Merge branch 'main' into deniseb-minisuiterenaming

Author: denisebmsft

ATPDocs/change-password-krbtgt-account.md

@@ -29,7 +29,9 @@ If the KRBTGT account's password is compromised, an attacker can use its hash to
 1. Take appropriate action on those accounts by resetting their password **twice** to invalidate the Golden Ticket attack. 
 
 > [!NOTE]
-> The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It is recommended to use the [Microsoft-provided script.](https://github.com/microsoft/New-KrbtgtKeys.ps1)
+> The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It is recommended to use the [Microsoft-provided script.](https://github.com/microsoft/New-KrbtgtKeys.ps1)  
+> When resetting the password twice, wait at least 10 hours between resets to avoid Kerberos authentication issues. This wait time is enforced by the script and aligns with best practices.
+
 ### Next steps
 
 [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)

ATPDocs/deploy/configure-windows-event-collection.md

@@ -59,7 +59,7 @@ Use the following procedures to configure auditing on the domain controllers tha
 
 This procedure describes how to modify your domain controller's Advanced Audit Policy settings as needed for Defender for Identity via the UI.
 
-**Related health issue:** [Directory Services Advanced Auditing is not enabled as required](../health-alerts.md)
+**Related health issue:** [Directory Services Advanced Auditing isn't enabled as required](../health-alerts.md)
 
 To configure your Advanced Audit Policy settings:
 
@@ -100,7 +100,7 @@ To configure your Advanced Audit Policy settings:
 
 1. From an elevated command prompt, enter `gpupdate`.
 
-1. After you apply the policy via GPO, conform that the new events appear in the Event Viewer, under **Windows Logs** > **Security**.
+1. After you apply the policy via GPO, confirm that the new events appear in the Event Viewer, under **Windows Logs** > **Security**.
 
     To test your audit policies from the command line, run the following command:
 
@@ -114,7 +114,7 @@ For more information, see the [auditpol reference documentation](/windows-server
 
 The following actions describe how to modify your domain controller's Advanced Audit Policy settings as needed for Defender for Identity by using PowerShell.
 
-**Related health issue:** [Directory Services Advanced Auditing is not enabled as required](../health-alerts.md)
+**Related health issue:** [Directory Services Advanced Auditing isn't enabled as required](../health-alerts.md)
 
 To configure your settings, run:
 
@@ -167,7 +167,7 @@ This section describes the extra configuration steps that you need for auditing
 > - Domain group policies to collect Windows event 8004 should be applied *only* to domain controllers.
 > - When a Defender for Identity sensor parses Windows event 8004, Defender for Identity NTLM authentication activities are enriched with the server-accessed data.
 
-**Related health issue:** [NTLM Auditing is not enabled](../health-alerts.md)
+**Related health issue:** [NTLM Auditing isn't enabled](../health-alerts.md)
 
 To configure NTLM auditing:
 
@@ -192,7 +192,7 @@ To collect events for object changes, such as for event 4662, you must also conf
 > [!IMPORTANT]
 > Review and audit your policies (via the [UI](#configure-advanced-audit-policy-settings-from-the-ui) or [PowerShell](#configure-advanced-audit-policy-settings-by-using-powershell)) before you enable event collection, to ensure that the domain controllers are properly configured to record the necessary events. If this auditing is configured properly, it should have a minimal effect on server performance.
 
-**Related health issue:** [Directory Services Object Auditing is not enabled as required](../health-alerts.md)
+**Related health issue:** [Directory Services Object Auditing isn't enabled as required](../health-alerts.md)
 
 To configure domain object auditing:
 
@@ -233,7 +233,7 @@ To configure domain object auditing:
 
         ![Screenshot of selecting permissions.](../media/select-permissions.png)
 
-        Now, all relevant changes to directory services appear as 4662 events when they're triggered.
+        Now, all relevant changes to directory services appear as 4,662 events when they're triggered.
 
 1. Repeat the steps in this procedure, but for **Applies to**, select the following object types <sup>1</sup>
    - **Descendant Group Objects**
@@ -368,7 +368,7 @@ To configure auditing on Microsoft Entra Connect servers:
 
