Merge branch 'main' into WI502000-mda-salesforce-connection

DeCohen · web-flow · commit b860488d6eb7 · 2025-11-30T12:34:18.000+02:00
diff --git a/defender-endpoint/api/run-live-response.md b/defender-endpoint/api/run-live-response.md
@@ -69,7 +69,7 @@ Runs a sequence of live response commands on a device
 
 - 25 concurrently running sessions (requests exceeding the throttling limit receives a "429 - Too many requests" response).
 
-- If the machine isn't available, the session is queued for up to three days.
+- If the machine isn't available, the session is queued for up to 2 hours.
 
 - RunScript command time-outs after 10 minutes.
 
diff --git a/defender-endpoint/configure-endpoints-gp.md b/defender-endpoint/configure-endpoints-gp.md
@@ -36,7 +36,7 @@ Check out [Identify Defender for Endpoint architecture and deployment method](de
 
 1. Open the GP configuration package file (`WindowsDefenderATPOnboardingPackage.zip`) that you downloaded from the service onboarding wizard. You can also get the package from the [Microsoft Defender portal](https://security.microsoft.com):
 
-   1. In the navigation pane, select **Settings** > **Endpoints** > **Device management**  > **Onboarding**.
+   1. In the navigation pane, select **System** > **Settings** > **Endpoints** > **Device management**  > **Onboarding**.
 
    1. Select the operating system.
 
@@ -179,7 +179,7 @@ For security reasons, the package used to Offboard devices will expire 7 days af
 
 1. Get the offboarding package from the [Microsoft Defender portal](https://security.microsoft.com):
 
-   1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Offboarding**.
+   1. In the navigation pane, select **System** > **Settings** > **Endpoints** > **Device management** > **Offboarding**.
 
    1. Select the operating system.
     
diff --git a/defender-endpoint/linux-install-with-defender-deployment-tool.md b/defender-endpoint/linux-install-with-defender-deployment-tool.md
@@ -95,21 +95,21 @@ The Defender deployment tool enforces the following set of prerequisites checks,
 
    :::image type="content" source="./media/linux-install-with-defender-deployment-tool/deployment-tool-help.png" alt-text="Screenshot showing the help command output." lightbox="./media/linux-install-with-defender-deployment-tool/deployment-tool-help.png":::
 
-The following table provides examples of commands for useful scenarios.
-
-| **Scenario** | **Command** |
-|:-------------|:------------|
-| Check for unmet non-blocking prerequisites | `sudo ./defender_deployment_tool.sh --pre-req-non-blocking` |
-| Run the connectivity test | `sudo ./defender_deployment_tool.sh --connectivity-test` |
-| Deploy to a custom location | `sudo ./defender_deployment_tool.sh --install-path /usr/microsoft/` |
-| Deploy from the insider-slow channel | `sudo ./defender_deployment_tool.sh --channel insiders-slow` |
-| Deploy using a proxy | `sudo ./defender_deployment_tool.sh --http-proxy <http://username:password@proxy_host:proxy_port>` |
-| Deploy a specific agent version | `sudo ./defender_deployment_tool.sh --mdatp 101.25042.0003 --channel prod` |
-| Upgrade to a specific agent version | `sudo ./defender_deployment_tool.sh --upgrade --mdatp 101.24082.0004` |
-| Downgrade to a specific agent version | `sudo ./defender_deployment_tool.sh --downgrade --mdatp 101.24082.0004` |
-| Uninstall Defender | `sudo ./defender_deployment_tool.sh --remove` |
-| Only onboard if Defender is already installed | `sudo ./defender_deployment_tool.sh --only-onboard` |
-| Offboard Defender | `sudo ./defender_deployment_tool.sh --offboard MicrosoftDefenderATPOffboardingLinuxServer.py`<br>*(Note: The latest offboarding file can be downloaded from the Microsoft Defender portal)* |
+   The following table provides examples of commands for useful scenarios.
+    
+   | **Scenario** | **Command** |
+   |:-------------|:------------|
+   | Check for unmet non-blocking prerequisites | `sudo ./defender_deployment_tool.sh --pre-req-non-blocking` |
+   | Run the connectivity test | `sudo ./defender_deployment_tool.sh --connectivity-test` |
+   | Deploy to a custom location | `sudo ./defender_deployment_tool.sh --install-path /usr/microsoft/` |
+   | Deploy from the insider-slow channel | `sudo ./defender_deployment_tool.sh --channel insiders-slow` |
+   | Deploy using a proxy | `sudo ./defender_deployment_tool.sh --http-proxy <http://username:password@proxy_host:proxy_port>` |
+   | Deploy a specific agent version | `sudo ./defender_deployment_tool.sh --mdatp 101.25042.0003 --channel prod` |
+   | Upgrade to a specific agent version | `sudo ./defender_deployment_tool.sh --upgrade --mdatp 101.24082.0004` |
+   | Downgrade to a specific agent version | `sudo ./defender_deployment_tool.sh --downgrade --mdatp 101.24082.0004` |
+   | Uninstall Defender | `sudo ./defender_deployment_tool.sh --remove` |
+   | Only onboard if Defender is already installed | `sudo ./defender_deployment_tool.sh --only-onboard` |
+   | Offboard Defender | `sudo ./defender_deployment_tool.sh --offboard MicrosoftDefenderATPOffboardingLinuxServer.py`<br>*(Note: The latest offboarding file can be downloaded from the Microsoft Defender portal)* |
 
