Merge branch 'main' into patch-3

Author: aditisrivastava07

ATPDocs/security-assessment.md

@@ -9,13 +9,13 @@ ms.topic: how-to
 
 Typically, organizations of all sizes have limited visibility into whether or not their on-premises apps and services could introduce a security vulnerability to their organization. The problem of limited visibility is especially true regarding use of unsupported or outdated components.
 
-While your company may invest significant time and effort on hardening identities and identity infrastructure (such as Active Directory, Active Directory Connect) as an on-going project, it's easy to remain unaware of common misconfigurations and use of legacy components that represent one of the greatest threat risks to your organization. 
+While your company might invest significant time and effort on hardening identities and identity infrastructure (such as Active Directory, Active Directory Connect) as an ongoing project, it's easy to remain unaware of common misconfigurations and use of legacy components that represent one of the greatest threat risks to your organization. 
 
 Microsoft security research reveals that most identity attacks utilize common misconfigurations in Active Directory and continued use of legacy components (such as NTLMv1 protocol) to compromise identities and successfully breach your organization. To combat this effectively, Microsoft Defender for Identity now offers proactive identity security posture assessments to detect and recommend actions across your on-premises Active Directory configurations.
 
 ## What do Defender for Identity security assessments provide?
 
-Defender for Identity's security posture assessments are available in [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score), and provide:
+Defender for Identity security posture assessments are available in [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score), and provide:
 
 - **Detections and contextual data** on known exploitable components and misconfigurations, along with relevant paths for remediation.
 
@@ -25,11 +25,21 @@ Defender for Identity's security posture assessments are available in [Microsoft
 
 Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at <https://security.microsoft.com/securescore> in the [Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-defender).
 
+### Categorization of Defender for Identity security posture assessments
+
+Defender for Identity security posture assessments have five key categories. Each category addresses specific identity security risks and provides remediation guidance.
+
+- **Hybrid security**: Identifies misconfigurations in environments that integrate on-premises (e.g., Active Directory) and cloud-based identity providers (e.g., Entra ID, Okta). Assesses risks related to synchronization, authentication, and authorization across platforms.
+- **Identity infrastructure**: Detects misconfigurations and vulnerabilities in core identity components, including domain controllers.
+- **Certificates**: Assesses Active Directory Certificate Services (AD CS) for security gaps, such as misconfigured certificate templates or weak certificate authority settings. Identifying and addressing these issues helps prevent unauthorized access that could arise from certificate-related vulnerabilities.
+- **Group policy**: Analyzes Group Policy configurations to identify settings that might allow privilege escalation or unauthorized lateral movement within the network. Ensuring secure Group Policy settings helps maintain proper access controls and system configurations.
+- **Accounts**: Reviews users, devices, and groups to pinpoint security risks such as weak passwords, inactive accounts, or improper permissions.
+
 ## Access Defender for Identity security posture assessments
 
+> [!NOTE]
 You must have a Defender for Identity license to view Defender for Identity security posture assessments in Microsoft Secure Score.
-
-While *certificate template* assessments are available to all customers that have AD CS installed on their environment, *certificate authority* assessments are available only to customers who've installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md).
+While *certificate template* assessments are available to all customers with AD CS installed in their environment, *certificate authority* assessments are available only to customers who have installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md).
 
