Merging changes synced from https://github.com/MicrosoftDocs/defender-docs-pr (branch live)

Author: Learn Build Service GitHub App

ATPDocs/integrate-microsoft-and-pam-services.md

@@ -56,4 +56,6 @@ For more information, see:
 
 [How to integrate Defender for Identity with Delinea](https://docs.delinea.com/online-help/integrations/microsoft/mdi/integrating-mdi.htm)
 
-[How to integrate Defender for Identity with CyberArk](https://community.cyberark.com/marketplace/s/#a35Ht0000018sDVIAY-a39Ht000004GLaEIAW)
+[How to integrate Defender for Identity with CyberArk](https://community.cyberark.com/marketplace/s/#a35Ht0000018sDVIAY-a39Ht000004GLaEIAW)
+
+[How to integrate Defender for Identity with BeyondTrust](https://docs.beyondtrust.com/insights/docs/microsoft-defender)

defender-endpoint/linux-whatsnew.md

@@ -6,7 +6,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.reviewer: kumasumit, gopkr; mevasude
 ms.localizationpriority: medium
-ms.date: 05/13/2025
+ms.date: 05/19/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -101,17 +101,17 @@ What's new
 
 Known Issues
 
-- There's a known issue where MDE is deleting the configuration file located at /etc/system/system/mdatp.service.d on each service start. As a workaround, customers can use the Immutable attribute that prevents the files from being modified or deleted.
+- There's a known issue where MDE is deleting the configuration file located at /etc/systemd/system/mdatp.service.d on each service start. As a workaround, customers can use the Immutable attribute that prevents the files from being modified or deleted.
 
   To set the file to be unmodifiable, execute the following command:
-    
+  
 ```bash
 
   sudo chattr +i /etc/systemd/system/mdatp.service.d/[file name]
   ```
 
