Merge branch 'main' into docs-editor/enable-attack-surface-reductio-1748222591

Author: padmagit77

ATPDocs/whats-new-archive.md

@@ -904,7 +904,7 @@ We are expanding our sensitivity definition for on-premises accounts to include
 
 Released June 14, 2020
 
-- **Feature enhancement: Additional activity details available in the unified SecOps experience**  
+- **Feature enhancement: Additional activity details available**  
 We've extended the device information we send to Defender for Cloud Apps including device names, IP addresses, account UPNs and used port. For more information about our integration with Defender for Cloud Apps, see [Using Azure ATP with Defender for Cloud Apps](/defender-for-identity/deploy-defender-identity).
 
 - Version includes improvements and bug fixes for internal sensor infrastructure.

CloudAppSecurityDocs/release-notes.md

@@ -29,6 +29,14 @@ For news about earlier releases, see [Archive of past updates for Microsoft Defe
 
 ## May 2025 
 
+
+### New Applications inventory page now available in Defender XDR
+
+The new Applications page in Microsoft Defender XDR provides a unified inventory of all SaaS and connected OAuth applications across your environment. This view helps streamline application discovery, monitoring, and risk assessment.
+
+For more information, see [Application inventory overview](applications-inventory.md).
+
+
 ### Changes to Microsoft Defender for Cloud Apps SIEM agent availability
 
 As part of our ongoing convergence process across Microsoft Defender workloads, [Microsoft Defender for Cloud Apps SIEM agents](siem.md) will be deprecated starting November 2025.
@@ -41,6 +49,7 @@ To ensure continuity and access to data currently available through Microsoft De
 
 For detailed guidance see: [Migrate from Defender for Cloud Apps SIEM agent to supported APIs](migrate-to-supported-api-solutions.md)
 
+
 ### New and improved Cloud App Catalog page
 
 The Cloud app catalog page has been revamped to meet security standards. The new design includes improved navigation, making it easier for you to discover and manage your cloud applications.
@@ -100,7 +109,7 @@ For more information, see:
 
  The new *Permissions filter and export capabilities allow you to quickly identify apps with specific permissions to access Microsoft 365.
 
- You can now get granular insights into data accessed by apps using legacy EWS API alongside Microsoft Graph. The enhanced coverage of data usage insights enable you to get deeper visibility into apps accessing emails using legacy EWS API.
+ You can now get granular insights into data accessed by apps using legacy EWS API alongside Microsoft Graph. The enhanced coverage of data usage insights enables you to get deeper visibility into apps accessing emails using legacy EWS API.
 
  We're also expanding the coverage of privilege level feature for all popular Microsoft first-party API permissions. The enhanced coverage of privilege level classification enables you to view and monitor apps with powerful permissions into legacy and other non-Graph APIs that have access to Microsoft 365.
 
@@ -157,7 +166,7 @@ For more information, see:
 
 The Enterprise application 'Microsoft Defender for Cloud Apps – Session Controls' is used internally by the Conditional Access App Control service.  
 Ensure there's no CA policy restricting access to this application.
-For policies that restrict all or certain applications, please ensure this application is listed as an exception or confirm that the blocking policy is deliberate.  
+For policies that restrict all or certain applications, ensure this application is listed as an exception or confirm that the blocking policy is deliberate.  
 
 For more information, see [Sample: Create Microsoft Entra ID Conditional Access policies for use with Defender for Cloud Apps](session-policy-aad.md#sample-create-microsoft-entra-id-conditional-access-policies-for-use-with-defender-for-cloud-apps).
 
@@ -173,7 +182,7 @@ For more information, see:
 ### SaaS Security initiative in Exposure Management
 
 [Microsoft Security Exposure Management](/security-exposure-management/) offers a focused, metric-driven way of tracking exposure in specific security areas using security [initiatives](/security-exposure-management/initiatives). The "SaaS security initiative" provides a centralized location for all best practices related to SaaS security, categorized into 12 measurable metrics. These metrics are designed to assist in effectively managing and prioritizing the large number of security recommendations.
-This capability is General Availability (Worldwide) - Note Microsoft Security Exposure Management data and capabilities are currently unavailable in U.S Government clouds - GCC, GCC High and DoD
+This capability is General Availability (Worldwide) - Note Microsoft Security Exposure Management data and capabilities are currently unavailable in U.S Government clouds - GCC, GCC High, and DoD
 
 For more information, see [SaaS security initiative](saas-security-initiative.md).
 