 ## Verify deployment status
 
@@ -204,11 +204,11 @@ Defender for Endpoint on Linux can be deployed from one of the following channel
 - insiders-slow
 - prod (production)
 
-Each of these channels corresponds to a Linux software repository. The channel determines the type and frequency of updates that are offered to your device. Devices in insiders-fast are the first to receive updates and new features, followed later by insiders-slow and lastly by prod.
+Each of these channels corresponds to a Linux software repository. The channel determines the type and frequency of updates that are offered to your device. Devices in insiders-fast are the first to receive updates and new features, followed later by insiders-slow and lastly by prod.
 
 By default, the deployment tool configures your device to use the prod channel. You can use the configuration options described in this document to deploy from a different channel.
 
-To preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either insiders-fast or insiders-slow. If you've already deployed Defender for Endpoint on Linux from a channel and want to switch to a different channel (from prod to insiders-fast, for example), you must first remove the current channel, then delete the current channel repo, and then finally install Defender from the new channel, as illustrated in the following example, where the channel is changed from insiders-fast to prod:
+To preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either insiders-fast or insiders-slow. If you've already deployed Defender for Endpoint on Linux from a channel and want to switch to a different channel (from prod to insiders-fast, for example), you must first remove the current channel, then delete the current channel repo, and then finally install Defender from the new channel, as illustrated in the following example, where the channel is changed from insiders-fast to prod:
 
 1. Remove the insiders-fast channel version of Defender for Endpoint on Linux..
 
@@ -225,7 +225,7 @@ To preview new features and provide early feedback, it's recommended that you co
 1. Install Microsoft Defender for Endpoint on Linux using the production channel.
 
    ```bash
-   sudo ./defender_deployment_tool.sh --install --channel prod
+   sudo ./defender_deployment_tool.sh --channel prod
    ```
 
 ## Related content
diff --git a/defender-endpoint/onboarding.md b/defender-endpoint/onboarding.md
@@ -37,7 +37,7 @@ If you're onboarding devices in the Microsoft Defender portal, follow these step
 
 1. Make sure to review the [Minimum requirements for Defender for Endpoint](minimum-requirements.md).
 
-2. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints**, and then, under **Device management**, select **Onboarding**.
+2. In the [Microsoft Defender portal](https://security.microsoft.com), go to **System** > **Settings** > **Endpoints**, and then, under **Device management**, select **Onboarding**.
 
    :::image type="content" source="media/mde-device-onboarding-ui.png" alt-text="Screenshot showing device onboarding in the Microsoft Defender portal for Defender for Endpoint.":::
 
diff --git a/defender-endpoint/preferences-setup.md b/defender-endpoint/preferences-setup.md
@@ -23,7 +23,7 @@ appliesto:
 # Configure general Defender for Endpoint settings
 
 
-Use the **Settings > Endpoints** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
+Use the **System > Settings > Endpoints** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
 
 ## In this section
 
diff --git a/defender-for-cloud-apps/create-snapshot-cloud-discovery-reports.md b/defender-for-cloud-apps/create-snapshot-cloud-discovery-reports.md
@@ -83,6 +83,11 @@ To successfully generate a cloud discovery report, your traffic logs must meet t
 1. The log file is valid and includes outbound traffic information.
 1. Configure the appliance to forward only traffic logs. Including unrelated logs in the configuration can inflate the ingested traffic volume.
 
