Merge branch 'main' into automatic-windows-auditing

Author: aditisrivastava07

defender-endpoint/enable-attack-surface-reduction.md

@@ -345,6 +345,10 @@ Example:
    > Don't use quotes as they aren't supported for either the **Value name** column or the **Value** column.
    > The rule ID shouldn't have any leading or trailing spaces.
 
+> [!NOTE]
+> Microsoft rebranded Windows Defender Antivirus to Microsoft Defender Antivirus beginning with Windows 10 version 20H1.
+> Group Policy paths on earlier Windows versions may still reference Windows Defender Antivirus, while newer builds show Microsoft Defender Antivirus. Both names refer to the same policy location.
+
 ### PowerShell
 
 > [!WARNING]

defender-endpoint/media/atp-time-zone-menu.png

@@ -1,9 +1,9 @@
 ---
 title: Microsoft Defender XDR time zone settings
-description: Use the info contained here to configure the Microsoft Defender XDR time zone settings and view license information.
+description: Use the info contained here to configure the Microsoft Defender XDR time zone settings.
 ms.service: defender-endpoint
-ms.author: bagol
-author: batamig
+ms.author: painbar
+author: paulinbar
 ms.localizationpriority: medium
 manager: bagol
 audience: ITPro
@@ -13,7 +13,7 @@ ms.collection:
 ms.topic: article
 ms.subservice: reference
 search.appverid: met150
-ms.date: 05/05/2025
+ms.date: 11/30/2025
 appliesto:
   - Microsoft Defender for Endpoint Plan 1
   - Microsoft Defender for Endpoint Plan 2
@@ -22,9 +22,7 @@ appliesto:
 # Microsoft Defender XDR time zone settings
 
 
-This article describes time zone settings and options. You can use **Time zone** menu to configure the time zone and view license information.
-
-:::image type="content" source="media/atp-time-zone.png" alt-text="The Time zone settings-1" lightbox="media/atp-time-zone.png":::
+This article describes how to configure time zone settings and options.
 
 > [!NOTE]
 > Changing the time zone setting in the [Microsoft Defender portal](https://security.microsoft.com) only affects how times are displayed. It doesn't affect the actual scheduling of operations, such as antivirus scans, which continue to follow the local system time or UTC settings, depending on how they're configured.
@@ -33,10 +31,6 @@ This article describes time zone settings and options. You can use **Time zone**
 
 The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks. Cyberforensic investigations often rely on time stamps to piece together the sequence of events. It's important that your system reflects the correct time zone settings. Defender for Endpoint can display either Coordinated Universal Time (UTC) or local time.
 
-Your current time zone setting is shown in the **Timezone** menu in the Microsoft Defender portal.
-
-:::image type="content" source="media/atp-time-zone-menu.png" alt-text="The Time zone settings-2" lightbox="media/atp-time-zone-menu.png":::
-
 ### UTC time zone
 
 Defender for Endpoint uses UTC time by default. Keeping this time zone displays all system timestamps (alerts, events, and others) in UTC for all users. This configuration can help security analysts working in different locations across the globe to use the same time stamps while investigating events.
@@ -55,13 +49,9 @@ The Defender for Endpoint time zone is set by default to UTC. Setting the time z
 
 To set the time zone:
 
-1. Select the **Time zone** menu.
-
-   :::image type="content" source="media/atp-time-zone.png" alt-text="The Time zone settings-3" lightbox="media/atp-time-zone.png":::
-
-2. Select the **Timezone UTC** indicator.
+1. In the Microsoft Defender portal, go to **System** > **Settings** > **Microsoft Defender portal** > **Time zone**.
 
-3. Select **Timezone UTC** or your local time zone, for example `-7:00`.
+1. In the **Time zone** drop down menu, select either UTC or your local time zone.
 
