Merge branch 'main' into john-working

Author: jpabloms

.acrolinx-config.edn

@@ -39,7 +39,7 @@ For more information about the exception criteria and exception process, see [Mi
  
 Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality.
 
-| Article | Total score<br>(Required: 80) | Words + phrases<br>(Brand, terms) | Correctness<br>(Spelling, grammar) | Clarity<br>(Readability) |
+| Article | Total score<br>(Required: 80) | Terminology | Spelling and Grammar| Clarity<br>(Readability) |
 |---------|:--------------:|:--------------------:|:------:|:---------:|
 "
 

.github/workflows/BuildValidation.yml

@@ -0,0 +1,21 @@
+name: PR has no warnings or errors
+
+permissions:
+  pull-requests: write
+  statuses: write
+      
+on: 
+  issue_comment:
+    types: [created]
+
+jobs:
+
+  build-status:
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-BuildValidation.yml@workflows-prod
+    with:
+      PayloadJson: ${{ toJSON(github) }}
+    secrets:
+      AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+
+  

.openpublishing.redirection.defender-cloud-apps.json

@@ -994,6 +994,11 @@
       "source_path": "CloudAppSecurityDocs/what-is-cloud-app-security.md",
       "redirect_url": "/defender-cloud-apps/what-is-defender-for-cloud-apps",
       "redirect_document_id": true
+    },
+     {
+      "source_path": "CloudAppSecurityDocs/tutorial-ueba.md",
+      "redirect_url": "/defender-cloud-apps/",
+      "redirect_document_id": true
     },
     {
       "source_path": "CloudAppSecurityDocs/file-filters.md",

.openpublishing.redirection.defender-endpoint.json

@@ -79,6 +79,11 @@
       "source_path": "defender-endpoint/pilot-deploy-defender-endpoint.md",
       "redirect_url": "/defender-xdr/pilot-deploy-defender-endpoint",
       "redirect_document_id": false
-    }
+    },
+    {
+      "source_path": "defender-endpoint/monthly-security-summary-report.md",
+      "redirect_url": "/defender-endpoint/threat-protection-reports#monthly-security-summary",
+      "redirect_document_id": true
+    }    
   ]
 }

.openpublishing.redirection.defender-xdr.json

@@ -131,6 +131,11 @@
       "redirect_url": "/defender-xdr/entity-page-device",
       "redirect_document_id": true
     },
+    {
+      "source_path": "defender-xdr/unlink-alert-from-incident.md",
+      "redirect_url": "/defender-xdr/move-alert-to-another-incident",
+      "redirect_document_id": true
+    },
     {
       "source_path": "defender-xdr/unified-secops-platform/defender-xdr-portal.md",
       "redirect_url": "/defender-xdr/",

ATADocs/index.yml

@@ -8,7 +8,6 @@ metadata:
   description: Protect your enterprise using information from multiple network data-sources to learn the behavior of users and entities in your organization.
   services: service
   ms.service: advanced-threat-analytics
-  ms.subservice: ms.subservice
   ms.topic: landing-page
   ms.collection: M365-security-compliance
   author: batamig

ATPDocs/index.yml

@@ -6,8 +6,7 @@ metadata:
   title: Microsoft Defender for Identity documentation
   description: Microsoft Defender for Identity cloud service helps protect your enterprise hybrid environments from multiple types of advanced targeted cyber attacks and insider threats.
   services: service
-  ms.service: azure-advanced-threat-protection
-  ms.subservice: subservice
+  ms.service: microsoft-defender-for-identity
   ms.topic: landing-page
   ms.collection: M365-security-compliance
   author: batamig

ATPDocs/monitored-activities.md

@@ -14,18 +14,20 @@ In the case of a valid threat, or **true positive**, Defender for Identity enabl
 The information monitored by Defender for Identity is presented in the form of activities. Defender for Identity currently supports monitoring of the following activity types:
 
 > [!NOTE]
->
 > - This article is relevant for all Defender for Identity sensor types.
 > - Defender for Identity monitored activities appear on both the user and machine profile page.
-> - Defender for Identity monitored activities are also available in Microsoft Defender XDR's [Advanced Hunting](https://security.microsoft.com/advanced-hunting) page.
+> - Defender for Identity monitored activities are also available in [Microsoft Defender XDR's Advanced Hunting](/defender-xdr/advanced-hunting-overview) page.
+
+> [!TIP]
+> For detailed information on all supported event types (`ActionType` values) in Advanced Hunting Identity-related tables, use the built-in schema reference available in Microsoft Defender XDR.
 
 ## Monitored user activities: User account AD attribute changes
 
 |Monitored activity|Description|
 |---------------------|------------------|
 |Account Constrained Delegation State Changed|The account state is now enabled or disabled for delegation.|
 |Account Constrained Delegation SPNs Changed|Constrained delegation restricts the services to which the specified server can act on behalf of the user.|
-|Account Delegation Changed | Changes to the account delegation settings |
+|Account Delegation Changed | Changes to the account delegation settings. |
 |Account Disabled Changed|Indicates whether an account is disabled or enabled.|
 |Account Expired|Date when the account expires.|
 |Account Expiry Time Changed|Change to the date when the account expires.|
@@ -35,9 +37,9 @@ The information monitored by Defender for Identity is presented in the form of a
 |Account Password Never Expires Changed|User's password changed to never expire.|
 |Account Password Not Required Changed|User account was changed to allow logging in with a blank password.|
 |Account Smartcard Required Changed|Account changes to require users to log on to a device using a smart card.|
-|Account Supported Encryption Types Changed|Kerberos supported encryption types were changed (types: Des, AES 129, AES 256)|
-|Account Unlock changed | Changes to the account unlock settings |
-|Account UPN Name Changed|User's principle name was changed.|
+|Account Supported Encryption Types Changed|Kerberos supported encryption types were changed (types: Des, AES 129, AES 256).|
+|Account Unlock changed | Changes to the account unlock settings. |
+|Account UPN Name Changed|User's principal name was changed.|
 |Group Membership Changed|User was added/removed, to/from a group, by another user or by themselves.|
 |User Mail Changed|Users email attribute was changed.|
 |User Manager Changed|User's manager attribute was changed.|
@@ -48,8 +50,8 @@ The information monitored by Defender for Identity is presented in the form of a
 
