Merge pull request #2558 from MicrosoftDocs/main

Ruchika-mittal01 · web-flow · commit 39fe80098a47 · 2025-01-28T00:07:53.000+05:30
Publish main to live, 01/27/25, 10:30 AM PT
diff --git a/CloudAppSecurityDocs/mde-integration.md b/CloudAppSecurityDocs/mde-integration.md
@@ -65,13 +65,12 @@ To enable Defender for Endpoint integration with Defender for Cloud Apps:
 
 1. In the [Microsoft Defender portal](https://security.microsoft.com), from the navigation pane, select **Settings** > **Endpoints** > **General** > **Advanced features**.
 1. Toggle the **Microsoft Defender for Cloud Apps** to **On**.
-1. Select **Apply**.
+1. Select **Save preferences**.
 
 >[!NOTE]
 > It takes up to two hours after you enable the integration for the data to show up in Defender for Cloud Apps.
 >
-
-![Screenshot of the Defender for Endpoint settings.](media/mde-settings.png)
+![Screenshot of the Defender for Endpoint settings.](media\turn-on-advanced-features-for-microsoft-defender-for-cloud-apps.png)
 
 To configure the severity for alerts sent to Microsoft Defender for Endpoint:
 
diff --git a/CloudAppSecurityDocs/media/mde-settings.png b/CloudAppSecurityDocs/media/mde-settings.png
diff --git a/CloudAppSecurityDocs/media/turn-on-advanced-features-for-microsoft-defender-for-cloud-apps.png b/CloudAppSecurityDocs/media/turn-on-advanced-features-for-microsoft-defender-for-cloud-apps.png
diff --git a/defender-xdr/auditing.md b/defender-xdr/auditing.md
@@ -17,7 +17,7 @@ ms.custom:
 - cx-ti
 - cx-dex
 search.appverid: met150
-ms.date: 10/30/2024
+ms.date: 01/14/2025
 ---
 
 # Auditing
@@ -28,7 +28,7 @@ ms.date: 10/30/2024
 
 As a tenant administrator, you can use Microsoft Purview to search the audit logs for the times Microsoft Defender Experts signed into your tenant and the actions they did there to perform their investigations. You can also search the audit logs for the changes done by your tenant administrators to the Defender Experts settings.
 
-[Audit (Standard)](/microsoft-365/compliance/audit-solutions-overview) is turned on by default for all Microsoft Defender Experts for XDR customers when paid licenses are assigned to the tenant. If you have a trial license, work with your service delivery manager to turn on Audit if it isn't yet.
+Auditing is automatically turned on in the Microsoft Defender portal. Features that are audited are logged in the audit log automatically. Auditing can also collect audit logs from GCC environments.
 
 > [!NOTE]
 > Make sure you have the right [permissions](/microsoft-365/compliance/audit-log-search#before-you-search-the-audit-log) to search for audit logs.
diff --git a/defender-xdr/microsoft-365-defender-portal.md b/defender-xdr/microsoft-365-defender-portal.md
@@ -38,6 +38,7 @@ To learn more about the services that are part of the Microsoft Defender portal,
 - **[Microsoft Security Copilot embedded experience in the Microsoft Defender portal](security-copilot-in-microsoft-365-defender.md)**
 - **[Microsoft Defender for IoT enterprise monitoring in the Microsoft Defender portal](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint)**
 - **[Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal)**
+- **[Microsoft Purview Insider Risk Management alerts in the Microsoft Defender portal](irm-investigate-alerts-defender.md)**
 
 [!INCLUDE [unified-soc-preview](../includes/unified-soc-preview.md)]
 
diff --git a/defender-xdr/microsoft-365-defender.md b/defender-xdr/microsoft-365-defender.md
@@ -40,6 +40,7 @@ Microsoft Defender XDR helps security teams protect and detect their organizatio
 - [**Microsoft Entra ID Protection**](/azure/active-directory/identity-protection/overview-identity-protection)
 - [**Microsoft Data Loss Prevention**](/microsoft-365/compliance/dlp-learn-about-dlp)
 - [**App Governance**](/defender-cloud-apps/app-governance-manage-app-governance)
+- [**Microsoft Purview Insider Risk Management**](/purview/insider-risk-management-solution-overview)
 
 With the integrated Microsoft Defender XDR solution, security professionals can stitch together the threat signals that each of these products receive and determine the full scope and impact of the threat; how it entered the environment, what it's affected, and how it's currently impacting the organization. Microsoft Defender XDR takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities.
 