 **To access identity security posture assessments**:
 

ATPDocs/toc.yml

@@ -158,88 +158,92 @@ items:
       href: remediation-actions.md
   - name: Security posture
     items:
-    - name: Accounts with non-default Primary Group ID
-      href: accounts-with-non-default-pgid.md
-    - name: Built-in Active Directory Guest account is enabled
-      href: built-in-active-directory-guest-account-is-enabled.md
-    - name: Ensure privileged accounts are not delegated
-      href: ensure-privileged-accounts-with-sensitive-flag.md
-    - name: Change Domain Controller computer account old password
-      href: domain-controller-account-password-change.md
-    - name: Change password of built-in domain Administrator account
-      href: change-password-domain-administrator-account.md
-    - name: GPO assigns unprivileged identities to local groups with elevated privileges
-      href: gpo-assigns-unprivileged-identities.md
-    - name: Overview
-      href: security-assessment.md
-      displayName: security posture, security assessment
-    - name: Reversible passwords found in GPOs
-      href: reversible-passwords-group-policy.md
-    - name: GPO can be modified by unprivileged accounts
-      href: modified-unprivileged-accounts-gpo.md
-    - name: Change password for krbtgt account
-      href: change-password-krbtgt-account.md
-    - name: Unsafe permissions on the DnsAdmins group
-      href: unsafe-permissions-dns-admins-group.md
-    - name: Change password for Microsoft Entra seamless SSO account
-      href: change-password-microsoft-entra-seamless-single-sign-on.md
-      displayName: Microsoft Entra connect
-    - name: "Rotate password for Microsoft Entra Connect connector account "
-      href: rotate-password-microsoft-entra-connect.md
-      displayName: Microsoft Entra Connect
-    - name: Admin SDHolder permissions
-      href: security-assessment-remove-suspicious-access-rights.md
-    - name: DCSync permissions
-      href: security-assessment-non-admin-accounts-dcsync.md
-    - name: Deploy Defender for Identity
-      href: security-assessment-deploy-defender-for-identity.md
-    - name: Domain controllers with Print spooler service available assessment
-      href: security-assessment-print-spooler.md
-    - name: Dormant entities in sensitive groups assessment
-      href: security-assessment-dormant-entities.md
-    - name: Enforce encryption for RPC certificate enrollment interface  (ESC8)
-      href: security-assessment-enforce-encryption-rpc.md
-    - name: Entities exposing credentials in clear text assessment
-      href: security-assessment-clear-text.md
-    - name: Remove unnecessary replication permissions for Microsoft Entra Connect connector account
-      href: remove-replication-permissions-microsoft-entra-connect.md
-      displayName: Microsoft Entra Connect
-    - name: Insecure ADCS certificate enrollment IIS endpoints (ESC8)
-      href: security-assessment-insecure-adcs-certificate-enrollment.md
-    - name: LAPS usage assessment
-      href: security-assessment-laps.md
-    - name: Misconfigured Certificate Authority ACL  (ESC7)
-      href: security-assessment-edit-misconfigured-ca-acl.md
-    - name: Misconfigured certificate templates ACL (ESC4)
-      href: security-assessment-edit-misconfigured-acl.md
-    - name: Misconfigured certificate templates owner  (ESC4)
-      href: security-assessment-edit-misconfigured-owner.md
-    - name: Misconfigured enrollment agent certificate template  (ESC3)
-      href: security-assessment-edit-misconfigured-enrollment-agent.md
-    - name: Overly permissive certificate template with privileged EKU (ESC2)
-      href: security-assessment-edit-overly-permissive-template.md
-    - name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
-      href: prevent-certificate-enrollment-esc15.md
-    - name: Prevent requests for certificates valid for arbitrary users  (ESC1)
-      href: security-assessment-prevent-users-request-certificate.md
-    - name: Remove local admins on identity assets
-      href: security-assessment-remove-local-admins.md      
-    - name: Riskiest lateral movement paths
-      href: security-assessment-riskiest-lmp.md
-    - name: Unmonitored domain controllers
-      href: security-assessment-unmonitored-domain-controller.md
-    - name: Unsecure account attributes
-      href: security-assessment-unsecure-account-attributes.md
-    - name: Unsecure domain configurations
-      href: security-assessment-unsecure-domain-configurations.md
-    - name: Unsecure Kerberos delegation assessment
-      href: security-assessment-unconstrained-kerberos.md
-    - name: Unsecure SID History attributes
-      href: security-assessment-unsecure-sid-history-attribute.md
-    - name: Vulnerable Certificate Authority setting (ESC6)
-      href: security-assessment-edit-vulnerable-ca-setting.md
-    - name: Weak cipher usage assessment
-      href: security-assessment-weak-cipher.md
+     - name: Overview
+       href: security-assessment.md
