
Commit 9e34963

Merge branch 'main' into patch-4
2 parents 5c5c384 + acd2a0f commit 9e34963

6 files changed

+35
-27
lines changed

defender-for-identity/deploy/active-directory-federation-services.md

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ These considerations apply:
1818

1919
## Prerequisites
2020

21-
Prerequisites for installing Defender for Identity sensors on AD FS, AD CS, or Microsoft Entra Connect servers are the can be found in [Microsoft Defender for Identity prerequisites](prerequisites-sensor-version-2.md) article.
21+
Prerequisites for installing Defender for Identity sensors on AD FS, AD CS, or Microsoft Entra Connect servers can be found in [Microsoft Defender for Identity prerequisites](prerequisites-sensor-version-2.md) article.
2222

2323
A sensor installed on an AD FS, AD CS, or Microsoft Entra Connect server can't use the local service account to connect to the domain. Instead, you need to configure a [Directory Service Account](directory-service-accounts.md).
2424

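Review bot: the corrected sentence at 21+ still drops an article before the link; it now reads "can be found in [Microsoft Defender for Identity prerequisites](prerequisites-sensor-version-2.md) article." Suggest "can be found in the [Microsoft Defender for Identity prerequisites](prerequisites-sensor-version-2.md) article." (or end the sentence at the link and drop "article").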
defender-xdr/incidents-overview.md

Lines changed: 6 additions & 6 deletions
@@ -7,7 +7,7 @@ f1.keywords:
77
ms.author: guywild
88
author: guywi-ms
99
ms.localizationpriority: medium
10-
manager: raynew
10+
manager: orspodek
1111
audience: ITPro
1212
ms.collection:
1313
- m365-security
@@ -19,7 +19,7 @@ ms.topic: concept-article
1919
search.appverid:
2020
- MOE150
2121
- MET150
22-
ms.date: 11/14/2024
22+
ms.date: 07/27/2025
2323
appliesto:
2424
- Microsoft Defender XDR
2525
- Microsoft Sentinel in the Microsoft Defender portal
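Review bot: ms.date at 22+ is set to 07/27/2025, but the content this commit adds to the same article (the Microsoft Threat Intelligence alerts bullet) is listed under November 2025 in both defender-xdr/whats-new.md and unified-secops-platform/whats-new.md in this same change; set the date to when this update ships so the freshness metadata is not months behind the feature it describes.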
@@ -51,15 +51,15 @@ Incidents also provide you with a framework for managing and documenting your in
5151

5252
## Alert sources and threat detection
5353

54-
Alerts in the Microsoft Defender portal come from many sources. These sources include the many services that are part of Microsoft Defender XDR, as well as other services with varying degrees of integration with the Microsoft Defender portal.
54+
Alerts in the Microsoft Defender portal come from many sources. These sources include the many services that are part of Microsoft Defender XDR, as well as other services with varying degrees of integration with the Microsoft Defender portal.
5555

5656
For example, when Microsoft Sentinel is [onboarded](/unified-secops-platform/microsoft-sentinel-onboard) to the Microsoft Defender portal, the correlation engine in the Defender portal has access to all the raw data ingested by Microsoft Sentinel, which you can find in Defender's **Advanced hunting** tables.
5757

58-
Microsoft Defender XDR itself also creates alerts. Defender XDR's unique correlation capabilities provide another layer of data analysis and threat detection for all the non-Microsoft solutions in your digital estate. These detections produce Defender XDR alerts, in addition to the alerts already provided by Microsoft Sentinel's analytics rules.
58+
- Microsoft Sentinel customers using the Defender portal, or who are using the Azure portal with the [Microsoft Sentinel Defender XDR data connector](/azure/sentinel/connect-microsoft-365-defender), also benefit from Microsoft Threat Intelligence alerts that highlight activity from nation state actors, such as ransomware campaigns and fraudulent operations. For customers without E5 licenses or Microsoft Sentinel, these alerts are available only in the Microsoft 365 Admin Center (MAC).
5959

60-
Within each of these sources, there are one or more threat detection mechanisms that produce alerts based on the rules defined in each mechanism.
60+
- Microsoft Defender XDR itself also creates alerts. Defender XDR's unique correlation capabilities provide another layer of data analysis and threat detection for all the non-Microsoft solutions in your digital estate. These detections produce Defender XDR alerts, in addition to the alerts already provided by Microsoft Sentinel's analytics rules.
6161

62-
For example, Microsoft Sentinel has at least four different engines that produce different types of alerts, each with its own rules.
62+
Within each of these sources, there are one or more threat detection mechanisms that produce alerts based on the rules defined in each mechanism. For example, Microsoft Sentinel has at least four different engines that produce different types of alerts, each with its own rules.
6363

6464
## Tools and methods for investigation and response
6565

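Review bot: the new 58+ bullet diverges from the what's-new entries added in this same commit: it writes "nation state actors, such as ransomware campaigns and fraudulent operations", which makes ransomware campaigns read as an example of nation-state activity, whereas both whats-new.md files list "nation-state actors, major ransomware campaigns, and fraudulent operations" as three separate categories; align the wording here and hyphenate nation-state. This article is also where whats-new.md sends readers "for more information", yet the role requirement (Security Administrator or Global Administrator) and the Service Source, Detection Source and Product Name value of Microsoft Threat Intelligence stated in whats-new.md are not mentioned here; add them so the linked article is at least as complete as the announcement.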
defender-xdr/shield-predict-threats-manage.md

Lines changed: 5 additions & 5 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: Manage predictive shielding in Microsoft Defender XDR
3-
description: Manage the predictive shielding feature in Microsoft Defender XDR.
2+
title: Manage predictive shielding in Microsoft Defender
3+
description: Manage the predictive shielding feature in Microsoft Defender.
44
ms.service: defender-xdr
55
f1.keywords:
66
- NOCSH
@@ -24,19 +24,19 @@ appliesto:
2424
- Microsoft Defender for Endpoint
2525
---
2626

27-
# Manage predictive shielding in Microsoft Defender XDR (Preview)
27+
# Manage predictive shielding in Microsoft Defender (Preview)
2828

2929
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
3030

3131
[!INCLUDE [Prerelease information](../includes/prerelease.md)]
3232

33-
Microsoft Defender XDR uses predictive shielding (Preview) as a proactive defense strategy designed to anticipate and mitigate threats before they materialize. Learn [how predictive shielding works](shield-predict-threats.md#how-predictive-shielding-works) to dynamically infer risk, anticipate attacker progression, and harden your environment.
33+
Microsoft Defender uses predictive shielding (Preview) as a proactive defense strategy designed to anticipate and mitigate threats before they materialize. Learn [how predictive shielding works](shield-predict-threats.md#how-predictive-shielding-works) to dynamically infer risk, anticipate attacker progression, and harden your environment.
3434

3535
This article describes how to manage predictive shielding so that you can enrich your prediction data and understand how predictive shielding actions are applied in your environment.
3636

3737
## Review predictive shielding details and results
3838

39-
The incident view in Microsoft Defender XDR includes built-in predictive shielding details. Use the incident graph and activity information to assess the predictive shielding impact and status.
39+
The incident view in Microsoft Defender includes built-in predictive shielding details. Use the incident graph and activity information to assess the predictive shielding impact and status.
4040

4141
> [!TIP]
4242
> To enrich your predictive shielding data, we recommend that you use the Microsoft Defender for Identity sensor to improve security insights and expand coverage. For more information, see [Enrich predictive shielding data](#enrich-predictive-shielding-data).

defender-xdr/shield-predict-threats.md

Lines changed: 13 additions & 13 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: Predictive shielding in Microsoft Defender XDR
2+
title: Predictive shielding in Microsoft Defender
33
description: Predictive shielding dynamically infers risk, anticipates attacker progression, and hardens your environment.
44
ms.service: defender-xdr
55
f1.keywords:
@@ -24,23 +24,23 @@ appliesto:
2424
- Microsoft Defender for Endpoint
2525
---
2626

27-
# Predictive shielding in Microsoft Defender XDR (Preview)
27+
# Predictive shielding in Microsoft Defender (Preview)
2828

2929
[!INCLUDE [Prerelease information](../includes/prerelease.md)]
3030

3131
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
3232

33-
Predictive shielding (Preview) is a proactive defense strategy designed to anticipate and mitigate threats as part of an ongoing attack. Predictive shielding [expands the Microsoft Defender XDR autonomous protection stack](#how-predictive-shielding-expands-on-automatic-attack-disruption), enhancing automatic attack disruption capabilities with proactive measures.
33+
Predictive shielding (Preview) is a proactive defense strategy designed to anticipate and mitigate threats as part of an ongoing attack. Predictive shielding [expands the Microsoft Defender autonomous protection stack](#how-predictive-shielding-expands-on-automatic-attack-disruption), enhancing automatic attack disruption capabilities with proactive measures.
3434

3535
This article provides an overview of predictive shielding so that you can understand its capabilities and how it enhances your security posture.
3636

37-
Learn [how predictive shielding works](#how-predictive-shielding-works) or how to [manage predictive shielding in Microsoft Defender XDR](shield-predict-threats-manage.md).
37+
Learn [how predictive shielding works](#how-predictive-shielding-works) or how to [manage predictive shielding in Microsoft Defender](shield-predict-threats-manage.md).
3838

3939
## How predictive shielding expands on automatic attack disruption
4040

4141
The evolving threat landscape creates an imbalance: defenders must secure every asset, while attackers need only one opening. Traditional defenses are reactive, responding after malicious activity begins. This approach leaves defenders chasing attackers, who often act too quickly or subtly to detect in real time. While some attacker behaviors must be blocked outright, static prevention disrupts productivity and adds operational overhead.
4242

43-
To address these challenges, predictive shielding enhances Defender XDR's autonomous protection stack, expanding [attack disruption](automatic-attack-disruption.md) to include proactive measures during an attack, anticipating risks and applying targeted protections only where needed.
43+
To address these challenges, predictive shielding enhances Defender's autonomous protection stack, expanding [attack disruption](automatic-attack-disruption.md) to include proactive measures during an attack, anticipating risks and applying targeted protections only where needed.
4444

4545
This proactive approach reduces the reactive chase, minimizes operational burden, maintains usability, and protects the environment before attackers can advance.
4646

@@ -58,7 +58,7 @@ Predictive shielding relies on two pillars:
5858

5959
- **Prediction**
6060
- Involves analyzing threat intelligence, attacker behavior, past incidents, and organizational exposure.
61-
- Defender XDR uses this prediction data to identify emerging risks, to understand likely attack progression, and to infer risk on noncompromised assets.
61+
- Defender uses this prediction data to identify emerging risks, to understand likely attack progression, and to infer risk on noncompromised assets.
6262
- **Enforcement** applies preventative protective controls to disrupt potential attack paths in real time.
6363

6464
This dual approach ensures that protection is both precise and timely.
@@ -67,7 +67,7 @@ This dual approach ensures that protection is both precise and timely.
6767

6868
Prediction allows organizations to identify assets at risk and apply tailored protections in real time. Prediction focuses on emerging risks rather than static prevention, which minimizes operational friction and ensures that security measures are applied precisely where needed. For example, if a specific attacker tool is detected, predictive shielding can infer the next likely target based on past attack patterns.
6969

70-
Defender XDR uses multiple layers of insight to make accurate predictions:
70+
Defender uses multiple layers of insight to make accurate predictions:
7171

7272
- Threat intelligence aligns observed activity with known attacker tools and tactics.
7373
- Learnings from past incidents are used to recognize statistical patterns, and extrapolate the most probable next steps.
@@ -79,15 +79,15 @@ Together, these insights create a dynamic understanding of the environment and i
7979

8080
Graph-based prediction logic bridges the gap between pre-breach and post-breach systems, providing a unified view of attacker activity across the organizational topology. This unified view includes the organization's assets, connections, and vulnerabilities. Graph-based logic combines live activity data with the structural map of the environment.
8181

82-
This integration allows Defender XDR to dynamically adjust protections based on the most critical vulnerabilities, enabling real-time prioritization of defenses and stopping attackers before they reach critical assets.
82+
This integration allows Defender to dynamically adjust protections based on the most critical vulnerabilities, enabling real-time prioritization of defenses and stopping attackers before they reach critical assets.
8383

8484
The process involves three key stages:
8585

86-
1. Defender XDR overlays post-breach activity onto the organization’s exposure graph, creating a comprehensive view of potential attack paths.
87-
1. Defender XDR identifies the blast radius—the related assets that the identified activity might affect.
86+
1. Defender overlays post-breach activity onto the organization’s exposure graph, creating a comprehensive view of potential attack paths.
87+
1. Defender identifies the blast radius—the related assets that the identified activity might affect.
8888
1. Reasoning models predict paths attackers are most likely to take, factoring in past behaviors, asset characteristics, and environmental vulnerabilities.
8989

90-
This dynamic understanding allows Defender XDR to move beyond reactive responses, enabling just-in-time protection that stops attackers before they reach critical assets.
90+
This dynamic understanding allows Defender to move beyond reactive responses, enabling just-in-time protection that stops attackers before they reach critical assets.
9191

9292
## Predictive shielding actions
9393

@@ -104,7 +104,7 @@ Predictive shielding uses Defender for Endpoint-based actions. To use these acti
104104
105105
## Next steps
106106

107-
- [Manage predictive shielding in Microsoft Defender XDR](shield-predict-threats-manage.md) - Learn how to manage predictive shielding actions and investigate their impact in your environment.
108-
- [Automatic attack disruption in Microsoft Defender XDR](automatic-attack-disruption.md) - Learn how automatic attack disruption works to identify and neutralize confirmed malicious activities.
107+
- [Manage predictive shielding in Microsoft Defender](shield-predict-threats-manage.md) - Learn how to manage predictive shielding actions and investigate their impact in your environment.
108+
- [Automatic attack disruption in Microsoft Defender](automatic-attack-disruption.md) - Learn how automatic attack disruption works to identify and neutralize confirmed malicious activities.
109109

110110
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
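Review bot: not part of the rename, but visible in the trailing context at 110: the include is labelled "Microsoft Defender XDR rebranding" while the file it pulls in is ../includes/defender-m3d-techcommunity.md; the same label at line 31 of this file and line 29 of shield-predict-threats-manage.md points at ../includes/microsoft-defender.md, so the label at 110 looks copy-pasted and should describe the tech community include it actually references.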

defender-xdr/whats-new.md

Lines changed: 3 additions & 1 deletion
@@ -33,6 +33,7 @@ For more information on what's new with other Microsoft Defender security produc
3333
You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
3434

3535
## November 2025
36+
- Microsoft Sentinel customers using the Defender portal, or the Azure portal with the Microsoft Sentinel Defender XDR data connector, now also benefit from Microsoft Threat Intelligence alerts that highlight activity from nation-state actors, major ransomware campaigns, and fraudulent operations. To view these alert types, you must have the **Security Administrator** or **Global Administrator** role. The **Service Source**, **Detection Source**, and **Product Name** values for these alerts are listed as *Microsoft Threat Intelligence*. For more information, see [Incidents and alerts in the Microsoft Defender portal](incidents-overview.md).
3637
- (Preview) Defender XDR now includes the **predictive shielding** capability, which uses predictive analytics and real-time insights to dynamically infer risk, anticipate attacker progression, and harden your environment before threats materialize. [Learn more](shield-predict-threats.md)
3738
- (Preview) The [Microsoft Security Copilot Threat Intelligence Briefing Agent in Microsoft Defender](threat-intel-briefing-agent-defender.md) is now available for preview. It generates threat intelligence briefings based on the latest threat actor activity and both internal and external vulnerability information in a matter of minutes, helping security teams save time by creating customized, relevant reports.
3839
- (Preview) A new **Restrict pod access** response action is now available when [investigating container threats](investigate-respond-container-threats.md) in the Defender portal. This response action blocks sensitive interfaces that allow lateral movement and privilege escalation.
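Review bot: the new 36+ bullet is the only entry under November 2025 without a status prefix; every other bullet in this list opens with (Preview) or (GA). Add the matching prefix so readers can tell the rollout state of the Microsoft Threat Intelligence alerts at a glance, and keep the wording in step with the bullet added to incidents-overview.md in this same commit (which currently says "nation state actors, such as ransomware campaigns").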
@@ -69,11 +70,12 @@ You can also get product updates and important notifications through the [messag
6970

7071

7172
## July 2025
72-
- (Preview) The [`GraphApiAuditEvents`](advanced-hunting-graphapiauditevents-table.md) table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant.
7373

74+
- (Preview) The [`GraphApiAuditEvents`](advanced-hunting-graphapiauditevents-table.md) table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant.
7475
- (Preview) The [`DisruptionAndResponseEvents`](advanced-hunting-disruptionandresponseevents-table.md) table, now available in advanced hunting, contains information about [automatic attack disruption](automatic-attack-disruption.md) events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads. Increase your visibility and awareness of active, complex attacks disrupted by attack disruption to understand the attacks' scope, context, impact, and actions taken.
7576

7677
## June 2025
78+
7779
- (Preview) Microsoft Copilot now provides suggested prompts as part of incident summaries in the Microsoft Defender portal. Suggested prompts help you get more insights into the specific assets involved in an incident. For more information, see [Summarize incidents with Microsoft Copilot in Microsoft Defender](security-copilot-m365d-incident-summary.md).
7880
- (GA) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-adx-operator-for-azure-data-explorer-queries), Microsoft Defender portal users can now use the `adx()` operator to query tables stored in Azure Data Explorer. You no longer need to go to log analytics in Microsoft Sentinel to use this operator if you're already in Microsoft Defender.
7981

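Review bot: this hunk normalizes a blank line after the July 2025 and June 2025 headings (74+, 78+) but leaves the two consecutive blank lines at 70 and 71 directly before ## July 2025; collapse them to one so heading spacing is consistent across the file.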
unified-secops-platform/whats-new.md

Lines changed: 7 additions & 1 deletion
@@ -21,9 +21,15 @@ ms.topic: concept-article
2121

2222
This article lists recent features added for unified security operations in the Microsoft Defender portal.
2323

24-
2524
## November 2025
2625

26+
27+
### Microsoft Threat Intelligence alert enhancements for Microsoft Sentinel customers in the Defender portal
28+
29+
Microsoft Sentinel customers using the Defender portal, or the Azure portal with the Microsoft Sentinel Defender XDR data connector, now also benefit from Microsoft Threat Intelligence alerts that highlight activity from nation-state actors, major ransomware campaigns, and fraudulent operations. To view these alert types, you must have the **Security Administrator** or **Global Administrator** role. The **Service Source**, **Detection Source**, and **Product Name** values for these alerts are listed as *Microsoft Threat Intelligence*.
30+
31+
For more information, see [Incidents and alerts in the Microsoft Defender portal](/defender-xdr/incidents-overview).
32+
2733
### New Entity Behavior Analytics (UEBA) experiences in the Defender portal (Preview)
2834

2935
Microsoft Sentinel introduces new UEBA experiences in the Defender portal, bringing behavioral insights directly into key analyst workflows. These enhancements help analysts prioritize investigations and apply UEBA context more effectively.
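Review bot: the new paragraph at 29+ mentions "the Azure portal with the Microsoft Sentinel Defender XDR data connector" without a link, whereas the equivalent sentence added to defender-xdr/incidents-overview.md in this same commit links the connector to /azure/sentinel/connect-microsoft-365-defender; add the same link here. Also, 26+ inserts a second blank line between ## November 2025 (line 24) and the new ### heading, since line 25 was already blank; drop one of them.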