Merge branch 'main' into docs-editor/whats-new-1758828567

LiorShapiraa · web-flow · commit 336c50ceafbe · 2025-09-29T15:53:05.000+03:00
diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md
@@ -446,17 +446,18 @@ Configure filesystems to be unmonitored/excluded from real-time protection (RTP)
 > [!NOTE] 
 > Configured filesystem is unmonitored only if it's present in Microsoft's list of permitted unmonitored filesystems.
 
-By default, NFS and Fuse are unmonitored from RTP, Quick, and Full scans. However, they can still be scanned by a custom scan. For example, to remove NFS from the list of unmonitored filesystems list, update the managed config file as shown below. This will automatically add NFS to the list of monitored filesystems for RTP.
+By default, `cifs`, `fuse`, `nfs`, `nfs4` and `smb` are unmonitored from RTP, Quick, and Full scans. However, they can still be scanned by a custom scan. For example, to remove `nfs` and `nfs4` from the list of unmonitored filesystems list, update the managed config file as shown below. This will add `nfs`/`nfs4` to the list of monitored filesystems for RTP. 
+Currently monitoring `nfs4`, `cifs` and `smb` filesystems is in preview mode for RTP mode.
 
 ```JSON
 {
    "antivirusEngine":{
-      "unmonitoredFilesystems": ["Fuse"]
+      "unmonitoredFilesystems": ["cifs","fuse","smb"]
   }
 }
 ```
 
-To remove both NFS and Fuse from unmonitored list of filesystems, use the following snippet:
+To remove all entries from unmonitored list of filesystems, use the following snippet:
 
 ```JSON
 {
@@ -1126,4 +1127,4 @@ To verify that your `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json` is wor
 
 Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint on Linux reads the managed configuration from `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`.
 
-[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
+[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-for-cloud-apps/cloud-discovery-anonymizer.md b/defender-for-cloud-apps/cloud-discovery-anonymizer.md
@@ -87,9 +87,12 @@ To resolve (deanonymize) usernames in Cloud Discovery data:
 
         ![Anonymize resolve pop-up.](media/anonymize-resolve-dialog.png)
 
-1. The action is audited in the portal's **Governance log**.
+1. The action is audited in the portal's **Audit log**.
+
+> [!NOTE]
+> Starting October,2025 - **Resolve Anonymization** actions are no longer part of **Governance logs**. Instead, they will be audited in the **Activity log** only.
+
 
-    ![Anonymization action in governance log.](media/anonymize-gov-log.png)
 
 ## Next steps
 
diff --git a/defender-for-cloud-apps/cloud-discovery-custom-apps.md b/defender-for-cloud-apps/cloud-discovery-custom-apps.md
@@ -39,9 +39,13 @@ After the app is created, it's available for you in the cloud app catalog.
 At any time, you can select the three dots at the end of the row to edit or delete a custom app.
 
 >[!NOTE]
-> Custom apps are automatically tagged with the **Custom app** tag after you add them. This app tag cannot be removed.
+> Custom apps are automatically tagged with the **Custom app** tag after you add them.
 In order to view all your custom apps, set the **App tag** filter to be equal to *Custom app*.
 
+>[!NOTE]
+> Avoid adding Custom apps when you are using the **Remove all tags** feature. 
+Using Remove all tags will also remove the Custom App tag of the app.
+
 ## Next steps
 
 > [!div class="nextstepaction"]
diff --git a/defender-for-identity/architecture.md b/defender-for-identity/architecture.md
@@ -1,7 +1,7 @@
 ---
 title: Architecture | Microsoft Defender for Identity
 description: Learn about the Microsoft Defender for Identity system architecture and related components.
-ms.date: 09/14/2023
+ms.date: 09/28/2025
 ms.topic: overview
 #CustomerIntent: As a Defender for Identity user, I want to understand the relevant components and how they interact with the rest of my environment so that I can best use Defender for Identity features.
 ms.reviewer: morRubin
@@ -29,7 +29,7 @@ Defender for Identity sensors can be directly installed on the following servers
   - **Domain controllers**: The sensor directly monitors domain controller traffic, without the need for a dedicated server, or configuration of port mirroring.
   - **AD FS / AD CS**: The sensor directly monitors network traffic and authentication events.
 - **Defender for Identity cloud service**  
-Defender for Identity cloud service runs on Azure infrastructure and is currently deployed in Europe, UK, Switzerland, North America/Central America/Caribbean, Australia East, Asia, and India. Defender for Identity cloud service is connected to Microsoft's intelligent security graph.
+Defender for Identity is a cloud-based service that operates on Azure infrastructure and is currently deployed across [multiple regions](/defender-for-identity/privacy-compliance/#data-location).
 
 ## Microsoft Defender portal
 
diff --git a/defender-for-identity/deploy/deploy-defender-identity.md b/defender-for-identity/deploy/deploy-defender-identity.md
@@ -21,8 +21,8 @@ Once you've completed the steps to prepare your environment, and assigned roles
 Identify your architecture and your requirements, and then use the table below to select the appropriate deployment for the servers in your environment. 
 
 |Server configuration   |Server Operating System  |Recommended deployment |
-|---------|---------|---------|---------|
-|Domain controller     | Windows Server 2019 or later with the [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) or later.<br> * **See Note**.|[Defender for Identity sensor v3.x (Preview)](prerequisites-sensor-version-3.md)<br> * **See Note**.        |
+|---------|---------|---------|
+|Domain controller     | Windows Server 2019 or later with the [June 2025 Cumulative Update](https://support.microsoft.com/en-us/topic/june-10-2025-kb5060526-os-build-20348-3807-4e9453c4-6602-48ea-b349-689cd66dfdb9) or later.<br> * **See Note**.|[Defender for Identity sensor v3.x (Preview)](prerequisites-sensor-version-3.md)<br> * **See Note**.        |
 |Domain controller      |Windows Server 2016 or later         |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)         |
 |[Active Directory Federation Services (AD FS)](active-directory-federation-services.md)     |    Windows Server 2016 or later      |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
 |[Active Directory Certificate Services (AD CS)](active-directory-federation-services.md)     |  Windows Server 2016 or later        |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
diff --git a/defender-for-identity/investigate-assets.md b/defender-for-identity/investigate-assets.md
@@ -59,8 +59,10 @@ When you investigate a specific identity, you'll see the following details on an
 |[Overview tab](/microsoft-365/security/defender/investigate-users#overview)       | General identity data, such as the Microsoft Entra identity risk level, the number of devices the user is signed in to, when the user was first and last seen, the user's accounts and more important information.  <br><br>Use the **Overview** tab to also view graphs for incidents and alerts, and an organizational tree, entity tags.       |
 |[Incidents and alerts](/microsoft-365/security/defender/investigate-users#incidents-and-alerts)     | Lists active incidents and alerts involving the user from the last 180 days, including details like alert severity and the time the alert was generated. |
 |[Observed in organization](/microsoft-365/security/defender/investigate-users#observed-in-organization)     |   Includes the following sub-areas: <br>- **Devices**: The devices that the identity signed in to, including most and least used in the last 180 days. <br>- **Locations**: The identity's observed locations over the last 30 days. <br>- **Groups**: All observed on-premises groups for the identity. <br> - **Lateral movement paths** - all profiled lateral movement paths from the on-premises environment. |
-|[Identity timeline](/microsoft-365/security/defender/investigate-users#timeline)     | The timeline represents activities and alerts observed from a user's identity from the last 180 days, unifying identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. <br><br>Use the timeline to focus on activities a user performed or were performed on them in specific timeframes. Select the default **30 days** to change the time range to another built-in value, or to a custom range.       |
-|[Remediation actions](/microsoft-365/security/defender/investigate-users#remediation-actions)      |     Respond to compromised users by disabling their accounts or resetting their password. After taking action on users, you can check on the activity details in the Microsoft Defender XDR **Action center.|
+|[Identity timeline](/microsoft-365/security/defender/investigate-users#timeline)     |The timeline represents activities and alerts observed from a user's identity from the last 180 days, unifying identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. <br><br>Use the timeline to focus on activities a user performed or were performed on them in specific timeframes. Select the default **30 days** to change the time range to another built-in value, or to a custom range.       |
+|Security recommendations|This tab displays all active security posture assessments (ISPMs) associated with an identity account. It includes Defender for Identity recommendations across available identity providers such as Active Directory, Okta, and others. Selecting an ISPM pivots you to the recommendation page in Microsoft Secure Score for additional details.|
+|Attack paths|This tab provides visibility into potential attack paths leading to a critical identity or involving it within the path, helping assess security risks. For more information, see Overview of attack path within Exposure Management.|
+|[Remediation actions](/microsoft-365/security/defender/investigate-users#remediation-actions)      |Respond to compromised users by disabling their accounts or resetting their password. After taking action on users, you can check on the activity details in the Microsoft Defender XDR **Action center.|
 
 > [!NOTE]
 > **Investigation Priority Score** has been deprecated on December 3, 2024. As a result, both the Investigation Priority Score breakdown and the scored activity timeline cards have been removed from the UI. 
diff --git a/defender-for-identity/privacy-compliance.md b/defender-for-identity/privacy-compliance.md
@@ -1,7 +1,7 @@
 ---
 title: Microsoft Defender for Identity – privacy
 description: Learn how Microsoft Defender for Identity collects data in a manner that protects personal privacy.
