Commit d2ad299

Merge branch 'main' into docs-editor/fixed-reported-inaccuracies-1746705022
2 parents 17b99cc + a6337bf commit d2ad299

125 files changed, +1268 / -680 lines changed

.acrolinx-config.edn

Lines changed: 2 additions & 2 deletions
@@ -51,10 +51,10 @@ Select the total score link to review all feedback on clarity, consistency, tone
5151
"
5252
**More information about Acrolinx**
5353
54-
- [Install Acrolinx locally for VSCode for Magic](https://review.docs.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
54+
- [Install Acrolinx locally for VSCode for Magic](https://review.learn.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
5555
- [False positives or issues](https://aka.ms/acrolinxbug)
5656
- [Request a new Acrolinx term](https://microsoft.sharepoint.com/teams/M365Dev2/SitePages/M365-terminology.aspx)
57-
- [Troubleshooting issues with Acrolinx](https://review.docs.microsoft.com/help/contribute/acrolinx-error-messages)
57+
- [Troubleshooting issues with Acrolinx](https://review.learn.microsoft.com/help/platform/acrolinx-troubleshoot?branch)
5858
5959
"
6060
}
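Review bot: the troubleshooting link on line 57+ ends in a bare `?branch` with no value, while the sibling link on line 54+ uses `?branch=main`; either drop the dangling query string or give it the same value, e.g. `https://review.learn.microsoft.com/help/platform/acrolinx-troubleshoot?branch=main`. The host rename from review.docs.microsoft.com to review.learn.microsoft.com is applied consistently on both lines.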

ATPDocs/deploy/remote-calls-sam.md

Lines changed: 4 additions & 7 deletions
@@ -7,14 +7,11 @@ ms.topic: how-to
77

88
# Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity
99

10-
Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
11-
12-
> [!NOTE]
13-
> This feature can potentially be exploited by an adversary to obtain the NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
14-
> The new Defender for Identity sensor (version 3.x) is not affected by this issue as it uses different detection methods.
10+
> [!IMPORTANT]
11+
> The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. The change will occur automatically by the specified date, and no administrative action is required.
1512
>
16-
> It is recommended to use a [low privileged DSA account](directory-service-accounts.md#grant-required-dsa-permissions). You can also [contact support](../support.md) to open a case and request to completely disable the [Lateral Movement Paths](../security-assessment-riskiest-lmp.md) data collection capability.
17-
> Please note that this will result in reduced data available for the [attack path feature in Exposure Management](/security-exposure-management/review-attack-paths).
13+
14+
Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
1815

1916
This article describes the configuration changes required to allow the Defender for Identity Directory Services Account (DSA) to perform the SAM-R queries.
2017
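Review bot: the replacement drops the security caveat entirely, yet the article still tells readers to grant the DSA SAM-R access, and the removed NOTE explained why that is risky: SAM-R calls can be downgraded from Kerberos to NTLM, which exposes the DSA's NTLM hash, which is why the old text recommended a low-privileged DSA. Until the mid-May 2025 cut-off that exposure is unchanged, so keep the "use a low privileged DSA account" recommendation (and the sensor 3.x statement, if still accurate) next to the new IMPORTANT box rather than deleting it. The box should also say what the deadline means for this how-to: whether the configuration changes described below are still needed for new deployments, and whether they can be rolled back once the collection is disabled.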

ATPDocs/integrate-microsoft-and-pam-services.md

Lines changed: 3 additions & 1 deletion
@@ -56,4 +56,6 @@ For more information, see:
5656

5757
[How to integrate Defender for Identity with Delinea](https://docs.delinea.com/online-help/integrations/microsoft/mdi/integrating-mdi.htm)
5858

59-
[How to integrate Defender for Identity with CyberArk](https://community.cyberark.com/marketplace/s/#a35Ht0000018sDVIAY-a39Ht000004GLaEIAW)
59+
[How to integrate Defender for Identity with CyberArk](https://community.cyberark.com/marketplace/s/#a35Ht0000018sDVIAY-a39Ht000004GLaEIAW)
60+
61+
[How to integrate Defender for Identity with BeyondTrust](https://docs.beyondtrust.com/insights/docs/microsoft-defender)
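Review bot: line 59 (CyberArk) is removed and re-added with identical visible text, which usually means a trailing-whitespace or line-ending change; if that is not intentional, revert it so the hunk contains only the BeyondTrust addition. Separately, the CyberArk URL relies on an opaque record-ID fragment (`#a35Ht0000018sDVIAY-a39Ht000004GLaEIAW`) that will break silently if the listing moves; a stable landing page would be preferable if the vendor offers one.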

ATPDocs/service-account-discovery.md

Lines changed: 6 additions & 4 deletions
@@ -17,7 +17,7 @@ Service accounts are classified into several types:
1717
- sMSA (Managed Service Accounts): Designed for individual services on a single server rather than groups.
1818
- User Account: These standard user accounts are typically used for interactive logins but can also be configured to run services.
1919

20-
The auto discovery feature quickly identifies gMSA and sMSA accounts as well as user accounts within Active Directory that meet specific criteria and classifies them as service accounts. These accounts are then highlighted and presented, along with relevant information including insights into recent authentications and the sources and destinations of those interactions, as part of a dedicated inventory within the Defender experience. This helps you better understand the accounts' purpose so you can more easily spot anomalous activity and understand its implications.
20+
The auto discovery feature quickly identifies gMSA and sMSA accounts as well as user accounts within Active Directory that meet specific criteria.These criteria include having a [Service Principal Name ](/windows/win32/ad/service-principal-names)(SPN) or a "password never expires" attribute assigned. The feature then classifies these accounts as service accounts. These accounts are then highlighted and presented, along with relevant information including insights into recent authentications and the sources and destinations of those interactions, as part of a dedicated inventory within the Defender experience. This helps you better understand the accounts' purpose so you can more easily spot anomalous activity and understand its implications.
2121

2222
Service account types are displayed in the Identity Info table within Advanced Hunting.
2323

@@ -68,7 +68,7 @@ You can use the sort and filter functionality on each service account tab to get
6868
|**Tags** | Sensitive or Honey Token |
6969
|**Auth protocols** | Lists the available methods for verifying user identities, for example, Kerberos and NTLM (New Technology LAN Manager). |
7070
|**Sources** | The number of potential source logins. |
71-
|**Destinations** | When a service account is trying to access a destination server, the request is directed to the target system, which can include a number of resources on that server. These resources might be a database, a file server, or other services hosted on the server. |
71+
|**Destinations** | When a service account is trying to access a destination server, the request is directed to the target system, which can include many resources on that server. These resources might be a database, a file server, or other services hosted on the server. |
7272
|**Connections** | The number of unique connections made between sources and destinations. |
7373
|**Created** |The timestamp when the service account was first created. |
7474
|**Last updated** | The timestamp of the most recent update to the service account. |
@@ -79,7 +79,7 @@ You can use the sort and filter functionality on each service account tab to get
7979

8080
For a deeper dive into what's happening in your service account click on the domain name to see the following information:
8181

82-
When you investigate a specific Service account, you'll see the following details under the connections tab:
82+
When you investigate a specific Service account, you see the following details under the connections tab:
8383

8484
:::image type="content" source="media/screenshot-of-the-connections-page.png" alt-text="Screenshot of the connections page." lightbox="media/Screenshot-of-the-connections-page.png":::
8585

@@ -96,8 +96,10 @@ When you investigate a specific Service account, you'll see the following detail
9696
Last seen | The date and time of the most recent sign in event over this connection. |
9797

9898

99-
10099
For more information about the following tabs, **Overview**, **Incidents and alerts**,**Observed in organization**, **Timeline**, and **Attack paths**, see: [Investigate assets](/defender-for-identity/investigate-assets#identity-details).
101100

101+
## Related content
102+
- [Service principal names](/windows/win32/ad/service-principal-names)
103+
- [How to configure SPN](/windows-server/identity/ad-ds/manage/how-to-configure-spn?tabs=add%2Caduc)
102104

103105
If you run into any problems, we're here to help. To get assistance or support for your product issue, see how to open a support ticket at [Microsoft Defender for Identity support](support.md).
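Review bot: the new `## Related content` heading on line 101+ is inserted above the existing support paragraph ("If you run into any problems..."), so that paragraph now renders as part of Related content. Either move the heading and its two links below the support paragraph, or move the support paragraph above the heading. While here, `,**Observed in organization**` on line 99 is missing the space after the comma.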

ATPDocs/understand-lateral-movement-paths.md

Lines changed: 5 additions & 1 deletion
@@ -7,9 +7,13 @@ ms.topic: conceptual
77

88
# Understand and investigate Lateral Movement Paths (LMPs) with Microsoft Defender for Identity
99

10+
> [!IMPORTANT]
11+
> The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. The change will occur automatically by the specified date, and no administrative action is required.
12+
>
13+
1014
Lateral movement is when an attacker uses non-sensitive accounts to gain access to sensitive accounts throughout your network. Lateral movement is used by attackers to identify and gain access to the sensitive accounts and machines in your network that share stored sign-in credentials in accounts, groups and machines. Once an attacker makes successful lateral moves towards your key targets, the attacker can also take advantage and gain access to your domain controllers. Lateral movement attacks are carried out using many of the methods described in [Microsoft Defender for Identity Security Alerts](alerts-overview.md).
1115

12-
A key component of Microsoft Defender for Identity's security insights are Lateral Movement Paths or LMPs. Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts. LMPs help you mitigate and prevent those risks in the future, and close attacker access before they achieve domain dominance.
16+
A key component of Microsoft Defender for Identity's security insights is Lateral Movement Paths or LMPs. Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts. LMPs help you mitigate and prevent those risks in the future, and close attacker access before they achieve domain dominance.
1317

1418
For example:
1519
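Review bot: the IMPORTANT box on lines 10+ to 13+ ends with a bare `>` line, which renders as an empty quoted line; drop line 13+. The notice says LMP maps will no longer be updated after mid-May 2025, but the rest of the article (unchanged here) still describes LMPs as a live capability; one sentence on what remains visible after that date, or a cross-reference to the whats-new.md entry, would keep the two consistent. While touching line 16+, "The purpose of lateral movements ... are for attackers" should be "is", matching the "A key component ... is" fix made on the same line.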

ATPDocs/whats-new.md

Lines changed: 9 additions & 6 deletions
@@ -22,6 +22,15 @@ For more information, see also:
2222

2323
For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
2424

25+
## May 2025
26+
27+
### Local administrators collection (using SAM-R queries) feature will be disabled
28+
The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. An alternative method is being explored. The change will occur automatically by the specified date, and no administrative action is required.
29+
30+
### New Health Issue
31+
32+
New [health issue](health-alerts.md#network-configuration-mismatch-for-sensors-running-on-vmware) for cases where sensors running on VMware have network configuration mismatch.
33+
2534
## April 2025
2635

2736
### Privileged Identity Tag Now Visible in Defender for Identity Inventory
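Review bot: this copy of the SAM-R deprecation text adds "An alternative method is being explored.", which the otherwise identical IMPORTANT boxes added to remote-calls-sam.md and understand-lateral-movement-paths.md in this same commit do not carry; keep the three in sync or, better, have the boxes link to this What's new entry so there is one place to update when the alternative ships. The "New Health Issue" entry is also added here under May 2025 while being removed from April 2025 further down in this file; confirm which month the VMware network-configuration-mismatch health issue actually shipped before moving it.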
@@ -47,7 +56,6 @@ For more information, see: [Integrations Defender for Identity and PAM services.
4756

4857
### New Service Account Discovery page
4958

50-
5159
Microsoft Defender for Identity now includes a Service Account Discovery capability, offering you centralized visibility into service accounts across your Active Directory environment.
5260

5361
This update provides:
@@ -60,11 +68,6 @@ This update provides:
6068

6169
For more information, see: [Investigate and protect Service Accounts | Microsoft Defender for Identity](service-account-discovery.md).
6270

63-
64-
### New Health Issue
65-
66-
New [health issue](health-alerts.md#network-configuration-mismatch-for-sensors-running-on-vmware) for cases where sensors running on VMware have network configuration mismatch.
67-
6871
### Enhanced Identity Inventory
6972

7073
The Identities page under *Assets* has been updated to provide better visibility and management of identities across your environment.

CloudAppSecurityDocs/activity-filters-queries.md

Lines changed: 14 additions & 1 deletion
@@ -170,8 +170,21 @@ You can export all activities from the past six months by clicking the Export bu
170170

171171
![Click the export icon to export records.](media/activity-filters-queries/export-button-of-activity-logs.png)
172172

173-
When exporting data:
173+
> [!NOTE]
174+
> **Required Permissions for Exporting Capabilities:** To utilize the exporting features, users must be assigned one of the following roles:
175+
> - **Built-in admin roles in Defender for Cloud Apps-** These roles must be granted via [Microsoft Defender for Cloud Apps Permissions and roles settings](/defender-cloud-apps/manage-admins):
176+
> - Global Admin
177+
> - Cloud Discovery Global Admin
178+
> - Security Operator
179+
> - Compliance Admin
180+
> - Security Reader
181+
> - **Microsoft Entra ID Roles-** These roles must be assigned through [Microsoft Entra ID built-in roles](/entra/identity/role-based-access-control/permissions-reference):
182+
> - Global Administrator
183+
> - Security Administrator
184+
> - Cloud App Security Administrator
185+
> - Global Reader
174186
187+
When exporting data:
175188
- You can choose a date range of up to six months.
176189
- You can choose to exclude private activities.
177190
- The exported file is limited to 100,000 records and is delivered in CSV format.
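Review bot: the new permissions note lists read-only roles (Security Reader, Global Reader) next to Global Administrator, so export is a read operation and the least-privileged entry in each list already suffices; the note should say that explicitly instead of leading with Global Admin, because an export of up to 100,000 activity records (line 190) is exactly the kind of bulk data access that should not nudge readers toward admin roles. Formatting: the hyphens glued to the bold headings (`**Built-in admin roles in Defender for Cloud Apps-**`, `**Microsoft Entra ID Roles-**`) should be colons outside the bold, and the role names are at the same `> - ` level as their parent bullets, so they will not render as sub-bullets unless indented.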

CloudAppSecurityDocs/anomaly-detection-policy.md

Lines changed: 2 additions & 2 deletions
@@ -64,14 +64,14 @@ Use this detection to control file uploads and downloads in real time with sessi
6464

6565
By enabling file sandboxing, files that according to their metadata and based on proprietary heuristics to be potentially risky, will also be sandbox scanned in a safe environment. The Sandbox scan may detect files that were not detected based on threat intelligence sources.
6666

67-
Defender for Cloud Apps supports malware detection for the following apps:
67+
Defender for Cloud Apps supports "File Sandboxing" malware detection for the following apps:
6868

6969
* Box
7070
* Dropbox
7171
* Google Workspace
7272

7373
> [!NOTE]
74-
>* Proactively sandboxing will be done in third party applications (*Box*, *Dropbox* etc.). In *OneDrive* and *SharePoint* files are being scanned and sandboxed as part of the service itself.
74+
>* Proactively sandboxing will be done in third party applications (*Box*, *Dropbox* etc.). **In *OneDrive* and *SharePoint* files are being scanned and sandboxed as part of the service itself**.
7575
> * In *Box*, *Dropbox*, and *Google Workspace*, Defender for Cloud Apps doesn't automatically block the file, but blocking may be performed according to the app's capabilities and the app's configuration set by the customer.
7676
> * If you're unsure about whether a detected file is truly malware or a false positive, go to the Microsoft Security Intelligence page at [https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission) and submit the file for further analysis.
7777
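Review bot: the header on line 67+ now scopes the three-app list to sandboxing, but the first NOTE bullet still says "third party applications (*Box*, *Dropbox* etc.)", leaving Google Workspace implied by "etc."; name the same three apps there so the two lists agree. Style: the straight quotes around "File Sandboxing" should be bold if it is the setting name, `>*` on line 74+ should be `> *` to match the bullets below it, and "Proactively sandboxing will be done" reads better as "Proactive sandboxing is performed". Bolding the OneDrive/SharePoint sentence draws the eye, but it would help more to state what that means for this policy, i.e. whether files from those services appear in its sandbox detections at all.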

CloudAppSecurityDocs/app-governance-visibility-insights-compliance-posture.md

Lines changed: 2 additions & 2 deletions
@@ -52,8 +52,8 @@ For sensitivity labeling data, cards show the number apps that have accessed con
5252

5353
For example:
5454

55-
> [!div class="mx-imgBorder"]
56-
> ![number apps that have accessed content with sensitivity labels.](sensitive-data-accessed-chart1.png)
55+
The number of apps that have accessed content with sensitivity labels.
56+
> :::image type="content" source="media/sensitive-data-accessed-chart1.png" alt-text="Number of apps that have accessed content with sensitivity labels.":::
5757
5858
## Next steps
5959
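Review bot: line 56+ keeps a leading `> ` from the replaced `[!div class="mx-imgBorder"]` block, so the `:::image:::` now renders inside a blockquote; drop the `> `. The image reference also changes from `sensitive-data-accessed-chart1.png` to `media/sensitive-data-accessed-chart1.png`, but this hunk does not move the file; confirm the asset exists under `media/` in this commit. The new sentence on line 55+ ("The number of apps that have accessed content with sensitivity labels.") is a fragment directly after "For example:" and duplicates the alt text; either drop it or turn it into a proper caption.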

CloudAppSecurityDocs/cloud-discovery-policies.md

Lines changed: 7 additions & 2 deletions
@@ -44,8 +44,8 @@ Discovery policies enable you to set alerts that notify you when new apps are de
4444

4545
> [!NOTE]
4646
>
47-
> - Newly created discovery policies (or policies with updated continuous reports) trigger an alert once in 90 days per app per continuous report, regardless of whether there are existing alerts for the same app. So, for example, if you create a policy for discovering new popular apps, it may trigger additional alerts for apps that have already been discovered and alerted on.
48-
> - Data from **snapshot reports** do not trigger alerts in app discovery policies.
47+
> - Newly created discovery policies (or policies with updated continuous reports) trigger an alert once in 90 days per app per continuous report, regardless of whether there are existing alerts for the same app. So, for example, if you create a policy for discovering new popular apps, it might trigger additional alerts for apps that have already been discovered and alerted on.
48+
> - Data from **snapshot reports** don't trigger alerts in app discovery policies.
4949
5050
For example, if you're interested in discovering risky hosting apps found in your cloud environment, set your policy as follows:
5151

@@ -73,6 +73,11 @@ Defender for Cloud Apps searches all the logs in your cloud discovery for anomal
7373

7474
1. Under **Apply to** choose whether this policy applies **All continuous reports** or **Specific continuous reports**. Select whether the policy applies to **Users**, **IP addresses**, or both.
7575

76+
:::image type="content" source="media/apply-to-continous-reports.png" alt-text="Screenshot showing how to apply file polcies to specific continous reports" lightbox="media/apply-to-continous-reports.png":::
77+
78+
> [!IMPORTANT]
79+
> When you configure an app discovery policy and select **Apply to > All continuous reports**, multiple alerts are generated for each discovery stream, including the global stream which aggregates data from all sources. To control alert volume, select **Apply to > Specific continuous reports** and choose only the relevant streams for your policy.
80+
> Learn more: [Defender for Cloud apps continuous risk assessment reports](set-up-cloud-discovery.md#snapshot-and-continuous-risk-assessment-reports)
7681
1. Select the dates during which the anomalous activity occurred to trigger the alert under **Raise alerts only for suspicious activities occurring after date.**
7782

7883
1. Set a **Daily alert limit** under **Alerts**. Select if the alert is sent as an email. Then provide email addresses as needed.
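Review bot: lines 76+ to 80+ sit between numbered steps without the indentation that keeps them inside the preceding list item, so the following `1. Select the dates...` step restarts numbering; indent the image and the IMPORTANT block to the list's content column. The alt text says "file polcies" for what is an app discovery policy and misspells "continous" (the misspelling is also in the file name; either rename the asset or leave the path as committed and fix only the alt text). On the IMPORTANT text itself, the useful point is that **All continuous reports** includes the global stream, which aggregates every per-source stream, so an app alerts once per source stream and again for the global one; stating that duplication explicitly makes the advice to pick specific streams self-explanatory.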
