MicrosoftDocs
diff --git a/‎.openpublishing.redirection.defender-xdr.json‎
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.redirection.defender-xdr.json‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎ATPDocs/monitored-activities.md‎
Lines changed: 12 additions & 10 deletions b/‎ATPDocs/monitored-activities.md‎
Lines changed: 12 additions & 10 deletions
diff --git a/‎ATPDocs/whats-new.md‎
Lines changed: 33 additions & 1 deletion b/‎ATPDocs/whats-new.md‎
Lines changed: 33 additions & 1 deletion
diff --git a/‎defender-endpoint/android-configure.md‎
Lines changed: 16 additions & 16 deletions b/‎defender-endpoint/android-configure.md‎
Lines changed: 16 additions & 16 deletions
@@ -131,6 +131,11 @@
       "redirect_url": "/defender-xdr/entity-page-device",
       "redirect_document_id": true
     },
+    {
+      "source_path": "defender-xdr/unlink-alert-from-incident.md",
+      "redirect_url": "/defender-xdr/move-alert-to-another-incident",
+      "redirect_document_id": true
+    },
     {
       "source_path": "defender-xdr/unified-secops-platform/defender-xdr-portal.md",
       "redirect_url": "/defender-xdr/",
 
@@ -14,18 +14,20 @@ In the case of a valid threat, or **true positive**, Defender for Identity enabl
 The information monitored by Defender for Identity is presented in the form of activities. Defender for Identity currently supports monitoring of the following activity types:
 
 > [!NOTE]
->
 > - This article is relevant for all Defender for Identity sensor types.
 > - Defender for Identity monitored activities appear on both the user and machine profile page.
-> - Defender for Identity monitored activities are also available in Microsoft Defender XDR's [Advanced Hunting](https://security.microsoft.com/advanced-hunting) page.
+> - Defender for Identity monitored activities are also available in [Microsoft Defender XDR's Advanced Hunting](/defender-xdr/advanced-hunting-overview) page.
+
+> [!TIP]
+> For detailed information on all supported event types (`ActionType` values) in Advanced Hunting Identity-related tables, use the built-in schema reference available in Microsoft Defender XDR.
 
 ## Monitored user activities: User account AD attribute changes
 
 |Monitored activity|Description|
 |---------------------|------------------|
 |Account Constrained Delegation State Changed|The account state is now enabled or disabled for delegation.|
 |Account Constrained Delegation SPNs Changed|Constrained delegation restricts the services to which the specified server can act on behalf of the user.|
-|Account Delegation Changed | Changes to the account delegation settings |
+|Account Delegation Changed | Changes to the account delegation settings. |
 |Account Disabled Changed|Indicates whether an account is disabled or enabled.|
 |Account Expired|Date when the account expires.|
 |Account Expiry Time Changed|Change to the date when the account expires.|
@@ -35,9 +37,9 @@ The information monitored by Defender for Identity is presented in the form of a
 |Account Password Never Expires Changed|User's password changed to never expire.|
 |Account Password Not Required Changed|User account was changed to allow logging in with a blank password.|
 |Account Smartcard Required Changed|Account changes to require users to log on to a device using a smart card.|
-|Account Supported Encryption Types Changed|Kerberos supported encryption types were changed (types: Des, AES 129, AES 256)|
-|Account Unlock changed | Changes to the account unlock settings |
-|Account UPN Name Changed|User's principle name was changed.|
+|Account Supported Encryption Types Changed|Kerberos supported encryption types were changed (types: Des, AES 129, AES 256).|
+|Account Unlock changed | Changes to the account unlock settings. |
+|Account UPN Name Changed|User's principal name was changed.|
 |Group Membership Changed|User was added/removed, to/from a group, by another user or by themselves.|
 |User Mail Changed|Users email attribute was changed.|
 |User Manager Changed|User's manager attribute was changed.|
@@ -48,8 +50,8 @@ The information monitored by Defender for Identity is presented in the form of a
 
 |Monitored activity|Description|
 |---------------------|------------------|
-|User Account Created|User account was created|  
-|Computer Account Created|Computer account was created|
+|User Account Created|User account was created.|  
+|Computer Account Created|Computer account was created.|
 |Security Principal Deleted Changed|Account was deleted/restored (both user and computer).|
 |Security Principal Display Name Changed|Account display name was changed from X to Y.|
 |Security Principal Name Changed|Account name attribute was changed.|
@@ -69,7 +71,7 @@ The information monitored by Defender for Identity is presented in the form of a
 |Private Data Retrieval|User attempted/succeeded to query private data using LSARPC protocol.|
 |Service Creation|User attempted to remotely create a specific service to a remote machine.|
 |SMB Session Enumeration|User attempted to enumerate all users with open SMB sessions on the domain controllers.|
-|SMB file copy|User copied files using SMB|
+|SMB file copy|User copied files using SMB.|
 |SAMR Query|User performed a SAMR query.|
 |Task Scheduling|User tried to remotely schedule X task to a remote machine.|
 |Wmi Execution|User attempted to remotely execute a WMI method.|
@@ -83,7 +85,7 @@ For more information, see [Supported logon types](/microsoft-365/security/defend
 |Monitored activity|Description|
 |---------------------|------------------|
 |Computer Operating System Changed|Change to the computer OS.|
-|SID-History changed | Changes to the computer SID history |
+|SID-History changed | Changes to the computer SID history. |
 