-ms.date: 06/06/2024
+ms.date: 09/28/2025
 ms.topic: article
 #customerIntent: To learn how Microsoft Defender for Identity collects data in a manner that protects personal privacy.
 ms.reviewer: rlitinsky
@@ -30,7 +30,7 @@ Defender for Identity operates in the Microsoft Azure data centers in the follow
 - North America (East US, West US, West US2)
 - Switzerland (Switzerland North, Switzerland West)
 - United Kingdom (UK South)
-
+- United Arab Emirates (North and Central)
 
 Customer data collected by the service might be stored as follows:
 
diff --git a/defender-for-identity/sensor-settings.md b/defender-for-identity/sensor-settings.md
@@ -227,7 +227,7 @@ To update the Defender for Identity sensor silently:
 
 ## Configure proxy settings
 
-We recommend that you configure initial proxy settings during installation [using command line switches](deploy/install-sensor.md#perform-a-defender-for-identity-silent-installation). If you need to update your proxy settings later on, use either the [CLI](deploy/configure-proxy.md#change-proxy-configuration-using-the-cli) or [PowerShell](deploy/configure-proxy.md#change-proxy-configuration-using-powershell).
+We recommend that you configure initial proxy settings during silent installation [using command line switches](deploy/install-sensor.md#perform-a-defender-for-identity-silent-installation). If you need to update your proxy settings later on, use either the [CLI](deploy/configure-proxy.md#change-proxy-configuration-using-the-cli) or [PowerShell](deploy/configure-proxy.md#change-proxy-configuration-using-powershell).
 
 If you'd previously configured your proxy settings via either WinINet or a registry key and need to update them, you'll need to [use the same method](deploy/configure-proxy.md#change-proxy-configuration-using-legacy-methods) you used originally.
 
diff --git a/defender-for-identity/whats-new.md b/defender-for-identity/whats-new.md
@@ -30,6 +30,10 @@ For updates about versions and features released six months ago or earlier, see
 We've added a new tab on the Identity profile page that contains all active identity-related identity security posture assessments (ISPMs). This feature consolidates all identity-specific security posture assessments into a single contextual view, helping security teams quickly spot weaknesses and take targeted actions.   
 For more information, see [Investigate users in Microsoft Defender XDR](/microsoft-365/security/defender/investigate-users).
 
+### New Regional Availability: United Arab Emirates
+Defender for Identity data centers are now also deployed in the United Arab Emirates, North and Central regions. For the most current list of regional deployments, see [Defender for Identity data locations](/defender-for-identity/privacy-compliance/#data-location).
+
+
 ### New API support for unified agent 
 We are excited to announce the availability of a new Graph-based API for managing unified agent server actions in Microsoft Defender for Identity.
 This capability is currently in preview and available in API Beta version.
@@ -41,7 +45,7 @@ This API allows customers to:
 * Activate or deactivate the agent on eligible servers
  ​
 
-For more information, see [Managing unified agent actions through Graph API](/graph/api/resources/security-api-overview?view=graph-rest-beta).
+For more information, see [Managing unified agent actions through Graph API](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true).
 
 ### Microsoft Defender for Identity sensor version updates
 
diff --git a/defender-office-365/reports-email-security.md b/defender-office-365/reports-email-security.md
@@ -560,6 +560,7 @@ In the **View data by Email \> Spam** and **Chart breakdown by Detection Technol
 - **Fingerprint matching**: The message closely resembles a previous detected malicious message.
 - **General filter**
 - **IP reputation**: The message was from a source that was previously identified as sending spam in other Microsoft 365 organizations.
+- **Mail bombing**: Messages detected as part of a mail bombing attack where attackers flood targeted email addresses with an overwhelming volume of messages.
 - **Mixed analysis detection**: Multiple filters contributed to the verdict for the message.
