Merge branch 'main' into WI419617-Document-details-for-finding-AD-service-accounts

Author: DeCohen

CloudAppSecurityDocs/cloud-discovery-policies.md

@@ -44,8 +44,8 @@ Discovery policies enable you to set alerts that notify you when new apps are de
 
 > [!NOTE]
 >
-> - Newly created discovery policies (or policies with updated continuous reports) trigger an alert once in 90 days per app per continuous report, regardless of whether there are existing alerts for the same app. So, for example, if you create a policy for discovering new popular apps, it may trigger additional alerts for apps that have already been discovered and alerted on.
-> - Data from **snapshot reports** do not trigger alerts in app discovery policies.
+> - Newly created discovery policies (or policies with updated continuous reports) trigger an alert once in 90 days per app per continuous report, regardless of whether there are existing alerts for the same app. So, for example, if you create a policy for discovering new popular apps, it might trigger additional alerts for apps that have already been discovered and alerted on.
+> - Data from **snapshot reports** don't trigger alerts in app discovery policies.
 
 For example, if you're interested in discovering risky hosting apps found in your cloud environment, set your policy as follows:
 
@@ -73,6 +73,11 @@ Defender for Cloud Apps searches all the logs in your cloud discovery for anomal
 
 1. Under **Apply to** choose whether this policy applies **All continuous reports** or **Specific continuous reports**. Select whether the policy applies to **Users**, **IP addresses**, or both.
 
+    :::image type="content" source="media/apply-to-continous-reports.png" alt-text="Screenshot showing how to apply file polcies to specific continous reports" lightbox="media/apply-to-continous-reports.png":::
+
+    > [!IMPORTANT]
+    > When you configure an app discovery policy and select **Apply to > All continuous reports**, multiple alerts are generated for each discovery stream, including the global stream which aggregates data from all sources. To control alert volume, select **Apply to > Specific continuous reports** and choose only the relevant streams for your policy.
+    > Learn more: [Defender for Cloud apps continuous risk assessment reports](set-up-cloud-discovery.md#snapshot-and-continuous-risk-assessment-reports)
 1. Select the dates during which the anomalous activity occurred to trigger the alert under **Raise alerts only for suspicious activities occurring after date.**
 
 1. Set a **Daily alert limit** under **Alerts**. Select if the alert is sent as an email. Then provide email addresses as needed.

CloudAppSecurityDocs/mde-integration.md

@@ -1,7 +1,7 @@
 ---
 title: Integrate Microsoft Defender for Endpoint
 description: This article describes how to integrate Microsoft Defender for Endpoint with Defender for Cloud Apps for enhanced visibility into Shadow IT and risk management.
-ms.date: 06/03/2024
+ms.date: 05/12/2025
 ms.topic: how-to
 ---
 
@@ -18,10 +18,12 @@ This article describes the out-of-the-box integration available between Microsof
 
 - Microsoft Defender for Cloud Apps license
 
+- Devices must be onboarded to [Microsoft Defender for Endpoint](/defender-endpoint/onboard-client)
+
 - One of the following:
 
     - Microsoft Defender for Endpoint with Plan 2
-    - Microsoft Defender for Business with a premium or standalone license
+    - Microsoft Defender for Business (standalone or as part of Microsoft 365 Business Premium)
 
     For more information, see [Compare Microsoft endpoint security plans](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2).
 

CloudAppSecurityDocs/media/apply-to-continous-reports.png

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 01/24/2025
+ms.date: 05/12/2025
 ---
 
 # Schedule an update for Microsoft Defender for Endpoint on Linux
@@ -92,19 +92,19 @@ CRON_TZ=America/Los_Angeles
 > #!RHEL and variants (CentOS and Oracle Linux)
 >
 > ```bash
-> 0 6 * * sun [ $(date +%d) -le 15 ] && sudo yum update mdatp -y >> ~/mdatp_cron_job.log
+> 0 6 * * sun [ $(date +\%d) -le 15 ] && sudo yum update mdatp -y >> ~/mdatp_cron_job.log
 > ```
 
 > #!SLES and variants
 >
 > ```bash
-> 0 6 * * sun [ $(date +%d) -le 15 ] && sudo zypper update mdatp >> ~/mdatp_cron_job.log
+> 0 6 * * sun [ $(date +\%d) -le 15 ] && sudo zypper update mdatp >> ~/mdatp_cron_job.log
 > ```
 
 > #!Ubuntu and Debian systems
 >
 > ```bash
-> 0 6 * * sun [ $(date +%d) -le 15 ] && sudo apt-get install --only-upgrade mdatp >> ~/mdatp_cron_job.log
+> 0 6 * * sun [ $(date +\%d) -le 15 ] && sudo apt-get install --only-upgrade mdatp >> ~/mdatp_cron_job.log
 > ```
 
 > [!NOTE]

defender-endpoint/linux-update-mde-linux.md

@@ -116,11 +116,12 @@ To remove an exclusion:
 
 - Device group exclusions can be configured in the **Device groups** tab. Select the device group you want to configure from the list and choose the appropriate exclusion from the flyout pane. Select **Save** to save the exclusion.
 
-## Opt out of automatic attack disruption
+### Opting out of automatic attack disruption
+
+Opting out of attack disruption can greatly increase security risk. Consider [excluding specific entities](automatic-attack-disruption-exclusions.md#review-or-change-automated-response-exclusions-for-assets) instead. 
 
 If you must opt out of attack disruption, you can do so by opening a support case in the Microsoft Defender portal with the subject *Attack disruption opt-out*. In your request, please specify that you wish to opt out of attack disruption and include a brief explanation about your decision. This feedback helps us improve the feature and better understand customer needs. By opting out, you'll still receive alerts related to attack disruption but no automated actions are taken.
 
-Opting out of attack disruption can greatly increase security risk. Consider [excluding specific entities](automatic-attack-disruption-exclusions.md#review-or-change-automated-response-exclusions-for-assets) instead. 
 
 ## See also
 

defender-xdr/automatic-attack-disruption-exclusions.md

@@ -94,6 +94,8 @@
               href: mto-requirements.md
             - name: View and manage incidents and alerts
               href: mto-incidents-alerts.md
+            - name: View and manage cases
+              href: mto-manage-cases.md
             - name: Advanced hunting
               href: mto-advanced-hunting.md
             - name: Multitenant devices

unified-secops-platform/TOC.yml

@@ -1,6 +1,6 @@
 ---
-title: Manage cases natively in the Microsoft Defender portal
-description: Learn about case management features for unified security operations in the Defender portal.
+title: Manage security operations cases natively in the Microsoft Defender portal
+description: Learn about the case management capabilities in the Defender portal for managing and standardizing unified security operations.
 search.appverid: met150
 ms.service: unified-secops-platform
 ms.author: yelevin
@@ -14,30 +14,43 @@ ms.collection:
 - usx-security
 ms.topic: conceptual
 
-# customer intent: As a security operations center business decision maker, I want to learn about the case management tools available in the Microsoft Defender portal so I can unify security tickets, increase visibility, and disrupt attacks in real time across identities, endpoints, email, cloud apps, data in hybrid and multicloud environments.
+# customer intent: As a business decision maker for a security operations center, I want to learn about the case management tools available in the Microsoft Defender portal so I can unify security tickets and increase visibility across hybrid, multitenant, and multicloud environments, and disrupt attacks on identities, endpoints, email, cloud apps, and data in real time.
 ---
 
-# Manage cases natively in the Microsoft Defender portal
+# Manage security operations cases natively in the Microsoft Defender portal
 
-Case management is the first installment of new unified security operations (SecOps) capabilities for managing security work in the Microsoft Defender portal.
+Microsoft Defender case management is a collection of features and capabilities delivering a unified, security-focused case management experience. This experience is designed for managing unified security operations (SecOps) work natively in the Microsoft Defender portal, without the need for third-party tools. SecOps teams maintain security context, work more efficiently, and respond faster to attacks when they manage case work without leaving the Defender portal.
 
