Merge branch 'main' into maccruz-campaigns

Author: poliveria

defender-for-cloud-apps/anomaly-detection-policy.md

@@ -36,7 +36,6 @@ Based on the policy results, security alerts are triggered. Defender for Cloud A
 > - [Suspicious inbox forwarding](#suspicious-inbox-forwarding).
 > - [Unusual ISP for an OAuth App](#unusual-isp-for-an-oauth-app).
 > - [Suspicious file access activity (by user)](#unusual-activities-by-user).
-> - [Ransomware activity](#ransomware-activity).
 >
 > You will continue to receive the same standard of protection without disruption to your existing security coverage. No action is required from your side.
 
@@ -92,10 +91,6 @@ This detection identifies that users were active from an IP address that has bee
 
 ### Ransomware activity
 
-> [!NOTE]
-> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Ransomware payment instruction file uploaded to {Application}**.
-> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
-
 Defender for Cloud Apps extended its ransomware detection capabilities with anomaly detection to ensure a more comprehensive coverage against sophisticated Ransomware attacks. Using our security research expertise to identify behavioral patterns that reflect ransomware activity, Defender for Cloud Apps ensures holistic and robust protection. If Defender for Cloud Apps identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process. This data is collected in the logs received from connected APIs and is then combined with learned behavioral patterns and threat intelligence, for example, known ransomware extensions. For more information about how Defender for Cloud Apps detects ransomware, see [Protecting your organization against ransomware](best-practices.md#detect-cloud-threats-compromised-accounts-malicious-insiders-and-ransomware).
 
 ### Activity performed by terminated user

exposure-management/exposure-insights-overview.md

@@ -103,8 +103,6 @@ Security Exposure Management ingests security recommendations from multiple sour
 - **New unified Recommendations page**: All recommendations from various sources (Secure Score, Defender for Cloud, Defender for Endpoint, etc.) are now consolidated into one catalog view in the Defender portal
 - **Organized by attack surface**: Recommendations are organized by tabs for different domains - Devices, Cloud, Identity, SaaS, and Data
 - **Categorized by issue type**: Recommendations are separated by type - misconfigurations vs vulnerabilities vs secrets. For example, on the Devices tab, you'll find separate views for Misconfigurations and Vulnerabilities, aligning with different remediation workflows
-- **Risk-based prioritization**: Combines vulnerability data from endpoints and cloud environments into a unified, actionable view, including contextual risk-based Secure Score.
-- **Unified remediation flow**: Side-by-side visibility into device and cloud weaknesses enabling security teams to efficiently track posture improvements, remediate vulnerabilities, and understand attack paths in real time through a streamlined interface.
 
 ### Recommendation management
 

exposure-management/security-recommendations.md

@@ -17,7 +17,6 @@ This article describes how to work with security recommendations in the new unif
 
 - Learn about the [unified recommendations catalog](exposure-insights-overview.md#working-with-recommendations) before you start.
 - [Review permissions and prerequisites needed](prerequisites.md) for working with Security Exposure Management.
-- Understand that all recommendations from various sources (Secure Score, Defender for Cloud, Defender for Endpoint, etc.) are now consolidated into one unified view in the Defender portal.
 
 ## Overview of the unified recommendations catalog
 
@@ -58,7 +57,7 @@ Apply advanced filtering using the **Add filter** option to narrow down recommen
 
 #### Devices
 
-The Devices tab provides a unified view of device-related security recommendations, combining misconfigurations and vulnerabilities into a single location for easier management.
+The Devices tab provides a unified view of device-related security recommendations.
 
 There are separate views for issue types:
 
@@ -69,7 +68,7 @@ This separation recognizes that misconfigurations and vulnerabilities often repr
 
 ## Cloud assets
 
-This tab provides a prioritized list of security actions designed to improve your cloud security posture by addressing vulnerabilities and misconfigurations. These recommendations are ranked by effective risk, helping security teams focus on the most critical threats first.
+This tab provides a prioritized list of security actions designed to improve your cloud security posture by addressing vulnerabilities, misconfigurations, and exposed secrets. These recommendations are ranked by effective risk, helping security teams focus on the most critical threats first.
 
 Apply filters and filter sets such as **Exposed asset**, **Asset risk factors**, **Environment**, **Workload**, **Recommendation maturity** and others.
 
@@ -111,29 +110,18 @@ These tabs provide recommendations specific to SaaS applications, identity secur
 
 The recommendations summary on these tabs includes:
 
-- Their unique secure score
+- Their unique Microsoft Secure Score
 - Score history
 - Recommendation by status
 - Score comparison
 
-1. Select a recommendation to view and review details.
-
-You can also review recommendations on the **Recommendations** tab in a specific security initiative page in **Initiatives** to access [Microsoft Exposure Recommendations](https://security.microsoft.com/exposure-recommendations) in the [Microsoft Defender portal](https://security.microsoft.com/).
-
 ## Remediate recommendations
 
 1. To remediate a recommendation, select a specific recommendation and browse to the **Remediation steps** tab.
 
 1. Review the remediation steps and select **Manage** to follow the steps in the originating workload. The unified experience directs you to the appropriate service:
-   - Microsoft Defender for Cloud for cloud recommendations
-   - Microsoft Defender Vulnerability Management for device vulnerabilities  
-   - Microsoft Secure Score for Microsoft 365 recommendations
-   - Other Microsoft workloads as appropriate
-
-1. **Note on unified workflow**: All recommendations, including those from Azure security center, are now visible in Exposure Management, so you can manage your entire security posture from the unified portal without needing to navigate to separate Azure portals for cloud recommendations.
 
 ## Next steps
 
 - Review other ways to [improve security insights with exposure insights](exposure-insights-overview.md)
-- Learn how to [Explore security events](security-events.md)
-- [Investigate initiative metrics](security-metrics.md)
+- [Investigate initiatives and metrics](security-metrics.md)