Merge pull request #5787 from MicrosoftDocs/main

[AutoPublish] main to live - 11/30 04:38 PST | 11/30 18:08 IST

Author: aditisrivastava07

defender-endpoint/autoir-investigation-results.md

@@ -20,22 +20,18 @@ ms.custom:
 - autoir
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
-ms.date: 04/04/2025
+ms.date: 11/30/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 2
 
 ---
 # View the details and results of an automated investigation
 
-
 With Microsoft Defender for Endpoint, when an [automated investigation](automated-investigations.md) runs, details about that investigation are available both during and after the automated investigation process. If you have the necessary permissions, you can view those details in an investigation details view. The investigation details view provides you with up-to-date status and the ability to approve any pending actions.
 
-## (NEW!) Unified investigation page
-
-The investigation page is updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)  and [Microsoft Defender for Office 365](/defender-office-365/mdo-about).
+## Unified investigation page
 
-> [!TIP]
-> To learn more about what's changing, see [(NEW!) Unified investigation page](/microsoft-365/security/mtp/mtp-autoir-results).
+The unified investigation page includes information across your devices, email, and collaboration content. It defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) and [Microsoft Defender for Office 365](/defender-office-365/mdo-about). For more information, see [Details and results of an automated investigation](/defender-xdr/m365d-autoir-results).
 
 ## Open the investigation details view
 
@@ -69,9 +65,7 @@ Use an incident details page to view detailed information about an incident, inc
 
 ## Investigation details
 
-Use the investigation details view to see past, current, and pending activity pertaining to an investigation. The investigation details view resembles the following image:
-
-In the Investigation details view, you can see information on the **Investigation graph**, **Alerts**, **Devices**, **Identities**, **Key findings**, **Entities**, **Log**, and **Pending actions** tabs, described in the following table.
+Use the investigation details view to see past, current, and pending activity pertaining to an investigation. In the investigation details view, you can see information on the **Investigation graph**, **Alerts**, **Devices**, **Identities**, **Key findings**, **Entities**, **Log**, and **Pending actions** tabs, described in the following table.
 
 > [!NOTE]
 > - The specific tabs you see in an investigation details page depends on what your subscription includes. For example, if your subscription doesn't include Microsoft Defender for Office 365 Plan 2, you won't see a **Mailboxes** tab.

defender-endpoint/enable-attack-surface-reduction.md

@@ -345,6 +345,10 @@ Example:
    > Don't use quotes as they aren't supported for either the **Value name** column or the **Value** column.
    > The rule ID shouldn't have any leading or trailing spaces.
 
+> [!NOTE]
+> Microsoft rebranded Windows Defender Antivirus to Microsoft Defender Antivirus beginning with Windows 10 version 20H1.
+> Group Policy paths on earlier Windows versions may still reference Windows Defender Antivirus, while newer builds show Microsoft Defender Antivirus. Both names refer to the same policy location.
+
 ### PowerShell
 
 > [!WARNING]

defender-endpoint/media/atp-time-zone-menu.png

@@ -1,9 +1,9 @@
 ---
 title: Microsoft Defender XDR time zone settings
-description: Use the info contained here to configure the Microsoft Defender XDR time zone settings and view license information.
+description: Use the info contained here to configure the Microsoft Defender XDR time zone settings.
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.localizationpriority: medium
 manager: bagol
 audience: ITPro
@@ -13,7 +13,7 @@ ms.collection:
 ms.topic: article
 ms.subservice: reference
 search.appverid: met150
-ms.date: 05/05/2025
+ms.date: 11/30/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
@@ -22,9 +22,7 @@ appliesto:
 # Microsoft Defender XDR time zone settings
 
 
-This article describes time zone settings and options. You can use **Time zone** menu to configure the time zone and view license information.
-
-:::image type="content" source="media/atp-time-zone.png" alt-text="The Time zone settings-1" lightbox="media/atp-time-zone.png":::
+This article describes how to configure time zone settings and options.
 
 > [!NOTE]
 > Changing the time zone setting in the [Microsoft Defender portal](https://security.microsoft.com) only affects how times are displayed. It doesn't affect the actual scheduling of operations, such as antivirus scans, which continue to follow the local system time or UTC settings, depending on how they're configured.
@@ -33,10 +31,6 @@ This article describes time zone settings and options. You can use **Time zone**
 
 The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks. Cyberforensic investigations often rely on time stamps to piece together the sequence of events. It's important that your system reflects the correct time zone settings. Defender for Endpoint can display either Coordinated Universal Time (UTC) or local time.
 
-Your current time zone setting is shown in the **Timezone** menu in the Microsoft Defender portal.
-
-:::image type="content" source="media/atp-time-zone-menu.png" alt-text="The Time zone settings-2" lightbox="media/atp-time-zone-menu.png":::
-
 ### UTC time zone
 
 Defender for Endpoint uses UTC time by default. Keeping this time zone displays all system timestamps (alerts, events, and others) in UTC for all users. This configuration can help security analysts working in different locations across the globe to use the same time stamps while investigating events.
@@ -55,13 +49,9 @@ The Defender for Endpoint time zone is set by default to UTC. Setting the time z
 
 To set the time zone:
 
-1. Select the **Time zone** menu.
-
-   :::image type="content" source="media/atp-time-zone.png" alt-text="The Time zone settings-3" lightbox="media/atp-time-zone.png":::
-
-2. Select the **Timezone UTC** indicator.
+1. In the Microsoft Defender portal, go to **System** > **Settings** > **Microsoft Defender portal** > **Time zone**.
 
-3. Select **Timezone UTC** or your local time zone, for example `-7:00`.
+1. In the **Time zone** drop down menu, select either UTC or your local time zone.
 
 ### Regional settings
 

defender-endpoint/media/atp-time-zone.png

@@ -83,6 +83,11 @@ To successfully generate a cloud discovery report, your traffic logs must meet t
 1. The log file is valid and includes outbound traffic information.
 1. Configure the appliance to forward only traffic logs. Including unrelated logs in the configuration can inflate the ingested traffic volume.
 
+> [!IMPORTANT]
+> ZIP upload is supported **only for a single compressed file.** ZIP archives containing multiple log files are **not supported.**
+> Individual log files larger than **1 GB** cannot be uploaded. Split large logs before uploading. You can upload up to 20 files per batch.
+
+
 ## Next steps
 
 > [!div class="nextstepaction"]

defender-endpoint/time-settings.md

@@ -22,17 +22,14 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 search.appverid: met150
-ms.date: 09/30/2025
+ms.date: 12/01/2025
 
 ---
-# Hunt for threats using the hunting graph (Preview)
+# Hunt for threats using the hunting graph
 
-> [!IMPORTANT]
-> Some information relates to prereleased product that may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+The **hunting graph** provides visualization capabilities in [advanced hunting](advanced-hunting-overview.md) by rendering threat scenarios as interactive graphs. This feature allows security operations center (SOC) analysts, threat hunters, and security researchers to conduct threat hunting and incident response more easily and intuitively, improving their efficiency and ability to assess possible security issues. 
 
-The **hunting graph** provides visualization capabilities in [advanced hunting](advanced-hunting-overview.md) by rendering threat scenarios as interactive graphs. This feature allows security operations center (SOC) analysts, threat hunters, and security researchers conduct threat hunting and incident response easily and more intuitively, improving their efficiency and ability to assess possible security issues. 
-
-Analysts often rely on [Kusto Query Language](/azure/kusto/query/) (KQL) queries to uncover relationships between entities—an approach that could be both time-consuming and prone to oversights. Hunting graph makes exploration of security data simpler and faster by visualizing these relationships, letting you trace paths and possible choke points, as well as surface insights and take various actions based on the results that tabular queries might miss. 
+Analysts often rely on [Kusto Query Language](/azure/kusto/query/) (KQL) queries to uncover relationships between entities. This approach can be both time-consuming and prone to oversights. The hunting graph makes exploration of security data simpler and faster by visualizing these relationships. You can trace paths and possible choke points, as well as surface insights and take various actions based on the results that tabular queries might miss. 
 
 ## Get access
 
@@ -43,7 +40,7 @@ You must also have the following access or permissions:
 - [Microsoft Sentinel data lake](/azure/sentinel/datalake/sentinel-lake-overview)
 - At least [read-only](/security-exposure-management/prerequisites) access in Microsoft Security Exposure Management
 
-## Where to find hunting graph
+## Where to find the hunting graph
 
 You can find the **hunting graph** page by going to the left navigation bar in the Microsoft Defender portal and selecting **Investigation & response** > **Hunting** > **Advanced hunting**. 
 
