Merge branch 'main' into WI425757-release-note-executive-summary-report

Author: DeCohen

ATPDocs/investigate-security-alerts.md

@@ -11,9 +11,7 @@ Investigate alerts that are affecting your environment, understand what they mea
 
 Begin your investigation by selecting an alert from the **Alerts** page in the Microsoft Defender portal. The alerts page displays a list of all security alerts generated by Defender for Identity, including their severity, status, and impacted assets. Selecting an alert opens the alert page, which contains the alert title, the affected assets, the details side pane, and in some cases, an alert story.
 
-> [!NOTE]
-> The **alert story** and **export to Excel** options are only available for alerts that use the classic Defender for Identity structure.  
-> For more information about differences in how alerts are presented in the Defender portal, see [View and manage alerts](understanding-security-alerts.md).
+
 
 ## Investigate using the alert story
 
@@ -25,6 +23,10 @@ The Important information section includes additional technical details that sup
 
 Together, the alert story, alert graph, and Important information give you a complete picture of the alert. They help you understand what triggered the alert, which entities were involved, and whether the activity requires further investigation or action.
 
+> [!NOTE]
+> The **alert story** is only visible for alerts that use the classic Defender for Identity structure. 
+> For more information about differences in how alerts are presented in the Defender portal, see [View and manage alerts](understanding-security-alerts.md).
+
 ## Take action from the details pane
 Once you've selected an alert of interest, the details pane changes to display information about the selected alert, historic information when it's available, and offer recommended actions to take action on this alert.
 
@@ -35,6 +37,10 @@ Once you're done investigating, go back to the alert you started with, mark the
 
 To get more details on a security alert, select **Export** on an alert details page to download the detailed Excel alert report.
 
+> [!NOTE]
+> The **export to Excel** option is also only available for alerts that use the classic Defender for Identity structure.
+> For more information about differences in how alerts are presented in the Defender portal, see [View and manage alerts](understanding-security-alerts.md).
+
 
 The downloaded file includes summary details about the alert on the first tab, including:
 

ATPDocs/media/okta-integration/okta-permissions.png

@@ -100,9 +100,8 @@ After assigning both roles, you can remove the Super Admin role. This ensures th
 1. Select **Create new role**.
 1. Set the role name to **Microsoft Defender for Identity**.
 1. Select the permissions you want to assign to this role. Include the following permissions:
-    - **Suspend users**
-    - **Unsuspend users**
-    - **Clear users’ session**
+    - **Edit user's lifecycle states**
+    - **Edit user's authenticator operations**
     - **View roles, resources, and admin assignments**
 1. Select **Save role**.
 

ATPDocs/okta-integration.md

@@ -58,6 +58,8 @@ The sensors page provides the following information about each sensor:
 
   * **Standalone sensor**
 
+  * **Entra Connect sensor**. If your sensor is installed on a domain controller server with Entra Connect configured, such as in a testing environment, the sensor type is shown as **Domain controller sensor** instead.
+ 
   * **ADCS sensor** (Active Directory Certificate Services). If your sensor is installed on a domain controller server with AD CS configured, such as in a testing environment, the sensor type is shown as **Domain controller sensor** instead.
 
 * **Domain**: Displays the fully qualified domain name of the Active Directory domain where the sensor is installed.
@@ -186,9 +188,9 @@ Every few minutes, Defender for Identity sensors check whether they have the lat
 
 1. Sensors selected for **Delayed update** start their update process 72 hours after the Defender for Identity cloud service is updated. These sensors will then use the same update process as automatically updated sensors.
 
-For any sensor that fails to complete the update process, a relevant [health alert](health-alerts.md#sensor-outdated) is triggered, and is sent as a notification.
+    For any sensor that fails to complete the update process, a relevant [health alert](health-alerts.md#sensor-outdated) is triggered, and is sent as a notification.
 