 ## Update legacy configurations
 
-Defender for Identity no longer requires logging 1644 events. If you have either of the following settings enabled, you can remove them from the registry.
+Defender for Identity no longer requires logging 1,644 events. If you have either of the following settings enabled, you can remove them from the registry.
 
 ```reg
 Windows Registry Editor Version 5.00

ATPDocs/remove-inactive-service-account.md

@@ -6,13 +6,13 @@ ms.topic: how-to
 #customer intent: As a security administrator, I want to improve security posture in my organization by removing inactive service accounts
 ---
 
-# Security Assessment: Remove Inactive Service Accounts (Preview)
+# Security Assessment: Remove Stale Service Accounts (Preview)
 
-This recommendation lists Active Directory service accounts detected as inactive (stale) within the past 180 days. 
+This recommendation lists Active Directory service accounts detected as stale within the past 90 days. 
 
-## Why do inactive service accounts pose a risk?
+## Why do stale service accounts pose a risk?
 
-Unused service accounts create significant security risks, as some of them can carry elevated privileges. If attackers gain access, the result can be substantial damage. Dormant service accounts might retain high or legacy permissions. When compromised, they provide attackers with discreet entry points into critical systems, granting far more access than a standard user account.
+Unused service accounts create significant security risks, as some of them can carry elevated privileges. If attackers gain access, the result can be substantial damage. Stale service accounts might retain high or legacy permissions. When compromised, they provide attackers with discreet entry points into critical systems, granting far more access than a standard user account.
 
 This exposure creates several risks:
 
@@ -25,10 +25,9 @@ This exposure creates several risks:
 
 To use this security assessment effectively, follow these steps:
 
-1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions ](https://security.microsoft.com/securescore?viewid=actions ) for Remove inactive service account.
-1. Review the list of exposed entities to discover which of your service account is inactive.
+1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions ](https://security.microsoft.com/securescore?viewid=actions) for Remove stale service account.
 
-    :::image type="content" source="media/okta-integration/remove-inactive-service-accounts.png" alt-text="Screenshot that shows the recommendation action to remove inactive service accounts." lightbox="media/okta-integration/remove-inactive-service-accounts.png":::
+1. Review the list of exposed entities to discover which of your service accounts are stale and have not performed any login activity in the last 90 days.
 
 1. Take appropriate actions on those entities by removing the service account. For example:
 

ATPDocs/whats-new.md

@@ -25,28 +25,59 @@ For updates about versions and features released six months ago or earlier, see
 
 ## September 2025
 
+### Microsoft Defender for Identity sensor version updates
+
+|Version number |Updates |
+|---------|---------|
+|2.248|The improved event log query method now captures a broader range of unique events at scale. As a result, you might notice an increase in captured activities. This update also delivers additional security enhancements and performance improvements.|
+
+### Updates to multiple detections to reduce noise and improve alert accuracy
+
+Several Defender for Identity detections are being updated to reduce noise and improve accuracy, making alerts more reliable and actionable. As the rollout continues, you might see a decrease in the number of alerts raised.
+
+The improvements will gradually take effect across the following detections:
+
+- Suspicious communication over DNS
+
+- Suspected Netlogon privilege elevation attempt (CVE-2020-1472)
+
+- Honeytoken authentication activity
+
+- Remote code execution attempt over DNS
+
+- Suspicious password reset by Microsoft Entra Connect account
+
+- Data exfiltration over SMB
+
+- Suspected skeleton key attack (encryption downgrade)
+
+- Suspicious modification of Resource Based Constrained Delegation by a machine account
+
+- Remote code execution attempt
+
+
 ### Unified connectors is now available for Okta Single Sign-On connectors (Preview)
 
 Microsoft Defender for Identity supports the [Unified connectors](/azure/sentinel/unified-connector) experience, starting with the Okta Single Sign-On connector. This enables Defender for Identity to collect Okta system logs once and share them across supported Microsoft security products, reducing API usage and improving connector efficiency.
 
-For more information see: [Connect Okta to Microsoft Defender for Identity (Preview)](okta-integration.md)
+For more information, see: [Connect Okta to Microsoft Defender for Identity (Preview)](okta-integration.md)
 
 
 ## August 2025
 
 ### Microsoft Entra ID risk level is now available in near real time in Microsoft Defender for Identity (Preview)
 
-Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in Advanced Hunting, and includes the Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context.
+Microsoft Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in Advanced Hunting, and includes the Microsoft Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context.
 
-Previously, Defender for Identity tenants received Entra ID risk level in the IdentityInfo table through user and entity behavior analytics (UEBA). With this update, the Entra ID risk level is now updated in near real time through Microsoft Defender for Identity.
+Previously, Defender for Identity tenants received Microsoft Entra ID risk level in the IdentityInfo table through user and entity behavior analytics (UEBA). With this update, the Microsoft Entra ID risk level is now updated in near real time through Microsoft Defender for Identity.
 
-For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Entra ID risk level to the IdentityInfo table remains unchanged.