 |Monitored activity|Description|
 |---------------------|------------------|
-|User Account Created|User account was created|  
-|Computer Account Created|Computer account was created|
+|User Account Created|User account was created.|  
+|Computer Account Created|Computer account was created.|
 |Security Principal Deleted Changed|Account was deleted/restored (both user and computer).|
 |Security Principal Display Name Changed|Account display name was changed from X to Y.|
 |Security Principal Name Changed|Account name attribute was changed.|
@@ -69,7 +71,7 @@ The information monitored by Defender for Identity is presented in the form of a
 |Private Data Retrieval|User attempted/succeeded to query private data using LSARPC protocol.|
 |Service Creation|User attempted to remotely create a specific service to a remote machine.|
 |SMB Session Enumeration|User attempted to enumerate all users with open SMB sessions on the domain controllers.|
-|SMB file copy|User copied files using SMB|
+|SMB file copy|User copied files using SMB.|
 |SAMR Query|User performed a SAMR query.|
 |Task Scheduling|User tried to remotely schedule X task to a remote machine.|
 |Wmi Execution|User attempted to remotely execute a WMI method.|
@@ -83,7 +85,7 @@ For more information, see [Supported logon types](/microsoft-365/security/defend
 |Monitored activity|Description|
 |---------------------|------------------|
 |Computer Operating System Changed|Change to the computer OS.|
-|SID-History changed | Changes to the computer SID history |
+|SID-History changed | Changes to the computer SID history. |
 
 ## See Also
 

ATPDocs/privacy-compliance.md

@@ -22,14 +22,13 @@ For more information see: [Microsoft Defender for Identity monitored activities]
 
 Defender for Identity operates in the Microsoft Azure data centers in the following locations:
 
-- European Union
-- United Kingdom
-- United States
-- Australia
-- Switzerland
-- Singapore
-
-- India
+- European Union (West Europe, North Europe)
+- United Kingdom (UK South) 
+- United States (East US, West US, West US2)
+- Australia (Australia East)
+- Switzerland (Switzerland North)
+- Singapore (Southeast Asia)
+- India (Central India, South India)
 
 Customer data collected by the service might be stored as follows:
 

ATPDocs/security-assessment-laps.md

@@ -1,5 +1,4 @@
 ---
-
 title: Microsoft LAPS usage assessment
 description: This article provides an overview of Microsoft Defender for Identity's Microsoft LAPS usage identity security posture assessment report.
 ms.date: 01/29/2023
@@ -12,9 +11,9 @@ ms.topic: how-to
 
 Microsoft's "Local Administrator Password Solution" (LAPS) provides management of local administrator account passwords for domain-joined computers. Passwords are randomized and stored in Active Directory (AD), protected by ACLs, so only eligible users can read it or request its reset.
 
-This security assessment supports [legacy Microsoft LAPS](https://www.microsoft.com/en-us/download/details.aspx?id=46899) only.
+This security assessment supports [legacy Microsoft LAPS](https://www.microsoft.com/en-us/download/details.aspx?id=46899) and [Windows LAPS](/windows-server/identity/laps/laps-overview).
 
-## What risk does not implementing LAPS pose to an organization?
+## What risk does not implement LAPS pose to an organization?
 
 LAPS provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, rotated random password for the common local administrator account on every computer in the domain.
 
@@ -24,24 +23,20 @@ LAPS simplifies password management while helping customers implement more recom
 
 1. Review the recommended action at <https://security.microsoft.com/securescore?viewid=actions> to discover which of your domains have some (or all) compatible Windows devices that aren't protected by LAPS, or that haven't had their LAPS managed password changed in the last 60 days.
 
-    ![See which domains have devices unprotected by LAPS.](media/cas-isp-laps-1.png)
-
+   [![Screenshot that shows which domains have devices unprotected by LAPS.](media/cas-isp-laps-1.png)](media/cas-isp-laps-1.png#lightbox)
+   
 1. For domains that are partially protected, select the relevant row to view the list of devices not protected by LAPS in that domain.
 
     ![Select domain with devices unprotected by LAPS.](media/cas-isp-laps-2.png)
-
-    > [!NOTE]
-    > If the entire domain is not protected with LAPS, you won't see the list of all the unprotected devices.
-
-1. Take appropriate action on those devices by downloading, installing and configuring or troubleshooting [Microsoft LAPS](https://go.microsoft.com/fwlink/?linkid=2104282) using the documentation provided in the download.
+   
+1. Take appropriate action on those devices by downloading, installing, and configuring or troubleshooting [Microsoft LAPS](https://go.microsoft.com/fwlink/?linkid=2104282) or [Windows LAPS](/windows-server/identity/laps/laps-overview). 
 
     ![Remediate devices unprotected by LAPS.](media/laps-unprotected-devices.png)
 
 > [!NOTE]
-> While assessments are updated in near real time, scores and statuses are updated every 24 hours.  While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**.
-> 
+> While assessments are updated in near real time, scores and statuses are updated every 24 hours.  While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it will be marked as **Completed**.
 
 ## See also
 
 - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
-- [Check out the Defender for Identity forum!](<https://aka.ms/MDIcommunity>)
+