MicrosoftDocs
diff --git a/‎defender-for-identity/deploy/configure-windows-event-collection.md‎
Lines changed: 33 additions & 79 deletions b/‎defender-for-identity/deploy/configure-windows-event-collection.md‎
Lines changed: 33 additions & 79 deletions
diff --git a/‎defender-for-identity/deploy/prerequisites-sensor-version-3.md‎
Lines changed: 1 addition & 2 deletions b/‎defender-for-identity/deploy/prerequisites-sensor-version-3.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎defender-for-identity/whats-new.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-for-identity/whats-new.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-office-365/outbound-spam-policies-configure.md‎
Lines changed: 4 additions & 4 deletions b/‎defender-office-365/outbound-spam-policies-configure.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎defender-xdr/investigate-alerts.md‎
Lines changed: 7 additions & 4 deletions b/‎defender-xdr/investigate-alerts.md‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎defender/media/investigate-alerts/alert-service-settings-entra.png‎
71 KB b/‎defender/media/investigate-alerts/alert-service-settings-entra.png‎
71 KB
diff --git a/‎defender/media/investigate-alerts/alerts-ss-entra-alert.png‎
-170 KB b/‎defender/media/investigate-alerts/alerts-ss-entra-alert.png‎
-170 KB
diff --git a/‎unified-secops-platform/whats-new.md‎
Lines changed: 1 addition & 1 deletion b/‎unified-secops-platform/whats-new.md‎
Lines changed: 1 addition & 1 deletion
@@ -101,8 +101,7 @@ Learn more about Asset Management Rule [here](/defender-xdr/configure-asset-rule
 
 Defender for Identity detections rely on specific Windows event log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
 
-The Defender for Identity sensor v3.x can offer preview feature that allows automatically configure Windows event auditing on your domain controllers, applying the required Windows event auditing settings to new sensors, and fixing misconfigurations on existing ones. See [Configure auditing with the Defender for Identity sensor v3.x](configure-windows-event-collection.md#configure-windows-event-auditing-with-the-defender-for-identity-sensor-v3x).
-If you do not select automatic Windows auditing configuration, you must [manually configure Windows event auditing](configure-windows-event-collection.md) in the Defender portal or using PowerShell. 
+For more information about configuring windows event auditing in the Defender portal or using PowerShell, see [Configure Windows event auditing](configure-windows-event-collection.md).
 
 ## Test your prerequisites
 
 
@@ -1,7 +1,7 @@
 ---
 title: What's new | Microsoft Defender for Identity
 description: This article is updated frequently to let you know what's new in the latest release of Microsoft Defender for Identity.
-ms.date: 11/16/2025
+ms.date: 11/30/2025
 ms.topic: overview
 #CustomerIntent: As a Defender for Identity customer, I want to know what's new in the latest release of Defender for Identity, so that I can take advantage of new features and functionality. 
 ms.reviewer: AbbyMSFT
@@ -31,7 +31,7 @@ For updates about versions and features released six months ago or earlier, see
 
 ### Automatic Windows event auditing configuration for Defender for Identity sensors v3.x (Preview)
 
-Defender for Identity offers automatic Windows event-auditing configuration for sensors v3.x, streamlining deployment by applying required auditing settings to new sensors and fixing misconfigurations on existing ones; admins can enable it in the Defender portal or via the Graph API. The new feature will roll out gradually over the next few weeks, and related health alerts are expected to be available in early Jan 2026.
+Defender for Identity is slowly rolling out automatic Windows event auditing for sensors v3.x, streamlining deployment by applying required auditing settings to new sensors and fixing misconfigurations on existing ones. As it becomes available, you will be able to enable automatic Windows event-auditing in the **Advanced settings** section in the Defender portal, or using the Graph API. 
 
 ### Identity Inventory enhancements: Accounts tab, manual account linking and unlinking, and expanded remediation actions
 
 
@@ -87,8 +87,8 @@ You can configure outbound spam policies in the Microsoft Defender portal or in
 
    You can use a condition only once, but the condition can contain multiple values:
 
-   - Multiple **values** of the **same condition** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy is applied to them.
-   - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:
+   - Multiple **values** of the **same condition** use OR logic (for example, _\<sender1\>_ or _\<sender2\>_). If the recipient matches **any** of the specified values, the policy is applied to them.
+   - Different **types of conditions** use AND logic. The sender must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:
      - Users: `[email protected]`
      - Groups: Executives
 
@@ -98,8 +98,8 @@ You can configure outbound spam policies in the Microsoft Defender portal or in
 
      You can use an exception only once, but the exception can contain multiple values:
 
-     - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them.
-     - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them.
+     - Multiple **values** of the **same exception** use OR logic (for example, _\<sender1\>_ or _\<sender2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them.
+     - Different **types of exceptions** use OR logic (for example, _\<sender1\>_ or _\<member of group1\>_ or _\<sender domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them.
 
    When you're finished on the **Users, groups, and domains**, select **Next**.
 
 
@@ -151,15 +151,18 @@ Microsoft Defender XDR alerts come from solutions like Microsoft Defender for En
 
 <a name='configure-aad-ip-alert-service'></a>
 
-### Configure Microsoft Entra IP alert service
+### Configure alert service settings
+
+To configure alert service settings in Microsoft Defender XDR:
 
 1. Go to the Microsoft Defender portal ([security.microsoft.com](https://security.microsoft.com)), select **Settings** > **Microsoft Defender XDR**.
 
-2. From the list, select **Alert service settings**, and then configure your **Microsoft Entra ID Protection** alert service.
+1. From the list, select **Alert service settings**, and then configure the alert settings for the service.
 
-   :::image type="content" source="/defender/media/investigate-alerts/alerts-ss-entra-alert.png" alt-text="Screenshot of Microsoft Entra ID Protection alerts setting in the Microsoft Defender portal." lightbox="/defender/media/investigate-alerts/alerts-ss-entra-alert.png":::
+    > [!IMPORTANT]
+    > Starting December 11, 2025, Microsoft Defender XDR is rolling out enhanced configuration options for Entra ID Protection alerts in public preview. These updates give you more granular control over risk-based alerting. The new default setting is **High-risk detections only**. Change the default setting to **High + Medium** or **All detections** based on your organization’s needs.
 
-By default, only the most relevant alerts for the security operation center are enabled. If you want to get all Microsoft Entra IP risk detections, you can change it in the **Alert service settings** section.
+    :::image type="content" source="/defender/media/investigate-alerts/alert-service-settings-entra.png" alt-text="Screenshot of Microsoft Entra ID Protection alerts setting in the Microsoft Defender portal." lightbox="/defender/media/investigate-alerts/alert-service-settings-entra.png":::
 
 You can also access **Alert service settings** directly from the **Incidents** page in the Microsoft Defender portal.
 
 
@@ -55,7 +55,7 @@ Advanced hunting and custom detection experiences now include a contextual banne
 
 All features require UEBA to be enabled and are workspace-scoped to the currently selected workspace.
 
-For more information, see [UEBA experiences in the Defender portal empower analysts and streamline workflows](/azure/sentinel/identify-threats-with-entity-behavior-analytics.md#ueba-experiences-in-the-defender-portal-empower-analysts-and-streamline-workflows).
+For more information, see [UEBA experiences in the Defender portal empower analysts and streamline workflows](/azure/sentinel/identify-threats-with-entity-behavior-analytics#ueba-experiences-in-the-defender-portal-empower-analysts-and-streamline-workflows).
 
 ## September 2025