Merge branch 'main' into user/zakhter/mde_netfilter_doc_update

Author: zeeshan1995

.acrolinx-config.edn

@@ -51,10 +51,10 @@ Select the total score link to review all feedback on clarity, consistency, tone
  "
 **More information about Acrolinx**
  
-- [Install Acrolinx locally for VSCode for Magic](https://review.docs.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
+- [Install Acrolinx locally for VSCode for Magic](https://review.learn.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
 - [False positives or issues](https://aka.ms/acrolinxbug)
 - [Request a new Acrolinx term](https://microsoft.sharepoint.com/teams/M365Dev2/SitePages/M365-terminology.aspx)
-- [Troubleshooting issues with Acrolinx](https://review.docs.microsoft.com/help/contribute/acrolinx-error-messages)
+- [Troubleshooting issues with Acrolinx](https://review.learn.microsoft.com/help/platform/acrolinx-troubleshoot?branch)
 
 "
 }

.github/workflows/StaleBranch.yml

@@ -2,12 +2,18 @@ name: (Scheduled) Stale branch removal
 
 permissions:
   contents: write
-      
+  pull-requests: read
+
+# This workflow is designed to be run in the days up to, and including, a "deletion day", specified by 'DeleteOnDayOfMonth' in env: in https://github.com/MicrosoftDocs/microsoft-365-docs/blob/workflows-prod/.github/workflows/Shared-StaleBranch.yml.
+# On the days leading up to "deletion day", the workflow will report the branches to be deleted. This lets users see which branches will be deleted. On "deletion day", those branches are deleted.
+# The workflow should not be configured to run after "deletion day" so that users can review the branches were deleted.
+# Recommendation: configure cron to run on days 1,15-31 where 1 is what's configured in 'DeleteOnDayOfMonth'. If 'DeleteOnDayOfMonth' is set to something else, update cron to run the two weeks leading up to it.
+
 on:
   schedule:
-    - cron: "0 9 1 * *"
+    - cron: "0 9 1,15-31 * *"
 
-  # workflow_dispatch:
+  workflow_dispatch:
 
 
 jobs:

.openpublishing.redirection.defender-cloud-apps.json

@@ -1009,6 +1009,11 @@
       "source_path": "CloudAppSecurityDocs/troubleshooting-api-connectors-using-error-messages.md",
       "redirect_url": "/defender-cloud-apps/troubleshooting-api-connectors-errors",
       "redirect_document_id": true
-    }
+    },
+    {
+      "source_path": "CloudAppSecurityDocs/connector-platform.md",
+      "redirect_url": "/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps",
+      "redirect_document_id": true
+    },
   ]
 }

.openpublishing.redirection.defender-endpoint.json

@@ -149,6 +149,11 @@
       "source_path": "defender-endpoint/onboard-windows-server-2012r2-2016.md",
       "redirect_url": "/defender-endpoint/onboard-server",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-endpoint/mde-linux-arm.md",
+      "redirect_url": "/defender-endpoint/microsoft-defender-endpoint-linux",
+      "redirect_document_id": false
     } 
   ]
 }

ATPDocs/deploy/activate-capabilities.md

@@ -117,8 +117,8 @@ The first time you activate Defender for Identity capabilities on your domain co
 Defender for Identity capabilities on domain controllers currently support the following Defender for Identity functionality:
 
 - Investigation features on the [ITDR dashboard](#check-the-itdr-dashboard), [identity inventory](#confirm-entity-page-details), and [identity advanced hunting data](#test-advanced-hunting-tables)
-- [Specified security posture recommendations](#test-identity-security-posture-management-ispm-recommendations)
-- [Specified alert detections](#test-alert-functionality)
+- [Security posture recommendations](#test-identity-security-posture-management-ispm-recommendations)
+- [Alert detections](#test-alert-functionality)
 - [Remediation actions](#test-remediation-actions)
 - [Automatic attack disruption](/microsoft-365/security/defender/automatic-attack-disruption)
 

ATPDocs/deploy/remote-calls-sam.md

@@ -7,10 +7,14 @@ ms.topic: how-to
 
 # Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity
 
+> [!IMPORTANT]
+> Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025.
+> 
+
 Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
 