- This command makes the file unchangeable. T If you need to restore modification permissions, use the following command:
-  
+ This command makes the file unchangeable. If you need to restore modification permissions, use the following command:
+
   ```bash
 
   sudo chattr -i /etc/systemd/system/mdatp.service.d/[file name]

defender-endpoint/whats-new-in-microsoft-defender-endpoint.md

@@ -7,7 +7,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.reviewer: noamhadash, pahuijbr, yongrhee
 ms.localizationpriority: medium
-ms.date: 05/14/2025
+ms.date: 05/19/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -46,10 +46,6 @@ For more information on what's new with other Microsoft Defender security produc
 - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
 - [What's new in Microsoft Defender Vulnerability Management](/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management)
 
-## May 2025
-
-- (GA) New setting for **"Allow Network Protection On Win Server"** to be able to manage Network Protection for Windows Server 2019 and later in Microsoft Defender for Endpoint Security Settings Management and Microsoft Intune. See [Turn on network protection](/defender-endpoint/enable-network-protection).
-
 ## April 2025
 
 - (Preview) **Contain IP addresses of undiscovered devices**: Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. See [Contain IP addresses of undiscovered devices](respond-machine-alerts.md#contain-ip-addresses-of-undiscovered-devices) for more information.

defender-office-365/defender-for-office-365-whats-new.md

@@ -8,7 +8,7 @@ ms.author: chrisda
 author: chrisda
 manager: deniseb
 ms.localizationpriority: medium
-ms.date: 03/03/2025
+ms.date: 05/19/2025
 audience: ITPro
 ms.collection:
   - m365-security
@@ -39,6 +39,23 @@ For more information on what's new with other Microsoft Defender security produc
 - [What's new in Microsoft Defender for Identity](/defender-for-identity/whats-new)
 - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
 
+## May 2025
+
+- In government cloud environments, :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** replaces the **Message actions** drop down list on the **Email** tab (view) of the details area of the **All email**, **Malware**, or **Phish** views in [Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md):
+  - SecOps personnel can now create tenant-level block entries on URLs and files via the [Tenant Allow/Block List](tenant-allow-block-list-about.md) directly from Threat Explorer.
+  - For 100 or fewer messages selected in Threat Explorer, SecOps personnel can take multiple actions on the selected messages from the same page. For example:
+    - Purge email messages or propose email remediation.
+    - Submit messages to Microsoft.
+    - Trigger investigations.
+    - Crate block entries in the Tenant Allow/Block List.
+  - Actions are contextually based on the latest delivery location of the message, but SecOps personnel can use the **Show all response actions** toggle to allow all available actions.
+  - For 101 or more messages selected, only email purge and propose remediation options are available.
+
+  > [!TIP]
+  > A new panel allows SecOps personnel to look for indicators of compromise at the tenant level, and the block action is readily available.
+
+  For more information, see [Threat hunting: Email remediation](threat-explorer-threat-hunting.md#email-remediation) and  [Remediate Malicious Email: Manual and automated remediation](remediate-malicious-email-delivered-office-365.md#manual-and-automated-remediation).
+
 ## March 2025
 
 - **User reported messages by third-party add-ins can be sent to Microsoft for analysis**: In [user reported settings](submissions-user-reported-messages-custom-mailbox.md), admins can select **Monitor reported messages in Outlook** \> **Use a non-Microsoft add-in button**. In the **Reported message destination** section, select **Microsoft and my reporting mailbox**, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-in are routed to. Microsoft analyzea these reported messages and provides result on the **User reported** tab of **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>.

defender-office-365/remediate-malicious-email-delivered-office-365.md

@@ -14,7 +14,7 @@ ms.localizationpriority: medium
 search.appverid: MET150
 description: Threat remediation
 ms.service: defender-office-365
-ms.date: 03/20/2025
+ms.date: 05/19/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -109,7 +109,7 @@ Open any remediation item to view details about it, including its remediation na
     - **Hard delete**: Purge the deleted message. Admins can recover hard deleted items using single-item recovery. For more information about hard deleted and soft deleted items, see [Soft-deleted and hard-deleted items](/compliance/assurance/assurance-exchange-online-data-deletion#soft-deleted-and-hard-deleted-items).
 
   > [!NOTE]
-  > In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD) admins can take the actions **Soft delete**, **Move to junk folder**, **Move to deleted items**, **Hard delete**, and **Move to inbox**. The actions **Delete sender's copy** and **Move to inbox** from quarantine folder aren't available.