-![Sensor update failure.](media/sensor-outdated.png)
+    ![Sensor update failure.](media/sensor-outdated.png)
 
 ### Silently update the Defender for Identity sensor
 

ATPDocs/sensor-settings.md

@@ -1,7 +1,7 @@
 ---
 title:  Microsoft Defender for Cloud Apps – privacy
 description: Learn about how Microsoft Defender for Cloud Apps manages user privacy.
-ms.date: 11/24/2024
+ms.date: 06/17/2025
 ms.topic: concept-article
 ---
 # Privacy with Microsoft Defender for Cloud Apps
@@ -22,7 +22,7 @@ Microsoft Defender for Cloud Apps collects information from your configured clou
 - User and group configurations
 
 > [!NOTE]
-> The data collected from the various applications is dependent on the customer-provided data from the various applications and may include personal information.
+> The data collected from the various applications is dependent on the customer-provided data from the various applications and might include personal information.
 
 ## Data storage location
 
@@ -31,7 +31,7 @@ Defender for Cloud Apps operates in the Microsoft Azure data centers in the foll
 |Customer provisioning location  |Data storage location  |
 |---------|---------|
 |**Customers whose tenants are provisioned in the United States**     |  United States       |
-|**Customers whose tenants are provisioned in the European Union or the United Kingdom**     |    Either the European Union and/or the United Kingdom      |
+|**Customers whose tenants are provisioned in the European Union or the United Kingdom**     |    The European Union or the United Kingdom, depending on service availability.      |
 |**Customers whose tenants are provisioned in any other region**     |     The United States and/or a data center in the region that's nearest to the location of where the customer's Microsoft Entra tenant has been provisioned.    |
 
 In addition to the locations above, the App Governance features within Defender for Cloud Apps operate in the Microsoft Azure data centers in the following geographical regions listed below. Customer with App Governance enabled will have data stored within the data storage location the customer provisions in above, and in a second data storage location as described below: 
@@ -52,7 +52,13 @@ In addition to the locations above, the App Governance features within Defender
 
 Customer data collected by Defender for Cloud Apps is either stored in your tenant location, as described in the previous tables, or in the geographic location of another online service that Defender for Cloud Apps shares data with, as defined by the data storage rules of that online service.
 
-If Defender for Cloud Apps data is stored in your tenant location, your tenant isn't movable after having been created. To view your Defender for Cloud Apps tenant location in the Microsoft Defender portal, go to **Settings > Cloud Apps > About > Region**.
+
+### View your data storage location
+
+To view your Defender for Cloud Apps tenant location in the Microsoft Defender portal, go to **Settings > Cloud Apps > About > Region**.
+
+> [!NOTE]
+> If Defender for Cloud Apps data is stored in your tenant location, your tenant isn't movable after having been created.
  
 ## Data retention
 
@@ -62,7 +68,7 @@ Your data is kept and is available to you while the license is under grace perio
 
 ## Data sharing for Microsoft Defender for Cloud Apps
 
-Defender for Cloud Apps shares data, including customer data, among the following Microsoft products also licensed by the customer. For customers in the Government Community Cloud (GCC), data sharing between government and commercial cloud environments may occur, depending on the location of the service offering.
+Defender for Cloud Apps shares data, including customer data, among the following Microsoft products also licensed by the customer. For customers in the Government Community Cloud (GCC), data sharing between government and commercial cloud environments might occur, depending on the location of the service offering.
 
 - Microsoft Defender XDR
 - Microsoft Defender for Cloud

CloudAppSecurityDocs/anomaly-detection-policy.md

@@ -17,6 +17,12 @@ Key points:
 - Resolving usernames is done ad-hoc, per-username by deciphering a given encrypted username.
 - Anonymization capabilities aren't supported when using the "Defender for Cloud Apps Proxy" stream.
 
+## Prerequisites
+
+To resolve (deanonymize) usernames in Cloud Discovery data:
+
+- You must have the [Cloud Discovery global admin](manage-admins.md#built-in-admin-roles-in-defender-for-cloud-apps) role with anonymization permissions enabled during role assignment.
+
 ## How data anonymization works
 
 1. There are three ways to apply data anonymization:

CloudAppSecurityDocs/cas-compliance-trust.md

@@ -2,17 +2,16 @@
 title: Work with discovered apps via Graph API | Microsoft Defender for Cloud Apps
 description: Learn how to work with apps discovered by Microsoft Defender for Cloud Apps via Graph API.
 ms.topic: how-to #Don't change
-ms.date: 06/24/2024
-
+ms.date: 06/18/2025
 #customer intent: As a security engineer, I want to work with discovered apps via API so that I can customize and automate the Microsoft Defender for Cloud Apps **Discovered apps** page functionality.
-
 ---
 
 # Work with discovered apps via Graph API (Preview)
 
 Microsoft Defender for Cloud Apps supports a Microsoft Graph API that you can use to work with discovered cloud apps, to customize and automate the **Discovered apps** page functionality in the Microsoft Defender portal.
 