 ### Regional settings
 

defender-endpoint/media/atp-time-zone.png

@@ -26,6 +26,13 @@ Connecting Salesforce to Defender for Cloud Apps gives you improved insights int
 - Ransomware
 - Unmanaged bring your own device (BYOD)
 
+
+### Prerequisites
+
+- Install and authorize the Salesforce Connected App in the target Salesforce org before you start the connection process. Salesforce enforces usage restrictions on Connected Apps. For more information, see:[Prepare for Connected App Usage Restrictions Change](https://help.salesforce.com/s/articleView?id=005132365&type=1)
+
+- Assign the **Approve Uninstalled Connected Apps** permission to the Salesforce service account used to connect Microsoft Defender for Cloud Apps. Salesforce requires this permission to connect third-party apps via OAuth.
+
 ## How Defender for Cloud Apps helps to protect your environment
 
 - [Detect cloud threats, compromised accounts, and malicious insiders](best-practices.md#detect-cloud-threats-compromised-accounts-malicious-insiders-and-ransomware)

defender-endpoint/time-settings.md

@@ -36,39 +36,63 @@ ms.date: 03/28/2025
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 ## Types of functions
-A function is a type of query in advanced hunting that can be used in other queries as if it's a command. You can create your own custom functions so you can reuse any query logic when you hunt in your environment.
+A function is a type of query in advanced hunting that you can use in other queries as if it's a command. You can create your own custom functions so you can reuse any query logic when you hunt in your environment.
 
 There are three different types of functions in advanced hunting:
 
 ![Function types](/defender/media/advanced-hunting-custom-fxns/function-types.png)
 
-- **Built-in functions** – Prebuilt functions included with Microsoft Defender XDR advanced hunting. These are available in all advanced hunting instances and can't be modified.
-- **Shared functions** – Custom functions created by users, which are available for all users in a specific tenant and can be modified and controlled by users.
-- **My functions** – Custom functions created by a user, which can be viewed and modified only by the user who created it.
+- **Built-in functions** – Prebuilt functions included with Microsoft Defender XDR advanced hunting. These functions are available in all advanced hunting instances and can't be modified.
+- **Shared functions** – Custom functions that users create. All users in a specific tenant can access these functions. Users can modify and control these functions.
+- **My functions** – Custom functions that a user creates. Only the user who created these functions can view and modify them.
 
 ## Write your own custom function
 
-To create a function from the current query in the editor, select **Save** and then **Save as function**.
+To create a function from the current query in the editor:
 
-![Save as function](/defender/media/advanced-hunting-custom-fxns/save-as-function.png)
+1. Select **Save** and then **Save as function**.
+  ![Save as function](/defender/media/advanced-hunting-custom-fxns/save-as-function.png)
 
-Next, provide the following information:
+1. In the **Save as function** flyout panel, provide the following information:
 
-- **Name** - Name of the function. Can contain only numbers, English letters, and underscores. To avoid accidentally using Kusto keywords, begin or end function names with an underscore or begin with a capital letter.
-- **Location** - The folder in which you would like to save the function, either shared or private.
-- **Description** - A description that can help other users understand the purpose of the function and how it works.
-- **Parameters** - Add a parameter for each variable in the function that requires a value when it's used. 
-Add parameters to a function so that you can provide the arguments or values for certain variables when calling the function. This allows the same function to be used in different queries, each allowing for different values for the parameters. Parameters are defined by the following properties:
+    - **Name** - Name of the function. Can contain only numbers, English letters, and underscores. To avoid accidentally using Kusto keywords, begin or end function names with an underscore or begin with a capital letter.
+    - **Location** - The folder in which you want to save the function, either shared or private.
+    - **Description** - A description that helps other users understand the purpose of the function and how it works.
+    - **Parameters** - Add a parameter for each variable in the function that requires a value when it's used. For more information, see [Add parameters to your custom function](#add-parameters-to-your-custom-function).
+
+    ![Save as function dialog box](/defender/media/advanced-hunting-custom-fxns/save-as-function-dialog-box.png)
+
+1. Select **Save**.
+
+### Add parameters to your custom function
+
+You can add parameters to a function so that you can provide the arguments or values for certain variables when calling the function. This feature allows the same function to be used in different queries, each with different values for the parameters. 
+
+To add parameters when saving your custom function, select **Add parameter**, then enter the following properties:
   - **Type** - Data type for the value
   - **Name** - The name that must be used in the query to replace the parameter value
-  - **Default value** - Value to be used for the parameter if a value isn't provided
+  - **Default value** - Value to use for the parameter if you don't provide a value
 
-  Parameters are listed in the order they were created, with parameters that have no default value listed above those that have a default value.
+Parameters are listed in the order you create them, with parameters that have no default value listed before those that have a default value.
 
-![Save as function dialog box](/defender/media/advanced-hunting-custom-fxns/save-as-function-dialog-box.png)
+### Create custom functions with tabular parameters
 
+Create custom functions that use tabular parameters. With tabular parameters, you can pass entire tables as inputs. This approach lets you build more modular, reusable, and expressive logic across your hunting queries. This capability is especially useful for complex hunting scenarios that require structured data inputs.
+
+To create tabular parameters for your custom function:
+1. Select **Add parameter** and then choose **table** as its **Type**.
+1. Enter a **Name** and **Default value** for the table.
+1. Map each column that your query references to the table. Select **Add column**, then enter the column's properties.
+
+![Table parameter in custom functions](/defender/media/advanced-hunting-custom-fxns/save-as-function-table.png)
+
+> [!NOTE]
+>- You can save a function with more than one table. 
+>- If your query doesn't reference any columns in the table parameter, you can still save and run the function without mapping any columns. 
+>- You can set tabular and scalar parameters in the same function.
+  
 ## Use a custom function
-Use a function in a query by typing its name along with values for any parameter just as you would type in a command. The output of the function can either be returned as results or piped to another command.
+Use a function in a query by typing its name along with values for any parameter, just as you would type in a command. The output of the function can either be returned as results or piped to another command.
 
 Add a function to the current query by double-clicking on its name or selecting the three dots to the right of the function and selecting **Open in query editor**. 
 
@@ -77,27 +101,27 @@ If a query requires arguments, provide them using the following syntax: *functio
 ![Open in query editor](/defender/media/advanced-hunting-custom-fxns/open-in-query-editor.png)
 
 > [!NOTE]
-> Functions can't be used inside another function.
+> You can't use functions inside another function.
 
 ## Work with function codes
-You can view the code of a function either to gain insight into how it works or to modify its code. Select the three dots to the right of the function and select **Load function code** to open a new tab with the function code. 
+You can view the code of a function to understand how it works or to modify its code. Select the three dots to the right of the function and select **Load function code** to open a new tab with the function code. 
 
 ![Load function code](/defender/media/advanced-hunting-custom-fxns/load-function-code.png)
 
 ## Edit a custom function
 
-Edit the properties of a function by selecting the three dots to the right of the function and selecting **Edit details**. Make any modifications that you want to the properties and parameters of the function then select **Save**.
+Edit the properties of a function by selecting the three dots to the right of the function and selecting **Edit details**. Make any modifications that you want to the properties and parameters of the function, then select **Save**.
 
 ![Edit function code](/defender/media/advanced-hunting-custom-fxns/edit-function.png)
 
-If the function code is already loaded to the editor, you can also select **Save** to apply any changes to the code or properties of the function.
+If the function code is already loaded in the editor, you can also select **Save** to apply any changes to the code or properties of the function.
 
 > [!NOTE]
 > Once a function is in use in a saved query or a detection rule, you can't edit the function to expand its scope. For example, if you saved a function that queries identity tables, and this function is used in a detection rule, you can't edit the function to include a device table after the fact. To do that, you can save a new function. Product scoping can be narrowed for the same function but not extended.
 
 ## Delete a custom function
 
-You can delete functions from **My functions** and functions you created in **Shared functions**. You cannot delete functions that you have not created, unless you have security data manage permissions.
+You can delete functions from **My functions** and functions you created in **Shared functions**. You can't delete functions that you didn't create, unless you have security data manage permissions.
 
 To delete a function, select the three dots to the right of the function and select **Delete**.