Merge branch 'main' into 30ad7108-02e1-4033-85d8-cacae0241220_98

Author: aditisrivastava07

ATPDocs/alerts-overview.md

@@ -98,7 +98,6 @@ The following table lists the mapping between alert names, their corresponding u
 | [Suspicious modifications to the AD CS security permissions/settings](persistence-privilege-escalation-alerts.md#suspicious-modifications-to-the-ad-cs-security-permissionssettings--external-id-2435) | 2435                | Medium                                                     | Privilege escalation                                            |
 | [Account Enumeration reconnaissance (LDAP)](reconnaissance-discovery-alerts.md#account-enumeration-reconnaissance-ldap-external-id-2437-preview) (Preview) | 2437 | Medium  | Account Discovery, Domain Account |
 | [Directory Services Restore Mode Password Change](other-alerts.md#directory-services-restore-mode-password-change-external-id-2438) | 2438 | Medium  | Persistence, Account Manipulation |
-| [Honeytoken was queried via SAM-R](reconnaissance-discovery-alerts.md#honeytoken-was-queried-via-sam-r-external-id-2439) | 2439                | Low                                                     | Discovery                                            |
 |[Group Policy Tampering ](/defender-for-identity/other-alerts)|2440|Medium|Defense evasion|
 
 > [!NOTE]

ATPDocs/deploy/activate-capabilities.md

@@ -6,11 +6,15 @@ ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
 
-# Activate Microsoft Defender for Identity capabilities directly on a domain controller
+# Activate Microsoft Defender for Identity capabilities directly on a domain controller (Preview)
 
-Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using [Microsoft Defender for Identity classic sensor](deploy-defender-identity.md).
+This article describes how to activate and test Microsoft Defender for Identity new sensor capabilities on your domain controller.
 
-This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
+> [!NOTE]
+> The capabilities described in this article are currently available as Preview features. Preview features are features that aren't complete, but are made available on a "preview" basis so customers can get early access and provide feedback.
+> 
+> Preview features are still in development, have limited or restricted functionality and may be available only in selected geographic areas.
+> For more information, see the [Microsoft Defender XDR preview features](/defender-xdr/preview)
 
 > [!IMPORTANT]
 > The new Defender for Identity sensor (version 3.x) is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor [here](quick-installation-guide.md).
@@ -71,25 +75,27 @@ Set-MDIConfiguration -Mode Domain -Configuration All
 
 ### Customers with domain controllers already onboarded to Defender for Endpoint 
 
+Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using [Microsoft Defender for Identity classic sensor](deploy-defender-identity.md).
+
 ### Activate Defender for Identity capabilities
 
 Activate the Defender for Identity from the [Microsoft Defender portal](https://security.microsoft.com).
 
 1. Navigate to **System** > **Settings** > **Identities** > **Activation**.
 
-    The Activation Page now displays all servers from your device inventory, including those not currently eligible for the activation of the new Defender for Identity sensor. For each server you can find its activation state.
+   The Activation Page now displays all servers from your device inventory, including those not currently eligible for the activation of the new Defender for Identity sensor. For each server, you can find its activation state.
 
-2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+1. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
 
     :::image type="content" source="media/activate-capabilities/1.jpg" lightbox="media/activate-capabilities/1.jpg" alt-text="Screenshot that shows how to activate the new sensor.":::
 
     > [!NOTE]
     > You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
 
-3. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
-
-    :::image type="content" source="media/activate-capabilities/2.jpg" lightbox="media/activate-capabilities/2.jpg" alt-text="Screenshot that shows how to seethe onboarded servers.":::
+1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
 
+    :::image type="content" source="media/activate-capabilities/2.jpg" lightbox="media/activate-capabilities/2.jpg" alt-text="Screenshot that shows how to see the onboarded servers.":::
+   
 ### Customers without domain controllers onboarded to Defender for Endpoint 
 
 ### Connectivity requirements
@@ -98,26 +104,32 @@ Defender for Identity capabilities directly on domain controllers use Defender f
 
 For more information, see [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
 
-### Onboard Defender for Identity capabilities 
-Download the Defender for Identity onboarding package from the [Microsoft Defender portal] (https://security.microsoft.com) 
+### Onboard Defender for Identity capabilities
+
+Download the Defender for Identity onboarding package from the [Microsoft Defender portal](https://security.microsoft.com)
+
+1. Navigate to **System** > **Settings** > **Identities** > **Activation**.
+
+1. Select Download onboarding package and save the file in a location you can access from your domain controller.
+
+    :::image type="content" source="media/activate-capabilities/screenshot-that-shows-how-to-onboard-the-new-sensor.png" alt-text="Screenshot that shows how to onboard the new sensor" lightbox="media/activate-capabilities/screenshot-that-shows-how-to-onboard-the-new-sensor.png":::
+
+1. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOnboardingScript.cmd` script as an Administrator.
+
+<img width="474" alt="Screenshot that shows the script." src="https://github.com/user-attachments/assets/ff2d73d4-7285-403e-979a-520e05cbf1d1" />
 
-1. Navigate to **System** > **Settings** > **Identities** > **Activation**
-2. Select Download onboarding package and save the file in a location you can access from your domain controller.
-3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOnboardingScript.cmd` script as an Administrator. 
-   
 ## Onboarding Confirmation 
 
 To confirm the sensor has been onboarded: 
 
 1. Navigate to **System** > **Settings** > **Identities** > **Sensors**.
 
-2. Check that the onboarded domain controller is listed. 
+1. Check that the onboarded domain controller is listed. 
 
-> [!NOTE]
-> The onboarding doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
-> To check the onboarding on the local server you can also review the event log under **Applications and Services Logs** > **Microsoft** > **Windows** > **Sense** > **Operational**. You should receive an onboarding event: 
+    > [!NOTE]
+    > The onboarding doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
 
-## Test activated capabilities
+**Test activated capabilities**
 
 Defender for Identity capabilities on domain controllers currently support the following Defender for Identity functionality:
 
@@ -147,7 +159,7 @@ In the Defender portal, check for the following details:
 
 - **Group entities**: Use the global search to find a user group, or pivot from a user or device details page where group details are shown. Check for details of group membership, view group users, and group timeline data.
 
-   If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
+If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
 
 For more information, see [Investigate assets](../investigate-assets.md).
 
@@ -226,22 +238,27 @@ For more information, see [Remediation actions in Microsoft Defender for Identit
 
 If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the **Sensors** page:
 
-1. Navigate to **Settings** > **Identities** > **Sensors**
-2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
+1. Navigate to **Settings** > **Identities** > **Sensors**.
+1. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
 
-    :::image type="content" source="media/activate-capabilities/3.jpg" lightbox="media/activate-capabilities/3.jpg" alt-text="Screenshot that shows how to deactivate a server.":::
+    ![Screenshot that shows how to delete a sensor.](media/activate-capabilities/screenshot-that-shows-how-to-delete-a-sensor.png)
 
 Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/).
 
 ### Customers without domain controllers onboarded to Defender for Endpoint 
 
 ### Offboard Defender for Identity capabilities on your domain controller 
-Download the Defender for Identity offboarding package from the [Microsoft Defender portal] (https://security.microsoft.com).
+Download the Defender for Identity offboarding package from the [Microsoft Defender portal](https://security.microsoft.com).
 
