Merge branch 'main' into WI353984-update-file-policies-article

Author: DeCohen

CloudAppSecurityDocs/cas-compliance-trust.md

@@ -21,6 +21,9 @@ Microsoft Defender for Cloud Apps collects information from your configured clou
 - System settings and policies
 - User and group configurations
 
+> [!NOTE]
+> The data collected from the various applications is dependent on the customer-provided data from the various applications and may include personal information.
+
 ## Data storage location
 
 Defender for Cloud Apps operates in the Microsoft Azure data centers in the following geographical regions: 

CloudAppSecurityDocs/mde-govern.md

@@ -120,7 +120,8 @@ To block an app, do the following steps:
 > - Any organizational scoping that was set manually on indicators that were created by Defender for Cloud Apps before the release of this feature will be overridden by Defender for Cloud Apps. The required scoping should be set from the Defender for Cloud Apps experience using the scoped profiles experience.
 > - To remove a selected scoping profile from an unsanctioned app, remove the unsanctioned tag and then tag the app again with the required scoped profile.
 > - It can take up to two hours for app domains to propagate and be updated in the endpoint devices once they're marked with the relevant tag or/and scoping.
-> - When an app is tagged as *Monitored*, the option to apply a scoped profile shows only if the built-in *Win10 Endpoint Users* data source has consistently recieved data during the past 30 days.
+> - When an app is tagged as *Monitored*, the option to apply a scoped profile shows only if the built-in *Win10 Endpoint Users* data source has consistently received data during the past 30 days.
+> - Device groups in Microsoft Defender for Business(MDB) are managed differently. Due to this- No device groups will appear in MDA device groups for customers with MDB license.
 
 ## Educate users when accessing risky apps
 

CloudAppSecurityDocs/protect-github.md

@@ -1,7 +1,7 @@
 ---
 title: Protect your GitHub Enterprise environment | Microsoft Defender for Cloud Apps
 description: Learn how about connecting your GitHub Enterprise app to Defender for Cloud Apps using the API connector.
-ms.date: 12/05/2023
+ms.date: 04/27/2025
 ms.topic: how-to
 ---
 # How Defender for Cloud Apps helps protect your GitHub Enterprise environment
@@ -85,10 +85,6 @@ These steps can be completed independently of the [Configure GitHub Enterprise C
 
 1. **Create an OAuth App for Defender for Cloud Apps to connect your GitHub organization.** Repeat this step for each additional connected organization.
 
-    > [!NOTE]
-    > If you have [preview features](/microsoft-365/security/defender/preview) and [app governance turned on](app-governance-get-started.md), use the **App governance** page instead of the **OAuth apps** page to perform this procedure.
-    >
-
 1. Browse to **Settings** > **Developer settings**, select  **OAuth Apps**, and then select **Register an application**. Alternatively, if you have existing OAuth apps, select **New OAuth App**.
 
     ![Screenshot showing creating an oauth app.](media/connect-github-create-oauth-app.png)
@@ -129,8 +125,8 @@ These steps can be completed independently of the [Configure GitHub Enterprise C
 
    1. Select the **GitHub Profile picture** -> **your enterprises**.
    1. Select **your enterprise account** and choose the account you want to connect to Microsoft Defender for Cloud Apps.
-   1. Confirm that the URL is the enterprise slug. For instance, in this example `https://github.com/enterprises/testEnterprise` *testEnterprise* is the enterprise slug. Enter only the enterprise slug, not the entire URL.
-
+   1. Confirm that the URL contains the enterprise slug. For instance, `https://github.com/enterprises/testEnterprise` 
+   2. Enter only the enterprise slug, not the entire URL. In this example, *testEnterprise* is the enterprise slug.
 1. Select **Next**.
 
 1. Select **Connect GitHub**.

defender-xdr/TOC.yml

@@ -416,6 +416,12 @@
           href: advanced-hunting-security-copilot.md
         - name: Create incident reports
           href: security-copilot-m365d-create-incident-report.md
+        - name: Security Copilot agents in Microsoft Defender
+          items:
+          - name: Overview
+            href: security-copilot-agents-defender.md          
+          - name: Phishing Triage Agent
+            href: phishing-triage-agent.md
     - name: Enhance security operations
       items:
       - name: Security operations guide

defender-xdr/phishing-triage-agent.md

@@ -0,0 +1,66 @@
+---
+title: Security Copilot Phishing Triage Agent in Microsoft Defender
+description: Learn about the Security Copilot Phishing Triage Agent, including requirements for setup and providing feedback to the agent.
+ms.service: defender-xdr
+f1.keywords:
+- NOCSH
+ms.author: diannegali
+author: diannegali
+ms.localizationpriority: medium
+manager: deniseb
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier1
+- security-copilot
+- magic-ai-copilot 
+ms.topic: concept-article
+search.appverid:
+- MOE150
+- MET150
+ms.date: 04/28/2025
+appliesto:
+- Microsoft Defender XDR
+- Microsoft Defender for Office 365 Plan 2
+#customer intent: As a security analyst, I want to learn about the Phishing Triage Agent in Microsoft Defender so that I can triage and classify user-submitted phishing incidents efficiently.
+---
+
+# Microsoft Security Copilot Phishing Triage Agent in Microsoft Defender
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> Some information in this article relates to a prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here.
+
+Phishing remains one of the most common ways attackers gain initial access. It also represents one of the highest-volume challenges security operations center (SOC) teams face, due to the large number of user-reported suspicious emails that must be investigated daily.
+
+To help security teams address phishing efficiently, Microsoft Security Copilot is introducing the Phishing Triage Agent in Microsoft Defender. This AI-powered virtual agent is designed to scale security teams' response in triaging and classifying user-submitted phishing incidents, allowing organizations to improve their efficiency by reducing manual effort and streamlining their phishing response.
+
+The Phishing Triage Agent uses advanced large language model (LLM)-based analysis to understand the content of reported emails and autonomously determine whether a submission is a genuine phishing attempt or a false alarm. Unlike rule-based systems, it doesn't rely on predefined input or code to operate. Instead, it applies dynamic reasoning to analyze and act on incoming reports at scale.
+
+By removing false alarms from the queue, the agent significantly reduces the team's manual workload and allows them to focus on higher-priority tasks. With this automation, security teams can more efficiently process hundreds or thousands of phishing submissions, accelerating detection and response for incidents that require immediate attention.
+
+## Overview
+
+Security Copilot brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Security Copilot is embedded in the Microsoft Defender portal to help provide security teams with enhanced capabilities to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
+
+The Phishing Triage Agent is a [Security Copilot agent](/copilot/security/agents-overview) in Microsoft Defender designed to scale your security operations teams' processes in classifying and triaging user-submitted phishing incidents. Some of the agent’s highlights include:
+
+- It operates autonomously. The Phishing Triage Agent leverages advanced AI tools to perform sophisticated assessments and determine whether a phishing submission is a real threat or a false alarm, without requiring step-by-step human input or code.
+- It provides a transparent rationale for its classification verdicts in natural language, including the reasoning behind its decisions and the evidence it used to arrive at those conclusions. It also shows a visual representation of its reasoning process for every decision.
+- It continuously learns and improves its accuracy based on feedback provided by analysts. Over time, this feedback loop fine-tunes the agent’s behavior, aligning it more closely with organizational nuances and reducing the need for manual verification.
+
+## Prerequisites
+
+The following are organizational requirements to run Phishing Triage Agent in your environment:
+
+|Components|Details|
+|:---|:---|
+|Products|- An active subscription to Security Copilot and provisioned capacity in Security Compute Units (SCU) to power Security Copilot workload. See [Get started with Security Copilot](/copilot/security/get-started-security-copilot) for more information </br> - Microsoft Defender for Office 365 Plan 2 deployed|
+|Microsoft Defender required features|- Unified role-based access control (URBAC) must be enabled in your organization. See [Unified role-based access control (URBAC)](manage-rbac.md) for more information </br> - *Monitor reported messages in Outlook* is configured. See [User reported settings](/defender-office-365/submissions-user-reported-messages-custom-mailbox) for more information </br> - The alert policy **Email reported by user as malware or phish** must be turned on. See [Alert policies in the Microsoft Defender portal](alert-policies.md) for more information|
+|Security Copilot plugins required|The following [Microsoft plugins](/copilot/security/plugin-overview#microsoft-plugins) must be enabled in Security Copilot: </br> - Microsoft Defender XDR </br> - Microsoft Threat Intelligence </br> - Phishing Triage Agent|
+
+## Related content
+
+- [Microsoft Security Copilot agents](/copilot/security/agents-overview)
+- [Responsible AI FAQs for Security Copilot](/copilot/security/rai-faqs-security-copilot)

