Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into painbar-custom-install-path

Author: paulinbar

.github/workflows/TierManagement.yml

@@ -2,12 +2,15 @@ name: Tier management
 
 permissions:
   pull-requests: write
-  contents: read
+  contents: write
 
 on: 
   issue_comment:
     types: [created, edited]
 
+  pull_request_target:
+    types: [opened, reopened]
+
 jobs:
 
   tier-mgmt:

ATPDocs/remove-discoverable-passwords-active-directory-account-attributes.md

@@ -0,0 +1,64 @@
+---
+title:  'Security Assessment: Remove Discoverable Passwords in Active Directory Account Attributes (Preview)'
+description: Learn how to identify and address discoverable passwords in Active Directory account attributes to mitigate security risks and improve your organization's security posture.
+ms.date: 08/04/2025
+ms.topic: how-to
+---
+
+# Security Assessment: Remove discoverable passwords in Active Directory account attributes (Preview)
+
+
+## Why do discoverable passwords in Active Directory account attributes pose a risk?
+
+Certain free-text attributes are often overlooked during hardening but are readable by any authenticated user in the domain. When credentials or clues are mistakenly stored in these attributes, attackers can abuse them to move laterally across the environment or escalate privileges—often without triggering traditional alerts.
+
+Attackers seek low-friction paths to expand access. Exposed passwords in these attributes represent an easy win because:
+
+- The attributes aren't access-restricted.
+
+- They aren't monitored by default.
+
+- They provide context attackers can exploit for lateral movement and privilege escalation.
+
+Removing exposed credentials from these attributes reduces the risk of identity compromise and strengthens your organization’s security posture.
+
+
+## How does Microsoft Defender for Identity detect discoverable passwords?
+
+> [!NOTE] 
+> This security recommendation is part of Microsoft Defender for Identity and is powered by AI-based analysis of free-text attributes in Active Directory. 
+> Findings can include false positives. Always validate the results before taking action.
+
+Microsoft Defender for Identity detects potential credential exposure in Active Directory by analyzing commonly used free-text attributes. This includes looking for common password formats, hints,  `'description'`, `'info'`, and `'adminComment'` fields, and other contextual clues that might suggest the presence of credential misuse. Microsoft Defender for Identity detects indicators such as:
+
+- Plaintext passwords or variations. For example, '`Password=Summer2024!'`
+
+- Credential patterns, reset hints, or sensitive account information. 
+
+- Other indicators suggesting operational misuse of directory fields. 
+
+Detected matches are surfaced in **Secure Score** and the **Security Assessment report** for review and remediation.
+
+
+## Remediation steps 
+
+To address this security assessment, follow these steps:
+
+1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions](https://security.microsoft.com/securescore?viewid=actions) for Remove discoverable passwords in Active Directory account attributes.
+1. Review the exposed entries in the security report. Identify any field content that includes:
+
+    - Cleartext passwords
+
+    - Reset instructions or credential clues
+
+    - Sensitive business or system information
+
+1. Remove sensitive information from the listed attribute fields using standard directory management tools (for example, PowerShell or ADSI Edit).
+1. Fully remove the sensitive information. Don’t just mask the value. Partial obfuscation (for example, P@ssw***) can still offer useful clues to attackers.
+
+> [!NOTE]
+> Assessments are updated in near real time. Scores and statuses are updated every 24 hours. The list of impacted entities is updated within a few minutes of you implementing the recommendations. The status might take time until it's marked as **Completed**.
+
+## Related articles
+
+- [Learn more about Microsoft Secure Score](/defender-xdr/microsoft-secure-score)

ATPDocs/toc.yml

@@ -251,6 +251,8 @@ items:
            href: security-assessment-laps.md
          - name: Riskiest lateral movement paths
            href: security-assessment-riskiest-lmp.md
+         - name: Remove discoverable passwords in Active Directory account attributes
+           href: remove-discoverable-passwords-active-directory-account-attributes.md
          - name: Unsecure Kerberos delegation assessment
            href: security-assessment-unconstrained-kerberos.md
          - name: Unsecure SID History attributes

ATPDocs/whats-new.md

@@ -6,7 +6,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.reviewer: sunasing; denishdonga
 ms.localizationpriority: medium
-ms.date: 05/15/2025
+ms.date: 08/12/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -125,7 +125,7 @@ Defender for Endpoint is ending support for iOS/iPadOS 15 on January 31, 2025. M
 
 **How does this affect you or your users?**
 
-New users won't be able to install the Microsoft Defender app on devices running iOS/iPadOS 15 and earlier versions. Similarly, existing users won't be to upgrade to the latest version of the app.
+New users won't be able to install the Microsoft Defender app on devices running iOS/iPadOS 15 and earlier versions. Similarly, existing users will be able to upgrade till April-Mid Release version (1.1.64030101) of the app and not beyond it. 
 