+> [!IMPORTANT]
+> ZIP upload is supported **only for a single compressed file.** ZIP archives containing multiple log files are **not supported.**
+> Individual log files larger than **1 GB** cannot be uploaded. Split large logs before uploading. You can upload up to 20 files per batch.
+
+
 ## Next steps
 
 > [!div class="nextstepaction"]
diff --git a/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management.md b/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management.md
@@ -26,7 +26,7 @@ This article provides information about new features and important product updat
 ## November 2025
 
 - (Preview) The **Vulnerability Management** section in the Microsoft Defender portal is now located under **Exposure management**. This change is part of the vulnerability management integration to Microsoft Security Exposure Management, which significantly expands the scope and capabilities of the platform. [Learn more](#microsoft-defender-vulnerability-management-and-microsoft-security-exposure-management-integration).
-- (Preview) **Microsoft Secure Score now includes new recommendations** to help organizations proactively prevent common endpoint attack techniques.
+- (GA) **Microsoft Secure Score now includes new recommendations** to help organizations proactively prevent common endpoint attack techniques.
     - **Require LDAP client signing** and **Require LDAP server signing** - help ensure integrity of directory requests so attackers can't tamper with or manipulate group memberships or permissions in transit.
     - **Encrypt LDAP client traffic** - prevents exposure of credentials and sensitive user information by enforcing encrypted communication instead of clear-text LDAP.
     - **Enforce LDAP channel binding** - prevents man-in-the-middle relay attacks by ensuring the authentication is cryptographically tied to the TLS session. If the TLS channel changes, the bind fails, stopping credential replay.
diff --git a/defender-xdr/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/defender-xdr/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
@@ -21,7 +21,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 03/28/2025
+ms.date: 11/27/2025
 ---
 
 # DeviceTvmSecureConfigurationAssessment
@@ -48,8 +48,8 @@ For information on other tables in the advanced hunting schema, see [the advance
 | `ConfigurationCategory` | `string` | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
 | `ConfigurationSubcategory` | `string` | Subcategory or subgrouping to which the configuration belongs. In many cases,  string describes specific capabilities or features. |
 | `ConfigurationImpact` | `real` | Rated impact of the configuration to the overall configuration score (1-10) |
-| `IsCompliant` | `boolean` | Indicates whether the configuration or policy is properly configured <br /> * A value of 1 is Compliant<br /> * A value of 0 is Not Compliant|
-| `IsApplicable` | `boolean` | Indicates whether the configuration or policy applies to the device <br /> * A value of 1 is Applicable<br /> * A value of 0 is Not Applicable |
+| `IsCompliant` | `boolean` | Indicates whether the configuration or policy is properly configured <br /> * A value of True is Compliant<br /> * A value of False is Not Compliant|
+| `IsApplicable` | `boolean` | Indicates whether the configuration or policy applies to the device <br /> * A value of True is Applicable<br /> * A value of False is Not Applicable |
 | `Context` | `dynamic` | Additional contextual information about the configuration or policy |
 | `IsExpectedUserImpact` | `boolean` | Indicates whether there will be user impact if the configuration or policy is applied |
 
diff --git a/defender-xdr/advanced-hunting-schema-changes.md b/defender-xdr/advanced-hunting-schema-changes.md
@@ -21,7 +21,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 11/04/2025
+ms.date: 11/27/2025
 ---
 
 # Advanced hunting schema - Naming changes
@@ -38,10 +38,12 @@ Naming changes are automatically applied to queries that are saved in Microsoft
 - Queries that are saved elsewhere outside Microsoft Defender XDR
 
 ## November 2025
+- The Boolean field values in advanced hunting results will change from numeric (`1` and `0`) to textual (`True` and `False`) on January 25, 2026. While your queries and custom detection rules won't be affected by this change, you might want to update your automated processes (for example, scripts, playbooks, or integrations) parsing these values.
 
-The [`AADSignInEventsBeta`](advanced-hunting-aadsignineventsbeta-table.md) and  [`AADSpnSignInEventsBeta`](advanced-hunting-aadspnsignineventsbeta-table.md) tables are being replaced by [`EntraIdSignInEvents`](advanced-hunting-entraidsigninevents-table.md) and [`EntraIdSpnSignInEvents`](advanced-hunting-entraidspnsigninevents-table.md), respectively. These changes are being made to remove the former tables' preview status and to align them with the existing product branding.
 
