Merge branch 'main' into Teams-chrisda

Author: chrisda

.github/workflows/StaleBranch.yml

@@ -2,12 +2,17 @@ name: (Scheduled) Stale branch removal
 
 permissions:
   contents: write
-      
+
+# This workflow is designed to be run in the days up to, and including, a "deletion day", specified by 'DeleteOnDayOfMonth' in env: in https://github.com/MicrosoftDocs/microsoft-365-docs/blob/workflows-prod/.github/workflows/Shared-StaleBranch.yml.
+# On the days leading up to "deletion day", the workflow will report the branches to be deleted. This lets users see which branches will be deleted. On "deletion day", those branches are deleted.
+# The workflow should not be configured to run after "deletion day" so that users can review the branches were deleted.
+# Recommendation: configure cron to run on days 1,15-31 where 1 is what's configured in 'DeleteOnDayOfMonth'. If 'DeleteOnDayOfMonth' is set to something else, update cron to run the two weeks leading up to it.
+
 on:
   schedule:
-    - cron: "0 9 1 * *"
+    - cron: "0 9 1,15-31 * *"
 
-  # workflow_dispatch:
+  workflow_dispatch:
 
 
 jobs:

ATPDocs/deploy/activate-capabilities.md

@@ -117,8 +117,8 @@ The first time you activate Defender for Identity capabilities on your domain co
 Defender for Identity capabilities on domain controllers currently support the following Defender for Identity functionality:
 
 - Investigation features on the [ITDR dashboard](#check-the-itdr-dashboard), [identity inventory](#confirm-entity-page-details), and [identity advanced hunting data](#test-advanced-hunting-tables)
-- [Specified security posture recommendations](#test-identity-security-posture-management-ispm-recommendations)
-- [Specified alert detections](#test-alert-functionality)
+- [Security posture recommendations](#test-identity-security-posture-management-ispm-recommendations)
+- [Alert detections](#test-alert-functionality)
 - [Remediation actions](#test-remediation-actions)
 - [Automatic attack disruption](/microsoft-365/security/defender/automatic-attack-disruption)
 

ATPDocs/health-alerts.md

@@ -32,6 +32,15 @@ The Microsoft Defender for Identity **Health issues** page lets you know when th
 
     :::image type="content" source="media/health-issues/close-suppress.png" alt-text="Screenshot of a health issue details pane." lightbox="media/health-issues/close-suppress.png":::
 
+## Health issue status
+
+Health issues in Microsoft Defender for Identity can have different statuses depending on their state and how they're handled. 
+
+- **Open:**: The health issue is marked as open. 
+- **Closed:** A health issue is automatically marked as **Closed** when Microsoft Defender for Identity detects that the underlying issue is resolved. If you have [Azure ATP (workspace name) Administrator](/defender-for-identity/role-groups#defender-for-identity-security-groups)  you can also manually close a health issue.
+- **Suppressed:** If you have Azure ATP (workspace name) Administrators permissions, you can suppress the health alert for seven days. Suppress a health alert if you're aware of an expected temporary known issue, for example, taking down a machine for maintenance.
+
+For example, if a domain controller is taken offline for maintenance, a "Sensor stopped communicating" alert might be triggered. You can use the API to change the alert status from Open to Suppressed. Once the domain controller is back online, revert the status to Open and let Microsoft Defender for Identity close the alert automatically when the issue is resolved.
 
 ## Health issues
 
@@ -43,7 +52,7 @@ Sensor-specific health issues are displayed in the **Sensor health issues** tab
 
 |Alert|Description|Resolution|Severity|Displayed in|
 |----|----|----|----|----|
-|The virtual machines that the listed Defender for Identity sensors are installed on has a network configuration mismatch. This issue may affect the performance and reliability of the sensors.|Review the network interface settings, including disabling the Large Send Offload (LSO), and follow the instructions in [here](https://aka.ms/mdi/vmware-sensor-issue).|High|Sensors health issues tab|
+|The virtual machines that the listed Defender for Identity sensors is installed on has a network configuration mismatch. This issue might affect the performance and reliability of the sensors.|Review the network interface settings, including disabling the Large Send Offload (LSO), and follow the instructions in [here](https://aka.ms/mdi/vmware-sensor-issue).|High|Sensors health issues tab|
 
 ### A domain controller is unreachable by a sensor
 

CloudAppSecurityDocs/media/connect-azure-menu.png

@@ -8,9 +8,9 @@ ms.topic: how-to
 
 
 
