Merge branch 'main' into docs-editor/governance-actions-1756026617

Author: padmagit77

CloudAppSecurityDocs/discovery-docker-windows.md

@@ -110,7 +110,7 @@ The following steps describe the deployment in Windows. The deployment steps for
 1. Run the following command to download the Windows Docker installer PowerShell script file: 
 
     ```powershell
-    Invoke-WebRequest https://adaprodconsole.blob.core.windows.net/public-files/LogCollectorInstaller.ps1 -OutFile (Join-Path $Env:Temp LogCollectorInstaller.ps1)
+   Invoke-WebRequest https://discoveryresources-cdn-prod.cloudappsecurity.com/prod-1/public-files/LogCollectorInstaller.ps1 -OutFile (Join-Path $Env:Temp LogCollectorInstaller.ps1) 
     ```
 
     To validate that the installer is signed by Microsoft, see [Validate installer signature](#optional---validate-installer-signature).

CloudAppSecurityDocs/log-collector-advanced-management.md

@@ -314,7 +314,7 @@ The following procedures describe how to export the log collector image, using L
 1. On a Linux computer that has access to the Docker Hub, run the following command to install Docker and download the log collector image.
 
     ```bash
-    curl -o /tmp/MCASInstallDocker.sh https://adaprodconsole.blob.core.windows.net/public-files/MCASInstallDocker.sh && chmod +x /tmp/MCASInstallDocker.sh; /tmp/MCASInstallDocker.sh
+    curl -o /tmp/MCASInstallDocker.sh https://discoveryresources-cdn-prod.cloudappsecurity.com/prod-1/public-files/MCASInstallDocker.sh && chmod +x /tmp/MCASInstallDocker.sh; /tmp/MCASInstallDocker.sh 
     ```
 
 1. Export the log collector image. Run:

CloudAppSecurityDocs/protect-office-365.md

@@ -138,6 +138,8 @@ This section provides instructions for connecting Microsoft Defender for Cloud A
 - You must [enable auditing in Power BI](/power-bi/admin/service-admin-auditing) to get the logs from there. Once auditing is enabled, Defender for Cloud Apps starts getting the logs (with a delay of 24-72 hours).
 - You must [enable auditing in Dynamics 365](/power-platform/admin/enable-use-comprehensive-auditing#enable-auditing) to get the logs from there. Once auditing is enabled, Defender for Cloud Apps starts getting the logs (with a delay of 24-72 hours).
 
+- You must [enable the service principal](/graph/api/serviceprincipal-get?view=graph-rest-1.0&tabs=http) to get Malware detection and response support (this service API is enabled by default). Once API is enabled, Defender for Cloud Apps starts getting the logs (with a delay of 24-72 hours).
+
 **To connect Microsoft 365 to Defender for Cloud Apps**:
 
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**.

defender-endpoint/mac-whatsnew.md

@@ -74,6 +74,18 @@ This feature enables organizations to configure offline updates for security int
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md) and [Behavior Monitoring GA announcement blog](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/behavior-monitoring-is-now-generally-available-for-microsoft-defender-for-endpoi/4415697)
 
+### Aug-2025 (Build: 101.25062.0006  | Release version: 20.125062.6.0)
+
+| Build:             | **101.25062.0006**   |
+|--------------------|----------------------|
+| Release version:   | **20.125062.6.0**    |
+| Engine version:    | **1.1.25070.3000**   |
+| Signature version: | **1.435.357.0**      |
+
+##### What's new
+
+- Bug and performance fixes
+
 ### Jul-2025 (Build: 101.25062.0005  | Release version: 20.125062.5.0)
 
 | Build:             | **101.25062.0005**   |
@@ -982,7 +994,7 @@ Live Response for macOS is now available for all Mac devices onboarded to Defend
 