-The `EntraIdSignInEvents` and `EntraIdSpnSignInEvents` tables are now available. The legacy `AADSignInEventsBeta`and `AADSpnSignInEventsBeta` tables will remain in the schema for 30 days to allow time for updating your queries. Your custom detections will be updated automatically and won't require any changes. On December 9, 2025, `AADSignInEventsBeta`and `AADSpnSignInEventsBeta` will be removed from the schema.
+- The [`AADSignInEventsBeta`](advanced-hunting-aadsignineventsbeta-table.md) and  [`AADSpnSignInEventsBeta`](advanced-hunting-aadspnsignineventsbeta-table.md) tables are being replaced by [`EntraIdSignInEvents`](advanced-hunting-entraidsigninevents-table.md) and [`EntraIdSpnSignInEvents`](advanced-hunting-entraidspnsigninevents-table.md), respectively. These changes are being made to remove the former tables' preview status and to align them with the existing product branding.
+
+    The `EntraIdSignInEvents` and `EntraIdSpnSignInEvents` tables are now available. The legacy `AADSignInEventsBeta`and `AADSpnSignInEventsBeta` tables will remain in the schema for 30 days to allow time for updating your queries. Your custom detections will be updated automatically and won't require any changes. On December 9, 2025, `AADSignInEventsBeta`and `AADSpnSignInEventsBeta` will be removed from the schema.
 
 ## September 2025
 
@@ -60,7 +62,7 @@ The `DeviceTvmSoftwareInventoryVulnerabilities` table has been deprecated. Repla
 
 ## February 2021
 
-1. In the [EmailAttachmentInfo](advanced-hunting-emailattachmentinfo-table.md) and [EmailEvents](advanced-hunting-emailevents-table.md) tables, the `MalwareFilterVerdict` and `PhishFilterVerdict` columns have been replaced by the `ThreatTypes` column. The `MalwareDetectionMethod` and `PhishDetectionMethod` columns were also replaced by the `DetectionMethods` column. This streamlining allows us to provide more information under the new columns. The mapping is provided below.
+- In the [EmailAttachmentInfo](advanced-hunting-emailattachmentinfo-table.md) and [EmailEvents](advanced-hunting-emailevents-table.md) tables, the `MalwareFilterVerdict` and `PhishFilterVerdict` columns have been replaced by the `ThreatTypes` column. The `MalwareDetectionMethod` and `PhishDetectionMethod` columns were also replaced by the `DetectionMethods` column. This streamlining allows us to provide more information under the new columns. The mapping is provided below.
 
     | Table name | Original column name | New column name | Reason for change
     |--|--|--|--|
@@ -70,11 +72,11 @@ The `DeviceTvmSoftwareInventoryVulnerabilities` table has been deprecated. Repla
     | `EmailEvents` | `MalwareFilterVerdict` <br>`PhishFilterVerdict` | `ThreatTypes` | Include more threat types |
 
 
-2. In the `EmailAttachmentInfo` and `EmailEvents` tables, the `ThreatNames` column was added to give more information about the email threat. This column contains values like Spam or Phish.
+- In the `EmailAttachmentInfo` and `EmailEvents` tables, the `ThreatNames` column was added to give more information about the email threat. This column contains values like Spam or Phish.
 
-3. In the [DeviceInfo](advanced-hunting-deviceinfo-table.md) table, the `DeviceObjectId` column was replaced by the `AadDeviceId` column based on customer feedback.
+- In the [DeviceInfo](advanced-hunting-deviceinfo-table.md) table, the `DeviceObjectId` column was replaced by the `AadDeviceId` column based on customer feedback.
 
-4. In the [DeviceEvents](advanced-hunting-deviceevents-table.md) table, several ActionType names were modified to better reflect the description of the action. Details of the changes can be found below.
+- In the [DeviceEvents](advanced-hunting-deviceevents-table.md) table, several ActionType names were modified to better reflect the description of the action. Details of the changes can be found below.
 
     | Table name | Original ActionType name | New ActionType name | Reason for change
     |--|--|--|--|
diff --git a/defender-xdr/preview.md b/defender-xdr/preview.md
@@ -64,6 +64,6 @@ If you already have preview features turned on and you're a Microsoft Defender f
 
 :::image type="content" source="media/preview-features-settings.png" alt-text="Screenshot of the preview features settings.":::
 
-If you don't yet have preview features turned on, manage Defender for Business and Defender for Endpoint preview features from the **Settings > Endpoints > Advanced features > Preview features** page, and Defender for Cloud Apps preview features from the **Settings > Cloud Apps > General > Preview features** page.
+If you don't yet have preview features turned on, manage Defender for Business and Defender for Endpoint preview features from the **System > Settings > Endpoints > Advanced features > Preview features** page, and Defender for Cloud Apps preview features from the **Settings > Cloud Apps > General > Preview features** page.
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
diff --git a/exposure-management/exposure-insights-overview.md b/exposure-management/exposure-insights-overview.md
diff --git a/exposure-management/media/security-recommendations/recommendations-landing-page.png b/exposure-management/media/security-recommendations/recommendations-landing-page.png
diff --git a/exposure-management/security-recommendations.md b/exposure-management/security-recommendations.md
