Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into 486548-onboard-client-devices-winodws-mac-docker

Author: DeCohen

ATPDocs/change-password-krbtgt-account.md

@@ -29,7 +29,9 @@ If the KRBTGT account's password is compromised, an attacker can use its hash to
 1. Take appropriate action on those accounts by resetting their password **twice** to invalidate the Golden Ticket attack. 
 
 > [!NOTE]
-> The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It is recommended to use the [Microsoft-provided script.](https://github.com/microsoft/New-KrbtgtKeys.ps1)
+> The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It is recommended to use the [Microsoft-provided script.](https://github.com/microsoft/New-KrbtgtKeys.ps1)  
+> When resetting the password twice, wait at least 10 hours between resets to avoid Kerberos authentication issues. This wait time is enforced by the script and aligns with best practices.
+
 ### Next steps
 
 [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)

ATPDocs/whats-new.md

@@ -25,22 +25,52 @@ For updates about versions and features released six months ago or earlier, see
 
 ## September 2025
 
+### Microsoft Defender for Identity sensor version updates
+
+|Version number |Updates |
+|---------|---------|
+|2.248|Improved event log query method, allowing us to capture a broader range of unique events at scale. You may notice an increase in captured activities. This update also includes additional security enhancements and performance improvements.|
+
+### Updates to multiple detections to reduce noise and improve alert accuracy
+
+Several Defender for Identity detections are being updated to reduce noise and improve accuracy, making alerts more reliable and actionable. As the rollout continues, you may see a decrease in the number of alerts raised.
+
+The improvements will gradually take effect across the following detections:
+
+- Suspicious communication over DNS
+
+- Suspected Netlogon privilege elevation attempt (CVE-2020-1472)
+
+- Honeytoken authentication activity
+
+- Remote code execution attempt over DNS
+
+- Suspicious password reset by Microsoft Entra Connect account
+
+- Data exfiltration over SMB
+
+- Suspected skeleton key attack (encryption downgrade)
+
+- Suspicious modification of Resource Based Constrained Delegation by a machine account
+
+- Remote code execution attempt
+
 ### Unified connectors is now available for Okta Single Sign-On connectors (Preview)
 
 Microsoft Defender for Identity supports the [Unified connectors](/azure/sentinel/unified-connector) experience, starting with the Okta Single Sign-On connector. This enables Defender for Identity to collect Okta system logs once and share them across supported Microsoft security products, reducing API usage and improving connector efficiency.
 
-For more information see: [Connect Okta to Microsoft Defender for Identity (Preview)](okta-integration.md)
+For more information, see: [Connect Okta to Microsoft Defender for Identity (Preview)](okta-integration.md)
 
 
 ## August 2025
 
 ### Microsoft Entra ID risk level is now available in near real time in Microsoft Defender for Identity (Preview)
 
-Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in Advanced Hunting, and includes the Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context.
+Microsoft Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in Advanced Hunting, and includes the Microsoft Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context.
 
-Previously, Defender for Identity tenants received Entra ID risk level in the IdentityInfo table through user and entity behavior analytics (UEBA). With this update, the Entra ID risk level is now updated in near real time through Microsoft Defender for Identity.
+Previously, Defender for Identity tenants received Microsoft Entra ID risk level in the IdentityInfo table through user and entity behavior analytics (UEBA). With this update, the Microsoft Entra ID risk level is now updated in near real time through Microsoft Defender for Identity.
 
-For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Entra ID risk level to the IdentityInfo table remains unchanged.
+For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Microsoft Entra ID risk level to the IdentityInfo table remains unchanged.
 
 ### New security assessment: Remove stale service accounts (Preview)
 
@@ -478,7 +508,7 @@ Defender for Identity added the new **Edit insecure ADCS certificate enrollment
 
 Active Directory Certificate Services (AD CS) supports certificate enrollment through various methods and protocols, including enrollment via HTTP using the Certificate Enrollment Service (CES) or the Web Enrollment interface (Certsrv). Insecure configurations of the CES or Certsrv IIS endpoints might create vulnerabilities to relay attacks (ESC8).
 
-The new **Edit insecure ADCS certificate enrollment IIS endpoints (ESC8)** recommendation is added to other AD CS-related recommendations recently released. Together, these assessments offer security posture reports that surface security issues and severe misconfigurations that post risks to the entire organization, together with related detections.
+The new **Edit insecure ADCS certificate enrollment IIS endpoints (ESC8)** recommendation is added to other AD CS-related recommendations recently released. Together, these assessments offer security posture reports that surface security issues and severe misconfigurations that pose risks to the entire organization, together with related detections.
 
 For more information, see:
 

CloudAppSecurityDocs/app-governance-app-policies-manage.md

@@ -1,8 +1,9 @@
 ---
 title: Manage app policies
-ms.date: 05/21/2023
+ms.date: 09/08/2025
 ms.topic: how-to
 description: Manage your app governance policies.
+ms.reviewer: shragar456
 ---
 
 # Manage app policies
@@ -12,55 +13,35 @@ Use app governance to manage OAuth policies for Microsoft 365, Google Workspace,
 You might need to manage your app policies as follows to keep up-to-date with your organization's apps, respond to new app-based attacks, and for ongoing changes to your app compliance needs:
 
 - Create new policies targeted at new apps
-- Change the status of an existing policy (active, inactive, audit mode)
+- Change the status of an existing policy (active or disable)
 - Change the conditions of an existing policy
 - Change the actions of an existing policy for auto-remediation of alerts
 
-<a name='manage-oauth-app-policies-for-azure-ad'></a>
 
-## Manage OAuth app policies for Microsoft Entra ID
-
-Here's an example of a process for managing an existing policy for Microsoft Entra apps:
-
-1. Edit the policy:
-
-    - Change the settings of the policy.
-    - If needed, change the status to **Audit mode** for testing.
-
-1. Check for expected behavior, such as alerts generated.
-1. If the behavior isn't expected, go back to step 1.
-1. If the behavior is expected, edit the policy and change its status to active (if needed).
-
-For example:
-
-:::image type="content" source="media/app-governance/mapg-manage-policy-process.png" alt-text="Diagram of the manage app policy workflow." lightbox="media/app-governance/mapg-manage-policy-process.png" border="false":::
+## Editing an app policy configuration
 
-> [!NOTE]
-> Following the change in the **Activity type** filter, policies with the previous filter will have a "LEGACY" label attached to the filter and if the policies are edited or deleted the filter can't be restored.
+To change the configuration of a user defined app policy:
 
-## Editing an app policy configuration
+1. Select the policy in the policy list, and then select **Edit** on the app policy pane.
 
-To change the configuration of an existing app policy:
+1. In the **Edit policy** page, you can make the following changes:
 
-- Select the policy in the policy list, and then select **Edit** on the app policy pane.
-- Select the vertical ellipses for the policy in the list, and then select **Edit**.
+    - **Description**: Change the description to make it easier to understand the policy's purpose.
+    - **Severity** : Change the severity for your app policy to low, medium, or high. 
+    - **Policy settings**: Change the set of apps to which the policy applies. You can also choose to use the existing conditions or modify the conditions
+    - **Actions**: Change the autoremediation action for alerts generated by the policy.
+    - **Status**: Change the policy status.
 
-For the **Edit policy** page, step through the pages and make the appropriate changes:
+:::image type="content" source="media/app-governance-app-policies-manage/edit-user-defined-policy.png" alt-text="Screenshot that shows how to edit a user defined policy in the Defender portal. " lightbox="media/app-governance-app-policies-manage/edit-user-defined-policy.png":::
 
-- **Description**: Change the description to make it easier to understand the policy's purpose.
-- **Severity**
-- **Policy settings**: Change the set of apps to which the policy applies. You can also choose to use the existing conditions or modify the conditions
-- **Actions**: Change the autoremediation action for alerts generated by the policy.
-- **Status**: Change the policy status.
 
 ## Deleting an app policy
 
 To delete an app policy, you can:
 
 - Select the policy in the policy list, and then select **Delete** on the app policy pane.
-- Select the vertical ellipses for the policy in the list, and then select **Delete**.
 
-An alternative to deleting an app policy is to change its status to inactive. Once inactive, the policy doesn't generate alerts. For example, rather than deleting an app policy for an app with a specific set of conditions that are useful for a future policy, rename the app policy to indicate its usefulness and set its status to inactive. You can later return to the policy and modify it for a similar app and set its status to audit mode or inactive.
+An alternative to deleting an app policy is to change its status to disabled. Once disabled, the policy doesn't generate alerts. For example, rather than deleting an app policy for an app with a specific set of conditions that are useful for a future policy, rename the app policy to indicate its usefulness and set its status to disabled. 
 
 ## Next steps
 

CloudAppSecurityDocs/app-governance-get-started.md

@@ -63,7 +63,7 @@ You must have at least one of these roles to turn on app governance:
 - Security Admin          
 - Compliance Admin  
 - Compliance Data Admin
-- Cloud App Security admin
+- Cloud App Security Admin
 
 The following table lists the app governance capabilities for each role.
 

CloudAppSecurityDocs/media/app-governance-app-policies-manage/edit-user-defined-policy.png

@@ -8,7 +8,7 @@
     - name: Requirements
       href: mdb-requirements.md
     - name: What's new in Defender for Business?
-      href: /Microsoft-365/business-premium/m365bp-mdb-whats-new?toc=/defender-business/toc.json&bc=/defender-business/breadcrumb/toc.json
+      href: mdb-whats-new.md
     - name: Preview features
       href: /defender-xdr/preview
   - name: Resources for partners