 > [!IMPORTANT]
 > We're working on a new and enhanced syntax for the `mdatp` command-line tool. The new syntax is currently the default in the Insider Fast and Insider Slow update channels. We encourage you to familiarize yourself with this new syntax.
-> We continue supporting the old syntax in parallel with the new syntax and provides more communications around the deprecation plan for the old syntax in the upcoming months.
+> We continue supporting the old syntax in parallel with the new syntax and provide more communications around the deprecation plan for the old syntax in the upcoming months.
 - Addressed a kernel panic that occurred sometimes when accessing SMB file shares.
 - Performance improvements & Product improvements
 

defender-xdr/phishing-triage-agent.md

@@ -7,7 +7,6 @@ f1.keywords:
 ms.author: guywild
 author: guywi-ms
 ms.localizationpriority: medium
-manager: deniseb
 audience: ITPro
 ms.collection: 
 - m365-security
@@ -55,10 +54,11 @@ The Phishing Triage Agent is a [Security Copilot agent](/copilot/security/agents
 
 | Action                        | Permission required                                                                                           |
 |:------------------------------|:----------------------------------------------------------------------------------------------------------------------|
-| Set up, pause, remove or the agent              | **Security Administrator** in Microsoft Entra ID                                                            |
-| View and manage agent settings and activity        | **Security Copilot (read)** and **Security data basics (read)** under the **Security operations** permissions group in the Defender portal                     |
+| Set up, pause, or remove the agent, and manage agent identity              | **Security Administrator** in Microsoft Entra ID                                                            |
+| View and manage agent settings        | **Security Copilot (read)** and **Security data basics (read)** under the **Security operations** permissions group in the Defender portal                     |
 | View and manage feedback   | **Security Copilot (read)**, **Security data basics (read)**, and **Email & collaboration metadata (read)** under the **Security operations** permissions group in the Defender portal|
 |Reject feedback|**Security Administrator** in Microsoft Entra ID|
+| View agent results |**Security Copilot (read)**, **Security data basics (read)**, **Alerts (manage)**,  **Email & collaboration metadata (read)**, and **Email & collaboration content (read)** under the **Security operations** permissions group in the Defender portal|
 
 For more information about unified RBAC in the Defender portal, see [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac).
 

unified-secops-platform/microsoft-sentinel-onboard.md

@@ -119,30 +119,12 @@ After you connect your workspace to the Defender portal, **Microsoft Sentinel**
 
 Many of the existing Microsoft Sentinel features are integrated into the Defender portal. For these features, notice that the experience between Microsoft Sentinel in the Azure portal and Defender portal are similar. Use the following articles to help you start working with Microsoft Sentinel in the Defender portal. When using these articles, keep in mind that your starting point in this context is the [Defender portal](https://security.microsoft.com/) instead of the Azure portal.
 
