Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into painbar-simplified-installation

Author: paulinbar

.openpublishing.publish.config.json

@@ -2,7 +2,7 @@
   "docsets_to_publish": [
     {
       "docset_name": "ATA-Docs",
-      "build_source_folder": "ATADocs",
+      "build_source_folder": "advanced-threat-analytics",
       "build_output_subfolder": "ATA-Docs",
       "locale": "en-us",
       "monikers": [],

ATPDocs/alerts-xdr.md

@@ -8,7 +8,7 @@ ms.reviewer: rlitinsky
 
 # Microsoft Defender for Identity XDR alerts
 
-Microsoft Defender for Identity alerts can appear in the Microsoft Defender XDR portal in two different formats depending on if the alert originates from Defender for Identity or Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products. This article lists 
+Microsoft Defender for Identity alerts can appear in the Microsoft Defender XDR portal in two different formats depending on if the alert originates from Defender for Identity or Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products. 
 
 To learn more about how to understand the structure, and common components of all Defender for Identity security alerts, see [View and manage alerts](understanding-security-alerts.md).
 

ATPDocs/change-password-krbtgt-account.md

@@ -29,7 +29,9 @@ If the KRBTGT account's password is compromised, an attacker can use its hash to
 1. Take appropriate action on those accounts by resetting their password **twice** to invalidate the Golden Ticket attack. 
 
 > [!NOTE]
-> The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It is recommended to use the [Microsoft-provided script.](https://github.com/microsoft/New-KrbtgtKeys.ps1)
+> The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It is recommended to use the [Microsoft-provided script.](https://github.com/microsoft/New-KrbtgtKeys.ps1)  
+> When resetting the password twice, wait at least 10 hours between resets to avoid Kerberos authentication issues. This wait time is enforced by the script and aligns with best practices.
+
 ### Next steps
 
 [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)

ATPDocs/dashboard.md

@@ -45,7 +45,7 @@ Select links in the cards to just to more details, such as documentation, relate
 |**Identities overview (shield widget)** |Provides a quick overview of the number of users in hybrid, cloud, and on-premises environments (AD and Microsoft Entra ID). This feature includes direct links to the Advanced Hunting platform, offering detailed user information at your fingertips.|
 |**Top insights** /<br>**Users identified in a risky lateral movement path** | Indicates any sensitive accounts with risky lateral movement paths, which are windows of opportunity for attackers and can expose risks.  <br><br>We recommend that you take action on any sensitive accounts found with risky lateral movement paths to minimize your risk. <br><br>For more information, see [Understand and investigate Lateral Movement Paths (LMPs) with Microsoft Defender for Identity](understand-lateral-movement-paths.md).|
 |**Top insights** /<br>**Dormant Active Directory users who should be removed from sensitive groups** | Lists accounts that have been left unused for at least 180 days. <br><br>An easy and quiet path deep into your organization is through inactive accounts that are a part of sensitive groups, therefore we recommend removing those users from sensitive groups. <br><br>For more information, see [Security assessment: Riskiest lateral movement paths (LMP)](security-assessment-riskiest-lmp.md).|
-|**ITDR deployment health**     |  Lists any sensor deployment progress, any health alerts, and license availability.     |
+|**ITDR deployment health**     |  Lists any sensor deployment progress, any health alerts, and license availability derived from Defender for Identity data and Device Inventory, which relies on Defender for Endpoint coverage.  |
 |**Identity posture (Secure score)** | The score shown represents your organization's security posture with a focus on the *identity* score, reflecting the collective security state of your identities. The score is automatically updated in real-time to reflect the data shown in graphs and recommended actions. <br><br>Microsoft Secure Score updates daily with system data with new points for each recommended action take.<br><br> For more information, see [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score). |
 | **Highly privileged entities** | Lists a summary of the sensitive accounts in your organization, including Entra ID security administrators and Global admin users. |
 | **Identity related incidents** | Lists alerts from both Defender for Identity and [Microsoft Entra ID Protection](/azure/active-directory/identity-protection/overview-identity-protection), and any corresponding, relevant incidents from the last 30 days. |

ATPDocs/deploy/configure-windows-event-collection.md

@@ -59,7 +59,7 @@ Use the following procedures to configure auditing on the domain controllers tha
 
 This procedure describes how to modify your domain controller's Advanced Audit Policy settings as needed for Defender for Identity via the UI.
 
-**Related health issue:** [Directory Services Advanced Auditing is not enabled as required](../health-alerts.md)
+**Related health issue:** [Directory Services Advanced Auditing isn't enabled as required](../health-alerts.md)
 
 To configure your Advanced Audit Policy settings:
 
@@ -100,7 +100,7 @@ To configure your Advanced Audit Policy settings:
 
 1. From an elevated command prompt, enter `gpupdate`.
 
-1. After you apply the policy via GPO, conform that the new events appear in the Event Viewer, under **Windows Logs** > **Security**.
+1. After you apply the policy via GPO, confirm that the new events appear in the Event Viewer, under **Windows Logs** > **Security**.
 
     To test your audit policies from the command line, run the following command:
 
@@ -114,7 +114,7 @@ For more information, see the [auditpol reference documentation](/windows-server
 
 The following actions describe how to modify your domain controller's Advanced Audit Policy settings as needed for Defender for Identity by using PowerShell.
 
-**Related health issue:** [Directory Services Advanced Auditing is not enabled as required](../health-alerts.md)
+**Related health issue:** [Directory Services Advanced Auditing isn't enabled as required](../health-alerts.md)
 
 To configure your settings, run:
 
@@ -167,7 +167,7 @@ This section describes the extra configuration steps that you need for auditing
 > - Domain group policies to collect Windows event 8004 should be applied *only* to domain controllers.
 > - When a Defender for Identity sensor parses Windows event 8004, Defender for Identity NTLM authentication activities are enriched with the server-accessed data.
 
-**Related health issue:** [NTLM Auditing is not enabled](../health-alerts.md)
+**Related health issue:** [NTLM Auditing isn't enabled](../health-alerts.md)
 
 To configure NTLM auditing:
 
@@ -192,7 +192,7 @@ To collect events for object changes, such as for event 4662, you must also conf
 > [!IMPORTANT]
 > Review and audit your policies (via the [UI](#configure-advanced-audit-policy-settings-from-the-ui) or [PowerShell](#configure-advanced-audit-policy-settings-by-using-powershell)) before you enable event collection, to ensure that the domain controllers are properly configured to record the necessary events. If this auditing is configured properly, it should have a minimal effect on server performance.
 
-**Related health issue:** [Directory Services Object Auditing is not enabled as required](../health-alerts.md)
+**Related health issue:** [Directory Services Object Auditing isn't enabled as required](../health-alerts.md)
 
 To configure domain object auditing:
 
@@ -233,7 +233,7 @@ To configure domain object auditing:
 
         ![Screenshot of selecting permissions.](../media/select-permissions.png)
 
-        Now, all relevant changes to directory services appear as 4662 events when they're triggered.
+        Now, all relevant changes to directory services appear as 4,662 events when they're triggered.
 
 1. Repeat the steps in this procedure, but for **Applies to**, select the following object types <sup>1</sup>
    - **Descendant Group Objects**
@@ -368,7 +368,7 @@ To configure auditing on Microsoft Entra Connect servers:
 
 ## Update legacy configurations
 
-Defender for Identity no longer requires logging 1644 events. If you have either of the following settings enabled, you can remove them from the registry.
+Defender for Identity no longer requires logging 1,644 events. If you have either of the following settings enabled, you can remove them from the registry.
 
 ```reg
 Windows Registry Editor Version 5.00