Commit b3b431b

Merge branch 'main' into wi-502580-batch-3-defender-xdr-image-reorg
2 parents 2e2d475 + a913ef9 commit b3b431b

38 files changed (+205, -71 lines)

defender-endpoint/attack-surface-reduction-rules-reference.md

Lines changed: 0 additions & 3 deletions
@@ -520,9 +520,6 @@ For technical support, contact the software vendor.
520520

521521
This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
522522

523-
> [!NOTE]
524-
> This rule blocks DLP policy tips and ToolTips in Outlook. This rule applies to Outlook and Outlook.com only.
525-
526523
Intune name: `Process creation from Office communication products (beta)`
527524

528525
Configuration Manager name: Not available
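
Review bot: The deleted note at old lines 523–525 was the only place this section stated the rule's side effect (it blocks DLP policy tips and ToolTips in Outlook) and its scope (Outlook and Outlook.com only), and nothing in the hunk replaces either statement. If the side effect no longer occurs, record that in the change; if it still occurs, readers enabling this rule in block mode lose the warning they need, so keep at least a one-line scope and side-effect statement under the rule description.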

defender-for-cloud-apps/data-protection-policies.md

Lines changed: 12 additions & 8 deletions
@@ -46,7 +46,9 @@ The following are examples of file policies that can be created:
4646

4747
## Prerequisites
4848

49-
To set up the first File Policy in a tenant, you need Microsoft Entra **Service Principal** permissions. **Service Principal** permissions are only automatically given if no file policy exists yet. After the first file policy is created, you can create more without needing those permissions.
49+
To set up the first File Policy in a tenant, you need:
50+
- Microsoft Entra **Service Principal** permissions. <br>
51+
**Service Principal** permissions are only automatically given if no file policy exists yet. After the first file policy is created, you can create more without needing those permissions.
5052

5153

5254
## Create a new file policy
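
Review bot: The new prerequisite list at new lines 49–51 has a single item introduced by "you need:", and the continuation text on line 51 ("**Service Principal** permissions are only automatically given...") is not indented under the bullet, so the `<br>` on line 50 will not keep it inside the list item in most markdown renderers; it will render as a separate paragraph. Either fold it back into one sentence, or indent the continuation by two spaces under the bullet and drop the `<br>`.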
@@ -79,7 +81,7 @@ To create a new file policy, follow this procedure:
7981

8082
1. Under the **Select user groups** filter, select either **all file owners**, **file owners from selected user groups** or **all file owners excluding selected groups**. Then select the relevant user groups to determine which users and groups should be included in the policy.
8183

82-
1. Select the **Content inspection method**. We recommend using the [**Data Classification Services**](content-inspection.md).
84+
1. Select the **Content inspection method**. We recommend using the [**Data Classification Services**](content-inspection.md).
8385

8486
Once content inspection is enabled, you can choose to use preset expressions or to search for other customized expressions.
8587
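
Review bot: Old line 82 and new line 84 render identically ("1. Select the **Content inspection method**. We recommend using the [**Data Classification Services**](content-inspection.md)."), so this hunk is presumably a whitespace-only change; confirm that is intended, because the rendered diff gives no indication of what actually changed.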

@@ -94,16 +96,17 @@ To create a new file policy, follow this procedure:
9496

9597
- **Create an alert for each matching event with the policy's severity**
9698
- **Send an alert as email**
97-
- **Daily alert limit per policy**. Note that governance actions are not impacted by the daily alert limit.
99+
- **Daily alert limit per policy**. Governance actions aren't impacted by the daily alert limit.
98100
- **Send alerts to Power Automate**
99-
-
101+
100102
1. Choose the **Governance** actions you want Defender for Cloud Apps to take when a match is detected. Be careful when you set governance actions, they could lead to irreversible loss of access permissions to your files.
101103

102-
1. Once you've created your policy, you can view it by filtering for the **File policy** type. You can always edit a policy, calibrate its filters, or change the automated actions. The policy is automatically enabled upon creation and starts scanning your cloud files immediately. We recommended narrowing down the filters using multiple search fields to get the files that you want to work with, . The narrower the filters, the better. You can use the **Edit and preview results** button next to the filters.
104+
1. Once you've created your policy, you can view it by filtering for the **File policy** type. You can always edit a policy, calibrate its filters, or change the automated actions. The policy is automatically enabled upon creation and starts scanning your cloud files immediately. We recommended narrowing down the filters using multiple search fields to get the files that you want to work with. The narrower the filters, the better. You can use the **Edit and preview results** button next to the filters.
103105

104-
:::image type="content" source="media/file-policy-edit-and-preview-results.png" alt-text="Screenshot that shows how you can see a preview of the filtered results for file policies.":::
106+
:::image type="content" source="media/file-policy-edit-and-preview-results.png" alt-text="Screenshot that shows how you can see a preview of the filtered results for file policies.":::
105107

106-
1. To view file policy matches, files that are suspected to violate the policy, go to **Policies** -> **Policy management**. Filter the results to display only the file policies using the **Type** filter at the top. For more information about the matches for each policy, under the **Count** column, select the number of **matches** for a policy. Alternatively, select the three dots at the end of the row for a policy and choose **View all matches**. This opens the **File policy report**. Select the **Matching now** tab to see files that currently match the policy. Select the **History** tab to see a history back to up to six months of files that matched the policy.
108+
109+
1. To view file policy matches, go to **Policies** -> **Policy management**. Here you can see files that are suspected to violate the policy. Filter the results to display only the file policies using the **Type** filter at the top. For more information about the matches for each policy, under the **Count** column, select the number of **matches** for a policy. Alternatively, select the three dots at the end of the row for a policy and choose **View all matches**. This opens the **File policy report**. Select the **Matching now** tab to see files that currently match the policy. Select the **History** tab to see a history back to up to six months of files that matched the policy.
107110

108111
## Limitations
109112
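
Review bot: The rewritten step at new line 104 fixes the stray ", ." but still carries the tense error "We recommended narrowing down the filters"; it should read "We recommend narrowing down the filters". Since this hunk is being touched, the unchanged line 102 ("Be careful when you set governance actions, they could lead to irreversible loss of access permissions to your files.") is a comma splice and reads better as two sentences, which matters because it is the one warning about irreversible permission loss in the procedure.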

@@ -193,6 +196,7 @@ Below is a list of the file filters that can be applied:
193196
> [!NOTE]
194197
> - This filter doesn't support files that were shared with a group, only with specific users.
195198
> - This filter doesn't support files shared with a specific user through a shared link for SharePoint and OneDrive.
199+
> - When files are uploaded to SharePoint, OneDrive, etc., the **Collaborator > Domains** field automatically includes the domain of the file owner. If you use the **Any from domain** filter with the **does not contain** condition to exclude your organization's domain, files owned by users in your domain may be ignored by the policy.
196200
197201
- **Entire organization** – If the entire organization has access to the file.
198202
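
Review bot: The added note at new line 199 describes the pitfall (using **Any from domain** with **does not contain** to exclude your own domain silently drops files owned by your own users, because the owner's domain is auto-populated into **Collaborator > Domains**) but not the remedy; a reader building an external-sharing policy needs to know which filter combination achieves the intended exclusion, otherwise the note only tells them their policy may be blind. Also, "SharePoint, OneDrive, etc." should name the apps the behaviour applies to rather than trailing off with "etc.".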

@@ -216,7 +220,7 @@ Labels include:
216220
- **Microsoft Purview Information Protection** - Requires integration with Microsoft Purview Information Protection.
217221
- **Defender for Cloud Apps** - Provides more insight into the files it scans. For each file scanned by Defender for Cloud Apps DLP, you can know if inspection was blocked because the file is encrypted or corrupted. For example, you can set up policies to alert and quarantine password-protected files that are shared externally.
218222
- **Azure RMS encrypted** – Files whose content wasn't inspected because they have an Azure RMS encryption set.
219-
- **Password encrypted** – Files whose content wasn't inspected because they're password protected by the user.
223+
- **Password encrypted** – Files whose content wasn't inspected because they were password protected by the user.
220224
- **Corrupt file** – Files whose content wasn't inspected because their contents couldn't be read.
221225

222226
- **File type** – Defender for Cloud Apps scans the file to determine whether the true file type matches the MIME type received (see table) from the service. This scan is for files that are relevant for data scan (documents, images, presentations, spreadsheets, text, and zip/archive files). The filter works per file/folder type. For example, *All folders that are ...* or *All spreadsheet files that are...*
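
Review bot: The edited bullet at new line 223 uses an en-dash after the bold label ("**Password encrypted** –") while the first two bullets of the same list (lines 220–221) use a hyphen ("**Microsoft Purview Information Protection** -", "**Defender for Cloud Apps** -"); since this line is being changed anyway, align the separator across the list. The tense change itself ("they're" to "they were") is fine.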

defender-for-cloud-apps/siem-sentinel.md

Lines changed: 19 additions & 2 deletions
@@ -1,13 +1,30 @@
11
---
22
title: Microsoft Sentinel integration
33
description: This article provides information integrating Microsoft Sentinel with Defender for Cloud Apps.
4-
ms.date: 01/29/2023
4+
ms.date: 10/29/2025
55
ms.topic: how-to
66
ms.reviewer: Naama-Goldbart
77
---
8-
# Microsoft Sentinel integration (Preview)
98

9+
# Microsoft Sentinel integration (Preview)
1010

11+
> [!IMPORTANT]
12+
> **Deprecation Notice: Microsoft Defender for Cloud Apps SIEM Agents**
13+
>
14+
> As part of our ongoing convergence process across Microsoft Defender workloads, Microsoft Defender for Cloud Apps SIEM agents will be deprecated starting **November 2025**.
15+
>
16+
>
17+
> Existing Microsoft Defender for Cloud Apps SIEM agents will continue to function as is until that time. As of June 19, 2025, **no new SIEM agents can be configured**, but [Microsoft Sentinel](siem-sentinel.md) agent integration (Preview), will remain supported and can still be added.
18+
>
19+
> We recommend transitioning to APIs that support the management of activities and alerts data from multiple workloads.
20+
> These APIs enhance security monitoring and management and offer additional capabilities using data from multiple Microsoft Defender workloads.
21+
>
22+
> To ensure continuity and access to data currently available through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the following supported APIs:
23+
>
24+
> - For alerts and activities, see: [Microsoft Defender XDR Streaming API](/defender-xdr/streaming-api).
25+
> - For Microsoft Entra ID Protection logon events, see [IdentityLogonEvents](/defender-xdr/advanced-hunting-identitylogonevents-table) table in the advanced hunting schema.
26+
> - For Microsoft Graph Security Alerts API, see: [List alerts_v2](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
27+
> - To view Microsoft Defender for Cloud Apps alerts data in the Microsoft Defender XDR incidents API, see [Microsoft Defender XDR incidents APIs and the incidents resource type](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
1128
1229
You can integrate Microsoft Defender for Cloud Apps with Microsoft Sentinel (a scalable, cloud-native SIEM and SOAR) to enable centralized monitoring of alerts and discovery data. Integrating with Microsoft Sentinel allows you to better protect your cloud applications while maintaining your usual security workflow, automating security procedures, and correlating between cloud-based and on-premises events.
1330
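
Review bot: The last two bullets of the deprecation notice (new lines 26 and 27) point to the same URL (/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true), but line 27 promises "Microsoft Defender XDR incidents APIs and the incidents resource type"; the second link is almost certainly a copy-paste error and should target the incidents documentation. Smaller points in the same hunk: lines 15 and 16 are two consecutive empty quote lines; line 17's "[Microsoft Sentinel](siem-sentinel.md)" links this article to itself; and "Microsoft Sentinel agent integration (Preview), will remain supported" has a stray comma before "will".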

defender-for-identity/whats-new.md

Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ The [unified sensor](/defender-for-identity/deploy/activate-sensor) provides enh
3636

3737
## September 2025
3838

39-
### Unlock additional security value in the unified agent (Preview)
39+
### Unlock additional security value in the unified agent
4040
Get enhance protection by applying the ‘Unified sensor RPC audit’ tag to your V3.x sensors through the Asset rule management feature. Learn more [here](/defender-for-identity/deploy/prerequisites-sensor-version-3).
4141

4242
### Identity posture recommendations view on the identity page (preview)
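
Review bot: Dropping "(Preview)" from the heading at new line 39 signals general availability, but the entry body is unchanged and the adjacent heading at line 42 keeps "(preview)"; if the feature has reached GA, the entry should say so rather than leaving the reader to infer it from a heading edit. The unchanged line 40 also reads "Get enhance protection" and should be "Get enhanced protection".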

defender-xdr/advanced-hunting-defender-use-custom-rules.md

Lines changed: 3 additions & 0 deletions
@@ -108,6 +108,9 @@ For editable queries, more options are available:
108108

109109
## Create custom analytics and detection rules
110110

111+
>[!IMPORTANT]
112+
> [**Custom detections**](custom-detections-overview.md) is now the best way to create new rules across Microsoft Sentinel SIEM Microsoft Defender XDR. With custom detections, you can reduce ingestion costs, get unlimited real-time detections, and benefit from seamless integration with Defender XDR data, functions, and remediation actions with automatic entity mapping. For more information, read [this blog](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/custom-detections-are-now-the-unified-experience-for-creating-detections-in-micr/4463875).
113+
111114
To help discover threats and anomalous behaviors in your environment, you can create customized detection rules. There are two kinds:
112115
- Analytics rules - to generate detections from rules that query data that is ingested through Microsoft Sentinel
113116
- Custom detection rules - to generate detections from rules that query data from Defender XDR or from both Microsoft Sentinel and Defender XDR
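
Review bot: The added callout at new line 112 is missing a conjunction: "across Microsoft Sentinel SIEM Microsoft Defender XDR" should read "across Microsoft Sentinel SIEM and Microsoft Defender XDR". The marker on line 111 is ">[!IMPORTANT]" without a space after ">", unlike the "> [!NOTE]" form used elsewhere in this changeset; match the existing style. Also, the unchanged list at lines 114–116 still defines custom detection rules as querying "data from Defender XDR or from both Microsoft Sentinel and Defender XDR", which should be checked against the limitation removed from advanced-hunting-microsoft-defender.md in this same commit.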

defender-xdr/advanced-hunting-microsoft-defender.md

Lines changed: 1 addition & 3 deletions
@@ -23,7 +23,7 @@ ms.topic: concept-article
2323
appliesto:
2424
- Microsoft Defender XDR
2525
- Microsoft Sentinel in the Microsoft Defender portal
26-
ms.date: 09/08/2025
26+
ms.date: 10/30/2025
2727
---
2828

2929
# Advanced hunting with Microsoft Sentinel data in Microsoft Defender portal
@@ -88,10 +88,8 @@ In the unified portal, in addition to viewing the schema column names and descri
8888
- The Microsoft Sentinel `SecurityAlert` table is replaced by `AlertInfo` and `AlertEvidence` tables, which both contain all the data on alerts. While SecurityAlert isn't available in the schema tab, you can still use it in queries using the advanced hunting editor. This provision is made so as not to break existing queries from Microsoft Sentinel that use this table.
8989
- Guided hunting mode and take actions capabilities are supported for Defender XDR data only.
9090
- Custom detections have the following limitations:
91-
- Custom detections aren't available for KQL queries that don't include Defender XDR data.
9291
- Near real-time detection frequency isn't available for detections that include Microsoft Sentinel data.
9392
- Custom functions that were created and saved in Microsoft Sentinel aren't supported.
94-
- Defining entities from Sentinel data isn't yet supported in custom detections.
9593
- Bookmarks aren't supported in the advanced hunting experience. They're supported in the **Microsoft Sentinel > Threat management > Hunting** feature. Alternatively, you can use the [Link to incident](advanced-hunting-defender-results.md#link-query-results-to-an-incident) feature to link query results to new or existing incidents.
9694
- If you're streaming Defender XDR tables to Log Analytics, there might be a difference between the`Timestamp` and `TimeGenerated` columns. In case the data arrives to Log Analytics after 48 hours, it's being overridden upon ingestion to `now()`. Therefore, to get the actual time the event happened, we recommend relying on the `Timestamp` column.
9795
- When prompting [Security Copilot](advanced-hunting-security-copilot.md) for advanced hunting queries, you might find that not all Microsoft Sentinel tables are currently supported. However, support for these tables can be expected in the future.
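
Review bot: Removing the two limitations at old lines 91 and 94 asserts that custom detections now work on KQL queries without Defender XDR data and that entities can be defined from Sentinel data, but nothing else in the commit records that change: there is no what's-new entry, and the custom-rules article touched in this same commit still says custom detection rules query "data from Defender XDR or from both Microsoft Sentinel and Defender XDR". Confirm both capabilities shipped and align the wording across the two articles. In the unchanged line 94, "between the`Timestamp` and `TimeGenerated`" needs a space after "the".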
