Merge pull request #4931 from DeCohen/WI486581-mdi-detection-updates-reduce-alert-noise

release note- Updates to multiple detections to reduce noise and impr…

Author: Ruchika-mittal01

ATPDocs/whats-new.md

@@ -25,22 +25,46 @@ For updates about versions and features released six months ago or earlier, see
 
 ## September 2025
 
+### Updates to multiple detections to reduce noise and improve alert accuracy
+
+Several Defender for Identity detections are being updated to reduce noise and improve accuracy, making alerts more reliable and actionable. As the rollout continues, you may see a decrease in the number of alerts raised.
+
+The improvements will gradually take effect across the following detections:
+
+- Suspicious communication over DNS
+
+- Suspected Netlogon privilege elevation attempt (CVE-2020-1472)
+
+- Honeytoken authentication activity
+
+- Remote code execution attempt over DNS
+
+- Suspicious password reset by Microsoft Entra Connect account
+
+- Data exfiltration over SMB
+
+- Suspected skeleton key attack (encryption downgrade)
+
+- Suspicious modification of Resource Based Constrained Delegation by a machine account
+
+- Remote code execution attempt
+
 ### Unified connectors is now available for Okta Single Sign-On connectors (Preview)
 
 Microsoft Defender for Identity supports the [Unified connectors](/azure/sentinel/unified-connector) experience, starting with the Okta Single Sign-On connector. This enables Defender for Identity to collect Okta system logs once and share them across supported Microsoft security products, reducing API usage and improving connector efficiency.
 
-For more information see: [Connect Okta to Microsoft Defender for Identity (Preview)](okta-integration.md)
+For more information, see: [Connect Okta to Microsoft Defender for Identity (Preview)](okta-integration.md)
 
 
 ## August 2025
 
 ### Microsoft Entra ID risk level is now available in near real time in Microsoft Defender for Identity (Preview)
 
-Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in Advanced Hunting, and includes the Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context.
+Microsoft Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in Advanced Hunting, and includes the Microsoft Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context.
 
-Previously, Defender for Identity tenants received Entra ID risk level in the IdentityInfo table through user and entity behavior analytics (UEBA). With this update, the Entra ID risk level is now updated in near real time through Microsoft Defender for Identity.
+Previously, Defender for Identity tenants received Microsoft Entra ID risk level in the IdentityInfo table through user and entity behavior analytics (UEBA). With this update, the Microsoft Entra ID risk level is now updated in near real time through Microsoft Defender for Identity.
 
-For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Entra ID risk level to the IdentityInfo table remains unchanged.
+For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Microsoft Entra ID risk level to the IdentityInfo table remains unchanged.
 
 ### New security assessment: Remove stale service accounts (Preview)
 
@@ -478,7 +502,7 @@ Defender for Identity added the new **Edit insecure ADCS certificate enrollment
 
 Active Directory Certificate Services (AD CS) supports certificate enrollment through various methods and protocols, including enrollment via HTTP using the Certificate Enrollment Service (CES) or the Web Enrollment interface (Certsrv). Insecure configurations of the CES or Certsrv IIS endpoints might create vulnerabilities to relay attacks (ESC8).
 
-The new **Edit insecure ADCS certificate enrollment IIS endpoints (ESC8)** recommendation is added to other AD CS-related recommendations recently released. Together, these assessments offer security posture reports that surface security issues and severe misconfigurations that post risks to the entire organization, together with related detections.
+The new **Edit insecure ADCS certificate enrollment IIS endpoints (ESC8)** recommendation is added to other AD CS-related recommendations recently released. Together, these assessments offer security posture reports that surface security issues and severe misconfigurations that pose risks to the entire organization, together with related detections.
 
 For more information, see: