Merge branch 'main' into release-preview-sentinel-lake

Author: v-alje

ATPDocs/deploy/activate-sensor.md

@@ -25,7 +25,7 @@ You can choose to activate eligible domain controllers either automatically, whe
 |---------|---------|
 |Activate new sensor |The domain controller is already onboarded to Defender for Endpoint. [Activate the sensor](#activate-the-defender-for-identity-sensor).|
 |Install classic sensor|[Deploy the classic Defender for Identity sensor](install-sensor.md) from the **Sensors page**.|
-|OS update is required     |This domain controller is running an unsupported operating system version for the new sensor. Update the server to Windows Server 2019 or later to use the new sensor. |
+|OS upgrade is required     |This domain controller is running an unsupported operating system version for the new sensor. Upgrade the OS version to the latest version. |
 
 <!--|Download onboarding package     |[Onboard the domain controller to Defender for Endpoint](#onboard-the-domain-controller).|-->
 

ATPDocs/identity-inventory.md

@@ -76,7 +76,7 @@ The **Identities** list offers a consolidated view of identities across Active D
 
 - __Last updated__ – The timestamp of the most recent update to the identity's attributes in Active Directory.
 
-Nondefault columns: Email and Microsoft Entra ID risk level.  
+Nondefault columns: Email, Microsoft Entra ID risk level and Cloud ID. 
 
 > [!TIP]
 > To see all columns, you likely need to do one or more of the following steps:

CloudAppSecurityDocs/caac-known-issues.md

@@ -114,6 +114,35 @@ A user who starts a session in Edge with a profile other than his work profile,
 
 If the URL points to a resource within the secured application, the user will be directed to the application's homepage in Edge.
 
+### Outdated session policy enforcement with Edge
+When a session policy is enforced using Edge in-browser protection and the user is later removed from the corresponding Conditional Access (CA) policy, the original session enforcement may still persist.
+
+Example Scenario:
+
+A user was originally assigned a CA policy for the Salesforce application, along with an Defender for Cloud apps session policy that blocked file downloads. As a result, downloads were blocked when the user accessed Salesforce in Edge.
+
+Although the admin later removed the CA policy, the user still experiences the download block in Edge due to cached policy data.
+
+Mitigation Options:
+
+Option 1: Automatic cleanup
+1.	Reassign the user/app to the CA policy.
+2.	Remove the corresponding Defender for Cloud Apps session policy.
+3.	Have the user access the application using Edge, this will trigger the policy removal automatically.
+4.	Remove the CA policy again.
+   
+Option 2: Manual cleanup
+1.	Delete the cached policy file
+     - Go to: C:\Users\<username>\AppData\Local\Microsoft\Edge\
+     - Delete the file: mda_store.txt
+
+2.	Remove the work profile in Edge
+    - Open Microsoft Edge.
+    - Navigate to Profile Settings.
+    - Delete the work profile associated with the outdated session policy.
+  
+These steps will force a policy refresh and resolve enforcement issues related to outdated session policies.
+
 ## Related content
 
 - [Conditional Access app control in Microsoft Defender for Cloud Apps](proxy-intro-aad.md)

defender-office-365/submissions-admin-review-user-reported-messages.md

@@ -42,7 +42,7 @@ Admins can mark messages and notify users of review results only if the user [re
   - **Payload reputation/detonation**: Up-to-date examination of any URLs and attachments in the message.
   - **Grader analysis**: Review done by human graders to confirm whether or not messages are malicious.
 
-[Learn more how submissions are processed behind-the-scenes to generate the result](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/how-your-submissions-to-defender-for-office-365-are-processed-behind-the-scenes/4231551). 
+  For more information, see [Learn more how submissions are processed behind-the-scenes to generate the result](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/how-your-submissions-to-defender-for-office-365-are-processed-behind-the-scenes/4231551).
 
   So, submitting or resubmitting messages to Microsoft is useful to admins only for messages that have never been submitted to Microsoft, or when you disagree with the original verdict.
 

defender-office-365/submissions-admin.md

@@ -824,12 +824,12 @@ The analysis results of the reported item are shown in the details flyout that o
 - Current detonation results to see if the URLs or files in the message were malicious or not.
 - Feedback from graders.
 
-[Learn more how submissions are processed behind-the-scenes to generate the result](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/how-your-submissions-to-defender-for-office-365-are-processed-behind-the-scenes/4231551). 
+For more information about how Microsoft processes submissions, see [Learn more how submissions are processed behind-the-scenes to generate the result](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/how-your-submissions-to-defender-for-office-365-are-processed-behind-the-scenes/4231551).
 
