Merge branch 'main' into WI363235-Add-ipv6-ipv4-limitations-information

Author: DeCohen

.github/workflows/StaleBranch.yml

@@ -2,12 +2,17 @@ name: (Scheduled) Stale branch removal
 
 permissions:
   contents: write
-      
+
+# This workflow is designed to be run in the days up to, and including, a "deletion day", specified by 'DeleteOnDayOfMonth' in env: in https://github.com/MicrosoftDocs/microsoft-365-docs/blob/workflows-prod/.github/workflows/Shared-StaleBranch.yml.
+# On the days leading up to "deletion day", the workflow will report the branches to be deleted. This lets users see which branches will be deleted. On "deletion day", those branches are deleted.
+# The workflow should not be configured to run after "deletion day" so that users can review the branches were deleted.
+# Recommendation: configure cron to run on days 1,15-31 where 1 is what's configured in 'DeleteOnDayOfMonth'. If 'DeleteOnDayOfMonth' is set to something else, update cron to run the two weeks leading up to it.
+
 on:
   schedule:
-    - cron: "0 9 1 * *"
+    - cron: "0 9 1,15-31 * *"
 
-  # workflow_dispatch:
+  workflow_dispatch:
 
 
 jobs:

ATPDocs/deploy/activate-capabilities.md

@@ -117,8 +117,8 @@ The first time you activate Defender for Identity capabilities on your domain co
 Defender for Identity capabilities on domain controllers currently support the following Defender for Identity functionality:
 
 - Investigation features on the [ITDR dashboard](#check-the-itdr-dashboard), [identity inventory](#confirm-entity-page-details), and [identity advanced hunting data](#test-advanced-hunting-tables)
-- [Specified security posture recommendations](#test-identity-security-posture-management-ispm-recommendations)
-- [Specified alert detections](#test-alert-functionality)
+- [Security posture recommendations](#test-identity-security-posture-management-ispm-recommendations)
+- [Alert detections](#test-alert-functionality)
 - [Remediation actions](#test-remediation-actions)
 - [Automatic attack disruption](/microsoft-365/security/defender/automatic-attack-disruption)
 

defender-xdr/dlp-investigate-alerts-defender.md

@@ -83,7 +83,14 @@ It's best practice to only grant minimal permissions to alerts in the Microsoft
 
 1. Search for the DLP policy name of the alerts and incidents you're interested in.
 
-1. To view the incident summary page, select the incident from the queue. Similarly, select the alert to view the DLP alert page.
+1. To view the incident summary page, select the incident from the queue. Similarly, select the alert to view the DLP alert page. Select **Summarize** (preview) for Security Copilot to generate a summary of the alert. The alert summary will contain the:
+
+- alert severity
+- alert title
+- the name of the policy that was matched
+- the name file involved and a link to the file
+- alert status
+- the email address of the user who performed the action that matched the policy
 
 1. View the **Alert story** for details about policy and the sensitive information types detected in the alert. Select the event in the **Related Events** section to see the user activity details.
 

defender/threat-intelligence/security-copilot-and-defender-threat-intelligence.md

@@ -16,12 +16,12 @@ ms.custom:
 - cx-ti
 - cx-mdti
 ms.topic: conceptual
-ms.date: 01/15/2025
+ms.date: 04/22/2025
 ---
 
 # Microsoft Security Copilot in Microsoft Defender Threat Intelligence
 
-Microsoft Security Copilot is a cloud-based AI platform that provides natural language copilot experience. It can help support security professionals in different scenarios, like incident response, threat hunting, and intelligence gathering. For more information about what it can do, read [What is Microsoft Security Copilot?](/copilot/security/microsoft-security-copilot).
+Microsoft Security Copilot is a cloud-based AI platform that provides a natural language copilot experience. It can help support security professionals in different scenarios, like incident response, threat hunting, and intelligence gathering. For more information about what it can do, read [What is Microsoft Security Copilot?](/copilot/security/microsoft-security-copilot).
 
 Security Copilot customers gain for each of their authenticated Copilot users access to Microsoft Defender Threat Intelligence (Defender TI). To ensure that you have access to Copilot, see the [Security Copilot purchase and licensing information](/copilot/security/faq-security-copilot).
 
@@ -158,9 +158,17 @@ Get detailed information about an indicator (for example, IP addresses, domains,
 - Show me all resolutions for IP address _\<IP address\>_.
 - Show me the open services in _\<IP address\>_.
 
+### Malware information
+
+Get detailed information about a specific malware detection, which is derived from the [Microsoft Security Intelligence threat encyclopedia](https://www.microsoft.com/en-us/wdsi/threats/threat-search). 
+
+**Sample prompt**:
+
+- What can you tell me about Ransom:Win32/WannaCrypt?
+
 ## Provide feedback
 
-Your feedback on the Defender TI integration in Security Copilot helps with development. To provide feedback, in Copilot, select **How's this response?** At the bottom of each completed prompt and choose any of the following options:
+Your feedback on the Defender TI integration in Security Copilot helps with development. To provide feedback, in Copilot, select **How's this response?** at the bottom of each completed prompt and choose any of the following options:
 - **Looks right** - Select this button if the results are accurate, based on your assessment. 
 - **Needs improvement** - Select this button if any detail in the results is incorrect or incomplete, based on your assessment. 
 - **Inappropriate** - Select this button if the results contain questionable, ambiguous, or potentially harmful information.