Commit 1532936

Merge pull request #2500 from MicrosoftDocs/main
Published main to live, Tuesday 10:30 AM PST, 01/21
2 parents 4fa5186 + 29cc5d3 commit 1532936

32 files changed: +296 -159 lines changed

ATPDocs/role-groups.md

Lines changed: 1 addition & 1 deletion
@@ -28,7 +28,7 @@ For more information, see [Custom roles in role-based access control for Microso
2828
> [!NOTE]
2929
> Information included from the [Defender for Cloud Apps activity log](classic-mcas-integration.md#activities) may still contain Defender for Identity data. This content adheres to existing Defender for Cloud Apps permissions.
3030
>
31-
> Exception: If you have configured [Scoped deployment](/defender-cloud-apps/scoped-deployment) for Microsoft Defender for Identity alerts in the Microsoft Defender for Cloud Apps portal, these permissions do not carry over and you will have to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users.
31+
> Exception: If you have configured [Scoped deployment](/defender-cloud-apps/scoped-deployment) for Microsoft Defender for Identity alerts in Microsoft Defender for Cloud Apps, these permissions do not carry over and you will have to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users.
3232
3333
## Required permissions Defender for Identity in Microsoft Defender XDR
3434
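
Review bot: On new line 31 the sentence drops "portal" from "in the Microsoft Defender for Cloud Apps portal" but still ends with "for the relevant portal users", so the portal wording is only half removed. Consider "for the relevant users", or name the portal that is meant. Since the line is being touched anyway, "do not carry over and you will have to" could take the contractions this commit applies in api-tokens-legacy.md ("don't", "can't").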

CloudAppSecurityDocs/activity-filters-queries.md

Lines changed: 21 additions & 21 deletions
@@ -15,7 +15,7 @@ This article provides descriptions and instructions for Defender for Cloud Apps
1515

1616
Below is a list of the activity filters that can be applied. Most filters support multiple values as well as *NOT* to provide you with a powerful tool for policy creation.
1717

18-
- Activity ID - Search only for specific activities by their ID. This filter is useful when you connect Microsoft Defender for Cloud Apps to your SIEM (using the SIEM agent) and you want to further investigate alerts within the Defender for Cloud Apps portal.
18+
- Activity ID - Search only for specific activities by their ID. This filter is useful when you connect Microsoft Defender for Cloud Apps to your SIEM (using the SIEM agent) and you want to further investigate alerts using Defender for Cloud Apps.
1919

2020
- Activity objects – Search for the objects the activity was done on. This filter applies to files, folders, users, or app objects.
2121
- Activity object ID - the ID of the object (file, folder, user, or app ID).
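
Review bot: Context line 20 ("Activity objects – Search for the objects ...") still uses an en dash as the separator, and line 21 starts its description in lowercase ("the ID of the object"), while the rest of this file is being normalized to a hyphen separator followed by a capital. Both lines sit in the same list as the edited line 18 and are worth fixing in the same pass.
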
@@ -70,41 +70,41 @@ Below is a list of the activity filters that can be applied. Most filters suppor
7070
- Tor exit nodes
7171
- Zscaler
7272

73-
- Impersonated activity Search only for activities that were performed in the name of another user.
73+
- Impersonated activity - Search only for activities that were performed in the name of another user.
7474

7575
- Instance - The app instance where the activity was or wasn't performed.
7676

77-
- Location The country/region from which the activity was performed.
77+
- Location - The country/region from which the activity was performed.
7878

79-
- Matched Policy Search for activities that matched a specific policy that was set in the portal.
79+
- Matched Policy - Search for activities that matched a specific policy that was set in the portal.
8080

81-
- Registered ISP The ISP from which the activity was performed.
81+
- Registered ISP - The ISP from which the activity was performed.
8282

8383
- Source - Search by the source from which the activity was detected. The source can be any of the following:
84-
- App connector - logs coming directly from the app's API connector.
84+
- App connector - Logs coming directly from the app's API connector.
8585
- App connector analysis - Defender for Cloud Apps enrichments based on information scanned by the API connector.
8686

87-
- User The user who performed the activity, which can be filtered into domain, group, name, or organization. In order to filter activities with no specific user, you can use the 'is not set' operator.
87+
- User - The user who performed the activity, which can be filtered into domain, group, name, or organization. In order to filter activities with no specific user, you can use the 'is not set' operator.
8888
- User domain - Search for a specific user domain.
89-
- User organization The organizational unit of the user who performed the activity, for example, all activities performed by EMEA_marketing users. This is only relevant for connected Google Workspace instances using organizational units.
90-
- User group Specific user groups that you can import from connected apps, for example, Microsoft 365 administrators.
89+
- User organization - The organizational unit of the user who performed the activity, for example, all activities performed by EMEA_marketing users. This is only relevant for connected Google Workspace instances using organizational units.
90+
- User group - Specific user groups that you can import from connected apps, for example, Microsoft 365 administrators.
9191
- User name - Search for a specific username. To see a list of users in a specific user group, in the **Activity drawer**, select the name of the user group. Clicking will take you to the Accounts page, which lists all the users in the group. From there, you can drill down into the details of the accounts of specific users in the group.
9292
- The **User group** and **User name** filters can be further filtered by using the **As** filter and selecting the role of the user, which can be any of the following:
9393
- Activity object only - meaning that the user or user group selected didn't perform the activity in question; they were the object of the activity.
9494
- Actor only - meaning that the user or user group performed the activity.
9595
- Any role - Meaning that the user or user group was involved in the activity, either as the person who performed the activity or as the object of the activity.
9696

97-
- User agent The user agent of from with the activity was performed.
97+
- User agent - The user agent of from with the activity was performed.
9898

99-
- User agent tag Built-in user agent tag, for example, all activities from outdated operating systems or outdated browsers.
99+
- User agent tag - Built-in user agent tag, for example, all activities from outdated operating systems or outdated browsers.
100100

101101
## Activity queries
102102

103103
To make investigation even simpler, you can now create custom queries and save them for later use.
104104

105105
1. In the **Activity log** page, use the filters as described above to drill down into your apps as necessary.
106106

107-
:::image type="content" source="media/activity-log-query.png" alt-text="Use filters to make query.":::
107+
:::image type="content" source="media/activity-log-query.png" alt-text="Use filters to make query.":::
108108

109109
1. After you've finished building your query, select the **Save as** button.
110110
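
Review bot: New line 97 adds the separator but keeps the garbled description "The user agent of from with the activity was performed"; it should read something like "The user agent from which the activity was performed". In the same hunk, new line 79 still says "set in the portal" although other portal references are being removed in this commit, and lines 93-95 mix "- meaning" with "- Meaning" after the separator. The removed and added versions of line 107 show identical text, so confirm that change is an intended whitespace or indentation fix.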

@@ -118,23 +118,23 @@ To make investigation even simpler, you can now create custom queries and save t
118118

119119
Defender for Cloud Apps also provides you with **Suggested queries**. Suggested queries provide you with recommended avenues of investigation that filter your activities. You can edit these queries and save them as custom queries. The following are optional suggested queries:
120120

121-
- Admin activities - filters all your activities to display only those activities that involve admins.
121+
- Admin activities - Filters all your activities to display only those activities that involve admins.
122122

123-
- Download activities - filters all your activities to display only those activities that were download activities, including downloading user list as a .csv file, downloading shared content, and downloading a folder.
123+
- Download activities - Filters all your activities to display only those activities that were download activities, including downloading user list as a .csv file, downloading shared content, and downloading a folder.
124124

125-
- Failed log-in - filters all your activities to display only failed sign-in and failed sign-ins via SSO
125+
- Failed log-in - Filters all your activities to display only failed sign-in and failed sign-ins via SSO
126126

127-
- File and folder activities - filters all your activities to display only those involving files and folders. The filter includes uploading, download, and accessing folders, along with creating, deleting, uploading, downloading, quarantining, and accessing files and transferring content.
127+
- File and folder activities - Filters all your activities to display only those involving files and folders. The filter includes uploading, download, and accessing folders, along with creating, deleting, uploading, downloading, quarantining, and accessing files and transferring content.
128128

129-
- Impersonation activities - filters all your activities to display only impersonation activities.
129+
- Impersonation activities - Filters all your activities to display only impersonation activities.
130130

131-
- Password changes and reset requests - filters all your activities to display only those activities that involve password reset, change password, and force a user to change the password on the next sign-in.
131+
- Password changes and reset requests - Filters all your activities to display only those activities that involve password reset, change password, and force a user to change the password on the next sign-in.
132132

133-
- Sharing activities - filters all your activities to display only those activities that involve sharing folders and files, including creating a company link, creating an anonymous link, and granting read/write permissions.
133+
- Sharing activities - Filters all your activities to display only those activities that involve sharing folders and files, including creating a company link, creating an anonymous link, and granting read/write permissions.
134134

135-
- Successful log-in - filters all your activities to display only those activities that involve successful sign-ins, including impersonate action, impersonate sign-in, single sign-o sign-ins, and sign-in from a new device.
135+
- Successful log-in - Filters all your activities to display only those activities that involve successful sign-ins, including impersonate action, impersonate sign-in, single sign-o sign-ins, and sign-in from a new device.
136136

137-
![query activities.](media/queries-activity.png)
137+
![query activities.](media/queries-activity.png)
138138

139139
Additionally, you can use the suggested queries as a starting point for a new query. First, select one of the suggested queries. Then, make changes as needed and finally select **Save as** to create a new **Saved query**.
140140
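
Review bot: New line 135 still contains the typo "single sign-o sign-ins" (presumably "single sign-on sign-ins"), and new line 125 is the only item in this list without a closing period and mixes singular and plural ("failed sign-in and failed sign-ins via SSO"). The item names "Failed log-in" and "Successful log-in" also use "log-in" while their descriptions use "sign-in"; pick one term unless the names mirror UI labels.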

CloudAppSecurityDocs/api-tokens-legacy.md

Lines changed: 6 additions & 6 deletions
@@ -8,15 +8,15 @@ ms.topic: reference
88

99

1010

11-
In order to access the Defender for Cloud Apps API, you have to create an API token and use it in your software to connect to the API. This token will be included in the header when Defender for Cloud Apps makes API requests.
11+
In order to access the Defender for Cloud Apps API, you have to create an API token and use it in your software to connect to the API. This token is included in the header when Defender for Cloud Apps makes API requests.
1212

1313
The API tokens tab enables you to help you manage all the API tokens of your tenant.
1414

1515
## Generate a token
1616

1717
1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **System**, select **API tokens**.
1818

19-
1. Select the **Add token** and provide a name to identify the token in the future, and select **Generate**.
19+
1. Select **Add token** and provide a name to identify the token in the future, and select **Generate**.
2020

2121
![Defender for Cloud Apps generates API token.](media/api-token-gen.png)
2222
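
Review bot: New line 11 says the token is included in the header "when Defender for Cloud Apps makes API requests", but the preceding sentence has your software using the token to connect to the API, so the subject of the sentence looks reversed. Suggest wording along the lines of "included in the header of each API request your software makes to Defender for Cloud Apps". Context line 13 ("enables you to help you manage") carries a redundant "to help you", and new line 19 chains two "and" clauses that would read better as "Select **Add token**, provide a name to identify the token in the future, and select **Generate**".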

@@ -26,9 +26,9 @@ The API tokens tab enables you to help you manage all the API tokens of your ten
2626

2727
- **Generated:** Tokens that have never been used.
2828
- **Active:** Tokens that were generated and were used within the past seven days.
29-
- **Inactive:** Tokens that were used but there was no activity in the last seven days.
29+
- **Inactive:** Tokens that were used, but there was no activity in the last seven days.
3030

31-
1. After you generate a new token, you'll be provided with a new URL to use to access the Defender for Cloud Apps portal.
31+
1. After you generate a new token, you'll be provided with a new URL to use to access Defender for Cloud Apps.
3232

3333
![Defender for Cloud Apps API token.](media/generate-api-token.png)
3434
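
Review bot: After dropping "portal" on new line 31, the step says the new URL is used "to access Defender for Cloud Apps", which does not tell the reader what the URL is for in an article about API tokens. If it is the address the token is meant to be used against, say so explicitly in this step.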

@@ -46,7 +46,7 @@ After a token is revoked, it's removed from the table, and the software that was
4646

4747
> [!NOTE]
4848
>
49-
> - SIEM connectors and log collectors also use API tokens. These tokens should be managed from the log collectors and SIEM agent sections and do not appear in this table.
50-
> - Deprovisioned users API tokens are retained in Defender for Cloud Apps but cannot be used. Any attempt to use them will result in a permission denied response. However, we recommend that such tokens are revoked on the **API tokens** page.
49+
> - SIEM connectors and log collectors also use API tokens. These tokens should be managed from the log collectors and SIEM agent sections and don't appear in this table.
50+
> - Deprovisioned users API tokens are retained in Defender for Cloud Apps but can't be used. Any attempt to use them will result in a permission denied response. However, we recommend that such tokens are revoked on the **API tokens** page.
5151
5252
[!INCLUDE [Open support ticket](includes/support.md)]
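
Review bot: New line 50 needs a possessive ("Deprovisioned users' API tokens"), and the recommendation is passive and easy to miss: "we recommend that such tokens are revoked" could be "revoke these tokens on the **API tokens** page". Because the line states that these tokens are retained after the user is deprovisioned, it would also help to say who is expected to revoke them.
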

CloudAppSecurityDocs/azip-integration.md

Lines changed: 7 additions & 7 deletions
@@ -6,7 +6,7 @@ ms.topic: how-to
66
---
77
# Integrate with Microsoft Purview for information protection
88

9-
Microsoft Defender for Cloud Apps lets you automatically apply sensitivity labels from Microsoft Purview. These labels are applied to files as a file policy governance action, and depending on the label configuration, can apply encryption for additional protection. You can also investigate files by filtering for the applied sensitivity label within the Defender for Cloud Apps portal. Using labels enables greater visibility and control of your sensitive data in the cloud. Integrating Microsoft Purview with Defender for Cloud Apps is as easy as selecting a single checkbox.
9+
Microsoft Defender for Cloud Apps lets you automatically apply sensitivity labels from Microsoft Purview. These labels are applied to files as a file policy governance action, and depending on the label configuration, can apply encryption for additional protection. You can also investigate files by filtering for the applied sensitivity label within Defender for Cloud Apps. Using labels enables greater visibility and control of your sensitive data in the cloud. Integrating Microsoft Purview with Defender for Cloud Apps is as easy as selecting a single checkbox.
1010

1111
By integrating Microsoft Purview into Defender for Cloud Apps, you can use the full power of both services and secure files in your cloud, including:
1212

@@ -76,13 +76,13 @@ All you have to do to integrate Microsoft Purview with Defender for Cloud Apps i
7676

7777
To enable Defender for Cloud Apps to scan files with content inspection enabled for sensitivity labels:
7878

79-
In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Then go to **Information Protection** -> **Microsoft Information Protection**.
79+
In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Then go to **Information Protection** -> **Microsoft Information Protection**.
8080

8181
1. Under **Microsoft Information Protection settings**, select **Automatically scan new files for sensitivity labels from Microsoft Information Protection and content inspection warnings**.
8282

8383
![Screenshot of enabling Microsoft Purview.](media/enable-azip.png)
8484

85-
After enabling Microsoft Purview, you'll be able to see files that have sensitivity labels and filter them per label in Defender for Cloud Apps. After Defender for Cloud Apps is connected to the cloud app, you'll be able to use the Microsoft Purview integration features to apply sensitivity labels from Microsoft Purview (with or without encryption) in the Defender for Cloud Apps portal, by adding them directly to files or by configuring a file policy to apply sensitivity labels automatically as a governance action.
85+
After enabling Microsoft Purview, you'll be able to see files that have sensitivity labels and filter them per label in Defender for Cloud Apps. After Defender for Cloud Apps is connected to the cloud app, you'll be able to use the Microsoft Purview integration features to apply sensitivity labels from Microsoft Purview (with or without encryption) in the Defender for Cloud Apps, by adding them directly to files or by configuring a file policy to apply sensitivity labels automatically as a governance action.
8686

8787
> [!NOTE]
8888
> Automatic scan does not scan existing files until they are modified again. To scan existing files for sensitivity labels from Microsoft Purview, you must have at least one **File policy** that includes content inspection. If you have none, create a new **File policy**, delete all the preset filters, under **Inspection method** select **Built-in DLP**. In the **Content inspection** field, select **Include files that match a preset expression** and select any predefined value, and save the policy. This enables content inspection, which automatically detects sensitivity labels from Microsoft Purview.
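
Review bot: New line 85 leaves a stray article after removing "portal": "in the Defender for Cloud Apps, by adding them directly to files". Drop "the" and the comma so it reads "in Defender for Cloud Apps by adding them directly to files or by configuring a file policy ...". The note on line 88 still uses "does not" and "are not" while this commit switches to contractions in api-tokens-legacy.md, and the removed and added versions of line 79 show identical text, so confirm that change is an intended whitespace fix.
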
@@ -91,7 +91,7 @@ After enabling Microsoft Purview, you'll be able to see files that have sensitiv
9191

9292
By default, Defender for Cloud Apps scans sensitivity labels that were defined in your organization and external ones defined by other organizations.
9393

94-
To ignore sensitivity labels set external to your organization, go to the Microsoft Defender Portal and select **Settings**. Then choose **Cloud Apps**. Under **Information Protection**, select **Microsoft Information Protection**. Then select **Only scan files for Microsoft Information Protection sensitivity labels and content inspection warnings from this tenant**.
94+
To ignore sensitivity labels set external to your organization, go to the Microsoft Defender Portal and select **Settings**. Then choose **Cloud Apps**. Under **Information Protection**, select **Microsoft Information Protection**. Then select **Only scan files for Microsoft Information Protection sensitivity labels and content inspection warnings from this tenant**.
9595

9696
![Ignore labels.](media/azip-ignore.png)
9797

@@ -112,7 +112,7 @@ To ignore sensitivity labels set external to your organization, go to the Micros
112112

113113
4. You can also remove sensitivity labels by choosing the **Remove sensitivity label** option.
114114

115-
For more information about how Defender for Cloud Apps and Microsoft Purview work together, see [Automatically apply sensitivity labels from Microsoft Purview](use-case-information-protection.md).
115+
For more information about how Defender for Cloud Apps and Microsoft Purview work together, see [Automatically apply sensitivity labels from Microsoft Purview](use-case-information-protection.md).
116116

117117
### Automatically label files
118118

@@ -148,8 +148,8 @@ Follow these instructions to create the file policy:
148148

149149
1. Then, you can create file policies in Defender for Cloud Apps to control files that are shared inappropriately and find files that are labeled and were recently modified.
150150

151-
- You can create a policy that automatically applies a sensitivity label to specific files.
152-
- You can also trigger alerts on activities related to file classification.
151+
- You can create a policy that automatically applies a sensitivity label to specific files.
152+
- You can also trigger alerts on activities related to file classification.
153153

154154
> [!NOTE]
155155
> When sensitivity labels are disabled on a file, the disabled labels appear as disabled in Defender for Cloud Apps. Deleted labels are not displayed.