 To check which devices support iOS 16 or iPadOS 16 (if applicable), see the following Apple documentation:
 

defender-endpoint/ios-whatsnew.md

@@ -313,6 +313,8 @@
             href: advanced-hunting-graphapiauditevents-table.md            
           - name: IdentityDirectoryEvents
             href: advanced-hunting-identitydirectoryevents-table.md
+          - name: IdentityEvents
+            href: advanced-hunting-identityevents-table.md
           - name: IdentityInfo
             href: advanced-hunting-identityinfo-table.md
           - name: IdentityLogonEvents

defender-xdr/TOC.yml

@@ -23,7 +23,7 @@ ms.custom:
 appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
-ms.date: 03/28/2025
+ms.date: 07/28/2025
 ---
 
 # Use Microsoft Sentinel functions, saved queries, and custom rules 
@@ -61,14 +61,17 @@ For example, to get the first 10 rows of data from the `StormEvents` table store
 > [!NOTE]
 > The `adx()` operator isn't supported for custom detections.
 
-
 ### Use arg() operator for Azure Resource Graph queries
-The `arg()` operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like. 
+
+The `arg()` operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like.
 
 This feature was previously only available in the Logs feature in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works to combine Azure Resource Graph (arg) queries with Microsoft Sentinel tables (that is, Defender XDR tables aren't supported). This allows users to make the cross-service query in advanced hunting without manually opening a Microsoft Sentinel window.
 
 For more information, see [Query data in Azure Resource Graph by using arg()](/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#query-data-in-azure-resource-graph-by-using-arg-preview).
 
+>[!NOTE]
+> The `arg()` operator isn't supported for analytics rules.
+
 In the query editor, enter *arg("").* followed by the Azure Resource Graph table name. 
 
 For example:
@@ -86,7 +89,6 @@ BehaviorAnalytics
 ) on $left.name == $right.SourceDevice
 ```
 
-
 ## Use saved queries
 
 To use a saved query from Microsoft Sentinel, go to the **Queries** tab and scroll until you find the query that you want. Double-click the query name to load the query in the query editor. For more options, select the vertical ellipses ( ![kebab icon](/defender/media/ah-kebab.png) ) to the right of the query. From here, you can perform the following actions:

defender-xdr/advanced-hunting-defender-use-custom-rules.md

@@ -0,0 +1,75 @@
+---
+title: IdentityEvents table in the advanced hunting schema
+description: Learn about the IdentityEvents table in the advanced hunting schema, which contains information about identity events obtained from other cloud identity service providers. 
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords:
+  - NOCSH
+ms.author: pauloliveria
+author: poliveria
+ms.localizationpriority: medium
+manager: orspodek
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.topic: reference
+ms.date: 08/07/2025
+---
+
+# IdentityEvents (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+The `IdentityEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about identity events obtained from other cloud identity service providers. Use this reference to construct queries that return information from this table. 
+
+> [!IMPORTANT]
+> Some information relates to prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This advanced hunting table is populated by records from Microsoft Defender for Identity. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Identity in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
+
+>[!NOTE]
+>This advanced hunting table is populated only when other identity services like Okta are connected to Defender for Identity. 
+
+
+For information on other tables in the advanced hunting schema, see the [advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp ` | `datetime` | Date and time when the record was generated  |
+| `ReportId ` | `string` | Unique identifier for the event  |
+| `AccountId ` | `string` | Unique identifier for the account in the source application |
+| `AccountType` | `string` | Type of user account, indicating its general role like User, SystemPrincipal |
+| `AccountDisplayName` | `string` | Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user.  |
+| `AccountUpn` | `string` | Alternate ID, email, or name for the account in the source application |
+| `ActionType` | `string` | Type of activity that triggered the event in the raw format received from the source application | 	
+| `ActionResult` | `string` | Result of the action | 	 
+| `ActionFailureReason` | `string` | Information explaining why the recorded action failed | 	 
+| `IPAddress` | `string` | IP address assigned to the device and used during related network communications |  	 
+| `UserAgent` | `string` | User agent information from the web browser or other client application | 	 
+| `TargetObjects` | `dynamic` | List of the target objects of this activity. Target object can be user, group, role, domain, application, and more. | 	 
+| `Application` | `string` | The source application where this event was received from | 	 
+| `ApplicationInstanceId` | `string` | Domain of the source application | 	 
+| `ApplicationEventId` | `string` | Raw event ID provided by the source application | 	 
+| `ApplicationSessionId` | `string` | Raw session ID provided by the source application | 	 
+| `RawEventData` | `dynamic` | Full raw event information from the source application in JSON format | 	 
+| `AdditionalFields` | `dynamic` | Additional information about the entity or event |
+
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/advanced-hunting-identityevents-table.md

@@ -100,6 +100,7 @@ The following reference lists all the tables in the schema. Each table name link
 | **[ExposureGraphNodes](advanced-hunting-exposuregraphnodes-table.md)** | Microsoft Security Exposure Management exposure graph node information, about organizational entities and their properties |
 | **[GraphApiAuditEvents](advanced-hunting-graphapiauditevents-table.md)**  (Preview) | Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant |
 | **[IdentityDirectoryEvents](advanced-hunting-identitydirectoryevents-table.md)** | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. |
+| **[IdentityEvents](advanced-hunting-identityevents-table.md)** (Preview) | Information about identity events obtained from other cloud identity service providers |
 | **[IdentityInfo](advanced-hunting-identityinfo-table.md)** | Account information from various sources, including Microsoft Entra ID |
 | **[IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md)** | Authentication events on Active Directory and Microsoft online services |
 | **[IdentityQueryEvents](advanced-hunting-identityqueryevents-table.md)** | Queries for Active Directory objects, such as users, groups, devices, and domains |

defender-xdr/advanced-hunting-schema-tables.md

@@ -33,16 +33,18 @@ For more information on what's new with other Microsoft Defender security produc
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
 ## August 2025
+- (Preview) The following advanced hunting schema tables are now available for preview:
+   - The [`CloudStorageAggregatedEvents`](advanced-hunting-cloudstorageaggregatedevents-table.md) table contains information about storage activity and related events
+   - The [`IdentityEvents`](advanced-hunting-identityevents-table.md) table contains information about identity events obtained from other cloud identity service providers
+- (Preview) Advanced hunting now lets you investigate Microsoft Defender for Cloud behaviors. For more information, see [Investigate behaviors with advanced hunting](/defender-cloud-apps/behaviors).
+- (Preview) In advanced hunting, the number of [query results](advanced-hunting-query-results.md) displayed in the Microsoft Defender portal has been increased to 100,000. 
 - (GA) [Microsoft Defender Experts for XDR](dex-xdr-overview.md) and [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md) customers can now expand their service coverage to include server and cloud workloads protected by Microsoft Defender for Cloud through the respective add-ons, **Microsoft Defender Experts for Servers** and **Microsoft Defender Experts for Hunting - Servers**. [Learn more](faq-cloud-coverage-defender-experts.md)
 - (GA) Defender Experts for XDR customers can now [incorporate third-party network signals](third-party-enrichment-defender-experts.md) for enrichment, which could allow our security analysts to not only gain a more comprehensive view of an attack's path that allows for faster and more thorough detection and response, but also provide customers with a more holistic view of the threat in their environments.
 - (GA) In advanced hunting, you can now [view all your user-defined rules](custom-detection-manage.md)—both custom detection rules and analytics rules—in the **Detection rules** page. This feature also brings the following improvements:
     - You can now filter for *every* column (in addition to **Frequency** and **Organizational scope**).
     - For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the **Workspace ID** column and filter by workspace. 
     - You can now view the details pane even for analytics rules.
     - You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit.
-- (Preview) In advanced hunting, the number of [query results](advanced-hunting-query-results.md) displayed in the Microsoft Defender portal has been increased to 100,000. 
-- (Preview) The [`CloudStorageAggregatedEvents`](advanced-hunting-cloudstorageaggregatedevents-table.md) table in advanced hunting is now available for preview. This table contains information about storage activity and related events.
-- (Preview) Advanced hunting now lets you investigate Microsoft Defender for Cloud behaviors. For more information, see [Investigate behaviors with advanced hunting](/defender-cloud-apps/behaviors).
 
 ## July 2025
 - (Preview) The [`GraphApiAuditEvents`](advanced-hunting-graphapiauditevents-table.md) table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant.