Merge branch 'main' into release-preview-sentinel-graph

Author: v-alje

defender-for-cloud-apps/data-protection-policies.md

@@ -44,6 +44,11 @@ The following are examples of file policies that can be created:
 
 * **Sensitive file extension** - Receive an alert about files with specific extensions that are highly exposed. Select the specific extension (for example, crt for certificates) or filename and exclude those files with private sharing level.
 
+## Prerequisites
+
+To set up the first File Policy in a tenant, you need Microsoft Entra **Service Principal** permissions. **Service Principal** permissions are only automatically given if no file policy exists yet. After the first file policy is created, you can create more  without needing those permissions.
+
+
 ## Create a new file policy
 
 To create a new file policy, follow this procedure:
@@ -98,8 +103,6 @@ To create a new file policy, follow this procedure:
 
 :::image type="content" source="media/file-policy-edit-and-preview-results.png" alt-text="Screenshot that shows how you can see a preview of the filtered results for file policies.":::
 
-
-
 1. To view file policy matches, files that are suspected to violate the policy, go to **Policies** -> **Policy management**. Filter the results to display only the file policies using the **Type** filter at the top. For more information about the matches for each policy, under the **Count** column, select the number of **matches** for a policy. Alternatively, select the three dots at the end of the row for a policy and choose **View all matches**.  This opens the **File policy report**. Select the **Matching now** tab to see files that currently match the policy. Select the **History** tab to see a history back to up to six months of files that matched the policy.
 
 ## Limitations

defender-office-365/mdo-email-entity-page.md

@@ -5,7 +5,7 @@ f1.keywords:
 author: chrisda
 ms.author: chrisda
 manager: bagol
-ms.date: 07/07/2025
+ms.date: 09/22/2025
 audience: ITPro
 ms.topic: article
 ms.service: defender-office-365
@@ -297,7 +297,10 @@ Use :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="fal
 
 If you select an entry in the **Attachments** view by clicking on the **Attachment filename** value, a details flyout opens that contains the following information:
 
-- **Deep analysis** tab: Information is available on this tab if [Safe Attachments](safe-attachments-about.md) scanned (detonated) the attachment. You can identify these messages in Threat Explorer by using the query filter **Detection technology** with the value **File detonation**.
+- **Deep analysis** tab: Information is available on this tab if [Safe Attachments](safe-attachments-about.md) scanned (detonated) the attachment and it is identified as malicious through detonation. You can identify these messages in Threat Explorer using the following methods:
+  - **Detection technology** query filter with the value **File detonation**.
+  - **Detonation available** indicator in the **Details** column.
+  - The detonation count shown in the Email Summary Panel.
 
   - **Detonation chain** section: Safe Attachments detonation of a single file can trigger multiple detonations. The _detonation chain_ tracks the path of detonations, including the original malicious file that caused the verdict, and all other files affected by the detonation. These attached files might not be directly present in the email. But, including the analysis is important to determining why the file was found to be malicious.
 
@@ -378,7 +381,10 @@ Use :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="fal
 
 If you select an entry in the **URL** view by clicking on the **URL** value, a details flyout opens that contains the following information:
 
-- **Deep analysis** tab: Information is available on this tab if [Safe Links](safe-links-about.md) scanned (detonated) the URL. You can identify these messages in Threat Explorer by using the query filter **Detection technology** with the value **URL detonation**.
+- **Deep analysis** tab: Information is available on this tab if [Safe Links](safe-links-about.md) scanned (detonated) the URL and it is identified as malicious through detonation. You can identify these messages in Threat Explorer using the following methods:
+  - **Detection technology** query filter with the value **URL detonation**.
+  - **Detonation available** indicator in the **Details** column.
+  - The detonation count shown in the Email Summary Panel.
 
   - **Detonation chain** section: Safe Links detonation of a single URL can trigger multiple detonations. The _detonation chain_ tracks the path of detonations, including the original malicious URL that caused the verdict, and all other URLs affected by the detonation. These URLs might not be directly present in the email. But, including the analysis is important to determining why the URL was found to be malicious.
 

defender-office-365/tenant-allow-block-list-about.md

@@ -8,7 +8,7 @@ manager: bagol
 audience: ITPro
 ms.topic: how-to
 ms.localizationpriority: medium
-ms.date: 09/08/2025
+ms.date: 09/22/2025
 search.appverid:
 - MET150
 ms.collection:
@@ -27,22 +27,21 @@ appliesto:
 
 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
 
-> [!IMPORTANT]
-> To allow phishing URLs that are part of non-Microsoft attack simulation training, use the [advanced delivery configuration](advanced-delivery-policy-configure.md) to specify the URLs. Don't use the Tenant Allow/Block List.
-
 You might occasionally disagree with the Microsoft filtering verdict for email messages, Microsoft Teams messages, or Office apps. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative), or a URL might be blocked when it shouldn't have.
 
