Merge branch 'main' into WI475700-ispm-service-account

Author: DeCohen

ATPDocs/whats-new.md

@@ -25,15 +25,20 @@ For updates about versions and features released six months ago or earlier, see
 
 ## August 2025
 
+
 ## New security posture assessment: Remove discoverable passwords in Active Directory account attributes (Preview)
 
 The new security posture assessment highlights unsecured Active Directory attributes that contain passwords or credential clues and recommends steps to remove them, helping reduce the risk of identity compromise.
 
 For more information, see: [Security Assessment: Remove discoverable passwords in Active Directory account attributes (Preview)](remove-discoverable-passwords-active-directory-account-attributes.md)
 
-### Sensor version 2.246
 
-This version includes bug fixes and stability improvements for the Microsoft Defender for Identity sensor.
+### Microsoft Defender for Identity sensor version updates
+
+|Version number |Updates |
+|---------|---------|
+|2.247|Includes bug fixes and stability improvements for the Microsoft Defender for Identity sensor.|
+|2.246|Includes bug fixes and stability improvements for the Microsoft Defender for Identity sensor.    |
 
 ### Detection update: Suspected Brute Force attack (Kerberos, NTLM)
 

defender-xdr/advanced-hunting-defender-use-custom-rules.md

@@ -23,7 +23,7 @@ ms.custom:
 appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
-ms.date: 03/28/2025
+ms.date: 07/28/2025
 ---
 
 # Use Microsoft Sentinel functions, saved queries, and custom rules 
@@ -61,14 +61,17 @@ For example, to get the first 10 rows of data from the `StormEvents` table store
 > [!NOTE]
 > The `adx()` operator isn't supported for custom detections.
 
-
 ### Use arg() operator for Azure Resource Graph queries
-The `arg()` operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like. 
+
+The `arg()` operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like.
 
 This feature was previously only available in the Logs feature in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works to combine Azure Resource Graph (arg) queries with Microsoft Sentinel tables (that is, Defender XDR tables aren't supported). This allows users to make the cross-service query in advanced hunting without manually opening a Microsoft Sentinel window.
 
 For more information, see [Query data in Azure Resource Graph by using arg()](/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#query-data-in-azure-resource-graph-by-using-arg-preview).
 
+>[!NOTE]
+> The `arg()` operator isn't supported for analytics rules.
+
 In the query editor, enter *arg("").* followed by the Azure Resource Graph table name. 
 
 For example:
@@ -86,7 +89,6 @@ BehaviorAnalytics
 ) on $left.name == $right.SourceDevice
 ```
 
-
 ## Use saved queries
 
 To use a saved query from Microsoft Sentinel, go to the **Queries** tab and scroll until you find the query that you want. Double-click the query name to load the query in the query editor. For more options, select the vertical ellipses ( ![kebab icon](/defender/media/ah-kebab.png) ) to the right of the query. From here, you can perform the following actions: