Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into mdi-sensors-toc

Author: AbbyMSFT

CloudAppSecurityDocs/content-inspection.md

@@ -1,35 +1,74 @@
 ---
 title: DLP content inspection
 description: This article describes the process Defender for Cloud Apps follows when performing DLP content inspection on data in your cloud.
-ms.date: 01/29/2023
+ms.date: 06/26/2025
 ms.topic: how-to
 ---
 # DLP content inspection in Microsoft Defender for Cloud Apps
 
 
+Data loss prevention (DLP) in Microsoft Defender for Cloud Apps uses content inspection to detect sensitive information in files. When content inspection is enabled, Defender for Cloud Apps analyzes files for text patterns defined by expressions. Text that meets these expressions is treated as a match and can be used to determine a policy violation.
 
-If you enable content inspection, you can choose to use preset expressions or to search for other customized expressions.
+You can use preset or custom expressions and define a threshold for when a match constitutes a violation. For example, you can set a threshold of 10 to alert when a file contains at least 10 credit card numbers.
 
-You can specify a regular expression to exclude a file from the results. This option is highly useful if you have an inner classification keyword standard that you want to exclude from the policy.
+Matched text is replaced with "X" characters, and the surrounding context (100 characters before and after the match) is masked. Numbers in the context are replaced with "#" and aren't stored. To expose the final four digits of a match, enable the **Unmask the last four characters of a match** setting in the file policy.
 
-You can decide set the minimum number of content violations that you want to match before the file is considered a violation. For example, you can choose 10 if you want to be alerted on files with at least 10 credit card numbers found within its content.
+You can also define which file elements are inspected—content, metadata, or file name. By default, inspection applies to both content and metadata. This approach allows inspection of protected files, detection of sensitive data, enforcement of compliance, and application of governance controls, while reducing false positives and aligning enforcement with internal classification standards.
+
+## Prerequisites
+
+To inspect encrypted files, and enable scanning of labels a [Global Administrator](/entra/identity/enterprise-apps/configure-admin-consent-workflow) must first grant one‑time admin consent to Defender for Cloud Apps in Microsoft Entra ID.
+
+To do this, in the Defender portal go to **Settings > Cloud Apps > Microsoft Information Protection > Inspect protected files**, and select **Grant permission**.
 
-When content is matched against the selected expression, the violation text is replaced with "X" characters. By default, violations are masked and shown in their context displaying 100 characters before and after the violation. Numbers in the context of the expression are replaced with "#" characters and are never stored within Defender for Cloud Apps. When creating a file policy, if you've enabled an inspection method, then you can select the option to **Unmask the last four characters of a match** to unmask the last four characters of the violation itself. It's necessary to set which data types the regular expression searches: content, metadata and/or file name. By default it searches the content and the metadata.
 
 ## Content inspection for protected files
 
-Defender for Cloud Apps allows admins to grant Defender for Cloud Apps permission to decrypt encrypted files and scan their content for violations. This consent is also required to enable scanning labels on encrypted files.
+Once consent is granted, Defender for Cloud Apps provisions the Microsoft Cloud App Security (Internal) app in your tenant. The app uses the Azure Rights Management Services > Content.SuperUser permission to decrypt and inspect protected files.
+
+The following app IDs apply based on your Microsoft cloud environment:
+
+**App IDs**
+
+| Environment | App ID |
+|--------------|---------|
+| Public | 25a6a87d-1e19-4c71-9cb0-16e88ff608f1 |
+| Fairfax | bd5667e4-0484-4262-a9db-93faa0893899 |
+| GCCM | 23105e90-1dfc-497a-bb5d-8b18a44ba061 |
+
+>[!NOTE]
+>App IDs are internal service principals used by Defender for Cloud Apps in Public, Fairfax, and GCC‑M environments to inspect and enforce DLP policies on protected files.
+>Don't remove or disable these App IDs. Doing so breaks inspection and prevent DLP policies from applying to protected files.
+>Always verify that the App ID for your environment is present and enabled.
+
+## Configure Microsoft Information Protection settings
 
 In order to give Defender for Cloud Apps the necessary permissions:
 
-1. Go to **Settings** and then **Microsoft Information Protection**.
-2. Under **Inspect protected files**, select **Grant permission** to grant Defender for Cloud Apps permission in Microsoft Entra ID.
-3. Follow the prompt to allow the required permissions in Microsoft Entra ID.
-4. You can configure the settings per file policy to determine which policies will scan protected files.
+1. Go to **Settings** > **Microsoft Information Protection**.
+1. Under **Microsoft Information Protection settings**, configure one or both of the following options:
+
+   - **Automatically scan new files for Microsoft Information Protection sensitivity labels and content inspection warnings.** When enabled, the App connector scans new files for embedded sensitivity labels from Microsoft Information Protection.
+
+   - **Only scan files for Microsoft Information Protection sensitivity labels and content inspection warnings from this tenant.** When enabled, only sensitivity labels applied within your tenant are scanned. Labels applied by external tenants are disregarded.
+
+1. After selecting your options, select **Save** to apply your changes.
+
+## Configure file policies for protected files
+
+1. In the Defender portal, go to **Settings > Cloud Apps > Policies > Policy management**.
+1. Follow the steps to [create a new file policy](data-protection-policies.md#create-a-new-file-policy).
+1. Select either **Apply to all files**, or **Apply to selected files** to specify which files to scan. This option is useful if you have an inner classification keyword standard that you want to exclude from the policy.
+1. Select **Inspection method** > **Data Classification Service** to enable content inspection for the policy.
+1. Check both boxes - **Inspect protected files** and **Unmask the last 4 characters of a match**.
+
+   :::image type="content" source="media/content-inspection/inspection-method-data-classification-service.png" alt-text="Screenshot that shows the Data classification service inspection method.":::
+
 