@@ -191,13 +200,13 @@ For more information, see [filters on app governance](/defender-cloud-apps/app-g
 
 ### Visibility into privilege level for popular Microsoft first-party APIs (Preview)
 
-Defender for Cloud Apps users who use app governance can now gain visibility into privilege level for all popular Microsoft first-party API permissions. The enhanced coverage of privilege level classification will enable you to view and monitor apps with powerful permissions into legacy and other non-Graph APIs that have access to Microsoft 365. 
+Defender for Cloud Apps users who use app governance can now gain visibility into privilege level for all popular Microsoft first-party API permissions. The enhanced coverage of privilege level classification enables you to view and monitor apps with powerful permissions into legacy and other non-Graph APIs that have access to Microsoft 365. 
 
 For more information, see [OAuth app permission related details on app governance](/defender-cloud-apps/app-governance-visibility-insights-view-apps#getting-detailed-information-on-an-app).
 
 ### Granular data usage insights into EWS API access (Preview)
 
-Defender for Cloud Apps users who use app governance can now get granular insights into data accessed by apps using legacy EWS API alongside Microsoft Graph. The enhanced coverage of data usage insights will enable you to get deeper visibility into apps accessing emails using legacy EWS API.
+Defender for Cloud Apps users who use app governance can now get granular insights into data accessed by apps using legacy EWS API alongside Microsoft Graph. The enhanced coverage of data usage insights enable you to get deeper visibility into apps accessing emails using legacy EWS API.
 
 For more information, see [OAuth app data usage insights on app governance](/defender-cloud-apps/app-governance-visibility-insights-view-apps#getting-detailed-information-on-an-app).
 
@@ -206,7 +215,7 @@ For more information, see [OAuth app data usage insights on app governance](/def
 ### New anomaly data in advanced hunting CloudAppEvents table
 
 Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal, can now utilize the new *LastSeenForUser* and *UncommonForUser* columns for queries and detections rules.  
-The new columns are designed to assist you to better __identify uncommon activities__ that may appear suspicious, and allow you to create more accurate custom detections, as well as investigate any suspicious activities that arise.
+The new columns are designed to assist you to better __identify uncommon activities__ that might appear suspicious, and allow you to create more accurate custom detections, and investigate any suspicious activities that arise.
 
 For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
 
@@ -227,13 +236,13 @@ For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/micro
 
 ## September 2024
 
-### Enforce Edge in-browser when accessing business apps
+### Enforce Microsoft Edge in-browser when accessing business apps
 
-Administrators who understand the power of Edge in-browser protection, can now require their users to use Edge when accessing corporate resources. 
+Administrators who understand the power of Microsoft Edge in-browser protection, can now require their users to use Microsoft Edge when accessing corporate resources. 
 
-A primary reason is security, since the barrier to circumventing session controls using Edge is much higher than with reverse proxy technology.
+A primary reason is security, since the barrier to circumventing session controls using Microsoft Edge is higher than with reverse proxy technology.
 
-For more information, see [Enforce Edge in-browser protection when accessing business apps](in-browser-protection.md#enforce-microsoft-edge-browser-protection-when-accessing-business-apps).
+For more information, see [Enforce Microsoft Edge in-browser protection when accessing business apps](in-browser-protection.md#enforce-microsoft-edge-browser-protection-when-accessing-business-apps).
 
 ### Connect Mural to Defender for Cloud Apps (Preview)
 
@@ -248,13 +257,13 @@ For more information, see:
 
 ### Removing the ability to email end users about blocked actions
 
-Effective October 1st, 2024, we will discontinue the feature that notifies end users via email when their action is blocked by session policies.
+Effective October 1, 2024, we'll discontinue the feature that notifies end users via email when their action is blocked by session policies.
 
 This option ensures that if a user's action is blocked, they get both a browser message and an email notification.
 
 Admins can no longer configure this setting when creating new session policies.
 
-Existing session policies with this setting will not trigger email notifications to end users when a block action occurs.
+Existing session policies with this setting won't trigger email notifications to end users when a block action occurs.
 
 End users will continue to receive the block message directly through the browser and will stop receiving block notification via email.
 
@@ -293,7 +302,7 @@ For more information, see [Configure custom URL for MDA block pages](mde-govern.
 
