Merge branch 'main' into docs-editor/linux-whatsnew-1738652001

Author: denisebmsft

.openpublishing.redirection.defender-endpoint.json

@@ -79,6 +79,11 @@
       "source_path": "defender-endpoint/pilot-deploy-defender-endpoint.md",
       "redirect_url": "/defender-xdr/pilot-deploy-defender-endpoint",
       "redirect_document_id": false
-    }
+    },
+    {
+      "source_path": "defender-endpoint/monthly-security-summary-report.md",
+      "redirect_url": "/defender-endpoint/threat-protection-reports#monthly-security-summary",
+      "redirect_document_id": true
+    }    
   ]
 }

.openpublishing.redirection.defender-xdr.json

@@ -131,6 +131,11 @@
       "redirect_url": "/defender-xdr/entity-page-device",
       "redirect_document_id": true
     },
+    {
+      "source_path": "defender-xdr/unlink-alert-from-incident.md",
+      "redirect_url": "/defender-xdr/move-alert-to-another-incident",
+      "redirect_document_id": true
+    },
     {
       "source_path": "defender-xdr/unified-secops-platform/defender-xdr-portal.md",
       "redirect_url": "/defender-xdr/",

ATPDocs/monitored-activities.md

@@ -14,18 +14,20 @@ In the case of a valid threat, or **true positive**, Defender for Identity enabl
 The information monitored by Defender for Identity is presented in the form of activities. Defender for Identity currently supports monitoring of the following activity types:
 
 > [!NOTE]
->
 > - This article is relevant for all Defender for Identity sensor types.
 > - Defender for Identity monitored activities appear on both the user and machine profile page.
-> - Defender for Identity monitored activities are also available in Microsoft Defender XDR's [Advanced Hunting](https://security.microsoft.com/advanced-hunting) page.
+> - Defender for Identity monitored activities are also available in [Microsoft Defender XDR's Advanced Hunting](/defender-xdr/advanced-hunting-overview) page.
+
+> [!TIP]
+> For detailed information on all supported event types (`ActionType` values) in Advanced Hunting Identity-related tables, use the built-in schema reference available in Microsoft Defender XDR.
 
 ## Monitored user activities: User account AD attribute changes
 
 |Monitored activity|Description|
 |---------------------|------------------|
 |Account Constrained Delegation State Changed|The account state is now enabled or disabled for delegation.|
 |Account Constrained Delegation SPNs Changed|Constrained delegation restricts the services to which the specified server can act on behalf of the user.|
-|Account Delegation Changed | Changes to the account delegation settings |
+|Account Delegation Changed | Changes to the account delegation settings. |
 |Account Disabled Changed|Indicates whether an account is disabled or enabled.|
 |Account Expired|Date when the account expires.|
 |Account Expiry Time Changed|Change to the date when the account expires.|
@@ -35,9 +37,9 @@ The information monitored by Defender for Identity is presented in the form of a
 |Account Password Never Expires Changed|User's password changed to never expire.|
 |Account Password Not Required Changed|User account was changed to allow logging in with a blank password.|
 |Account Smartcard Required Changed|Account changes to require users to log on to a device using a smart card.|
-|Account Supported Encryption Types Changed|Kerberos supported encryption types were changed (types: Des, AES 129, AES 256)|
-|Account Unlock changed | Changes to the account unlock settings |
-|Account UPN Name Changed|User's principle name was changed.|
+|Account Supported Encryption Types Changed|Kerberos supported encryption types were changed (types: Des, AES 129, AES 256).|
+|Account Unlock changed | Changes to the account unlock settings. |
+|Account UPN Name Changed|User's principal name was changed.|
 |Group Membership Changed|User was added/removed, to/from a group, by another user or by themselves.|
 |User Mail Changed|Users email attribute was changed.|
 |User Manager Changed|User's manager attribute was changed.|
@@ -48,8 +50,8 @@ The information monitored by Defender for Identity is presented in the form of a
 
 |Monitored activity|Description|
 |---------------------|------------------|
-|User Account Created|User account was created|  
-|Computer Account Created|Computer account was created|
+|User Account Created|User account was created.|  
+|Computer Account Created|Computer account was created.|
 |Security Principal Deleted Changed|Account was deleted/restored (both user and computer).|
 |Security Principal Display Name Changed|Account display name was changed from X to Y.|
 |Security Principal Name Changed|Account name attribute was changed.|
@@ -69,7 +71,7 @@ The information monitored by Defender for Identity is presented in the form of a
 |Private Data Retrieval|User attempted/succeeded to query private data using LSARPC protocol.|
 |Service Creation|User attempted to remotely create a specific service to a remote machine.|
 |SMB Session Enumeration|User attempted to enumerate all users with open SMB sessions on the domain controllers.|
-|SMB file copy|User copied files using SMB|
+|SMB file copy|User copied files using SMB.|
 |SAMR Query|User performed a SAMR query.|
 |Task Scheduling|User tried to remotely schedule X task to a remote machine.|
 |Wmi Execution|User attempted to remotely execute a WMI method.|
@@ -83,7 +85,7 @@ For more information, see [Supported logon types](/microsoft-365/security/defend
 |Monitored activity|Description|
 |---------------------|------------------|
 |Computer Operating System Changed|Change to the computer OS.|
-|SID-History changed | Changes to the computer SID history |
+|SID-History changed | Changes to the computer SID history. |
 
 ## See Also
 

ATPDocs/security-assessment-laps.md

@@ -1,5 +1,4 @@
 ---
-
 title: Microsoft LAPS usage assessment
 description: This article provides an overview of Microsoft Defender for Identity's Microsoft LAPS usage identity security posture assessment report.
 ms.date: 01/29/2023
@@ -12,9 +11,9 @@ ms.topic: how-to
 
 Microsoft's "Local Administrator Password Solution" (LAPS) provides management of local administrator account passwords for domain-joined computers. Passwords are randomized and stored in Active Directory (AD), protected by ACLs, so only eligible users can read it or request its reset.
 
-This security assessment supports [legacy Microsoft LAPS](https://www.microsoft.com/en-us/download/details.aspx?id=46899) only.
+This security assessment supports [legacy Microsoft LAPS](https://www.microsoft.com/en-us/download/details.aspx?id=46899) and [Windows LAPS](/windows-server/identity/laps/laps-overview).
 
-## What risk does not implementing LAPS pose to an organization?
+## What risk does not implement LAPS pose to an organization?
 
 LAPS provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, rotated random password for the common local administrator account on every computer in the domain.
 
@@ -24,24 +23,20 @@ LAPS simplifies password management while helping customers implement more recom
 
 1. Review the recommended action at <https://security.microsoft.com/securescore?viewid=actions> to discover which of your domains have some (or all) compatible Windows devices that aren't protected by LAPS, or that haven't had their LAPS managed password changed in the last 60 days.
 
-    ![See which domains have devices unprotected by LAPS.](media/cas-isp-laps-1.png)
-
+   [![Screenshot that shows which domains have devices unprotected by LAPS.](media/cas-isp-laps-1.png)](media/cas-isp-laps-1.png#lightbox)
+   
 1. For domains that are partially protected, select the relevant row to view the list of devices not protected by LAPS in that domain.
 
     ![Select domain with devices unprotected by LAPS.](media/cas-isp-laps-2.png)
-
-    > [!NOTE]
-    > If the entire domain is not protected with LAPS, you won't see the list of all the unprotected devices.
-
-1. Take appropriate action on those devices by downloading, installing and configuring or troubleshooting [Microsoft LAPS](https://go.microsoft.com/fwlink/?linkid=2104282) using the documentation provided in the download.
+   
+1. Take appropriate action on those devices by downloading, installing, and configuring or troubleshooting [Microsoft LAPS](https://go.microsoft.com/fwlink/?linkid=2104282) or [Windows LAPS](/windows-server/identity/laps/laps-overview). 
 
     ![Remediate devices unprotected by LAPS.](media/laps-unprotected-devices.png)
 
 > [!NOTE]
-> While assessments are updated in near real time, scores and statuses are updated every 24 hours.  While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**.
-> 
+> While assessments are updated in near real time, scores and statuses are updated every 24 hours.  While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it will be marked as **Completed**.
 
 ## See also
 
 - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
-- [Check out the Defender for Identity forum!](<https://aka.ms/MDIcommunity>)
+

ATPDocs/whats-new.md

@@ -22,6 +22,38 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
+## February 2025
+
+### New attack paths tab on the Identity profile page
+
+This tab provides visibility into potential attack paths leading to a critical identity or involving it within the path, helping assess security risks. For more information, see [Overview of attack path within Exposure Management.](/security-exposure-management/work-attack-paths-overview) 
+
+Additional identity page enhancements:
+
+- New side panel with more information for each entry on the user timeline.
+
+- Filtering capabilities on the Devices tab under Observed in organization.
+
+### Updating 'Protect and manage local admin passwords with Microsoft LAPS' posture recommendation
+
+This update aligns the security posture assessment within Secure Score with the latest version of [Windows LAPS](/windows-server/identity/laps/laps-overview), ensuring it reflects current security best practices for managing local administrator passwords.
+
+### New and updated events in the Advanced hunting IdentityDirectoryEvents table
+
+We have added and updated the following events in the `IdentityDirectoryEvents` table in Advanced Hunting:
+
+- User Account control flag has been changed
+
+- Security group creation in Active directory
+
+- Failed attempt to change an account password
+
+- Successful account password change
+
+- Account primary group ID has been changed
+
+Additionally, the **built-in schema reference** for Advanced Hunting in Microsoft Defender XDR has been updated to include detailed information on all supported event types (**`ActionType`** values) in identity-related tables, ensuring complete visibility into available events. For more information, see [Advanced hunting schema details](/defender-xdr/advanced-hunting-schema-tables).
+
 ## December 2024
 
 ### New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
@@ -443,7 +475,7 @@ This version includes the following improvements:
 
     For more information, see [Download and schedule Defender for Identity reports in Microsoft Defender XDR (Preview)](reports.md).
 
-- **Health issues**: Added the *The 'Remove learning period' toggle was automatically switched off for this tenant* health issue
+- **Health issues**: The 'Remove learning period' toggle was automatically switched off for this tenant* health issue.
 
 This version also includes bug fixes for cloud services and the Defender for Identity sensor.
 

CloudAppSecurityDocs/governance-actions.md

@@ -34,11 +34,11 @@ The following governance actions can be taken for connected apps either on a spe
     - **Apply label** - Ability to add a Microsoft Purview Information Protection sensitivity label.
     - **Remove label** - Ability to remove a Microsoft Purview Information Protection sensitivity label.
   - **Change sharing**
-
+  
     - **Remove public sharing** – Allow access only to named collaborators, for example: *Remove public access* for Google Workspace, and *Remove direct shared link* for Box and Dropbox.
 
-    - **Remove external users** – Allow access only to company users.
-
+    - **Remove external users** – Allow access only to company users. When a group, containing both internal and external members, is added as a collaborator, the action removes members at the group level instead of individually. 
+        
     - **Make private** – Only Site Admins can access the file, all shares are removed.
 
     - **Remove a collaborator** – Remove a specific collaborator from the file.
@@ -60,7 +60,7 @@ The following governance actions can be taken for connected apps either on a spe
   - **Trash** – Move the file to the trash folder. (Box, Dropbox, Google Drive, OneDrive, SharePoint, Cisco Webex)
 
    ![policy_create alerts.](media/policy_create-alerts.png)
-
+  
 ## Malware governance actions (Preview)
 
 The following governance actions can be taken for connected apps either on a specific file, user or from a specific policy. For security reasons, this list is limited only to malware related actions that don't imply risk for the user or the tenant.
@@ -104,7 +104,7 @@ The following governance actions can be taken for connected apps either on a spe
 
 - **Governance actions in apps** - Granular actions can be enforced per app, specific actions vary depending on app terminology.
 
-  - **Suspend user** – Suspend the user from the application.
+- **Suspend user** – Suspend the user from the application.
     > [!NOTE]
     > If your Microsoft Entra ID is set to automatically sync with the users in your Active Directory on-premises environment the settings in the on-premises environment will override the Microsoft Entra settings and this governance action will be reverted.
 
@@ -113,7 +113,7 @@ The following governance actions can be taken for connected apps either on a spe
   - **Confirm user compromised** - Set the user's risk level to high. This causes the relevant policy actions defined in Microsoft Entra ID to be enforced. For more information How Microsoft Entra ID works with risk levels, see [How does Microsoft Entra ID use my risk feedback](/azure/active-directory/identity-protection/howto-identity-protection-risk-feedback#how-does-azure-ad-use-my-risk-feedback).
 
   ![Defender for Cloud Apps activity policy governance actions.](media/activity-policy-ref6.png)
-
+  
 ## Revoke an OAuth app and notify user
 
 For Google Workspace and Salesforce, it's possible to revoke permission to an OAuth app or to notify the user that they should change the permission. When you revoke permission it removes all permissions that were granted to the application under "Enterprise Applications" in Microsoft Entra ID.