@@ -55,19 +52,19 @@ A new hunting graph page appears as tab labeled **New hunt** in the advanced hun
 
 ## Hunting graph features
 
-The interactive graphs generated in the hunting graph are composed of **nodes** and **edges** to represent entities in your environment (for example, a device, user account, or IP address, among others) and their relationships or connection properties, respectively. [Learn more about graphs and visualizations in Microsoft Defender](understand-graph-icons.md)
+The interactive graphs that the hunting graph generates use **nodes** and **edges** to show entities in your environment, such as a device, user account, or IP address, and their relationships or connection properties. [Learn more about graphs and visualizations in Microsoft Defender](understand-graph-icons.md).
 
-The lower right-hand corner of the graph also has control buttons that let you **Zoom in** and **Zoom out**, and view the graph's **Layers**.
+The lower right corner of the graph has control buttons that let you **Zoom in** and **Zoom out**, and view the graph's **Layers**.
 
 :::image type="content" source="./media/advanced-hunting-graph/hunting-graph-render.png" alt-text="Screenshot of a rendered graph in the hunting graph page." lightbox="./media/advanced-hunting-graph/hunting-graph-render.png":::
 
 ## Get started with hunting graph
 
 ### Use predefined scenarios in the hunting graph
 
-The hunting graph lets you search with predefined scenarios, which are prebuilt advanced hunting queries that could help you answer specific and common questions for specific use cases.
+The hunting graph lets you search with predefined scenarios. These scenarios are prebuilt advanced hunting queries that help you answer specific and common questions for specific use cases.
 
-To start hunting using a predefined scenario, on a new hunting graph page, select **Search with Predefined scenarios**. A side panel appears where you can then perform the following steps: 
+To start hunting with a predefined scenario, on a new hunting graph page, select **Search with Predefined scenarios**. A side panel appears where you can then perform the following steps: 
 
 1. [Select a scenario and enter the required inputs](#step-1-select-a-scenario-and-enter-scenario-inputs)
 1. [Apply filters on the graph](#step-2-apply-filters)
@@ -81,22 +78,24 @@ The following table describes the predefined scenarios in the hunting graph and
 
 | **Scenario** | **Description** | **Inputs** |
 |---|---|---|
-| **Paths between two entities** | Provide two entities (nodes) to view the paths between them.<br><br>Use this scenario if you want to discover if there’s a path leading from one entity to another. |<ul><li>Start Entity<li>End Entity</ul>**Note:** Make sure to identify and input the correct start and end entities, as the generated graph will be directional. |
+| **Paths between two entities** | Provide two entities (nodes) to view the paths between them.<br><br>Use this scenario if you want to discover if there’s a path leading from one entity to another. |<ul><li>Start Entity<li>End Entity</ul>|
 | **Entities that have access to a key vault** | Provide a specific key vault to view paths from various entities (devices, virtual machines, containers, servers, and others) that have direct or indirect access to it.<br><br>Use this scenario in case of a breach, maintenance work, or assessment of the impact of entities that might have access to a sensitive asset like a key vault. | Target key vault |
 | **Users with access to sensitive data** | Provide any sensitive data storage of interest to view users that have access to it.<br><br>Use this scenario if you want to know which entities have access to sensitive data, especially in cases when an incident indicates unusual access to confidential files. | Target storage account |
 | **Critical users with access to storage accounts containing sensitive data** | This scenario identifies critical users with access to storage resources containing sensitive data.<br><br>Use this scenario to prevent, assess, and monitor unauthorized access, exposure risk, and breach impact based on the privileged users. | (None) |
 | **Data exfiltration by a device** | Provide a device ID to view paths to storage accounts it has access to; for instance, to check what storage accounts a certain device can access in a bring your own device (BYOD) environment.<br><br>Use this scenario when investigating suspicious or unauthorized data transfer from corporate devices and to external sources. | Source device |
 | **Paths to a highly critical Kubernetes cluster** | Provide a Kubernetes cluster with high criticality to view users, virtual machines, and containers that have access to it.<br><br>Use this scenario to assess, analyze and prioritize handling of attack paths leading to highly critical Kubernetes cluster. | Target Kubernetes cluster |
 | **Identities with access to Azure DevOps repositories** | Provide an Azure DevOps (ADO) repository name to view users that have read and/or write access to said repository.<br><br>Use this scenario to identify entities with access to ADO repositories, which often contain sensitive assets and therefore valuable targets for threat actors. This scenario gives you visibility and lets you plan your response in case of a breach. | Target ADO repository |
 | **Identify nodes in the highest number of paths to SQL data stores** | This scenario identifies the nodes that appear in the highest number of paths leading to SQL data stores. The scenario discovers paths in the graph where users have roles or permissions to access the SQL data stores.<br><br>Use this scenario to gain visibility to stores that might contain sensitive information, assess the impact in case of a breach, and prepare your mitigation and response. | (None) |
+| **Attack paths to a critical asset** | View the potential routes through various nodes leading towards a target.<br>Use this scenario to examine potential lateral movement that could reach a critical asset through your network. | Target critical asset |
+| **Entity connections** | Find the direct connections of a given entity and analyze its relationships. | Source entity<br><br>**Note:** You can use any entity as the seeding node for the graph. The graph indicates incoming and outgoing connections. |
 
 :::image type="content" source="./media/advanced-hunting-graph/hunting-graph-select-scenario.png" alt-text="Screenshot of the predefined scenarios side panel highlighting the available options." lightbox="./media/advanced-hunting-graph/hunting-graph-select-scenario.png":::
 
 :::image type="content" source="./media/advanced-hunting-graph/hunting-graph-input.png" alt-text="Screenshot of the predefined scenarios side panel highlighting the required scenario inputs." lightbox="./media/advanced-hunting-graph/hunting-graph-input.png":::
 
 #### Step 2: Apply filters
 
-You can add relevant filters to make the map view of your selected scenario more precise. For example, if you want to **Show only the shortest paths**, tick this option.
+You can add relevant filters to make the map view of your selected scenario more precise. For example, if you want to **Show only the shortest paths**, select this option.
 
 :::image type="content" source="./media/advanced-hunting-graph/hunting-graph-filter.png" alt-text="Screenshot of the predefined scenarios side panel highlighting the Show only the shortest paths filter." lightbox="./media/advanced-hunting-graph/hunting-graph-filter.png":::
 
@@ -113,6 +112,7 @@ To add a filter, select **Add filter** then the select any of the supported node
 | **Source Node** | equals |<ul><li>Is critical<li>Is vulnerable<li>Is exposed to the internet</ul> |
 | **Target Node** | equals |<ul><li>Has sensitive data<li>Has risk score<li>Is vulnerable</ul> |
 | **Edge Type** | equals |<ul><li>has permissions to<li>routes traffic to<li>affecting<li>member of<li>defines<li>can impersonate as<li>contains<li>can authenticate as<li>runs on<li>has role on<li>is running<li>used to create<li>maintains<li>frequently logged in by<li>has credentials of<li>defined in<li>can authenticate to<li>pushes<li>provisions</ul>|
+| **Edge direction** | equals |<ul><li>Incoming<li>Outgoing<li>Both</ul> |
 
 :::image type="content" source="./media/advanced-hunting-graph/hunting-graph-advanced-filters.png" alt-text="Screenshot of the predefined scenarios side panel highlighting the advanced filter section." lightbox="./media/advanced-hunting-graph/hunting-graph-advanced-filters.png":::
 

defender-for-cloud-apps/create-snapshot-cloud-discovery-reports.md

@@ -21,7 +21,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 08/13/2025
+ms.date: 11/18/2025
 ---
 
 # MessageEvents
@@ -63,6 +63,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `DeliveryAction` | `string` |Delivery action of the message: Delivered, Blocked|
 | `DeliveryLocation` | `string` |Location of the message at the time of delivery|
 | `ReportId` | `string` |Unique identifier for the event|
+| `SafetyTip` | `string` |The safety tip that has been added on a message, if any|
 
 
 

defender-xdr/advanced-hunting-graph.md

@@ -21,7 +21,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 08/13/2025
+ms.date: 11/18/2025
 ---
 
 # MessagePostDeliveryEvents
@@ -53,7 +53,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `LatestDeliveryLocation` | `string` |Last known location of the message |
 | `ReportId` | `string` |Unique identifier for the event|
 | `IsExternalThread` | `boolean` |Indicates if there are external recipients in the thread (1) or none (0)|
-
+| `SafetyTip` | `string` |The safety tip that has been added on a message, if any|
 
 
 ## Related topics