Merge branch 'main' into Teams-chrisda

Author: chrisda

.openpublishing.redirection.defender-endpoint.json

@@ -124,6 +124,16 @@
       "source_path": "defender-endpoint/non-windows.md",
       "redirect_url": "/defender-endpoint/microsoft-defender-endpoint",
       "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-endpoint/configure-endpoints-non-windows.md",
+      "redirect_url": "/defender-endpoint/onboarding",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-endpoint/configure-server-endpoints.md",
+      "redirect_url": "/defender-endpoint/onboard-windows-server-2012r2-2016",
+      "redirect_document_id": true
     } 
   ]
 }

ATPDocs/integrate-microsoft-and-pam-services.md

@@ -0,0 +1,59 @@
+---
+title: Integrate Defender for Identity with PAM services
+ms.service: microsoft-defender-for-identity
+ms.date: 03/30/2025
+ms.topic: concept-article
+#customerIntent: As a SOC engineer, I want to understand how to integrate Microsoft Defender for Identity with my PAM (Privilege Access Management) system to manage privileged access and detect threats.
+description: Learn how to integrate Microsoft Defender for Identity with your Privileged Access Management (PAM) services.
+---
+
+# Integrate Defender for Identity with PAM services
+
+## What are PAM services?
+
+Privileged Access Management (PAM) solutions help reduce the risk of credential misuse by securing, monitoring, and controlling privileged account access to critical resources.
+PAM solutions secure privileged accounts by storing their credentials in a secure vault, controlling access through approval workflows, and monitoring active sessions to enforce just-in-time (JIT) and just-enough-access (JEA) policies. Common PAM capabilities include, automated password rotation, multifactor authentication, session isolation, and anomaly detection.
+
+## Defender for Identity and PAM
+
+Defender for Identity helps identify and investigate suspicious activities related to privileged accounts, such as unusual sign in patterns or privilege escalation attempts. 
+When integrated with a PAM solution, Microsoft Defender for Identity can detect and investigate suspicious activity involving privileged accounts—such as abnormal sign-ins or privilege escalation attempts. The integration combines PAM’s access controls with Defender for Identity’s behavioral analytics for enhanced threat detection and containment.
+
+## Technology partners
+
+Microsoft Defender for Identity currently supports integration with the following PAM vendors. Dedicated integrations for each partner are now available in the Microsoft 365 Defender partner catalog for streamlined onboarding and visibility.
+
+:::image type="content" source="media/integrate-with-partner-system-services/screenshot-of-mdi-technology-partners.png" alt-text="Screenshot of the defender for identity connections page":::
+
+
+|Vendor |Description |
+|---------|---------|
+|CyberArk    | Provides credential vaulting, session monitoring, and threat remediation for privileged identities.       |
+|BeyondTrust     | BeyondTrust Offers identity-centric controls to manage the privilege attack surface and mitigate internal and external threats.        |
+|Delinea     | Delivers centralized authorization and session control for privileged identities across enterprise environments.       |
+
+### Reset password
+
+Once PAM integration is enabled, Microsoft Defender XDR automatically tags identities managed by your PAM solution, providing critical context during investigations.
+
+Additionally, you can initiate a password reset for high-risk privileged accounts directly from the Microsoft Defender XDR console. This action uses the connected PAM system.
+
+To reset a password:
+
+1. Go to **Assets > Identities**.
+2. Select the relevant identity.
+3. Click the three-dot menu (**⋯**) in the top-right corner.
+4. Select **Reset password**. The label might vary based on the vendor (for example, **Reset password by CyberArk**, **Reset password by BeyondTrust**).
+
+:::image type="content" source="media/screenshot-of-privilege-access-management-tags-for-identities.png" alt-text="Screenshot of the priviledge access management tags assigned to identity accounts" lightbox="media/screenshot-of-privilege-access-management-tags-for-identities.png":::
+
+This capability streamlines containment and response workflows by embedding privileged access controls directly into the investigation experience.
+
+
+### Next steps 
+
+For more information, see:
+
+[How to integrate Defender for Identity with Delinea](https://docs.delinea.com/online-help/integrations/microsoft/mdi/integrating-mdi.htm)
+
+[How to integrate Defender for Identity with CyberArk](https://community.cyberark.com/marketplace/s/#a35Ht0000018sDVIAY-a39Ht000004GLaEIAW)

ATPDocs/media/integrate-with-partner-system-services/screenshot-of-mdi-technology-partners.png

@@ -81,7 +81,7 @@ For a deeper dive into what's happening in your service account click on the dom
 
 When you investigate a specific Service account, you'll see the following details under the connections tab:
 
-:::image type="content" source="media/Screenshot-of-the-connections-page.png" alt-text="Screenshot of the connections page." lightbox="media/Screenshot-of-the-connections-page.png":::
+:::image type="content" source="media/screenshot-of-the-connections-page.png" alt-text="Screenshot of the connections page." lightbox="media/Screenshot-of-the-connections-page.png":::
 
 |Service account connection details  |Description |
 |---------|---------|

ATPDocs/media/screenshot-of-privilege-access-management-tags-for-identities.png

@@ -85,6 +85,10 @@ items:
         displayName: standalone
     - name: Activate Defender for Identity capabilities on your domain controller
       href: deploy/activate-capabilities.md
+  - name: Integrate with PAM services
+    items:
+    - name: Integrate Defender for Identity with PAM services
+      href: integrate-microsoft-and-pam-services.md
 - name: Manage
   items:
   - name: View the ITDR dashboard

ATPDocs/media/Screenshot-of-the-connections-page.png renamed to ATPDocs/media/screenshot-of-the-connections-page.png

@@ -22,6 +22,20 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
+## April 2025
+
+### New Defender for Identity and PAM Integration
+
+Microsoft Defender for Identity now supports integration with industry-leading Privileged Access Management (PAM) platforms to enhance detection and response for privileged identities.
+
+**Supported PAM vendors**:
+
+- CyberArk
+- Delinea
+- BeyondTrust
+
+For more information see: [Integrations Defender for Identity and PAM services.](Integrate-microsoft-and-pam-services.md)
+
 ## March 2025
 
 ### New Service Account Discovery page

ATPDocs/service-account-discovery.md

@@ -13,7 +13,7 @@ This article provides descriptions and instructions for Defender for Cloud Apps
 
 ## Activity filters
 
-Below is a list of the activity filters that can be applied. Most filters support multiple values as well as *NOT* to provide you with a powerful tool for policy creation.
+Below is a list of the activity filters that can be applied. Most filters support multiple values and *NOT* to provide you with a powerful tool for policy creation.
 
 - Activity ID - Search only for specific activities by their ID. This filter is useful when you connect Microsoft Defender for Cloud Apps to your SIEM (using the SIEM agent) and you want to further investigate alerts using Defender for Cloud Apps.
 
@@ -30,7 +30,7 @@ Below is a list of the activity filters that can be applied. Most filters suppor
 - Activity type - Search for the app activity.
 
   > [!NOTE]
-  > Apps are added to the filter only if there is activity for that app.
+  > Apps are added to the filter only if there's activity for that app.
 
 - Administrative activity – Search only for administrative activities.
 
@@ -56,7 +56,7 @@ Below is a list of the activity filters that can be applied. Most filters suppor
 
 - IP address – The raw IP address, category, or tag from which the activity was performed.
   - Raw IP address - Enables you to search for activities that were performed on or by raw IP addresses. The raw IPs can equal, don't equal, start with, or don't start with a particular sequence.
-  - IP category - The category of the IP address from which the activity was performed, for example, all activities from the administrative IP address range. The categories need to be configured to include the relevant IP addresses. Some IPs may be categorized by default. for example, there are IP addresses that are considered by Microsoft threat intelligence sources will be categorized as risky. To learn how to configure the IP categories, see [Organize the data according to your needs](ip-tags.md).
+  - IP category - The category of the IP address from which the activity was performed, for example, all activities from the administrative IP address range. The categories need to be configured to include the relevant IP addresses. Some IPs might be categorized by default. for example, there are IP addresses that are considered by Microsoft threat intelligence sources will be categorized as risky. To learn how to configure the IP categories, see [Organize the data according to your needs](ip-tags.md).
   - IP tag - The tag of the IP address from which the activity was performed, for example, all activities from anonymous proxy IP addresses. Defender for Cloud Apps creates a set of built-in IP tags that aren't configurable. Additionally, you can configure your IP tags. For more information about configuring your IP tags, see [Organize the data according to your needs](ip-tags.md).
   The built-in IP tags include the following:
     - Microsoft apps (14 of them)
@@ -88,7 +88,7 @@ Below is a list of the activity filters that can be applied. Most filters suppor
   - User domain - Search for a specific user domain.
   - User organization - The organizational unit of the user who performed the activity, for example, all activities performed by EMEA_marketing users. This is only relevant for connected Google Workspace instances using organizational units.
   - User group - Specific user groups that you can import from connected apps, for example, Microsoft 365 administrators.
-  - User name - Search for a specific username. To see a list of users in a specific user group, in the **Activity drawer**, select the name of the user group. Clicking will take you to the Accounts page, which lists all the users in the group. From there, you can drill down into the details of the accounts of specific users in the group.
+  - User name - Search for a specific username. To see a list of users in a specific user group, in the **Activity drawer**, select the name of the user group. Clicking takes you to the Accounts page, which lists all the users in the group. From there, you can drill down into the details of the accounts of specific users in the group.
   - The **User group** and **User name** filters can be further filtered by using the **As** filter and selecting the role of the user, which can be any of the following:
     - Activity object only - meaning that the user or user group selected didn't perform the activity in question; they were the object of the activity.
     - Actor only - meaning that the user or user group performed the activity.
@@ -132,7 +132,7 @@ Defender for Cloud Apps also provides you with **Suggested queries**. Suggested
 
