Merge branch 'main' into WI397895-edit-app-governence-get-started

Author: DeCohen

.acrolinx-config.edn

@@ -39,7 +39,7 @@ For more information about the exception criteria and exception process, see [Mi
  
 Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality.
 
-| Article | Total score<br>(Required: 80) | Words + phrases<br>(Brand, terms) | Correctness<br>(Spelling, grammar) | Clarity<br>(Readability) |
+| Article | Total score<br>(Required: 80) | Terminology | Spelling and Grammar| Clarity<br>(Readability) |
 |---------|:--------------:|:--------------------:|:------:|:---------:|
 "
 

.github/workflows/BuildValidation.yml

@@ -0,0 +1,21 @@
+name: PR has no warnings or errors
+
+permissions:
+  pull-requests: write
+  statuses: write
+      
+on: 
+  issue_comment:
+    types: [created]
+
+jobs:
+
+  build-status:
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-BuildValidation.yml@workflows-prod
+    with:
+      PayloadJson: ${{ toJSON(github) }}
+    secrets:
+      AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+
+  

.openpublishing.redirection.defender-cloud-apps.json

@@ -994,6 +994,16 @@
       "source_path": "CloudAppSecurityDocs/what-is-cloud-app-security.md",
       "redirect_url": "/defender-cloud-apps/what-is-defender-for-cloud-apps",
       "redirect_document_id": true
+    },
+     {
+      "source_path": "CloudAppSecurityDocs/tutorial-ueba.md",
+      "redirect_url": "/defender-cloud-apps/",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "CloudAppSecurityDocs/file-filters.md",
+      "redirect_url": "/defender-cloud-apps/data-protection-policies",
+      "redirect_document_id": false
     }
   ]
 }

.openpublishing.redirection.defender-endpoint.json

@@ -79,6 +79,11 @@
       "source_path": "defender-endpoint/pilot-deploy-defender-endpoint.md",
       "redirect_url": "/defender-xdr/pilot-deploy-defender-endpoint",
       "redirect_document_id": false
-    }
+    },
+    {
+      "source_path": "defender-endpoint/monthly-security-summary-report.md",
+      "redirect_url": "/defender-endpoint/threat-protection-reports#monthly-security-summary",
+      "redirect_document_id": true
+    }    
   ]
 }

.openpublishing.redirection.defender-xdr.json

@@ -10,7 +10,6 @@
       "redirect_url": "/defender-for-identity/microsoft-365-security-center-mdi",
       "redirect_document_id": false
     },
-
     {
       "source_path": "defender-xdr/eval-create-eval-environment.md",
       "redirect_url": "/defender-xdr/pilot-deploy-overview",
@@ -131,6 +130,11 @@
       "redirect_url": "/defender-xdr/entity-page-device",
       "redirect_document_id": true
     },
+    {
+      "source_path": "defender-xdr/unlink-alert-from-incident.md",
+      "redirect_url": "/defender-xdr/move-alert-to-another-incident",
+      "redirect_document_id": true
+    },
     {
       "source_path": "defender-xdr/unified-secops-platform/defender-xdr-portal.md",
       "redirect_url": "/defender-xdr/",
@@ -166,6 +170,31 @@
       "redirect_url": "/defender-xdr/",
       "redirect_document_id": false
     },
+    {
+      "source_path": "defender-xdr/microsoft-threat-actor-naming.md",
+      "redirect_url": "/unified-secops-platform/microsoft-threat-actor-naming",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/malware-naming.md",
+      "redirect_url": "/unified-secops-platform/malware-naming",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/criteria.md",
+      "redirect_url": "/unified-secops-platform/criteria",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/submission-guide.md",
+      "redirect_url": "/unified-secops-platform/submission-guide",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/virus-initiative-criteria.md",
+      "redirect_url": "/unified-secops-platform/virus-initiative-criteria",
+      "redirect_document_id": false
+    },
     {
       "source_path": "defender-xdr/tickets.md",
       "redirect_url": "/defender-xdr/troubleshoot",
@@ -175,6 +204,61 @@
       "source_path": "defender-xdr/portal-submission-troubleshooting.md",
       "redirect_url": "/defender-xdr/troubleshoot",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-advanced-hunting.md",
+      "redirect_url": "/unified-secops-platform/mto-advanced-hunting",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-dashboard.md",
+      "redirect_url": "/unified-secops-platform/mto-dashboard",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-endpoint-security-policy.md",
+      "redirect_url": "/unified-secops-platform/mto-endpoint-security-policy",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-incidents-alerts.md",
+      "redirect_url": "/unified-secops-platform/mto-incidents-alerts",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-overview.md",
+      "redirect_url": "/unified-secops-platform/mto-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-requirements.md",
+      "redirect_url": "/unified-secops-platform/mto-requirements",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-tenant-devices.md",
+      "redirect_url": "/unified-secops-platform/mto-tenant-devices",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-tenantgroups.md",
+      "redirect_url": "/unified-secops-platform/mto-tenantgroups",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-tenants.md",
+      "redirect_url": "/unified-secops-platform/mto-tenants",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/portals.md",
+      "redirect_url": "/unified-secops-platform/overview-plan#understand-microsoft-security-portals-and-admin-centers",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/microsoft-sentinel-onboard.md",
+      "redirect_url": "/unified-secops-platform/microsoft-sentinel-onboard",
+      "redirect_document_id": false
     }
   ]
-}
+}

ATADocs/docfx.json

@@ -48,7 +48,13 @@
       "uhfHeaderId": "MSDocsHeader-M365-IT",
       "searchScope": ["ATA"],
       "contributors_to_exclude": [
-        "beccarobins"
+        "beccarobins",
+        "rjagiewich",
+        "claydetels19",
+        "garycentric",
+        "padmagit77",
+        "aditisrivastava07",
+        "Ruchika-mittal01"
       ]
     },
     "markdownEngineName": "markdig"

ATADocs/index.yml

@@ -8,7 +8,6 @@ metadata:
   description: Protect your enterprise using information from multiple network data-sources to learn the behavior of users and entities in your organization.
   services: service
   ms.service: advanced-threat-analytics
-  ms.subservice: ms.subservice
   ms.topic: landing-page
   ms.collection: M365-security-compliance
   author: batamig

ATADocs/media/ATA-windows-event-forwarding.jpg

@@ -7,13 +7,12 @@ ms.topic: how-to
 
 # Activate Microsoft Defender for Identity capabilities directly on a domain controller
 
-Microsoft Defender for Endpoint customers, who've already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using a [Microsoft Defender for Identity sensor](deploy-defender-identity.md).
+Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using a [Microsoft Defender for Identity sensor](deploy-defender-identity.md).
 
 This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
 
 > [!IMPORTANT]
-> Information in this article relates to a feature that is currently in limited availablility for a select set of use cases. If you weren't directed to use the Defender for Identity **Activation** page, use our [main deployment guide](deploy-defender-identity.md) instead.
->
+> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor.
 
 ## Prerequisites
 
@@ -30,10 +29,8 @@ Make sure that the domain controller where you're planning to activate Defender
 
 Direct Defender for Identity capabilities are supported on domain controllers only, using the one of the following operating systems:
 
-- Windows Server 2019
-- Windows Server 2022
-
-You must also have the [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) installed.
+- Windows Server 2019 or above
+- [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) or later
 
 > [!IMPORTANT]
 >After installing the March 2024 Cumulative Update, LSASS might experience a memory leak on domain controllers when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests.
@@ -122,7 +119,7 @@ In the Defender portal, check for the following details:
 
 - **Device entities**: Select **Assets > Devices**, and select the machine for your new sensor. Defender for Identity events are shown on the device timeline.
 
-- **User entities**. Select **Assets > Users** and check for users from a newly onboarded domain. Alternately, use the global search option to search for specific users. User details pages should include **Overview**, **Observed in organization**, and **Timeline** data.
+- **User entities**: Select **Assets > Users** and check for users from a newly onboarded domain. Alternately, use the global search option to search for specific users. User details pages should include **Overview**, **Observed in organization**, and **Timeline** data.
 
 - **Group entities**: Use the global search to find a user group, or pivot from a user or device details page where group details are shown. Check for details of group membership, view group users, and group timeline data.
 
@@ -148,16 +145,7 @@ IdentityQueryEvents
 For more information, see [Advanced hunting in the Microsoft Defender portal](/microsoft-365/security/defender/advanced-hunting-microsoft-defender).
 
 
-### Test Identity Security Posture Management (ISPM) recommendations
-
-Defender for Identity capabilities on domain controllers support the following ISPM assessments:
-
-- [**Install Defender for Identity Sensor on all Domain Controllers**](../security-assessment-unmonitored-domain-controller.md)
-- [**Microsoft LAPS usage**](../security-assessment-laps.md)
-- [**Resolve unsecure domain configurations**](../security-assessment-unsecure-domain-configurations.md)
-- **Set a honeytoken account**
-- [**Unsecure account attributes**](../security-assessment-unsecure-account-attributes.md)
-- [**Unsecure SID History attributes**](../security-assessment-unsecure-sid-history-attribute.md)
+## Test Identity Security Posture Management (ISPM) recommendations
 
 We recommend simulating risky behavior in a test environment to trigger supported assessments and verify that they appear as expected. For example:
 
@@ -187,37 +175,6 @@ For more information, see [Microsoft Defender for Identity's security posture as
 
