Merge branch 'master' into migrate-mdatp

windows/security/threat-protection/TOC.md

@@ -648,6 +648,7 @@
 
 #### [Managed security service provider (MSSP) integration]()
 ##### [Configure managed security service provider integration](microsoft-defender-atp/configure-mssp-support.md)
+##### [Supported managed security service providers](microsoft-defender-atp/mssp-list.md)
 ##### [Grant MSSP access to the portal](microsoft-defender-atp/grant-mssp-access.md)
 ##### [Access the MSSP customer portal](microsoft-defender-atp/access-mssp-portal.md)
 ##### [Configure alert notifications](microsoft-defender-atp/configure-mssp-notifications.md)

windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md

@@ -32,6 +32,9 @@ You can run an on-demand scan on individual endpoints. These scans will start im
 
 Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. 
 
+> [!IMPORTANT] 
+> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share. 
+
 Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.  
 
 In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.

windows/security/threat-protection/microsoft-defender-atp/android-intune.md

@@ -33,7 +33,7 @@ device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-co
 
 
 > [!NOTE]
-> **Microsoft Defender ATP for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.** <br>
+> **Microsoft Defender ATP for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)** <br>
 > You can connect to Google Play from Intune to deploy Microsoft Defender ATP app across Device Administrator and Android Enterprise entrollment modes.
   Updates to the app are automatic via Google Play.
 
@@ -58,7 +58,7 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
    - **Name** 
    - **Description**
    - **Publisher** as Microsoft.
-   - **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Microsoft Defender ATP Preview app Google Play Store URL) 
+   - **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Microsoft Defender ATP app Google Play Store URL) 
 
    Other fields are optional. Select **Next**.
 
@@ -73,14 +73,14 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
     > ![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png)
 
 
-6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
+4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
 
     In a few moments, the Microsoft Defender ATP app would be created successfully, and a notification would show up at the top-right corner of the page.
 
     ![Image of Microsoft Endpoint Manager Admin Center](images/86cbe56f88bb6e93e9c63303397fc24f.png)
 
 
-7. In the app information page that is displayed, in the **Monitor** section,
+5. In the app information page that is displayed, in the **Monitor** section,
 select **Device install status** to verify that the device installation has
 completed successfully.
 

windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md

@@ -66,6 +66,8 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
 - **Fetch alerts from MSSP customer's tenant using APIs** <br>
 This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
 
+## Multi-tenant access for MSSPs
+For information on how to implement a multi-tenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440).
 
 
 

windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md

@@ -36,7 +36,7 @@ Enable security information and event management (SIEM) integration so you can p
 >- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 
 ## Prerequisites
-- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role.
+- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is someone with the following roles: Security Administrator and either Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
 - During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site.
 
 ## Enabling SIEM integration 

windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md

@@ -32,7 +32,7 @@ To become a Microsoft Defender ATP solution partner, you'll need to follow and c
 Subscribing to the [Microsoft Defender ATP Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9) allows you to use a Microsoft Defender ATP tenant with up to 10 devices for developing solutions to integrate with Microsoft Defender ATP. 
 
 ## Step 2: Fulfill the solution validation and certification requirements
-The best way for technology partners to certify their integration works, is to have a joint customer approve the suggested integration design and have it tested and demoed to the Microsoft Defender ATP team.
+The best way for technology partners to certify that their integration works is to have a joint customer approve the suggested integration design (the customer can use the **Recommend a partner** option in the [Partner Application page](https://securitycenter.microsoft.com/interoperability/partners) in the Microsoft Defender Security Center) and have it tested and demoed to the Microsoft Defender ATP team.
 