 - Sharing activities - Filters all your activities to display only those activities that involve sharing folders and files, including creating a company link, creating an anonymous link, and granting read/write permissions.
 
-- Successful log-in - Filters all your activities to display only those activities that involve successful sign-ins, including impersonate action, impersonate sign-in, single sign-o sign-ins, and sign-in from a new device.
+- Successful log in - Filters all your activities to display only those activities that involve successful sign-ins, including impersonate action, impersonate sign-in, single sign-o sign-ins, and sign-in from a new device.
 
   ![query activities.](media/queries-activity.png)
 
@@ -162,22 +162,59 @@ For example:
 
 ![Filter after selecting investigate 6 months back.](media/filter-six-months-back.png)
 
-#### Export activities six months back (Preview)
 
-You can export all activities from up to six months by clicking the Export button in the top-left corner  
+### Export activities six months back (Preview)
+
+
+You can export all activities from the past six months by clicking the Export button in the top-left corner  of the Activity log page.
+
 ![Click the export icon to export records.](media/activity-filters-queries/export-button-of-activity-logs.png)
 
+When exporting data:
 
+- You can choose a date range of up to six months.
+- You can choose to exclude private activities.  
+- The exported file is limited to 100,000 records and is delivered in CSV format.
 
+Once the export is complete, the file is available under **Exported reports**.
 
-When exporting data, you can choose a date range of up to six months, and have the ability to exclude private activities.  
-The exported file is limited to 100,000 records and will be in CSV format.
+To access exported files and check export status, navigate to **Reports -> Cloud Apps** in Microsoft 365 Defender portal to view the status of the export process and access past exports.  
 
-The result file will be accessible under the **Exported reports**. Users can navigate to **Reports -> Cloud Apps** in Microsoft 365 Defender portal to view the status of the export process and access past exports.  
-Reports that include private activities will be marked with an Eye icon in the reports page.  
+Reports that include private activities are marked with an Eye icon in the reports page.  
 
 ![eye-icon](media/activity-filters-queries/eye-icon-to-indicate-private-report.png)
 
+> [!NOTE] 
+>Exporting and viewing activity data up to six months back is restricted to specific roles with elevated permissions.
+
+The following roles are supported:
+
+- `INVITED_ADMIN`
+
+- `GLOBAL_ADMINISTRATOR`
+
+- `SECURITY_ADMINISTRATOR`
+
+- `MCAS_ADMINISTRATOR`
+
+- `DISCOVERY_ADMIN`
+
+- `SECURITY_OPERATOR`
+
+- `COMPLIANCE_ADMIN`
+
+- `SECURITY_READER`
+
+- `GLOBAL_READER`
+
+- `URBAC_ROLES_GLOBAL_ADMINISTRATOR`
+
+- `URBAC_ROLES_COMPLIANCE_ADMINISTRATOR`
+
+- `URBAC_ROLES_SECURITY_READER`
+
+- `URBAC_ROLES_SECURITY_OPERATOR`
+
 ## Next steps
 
 > [!div class="nextstepaction"]

ATPDocs/toc.yml

@@ -10,8 +10,6 @@ metadata:
   ms.service: defender-for-cloud-apps
   ms.topic: landing-page
   ms.collection: na
-  author: batamig
-  ms.author: bagol
   ms.date: 11/09/2021
 
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new