+For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Microsoft Entra ID risk level to the IdentityInfo table remains unchanged.
 
-### New security assessment: Remove inactive service accounts (Preview)
+### New security assessment: Remove stale service accounts (Preview)
 
-Microsoft Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been inactive (stale) for the past 180 days, to help you mitigate security risks associated with unused accounts.
+Microsoft Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been stale for the past 90 days, to help you mitigate security risks associated with unused accounts.
 
-For more information, see: [Security Assessment: Remove Inactive Service Accounts (Preview)](remove-inactive-service-account.md)
+For more information, see: Security Assessment: [Remove Stale Service Accounts (Preview)](/defender-for-identity/remove-inactive-service-account)
 
 ### New Graph based API for response actions (preview) 
 
@@ -478,7 +509,7 @@ Defender for Identity added the new **Edit insecure ADCS certificate enrollment
 
 Active Directory Certificate Services (AD CS) supports certificate enrollment through various methods and protocols, including enrollment via HTTP using the Certificate Enrollment Service (CES) or the Web Enrollment interface (Certsrv). Insecure configurations of the CES or Certsrv IIS endpoints might create vulnerabilities to relay attacks (ESC8).
 
-The new **Edit insecure ADCS certificate enrollment IIS endpoints (ESC8)** recommendation is added to other AD CS-related recommendations recently released. Together, these assessments offer security posture reports that surface security issues and severe misconfigurations that post risks to the entire organization, together with related detections.
+The new **Edit insecure ADCS certificate enrollment IIS endpoints (ESC8)** recommendation is added to other AD CS-related recommendations recently released. Together, these assessments offer security posture reports that surface security issues and severe misconfigurations that pose risks to the entire organization, together with related detections.
 
 For more information, see:
 

CloudAppSecurityDocs/app-governance-app-policies-get-started.md

@@ -1,8 +1,9 @@
 ---
 title: Get started with app governance policies | Microsoft Defender for Cloud Apps
-ms.date: 05/28/2023
+ms.date: 08/31/2025
 ms.topic: how-to
 description: Get started learning about app governance policies with Microsoft Defender for Cloud Apps in Microsoft Defender XDR
+ms.reviewer: shragar456
 ---
 
 # Get started with app policies
@@ -23,22 +24,21 @@ To see your list of current app policies, go to the **Microsoft Defender XDR > A
 
 For example:
 
-![Screenshot of the app governance policies summary page in Microsoft Defender XDR.](media/app-governance-app-policies-get-started/azure-ad-policies.jpg)
+:::image type="content" source="media/app-governance-app-policies-get-started/app-governance-app-policies.png" alt-text="Screenshot that shows the app governance app polcies." lightbox="media/app-governance-app-policies-get-started/app-governance-app-policies.png":::
 
 > [!NOTE]
 > Built-in threat detection policies aren't listed on the **Policies** tab. For more information, see [Investigate threat detection alerts](app-governance-anomaly-detection-alerts.md).
 > 
 
 ## What’s available on the app policies dashboard
 
-The **App governance** > **Policies** tab shows the number of active, inactive, and audit mode policies, and the following information for each policy:
+The **App governance** > **Policies** tab shows the number of active and disabled policies, and the following information for each policy:
 
 - **Policy name**
 - **Status**
 
   - **Active**:  All policy evaluation and actions are active.
-  - **Inactive**: All policy evaluation and actions are disabled.
-  - **Audit mode**: Policy evaluation is active (alerts will trigger) but policy actions are disabled.
+  - **Disabled**: All policy evaluation and actions are disabled.
 
 - **Severity**: Severity level set on any alerts triggered because of this policy being evaluated as true, which is part of the configuration of the policy.
 - **Active alerts**: Number of alerts generated by the policy that have an **In Progress** or **New** status.
@@ -74,22 +74,24 @@ You can also:
 
 1. Select **Edit**.
 
-    While you can't change the name of the policy once created, but you can change the description and policy severity as needed. When you're done, select **Next**.
+    While you can't change the name of the policy once created, you can change the description and policy severity as needed. When you're done, select **Next**.
 
 1. Choose whether you want to continue with the existing policy settings or customize them. Select **No, I'll customize the policy** to make changes, and then select **Next**.
 
-1. Choose whether this policy applies to all apps, specific apps, or all apps except the apps you select. Select **Choose apps** to select which apps to apply the policy to, and then select **Next**.
+1. Choose whether this policy applies to all apps, specific apps, or all apps except the apps you select. 
+
+1. Select **Choose apps** to select which apps to apply the policy to, and then select **Next**.
 
 1. Choose whether to modify the existing conditions of the policy. 
 
     - If you choose to modify the conditions, select **Edit or modify existing conditions for the policy** and choose which policy conditions to apply. 
     - Otherwise, select **Use existing conditions of the policy**. 
 
-    When you're done, select **Next**.
+1. When you're done, select **Next**.
 
 1. Choose whether to disable the app if it triggers the policy conditions and then select **Next**.
 
-1. Set the policy status to **Audit** mode, **Active**, or **Inactive**, as needed, and then select **Next**.
+1. Set the policy status to **Active**, or **Disabled**, as needed, and then select **Next**.
 
 1. Review your setting choices for the policy and if everything is the way you want it, select **Submit**.