 ## Next steps
 
-> [!div class="nextstepaction"]
-> [Control cloud apps with policies](control-cloud-apps-with-policies.md)
+- [Tutorial: Discover and protect sensitive information in your organization](tutorial-dlp.md)
+- [Learn how to control cloud apps using policies](control-cloud-apps-with-policies.md)
+- [Integrate with Microsoft Purview for information protection](azip-integration.md)
 
 [!INCLUDE [Open support ticket](includes/support.md)]

CloudAppSecurityDocs/media/content-inspection/inspection-method-data-classification-service.png

@@ -47,7 +47,7 @@ In addition to monitoring for potential threats, you can apply and automate the
 
 | Type | Action |
 | ---- | ---- |
-| Data governance | - Change shared link access level on folders<br />- Put folders in admin quarantine<br />- Put folders in user quarantine<br />- Remove a collaborator from folders<br />- Remove direct shared links on folders<br />- Remove external collaborators on folders<br />- Send DLP violation digest to file owners<br />- Send violation digest to last file editor<br />- Set expiration date to a folder shared link<br /> - Trash folder |
+| Data governance | - Change shared link access level on folders<br />- Put folders in admin quarantine<br />- Put folders in user quarantine<br />- Remove a collaborator from folders<br />- Remove direct shared links on folders<br/> - Send policy-match digest to file owners<br />- Send violation digest to last file editor<br />- Set expiration date to a folder shared link<br /> - Trash folder |
 | User governance | - Suspend user<br />- Notify user on alert (via Microsoft Entra ID)<br />- Require user to sign in again (via Microsoft Entra ID)<br />- Suspend user (via Microsoft Entra ID) |
 
 For more information about remediating threats from apps, see [Governing connected apps](governance-actions.md).

CloudAppSecurityDocs/protect-box.md

@@ -293,6 +293,8 @@
             href: advanced-hunting-devicetvmsoftwarevulnerabilities-table.md
           - name: DeviceTvmSoftwareVulnerabilitiesKB
             href: advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
+          - name: DisruptionAndResponseEvents
+            href: advanced-hunting-disruptionandresponseevents-table.md            
           - name: EmailAttachmentInfo
             href: advanced-hunting-emailattachmentinfo-table.md
           - name: EmailEvents

defender-xdr/TOC.yml

@@ -0,0 +1,94 @@
+---
+title: DisruptionAndResponseEvents table in the advanced hunting schema
+description: Learn about the DisruptionAndResponseEvents table in the advanced hunting schema
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 06/11/2025
+---
+
+# DisruptionAndResponseEvents (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which might be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+The `DisruptionAndResponseEvents` table in the [advanced hunting](advanced-hunting-overview.md) contains information about [automatic attack disruption](automatic-attack-disruption.md) events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads. 
+
+Users can use this table to increase their visibility and awareness of active, complex attacks disrupted by automatic attack disruption. Understanding the scope of even complex attacks, their context, impact, and why disruption actions were taken, can help users make better and faster decisions and allocate resources more efficiently.
+
+This advanced hunting table is populated by records from various Microsoft security services. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return complete results. For more information about how to deploy supported services in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
+
+Use this reference to construct queries that return information from this table.
+
+> [!TIP]
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | `datetime` | Date and time when the event was recorded |
+| `ActionType` | `string` | Type of disruption action taken, for example: ContainedUserLogonBlocked, ContainedUserSmbFileOpenBlocked, SafeBootGuardApplied   |
+| `DeviceId` | `string` | Unique identifier for the device that reported the event; the reporting device can be the one that blocked the access, the compromised device itself, or even a different device that is aware of the attack |
+| `SourceDeviceId` | `string` | Unique identifier for the device that the attack originated from  |
+| `TargetDeviceId` | `string` | Unique identifier for the device that was targeted or attacked |
+| `TargetDeviceName ` | `string` | Name of the device that was targeted or attacked  |
+| `TargetDomainName ` | `string` | Domain name of the device that was targeted or attacked  |
+| `DeviceName` | `string` | Name of the device that reported the event; the reporting device can be the one that blocked the access, the compromised device itself, or even a different device that is aware of the attack  |
+| `DomainName` | `string` | Domain name that the device that reported the event is joined to; the reporting device can be the one that blocked the access, the compromised device itself, or even a different device that is aware of the attack |
+| `InitiatingProcessId` | `integer` | Process ID (PID) of the process that triggered that block action, based on the perspective of the reporting device |
+| `InitiatingProcessFileName` | `string` |Name of the process that triggered the block action, based on the perspective of the reporting device |
+| `SourceUserSid` | `string` | The security identifier of the account conducting the malicious activity   |
+| `SourceUserName` | `string` | The user name of the account conducting the malicious activity  |
+| `SourceUserDomainName` | `string` | The domain name of the account conducting the malicious activity  |
+| `SourceIPAddress` | `string` | IP address where the attacker communication originated from and was blocked by automatic attack disruption  |
+| `SourcePort` | `integer` | Port where the attacker communication originated from  |
+| `IPAddress` | `string` | IP address that the attacker attempted to access |
+| `Port` | `string` | Port that the attacker attempted to access |
+| `SourceDeviceName` | `string` | Host name of the device where the attack originated from |
+| `SourceDomainName` | `string` | Domain name of the device where the attack originated from  |
+| `AuthenticationProtocol` | `string` | Authentication protocol that the compromised user used to sign in; possible values: Undefined, NTLM, Kerberos |
+| `Service` | `string` | Name of the service the attacker attempted to use, if the attacker signed in using Kerberos or NTLM; for example: SMB, HTTP, cifs, SMB, host, ldap, SMB, krbtgt |
+| `InterfaceUuidSourceDomainName` | `string` | Unique identifier (UUID) for the Remote Procedure Call (RPC) interface that the attacker attempted to access |
+| `InterfaceFriendlyName` | `string` |Friendly name of the interface represented by the interface UUID  |
+| `FileName` | `string` | Name of the file that the attacker attempted to access |
+| `ShareName` | `string` | Name of the share location that the attacker attempted to access |
+| `LogonType` | `string` | Type of logon session the user attempted; possible values: interactive, remote interactive (RDP), network, batch job, service  |
+| `LogonId ` | `long` | Identifier for a logon session; this is unique on the same device only between restarts |
+| `SessionId ` | `long` | Unique number assigned to a user by a website's server for the duration of the visit or session  |
+| `CompromisedAccountCount` | `integer` | Number of compromised accounts that are part of the policy |
+| `PolicyId` | `string` | Unique identifier for the policy |
+| `PolicyName` | `string` | Name of the policy  |
+| `PolicyVersion` | `string` | Version of the policy |
+| `PolicyHash` | `string` | Unique hash of the policy  |
+| `DataSources` | `array` |Products or services that provided information for the event; for example: Microsoft Defender for Endpoint |
+| `IsPolicyOn` | `boolean` |Indicates the current state of the policy on the device at the time of the disruption event; possible values: true (the policy is on, therefore it was applied or enforced), false (the policy was turned off or revoked from the device) |
+|`ReportType` | `string` | The nature and impact level of the reported event; possible values: Prevented (the action, such as a connection or authentication attempt, was fully blocked before execution), Blocked (an active connection or session was forcibly terminated, with partial impact on the device), PolicyUpdated (the client received and possibly applied a new policy) |
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

defender-xdr/advanced-hunting-disruptionandresponseevents-table.md

@@ -90,6 +90,7 @@ The following reference lists all the tables in the schema. Each table name link
 | **[DeviceTvmSoftwareInventory](advanced-hunting-devicetvmsoftwareinventory-table.md)** | Inventory of software installed on devices, including their version information and end-of-support status |
 | **[DeviceTvmSoftwareVulnerabilities](advanced-hunting-devicetvmsoftwarevulnerabilities-table.md)** | Software vulnerabilities found on devices and the list of available security updates that address each vulnerability |
 | **[DeviceTvmSoftwareVulnerabilitiesKB](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
+| **[DisruptionAndResponseEvents](advanced-hunting-disruptionandresponseevents-table.md)** (Preview)|  [Automatic attack disruption](automatic-attack-disruption.md) events in Microsoft Defender XDR|
 | **[EmailAttachmentInfo](advanced-hunting-emailattachmentinfo-table.md)** | Information about files attached to emails |
 | **[EmailEvents](advanced-hunting-emailevents-table.md)** | Microsoft 365 email events, including email delivery and blocking events |
 | **[EmailPostDeliveryEvents](advanced-hunting-emailpostdeliveryevents-table.md)** | Security events that occur post-delivery, after Microsoft 365 delivers the emails to the recipient mailbox |

defender-xdr/advanced-hunting-schema-tables.md

@@ -149,7 +149,8 @@ When you save a new rule, it runs and checks for matches from the past 30 days o
 > [!TIP]
 > Match the time filters in your query with the lookback period. Results outside of the lookback period are ignored.
 
-When you edit a rule, it will run with the applied changes in the next run time scheduled according to the frequency you set. The rule frequency is based on the event timestamp and not the ingestion time.
+When you edit a rule, the changes are applied in the next run time scheduled according to the frequency you set. The rule frequency is based on the event timestamp and not the ingestion time. There might also be small delays in specific runs, whereby the configured frequency is not 100% accurate.
+
 
 ##### Continuous (NRT) frequency