 ### Test alert functionality
 
-The following alerts are supported by Defender for Identity capabilities on domain controllers:
-
-:::row:::
-   :::column span="":::
-    - [Account enumeration reconnaissance](../reconnaissance-discovery-alerts.md#account-enumeration-reconnaissance-external-id-2003)
-    - [Active Directory attributes Reconnaissance using LDAP](../reconnaissance-discovery-alerts.md#active-directory-attributes-reconnaissance-ldap-external-id-2210)
-    - [Exchange Server Remote Code Execution (CVE-2021-26855)](../lateral-movement-alerts.md#exchange-server-remote-code-execution-cve-2021-26855-external-id-2414)
-    - [Honeytoken user attributes modified](../persistence-privilege-escalation-alerts.md#honeytoken-user-attributes-modified-external-id-2427)
-    - [Honeytoken was queried via LDAP](../reconnaissance-discovery-alerts.md#honeytoken-was-queried-via-ldap-external-id-2429)
-    - [Honeytoken authentication activity](../credential-access-alerts.md#honeytoken-authentication-activity-external-id-2014)
-    - [Honeytoken group membership changed](../persistence-privilege-escalation-alerts.md#honeytoken-group-membership-changed-external-id-2428) 
-    - [Remote code execution attempt](../other-alerts.md#remote-code-execution-attempt-external-id-2019)
-    - [Security principal reconnaissance (LDAP)](../credential-access-alerts.md#security-principal-reconnaissance-ldap-external-id-2038)
-    - [Suspicious service creation](../other-alerts.md#suspicious-service-creation-external-id-2026)
-    - [Suspected NTLM relay attack (Exchange account)](../lateral-movement-alerts.md#suspected-ntlm-relay-attack-exchange-account-external-id-2037)
-   :::column-end:::
-   :::column span="":::
-    - [Suspicious modification of the Resource Based Constrained Delegation attribute by a machine account](../persistence-privilege-escalation-alerts.md#suspicious-modification-of-the-resource-based-constrained-delegation-attribute-by-a-machine-account--external-id-2423)
-    - [Suspicious additions to sensitive groups](../persistence-privilege-escalation-alerts.md#suspicious-additions-to-sensitive-groups-external-id-2024)
-    - [Suspicious modification of a dNSHostName attribute (CVE-2022-26923)](../persistence-privilege-escalation-alerts.md#suspicious-modification-of-a-dnshostname-attribute-cve-2022-26923--external-id-2421)
-    - [Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287)](../credential-access-alerts.md#suspicious-modification-of-a-samnameaccount-attribute-cve-2021-42278-and-cve-2021-42287-exploitation-external-id-2419)
-    - [Suspected DCShadow attack (domain controller promotion)](../other-alerts.md#suspected-dcshadow-attack-domain-controller-promotion-external-id-2028)
-    - [Suspected DFSCoerce attack using Distributed File System Protocol](../credential-access-alerts.md#suspected-dfscoerce-attack-using-distributed-file-system-protocol-external-id-2426) 
-    - [Suspected DCShadow attack (domain controller replication request)](../other-alerts.md#suspected-dcshadow-attack-domain-controller-replication-request-external-id-2029)
-    - [Suspected account takeover using shadow credentials](../credential-access-alerts.md#suspected-account-takeover-using-shadow-credentials-external-id-2431)
-    - [Suspected SID-History injection](../persistence-privilege-escalation-alerts.md#suspected-sid-history-injection-external-id-1106)
-    - [Suspected AD FS DKM key read](../credential-access-alerts.md#suspected-ad-fs-dkm-key-read-external-id-2413)
-   :::column-end:::
-:::row-end:::
-
-
 Test alert functionality by simulating risky activity in a test environment. For example:
 
 - Tag an account as a honeytoken account, and then try signing in to the honeytoken account against the activated domain controller.
@@ -232,16 +189,12 @@ Test remediation actions on a test user. For example:
 
 1. In the Defender portal, go to the user details page for a test user.
 
-1. From the options menu, select any or all of the following, one at a time:
-
-    - **Disable user in AD**
-    - **Enable user in AD**
-    - **Force password reset**
+1. From the **Options** menu, select any of the available remediation actions.
 
 1. Check Active Directory for the expected activity.
 
 > [!NOTE]
-> The current version does not collect the User Account Control (UAC) flags correctly. So disabled users, would still appear as Enabled in the portal.
+> The current version doesn't collect the User Account Control (UAC) flags correctly. So disabled users, would still appear as Enabled in the portal.
 
 
 For more information, see [Remediation actions in Microsoft Defender for Identity](../remediation-actions.md).

ATPDocs/deploy/activate-capabilities.md

@@ -55,9 +55,6 @@ Configure the SQL server to allow the Directory Service Account with the followi
 - *read*
 - *select*
 
-> [!NOTE]
-> If the AD FS database runs on a dedicated SQL server instead of the local AD FS server, and you're using a group Managed Service Account (gMSA) as the Directory Service Account, make sure that you grant the SQL server the [required permissions](create-directory-service-account-gmsa.md#prerequisites-grant-permissions-to-retrieve-the-gmsa-accounts-password) to retrieve the gMSA's password.
-
 ### Grant access to the AD FS database
 
 Grant access to the AD FS database by using SQL Server Management Studio, Transact-SQL (T-SQL), or PowerShell.