diff --git a/defender-xdr/microsoft-xdr-auditing.md b/defender-xdr/microsoft-xdr-auditing.md
@@ -1,6 +1,6 @@
 ---
 title: Search the audit log for events in Microsoft Defender XDR
-description: Learn about the Microsoft Defender XDR activities that are logged in the Microsoft 365 audit log.
+description: Learn how to use the audit log to search for Microsoft Defender XDR activities to help with investigation.
 ms.service: defender-xdr
 ms.author: diannegali
 author: diannegali
@@ -10,21 +10,21 @@ audience: ITPro
 ms.collection: 
 - m365-security
 - tier3
-ms.topic: overview
-ms.date: 08/14/2024
+ms.topic: how-to
+ms.date: 01/14/2025
 search.appverid: met150
+appliesto:
+- Microsoft Defender for Endpoint Plan 2
+- Microsoft Defender XDR
+
+#customer intent: As a SOC analyst, I want to learn how to use the audit log to search for Microsoft Defender XDR activities to help with investigation.
 ---
 
 # Search the audit log for events in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- [Microsoft Defender for Endpoint Plan 2](/defender-endpoint/microsoft-defender-endpoint)
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-
-The audit log can help you investigate specific activities across Microsoft 365 services. In the Microsoft Defender portal, Microsoft Defender XDR and Microsoft Defender for Endpoint activities are audited. Some of the activities audited are:
+The audit log helps you investigate specific activities across Microsoft 365 services. In the Microsoft Defender portal, Microsoft Defender XDR and Microsoft Defender for Endpoint activities are audited. Some of the activities audited are:
 
 - Changes to data retention settings
 - Changes to advanced features
@@ -36,33 +36,25 @@ The audit log can help you investigate specific activities across Microsoft 365
 
 For a complete list of Microsoft Defender XDR activities that are audited, see [Microsoft Defender XDR activities](#microsoft-defender-xdr-activities) and [Microsoft Defender for Endpoint activities](#microsoft-defender-for-endpoint-activities).
 
-## Requirements
+Auditing is automatically turned on for Microsoft Defender XDR. Features that are audited are logged in the audit log automatically. Auditing can also collect audit logs from GCC environments.
+
+## Prerequisites
 
 To access the audit log, you need to have the **View-Only Audit Logs** or **Audit Logs** role in Exchange Online. By default, those roles are assigned to the Compliance Management and Organization Management role groups.
 
 > [!NOTE]
 > Global administrators in Office 365 and Microsoft 365 are automatically added as members of the Organization Management role group in Exchange Online.
 
-## Turn on auditing in Microsoft Defender XDR
-
-Microsoft Defender XDR uses the [Microsoft Purview auditing solution](/purview/audit-solutions-overview), before you can look at the audit data in the Microsoft Defender XDR portal:
-
-- You should confirm that auditing is turned on in the Microsoft Purview compliance portal. For more information, see [Turn auditing on or off](/purview/audit-log-enable-disable).
-
-- Follow the steps below to enable the unified audit log in the Microsoft Defender XDR portal:
-    1. Log in to [Microsoft Defender XDR](https://security.microsoft.com/homepage) using an account with the Security administrator or Global administrator role assigned.
-    2. In the navigation pane, select **Settings** \> **Endpoints** \> **Advanced features**.
-    3. Scroll own to **Unified audit log** and toggle the setting to **On**.
-
-   :::image type="content" source="/defender/media/defender/unified-audit-log.png" alt-text="Screenshot of the unified audit log toggle in Microsoft Defender XDR advanced settings" lightbox="/defender/media/defender/unified-audit-log.png":::
-    4. Select **Save preferences**.
+Microsoft Defender XDR uses the [Microsoft Purview auditing solution](/purview/audit-solutions-overview). Before you can look at the audit data in the Microsoft Defender portal, you need to turn on auditing in the Microsoft Purview compliance portal. For more information, see [Turn auditing on or off](/purview/audit-log-enable-disable).
 
 > [!IMPORTANT]
-> Global Administrator is a highly privileged role that should be limited to scenarios when you can't use an existing role. Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization.
+> Global Administrator is a highly privileged role that should be limited to scenarios when you can't use an existing role. Microsoft recommends that you use roles with the fewest permissions. Using accounts with lower permissions helps improve security for your organization.
 
