Commit 71f5e3f

Merge branch 'main' into mdi-protection-for-okta
2 parents f636246 + 396ef1f commit 71f5e3f

3 files changed: +50 -21 lines changed

3 files changed

+50
-21
lines changed

ATPDocs/service-account-discovery.md

Lines changed: 25 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ ms.topic: conceptual
55
ms.date: 03/25/2025
66
---
77

8-
# Investigate and protect Service Accounts | Microsoft Defender for Identity
8+
# Investigate and protect Service Accounts
99

1010
### What are Service Accounts?
1111

@@ -17,7 +17,7 @@ Service accounts are classified into several types:
1717
- sMSA (Managed Service Accounts): Designed for individual services on a single server rather than groups.
1818
- User Account: These standard user accounts are typically used for interactive logins but can also be configured to run services.
1919

20-
The auto discovery feature quickly identifies gMSA and sMSA accounts as well as user accounts within Active Directory that meet specific criteria.These criteria include having a [Service Principal Name ](/windows/win32/ad/service-principal-names)(SPN) or a "password never expires" attribute assigned. The feature then classifies these accounts as service accounts. These accounts are then highlighted and presented, along with relevant information including insights into recent authentications and the sources and destinations of those interactions, as part of a dedicated inventory within the Defender experience. This helps you better understand the accounts' purpose so you can more easily spot anomalous activity and understand its implications.
20+
The auto discovery feature quickly identifies gMSA and sMSA accounts and user accounts within Active Directory that meet specific criteria. These criteria include having a [Service Principal Name](/windows/win32/ad/service-principal-names)(SPN) or a "password never expires" attribute assigned. The feature then classifies these accounts as service accounts. These accounts are then highlighted and presented, along with relevant information including insights into recent authentications and the sources and destinations of those interactions, as part of a dedicated inventory within the Defender experience. This helps you better understand the accounts' purpose so you can more easily spot anomalous activity and understand its implications.
2121

2222
Service account types are displayed in the Identity Info table within Advanced Hunting.
2323

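Review bot: The rewritten line 20 still has no space between the SPN link and its parenthetical, `[Service Principal Name](/windows/win32/ad/service-principal-names)(SPN)`, which renders as `Name(SPN)`; add a space before `(SPN)`. The `as well as` to `and` change and the removal of the stray space inside the link text are fine.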
@@ -77,7 +77,7 @@ You can use the sort and filter functionality on each service account tab to get
7777
### Connections
7878

7979

80-
For a deeper dive into what's happening in your service account click on the domain name to see the following information:
80+
For a deeper dive into what's happening in your service account select the domain name to see the following information:
8181

8282
When you investigate a specific Service account, you see the following details under the connections tab:
8383

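Review bot: Line 80 needs a comma after the introductory clause: `For a deeper dive into what's happening in your service account, select the domain name to see the following information:`. The `click on` to `select` change matches the style used elsewhere in the docs.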
@@ -96,10 +96,30 @@ When you investigate a specific Service account, you see the following details u
9696
Last seen | The date and time of the most recent sign in event over this connection. |
9797

9898

99-
For more information about the following tabs, **Overview**, **Incidents and alerts**,**Observed in organization**, **Timeline**, and **Attack paths**, see: [Investigate assets](/defender-for-identity/investigate-assets#identity-details).
99+
### Define Service Account classification rules
100+
101+
Service account classification rules let you define your own criteria for identifying service accounts. These rules help you include service accounts that Defender for Identity doesn't identify automatically. For example, some organizations name all their service accounts with a prefix like `srv`. Defender for Identity doesn't automatically detect such naming conventions. By creating a classification rule based on that pattern, you can include those accounts in the Service accounts view.
102+
103+
Classification rules work alongside Defender for Identity’s automatic discovery and provide a more complete and customized view of service accounts in your environment.
104+
105+
To create a rule:
106+
107+
1. Go to Settings > Microsoft Defender XDR > Service accounts classification.
108+
1. Select on **+ Create a new rule**.
109+
1. Enter a name for the rule.
110+
2. Optional: Add a description.
111+
1. Select one or more of the following filters:
112+
- **Account display name**
113+
- **Account domain**
114+
- **Account SAM name**
115+
- **Organizational unit**
116+
1. Select Create to save the rule.
117+
118+
119+
For more information about Defender for Identity details, see: [Investigate assets](/defender-for-identity/investigate-assets#identity-details).
100120

101121
## Related content
102122
- [Service principal names](/windows/win32/ad/service-principal-names)
103123
- [How to configure SPN](/windows-server/identity/ad-ds/manage/how-to-configure-spn?tabs=add%2Caduc)
104124

105-
If you run into any problems, we're here to help. To get assistance or support for your product issue, see how to open a support ticket at [Microsoft Defender for Identity support](support.md).
125+
If you run into any problems, we're here to help. To get assistance or support for your product issue, see how to open a support ticket at [Microsoft Defender for Identity support](support.md).
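Review bot: The new procedure at lines 107-116 mixes list markers (`2. Optional: Add a description.` sits between `1.` items, so the rendered numbering will be off) and line 108 reads `Select on **+ Create a new rule**`; use `1.` throughout and drop `on`. Two documentation gaps in the new section: line 101 says a rule based on a naming pattern such as a `srv` prefix will `include those accounts in the Service accounts view`, but does not say whether classification also changes how Defender for Identity evaluates the account (profiling, alerting), which is exactly what a reader tuning detections wants to know; and since the filters at lines 112-115 match on display name, domain, SAM name and OU, it is worth saying that a name-only rule classifies every account matching the pattern, so combining it with an OU or domain filter narrows it to the intended accounts. The replaced line 99 listed the **Overview**, **Incidents and alerts**, **Observed in organization**, **Timeline** and **Attack paths** tabs, while the new line 119 drops that list and reads `For more information about Defender for Identity details`; either restore the tab list or say what `details` refers to. Lines 105- and 125+ look identical; if this is a whitespace-only change that is fine, otherwise confirm it is intended.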

ATPDocs/whats-new.md

Lines changed: 23 additions & 14 deletions
@@ -26,6 +26,7 @@ For updates about versions and features released six months ago or earlier, see
2626
## June 2025
2727

2828

29+
2930
### Okta integration is now available in Microsoft Defender for Identity
3031

3132
Microsoft Defender for Identity now supports integration with Okta, enabling detection of identity-based threats across cloud and on-premises environments. This integration helps identify suspicious sign-ins, risky role assignments, and potential privilege misuse within your Okta environment.
@@ -34,6 +35,14 @@ For prerequisites and configuration steps, see [Integrate Okta with Microsoft De
3435

3536
### Microsoft Defender For Identity PowerShell module updates (version 1.0.0.4)
3637

38+
### Service account classification rules now available
39+
40+
You can now create custom classification rules to identify service accounts based on your organization’s specific criteria. This complements automatic discovery, enabling more accurate identification of service accounts.
41+
For more information, see [Service account discovery](service-account-discovery.md)
42+
43+
### Defender For Identity PowerShell module updates (version 1.0.0.4)
44+
45+
3746
New Features and Improvements:
3847
- Added remote domain functionality.
3948
- Added SensorType parameter to Test-MDISensorApiConnection to inform endpoint URL.
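Review bot: The PowerShell module heading now appears twice: the unchanged context line 36 `### Microsoft Defender For Identity PowerShell module updates (version 1.0.0.4)` and the added line 43 `### Defender For Identity PowerShell module updates (version 1.0.0.4)`, with the new Service account classification section inserted between them, so the release notes (`New Features and Improvements:`) end up under the second heading and the first heading is an empty section. This looks like a merge conflict that was resolved by keeping both sides; delete one of the two headings. Also, line 41 `For more information, see [Service account discovery](service-account-discovery.md)` is missing its terminal period.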
@@ -55,11 +64,11 @@ Defender for Identity now supports deploying its new sensor on Domain Controller
5564

5665

5766
### Improved Visibility into Defender for Identity New Sensor Eligibility in the Activation page
58-
The Activation Page now displays all servers from your device inventory, including those not currently eligible for the new Defender for Identity sensor. This enhancement increases transparency into sensor eligibility, helping you identify non-eligible servers and take action to update and onboard them for enhanced identity protection.
67+
The Activation Page now displays all servers from your device inventory, including those not currently eligible for the new Defender for Identity sensor. This enhancement increases transparency into sensor eligibility, helping you identify noneligible servers and take action to update and onboard them for enhanced identity protection.
5968

6069

6170
### Local administrators collection (using SAM-R queries) feature will be disabled
62-
The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. An alternative method is being explored. The change will occur automatically by the specified date, and no administrative action is required.
71+
The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. An alternative method is being explored. The change occurs automatically by the specified date, and no administrative action is required.
6372

6473
### New Health Issue
6574

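Review bot: `noneligible` at line 67 is a harder read than the `non-eligible` it replaces; if the intent is the no-hyphen style for `non` prefixes, `ineligible` says the same thing naturally. The `will occur` to `occurs` change at line 71 is fine.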
@@ -190,7 +199,7 @@ For more information, see:
190199
The new Identity security posture assessments (ISPMs) can help customers monitor misconfiguration by watching for weak spots and reduce the risk of potential attack on on-premises infrastructure.
191200
These new identity recommendations, as part of Microsoft Secure Score, are new security posture reports related to Active Directory infrastructure and Group policy Objects:
192201

193-
- [Accounts with non-default Primary Group ID](/defender-for-identity/accounts-with-non-default-pgid)
202+
- [Accounts with nondefault Primary Group ID](/defender-for-identity/accounts-with-non-default-pgid)
194203

195204
- [Change Domain Controller computer account old password](/defender-for-identity/domain-controller-account-password-change)
196205

@@ -232,7 +241,7 @@ As part of our ongoing effort to enhance Microsoft Defender for Identity coverag
232241
* **Suspicious Interactive Logon to the Microsoft Entra Connect Server**
233242
* Direct logins to Microsoft Entra Connect servers are highly unusual and potentially malicious. Attackers often target these servers to steal credentials for broader network access. Microsoft Defender for Identity can now detect abnormal logins to Microsoft Entra Connect servers, helping you identify and respond to these potential threats faster. It's specifically applicable when the Microsoft Entra Connect server is a standalone server and not operating as a Domain Controller.
234243
* **User Password Reset by Microsoft Entra Connect Account**
235-
* The Microsoft Entra Connect connector account often holds high privileges, including the ability to reset user’s passwords. Microsoft Defender for Identity now has visibility into those actions and will detect any usage of those permissions that were identified as malicious and non-legitimate. This alert will be triggered only if the [password writeback feature](/entra/identity/authentication/concept-sspr-writeback) is disabled.
244+
* The Microsoft Entra Connect connector account often holds high privileges, including the ability to reset user’s passwords. Microsoft Defender for Identity now has visibility into those actions and will detect any usage of those permissions that were identified as malicious and non-legitimate. This alert is triggered only if the [password writeback feature](/entra/identity/authentication/concept-sspr-writeback) is disabled.
236245
* **Suspicious writeback by Microsoft Entra Connect on a sensitive user**
237246
* While Microsoft Entra Connect already prevents writeback for users in privileged groups, Microsoft Defender for Identity expands this protection by identifying additional types of sensitive accounts. This enhanced detection helps prevent unauthorized password resets on critical accounts, which can be a crucial step in advanced attacks targeting both cloud and on-premises environments.
238247

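Review bot: Line 244 fixes the tense of `is triggered` but leaves two issues in the same sentence: `reset user’s passwords` should be `reset users' passwords`, and `will detect` earlier in the sentence is still future tense. `non-legitimate` also keeps the hyphen that this commit removes elsewhere (`noneligible`, `nondefault`); `illegitimate` would be consistent.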
@@ -261,7 +270,7 @@ For more information, see:
261270

262271
## July 2024
263272

264-
6 New detections are new in public preview:
273+
Six New detections are new in public preview:
265274
* **Possible NetSync attack**
266275
* NetSync is a module in Mimikatz, a post-exploitation tool, that requests the password hash of a target device's password by pretending to be a domain controller. An attacker might be performing malicious activities inside the network using this feature to gain access to the organization's resources.
267276
* **Possible takeover of a Microsoft Entra seamless SSO account**
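Review bot: Line 273 `Six New detections are new in public preview:` is redundant and mis-capitalised; suggest `Six new detections are in public preview:`.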
@@ -312,7 +321,7 @@ With this data customers can now easily create their own [custom detection rules
312321

313322
Access Defender XDR portal -> Hunting -> Advanced Hunting.
314323

315-
Now, you can copy our recommended query as provided below, and click on “Create detection rule”. Please be aware that our provided query also tracks failed logon attempts, which may generate information unrelated to a potential attack. Therefore, feel free to customize the query to suit your specific requirements.
324+
Now, you can copy our recommended query as provided below, and click on “Create detection rule”. Be aware that our provided query also tracks failed logon attempts, which may generate information unrelated to a potential attack. Therefore, feel free to customize the query to suit your specific requirements.
316325

317326

318327
```
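Review bot: Line 324 still says `click on “Create detection rule”` while this same commit changes `click on` to `select` in service-account-discovery.md (line 80); apply the same wording here for consistency. Dropping `Please` is fine.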
@@ -484,13 +493,13 @@ This version includes improvements and bug fixes for cloud services and the Defe
484493
> [!NOTE]
485494
> If you're seeing a decreased number of *Remote code execution attempt* alerts, see our updated [September announcements](#september-2023), which include an [update to the Defender for Identity detection logic](#decreased-number-of-alerts-for-remote-code-execution-attempts). Defender for Identity continues to record the remote code execution activities as before.
486495
487-
### New Identities area and dashboard in Microsoft 365 Defender (Preview)
496+
### New Identities area and dashboard in Microsoft Defender XDR (Preview)
488497

489-
Defender for Identity customers now have a new **Identities** area in Microsoft 365 Defender for information about identity security with Defender for Identity.
498+
Defender for Identity customers now have a new **Identities** area in Microsoft Defender XDR for information about identity security with Defender for Identity.
490499

491-
In Microsoft 365 Defender, select **Identities** to see any of the following new pages:
500+
In Microsoft Defender XDR, select **Identities** to see any of the following new pages:
492501

493-
- **Dashboard**: This page shows graphs and widgets to help you monitor identity threat detection and response activities.  For example:
502+
- **Dashboard**: This page shows graphs and widgets to help you monitor identity threat detection and response activities. For example:
494503

495504
:::image type="content" source="media/dashboard/dashboard.gif" alt-text="An animated GIF showing a sample ITDR Dashboard page.":::
496505

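Review bot: Renaming Microsoft 365 Defender to Microsoft Defender XDR at lines 496-500 is reasonable even in an older release note, but the page also uses `Defender XDR portal` (line 313 in the previous hunk); pick one form of the portal name. The double-space fix at line 502 is fine.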
@@ -506,7 +515,7 @@ This version includes improvements and bug fixes for cloud services and the Defe
506515

507516
### Security posture assessments for AD CS sensors (Preview)
508517

509-
Defender for Identity's security posture assessments proactively detect and recommend actions across your on-premises Active Directory configurations.
518+
Defenders for Identity's security posture assessments proactively detect and recommend actions across your on-premises Active Directory configurations.
510519

511520
Recommended actions now include the following new security posture assessments, specifically for certificate templates and certificate authorities.
512521

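Review bot: Line 518 introduces a typo: `Defenders for Identity's security posture assessments` should stay `Defender for Identity's`; the product name is singular and nothing else in this hunk changes, so this looks like an accidental edit.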
@@ -524,7 +533,7 @@ Recommended actions now include the following new security posture assessments,
524533
- [Edit misconfigured Certificate Authority ACL (ESC7)](security-assessment-edit-misconfigured-ca-acl.md)
525534
- [Enforce encryption for RPC certificate enrollment interface (ESC11)](security-assessment-enforce-encryption-rpc.md)
526535

527-
The new assessments are available in Microsoft Secure Score, surfacing security issues and severe misconfigurations that pose risks to the entire organization, alongside detections. Your score is updated accordingly.
536+
The new assessments are available in Microsoft Secure Score, surfacing security issues, and severe misconfigurations that pose risks to the entire organization, alongside detections. Your score is updated accordingly.
528537

529538
For example:
530539

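Review bot: The comma added at line 536 (`surfacing security issues, and severe misconfigurations`) splits a two-item list; the original wording without the comma was correct. Revert this one.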
@@ -533,7 +542,7 @@ For example:
533542
For more information, see [Microsoft Defender for Identity's security posture assessments](security-assessment.md).
534543

535544
> [!NOTE]
536-
> While *certificate template* assessments are available to all customers that have AD CS installed on their environment, *certificate authority* assessments are available only to customers who've installed a sensor on an AD CS server. For more information, see [New sensor type for Active Directory Certificate Services (AD CS)](#new-sensor-type-for-active-directory-certificate-services-ad-cs).
545+
> While *certificate template* assessments are available to all customers that have AD CS installed on their environment, *certificate authority* assessments are available only to customers who have installed a sensor on an AD CS server. For more information, see [New sensor type for Active Directory Certificate Services (AD CS)](#new-sensor-type-for-active-directory-certificate-services-ad-cs).
537546
538547
### Defender for Identity release 2.223
539548

@@ -606,7 +615,7 @@ While this change results in a decreased number of *Remote code execution attemp
606615

607616
### Alert sensitivity settings and learning period enhancements
608617

609-
Some Defender for Identity alerts wait for a *learning period* before alerts are triggered, while building a profile of patterns to use when distinguishing between legitimate and suspicious activities.
618+
Some Defenders for Identity alerts wait for a *learning period* before alerts are triggered, while building a profile of patterns to use when distinguishing between legitimate and suspicious activities.
610619

611620
Defender for Identity now provides the following enhancements for the learning period experience:
612621

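Review bot: Line 618 has the same accidental pluralisation as line 518 earlier in this file: `Some Defenders for Identity alerts` should be `Some Defender for Identity alerts`.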
CloudAppSecurityDocs/behaviors.md

Lines changed: 2 additions & 2 deletions
@@ -6,7 +6,7 @@ ms.topic: conceptual
66
#CustomerIntent: As a Defender for Cloud Apps customer, I want to understand how behaviors work so that I can investigate more effectively.
77
---
88

9-
# Investigate behaviors with advanced hunting (Preview)
9+
# Investigate behaviors with advanced hunting
1010

1111

1212

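Review bot: Dropping `(Preview)` from the title at line 9 changes the feature's stated status; check that the body of behaviors.md and the whats-new entry agree, since the second hunk in this file marks only the first two rollout phases as complete and the third as still planned.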
@@ -57,7 +57,7 @@ This process aims to remove policies from alerts that give low-quality detection
5757

5858
1. (Complete) Defender for Cloud Apps sends behaviors in parallel to alerts.
5959

60-
1. (Currently in Preview) Policies that generate behaviors are now disabled by default, and don't send alerts.
60+
1. (Complete) Policies that generate behaviors are now disabled by default, and don't send alerts.
6161

6262
1. Move to a cloud-managed detection model, removing customer-facing policies completely. This phase is planned to provide both custom detections and selected alerts generated by internal policies for high-fidelity, security-focused scenarios.
6363

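Review bot: With line 60 changed to `(Complete)`, the first two phases carry a status label while the third (line 62, the move to a cloud-managed detection model) has none; add `(Planned)` or similar so the list reads consistently. Because phase two means behavior-generating policies are now disabled by default and no longer alert, it would help to state plainly that the advanced hunting behaviors this page describes are where that signal now lives.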