Commit 3f5aa4e

Merge branch 'main' into EOP-chrisda
2 parents dc13c99 + 6f6dc5b commit 3f5aa4e

6 files changed: +125 −94 lines changed

defender-xdr/advanced-hunting-microsoft-defender.md

Lines changed: 4 additions & 1 deletion
@@ -23,7 +23,7 @@ ms.topic: concept-article
2323
appliesto:
2424
- Microsoft Defender XDR
2525
- Microsoft Sentinel in the Microsoft Defender portal
26-
ms.date: 02/10/2025
26+
ms.date: 07/22/2025
2727
---
2828

2929
# Advanced hunting with Microsoft Sentinel data in Microsoft Defender portal
@@ -34,6 +34,9 @@ Querying from a single portal across different data sets makes hunting more effi
3434

3535
[!INCLUDE [unified-soc-preview](../includes/unified-soc-preview.md)]
3636

37+
> [!NOTE]
38+
> After onboarding to the Microsoft Sentinel data lake, auxiliary log tables are no longer available in Microsoft Defender advanced hunting. Instead, you can access them through data lake exploration KQL queries in the Defender portal. For more information, see [KQL queries in the Microsoft Sentinel data lake](/azure/sentinel/datalake/kql-queries).
39+
3740
## How to access
3841

3942
### Required roles and permissions
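Review bot: the added `> [!NOTE]` block says where auxiliary log tables moved (data lake exploration KQL queries) but not what happens to existing saved advanced hunting queries or custom detection rules that reference those tables once a tenant is onboarded to the data lake; a sentence stating that impact would save readers a support ticket. Also confirm that the new relative link target `/azure/sentinel/datalake/kql-queries` is published together with this change, since nothing else in the repo is shown referencing it.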

defender-xdr/communicate-defender-experts-xdr.md

Lines changed: 2 additions & 1 deletion
@@ -51,7 +51,8 @@ Once you turn on chat on Teams, a new team named **Defender Experts team** is cr
5151

5252
**Important reminders when using the Teams chat:**
5353

54-
- Our experts have access to messages in **Defender Experts team** through the Defender Experts Teams app so you don't have to explicitly them to this team.
54+
- Our experts have access to messages in **Defender Experts team** through the Defender Experts Teams app so you don't have to explicitly add them to this team.
55+
5556
- Our experts only see replies to existing posts created by Defender Experts regarding a managed response. If you create a new post, our experts won't be able to see it.
5657
- While Defender Experts might have access to all messages in any channel in **Defender Experts team**, tag or mention our experts by typing *@Defender Experts* in your replies, so they're notified to join the chat conversation.
5758
- Don't attach any attachments (for example, files for analysis) in the chat. For security reasons, Defender Experts won't be able to view the attachments. Instead, send them to appropriate submissions channels or provide links where they can be found in Microsoft Defender XDR portal.
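Review bot: the one-word fix ("explicitly add them to this team") is correct. While touching this list, the unchanged context bullet "Don't attach any attachments (for example, files for analysis) in the chat" is tautological; "Don't attach files (for example, files for analysis) to the chat" reads better, though that is outside the changed line.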

defender-xdr/create-custom-rbac-roles.md

Lines changed: 59 additions & 53 deletions
@@ -2,17 +2,17 @@
22
title: Create custom roles with Microsoft Defender XDR Unified role-based access control (RBAC)
33
description: Create custom roles in Microsoft Defender XDR Security portal role-based access control (RBAC)
44
ms.service: defender-xdr
5-
ms.author: diannegali
6-
author: diannegali
5+
ms.author: bagol
6+
author: batamig
77
ms.localizationpriority: medium
8-
manager: deniseb
8+
manager: orspodek
99
audience: ITPro
1010
ms.collection:
1111
- m365-security
1212
- tier3
1313
ms.custom:
1414
ms.topic: how-to
15-
ms.date: 04/25/2025
15+
ms.date: 07/06/2025
1616
ms.reviewer:
1717
search.appverid: met150
1818
appliesto:
@@ -24,124 +24,130 @@ appliesto:
2424
- Microsoft Defender for Cloud
2525
- Microsoft Security Exposure Management
2626
- Microsoft Defender for Cloud Apps
27+
- Microsoft Sentinel data lake
2728
#customer intent: As a security administrator, I want to create custom roles in Microsoft Defender XDR Unified RBAC so that I can manage permissions and access to Microsoft Defender portal experiences.
2829
---
2930

3031
# Create custom roles with Microsoft Defender XDR Unified RBAC
3132

33+
This article describes how to create custom roles in Microsoft Defender XDR Unified role-based access control (RBAC). Microsoft Defender XDR Unified RBAC enables you to create custom roles with specific permissions and assign them to users or groups, allowing for granular control over access to Microsoft Defender portal experiences.
34+
35+
Creating custom roles for [Microsoft Sentinel data lake](https://aka.ms/data-lake-overview) is supported in Preview.
36+
3237
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
3338

3439
## Prerequisites
3540

36-
To create custom roles in Microsoft Defender XDR Unified RBAC, you must be assigned one of the following:
41+
To create custom roles in Microsoft Defender XDR Unified RBAC, you must be assigned one of the following roles or permissions:
3742

3843
- Global Administrator or Security Administrator in Microsoft Entra ID.
3944
- All **Authorization** permissions assigned in Microsoft Defender XDR Unified RBAC.
4045

41-
For more information on permissions, see [Permission pre-requisites](manage-rbac.md#permissions-prerequisites).
46+
For more information on permissions, see [Permission prerequisites](manage-rbac.md#permissions-prerequisites).
4247

4348
> [!TIP]
44-
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
45-
46-
## Create a custom role
49+
> Microsoft recommends that you use roles with the fewest permissions. This practice helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
4750
48-
The following steps guide you on how to create custom roles in Microsoft Defender XDR Unified RBAC.
51+
To create custom roles for the Microsoft Sentinel data lake using the **Security Operations** or **Data operations** permission group, you must have a Log Analytics workspace enabled for Microsoft Sentinel and onboarded to the Defender portal.
4952

53+
- [Onboard Microsoft Sentinel](/azure/sentinel/quickstart-onboard?tabs=defender-portal)
54+
- [Connect Microsoft Sentinel to the Microsoft Defender portal](/unified-secops-platform/microsoft-sentinel-onboard?toc=%2Fazure%2Fsentinel%2FTOC.json&bc=%2Fazure%2Fsentinel%2Fbreadcrumb%2Ftoc.json)
5055

51-
1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com).
56+
## Create a custom role
5257

53-
2. In the navigation pane, go to **System > Permissions**.
58+
The following steps describe how to create custom roles in the Microsoft Defender portal.
5459

55-
3. Select **Roles** under Microsoft Defender XDR to get to the Permissions and roles page.
60+
1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com). In the navigation pane on the side, scroll down and select **Permissions**.
5661

57-
4. Select **Create custom role**.
62+
1. On the **Permissions** page, under **Microsoft Defender XDR**, select **Roles** > **Create custom role**.
5863

59-
5. Enter the Role name and description.
64+
1. In the wizard that opens, on the **Basics** tab, enter the role name and an optional description, and then select **Next**.
6065

61-
6. Select **Next** to choose the permissions you want to assign. Permissions are organized in three different categories:
66+
1. On the **Choose permissions** page, select each of the following as needed to configure permissions for that area:
6267

63-
:::image type="content" source="/defender/media/defender/m365-defender-rbac-permissions1.png" alt-text="Screenshot of the permissions screen" lightbox="/defender/media/defender/m365-defender-rbac-permissions1.png":::
68+
- **Security operations**
69+
- **Security posture**
70+
- **Authorization and settings**
71+
- **Data Operations** (Preview). Supported for the **Microsoft Sentinel data lake** data collection.
6472

65-
7. Select a permission category (for example, Security operations), and then review the permissions available. You can choose to assign the following different levels of permissions:
73+
Hover over the description column for each permission group for a detailed description of the permissions available in that group.
6674

67-
- Select all read-only permissions – Users are assigned with all the read-only permissions in this category.
68-
- Select all read and manage permissions – Users are assigned all permissions in this category (read and manage permissions).
69-
- Select custom permissions – Users are assigned the custom permissions selected.
75+
An extra **Authorization and settings** side pane slides open for each permission group you select, where you can choose the specific permissions to assign to the role.
7076

71-
:::image type="content" source="/defender/media/defender/m365-defender-rbac-assignments-fig.png" alt-text="Screenshot of the permissions flyout screen" lightbox="/defender/media/defender/m365-defender-rbac-assignments-fig.png":::
77+
If you select **All read-only permissions**, or **All read and manage permissions**, any new permissions later added to these categories are also automatically assigned under this role.
7278

73-
For more information on the RBAC custom permissions, see [About RBAC custom permissions](custom-permissions-details.md).
79+
For more information, see [Permissions in Microsoft Defender XDR Unified role-based access control (RBAC)](custom-permissions-details.md).
7480

81+
1. When you're done assigning permissions for each permission group, select **Apply** and then **Next** to continue on to the next permission group.
82+
7583
> [!NOTE]
7684
> If all read-only or all read and manage permissions are assigned, any new permissions added to this category in the future are automatically assigned under this role.
7785
>
78-
> If you have assigned custom permissions and new permissions are added to this category, you will need to re-assign your roles with the new permissions if needed.
79-
80-
8. Once you have selected your permissions, select **Apply** and then **Next** to assign users and data sources.
86+
> If you assigned custom permissions and new permissions are added to this category, you'll need to reassign your roles with the new permissions if needed.
8187
82-
9. Select **Add assignments** and add the Assignment name.
88+
1. Once you selected your permissions for any relevant permission group, select **Apply** and then **Next** to assign users and data sources.
8389

84-
10. Under **data sources**, choose if the assigned users will have the selected permissions across all the available products, or only for specific data sources:
90+
1. On the **Assign users and data sources** page, select **Add assignment**.
8591

86-
:::image type="content" source="/defender/media/defender/defender-rbac-add-assignments-small.png" alt-text="Screenshot of the assignments screen" lightbox="/defender/media/defender/defender-rbac-add-assignments.png":::
92+
1. On the **Add assignment** side pane, enter the following details:
8793

88-
If a user selects all read-only permissions for a single data source, for example, Microsoft Defender for Endpoint, they will not be able to read alerts for Microsoft Defender for Office 365 or Microsoft Defender for Identity.
94+
- **Assignment name**: Enter a descriptive name for the assignment.
95+
- **Employees**: Select Microsoft Entra security groups or individual users to assign users to the role.
96+
- **Data sources**: Select the **Data sources** drop down and then select the services where the assigned users will have the selected permissions. If you assigned read-only permissions for a single data source, such as Microsoft Defender for Endpoint, the assigned users can't read alerts in the other services, such as Microsoft Defender for Office 365 or Microsoft Defender for Identity.
8997

90-
> [!NOTE]
91-
> By selecting **Include future data sources automatically** all supported data sources within Microsoft Defender XDR Unified RBAC and any future data sources that are added are automatically assigned to this assignment.
98+
1. Select **Include future data sources automatically** to include all other data sources supported by Microsoft Defender unified RBAC. If this option is selected, any future data sources that are added for unified RBAC support are also automatically added to the assignment.
9299

93-
11. In **Assigned users and groups** choose the Microsoft Entra security groups or individual users to assign the role to, and select **Add**.
100+
1. In the **Data collections** area on the **Add assignments** side pane, the Microsoft Sentinel default data lake is listed by default. Select **Edit** to either remove access to the data lake, or define a custom data lake selection.
94101

95102
> [!NOTE]
96103
> In Microsoft Defender XDR Unified RBAC, you can create as many assignments as needed under the same role with same permissions. For example, you can have an assignment within a role that has access to all data sources and then a separate assignment for a team that only needs access to Endpoint alerts from the Defender for Endpoint data source. This enables maintaining the minimum number of roles.
97104
98-
12. Select **Next** to review and finish creating the role and then select **Submit**.
105+
1. Back on the **Assign users and data sources** page, select **Next** to review the role and assignment details. Select **Submit** to create the role.
99106

100107
## Create a role to access and manage roles and permissions
101108

102-
To access and manage roles and permissions, without being a Global Administrator or Security Administrator in Microsoft Entra ID, you need to create a role with **Authorization** permissions. To create this role:
109+
To access and manage roles and permissions, without being a Global Administrator or Security Administrator in Microsoft Entra ID, create a role with **Authorization** permissions. To create this role:
103110

104111
1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) as Global Administrator or Security Administrator.
105112

106-
2. In the navigation pane, select **Permissions**.
107-
108-
3. Select **Roles** under Microsoft Defender XDR.
113+
1. In the navigation pane, select **Permissions > Microsoft Defender XDR > Roles > Create custom role**.
109114

110-
4. Select **Create custom role**.
115+
1. Enter your role name and description, and then select **Next**.
111116

112-
5. Enter the Role name and description.
117+
1. Select **Authorization and settings**, and then on the **Authorization and settings** side pane, select **Select custom permissions**.
113118

114-
6. Select **Next** and choose the **Authorization and settings** option.
119+
1. Under **Authorization**, select one of the following options:
115120

116-
7. On the Authorization and settings category flyout, choose **Select custom permissions** and under **Authorization** select either:
121+
- **Select all permissions**. Users are able to create and manage roles and permissions.
122+
- **Read-only**. Users can access and view roles and permissions in a read-only mode.
117123

118-
- Select all permissions - users are able to create and manage roles and permissions.
119-
- Read-only - uses can access and view roles and permissions in a read-only mode.
124+
For example:
120125

121126
:::image type="content" source="/defender/media/defender/m365-defender-rbac-authorization-role.png" alt-text="Screenshot of the permissions and roles page" lightbox="/defender/media/defender/m365-defender-rbac-authorization-role.png":::
122127

123-
8. Select **Apply** and then **Next** to assign users and data sources.
128+
1. Select **Apply** and then **Next** to assign users and data sources.
124129

125-
9. Select **Add assignments** and enter the Assignment name.
130+
1. Select **Add assignments** and enter the **Assignment name**.
126131

127-
10. To choose the **data sources** users assigned the Authorization permission will have access to:
132+
1. To choose the data sources that users assigned with the *Authorization* permission have access to, select one of the following options:
128133

129-
- Select **Choose all data sources** to grant users permissions to create new roles and manage roles for all data sources.
130-
- Select **Select specific data sources** to grant users permissions to create new roles and manage roles for a specific data source. For example, select Microsoft Defender for Endpoint from the dropdown to grant users the Authorization permission for the Microsoft Defender for Endpoint data source only.
134+
- **Choose all data sources**: This grants users permissions to create new roles and manage roles for all data sources.
135+
- **Select specific data sources**: This grants users permissions to create new roles and manage roles for a specific data source. For example, select **Microsoft Defender for Endpoint** from the dropdown to grant users the *Authorization* permission for the Microsoft Defender for Endpoint data source only.
136+
- **Microsoft Sentinel data lake collection**: Select this option to grant users the *Authorization* permission for the Microsoft Sentinel data lake.
131137

132-
11. In **Assigned users and groups** – choose the Microsoft Entra security groups or individual users to assign the role to, and select **Add**.
138+
1. In **Assigned users and groups** – choose the Microsoft Entra security groups or individual users to assign the role to, and select **Add**.
133139

134-
12. Select **Next** to review and finish creating the role and then select **Submit**.
140+
1. Select **Next** to review and finish creating the role and then select **Submit**.
135141

136142
> [!NOTE]
137-
> For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new or imported roles, you'll need to activate the new Microsoft Defender XDR Unified RBAC model. For more information, see [Activate Microsoft Defender XDR Unified RBAC](activate-defender-rbac.md).
143+
> For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new or imported roles, you need to activate the new Microsoft Defender XDR Unified RBAC model. For more information, see [Activate Microsoft Defender XDR Unified RBAC](activate-defender-rbac.md).
138144
139145

140146
## Configure scoped roles for Microsoft Defender for Identity
141147

142148
Scoped access for Microsoft Defender for Identity (MDI) is currently in **Public preview**. You can configure scoped access using Microsoft Defender XDR’s Unified RBAC (URBAC) model. This allows you to restrict access and visibility to specific Active Directory domains, helping align with team responsibilities and reduce unnecessary data exposure.
143149

144-
For more information see: [Configure scoped access for Microsoft Defender for Identity](/defender-for-identity/configure-scoped-access).
150+
For more information, see: [Configure scoped access for Microsoft Defender for Identity](/defender-for-identity/configure-scoped-access).
145151

146152
## Next steps
147153