 > [!NOTE]
-> This feature can potentially be exploited by an adversary to obtain the Net-NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
+> This feature can potentially be exploited by an adversary to obtain the NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
 > The new Defender for Identity sensor (version 3.x) is not affected by this issue as it uses different detection methods.
 > 
 > It is recommended to use a [low privileged DSA account](directory-service-accounts.md#grant-required-dsa-permissions). You can also [contact support](../support.md) to open a case and request to completely disable the [Lateral Movement Paths](../security-assessment-riskiest-lmp.md) data collection capability.

ATPDocs/health-alerts.md

@@ -32,6 +32,15 @@ The Microsoft Defender for Identity **Health issues** page lets you know when th
 
     :::image type="content" source="media/health-issues/close-suppress.png" alt-text="Screenshot of a health issue details pane." lightbox="media/health-issues/close-suppress.png":::
 
+## Health issue status
+
+Health issues in Microsoft Defender for Identity can have different statuses depending on their state and how they're handled. 
+
+- **Open:**: The health issue is marked as open. 
+- **Closed:** A health issue is automatically marked as **Closed** when Microsoft Defender for Identity detects that the underlying issue is resolved. If you have [Azure ATP (workspace name) Administrator](/defender-for-identity/role-groups#defender-for-identity-security-groups)  you can also manually close a health issue.
+- **Suppressed:** If you have Azure ATP (workspace name) Administrators permissions, you can suppress the health alert for seven days. Suppress a health alert if you're aware of an expected temporary known issue, for example, taking down a machine for maintenance.
+
+For example, if a domain controller is taken offline for maintenance, a "Sensor stopped communicating" alert might be triggered. You can use the API to change the alert status from Open to Suppressed. Once the domain controller is back online, revert the status to Open and let Microsoft Defender for Identity close the alert automatically when the issue is resolved.
 
 ## Health issues
 
@@ -43,7 +52,7 @@ Sensor-specific health issues are displayed in the **Sensor health issues** tab
 
 |Alert|Description|Resolution|Severity|Displayed in|
 |----|----|----|----|----|
-|The virtual machines that the listed Defender for Identity sensors are installed on has a network configuration mismatch. This issue may affect the performance and reliability of the sensors.|Review the network interface settings, including disabling the Large Send Offload (LSO), and follow the instructions in [here](https://aka.ms/mdi/vmware-sensor-issue).|High|Sensors health issues tab|
+|The virtual machines that the listed Defender for Identity sensors is installed on has a network configuration mismatch. This issue might affect the performance and reliability of the sensors.|Review the network interface settings, including disabling the Large Send Offload (LSO), and follow the instructions in [here](https://aka.ms/mdi/vmware-sensor-issue).|High|Sensors health issues tab|
 
 ### A domain controller is unreachable by a sensor
 

ATPDocs/identity-inventory.md

@@ -28,15 +28,15 @@ The Identities inventory page includes the following tabs:
 
 - **Identities**: A consolidated view of identities across Active Directory, Entra ID. This Identities tab highlights key details, including identity types, and user's information.
 
-- **Cloud application accounts:** Displays a list of cloud application accounts, including those from application connectors and third-party sources (original available in the previous version based on Microsoft Defender for Cloud Apps). Learn more about [Cloud application accounts from connected apps.](/defender-cloud-apps/accounts) 
+- **Cloud application accounts:** Displays a list of cloud application accounts, including those from application connectors and third-party sources (original available in the previous version based on Microsoft Defender for Cloud Apps). Learn more about [Cloud application accounts from connected apps.](/defender-cloud-apps/accounts)
 
 There are several options you can choose from to customize the identities list view. On the top navigation you can:
 
 - Add or remove columns.
 
 - Apply filters.
 
-- Search for an identity by name or full UPN, SID and Object ID. 
+- Search for an identity by name or full UPN, SID, and Object ID. 
 
 - Export the list to a CSV file.
 
