
Commit b32edaf

Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into WI480553-update-ms-date-ms-reviewer
2 parents 58245d0 + 3a2b9d5 commit b32edaf

29 files changed

+576
-255
lines changed

ATPDocs/remediation-actions.md

Lines changed: 18 additions & 22 deletions
@@ -35,34 +35,30 @@ To perform any of the [supported actions](#supported-actions), you need to:
3535

3636
The following Defender for Identity actions can be performed on Identities:
3737

38-
- **Disable user in Active Directory** - This temporarily prevents a user from signing in to the on-premises network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
38+
| Remediation Action | Description | Scope |
39+
| ------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
40+
|Disable user | This temporarily prevents a user from signing in. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network. | Active Directory, Entra ID and Okta
41+
|Enable user | Enable a user to sign in. | Active Directory, Entra ID and Okta
42+
|Revoke all Users' sessions | Revoke a user's active sessions. | Entra ID and Okta
43+
|Confirm user compromised | The user's risk level is set to High | Entra ID
44+
| Reset user password| This prompts the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts| Active Directory
45+
|Deactivate user in Okta | This action can be used when a non-legit malicious account was detected, to deactivate the account permanently | Okta
46+
| Set user risk to High/Medium/Low |Set one user risk scoring to one of the defined levels. This action will only be available if [Risk Scoring](https://help.okta.com/en-us/Content/Topics/Security/Security_Risk_Scoring.htm) feature is enabled | Okta
3947

40-
- **Reset user password** - This prompts the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.
41-
42-
- **Mark User Compromised** - The user's risk level is set to High.
43-
44-
- **Suspend User in Entra ID** - Block new sign-ins and access to cloud resources.
45-
46-
- **Require User to Sign In Again** - Revoke a user's active sessions.
47-
48-
- **Suspend User in Okta** - Temporarily disables a user account. This action can be used when a legit user account was found to be compromised and needed to be disabled.
49-
50-
- **Deactivate User in Okta** - This action can be used when a non-legit malicious account was detected, to deactivate the account permanently.
5148

5249
Depending on your Microsoft Entra ID roles, you might see additional Microsoft Entra ID actions, such as requiring users to sign in again and confirming a user as compromised. For more information, see [Remediate risks and unblock users](/entra/id-protection/howto-identity-protection-remediate-unblock).
5350

5451
## Roles and Permissions
5552

56-
| Action | XDR RBAC permissions |
57-
| ------------------------------------- | ------------------------------------------------------------ |
58-
|Mark User Compromised | - Global Administrator <br> - Security Administrator|
59-
|Suspend User in Entra ID | - Global Administrator |
60-
|Require User to Sign In Again | - Global Administrator <br>|
61-
| Disable/Enable User in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
62-
| Force Password Reset in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
63-
| Suspend User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
64-
| Deactivate User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
65-
53+
| Remediation Action | Active Directory |Entra ID | Okta |
54+
|--|--|--|--|
55+
| Disable user | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
56+
| Enable user | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
57+
| Revoke all Users' sessions |N\A | Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
58+
| Confirm user compromised |N\A | - Global Administrator <br> -Security Administrator | N/A|
59+
| Reset user password | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | N\A | N\A
60+
| Deactivate user in Okta | N\A | N\A | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator
61+
| Set User risk to High/Medium/Low | N\A | N\A | A custom role defined with permissions for Response (manage) or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator
6662

6763
## Related videos
6864

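Review bot: the two new tables disagree on action names and markup, and the unchanged paragraph after them still uses the old names. The first table says "Revoke all Users' sessions" and "Set user risk to High/Medium/Low" while the second says "Set User risk to High/Medium/Low", and the following paragraph still refers to "requiring users to sign in again" rather than the new "Revoke all Users' sessions" name. Several rows (for example `|Disable user | ... | Active Directory, Entra ID and Okta`) lack the closing `|`, "N\A" should be "N/A" throughout, "-Security Administrator" is missing the space after the hyphen, and "Or One of the following" in the last row should match the lowercase "or one of the following" used in the rows above. The removed "Suspend User in Entra ID" row described blocking new sign-ins and access to cloud resources; confirm the new "Disable user" description covers that for the Entra ID scope, since it currently mentions only signing in.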
ATPDocs/whats-new.md

Lines changed: 8 additions & 0 deletions
@@ -25,6 +25,14 @@ For updates about versions and features released six months ago or earlier, see
2525

2626
## August 2025
2727

28+
### Microsoft Entra ID risk level is now available in near real time in Microsoft Defender for Identity (Preview)
29+
30+
Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in Advanced Hunting, and includes the Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context.
31+
32+
Previously, Defender for Identity tenants received Entra ID risk level in the IdentityInfo table through user and entity behavior analytics (UEBA). With this update, the Entra ID risk level is now updated in near real time through Microsoft Defender for Identity.
33+
34+
For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Entra ID risk level to the IdentityInfo table remains unchanged.
35+
2836

2937
### New security assessment: Remove inactive service accounts (Preview)
3038

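Review bot: the first paragraph says the data "includes the Entra ID risk score" while the heading and the rest of the entry refer only to risk level; name the IdentityInfo columns that carry the level and the score so analysts can build the custom detections the entry promises. Also use "Microsoft Entra ID" on first mention in the body, as the heading does, and consider linking the Identity Inventory assets page and the IdentityInfo table reference the entry points readers to.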
CloudAppSecurityDocs/attest-your-app.md

Lines changed: 13 additions & 13 deletions
@@ -10,7 +10,7 @@ ms.reviewer: Mravela 
1010

1111
Microsoft Defender for Cloud Apps enables you to attest your app, so that you make sure that the compliance and security details we use to rate your app in our cloud app catalog are up to date.
1212

13-
Whether your app is already listed in the cloud app catalog, or it's new, submit a [self-attestation questionnaire](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4CRHM-U7CtKpJma_QJAnSlUMEpLQzBaQ1hWNDMxUEhRNFI3Q0FZUkdWRC4u). For details on the self-attestation process, contact casfeedback@microsoft.com.
13+
Whether your app is already listed in the cloud app catalog, or it's new, submit a [self-attestation questionnaire](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4CRHM-U7CtKpJma_QJAnSlUMEpLQzBaQ1hWNDMxUEhRNFI3Q0FZUkdWRC4u). For details on the self-attestation process, contact mscac@microsoft.com.
1414

1515
Follow the service attributes described below to successfully complete the submission of the questionnaire:
1616

@@ -22,7 +22,7 @@ Follow the service attributes described below to successfully complete the submi
2222
| Headquarters | General | Country code | Close list - provided in questionnaire | The country/region of the provider's headquarters.|
2323
| Data center| General | Country code array* | Close list - provided in questionnaire (Multi selection) | The country/region in which your data center resides (can be multiple locations) |
2424
| Hosting company | General | String | Free text | The name of the company that provides server hosting for the app. |
25-
| Founded | General | Integer | YYYY (no later than 2019) | The year in which the provider was founded. |
25+
| Founded | General | Integer | YYYY (no later than 2025) | The year in which the provider was founded. |
2626
| Holding | General | String | Private, Public | Displays whether the provider is a publicly or privately held company |
2727
| App domain | General | URL array* | Free text | The list of specific domains that are used to interact with the service. For example, 'teams.microsoft.com' for Microsoft Teams and not the generic domain 'microsoft.com'. |
2828
| Terms of service | General | URL | Free text | Does this app provide a set of regulations that users must agree to follow in order to use the app? |
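Review bot: "YYYY (no later than 2025)" hardcodes the current year, which is exactly why the previous value (2019) went stale; unless the questionnaire form itself enforces 2025, word it as "YYYY (no later than the current year)" so this row does not need a yearly edit.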
@@ -32,7 +32,7 @@ Follow the service attributes described below to successfully complete the submi
3232
| Data types | General | String | Close list - provided in questionnaire | Which data types can be uploaded by the user to the app?|
3333
| Homepage | General | URL | Free text | The provider's home page URL. |
3434
| Disaster recovery plan | General | Boolean | True, False | Does this app have a disaster recovery plan that includes a backup and restore strategy? |
35-
| Latest breach | Security | Date | MMM-dd-YYYY | Most recent incident in which sensitive, protected, or confidential data owned by the app was viewed, stolen, or used by an individual unauthorized to do so. |
35+
| Latest breach | Security | Date | MM-dd-YYYY | Most recent incident in which sensitive, protected, or confidential data owned by the app was viewed, stolen, or used by an individual unauthorized to do so. |
3636
| Data-at-rest encryption method | Security | String | Close list - provided in questionnaire | The type of encryption of data-at-rest performed on the app. |
3737
| Multifactor authentication | Security | Boolean | True, False | Does this app support multifactor authentication solutions? |
3838
| IP address restriction | Security | Boolean | True, False | Does this app support restriction of specific IP addresses by the app? |
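Review bot: "MM-dd-YYYY" is a month-first numeric format that readers in day-first regions will misread, whereas the previous "MMM-dd-YYYY" used an unambiguous month abbreviation; either keep the abbreviation or add a sample next to the format (for example "MM-dd-YYYY, e.g. 03-15-2024") so a breach date is not submitted with day and month swapped.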
@@ -41,7 +41,7 @@ Follow the service attributes described below to successfully complete the submi
4141
| Data audit trail | Security | Boolean | True, False | Does this app support availability of a data audit trail in the app? |
4242
| User can upload data | Security | Boolean | True, False | Does this app support user uploaded data? |
4343
| Data classification | Security | Boolean | True, False | Does this app enable the option for classification of the data uploaded to the app? |
44-
| Remember password | Security | Boolean | True, False | Does this app enable the option for remembering and saving user passwords in the app? |
44+
| Remember password | Security | Boolean | True, False, N/A | Does this app enable the option for remembering and saving user passwords in the app? |
4545
| User-roles support | Security | Boolean | True, False | Does this app support distribution of users by roles and levels of permission? |
4646
| File sharing | Security | Boolean | True, False | Does this app include features that allow file sharing between users? |
4747
| Supports SAML | Security | Boolean | True, False | Does this app support the SAML standard for exchanging authentication and authorization data? |
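Review bot: adding N/A to "Remember password" while the Type column still says Boolean follows the pattern already used by rows such as SOC 1 and ITAR, but the description should say when N/A applies (presumably apps with no password login at all), since a reader of the rating cannot otherwise tell N/A apart from False.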
@@ -62,12 +62,12 @@ Follow the service attributes described below to successfully complete the submi
6262
| ISO 27001 | Compliance | Boolean | True, False | Is this app ISO 27001 certified, a certificate given to companies upholding internationally recognized guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization? |
6363
| ITAR | Compliance | Boolean | True, False, N/A | Does this app comply with ITAR, regulations controlling the export and import of defense-related articles and services found on the US Munitions List? |
6464
| SOC 1 | Compliance | Boolean | True, False, N/A | Does this app comply with SOC 1, reporting on controls at a service organization which are relevant to user entities' internal control over financial reporting? |
65-
| SOC 2 | Compliance | Boolean | True, False | Does this app comply with SOC 2, reporting on non-financial processing based on one or more of the Trust service criteria on security, privacy, availability, confidentiality, and processing integrity? |
66-
| SOC 3 | Compliance | Boolean | True, False | Does this app comply with SOC 3, reporting based on the Trust service criteria, that may be distributed freely and only contain management's assertion that they have met the requirements of the chosen criteria? |
65+
| SOC 2 | Compliance | Boolean | True, False, N/A | Does this app comply with SOC 2, reporting on non-financial processing based on one or more of the Trust service criteria on security, privacy, availability, confidentiality, and processing integrity? |
66+
| SOC 3 | Compliance | Boolean | True, False, N/A | Does this app comply with SOC 3, reporting based on the Trust service criteria, that may be distributed freely and only contain management's assertion that they have met the requirements of the chosen criteria? |
6767
| SOX | Compliance | Boolean | True, False, N/A | Does this app comply with SOX, US legislation aimed at protecting shareholders and the general public from accounting errors and frauds, as well as improving the accuracy of corporate disclosures? |
6868
| SP 800-53 | Compliance | Boolean | True, False | Does this app comply with SP80053, recommended security controls for federal information systems and organizations? |
6969
| SSAE 16 | Compliance | Boolean | True, False, N/A | Does this app comply with the SSAE 16 standard for auditing a service organization's internal compliance controls and reporting processes? |
70-
| PCI DSS version | Compliance | String | 1, 2, 3, 3.1, 3.2, N/A | The version of the PCI-DSS protocol supported by this app. |
70+
| PCI DSS version | Compliance | String | 4.0, 3.2.1, N/A | The version of the PCI-DSS protocol supported by this app. |
7171
| ISO 27018 | Compliance | Boolean | True, False, N/A | Does this app comply with ISO 27018, which establishes commonly accepted controls and guidelines for processing and protecting Personally Identifiable Information (PII) in a public cloud computing environment? |
7272
| GLBA | Compliance | Boolean | True, False, N/A | Does this app comply with the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to establish standards for protecting the security and confidentiality of customers' personal information? |
7373
| FedRAMP level | Compliance | String | High, Moderate, Low, Li-SaaS | The level of the FedRAMP-compliant solution provided by this app. |
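Review bot: the new PCI DSS value list "4.0, 3.2.1, N/A" drops the previously accepted 1, 2, 3, 3.1 and 3.2 values, so existing attestations recorded with one of those no longer match any allowed value; confirm how those are handled (mapped to N/A or re-attested) and list the versions in one order (ascending, "3.2.1, 4.0, N/A"). In the same line, "PCI-DSS protocol" should read "PCI DSS standard", since PCI DSS is a standard, not a protocol. The SOC 2 and SOC 3 rows gaining N/A is consistent with SOC 1 above.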
@@ -77,14 +77,14 @@ Follow the service attributes described below to successfully complete the submi
7777
| COBIT | Compliance | Boolean | True, False | Does this app comply with COBIT, which sets best practices for the governance and control of information systems and technology, and aligns IT with business principles? |
7878
| COPPA | Compliance | Boolean | True, False, N/A | Does this app comply with COPPA, which defines requirements on website and online services operators that provide content to children under 13 years of age? |
7979
| FERPA | Compliance | Boolean | True, False, N/A | Does this app comply with FERPA, a federal law that protects the privacy of student education records? |
80-
| GAPP | Compliance | Boolean | True, False, N/A | Does this app comply with GAPP, a collection of commonly followed rules that address privacy risks in an organization? |
80+
| GAPP | Compliance | Boolean | True, False| Does this app comply with GAPP, a collection of commonly followed rules that address privacy risks in an organization? |
8181
| HITRUST CSF | Compliance | Boolean | True, False, N/A | Does this app comply with HITRUST CSF, a set of controls that harmonizes the requirements of information security regulations and standards? |
82-
| Jericho Forum Commandments | Compliance | Boolean | True, False | Does this app follow Jericho Forum Commandments, a set if principles to be observed when architecting systems for secure operation in de-perimeterized environments? |
83-
| ISO 27002 | Compliance | Boolean | True, False, N/A | Does this app comply with ISO 27002, which establishes common guidelines for organizational information security standards and information security management practices? |
82+
| Jericho Forum Commandments | Compliance | Boolean | True, False | Does this app follow Jericho Forum Commandments, a set of principles to be observed when architecting systems for secure operation in de-perimeterized environments? |
83+
| ISO 27002 | Compliance | Boolean | True, False| Does this app comply with ISO 27002, which establishes common guidelines for organizational information security standards and information security management practices? |
8484
| FFIEC | Compliance | Boolean | True, False, N/A | Does this app comply with the Federal Financial Institutions Examination Council's guidance on the risk management controls necessary to authenticate services in an Internet banking environment? |
85-
| Data ownership | Legal | Boolean | True, False | Does this app fully preserve the user's ownership of uploaded data? |
86-
| DMCA | Legal | Boolean | True, False | Does this app comply with the Digital Millennium Copyright Act (DMCA), which criminalizes any attempt to unlawfully access copyrighted material? |
87-
| Data retention policy | Legal | Boolean | True, False | What is the app's policy for user data retention after account termination? |
85+
| Data ownership | Legal | Boolean | True, False, N/A | Does this app fully preserve the user's ownership of uploaded data? |
86+
| DMCA | Legal | Boolean | True, False, N/A | Does this app comply with the Digital Millennium Copyright Act (DMCA), which criminalizes any attempt to unlawfully access copyrighted material? |
87+
| Data retention policy | Legal | String | Deleted immediately, Within 2 weeks, Within 1 month, Within 3 months, Within more than 3 months, Retained| What is the app's policy for user data retention after account termination? |
8888
| GDPR readiness statement | Legal | URL | Free text | A link to your website, when relevant, relating how this provider plans to handle GDPR compliance. |
8989
| GDPR - Right to erasure | Legal | Boolean | True, False, N/A | Does this app stop processing and delete an individual's personal data upon request? |
9090
| GDPR - Report data breaches | Legal | Boolean | True, False, N/A | Does this app report data breaches to supervisory authorities and individuals affected by the breach, within 72 hours of breach detection? |
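Review bot: the GAPP and ISO 27002 rows move in the opposite direction from every other change in this commit, losing the N/A option ("True, False, N/A" becomes "True, False") while SOC 2, SOC 3, Data ownership and DMCA gain it; confirm this is intentional rather than a copy error, and restore the space before the closing pipe in "True, False|" on both rows. The Data retention policy row correctly changes the type from Boolean to String to match its new value list, and the "set if principles" typo fix in the Jericho Forum row is good.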

CloudAppSecurityDocs/discovered-apps.md

Lines changed: 1 addition & 0 deletions
@@ -112,6 +112,7 @@ The best way to get an overview of Shadow IT use across your organization is by
112112

113113
> [!NOTE]
114114
> The executive summary report is revamped to a six-pager report with a goal to provide a clear, concise & actionable overview while preserving the depth and integrity of the original analysis.
115+
> Starting September 1, 2025, the Cloud Discovery Alerts data point will no longer be included in the Executive Summary Report.
115116
116117
## Exclude entities
117118

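Review bot: the added line sits directly under the existing `>` sentence, so it renders as a continuation of the same paragraph rather than as a separate statement; insert a bare `>` line between `> The executive summary report is revamped ...` and `> Starting September 1, 2025, ...` so the retirement of the Cloud Discovery Alerts data point stands on its own. Since the change is dated, a matching entry in the what's new page would also help readers who look for it after September 1, 2025.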