Merge branch 'main' into EOP-chrisda

chrisda · chrisda · commit caa2fdf45ec4 · 2025-07-08T18:51:35.000-07:00
diff --git a/ATPDocs/health-alerts.md b/ATPDocs/health-alerts.md
diff --git a/defender-endpoint/respond-file-alerts.md b/defender-endpoint/respond-file-alerts.md
@@ -90,7 +90,8 @@ This action takes effect on devices with Windows 10, version 1703 or later, and
    - **Search box** - select **File** from the drop-down menu and enter the file name
 
    > [!NOTE]
-   > The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file).
+   > The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file).<br>
+   >  The Stop and quarantine action has a maximum timeout period of 3 days. If the targeted device remains offline for longer than this period after the action is initiated, the action will not be delivered to that device.<br> To ensure the file remains blocked beyond the timeout or after the action completes, it's recommended to create an indicator to block the file explicitly.
 
 2. Go to the top bar and select **Stop and Quarantine File**.
 
diff --git a/defender-endpoint/troubleshoot-collect-support-log.md b/defender-endpoint/troubleshoot-collect-support-log.md
@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: troubleshooting
 ms.subservice: edr
 search.appverid: met150
-ms.date: 06/27/2025
+ms.date: 07/04/2025
 ---
 
 # Collect support logs in Microsoft Defender for Endpoint using live response
@@ -57,7 +57,7 @@ This article provides instructions on how to run the tool via Live Response on W
 
 1. While still in the LiveResponse session, use the following commands to run the analyzer and collect the resulting file.
 
-      ```console
+   ```console
    Putfile MDEClientAnalyzerPreview.zip
    Run MDELiveAnalyzer.ps1
    GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDECA\MDEClientAnalyzerResult.zip"
@@ -114,7 +114,7 @@ The following script performs the first six steps of the [Running the Binary ver
    
    echo "Getting XMDEClientAnalyzerBinary"
    wget --quiet -O /tmp/XMDEClientAnalyzerBinary.zip https://go.microsoft.com/fwlink/?linkid=2297517
-   echo 'c65a4e4c6851d130942bfacd147a9d18b8a92b4f50facf519477fd1c41a1c323 /tmp/XMDEClientAnalyzerBinary.zip' | sha256sum -c
+   echo 'C65A4E4C6851D130942BFACD147A9D18B8A92B4F50FACF519477FD1C41A1C323 /tmp/XMDEClientAnalyzerBinary.zip' | sha256sum -c
    
    echo "Unzipping XMDEClientAnalyzerBinary.zip"
    unzip -q /tmp/XMDEClientAnalyzerBinary.zip -d /tmp/XMDEClientAnalyzerBinary
@@ -140,7 +140,7 @@ The following script performs the first six steps of the [Running the Python ver
   
    echo "Getting XMDEClientAnalyzer.zip"
    wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer 
-   echo '36C2B13AE657456119F3DC2A898FD9D354499A33F65015670CE2CD8A937F3C66 XMDEClientAnalyzer.zip' | sha256sum -c  
+   echo '07E6A7B89E28A78309D5B6F1E25E4CDFBA9CA141450E422D76441C03AD3477E7 XMDEClientAnalyzer.zip' | sha256sum -c  
 
    echo "Unzipping XMDEClientAnalyzer.zip"
    unzip -q XMDEClientAnalyzer.zip -d /tmp/XMDEClientAnalyzer  
diff --git a/defender-vulnerability-management/fixed-reported-inaccuracies.md b/defender-vulnerability-management/fixed-reported-inaccuracies.md
@@ -14,7 +14,7 @@ ms.collection:
 - tier2
 ms.localizationpriority: medium
 ms.topic: troubleshooting
-ms.date: 06/05/2025
+ms.date: 07/07/2025
 ---
 
 # Vulnerability support in Microsoft Defender Vulnerability Management
@@ -33,6 +33,28 @@ This article provides information on inaccuracies that have been reported. You c
  
 The following tables present the relevant vulnerability information organized by month.
 
