Commit 42648f7

Merge branch 'main' into US477096_AP
2 parents ce67177 + 1cb6ed4 commit 42648f7

1,071 files changed

+5113
-3131
lines changed

.github/workflows/TierManagement.yml

Lines changed: 4 additions & 1 deletion
@@ -2,12 +2,15 @@ name: Tier management
22

33
permissions:
44
pull-requests: write
5-
contents: read
5+
contents: write
66

77
on:
88
issue_comment:
99
types: [created, edited]
1010

11+
pull_request_target:
12+
types: [opened, reopened]
13+
1114
jobs:
1215

1316
tier-mgmt:
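
Review bot: Line 5 raises `contents` from read to write in the same change that adds the `pull_request_target` trigger at lines 11-12, so runs started by a pull request, including one from a fork, now get a GITHUB_TOKEN that can write to repository contents. `pull_request_target` runs in the context of the base repository, so this is the combination to keep as narrow as possible. If only one step needs write access, keep the workflow-level `contents: read` and grant `contents: write` under the `tier-mgmt` job (or a separate job) instead. The job steps are outside this hunk, so also confirm that nothing in them checks out or executes code from the pull request head. A short comment above `permissions:` saying why write is needed would help later reviews.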

.openpublishing.redirection.ata-atp.json

Lines changed: 3 additions & 3 deletions
@@ -17,17 +17,17 @@
1717
},
1818
{
1919
"source_path": "ATPDocs/deploy/quick-installation-guide.md",
20-
"redirect_url": "deploy/deploy-defender-identity",
20+
"redirect_url": "deploy-defender-identity",
2121
"redirect_document_id": false
2222
},
2323
{
2424
"source_path": "ATPDocs/deploy/prerequisites.md",
25-
"redirect_url": "deploy/prerequisites-sensor-version-2",
25+
"redirect_url": "prerequisites-sensor-version-2",
2626
"redirect_document_id": false
2727
},
2828
{
2929
"source_path": "ATPDocs/deploy/activate-capabilities.md",
30-
"redirect_url": "deploy/activate-sensor",
30+
"redirect_url": "activate-sensor",
3131
"redirect_document_id": false
3232
},
3333
{
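
Review bot: The three changed `redirect_url` values (lines 20, 25 and 30) drop the `deploy/` prefix while each `source_path` stays under `ATPDocs/deploy/`, so the result depends on how relative targets are resolved, which nothing in this hunk shows. Please confirm that `deploy-defender-identity`, `prerequisites-sensor-version-2` and `activate-sensor` each resolve to an existing page after the build, and check whether other entries in this file that point into `deploy/` need the same change so the file stays consistent.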

ATPDocs/alerts-xdr.md

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ ms.reviewer: rlitinsky
88

99
# Microsoft Defender for Identity XDR alerts
1010

11-
Microsoft Defender for Identity alerts can appear in the Microsoft Defender XDR portal in two different formats depending on if the alert originates from Defender for Identity or Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products. This article lists
11+
Microsoft Defender for Identity alerts can appear in the Microsoft Defender XDR portal in two different formats depending on if the alert originates from Defender for Identity or Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products.
1212

1313
To learn more about how to understand the structure, and common components of all Defender for Identity security alerts, see [View and manage alerts](understanding-security-alerts.md).
1414
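
Review bot: Style point on line 11: with the dangling "This article lists" removed, the paragraph no longer says what the article covers, and the first sentence still reads "depending on if the alert originates". Suggest "depending on whether the alert originates" and, if the article body needs an introduction, a complete sentence in place of the removed fragment. The context line 13 also has a stray comma in "understand the structure, and common components".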

ATPDocs/change-password-krbtgt-account.md

Lines changed: 3 additions & 1 deletion
@@ -29,7 +29,9 @@ If the KRBTGT account's password is compromised, an attacker can use its hash to
2929
1. Take appropriate action on those accounts by resetting their password **twice** to invalidate the Golden Ticket attack. 
3030

3131
> [!NOTE]
32-
> The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It is recommended to use the [Microsoft-provided script.](https://github.com/microsoft/New-KrbtgtKeys.ps1)
32+
> The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It is recommended to use the [Microsoft-provided script.](https://github.com/microsoft/New-KrbtgtKeys.ps1)
33+
> When resetting the password twice, wait at least 10 hours between resets to avoid Kerberos authentication issues. This wait time is enforced by the script and aligns with best practices.
34+
3335
### Next steps
3436

3537
[Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
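
Review bot: The 10-hour wait added at line 33 lives only inside the note, while step 1 on line 29 still tells the reader to reset the password **twice** with no mention of an interval, so someone following the numbered steps can do both resets back to back. Suggest stating the wait in the step itself, or pointing from the step to the note. Two smaller points on line 33: it follows line 32 with no blank `>` line between them, so Markdown will render it as a continuation of the same paragraph, and "aligns with best practices" would be stronger with a link to the guidance it refers to.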

ATPDocs/dashboard.md

Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ Select links in the cards to just to more details, such as documentation, relate
4545
|**Identities overview (shield widget)** |Provides a quick overview of the number of users in hybrid, cloud, and on-premises environments (AD and Microsoft Entra ID). This feature includes direct links to the Advanced Hunting platform, offering detailed user information at your fingertips.|
4646
|**Top insights** /<br>**Users identified in a risky lateral movement path** | Indicates any sensitive accounts with risky lateral movement paths, which are windows of opportunity for attackers and can expose risks. <br><br>We recommend that you take action on any sensitive accounts found with risky lateral movement paths to minimize your risk. <br><br>For more information, see [Understand and investigate Lateral Movement Paths (LMPs) with Microsoft Defender for Identity](understand-lateral-movement-paths.md).|
4747
|**Top insights** /<br>**Dormant Active Directory users who should be removed from sensitive groups** | Lists accounts that have been left unused for at least 180 days. <br><br>An easy and quiet path deep into your organization is through inactive accounts that are a part of sensitive groups, therefore we recommend removing those users from sensitive groups. <br><br>For more information, see [Security assessment: Riskiest lateral movement paths (LMP)](security-assessment-riskiest-lmp.md).|
48-
|**ITDR deployment health** | Lists any sensor deployment progress, any health alerts, and license availability. |
48+
|**ITDR deployment health** | Lists any sensor deployment progress, any health alerts, and license availability derived from Defender for Identity data and Device Inventory, which relies on Defender for Endpoint coverage. |
4949
|**Identity posture (Secure score)** | The score shown represents your organization's security posture with a focus on the *identity* score, reflecting the collective security state of your identities. The score is automatically updated in real-time to reflect the data shown in graphs and recommended actions. <br><br>Microsoft Secure Score updates daily with system data with new points for each recommended action take.<br><br> For more information, see [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score). |
5050
| **Highly privileged entities** | Lists a summary of the sensitive accounts in your organization, including Entra ID security administrators and Global admin users. |
5151
| **Identity related incidents** | Lists alerts from both Defender for Identity and [Microsoft Entra ID Protection](/azure/active-directory/identity-protection/overview-identity-protection), and any corresponding, relevant incidents from the last 30 days. |
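
Review bot: In the new line 48 it is unclear what "derived from Defender for Identity data and Device Inventory" modifies: license availability alone, or the deployment progress and health alerts as well. Suggest splitting the cell into two sentences, one listing what the card shows and one stating the data sources, so it is clear which values depend on Defender for Endpoint coverage. While here, the context row on line 47 about dormant users links to the riskiest lateral movement paths assessment, which looks like a copy of the link in the row above; worth checking the link target.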