Merge branch 'main' into dex-h-update

Author: vpattnai

.openpublishing.redirection.defender-cloud-apps.json

@@ -994,6 +994,11 @@
       "source_path": "CloudAppSecurityDocs/what-is-cloud-app-security.md",
       "redirect_url": "/defender-cloud-apps/what-is-defender-for-cloud-apps",
       "redirect_document_id": true
+    },
+    {
+      "source_path": "CloudAppSecurityDocs/file-filters.md",
+      "redirect_url": "/defender-cloud-apps/data-protection-policies",
+      "redirect_document_id": false
     }
   ]
 }

ATPDocs/deploy/remote-calls-sam.md

@@ -11,7 +11,7 @@ Microsoft Defender for Identity mapping for [potential lateral movement paths](/
 
 > [!NOTE]
 > This feature can potentially be exploited by an adversary to obtain the Net-NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
-> The new Defender for Identity sensor is not affected by this issue as it uses different detection methods.
+> The new Defender for Identity sensor (version 3.x) is not affected by this issue as it uses different detection methods.
 > 
 > It is recommended to use a [low privileged DSA account](directory-service-accounts.md#grant-required-dsa-permissions). You can also [contact support](../support.md) to open a case and request to completely disable the [Lateral Movement Paths](../security-assessment-riskiest-lmp.md) data collection capability.
 > Please note that this will result in reduced data available for the [attack path feature in Exposure Management](/security-exposure-management/review-attack-paths).

ATPDocs/health-alerts.md

@@ -1,7 +1,7 @@
 ---
 title: Microsoft Defender for Identity health issues
 description: This article describes all the health issues that can occur for each component, listing the cause and the steps needed to resolve the problem
-ms.date: 07/09/2024
+ms.date: 01/16/2025
 ms.topic: how-to
 ---
 
@@ -191,6 +191,12 @@ Sensor-specific health issues are displayed in the **Sensor health issues** tab
 |----|----|----|----|----|
 |Radius accounting (VPN integration) data ingestion failures.|The listed Defender for Identity sensors have radius accounting (VPN integration) data ingestion failures.|Validate that the shared secret in the Defender for Identity configuration settings matches your VPN server, according to the guidance described [Configure VPN in Defender for Identity](vpn-integration.md#configure-vpn-in-defender-for-identity) section, in the [Defender for Identity VPN integration](vpn-integration.md) page.|Low|Health issues page|
 
+### Auditing for AD CS servers is not enabled as required
+
+|Alert|Description|Resolution|Severity|Displayed in|
+|----|----|----|----|----|
+|Auditing for AD CS servers is not enabled as required. (This configuration is validated once a day, per sensor).|The Advanced Auditing Policy Configuration or AD CS auditing is not enabled as required.|Enable the Advanced Auditing Policy Configuration and AD CS auditing according to the guidance as described in the [Configure auditing on AD CS](configure-windows-event-collection.md#configure-auditing-on-ad-cs) section, in the [Configure Windows Event collection](configure-windows-event-collection.md) page.|Medium|Sensors health issues tab|
+
 ### Sensor failed to retrieve Microsoft Entra Connect service configuration
 
 | Alert| Description  |Resolution|Severity|Displayed in|

ATPDocs/role-groups.md

@@ -28,7 +28,7 @@ For more information, see [Custom roles in role-based access control for Microso
 > [!NOTE]
 > Information included from the [Defender for Cloud Apps activity log](classic-mcas-integration.md#activities) may still contain Defender for Identity data. This content adheres to existing Defender for Cloud Apps permissions.
 > 
-> Exception: If you have configured [Scoped deployment](/defender-cloud-apps/scoped-deployment) for Microsoft Defender for Identity alerts in the Microsoft Defender for Cloud Apps portal, these permissions do not carry over and you will have to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users.
+> Exception: If you have configured [Scoped deployment](/defender-cloud-apps/scoped-deployment) for Microsoft Defender for Identity alerts in Microsoft Defender for Cloud Apps, these permissions do not carry over and you will have to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users.
 
 ## Required permissions Defender for Identity in Microsoft Defender XDR
 

CloudAppSecurityDocs/activity-filters-queries.md

@@ -15,13 +15,16 @@ This article provides descriptions and instructions for Defender for Cloud Apps
 
 Below is a list of the activity filters that can be applied. Most filters support multiple values as well as *NOT* to provide you with a powerful tool for policy creation.
 
-- Activity ID - Search only for specific activities by their ID. This filter is useful when you connect Microsoft Defender for Cloud Apps to your SIEM (using the SIEM agent) and you want to further investigate alerts within the Defender for Cloud Apps portal.
+- Activity ID - Search only for specific activities by their ID. This filter is useful when you connect Microsoft Defender for Cloud Apps to your SIEM (using the SIEM agent) and you want to further investigate alerts using Defender for Cloud Apps.
 
 - Activity objects – Search for the objects the activity was done on. This filter applies to files, folders, users, or app objects.
     - Activity object ID - the ID of the object (file, folder, user, or app ID).
 
-    - Item - Enables you to search by the name or ID of any activity object (for example, user names, files, parameters, sites). For the **Activity object Item** filter, you can select whether to filter for items that **Contain**, **Equal**, or **Starts with** the specific item.
+    - Item - Enables you to search by the name or ID of any activity object (for example, user names, files, parameters, sites). For the **Activity object Item** filter, you can select whether to filter for items that **Contains**, **Equals**, or **Starts with** the specific item.
 
+    > [!NOTE]
+    > Activity-Policy's **Activity object Item** filter supports the **Equals** operator only.
+  
 - Action type - Search for a more specific action performed in an app.
 
 - Activity type - Search for the app activity.
@@ -67,41 +70,41 @@ Below is a list of the activity filters that can be applied. Most filters suppor
     - Tor exit nodes
     - Zscaler
 
-- Impersonated activity – Search only for activities that were performed in the name of another user.
+- Impersonated activity - Search only for activities that were performed in the name of another user.
 
 - Instance - The app instance where the activity was or wasn't performed.
 
-- Location – The country/region from which the activity was performed.
+- Location - The country/region from which the activity was performed.
 
-- Matched Policy – Search for activities that matched a specific policy that was set in the portal.
+- Matched Policy - Search for activities that matched a specific policy that was set in the portal.
 
-- Registered ISP – The ISP from which the activity was performed.
+- Registered ISP - The ISP from which the activity was performed.
 
 - Source - Search by the source from which the activity was detected. The source can be any of the following:
-  - App connector - logs coming directly from the app's API connector.
+  - App connector - Logs coming directly from the app's API connector.
   - App connector analysis - Defender for Cloud Apps enrichments based on information scanned by the API connector.
 
-- User – The user who performed the activity, which can be filtered into domain, group, name, or organization. In order to filter activities with no specific user, you can use the 'is not set' operator.
+- User - The user who performed the activity, which can be filtered into domain, group, name, or organization. In order to filter activities with no specific user, you can use the 'is not set' operator.
   - User domain - Search for a specific user domain.
-  - User organization – The organizational unit of the user who performed the activity, for example, all activities performed by EMEA_marketing users. This is only relevant for connected Google Workspace instances using organizational units.
-  - User group – Specific user groups that you can import from connected apps, for example, Microsoft 365 administrators.
+  - User organization - The organizational unit of the user who performed the activity, for example, all activities performed by EMEA_marketing users. This is only relevant for connected Google Workspace instances using organizational units.
+  - User group - Specific user groups that you can import from connected apps, for example, Microsoft 365 administrators.
   - User name - Search for a specific username. To see a list of users in a specific user group, in the **Activity drawer**, select the name of the user group. Clicking will take you to the Accounts page, which lists all the users in the group. From there, you can drill down into the details of the accounts of specific users in the group.
   - The **User group** and **User name** filters can be further filtered by using the **As** filter and selecting the role of the user, which can be any of the following:
     - Activity object only - meaning that the user or user group selected didn't perform the activity in question; they were the object of the activity.
     - Actor only - meaning that the user or user group performed the activity.
     - Any role - Meaning that the user or user group was involved in the activity, either as the person who performed the activity or as the object of the activity.
 
-- User agent – The user agent of from with the activity was performed.
+- User agent - The user agent of from with the activity was performed.
 
-- User agent tag – Built-in user agent tag, for example, all activities from outdated operating systems or outdated browsers.
+- User agent tag - Built-in user agent tag, for example, all activities from outdated operating systems or outdated browsers.
 
 ## Activity queries
 
 To make investigation even simpler, you can now create custom queries and save them for later use.
 
 1. In the **Activity log** page, use the filters as described above to drill down into your apps as necessary.
 
-  :::image type="content" source="media/activity-log-query.png" alt-text="Use filters to make query.":::
+   :::image type="content" source="media/activity-log-query.png" alt-text="Use filters to make query.":::
 
 1. After you've finished building your query, select the **Save as** button.
 
@@ -115,23 +118,23 @@ To make investigation even simpler, you can now create custom queries and save t
 
 Defender for Cloud Apps also provides you with **Suggested queries**. Suggested queries provide you with recommended avenues of investigation that filter your activities. You can edit these queries and save them as custom queries. The following are optional suggested queries:
 
-- Admin activities - filters all your activities to display only those activities that involve admins.
+- Admin activities - Filters all your activities to display only those activities that involve admins.
 
