Merge branch 'main' into WI473943-account-view-manual-account-correlation

Author: DeCohen

.github/workflows/AutoLabelAssign.yml

@@ -26,7 +26,7 @@ jobs:
         name: Run assign and label
         if: github.repository_owner == 'MicrosoftDocs'
         needs: [download-payload]
-        uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelAssign.yml@workflows-prod
+        uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelAssign.yml@workflows-test
         with:
             PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
             AutoAssignUsers: 1

defender-endpoint/indicators-overview.md

@@ -158,7 +158,7 @@ If indicators are synced to the Defender portal from Microsoft Defender for Clou
 
 ## Known issues and limitations
 
-Microsoft Store apps can't be blocked by Microsoft Defender because they're signed by Microsoft.
+Microsoft apps can't be blocked by Microsoft Defender because they're signed by Microsoft.
 
 Customers might experience issues with alerts for IoCs. The following scenarios are situations where alerts aren't created or are created with inaccurate information. 
 

defender-endpoint/linux-install-manually.md

@@ -95,6 +95,9 @@ In order to preview new features and provide early feedback, it's recommended th
    > [!NOTE]
    > For your distribution and version, identify the closest entry for it (by major, then minor) under `https://packages.microsoft.com/config/rhel/`.
 
+   > [!TIP]
+   > Online Kernel patching tools, such as Ksplice or similar, can lead to unpredictable OS stability if Defender for Endpoint is running. It's recommended to temporarily stop the Defender for Endpoint daemon before performing online Kernel patching. After the Kernel is updated, Defender for Endpoint on Linux can be safely restarted. This action is especially important for systems running Oracle Linux.
+
 3. In the following commands, replace *[version]* and *[channel]* with the information you've identified:
 
    ```bash

defender-endpoint/linux-whatsnew.md

@@ -55,7 +55,7 @@ This article is updated frequently to let you know what's new in the latest rele
 
 What's new
 
-- Added support for CentOS Stream 9, CentOS Stream 10 and RHEL 10.
+- Added support for RHEL 10.
 
 - Enhanced engine resiliency through automatic error recovery, preventing excessive logging and minimizing downtime to improve overall reliability.
 

defender-for-cloud-apps/ai-agent-inventory.md

@@ -0,0 +1,78 @@
+---
+title: Discover and detect threats using the AI agents inventory (Preview)
+ms.author: abbyweisberg
+author: AbbyMSFT
+description: Learn how to view all of the AI Agents in your organization using Microsoft Defender.
+ms.date: 11/02/2025
+ms.topic: how-to
+ms.service: defender-for-cloud-apps
+ms.reviewer: gayasalomon
+#customer-intent: As a security administrator, I want view all of the AI Agents in my organization, and detect threats on my AI agents using advanced hunting.
+---
+
+# Discover and protect your AI Agents (Preview)
+
+Microsoft Defender detects all Copilot Studio custom AI agents in your tenant and provides tools to identify misconfigured or potentially risky agents, and collects data from Copilot Studio for use in [advanced hunting](/defender-xdr/advanced-hunting-overview).
+
+## Prerequisites
+To enable AI agent inventory and detection you must opt in to the [Microsoft Defender preview features](https://security.microsoft.com/securitysettings/defender/preview_features) of:
+- Microsoft Defender for Cloud Apps
+- Microsoft Defender for Cloud
+- Microsoft Defender XDR
+
+## Enable the Copilot Studio AI agent inventory
+
+> [!NOTE]
+> The onboarding process for the AI agent inventory requires collaboration with Power Platform administrators.
+
+To enable the Copilot Studio AI agent inventory, follow these steps:
+
+1. **Sign in to the [Microsoft Defender portal](https://security.microsoft.com)** as the System Administrator.
+1. Go to **System > Settings > Cloud Apps > Copilot Studio AI Agents**.
+1. Turn on **Copilot Studio AI Agents**. Enabling Copilot Studio AI Agents confirms that you read the disclaimer and agree to use the Microsoft Defender AI agent protection features. 
+
+    :::image type="content" source="media/protect-ai-agents/copilot-studio-ai-agents-button.png" alt-text="Screenshot of the Copilot Studio AI Agent configuration toggle.":::
+
+1. Work together with the Power Platform administrator to complete these steps in the [Power Platform Portal](https://admin.preview.powerplatform.microsoft.com/security/threatdetection):
+    1. Go to **Security** -> **Threat Protection**. 
+    1. Select **Microsoft Defender - Copilot Studio AI Agents**.
+    1. Turn on **Enable Microsoft Defender - Copilot Studio AI Agents**.
+
+When Copilot Studio AI Agents are connected, a green indicator appears in the **AI Agents Inventory** section in the Microsoft Defender system settings. It can take up to 30 minutes for the initial connection status to update. Depending on the size and complexity of your environment, it might take longer to see the full deployment of the AI agent inventory.
+
+
+## Identify misconfigured or risky AI agents using advanced hunting
+
+After you give Microsoft Defender access to your custom agents, you can use advanced hunting to help identify misconfigured or risky agents and minimize organizational exposure to potential threats.
+We recommend that you reach out to the owners of the risky agents for more information, and that you consider quarantining or deleting risky agents.
+
+1. Sign in to the Defender portal, and go **Investigation & response** -> **Hunting** -> **Advanced hunting**.
+1. In the **Apps & identities** section, the [AIAgentsInfo table](/defender-xdr/advanced-hunting-aiagentsinfo-table) contains data for all your custom AI agents created using Copilot Studio. You can use this data to create custom queries.
+
+### Sample queries
+
+Run this query to get a list of all the agents in your tenant:
+
+```kusto
+    AIAgentsInfo 
+    | summarize arg_max(Timestamp, *) by AIAgentId
+```
+
+Run this query to identify all published agents that are configured with an incorrect authentication mechanism: 
+
+```kusto
+    AIAgentsInfo
+    | summarize arg_max(Timestamp, *) by AIAgentId 
+    | where AgentStatus != "Deleted"  
+    | where AgentStatus == "Published" 
+    | where UserAuthenticationType == "None" or AuthenticationTrigger == "As Needed"  
+    | project-reorder AgentCreationTime ,AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns
+```
+
+ 
+See [Proactively hunt for threats with advanced hunting in Microsoft Defender](/defender-xdr/advanced-hunting-overview) to learn how to use queries to proactively hunt for threats.
+
+ ## Related articles
+ 
+ - [Protect your Copilot Studio custom AI Agents (Preview)](ai-agent-protection.md)
+ - [Enable real-time protection for Microsoft Copilot Studio Agents](real-time-agent-protection-during-runtime.md)  

defender-for-cloud-apps/ai-agent-protection.md

@@ -0,0 +1,31 @@
+---
+title: Protect your Microsoft Copilot Studio AI agents (Preview)
+description: Learn how to enable and manage AI Agent protection for Microsoft Copilot Studio AI agents using Microsoft Defender.
+ms.date: 11/02/2025
+ms.topic: how-to
+ms.service: defender-for-cloud-apps
+ms.reviewer: gayasalomon
+#customer-intent: As a security administrator, I want my Copilot Studio AI agents to be protected against suspicious or harmful actions so that I can reduce security risks to my organization.
+---
+
+# Protect your Microsoft Copilot Studio AI agents (Preview)
+
+As No code/Low code platforms become increasingly accessible, organizations face new types of security risks. These platforms empower non-technical users to build and deploy custom agents without centralized security review or controls in place. Attackers can attempt to manipulate these agents by:
+- Injecting malicious prompts
+- Triggering unintended tool executions
+- Exploiting data sources to escalate privileges or exfiltrate data.
+
+## AI agent protection features
+
+Microsoft Defender addresses critical security gaps with comprehensive AI agent protection that includes proactive exposure, threat hunting, real time protection, and alerts. With AI agent protection, Microsoft Defender:
+
+- Detects all of your custom AI agents created with Microsoft Copilot Studio, and integrates their data into advanced hunting for proactive threat detection. You can use this data to create custom queries and hunt for potential threats. See [Copilot Studio AI agent inventory (Preview)](ai-agent-inventory.md) to learn how to set up and make use of the AI agent inventory.
+- Collects audit logs for your custom AI agents created with Copilot Studio, continuously monitors the agents for suspicious activity, and enables detections and alerts. To enable this monitoring, make sure that you:
+    - [Enable the AI agent inventory](ai-agent-inventory.md#enable-the-copilot-studio-ai-agent-inventory).
+    - [Enable the Microsoft 365 app connector](protect-office-365.md#connect-microsoft-365-to-microsoft-defender-for-cloud-apps).
+- Provides real-time protection to block suspicious or harmful actions initiated by your AI agents, and triggers an informative alert integrated into the XDR incidents and alerts environment. See [Enable real-time protection for Microsoft Copilot Studio Agents](real-time-agent-protection-during-runtime.md) to learn how to set up real-time protection.
+
+## Related articles
+
+- [Discover and protect your Copilot Studio custom AI Agents (Preview)](ai-agent-inventory.md)
+- [Enable real-time protection for Microsoft Copilot Studio Agents](real-time-agent-protection-during-runtime.md)    

defender-for-cloud-apps/app-governance-get-started.md

@@ -64,6 +64,8 @@ You must have at least one of these roles to turn on app governance:
 - Compliance Admin  
 - Compliance Data Admin
 - Cloud App Security Admin
+  > [!NOTE]
+  > The Cloud App Security Admin role grants permissions turn on app governance for Microsoft Defender for Cloud Apps. However, this role doesn't grant access to view or manage app governance capabilities. To view or manage app governance capabilities, you must also have one of the other roles listed in the table  below.
 
 The following table lists the app governance capabilities for each role.