 ### In-browser protection for macOS users and newly supported policies (Preview)
 
-Edge browser users from macOS who are scoped to session policies are now protected with in-browser protection.
+Microsoft Edge browser users from macOS who are scoped to session policies are now protected with in-browser protection.
 
 The following session policies are now supported:
 
@@ -304,7 +313,7 @@ The following session policies are now supported:
 
 See [In-browser protection](in-browser-protection.md).
 
-  In-browser protection is supported with the last 2 stable versions of Edge (for example, if the newest Edge is 126, in-browser protection works for v126 and v125). 
+  In-browser protection is supported with the last two stable versions of Microsoft Edge (for example, if the newest Microsoft Edge is 126, in-browser protection works for v126 and v125). 
 
 See [Microsoft Edge releases](/deployedge/microsoft-edge-release-schedule#microsoft-edge-releases).
 

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -131,7 +131,7 @@ The following table lists the supported operating systems for rules that are cur
 | [Block rebooting machine in Safe Mode](#block-rebooting-machine-in-safe-mode)| Y | Y | Y |
 | [Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | Y | Y | Y |
 | [Block use of copied or impersonated system tools](#block-use-of-copied-or-impersonated-system-tools)| Y | Y | Y |
-| [Block Webshell creation for Servers](#block-webshell-creation-for-servers)  | N | Y <br>Exchange role only  | Y <br>Exchange role only |
+| [Block Webshell creation for Servers](#block-webshell-creation-for-servers)| N | Y <br>Exchange role only|Y on Windows Server 2016  <br>     Exchange role only <br>N on Windows Server 2012 R2 |
 | [Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | Y | N  |  N |
 | [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | Y <br> version 1803 or later | Y | Y |
 

defender-xdr/advanced-hunting-oauthappinfo-table.md

@@ -37,9 +37,9 @@ The `OAuthAppInfo` table might not include all the app or service principal-rela
 
 ## Prerequisites
 
-This advanced hunting table is populated by app governance records from Microsoft Defender for Cloud Apps. To turn on app governance, follow the steps in [Turn on app governance](/defender-cloud-apps/app-governance-get-started).
+This advanced hunting table is populated by app governance records from Microsoft Defender for Cloud Apps. 
 
-If your organization hasn’t deployed Microsoft Defender for Cloud Apps in Microsoft Defender XDR nor turned on app governance, you can't view the `OAuthAppInfo` table in advanced hunting.
+You need to turn on app governance to view the `OAuthAppInfo` table in advanced hunting. To turn on app governance, follow the steps in [Turn on app governance](/defender-cloud-apps/app-governance-get-started).
 
 
 ## Schema

defender-xdr/data-privacy.md

@@ -56,7 +56,7 @@ Customer data stored by integrated services might also be stored in the followin
 
 Microsoft Defender XDR data is retained for 180 days, and is visible across the Microsoft Defender portal during that time, except for in **Advanced hunting** queries. 
 
-In the Microsoft Defender portal's **Advanced hunting** page, data is accessible via queries for only 30 days, unless it's streamed through [Microsoft Sentinel with Microsoft's unified security operations platform](/azure/sentinel/microsoft-365-defender-sentinel-integration?toc=%2Fdefender-xdr%2Ftoc.json&bc=%2Fdefender-xdr%2Fbreadcrumb%2Ftoc.json&tabs=defender-portal), where retention periods may be longer.
+In the Microsoft Defender portal's **Advanced hunting** page, data is accessible via queries for only 30 days, unless it's streamed through [Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration?toc=%2Fdefender-xdr%2Ftoc.json&bc=%2Fdefender-xdr%2Fbreadcrumb%2Ftoc.json&tabs=defender-portal), where retention periods may be longer.
 
 Data continues to be retained and visible, even when a license is under a grace period or in suspended mode. At the end of any grace period or suspension, and no later than 180 days from a contract termination or expiration, data is deleted from Microsoft's systems and is unrecoverable.
 

defender-xdr/incidents-overview.md

@@ -27,7 +27,7 @@ appliesto:
 
 # Incidents and alerts in the Microsoft Defender portal
 
-Microsoft's unified SecOps platform in the Microsoft Defender portal brings together a unified set of security services to reduce your exposure to security threats, improve your organizational security posture, detect security threats, and investigate and respond to breaches. These services collect and produce signals that are displayed in the portal. The two main kinds of signals are:
+The Microsoft Defender portal brings together a unified set of security services to reduce your exposure to security threats, improve your organizational security posture, detect security threats, and investigate and respond to breaches. These services collect and produce signals that are displayed in the portal. The two main kinds of signals are:
 
 **Alerts**: Signals that result from various threat detection activities. These signals indicate the occurrence of malicious or suspicious events in your environment.
 

defender-xdr/index.yml

@@ -65,19 +65,19 @@ landingContent:
           url: deploy-configure-m365-defender.md
 
   # Card
-  - title: Microsoft's unified security operations platform
+  - title: Unified security operations in the Defender portal
     linkLists:
       - linkListType: overview
         links:
-          - text: "What is Microsoft's unified SecOps platform?"
+          - text: "What are unified security operations?"
             url: /unified-secops-platform/overview-unified-security
           - text: "Microsoft Defender portal overview"
             url: /unified-secops-platform/overview-defender-portal
       - linkListType: deploy
         links:
-          - text: "Plan your unified SecOps deployment"
+          - text: "Plan for unified security operations"
             url: /unified-secops-platform/overview-plan
-          - text: "Deploy Microsoft's unified SecOps platform"
+          - text: "Deploy for unified security operations"
             url: /unified-secops-platform/overview-deploy
 
 # Card

defender-xdr/investigate-incidents.md

@@ -107,7 +107,7 @@ If the incident or related alerts were the result of an analytics rule you've se
 
 > [!NOTE]
 > To view the details of an attack path, you must have read access permissions in the Microsoft Defender portal and the license for [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management). </br></br>
-> To view attack path details with Microsoft Sentinel in the unified security operations platform, a *Sentinel Reader* role is required. To create new attack paths, the *Security Administrator* role is required.
+> To view attack path details with Microsoft Sentinel in the Defender portal, a *Sentinel Reader* role is required. To create new attack paths, the *Security Administrator* role is required.
 
 The incident graph also contains information about **attack paths**. These paths allow security analysts to identify what other entities an attacker is likely to target next. To view an attack path, you can click on an entity in the incident graph and select **View attack paths**. The top attack paths are shown within the incident graph. Here's an example.
 

defender-xdr/investigate-respond-container-threats.md

@@ -19,7 +19,7 @@ search.appverid:
 ms.date: 01/07/2025
 appliesto:
 - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
-- <a href="https://learn.microsoft.com/unified-secops-platform/" target="_blank">Microsoft's unified security operations platform</a>
+- <a href="https://learn.microsoft.com/unified-secops-platform/" target="_blank">Microsoft Sentinel in the Defender portal</a>
 ---
 # Investigate and respond to container threats in the Microsoft Defender portal
 

defender-xdr/irm-investigate-alerts-defender.md

@@ -19,7 +19,7 @@ search.appverid:
 ms.date: 02/17/2025
 appliesto:
 - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
-- <a href="https://learn.microsoft.com/unified-secops-platform/" target="_blank">Microsoft's unified security operations platform</a>
+- <a href="https://learn.microsoft.com/unified-secops-platform/" target="_blank">Microsoft Sentinel in the Defender portal</a>
 ---
 # Investigate insider risk threats in the Microsoft Defender portal
 
@@ -132,7 +132,7 @@ The following alert classification mapping is used to sync the alert classificat
 |Microsoft Defender alert classification|Microsoft Purview Insider Risk Management alert classification|
 |:---|:---|
 |True positive </br> Includes multi-staged attack, phishing, etc.|Confirmed|
-|Information, expected activity (benign positive) </br> Includes Ssecurity testing, confirmed activity, etc.|Dismissed|
+|Information, expected activity (benign positive) </br> Includes security testing, confirmed activity, etc.|Dismissed|
 |False positive </br> Includes not malicious, not enough data to validate, etc.|Dismissed|
 
 For more information about alert statuses and classifications in Microsoft Defender XDR, see [Manage alerts in Microsoft Defender](investigate-alerts.md#manage-alerts).
@@ -213,4 +213,4 @@ If you are using automation on Microsoft Sentinel incidents, note that automatio
 After investigating an insider risk incident or alert, you can do any of the following:
 
 - Continue to respond to the alert in the Microsoft Purview portal.
-- Use advanced hunting to investigate other insider risk management events in the Microsoft Defender portal.
+- Use advanced hunting to investigate other insider risk management events in the Microsoft Defender portal.