 - **URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.
 
diff --git a/defender-xdr/phishing-triage-agent.md b/defender-xdr/phishing-triage-agent.md
@@ -413,6 +413,29 @@ Administrators configure the agent’s identity and access levels during install
 
 The Phishing Triage Agent operates within a zero-trust environment. The system enforces organizational policies on every agent action by evaluating the intent and scope of each operation. All decisions, reasoning, and actions taken by the agent are transparently documented as a decision tree within Defender and recorded in Microsoft Purview audit logs for traceability and compliance.
 
+
+### I want to try the Phishing Triage Agent - how do I set it up in Microsoft Defender?
+
+To try the agent, you must first have access to **Security Copilot in Microsoft Defender**. If you don’t yet have Security Copilot, see [Get started with Security Copilot](/security-copilot/get-started-security-copilot) or contact your Microsoft representative.
+
+After you enable Security Copilot, the agent setup option appears in the Microsoft Defender portal if your environment meets the necessary [prerequisites](#prerequisites). For more information on agent setup, see [Set up the Phishing Triage Agent](#set-up-the-phishing-triage-agent):
+
+ 
+### I've tried the Phishing Triage Agent - how can I estimate the SCU capacity needed for the agent in my organization?
+
+If you joined the limited-time trial, the agent automatically starts consuming SCUs provisioned for the workspace when the trial period ends.
+
+It's important to ensure that your organization has sufficient SCUs for healthy agent operation. To evaluate SCU usage and plan capacity going forward, see the [Usage monitoring dashboard in the Security Copilot portal](https://securitycopilot.microsoft.com/usage-monitoring). The dashboard shows:
+
+- **Cost per email processed**
+- **Capacity consumption over time**
+
+You can also export the dashboard data into Excel for more detailed analysis.
+
+For more information about managing SCUs, see [Manage security compute unit usage in Security Copilot](/copilot/security/manage-usage).
+
+If the agent is already running and you have sufficient capacity in your organization, no further action is required and the agent will keep running. If you choose to discontinue use, follow the [offboarding steps](#remove-the-agent) in the documentation.
+
 ## Related content
 
 - [Microsoft Security Copilot agents](/copilot/security/agents-overview)
diff --git a/unified-secops-platform/microsoft-sentinel-onboard.md b/unified-secops-platform/microsoft-sentinel-onboard.md

Original file line number	Diff line number	Diff line change
`@@ -446,17 +446,18 @@ Configure filesystems to be unmonitored/excluded from real-time protection (RTP)`
`446`	`446`	`> [!NOTE]`
`447`	`447`	`> Configured filesystem is unmonitored only if it's present in Microsoft's list of permitted unmonitored filesystems.`
`448`	`448`
`449`		`-By default, NFS and Fuse are unmonitored from RTP, Quick, and Full scans. However, they can still be scanned by a custom scan. For example, to remove NFS from the list of unmonitored filesystems list, update the managed config file as shown below. This will automatically add NFS to the list of monitored filesystems for RTP.`
	`449`	+By default, `cifs`, `fuse`, `nfs`, `nfs4` and `smb` are unmonitored from RTP, Quick, and Full scans. However, they can still be scanned by a custom scan. For example, to remove `nfs` and `nfs4` from the list of unmonitored filesystems list, update the managed config file as shown below. This will add `nfs`/`nfs4` to the list of monitored filesystems for RTP.
	`450`	+Currently monitoring `nfs4`, `cifs` and `smb` filesystems is in preview mode for RTP mode.
`450`	`451`
`451`	`452`	```JSON
`452`	`453`	`{`
`453`	`454`	`"antivirusEngine":{`
`454`		`- "unmonitoredFilesystems": ["Fuse"]`
	`455`	`+ "unmonitoredFilesystems": ["cifs","fuse","smb"]`
`455`	`456`	`}`
`456`	`457`	`}`
`457`	`458`	```
`458`	`459`
`459`		`-To remove both NFS and Fuse from unmonitored list of filesystems, use the following snippet:`
	`460`	`+To remove all entries from unmonitored list of filesystems, use the following snippet:`
`460`	`461`
`461`	`462`	```JSON
`462`	`463`	`{`
@@ -1126,4 +1127,4 @@ To verify that your `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json` is wor
`1126`	`1127`
`1127`	`1128`	Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint on Linux reads the managed configuration from `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`.
`1128`	`1129`
`1129`		`-[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]`
	`1130`	`+[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]`