MicrosoftDocs
diff --git a/‎ATPDocs/alerts-overview.md‎
Lines changed: 0 additions & 1 deletion b/‎ATPDocs/alerts-overview.md‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎ATPDocs/deploy/configure-windows-event-collection.md‎
Lines changed: 2 additions & 1 deletion b/‎ATPDocs/deploy/configure-windows-event-collection.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎ATPDocs/privacy-compliance.md‎
Lines changed: 1 addition & 1 deletion b/‎ATPDocs/privacy-compliance.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATPDocs/reconnaissance-discovery-alerts.md‎
Lines changed: 0 additions & 19 deletions b/‎ATPDocs/reconnaissance-discovery-alerts.md‎
Lines changed: 0 additions & 19 deletions
diff --git a/‎ATPDocs/remediation-actions.md‎
Lines changed: 16 additions & 0 deletions b/‎ATPDocs/remediation-actions.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎ATPDocs/whats-new.md‎
Lines changed: 17 additions & 0 deletions b/‎ATPDocs/whats-new.md‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎CloudAppSecurityDocs/cas-compliance-trust.md‎
Lines changed: 1 addition & 1 deletion b/‎CloudAppSecurityDocs/cas-compliance-trust.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CloudAppSecurityDocs/editions-cloud-app-security-o365.md‎
Lines changed: 3 additions & 1 deletion b/‎CloudAppSecurityDocs/editions-cloud-app-security-o365.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎defender-endpoint/api/collect-investigation-package.md‎
Lines changed: 3 additions & 7 deletions b/‎defender-endpoint/api/collect-investigation-package.md‎
Lines changed: 3 additions & 7 deletions
diff --git a/‎defender-endpoint/configure-machines-asr.md‎
Lines changed: 1 addition & 1 deletion b/‎defender-endpoint/configure-machines-asr.md‎
Lines changed: 1 addition & 1 deletion
@@ -98,7 +98,6 @@ The following table lists the mapping between alert names, their corresponding u
 | [Suspicious modifications to the AD CS security permissions/settings](persistence-privilege-escalation-alerts.md#suspicious-modifications-to-the-ad-cs-security-permissionssettings--external-id-2435) | 2435                | Medium                                                     | Privilege escalation                                            |
 | [Account Enumeration reconnaissance (LDAP)](reconnaissance-discovery-alerts.md#account-enumeration-reconnaissance-ldap-external-id-2437-preview) (Preview) | 2437 | Medium  | Account Discovery, Domain Account |
 | [Directory Services Restore Mode Password Change](other-alerts.md#directory-services-restore-mode-password-change-external-id-2438) | 2438 | Medium  | Persistence, Account Manipulation |
-| [Honeytoken was queried via SAM-R](reconnaissance-discovery-alerts.md#honeytoken-was-queried-via-sam-r-external-id-2439) | 2439                | Low                                                     | Discovery                                            |
 |[Group Policy Tampering ](/defender-for-identity/other-alerts)|2440|Medium|Defense evasion|
 
 > [!NOTE]
 
@@ -1,7 +1,7 @@
 ---
 title: Configure audit policies for Windows event logs | Microsoft Defender for Identity
 description: This article describes how to configure audit policies for Windows event logs as part of deploying a Microsoft Defender for Identity sensor.
-ms.date: 01/16/2024
+ms.date: 06/04/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
@@ -240,6 +240,7 @@ To configure domain object auditing:
    - **Descendant Computer Objects**
    - **Descendant msDS-GroupManagedServiceAccount Objects**
    - **Descendant msDS-ManagedServiceAccount Objects**
+   - **Descendant msDS-DelegatedManagedServiceAccount Objects**
 
 > [!NOTE]
 > Assigning the auditing permissions on **All descendant objects** would also work, but you need only the object types detailed in the last step.
 
@@ -46,7 +46,7 @@ Your data is kept and is available to you while the license is under grace perio
 
 ## Data sharing
 
-Defender for Identity shares data, including customer data, among any of the following Microsoft products that are also licensed by the customer:
+Defender for Identity shares data, including customer data, among any of the following Microsoft products that are also licensed by the customer. For customers in the Government Community Cloud (GCC), data sharing between government and commercial cloud environments may occur, depending on the location of the service offering.
 
 - Microsoft Defender XDR
 - Microsoft Defender for Cloud Apps
 
@@ -173,25 +173,6 @@ None
 |MITRE attack technique  | [Account Discovery (T1087)](https://attack.mitre.org/techniques/T1087/), [Indirect Command Execution (T1202)](https://attack.mitre.org/techniques/T1202/), [Permission Groups Discovery (T1069)](https://attack.mitre.org/techniques/T1069/)        |
 |MITRE attack sub-technique | [Domain Account (T1087.002)](https://attack.mitre.org/techniques/T1087/002/), [Domain Groups (T1069.002)](https://attack.mitre.org/techniques/T1069/002/)        |
 
-## Honeytoken was queried via SAM-R (external ID 2439)
-
-**Severity**: Low
-
-**Description**:
-
-User reconnaissance is used by attackers to map the directory structure and target privileged accounts for later steps in their attack. The Security Account Manager Remote (SAM-R) protocol is one of the methods used to query the directory to perform this type of mapping.
-In this detection, Microsoft Defender for Identity will trigger this alert for any reconnaissance activities against a pre-configured [honeytoken user](entity-tags.md)
-
-**Learning period**:
-
-None
-
-**MITRE**:
-
-|Primary MITRE tactic  |[Discovery (TA0007)](https://attack.mitre.org/tactics/TA0007/)  |
-|---------|---------|
-|MITRE attack technique  | [Account Discovery (T1087)](https://attack.mitre.org/techniques/T1087/)|
-|MITRE attack sub-technique | [Domain Account (T1087.002)](https://attack.mitre.org/techniques/T1087/002/)|
 
 ## Honeytoken was queried via LDAP (external ID 2429)
 
 
@@ -39,8 +39,24 @@ The following Defender for Identity actions can be performed directly on your on
 
 - **Reset user password** – This will prompt the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.
 