 The Tenant Allow/Block List in the Microsoft Defender portal gives you a way to manually override filtering verdicts. The list is used during mail flow (for email) or time of click (for email, Teams, or Office apps).
 
-Entries for **Domains and email addresses** and **Spoofed senders** apply to messages from both internal and external senders. Special handling applies to internal spoofing scenarios. Block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses.
-
 The Tenant Allow/Block list is available in the Microsoft Defender portal at <https://security.microsoft.com> **Email & collaboration** \> **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
 
 For usage and configuration instructions, see the following articles:
 
 - **Domains and email addresses** and **spoofed senders**: [Allow or block emails using the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md)
+  - Entries apply to the MAIL FROM address (also known as the `5321.MailFrom` address, P1 sender, or envelope sender), not the From address (also known as the `5322.From` address or P2 sender). For more information about these addresses, see [Why internet email needs authentication](email-authentication-about.md#why-internet-email-needs-authentication).
+  - Entries apply to messages from both internal and external senders. Special handling applies to internal spoofing scenarios.
+  - Block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses.
 - **Files**: [Allow or block files using the Tenant Allow/Block List](tenant-allow-block-list-files-configure.md)
 - **URLs**: [Allow or block URLs using the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md).
+  - To allow phishing URLs from non-Microsoft attack simulation training, don't use URL allow entries in the Tenant Allow/Block List. Use the [advanced delivery policy](advanced-delivery-policy-configure.md) to specify the URLs.
 - **IP addresses**: [Allow or block IPv6 addresses using the Tenant Allow/Block List](tenant-allow-block-list-ip-addresses-configure.md).
 - **Teams domains**: [Block domains in Microsoft Teams using the Tenant Allow/Block List](tenant-allow-block-list-teams-domains-configure.md).
 

exposure-management/Qualys-data-connector.md

@@ -48,8 +48,6 @@ To establish a connection with Qualys in Exposure Management, follow these steps
 
 Qualys connector retrieves data on compute devices, including machines and virtual machines, and vulnerability findings from Qualys on those assets. It also retrieves some networking data to identify those devices.
 
-Only devices that were modified in the last 90 days are retrieved, based on assessing the "modified" field in the Qualys asset.
-
 | **Category**            | **Properties**                                                                 |
 |-------------------------|--------------------------------------------------------------------------------|
 | **Assets/devices**      | - Gateway address<br>- FQDN<br>- IP address<br>- MAC address<br>- OS information<br>- Qualys criticality data |
@@ -72,4 +70,14 @@ Here are some common issues that might arise when configuring the Qualys Connect
 
 ## Next steps
 
-[Getting value from your data connectors](value-data-connectors.md).
+After configuring the Qualys data connector:
+
+- [Review your attack surface map](enterprise-exposure-map.md) to see Qualys data
+- [Explore security recommendations](security-recommendations.md)
+- [Set up security initiatives](initiatives.md) to track remediation progress
+
+## Related articles
+
+- [Data connectors overview](overview-data-connectors.md)
+- [Configure data connectors](configure-data-connectors.md)
+- [Getting value from your data connectors](value-data-connectors.md)

exposure-management/Rapid7-data-connector.md

@@ -31,8 +31,6 @@ To establish a connection with Rapid7 in Exposure Management, follow these steps
 
 Exposure Management retrieves data on compute devices from Rapid7, including machines and virtual machines. It also retrieves vulnerabilities reported by Rapid7 on those devices.
 
-Only devices that were actively scanned in the last 90 days are retrieved, based on assessing the "last_scan_end" field in the Rapid7 asset.
-
 | Category               | Properties                                                                 |
 |------------------------|----------------------------------------------------------------------------|
 | **Assets/devices, and data per each identifier** | - Rapid7 ID<br>- Hostname<br>- IP address<br>- mac Address<br>- OS information<br>- Rapid7 risk score<br>- Tags<br>- Rapid7 criticality data<br>- Cloud platform |
@@ -54,4 +52,14 @@ Here are some common issues that might arise when configuring the Rapid7 Connect
 
 ## Next steps
 
-[Getting value from your data connectors](value-data-connectors.md).
+After configuring the Rapid7 data connector:
+
+- [Review your attack surface map](enterprise-exposure-map.md) to see Rapid7 data
+- [Explore security recommendations](security-recommendations.md)
+- [Set up security initiatives](initiatives.md) to track remediation progress
+
+## Related articles
+
+- [Data connectors overview](overview-data-connectors.md)
+- [Configure data connectors](configure-data-connectors.md)
+- [Getting value from your data connectors](value-data-connectors.md)

exposure-management/ServiceNow-data-connector.md

@@ -40,8 +40,6 @@ To establish a connection with ServiceNow in Exposure Management, follow these s
 
 Exposure Management currently retrieves data on devices, their business application association, and business criticality. Additional data is also retrieved that helps identify the device, such as network adapter information and OS data.
 
-Only devices that were active in the last 90 days are retrieved, based on assessing the "sys_updated_on" field in the ServiceNow CI.
-
 The following fields are ingested via the connector:
 
 | **Category**          | **Properties**                                                                 |
@@ -69,4 +67,14 @@ Here are some common issues that might arise when configuring the ServiceNow Con
 
 ## Next steps
 
-[Getting value from your data connectors](value-data-connectors.md).
+After configuring the ServiceNow data connector:
+
+- [Review your attack surface map](enterprise-exposure-map.md) to see ServiceNow data
+- [Explore security recommendations](security-recommendations.md)
+- [Set up security initiatives](initiatives.md) to track remediation progress
+
+## Related articles
+
+- [Data connectors overview](overview-data-connectors.md)
+- [Configure data connectors](configure-data-connectors.md)
+- [Getting value from your data connectors](value-data-connectors.md)

exposure-management/TOC.yml

@@ -46,6 +46,12 @@
          items:
            - name: ServiceNow
              href: ServiceNow-data-connector.md
+       - name: Cloud Security data connectors
+         items:
+           - name: Wiz
+             href: wiz-data-connector.md
+           - name: Palo Alto Prisma
+             href: palo-alto-prisma-data-connector.md
        - name: Vulnerability Management data connectors
          items:
            - name: Qualys

exposure-management/Tenable-data-connector.md

@@ -44,8 +44,6 @@ To establish a connection with Tenable in Exposure Management, follow these step
 
 Exposure Management retrieves data on compute devices from Tenable, including machines and virtual machines. It also retrieves some networking data to identify those devices.
 
-Only devices that were modified in the last 90 days are retrieved, based on assessing the "updated_at" field in the Tenable asset.
-
 Exposure Management also retrieves vulnerability findings from Tenable on those assets.
 
 The vulnerability data retrieved for Tenable is applicable to CVEs only, and not other types of vulnerabilities or misconfigurations. Tenable shows total vulnerability counts that include other non-CVE misconfigurations as well, so these counts aren't applicable to the numbers of vulnerabilities ingested to Exposure Management.
@@ -77,4 +75,14 @@ Here are some common issues that might arise when configuring the Tenable Connec
 
 ## Next steps
 
-[Getting value from your data connectors](value-data-connectors.md).
+After configuring the Tenable data connector:
+
+- [Review your attack surface map](enterprise-exposure-map.md) to see Tenable data
+- [Explore security recommendations](security-recommendations.md)
+- [Set up security initiatives](initiatives.md) to track remediation progress
+
+## Related articles
+
+- [Data connectors overview](overview-data-connectors.md)
+- [Configure data connectors](configure-data-connectors.md)
+- [Getting value from your data connectors](value-data-connectors.md)

exposure-management/configure-data-connectors.md

@@ -6,7 +6,7 @@ author: dlanger
 manager: rayne-wiselman
 ms.topic: overview
 ms.service: exposure-management
-ms.date: 11/06/2024
+ms.date: 09/21/2025
 ---
 
 # Configure your data connectors
@@ -30,6 +30,11 @@ To view the status of the connectors, you can use one of the following roles:
 - Global Reader (read permissions)
 - Security Reader (read permissions)
 
+You can also use [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac) with the following permissions:
+    - **Exposure Management (read)** for read-only access to Exposure Management experiences
+    - **Exposure Management (manage)** for full access to manage Exposure Management experiences
+    - **Core security settings (manage)** for connecting or changing vendor configurations (located under Authorization and settings category)
+
 You can find more details about the permission levels here, [Prerequisites, and support](prerequisites.md).
 
 ## Establish a connection
@@ -42,8 +47,8 @@ To establish a connection with any of the supported external products, follow th
      - [Qualys VM](Qualys-data-connector.md)
      - [Rapid7 VM](Rapid7-data-connector.md)
      - [Tenable](Tenable-data-connector.md)
-     - Wiz (coming soon)
-     - Palo Alto (coming soon)
+     - [Wiz](wiz-data-connector.md)
+     - [Palo Alto Prisma](palo-alto-prisma-data-connector.md)
 
 2. Go to **Data Connectors** in the Exposure Management navigation.
 3. Select **Connect** on the selected data connector from the external connectors catalog.
@@ -81,4 +86,4 @@ Select the external data connector you want to configure and follow the steps to
 
 - [CMDB data connectors](ServiceNow-data-connector.md)
 - [Vulnerability management data connectors](Qualys-data-connector.md)
-- Cloud security data connectors (coming soon)
+- [Cloud security data connectors](wiz-data-connector.md)