@@ -49,23 +49,23 @@ There are several options you can choose from to customize the identities list v
 
 ### Identity details 
 
-The **Identities** list offers a consolidated view of identities across Active Directory and Entra ID. It highlights key details, including the following columns by default:
+The **Identities** list offers a consolidated view of identities across Active Directory and Microsoft Entra IDs. It highlights key details, including the following columns by default:
 
 - __Display name__ – The full name of the identity as shown in the directory.
 
 - __SID__ – The Security Identifier, a unique value used to identify the identity in Active Directory.
 
 - __Domain__ – The Active Directory domain to which the identity belongs.
 
-- __Object ID__ – A unique identifier for the identity in Entra ID.
+- __Object ID__ – A unique identifier for the identity in Microsoft Entra ID.
 
-- __Source__ – Indicates whether the identity is on-premises (originate from Active Directory), Cloud only (Entra ID) or Hybrid (synced from AD to Entra ID).
+- __Source__ – Indicates whether the identity is on-premises (originate from Active Directory), Cloud only (Entra ID) or Hybrid (synced from Azure Active Directory to Entra ID).
 
 - __Type__ – Specifies if the identity is a user account or service account.
 
 - __UPN (User Principal Name)__ – The unique login name of the identity in an email-like format.
 
-- __Tags__ – Custom labels that help categorize or classify identities: Sensitive and Honeytoken.
+- __Tags__ – Custom labels that help categorize identities that are considered high value assets. For example, **Sensitive**, **Honeytoken** or **Privileged Accounts** managed by a [Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-configure) (PIM) service.
 
 - __Created time__ – The timestamp when the identity was first created.
 
@@ -75,7 +75,7 @@ The **Identities** list offers a consolidated view of identities across Active D
 
 - __Last updated__ – The timestamp of the most recent update to the identity's attributes in Active Directory.
 
-Non-default columns: Email and Entra ID risk level.  
+Nondefault columns: Email and Microsoft Entra ID risk level.  
 
 > [!TIP]
 > To see all columns, you likely need to do one or more of the following steps:
@@ -99,13 +99,13 @@ You can apply the following filters to limit the list of identities and get a mo
 
 - Account status
 
-Sort option applies to Display name, Domain and Created time columns.
+Sort option applies to Display name, Domain, and Created time columns.
 
 ### Identity inventory insights 
 
 - The __Classify critical assets__ card allows you to define identity groups as business critical. For more information, see [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management). 
 
-- **Highly privileged identities** card helps you investigate in Advanced hunting all sensitive accounts in your organization, including Entra ID security administrators and Global admin users.
+- **Highly privileged identities** card helps you investigate in Advanced hunting all sensitive accounts in your organization, including Microsoft Entra ID security administrators and Global admin users.
 
 - **Critical Active Directory service accounts** card helps you quickly identify all Active Directory accounts designated as critical, making it easier to focus on identities most at risk.
 

