Merge branch 'main' into docs-editor/mde-security-settings-manageme-1747877571

Author: denisebmsft

ATPDocs/whats-new.md

@@ -24,6 +24,14 @@ For updates about versions and features released six months ago or earlier, see
 
 ## May 2025
 
+###  Expanded New Sensor Deployment Support for Domain Controllers (Preview)
+Defender for Identity now supports deploying its new sensor on Domain Controllers without requiring Defender for Endpoint onboarding. This simplifies sensor activation and expands deployment flexibility. [Learn more](deploy/activate-capabilities.md).
+
+
+### Improved Visibility into Defender for Identity New Sensor Eligibility in the Activation page
+The Activation Page now displays all servers from your device inventory, including those not currently eligible for the new Defender for Identity sensor. This enhancement increases transparency into sensor eligibility, helping you identify non-eligible servers and take action to update and onboard them for enhanced identity protection.
+
+
 ### Local administrators collection (using SAM-R queries) feature will be disabled
 The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. An alternative method is being explored. The change will occur automatically by the specified date, and no administrative action is required.
 

CloudAppSecurityDocs/discovered-apps.md

@@ -66,9 +66,9 @@ You also might want to identify specific app instances that are in use by invest
 :::image type="content" source="media/discovered-apps/subdomains-image.png" alt-text="Subdomain filter.":::
 
 > [!NOTE]
-> Deep dives into discovered apps are supported only only in firewalls and proxies that contain target URL data. For more information, see [Supported firewalls and proxies](set-up-cloud-discovery.md#supported-firewalls-and-proxies).
+> Deep dives into discovered apps are supported only in firewalls and proxies that contain target URL data. For more information, see [Supported firewalls and proxies](set-up-cloud-discovery.md#supported-firewalls-and-proxies).
 >
-> If Defender for Cloud Apps can't match the subdomain detected in the traffic logs with the data stored in the app catalogue, the subdomain is tagged as **Other**.
+> If Defender for Cloud Apps can't match the subdomain detected in the traffic logs with the data stored in the app catalog, the subdomain is tagged as **Other**.
 
 ## Discover resources and custom apps
 
@@ -102,6 +102,9 @@ The best way to get an overview of Shadow IT use across your organization is by
 1. From the **Cloud discovery** page, select **Actions** > **Generate Cloud Discovery executive report**.
 
 1. Optionally, change the report name, and then select **Generate**.
+   
+> [!NOTE]
+> The executive summary report is revamped to a 6-pager report with a goal to provide a clear, concise & actionable overview while preserving the depth and integrity of the original analysis.
 
 ## Exclude entities
 
@@ -154,7 +157,7 @@ We recommend deleting cloud discovery data in the following cases:
 - If many users or IP addresses recently started working again after being offline for some time, their activity is identified as anomalous and might give you false positive violations.
 
 > [!IMPORTANT]
-> Make sure you want to delete data before doing so. This action is irreversbile and deletes **all** cloud discovery data in the system.
+> Make sure you want to delete data before doing so. This action is irreversible and deletes **all** cloud discovery data in the system.
 >
 
 **To delete cloud discovery data**:

CloudAppSecurityDocs/migrate-to-supported-api-solutions.md

@@ -0,0 +1,49 @@
+---
+title: Migrate to Supported API Solutions
+description: This article describes how to transition from the legacy Defender for Cloud Apps SIEM agent to supported APIs.
+ms.date: 05/19/2025
+ms.topic: article
+---
+
+# Migrate from Defender for Cloud Apps SIEM agent to supported APIs
+
+Transitioning from the legacy [Defender for Cloud Apps SIEM agent ](siem.md) to supported APIs enables continued access to enriched activities and alerts data. While the APIs might not have exact one-to-one mappings to the legacy Common Event Format (CEF) schema, they provide comprehensive, enhanced data through integration across multiple Microsoft Defender workloads.
+
+## Recommended APIs for migration
+
+> To ensure continuity and access to data currently available through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the following supported APIs:
+>
+> - For alerts and activities, see: [Microsoft Defender XDR Streaming API](/defender-xdr/streaming-api).
+> - For Microsoft Entra ID Protection logon events, see [IdentityLogonEvents](/defender-xdr/advanced-hunting-identitylogonevents-table) table in the advanced hunting schema. 
+> - For Microsoft Graph Security Alerts API, see: [List alerts_v2](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
+> - To view Microsoft Defender for Cloud Apps alerts data in the Microsoft Defender XDR incidents API, see [Microsoft Defender XDR incidents APIs and the incidents resource type](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
+
+## Field Mapping from Legacy SIEM to Supported APIs
+
+The table below compares the legacy SIEM agent’s CEF fields to the nearest equivalent fields in the Defender XDR Streaming API (advanced hunting event schema) and the Microsoft Graph Security Alerts API.
+
+
+| CEF Field (MDA SIEM)                  | Description                                                 | Defender XDR Streaming API (CloudAppEvents/AlertEvidence/AlertInfo)                             | Graph Security Alerts API (v2)                                 |
+|---------------------------------------|-------------------------------------------------------------|--------------------------------------------------------------------------------------------------|----------------------------------------------------------------|
+| `start`                               | Activity or alert timestamp                                 | `Timestamp`                                                                                      | `firstActivityDateTime`                                        |
+| `end`                                 | Activity or alert timestamp                                 | None                                                                                             | `lastActivityDateTime`                                         |
+| `rt`                                  | Activity or alert timestamp                                 | `createdDateTime`                                                                                | `createdDateTime` / `lastUpdateDateTime` / `resolvedDateTime`  |
+| `msg`                                 | Alert or activity description as shown in the portal in a human readable format             | The closest structured fields that contribute to a similar description: `actorDisplayName`, `ObjectName`, `ActionType`, `ActivityType`        | `description`                                                  |
+| `suser`                               | Activity or alert subject user                              | `AccountObjectId`, `AccountId`, `AccountDisplayName`                                             | See `userEvidence` resource type                               |
+| `destinationServiceName`              | Activity or alert from the originating app (for example, SharePoint, Box)                     | `CloudAppEvents > Application`                                                                   | See `cloudApplicationEvidence` resource type                   |
+| `cs<X>Label`, `cs<X>`                 | Alert or activity dynamic fields (for example, target user, object)                  | `Entities`, `Evidence`, `additionalData`, `ActivityObjects`                                      | Various `alertEvidence` resource types                         |
+| `EVENT_CATEGORY_*`                    | High-level activity category                                | `ActivityType` / `ActionType`                                                                    | `category`                                                     |
+| `<name>`                              | Matched policy name                                         | `Title`, `alertPolicyId`                                                                         | `Title`, `alertPolicyId`                                       |
+| `<ACTION>` (Activities)               | Specific activity type                                      | `ActionType`                                                                                     | N/A                                                            |
+| `externalId` (Activities)             | Event ID                                                    | `ReportId`                                                                                       | N/A                                                            |
+| `requestClientApplication` (activities)| User agent of the client device in activities                               | `UserAgent`                                                                                      | N/A                                                            |
+| `Dvc` (activities)                    | Client device IP                                            | `IPAddress`                                                                                      | N/A                                                            |
+| `externalId` (Alert)                  | Alert ID                                                    | `AlertId`                                                                                        | `id`                                                           |
+| `<alert type>`                        | Alert type (for example, ALERT_CABINET_EVENT_MATCH_AUDI)           | -                                                                                                | -                                                              |
+| `Src` / `c6a1` (alerts)               | Source IP                                                   | `IPAddress`                                                                                      | `ipEvidence` resource type                                     |
+
+
+## Related content
+
+- [Generic SIEM integration](siem.md)
+- [Microsoft Sentinel integration (Preview)](siem-sentinel.md)

CloudAppSecurityDocs/release-notes.md

@@ -29,6 +29,18 @@ For news about earlier releases, see [Archive of past updates for Microsoft Defe
 
