtered to reduce inventory noise. For more information, see [Identifying transient devices](transient-device-tagging.md).|
|**Vendor**|**All devices**|The vendor of the device. Enter a value or select from the available values.|
-|**Windows version**|**Computers & mobile**|The version of Windows. The **OS version** filter is also available.
The value **Future version** for this property is caused by one of the following scenarios: - A prerelease build of a future Windows release.
- The build has no version name.
- The build version name isn't yet supported
The full OS version is visible on the device details page.|
+|**Windows version**|**Computers & mobile**|The version of Windows. The **OS version** filter is also available.
The value **Future version** for this property is caused by one of the following scenarios:
- A prerelease build of a future Windows release.
+- The build has no version name.
- The build version name isn't yet supported
The full OS version is visible on the device details page.|
## Use columns to customize the device inventory views
You can sort the entries by clicking on an available column header. Select :::image type="icon" source="media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (*):
- **All devices** tab:
+
- **Name***
- **IP***
- **MAC address**
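Review bot: the added row `+|**OS Platform**|**All devices**, **Computers & mobile**|The operating system on the device. The available` stops mid-sentence and has no closing `|`, so as committed the table row will not render; the list of OS values and the closing pipe must be on that line. Two smaller points in the same hunk: the **Sensor health state** row reads `see, [Fix unhealthy sensors](fix-unhealthy-sensors.md)` (drop the comma), and in the re-added **Windows version** row the bullet `- The build version name isn't yet supported` is the only one in the list without a period.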
@@ -193,6 +201,7 @@ You can sort the entries by clicking on an available column header. Select :::im
Firmware information for OT devices is displayed in the **OS version** and **Model** columns.
- **Computers & mobile** tab:
+
- **Name***
- **Domain***
- **Device AAD id***
@@ -218,7 +227,8 @@ You can sort the entries by clicking on an available column header. Select :::im
- **Mitigation status***
- **Cloud platforms***
-- **Network devices** tab
+- **Network devices** tab:
+
- **IP***
- **MAC address**
- **Vendor***
@@ -237,7 +247,8 @@ You can sort the entries by clicking on an available column header. Select :::im
- **Tags***
- **Exclusion state**
-- **IoT/OT devices** tab
+- **IoT/OT devices** tab:
+
- **IP***
- **MAC address***
- **Name***
diff --git a/defender-endpoint/microsoft-defender-antivirus-compatibility.md b/defender-endpoint/microsoft-defender-antivirus-compatibility.md
index 69561b8d23..5bfba51394 100644
--- a/defender-endpoint/microsoft-defender-antivirus-compatibility.md
+++ b/defender-endpoint/microsoft-defender-antivirus-compatibility.md
@@ -4,7 +4,7 @@ description: Learn about Microsoft Defender Antivirus with other security produc
ms.service: defender-endpoint
ms.subservice: ngp
ms.localizationpriority: medium
-ms.date: 01/10/2025
+ms.date: 01/23/2025
ms.topic: conceptual
author: emmwalshh
ms.author: ewalsh
@@ -66,13 +66,20 @@ The following table summarizes what to expect:
|Windows Server 2022
Windows Server 2019
Windows Server, version 1803, or newer
Windows Server 2016
Windows Server 2012 R2 |Microsoft Defender Antivirus|Active mode|
|Windows Server 2022
Windows Server 2019
Windows Server, version 1803, or newer
Windows Server 2016 |A non-Microsoft antivirus/antimalware solution|Disabled
(set manually; see the note that follows this table) |
+If the device is onboarded to Microsoft Defender for Endpoint, you can use Microsoft Defender Antivirus in passive mode as described later in this article.
+
> [!NOTE]
-> On Windows Server, if you're running a non-Microsoft antivirus product, you can uninstall Microsoft Defender Antivirus by using the following PowerShell cmdlet (as an administrator): `Uninstall-WindowsFeature Windows-Defender`. Restart your server to finish removing Microsoft Defender Antivirus.
-> On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*.
+> On Windows Server, if you're running a non-Microsoft antivirus product, you can uninstall Microsoft Defender Antivirus by using the following PowerShell cmdlets (as an administrator):
+>
+> - Windows Server 2019 and newer: `Uninstall-WindowsFeature Windows-Defender`
+> - Windows Server 2016: `Uninstall-WindowsFeature Windows-Defender` and `Uninstall-WindowsFeature Windows-Defender-Gui`
+>
+> On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*.
+>
+> Make sure to restart your server to finish removing Microsoft Defender Antivirus.
+>
> If you uninstall your non-Microsoft antivirus product, make sure that Microsoft Defender Antivirus is re-enabled. See [Re-enable Microsoft Defender Antivirus on Windows Server if it was disabled](enable-update-mdav-to-latest-ws.md#re-enable-microsoft-defender-antivirus-on-windows-server-if-it-was-disabled).
-If the device is onboarded to Microsoft Defender for Endpoint, you can use Microsoft Defender Antivirus in passive mode as described later in this article.
-
## Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions
> [!NOTE]
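Review bot: the feature name in the new 2016 bullet, `Uninstall-WindowsFeature Windows-Defender-Gui`, is spelled `Windows-Defender-GUI` everywhere else in this change (for example `Install-WindowsFeature -Name Windows-Defender-GUI` in microsoft-defender-antivirus-on-windows-server.md); the name is case-insensitive, but use one spelling. The table above still lists Windows Server 2012 R2, while the note now enumerates only "2019 and newer" and "2016", so state explicitly whether `Uninstall-WindowsFeature Windows-Defender` applies on 2012 R2 or say the note covers 2016 and newer only. Consider giving the 2016 case as one invocation, `Uninstall-WindowsFeature Windows-Defender-GUI, Windows-Defender`, so the GUI is removed before the feature it depends on.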
diff --git a/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md b/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
index 2929c08eaa..5b886f15fa 100644
--- a/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
+++ b/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
@@ -9,7 +9,7 @@ ms.author: ewalsh
ms.reviewer: pahuijbr
manager: deniseb
ms.topic: conceptual
-ms.date: 05/17/2024
+ms.date: 01/23/2025
ms.collection:
- m365-security
- tier2
@@ -56,7 +56,7 @@ By default, Microsoft Defender Antivirus is installed and functional on Windows
| Procedure | What to do |
|:---|:---|
| Turn on the GUI using the Add Roles and Features Wizard | 1. See [Install roles, role services, and features by using the add Roles and Features Wizard](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.
2. When you get to the **Features** step of the wizard, under **Windows Defender Features**, select the **GUI for Windows Defender** option. |
-| Turn on the GUI using PowerShell | 1. On your Windows Server, open Windows PowerShell as an administrator.
2. Run the following PowerShell cmdlet: `Install-WindowsFeature -Name Windows-Defender-GUI` |
+| Turn on the GUI using PowerShell (Windows Server 2016 only)| 1. On your Windows Server, open Windows PowerShell as an administrator.
2. Run the following PowerShell cmdlet: `Install-WindowsFeature -Name Windows-Defender-GUI` |
For more information, see [Getting Started with PowerShell](/powershell/scripting/learn/ps101/01-getting-started).
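Review bot: the `(Windows Server 2016 only)` qualifier is added to the PowerShell row but not to the Add Roles and Features Wizard row above it, which selects the same **GUI for Windows Defender** feature; if the feature exists only on 2016, both rows need the qualifier (or a sentence above the table), otherwise readers will infer that the wizard path works on 2019 and 2022. Style: `(Windows Server 2016 only)|` is missing the space before the cell delimiter that the rest of the table uses.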
@@ -173,7 +173,7 @@ The following table describes methods to set Microsoft Defender Antivirus to pas
| Procedure | Description |
|---|---|
| Set Microsoft Defender Antivirus to passive mode by using a registry key | Set the `ForceDefenderPassiveMode` registry key as follows:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: `ForceDefenderPassiveMode`
- Type: `REG_DWORD`
- Value: `1` |
-| Turn off the Microsoft Defender Antivirus user interface using PowerShell | Open Windows PowerShell as an administrator, and run the following PowerShell cmdlet: `Uninstall-WindowsFeature -Name Windows-Defender-GUI`
+| Turn off the Microsoft Defender Antivirus user interface using PowerShell (Windows Server 2016 only)| Open Windows PowerShell as an administrator, and run the following PowerShell cmdlet: `Uninstall-WindowsFeature -Name Windows-Defender-GUI`|
| Disable Microsoft Defender Antivirus real-time protection using PowerShell | Use the following PowerShell cmdlet: `Set-MpPreference -DisableRealtimeMonitoring $true` |
| Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard | See [Install or Uninstall Roles, Role Services, or Features](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option.
If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you're prompted to remove the interface option **GUI for Windows Defender**.
Microsoft Defender Antivirus runs normally without the user interface, but the user interface can't be enabled if you disable the core **Windows Defender** feature. |
| Uninstall Microsoft Defender Antivirus using PowerShell | Use the following PowerShell cmdlet: `Uninstall-WindowsFeature -Name Windows-Defender` |
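Review bot: same inconsistency as in the earlier table: `Turn off the Microsoft Defender Antivirus user interface using PowerShell (Windows Server 2016 only)` is qualified, but the Remove Roles and Features wizard row that removes the same **GUI for Windows Defender** option is not. Also, the last row, `Uninstall Microsoft Defender Antivirus using PowerShell`, should carry the restart reminder that this same change adds to microsoft-defender-antivirus-compatibility.md (`Make sure to restart your server to finish removing Microsoft Defender Antivirus.`), since the uninstall is not complete until the reboot.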
diff --git a/defender-endpoint/use-group-policy-microsoft-defender-antivirus.md b/defender-endpoint/use-group-policy-microsoft-defender-antivirus.md
index 8cb2dad552..6e35109b58 100644
--- a/defender-endpoint/use-group-policy-microsoft-defender-antivirus.md
+++ b/defender-endpoint/use-group-policy-microsoft-defender-antivirus.md
@@ -6,7 +6,7 @@ ms.localizationpriority: medium
author: emmwalshh
ms.author: ewalsh
ms.custom: nextgen
-ms.date: 12/26/2024
+ms.date: 01/23/2025
ms.reviewer: ksarens, jtoole, pahuijbr
manager: deniseb
ms.subservice: ngp
@@ -62,8 +62,7 @@ In general, you can use the following procedure to configure or change some sett
The following table lists commonly used Group Policy settings that are available in Windows 10.
> [!TIP]
-> For the most current settings, see get the latest ADMX files in your central store to access the correct policy options. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) and download the latest files.
-
+> For the most current settings, get the latest ADMX files in your central store to access the correct policy options. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) and download the latest files.
|Location|Setting|Article|
|---|---|---|
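Review bot: the wording fix is right (`see get the latest` becomes `get the latest`), but the removed blank line between the `>` tip and the `|Location|Setting|Article|` row matters: if no empty line remains after the blockquote, Markdown treats the table row as a lazy continuation of the tip paragraph and the table does not render. Keep one empty line between the tip and the table.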
diff --git a/defender-office-365/submissions-outlook-report-messages.md b/defender-office-365/submissions-outlook-report-messages.md
index 557c7ac2fb..3b6a7829ac 100644
--- a/defender-office-365/submissions-outlook-report-messages.md
+++ b/defender-office-365/submissions-outlook-report-messages.md
@@ -14,7 +14,7 @@ ms.collection:
description: Learn how to report phishing and suspicious emails in supported versions of Outlook using the built-in Report button or the Report Message and Report Phishing add-ins.
ms.service: defender-office-365
search.appverid: met150
-ms.date: 01/10/2025
+ms.date: 01/23/2025
appliesto:
- ✅ Exchange Online Protection
- ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2
@@ -54,7 +54,7 @@ Admins configure user reported messages to go to a specified reporting mailbox,
If user reporting is turned off and a non-Microsoft add-in button is selected, the **Report** button isn't available in supported versions of Outlook.
-- The built-in **Report** button in Outlook on the web and the new Outlook for Windows supports reporting messages from shared mailboxes or other mailboxes by a delegate.
+- The built-in **Report** button in Outlook on the web, Outlook for Android and the new Outlook for Windows supports reporting messages from shared mailboxes or other mailboxes by a delegate.
- Shared mailboxes require Send As or Send On Behalf permission for the user.
- Other mailboxes require Send As or Send On Behalf permission _and_ Read and Manage permissions for the delegate.
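Review bot: `Outlook on the web, Outlook for Android and the new Outlook for Windows` needs the serial comma used elsewhere in these docs (`Outlook for Android, and`), and the sentence should say whether Outlook for iOS is excluded deliberately; listing only Android invites that question.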
diff --git a/defender-vulnerability-management/tvm-supported-os.md b/defender-vulnerability-management/tvm-supported-os.md
index 70cf4d98c1..d1cab24387 100644
--- a/defender-vulnerability-management/tvm-supported-os.md
+++ b/defender-vulnerability-management/tvm-supported-os.md
@@ -13,15 +13,15 @@ ms.collection:
- Tier2
ms.topic: conceptual
search.appverid: met150
-ms.date: 12/18/2024
+ms.date: 01/23/2025
---
# Supported operating systems, platforms and capabilities
-Before you begin, ensure that you meet the following operating system or platform requisites for vulnerability management so the activities in your devices are properly accounted for.
+Before you begin, ensure that you meet the operating system and platform requirements for vulnerability management so the activities in your devices are properly accounted for. The supported systems and platforms for vulnerability management may be different from the [Minimum requirements for Microsoft Defender for Endpoint](/defender-endpoint/minimum-requirements) list.
-> [!NOTE]
-> The supported systems and platforms for vulnerability management may be different from the [Minimum requirements for Microsoft Defender for Endpoint](/defender-endpoint/minimum-requirements) list.
+> [!IMPORTANT]
+> Device vulnerability information is gathered regularly from devices that are onboarded to Defender for Endpoint, in both active mode and passive mode. This capability is available across supported Windows, Mac, and Linux operating systems.
## Capabilities per supported operating systems (OS) and platforms
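Review bot: `so the activities in your devices are properly accounted for` should read `on your devices`; folding the old note into the intro sentence is otherwise fine. In the new IMPORTANT box, `in both active mode and passive mode` refers to Microsoft Defender Antivirus modes that this article has not introduced at that point; say `with Microsoft Defender Antivirus in either active mode or passive mode` and link to microsoft-defender-antivirus-compatibility.md, which this same change updates.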
diff --git a/defender-xdr/custom-detection-rules.md b/defender-xdr/custom-detection-rules.md
index 400321e6d1..708afd1639 100644
--- a/defender-xdr/custom-detection-rules.md
+++ b/defender-xdr/custom-detection-rules.md
@@ -71,24 +71,28 @@ In the Microsoft Defender portal, go to **Advanced hunting** and select an exist
#### Required columns in the query results
-To create a custom detection rule, the query must return the following columns:
-- `Timestamp`- Used to set the timestamp for generated alerts
-- `ReportId`- Enables lookups for the original records
-- One of the following columns that identify specific devices, users, or mailboxes:
- - `DeviceId`
- - `DeviceName`
- - `RemoteDeviceName`
- - `RecipientEmailAddress`
- - `SenderFromAddress` (envelope sender or Return-Path address)
- - `SenderMailFromAddress` (sender address displayed by email client)
- - `RecipientObjectId`
- - `AccountObjectId`
- - `AccountSid`
- - `AccountUpn`
- - `InitiatingProcessAccountSid`
- - `InitiatingProcessAccountUpn`
- - `InitiatingProcessAccountObjectId`
+To create a custom detection rule, the query must return the following columns:
+1. `Timestamp` - Used to set the timestamp for generated alerts
+2. A column or combination of columns that uniquely identify the event in Defender XDR tables:
+ - For Microsoft Defender for Endpoint tables, the `Timestamp`, `DeviceId`, and `ReportId` columns must appear in the same event
+ - For Alert* tables, `Timestamp` must appear in the event
+ - For Observation* tables, `Timestamp`and `ObservationId` must appear in the same event
+ - For all others, `Timestamp` and `ReportId` must appear in the same event
+3. One of the following columns that contain a strong identifier for an impacted asset:
+ - `DeviceId`
+ - `DeviceName`
+ - `RemoteDeviceName`
+ - `RecipientEmailAddress`
+ - `SenderFromAddress` (envelope sender or Return-Path address)
+ - `SenderMailFromAddress` (sender address displayed by email client)
+ - `RecipientObjectId`
+ - `AccountObjectId`
+ - `AccountSid`
+ - `AccountUpn`
+ - `InitiatingProcessAccountSid`
+ - `InitiatingProcessAccountUpn`
+ - `InitiatingProcessAccountObjectId`
> [!NOTE]
> Support for additional entities will be added as new tables are added to the [advanced hunting schema](advanced-hunting-schema-tables.md).
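Review bot: `Timestamp`and `ObservationId` is missing the space after the closing backtick. More substantively, item 2 says that for Defender for Endpoint tables `Timestamp`, `DeviceId`, and `ReportId` must appear in the same event, and item 3 lists `DeviceId` again as an impacted-asset identifier; say that one column can satisfy both requirements, or readers will think they need a second identifier column. Also wrap `Alert*` and `Observation*` in backticks like the column names; a bare `*` next to a word is fragile in Markdown.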
diff --git a/unified-secops-platform/TOC.yml b/unified-secops-platform/TOC.yml
index 5d0d496911..2b702621bd 100644
--- a/unified-secops-platform/TOC.yml
+++ b/unified-secops-platform/TOC.yml
@@ -73,6 +73,8 @@
href: /azure/sentinel/soc-optimization/soc-optimization-access?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json&tabs=defender-portal
- name: Manage your unified SOC
items:
+ - name: Manage cases
+ href: cases-overview.md
- name: Manage multiple tenants
items:
- name: Overview
diff --git a/unified-secops-platform/cases-overview.md b/unified-secops-platform/cases-overview.md
new file mode 100644
index 0000000000..a7385a469e
--- /dev/null
+++ b/unified-secops-platform/cases-overview.md
@@ -0,0 +1,127 @@
+---
+title: Manage cases natively with the Case Management Starter Kit (Preview)
+description: Learn about case management features across Microsoft's unified security operations (SecOps) platform.
+search.appverid: met150
+ms.service: unified-secops-platform
+ms.author: austinmc
+author: austinmccollum
+ms.localizationpriority: medium
+ms.date: 01/16/2025
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- tier1
+- usx-security
+ms.topic: conceptual
+
+# customer intent: As a security operations center business decision maker, I want to learn about the case management tool available in Microsoft's unified SecOps platform so I can unify security tickets and case management tools so I can get visibility into, and disrupt attacks in real time across identities, endpoints, email, cloud apps, data in hybrid and multicloud environments.
+---
+
+# Manage cases natively in Microsoft's unified security operations platform
+
+Case management is the first installment of new capabilities for managing security work when you onboard to Microsoft's unified security operations (SecOps) platform.
+
+This initial step toward delivering a unified, security-focused case management experience centralizes rich collaboration, customization, evidence collection, and reporting across SecOps workloads. SecOps teams maintain security context, work more efficiently, and respond faster to attacks when they manage case work without leaving the Defender portal.
+
+> [!IMPORTANT]
+> Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
+
+## What is case management (Preview)?
+
+Case management enables you to manage SecOps cases natively in the Defender portal. Here's the initial set of scenarios and features supported.
+
+- Define your own case workflow with custom status values
+- Assign tasks to collaborators and configure due dates
+- Handle escalations and complex cases by linking multiple incidents to a case
+- Manage access to your cases using RBAC
+
+As we build on this foundation of case management, we're prioritizing these additional robust capabilities as we evolve this solution:
+
+- Automation
+- Multi-tenant support
+- More evidence to add
+- Workflow customization
+- More Defender portal integrations
+
+## Requirements
+
+Case management is available in the Defender portal, and to use it, you must have a Microsoft Sentinel workspace connected. There's no access to cases from the Azure portal.
+
+For more information, see [Connect Microsoft Sentinel to the Defender portal](/defender-xdr/microsoft-sentinel-onboard).
+
+Use this table to plan your RBAC of case management:
+
+| Cases feature | Minimum permissions required in Microsoft Defender XDR Unified RBAC |
+|---|---|
+| View only- case queue- case details- tasks- comments- case audits | Security operations > Security data basics (read)|
+| Create and Manage- cases and case tasks- assign- update status- link and unlink incidents | Security operations > Alerts (manage)|
+| Customize case status options | Authorization and setting > Core Security settings (manage)|
+
+For more information, see [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac).
+
+## Case queue
+
+To start using case management, select **Cases** in the Defender portal to access the case queue. Filter, sort, or search your cases to find what you need to focus on.
+
+:::image type="content" source="media/cases-overview/cases-queue-view.png" alt-text="Screenshot of case queue.":::
+
+## Case details
+
+Each case has a page which allows analysts to manage the case and displays important details.
+
+In the following example, a threat hunter is investigating a hypothetical "Burrowing" attack that consists of multiple MITRE ATT&CK techniques and IoCs.
+
+:::image type="content" source="media/cases-overview/case-details.png" alt-text="Screenshot of case details." lightbox="media/cases-overview/case-details-large.png":::
+
+Manage the following case details to describe, prioritize, assign, and track work:
+
+| Displayed case feature | Manage case options | Default value |
+|:---|:---|:---|
+| Priority| `Very low`, `Low`, `Medium`, `High`, `Critical` | none |
+| Status | Set by analysts, customizable by admins | Default statuses are `New`, `Open`, and `Closed`Default value is `New`|
+| Assigned to | A single user in the tenant | none |
+| Description | Plain text | none |
+| Case details | Case ID | Case IDs start at 1000 and aren't purged. Use custom statuses and filters to archive cases. Case numbers are automatically set.|
+| | Created byCreated onLast updated byLast updated on | automatically set |
+| | Due onLinked incidents | none |
+
+Manage cases further by setting customized status, assigning tasks, linking incidents, and adding comments.
+
+### Customize status
+
+Architect case management to fit the needs of your security operations center (SOC). Customize the status options available to your SecOps teams to fit the processes you have in place.
+
+Following the burrowing attack case creation example, the SOC admins configured statuses enabling threat hunters to keep a backlog of threats for triage on a weekly basis. Custom statuses such as *Research phase* and *Generating hypothesis* match this threat hunting team's established process.
+
+:::image type="content" source="media/cases-overview/customize-status.png" alt-text="Screenshot showing default status options and customized statuses.":::
+
+### Tasks
+
+Add tasks to manage granular components of your cases. Each task comes with its own name, status, priority, owner, and due date. With this information, you always know who is accountable to complete which task and by what time. The task description summarizes the work to do and some space for describing the progress. Closing notes provide more context about the outcome of completed tasks.
+
+:::image type="content" source="media/cases-overview/add-task-small.png" alt-text="Screenshot showing the task pane with tasks populated for the case and statuses available." lightbox="media/cases-overview/add-task.png":::
+*Image shows the following task statuses available: New, In progress, Failed, Partially completed, Skipped, Completed*
+
+### Link incidents
+
+Linking a case and an incident helps your SecOps teams collaborate in the method that works best for them. For example, a threat hunter who finds malicious activity creates an incident for the incident response (IR) team. That threat hunter links the incident to a case so it's clear they're related. Now the IR team understands the context of the hunt that found the activity.
+
+:::image type="content" source="media/cases-overview/link-incidents.png" alt-text="Screenshot showing linked incidents for the hypothetical burrowing attack case." lightbox="media/cases-overview/link-incident-chooser.png":::
+
+Alternatively, if the IR team needs to escalate one or more incidents to the hunting team, they can create a case and link the incidents from the **Investigation & response** incident details page.
+
+:::image type="content" source="media/cases-overview/link-incident-from-incident-graph.png" alt-text="Screenshot showing the link incident option from ellipses menu in the incident view.":::
+
+### Activity log
+
+Need to write down notes, or that key detection logic to pass along? Create plain text comments and review the audit events in the activity log. Comments are a great place to quickly add information to a case.
+
+:::image type="content" source="media/cases-overview/informal-comments.png" alt-text="Screenshot showing informal comments between analysts.":::
+
+Audit events are automatically added to the activity log of the case and the latest events are shown at the top. Change the filter if you need to focus on comments or audit history.
+
+## Related content
+
+- [Microsoft Sentinel blog - Improve SecOps collaboration with case management](https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/improve-secops-collaboration-with-case-management/4369044)
+- [Microsoft Defender Experts for Hunting](/defender-xdr/defender-experts-for-hunting)
+- [Microsoft Sentinel in the Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal)
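Review bot: the front-matter title `Manage cases natively with the Case Management Starter Kit (Preview)` does not match the H1 `Manage cases natively in Microsoft's unified security operations platform`, and the page body never mentions the kit name the title uses; align the two. Several table cells run their items together, for example `Created byCreated onLast updated byLast updated on` and `Due onLinked incidents` in the case details table and `View only- case queue- case details- tasks- comments- case audits` in the RBAC table; each item needs a line break or its own row, and the Status cell needs a separator between `Closed` and `Default value is`. Also `prereleased product` should be `prerelease product`, `Each case has a page which allows` should be `that allows`, and the customer-intent comment repeats `so I can`.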
diff --git a/unified-secops-platform/media/cases-overview/add-task-small.png b/unified-secops-platform/media/cases-overview/add-task-small.png
new file mode 100644
index 0000000000..315aadfc97
Binary files /dev/null and b/unified-secops-platform/media/cases-overview/add-task-small.png differ
diff --git a/unified-secops-platform/media/cases-overview/add-task.png b/unified-secops-platform/media/cases-overview/add-task.png
new file mode 100644
index 0000000000..a419530bc0
Binary files /dev/null and b/unified-secops-platform/media/cases-overview/add-task.png differ
diff --git a/unified-secops-platform/media/cases-overview/case-details-large.png b/unified-secops-platform/media/cases-overview/case-details-large.png
new file mode 100644
index 0000000000..4347591d39
Binary files /dev/null and b/unified-secops-platform/media/cases-overview/case-details-large.png differ
diff --git a/unified-secops-platform/media/cases-overview/case-details.png b/unified-secops-platform/media/cases-overview/case-details.png
new file mode 100644
index 0000000000..7a06f927a1
Binary files /dev/null and b/unified-secops-platform/media/cases-overview/case-details.png differ
diff --git a/unified-secops-platform/media/cases-overview/cases-queue-view.png b/unified-secops-platform/media/cases-overview/cases-queue-view.png
new file mode 100644
index 0000000000..3b83fe5a4e
Binary files /dev/null and b/unified-secops-platform/media/cases-overview/cases-queue-view.png differ
diff --git a/unified-secops-platform/media/cases-overview/customize-status.png b/unified-secops-platform/media/cases-overview/customize-status.png
new file mode 100644
index 0000000000..ceb6354163
Binary files /dev/null and b/unified-secops-platform/media/cases-overview/customize-status.png differ
diff --git a/unified-secops-platform/media/cases-overview/informal-comments.png b/unified-secops-platform/media/cases-overview/informal-comments.png
new file mode 100644
index 0000000000..55c507010c
Binary files /dev/null and b/unified-secops-platform/media/cases-overview/informal-comments.png differ
diff --git a/unified-secops-platform/media/cases-overview/link-incident-chooser.png b/unified-secops-platform/media/cases-overview/link-incident-chooser.png
new file mode 100644
index 0000000000..129c6e7500
Binary files /dev/null and b/unified-secops-platform/media/cases-overview/link-incident-chooser.png differ
diff --git a/unified-secops-platform/media/cases-overview/link-incident-from-incident-graph.png b/unified-secops-platform/media/cases-overview/link-incident-from-incident-graph.png
new file mode 100644
index 0000000000..b30d99078c
Binary files /dev/null and b/unified-secops-platform/media/cases-overview/link-incident-from-incident-graph.png differ
diff --git a/unified-secops-platform/media/cases-overview/link-incident-from-incident.png b/unified-secops-platform/media/cases-overview/link-incident-from-incident.png
new file mode 100644
index 0000000000..233fed3bb2
Binary files /dev/null and b/unified-secops-platform/media/cases-overview/link-incident-from-incident.png differ
diff --git a/unified-secops-platform/media/cases-overview/link-incidents.png b/unified-secops-platform/media/cases-overview/link-incidents.png
new file mode 100644
index 0000000000..bf05c7cda4
Binary files /dev/null and b/unified-secops-platform/media/cases-overview/link-incidents.png differ
diff --git a/unified-secops-platform/whats-new.md b/unified-secops-platform/whats-new.md
index 123f26eeab..c6c46eb2e2 100644
--- a/unified-secops-platform/whats-new.md
+++ b/unified-secops-platform/whats-new.md
@@ -22,9 +22,25 @@ This article lists recent features added into Microsoft's unified SecOps platfor
## January 2025
+- [Manage SecOps work natively with case management (Preview)](#case-management-preview)
- [Unified device timeline in Microsoft Defender portal (Preview)](#unified-device-timeline-in-microsoft-defender-portal-preview)
- [SOC optimization updates for unified coverage management](#soc-optimization-updates-for-unified-coverage-management)
+### Case management (Preview)
+
+Case management is the first installment of an end-to-end solution that provides seamless management of your security work. SecOps teams maintain security context, work more efficiently and respond faster to attacks when they manage case work without leaving the Defender portal. Here's the initial set of scenarios and features that CMSK supports.
+
+- Define your own case workflow with custom status values
+- Assign tasks to collaborators and configure due dates
+- Handle escalations and complex cases by linking multiple incidents to a case
+- Manage access to your cases using RBAC
+
+This is just the start. Stay tuned for additional capabilities as we evolve this solution.
+
+For more information, see the following articles:
+- [Manage cases natively in Microsoft's unified security operations (SecOps) platform](cases-overview.md)
+- [Microsoft Sentinel blog - Improve SecOps collaboration with case management](https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/improve-secops-collaboration-with-case-management/4369044)
+
### Unified device timeline in Microsoft Defender portal (Preview)
The **unified device timeline**, a single, cohesive view that integrates device activity from Microsoft Sentinel and Defender XDR into a single timeline, is now available in Preview. This feature streamlines security investigations by enabling analysts to access all relevant device activities in one place, reducing the need to switch between platforms and lowering incident response times.
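Review bot: `CMSK` in `Here's the initial set of scenarios and features that CMSK supports.` is never expanded in this article; either expand it on first use (the cases-overview.md front matter in this same change calls it the Case Management Starter Kit) or say `case management` as the rest of the entry does. `This is just the start. Stay tuned for additional capabilities as we evolve this solution.` is marketing filler in a what's-new log; drop it. Missing comma: `work more efficiently, and respond faster`.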
@@ -55,7 +71,7 @@ For more information, see [Optimize your security operations](/azure/sentinel/so
### New SOC optimization recommendations based on similar organizations (Preview)
SOC optimizations now include new recommendations for adding data sources to your workspace based on the security posture of other organizations in similar industries and sectors as you, and with similar data ingestion patterns.
-
+
For more information, see [SOC optimization reference of recommendations](/azure/sentinel/soc-optimization/soc-optimization-reference).
### Microsoft Sentinel workbooks now available to view directly in the Microsoft Defender portal
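Review bot: this hunk is a whitespace-only change (an empty line replaced by an empty line); if it strips trailing whitespace that is fine, otherwise drop it to keep the diff focused on the content changes.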