defender-xdr/security-copilot-agents-defender.md

@@ -0,0 +1,57 @@
+---
+title: Microsoft Security Copilot Agents in Microsoft Defender
+description: Learn about Security Copilot agents in Microsoft Defender that can help you perform your security tasks easily.
+ms.service: defender-xdr
+f1.keywords:
+- NOCSH
+ms.author: diannegali
+author: diannegali
+ms.localizationpriority: medium
+manager: deniseb
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier1
+- security-copilot
+- magic-ai-copilot 
+ms.topic: concept-article
+search.appverid:
+- MOE150
+- MET150
+ms.date: 04/28/2025
+appliesto:
+- Microsoft Defender XDR
+- Microsoft Sentinel in the Microsoft Defender portal
+#customer intent: As a security analyst, I want to know about the Security Copilot agents available in Microsoft Defender so that I can use them to perform my security tasks efficiently.
+---
+
+# Microsoft Security Copilot Agents in Microsoft Defender
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+Microsoft Security Copilot agents are available in Microsoft Defender to help you perform your security tasks efficiently. Security Copilot agents are AI-powered assistants that can help you with various tasks by working seamlessly with Microsoft security products.
+
+## Agents in Microsoft Defender
+
+### Phishing Triage Agent
+
+The [Phishing Triage Agent](phishing-triage-agent.md) helps security operations analysts to triage and classify user-submitted phishing incidents. The agent operates autonomously, provides a transparent rationale for its classification verdicts in natural language, and continuously learns and improves its accuracy based on feedback provided by analysts.
+
+#### Trigger
+
+The agent is triggered when a user in your organization submits a phishing incident. The agent autonomously analyzes the submitted email to classify them as either phishing or not phishing based on its training and the context of the organization.
+
+#### Products
+
+Tenants must have the following products enabled to use the agent:
+
+- An active subscription to Security Copilot and provisioned capacity in Security Compute Units (SCU) to power Security Copilot workload. See [Get started with Security Copilot](/copilot/security/get-started-security-copilot) for more information.
+- Microsoft Defender for Office 365 Plan 2 deployed
+
+#### Plugins
+
+The following plugins must be enabled in Security Copilot:
+
+- Microsoft Defender XDR
+- Microsoft Threat Intelligence
+- Phishing Triage Agent

defender-xdr/security-copilot-in-microsoft-365-defender.md

@@ -14,14 +14,16 @@ ms.collection:
 - tier1
 - security-copilot
 - magic-ai-copilot 
-ms.topic: conceptual
+ms.topic: concept-article
 search.appverid:
 - MOE150
 - MET150
-ms.date: 03/10/2025
+ms.date: 04/28/2025
 appliesto:
 - Microsoft Defender XDR
 - Microsoft Sentinel in the Microsoft Defender portal
+#customer intent: As an IT admin, I want to learn about Microsoft Security Copilot capabilities embedded in Microsoft Defender so that I can use them to perform my security tasks efficiently.
+#customer intent: As a security analyst, I want to learn about Microsoft Security Copilot capabilities embedded in Microsoft Defender so that I can use them to perform my security tasks efficiently.
 ---
 
 # Microsoft Copilot in Microsoft Defender
@@ -49,7 +51,7 @@ If you're new to Security Copilot, you should familiarize yourself with it by re
 
 [Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Security Copilot is embedded in the Microsoft Defender portal to help provide security teams with enhanced capabilities to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence. Copilot in Defender is available to users who have provisioned access to Security Copilot.
 
-Furthermore, Security Copilot operates using [Microsoft's AI principles](https://www.microsoft.com/ai/responsible-ai). To know more, see the [Security Copilot Responsible AI FAQs](/copilot/security/rai-faqs-security-copilot).
+Security Copilot operates using [Microsoft's AI principles](https://www.microsoft.com/ai/responsible-ai). To know more, see the [Security Copilot Responsible AI FAQs](/copilot/security/rai-faqs-security-copilot).
 
 ## Key features