ATPDocs/identity-security-initiative.md

@@ -0,0 +1,85 @@
+---
+title: Identity Security Initiative
+description: Learn how to enhance your organization's identity security using the Identity Security Initiative in Microsoft Defender XDR.
+ms.topic: overview
+ms.date: 04/05/2025
+---
+
+# Identity Security Initiative (Preview)
+
+Identity security is the practice of protecting the digital identities of individuals and organizations. This includes protecting passwords, usernames, and other credentials that can be used to access sensitive data or systems. Identity security is essential for protecting against a wide range of cyber threats, including phishing, malware, and data breaches.
+
+## Prerequisites
+
+- Your organization must have a Microsoft Defender for Identity license.
+- [Review prerequisites and permissions needed](/security-exposure-management/prerequisites) for working with Security Exposure Management.
+
+## View Identity Security Initiatives
+1. Navigate to the [Microsoft Defender portal](https://security.microsoft.com/).
+1. From the Exposure management section on the navigation bar, select **Exposure insights** **>** **Initiatives** to open the Identity Security page.
+
+   :::image type="content" source="media/identity-security-initiative/screenshot-of-the-identity-security-initiative-page.png" alt-text="Screenshot showing the Identity security initiative page." lightbox="media/identity-security-initiative/screenshot-of-the-identity-security-initiative-page.png":::
+
+## Review security metrics
+
+Metrics in security initiatives help you to measure exposure risk for different areas within the initiative. Each metric gathers together one or more recommendations for similar assets.
+Metrics can be associated with one or more initiatives.
+
+On the **Metrics** tab of an initiative, or in the Metrics section of Exposure Insights, you can see the metric state, its effect, and relative importance in an initiative, and recommendations to improve the metric.
+We recommend that you prioritize metrics with the highest impact on Initiative Score level. This composite measure considers both the weight value of each recommendation and the percentage of noncompliant recommendations.
+
+:::image type="content" source="media/identity-security-initiative/screenshot-of-the-security-metrics-page.png" alt-text="Screenshot showing the security metrics page." lightbox="media/identity-security-initiative/screenshot-of-the-security-metrics-page.png":::
+
+
+|Metric property |Description  |
+|---------|---------|
+|**Metric name**    | The name of the metric.        |
+|**Progress**   |Shows the improvement of the exposure level for the metric from 0 (high exposure) to 100 (no exposure).         |
+|**State**   | Shows if the metric needs attention or if the target was met.       |
+|**Total assets**  | Total number of assets under the metric scope.        |
+|**Recommendations**   | Security recommendations associated with the metric.        |
+|**Weight**    | The relative weight (importance) of the metric within the initiative, and its effect on the initiative score. Shown as High, Medium, and Low. It can also be defined as Risk accepted.        |
+|**14-day trend** | Shows the metric value changes over the last 14 days.        |
+|**Last updated** | Shows a timestamp of when the metric was last updated.
+
+> [!NOTE]
+> The Affected assets experience isn't fully supported during the Preview phase.
+
+## View Identity security recommendations 
+
+ The Security recommendations tab displays a list of prioritized remediation actions related to your identity security posture. Each recommendation is evaluated for compliance and mapped to its corresponding risk impact, workload, and domain. This view helps you triage and take action based on urgency and business relevance.
+
+:::image type="content" source="media/identity-security-initiative/screenshot-showing-the-security-recommendations-page.png" alt-text="Showing showing the security recommendations page." lightbox="media/identity-security-initiative/screenshot-showing-the-security-recommendations-page.png":::
+
+Sort the recommendations by any of the headings or filter them based on your task needs. 
+
+| **Column**             | **Description**                                                                 |
+|------------------------|---------------------------------------------------------------------------------|
+| **Name**               | The name of the recommended action (for example, *Configure VPN integration*, *Enable MFA*). |
+| **State**              | Indicates whether the recommendation is *Compliant* or *Not Compliant*.         |
+| **Impact**             | The security impact level (Low, Medium, or High) of implementing the recommendation. |
+| **Workload**           | The Microsoft service area the recommendation applies to (for example, Defender for Identity, Microsoft Entra ID). |
+| **Domain**             | The security domain (for example, identity, apps) associated with the recommendation.   |
+| **Last calculated**    | The most recent time the recommendation's status was evaluated.                 |
+| **Last state change**  | When the recommendation’s compliance state last changed.                        |
+| **Related initiatives**| Number of security initiatives impacted by this recommendation.                 |
+| **Related metrics**    | Number of security metrics that this recommendation contributes to.             |
+
+Security Exposure Management categorizes recommendations by compliance status, as follows:
+
+- **Compliant**: Indicates that the recommendation was implemented successfully.
+- **Not complaint**: Indicates that the recommendation wasn't fixed.
+
+## Set target score
+
+You can set a customized target score for the initiative, taking your organization’s unique set of circumstances, priorities, and risk appetite into account.
+
+To set a target store, select the initiative, and then select **Set target score** from the top of the initiative pane.
+
+:::image type="content" source="media/identity-security-initiative/set-target-score.png" alt-text="Screenshot showing the set target score button." lightbox="media/identity-security-initiative/set-target-score.png":::
+
+## Related content
+
+- [Review security initiatives](/security-exposure-management/initiatives)
+
+- [Investigate security initiative metrics](/security-exposure-management/security-metrics)