-- Search
-  - [Search across long time spans in large datasets](/azure/sentinel/search-jobs?tabs=defender-portal)
-  - [Restore archived logs from search](/azure/sentinel/restore)
-- Threat management
-  - [Visualize and monitor your data by using workbooks](/azure/sentinel/monitor-your-data?tabs=defender-portal)
-  - [Conduct end-to-end threat hunting with Hunts](/azure/sentinel/hunts)
-  - [Use hunting bookmarks for data investigations](/azure/sentinel/bookmarks)
-  - [Use hunting Livestream in Microsoft Sentinel to detect threat](/azure/sentinel/livestream)
-  - [Hunt for security threats with Jupyter notebooks](/azure/sentinel/notebooks-hunt)
-  - [Add indicators in bulk to Microsoft Sentinel threat intelligence from a CSV or JSON file](/azure/sentinel/indicators-bulk-file-import?tabs=defender-portal)
-  - [Work with threat indicators in Microsoft Sentinel](/azure/sentinel/work-with-threat-indicators?tabs=defender-portal)
-  - [Understand security coverage by the MITRE ATT&CK framework](/azure/sentinel/mitre-coverage)
-- Content management
-  - [Discover and manage Microsoft Sentinel out-of-the-box content](/azure/sentinel/sentinel-solutions-deploy?tabs=defender-portal)
-  - [Microsoft Sentinel content hub catalog](/azure/sentinel/sentinel-solutions-catalog)
-  - [Deploy custom content from your repository](/azure/sentinel/ci-cd)
-- Configuration
-  - [Find your Microsoft Sentinel data connector](/azure/sentinel/data-connectors-reference)
-  - [Create custom analytics rules to detect threats](/azure/sentinel/create-analytics-rules?tabs=defender-portal)
-  - [Work with near-real-time (NRT) detection analytics rules in Microsoft Sentinel](/azure/sentinel/create-nrt-rules?tabs=defender-portal)
-  - [Create watchlists](/azure/sentinel/watchlists-create?tabs=defender-portal)
-  - [Manage watchlists in Microsoft Sentinel](/azure/sentinel/watchlists-manage)
-  - [Create automation rules](/azure/sentinel/create-manage-use-automation-rules)
-  - [Create and customize Microsoft Sentinel playbooks from content templates](/azure/sentinel/use-playbook-templates)
+| Feature category   | Links |
+|--------------------|----------|
+| **Search**         | - [Search across long time spans in large datasets](/azure/sentinel/search-jobs?tabs=defender-portal)<br>- [Restore archived logs from search](/azure/sentinel/restore) |
+| **Threat management** | - [Visualize and monitor your data by using workbooks](/azure/sentinel/monitor-your-data?tabs=defender-portal)<br>- [Conduct end-to-end threat hunting with Hunts](/azure/sentinel/hunts)<br>- [Use hunting bookmarks for data investigations](/azure/sentinel/bookmarks)<br>- [Use hunting Livestream in Microsoft Sentinel to detect threat](/azure/sentinel/livestream)<br>- [Hunt for security threats with Jupyter notebooks](/azure/sentinel/notebooks-hunt)<br>- [Add indicators in bulk to Microsoft Sentinel threat intelligence from a CSV or JSON file](/azure/sentinel/indicators-bulk-file-import?tabs=defender-portal)<br>- [Work with threat indicators in Microsoft Sentinel](/azure/sentinel/work-with-threat-indicators?tabs=defender-portal)<br>- [Understand security coverage by the MITRE ATT&CK framework](/azure/sentinel/mitre-coverage) |
+| **Content management** | - [Discover and manage Microsoft Sentinel out-of-the-box content](/azure/sentinel/sentinel-solutions-deploy?tabs=defender-portal)<br>- [Microsoft Sentinel content hub catalog](/azure/sentinel/sentinel-solutions-catalog)<br>- [Deploy custom content from your repository](/azure/sentinel/ci-cd) |
+| **Configuration**  | - [Find your Microsoft Sentinel data connector](/azure/sentinel/data-connectors-reference)<br>- [Create custom analytics rules to detect threats](/azure/sentinel/create-analytics-rules?tabs=defender-portal)<br>- [Work with near-real-time (NRT) detection analytics rules in Microsoft Sentinel](/azure/sentinel/create-nrt-rules?tabs=defender-portal)<br>- [Create watchlists](/azure/sentinel/watchlists-create?tabs=defender-portal)<br>- [Manage watchlists in Microsoft Sentinel](/azure/sentinel/watchlists-manage)<br>- [Create automation rules](/azure/sentinel/create-manage-use-automation-rules)<br>- [Create and customize Microsoft Sentinel playbooks from content templates](/azure/sentinel/use-playbook-templates) |
 
 Find Microsoft Sentinel settings in the Defender portal under **System** > **Settings** > **Microsoft Sentinel**.
 

unified-secops-platform/whats-new.md

@@ -7,7 +7,7 @@ ms.subservice: unified-security-operations
 ms.author: bagol
 author: batamig
 ms.localizationpriority: medium
-ms.date: 07/31/2025
+ms.date: 08/20/2025
 manager: orspodek
 audience: ITPro
 ms.collection:
@@ -23,10 +23,19 @@ This article lists recent features added for unified security operations in the
 
 ## August 2025
 
+
 - [Viewing unified RBAC in multitenant management to GA](#viewing-unified-rbac-in-multitenant-management-to-ga)
 - [Tenant groups in multitenant management renamed to distribution profiles](#tenant-groups-in-multitenant-management-renamed-to-distribution-profiles)
 - [Distribute Microsoft Defender for Endpoint security policies with multitenant management](#distribute-microsoft-defender-for-endpoint-security-policies-with-multitenant-management)
 
+### Edit workbooks directly in the Microsoft Defender portal
+
+Now you can create and edit Microsoft Sentinel workbooks directly in the Microsoft Defender portal. This enhancement streamlines your workflow and allows you to manage your workbooks more efficiently and brings the workbook experience more closely aligned with the experience in the Azure portal.
+
+Microsoft Sentinel workbooks are based on Azure Monitor workbooks, and help you visualize and monitor the data ingested to Microsoft Sentinel. Workbooks add tables and charts with analytics for your logs and queries to the tools already available.
+
+Workbooks are available in the Defender portal under **Microsoft Sentinel > Threat management > Workbooks**. For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](/azure/sentinel/monitor-your-data).
+
 ### Viewing unified RBAC in multitenant management to GA
 
 Viewing unified role-based access control (RBAC) in the Microsoft Defender multitenant management portal is now generally available. This feature allows you to view a comprehensive view of permissions and access for your tenants.