Commit 5e4209c

Learn Build Service GitHub App authored and committed
Merging changes synced from https://github.com/MicrosoftDocs/defender-docs-pr (branch live)
2 parents 28064b3 + bc7c18b commit 5e4209c

22 files changed

+179
-84
lines changed

CloudAppSecurityDocs/applications-inventory.md

Lines changed: 4 additions & 4 deletions
Original file line number | Diff line number | Diff line change
@@ -7,17 +7,17 @@ description: The new Applications page located under Assets in Microsoft Defende
77
---
88
# Applications inventory (Preview)
99

10-
Protecting your SaaS ecosystem requires taking inventory of all SaaS and OAuth connected apps that are in your environment. With the increasing number of applications, having a comprehensive inventory is crucial to ensure security and compliance. The Defender for Cloud apps Applications page provides a centralized view of all SaaS and connected OAuth apps in your organization, enabling efficient monitoring and management.
10+
Protecting your SaaS ecosystem requires taking inventory of all SaaS and connected OAuth apps that are in your environment. With the increasing number of applications, having a comprehensive inventory is crucial to ensure security and compliance. The Applications page provides a centralized view of all SaaS and connected OAuth apps in your organization, enabling efficient monitoring and management.
1111
At a glance you can see information such as app name, risk score, privilege level, publisher information, and other details for easy identification of SaaS and OAuth apps most at risk.
1212

13-
The Application page includes the following tabs:
13+
The Applications page includes the following tabs:
1414

1515
* SaaS apps: A consolidated view of all SaaS applications in your network. This tab highlights key details, including app name, status (unprotected/protected app) and whether the app is marked as sanctioned or unsanctioned.
16-
* OAuth apps: Displays a list of OAuth apps such as Microsoft Entra ID, Google workspace and Salesforce.
16+
* OAuth apps: A comprehensive view of OAuth apps registered on Microsoft Entra ID, Google workspace and Salesforce. This tab highlights OAuth apps metadata, publisher info and app origin, permissions used, data accessed and other insights.
1717

1818
## Navigate to the Applications page
1919

20-
In the Defender portal at <https://security.microsoft.com>, go to **Assets** \> **Applications**. Or, to go directly to the **Applications** page, by clicking on the banner links on the existing Cloud discovery and App governance pages.
20+
In the Defender portal at <https://security.microsoft.com>, go to **Assets** > **Applications**. Or, go directly to the **Applications** page, by clicking on the banner links on the existing Cloud discovery and App governance pages.
2121

2222
:::image type="content" source="media/banner-on-cloud-discovery-pages.png" alt-text="Screenshot of the Cloud Discovery page with a banner about the new unified application inventory experience" lightbox="media/banner-on-cloud-discovery-pages.png":::
2323
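Review bot: In the rewritten OAuth apps bullet, "Google workspace" should be capitalized as "Google Workspace", and "OAuth apps metadata" reads more naturally as "OAuth app metadata". In the navigation paragraph the new sentence still has a stray comma ("Or, go directly to the **Applications** page, by clicking on the banner links"); suggest "Or go directly to the **Applications** page by selecting the banner links on the existing Cloud discovery and App governance pages."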

CloudAppSecurityDocs/protect-aws.md

Lines changed: 1 addition & 2 deletions
@@ -161,8 +161,7 @@ You can connect AWS **Security auditing** to Defender for Cloud Apps connections
161161
**For an existing connector**
162162

163163
1. In the list of connectors, on the row in which the AWS connector appears, select **Edit settings**.
164-
165-
![Screenshot of the Connected Apps page, showing edit Security Auditing link.](media/aws-connect-app-edit-audit.png)
164+
166165

167166
1. On the **Instance name** and **Connect Amazon Web Services** pages, select **Next**. On the **Security auditing page**, paste the **Access key** and **Secret key** from the .csv file into the relevant fields, and select **Next**.
168167

CloudAppSecurityDocs/protect-gcp.md

Lines changed: 3 additions & 4 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Protect your Google Cloud Platform environment | Microsoft Defender for Cloud Apps
33
description: Learn how about connecting your Google Cloud Platform app to Defender for Cloud Apps using the API connector.
4-
ms.date: 12/05/2023
4+
ms.date: 03/04/2025
55
ms.topic: how-to
66
---
77
# How Defender for Cloud Apps helps protect your Google Cloud Platform (GCP) environment
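Review bot: The front matter description on line 3 still reads "Learn how about connecting your Google Cloud Platform app", and this hunk refreshes ms.date without fixing it. Suggest "Learn about connecting your Google Cloud Platform app to Defender for Cloud Apps using the API connector." in the same change.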
@@ -47,7 +47,8 @@ For more information about remediating threats from apps, see [Governing connect
4747

4848
## Protect GCP in real time
4949

50-
Review our best practices for [securing and collaborating with external users](best-practices.md#secure-collaboration-with-external-users-by-enforcing-real-time-session-controls) and [blocking and protecting the download of sensitive data to unmanaged or risky devices](best-practices.md#block-and-protect-download-of-sensitive-data-to-unmanaged-or-risky-devices).
50+
Review our best practices for [securing and collaborating with external users](best-practices.md#secure-collaboration-with-external-users-by-enforcing-real-time-session-controls) and [
51+
blocking and protecting the download of sensitive data to unmanaged or risky devices](best-practices.md#block-and-protect-download-of-sensitive-data-to-unmanaged-or-risky-devices).
5152

5253
## Connect Google Cloud Platform to Microsoft Defender for Cloud Apps
5354
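Review bot: The new line break on lines 50-51 falls inside the link text, right after the opening "[" of the second link, so the link label now starts on a new line with no change in content. This looks accidental; rejoin the two lines, or break before the "[" if wrapping is wanted.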

@@ -167,8 +168,6 @@ This procedure describes how to add the GCP connection details to connect Google
167168

168169
1. In the list of connectors, on the row in which the GCP connector appears, select **Edit settings**.
169170

170-
![Screenshot of the Connected Apps page, showing edit Security Auditing link.](media/connect-gcp-app-edit-audit.png)
171-
172171
1. In the **Enter details** page, do the following, and then select **Submit**.
173172
1. In the **Organization ID** box, enter the organization you made a note of earlier.
174173
1. In the **Private key file** box, browse to the JSON file you downloaded earlier.

CloudAppSecurityDocs/protect-zoom.md

Lines changed: 7 additions & 2 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Connect Zoom | Microsoft Defender for Cloud Apps
33
description: This article provides information about how to connect your Zoom environment to Defender for Cloud Apps using the API connector for visibility and control over use.
4-
ms.date: 06/18/2023
4+
ms.date: 03/04/2025
55
ms.topic: how-to
66
---
77

@@ -20,7 +20,7 @@ To see security posture recommendations for Zoom in Microsoft Secure Score, crea
2020
For example, recommendations for Zoom include:
2121

2222
- *Enable multi-factor authentication (MFA)*
23-
- *Enable session timeout for web users*
23+
- Enable session timeout for web users
2424
- *Enforce end to end encryption in all Zoom meetings*
2525

2626
If a connector already exists and you don't see Zoom recommendations yet, refresh the connection by disconnecting the API connector, and then reconnecting it with the `“account:read:admin`, `chat_channel:read:admin` and `user:read:admin”` permissions.
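Review bot: Dropping the italics on line 23 leaves "Enable session timeout for web users" as the only unformatted item in a list whose other two recommendations are still italic. Either restore the asterisks or remove them from all three items. Separately, the context line about reconnecting has typographic quotes inside the code spans (`“account:read:admin` and `user:read:admin”`), so a reader copying the scope names picks up the quote characters; worth fixing while this file is open.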
@@ -39,6 +39,11 @@ Before connecting Zoom to Defender for Cloud Apps, make sure that you have the f
3939

4040
The admin account is used only for initial consent while connecting Zoom to Defender for Cloud Apps. Defender for Cloud Apps uses an OAuth app for daily transactions.
4141

42+
>[!NOTE]
43+
> The authentication mechanism utilized in the Zoom connector doesn't support two separate connectors utilizing the same user credentials.<br>
44+
>
45+
> When a new instance with an existing authentication token is used, this revokes the old connector token and will cause a "Bad credentials" error.
46+
4247
## How to connect Zoom to Defender for Cloud Apps
4348

4449
1. Sign into Zoom as an account owner or admin.
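Review bot: In the added note (lines 42-45), "When a new instance with an existing authentication token is used" does not say which connector ends up broken or what the reader should do about it. Suggest stating it directly, for example: "If you create a second connector with the same Zoom user credentials, the first connector's token is revoked and that connector fails with a "Bad credentials" error. Use a separate Zoom admin account for each connector." Also write the marker as "> [!NOTE]" with a space, as prerequisites.md does in this commit, and drop the "<br>" since the empty ">" line already separates the two paragraphs.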

CloudAppSecurityDocs/release-notes.md

Lines changed: 0 additions & 1 deletion
@@ -22,7 +22,6 @@ For news about earlier releases, see [Archive of past updates for Microsoft Defe
2222

2323
## April 2025
2424

25-
2625
### OAuthAppInfo table added to Defender XDR advanced hunting (Preview)
2726

2827
The [OAuthAppInfo](/defender-xdr/advanced-hunting-oauthappinfo-table) table is now available in Defender XDR advanced hunting, enabling security teams to explore and analyze OAuth app-related metadata with enhanced visibility.

defender-xdr/alerts-incidents-correlation.md

Lines changed: 6 additions & 2 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Alert correlation and incident merging in the Microsoft Defender portal
3-
description: Learn how alerts are correlated, and how and why incidents may be merged, in the Microsoft Defender portal.
3+
description: Learn how alerts are correlated, and how and why incidents might be merged, in the Microsoft Defender portal.
44
ms.service: defender-xdr
55
f1.keywords:
66
- NOCSH
@@ -18,7 +18,7 @@ ms.topic: conceptual
1818
search.appverid:
1919
- MOE150
2020
- MET150
21-
ms.date: 02/02/2025
21+
ms.date: 03/17/2025
2222
appliesto:
2323
- Microsoft Defender XDR
2424
- Microsoft Sentinel in the Microsoft Defender portal
@@ -37,6 +37,10 @@ When alerts are generated by the various detection mechanisms in the Microsoft D
3737

3838
The criteria used by the Defender portal to correlate alerts together in a single incident are part of its proprietary, internal correlation logic. This logic is also responsible for giving an appropriate name to the new incident.
3939

40+
### Alert correlation by workspace
41+
42+
The Defender portal allows you to connect to one primary workspace and multiple secondary workspaces for Microsoft Sentinel. A primary workspace's alerts are correlated with Microsoft Defender XDR data. So, incidents include alerts from Microsoft Sentinel's primary workspace and Defender XDR in a unified queue. All other onboarded workspaces are considered secondary workspaces. For secondary workspaces, incidents are created based on the workspace’s data and won't include Defender XDR data. The Defender portal keeps incident creation and alert correlation separate between the Microsoft Sentinel workspaces. For more information, see [Multiple Microsoft Sentinel workspaces in the Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2310579).
43+
4044
### Manual correlation of alerts
4145

4246
While Microsoft Defender already uses advanced correlation mechanisms, you might want to decide differently whether a given alert belongs with a particular incident or not. In such a case, you can unlink an alert from one incident and link it to another. Every alert must belong to an incident, so you can either link the alert to another existing incident, or to a new incident that you create on the spot.
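Review bot: The added section on lines 40-42 puts its key operational limit, that incidents from secondary workspaces "won't include Defender XDR data", in the middle of a dense paragraph. Analysts triaging a secondary workspace need to know they will not see correlated Defender XDR alerts there, so consider moving that sentence into a "> [!NOTE]" callout or splitting the paragraph into primary and secondary workspace behavior. Minor: "workspace’s" uses a typographic apostrophe while "won't" in the same sentence uses a straight one.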

defender-xdr/prerequisites.md

Lines changed: 3 additions & 2 deletions
@@ -16,7 +16,7 @@ ms.topic: conceptual
1616
search.appverid:
1717
- MOE150
1818
- MET150
19-
ms.date: 02/04/2025
19+
ms.date: 04/03/2025
2020
appliesto:
2121
- Microsoft Defender XDR
2222
---
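Review bot: ms.date on line 19 becomes 04/03/2025, while protect-gcp.md and protect-zoom.md in this same commit are set to 03/04/2025. Please confirm this is meant as April 3 in mm/dd/yyyy and not a transposed March 4.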
@@ -52,7 +52,8 @@ Any of these licenses give you access to Microsoft Defender XDR features via the
5252
For more information, [view the Microsoft 365 Enterprise service plans](https://www.microsoft.com/licensing/product-licensing/microsoft-365-enterprise).
5353

5454
> [!NOTE]
55-
> Automatic attack disruption requires Microsoft Defender for Endpoint Plan 2. For more information, see [Configure automatic attack disruption capabilities](configure-attack-disruption.md).
55+
> - Automatic attack disruption requires Microsoft Defender for Endpoint Plan 2. For more information, see [Configure automatic attack disruption capabilities](configure-attack-disruption.md).
56+
> - Threat analytics also requires Defender for Endpoint Plan 2. For more information, see [Threat analytics in Microsoft Defender XDR](threat-analytics.md).
5657
5758
> Don't have license yet? [Try or buy a Microsoft 365 subscription](/microsoft-365/commerce/try-or-buy-microsoft-365)
5859