 ## See Also
 
 
@@ -22,6 +22,38 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
+## February 2025
+
+### New attack paths tab on the Identity profile page
+
+This tab provides visibility into potential attack paths leading to a critical identity or involving it within the path, helping assess security risks. For more information, see [Overview of attack path within Exposure Management.](/security-exposure-management/work-attack-paths-overview) 
+
+Additional identity page enhancements:
+
+- New side panel with more information for each entry on the user timeline.
+
+- Filtering capabilities on the Devices tab under Observed in organization.
+
+### Updating 'Protect and manage local admin passwords with Microsoft LAPS' posture recommendation
+
+This update aligns the security posture assessment within Secure Score with the latest version of [Windows LAPS](/windows-server/identity/laps/laps-overview), ensuring it reflects current security best practices for managing local administrator passwords.
+
+### New and updated events in the Advanced hunting IdentityDirectoryEvents table
+
+We have added and updated the following events in the `IdentityDirectoryEvents` table in Advanced Hunting:
+
+- User Account control flag has been changed
+
+- Security group creation in Active directory
+
+- Failed attempt to change an account password
+
+- Successful account password change
+
+- Account primary group ID has been changed
+
+Additionally, the **built-in schema reference** for Advanced Hunting in Microsoft Defender XDR has been updated to include detailed information on all supported event types (**`ActionType`** values) in identity-related tables, ensuring complete visibility into available events. For more information, see [Advanced hunting schema details](/defender-xdr/advanced-hunting-schema-tables).
+
 ## December 2024
 
 ### New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
@@ -443,7 +475,7 @@ This version includes the following improvements:
 
     For more information, see [Download and schedule Defender for Identity reports in Microsoft Defender XDR (Preview)](reports.md).
 
-- **Health issues**: Added the *The 'Remove learning period' toggle was automatically switched off for this tenant* health issue
+- **Health issues**: The 'Remove learning period' toggle was automatically switched off for this tenant* health issue.
 
 This version also includes bug fixes for cloud services and the Defender for Identity sensor.
 
 
@@ -49,7 +49,7 @@ Defender for Endpoint on Android allows IT Administrators the ability to configu
 [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Anti-phishing and custom indicators (URL and IP addresses) are supported as part of web protection. Web content filtering is currently not supported on mobile platforms.
 
 > [!NOTE]
-> Defender for Endpoint on Android would use a VPN in order to provide the Web Protection feature. This VPN is not a regular VPN. Instead, it's a local/self-looping VPN that does not take traffic outside the device.
+> Defender for Endpoint on Android would use a VPN in order to provide the Web Protection feature. This VPN isn't a regular VPN. Instead, it's a local/self-looping VPN that doesn't take traffic outside the device.
 >
 > For more information, see [Configure web protection on devices that run Android](/mem/intune/protect/advanced-threat-protection-manage-android).
 
@@ -92,7 +92,7 @@ In the Microsoft Intune admin center, navigate to Apps > App configuration polic
    |Manage Network Protection detection for Open Networks|2- Enable (default), 1- Audit mode, 0 - Disable. Security admins manage this setting to enable, audit, or disable open network detection, respectively. In 'Audit' mode, alerts are sent only to the ATP portal with no end user experience. For end user experience, the config should be set to 'Enable' mode.|
    |Manage Network protection Detection for Certificates|2- Enable, 1- Audit mode, 0 - Disable (default).  In Audit mode, notification alerts are sent to SOC admins, but no end-user notifications are displayed to the user when Defender detects a bad certificate. Admins can, however, enable full feature functionality by setting 2 as the value. When the feature is enabled with the value of 2, end-user notifications are sent to the user when Defender detects a bad certificate, and alerts are also sent to the SOC Admin. |
 
-5. Add the required groups to which the policy will have to be applied. Review and create the policy.
+5. Add the required groups to which the policy has to be applied. Review and create the policy.
 
    | Configuration Key| Description|
    |---|---|
@@ -106,9 +106,9 @@ In the Microsoft Intune admin center, navigate to Apps > App configuration polic
 6. Add the required groups to which the policy has to be applied. Review and create the policy.
 