+  > In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD) admins can take the actions **Soft delete**, **Move to junk folder**, **Move to deleted items**, **Hard delete**, and **Move to inbox**. The actions **Delete sender's copy** and **Move to inbox** from quarantine folder aren't available. Also, the action logs are available only at <https://security.microsoft.com/threatincidents>, not in the **Action Center** at <https://security.microsoft.com/action-center>.
   
   Suspicious messages are categorized as either remediable or nonremediable. In most cases, the total of remediable and nonremediable messages equals the total number of messages submitted. But the totals might not match because of system delays, time-outs, or expired messages. Messages expire based on the Explorer retention period for your organization.
 

defender-office-365/threat-explorer-threat-hunting.md

@@ -7,7 +7,7 @@ author: chrisda
 manager: deniseb
 audience: ITPro
 ms.topic: conceptual
-ms.date: 10/01/2024
+ms.date: 05/19/2025
 ms.localizationpriority: medium
 ms.collection:
   - m365-security
@@ -301,6 +301,8 @@ The **Take action** wizard is described in the following list:
    When you're finished on the **Review and submit** page, select **Submit**.
 
 > [!TIP]
+> In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD) admins can take the actions **Soft delete**, **Move to junk folder**, **Move to deleted items**, **Hard delete**, and **Move to inbox**. The actions **Delete sender's copy** and **Move to inbox** from quarantine folder aren't available. Also, the action logs are available only at <https://security.microsoft.com/threatincidents>, not in the **Action Center** at <https://security.microsoft.com/action-center>.
+>
 > The actions might take time for to appear on the related pages, but the speed of the remediation isn't affected.
 
 ## The threat hunting experience using Threat Explorer and Real-time detections

defender-xdr/TOC.yml

@@ -322,8 +322,10 @@
           items:
           - name: Custom detections overview
             href: custom-detections-overview.md
-          - name: Create & manage detection rules
+          - name: Create detection rules
             href: custom-detection-rules.md
+          - name: Manage detection rules
+            href: custom-detection-manage.md            
         - name: Take action on query results
           href: advanced-hunting-take-action.md
         - name: Link query results to an incident

defender-xdr/advanced-hunting-cloudappevents-table.md

@@ -18,7 +18,7 @@ ms.custom:
 - cx-ti
 - cx-ah
 ms.topic: reference
-ms.date: 06/09/2024
+ms.date: 05/15/2025
 ---
 
 # CloudAppEvents
@@ -30,6 +30,15 @@ ms.date: 06/09/2024
 
 The `CloudAppEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about events involving accounts and objects in Office 365 and other [cloud apps and services](#apps-and-services-covered). Use this reference to construct queries that return information from this table.
 
+## Get access
+
+To make sure the `CloudAppEvents` data is populated:
+
+1.  Go to the Defender portal and select **Settings > Cloud apps > App connectors**.
+
+1.  In the Microsoft 365 connector portal, select the **Pull activities** checkbox.
+
+ For detailed instructions, see: [Connect Microsoft 365 to Microsoft Defender for Cloud Apps](/defender-cloud-apps/protect-office-365#prerequisites)
 
 For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
 
@@ -91,7 +100,7 @@ The __CloudAppEvents__ table contains enriched logs from all SaaS applications c
 
 Connect supported cloud apps for instant, out-of-the-box protection, deep visibility into the app's user and device activities, and more. For more information, see [Protect connected apps using cloud service provider APIs](/defender-cloud-apps/protect-connected-apps).
 
-## Related topics
+## Related articles
 
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)

defender-xdr/advanced-hunting-defender-use-custom-rules.md

@@ -123,7 +123,7 @@ The **Analytics rule wizard** appears. Fill up the required details as described
 
 
 ##### Custom detection rules
-You can create custom detection rules that query data from both Microsoft Sentinel and Defender XDR tables. Select **Manage rules > Create custom detection**. Read [Create and manage custom detection rules](custom-detection-rules.md) for more information. 
+You can create custom detection rules that query data from both Microsoft Sentinel and Defender XDR tables. Select **Manage rules > Create custom detection**. Read [Create custom detection rules](custom-detection-rules.md) for more information. 
 
 
 In both custom detection and analytics rule creation, you can only query data ingested as analytics logs (that is, not as basic logs or auxiliary logs. See [log management plans](/azure/sentinel/log-plans#log-management-plans) to check the different tiers) otherwise the rule creation won't proceed.
@@ -133,3 +133,12 @@ If your Defender XDR data is ingested into Microsoft Sentinel, you have the opti
 
 > [!NOTE]
 > If a Defender XDR table is not set up to stream to log analytics in Microsoft Sentinel but is recognized as a standard table in Microsoft Sentinel, an analytics rule can be created successfully but the rule won't run correctly since no data is actually available in Microsoft Sentinel. For these cases, use the custom detection rule wizard instead. 
+
+## Manage custom analytics and detection rules
+
+You can view all your user-defined rules—both custom detection rules and analytics rules—in the **Detection rules** page. Read [Manage custom detections](custom-detection-manage.md) for more details.
+
+
+
+For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the **Workspace ID** column and filter by workspace. 
+   

defender-xdr/custom-detection-manage.md

@@ -0,0 +1,97 @@
+---
+title: Manage custom detection rules in Microsoft Defender XDR
+description: Learn how to manage custom detections rules based on advanced hunting queries.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords:
+  - NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+  - m365-security
+  - m365initiative-m365-defender
+  - tier2
+ms.custom:
+- cx-ti
+- cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.topic: how-to
+ms.date: 05/07/2025
+---
+
+# Manage existing custom detection rules
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+You can view the list of existing custom detection rules, check their previous runs, and review the alerts that were triggered. You can also run a rule on demand and modify it.
+
+> [!TIP]
+> Alerts raised by custom detections are available over alerts and incident APIs. For more information, see [Supported Microsoft Defender XDR APIs](api-supported.md).
+
+For users who have onboarded a Microsoft Sentinel workspace to the unified Microsoft Defender portal, the custom detection rules list includes [analytics rules](advanced-hunting-defender-use-custom-rules.md#analytics-rules). The following sections also apply to analytics rules unless otherwise indicated.
+
+### View existing rules
+
+To view your existing custom detection rules and analytics rules, navigate to **Hunting** > **Custom detection rules**. 
+
+:::image type="content" source="/defender/media/unified-custom-det-list-tb.png" alt-text="Screenshot of the Custom detection rules page in the Microsoft Defender portal." lightbox="/defender/media/unified-custom-det-list.png":::
+
+You can filter for any column by going to **Add filter**, selecting the columns you want to filter for, and selecting **Add**. For each of the chosen columns, select the corresponding pill beside **Filters:**, select the columns, then **Apply**.
+
+To search for specific rules, go to the search box in the upper right of the page and enter the name or rule ID of the rule you are looking for.
+
+For multiworkspace organizations that onboarded multiple workspaces to Microsoft Defender, you can filter for workspaces using the columns **Workspace ID** or **Workspace name**. 
+
+The page lists all the rules with the following run information:
+
+- **Last run** - When a rule was last run to check for query matches and generate alerts
+- **Last run status** - Whether a rule ran successfully (for custom detection rules only)
+- **Next run** - The next scheduled run
+- **Status** - Whether a rule has been turned on or off
+
+### View rule details, modify rule, and run rule
+
+To view comprehensive information about a custom detection rule or an analytics rule, go to **Hunting** > **Custom detection rules** and then select the name of rule. You can then view general information about the rule, including information, its run status, and scope. The page also provides the list of triggered alerts and actions.
+
+:::image type="content" source="/defender/media/custom-detect-rules-view.png" alt-text="Screenshot of the Custom detection rule details page in the Microsoft Defender portal." lightbox="/defender/media/custom-detect-rules-view.png":::
+
+You can also take the following actions on the rule from this page:
+
+- **Open detection rule page** - opens the detection rule page to view triggered alerts and review actions (for custom detection rules only)
+- **Run** - runs the rule immediately; this also resets the interval for the next run (for custom detection rules only)
+- **Edit** - allows you to modify the rule without changing the query
+- **Modify query** - allows you to edit the query in advanced hunting
+- **Turn on** / **Turn off** - allows you to enable the rule or stop it from running
+- **Delete** - allows you to turn off the rule and remove it
+
+#### View and manage triggered alerts 
+
+In the rule details screen (**Hunting** \> **Custom detections** \> **[Rule name]**), go to  **Triggered alerts**, which lists the alerts generated by matches to the rule. Select an alert to view detailed information about it and take the following actions:
+
+- Manage the alert by setting its status and classification (true or false alert)
+- Link the alert to an incident
+- Run the query that triggered the alert on advanced hunting
+
+#### Review actions
+
+In the rule details screen (**Hunting** \> **Custom detections** \> **[Rule name]**), go to **Triggered actions**, which lists the actions taken based on matches to the rule.
+
+> [!TIP]
+> To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
+
+
+## See also
+
+- [Custom detections overview](custom-detections-overview.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the advanced hunting query language](advanced-hunting-query-language.md)
+- [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md)
+- [Microsoft Graph security API for custom detections](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true#custom-detections)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]