 1. Navigate to **Settings** > **Identities** > **Activation**
-2. Select Download offboarding package and save the file in a location you can access from your domain controller.
-3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOffboardingScript_valid_until_YYYY-MM-DD.cmd` script as an Administrator.
-4. To fully remove the sensor, navigate to **Settings** > **Identities** > **Sensors**, select the server and click Delete. 
+
+1. Select Download offboarding package and save the file in a location you can access from your domain controller.  
+![Screenshot that shows how to offboard the new sensor.](media/activate-capabilities/screenshot-that-shows-how-to-offboard-the-new-sensor.png)
+1. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOffboardingScript_valid_until_YYYY-MM-DD.cmd` script as an Administrator.
+1. To fully remove the sensor, navigate to **Settings** > **Identities** > **Sensors**, select the server, and click **Delete**.
+
+:::image type="content" source="media/activate-capabilities/screenshot-that-shows-how-to-delete-a-sensor.png" alt-text="Screenshot that shows how to delete a sensor" lightbox="media/activate-capabilities/screenshot-that-shows-how-to-delete-a-sensor.png":::
+
 
 ## Next steps
 

ATPDocs/deploy/configure-windows-event-collection.md

@@ -1,7 +1,7 @@
 ---
 title: Configure audit policies for Windows event logs | Microsoft Defender for Identity
 description: This article describes how to configure audit policies for Windows event logs as part of deploying a Microsoft Defender for Identity sensor.
-ms.date: 01/16/2024
+ms.date: 06/04/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
@@ -240,6 +240,7 @@ To configure domain object auditing:
    - **Descendant Computer Objects**
    - **Descendant msDS-GroupManagedServiceAccount Objects**
    - **Descendant msDS-ManagedServiceAccount Objects**
+   - **Descendant msDS-DelegatedManagedServiceAccount Objects**
 
 > [!NOTE]
 > Assigning the auditing permissions on **All descendant objects** would also work, but you need only the object types detailed in the last step.

ATPDocs/deploy/media/activate-capabilities/screenshot-that-shows-how-to-delete-a-sensor.png

@@ -46,7 +46,7 @@ Your data is kept and is available to you while the license is under grace perio
 
 ## Data sharing
 
-Defender for Identity shares data, including customer data, among any of the following Microsoft products that are also licensed by the customer:
+Defender for Identity shares data, including customer data, among any of the following Microsoft products that are also licensed by the customer. For customers in the Government Community Cloud (GCC), data sharing between government and commercial cloud environments may occur, depending on the location of the service offering.
 
 - Microsoft Defender XDR
 - Microsoft Defender for Cloud Apps

ATPDocs/deploy/media/activate-capabilities/screenshot-that-shows-how-to-offboard-the-new-sensor.png

@@ -173,25 +173,6 @@ None
 |MITRE attack technique  | [Account Discovery (T1087)](https://attack.mitre.org/techniques/T1087/), [Indirect Command Execution (T1202)](https://attack.mitre.org/techniques/T1202/), [Permission Groups Discovery (T1069)](https://attack.mitre.org/techniques/T1069/)        |
 |MITRE attack sub-technique | [Domain Account (T1087.002)](https://attack.mitre.org/techniques/T1087/002/), [Domain Groups (T1069.002)](https://attack.mitre.org/techniques/T1069/002/)        |
 
-## Honeytoken was queried via SAM-R (external ID 2439)
-
-**Severity**: Low
-
-**Description**:
-
-User reconnaissance is used by attackers to map the directory structure and target privileged accounts for later steps in their attack. The Security Account Manager Remote (SAM-R) protocol is one of the methods used to query the directory to perform this type of mapping.
-In this detection, Microsoft Defender for Identity will trigger this alert for any reconnaissance activities against a pre-configured [honeytoken user](entity-tags.md)
-
-**Learning period**:
-
-None
-
-**MITRE**:
-
-|Primary MITRE tactic  |[Discovery (TA0007)](https://attack.mitre.org/tactics/TA0007/)  |
-|---------|---------|
-|MITRE attack technique  | [Account Discovery (T1087)](https://attack.mitre.org/techniques/T1087/)|
-|MITRE attack sub-technique | [Domain Account (T1087.002)](https://attack.mitre.org/techniques/T1087/002/)|
 
 ## Honeytoken was queried via LDAP (external ID 2429)