Merge pull request #2585 from MicrosoftDocs/main
Published main to live, Wednesday 5:00 PM IST, 01/29
padmagit77 authored Jan 29, 2025
2 parents 0841740 + ae4b222 commit dc3b433
Showing 35 changed files with 239 additions and 215 deletions.
12 changes: 6 additions & 6 deletions defender-endpoint/aggregated-reporting.md
Expand Up @@ -61,9 +61,9 @@ Aggregated reporting supports the following event types:
> [!div class="mx-tdBreakAll"]
> |Action type|Advanced hunting table|Device timeline presentation|Properties|
> |:---|:---|:-------|:-------------------------------|
> |FileCreatedAggregatedReport|DeviceFileEvents|{ProcessName} created {Occurrences} {FilePath} files|1. File path </br> 2. Process name </br> 3. Process name|
>|FileRenamedAggregatedReport|DeviceFileEvents|{ProcessName} renamed {Occurrences} {FilePath} files|1. File path </br> 2. Process name </br> 3. Process name|
> |FileModifiedAggregatedReport|DeviceFileEvents|{ProcessName} modified {Occurrences} {FilePath} files|1. File path </br> 2. Process name </br> 3. Process name|
> |FileCreatedAggregatedReport|DeviceFileEvents|{ProcessName} created {Occurrences} {FilePath} files|1. File path </br> 2. File extension </br> 3. Process name|
>|FileRenamedAggregatedReport|DeviceFileEvents|{ProcessName} renamed {Occurrences} {FilePath} files|1. File path </br> 2. File extension </br> 3. Process name|
> |FileModifiedAggregatedReport|DeviceFileEvents|{ProcessName} modified {Occurrences} {FilePath} files|1. File path </br> 2. File extension </br> 3. Process name|
> |ProcessCreatedAggregatedReport|DeviceProcessEvents|{InitiatingProcessName} created {Occurrences} {ProcessName} processes|1. Initiating process command line </br> 2. Initiating process SHA1 </br> 3. Initiating process file path </br> 4. Process command line </br> 5. Process SHA1 </br> 6. Folder path|
> |ConnectionSuccessAggregatedReport|DeviceNetworkEvents|{InitiatingProcessName} established {Occurrences} connections with {RemoteIP}:{RemotePort}|1. Initiating process name </br> 2. Source IP </br> 3. Remote IP </br> 4. Remote port|
> |ConnectionFailedAggregatedReport|DeviceNetworkEvents|{InitiatingProcessName} failed to establish {Occurrences} connections with {RemoteIP:RemotePort}|1. Initiating process name </br> 2. Source IP </br> 3. Remote IP </br> 4. Remote port|
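Review bot: the rewritten File* rows fix the duplicated "Process name" property (now "File extension" in position 2), but they keep `</br>` as the line-break tag inside the Properties cells; `</br>` is a stray closing tag that browsers merely tolerate, and the intended element is `<br>` (or `<br/>`). While these rows are being touched, also align the blockquote prefix on the FileRenamedAggregatedReport row, which is `>|FileRenamed...` where every other row is `> |...`.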
Expand Down Expand Up @@ -92,7 +92,7 @@ You can use the following KQL queries to gather specific information using aggre

The following query highlights noisy process activity, which can be correlated with malicious signals.

```KQL
```Kusto
DeviceProcessEvents
| where Timestamp > ago(1h)
| where ActionType == "ProcessCreatedAggregatedReport"
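Review bot: confirm that `Kusto` is the fence identifier the rest of the docs set uses for Kusto blocks before switching away from `KQL`; the same swap is made for the other two queries in this file, so the three blocks stay consistent with each other, but an identifier the highlighter does not recognise falls back to plain text with no build warning, so the rendered page is the only place the mistake would show.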
Expand All @@ -105,7 +105,7 @@ DeviceProcessEvents

The following query identifies repeated sign-in attempt failures.

```KQL
```Kusto
DeviceLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonFailedAggregatedReport"
Expand All @@ -119,7 +119,7 @@ DeviceLogonEvents

The following query identifies suspicious RDP connections, which might indicate malicious activity.

```KQL
```Kusto
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType endswith "AggregatedReport"
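Review bot: this query filters `ActionType endswith "AggregatedReport"` whereas the two queries above match one exact action type; the table earlier in this file lists exactly two DeviceNetworkEvents aggregated types (ConnectionSuccessAggregatedReport and ConnectionFailedAggregatedReport), so naming them with `ActionType in ("ConnectionSuccessAggregatedReport", "ConnectionFailedAggregatedReport")` would state the intent explicitly and keep the "suspicious RDP connections" result stable if further aggregated types are added to that table later.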
7 changes: 4 additions & 3 deletions defender-endpoint/mac-device-control-faq.md
Expand Up @@ -2,8 +2,9 @@
title: macOS Device control policies frequently asked questions (FAQ)
description: Get answers to common questions about device control policies using JAMF or Intune.
ms.service: defender-endpoint
author: YongRhee-MSFT
ms.author: yongrhee
author: emmwalshh
ms.author: ewalsh
ms.reviewer: joshbregman
manager: deniseb
ms.localizationpriority: medium
audience: ITPro
Expand Down Expand Up @@ -39,7 +40,7 @@ Answer: Run _mdatp device-control policy preferences list_ to see all the iOS po

:::image type="content" source="media/macos-device-control-faq-enabled-default-enforcement.png" alt-text="Shows how to run mdatp device-control policy preferences list to see if a device is Device Control enabled. " lightbox="media/macos-device-control-faq-enabled-default-enforcement.png":::

### How do I know whether the policy has been delivered to the client machine?
### How do I know if the policy is delivered to the client machine?

Answer: Run _mdatp device-control policy rules list_ to see all the iOS policies on this machine:

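Review bot: both visible answers in this region, "Run _mdatp device-control policy preferences list_ to see all the iOS policies" and "Run _mdatp device-control policy rules list_ to see all the iOS policies on this machine", say "iOS" in a document titled macOS Device control policies FAQ whose procedure runs the `mdatp` CLI on the Mac; confirm whether this should read "Device Control policies" (or "macOS policies") and fix both occurrences in the same editorial pass as the heading change.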
7 changes: 4 additions & 3 deletions defender-endpoint/mac-device-control-intune.md
Expand Up @@ -2,8 +2,9 @@
title: Deploy and manage Device Control using Intune
description: Learn how to deploy and manage device control policies using Intune.
ms.service: defender-endpoint
author: YongRhee-MSFT
ms.author: yongrhee
author: emmwalshh
ms.author: ewalsh
ms.reviewer: joshbregman
manager: deniseb
ms.localizationpriority: medium
audience: ITPro
Expand Down Expand Up @@ -44,7 +45,7 @@ Before you get started with Removable Storage Access Control, you must confirm y
Now, you have `groups`, `rules`, and `settings`, replace the mobileconfig file with those values and put it under the Device Control node. Here's the demo file: [mdatp-devicecontrol/demo.mobileconfig at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/mobileconfig/demo.mobileconfig). Make sure validate your policy with the JSON schema and make sure your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json).

> [!NOTE]
> See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups.
> See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules, and groups.
### Deploy the mobileconfig file using Intune

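Review bot: the paragraph just above the note still reads "Make sure validate your policy with the JSON schema" (missing "to"; the equivalent sentence in mac-device-control-jamf.md in this same commit reads "Make sure to validate"), and "Now, you have `groups`, `rules`, and `settings`, replace the mobileconfig file with those values" is a comma splice; since this hunk is already an editorial pass on the note, fix both here. A blank line between the `> See ...` note and the `### Deploy the mobileconfig file using Intune` heading would also match the spacing the JAMF page uses before its `### Step 2` heading.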
17 changes: 9 additions & 8 deletions defender-endpoint/mac-device-control-jamf.md
Expand Up @@ -2,8 +2,9 @@
title: Deploy and manage device control using JAMF
description: Learn how to use device control policies using JAMF.
ms.service: defender-endpoint
author: YongRhee-MSFT
ms.author: yongrhee
author: emmwalshh
ms.author: ewalsh
ms.reviewer: joshbregman
manager: deniseb
ms.localizationpriority: medium
audience: ITPro
Expand Down Expand Up @@ -42,27 +43,27 @@ Before you get started with Removable Storage Access Control, you must confirm y

### Step 1: Create policy JSON

Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here is the demo file: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json).
Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here's the demo file: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json).

See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups.
See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules, and groups.

### Step 2: Update MDE Preferences Schema

The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) has been updated to include the new `deviceControl/policy` key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content.
The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) is updated to include the new `deviceControl/policy` key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content.

:::image type="content" source="media/macos-device-control-jamf-mde-preferences-schema.png" alt-text="Shows where to edit the Microsoft Defender for Endpoint Preferences Schema to update." lightbox="media/macos-device-control-jamf-mde-preferences-schema.png":::

### Step 3: Add Device Control Policy to MDE Preferences

A new 'Device Control' property will now be available to add to the UX.
A new 'Device Control' property is now available to add to the UX.

1. Select the topmost **Add/Remove properties** button, then select **Device Control** and press **Apply**.

:::image type="content" source="media/macos-device-control-jamf-device-control-property.png" alt-text="Shows how to add Device Control in Microsoft Defender for Endpoint" lightbox="media/macos-device-control-jamf-device-control-property.png":::

2. Next, scroll down until you see the **Device Control** property (it will be the bottommost entry), and select **Add/Remove properties** directly underneath it.
2. Next, scroll down until you see the **Device Control** property (it's the bottommost entry), and select **Add/Remove properties** directly underneath it.

3. Select **Device Control Policy**, and then click **Apply**.
3. Select **Device Control Policy**, and then select **Apply**.

:::image type="content" source="media/macos-device-control-jamf-device-control-add-remove-property.png" alt-text="Shows how to apply Device Control Policy in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-add-remove-property.png":::

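Review bot: step 1 still says "press **Apply**" while step 3 is changed from "click **Apply**" to "select **Apply**"; use "select" in both so the procedure reads consistently. The Step 1 sentence "Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here's the demo file" is a run-on that quotes the same three keys in two different styles (single quotes, then none) where the Intune page uses backticks; consider `groups`, `rules`, and `settings` in code font and a full stop before "Here's the demo file". The alt text on the first screenshot in this hunk also lacks the trailing period that the other two alt texts have.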
5 changes: 3 additions & 2 deletions defender-endpoint/mac-device-control-manual.md
Expand Up @@ -2,8 +2,9 @@
title: Deploy and manage device control manually
description: Learn how to use device control policies manually.
ms.service: defender-endpoint
author: YongRhee-MSFT
ms.author: yongrhee
author: emmwalshh
ms.author: ewalsh
ms.reviewer: joshbregman
manager: deniseb
ms.localizationpriority: medium
audience: ITPro
0 comments on commit dc3b433