diff --git a/defender-endpoint/mac-whatsnew.md b/defender-endpoint/mac-whatsnew.md
index da73ab876b..c7136b6472 100644
--- a/defender-endpoint/mac-whatsnew.md
+++ b/defender-endpoint/mac-whatsnew.md
@@ -40,12 +40,12 @@ For more information on Microsoft Defender for Endpoint on other operating syste
> [!NOTE]
> - Apple fixed an issue on macOS [Ventura upgrade](https://developer.apple.com/documentation/macos-release-notes/macos-13_1-release-notes), and [Sonoma upgrade](https://developer.apple.com/forums/thread/737824#773449022) with the latest OS update. The issue impacts Microsoft Defender for Endpoint security extensions, and might result in losing Full Disk Access Authorization, impacting its ability to function properly.
> - In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device controls ability to intercept and block access to Bluetooth devices. At this time, the recommended mitigation is to use a version of macOS less than 14.3.1.
-> - In both macOS Sonoma and Sequoia builds, Network Protection capabilities may be impacted due to changes in Apple's internal networking structure resulting in crashes of the network extension (NetExt). This will result in intermittent network connectivity issues for end users. We are recommending that customers who have Network Protection enabled in their organization refrain from upgrading to Sonoma / Seqouia builds at this time.
+> - In macOS Sequoia, Network Protection capabilities may be impacted due to changes in Apple's internal networking structure resulting in crashes of the network extension (NetExt). This will result in intermittent network connectivity issues for end users. We are recommending that customers who have Network Protection enabled in their organization refrain from upgrading to Sequoia builds at this time.
**Sequoia support**
-Microsoft Defender supports macOS Sequoia (15) in the current Defender release.
+Microsoft Defender is working with Apple on a network stack change that is impacting Network Protection's Network Filter with macOS Sequoia (15).
**macOS Deprecation**
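Review bot: The replacement line under **Sequoia support** no longer says whether Defender for Endpoint is supported on macOS Sequoia (15); it only says that work with Apple is ongoing. Say plainly whether Sequoia is supported, supported only with Network Protection disabled, or unsupported, and point to the Network Protection note above. The note bullet also drops Sonoma without saying whether the NetExt crashes were resolved there, which matters to customers who held back Sonoma upgrades on the earlier advice.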
@@ -89,7 +89,7 @@ Behavior monitoring monitors process behavior to detect and analyze potential th
##### What's new
-- [[device control](mac-device-control-overview.md)] Secure Digital cards are not recognized on newer macOS
+- [[device control](mac-device-control-overview.md)] Secure Digital cards aren't recognized on newer macOS
- Bug and performance fixes
### May-2024 (Build: 101.24042.0008 | Release version: 20.124042.8.0)
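Review bot: The device control bullet under **What's new** still reads as a symptom ("Secure Digital cards aren't recognized on newer macOS") rather than a change. If this release fixes the problem, say so, for example by starting with "Fixed an issue where"; if it is a known issue, it belongs in a note rather than in the change list.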
@@ -1026,7 +1026,7 @@ Live Response for macOS is now available for all Mac devices onboarded to Defend
> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device.
> > The mechanism for granting this consent depends on how you deployed Microsoft Defender for Endpoint:
> - For manual deployments, see the updated instructions in the [Manual deployment topic](mac-install-manually.md#allow-full-disk-access).
-- For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
+- For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) articles.
- Performance improvements & bug fixes
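Review bot: The terminology change on the managed-deployments bullet leaves the neighbouring manual-deployments bullet with the link text "Manual deployment topic". Change that one to "article" in the same commit so the two bullets match.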
diff --git a/defender-endpoint/microsoft-defender-antivirus-updates.md b/defender-endpoint/microsoft-defender-antivirus-updates.md
index 91851327ea..6a7e2515d3 100644
--- a/defender-endpoint/microsoft-defender-antivirus-updates.md
+++ b/defender-endpoint/microsoft-defender-antivirus-updates.md
@@ -3,11 +3,11 @@ title: Microsoft Defender Antivirus security intelligence and product updates
description: Manage how Microsoft Defender Antivirus receives protection and product updates.
ms.service: defender-endpoint
ms.localizationpriority: high
-ms.date: 08/12/2024
+ms.date: 09/19/2024
audience: ITPro
ms.topic: reference
-author: siosulli
-ms.author: siosulli
+author: denisebmsft
+ms.author: deniseb
ms.custom: nextgen
ms.reviewer: pahuijbr, tudobril, yongrhee
manager: deniseb
@@ -151,21 +151,6 @@ All our updates contain:
- Fixed an issue where an Outlook exclusion for the ASR rule [Block Office applications from injecting code into other processes](/defender-endpoint/attack-surface-reduction-rules-reference#block-office-applications-from-injecting-code-into-other-processes) was not honored.
- Fixed a race condition during the startup of [endpoint data loss prevention](/purview/endpoint-dlp-getting-started) such that, in certain environments, some system files could be corrupted.
-### May-2024 (Engine: 1.1.24050.5 | Platform: 4.18.24050.7)
-
-- Security intelligence update version: **1.413.1.0**
-- Release date: **May 30, 2024** (Engine) / **June 4, 2024** (Platform)
-- Engine: **1.1.24050.5**
-- Platform: **4.18.24050.7**
-- Support phase: **Security and Critical Updates**
-
-#### What's new
-
-- Improved performance when running configuration queries.
-- Optimized how scans are prioritized.
-- Fixed a crash caused by a race condition with a device control driver.
-- Added Event Viewer Logging for scan start event where the scan originates from PowerShell.
-
### Previous version updates: Technical upgrade support only
After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see [Microsoft Defender Antivirus updates: Previous versions for technical upgrade support](msda-updates-previous-versions-technical-upgrade-support.md).
@@ -228,14 +213,13 @@ Updates are released for x86, x64, and ARM64 Windows architecture.
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
-After a new package version is released, support for the previous two versions is reduced to technical support only. To view a list of previous versions, see [Previous DISM updates (no longer supported)](msda-updates-previous-versions-technical-upgrade-support.md#previous-dism-updates-no-longer-supported).
+After a new package version is released, support for the previous two versions is reduced to technical support only. To view a list of previous versions, see [Previous DISM updates](msda-updates-previous-versions-technical-upgrade-support.md#previous-dism-updates-no-longer-supported).
-### 1.415.295.0
+### 1.417.472.0
-- Defender package version: `1.415.295.0`
-- Security intelligence version: `1.415.295.0`
-- Engine version: `1.24070.1`
-- Platform version: `4.18.24070.5`
+- Defender package version: `1.417.472.0`
+- Security intelligence version: `1.417.472.0`
+- Engine version: `1.24080.9`
#### Fixes
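Review bot: The new `1.417.472.0` entry has no Platform version line; the block it replaces listed four items and the new one stops at `Engine version`. Add the platform version or say why it is omitted. The link text was also shortened to "Previous DISM updates" while the anchor is still `#previous-dism-updates-no-longer-supported`; confirm the target heading is unchanged so the anchor still resolves.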
@@ -245,10 +229,10 @@ After a new package version is released, support for the previous two versions i
- None
-### 1.415.235.0
+### 1.415.295.0
-- Defender package version: `1.415.235.0`
-- Security intelligence version: `1.415.235.0`
+- Defender package version: `1.415.295.0`
+- Security intelligence version: `1.415.295.0`
- Engine version: `1.24070.1`
- Platform version: `4.18.24070.5`
@@ -260,12 +244,12 @@ After a new package version is released, support for the previous two versions i
- None
-### 1.411.111.0
+### 1.415.235.0
-- Defender package version: `1.411.111.0`
-- Security intelligence version: `1.411.111.0`
-- Engine version: `1.24050.2`
-- Platform version: `4.18.24050.7`
+- Defender package version: `1.415.235.0`
+- Security intelligence version: `1.415.235.0`
+- Engine version: `1.24070.1`
+- Platform version: `4.18.24070.5`
#### Fixes
diff --git a/defender-endpoint/microsoft-defender-endpoint-mac.md b/defender-endpoint/microsoft-defender-endpoint-mac.md
index 5eb78bf036..936fed8e3a 100644
--- a/defender-endpoint/microsoft-defender-endpoint-mac.md
+++ b/defender-endpoint/microsoft-defender-endpoint-mac.md
@@ -15,7 +15,7 @@ ms.collection:
ms.topic: conceptual
ms.subservice: macos
search.appverid: met150
-ms.date: 09/17/2024
+ms.date: 09/19/2024
---
# Microsoft Defender for Endpoint on Mac
@@ -71,12 +71,12 @@ There are several methods and deployment tools that you can use to install and c
The three most recent major releases of macOS are supported.
-- 15 (Sequoia)
-
- 14 (Sonoma)
- 13 (Ventura)
+- 12 (Monterey)
+
> [!IMPORTANT]
> On macOS 11 (Big Sur) and above, Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [New configuration profiles for macOS Big Sur and newer versions of macOS](mac-sysext-policies.md).
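Review bot: After this change the list (14, 13, 12) contradicts the unchanged lead sentence "The three most recent major releases of macOS are supported", because 15 (Sequoia) is removed from it. Reword the lead sentence to name the supported versions directly, and say here why Sequoia is excluded, with a link to the Network Protection note in mac-whatsnew.md, so admins don't read the omission as an oversight.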
diff --git a/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md b/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md
index b7e5b807b6..0ea01fa0e8 100644
--- a/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md
+++ b/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md
@@ -2,11 +2,11 @@
title: Microsoft Defender Antivirus updates - Previous versions for technical upgrade support
description: Understand the type of technical support offered for previous versions of Microsoft Defender Antivirus
ms.service: defender-endpoint
-ms.author: siosulli
-author: siosulli
+ms.author: deniseb
+author: denisebmsft
ms.localizationpriority: medium
ms.reviewer: pahuijbr
-ms.date: 08/12/2024
+ms.date: 09/19/2024
manager: deniseb
audience: ITPro
ms.collection:
@@ -29,6 +29,21 @@ Microsoft regularly releases [security intelligence updates and product updates
## Engine and platform updates
+### May-2024 (Engine: 1.1.24050.5 | Platform: 4.18.24050.7)
+
+- Security intelligence update version: **1.413.1.0**
+- Release date: **May 30, 2024** (Engine) / **June 4, 2024** (Platform)
+- Engine: **1.1.24050.5**
+- Platform: **4.18.24050.7**
+- Support phase: **Technical upgrade support (only)**
+
+#### What's new
+
+- Improved performance when running configuration queries.
+- Optimized how scans are prioritized.
+- Fixed a crash caused by a race condition with a device control driver.
+- Added Event Viewer Logging for scan start event where the scan originates from PowerShell.
+
### April-2024 (Engine: 1.1.24040.1 | Platform: 4.18.24040.4)
- Security intelligence update version: **1.411.7.0**
@@ -1106,6 +1121,21 @@ Microsoft regularly releases [security intelligence updates and product updates
The versions listed in this section are no longer supported. To view current versions, see [Updates for Deployment Image Servicing and Management (DISM)](microsoft-defender-antivirus-updates.md#updates-for-deployment-image-servicing-and-management-dism).
+### 1.411.111.0
+
+- Defender package version: `1.411.111.0`
+- Security intelligence version: `1.411.111.0`
+- Engine version: `1.24050.2`
+- Platform version: `4.18.24050.7`
+
+#### Fixes
+
+- None
+
+#### Additional information
+
+- None
+
### 1.411.9.0
- Defender package version: `1.411.9.0`
diff --git a/defender-office-365/attack-simulation-training-insights.md b/defender-office-365/attack-simulation-training-insights.md
index 88f45b6736..e04fcffd46 100644
--- a/defender-office-365/attack-simulation-training-insights.md
+++ b/defender-office-365/attack-simulation-training-insights.md
@@ -459,7 +459,7 @@ How user activity signals are captured is described in the following table.
|Opened Attachment|A user opened the attachment.|The signal comes from the client (for example, Outlook or Word).|
|Read Message|The user read the simulation message.|Message read signals might experience issues in the following scenarios:
- The user reported the message as phishing in Outlook without leaving the reading pane, and **Mark items as read when viewed in the Reading Pane** wasn't configured (default).
- The user reported the unread message as phishing in Outlook, the message was deleted, and **Mark messages as read when deleted** wasn't configured (default).
|
|Out of Office|Determines whether the user is out of office.|Currently calculated by the Automatic replies setting from Outlook.|
-|Compromised User|The user was compromised. The compromise signal varies based on the social engineering technique.|- **Credential Harvest**: The user entered their credentials on the login page (credentials aren't stored by Microsoft).¹
- **Malware Attachment**: The user opened the payload attachment and selected **Enable Editing** in [Protected View](https://support.microsoft.com/office/d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653).
- **Link in Attachment**: The user opened the attachment and clicked on the payload link.
- **Link to Malware**: The user clicked on the payload link and entered their credentials.
- **Drive by URL**: The user clicked on the payload link (entering credentials isn't required).¹
- **OAuth Consent Grant**: The user clicked on the payload link and accepted the prompt to share permissions.¹
|
+|Compromised User|The user was compromised. The compromise signal varies based on the social engineering technique.|- **Credential Harvest**: The user entered their credentials on the login page (credentials aren't stored by Microsoft).¹
- **Malware Attachment**: The user opened the payload attachment and selected **Enable Editing** in [Protected View](https://support.microsoft.com/office/d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653).
- **Link in Attachment**: The user opened the attachment and entered their credentials after clicking on the payload link.
- **Link to Malware**: The user clicked on the payload link and entered their credentials.
- **Drive by URL**: The user clicked on the payload link (entering credentials isn't required).¹
- **OAuth Consent Grant**: The user clicked on the payload link and accepted the prompt to share permissions.¹
|
|Clicked Message Link|The user clicked on the payload link in the simulation message.|The URL in the simulation is unique for each user, which allows individual user activity tracking. Third-party filtering services or email forwarding can lead to false positives. For more information, see [I see clicks or compromise events from users who insist they didn't click the link in the simulation message](attack-simulation-training-faq.md#i-see-clicks-or-compromise-events-from-users-who-insist-they-didnt-click-the-link-in-the-simulation-message).|
|Forwarded Message|The user forwarded the message.||
|Replied to Message|The user replied to the message.||
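Review bot: In the **Link in Attachment** bullet, the new wording puts the steps out of order ("entered their credentials after clicking on the payload link"). Use the same chronological pattern as the **Link to Malware** bullet: opened the attachment, clicked on the payload link, and entered their credentials. The change also narrows what counts as a compromise for this technique; if that reflects a product change rather than a doc correction, it deserves a line in the what's-new page so differences in simulation reports are explained.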
diff --git a/defender-office-365/defender-for-office-365-whats-new.md b/defender-office-365/defender-for-office-365-whats-new.md
index db53d025b9..877a29ebdc 100644
--- a/defender-office-365/defender-for-office-365-whats-new.md
+++ b/defender-office-365/defender-for-office-365-whats-new.md
@@ -49,7 +49,7 @@ For more information on what's new with other Microsoft Defender security produc
- **Tenant Allow/Block List in Microsoft 365 GCC, GCC High, DoD, and Office 365 operated by 21Vianet environments**: The [Tenant Allow/Block List](tenant-allow-block-list-about.md) is now available these environments. They are on parity with the WW commercial experiences.
-- **45 days after last used date**: The value **Remove allow entry after** \> **45 days after last used date** is now the default on new allow entries from submissions and existing allow entries in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). The allow entry is triggered and the **LastUsedDate** property is updated when the entity is encountered and identified as malicious during mail flow or at time of click. After the filtering system determines that the entity is clean, the allow entry is automatically removed after 45 days. By default, allow entries for spoofed senders never expire.
+- **45 days after last used date**: The value **Remove allow entry after** \> **45 days after last used date** is now the default on new allow entries from submissions. The existing allow entries in the [Tenant Allow/Block List](tenant-allow-block-list-about.md) can also be modified to include the value **Remove allow entry after** \> **45 days after last used date**. The allow entry is triggered and the **LastUsedDate** property is updated when the entity is encountered and identified as malicious during mail flow or at time of click. After the filtering system determines that the entity is clean, the allow entry is automatically removed after 45 days. By default, allow entries for spoofed senders never expire.
- (GA) Learning hub resources have moved from the Microsoft Defender portal to [learn.microsoft.com](https://go.microsoft.com/fwlink/?linkid=2273118). Access Microsoft Defender XDR Ninja training, learning paths, training modules and more. Browse the [list of learning paths](/training/browse/?products=m365-ems-cloud-app-security%2Cdefender-for-cloud-apps%2Cdefender-identity%2Cm365-information-protection%2Cm365-threat-protection%2Cmdatp%2Cdefender-office365&expanded=m365%2Coffice-365), and filter by product, role, level, and subject.
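Review bot: The rewritten entry names the setting "45 days after last used date", but the unchanged sentence that follows says the entry is removed 45 days after the filtering system determines that the entity is clean. Say which event starts the 45 days: the last update to **LastUsedDate** or the clean verdict. The new second sentence also doesn't say what expiration existing allow entries keep if an admin doesn't modify them.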
diff --git a/defender-office-365/submissions-admin.md b/defender-office-365/submissions-admin.md
index ffc22c1fa2..89e858b64d 100644
--- a/defender-office-365/submissions-admin.md
+++ b/defender-office-365/submissions-admin.md
@@ -306,7 +306,7 @@ After a few moments, the associated allow entries appear on the **Domains & addr
> - If the sender email address is not found to be malicious by our filtering system, submitting the email message to Microsoft won't create an allow entry in the Tenant Allow/Block List.
> - When an allowed domain or email address, spoofed sender, URL, or file (_entity_) is encountered again, all filters that are associated with the entity are skipped. For email messages, all other entities are still evaluated by the filtering system before making a decision.
> - During mail flow, if messages from the allowed domain or email address pass other checks in the filtering stack, the messages are delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), a message from an allowed sender email address are delivered.
-> - By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages from those domains or email addresses are delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.
+> - By default, allow entries for domains and email addresses are kept for 45 days after the filtering system determines that the entity is clean, and then the allow entry is removed. Or you can set allow entries to expire up to 30 days after you create them. By default, allow entries for spoofed senders never expire.
> - For messages that were incorrectly blocked by [domain or user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), the allow entry for the domain or sender is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains** section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-defender-portal-to-modify-anti-phishing-policies) that detected the message.
> - When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** on the **Tenant Allow/Block Lists** page at .
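Review bot: "Or you can set allow entries to expire up to 30 days after you create them" is a fragment and doesn't say where that is set; join it to the previous sentence and name the **Remove allow entry after** setting that defender-for-office-365-whats-new.md uses. The new text also drops "last used date", which the what's-new entry gives as the name of the default. The same sentence pair is added for files and URLs in the next two hunks of this file, so fix all three together.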
@@ -362,7 +362,7 @@ After a few moments, the allow entry is available on the **Files** tab on the **
> [!IMPORTANT]
>
-> - By default, allow entries for files exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those files are delivered, unless something else in the message is detected as malicious.
+> - By default, allow entries for files are kept for 45 days after the filtering system determines that the entity is clean, and then the allow entry is removed. Or you can set allow entries to expire up to 30 days after you create them.
> - When the file is encountered again during mail flow, [Safe Attachments](safe-attachments-about.md) detonation or file reputation checks and all other file-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message are delivered.
> - During selection, all file-based filters, including [Safe Attachments](safe-attachments-about.md) detonation or file reputation checks are overridden, allowing user access to the file.
@@ -420,7 +420,7 @@ After a few moments, the allow entry is available on the **URL** tab on the **Te
> [!NOTE]
>
-> - By default, allow entries for URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those URLs are delivered, unless something else in the message is detected as malicious.
+> - By default, allow entries for URLs are kept for 45 days after the filtering system determines that the entity is clean, and then the allow entry is removed. Or you can set allow entries to expire up to 30 days after you create them.
> - When the URL is encountered again during mail flow, [Safe Links](safe-links-about.md) detonation or URL reputation checks and all other URL-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message are delivered.
> - During selection, all URL-based filters, including [Safe Links](safe-links-about.md) detonation or URL reputation checks are overridden, allowing user access to content at the URL.
diff --git a/defender-office-365/tenant-allow-block-list-about.md b/defender-office-365/tenant-allow-block-list-about.md
index e35b588224..eaa00be14b 100644
--- a/defender-office-365/tenant-allow-block-list-about.md
+++ b/defender-office-365/tenant-allow-block-list-about.md
@@ -8,7 +8,7 @@ manager: deniseb
audience: ITPro
ms.topic: how-to
ms.localizationpriority: medium
-ms.date: 07/18/2024
+ms.date: 09/19/2024
search.appverid:
- MET150
ms.collection:
@@ -34,7 +34,7 @@ In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
The Tenant Allow/Block List in the Microsoft Defender portal gives you a way to manually override the Defender for Office 365 or EOP filtering verdicts. The list is used during mail flow for incoming messages from external senders.
-The Tenant Allow/Block List doesn't apply to internal messages sent within the organization. But block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses.
+Entries for **Domains and email addresses** and **Spoofed senders** apply to internal messages sent within the organization. Block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses.
The Tenant Allow/Block list is available in the Microsoft Defender portal at **Email & collaboration** \> **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use .
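Review bot: The new first sentence says entries for **Domains and email addresses** and **Spoofed senders** apply to internal messages, but the unchanged paragraph just above still says the list is used "for incoming messages from external senders". Update that paragraph as well, and state whether file and URL entries apply to internal messages, since the old blanket statement that covered them is removed.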
diff --git a/defender-xdr/advanced-hunting-deviceevents-table.md b/defender-xdr/advanced-hunting-deviceevents-table.md
index 551e3805c7..467d17db2b 100644
--- a/defender-xdr/advanced-hunting-deviceevents-table.md
+++ b/defender-xdr/advanced-hunting-deviceevents-table.md
@@ -68,7 +68,7 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessSHA1` | `string` | SHA-1 of the process (image file) that initiated the event |
| `InitiatingProcessSHA256` | `string` | SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
| `InitiatingProcessMD5` | `string` | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process that initiated the event |
+| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
| `InitiatingProcessFileSize` | `long` | Size of the file that ran the process responsible for the event |
| `InitiatingProcessFolderPath` | `string` | Folder containing the process (image file) that initiated the event |
| `InitiatingProcessId` | `long` | Process ID (PID) of the process that initiated the event |
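Review bot: "Name of the process file name" is redundant; "File name of the process (image file) that initiated the event" matches the wording of the neighbouring hash and folder rows. The fallback clause also needs to say how a query author can tell which value was recorded, because hunting queries that match on `InitiatingProcessFileName` behave differently when the column holds a process name instead of an image file name. The same description is added in the other six table files in this commit.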
diff --git a/defender-xdr/advanced-hunting-devicefileevents-table.md b/defender-xdr/advanced-hunting-devicefileevents-table.md
index df030d31e2..69e33b200a 100644
--- a/defender-xdr/advanced-hunting-devicefileevents-table.md
+++ b/defender-xdr/advanced-hunting-devicefileevents-table.md
@@ -60,7 +60,7 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessSHA1` | `string` | SHA-1 of the process (image file) that initiated the event |
| `InitiatingProcessSHA256` | `string` | SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
| `InitiatingProcessFolderPath` | `string` | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process that initiated the event |
+| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
| `InitiatingProcessFileSize` | `long` | Size of the process (image file) that initiated the event |
| `InitiatingProcessVersionInfoCompanyName` | `string` | Company name from the version information of the process (image file) responsible for the event |
| `InitiatingProcessVersionInfoProductName` | `string` | Product name from the version information of the process (image file) responsible for the event |
diff --git a/defender-xdr/advanced-hunting-deviceimageloadevents-table.md b/defender-xdr/advanced-hunting-deviceimageloadevents-table.md
index 9b2d775cda..4d01bf21ad 100644
--- a/defender-xdr/advanced-hunting-deviceimageloadevents-table.md
+++ b/defender-xdr/advanced-hunting-deviceimageloadevents-table.md
@@ -56,7 +56,7 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessSHA1` | `string` | SHA-1 of the process (image file) that initiated the event |
| `InitiatingProcessSHA256` | `string` | SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
| `InitiatingProcessMD5` | `string` | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process that initiated the event |
+| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
| `InitiatingProcessFileSize` | `long` | Size of the file that ran the process responsible for the event |
| `InitiatingProcessVersionInfoCompanyName` | `string` | Company name from the version information of the process (image file) responsible for the event |
| `InitiatingProcessVersionInfoProductName` | `string` | Product name from the version information of the process (image file) responsible for the event |
diff --git a/defender-xdr/advanced-hunting-devicelogonevents-table.md b/defender-xdr/advanced-hunting-devicelogonevents-table.md
index ccb36bb3cf..bc7cdca7f0 100644
--- a/defender-xdr/advanced-hunting-devicelogonevents-table.md
+++ b/defender-xdr/advanced-hunting-devicelogonevents-table.md
@@ -64,7 +64,7 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessSHA1` | `string` | SHA-1 hash of the process (image file) that initiated the event |
| `InitiatingProcessSHA256` | `string` | SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available. |
| `InitiatingProcessMD5` | `string` | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process that initiated the event |
+| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead|
| `InitiatingProcessFileSize` | `long` | Size of the file that ran the process responsible for the event |
| `InitiatingProcessVersionInfoCompanyName` | `string` | Company name from the version information of the process (image file) responsible for the event |
| `InitiatingProcessVersionInfoProductName` | `string` | Product name from the version information of the process (image file) responsible for the event |
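Review bot: The new `InitiatingProcessFileName` row ends with "instead|", with no space before the closing pipe, unlike the same row in the other table files. Add the space so the table source stays consistent.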
diff --git a/defender-xdr/advanced-hunting-devicenetworkevents-table.md b/defender-xdr/advanced-hunting-devicenetworkevents-table.md
index 388c1cd589..6f96143b24 100644
--- a/defender-xdr/advanced-hunting-devicenetworkevents-table.md
+++ b/defender-xdr/advanced-hunting-devicenetworkevents-table.md
@@ -53,7 +53,7 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessSHA1` | `string` | SHA-1 of the process (image file) that initiated the event |
| `InitiatingProcessSHA256` | `string` | SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
| `InitiatingProcessMD5` | `string` | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process that initiated the event |
+| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
| `InitiatingProcessFileSize` | `long` | Size of the file that ran the process responsible for the event |
| `InitiatingProcessVersionInfoCompanyName` | `string` | Company name from the version information of the process (image file) responsible for the event |
| `InitiatingProcessVersionInfoProductName` | `string` | Product name from the version information of the process (image file) responsible for the event |
diff --git a/defender-xdr/advanced-hunting-deviceprocessevents-table.md b/defender-xdr/advanced-hunting-deviceprocessevents-table.md
index 17d1fb9087..75d7d2051b 100644
--- a/defender-xdr/advanced-hunting-deviceprocessevents-table.md
+++ b/defender-xdr/advanced-hunting-deviceprocessevents-table.md
@@ -76,7 +76,7 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessSHA1` | `string` | SHA-1 hash of the process (image file) that initiated the event |
| `InitiatingProcessSHA256` | `string` | SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
| `InitiatingProcessMD5` | `string` | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process that initiated the event |
+| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
| `InitiatingProcessFileSize` | `long` | Size of the file that ran the process responsible for the event |
| `InitiatingProcessVersionInfoCompanyName` | `string` | Company name from the version information of the process (image file) responsible for the event |
| `InitiatingProcessVersionInfoProductName` | `string` | Product name from the version information of the process (image file) responsible for the event |
diff --git a/defender-xdr/advanced-hunting-deviceregistryevents-table.md b/defender-xdr/advanced-hunting-deviceregistryevents-table.md
index a7e8dd620a..fbcad48e17 100644
--- a/defender-xdr/advanced-hunting-deviceregistryevents-table.md
+++ b/defender-xdr/advanced-hunting-deviceregistryevents-table.md
@@ -55,7 +55,7 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessSHA1` | `string` | SHA-1 of the process (image file) that initiated the event |
| `InitiatingProcessSHA256` | `string` | SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
| `InitiatingProcessMD5` | `string` | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | `string` | Name of the process that initiated the event |
+| `InitiatingProcessFileName` | `string` | Name of the process file name that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
| `InitiatingProcessFileSize` | `long` | Size of the file that ran the process responsible for the event |
| `InitiatingProcessVersionInfoCompanyName` | `string` | Company name from the version information of the process (image file) responsible for the event |
| `InitiatingProcessVersionInfoProductName` | `string` | Product name from the version information of the process (image file) responsible for the event |