+## July 2025
+
+| Inaccuracy report ID | Description | Fix date |
+|---|---|---|
+| 96976 | Improved accuracy for HashiCorp Boundary | 01-July-25 |
+
+## June 2025
+
+| Inaccuracy report ID | Description | Fix date |
+|---|---|---|
+| 91312 | Fixed inaccuracy in Zoom vulnerabilities- CVE-2018-15715, CVE-2024-27238, CVE-2024-27240 & CVE-2024-39819 | 10-June-25 |
+| 97104 | Fixed inaccuracy in Devolutions Remote Desktop Manager vulnerabilities- CVE-2024-11621, CVE-2024-8474, CVE-2025-1635 & CVE-2025-1636 | 10-June-25 |
+| 93464 | Fixed inaccuracy in Teamviewer vulnerabilities- CVE-2024-1933, CVE-2024-7479, CVE-2024-7481 & CVE-2025-0065 | 24-June-25 |
+| 99450 | Fixed inaccurate detections in MongoDB | 24-June-25 |
+| 98375 | Fixed inaccuracy in CVE-2023-32430 | 24-June-25 |
+| 99991 | Fixed bad normalization in Postman | 24-June-25 |
+| - | Fixed inaccurate detections in Git-scm | 24-June-25 |
+| 96989 | Fixed bad detections in Santesoft Sante Free PACS Server | 24-June-25 |
+| - | Added Microsoft Defender Vulnerability Management support for UI for ASP.NET AJAX | 24-June-25 |
+| - | Fixed bad normalization in Zotero | 24-June-25 |
+| 98813 | Fixed inaccuracy in Gonitro vulnerabilities- CVE-2016-8709 and CVE-2024-35288 | 24-June-25 |
+
 ## May 2025
 
 | Inaccuracy report ID | Description | Fix date |
diff --git a/defender-vulnerability-management/tvm-supported-os.md b/defender-vulnerability-management/tvm-supported-os.md
@@ -13,7 +13,7 @@ ms.collection:
   - Tier2
 ms.topic: reference
 search.appverid: met150
-ms.date: 06/27/2025
+ms.date: 07/07/2025
 ---
 
 # Supported operating systems, platforms, and capabilities
diff --git a/unified-secops-platform/mto-advanced-hunting.md b/unified-secops-platform/mto-advanced-hunting.md
@@ -3,18 +3,18 @@ title: Advanced hunting in Microsoft Defender multitenant management
 description: Learn about advanced hunting in Microsoft Defender multitenant management
 search.appverid: met150
 ms.service: unified-secops-platform
-ms.author: deniseb
-author: denisebmsft
+ms.author: bagol
+author: batamig
 ms.localizationpriority: medium
-manager: dansimp
+manager: orspodek
 audience: ITPro
 ms.collection: 
 - m365-security
 - highpri
 - tier1
 - usx-security
 ms.topic: article
-ms.date: 05/02/2025
+ms.date: 07/07/2025
 appliesto:
   - Microsoft Defender XDR
   - Microsoft Sentinel in the Microsoft Defender portal
@@ -23,18 +23,15 @@ appliesto:
 # Advanced hunting in Microsoft Defender multitenant management
 
 Advanced hunting in Microsoft Defender multitenant management allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants and workspaces at the same time. If you have multiple tenants with Microsoft Sentinel workspaces onboarded to the Microsoft Defender portal, search for security information and event management (SIEM) data together with extended detection and response (XDR) data across multiple tenants and workspaces.
- 
 
 Multiple workspaces per tenant are supported in multitenant Advanced hunting as preview.
 
-
 ## Quotas
 
 In multitenant environments, advanced hunting queries can return a maximum of 50,000 records in total. The result set from each individual tenant is capped at 50,000 divided by the number of tenants queried. 
 
 For more information about service limits in advanced hunting, read [Understand advanced hunting quotas](/defender-xdr/advanced-hunting-limits#understand-advanced-hunting-quotas-and-usage-parameters).
 
-
 ## Run cross-tenant queries
 
 You can run any query that you already have access to in the multitenant management **Advanced hunting** page.
@@ -70,8 +67,8 @@ You can run any query that you already have access to in the multitenant managem
    | take 10
    ```
 
-> [!NOTE]
-> If you have tables with the same name but different schemas in multiple workspaces and want to use them in the same query, you should use the workspace operator to uniquely identify the table that you need.
+>[!IMPORTANT]
+> Running queries across multiple tenants using the `adx(x)` operator will run separate ADX queries per tenant and aggregate them, which might return duplicate results. Use the `adx(x)` operator with multiple tenants only if you need to join tenant results with ADX data. For more information about ADX in Advanced hunting, see [Use Microsoft Sentinel functions, saved queries, and custom rules](/defender-xdr/advanced-hunting-defender-use-custom-rules#use-adx-operator-for-azure-data-explorer-queries).
 
