Merge branch 'main' into patch-2

Author: aditisrivastava07

.acrolinx-config.edn

@@ -39,7 +39,7 @@ For more information about the exception criteria and exception process, see [Mi
  
 Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality.
 
-| Article | Total score<br>(Required: 80) | Words + phrases<br>(Brand, terms) | Correctness<br>(Spelling, grammar) | Clarity<br>(Readability) |
+| Article | Total score<br>(Required: 80) | Terminology | Spelling and Grammar| Clarity<br>(Readability) |
 |---------|:--------------:|:--------------------:|:------:|:---------:|
 "
 

.github/workflows/BuildValidation.yml

@@ -0,0 +1,21 @@
+name: PR has no warnings or errors
+
+permissions:
+  pull-requests: write
+  statuses: write
+      
+on: 
+  issue_comment:
+    types: [created]
+
+jobs:
+
+  build-status:
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-BuildValidation.yml@workflows-prod
+    with:
+      PayloadJson: ${{ toJSON(github) }}
+    secrets:
+      AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+
+  

ATADocs/index.yml

@@ -8,7 +8,6 @@ metadata:
   description: Protect your enterprise using information from multiple network data-sources to learn the behavior of users and entities in your organization.
   services: service
   ms.service: advanced-threat-analytics
-  ms.subservice: ms.subservice
   ms.topic: landing-page
   ms.collection: M365-security-compliance
   author: batamig

ATPDocs/index.yml

@@ -6,8 +6,7 @@ metadata:
   title: Microsoft Defender for Identity documentation
   description: Microsoft Defender for Identity cloud service helps protect your enterprise hybrid environments from multiple types of advanced targeted cyber attacks and insider threats.
   services: service
-  ms.service: azure-advanced-threat-protection
-  ms.subservice: subservice
+  ms.service: microsoft-defender-for-identity
   ms.topic: landing-page
   ms.collection: M365-security-compliance
   author: batamig

CloudAppSecurityDocs/index.yml

@@ -8,7 +8,6 @@ metadata:
   description: Microsoft Defender for Cloud Apps delivers full protection for SaaS applications, helping you monitor and protect your cloud app data, using fundamental cloud access security broker (CASB) functionality, SaaS Security Posture Management (SSPM) features, advanced threat protection, and app-to-app protection.
   services: na
   ms.service: defender-for-cloud-apps
-  ms.subservice: na
   ms.topic: landing-page
   ms.collection: na
   author: batamig
@@ -49,6 +48,8 @@ landingContent:
         links:
           - text: Basic setup
             url: general-setup.md
+          - text: Connect cloud apps
+            url: enable-instant-visibility-protection-and-governance-actions-for-your-apps.md
           - text: View and manage security posture
             url: security-saas.md
       - linkListType: concept
@@ -71,8 +72,6 @@ landingContent:
         links:
           - text: Calculate risk scores
             url: risk-score.md
-          - text: Connect cloud apps
-            url: enable-instant-visibility-protection-and-governance-actions-for-your-apps.md
           - text: Collect logs
             url: discovery-docker.md
           - text: Discover and manage shadow IT
@@ -138,4 +137,4 @@ landingContent:
           - text: Monitor and respond to unusual data usage
             url: app-governance-monitor-apps-unusual-data-usage.md
           - text: Secure apps with app hygiene
-            url: app-governance-secure-apps-app-hygiene-features.md
+            url: app-governance-secure-apps-app-hygiene-features.md

CloudAppSecurityDocs/mde-integration.md

@@ -65,13 +65,12 @@ To enable Defender for Endpoint integration with Defender for Cloud Apps:
 
 1. In the [Microsoft Defender portal](https://security.microsoft.com), from the navigation pane, select **Settings** > **Endpoints** > **General** > **Advanced features**.
 1. Toggle the **Microsoft Defender for Cloud Apps** to **On**.
-1. Select **Apply**.
+1. Select **Save preferences**.
 
 >[!NOTE]
 > It takes up to two hours after you enable the integration for the data to show up in Defender for Cloud Apps.
 >
-
-![Screenshot of the Defender for Endpoint settings.](media/mde-settings.png)
+![Screenshot of the Defender for Endpoint settings.](media\turn-on-advanced-features-for-microsoft-defender-for-cloud-apps.png)
 
 To configure the severity for alerts sent to Microsoft Defender for Endpoint:
 

CloudAppSecurityDocs/media/mde-settings.png

@@ -53,7 +53,7 @@ When the client encounters unknown threats, it sends metadata or the file itself
 |**Heuristics engine** <br/> Heuristic rules identify file characteristics that have similarities with known malicious characteristics to catch new threats or modified versions of known threats.|**Detonation-based ML engine** <br/> Suspicious files are detonated in a sandbox. Deep learning classifiers analyze the observed behaviors to block attacks.|
 |**Emulation engine** <br/> The emulation engine dynamically unpacks malware and examines how they would behave at runtime. The dynamic emulation of the content and scanning both the behavior during emulation and the memory content at the end of emulation defeat malware packers and expose the behavior of polymorphic malware.|**Reputation ML engine** <br/> Domain-expert reputation sources and models from across Microsoft are queried to block threats that are linked to malicious or suspicious URLs, domains, emails, and files. Sources include Windows Defender SmartScreen for URL reputation models and Defender for Office 365 for email attachment expert knowledge, among other Microsoft services through the Microsoft Intelligent Security Graph.|
 |**Network engine** <br/> Network activities are inspected to identify and stop malicious activities from threats.|**Smart rules engine** <br/> Expert-written smart rules identify threats based on researcher expertise and collective knowledge of threats.|
-|**CommandLine scanning engine** <br/> This engine scans the commandlines of all processes before they execute. If the commandline for a process is found to be malicious it is blocked from execution.|**CommandLine ML engine** <br/> Multiple advanced ML models scan the suspicious commandlines in the cloud. If a commandline is found to be malicious, cloud sends a signal to the client to block the corresponding process from starting.|
+|**CommandLine scanning engine** <br/> This engine scans the commandlines of all processes before they execute. If the commandline for a process is found to be malicious it is blocked from execution.|**CommandLine ML engine** <br/> Multiple advanced ML models scan the suspicious commandlines in the cloud. If a commandline is found to be malicious, cloud sends a signal to the client to block the corresponding process from starting.|
 
 For more information, see [Microsoft 365 Defender demonstrates 100 percent protection coverage in the 2023 MITRE Engenuity ATT&CK&reg; Evaluations: Enterprise](https://www.microsoft.com/security/blog/2023/09/20/microsoft-365-defender-demonstrates-100-percent-protection-coverage-in-the-2023-mitre-engenuity-attck-evaluations-enterprise/).
 

CloudAppSecurityDocs/media/turn-on-advanced-features-for-microsoft-defender-for-cloud-apps.png

@@ -61,9 +61,9 @@ Aggregated reporting supports the following event types:
 > [!div class="mx-tdBreakAll"]
 > |Action type|Advanced hunting table|Device timeline presentation|Properties|
 > |:---|:---|:-------|:-------------------------------|
-> |FileCreatedAggregatedReport|DeviceFileEvents|{ProcessName} created {Occurrences} {FilePath} files|1. File path </br> 2. Process name </br> 3. Process name|
->|FileRenamedAggregatedReport|DeviceFileEvents|{ProcessName} renamed {Occurrences} {FilePath} files|1. File path </br> 2. Process name </br> 3. Process name|
-> |FileModifiedAggregatedReport|DeviceFileEvents|{ProcessName} modified {Occurrences} {FilePath} files|1. File path </br> 2. Process name </br> 3. Process name|
+> |FileCreatedAggregatedReport|DeviceFileEvents|{ProcessName} created {Occurrences} {FilePath} files|1. File path </br> 2. File extension </br> 3. Process name|
+>|FileRenamedAggregatedReport|DeviceFileEvents|{ProcessName} renamed {Occurrences} {FilePath} files|1. File path </br> 2. File extension </br> 3. Process name|
+> |FileModifiedAggregatedReport|DeviceFileEvents|{ProcessName} modified {Occurrences} {FilePath} files|1. File path </br> 2. File extension </br> 3. Process name|
 > |ProcessCreatedAggregatedReport|DeviceProcessEvents|{InitiatingProcessName} created {Occurrences} {ProcessName} processes|1. Initiating process command line </br> 2. Initiating process SHA1 </br> 3. Initiating process file path </br> 4. Process command line </br> 5. Process SHA1 </br> 6. Folder path|
 > |ConnectionSuccessAggregatedReport|DeviceNetworkEvents|{InitiatingProcessName} established {Occurrences} connections with {RemoteIP}:{RemotePort}|1. Initiating process name </br> 2. Source IP </br> 3. Remote IP </br> 4. Remote port|
 > |ConnectionFailedAggregatedReport|DeviceNetworkEvents|{InitiatingProcessName} failed to establish {Occurrences} connections with {RemoteIP:RemotePort}|1. Initiating process name </br> 2. Source IP </br> 3. Remote IP </br> 4. Remote port|
@@ -92,7 +92,7 @@ You can use the following KQL queries to gather specific information using aggre
 
 The following query highlights noisy process activity, which can be correlated with malicious signals.
 
-```KQL
+```Kusto
 DeviceProcessEvents
 | where Timestamp > ago(1h)
 | where ActionType == "ProcessCreatedAggregatedReport"
@@ -105,7 +105,7 @@ DeviceProcessEvents
 
 The following query identifies repeated sign-in attempt failures.
 
-```KQL
+```Kusto
 DeviceLogonEvents
 | where Timestamp > ago(30d)
 | where ActionType == "LogonFailedAggregatedReport"
@@ -119,7 +119,7 @@ DeviceLogonEvents
 
 The following query identifies suspicious RDP connections, which might indicate malicious activity.
 
-```KQL
+```Kusto
 DeviceNetworkEvents
 | where Timestamp > ago(1d)
 | where ActionType endswith "AggregatedReport"