-This article provides sample procedures for using the [uploadedStreams API](/graph/api/security-datadiscoveryreport-list-uploadedstreams?view=graph-rest-beta) for common purposes.
+This article provides sample procedures for using the [uploadedStreams API](/graph/api/security-datadiscoveryreport-list-uploadedstreams?view=graph-rest-beta&preserve-view=true&tabs=http) for common purposes.
+
 
 ## Prerequisites
 
@@ -22,7 +21,7 @@ Before you start using the Graph API, make sure to create an app and get an acce
 
 - Take note of your app secret and copy its value to use later on in your scripts.
 
-You'll also need cloud app data streaming into Microsoft Defender for Cloud Apps.
+- You need cloud app data streaming into Microsoft Defender for Cloud Apps.
 
 For more information, see:
 
@@ -36,7 +35,7 @@ For more information, see:
 To get a high level summary of all the data available on your **Discovered apps** page, run the following GET command:
 
 ```http
-GET https://graph.microsoft.com/beta/dataDiscovery/cloudAppDiscovery/uploadedStreams
+GET https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams
 ```
 
 To drill down to data for a specific stream:
@@ -88,4 +87,4 @@ GET  https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery
 
 ## Related content
 
-For more information, see [Working with discovered apps](discovered-apps.md) and the [Microsoft Graph API reference](/graph/api/resources/security-cloudappdiscovery-overview?view=graph-rest-beta).
+For more information, see [Working with discovered apps](discovered-apps.md) and the [Microsoft Graph API reference](/graph/api/resources/security-cloudappdiscovery-overview?view=graph-rest-beta&preserve-view=true).

CloudAppSecurityDocs/cloud-discovery-anonymizer.md

@@ -59,7 +59,9 @@ The following governance actions can be taken for connected apps either on a spe
 
   - **Trash** – Move the file to the trash folder. (Box, Dropbox, Google Drive, OneDrive, SharePoint, Cisco Webex)
 
-   ![policy_create alerts.](media/policy_create-alerts.png)
+      :::image type="content" source="media/governance-actions/governance-actions-box.png" alt-text="Screenshot that shows the available file governance actions for Box and Dropbox." lightbox="media/governance-actions/governance-actions-box.png":::
+
+
 
 ## Malware governance actions (Preview)
 
@@ -81,7 +83,7 @@ The following governance actions can be taken for connected apps either on a spe
 
   - **Trash** – Move the file to the trash folder. (Box, Dropbox, Google Drive, OneDrive, SharePoint)
 
-:::image type="content" source="media/governance-actions/image1.png" alt-text="Malware governance actions.":::
+:::image type="content" source="media/governance-actions/governance-actions-dropbox-google-workspace.png" alt-text="Screenshot that shows malware governance actions." lightbox="media/governance-actions/governance-actions-dropbox-google-workspace.png":::
 
 > [!NOTE]
 > In SharePoint and OneDrive, Defender for Cloud Apps supports user quarantine only for files in Shared Documents libraries (SharePoint Online) and files in the Documents library (OneDrive for Business).

CloudAppSecurityDocs/discovered-apps-api-graph.md

@@ -11,6 +11,17 @@ ms.topic: how-to
 
 Microsoft Defender for Cloud Apps provides security detections and alerts for malicious activities. The purpose of this guide is to provide you with general and practical information on each alert, to help with your investigation and remediation tasks. Included in this guide is general information about the conditions for triggering alerts. However, it's important to note that since anomaly detections are nondeterministic by nature, they're only triggered when there's behavior that deviates from the norm. Finally, some alerts might be in preview, so regularly review the official documentation for updated alert status.
 
