Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into yelevin/investigate-alerts

Author: yelevin

.openpublishing.redirection.defender-endpoint.json

@@ -79,6 +79,11 @@
       "source_path": "defender-endpoint/pilot-deploy-defender-endpoint.md",
       "redirect_url": "/defender-xdr/pilot-deploy-defender-endpoint",
       "redirect_document_id": false
-    }
+    },
+    {
+      "source_path": "defender-endpoint/monthly-security-summary-report.md",
+      "redirect_url": "/defender-endpoint/threat-protection-reports#monthly-security-summary",
+      "redirect_document_id": true
+    }    
   ]
 }

.openpublishing.redirection.defender-xdr.json

@@ -10,7 +10,6 @@
       "redirect_url": "/defender-for-identity/microsoft-365-security-center-mdi",
       "redirect_document_id": false
     },
-
     {
       "source_path": "defender-xdr/eval-create-eval-environment.md",
       "redirect_url": "/defender-xdr/pilot-deploy-overview",
@@ -131,6 +130,11 @@
       "redirect_url": "/defender-xdr/entity-page-device",
       "redirect_document_id": true
     },
+    {
+      "source_path": "defender-xdr/unlink-alert-from-incident.md",
+      "redirect_url": "/defender-xdr/move-alert-to-another-incident",
+      "redirect_document_id": true
+    },
     {
       "source_path": "defender-xdr/unified-secops-platform/defender-xdr-portal.md",
       "redirect_url": "/defender-xdr/",
@@ -166,6 +170,31 @@
       "redirect_url": "/defender-xdr/",
       "redirect_document_id": false
     },
+    {
+      "source_path": "defender-xdr/microsoft-threat-actor-naming.md",
+      "redirect_url": "/unified-secops-platform/microsoft-threat-actor-naming",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/malware-naming.md",
+      "redirect_url": "/unified-secops-platform/malware-naming",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/criteria.md",
+      "redirect_url": "/unified-secops-platform/criteria",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/submission-guide.md",
+      "redirect_url": "/unified-secops-platform/submission-guide",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/virus-initiative-criteria.md",
+      "redirect_url": "/unified-secops-platform/virus-initiative-criteria",
+      "redirect_document_id": false
+    },
     {
       "source_path": "defender-xdr/tickets.md",
       "redirect_url": "/defender-xdr/troubleshoot",
@@ -175,6 +204,61 @@
       "source_path": "defender-xdr/portal-submission-troubleshooting.md",
       "redirect_url": "/defender-xdr/troubleshoot",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-advanced-hunting.md",
+      "redirect_url": "/unified-secops-platform/mto-advanced-hunting",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-dashboard.md",
+      "redirect_url": "/unified-secops-platform/mto-dashboard",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-endpoint-security-policy.md",
+      "redirect_url": "/unified-secops-platform/mto-endpoint-security-policy",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-incidents-alerts.md",
+      "redirect_url": "/unified-secops-platform/mto-incidents-alerts",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-overview.md",
+      "redirect_url": "/unified-secops-platform/mto-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-requirements.md",
+      "redirect_url": "/unified-secops-platform/mto-requirements",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-tenant-devices.md",
+      "redirect_url": "/unified-secops-platform/mto-tenant-devices",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-tenantgroups.md",
+      "redirect_url": "/unified-secops-platform/mto-tenantgroups",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/mto-tenants.md",
+      "redirect_url": "/unified-secops-platform/mto-tenants",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/portals.md",
+      "redirect_url": "/unified-secops-platform/overview-plan#understand-microsoft-security-portals-and-admin-centers",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/microsoft-sentinel-onboard.md",
+      "redirect_url": "/unified-secops-platform/microsoft-sentinel-onboard",
+      "redirect_document_id": false
     }
   ]
-}
+}

ATADocs/docfx.json

@@ -48,7 +48,13 @@
       "uhfHeaderId": "MSDocsHeader-M365-IT",
       "searchScope": ["ATA"],
       "contributors_to_exclude": [
-        "beccarobins"
+        "beccarobins",
+        "rjagiewich",
+        "claydetels19",
+        "garycentric",
+        "padmagit77",
+        "aditisrivastava07",
+        "Ruchika-mittal01"
       ]
     },
     "markdownEngineName": "markdig"

ATADocs/media/ATA-windows-event-forwarding.jpg

@@ -55,9 +55,6 @@ Configure the SQL server to allow the Directory Service Account with the followi
 - *read*
 - *select*
 
-> [!NOTE]
-> If the AD FS database runs on a dedicated SQL server instead of the local AD FS server, and you're using a group Managed Service Account (gMSA) as the Directory Service Account, make sure that you grant the SQL server the [required permissions](create-directory-service-account-gmsa.md#prerequisites-grant-permissions-to-retrieve-the-gmsa-accounts-password) to retrieve the gMSA's password.
-
 ### Grant access to the AD FS database
 
 Grant access to the AD FS database by using SQL Server Management Studio, Transact-SQL (T-SQL), or PowerShell.

ATPDocs/deploy/active-directory-federation-services.md

@@ -50,9 +50,8 @@ Use the following steps to prepare for deploying Defender for Identity:
 1. [Plan your Defender for Identity capacity](capacity-planning.md).
 
 > [!TIP]
-> We recommend running the [*Test-MdiReadiness.ps1*](https://github.com/microsoft/Microsoft-Defender-for-Identity/tree/main/Test-MdiReadiness) script to test and see if your environment has the necessary prerequisites.
->
-> The link to the *Test-MdiReadiness.ps1* script is also available from Microsoft Defender XDR, on the **Identities > Tools** page (Preview).
+> We recommend running the [*Test-MdiReadiness.ps1*](https://github.com/microsoft/Microsoft-Defender-for-Identity/tree/main/Test-MdiReadiness) script to test and see if the servers in your environment have the necessary prerequisites.
+> You can use the [DefenderForIdentity PowerShell module](https://www.powershellgallery.com/packages/DefenderForIdentity/) to add the required auditing and configure the necessary settings.
 
 ## Deploy Defender for Identity
 
@@ -71,12 +70,12 @@ The following procedures help you complete the deployment process:
 
 - [**Enable and configure unified role-based access control (RBAC)**](../role-groups.md) for Defender for Identity.
 
-- [**Configure a Directory Service account (DSA) for use with Defender for Identity**](directory-service-accounts.md). While a DSA is optional in some scenarios, we recommend that you configure a DSA for Defender for Identity for full security coverage. For example, when you have a DSA configured, the DSA is used to connect to the domain controller at startup. A DSA can also be used to query the domain controller for data on entities seen in network traffic, monitored events, and monitored ETW activities
+- [**Configure a Directory Service account (DSA) for use with Defender for Identity**](directory-service-accounts.md). While a DSA is optional in some scenarios, we recommend that you configure a DSA for Defender for Identity for full security coverage. For example, when you have a DSA configured, the DSA is used to connect to the domain controller at startup. A DSA can also be used to query the domain controller for data on entities seen in network traffic, monitored events, and monitored ETW activities.
 
 - [**Configure remote calls to SAM**](remote-calls-sam.md) as needed. While this step is optional, we recommend that you configure remote calls to SAM-R for lateral movement path detection with Defender for Identity.
 
 > [!TIP]
-> By default, Defender for Identity sensors query the directory using LDAP on ports 389 and 3268. To switch to LDAPS on ports 636 and 3269, please open a support case. For more information, see [Microsoft Defender for Identity support](../support.md).
+> By default, Defender for Identity sensors query the directory using LDAP on ports 389 and 3268. To switch to LDAPS on ports 636 and 3269, open a support case. For more information, see [Microsoft Defender for Identity support](../support.md).
 >
 
 > [!IMPORTANT]

ATPDocs/deploy/deploy-defender-identity.md

@@ -14,18 +14,20 @@ In the case of a valid threat, or **true positive**, Defender for Identity enabl
 The information monitored by Defender for Identity is presented in the form of activities. Defender for Identity currently supports monitoring of the following activity types:
 
 > [!NOTE]
->
 > - This article is relevant for all Defender for Identity sensor types.
 > - Defender for Identity monitored activities appear on both the user and machine profile page.
-> - Defender for Identity monitored activities are also available in Microsoft Defender XDR's [Advanced Hunting](https://security.microsoft.com/advanced-hunting) page.
+> - Defender for Identity monitored activities are also available in [Microsoft Defender XDR's Advanced Hunting](/defender-xdr/advanced-hunting-overview) page.
+
+> [!TIP]
+> For detailed information on all supported event types (`ActionType` values) in Advanced Hunting Identity-related tables, use the built-in schema reference available in Microsoft Defender XDR.
 
 ## Monitored user activities: User account AD attribute changes
 
 |Monitored activity|Description|
 |---------------------|------------------|
 |Account Constrained Delegation State Changed|The account state is now enabled or disabled for delegation.|
 |Account Constrained Delegation SPNs Changed|Constrained delegation restricts the services to which the specified server can act on behalf of the user.|
-|Account Delegation Changed | Changes to the account delegation settings |
+|Account Delegation Changed | Changes to the account delegation settings. |
 |Account Disabled Changed|Indicates whether an account is disabled or enabled.|
 |Account Expired|Date when the account expires.|
 |Account Expiry Time Changed|Change to the date when the account expires.|
@@ -35,9 +37,9 @@ The information monitored by Defender for Identity is presented in the form of a
 |Account Password Never Expires Changed|User's password changed to never expire.|
 |Account Password Not Required Changed|User account was changed to allow logging in with a blank password.|
 |Account Smartcard Required Changed|Account changes to require users to log on to a device using a smart card.|
-|Account Supported Encryption Types Changed|Kerberos supported encryption types were changed (types: Des, AES 129, AES 256)|
-|Account Unlock changed | Changes to the account unlock settings |
-|Account UPN Name Changed|User's principle name was changed.|
+|Account Supported Encryption Types Changed|Kerberos supported encryption types were changed (types: Des, AES 129, AES 256).|
+|Account Unlock changed | Changes to the account unlock settings. |
+|Account UPN Name Changed|User's principal name was changed.|
 |Group Membership Changed|User was added/removed, to/from a group, by another user or by themselves.|
 |User Mail Changed|Users email attribute was changed.|
 |User Manager Changed|User's manager attribute was changed.|
@@ -48,8 +50,8 @@ The information monitored by Defender for Identity is presented in the form of a
 
 |Monitored activity|Description|
 |---------------------|------------------|
-|User Account Created|User account was created|  
-|Computer Account Created|Computer account was created|
+|User Account Created|User account was created.|  
+|Computer Account Created|Computer account was created.|
 |Security Principal Deleted Changed|Account was deleted/restored (both user and computer).|
 |Security Principal Display Name Changed|Account display name was changed from X to Y.|
 |Security Principal Name Changed|Account name attribute was changed.|
@@ -69,7 +71,7 @@ The information monitored by Defender for Identity is presented in the form of a
 |Private Data Retrieval|User attempted/succeeded to query private data using LSARPC protocol.|
 |Service Creation|User attempted to remotely create a specific service to a remote machine.|
 |SMB Session Enumeration|User attempted to enumerate all users with open SMB sessions on the domain controllers.|
-|SMB file copy|User copied files using SMB|
+|SMB file copy|User copied files using SMB.|
 |SAMR Query|User performed a SAMR query.|
 |Task Scheduling|User tried to remotely schedule X task to a remote machine.|
 |Wmi Execution|User attempted to remotely execute a WMI method.|
@@ -83,7 +85,7 @@ For more information, see [Supported logon types](/microsoft-365/security/defend
 |Monitored activity|Description|
 |---------------------|------------------|
 |Computer Operating System Changed|Change to the computer OS.|
-|SID-History changed | Changes to the computer SID history |
+|SID-History changed | Changes to the computer SID history. |
 
 ## See Also
 

ATPDocs/monitored-activities.md

@@ -22,14 +22,14 @@ For more information see: [Microsoft Defender for Identity monitored activities]
 
 Defender for Identity operates in the Microsoft Azure data centers in the following locations:
 
-- European Union
-- United Kingdom
-- United States
-- Australia
-- Switzerland
-- Singapore
-
-- India
+- Asia (Southeast Asia)
+- Australia (Australia East, Australia Southeast)
+- Europe (West Europe, North Europe)
+- India (Central India, South India)
+- North America (East US, West US, West US2)
+- Switzerland (Switzerland North, Switzerland West)
+- United Kingdom (UK South)
+
 
 Customer data collected by the service might be stored as follows:
 

ATPDocs/privacy-compliance.md

@@ -1,5 +1,4 @@
 ---
-
 title: Microsoft LAPS usage assessment
 description: This article provides an overview of Microsoft Defender for Identity's Microsoft LAPS usage identity security posture assessment report.
 ms.date: 01/29/2023
@@ -12,9 +11,9 @@ ms.topic: how-to
 
 Microsoft's "Local Administrator Password Solution" (LAPS) provides management of local administrator account passwords for domain-joined computers. Passwords are randomized and stored in Active Directory (AD), protected by ACLs, so only eligible users can read it or request its reset.
 
-This security assessment supports [legacy Microsoft LAPS](https://www.microsoft.com/en-us/download/details.aspx?id=46899) only.
+This security assessment supports [legacy Microsoft LAPS](https://www.microsoft.com/en-us/download/details.aspx?id=46899) and [Windows LAPS](/windows-server/identity/laps/laps-overview).
 
-## What risk does not implementing LAPS pose to an organization?
+## What risk does not implement LAPS pose to an organization?
 
 LAPS provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, rotated random password for the common local administrator account on every computer in the domain.
 
@@ -24,24 +23,20 @@ LAPS simplifies password management while helping customers implement more recom
 
 1. Review the recommended action at <https://security.microsoft.com/securescore?viewid=actions> to discover which of your domains have some (or all) compatible Windows devices that aren't protected by LAPS, or that haven't had their LAPS managed password changed in the last 60 days.
 
-    ![See which domains have devices unprotected by LAPS.](media/cas-isp-laps-1.png)
-
+   [![Screenshot that shows which domains have devices unprotected by LAPS.](media/cas-isp-laps-1.png)](media/cas-isp-laps-1.png#lightbox)
+   
 1. For domains that are partially protected, select the relevant row to view the list of devices not protected by LAPS in that domain.
 
     ![Select domain with devices unprotected by LAPS.](media/cas-isp-laps-2.png)
-
-    > [!NOTE]
-    > If the entire domain is not protected with LAPS, you won't see the list of all the unprotected devices.
-
-1. Take appropriate action on those devices by downloading, installing and configuring or troubleshooting [Microsoft LAPS](https://go.microsoft.com/fwlink/?linkid=2104282) using the documentation provided in the download.
+   
+1. Take appropriate action on those devices by downloading, installing, and configuring or troubleshooting [Microsoft LAPS](https://go.microsoft.com/fwlink/?linkid=2104282) or [Windows LAPS](/windows-server/identity/laps/laps-overview). 
 
     ![Remediate devices unprotected by LAPS.](media/laps-unprotected-devices.png)
 
 > [!NOTE]
-> While assessments are updated in near real time, scores and statuses are updated every 24 hours.  While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**.
-> 
+> While assessments are updated in near real time, scores and statuses are updated every 24 hours.  While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it will be marked as **Completed**.
 
 ## See also
 
 - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
-- [Check out the Defender for Identity forum!](<https://aka.ms/MDIcommunity>)
+

ATPDocs/security-assessment-laps.md

@@ -22,6 +22,38 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
+## February 2025
+
+### New attack paths tab on the Identity profile page
+
+This tab provides visibility into potential attack paths leading to a critical identity or involving it within the path, helping assess security risks. For more information, see [Overview of attack path within Exposure Management.](/security-exposure-management/work-attack-paths-overview) 
+
+Additional identity page enhancements:
+
+- New side panel with more information for each entry on the user timeline.
+
+- Filtering capabilities on the Devices tab under Observed in organization.
+
+### Updating 'Protect and manage local admin passwords with Microsoft LAPS' posture recommendation
+
+This update aligns the security posture assessment within Secure Score with the latest version of [Windows LAPS](/windows-server/identity/laps/laps-overview), ensuring it reflects current security best practices for managing local administrator passwords.
+
+### New and updated events in the Advanced hunting IdentityDirectoryEvents table
+
+We have added and updated the following events in the `IdentityDirectoryEvents` table in Advanced Hunting:
+
+- User Account control flag has been changed
+
+- Security group creation in Active directory
+
+- Failed attempt to change an account password
+
+- Successful account password change
+
+- Account primary group ID has been changed
+
+Additionally, the **built-in schema reference** for Advanced Hunting in Microsoft Defender XDR has been updated to include detailed information on all supported event types (**`ActionType`** values) in identity-related tables, ensuring complete visibility into available events. For more information, see [Advanced hunting schema details](/defender-xdr/advanced-hunting-schema-tables).
+
 ## December 2024
 
 ### New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
@@ -443,7 +475,7 @@ This version includes the following improvements:
 
     For more information, see [Download and schedule Defender for Identity reports in Microsoft Defender XDR (Preview)](reports.md).
 
-- **Health issues**: Added the *The 'Remove learning period' toggle was automatically switched off for this tenant* health issue
+- **Health issues**: The 'Remove learning period' toggle was automatically switched off for this tenant* health issue.
 
 This version also includes bug fixes for cloud services and the Defender for Identity sensor.