 > [!NOTE]
->
 > - The other config keys of Network Protection will only work if the parent key '**Enable Network Protection in Microsoft Defender'** is enabled.
-> - Users need to enable location permission (which is an optional permission) and need to grant "Allow All the Time" permission to ensure protection against Wi-Fi threat, even when the app is not actively in use. If the location permission is denied by the user, Defender for Endpoint will only be able to provide limited protection against network threats and will only protect the users from rogue certificates.
+> - To ensure comprehensive protection against Wi-Fi threats, users should enable location permission and select the "Allow All the Time" option. This permission is optional but highly recommended, even when the app is not actively in use. If location permission is denied, Defender for Endpoint will only offer limited protection against network threats and will only safeguard users from rogue certificates.
+**An open wi-fi network alert** is generated whenever a user connects to an open Wi-Fi network. If the user reconnects to the same network within a seven-day period, no new alert will be generated. However, connecting to a different open Wi-Fi network will result in an immediate alert.
 
 ## Privacy Controls
 
@@ -156,7 +156,7 @@ These controls help the end user to configure the information shared to their or
 
 These toggles will only be visible if enabled by the admin. Users can decide if they want to send the information to their organization or not.
 
-Enabling/disabling the above privacy controls won't impact the device compliance check or conditional access.
+Enabling/disabling the above privacy controls won't affect the device compliance check or conditional access.
 
 ## Configure vulnerability assessment of apps for BYOD devices
 
@@ -207,7 +207,7 @@ Defender for Endpoint supports vulnerability assessment of apps in the work prof
 
 5. Select **Next** and assign this profile to targeted devices/users.
 
-Turning the above privacy controls on or off won't impact the device compliance check or conditional access.
+Turning the above privacy controls on or off won't affect the device compliance check or conditional access.
 
 ## Configure privacy for phishing alert report
 
@@ -233,7 +233,7 @@ Use the following steps to turn it on for targeted users:
 
 4. Select **Next** and assign this profile to targeted devices/users.
 
-Using this privacy control won't impact the device compliance check or conditional access.
+Using this privacy control won't affect the device compliance check or conditional access.
 
 ### Configure privacy for phishing alert report on Android Enterprise work profile
 
@@ -248,7 +248,7 @@ Use the following steps to turn on privacy for targeted users in the work profil
 
 5. Select **Next** and assign this profile to targeted devices/users.
 
-Turning the above privacy controls on or off won't impact the device compliance check or conditional access.
+Turning the above privacy controls on or off won't affect the device compliance check or conditional access.
 
 ## Configure privacy for malware threat report
 
@@ -274,7 +274,7 @@ Use the following steps to turn it on for targeted users:
 
 4. Select **Next** and assign this profile to targeted devices/users.
 
-Using this privacy control won't impact the device compliance check or conditional access. For example, devices with a malicious app will always have a risk level of "Medium".
+Using this privacy control won't affect the device compliance check or conditional access. For example, devices with a malicious app will always have a risk level of "Medium".
 
 ### Configure privacy for malware alert report on Android Enterprise work profile
 
@@ -289,20 +289,20 @@ Use the following steps to turn on privacy for targeted users in the work profil
 
 5. Select **Next** and assign this profile to targeted devices/users.
 
-Using this privacy control won't impact the device compliance check or conditional access. For example, devices with a malicious app will always have a risk level of "Medium".
+Using this privacy control won't affect the device compliance check or conditional access. For example, devices with a malicious app will always have a risk level of "Medium".
 
-## Disable sign-out
+## Disable sign out
 
-Defender for Endpoint supports deployment without the sign-out button in the app to prevent users from signing out of the Defender app. This is important to prevent users from tampering with the device.
-Use the following steps to configure Disable sign-out:
+Defender for Endpoint supports deployment without the sign out button in the app to prevent users from signing out of the Defender app. This is important to prevent users from tampering with the device.
+Use the following steps to configure Disable out sign:
 
 1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** > **App configuration policies** > **Add** > **Managed devices**.
 2. Give the policy a name, select **Platform > Android Enterprise**, and select the profile type.
 3. Select **Microsoft Defender for Endpoint** as the target app.
 4. In the Settings page, select **Use configuration designer** and add **Disable Sign Out** as the key and **Integer** as the value type.
 
    - By default, Disable Sign Out = 1 for Android Enterprise personally owned work profiles, fully managed, company owned personally enabled profiles and 0 for device administrator mode.
-   - Admins need to make Disable Sign Out = 0 to enable the sign-out button in the app. Users will be able to see the sign-out button once the policy is pushed.
+   - Admins need to make Disable Sign Out = 0 to enable the sign out button in the app. Users are able to see the sign out button once the policy is pushed.
 
 5. Select **Next** and assign this profile to targeted devices and users.
 
@@ -321,11 +321,11 @@ Use the following steps to configure the Device tags:
    - Admin can edit an existing tag by modifying the value of the key **DefenderDeviceTag**.
    - Admin can delete an existing tag by removing the key **DefenderDeviceTag**.
 
-5. Click Next and assign this policy to targeted devices and users.
+5. Select Next and assign this policy to targeted devices and users.
 
 
 > [!NOTE]
-> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take up to 18 hours for tags to reflect in the portal.
+> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It might take up to 18 hours for tags to reflect in the portal.
 
 ## Related articles