+     - name: Hybrid security
+       items:
+       - name: Change password for Microsoft Entra seamless SSO account
+         href: change-password-microsoft-entra-seamless-single-sign-on.md
+         displayName: Microsoft Entra connect
+       - name: Rotate password for Microsoft Entra Connect connector account
+         href: rotate-password-microsoft-entra-connect.md
+         displayName: Microsoft Entra Connect
+       - name: Remove unnecessary replication permissions for Microsoft Entra Connect connector account
+         href: remove-replication-permissions-microsoft-entra-connect.md
+     - name: Identity infrastructure
+       items:
+       - name: Built-in Active Directory Guest account is enabled
+         href: built-in-active-directory-guest-account-is-enabled.md
+       - name: Change Domain Controller computer account old password
+         href: domain-controller-account-password-change.md
+       - name: Domain controllers with Print spooler service available assessment
+         href: security-assessment-print-spooler.md
+       - name: Remove local admins on identity assets
+         href: security-assessment-remove-local-admins.md   
+       - name: Unmonitored domain controllers
+         href: security-assessment-unmonitored-domain-controller.md
+       - name: Unsecure domain configurations
+         href: security-assessment-unsecure-domain-configurations.md
+     - name: Certificates
+       items: 
+        - name: Enforce encryption for RPC certificate enrollment interface  (ESC8)
+          href: security-assessment-enforce-encryption-rpc.md
+        - name: Insecure ADCS certificate enrollment IIS endpoints (ESC8)
+          href: security-assessment-insecure-adcs-certificate-enrollment.md
+        - name: Misconfigured certificate templates owner  (ESC4)
+          href: security-assessment-edit-misconfigured-owner.md
+        - name: Misconfigured Certificate Authority ACL  (ESC7)
+          href: security-assessment-edit-misconfigured-ca-acl.md
+        - name: Misconfigured certificate templates ACL (ESC4)
+          href: security-assessment-edit-misconfigured-acl.md
+        - name: Misconfigured enrollment agent certificate template  (ESC3)
+          href: security-assessment-edit-misconfigured-enrollment-agent.md    
+        - name: Overly permissive certificate template with privileged EKU (ESC2)
+          href: security-assessment-edit-overly-permissive-template.md
+        - name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
+          href: prevent-certificate-enrollment-esc15.md
+        - name: Prevent requests for certificates valid for arbitrary users  (ESC1)
+          href: security-assessment-prevent-users-request-certificate.md
+        - name: Vulnerable Certificate Authority setting (ESC6)
+          href: security-assessment-edit-vulnerable-ca-setting.md
+     - name: Group policy 
+       items: 
+        - name: GPO assigns unprivileged identities to local groups with elevated privileges
+          href: gpo-assigns-unprivileged-identities.md
+        - name: GPO can be modified by unprivileged accounts
+          href: modified-unprivileged-accounts-gpo.md
+        - name: Reversible passwords found in GPOs
+          href: reversible-passwords-group-policy.md
+     - name: Accounts
+       items: 
+         - name: Accounts with non-default Primary Group ID
+           href: accounts-with-non-default-pgid.md 
+         - name: Admin SDHolder permissions
+           href: security-assessment-remove-suspicious-access-rights.md
+         - name: Change password for krbtgt account
+           href: change-password-krbtgt-account.md
+         - name: Change password of built-in domain Administrator account
+           href: change-password-domain-administrator-account.md
+         - name: Dormant entities in sensitive groups assessment
+           href: security-assessment-dormant-entities.md
+         - name: DCSync permissions
+           href: security-assessment-non-admin-accounts-dcsync.md
+         - name: Ensure privileged accounts are not delegated
+           href: ensure-privileged-accounts-with-sensitive-flag.md
+         - name: Entities exposing credentials in clear text assessment
+           href: security-assessment-clear-text.md
+         - name: LAPS usage assessment
+           href: security-assessment-laps.md
+         - name: Riskiest lateral movement paths
+           href: security-assessment-riskiest-lmp.md
+         - name: Unsecure Kerberos delegation assessment
+           href: security-assessment-unconstrained-kerberos.md
+         - name: Unsecure SID History attributes
+           href: security-assessment-unsecure-sid-history-attribute.md
+         - name: Unsecure account attributes
+           href: security-assessment-unsecure-account-attributes.md
+         - name: Weak cipher usage assessment
+           href: security-assessment-weak-cipher.md
 - name: Reference
   items:
   - name: Operations guide

ATPDocs/whats-new.md

@@ -25,9 +25,7 @@ For updates about versions and features released six months ago or earlier, see
 ## March 2025
 
 ### New LDAP query events added to the IdentityQueryEvents table in Advanced Hunting
-New LDAP query events will be added by March 6th to the `IdentityQueryEvents` table in Advanced Hunting to provide more visibility into additional LDAP search queries running in the customer environment.
-This update may lead to an increase in activity within the Advanced Hunting IdentityQueryEvents table for LDAP queries. If you have custom detections related to these queries, you may see a higher number of triggered alerts.
-We recommend that you review your existing custom detections to ensure they align with your objectives. If needed, you can adjust your query accordingly.
+New LDAP query events were added to the `IdentityQueryEvents` table in Advanced Hunting to provide more visibility into additional LDAP search queries running in the customer environment.
 
 ## February 2025
 

unified-secops-platform/cases-overview.md

@@ -65,6 +65,8 @@ To start using case management, select **Cases** in the Defender portal to acces
 
 :::image type="content" source="media/cases-overview/cases-queue-view.png" alt-text="Screenshot of case queue.":::
 
+The maximum allowed per tenant is 100,000 cases.
+
 ## Case details
 
 Each case has a page which allows analysts to manage the case and displays important details.
@@ -112,6 +114,8 @@ Alternatively, if the IR team needs to escalate one or more incidents to the hun
 
 :::image type="content" source="media/cases-overview/link-incident-from-incident-graph.png" alt-text="Screenshot showing the link incident option from ellipses menu in the incident view.":::
 
+Each case has a threshold of 100 linked incidents.
+
 ### Activity log
 
 Need to write down notes, or that key detection logic to pass along? Create plain text comments and review the audit events in the activity log. Comments are a great place to quickly add information to a case.

unified-secops-platform/microsoft-sentinel-onboard.md

@@ -15,6 +15,8 @@ ms.collection:
 - highpri
 - tier1
 - usx-security
+- zerotrust-solution
+- msftsolution-secops
 ms.topic: how-to
 search.appverid: 
 - MOE150

unified-secops-platform/overview-deploy.md

@@ -8,7 +8,8 @@ ms.topic: how-to #Don't change.
 ms.date: 12/02/2024
 ms.collection:
 - usx-security
-
+- zerotrust-solution
+- msftsolution-secops
 
 #customer intent: As a security administrator, I want to deploy Microosft's unified security operations platform so that I can access Microsoft Sentinel services together with other Microsoft Defender services in the Microsoft Defender portal.
 

unified-secops-platform/overview-plan.md

@@ -8,6 +8,8 @@ ms.topic: concept-article #Don't change.
 ms.date: 02/09/2025
 ms.collection:
 - usx-security
+- zerotrust-solution
+- msftsolution-secops
 
 
 #customer intent: As a security administrator, I want to plan my unified security operations platform deployment so that I can access Microsoft Sentinel services together with other Microsoft Defender services in the Microsoft Defender portal.