diff --git a/ATPDocs/deploy/capacity-planning.md b/ATPDocs/deploy/capacity-planning.md index 2a1785f1d1..ea4dc8a573 100644 --- a/ATPDocs/deploy/capacity-planning.md +++ b/ATPDocs/deploy/capacity-planning.md @@ -11,7 +11,7 @@ This article describes how to use the Microsoft Defender for Identity sizing too While domain controller performance may not be affected if the server doesn't have required resources, the Defender for Identity sensor may not operate as expected. For more information, see [Microsoft Defender for Identity prerequisites](prerequisites.md). -The sizing tool measures the capacity needed for domain controllers only. There is no need to run it against AD FS / AD CS servers, as the performance impact on AD FS / AD CS servers is extremely minimal to not existent. +The sizing tool measures the capacity needed for domain controllers only. There is no need to run it against AD FS / AD CS / Entra Connect servers, as the performance impact on these servers is extremely minimal to not existent. > [!TIP] > By default, Defender for Identity supports up to 350 sensors. To install more sensors, contact Defender for Identity support. 
@@ -47,17 +47,17 @@ Common results include: |Result |Description | |---------|---------| -|**Yes** | The sensor is supported on your server | +|**Yes** | The sensor is supported on your server. | |**Yes, but additional resources required** | The sensor is supported on your server as long you add any specified missing resources. | -|**Maybe** | The current **Busy Packets/Second** value may be significantly higher at that point than average. Check the timestamps to understand the processes running at that time, and whether you can limit the bandwidth for those processes under normal circumstances. | -|**Maybe, but additional resources required** |The sensor may be supported on your server as long you add any specified missing resources, or the **Busy packets / Second** may be above 60K | -|**No** | The sensor isn't supported on your server.

The current **Busy Packets/Second** value may be significantly higher at that point than average. Check the timestamps to understand the processes running at that time, and whether you can limit the bandwidth for those processes under normal circumstances. | -|**Missing OS Data** | There was an issue reading the operating system data. Make sure the connection to your server is able to query WMI remotely. | -|**Missing Traffic Data** | There was an issue reading the traffic data. Make sure the connection to your server is able to query performance counters remotely. | -|**Missing RAM data** | There was an issue reading the RAM data. Make sure the connection to your server is able to query WMI remotely. | +|**Maybe** | The current **Busy Packets/sec** value may be significantly higher at that point than average. Check the timestamps to understand the processes running at that time, and whether you can limit the bandwidth for those processes under normal circumstances. | +|**Maybe, but additional resources required** |The sensor may be supported on your server as long you add any specified missing resources, or the **Busy packets/sec** may be above 60K. | +|**No** | The sensor isn't supported on your server.

The current **Busy Packets/sec** value may be significantly higher at that point than average. Check the timestamps to understand the processes running at that time, and whether you can limit the bandwidth for those processes under normal circumstances. | +|**Missing OS Data** | There was an issue reading the operating system data. Make sure the connection to your server is able to query WMI remotely. | +|**Missing Traffic Data** | There was an issue reading the traffic data. Make sure the connection to your server is able to query performance counters remotely. | +|**Missing RAM data** | There was an issue reading the RAM data. Make sure the connection to your server is able to query WMI remotely. | |**Missing core data** | There was an issue reading the core data. Make sure the connection to your server is able to query WMI remotely. | -For example, the following image shows a set of results where the **Maybe** indicates that the **Busy Packets/Second** value is significantly higher at that point than average. Note that the **Display DC Times as UTC/Local** is set to *Local DC Time*. This setting helps highlight the fact that the values were taken at around 3:30 AM. +For example, the following image shows a set of results where the **Maybe** indicates that the **Busy Packets/sec** value is significantly higher at that point than average. Note that the **Display DC Times as UTC/Local** is set to *Local DC Time*. This setting helps highlight the fact that the values were taken at around 3:30 AM. :::image type="content" source="../media/capacity-tool-maybe.png" alt-text="Screenshot of a capacity tool results showing Maybe values." lightbox="../media/capacity-tool-maybe.png"::: diff --git a/defender-xdr/advanced-hunting-query-results.md b/defender-xdr/advanced-hunting-query-results.md index c6205c7ee7..8d5b2acba1 100644 --- a/defender-xdr/advanced-hunting-query-results.md +++ b/defender-xdr/advanced-hunting-query-results.md 
@@ -173,7 +173,24 @@ Select the three dots to the right of any column in the **Inspect record** panel - Exclude the selected value from the query (`!=`) - Get more advanced operators for adding the value to your query, such as `contains`, `starts with`, and `ends with` -:::image type="content" source="/defender/media/work-with-query-tweak-query.png" alt-text="The Action Type pane on the Inspect record page in the Microsoft Defender portal " lightbox="/defender/media/work-with-query-tweak-query.png"::: +:::image type="content" source="/defender/media/work-with-query-tweak-query.png" alt-text="Screenshot of the Action Type pane on the Inspect record page in the Microsoft Defender portal." lightbox="/defender/media/work-with-query-tweak-query.png"::: + + + +## Add items to Favorites +You can add your frequently used schemas, functions, queries, and detection rules to the Favorites section of each tab in the advanced hunting page for quick access. + +:::image type="content" source="media/faves-1.png" alt-text="Screenshot of the advanced hunting page with the Favorites section highlighted." lightbox="media/faves-1.png"::: + +For instance, to add `AlertInfo` to your **Favorites**, go to the **Schema** tab, and select the three dots to the right of the table and select **Add to favorites**. + +:::image type="content" source="media/faves-2.png" alt-text="Screenshot of the Add to Favorites option in the advanced hunting page." lightbox="media/faves-2.png"::: + +A notification appears to inform you that the item was successfully added to Favorites. + +![Screenshot of notification that a new item was added to Favorites in advanced hunting.](media/faves-3.png) + +You can do the same for your saved functions, queries, and custom detections in their respective Favorites sections right under each tab (**Functions**, **Queries**, and **Detection Rules**). > [!NOTE] > Some tables in this article might not be available at Microsoft Defender for Endpoint. 
[Turn on Microsoft Defender XDR](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft Defender XDR by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md). diff --git a/defender-xdr/defender-experts-scoped-coverage.md b/defender-xdr/defender-experts-scoped-coverage.md index e2d05d842c..48a149aa29 100644 --- a/defender-xdr/defender-experts-scoped-coverage.md +++ b/defender-xdr/defender-experts-scoped-coverage.md @@ -44,7 +44,7 @@ The devices and users you add to these groups are then considered as the set of :::image type="content" source="media/defender_scoped_devices.png" alt-text="Screenshot of Defender Experts Scoped devices." lightbox="media/defender_scoped_devices.png"::: > [!NOTE] -> Defender Experts need **Security admin** permissions to create the device and user groups. [Learn more about granting permissions to our experts](get-started-xdr.md#grant-permissions-to-our-experts) +> Defender Experts need **Security admin** permissions to create the device and user groups. [Learn more about granting permissions to our experts](get-started-xdr.md#grant-permissions-to-our-experts). > [!TIP] > The device group should be in the highest order of priority for the devices under it, to be considered in scope. This is a known product limitation. diff --git a/defender-xdr/experts-on-demand.md b/defender-xdr/experts-on-demand.md index eef7720508..cc60e23f25 100644 --- a/defender-xdr/experts-on-demand.md +++ b/defender-xdr/experts-on-demand.md @@ -21,7 +21,7 @@ ms.collection: - essentials-manage ms.topic: conceptual search.appverid: met150 -ms.date: 10/31/2024 +ms.date: 12/20/2024 --- # Collaborate with experts on demand 
@@ -33,7 +33,7 @@ ms.date: 10/31/2024 - [Microsoft Defender XDR](microsoft-365-defender.md) > [!NOTE] -> Ask Defender Experts is included in your Defender Experts for Hunting subscription with [quarterly allocations](before-you-begin-defender-experts.md#eligibility-and-licensing). However, it's not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/). +> Ask Defender Experts is included in your Defender Experts for Hunting subscription with [quarterly allocations](before-you-begin-defender-experts.md#eligibility-and-licensing). Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization might face. Ask Defender Experts can help: @@ -43,7 +43,7 @@ Select **Ask Defender Experts** directly inside the Microsoft 365 security porta :::image type="content" source="media/ask-defender-expert-dialog.png" alt-text="Screenshot of the Ask Defender Experts dialog box." lightbox="media/ask-defender-expert-dialog.png"::: -### Required permissions for using Ask Defender Experts +## Required permissions for using Ask Defender Experts You need to select one of the following Microsoft Entra ID roles to view and submit inquiries to our Defender experts. 
@@ -61,7 +61,7 @@ Microsoft Threat Experts customers using Ask Defender Experts capability will al | Security data basics | Read | | Alerts, Response | Read and submit | -### Where to submit inquiries to Ask Defender Experts +## Where to submit inquiries to Ask Defender Experts The option to **Ask Defender Experts** is available in several places throughout the portal: 
@@ -71,36 +71,33 @@ The option to **Ask Defender Experts** is available in several places throughout - **Device inventory page flyout menu**: - :::image type="content" source="/defender/media/mte/defenderexperts/device-inventory-flyout-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Device inventory page flyout menu in the Microsoft Defender portal.." lightbox="/defender/media/mte/defenderexperts/device-inventory-flyout-menu.png"::: + :::image type="content" source="/defender/media/mte/defenderexperts/device-inventory-flyout-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Device inventory page flyout menu in the Microsoft Defender portal." lightbox="/defender/media/mte/defenderexperts/device-inventory-flyout-menu.png"::: - **Alerts page flyout menu**: - :::image type="content" source="/defender/media/mte/defenderexperts/alerts-flyout-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Alerts page flyout menu in the Microsoft Defender portal.." lightbox="/defender/media/mte/defenderexperts/alerts-flyout-menu.png"::: + :::image type="content" source="/defender/media/mte/defenderexperts/alerts-flyout-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Alerts page flyout menu in the Microsoft Defender portal." lightbox="/defender/media/mte/defenderexperts/alerts-flyout-menu.png"::: - **Incidents page actions menu**: - :::image type="content" source="/defender/media/mte/defenderexperts/incidents-page-actions-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Incidents page actions menu in the Microsoft Defender portal.." lightbox="/defender/media/mte/defenderexperts/incidents-page-actions-menu.png"::: + :::image type="content" source="/defender/media/mte/defenderexperts/incidents-page-actions-menu.png" alt-text="Screenshot of the Ask Defender Experts menu option in the Incidents page actions menu in the Microsoft Defender portal." 
lightbox="/defender/media/mte/defenderexperts/incidents-page-actions-menu.png"::: -### Where to view responses from Defender Experts +## Where to view responses from Defender Experts -#### In portal +### In portal -You can view responses to inquiries submitted to Ask Defender Experts from up to six months ago by navigating to **Reports** > **Defender Experts messages**. You will also be able to ask follow-up questions or reply with more information to Defender Experts from this page. +You can view responses to inquiries submitted to Ask Defender Experts from up to six months ago by navigating to **Reports** > **Defender Experts messages**. You'll also be able to ask follow-up questions or reply with more information to Defender Experts from this page. :::image type="content" source="media/inportal-managed-response.png" alt-text="Screenshot of in-portal managed response." lightbox="media/inportal-managed-response.png"::: -#### Email +### Email -If you included contact email addresses when submitting your inquiry, they will receive an email notification when a response from Defender Experts is posted. +If you included contact email addresses when submitting your inquiry, they'll receive an email notification when a response from Defender Experts is posted. :::image type="content" source="media/email-based-managed-response.png" alt-text="Screenshot of email based managed response." lightbox="media/email-based-managed-response.png"::: -> [!NOTE] -> Defender Experts will not be able to assist you with inquiries regarding bugs or issues in your product experience in the Microsoft Defender XDR portal. You can reach out to Microsoft Support via the [Services Hub](https://serviceshub.microsoft.com/home) regarding such inquiries. - -### Sample questions you can ask from Defender Experts +## Sample questions you can ask from Defender Experts -#### Alert information +### Alert information - We saw a new type of alert for a living-off-the-land binary. 
We can provide the alert ID. Can you tell us more about this alert and if it's related to any incident and how we can investigate it further? - We've observed two similar attacks, which both try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by Office 365." What is the difference? 
@@ -108,23 +105,42 @@ If you included contact email addresses when submitting your inquiry, they will - Can you give more context or insight about the alert and any related incidents, "Suspicious behavior by a system utility was observed"? - I observed an alert titled "Creation of forwarding/redirect rule". I believe the activity is benign. Can you tell me why I received an alert? -#### Possible device compromise +### Possible device compromise - Can you help explain why we see a message or alert for "Unknown process observed" on many devices in our organization? We appreciate any input to clarify whether this message or alert is related to malicious activity or incidents. - Can you help validate a possible compromise on the following system, dating from last week? It's behaving similarly as a previous malware detection on the same system six months ago. -#### Threat intelligence details +### Threat intelligence details - We detected a phishing email that delivered a malicious Word document to a user. The document caused a series of suspicious events, which triggered multiple alerts for a particular malware family. Do you have any information on this malware? If yes, can you send us a link? - We recently saw a blog post about a threat that is targeting our industry. Can you help us understand what protection Microsoft Defender XDR provides against this threat actor? - We recently observed a phishing campaign conducted against our organization. Can you tell us if this was targeted specifically to our company or vertical? -#### Microsoft Defender Experts for Hunting alert communications +### Microsoft Defender Experts for Hunting alert communications - Can your incident response team help us address the Defender Experts Notification that we got? - We received this Defender Experts Notification from Microsoft Defender Experts for Hunting. We don't have our own incident response team. What can we do now, and how can we contain the incident? 
- We received a Defender Experts Notification from Microsoft Defender Experts for Hunting. What data can you provide to us that we can pass on to our incident response team? +## Services that aren't in scope for Defender Experts + +Ask Defender Experts is focused on products that are only included in Microsoft Defender XDR, i.e., Microsoft Defender for Endpoint, Microsoft Defender for Office, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. + +The service doesn't cover the following scenarios: + +- Inquiries related to custom detections in the above products can't be handled in Ask Defender Experts because our experts typically don't have access to such telemetry or visibility into how these custom policies were set up. Examples of such policies include: + + - **Alerts with policy source** = **Custom** + - **Detection source** = **Custom TI** + - **Alert title** = **Anomaly Indicator** + - **Threat family** = **Custom Enterprise Block Only** + +- Defender Experts won't be able to handle inquiries on non-Defender XDR products such as Microsoft Defender for Cloud, Microsoft Defender for IoT, Microsoft Sentinel, Microsoft Purview, Microsoft Priva, and other third-party cybersecurity products. + +- Defender Experts won't be able to assist you with inquiries regarding bugs in your product experience in the Defender XDR portal, such as, missing data on the alert or incident page or a recommended action not completing when you action it. You can reach out to Microsoft Support via the [Services Hub](https://serviceshub.microsoft.com/home) regarding such issues. + +- Ask Defender Experts isn't a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. 
If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/). + ### Next step - [Understand the Defender Experts for Hunting report in Microsoft Defender XDR](defender-experts-report.md) diff --git a/defender-xdr/media/faves-1.png b/defender-xdr/media/faves-1.png new file mode 100644 index 0000000000..f3194bca36 Binary files /dev/null and b/defender-xdr/media/faves-1.png differ diff --git a/defender-xdr/media/faves-2.png b/defender-xdr/media/faves-2.png new file mode 100644 index 0000000000..eeeef4f3a0 Binary files /dev/null and b/defender-xdr/media/faves-2.png differ diff --git a/defender-xdr/media/faves-3.png b/defender-xdr/media/faves-3.png new file mode 100644 index 0000000000..d5e2fac956 Binary files /dev/null and b/defender-xdr/media/faves-3.png differ diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md index b2456c9aeb..d697fa14ea 100644 --- a/defender-xdr/whats-new.md +++ b/defender-xdr/whats-new.md 
@@ -36,6 +36,7 @@ You can also get product updates and important notifications through the [messag - (Preview) The [Link to incident](advanced-hunting-defender-results.md#link-query-results-to-an-incident) feature in Microsoft Defender advanced hunting now allows linking of Microsoft Sentinel query results. In both the Microsoft Defender unified experience and in [Defender XDR advanced hunting](advanced-hunting-link-to-incident.md), you can now specify whether an entity is an impacted asset or related evidence. - (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-adx-operator-for-azure-data-explorer-queries-preview), Microsoft Defender portal users can now use the `adx()` operator to query tables stored in Azure Data Explorer. You no longer need to go to log analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender. - New documentation library for Microsoft's unified security operations platform. Find centralized documentation about [Microsoft's unified SecOps platform in the Microsoft Defender portal](/unified-secops-platform/overview-unified-security). Microsoft's unified SecOps platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, Microsoft Security Exposure Management, and generative AI into the Defender portal. Learn about the features and functionality available with Microsoft's unified SecOps platform, then start to plan your deployment. +- (GA) In advanced hunting, you can now add your frequently used schema tables, functions, queries, and detection rules in the **[Favorites](advanced-hunting-query-results.md#add-items-to-favorites)** sections under each tab for quicker accesss. ## November 2024 
diff --git a/defender/media/advanced-hunting-query-results-copy.png b/defender/media/advanced-hunting-query-results-copy.png new file mode 100644 index 0000000000..236044406b Binary files /dev/null and b/defender/media/advanced-hunting-query-results-copy.png differ diff --git a/defender/media/advanced-hunting-query-results-faves.png b/defender/media/advanced-hunting-query-results-faves.png new file mode 100644 index 0000000000..d7eb992ec9 Binary files /dev/null and b/defender/media/advanced-hunting-query-results-faves.png differ
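Review bot: The rewritten line in the capacity-planning.md hunk at @@ -11,7 +11,7 @@ keeps the phrase "extremely minimal to not existent"; since the sentence is being edited anyway, make it "minimal or nonexistent" (or simply "negligible"), and "performance impact on these servers" would then read cleanly.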
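Review bot: The **No** row in the capacity-planning.md hunk at @@ -47,17 +47,17 @@ is still broken in two by a blank line, so the text beginning "The current **Busy Packets/sec** value may be significantly higher..." falls outside the table cell and renders as a stray paragraph; that text also duplicates the **Maybe** row's description, so the row should end at "The sensor isn't supported on your server. |". Two smaller points in the same hunk: the counter is written "Busy Packets/sec" in the **Maybe** row but "Busy packets/sec" in the "Maybe, but additional resources required" row (pick one casing), and "as long you add" in both "additional resources required" rows should read "as long as you add".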
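Review bot: The three screenshots in the new Favorites section of the advanced-hunting-query-results.md hunk at @@ -173,7 +173,24 @@ use three different conventions: faves-1 and faves-2 use `:::image` with the relative path `media/faves-1.png`, the existing image just above uses `/defender/media/...`, and faves-3 uses plain Markdown `![...](media/faves-3.png)` with no lightbox. Use the same `:::image` form and path root for all three. Also trim the three empty lines before `## Add items to Favorites` to one, and "select the three dots to the right of the table and select **Add to favorites**" repeats "select"; "then select **Add to favorites**" reads better.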
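Review bot: The incident-response caveat dropped from the NOTE in the experts-on-demand.md hunk at @@ -33,7 +33,7 @@ reappears later in this diff under "Services that aren't in scope", so nothing is lost; but the NOTE that remains only states the quarterly allocation, so consider whether it still warrants a callout or can be folded into the introductory sentence that follows it.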
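Review bot: The product list in the new "Services that aren't in scope" section of the experts-on-demand.md hunk at @@ -108,23 +105,42 @@ writes "Microsoft Defender for Office"; the product is named Microsoft Defender for Office 365, so add "365". In the same hunk, `### Next step` is now the only level-3 heading left after every other section in the file was promoted to `##`, so it renders as a subsection of "Services that aren't in scope"; promote it as well. Wording nits: "products that are only included in Microsoft Defender XDR" should be "only products included in Microsoft Defender XDR", "i.e.," can simply be "that is,", and "such as, missing data" has a stray comma.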
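Review bot: "accesss" in the bullet added by the whats-new.md hunk at @@ -36,6 +36,7 @@ is a typo for "access". The bullet's link target `advanced-hunting-query-results.md#add-items-to-favorites` matches the heading added in this change, so the anchor resolves.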
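Review bot: The two binaries added under `defender/media/` (`advanced-hunting-query-results-copy.png` and `advanced-hunting-query-results-faves.png`) are not referenced by any Markdown change in this diff; the new Favorites section uses `defender-xdr/media/faves-1.png` through `faves-3.png` instead. Either reference them or drop them from the commit so unused images don't land in the repo.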