
Commit 68189ca

Merge branch 'main' into poliveria-dex-licensing-07012025
2 parents 87836f9 + d45bdc0 commit 68189ca

43 files changed

+354
-184
lines changed


ATPDocs/investigate-assets.md

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
title: Investigate assets
33
description: This article explains how to investigate suspicious users, computers, and devices with Microsoft Defender for Identity.
4-
ms.date: 01/17/2024
4+
ms.date: 07/01/2025
55
ms.topic: how-to
66
ms.reviewer: LiorShapiraa
77
---
@@ -46,8 +46,7 @@ Find identity information in the following Microsoft Defender XDR areas:
4646

4747
For example, the following image shows the details on an identity details page:
4848

49-
![Screenshot of a specific user's page in the Microsoft Defender portal.](media/investigate-assets/image.png)
50-
49+
:::image type="content" source="media/investigate-assets/investigate-assets.png" alt-text="Screenshot that shows a specific user's page in the Microsoft Defender portal." lightbox="media/investigate-assets/investigate-assets.png":::
5150

5251

5352
### Identity details
@@ -57,7 +56,7 @@ When you investigate a specific identity, you'll see the following details on an
5756

5857
|Identity details page area |Description |
5958
|---------|---------|
60-
|[Overview tab](/microsoft-365/security/defender/investigate-users#overview) | General identity data, such as the Microsoft Entra identity risk level, the number of devices the user is signed in to, when the user was first and last seen, the user's accounts and more important information. <br><br>Use the **Overview** tab to also view graphs for incidents and alerts, the investigation priority score, an organizational tree, entity tags, and a scored activity timeline. |
59+
|[Overview tab](/microsoft-365/security/defender/investigate-users#overview) | General identity data, such as the Microsoft Entra identity risk level, the number of devices the user is signed in to, when the user was first and last seen, the user's accounts and more important information. <br><br>Use the **Overview** tab to also view graphs for incidents and alerts, and an organizational tree, entity tags. |
6160
|[Incidents and alerts](/microsoft-365/security/defender/investigate-users#incidents-and-alerts) | Lists active incidents and alerts involving the user from the last 180 days, including details like alert severity and the time the alert was generated. |
6261
|[Observed in organization](/microsoft-365/security/defender/investigate-users#observed-in-organization) | Includes the following sub-areas: <br>- **Devices**: The devices that the identity signed in to, including most and least used in the last 180 days. <br>- **Locations**: The identity's observed locations over the last 30 days. <br>- **Groups**: All observed on-premises groups for the identity. <br> - **Lateral movement paths** - all profiled lateral movement paths from the on-premises environment. |
6362
|[Identity timeline](/microsoft-365/security/defender/investigate-users#timeline) | The timeline represents activities and alerts observed from a user's identity from the last 180 days, unifying identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. <br><br>Use the timeline to focus on activities a user performed or were performed on them in specific timeframes. Select the default **30 days** to change the time range to another built-in value, or to a custom range. |
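Review bot: the rewritten Overview tab row is left ungrammatical after the investigation priority score and the scored activity timeline were cut: "view graphs for incidents and alerts, and an organizational tree, entity tags." Suggest "Use the **Overview** tab to also view graphs for incidents and alerts, an organizational tree, and entity tags." Also worth a grep for any remaining "investigation priority" mention in this page and the pages it links to (investigate-users#overview), since this commit retires the score everywhere else.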

ATPDocs/migrate-from-ata-overview.md

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,6 @@ In contrast to the ATA sensor, the Defender for Identity sensor also uses data s
2727

2828
- Support for [multi-forest environments](deploy/multi-forest.md)
2929
- [Microsoft Secure Score posture assessments](/defender-for-identity/security-assessment)
30-
- [UEBA capabilities](/cloud-app-security/tutorial-ueba)
3130
- Direct integrations with other services like Microsoft Defender for Cloud Apps and Microsoft Entra for a hybrid view of what's taking place in both on-premises and hybrid environments
3231
- And more
3332
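Review bot: removing the UEBA bullet is consistent with the retirement of investigation priority scoring elsewhere in this commit, but the same /cloud-app-security/tutorial-ueba link is only also removed from technical-faq.yml here; check that no other page under ATPDocs still links to that tutorial or describes user investigation priority scoring, otherwise readers will hit a dead or contradictory reference.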

ATPDocs/ops-guide/ops-guide-daily.md

Lines changed: 0 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -52,35 +52,6 @@ For more information, see [Work with Defender for Identity's ITDR dashboard (Pre
5252

5353
1. When the incident is remediated, resolve it to resolve all linked and related active alerts and set a classification.
5454

55-
## Investigate users with a high investigation score
56-
57-
**Where**: In Microsoft Defender XDR and in Microsoft Entra.
58-
59-
In Microsoft Defender XDR:
60-
61-
1. Check the **Users at risk** widget on the **Home** page or the **Entra ID users at risk** on the **Identities > Dashboard** page.
62-
63-
1. If you have users listed at *High risk*:
64-
65-
- Select **View all users** to review high risk identities in Microsoft Entra.
66-
- Go to the **Identities** page and sort the grid to view users with high **Investigation priority** scores at the top. Select an identity to view the identity details page, including more details in the **Investigation priority** widget.
67-
68-
The investigation priority widget includes the calculated investigation priority score breakdown and a two-week trend for an identity, including whether the identity score is on the high percentile for that tenant.
69-
70-
Find more identity-related information on:
71-
72-
- Individual alert or incident details pages
73-
- Device details pages
74-
- Advanced hunting queries
75-
- The Action center page
76-
77-
**Persona**: SOC analysts
78-
79-
For more information, see:
80-
81-
- [Investigate users in Microsoft Defender XDR](/microsoft-365/security/defender/investigate-users)
82-
- [Investigate assets](../investigate-assets.md)
83-
- [Work with Defender for Identity's ITDR dashboard (Preview)](../dashboard.md)
8455

8556
## Configure tuning rules for benign true positives / false positive alerts
8657

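Review bot: this deletes the whole daily "Investigate users with a high investigation score" task instead of only the score-specific guidance. The first step (check the **Users at risk** widget on the **Home** page or **Entra ID users at risk** on **Identities > Dashboard**, then **View all users** to review high-risk identities in Microsoft Entra) does not depend on the investigation priority score and is the main daily identity check in this guide. Suggest keeping a trimmed section (for example "Investigate users at risk") with that step, the **Persona** line and the links to investigate-users and investigate-assets, and removing only the sort-by-**Investigation priority** bullet and the paragraph describing the investigation priority widget.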
ATPDocs/technical-faq.yml

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -68,8 +68,6 @@ sections:
6868
6969
- **[Microsoft Secure Score posture assessments](/defender-for-identity/security-assessment)**: Identifies common misconfigurations and exploitable components and provides remediation paths to reduce the attack surface.
7070
71-
- **[UEBA capabilities](/cloud-app-security/tutorial-ueba)**: Insights into individual user risk through user investigation priority scoring. The score can assist SecOps in their investigations and help analysts understand unusual activities for the user and the organization.
72-
7371
- **Native integrations**: Integrates with Microsoft Defender for Cloud Apps and Microsoft Entra ID Protection to provide a hybrid view of what's taking place in both on-premises and hybrid environments.
7472
7573
- **Contributes to Microsoft Defender XDR**: Contributes alert and threat data to Microsoft Defender XDR. Microsoft Defender XDR uses the Microsoft 365 security portfolio (identities, endpoints, data, and applications) to automatically analyze cross-domain threat data, building a complete picture of each attack in a single dashboard.
@@ -150,7 +148,7 @@ sections:
150148
151149
- question: Does Microsoft Defender for Identity require synchronizing users to Microsoft Entra ID?
152150
answer: |
153-
Microsoft Defender for Identity provides security value for all Active Directory accounts including those that are not synced to Microsoft Entra ID. User accounts that are synced to Microsoft Entra ID will also benefit of security value provided by Microsoft Entra ID (based on license level) and of Investigation Priority Scoring.
151+
Microsoft Defender for Identity provides security value for all Active Directory accounts including those that are not synced to Microsoft Entra ID. User accounts that are synced to Microsoft Entra ID benefit from the security value provided by Microsoft Entra ID based on license level. For more detailse see: [Identity inventory](/defender-for-identity/identity-inventory).
154152
155153
- name: WinPcap and Npcap drivers
156154
questions:
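Review bot: typo in the new answer text, "For more detailse see:" should read "For more details, see". The rewording otherwise correctly drops Investigation Priority Scoring; verify that the new cross-reference /defender-for-identity/identity-inventory resolves, since it is introduced here.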
Lines changed: 51 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,35 +1,74 @@
11
---
22
title: DLP content inspection
33
description: This article describes the process Defender for Cloud Apps follows when performing DLP content inspection on data in your cloud.
4-
ms.date: 01/29/2023
4+
ms.date: 06/26/2025
55
ms.topic: how-to
66
---
77
# DLP content inspection in Microsoft Defender for Cloud Apps
88

99

10+
Data loss prevention (DLP) in Microsoft Defender for Cloud Apps uses content inspection to detect sensitive information in files. When content inspection is enabled, Defender for Cloud Apps analyzes files for text patterns defined by expressions. Text that meets these expressions is treated as a match and can be used to determine a policy violation.
1011

11-
If you enable content inspection, you can choose to use preset expressions or to search for other customized expressions.
12+
You can use preset or custom expressions and define a threshold for when a match constitutes a violation. For example, you can set a threshold of 10 to alert when a file contains at least 10 credit card numbers.
1213

13-
You can specify a regular expression to exclude a file from the results. This option is highly useful if you have an inner classification keyword standard that you want to exclude from the policy.
14+
Matched text is replaced with "X" characters, and the surrounding context (100 characters before and after the match) is masked. Numbers in the context are replaced with "#" and aren't stored. To expose the final four digits of a match, enable the **Unmask the last four characters of a match** setting in the file policy.
1415

15-
You can decide set the minimum number of content violations that you want to match before the file is considered a violation. For example, you can choose 10 if you want to be alerted on files with at least 10 credit card numbers found within its content.
16+
You can also define which file elements are inspected—content, metadata, or file name. By default, inspection applies to both content and metadata. This approach allows inspection of protected files, detection of sensitive data, enforcement of compliance, and application of governance controls, while reducing false positives and aligning enforcement with internal classification standards.
17+
18+
## Prerequisites
19+
20+
To inspect encrypted files, and enable scanning of labels a [Global Administrator](/entra/identity/enterprise-apps/configure-admin-consent-workflow) must first grant one‑time admin consent to Defender for Cloud Apps in Microsoft Entra ID.
21+
22+
To do this, in the Defender portal go to **Settings > Cloud Apps > Microsoft Information Protection > Inspect protected files**, and select **Grant permission**.
1623

17-
When content is matched against the selected expression, the violation text is replaced with "X" characters. By default, violations are masked and shown in their context displaying 100 characters before and after the violation. Numbers in the context of the expression are replaced with "#" characters and are never stored within Defender for Cloud Apps. When creating a file policy, if you've enabled an inspection method, then you can select the option to **Unmask the last four characters of a match** to unmask the last four characters of the violation itself. It's necessary to set which data types the regular expression searches: content, metadata and/or file name. By default it searches the content and the metadata.
1824

1925
## Content inspection for protected files
2026

21-
Defender for Cloud Apps allows admins to grant Defender for Cloud Apps permission to decrypt encrypted files and scan their content for violations. This consent is also required to enable scanning labels on encrypted files.
27+
Once consent is granted, Defender for Cloud Apps provisions the Microsoft Cloud App Security (Internal) app in your tenant. The app uses the Azure Rights Management Services > Content.SuperUser permission to decrypt and inspect protected files.
28+
29+
The following app IDs apply based on your Microsoft cloud environment:
30+
31+
**App IDs**
32+
33+
| Environment | App ID |
34+
|--------------|---------|
35+
| Public | 25a6a87d-1e19-4c71-9cb0-16e88ff608f1 |
36+
| Fairfax | bd5667e4-0484-4262-a9db-93faa0893899 |
37+
| GCCM | 23105e90-1dfc-497a-bb5d-8b18a44ba061 |
38+
39+
>[!NOTE]
40+
>App IDs are internal service principals used by Defender for Cloud Apps in Public, Fairfax, and GCC‑M environments to inspect and enforce DLP policies on protected files.
41+
>Don't remove or disable these App IDs. Doing so breaks inspection and prevent DLP policies from applying to protected files.
42+
>Always verify that the App ID for your environment is present and enabled.
43+
44+
## Configure Microsoft Information Protection settings
2245

2346
In order to give Defender for Cloud Apps the necessary permissions:
2447

25-
1. Go to **Settings** and then **Microsoft Information Protection**.
26-
2. Under **Inspect protected files**, select **Grant permission** to grant Defender for Cloud Apps permission in Microsoft Entra ID.
27-
3. Follow the prompt to allow the required permissions in Microsoft Entra ID.
28-
4. You can configure the settings per file policy to determine which policies will scan protected files.
48+
1. Go to **Settings** > **Microsoft Information Protection**.
49+
1. Under **Microsoft Information Protection settings**, configure one or both of the following options:
50+
51+
- **Automatically scan new files for Microsoft Information Protection sensitivity labels and content inspection warnings.** When enabled, the App connector scans new files for embedded sensitivity labels from Microsoft Information Protection.
52+
53+
- **Only scan files for Microsoft Information Protection sensitivity labels and content inspection warnings from this tenant.** When enabled, only sensitivity labels applied within your tenant are scanned. Labels applied by external tenants are disregarded.
54+
55+
1. After selecting your options, select **Save** to apply your changes.
56+
57+
## Configure file policies for protected files
58+
59+
1. In the Defender portal, go to **Settings > Cloud Apps > Policies > Policy management**.
60+
1. Follow the steps to [create a new file policy](data-protection-policies.md#create-a-new-file-policy).
61+
1. Select either **Apply to all files**, or **Apply to selected files** to specify which files to scan. This option is useful if you have an inner classification keyword standard that you want to exclude from the policy.
62+
1. Select **Inspection method** > **Data Classification Service** to enable content inspection for the policy.
63+
1. Check both boxes - **Inspect protected files** and **Unmask the last 4 characters of a match**.
64+
65+
:::image type="content" source="media/content-inspection/inspection-method-data-classification-service.png" alt-text="Screenshot that shows the Data classification service inspection method.":::
66+
2967

3068
## Next steps
3169

32-
> [!div class="nextstepaction"]
33-
> [Control cloud apps with policies](control-cloud-apps-with-policies.md)
70+
- [Tutorial: Discover and protect sensitive information in your organization](tutorial-dlp.md)
71+
- [Learn how to control cloud apps using policies](control-cloud-apps-with-policies.md)
72+
- [Integrate with Microsoft Purview for information protection](azip-integration.md)
3473

3574
[!INCLUDE [Open support ticket](includes/support.md)]
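Review bot: step 5 of "Configure file policies for protected files" ("Check both boxes - **Inspect protected files** and **Unmask the last 4 characters of a match**") turns unmasking into a required step, while the intro paragraph presents it as optional ("To expose the final four digits of a match, enable ..."). Unmasking puts part of the matched value (the last four digits of a card or account number) into alerts and match records, so it should stay an explicit opt-in; suggest "Select **Inspect protected files**. Optionally select **Unmask the last 4 characters of a match** if analysts need partial values to triage matches." Smaller points in the same hunk: the note under the App IDs table says "Doing so breaks inspection and prevent DLP policies" (should be "prevents"); the Prerequisites sentence needs its comma moved ("To inspect encrypted files and enable scanning of labels, a Global Administrator must"); "Configure Microsoft Information Protection settings" still opens with "In order to give Defender for Cloud Apps the necessary permissions:" although the permission grant moved to Prerequisites and the steps now only set scanning options; the Prerequisites path is **Settings > Cloud Apps > Microsoft Information Protection** while step 1 later says **Settings** > **Microsoft Information Protection**; and step 3's rationale about an "inner classification keyword standard that you want to exclude" was written for the regular-expression exclusion that the old text documented and that no longer appears anywhere on the page, so either restore a sentence on the exclusion regex or drop that rationale. Finally, since the new text names the Content.SuperUser permission of the "Microsoft Cloud App Security (Internal)" app and tells admins never to disable those app IDs, it should also state the scope of that permission (what content the service can decrypt) so that the one-time consent is reviewed like any other highly privileged service principal.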

CloudAppSecurityDocs/posture-overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@ To ensure that your application connector is set to show data in Microsoft Secur
4545
> [!NOTE]
4646
> If you have multiple instances of the same app, you can send security recommendations for each instance separately. Security recommendations for the selected instance are added to Microsoft Security Exposure Management in addition to the current recommendations.
4747
48-
Security recommendations appear automatically in Microsoft Security Exposure Management. Recommendations are based on Microsoft benchmarks, and they might take up to 24 hours to update.
48+
Security recommendations appear automatically in Microsoft Security Exposure Management. Recommendations are based on Microsoft benchmarks, and they might take time to update.
4949

5050
In [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score), filter the **Recommended actions** tab by product to view any recommended actions. If you have multiple instances of an app, you can choose to filter recommendations from specific instances only. The following example shows options for filtering specific instances.
5151

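Review bot: replacing "might take up to 24 hours to update" with "might take time to update" removes the only concrete expectation the reader had; if 24 hours is no longer accurate, give the new bound, or at least say how to tell when the recommendations are current, otherwise an admin cannot distinguish a slow refresh from a broken connector.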
CloudAppSecurityDocs/protect-box.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@ In addition to monitoring for potential threats, you can apply and automate the
4747

4848
| Type | Action |
4949
| ---- | ---- |
50-
| Data governance | - Change shared link access level on folders<br />- Put folders in admin quarantine<br />- Put folders in user quarantine<br />- Remove a collaborator from folders<br />- Remove direct shared links on folders<br />- Remove external collaborators on folders<br />- Send DLP violation digest to file owners<br />- Send violation digest to last file editor<br />- Set expiration date to a folder shared link<br /> - Trash folder |
50+
| Data governance | - Change shared link access level on folders<br />- Put folders in admin quarantine<br />- Put folders in user quarantine<br />- Remove a collaborator from folders<br />- Remove direct shared links on folders<br/> - Send policy-match digest to file owners<br />- Send violation digest to last file editor<br />- Set expiration date to a folder shared link<br /> - Trash folder |
5151
| User governance | - Suspend user<br />- Notify user on alert (via Microsoft Entra ID)<br />- Require user to sign in again (via Microsoft Entra ID)<br />- Suspend user (via Microsoft Entra ID) |
5252

5353
For more information about remediating threats from apps, see [Governing connected apps](governance-actions.md).
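Review bot: the Data governance row drops "Remove external collaborators on folders", which is a sharing-control action, and renames "Send DLP violation digest" to "Send policy-match digest". If the action was retired from the Box connector, governance-actions.md (linked right below the table) and any other page listing Box governance actions should change in the same commit; if it was only renamed, the new name belongs here. Also the edited line uses "<br/> - " while the rest of the row uses "<br />- "; keep one spacing style.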

defender-endpoint/isolation-exclusions.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ ms.collection:
1414
ms.topic: how-to
1515
ms.subservice: edr
1616
search.appverid: met150
17-
ms.date: 06/22/2025
17+
ms.date: 07/01/2025
1818
---
1919

2020
# Isolation exclusions (preview)
@@ -57,7 +57,7 @@ There are two steps to using isolation exclusion: defining isolation exclusion r
5757

5858
### Prerequisites
5959

60-
* Isolation exclusion is available on Windows (minimum client version 10.8470) and macOS (minimum client version 101.240902).
60+
* Isolation exclusion is available on Windows 11, Windows 10 version 1703 or later, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and macOS.
6161
* Isolation exclusion must be enabled. Enabling isolation exclusion requires Security Admin or Manage Security settings permissions or above. To enable isolation exclusion, sign in to the [Microsoft Defender portal](https://security.microsoft.com) and go to **Settings** > **Endpoints** > **Advanced features** and enable **Isolation Exclusion Rules** feature.
6262

6363
:::image type="content" source="./media/isolation-exclusions/enable-exclusions.png" alt-text="Screenshot showing how to enable isolation exclusions." lightbox="./media/isolation-exclusions/enable-exclusions.png":::
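Review bot: the new prerequisite line replaces the minimum client versions (Windows 10.8470, macOS 101.240902) with a list of supported OS versions, but isolation exclusion is a sensor capability, so admins still need the minimum sensor version to know whether a rule will apply on a given device. Keep both (OS list plus minimum client version); otherwise a device on a supported OS but an older sensor may be assumed to honour an exclusion that never takes effect.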