-## Using the audit search in Microsoft Defender XDR
+## Search the audit log
 
-1. To retrieve audit logs for Microsoft Defender XDR activities, navigate to the [Microsoft Defender XDR Audit page](https://security.microsoft.com/auditlogsearch) or go to the [Purview compliance portal](https://compliance.microsoft.com) and select **Audit**.
+Follow these steps to search the audit log:
+
+1. Navigate to the [Microsoft Defender portal's Audit page](https://security.microsoft.com/auditlogsearch) or go to the [Purview compliance portal](https://compliance.microsoft.com) and select **Audit**.
 
    :::image type="content" source="/defender/media/defender/unified-audit-log-xdr.png" alt-text="Screenshot of the unified audit log page in Microsoft Defender XDR " lightbox="/defender/media/defender/unified-audit-log-xdr.png":::
 
@@ -94,7 +86,7 @@ For a list of all events that are logged for user and admin activities in Micros
 - [Response action activities in Defender for Endpoint in the audit log](/purview/audit-log-activities#microsoft-defender-for-endpoint-reponse-actions-activities)
 - [Roles settings activities in Defender for Endpoint in the audit log](/purview/audit-log-activities#microsoft-defender-for-endpoint-roles-settings-activities)
 
-## Using a PowerShell script
+## Search for events using a PowerShell script
 
 You can use the following PowerShell code snippet to query the Office 365 Management API to retrieve information about Microsoft Defender XDR events:
 
@@ -108,10 +100,10 @@ Search-UnifiedAuditLog -StartDate 2023/03/12 -EndDate 2023/03/20 -RecordType <ID
 >[!NOTE]
 > See the API column in Audit activities included for the record type values.
 
-## Additional resources
+For more information, see [Use a PowerShell script to search the audit log](/purview/audit-log-search-script)
+
+## See also
 
-- [Search the audit log in the compliance center](/purview/audit-new-search)
-- [Use a PowerShell script to search the audit log](/purview/audit-log-search-script)
 - [Detailed properties in the audit log](/purview/audit-log-detailed-properties)
 - [Export, configure, and view audit log records](/purview/audit-log-export-records)
 - [Office 365 Management Activity API reference](/office/office-365-management-api/office-365-management-activity-api-reference)
diff --git a/defender-xdr/mto-overview.md b/defender-xdr/mto-overview.md
@@ -8,17 +8,17 @@ ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: 
-  - m365-security
-  - highpri
-  - tier1
-  - usx-security
+- m365-security
+- highpri
+- tier1
+- usx-security
 ms.topic: conceptual
-ms.date: 09/30/2024
+ms.date: 01/27/2025
 appliesto:
-  - Microsoft Defender XDR
-  - Microsoft Sentinel in the Microsoft Defender portal
-  - Microsoft Defender for Endpoint Plan 2
-  - Microsoft Defender for Office 365 P2
+- Microsoft Defender XDR
+- Microsoft Sentinel in the Microsoft Defender portal
+- Microsoft Defender for Endpoint Plan 2
+- Microsoft Defender for Office 365 P2
 ---
 
 # Microsoft Defender multitenant management
@@ -71,9 +71,6 @@ The following key capabilities are available for each tenant you have access to
 |**Endpoints** > **Vulnerability management** > **Tenants** |For all tenants and at a tenant-specific level, explore vulnerability management information across different values such as exposed devices, security recommendations, weaknesses, and critical CVEs. |
 |**Configuration** > **Settings**|Lists the tenants you have access to. Use this page to view and manage your tenants.|
 
-> [!NOTE]
-> The content distribution capability is not yet available for all GCC, GCC High, and DoD customers.
-
 ## Next steps
 
 - [Set up Microsoft Defender multitenant management](mto-requirements.md)
diff --git a/defender-xdr/portals.md b/defender-xdr/portals.md
@@ -4,7 +4,7 @@ description: Find the right Microsoft admin center or portal for managing variou
 ms.service: defender-xdr
 ms.localizationpriority: medium
 f1.keywords:
-  - NOCSH
+- NOCSH
 ms.author: dansimp
 author: dansimp
 manager: dansimp
@@ -14,14 +14,14 @@ ms.collection:
 - tier3
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 04/03/2024
+ms.date: 01/27/2025
 ---
 
 # Microsoft security portals and admin centers
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-While [Microsoft Defender portal](microsoft-365-defender-portal.md) is the new home for monitoring and managing security across your identities, data, devices, and apps, you need to access various portals for certain specialized tasks.
+While [Microsoft Defender portal](microsoft-365-defender-portal.md) is the home for monitoring and managing security across your identities, data, devices, and apps, you need to access various portals for certain specialized tasks.
 