 ## May 2025 
 
+### Changes to Microsoft Defender for Cloud Apps SIEM agent availability
+
+As part of our ongoing convergence process across Microsoft Defender workloads, [Microsoft Defender for Cloud Apps SIEM agents](siem.md) will be deprecated starting November 2025.
+
+To ensure continuity and access to data currently available through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the following supported APIs:
+- For alerts and activities, see: [Microsoft Defender XDR Streaming API](/defender-xdr/streaming-api).
+- For Microsoft Entra ID Protection logon events, see [IdentityLogonEvents](/defender-xdr/advanced-hunting-identitylogonevents-table) table in the advanced hunting schema. 
+- For Microsoft Graph Security Alerts API, see: [List alerts_v2](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
+- To view Microsoft Defender for Cloud Apps alerts data in the Microsoft Defender XDR incidents API, see [Microsoft Defender XDR incidents APIs and the incidents resource type](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
+
+For detailed guidance see: [Migrate from Defender for Cloud Apps SIEM agent to supported APIs](migrate-to-supported-api-solutions.md)
+
 ### New and improved Cloud App Catalog page
 
 The Cloud app catalog page has been revamped to meet security standards. The new design includes improved navigation, making it easier for you to discover and manage your cloud applications.

CloudAppSecurityDocs/toc.yml

@@ -315,6 +315,8 @@ items:
     - name: Governing connected apps
       href: governance-actions.md
       displayName: governance actions
+- name: Integrate with SIEM and API solutions
+  items:
     - name: Manage events with SIEM solutions
       items:
       - name: Integrate with Microsoft Sentinel
@@ -323,6 +325,8 @@ items:
         href: siem.md
       - name: Troubleshooting SIEM solutions
         href: troubleshooting-siem.md
+    - name: Migrate from SIEM agents to supported API solutions
+      href: migrate-to-supported-api-solutions.md
     - name: Customize alert automation with Power Automate
       items:
       - name: Customize alert automation with Power Automate

defender-endpoint/TOC.yml

@@ -160,8 +160,6 @@
           items:
           - name: Onboard servers through Defender for Endpoint's experience
             href: onboard-server.md
-          - name: Defender for Endpoint on Windows Server with SAP
-            href: mde-sap-windows-server.md
           - name: Onboard Windows devices using Configuration Manager
             href: configure-endpoints-sccm.md
           - name: Onboard Windows devices using Group Policy
@@ -172,6 +170,12 @@
             href: configure-endpoints-vdi.md
           - name: Direct onboarding with Defender for Cloud
             href: /azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint?toc=/defender-endpoint/toc.json&bc=/defender-endpoint/breadcrumb/toc.json
+          - name: Defender for Endpoint on Windows Server with SAP
+            href: mde-sap-windows-server.md
+          - name: Deployment guidance for Defender for Endpoint on Linux for SAP
+            href: mde-linux-deployment-on-sap.md
+          - name: Use custom detection rules to protect SAPXPG
+            href: mde-sap-custom-detection-rules.md
         - name: Defender for Endpoint on macOS
           items:
           - name: Deploy Defender for Endpoint on macOS
@@ -275,8 +279,6 @@
                 href: linux-install-manually.md
               - name: Direct onboarding with Defender for Cloud
                 href: /azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint?toc=/defender-endpoint/toc.json&bc=/defender-endpoint/breadcrumb/toc.json
-              - name: Deployment guidance for Defender for Endpoint on Linux for SAP
-                href: mde-linux-deployment-on-sap.md
           - name: Configure Defender for Endpoint on Linux
             items:
             - name: Configure security policies and settings

defender-endpoint/edr-block-mode-faqs.yml

@@ -15,7 +15,7 @@ metadata:
   - partner-contribution
   ms.topic: faq
   ms.collection: m365-security
-  ms.date: 03/04/2025
+  ms.date: 05/22/2025
 
 title: Endpoint detection and response (EDR) in block mode frequently asked questions (FAQ)
 summary: |
@@ -38,7 +38,7 @@ sections:
       - question: |
           Do I need to turn EDR in block mode on if I have Microsoft Defender Antivirus running on devices?
         answer: |
-          Yes, Microsoft recommends enabling EDR in block mode, even when primary antivirus software on the system is Microsoft Defender Antivirus. The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product. However, there are scenarios where EDR in block mode might be beneficial, such as if Microsoft Defender Antivirus is misconfigured, or if [PUA protection](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) is not enabled. In such cases, EDR in block mode can automatically remediate detections like PUA.
+          No, Microsoft recommends disabling EDR in block mode, when the primary antivirus software on the system is Microsoft Defender Antivirus. The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product.
 
       - question: |
           Will EDR in block mode affect a user's antivirus protection?