+- **Mark User Compromised** - The user’s risk level is set to High
+
+- **Suspend User in Entra ID** - Block new sign-ins and access to cloud resources
+
+- **Require User to Sign In Again** - Revoke a user’s active sessions
+
 Depending on your Microsoft Entra ID roles, you might see additional Microsoft Entra ID actions, such as requiring users to sign in again and confirming a user as compromised. For more information, see [Remediate risks and unblock users](/entra/id-protection/howto-identity-protection-remediate-unblock).
 
+## Roles and Permissions
+
+| Action | XDR RBAC permissions      |
+| ------------------------------------- | ------------------------------------------------------------ |
+|Mark User Compromised                  | - Global Administrator <br> - Security Administrator|
+|Suspend User in Entra ID               | - Global Administrator |
+|Require User to Sign In Again          | - Global Administrator <br>|
+| Disable/Enable User in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
+| Force Password Reset in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
+
 
 ## Related videos
 
 
@@ -23,6 +23,23 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
+## June 2025
+
+### DefenderForIdentity PowerShell module updates (version 1.0.0.4)
+
+New Features and Improvements:
+- Added remote domain functionality
+- Added SensorType parameter to Test-MDISensorApiConnection to inform endpoint URL.
+- Added ability to Get/Set/Test the Deleted Objects container permissions.
+- Added auditing for Delegated Managed Service Accounts (dMSA) in the DomainObjectAuditing configuration.
+
+Bug Fixes:
+- Fixed audit verification checks for non-English operating systems.
+- Fixed DomainObjectAuditing identity redundant parameter bug.
+- Fixed Domain Controller detection logic to confirm AD Web Services is running on the server.
+- Fixed issue with Test-MDIDSA not parsing Deleted Object permissions.
+- Other reliability fixes.
+
 ## May 2025
 
 ###  Expanded New Sensor Deployment Support for Domain Controllers (Preview)
 
@@ -62,7 +62,7 @@ Your data is kept and is available to you while the license is under grace perio
 
 ## Data sharing for Microsoft Defender for Cloud Apps
 
-Defender for Cloud Apps shares data, including customer data, among the following Microsoft products also licensed by the customer:
+Defender for Cloud Apps shares data, including customer data, among the following Microsoft products also licensed by the customer. For customers in the Government Community Cloud (GCC), data sharing between government and commercial cloud environments may occur, depending on the location of the service offering.
 
 - Microsoft Defender XDR
 - Microsoft Defender for Cloud
 
@@ -26,7 +26,8 @@ Office 365 Cloud App Security includes threat detection based on user activity l
 
 |Capability|Feature|Microsoft Defender for Cloud Apps|Office 365 Cloud App Security|
 |----|----|----|----|
-|Cloud discovery|Discovered apps |31,000 + cloud apps  |750+ cloud apps with similar functionality to Office 365|
+|App Governance|App Governance|Yes||
+|Cloud discovery|Discovered apps |34,000 + cloud apps  |750+ cloud apps with similar functionality to Office 365|
 ||Deployment for discovery analysis|<li> Manual upload <br> <li> Automated upload - Log collector and API <br> <li> Native Defender for Endpoint integration |Manual log upload|
 ||Log anonymization for user privacy|Yes||
 ||Access to full cloud app catalog|Yes||
@@ -52,3 +53,4 @@ Office 365 Cloud App Security includes threat detection based on user activity l
 Read about the basics in [Getting started with Defender for Cloud Apps](./get-started.md).
 
 [!INCLUDE [Open support ticket](includes/support.md)]
+"
@@ -15,19 +15,19 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 03/21/2025
+ms.date: 06/03/2025
 ---
 
 # Collect investigation package API
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)]
 
 **Applies to:**
+
 - [Microsoft Defender for Endpoint Plan 1](../microsoft-defender-endpoint.md)
 - [Microsoft Defender for Endpoint](../microsoft-defender-endpoint.md)
 - [Microsoft Defender XDR](/defender-xdr)
 
-
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
@@ -40,11 +40,7 @@ Collect investigation package from a device.
 
 ## Limitations
 
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-> [!IMPORTANT]
->
-> - These response actions are only available for devices on Windows 10, version  1703 or later, and on Windows 11.
+- Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
 ## Permissions
 
 
@@ -12,7 +12,7 @@ ms.collection:
 - tier2
 - mde-asr
 ms.custom: admindeeplinkDEFENDER
-ms.topic: conceptual
+ms.topic: article
 ms.subservice: asr
 search.appverid: met150
 ms.date: 03/27/2025