Commit db43a5a

committed
add what's new
1 parent 4c6da78 commit db43a5a

5 files changed

+31
-20
lines changed


defender-xdr/before-you-begin-xdr.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -62,7 +62,7 @@ The following product isn't covered by this service:
6262

6363
**Microsoft Defender Experts for Servers**
6464

65-
To enable the Defender Experts for Severs coverage, Defender for Servers Plan 1 or Plan 2 in Defender for Cloud must be enabled. [Endpoint protection](/azure/defender-for-cloud/integration-defender-for-endpoint) should also be turned on for Windows and Linux devices that allow protection powered by Defender for Endpoint, including automatic agent deployment to your servers, and security data integration with Defender for Cloud.
65+
To enable the Defender Experts for Servers coverage, Defender for Servers Plan 1 or Plan 2 in Defender for Cloud must be enabled. [Endpoint protection](/azure/defender-for-cloud/integration-defender-for-endpoint) should also be turned on for Windows and Linux devices that allow protection powered by Defender for Endpoint, including automatic agent deployment to your servers, and security data integration with Defender for Cloud.
6666

6767
Depending on the coverage you're looking for, you can enable the Defender for Servers plan for a Microsoft Azure subscription, Amazon Web Services account, or Google Cloud Platform project.
6868
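Review bot: While line 65 is being touched for the "Severs" typo, the phrase "Windows and Linux devices that allow protection powered by Defender for Endpoint" in the same sentence is awkward; consider "Windows and Linux devices that support Defender for Endpoint protection". The spelling fix itself is correct and nothing else in the hunk changes.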

defender-xdr/faq-cloud-coverage-defender-experts.md

Lines changed: 1 addition & 1 deletion
@@ -31,7 +31,7 @@ The following section lists down questions you or your SOC team might have regar
3131
|---------|---------|
3232
|**What does the server and cloud workload coverage add-on mean for the Microsoft Defender Experts service? Can I purchase this coverage only?** | The server and cloud coverage service, called **Microsoft Defender Experts for Servers** and **Microsoft Defender Experts for Hunting – Servers**, is only available as an add-on to existing [Microsoft Defender Experts for XDR](dex-xdr-overview.md) and [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md) customers, respectively. To avail of this add-on, you need at least one Defender Experts for XDR or Defender Experts for Hunting license to enable coverage of all your servers in Microsoft Defender for Cloud.|
3333
|**Can I configure which servers the Defender Experts will cover?** | This add-on service covers **all** your servers in your tenant that have [Defender for Servers](/azure/defender-for-cloud/defender-for-servers-overview) protection enabled in Defender for Cloud. |
34-
|**Do the Defender Experts investigate all Defender for Servers alerts?** | The Defender for Servers plan in Defender for Cloud covers multicloud servers, such as Microsoft Azure, Amazon Web Services, and Google Cloud Project, provided the Microsoft Defender for Endpoint is installed on the servers. All Defender for Servers P1 and P2 alerts (Detection Source = Microsoft Defender for Servers) are in scope except for [DNS alerts](/azure/defender-for-cloud/alerts-dns) due to limited data available for investigation. |
34+
|**Do the Defender Experts investigate all Defender for Servers alerts?** | The Defender for Servers plan in Defender for Cloud covers multicloud servers, such as Microsoft Azure, Amazon Web Services, and Google Cloud Platform, provided the Microsoft Defender for Endpoint is installed on the servers. All Defender for Servers P1 and P2 alerts (Detection Source = Microsoft Defender for Servers) are in scope except for [DNS alerts](/azure/defender-for-cloud/alerts-dns) due to limited data available for investigation. |
3535
|**I only have Microsoft Defender Endpoint. How can I get server coverage?** | If you have servers that have Defender for Endpoint deployed on them with a Microsoft Defender for Endpoint for Server license, you can get the server coverage through the Defender Experts for XDR service. The service doesn't cover Microsoft Defender for Cloud workloads. [Learn more](before-you-begin-xdr.md#product-configuration-and-service-coverage)<br><br>If you want coverage for servers in Defender for Cloud, you need to avail the Microsoft Defender Experts for Servers or Defender Experts for Hunting - Servers add-on. |
3636

3737
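Review bot: Line 34 still carries a stray article in "provided the Microsoft Defender for Endpoint is installed on the servers"; drop "the". The unchanged row at line 35 also names the product "Microsoft Defender Endpoint" in its bold question while the answer in the same cell says "Microsoft Defender for Endpoint"; since this hunk already corrects a product name ("Google Cloud Project" to "Google Cloud Platform"), fix that one in the same commit rather than in a follow-up.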

defender-xdr/reports-xdr.md

Lines changed: 1 addition & 0 deletions
@@ -45,6 +45,7 @@ The topmost section of the Defender Experts for XDR report provides the percenta
4545
- **Resolved** – The total number of investigated incidents that were closed.
4646
- **Resolved directly** – The number of investigated incidents that we were able to close directly on your behalf.
4747
- **Resolved with your help** – The number of investigated incidents that were resolved because of your action on one or more managed response tasks.
48+
- **Third-party enriched** - The number of incidents that were enriched with third-party network signals. This data is availiable when you're enrolled in the [third-party network enrichment](third-party-enrichment-defender-experts.md).
4849

4950
The **Average time to resolve incidents** section displays a bar chart of the average time, in minutes, our experts spent investigating and closing incidents in your environment and the average time you spent performing the required managed response actions.
5051
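Review bot: Typo in the added bullet at line 48: "availiable" should be "available". The same bullet separates the bold term from its description with a plain hyphen ("**Third-party enriched** -") whereas the three bullets above use an en dash ("**Resolved** –"); match them. "enrolled in the [third-party network enrichment]" also reads better without "the".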

defender-xdr/third-party-enrichment-defender-experts.md

Lines changed: 18 additions & 16 deletions
@@ -26,7 +26,7 @@ ms.date: 08/01/2025
2626
- [Microsoft Defender Experts for XDR](dex-xdr-overview.md)
2727
- Microsofot Defender Experts for Servers
2828

29-
Microsoft Defender Experts lets you incorporate third-party network signals from Palo Alto, Fortinet, and Zscaler **for enrichment**. By enriching Microsoft Defender incidents with these network signals, our security analysts not only gain a more comprehensive view of an attack's path that allows for faster and more thorough detection and response, they could also provide you with a more holistic view of the threat in your environment.
29+
Microsoft Defender Experts lets you incorporate third-party network signals from Palo Alto Networks, Fortinet, and Zscaler **for enrichment**. By enriching Microsoft Defender incidents with these network signals, our security analysts not only gain a more comprehensive view of an attack's path that allows for faster and more thorough detection and response, they could also provide you with a more holistic view of the threat in your environment.
3030

3131
This enrichment has the following benefits:
3232
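Review bot: Context line 27 ("Microsofot Defender Experts for Servers") has a typo that this hunk leaves in place even though it edits the paragraph two lines below; fix "Microsofot" to "Microsoft" here rather than in a separate commit.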

@@ -36,17 +36,9 @@ This enrichment has the following benefits:
3636

3737
>[!IMPORTANT]
3838
>The coverage is only for network signal use and doesn't include the triage or investigation of incidents and alerts generated by third-party network solutions.
39+
>
40+
>This feature is currently supported in certain regions only. For more information, refer to the [Prerequisites](#prerequisites) section of this document.
3941
40-
This feature is currently supported in the following regions only:
41-
42-
43-
|Continent | Country/Region | Azure Region |
44-
|---------|---------|---------|
45-
| **North America** | **United States** | • Central US<br>• East US<br>• East US 2<br>• West US<br>• West US 2<br>
46-
|**Europe**| | • North Europe<br>• West Europe|
47-
| | **UK**| • UK South |
48-
49-
For more information, read [Geographical availability and data residency in Microsoft Sentinel](/azure/sentinel/geographical-availability-data-residency) or contact your Service Delivery Manager.
5042

5143
## How Defender Experts analysts use third-party network data to monitor customer tenants
5244

@@ -62,22 +54,32 @@ The Defender Experts team employs a threat-centric methodology that monitors pot
6254
4. **Response:** Automated response actions are triggered, including revoking session tokens, isolating both devices, blocking the malicious IP addresses, and initiating a full credential reset for the affected user.
6355

6456
## Ingesting third-party network signals for enrichment
65-
If you're a Microsoft Defender XDR customer, [reach out to your Service Delivery Manager](communicate-defender-experts-xdr.md#collaborating-with-your-service-delivery-manager) if you're interested in enabling the third-party network signal enrichment.
57+
If you're a Microsoft Defender XDR customer, [reach out to your service delivery manager](communicate-defender-experts-xdr.md#collaborating-with-your-service-delivery-manager) if you're interested in enabling the third-party network signal enrichment.
6658

6759
### Prerequisites
6860

6961
To enable third-party network signals enrichment, you must have a Microsoft Sentinel instance that's onboarded to Microsoft Defender. [Learn more about Defender XDR integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration)
7062

7163
Your Sentinel instance must also have the following settings and configurations:
7264

73-
1. Data ingestion is enabled, and at least one of the following supported network signals is ingested:
65+
- Data ingestion is enabled, and at least one of the following supported network signals is ingested:
7466
- Palo Alto Networks (PAN-OS firewall)
7567
- Zscaler (Zscaler Internet Access and Zscaler Private Access)
7668
- Fortinet Firewall
77-
2. Sentinel built-in data connectors are used to ingest the third-party network signals into the *[CommonSecurityLog](/azure/sentinel/data-source-schema-reference)* table.
78-
3. Sentinel's General Data Collection & Opt-in is turned on. It's turned on by default on all Sentinel instances but if it's turned off, in your Azure portal go to **Microsoft Sentinel** > **Configuration** > **Settings** > **How do we use your data?** to turn it on.
79-
4. [Azure Lighthouse](/azure/lighthouse/overview) is configured on the tenant to allow Defender Experts analysts to access the customer’s Sentinel instance.
69+
- Sentinel built-in data connectors are used to ingest the third-party network signals into the *[CommonSecurityLog](/azure/sentinel/data-source-schema-reference)* table.
70+
- Sentinel's General Data Collection & Opt-in is turned on. It's turned on by default on all Sentinel instances but if it's turned off, in your Azure portal go to **Microsoft Sentinel** > **Configuration** > **Settings** > **How do we use your data?** to turn it on.
71+
- [Azure Lighthouse](/azure/lighthouse/overview) is configured on the tenant to allow Defender Experts analysts to access the customer’s Sentinel instance.
72+
73+
This feature is currently supported in the following regions only:
74+
75+
76+
|Continent | Country/Region | Azure Region |
77+
|---------|---------|---------|
78+
| **North America** | **United States** | • Central US<br>• East US<br>• East US 2<br>• West US<br>• West US 2<br>
79+
|**Europe**| | • North Europe<br>• West Europe|
80+
| | **UK**| • UK South |
8081

82+
For more information, read [Geographical availability and data residency in Microsoft Sentinel](/azure/sentinel/geographical-availability-data-residency) or contact your service delivery manager.
8183

8284
## Frequently asked questions
8385
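Review bot: The relocated table's North America row (added line 78) is missing its closing pipe and ends with a dangling `<br>`, unlike the Europe and UK rows; since the table is being moved anyway, correct it to `| **North America** | **United States** | • Central US<br>• East US<br>• East US 2<br>• West US<br>• West US 2 |`. Added lines 74 and 75 also leave two blank lines between the intro sentence and the table where one is enough. The switch from a numbered list to bullets at lines 65 to 71 is appropriate, since these are parallel requirements rather than ordered steps.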

defender-xdr/whats-new.md

Lines changed: 10 additions & 2 deletions
@@ -6,7 +6,7 @@ ms.service: defender-xdr
66
ms.author: diannegali
77
author: diannegali
88
ms.localizationpriority: medium
9-
ms.date: 07/09/2025
9+
ms.date: 08/01/2025
1010
manager: deniseb
1111
audience: ITPro
1212
ms.collection:
@@ -32,8 +32,16 @@ For more information on what's new with other Microsoft Defender security produc
3232

3333
You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
3434

35+
## August 2025
36+
- (GA) [Microsoft Defender Experts for XDR](dex-xdr-overview.md) and [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md) customers can now expand their service coverage to include server and cloud workloads protected by Microsoft Defender for Cloud through the respective add-ons, **Microsoft Defender Experts for Servers** and **Microsoft Defender Experts for Hunting - Servers**. [Learn more](faq-cloud-coverage-defender-experts.md)
37+
- (GA) Defender Experts for XDR customers can now [incorporate third-party network signals](third-party-enrichment-defender-experts.md) for enrichment, which could allow our security analysts to not only gain a more comprehensive view of an attack's path that allows for faster and more thorough detection and response, but also provide customers with a more holistic view of the threat in their environments.
38+
- (GA) In advanced hunting, you can now [view all your user-defined rules](custom-detection-manage.md)—both custom detection rules and analytics rules—in the **Detection rules** page. This feature also brings the following improvements:
39+
- You can now filter for *every* column (in addition to **Frequency** and **Organizational scope**).
40+
- For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the **Workspace ID** column and filter by workspace.
41+
- You can now view the details pane even for analytics rules.
42+
- You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit.
3543
## July 2025
36-
- (Preview) The [GraphApiAuditEvents](advanced-hunting-graphapiauditevents-table.md) table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant.
44+
- (Preview) The [`GraphApiAuditEvents`](advanced-hunting-graphapiauditevents-table.md) table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant.
3745

3846
- (Preview) The [`DisruptionAndResponseEvents`](advanced-hunting-disruptionandresponseevents-table.md) table, now available in advanced hunting, contains information about [automatic attack disruption](automatic-attack-disruption.md) events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads. Increase your visibility and awareness of active, complex attacks disrupted by attack disruption to understand the attacks' scope, context, impact, and actions taken.
3947
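Review bot: The second August bullet (added line 37) is one long sentence that repeats the wording from third-party-enrichment-defender-experts.md; a what's-new entry should state the benefit briefly, for example "... for enrichment, giving our analysts a fuller view of an attack's path and giving you a more holistic view of threats in your environment." For the third bullet (line 38), check that the sub-bullets at lines 39 to 42 are indented under it so they render as a nested list, and consider rewording the last one ("Turn on/off, Delete, Edit") as "turn on or off, edit, or delete". The backtick added around `GraphApiAuditEvents` at line 44 correctly matches the existing `DisruptionAndResponseEvents` entry.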
