Merge branch 'main' into patch-4

Author: chrisda

ATPDocs/remove-discoverable-passwords-active-directory-account-attributes.md

@@ -1,7 +1,7 @@
 ---
 title:  'Security Assessment: Remove Discoverable Passwords in Active Directory Account Attributes (Preview)'
 description: Learn how to identify and address discoverable passwords in Active Directory account attributes to mitigate security risks and improve your organization's security posture.
-ms.date: 08/04/2025
+ms.date: 08/12/2025
 ms.topic: how-to
 ---
 
@@ -10,7 +10,7 @@ ms.topic: how-to
 
 ## Why do discoverable passwords in Active Directory account attributes pose a risk?
 
-Certain free-text attributes are often overlooked during hardening but are readable by any authenticated user in the domain. When credentials or clues are mistakenly stored in these attributes, attackers can abuse them to move laterally across the environment or escalate privileges—often without triggering traditional alerts.
+Certain free-text attributes are often overlooked during hardening but are readable by any authenticated user in the domain. When credentials or clues are mistakenly stored in these attributes, attackers can abuse them to move laterally across the environment or escalate privileges.
 
 Attackers seek low-friction paths to expand access. Exposed passwords in these attributes represent an easy win because:
 
@@ -26,12 +26,12 @@ Removing exposed credentials from these attributes reduces the risk of identity
 ## How does Microsoft Defender for Identity detect discoverable passwords?
 
 > [!NOTE] 
-> This security recommendation is part of Microsoft Defender for Identity and is powered by AI-based analysis of free-text attributes in Active Directory. 
 > Findings can include false positives. Always validate the results before taking action.
 
-Microsoft Defender for Identity detects potential credential exposure in Active Directory by analyzing commonly used free-text attributes. This includes looking for common password formats, hints,  `'description'`, `'info'`, and `'adminComment'` fields, and other contextual clues that might suggest the presence of credential misuse. Microsoft Defender for Identity detects indicators such as:
+Microsoft Defender for Identity detects potential credential exposure in Active Directory by analyzing commonly used free-text attributes. This includes looking for common password formats, hints,  `'description'`, `'info'`, and `'adminComment'` fields, and other contextual clues that might suggest the presence of credential misuse. 
+This recommendation uses GenAI-powered analysis of Active directory attributes to detect:
 
-- Plaintext passwords or variations. For example, '`Password=Summer2024!'`
+- Plaintext passwords or variations. For example, '`Password=Summer2025!'`
 
 - Credential patterns, reset hints, or sensitive account information. 
 

defender-endpoint/ios-whatsnew.md

@@ -6,7 +6,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.reviewer: sunasing; denishdonga
 ms.localizationpriority: medium
-ms.date: 05/15/2025
+ms.date: 08/12/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -125,7 +125,7 @@ Defender for Endpoint is ending support for iOS/iPadOS 15 on January 31, 2025. M
 
 **How does this affect you or your users?**
 
-New users won't be able to install the Microsoft Defender app on devices running iOS/iPadOS 15 and earlier versions. Similarly, existing users won't be to upgrade to the latest version of the app.
+New users won't be able to install the Microsoft Defender app on devices running iOS/iPadOS 15 and earlier versions. Similarly, existing users will be able to upgrade till April-Mid Release version (1.1.64030101) of the app and not beyond it. 
 
 To check which devices support iOS 16 or iPadOS 16 (if applicable), see the following Apple documentation:
 

defender-endpoint/whats-new-in-microsoft-defender-endpoint.md

@@ -49,6 +49,7 @@ For more information on what's new with other Microsoft Defender security produc
 ## July 2025
 
 - (GA) [Microsoft Defender Core service](/defender-endpoint/microsoft-defender-core-service-overview) is now generally available on Windows Server 2019 or later.  Helps with the stability and performance of Microsoft Defender Antivirus.
+- Support for Azure Stack HCI OS is rolling out across commercial and government clouds.
 
 ## April 2025
 

defender-xdr/advanced-hunting-messageevents-table.md

@@ -6,10 +6,10 @@ ms.service: defender-xdr
 ms.subservice: adv-hunting
 f1.keywords: 
   - NOCSH
-ms.author: maccruz
-author: schmurky
+ms.author: pauloliveria
+author: poliveria
 ms.localizationpriority: medium
-manager: dansimp
+manager: orspodek
 audience: ITPro
 ms.collection: 
 - m365-security
@@ -21,16 +21,13 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 03/18/2025
+ms.date: 08/13/2025
 ---
 
-# MessageEvents (Preview)
+# MessageEvents
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
 The `MessageEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains details about messages sent and received within your organization at the time of delivery. Use this reference to construct queries that return information from this table. 
 
