MicrosoftDocs
diff --git a/‎.github/workflows/AutoPublish.yml‎
Lines changed: 4 additions & 2 deletions b/‎.github/workflows/AutoPublish.yml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎ATPDocs/accounts-with-non-default-pgid.md‎
Lines changed: 1 addition & 0 deletions b/‎ATPDocs/accounts-with-non-default-pgid.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎ATPDocs/advanced-settings.md‎
Lines changed: 1 addition & 0 deletions b/‎ATPDocs/advanced-settings.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎ATPDocs/alerts-overview.md‎
Lines changed: 1 addition & 1 deletion b/‎ATPDocs/alerts-overview.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATPDocs/architecture.md‎
Lines changed: 1 addition & 0 deletions b/‎ATPDocs/architecture.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎ATPDocs/automated-response-exclusions.md‎
Lines changed: 16 additions & 13 deletions b/‎ATPDocs/automated-response-exclusions.md‎
Lines changed: 16 additions & 13 deletions
diff --git a/‎ATPDocs/built-in-active-directory-guest-account-is-enabled.md‎
Lines changed: 4 additions & 3 deletions b/‎ATPDocs/built-in-active-directory-guest-account-is-enabled.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎ATPDocs/cef-format-sa.md‎
Lines changed: 1 addition & 0 deletions b/‎ATPDocs/cef-format-sa.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎ATPDocs/change-password-domain-administrator-account.md‎
Lines changed: 3 additions & 2 deletions b/‎ATPDocs/change-password-domain-administrator-account.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎ATPDocs/change-password-krbtgt-account.md‎
Lines changed: 1 addition & 0 deletions b/‎ATPDocs/change-password-krbtgt-account.md‎
Lines changed: 1 addition & 0 deletions
@@ -3,21 +3,23 @@ name: (Scheduled) Publish to live
 permissions:
   contents: write
   pull-requests: write
+  checks: read
 
 on:
   schedule:
-    - cron: "25 5,11,17,22 * * *" # Times are UTC based on Daylight Saving Time. Need to be adjusted for Standard Time. Scheduling at :25 to account for queuing lag.
+    - cron: "25 2,5,8,11,14,17,20,22 * * *" # Times are UTC based on Daylight Saving Time. Need to be adjusted for Standard Time. Scheduling at :25 to account for queuing lag.
 
   workflow_dispatch:
 
 jobs:
 
   auto-publish:
     if: github.repository_owner == 'MicrosoftDocs' && contains(github.event.repository.topics, 'build')
-    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoPublish.yml@workflows-prod
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoPublishV2.yml@workflows-prod
     with:
         PayloadJson: ${{ toJSON(github) }}
         EnableAutoPublish: true
+        EnableAutoMerge: true
 
     secrets:
         AccessToken: ${{ secrets.GITHUB_TOKEN }}
 
@@ -10,6 +10,7 @@ ms.author: liorshapira
 ms.service: microsoft-defender-for-identity
 ms.topic: article
 ms.date:     10/05/2024
+ms.reviewer: LiorShapiraa
 ---
 
 # Security Assessment: Accounts with non-default Primary Group ID
 
@@ -4,6 +4,7 @@ description: Learn how to configure the number of Microsoft Defender for Identit
 ms.date: 02/11/2024
 ms.topic: how-to
 #CustomerIntent: As a Microsoft Defender for Identity customer, I want to reduce the number of false positives by adjusting thresholds for specific alerts.
+ms.reviewer: rlitinsky
 ---
 
 # Adjust alert thresholds
 
@@ -3,6 +3,7 @@ title: Security alerts
 description: This article provides a list of the security alerts issued by Microsoft Defender for Identity.
 ms.date: 03/23/2023
 ms.topic: conceptual
+ms.reviewer: morRubin
 ---
 
 # Security alerts in Microsoft Defender for Identity
@@ -97,7 +98,6 @@ The following table lists the mapping between alert names, their corresponding u
 | [Suspicious modifications to the AD CS security permissions/settings](persistence-privilege-escalation-alerts.md#suspicious-modifications-to-the-ad-cs-security-permissionssettings--external-id-2435) | 2435                | Medium                                                     | Privilege escalation                                            |
 | [Account Enumeration reconnaissance (LDAP)](reconnaissance-discovery-alerts.md#account-enumeration-reconnaissance-ldap-external-id-2437-preview) (Preview) | 2437 | Medium  | Account Discovery, Domain Account |
 | [Directory Services Restore Mode Password Change](other-alerts.md#directory-services-restore-mode-password-change-external-id-2438) | 2438 | Medium  | Persistence, Account Manipulation |
-| [Honeytoken was queried via SAM-R](reconnaissance-discovery-alerts.md#honeytoken-was-queried-via-sam-r-external-id-2439) | 2439                | Low                                                     | Discovery                                            |
 |[Group Policy Tampering ](/defender-for-identity/other-alerts)|2440|Medium|Defense evasion|
 
 > [!NOTE]
 
@@ -4,6 +4,7 @@ description: Learn about the Microsoft Defender for Identity system architecture
 ms.date: 09/14/2023
 ms.topic: overview
 #CustomerIntent: As a Defender for Identity user, I want to understand the relevant components and how they interact with the rest of my environment so that I can best use Defender for Identity features.
+ms.reviewer: morRubin
 ---
 
 # Microsoft Defender for Identity architecture
 
@@ -18,27 +18,30 @@ For example, an incident involving Attack Disruption, where response actions are
 
 ## How to add automated response exclusions
 
-1. In [Microsoft Defender XDR](https://security.microsoft.com/), go to **Settings** and then **Identities**.
 
-    ![Go to Settings, then Identities.](media/settings-identities.png)
+1. In the [Microsoft Defender XDR](https://security.microsoft.com/) portal, go to **Settings** and then **Microsoft Defender XDR**.
 
-1. You'll then see **Automated response exclusions** in the left-hand menu.
+   :::image type="content" source="media/automated-response-exclusions/screenshot-xdr-settings1.png" alt-text="Go to Settings, then Microsoft Defender XDR.":::
 
-    ![Automated response exclusions.](media/automated-response-exclusions.png)
+ 
+2. You'll see **Automated response > Identities** in the left-side menu.
 
-1. To exclude specific users, select **Exclude Users**.
+    :::image type="content" source="media/automated-response-exclusions/screenshot-xdr-automated-response.png" alt-text="Go to Automated response then Identities.":::
+ 
+3. To exclude specific users, select **Add User Exclusion**.
 
-    :::image type="content" source="media/exclude-users.png" alt-text="Exclude specific users.":::
-
-1. Search for the users to exclude and select the **Exclude Users** button.
+   :::image type="content" source="media/automated-response-exclusions/screenshot-xdr-add-exclusion.png" alt-text="Exclude specific users.":::
+      
+4. Search for the users to exclude and select the **Exclude Users** button.
 
     :::image type="content" source="media/exclude-specific-users.png" alt-text="Choose which users to exclude.":::
+   
+5. To remove excluded users, select the relevant users from the list and select the **Remove** button.
 
-1. To remove excluded users, select the relevant users from the list and select the **Remove** button.
-
-    :::image type="content" source="media/remove-excluded-users.png" alt-text="Remove excluded users.":::
-
+     :::image type="content" source="media/remove-excluded-users.png" alt-text="Remove excluded users.":::
+   
 ## See also
 
 - [Configure event collection](deploy/configure-event-collection.md)
-- [Check out the Defender for Identity forum!](<https://aka.ms/MDIcommunity>)
+- [Check out the Defender for Identity forum!](https://aka.ms/MDIcommunity)
+
@@ -10,6 +10,7 @@ ms.author: liorshapira
 ms.service: microsoft-defender-for-identity
 ms.topic: article
 ms.date:     10/05/2024
+ms.reviewer: LiorShapiraa
 ---
 
 # Security Assessment: Built-in Active Directory Guest account is enabled
@@ -27,11 +28,11 @@ The on-premises Guest account is a built-in, non-nominative account that allows
 
 1. Take appropriate action on those accounts by **disabling** the account.
 
-For example:
+   For example:
 
-![Screenshot showing guest account in AD.](media/built-in-active-directory-guest-account-is-enabled/guest-account.png)
+   ![Screenshot showing guest account in AD.](media/built-in-active-directory-guest-account-is-enabled/guest-account.png)
 
-![Screenshot showing security report.](media/built-in-active-directory-guest-account-is-enabled/security-report.png)
+   ![Screenshot showing security report.](media/built-in-active-directory-guest-account-is-enabled/security-report.png)
 
 ## Next steps
 
 
@@ -3,6 +3,7 @@ title: SIEM log reference
 description: Provides samples of logs sent from Microsoft Defender for Identity to your SIEM.
 ms.date: 09/22/2024
 ms.topic: conceptual
+ms.reviewer: rlitinsky
 ---
 
 # Microsoft Defender for Identity SIEM log reference
 
@@ -10,6 +10,7 @@ ms.author: liorshapira
 ms.service: microsoft-defender-for-identity
 ms.topic: article
 ms.date:     10/05/2024
+ms.reviewer: LiorShapiraa
 ---
 
 # Security assessment: Change password of built-in domain Administrator account
@@ -28,9 +29,9 @@ Regularly updating the built-in Administrator account's password is essential du
 
 1. Take appropriate action on those accounts by resetting their password.  
 
-For example:
+   For example:
 
-![Screenshot showing the report on the portal.](media/change-password-domain-administrator-account/screenshot-of-report.png)
+   ![Screenshot showing the report on the portal.](media/change-password-domain-administrator-account/screenshot-of-report.png)
 
 ## Next steps
 
 
@@ -10,6 +10,7 @@ ms.author: liorshapira
 ms.service: microsoft-defender-for-identity
 ms.topic: article
 ms.date:     10/06/2024
+ms.reviewer: LiorShapiraa
 ---
 
 # Security Assessment: Change password for krbtgt account