Merge pull request #5834 from MicrosoftDocs/main

[AutoPublish] main to live - 12/04 04:39 PST | 12/04 18:09 IST

Author: m365-skilling-repo-management[bot]

defender-endpoint/mac-whatsnew.md

@@ -59,6 +59,7 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 ## Releases for Defender for Endpoint on macOS
 
+
 ### Offline updates for security intelligence updates on macOS is now in public preview
 
 This feature enables organizations to configure offline updates for security intelligence updates (also referred to as definition updates or signatures) on macOS using a local mirror server. For more information, see [Configure offline security intelligence updates for Microsoft Defender for Endpoint on macOS (preview)](./mac-support-offline-security-intelligence-update.md).
@@ -67,6 +68,19 @@ This feature enables organizations to configure offline updates for security int
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md) and [Behavior Monitoring GA announcement blog](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/behavior-monitoring-is-now-generally-available-for-microsoft-defender-for-endpoi/4415697)
 
+### Nov-2025 (Build: 101.25102.0016 | Release version: 20.125102.16.0)
+
+| Build: | **101.25102.0016** |
+|--------------------|-----------------------|
+| Release version: | **20.125102.16.0** |
+| Engine version: | **1.1.25090.2000** |
+| Signature version: | **1.435.600.0** |
+
+##### What's new
+
+- Bug and performance fixes
+
+
 ### Oct-2025 (Build: 101.25082.0006  | Release version: 20.125082.6.0)
 
 | Build:             | **101.25082.0006**         |

defender-for-cloud-apps/anomaly-detection-policy.md

@@ -36,7 +36,6 @@ Based on the policy results, security alerts are triggered. Defender for Cloud A
 > - [Suspicious inbox forwarding](#suspicious-inbox-forwarding).
 > - [Unusual ISP for an OAuth App](#unusual-isp-for-an-oauth-app).
 > - [Suspicious file access activity (by user)](#unusual-activities-by-user).
-> - [Ransomware activity](#ransomware-activity).
 >
 > You will continue to receive the same standard of protection without disruption to your existing security coverage. No action is required from your side.
 
@@ -92,10 +91,6 @@ This detection identifies that users were active from an IP address that has bee
 
 ### Ransomware activity
 
-> [!NOTE]
-> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Ransomware payment instruction file uploaded to {Application}**.
-> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
-
 Defender for Cloud Apps extended its ransomware detection capabilities with anomaly detection to ensure a more comprehensive coverage against sophisticated Ransomware attacks. Using our security research expertise to identify behavioral patterns that reflect ransomware activity, Defender for Cloud Apps ensures holistic and robust protection. If Defender for Cloud Apps identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process. This data is collected in the logs received from connected APIs and is then combined with learned behavioral patterns and threat intelligence, for example, known ransomware extensions. For more information about how Defender for Cloud Apps detects ransomware, see [Protecting your organization against ransomware](best-practices.md#detect-cloud-threats-compromised-accounts-malicious-insiders-and-ransomware).
 
 ### Activity performed by terminated user

defender-xdr/TOC.yml

@@ -240,6 +240,8 @@
             href: advanced-hunting-behaviorentities-table.md
           - name: BehaviorInfo
             href: advanced-hunting-behaviorinfo-table.md
+          - name: CampaignIno
+            href: advanced-hunting-campaigninfo-table.md            
           - name: CloudAppEvents
             href: advanced-hunting-cloudappevents-table.md
           - name: CloudAuditEvents
@@ -320,6 +322,8 @@
             href: advanced-hunting-exposuregraphedges-table.md
           - name: ExposureGraphNodes
             href: advanced-hunting-exposuregraphnodes-table.md
+          - name: FileMaliciousContentInfo
+            href: advanced-hunting-filemaliciouscontentinfo-table.md            
           - name: GraphApiAuditEvents
             href: advanced-hunting-graphapiauditevents-table.md            
           - name: IdentityAccountInfo

defender-xdr/advanced-hunting-campaigninfo-table.md

@@ -0,0 +1,63 @@
+---
+title: CampaignInfo table in the advanced hunting schema
+description: Learn about the CampaignInfo table of the advanced hunting schema
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: pauloliveria
+author: poliveria
+ms.localizationpriority: medium
+manager: orspodek
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.topic: reference
+ms.date: 12/01/2025
+---
+
+# CampaignInfo (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which might be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+The `CampaignInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about email campaigns identified by Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.
+
+This advanced hunting table is populated by records from Defender for Office 365. If your organization didn't deploy the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Office 365 in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | `datetime` | Date and time when the event was recorded |
+| `CampaignName` | `string` | Name of the email campaign |
+| `CampaignId` | `string` | Unique identifier for the campaign, generated by Microsoft Defender for Office 365  |
+| `CampaignType` | `string` | Category of the campaign, like Phish, Malware, Spam, and others  |
+| `CampaignSubtype` | `string` | Contains more details about the campaign, like the brand being phished or related malware campaigns, if available   |
+| `NetworkMessageId` | `string` | Unique identifier for the email, generated by Microsoft  Defender for Office 365  |
+| `RecipientEmailAddress` | `string` | Email address of the recipient, or email address of the recipient after distribution list expansion   |
+| `ReportId` | `string` | Unique identifier for the event  |
+
+
+## Read more
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+

defender-xdr/advanced-hunting-filemaliciouscontentinfo-table.md

@@ -0,0 +1,73 @@
+---
+title: FileMaliciousContentInfo table in the advanced hunting schema
+description: Learn about the FileMaliciousContentInfo table of the advanced hunting schema
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: pauloliveria
+author: poliveria
+ms.localizationpriority: medium
+manager: orspodek
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.topic: reference
+ms.date: 12/01/2025
+---
+
+# FileMaliciousContentInfo (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which might be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `FileMaliciousContentInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about files that were identified as malicious by Microsoft Defender for Office 365 in SharePoint Online, OneDrive, and Microsoft Teams. Use this reference to construct queries that return information from this table.
+
+> [!TIP]
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.
+
+This advanced hunting table is populated by records from Defender for Office 365. If your organization didn't deploy the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Office 365 in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | `datetime` | Date and time when the event was generated |
+| `Workload`| `string` | Information about the workload from which the URL originated from |
+| `FileName`| `string` | Name of the file that the recorded action was applied to |
+| `FolderPath`| `string` | Path of the folder containing the file that the recorded action was applied to |
+| `FileSize`| `long` | Size of the file in bytes |
+| `SHA256`| `string` | SHA-256 of the file that the recorded action was applied to |
+| `FileOwnerDisplayName`| `string` | Account recorded as owner of the file |
+| `FileOwnerUpn`| `string` | Account recorded as owner of the file|
+| `DocumentId`| `string` | Unique identifier of the file |
+| `ThreatTypes`| `dynamic` | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
+| `ThreatNames`| `string` | Detection name for malware or other threats found|
+| `DetectionMethods`| `string` | Methods used to detect malware, phishing, or other threats found in the email |
+| `LastModifyingAccountUpn`| `string` | Account that last modified this file |
+| `LastModifiedTime`| `datetime` |Date and time the item or related metadata was last modified|
+| `FileCreationTime	`| `datetime` | Timestamp of the file creation|
+| `ReportId`| `string` | Unique identifier for the event |
+
+
+
+## Read more
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

defender-xdr/advanced-hunting-schema-tables.md

@@ -61,6 +61,7 @@ The following reference lists all the tables in the schema. Each table name link
 | **[AlertInfo](advanced-hunting-alertinfo-table.md)** | Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, including severity information and threat categorization  |
 | **[BehaviorEntities](advanced-hunting-behaviorentities-table.md)** (Preview) | Behavior data types in Microsoft Defender for Cloud Apps (not available for GCC) |
 | **[BehaviorInfo](advanced-hunting-behaviorinfo-table.md)** (Preview) | Alerts from Microsoft Defender for Cloud Apps (not available for GCC) |
+| **[CampaignInfo](advanced-hunting-campaigninfo-table.md)** (Preview) | Email campaigns identified by Microsoft Defender for Office 365 |
 | **[CloudAppEvents](advanced-hunting-cloudappevents-table.md)** | Events involving accounts and objects in Office 365 and other cloud apps and services |
 | **[CloudAuditEvents](advanced-hunting-cloudauditevents-table.md)** (Preview)| Cloud audit events for various cloud platforms protected by the organization's Microsoft Defender for Cloud |
 | **[CloudProcessEvents](advanced-hunting-cloudprocessevents-table.md)** (Preview)| Cloud process events for various cloud platforms protected by the organization's Microsoft Defender for Containers |
@@ -101,6 +102,7 @@ The following reference lists all the tables in the schema. Each table name link
 | **[EntraIdSpnSignInEvents](advanced-hunting-entraidspnsigninevents-table.md)** (Preview)| Microsoft Entra service principal and managed identity sign-ins |
 | **[ExposureGraphEdges](advanced-hunting-exposuregraphedges-table.md)** | Microsoft Security Exposure Management exposure graph edge information provides visibility into relationships between entities and assets in the graph |
 | **[ExposureGraphNodes](advanced-hunting-exposuregraphnodes-table.md)** | Microsoft Security Exposure Management exposure graph node information, about organizational entities and their properties |
+| **[FileMaliciousContentInfo](advanced-hunting-emailurlinfo-table.md)** (Preview) | Files that were identified as malicious by Microsoft Defender for Office 365 in SharePoint Online, OneDrive, and Microsoft Teams |
 | **[GraphApiAuditEvents](advanced-hunting-graphapiauditevents-table.md)**  (Preview) | Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant |
 | **[IdentityAccountInfo](advanced-hunting-identityaccountinfo-table.md)** (Preview) | Account information from various sources, including Microsoft Entra ID. This table also includes information and link to the identity that owns the account. |
 | **[IdentityDirectoryEvents](advanced-hunting-identitydirectoryevents-table.md)** | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. |

defender-xdr/whats-new.md

@@ -6,7 +6,7 @@ ms.service: defender-xdr
 ms.author: guywild
 author: guywi-ms
 ms.localizationpriority: medium
-ms.date: 11/18/2025
+ms.date: 12/01/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -33,8 +33,11 @@ For more information on what's new with other Microsoft Defender security produc
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
 ## December 2025
+- (Preview) The following advanced hunting schema tables are now available for preview:
+    - The [`CampaignInfo`](advanced-hunting-campaigninfo-table.md) table contains contains information about email campaigns identified by Microsoft Defender for Office 365
+    - The [`FileMaliciousContentInfo`](advanced-hunting-filemaliciouscontentinfo-table.md) table contains information about files that were identified as malicious by Microsoft Defender for Office 365 in SharePoint Online, OneDrive, and Microsoft Teams
 - (GA) The [hunting graph](advanced-hunting-graph.md) in advanced hunting is now generally available. It also now has two new predefined threat scenarios that you can use to render your hunts as interactive graphs.
-- Advanced hunting now supports custom functions that use tabular parameters. With tabular parameters, you can pass entire tables as inputs. This approach lets you build more modular, reusable, and expressive logic across your hunting queries. [Learn more](advanced-hunting-custom-functions.md#create-custom-functions-with-tabular-parameters)
+- (GA) Advanced hunting now supports custom functions that use tabular parameters. With tabular parameters, you can pass entire tables as inputs. This approach lets you build more modular, reusable, and expressive logic across your hunting queries. [Learn more](advanced-hunting-custom-functions.md#create-custom-functions-with-tabular-parameters) 
 
 ## November 2025
 - Microsoft Sentinel customers using the Defender portal, or the Azure portal with the Microsoft Sentinel Defender XDR data connector, now also benefit from Microsoft Threat Intelligence alerts that highlight activity from nation-state actors, major ransomware campaigns, and fraudulent operations. To view these alert types, you must have the **Security Administrator** or **Global Administrator** role. The **Service Source**, **Detection Source**, and **Product Name** values for these alerts are listed as *Microsoft Threat Intelligence*.   For more information, see [Incidents and alerts in the Microsoft Defender portal](incidents-overview.md).

exposure-management/exposure-insights-overview.md

@@ -103,8 +103,6 @@ Security Exposure Management ingests security recommendations from multiple sour
 - **New unified Recommendations page**: All recommendations from various sources (Secure Score, Defender for Cloud, Defender for Endpoint, etc.) are now consolidated into one catalog view in the Defender portal
 - **Organized by attack surface**: Recommendations are organized by tabs for different domains - Devices, Cloud, Identity, SaaS, and Data
 - **Categorized by issue type**: Recommendations are separated by type - misconfigurations vs vulnerabilities vs secrets. For example, on the Devices tab, you'll find separate views for Misconfigurations and Vulnerabilities, aligning with different remediation workflows
-- **Risk-based prioritization**: Combines vulnerability data from endpoints and cloud environments into a unified, actionable view, including contextual risk-based Secure Score.
-- **Unified remediation flow**: Side-by-side visibility into device and cloud weaknesses enabling security teams to efficiently track posture improvements, remediate vulnerabilities, and understand attack paths in real time through a streamlined interface.
 
 ### Recommendation management