 This advanced hunting table is populated by records from Microsoft Defender for Office 365. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Office 365 in Defender XDR, read [Deploy supported services](deploy-supported-services.md).

defender-xdr/advanced-hunting-messagepostdeliveryevents-table.md

@@ -6,10 +6,10 @@ ms.service: defender-xdr
 ms.subservice: adv-hunting
 f1.keywords: 
   - NOCSH
-ms.author: maccruz
-author: schmurky
+ms.author: pauloliveria
+author: poliveria
 ms.localizationpriority: medium
-manager: dansimp
+manager: orspodek
 audience: ITPro
 ms.collection: 
 - m365-security
@@ -21,15 +21,14 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 03/18/2025
+ms.date: 08/13/2025
 ---
 
-# MessagePostDeliveryEvents (Preview)
+# MessagePostDeliveryEvents
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 
 The `MessagePostDeliveryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization. 
 

defender-xdr/advanced-hunting-messageurlinfo-table.md

@@ -6,10 +6,10 @@ ms.service: defender-xdr
 ms.subservice: adv-hunting
 f1.keywords: 
   - NOCSH
-ms.author: maccruz
-author: schmurky
+ms.author: pauloliveria
+author: poliveria
 ms.localizationpriority: medium
-manager: dansimp
+manager: orspodek
 audience: ITPro
 ms.collection: 
 - m365-security
@@ -21,10 +21,10 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 03/18/2025
+ms.date: 08/13/2025
 ---
 
-# MessageUrlInfo (Preview)
+# MessageUrlInfo
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 

defender-xdr/advanced-hunting-schema-tables.md

@@ -21,7 +21,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 08/05/2025
+ms.date: 08/13/2025
 ---
 
 # Understand the advanced hunting schema
@@ -104,9 +104,9 @@ The following reference lists all the tables in the schema. Each table name link
 | **[IdentityInfo](advanced-hunting-identityinfo-table.md)** | Account information from various sources, including Microsoft Entra ID |
 | **[IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md)** | Authentication events on Active Directory and Microsoft online services |
 | **[IdentityQueryEvents](advanced-hunting-identityqueryevents-table.md)** | Queries for Active Directory objects, such as users, groups, devices, and domains |
-| **[MessageEvents](advanced-hunting-messageevents-table.md)** (Preview) | Messages sent and received within your organization at the time of delivery |
-| **[MessagePostDeliveryEvents](advanced-hunting-messagepostdeliveryevents-table.md)** (Preview) | Security events that occurred after the delivery of a Microsoft Teams message in your organization |
-| **[MessageUrlInfo](advanced-hunting-messageurlinfo-table.md)** (Preview) | URLs sent through Microsoft Teams messages in your organization |
+| **[MessageEvents](advanced-hunting-messageevents-table.md)** | Messages sent and received within your organization at the time of delivery |
+| **[MessagePostDeliveryEvents](advanced-hunting-messagepostdeliveryevents-table.md)**  | Security events that occurred after the delivery of a Microsoft Teams message in your organization |
+| **[MessageUrlInfo](advanced-hunting-messageurlinfo-table.md)** | URLs sent through Microsoft Teams messages in your organization |
 | **[OAuthAppInfo](advanced-hunting-oauthappinfo-table.md)** (Preview) | Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability |
 | **[UrlClickEvents](advanced-hunting-urlclickevents-table.md)** | Safe Links clicks from email messages, Teams, and Office 365 apps |
 
@@ -117,4 +117,5 @@ The following reference lists all the tables in the schema. Each table name link
 - [Use shared queries](advanced-hunting-shared-queries.md)
 - [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
+
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/custom-detection-rules.md

@@ -89,6 +89,7 @@ To create a custom detection rule, the query must return the following columns:
       - `RecipientEmailAddress`
       - `SenderFromAddress` (envelope sender or Return-Path address)
       - `SenderMailFromAddress` (sender address displayed by email client)
+      - `SenderObjectId`
       - `RecipientObjectId`
       - `AccountObjectId`
       - `AccountSid`

unified-secops-platform/microsoft-sentinel-onboard.md

@@ -161,6 +161,8 @@ When you switch the primary workspace for Microsoft Sentinel, the Defender XDR c
 
 If you decide to offboard a workspace from the Defender portal, disconnect the workspace from the settings for Microsoft Sentinel.
 
+If your workspace has the [Microsoft Defender XDR connector](/azure/sentinel/connect-microsoft-365-defender) configured, offboarding the workspace from the Defender portal will also disconnect the Microsoft Defender XDR connector.
+
 1. Go to the [Microsoft Defender portal](https://security.microsoft.com/) and sign in.
 1. In the Defender portal, under **System**, select **Settings** > **Microsoft Sentinel**.
 1. On the **Workspaces** page, select the connected workspace and **Disconnect workspace**.
@@ -178,3 +180,4 @@ If you want to connect to a different workspace, from the **Workspaces** page, s
 - [Automatic attack disruption in Microsoft Defender XDR](/defender-xdr/automatic-attack-disruption)
 - [Investigate incidents in Microsoft Defender portal](/defender-xdr/investigate-incidents)
 - [Optimize your security operations](/azure/sentinel/soc-optimization/soc-optimization-access?tabs=defender-portal)
+