Merge branch 'main' into release-preview-sentinel-graph

Author: PhilKang0704

defender-endpoint/linux-custom-location-installation.md

@@ -18,7 +18,7 @@ search.appverid: met150
 ms.date: 08/18/2025
 ---
 
-# Enabling deployment of Microsoft Defender for Endpoint to a custom location (preview)
+# Enabling deployment of Microsoft Defender for Endpoint to a custom location
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 

defender-for-identity/remove-inactive-service-account.md

@@ -1,18 +1,18 @@
 ---
-title: 'Security Assessment: Remove Inactive Service Account (Preview)'
+title: 'Security Assessment: Remove Inactive Service Account'
 description: Learn how to identify and address inactive Active Directory service accounts to mitigate security risks and improve your organization's security posture.
 ms.date: 08/17/2025
 ms.topic: how-to
 #customer intent: As a security administrator, I want to improve security posture in my organization by removing inactive service accounts
 ---
 
-# Security Assessment: Remove Stale Service Accounts (Preview)
+# Security Assessment: Remove Inactive Service Accounts
 
-This recommendation lists Active Directory service accounts detected as stale within the past 90 days. 
+This recommendation lists Active Directory service accounts detected as inactive within the past 90 days. 
 
-## Why do stale service accounts pose a risk?
+## Why do inactive service accounts pose a risk?
 
-Unused service accounts create significant security risks, as some of them can carry elevated privileges. If attackers gain access, the result can be substantial damage. Stale service accounts might retain high or legacy permissions. When compromised, they provide attackers with discreet entry points into critical systems, granting far more access than a standard user account.
+Unused service accounts create significant security risks, as some of them can carry elevated privileges. If attackers gain access, the result can be substantial damage. Inactive service accounts might retain high or legacy permissions. When compromised, they provide attackers with discreet entry points into critical systems, granting far more access than a standard user account.
 
 This exposure creates several risks:
 
@@ -25,9 +25,9 @@ This exposure creates several risks:
 
 To use this security assessment effectively, follow these steps:
 
-1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions ](https://security.microsoft.com/securescore?viewid=actions) for Remove stale service account.
+1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions ](https://security.microsoft.com/securescore?viewid=actions) for Remove inactive service account.
 
-1. Review the list of exposed entities to discover which of your service accounts are stale and have not performed any login activity in the last 90 days.
+1. Review the list of exposed entities to discover which of your service accounts are inactive and haven't performed any login activity in the last 90 days.
 
 1. Take appropriate actions on those entities by removing the service account. For example:
 

defender-for-identity/whats-new.md

@@ -25,6 +25,9 @@ For updates about versions and features released six months ago or earlier, see
 
 ## September 2025
 
+### Unlock additional security value in the unified agent (Preview)
+Get enhance protection by applying the ‘Unified sensor RPC audit’ tag to your V3.x sensors through the Asset rule management feature. Learn more [here](/defender-for-identity/deploy/prerequisites-sensor-version-3).
+
 ### Identity posture recommendations view on the identity page (preview)
 
 We've added a new tab on the Identity profile page that contains all active identity-related identity security posture assessments (ISPMs). This feature consolidates all identity-specific security posture assessments into a single contextual view, helping security teams quickly spot weaknesses and take targeted actions.   
@@ -95,11 +98,11 @@ Previously, Defender for Identity tenants received Microsoft Entra ID risk level
 
 For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Microsoft Entra ID risk level to the IdentityInfo table remains unchanged.
 
-### New security assessment: Remove stale service accounts (Preview)
+### New security assessment: Remove inactive service accounts
 
-Microsoft Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been stale for the past 90 days, to help you mitigate security risks associated with unused accounts.
+Microsoft Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been inactive for the past 90 days, to help you mitigate security risks associated with unused accounts.
 
-For more information, see: Security Assessment: [Remove Stale Service Accounts (Preview)](/defender-for-identity/remove-inactive-service-account)
+For more information, see: Security Assessment: [Remove Inactive Service Accounts (Preview)](/defender-for-identity/remove-inactive-service-account).
 
 ### New Graph based API for response actions (preview) 
 

defender-xdr/advanced-hunting-overview.md

@@ -1,13 +1,13 @@
 ---
 title: Overview - Advanced hunting
-description: Learn about advanced hunting queries in Microsoft Defender and how to use them to proactively find threats and weaknesses in your network
+description: Learn about advanced hunting queries in Microsoft Defender and how to use them to proactively find threats and weaknesses in your network.
 ms.service: defender-xdr
 f1.keywords: 
   - NOCSH
-ms.author: maccruz
-author: schmurky
+ms.author: pauloliveria
+author: poliveria
 ms.localizationpriority: medium
-manager: dansimp
+manager: orspodek
 audience: ITPro
 ms.collection: 
   - m365-security
@@ -22,7 +22,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 search.appverid: met150
-ms.date: 06/03/2025
+ms.date: 09/09/2025
 
 ---
 
@@ -33,7 +33,7 @@ ms.date: 06/03/2025
 
 Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
 
-Advanced hunting supports two modes, guided and advanced. Use [guided mode](advanced-hunting-query-builder.md) if you are not yet familiar with Kusto Query Language (KQL) or prefer the convenience of a query builder. Use [advanced mode](advanced-hunting-query-language.md) if you are comfortable using KQL to create queries from scratch. 
+Advanced hunting supports two modes, guided and advanced. Use [guided mode](advanced-hunting-query-builder.md) if you aren't yet familiar with Kusto Query Language (KQL) or prefer the convenience of a query builder. Use [advanced mode](advanced-hunting-query-language.md) if you're comfortable using KQL to create queries from scratch. 
 
 **To start hunting, read [Choose between guided and advanced modes to hunt in the Microsoft Defender portal](advanced-hunting-modes.md).**
 
@@ -66,13 +66,13 @@ Advanced hunting data can be categorized into two distinct types, each consolida
 
 ### **Event or activity data**
 
-Event or activity data populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to the corresponding cloud services. For example, you can query event data from healthy sensors on workstations or domain controllers almost immediately after they are available on Microsoft Defender for Endpoint and Microsoft Defender for Identity. 
+Event or activity data populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to the corresponding cloud services. For example, you can query event data from healthy sensors on workstations or domain controllers almost immediately after they're available on Microsoft Defender for Endpoint and Microsoft Defender for Identity. 
 
 To collect even more event properties, you have the option of turning on [aggregated reporting](/defender-endpoint/aggregated-reporting).
 
 ### **Entity data**
 
-Entity data populates tables with information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
+Entity data populates tables with information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated every hour to insert a record that contains the latest, most comprehensive data set about each entity, including other useful information such as health status and tags.
 
 
 ## Time zone
@@ -96,7 +96,7 @@ In order to extend the 30 days retention for Advanced Hunting, see the following
 - Microsoft Defender for Endpoint [Raw Data Streaming API](/defender-endpoint/api/raw-data-export)
 
 > [!NOTE]
-> The data retained is from the first (1st) day that you implement and enable the streaming api.
+> The data retained is from the first day that you implement and enable the streaming API.
 
 ## Related content