 Once the Microsoft Defender ATP team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association.
 

windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md

@@ -54,7 +54,7 @@ The current supported actions are:
 You can create an indicator for:
 - [Files](indicator-file.md)
 - [IP addresses, URLs/domains](indicator-ip-domain.md)
-- [Certificates (preview)](indicator-certificates.md)
+- [Certificates](indicator-certificates.md)
 
 
 >[!NOTE]

windows/security/threat-protection/microsoft-defender-atp/mssp-list.md

@@ -0,0 +1,44 @@
+---
+title: Supported managed security service providers 
+description: See the list of MSSPs that Microsoft Defender ATP integrates with
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Supported managed security service providers
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Logo |Partner name   | Description 
+:---|:---|:---
+![Image of BDO Digital logo](images/bdo-logo.png)| [BDO Digital](https://go.microsoft.com/fwlink/?linkid=2090394) | BDO Digital's Managed Defense leverages best practice tools, AI, and in-house security experts for 24/7/365 identity protection
+![Image of BlueVoyant logo](images/bluevoyant-logo.png)| [BlueVoyant](https://go.microsoft.com/fwlink/?linkid=2121401) | MDR for Microsoft Defender ATP provides support in monitoring, investigating, and mitigating advanced attacks on endpoints
+![Image of Cloud Security Center logo](images/cloudsecuritycenter-logo.png)| [Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2099315) | InSpark's Cloud Security Center is a 24x7 managed service that delivers protect, detect & respond capabilities
+![Image of Cloud SOC logo](images/cloudsoc-logo.png)| [Cloud SOC](https://go.microsoft.com/fwlink/?linkid=2104265) | Cloud SOC provides 24/7 security monitoring services based on Microsoft cloud and helps you to continuously improve your security posture
+![Image of CSIS Managed Detection & Response logo](images/csis-logo.png)| [CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2091005) | 24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when and how security incidents have taken place
+![Image of Dell Technologies Advanced Threat Protection logo](images/dell-logo.png)| [Dell Technologies Advanced Threat Protection](https://go.microsoft.com/fwlink/?linkid=2091004) | Professional monitoring service for malicious behavior and anomalies with 24/7 capability
+![Image of DXC-Managed Endpoint Threat Detection and Response logo](images/dxc-logo.png)| [DXC-Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2090395) | Identify endpoint threats that evade traditional security defenses and contain them in hours or minutes, not days
+![Image of NTT Security logo](images/ntt-logo.png)| [NTT Security](https://go.microsoft.com/fwlink/?linkid=2095320) | NTT's EDR Service provides 24/7 security monitoring & response across your endpoint and network
+![Image of Red Canary logo](images/redcanary-logo.png)| [Red Canary](https://go.microsoft.com/fwlink/?linkid=2103852) | Red Canary is a security operations partner for modern teams, MDR deployed in minutes
+![Image of SecureWorks Managed Detection and Response Powered by Red Cloak logo](images/secureworks-logo.png)| [SecureWorks Managed Detection and Response Powered by Red Cloak](https://go.microsoft.com/fwlink/?linkid=2133634) | Secureworks combines threat intelligence and 20+ years of experience into SaaS and managed security solutions
+![Image of sepagoSOC logo](images/sepago-logo.png)| [sepagoSOC](https://go.microsoft.com/fwlink/?linkid=2090491) | Ensure holistic security through sophisticated automated workflows in your zero trust environment
+![Image of Trustwave Threat Detection & Response Services logo](images/trustwave-logo.png)| [Trustwave Threat Detection & Response Services](https://go.microsoft.com/fwlink/?linkid=2127542) | Threat Detection and Response services for Azure leveraging integrations with Sentinel and Microsoft Defender ATP
+![Image of Wortell's cloud SOC logo](images/wortell-logo.png)| [Wortell's cloud SOC](https://go.microsoft.com/fwlink/?linkid=2108415) | 24x7 managed Microsoft Defender ATP service for monitoring & response
+![Image of Zero Trust Analytics Platform (ZTAP) logo](images/ztap-logo.png)| [Zero Trust Analytics Platform (ZTAP)](https://go.microsoft.com/fwlink/?linkid=2090971) | Reduce your alerts by 99% and access a full range of security capabilities from mobile devices
+
+## Related topics
+- [Configure managed service security provider integration](configure-mssp-support.md)

windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md

@@ -41,7 +41,7 @@ Response actions run along the top of a specific device page and include:
 - Consult a threat expert
 - Action center
 
-![Image of response actions](images/response-actions.png)
+[ ![Image of response actions](images/response-actions.png) ](images/response-actions.png#lightbox)
 
  You can find device pages from any of the following views:
 
@@ -68,11 +68,11 @@ For more information on automated investigations, see [Overview of Automated inv
 
 ## Initiate Live Response Session
 
-Live response is a capability that gives you instantaneous access to a device using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
+Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats — real time.
 
 Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
 
-For more information on live response, see [Investigate entities on devices using live response](live-response.md)
+For more information on live response, see [Investigate entities on devices using live response](live-response.md).
 
 ## Collect investigation package from devices
 
@@ -98,17 +98,17 @@ The package contains the following folders:
 
 | Folder | Description |
 |:---|:---------|
-|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the device. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”                                                                                                                                  |
+|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the device. </br></br> <div class="alert"><b>NOTE:</b> If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”</div>                                                                                                                                |
 |Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509).                                                                                  |
-|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. </br></br> - FirewallExecutionLog.txt and pfirewall.log                                                                                  |
+|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that might have been used to run an internal attack.</br></br> - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. </br></br> - FirewallExecutionLog.txt and pfirewall.log                                                                                  |
 | Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder –  Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder.                                                                                                      |
-| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state.                                                                                                                                                                                                       |
+| Processes| Contains a .CSV file listing the running processes, which provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state.                                                                                                                                                                                                       |
-| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen device to look for suspicious code which was set to run automatically.                                                                                                                                                                                                      |
+| Scheduled tasks| Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen device to look for suspicious code which was set to run automatically.                                                                                                                                                                                                      |
-| Security event log| Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. </br></br>NOTE: Open the event log file using Event viewer.                                                                                      |
+| Security event log| Contains the security event log, which contains records of login or logout activity, or other security-related events specified by the system's audit policy. </br></br><div class="alert"><b>NOTE:</b> Open the event log file using Event viewer.</div>                                                                                    |
-| Services| Contains a .CSV file which lists services and their states.                                                                                      |
+| Services| Contains a .CSV file that lists services and their states.                                                                                      |
-| Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> NOTE: If there are no sessions (inbound or outbound), you'll get a text file which tell you that there are no SMB sessions found.                                                                                                                            |
+| Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> <div class="alert"><b>NOTE:</b> If there are no sessions (inbound or outbound), you'll get a text file which tell you that there are no SMB sessions found.</div>                                                                                                                          |
 | System Information| Contains a SystemInformation.txt file which lists system information such as OS version and network cards.                                                                                     |
-| Temp Directories| Contains a set of text files that lists the files located in %Temp% for every user in the system. </br></br> This can help to track suspicious files that an attacker may have dropped on the system. </br></br> NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system.                                                                                                                                            |
+| Temp Directories| Contains a set of text files that lists the files located in %Temp% for every user in the system. </br></br> This can help to track suspicious files that an attacker may have dropped on the system. </br></br> <div class="alert"><b>NOTE:</b> If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system.</div>                                                                                                                                         |
 | Users and Groups| Provides a list of files that each represent a group and its members.                                                                                                                   |
 |WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab                                                                                                                   |
 | CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. |
@@ -127,6 +127,11 @@ One you have selected **Run antivirus scan**, select the scan type that you'd li
 
 The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Microsoft Defender AV alerts will reflect any detections that surfaced during the scan.
 
+>[!NOTE]
+>When triggering a scan using Microsoft Defender ATP response action, Microsoft Defender antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU impact of the scan.<br> 
+>If ScanAvgCPULoadFactor is not configured, the default value is a limit of 50% maximum CPU load during a scan.<br>
+>For more information, see [configure-advanced-scan-types-microsoft-defender-antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus).
+
 ## Restrict app execution
 
 In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.

windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md

@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 04/15/2020
+ms.date: 09/16/2020
 ---
 
 # Use multiple Windows Defender Application Control Policies
@@ -24,7 +24,7 @@ ms.date: 04/15/2020
 - Windows 10
 - Windows Server 2016
 
-The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios:
+The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios:
 
 1. Enforce and Audit Side-by-Side
     - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy
@@ -44,7 +44,7 @@ The restriction of only having a single code integrity policy active on a system
 - Multiple base policies: intersection
   - Only applications allowed by both policies run without generating block events
 - Base + supplemental policy: union
-  - Files that are allowed by the base policy or the supplemental policy are not blocked
+  - Files that are allowed by either the base policy or the supplemental policy are not blocked
 
 ## Creating WDAC policies in Multiple Policy Format