-- Download activities - filters all your activities to display only those activities that were download activities, including downloading user list as a .csv file, downloading shared content, and downloading a folder.
+- Download activities - Filters all your activities to display only those activities that were download activities, including downloading user list as a .csv file, downloading shared content, and downloading a folder.
 
-- Failed log-in - filters all your activities to display only failed sign-in and failed sign-ins via SSO
+- Failed log-in - Filters all your activities to display only failed sign-in and failed sign-ins via SSO
 
-- File and folder activities - filters all your activities to display only those involving files and folders. The filter includes uploading, download, and accessing folders, along with creating, deleting, uploading, downloading, quarantining, and accessing files and transferring content.
+- File and folder activities - Filters all your activities to display only those involving files and folders. The filter includes uploading, download, and accessing folders, along with creating, deleting, uploading, downloading, quarantining, and accessing files and transferring content.
 
-- Impersonation activities - filters all your activities to display only impersonation activities.
+- Impersonation activities - Filters all your activities to display only impersonation activities.
 
-- Password changes and reset requests - filters all your activities to display only those activities that involve password reset, change password, and force a user to change the password on the next sign-in.
+- Password changes and reset requests - Filters all your activities to display only those activities that involve password reset, change password, and force a user to change the password on the next sign-in.
 
-- Sharing activities - filters all your activities to display only those activities that involve sharing folders and files, including creating a company link, creating an anonymous link, and granting read/write permissions.
+- Sharing activities - Filters all your activities to display only those activities that involve sharing folders and files, including creating a company link, creating an anonymous link, and granting read/write permissions.
 
-- Successful log-in - filters all your activities to display only those activities that involve successful sign-ins, including impersonate action, impersonate sign-in, single sign-o sign-ins, and sign-in from a new device.
+- Successful log-in - Filters all your activities to display only those activities that involve successful sign-ins, including impersonate action, impersonate sign-in, single sign-o sign-ins, and sign-in from a new device.
 
-![query activities.](media/queries-activity.png)
+  ![query activities.](media/queries-activity.png)
 
 Additionally, you can use the suggested queries as a starting point for a new query. First, select one of the suggested queries. Then, make changes as needed and finally select **Save as** to create a new **Saved query**.
 

CloudAppSecurityDocs/api-tokens-legacy.md

@@ -8,15 +8,15 @@ ms.topic: reference
 
 
 
-In order to access the Defender for Cloud Apps API, you have to create an API token and use it in your software to connect to the API. This token will be included in the header when Defender for Cloud Apps makes API requests.
+In order to access the Defender for Cloud Apps API, you have to create an API token and use it in your software to connect to the API. This token is included in the header when Defender for Cloud Apps makes API requests.
 
 The API tokens tab enables you to help you manage all the API tokens of your tenant.
 
 ## Generate a token
 
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **System**, select **API tokens**.
 
-1. Select the **Add token** and provide a name to identify the token in the future, and select **Generate**.
+1. Select **Add token** and provide a name to identify the token in the future, and select **Generate**.
 
     ![Defender for Cloud Apps generates API token.](media/api-token-gen.png)
 
@@ -26,9 +26,9 @@ The API tokens tab enables you to help you manage all the API tokens of your ten
 
     - **Generated:** Tokens that have never been used.
     - **Active:** Tokens that were generated and were used within the past seven days.
-    - **Inactive:** Tokens that were used but there was no activity in the last seven days.
+    - **Inactive:** Tokens that were used, but there was no activity in the last seven days.
 
-1. After you generate a new token, you'll be provided with a new URL to use to access the Defender for Cloud Apps portal.
+1. After you generate a new token, you'll be provided with a new URL to use to access Defender for Cloud Apps.
 
     ![Defender for Cloud Apps API token.](media/generate-api-token.png)
 
@@ -46,7 +46,7 @@ After a token is revoked, it's removed from the table, and the software that was
 
 > [!NOTE]
 >
-> - SIEM connectors and log collectors also use API tokens. These tokens should be managed from the log collectors and SIEM agent sections and do not appear in this table.
-> - Deprovisioned users API tokens are retained in Defender for Cloud Apps but cannot be used. Any attempt to use them will result in a permission denied response. However, we recommend that such tokens are revoked on the **API tokens** page.
+> - SIEM connectors and log collectors also use API tokens. These tokens should be managed from the log collectors and SIEM agent sections and don't appear in this table.
+> - Deprovisioned users API tokens are retained in Defender for Cloud Apps but can't be used. Any attempt to use them will result in a permission denied response. However, we recommend that such tokens are revoked on the **API tokens** page.
 
 [!INCLUDE [Open support ticket](includes/support.md)]