Merge branch 'main' into poliveria-hunting-agent-11272025

Author: poliveria

defender-business/mdb-whats-new.md

@@ -52,7 +52,7 @@ This article lists new features in the latest releases of Microsoft Defender for
 
 - **Streaming API (preview) is now available for Defender for Business**. For partners or customers looking to build their own security operations center, the Defender for Endpoint streaming API is now in preview for Defender for Business. The API supports streaming of device file, registry, network, sign-in events and more to Azure Event Hub, Azure Storage, and Microsoft Sentinel to support advanced hunting and attack detection. See [Use the streaming API (preview) with Microsoft Defender for Business](mdb-streaming-api.md).
 
-- **Managed detection and response integration with Blackpoint Cyber**. This solution is ideal for customers who don't have the resources to invest in an in-house security operations center and for partners who want to augment their IT team with security experts to investigate, triage, and remediate the alerts generated by Defender for Business. [Learn more bout Blackpoint Cyber](https://aka.ms/BlackpointMSFT).
+- **Managed detection and response integration with Blackpoint Cyber**. This solution is ideal for customers who don't have the resources to invest in an in-house security operations center and for partners who want to augment their IT team with security experts to investigate, triage, and remediate the alerts generated by Defender for Business. [Learn more about Blackpoint Cyber](https://aka.ms/BlackpointMSFT).
 
 - **Customizable security baselines and configuration drift reports in Microsoft 365 Lighthouse**. For Microsoft Managed Service Providers (MSPs), Microsoft 365 Lighthouse includes security baselines to deploy a standardized set of configurations to customers' tenants. Microsoft 365 Lighthouse now lets MSPs customize baselines based on expertise and tailor them to customers' unique needs. [Learn more about Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview).
 

defender-endpoint/mac-whatsnew.md

@@ -59,6 +59,7 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 ## Releases for Defender for Endpoint on macOS
 
+
 ### Offline updates for security intelligence updates on macOS is now in public preview
 
 This feature enables organizations to configure offline updates for security intelligence updates (also referred to as definition updates or signatures) on macOS using a local mirror server. For more information, see [Configure offline security intelligence updates for Microsoft Defender for Endpoint on macOS (preview)](./mac-support-offline-security-intelligence-update.md).
@@ -67,6 +68,19 @@ This feature enables organizations to configure offline updates for security int
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md) and [Behavior Monitoring GA announcement blog](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/behavior-monitoring-is-now-generally-available-for-microsoft-defender-for-endpoi/4415697)
 
+### Nov-2025 (Build: 101.25102.0016 | Release version: 20.125102.16.0)
+
+| Build: | **101.25102.0016** |
+|--------------------|-----------------------|
+| Release version: | **20.125102.16.0** |
+| Engine version: | **1.1.25090.2000** |
+| Signature version: | **1.435.600.0** |
+
+##### What's new
+
+- Bug and performance fixes
+
+
 ### Oct-2025 (Build: 101.25082.0006  | Release version: 20.125082.6.0)
 
 | Build:             | **101.25082.0006**         |

defender-endpoint/whats-new-in-microsoft-defender-endpoint.md

@@ -29,11 +29,17 @@ Learn more:
 - [What's new in Microsoft Defender for Endpoint on other operating systems and services](#whats-new-in-defender-for-endpoint-on-other-operating-systems-and-services)
 - [Preview features](/defender-xdr/preview)
 
+## December 2025
+
+|Feature  |Preview/GA  |Description  |
+|---------|------------|-------------|
+|[Triage collection](/azure/sentinel/datalake/sentinel-mcp-triage-tool) |Preview |Use triage collection to prioritize incidents and hunt threats with the Sentinel Model Context Protocol (MCP) server.|
+
 ## November 2025
 
 |Feature  |Preview/GA  |Description  |
 |---------|------------|-------------|
-|New predictive shielding response actions. |Preview |Defender for Endpoint now includes the [GPO hardening](respond-machine-alerts.md#gpo-hardening) and [Safeboot hardening](respond-machine-alerts.md#safeboot-hardening) response actions. These actions are part of the [predictive shielding](/defender-xdr/shield-predict-threats) feature, which anticipates and mitigates potential threats before they materialize.|
+|New predictive shielding response actions |Preview |Defender for Endpoint now includes the [GPO hardening](respond-machine-alerts.md#gpo-hardening) and [Safeboot hardening](respond-machine-alerts.md#safeboot-hardening) response actions. These actions are part of the [predictive shielding](/defender-xdr/shield-predict-threats) feature, which anticipates and mitigates potential threats before they materialize.|
 |[Custom data collection](custom-data-collection.md) |Preview |Custom data collection enables organizations to expand and customize telemetry collection beyond default configurations to support specialized threat hunting and security monitoring needs. |
 | Defender deployment tool<br/>- [for Windows devices](./defender-deployment-tool-windows.md)<br/>- [for Linux devices](./linux-install-with-defender-deployment-tool.md) | Preview | The new Defender deployment tool is a lightweight, self-updating application that streamlines onboarding devices to the Defender endpoint security solution. The tool takes care of prerequisites, automates migrations from older solutions, and removes the need for complex onboarding scripts, separate downloads, and manual installations. It currently supports Windows and Linux devices. |
 | [Defender endpoint security solution for Windows 7 SP1 and Windows Server 2008 R2 SP1](./onboard-downlevel.md#use-the-defender-deployment-tool-to-deploy-defender-endpoint-security) | Preview | A Defender for endpoint security solution is now available for legacy Windows 7 SP1 and Windows Server 2008 R2 SP1 devices. The solution provides advanced protection capabilities and improved functionality for these devices compared to other solutions. The new solution is available using the new [Defender deployment tool](./defender-deployment-tool-windows.md). |

defender-for-cloud-apps/anomaly-detection-policy.md

@@ -36,7 +36,6 @@ Based on the policy results, security alerts are triggered. Defender for Cloud A
 > - [Suspicious inbox forwarding](#suspicious-inbox-forwarding).
 > - [Unusual ISP for an OAuth App](#unusual-isp-for-an-oauth-app).
 > - [Suspicious file access activity (by user)](#unusual-activities-by-user).
-> - [Ransomware activity](#ransomware-activity).
 >
 > You will continue to receive the same standard of protection without disruption to your existing security coverage. No action is required from your side.
 
@@ -92,10 +91,6 @@ This detection identifies that users were active from an IP address that has bee
 
 ### Ransomware activity
 
-> [!NOTE]
-> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Ransomware payment instruction file uploaded to {Application}**.
-> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
-
 Defender for Cloud Apps extended its ransomware detection capabilities with anomaly detection to ensure a more comprehensive coverage against sophisticated Ransomware attacks. Using our security research expertise to identify behavioral patterns that reflect ransomware activity, Defender for Cloud Apps ensures holistic and robust protection. If Defender for Cloud Apps identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process. This data is collected in the logs received from connected APIs and is then combined with learned behavioral patterns and threat intelligence, for example, known ransomware extensions. For more information about how Defender for Cloud Apps detects ransomware, see [Protecting your organization against ransomware](best-practices.md#detect-cloud-threats-compromised-accounts-malicious-insiders-and-ransomware).
 
 ### Activity performed by terminated user