 To learn more about advanced hunting in Microsoft Defender XDR, read [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](/defender-xdr/advanced-hunting-overview).
 
@@ -101,16 +98,14 @@ For more information, see [Query multiple workspaces](/azure/sentinel/extend-sen
 
 ## View schema tables
 
-You can view the [advanced hunting schema tables](/defender-xdr/advanced-hunting-schema-tables) in the left pane inside the advanced hunting page under the **Schema** tab. 
+View the [advanced hunting schema tables](/defender-xdr/advanced-hunting-schema-tables) in the left pane inside the advanced hunting page under the **Schema** tab. 
 
 The schema list is a unified view of all tables from all your tenants regardless of the tenant selected in the upper right tenant selector.
 
 This could mean that some tables that appear here might only be available for query in some tenants, like custom Microsoft Sentinel tables.
 
-
 ## View and manage custom detection rules
 
-
 You can also manage custom detection rules from multiple tenants in the custom detection rules page.
 
 ### View custom detection rules by tenant
@@ -139,11 +134,6 @@ To manage detection rules:
 
 1. Select **Open detection rules** to view this rule in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com). To learn more, see [Custom detection rules](/defender-xdr/custom-detection-rules).
 
-
-
-
-
-
 ## Related content
 
 - [Set up Microsoft Defender multitenant management](mto-requirements.md)
diff --git a/unified-secops-platform/whats-new.md b/unified-secops-platform/whats-new.md
@@ -6,7 +6,7 @@ ms.service: unified-secops-platform
 ms.author: bagol
 author: batamig
 ms.localizationpriority: medium
-ms.date: 07/01/2025
+ms.date: 07/08/2025
 manager: orspodek
 audience: ITPro
 ms.collection:
@@ -22,6 +22,21 @@ This article lists recent features added for unified security operations in the
 
 ## July 2025
 
+- [No limit on the number of workspaces you can onboard to the Defender portal](#no-limit-on-the-number-of-workspaces-you-can-onboard-to-the-defender-portal)
+- [Microsoft Sentinel in the Azure portal to be retired July 2026](#microsoft-sentinel-in-the-azure-portal-to-be-retired-july-2026)
+
+### No limit on the number of workspaces you can onboard to the Defender portal
+
+There is no longer any limit to the number of workspaces you can onboard to the Defender portal.
+
+Limitations still apply to the number of workspaces you can include in a Log Analytics query, and in the number of workspaces you can or should include in a scheduled analytics rule. 
+
+For more information, see:
+
+- [Connect Microsoft Sentinel to the Microsoft Defender portal](microsoft-sentinel-onboard.md)
+- [Multiple Microsoft Sentinel workspaces in the Defender portal](/azure/sentinel/workspaces-defender-portal)
+- [Extend Microsoft Sentinel across workspaces and tenants](/azure/sentinel/extend-sentinel-across-workspaces-tenants)
+
 ### Microsoft Sentinel in the Azure portal to be retired July 2026
 
 Microsoft Sentinel is [generally available in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal), including for customers without Microsoft Defender XDR or an E5 license. This means that you can use Microsoft Sentinel in the Defender portal even if you aren't using other Microsoft Defender services.
@@ -194,24 +209,6 @@ Microsoft Sentinel workbooks are based on Azure Monitor workbooks, and help you
 
 For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](/azure/sentinel/monitor-your-data) and [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md).
 
-## November 2024
-
-- [Microsoft Sentinel availability in Microsoft Defender portal](#microsoft-sentinel-availability-in-microsoft-defender-portal)
-- [Feature availability for Government clouds](#feature-availability-for-government-clouds)
-
-### Microsoft Sentinel availability in Microsoft Defender portal
-
-We previously announced Microsoft Sentinel is generally available in the Microsoft Defender portal. For preview, Microsoft Sentinel is now available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see:
-
- - [Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal)
- - [Connect Microsoft Sentinel to the Microsoft Defender portal](microsoft-sentinel-onboard.md)
-
-### Feature availability for Government clouds
-
-In the Defender portal, all Microsoft Sentinel features that are in general availability are now available in both commercial and GCC High and DoD clouds. Features still in preview are available only in the commercial cloud.
-
-For more information, see [Microsoft Sentinel feature support for Azure commercial/other clouds](/azure/sentinel/feature-availability#experience-in-the-defender-portal) and [Microsoft Defender XDR for US Government customers](/defender-xdr/usgov).
-
 ## Related content
 
 For more information on what's new with other Microsoft Defender security products and Microsoft Sentinel, see:
