Commit 3cc9648

Merge branch 'main' into WI480553-update-ms-date-ms-reviewer
2 parents eacf8ce + f5f6be2 commit 3cc9648

5 files changed, +6 -7 lines changed

ATPDocs/unmonitored-active-directory-certificate-services-server.md

Lines changed: 2 additions & 2 deletions
@@ -19,7 +19,7 @@ This article describes the security posture assessment report for unmonitored Ac
1919
Unmonitored Active Directory Certificate Services (AD CS) servers pose a significant risk to your organization’s identity infrastructure. AD CS, the backbone of certificate issuance and trust, is a high-value target for attackers aiming to escalate privileges or forge credentials. Without proper monitoring, attackers can exploit these servers to issue unauthorized certificates, enabling stealthy lateral movement and persistent access. Deploy Microsoft Defender for Identity version 2.0 sensors on all AD CS servers to mitigate this risk. These sensors provide real-time visibility into suspicious activity, detect advanced threats, and generate actionable alerts based on security events and network behavior.
2020

2121
> [!NOTE]
22-
> This security assessment is available only if Microsoft Defender for Endpoint detects an eligible AD CS server in the environment.
22+
> This security assessment is only available if Microsoft Defender for Endpoint detects eligible ADCS servers in the environment. In some cases, servers running ADCS might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
2323
2424
## How do I use this security assessment?
2525
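Review bot: the added note at line 22 writes "ADCS" twice, while the article body in the context line 19 defines the abbreviation as "AD CS"; use "AD CS" so the page stays consistent and searchable. The word order also changed from "available only" to "only available" without need; keeping the original order would limit the change to the new second sentence.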

@@ -35,4 +35,4 @@ Unmonitored Active Directory Certificate Services (AD CS) servers pose a signifi
3535
3636
## Next steps
3737

38-
Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).
38+
Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).
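Review bot: at line 38 the removed and added lines read identically, so this is a whitespace or end-of-file newline change only. It is unrelated to the note update in the same file; confirm it is intentional, or drop it to keep the diff to the content change.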

ATPDocs/unmonitored-active-directory-federation-services-servers.md

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -18,8 +18,7 @@ This article describes the Microsoft Defender for Identity's unmonitored Active
1818
Unmonitored Active Directory Federation Services (ADFS) servers are a significant security risk to organizations. ADFS controls access to both cloud and on-premises resources as the gateway for federated authentication and single sign-on. If attackers compromise an ADFS server, they can issue forged tokens and impersonate any user, including privileged accounts. Such attacks might bypass multi-factor authentication (MFA), conditional access, and other downstream security controls, making them particularly dangerous. Without proper monitoring, suspicious activity on ADFS servers might go undetected for extended periods. Deploying Microsoft Defender for Identity version 2.0 sensors on ADFS servers is essential. These sensors enable real-time detection of suspicious behavior and help prevent token forgery, abuse of trust relationships, and stealthy lateral movement within the environment.
1919

2020
> [!NOTE]
21-
> This security assessment is only available if Microsoft Defender for Endpoint detects an eligible ADFS server in the environment.
22-
21+
> This security assessment is only available if Microsoft Defender for Endpoint detects eligible ADFS servers in the environment. In some cases, servers running ADFS might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
2322
2423
## How do I use this security assessment?
2524
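Review bot: the new second sentence of the note at line 21 tells readers that an ADFS server "might not be identified with the required role" and so can be missing from the assessment, but it does not name the role or say what to do in that case. Since the paragraph above calls sensor deployment on ADFS servers essential, suggest adding one sentence that points to how to confirm sensor coverage for servers the assessment does not list, so an empty report is not read as full coverage.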

ATPDocs/unmonitored-entra-connect-servers.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ If an attacker compromises a Microsoft Entra Connect server, they can inject sha
2323
These servers operate at the intersection of on-premises and cloud identity, making them a prime target for privilege escalation and stealthy persistence. Without monitoring, such attacks can go undetected. Deploying Microsoft Defender for Identity version 2.0 sensors on Microsoft Entra Connect servers is critical. These sensors help detect suspicious activity in real time, protect the integrity of your hybrid identity bridge, and prevent full-domain compromise from a single point of failure.
2424

2525
> [!NOTE]
26-
> This security assessment is only available if Microsoft Defender for Endpoint detects eligible Microsoft Entra Connect servers in the environment.
26+
> This security assessment is only available if Microsoft Defender for Endpoint detects eligible Microsoft Entra Connect servers in the environment. In some cases, servers running Entra Connect might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
2727
2828
## How do I use this security assessment?
2929
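Review bot: the added sentence at line 26 shortens the product name to "Entra Connect", while the first sentence of the same note and the context line 23 use "Microsoft Entra Connect"; use the full name in both sentences. The same caveat sentence is now pasted into three articles with only the product name changed, so consider a shared include to keep later wording fixes in one place.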

CloudAppSecurityDocs/discovery-docker-windows.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -110,7 +110,7 @@ The following steps describe the deployment in Windows. The deployment steps for
110110
1. Run the following command to download the Windows Docker installer PowerShell script file:
111111

112112
```powershell
113-
Invoke-WebRequest https://adaprodconsole.blob.core.windows.net/public-files/LogCollectorInstaller.ps1 -OutFile (Join-Path $Env:Temp LogCollectorInstaller.ps1)
113+
Invoke-WebRequest https://discoveryresources-cdn-prod.cloudappsecurity.com/prod-1/public-files/LogCollectorInstaller.ps1 -OutFile (Join-Path $Env:Temp LogCollectorInstaller.ps1)
114114
```
115115
116116
To validate that the installer is signed by Microsoft, see [Validate installer signature](#optional---validate-installer-signature).
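Review bot: the replacement URL at line 113 moves the installer download to a different host (discoveryresources-cdn-prod.cloudappsecurity.com), yet the signature check referenced in the context line 116 is still presented as optional (the anchor is #optional---validate-installer-signature). Readers run this script after downloading it, so consider making the validation a numbered step of the procedure, and check that any firewall or allow-list guidance elsewhere in the docs that names adaprodconsole.blob.core.windows.net is updated in the same change.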

CloudAppSecurityDocs/log-collector-advanced-management.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -315,7 +315,7 @@ The following procedures describe how to export the log collector image, using L
315315
1. On a Linux computer that has access to the Docker Hub, run the following command to install Docker and download the log collector image.
316316

317317
```bash
318-
curl -o /tmp/MCASInstallDocker.sh https://adaprodconsole.blob.core.windows.net/public-files/MCASInstallDocker.sh && chmod +x /tmp/MCASInstallDocker.sh; /tmp/MCASInstallDocker.sh
318+
curl -o /tmp/MCASInstallDocker.sh https://discoveryresources-cdn-prod.cloudappsecurity.com/prod-1/public-files/MCASInstallDocker.sh && chmod +x /tmp/MCASInstallDocker.sh; /tmp/MCASInstallDocker.sh
319319
```
320320

321321
1. Export the log collector image. Run:
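Review bot: the command at line 318 chains the final step with ";" rather than "&&", so /tmp/MCASInstallDocker.sh is executed even when the curl download or the chmod fails, and curl is called without -f, so an HTTP error body from the new URL would be saved under that name and run. While this line is being changed anyway, suggest "curl -f -o ..." with "&&" before the execution, plus a note on how to verify the script before running it, as the Windows article does for its installer.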