 > [!TIP]
 > To access various relevant portals from Microsoft Defender portal, select **More resources** in the navigation pane.
@@ -33,8 +33,6 @@ Security operators and admins can go to the following portals to manage security
 | Portal name | Description | Link |
 |---|---|---|
 | Microsoft Defender portal | Monitor and respond to threat activity and strengthen security posture across your identities, email, data, endpoints, and apps with [Microsoft Defender XDR](microsoft-365-defender.md) | [security.microsoft.com](https://security.microsoft.com/)  <br/><br/>The Microsoft Defender portal is where you view and manage alerts, incidents, settings, and more. |
-| Microsoft Defender Security Center | Monitor and respond to threat activity on your endpoints using capabilities provided with [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint).  Most tenants should now be redirected to the Microsoft Defender portal at [security.microsoft.com](https://security.microsoft.com/).  | [securitycenter.windows.com](https://securitycenter.windows.com) |
-| Office 365 Security & Compliance Center | Manage [Exchange Online Protection](/defender-office-365/eop-about) and [Microsoft Defender for Office 365](/defender-office-365/mdo-about) to protect your email and collaboration services, and ensure compliance to various data-handling regulations.  Most tenants using the security sections of the Office 365 Security & Compliance Center should now be redirected to the Microsoft Defender portal at [security.microsoft.com](https://security.microsoft.com/). | [protection.office.com](https://protection.office.com) |
 | Defender for Cloud portal | Use [Microsoft Defender for Cloud](/azure/security-center/security-center-intro) to strengthen the security posture of your data centers and your hybrid workloads in the cloud | [portal.azure.com/#blade/Microsoft_Azure_Security](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0) |
 | Microsoft Security Intelligence portal | Get security intelligence updates for Microsoft Defender for Endpoint, submit samples, and explore the threat encyclopedia | [microsoft.com/wdsi](https://microsoft.com/wdsi) |
 
@@ -47,10 +45,10 @@ Although these portals aren't specifically for managing security, they support v
 | Microsoft Entra admin center | Access and administer the [Microsoft Entra](/entra) family to protect your business with decentralized identity, identity protection, governance, and more, in a multicloud environment | [entra.microsoft.com](https://entra.microsoft.com/) |
 | Azure portal | View and manage all your [Azure resources](/azure/azure-resource-manager/management/overview)  | [portal.azure.com](https://portal.azure.com/) |
 | Microsoft Entra admin center | View and manage [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis) | [aad.portal.azure.com](https://aad.portal.azure.com/) |
-| Microsoft Purview compliance portal | Manage data handling policies and ensure [compliance with regulations](/compliance/regulatory/offering-home) | [compliance.microsoft.com](https://compliance.microsoft.com/) |
+| Microsoft Purview portal | Manage data handling policies and ensure [compliance with regulations](/compliance/regulatory/offering-home) | [purview.microsoft.com](https://purview.microsoft.com/) |
 | Microsoft 365 admin center | Configure Microsoft 365 services; manage roles, licenses, and track updates to your Microsoft 365 services | [admin.microsoft.com](https://go.microsoft.com/fwlink/p/?linkid=2166757) |
-| Microsoft Intune admin center | Use [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to manage and secure devices. Can also combine Intune and Configuration Manager capabilities. | [endpoint.microsoft.com](https://endpoint.microsoft.com/) |
-| Microsoft Intune portal | Use [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to deploy device policies and monitor devices for compliance | [endpoint.microsoft.com](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/overview) |
+| Microsoft Intune admin center | Use [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to manage and secure devices. Can also combine Intune and Configuration Manager capabilities. | [intune.microsoft.com](https://intune.microsoft.com/) |
+| Microsoft Intune portal | Use [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to deploy device policies and monitor devices for compliance | [intune.microsoft.com](https://intune.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/overview) |
 
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md
@@ -26,7 +26,9 @@ For more information on what's new with other Microsoft Defender security produc
 - [What's new in Microsoft Defender for Endpoint](/defender-endpoint/whats-new-in-microsoft-defender-endpoint)
 - [What's new in Microsoft Defender for Identity](/defender-for-identity/whats-new)
 - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
+- [What's new in Microsoft Defender for Cloud](/azure/defender-for-cloud/release-notes)
 - [What's new in Microsoft Sentinel](/azure/sentinel/whats-new)
+- [What's new in Microsoft Purview](/purview/whats-new)
 
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