+> [!IMPORTANT]
+> Starting June 2025, Microsoft Defender for Cloud Apps began transitioning anomaly detection policies to a dynamic threat detection model. This model automatically adapts detection logic to the evolving threat landscape, keeping detections current without manual configuration or policy updates. As part of these improvements to overall security, and to provide more accurate and timely alerts, several legacy policies have been disabled:
+> 
+> - Activity from suspicious IP addresses
+> - Suspicious inbox manipulation rules
+> - Suspicious email deletion activity
+> - Activity from anonymous IP addresses
+> - Suspicious inbox forwarding
+>
+> You will continue to receive the same standard of protection without disruption to your existing security coverage. No action is required from your side.
+
 ## MITRE ATT\&CK
 
 To explain and make it easier to map the relationship between Defender for Cloud Apps alerts and the familiar MITRE ATT\&CK Matrix, we've categorized the alerts by their corresponding MITRE ATT\&CK tactic. This extra reference makes it easier to understand the suspected attacks technique potentially in use when a Defender for Cloud Apps alert is triggered.
@@ -52,6 +63,9 @@ This section describes alerts indicating that a malicious actor might be attempt
 
 ### Activity from anonymous IP address
 
+> [!NOTE]
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Activity from a TOR IP address** and **Anonymous proxy activity**.
+
 **Description**
 
 Activity from an IP address that has been identified as an anonymous proxy IP address by Microsoft Threat Intelligence or by your organization. These proxies can be used to hide a device's IP address and might be used for malicious activities.
@@ -101,6 +115,9 @@ Detecting anomalous locations requires an initial learning period of seven days
 
 ### Activity from suspicious IP addresses
 
+> [!NOTE]
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Successful logon from a suspicious IP address**.
+
 Activity from an IP address that has been identified as risky by Microsoft Threat Intelligence or by your organization. These IP addresses were identified as being involved in malicious activities, such as performing password spray, botnet command and control (C&C), and might indicate a compromised account.
 
 **TP**, **B-TP**, or **FP**?
@@ -317,6 +334,9 @@ Activities in a single session indicating that, a user performed suspicious chan
 
 ### Suspicious email deletion activity (by user)
 
+> [!NOTE]
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Suspicious email deletion activity**.
+
 Activities in a single session indicating that, a user performed suspicious email deletions. The deletion type was the "hard delete" type, which makes the email item deleted and not available in the user's mailbox. The deletion was made from a connection that includes uncommon preferences such as ISP, country/region, and user agent. This can indicate an attempted breach of your organization, such as attackers attempting to mask operations by deleting emails related to spam activities.
 
 **TP**, **B-TP**, or **FP**?
@@ -340,6 +360,10 @@ Activities in a single session indicating that, a user performed suspicious emai
 
 ### Suspicious inbox manipulation rule
 
+> [!NOTE]
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model.
+> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
+
 Activities indicating that an attacker gained access to a user's inbox and created a suspicious rule. Manipulation rules, such as deleting or moving messages, or folders, from a user's inbox might be an attempt to exfiltrate information from your organization. Similarly, they can indicate an attempt to manipulate information that a user sees or to use their inbox to distribute spam, phishing emails, or malware. Defender for Cloud Apps profiles your environment and triggers alerts when suspicious inbox manipulation rules are detected on a user's inbox. This might indicate that the user's account is compromised.
 
 **TP**, **B-TP**, or **FP**?
@@ -538,6 +562,9 @@ This section describes alerts indicating that a malicious actor might be attempt
 
 ### Suspicious inbox forwarding
 
+> [!NOTE]
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Suspicious email forwarding rule created by third-party app**.
+
 Activities indicating that an attacker gained access to a user's inbox and created a suspicious rule. Manipulation rules, such as forward all or specific emails to another email account might be an attempt to exfiltrate information from your organization. Defender for Cloud Apps profiles your environment and triggers alerts when suspicious inbox manipulation rules are detected on a user's inbox. This might indicate that the user's account is compromised.
 
 **TP**, **B-TP**, or **FP**?