Merge pull request #4499 from MicrosoftDocs/main

[AutoPublish] main to live - 07/15 10:32 PDT | 07/15 23:02 IST

Author: m365-skilling-repo-management[bot]

ATPDocs/identity-inventory.md

@@ -76,7 +76,7 @@ The **Identities** list offers a consolidated view of identities across Active D
 
 - __Last updated__ – The timestamp of the most recent update to the identity's attributes in Active Directory.
 
-Nondefault columns: Email and Microsoft Entra ID risk level.  
+Nondefault columns: Email, Microsoft Entra ID risk level and Cloud ID. 
 
 > [!TIP]
 > To see all columns, you likely need to do one or more of the following steps:

CloudAppSecurityDocs/caac-known-issues.md

@@ -114,6 +114,35 @@ A user who starts a session in Edge with a profile other than his work profile,
 
 If the URL points to a resource within the secured application, the user will be directed to the application's homepage in Edge.
 
+### Outdated session policy enforcement with Edge
+When a session policy is enforced using Edge in-browser protection and the user is later removed from the corresponding Conditional Access (CA) policy, the original session enforcement may still persist.
+
+Example Scenario:
+
+A user was originally assigned a CA policy for the Salesforce application, along with an Defender for Cloud apps session policy that blocked file downloads. As a result, downloads were blocked when the user accessed Salesforce in Edge.
+
+Although the admin later removed the CA policy, the user still experiences the download block in Edge due to cached policy data.
+
+Mitigation Options:
+
+Option 1: Automatic cleanup
+1.	Reassign the user/app to the CA policy.
+2.	Remove the corresponding Defender for Cloud Apps session policy.
+3.	Have the user access the application using Edge, this will trigger the policy removal automatically.
+4.	Remove the CA policy again.
+   
+Option 2: Manual cleanup
+1.	Delete the cached policy file
+     - Go to: C:\Users\<username>\AppData\Local\Microsoft\Edge\
+     - Delete the file: mda_store.txt
+
+2.	Remove the work profile in Edge
+    - Open Microsoft Edge.
+    - Navigate to Profile Settings.
+    - Delete the work profile associated with the outdated session policy.
+  
+These steps will force a policy refresh and resolve enforcement issues related to outdated session policies.
+
 ## Related content
 
 - [Conditional Access app control in Microsoft Defender for Cloud Apps](proxy-intro-aad.md)

defender-xdr/advanced-hunting-defender-use-custom-rules.md

@@ -65,9 +65,9 @@ For example, to get the first 10 rows of data from the `StormEvents` table store
 ### Use arg() operator for Azure Resource Graph queries
 The `arg()` operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like. 
 
-This feature was previously only available in log analytics in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works over Microsoft Sentinel data (that is, Defender XDR tables aren't supported). This allows users to use the operator in advanced hunting without needing to manually open a Microsoft Sentinel window. 
+This feature was previously only available in the Logs feature in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works to combine Azure Resource Graph (arg) queries with Microsoft Sentinel tables (that is, Defender XDR tables aren't supported). This allows users to make the cross-service query in advanced hunting without manually opening a Microsoft Sentinel window.
 
-Note that queries using the `arg()` operator return the first 1,000 records only. Read [Query data in Azure Resource Graph by using arg()](/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#query-data-in-azure-resource-graph-by-using-arg-preview) for more details.
+For more information, see [Query data in Azure Resource Graph by using arg()](/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#query-data-in-azure-resource-graph-by-using-arg-preview).
 
 In the query editor, enter *arg("").* followed by the Azure Resource Graph table name. 
 
@@ -78,14 +78,12 @@ For example:
 You can also, for instance, filter a query that searches over Microsoft Sentinel data based on the results of an Azure Resource Graph query:
 
 ```Kusto
-arg("").Resources 
-| where type == "microsoft.compute/virtualmachines" and properties.hardwareProfile.vmSize startswith "Standard_D"
-| join (
-    Heartbeat
-    | where TimeGenerated > ago(1d)
-    | distinct Computer
-    )
-    on $left.name == $right.Computer
+arg("").Resources
+| where type=="microsoft.compute/virtualmachines" | extend name = tolower(name)
+| join ( 
+BehaviorAnalytics
+| where isnotempty(SourceDevice) and InvestigationPriority > 2 | extend SourceDevice = tolower(SourceDevice)
+) on $left.name == $right.SourceDevice
 ```
 
 
@@ -141,4 +139,4 @@ You can view all your user-defined rules—both custom detection rules and analy
 
 
 For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the **Workspace ID** column and filter by workspace. 
-   
+