-This initial step toward delivering a unified, security-focused case management experience centralizes rich collaboration, customization, evidence collection, and reporting across SecOps workloads. SecOps teams maintain security context, work more efficiently, and respond faster to attacks when they manage case work without leaving the Defender portal.
+The current, introductory phase of the case management rollout centralizes rich collaboration, customization, evidence collection, and reporting across SecOps workloads.
 
 <a name="what-is-case-management-preview"></a>
 
 ## What is case management?
 
-Case management enables you to manage SecOps cases natively in the Defender portal. Here's the initial set of scenarios and features supported.
+Case management enables you to manage SecOps cases natively in the Defender portal. Even in its initial stages, SecOps teams are demonstrating the following use cases for case management:
 
-- Define your own case workflow with custom status values
-- Assign tasks to collaborators and configure due dates
-- Handle escalations and complex cases by linking multiple incidents to a case
-- Manage access to your cases using RBAC
+- Responding to security events that span multiple incidents.
+
+- Managing threat hunting.
+
+- Tracking IoCs and threat actors.
+
+- Tracking detection logic that needs tuning.
+
+The following specific capabilities and features support these use cases and scenarios:
+
+- Create and track your SecOps related cases in one place with the new **Cases** page.
+- [Define your own case workflow by configuring custom status values](#customize-status).
+- [Improve collaboration, quality, and accountability by assigning tasks and due dates](#tasks).
+- [Handle escalations and complex cases by linking multiple incidents to a case](#link-incidents).
+- [Manage access to your cases using RBAC](#requirements).
+- [Add rich-text comments to provide links, tables, and formatting to the activity log (in Preview)](#activity-log).
+- [Upload attachments to store files like documents, CSVs, and encrypted zip files containing malware samples (in Preview)](#attachments).
+- [Manage cases in multiple tenants via the multitenant management portal (in Preview)](mto-manage-cases.md).
 
 As we build on this foundation of case management, we're prioritizing these additional robust capabilities as we evolve this solution:
 
 - Automation
-- Multi-tenant support
 - More evidence to add
 - Workflow customization
 - More Defender portal integrations
@@ -50,8 +63,8 @@ For more information, see [Connect Microsoft Sentinel to the Defender portal](mi
 
 Use Defender XDR unified RBAC or Microsoft Sentinel roles to grant access to case management features.
 
-| Cases feature | Microsoft Defender XDR Unified RBAC | Microsoft Sentinel role |
-|---|---|---|
+| Cases feature | Microsoft Defender Unified RBAC | Microsoft Sentinel role |
+| ------------- | ------------------------------- | ----------------------- |
 | View only</br>- case queue</br>- case details</br>- tasks</br>- comments</br>- case audits | Security operations > Security data basics (read)| Microsoft Sentinel Reader |
 | Create and Manage</br>- cases and case tasks</br>- assign</br>- update status</br>- link and unlink incidents | Security operations > Alerts (manage) | Microsoft Sentinel Responder |
 | Customize case status options | Authorization and setting > Core Security settings (manage)| Microsoft Sentinel Contributor |
@@ -62,27 +75,27 @@ For more information, see [Microsoft Defender XDR Unified role-based access cont
 
 To start using case management, select **Cases** in the Defender portal to access the case queue. Filter, sort, or search your cases to find what you need to focus on.
 
-:::image type="content" source="media/cases-overview/cases-queue-view.png" alt-text="Screenshot of case queue.":::
+:::image type="content" source="media/cases-overview/cases-queue-view.png" alt-text="Screenshot of the cases queue in the Defender portal.":::
 
 The maximum allowed per tenant is 100,000 cases.
 
 ## Case details
 
 Each case has a page which allows analysts to manage the case and displays important details.
 
-In the following example, a threat hunter is investigating a hypothetical "Burrowing" attack that consists of multiple MITRE ATT&CK techniques and IoCs.
+In the following example, a threat hunter is investigating a hypothetical "Burrowing" attack that consists of multiple MITRE ATT&CK&reg; techniques and indicators of compromise (IoCs).
 
-:::image type="content" source="media/cases-overview/case-details.png" alt-text="Screenshot of case details." lightbox="media/cases-overview/case-details-large.png":::
+:::image type="content" source="media/cases-overview/case-details.png" alt-text="Screenshot of the case details page in the Defender portal." lightbox="media/cases-overview/case-details-large.png":::
 
 Manage the following case details to describe, prioritize, assign, and track work:
 
 | Displayed case feature | Manage case options | Default value |
 |:---|:---|:---|
-| Priority| `Very low`, `Low`, `Medium`, `High`, `Critical` | none |
-| Status | Set by analysts, customizable by admins | Default statuses are `New`, `Open`, and `Closed`</br>Default value is `New`|
-| Assigned to | A single user in the tenant | none |
-| Description | Rich text | none |
-| Case details | Case ID | Case IDs start at 1000 and aren't purged. Use custom statuses and filters to archive cases. Case numbers are automatically set.|
+| **Priority** | `Very low`, `Low`, `Medium`, `High`, `Critical` | none |
+| **Status** | Set by analysts, customizable by admins | Default statuses are `New`, `Open`, and `Closed`</br>Default value is `New`|
+| **Assigned to** | A single user in the tenant | none |
+| **Description** | Plain text | none |
+| **Case details** | Case ID | Case IDs start at 1000 and aren't purged. Use custom statuses and filters to archive cases. Case numbers are automatically set.|
 | | Created by</br>Created on</br>Last updated by</br>Last updated on | automatically set |
 | | Due on</br>Linked incidents | none |
 
@@ -101,7 +114,8 @@ Following the burrowing attack case creation example, the SOC admins configured
 Add tasks to manage granular components of your cases. Each task comes with its own name, status, priority, owner, and due date. With this information, you always know who is accountable to complete which task and by what time. The task description summarizes the work to do and some space for describing the progress. Closing notes provide more context about the outcome of completed tasks.
 
 :::image type="content" source="media/cases-overview/add-task-small.png" alt-text="Screenshot showing the task pane with tasks populated for the case and statuses available." lightbox="media/cases-overview/add-task.png":::
-</br>*Image shows the following task statuses available: New, In progress, Failed, Partially completed, Skipped, Completed*
+
+*Image shows the following task statuses available: New, In progress, Failed, Partially completed, Skipped, Completed*
 
 ### Link incidents
 
@@ -123,8 +137,17 @@ Need to write down notes, or that key detection logic to pass along? Create rich
 
 Audit events are automatically added to the activity log of the case and the latest events are shown at the top. Change the filter if you need to focus on comments or audit history.
 
+### Attachments
+
+Share reports, emails, screenshots, log files, and more, all centralized in the **Attachments** tab of a case. Ensure you have all the necessary information to make quick and accurate decisions in your security investigations.
+
+:::image type="content" source="media/cases-overview/case-attachments.png" alt-text="Screenshot of the details of the Attachments tab of a case.":::
+
+To add attachments to your case, go to the **Case details** page, select the **Attachments** tab, select **Upload**, select your file, and wait for the upload to complete. Once uploaded, the file is scanned in the background for malware. When the scan is complete, anyone with access to the case can download the file. If the file you want to upload is actually a malware sample, you can wrap it in a password-protected ZIP file.
+
 ## Related content
 
 - [Microsoft Sentinel blog - Improve SecOps collaboration with case management](https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/improve-secops-collaboration-with-case-management/4369044)
-- [Microsoft Defender Experts for Hunting](/defender-xdr/defender-experts-for-hunting)
 - [Microsoft Sentinel in the Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal)
+- [View and manage cases across multiple tenants in the Microsoft Defender multitenant portal](mto-manage-cases.md)
+- [Microsoft Defender multitenant management](mto-overview.md)