Commit 442fc51

Merge branch 'main' into docs-editor/behavior-monitor-macos-1750993940
2 parents 84b4de9 + ca73fcf commit 442fc51

3 files changed

+15
-7
lines changed

ATPDocs/remediation-actions.md

Lines changed: 13 additions & 7 deletions
@@ -27,23 +27,27 @@ Watch the following video to learn more about remediation actions in Defender fo
2727

2828
To perform any of the [supported actions](#supported-actions), you need to:
2929

30-
- Configure the account that Microsoft Defender for Identity will use to perform them. By default, the Microsoft Defender for Identity sensor installed on a domain controller will impersonate the *LocalSystem* account of the domain controller and perform the above actions. However, you can change this default behavior by [setting up a gMSA account](manage-action-accounts.md) and scope the permissions as you need.
30+
- Configure the account that Microsoft Defender for Identity will use to perform them. By default, the Microsoft Defender for Identity sensor installed on a domain controller will impersonate the *LocalSystem* account of the domain controller and perform the above actions. However, you can change this default behavior by [setting up a gMSA account](manage-action-accounts.md) and scope the permissions as you need.
3131

3232
- Be signed into Microsoft Defender XDR to with relevant permissions. For Defender for Identity actions, you'll need a custom role with **Response (manage)** permissions. For more information, see [Create custom roles with Microsoft Defender XDR Unified RBAC](/microsoft-365/security/defender/create-custom-rbac-roles).
3333

3434
## Supported actions
3535

36-
The following Defender for Identity actions can be performed directly on your on-premises identities:
36+
The following Defender for Identity actions can be performed on Identities:
3737

38-
- **Disable user in Active Directory**: This will temporarily prevent a user from signing in to the on-premises network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
38+
- **Disable user in Active Directory** - This temporarily prevents a user from signing in to the on-premises network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
3939

40-
- **Reset user password** This will prompt the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.
40+
- **Reset user password** - This prompts the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.
4141

42-
- **Mark User Compromised** - The users risk level is set to High
42+
- **Mark User Compromised** - The user's risk level is set to High.
4343

44-
- **Suspend User in Entra ID** - Block new sign-ins and access to cloud resources
44+
- **Suspend User in Entra ID** - Block new sign-ins and access to cloud resources.
4545

46-
- **Require User to Sign In Again** - Revoke a user’s active sessions
46+
- **Require User to Sign In Again** - Revoke a user's active sessions.
47+
48+
- **Suspend User in Okta** - Temporarily disables a user account. This action can be used when a legit user account was found to be compromised and needed to be disabled.
49+
50+
- **Deactivate User in Okta** - This action can be used when a non-legit malicious account was detected, to deactivate the account permanently.
4751

4852
Depending on your Microsoft Entra ID roles, you might see additional Microsoft Entra ID actions, such as requiring users to sign in again and confirming a user as compromised. For more information, see [Remediate risks and unblock users](/entra/id-protection/howto-identity-protection-remediate-unblock).
4953

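Review bot: the unchanged line 52 still presents "requiring users to sign in again and confirming a user as compromised" as additional Entra ID actions you "might see", while lines 42 and 46 of this hunk now list Mark User Compromised and Require User to Sign In Again as standard supported actions; reconcile the two so a reader knows which actions are always offered and which depend on Entra roles. In line 36, lowercase "Identities" to match the surrounding prose. In the Okta bullets (lines 48 and 50), replace the informal "legit"/"non-legit" wording and fix the tense, for example "when a legitimate user account is found to be compromised and must be disabled" and "when an account is identified as malicious, to deactivate it permanently". The hunk also does not say what has to be in place for the Okta actions to appear; if there is a prerequisite, a sentence or link before the list would help. Unchanged line 32 has a stray "to" in "to with relevant permissions" that could be fixed in the same pass.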
@@ -56,6 +60,8 @@ Depending on your Microsoft Entra ID roles, you might see additional Microsoft E
5660
|Require User to Sign In Again | - Global Administrator <br>|
5761
| Disable/Enable User in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
5862
| Force Password Reset in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
63+
| Suspend User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
64+
| Deactivate User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
5965

6066

6167
## Related videos
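Review bot: in the two new Okta rows (lines 63 and 64), "Or One of the following" is capitalized mid-sentence; write "Response (manage), or one of the following Microsoft Entra roles:" so the cell reads as a sentence. Both rows carry identical permission text, so a single "Suspend/Deactivate User in Okta" row, in the style of the "Disable/Enable User in Active Directory" row above, would keep them from drifting apart.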

defender-xdr/faq-defender-experts-hunting.md

Lines changed: 1 addition & 0 deletions
@@ -47,6 +47,7 @@ The following section lists down questions your security operations center (SOC)
4747
|**How is customer data protected?**| For more information about Microsoft's commitment in valuing and protecting your data, see [Data collection, usage, and retention](before-you-begin-defender-experts.md#data-collection-usage-and-retention). You can also visit the [Trust Center](https://www.microsoft.com/en-us/trust-center/product-overview) then scroll down to **Additional products and services** > **Managed Security Services** > [**Microsoft Defender Experts**](https://aka.ms/trustcenter-defenderexperts).|
4848
|**Does the hunting service offer real-time threat remediation with boots on ground?**| No, the hunting service doesn't cover real-time threat remediation.<br><br>Despite this, Microsoft provides professional on-site service through our [Microsoft Incident Response team](https://www.microsoft.com/en-us/security/business/microsoft-incident-response?msockid=2c408e0b54cc68301f9a9b55554869f3). This service requires a separate contract. We prioritize customer needs and have a swift turnaround time. Contact your Customer Service Account Manager for further assistance.|
4949
|**Is there a graph API that can fetch Defender Experts Notifications content?**| Yes. For more information, see [Access incident notifications using Graph API](access-den-graph-api.md).|
50+
|**How is AI used in the Defender Experts service?**| AI is used to support the Defender Experts service by enhancing the speed, scale, and consistency of security operations. We use a combination of generative, agentic, and foundational AI to power workflows such as incident triage, investigation, and summarization by analyzing signals like telemetry and historical analyst actions. Defender Experts analysts review and validate these AI-generated insights to ensure quality and accuracy. AI helps scale expert capabilities, and human analysts remain central to the service, ensuring customers receive trusted outcomes.|
5051

5152
### See also
5253
- [Before you begin using Defender Experts for Hunting](before-you-begin-defender-experts.md)
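Review bot: the new row at line 50 says AI analyzes "signals like telemetry and historical analyst actions" but does not say whether customer data is used to train or tune models, which is the question a reader of the "How is customer data protected?" row three lines above will ask next; add a sentence on that and point to the same "Data collection, usage, and retention" section linked there.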

defender-xdr/frequently-asked-questions.md

Lines changed: 1 addition & 0 deletions
@@ -36,6 +36,7 @@ ms.date: 10/30/2024
3636
| **Can your experts help me improve my security posture?** | Yes, our experts provide necessary guidance regularly to improve your security posture.
3737
| **Can Defender Experts for XDR help with an active compromise or vulnerability?** | No, Defender Experts currently don't provide incident response services. Contact your Microsoft representative or fill out the [Experiencing a Cybersecurity Incident?](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbRypQlJUvhTFIvfpiAfrpFQdUOTdRRFpDUFQ1TzNLVFZXV0VUOVlVN0szUiQlQCN0PWcu) form to engage Microsoft Incident Response for incident response assistance. |
3838
| **How can my organization participate in the Defender Experts for XDR service?** | Contact your Microsoft representative to express interest in Defender Experts for XDR.|
39+
|**How is AI used in the Defender Experts service?**| AI is used to support the Defender Experts service by enhancing the speed, scale, and consistency of security operations. We use a combination of generative, agentic, and foundational AI to power workflows such as incident triage, investigation, and summarization by analyzing signals like telemetry and historical analyst actions. Defender Experts analysts review and validate these AI-generated insights to ensure quality and accuracy. AI helps scale expert capabilities, and human analysts remain central to the service, ensuring customers receive trusted outcomes.|
3940

4041
### See also
4142

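Review bot: the row added at line 39 is word-for-word the row added to faq-defender-experts-hunting.md in this same commit; keep one source (an include, or a link from one file to the other) so the two answers do not diverge. Style: the surrounding rows (lines 36 to 38) pad cells as "| **...** |", while the new row uses "|**...**|" with no spaces; match the existing rows.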