Merge branch 'main' into patch-1

Author: yelevin

.openpublishing.redirection.defender-cloud-apps.json

@@ -1009,6 +1009,11 @@
       "source_path": "CloudAppSecurityDocs/troubleshooting-api-connectors-using-error-messages.md",
       "redirect_url": "/defender-cloud-apps/troubleshooting-api-connectors-errors",
       "redirect_document_id": true
-    }
+    },
+    {
+      "source_path": "CloudAppSecurityDocs/connector-platform.md",
+      "redirect_url": "/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps",
+      "redirect_document_id": true
+    },
   ]
 }

ATPDocs/deploy/remote-calls-sam.md

@@ -10,7 +10,7 @@ ms.topic: how-to
 Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
 
 > [!NOTE]
-> This feature can potentially be exploited by an adversary to obtain the Net-NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
+> This feature can potentially be exploited by an adversary to obtain the NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
 > The new Defender for Identity sensor (version 3.x) is not affected by this issue as it uses different detection methods.
 > 
 > It is recommended to use a [low privileged DSA account](directory-service-accounts.md#grant-required-dsa-permissions). You can also [contact support](../support.md) to open a case and request to completely disable the [Lateral Movement Paths](../security-assessment-riskiest-lmp.md) data collection capability.

CloudAppSecurityDocs/connector-platform.md

@@ -118,6 +118,7 @@ This section provides instructions for connecting Microsoft  Defender for Cloud
       * **Manage Users**
       * **[Query All Files](https://go.microsoft.com/fwlink/?linkid=2106480)**
       * **Modify Metadata Through Metadata API Functions**
+      * **View Setup And Configuration**
 
       If these checkboxes aren't selected, you may need to contact Salesforce to add them to your account.
 

CloudAppSecurityDocs/protect-salesforce.md

@@ -1,7 +1,7 @@
 ---
 title: Protect your ServiceNow environment | Microsoft Defender for Cloud Apps
 description: Learn how about connecting your ServiceNow app to Defender for Cloud Apps using the API connector.
-ms.date: 04/28/2025
+ms.date: 05/05/2025
 ms.topic: how-to
 ---
 
@@ -97,6 +97,7 @@ Defender for Cloud Apps supports the following ServiceNow versions:
         - Kingston
         - London  
         - Utah
+        - Yokohama
     :::column-end:::
     :::column:::
         - Madrid

CloudAppSecurityDocs/protect-servicenow.md

@@ -62,8 +62,6 @@ items:
       - name: Overview
         displayName: connect apps
         href: enable-instant-visibility-protection-and-governance-actions-for-your-apps.md
-      - name: Custom connectors with the open app connector platform
-        href: ./connector-platform.md
       - name: Asana
         href: protect-asana.md
       - name: Atlassian

CloudAppSecurityDocs/toc.yml

@@ -357,7 +357,7 @@ You can identify critical assets by the **critical asset** tag on the device or
 
 ## Contain user from the network
 
-When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can contain an identity, blocking it from access, and helping prevent attacks-- specifically, ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP), terminate ongoing remote sessions and logoff existing RDP connections (terminating the session itself including all its related processes), while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity.
+When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can contain an identity, blocking it from access, and helping prevent attacks-- specifically, ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (deny network logons, RPC, SMB, RDP), terminate ongoing remote sessions and logoff existing RDP connections (terminating the session itself including all its related processes), while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity. Once contained by automatic attack disruption, a user is automatically removed from containment in the next five days.
 
 > [!NOTE]
 > Blocking incoming communication with a "contained" user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Servers 2012R2 and 2016 with the modern agent.

defender-endpoint/respond-machine-alerts.md

@@ -34,7 +34,7 @@ In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
 
 The Tenant Allow/Block List in the Microsoft Defender portal gives you a way to manually override the Defender for Office 365 or EOP filtering verdicts. The list is used during mail flow or time of click for incoming messages from external senders.
 
-Entries for **Domains and email addresses** and **Spoofed senders** apply to internal messages sent within the organization. Block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses.
+Entries for **Domains and email addresses** and **Spoofed senders** apply to messages from both internal and external senders. Special handling applies to internal spoofing scenarios. Block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses.
 
 The Tenant Allow/Block list is available in the Microsoft Defender portal at <https://security.microsoft.com> **Email & collaboration** \> **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
 

defender-office-365/tenant-allow-block-list-about.md

@@ -14,7 +14,7 @@ ms.collection:
 - Tier1
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 02/08/2025
+ms.date: 05/02/2025
 ---
 
 # Microsoft Defender Vulnerability Management frequently asked questions
@@ -118,6 +118,18 @@ Currently Windows is supported, but coverage will be expanded to more operating
 
 For details on the full list of capabilities across Microsoft Defender Vulnerability Management and Defender for Endpoint, see [Defender Vulnerability Management Capabilities](defender-vulnerability-management-capabilities.md).
 
+### What happens to CVEs that are marked as "won't fix"?
+
+Defender Vulnerability Management currently filters out CVEs marked as "Won't Fix", particularly on Linux platforms, from vulnerability recommendations and security score calculations. This design choice was implemented to reduce noise from non-actionable issues and improve signal-to-noise ratio for security teams.
+
+Certain Linux distributions, such as RHEL, include large numbers of CVEs labeled as "Won't Fix" due to platform-specific or architectural decisions. These CVEs were previously displayed in the Microsoft Defender portal, but they caused confusion and inflated the recommendations list and exposure score. As a result, these were intentionally removed following internal review and Data Subject Rights (DSR) requests.
+
+Here's what to expect:
+
+- "Won't Fix" CVEs are not shown in the [Microsoft Defender portal](https://security.microsoft.com).
+- These CVEs are excluded from vulnerability recommendations and scoring.
+- There is no current workaround to view them in the product experience.
+
 ### Can customers buy only one capability?
 
 Microsoft Defender Vulnerability Management is available as a vulnerability management solution comprised of multiple premium capabilities.

defender-vulnerability-management/defender-vulnerability-management-faq.md

@@ -13,7 +13,7 @@ ms.collection:
 ms.custom: admindeeplinkDEFENDER
 ms.topic: concept-article
 search.appverid: met150
-ms.date: 03/06/2025
+ms.date: 05/02/2025
 ---
 
 # Microsoft Defender Vulnerability Management dashboard
@@ -31,15 +31,15 @@ Defender vulnerability management provides both security administrators and secu
 - Invaluable device vulnerability context during incident investigations
 - Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager
 
-You can use Defender Vulnerability Management dashboard in the Microsoft Defender portal to:
+You can use Defender Vulnerability Management dashboard in the [Microsoft Defender portal](https://security.microsoft.com) to:
 
 - View your exposure score and Microsoft Secure Score for Devices, along with top security recommendations, software vulnerability, remediation activities, and exposed devices
 - Correlate EDR insights with endpoint vulnerabilities and process them
 - Select remediation options to triage and track the remediation tasks
 - Select exception options and track active exceptions
 
 > [!NOTE]
-> Devices that aren't active in the last 30 days aren't factored in on the data that reflects your organization's vulnerability management exposure score and Microsoft Secure Score for Devices.
+> Devices that aren't active in the last 30 days aren't factored in on the data that reflects your organization's vulnerability management exposure score and Microsoft Secure Score for Devices. In addition, CVEs marked as "won't fix" are not shown in the Microsoft Defender portal, and they're not included in vulnerability recommendations or scoring.
 
 Watch this video for a quick overview of what is in the Defender Vulnerability Management dashboard.