Merge branch 'main' into patch-3

Author: denisebmsft

.openpublishing.redirection.defender-endpoint.json

@@ -79,6 +79,11 @@
       "source_path": "defender-endpoint/pilot-deploy-defender-endpoint.md",
       "redirect_url": "/defender-xdr/pilot-deploy-defender-endpoint",
       "redirect_document_id": false
-    }
+    },
+    {
+      "source_path": "defender-endpoint/monthly-security-summary-report.md",
+      "redirect_url": "/defender-endpoint/threat-protection-reports#monthly-security-summary",
+      "redirect_document_id": true
+    }    
   ]
 }

ATPDocs/privacy-compliance.md

@@ -22,14 +22,13 @@ For more information see: [Microsoft Defender for Identity monitored activities]
 
 Defender for Identity operates in the Microsoft Azure data centers in the following locations:
 
-- European Union
-- United Kingdom
-- United States
-- Australia
-- Switzerland
-- Singapore
-
-- India
+- European Union (West Europe, North Europe)
+- United Kingdom (UK South) 
+- United States (East US, West US, West US2)
+- Australia (Australia East)
+- Switzerland (Switzerland North)
+- Singapore (Southeast Asia)
+- India (Central India, South India)
 
 Customer data collected by the service might be stored as follows:
 

CloudAppSecurityDocs/get-started.md

@@ -160,7 +160,7 @@ Now the risk scores given to discovered apps are configured precisely according
 Some features work best when they're customized to your needs.
 Provide a better experience for your users with your own email templates. Decide what notifications you receive and customize your risk score metric to fit your organization's preferences.
 
-## Step 7: Organize the data according to your needs
+## Step 6: Organize the data according to your needs
 
 **How to page**: [Working with IP ranges and tags](ip-tags.md)
 

CloudAppSecurityDocs/includes/entra-conditional-access-policy.md

@@ -30,7 +30,13 @@ Microsoft Entra ID supports both browser-based and non browser-based policies. W
 
 Repeat this procedure to create a nonbrowser based Conditional Access policy. In the **Client apps** area, toggle the **Configure** option to **Yes**. Then, under **Modern authentication clients**, clear the **Browser** option. Leave all other default selections selected.
 
-Note: The Enterprise application “Microsoft Defender for Cloud Apps – Session Controls” is used internally by the Conditional Access App Control service. 
-Please ensure the CA policy does not restrict access to this application in the **Target resources**. 
-
 For more information, see [Conditional Access policies](/azure/active-directory/conditional-access/overview) and [Building a Conditional Access policy](/entra/identity/conditional-access/concept-conditional-access-policies).
+
+> [!NOTE]
+> Microsoft Defender for Cloud Apps utilizes the application **Microsoft Defender for Cloud Apps - Session Controls** as part of the Conditional Access App Control service for user sign-in. This application is located within the 'Enterprise Applications' section of Entra ID. 
+To protect your SaaS applications with Session Controls, you must allow access to this application. 
+If you block access to this application through an Entra ID Conditional Access policy, end users won't be able to access the protected applications under session controls. <br>
+>
+>It's important to ensure that this application isn't unintentionally restricted by any Conditional Access policies. For policies that restrict all or certain applications, please ensure this application is listed as an exception in the **Target resources** or confirm that the blocking policy is deliberate.<br>  
+>
+>To ensure your location-based conditional access policies function correctly, include the **Microsoft Defender for Cloud Apps – Session Controls** application in those policies.

CloudAppSecurityDocs/ip-tags.md

@@ -40,7 +40,7 @@ In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps*
 
     - **Corporate**: These IPs should be all the public IP addresses of your internal network, your branch offices, and your Wi-Fi roaming addresses.
 
-    - **Risky**: These IPs should be any IP addresses that you consider risky. They can include suspicious IP addresses you've seen in the past, IP addresses in your competitors' networks, and so on.
+    - **Risky**: These IPs should be any IP addresses that you consider risky. They can include suspicious IP addresses you've seen in the past, IP addresses in your competitors' networks, and so on. It is suggested to be cautious with applying automatic governance actions only based on risky IP, since there are some cases when IPs that serve malicious actors are also being in use by legitimate employees, hence our recommendation is to examine each case by itself.
 
     - **VPN**: These IPs should be any IP addresses you use for remote workers. By using this category, you can avoid raising [impossible travel](anomaly-detection-policy.md#impossible-travel) alerts when employees connect from their home locations via the corporate VPN.
 

CloudAppSecurityDocs/policies-threat-protection.md

@@ -88,7 +88,7 @@ You must have at least one app connected using [app connectors](enable-instant-v
 
 ## Detect and alert when Admin activity is detected on risky IP addresses
 
-Detect admin activities performed from and IP address that is considered a risky IP address, and notify the system admin for further investigation or set a governance action on the admin's account.
+Detect admin activities performed from and IP address that is considered a risky IP address, and notify the system admin for further investigation or set a governance action on the admin's account. Learn more [how to work with IP ranges and Risky IP](/defender-cloud-apps/ip-tags).
 
 ### Prerequisites
 

CloudAppSecurityDocs/troubleshooting-api-connectors-using-error-messages.md

@@ -49,6 +49,7 @@ App connector errors can be seen in the app connector dialog after attempting to
 > |Get Permissions: NoHttpResponseException: `*******.salesforce.com:443` failed to respond|Salesforce|IP restriction on customer ENV.|In the Salesforce portal, under **Setup** > **Session Settings**, clear the **Lock sessions to the IP address from which they originated** check box.|
 > |team_not_authorized|Slack|Slack Discovery API is not enabled.|Contact Slack support and ask to enable Discovery API.|
 > |RuntimeException: com.adallom.adalib.httputils.exceptions.HttpRequestFailure: Server returned: 403 Forbidden|ServiceNow|Permissions are incorrect|Follow the process to connect ServiceNow to Defender for Cloud Apps again using an admin account.|
+> |Operation you are attempting to perform is not supported by your plan|Smartsheet|The Smartsheet Plan is not correct, an enterprise license with the platinum package is required|Upgrade Smartsheet license.|
 > |Get events: {"code":403,"serverResponse"<br />Get users: {"code":403,"serverResponse"<br />…<br />"body":"{"error":"permission denied"}"|Workday|Insufficient permission to access audit logs and/or user endpoints|Verify all permissions are in place. [Learn more](./connect-workday.md#prerequisites)|
 > |"code":400,"serverResponse"<br />…<br />body":"{"error":"invalid_grant"}|Workday|Authentication issue|Account used to set up the instance may be locked or disabled. To verify, view the Workday account and select **View Sign-on History**. You may see an authentication failure message in the report specifying that the System Account is disabled. [Learn more](./connect-workday.md#how-to-connect-workday-to-defender-for-cloud-apps-using-oauth)|
 > |"code":401,"serverResponse":<br />…<br />body":"{"error":"invalid_client"}"|Workday|Client token validity issue|OAuth 2.0 REST API Client token not valid. The token may have expired, or may be incorrect. Generate another token and assign it to the connected instance. [Learn more](./connect-workday.md#how-to-connect-workday-to-defender-for-cloud-apps-using-oauth)|

defender-endpoint/TOC.yml

@@ -605,9 +605,6 @@
       - name: Manage device group and tags
         href: machine-tags.md
 
-    - name: Host firewall reporting in Microsoft Defender for Endpoint
-      href: host-firewall-reporting.md
-
     - name: Tamper resiliency
       href: tamper-resiliency.md
 
@@ -633,8 +630,6 @@
             href: attack-surface-reduction-rules-deployment-operationalize.md
         - name: Attack surface reduction rules reference
           href: attack-surface-reduction-rules-reference.md
-        - name: Attack surface reduction rules report
-          href: attack-surface-reduction-rules-report.md
         - name: Troubleshoot attack surface reduction rules
           href: troubleshoot-asr-rules.md
         - name: Enable ASR rules alternate configuration methods
@@ -665,8 +660,6 @@
           href: device-control-deploy-manage-gpo.md
         - name: Device control frequently asked questions
           href: device-control-faq.md
-        - name: Device control reports
-          href: device-control-report.md
       - name: Exploit protection
         items:
         - name: Protect devices from exploits
@@ -703,8 +696,6 @@
           items:
           - name: Web threat protection overview
             href: web-threat-protection.md
-          - name: Monitor web security
-            href: web-protection-monitoring.md
           - name: Respond to web threats
             href: web-protection-response.md
         - name: Web content filtering
@@ -910,13 +901,6 @@
 
       - name: Diagnostics for Microsoft Defender Antivirus
         items:
-        - name: Device health reports
-          href: device-health-reports.md
-          items:
-          - name: Microsoft Defender Antivirus health report
-            href: device-health-microsoft-defender-antivirus-health.md
-          - name: Sensor health and OS report
-            href: device-health-sensor-health-os.md
         - name: Microsoft Defender Core service overview
           href: microsoft-defender-core-service-overview.md
         - name: Microsoft Defender Core service configurations and experimentation 
@@ -1121,14 +1105,27 @@
     items:
     - name: Reports
       items:
-        - name: Monthly security summary
-          href: monthly-security-summary-report.md
-        - name: Create custom reports using Power BI
-          href: api/api-power-bi.md
-        - name: Threat protection reports
+        - name: Microsoft Defender for Endpoint reports
           href: threat-protection-reports.md
+        - name: Device health reports
+          href: device-health-reports.md
+          items:
+          - name: Microsoft Defender Antivirus health report
+            href: device-health-microsoft-defender-antivirus-health.md
+          - name: Sensor health and OS report
+            href: device-health-sensor-health-os.md
+        - name: Host firewall reporting
+          href: host-firewall-reporting.md
+        - name: Web protection and monitoring reports
+          href: web-protection-monitoring.md
+        - name: Device control reports
+          href: device-control-report.md
+        - name: Attack surface reduction rules report
+          href: attack-surface-reduction-rules-report.md                                                    
         - name: Aggregated reports
-          href: aggregated-reporting.md                 
+          href: aggregated-reporting.md
+        - name: Create custom reports using Power BI
+          href: api/api-power-bi.md                         
     - name: Configure integration with other Microsoft solutions
       items:
       - name: Configure conditional access

defender-endpoint/api/export-firmware-hardware-assessment.md

@@ -162,7 +162,7 @@ GET /api/machines/HardwareFirmwareInventoryExport
 > [!NOTE]
 >
 > - The files are GZIP compressed & in multiline JSON format.
-> - The download URLs are valid for 6 hours.
+> - The download URLs are valid for 1 hour unless the `sasValidHours` parameter is used.
 > - To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
 > - Each record is approximately 1KB of data. You should take this into account when choosing the pageSize parameter that works for you.
 > - Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.

defender-endpoint/api/export-security-baseline-assessment.md

@@ -167,7 +167,7 @@ GET /api/machines/BaselineComplianceAssessmentExport
 > [!NOTE]
 > 
 > - The files are GZIP compressed & in multiline JSON format.
-> - The download URLs are valid for 6 hours.
+> - The download URLs are valid for 1 hour unless the `sasValidHours` parameter is used.
 > - To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
 > - Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.