Merge branch 'main' into MB-chrisda

Author: chrisda

ATPDocs/media/okta-integration/okta-permissions.png

@@ -100,9 +100,8 @@ After assigning both roles, you can remove the Super Admin role. This ensures th
 1. Select **Create new role**.
 1. Set the role name to **Microsoft Defender for Identity**.
 1. Select the permissions you want to assign to this role. Include the following permissions:
-    - **Suspend users**
-    - **Unsuspend users**
-    - **Clear users’ session**
+    - **Edit user's lifecycle states**
+    - **Edit user's authenticator operations**
     - **View roles, resources, and admin assignments**
 1. Select **Save role**.
 

ATPDocs/okta-integration.md

@@ -58,6 +58,8 @@ The sensors page provides the following information about each sensor:
 
   * **Standalone sensor**
 
+  * **Entra Connect sensor**. If your sensor is installed on a domain controller server with Entra Connect configured, such as in a testing environment, the sensor type is shown as **Domain controller sensor** instead.
+ 
   * **ADCS sensor** (Active Directory Certificate Services). If your sensor is installed on a domain controller server with AD CS configured, such as in a testing environment, the sensor type is shown as **Domain controller sensor** instead.
 
 * **Domain**: Displays the fully qualified domain name of the Active Directory domain where the sensor is installed.
@@ -186,9 +188,9 @@ Every few minutes, Defender for Identity sensors check whether they have the lat
 
 1. Sensors selected for **Delayed update** start their update process 72 hours after the Defender for Identity cloud service is updated. These sensors will then use the same update process as automatically updated sensors.
 
-For any sensor that fails to complete the update process, a relevant [health alert](health-alerts.md#sensor-outdated) is triggered, and is sent as a notification.
+    For any sensor that fails to complete the update process, a relevant [health alert](health-alerts.md#sensor-outdated) is triggered, and is sent as a notification.
 
-![Sensor update failure.](media/sensor-outdated.png)
+    ![Sensor update failure.](media/sensor-outdated.png)
 
 ### Silently update the Defender for Identity sensor
 

ATPDocs/sensor-settings.md

@@ -83,6 +83,13 @@ The following governance actions can be taken for connected apps either on a spe
 
   - **Trash** – Move the file to the trash folder. (Box, Dropbox, Google Drive, OneDrive, SharePoint)
 
+> [!NOTE]
+> These actions are restricted to users with specific administrative roles. If the options described are not visible or accessible, please confirm with your system administrator that your account has one of the following roles assigned:
+ - Security Operator
+ - Security administrator
+ - Global administrator
+ - Cloud app security administrator
+   
 :::image type="content" source="media/governance-actions/governance-actions-dropbox-google-workspace.png" alt-text="Screenshot that shows malware governance actions." lightbox="media/governance-actions/governance-actions-dropbox-google-workspace.png":::
 
 > [!NOTE]

CloudAppSecurityDocs/anomaly-detection-policy.md

@@ -11,6 +11,17 @@ ms.topic: how-to
 
 Microsoft Defender for Cloud Apps provides security detections and alerts for malicious activities. The purpose of this guide is to provide you with general and practical information on each alert, to help with your investigation and remediation tasks. Included in this guide is general information about the conditions for triggering alerts. However, it's important to note that since anomaly detections are nondeterministic by nature, they're only triggered when there's behavior that deviates from the norm. Finally, some alerts might be in preview, so regularly review the official documentation for updated alert status.
 
+> [!IMPORTANT]
+> Starting June 2025, Microsoft Defender for Cloud Apps began transitioning anomaly detection policies to a dynamic threat detection model. This model automatically adapts detection logic to the evolving threat landscape, keeping detections current without manual configuration or policy updates. As part of these improvements to overall security, and to provide more accurate and timely alerts, several legacy policies have been disabled:
+> 
+> - Activity from suspicious IP addresses
+> - Suspicious inbox manipulation rules
+> - Suspicious email deletion activity
+> - Activity from anonymous IP addresses
+> - Suspicious inbox forwarding
+>
+> You will continue to receive the same standard of protection without disruption to your existing security coverage. No action is required from your side.
+
 ## MITRE ATT\&CK
 
 To explain and make it easier to map the relationship between Defender for Cloud Apps alerts and the familiar MITRE ATT\&CK Matrix, we've categorized the alerts by their corresponding MITRE ATT\&CK tactic. This extra reference makes it easier to understand the suspected attacks technique potentially in use when a Defender for Cloud Apps alert is triggered.
@@ -52,6 +63,9 @@ This section describes alerts indicating that a malicious actor might be attempt
 
 ### Activity from anonymous IP address
 
+> [!NOTE]
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Activity from a TOR IP address** and **Anonymous proxy activity**.
+
 **Description**
 
 Activity from an IP address that has been identified as an anonymous proxy IP address by Microsoft Threat Intelligence or by your organization. These proxies can be used to hide a device's IP address and might be used for malicious activities.
@@ -101,6 +115,9 @@ Detecting anomalous locations requires an initial learning period of seven days
 
 ### Activity from suspicious IP addresses
 
+> [!NOTE]
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Successful logon from a suspicious IP address**.
+
 Activity from an IP address that has been identified as risky by Microsoft Threat Intelligence or by your organization. These IP addresses were identified as being involved in malicious activities, such as performing password spray, botnet command and control (C&C), and might indicate a compromised account.
 
 **TP**, **B-TP**, or **FP**?
@@ -317,6 +334,9 @@ Activities in a single session indicating that, a user performed suspicious chan
 
 ### Suspicious email deletion activity (by user)
 
+> [!NOTE]
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Suspicious email deletion activity**.
+
 Activities in a single session indicating that, a user performed suspicious email deletions. The deletion type was the "hard delete" type, which makes the email item deleted and not available in the user's mailbox. The deletion was made from a connection that includes uncommon preferences such as ISP, country/region, and user agent. This can indicate an attempted breach of your organization, such as attackers attempting to mask operations by deleting emails related to spam activities.
 
 **TP**, **B-TP**, or **FP**?
@@ -340,6 +360,10 @@ Activities in a single session indicating that, a user performed suspicious emai
 
 ### Suspicious inbox manipulation rule
 
+> [!NOTE]
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model.
+> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
+
 Activities indicating that an attacker gained access to a user's inbox and created a suspicious rule. Manipulation rules, such as deleting or moving messages, or folders, from a user's inbox might be an attempt to exfiltrate information from your organization. Similarly, they can indicate an attempt to manipulate information that a user sees or to use their inbox to distribute spam, phishing emails, or malware. Defender for Cloud Apps profiles your environment and triggers alerts when suspicious inbox manipulation rules are detected on a user's inbox. This might indicate that the user's account is compromised.
 
 **TP**, **B-TP**, or **FP**?
@@ -538,6 +562,9 @@ This section describes alerts indicating that a malicious actor might be attempt
 
 ### Suspicious inbox forwarding
 
+> [!NOTE]
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Suspicious email forwarding rule created by third-party app**.
+
 Activities indicating that an attacker gained access to a user's inbox and created a suspicious rule. Manipulation rules, such as forward all or specific emails to another email account might be an attempt to exfiltrate information from your organization. Defender for Cloud Apps profiles your environment and triggers alerts when suspicious inbox manipulation rules are detected on a user's inbox. This might indicate that the user's account is compromised.
 
 **TP**, **B-TP**, or **FP**?

CloudAppSecurityDocs/governance-actions.md

@@ -80,7 +80,7 @@ To configure the severity for alerts sent to Microsoft Defender for Endpoint:
 1. Under **Alerts**, select the global severity level for alerts.
 1. Select **Save**.
 
-    ![Screenshot of the Defender for Endpoint alert settings.](media/mde-alert-severity-settings.png)
+    :::image type="content" source="media/mde-alert-severity-settings.png" alt-text="Screenshot that shows the Defender for Endpoint alert settings." lightbox="media/mde-alert-severity-settings.png":::
 
 ## Next steps
 

CloudAppSecurityDocs/investigate-anomaly-alerts.md

@@ -27,9 +27,30 @@ For news about earlier releases, see [Archive of past updates for Microsoft Defe
 > Learn more: [Network requirements](https://aka.ms/MDANetworkDocs).
 
 
+## June 2025
+
+### “Behaviors” data type in Microsoft Defender for Cloud Apps - General Availability
+
+The **Behaviors** data type significantly enhances overall threat detection accuracy by reducing alerts on generic anomalies and surfacing alerts only when observed patterns align with real security scenarios. You can now use **Behaviors** to conduct investigations in [Advanced Hunting](https://learn.microsoft.com/defender-xdr/advanced-hunting-overview), build better [custom detections](https://learn.microsoft.com/defender-xdr/custom-detection-rules) based on behavioral signals, and benefit from automatic inclusion of context-related behaviors into [incidents](https://learn.microsoft.com/defender-xdr/incidents-overview). This provides clearer context and helps security operations teams to reduce alert fatigue, prioritize, and respond more efficiently.
+
+For more information, see:
+- [Investigate behaviors with advanced hunting](/defender-cloud-apps/behaviors).
+- [TechCommunity Blog](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/transform-the-way-you-investigate-by-using-behaviors--new-detections-in-xdr-star/3825154).
+
+### New Dynamic Threat Detection model
+
+Microsoft Defender for Cloud Apps new dynamic threat detection model continuously adapts to the ever-changing SaaS apps threat landscape. This approach ensures your organization remains protected with up-to-date detection logic without the need for manual policy updates or reconfiguration. Several legacy anomaly detection policies have already been seamlessly transitioned to this adaptive model, delivering smarter and more responsive security coverage.
+
+For more information, see [Create Defender for Cloud Apps anomaly detection policies](anomaly-detection-policy.md).
+
+
 ## May 2025 
 
 
+### Revamped Cloud Discovery Executive Summary report
+
+The Cloud Discovery Executive Summary report has been updated with a modernized design and streamlined format. The new version reduces the report from 26 pages to 6 pages, focusing on the most relevant and actionable insights while improving readability and usability. For more details, see [How to generate a Cloud Discovery executive report](discovered-apps.md#generate-a-cloud-discovery-executive-report).
+
 ### New Applications inventory page now available in Defender XDR
 
 The new Applications page in Microsoft Defender XDR provides a unified inventory of all SaaS and connected OAuth applications across your environment. This view helps streamline application discovery, monitoring, and risk assessment.
@@ -99,7 +120,7 @@ Defender for Cloud Apps customers can now configure Role-Based Access Control (R
 For more information, see:
 
 - [Configure admin access](/defender-cloud-apps/manage-admins)
-- [Investigate behaviors with advanced hunting (Preview)](/defender-cloud-apps/behaviors)
+- [Investigate behaviors with advanced hunting](/defender-cloud-apps/behaviors)
 
 ## February 2025
 

CloudAppSecurityDocs/mde-integration.md

@@ -1046,6 +1046,8 @@
             href: respond-machine-alerts.md#restrict-app-execution
           - name: Isolate devices from the network
             href: respond-machine-alerts.md#isolate-devices-from-the-network
+          - name: Isolation exclusions
+            href: isolation-exclusions.md
           - name: Contain devices from the network
             href: respond-machine-alerts.md#contain-devices-from-the-network
           - name: Contain user from the network