 If an override or policy configuration was found, the result should be available in several minutes. If there wasn't a problem in email authentication or delivery wasn't affected by an override or policy, the detonation and feedback from graders could take up to a day.
 
 > [!NOTE]
-> **Currently in Preview**, AI-powered Submissions Response capability introduces generative AI explanations for admin email submissions to Microsoft. For more information, see [Submission result definitions](submissions-result-definitions.md).
+> AI-powered Submissions Response capability introduces generative AI explanations for admin email submissions to Microsoft. For more information, see [Submission result definitions](submissions-result-definitions.md).
 
 ### Actions for admin submissions in Defender for Office 365
 

defender-office-365/submissions-result-definitions.md

@@ -34,12 +34,12 @@ When admins or users submit items to Microsoft for analysis, we do the following
 - **Payload reputation/detonation**: Up-to-date examination of any URLs and attachments in the message.
 - **Grader analysis**: Review done by human graders to confirm whether messages are malicious.
 
-[Learn more how submissions are processed behind-the-scenes to generate the result](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/how-your-submissions-to-defender-for-office-365-are-processed-behind-the-scenes/4231551). 
+For more information, see [Learn more how submissions are processed behind-the-scenes to generate the result](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/how-your-submissions-to-defender-for-office-365-are-processed-behind-the-scenes/4231551).
 
 > [!NOTE]
 >
 > - In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can submit items to Microsoft for analysis, but the items are analyzed for email authentication and policy hits only. Payload reputation, detonation, and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary).
-> - **Currently in Preview**, AI-powered Submissions Response capability introduces generative AI explanations for email submissions to Microsoft. These explanations aim to provide enterprise admins with clear, detailed, human-readable explanations for why messages were classified. Currently, this feature is scoped to email submissions only, and AI-generated explanations aren't used for the following types of submissions:
+> - AI-powered Submissions Response introduces generative AI explanations for email submissions to Microsoft. These explanations aim to provide enterprise admins with clear, detailed, human-readable explanations for why messages were classified. Currently, this feature is scoped to email submissions only, and AI-generated explanations aren't used for the following types of submissions:
 >   - Files
 >   - URLs
 >   - Microsoft Teams messages

defender-xdr/advanced-hunting-defender-use-custom-rules.md

@@ -65,9 +65,9 @@ For example, to get the first 10 rows of data from the `StormEvents` table store
 ### Use arg() operator for Azure Resource Graph queries
 The `arg()` operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like. 
 
-This feature was previously only available in log analytics in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works over Microsoft Sentinel data (that is, Defender XDR tables aren't supported). This allows users to use the operator in advanced hunting without needing to manually open a Microsoft Sentinel window. 
+This feature was previously only available in the Logs feature in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works to combine Azure Resource Graph (arg) queries with Microsoft Sentinel tables (that is, Defender XDR tables aren't supported). This allows users to make the cross-service query in advanced hunting without manually opening a Microsoft Sentinel window.
 
-Note that queries using the `arg()` operator return the first 1,000 records only. Read [Query data in Azure Resource Graph by using arg()](/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#query-data-in-azure-resource-graph-by-using-arg-preview) for more details.
+For more information, see [Query data in Azure Resource Graph by using arg()](/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#query-data-in-azure-resource-graph-by-using-arg-preview).
 
 In the query editor, enter *arg("").* followed by the Azure Resource Graph table name. 
 
@@ -78,14 +78,12 @@ For example:
 You can also, for instance, filter a query that searches over Microsoft Sentinel data based on the results of an Azure Resource Graph query:
 
 ```Kusto
-arg("").Resources 
-| where type == "microsoft.compute/virtualmachines" and properties.hardwareProfile.vmSize startswith "Standard_D"
-| join (
-    Heartbeat
-    | where TimeGenerated > ago(1d)
-    | distinct Computer
-    )
-    on $left.name == $right.Computer
+arg("").Resources
+| where type=="microsoft.compute/virtualmachines" | extend name = tolower(name)
+| join ( 
+BehaviorAnalytics
+| where isnotempty(SourceDevice) and InvestigationPriority > 2 | extend SourceDevice = tolower(SourceDevice)
+) on $left.name == $right.SourceDevice
 ```
 
 
@@ -141,4 +139,4 @@ You can view all your user-defined rules—both custom detection rules and analy
 
 
 For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the **Workspace ID** column and filter by workspace. 
-   
+