-Atlassian is an online collaborative and software development platform (including Confluence, Jira and Bitbucket). Along with the benefits of effective collaboration in the cloud, your organization's most critical assets may be exposed to threats. Exposed assets include posts, tasks, and files with potentially sensitive information, collaboration, and partnership details, and more. Preventing exposure of this data requires continuous monitoring to prevent any malicious actors or security-unaware insiders from exfiltrating sensitive information.
+Atlassian is an online collaborative and software development platform (including Confluence, Jira, and Bitbucket). Along with the benefits of effective collaboration in the cloud, your organization's most critical assets might be exposed to threats. Exposed assets include posts, tasks, and files with potentially sensitive information, collaboration, and partnership details, and more. Preventing exposure of this data requires continuous monitoring to prevent any malicious actors or security-unaware insiders from exfiltrating sensitive information.
 
-Connecting Atlassian to Defender for Cloud Apps gives you improved insights into your users' activities and provides threat detection for anomalous behavior. The connector will cover all users in your organization that use the Atlassian platform, and will show activities from Confluence, Jira, and specific Bitbucket activities.
+Connecting Atlassian to Defender for Cloud Apps gives you improved insights into your users' activities and provides threat detection for anomalous behavior. The connector covers all users in your organization that use the Atlassian platform, and shows activities from Confluence, Jira, and specific Bitbucket activities.
 
 Main threats include:
 
@@ -68,7 +68,7 @@ For more information, see:
 This section provides instructions for connecting Microsoft Defender for Cloud Apps to your existing Atlassian products using the App Connector APIs. This connection gives you visibility into and control over your organization's Atlassian use.
 
 >[!NOTE]
->The connector will cover all users in your organization that use the Atlassian platform, and will show activities from Confluence, Jira, and specific Bitbucket activities. For more information about Atlassian activities, see [Atlassian audit log activities](https://support.atlassian.com/security-and-access-policies/docs/track-organization-activities-from-the-audit-log/#Auditlogging-Accessauditlogactivities).
+>The connector covers all users in your organization that use the Atlassian platform, and shows activities from Confluence, Jira, and specific Bitbucket activities. For more information about Atlassian activities, see [Atlassian audit log activities](https://support.atlassian.com/security-and-access-policies/docs/track-organization-activities-from-the-audit-log/#Auditlogging-Accessauditlogactivities).
 
 ### Prerequisites
 
@@ -116,19 +116,17 @@ This section provides instructions for connecting Microsoft Defender for Cloud A
 >[!NOTE]
 >
 > - The first connection can take up to four hours to get all users and their activities.
-> - The activities that will display are the activities that were generated from the moment the connector is connected.
+> - The activities displayed are the activities that were generated from the moment the connector is connected.
 > - Activities from the "Atlassian Access" audit log are fetched by Defender for Cloud apps. Other activities aren't fetched currently. See [Product Audit Logs](https://support.atlassian.com/security-and-access-policies/docs/track-organization-activities-from-the-audit-log/).
 > - After the connector’s **Status** is marked as **Connected**, the connector is live and works.
 
 ### Revoke and renew API keys
 
 1. Microsoft recommends using short lived keys or tokens for connecting apps as a security best practice.
 1. We recommend refreshing the Atlassian API key every 6 months as a best practice. To refresh the key, revoke the existing API key and generate a new key.
-1. To revoke API key, navigate to **admin.atlassian.com** > **Settings** > **API keys**, determine the API key used for integration and select **Revoke**.
+1. To revoke API key, navigate to **admin.atlassian.com** > **Settings** > **API keys**, determine the API key used for integration, and select **Revoke**.
 1. Recreate an API key in the Atlassian admin portal with the steps described above.
-1. Afterwards, go to the **App Connectors** page in the Microsoft Defender Portal and edit the connector:
-
-    ![Edit connector.](media/atlassian-edit-connector.png)
+1. Afterwards, go to the **App Connectors** page in the Microsoft Defender Portal and edit the connector.
 
 1. Enter the new generated new **API key** and select **Connect Atlassian**.
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**. Make sure the status of the connected App Connector is **Connected**.
@@ -148,13 +146,13 @@ This section provides instructions for connecting Microsoft Defender for Cloud A
 
 ## Rate limits and limitations
 
-- **Rate limits** include 1000 requests per minute (per API key/connector instance).
+- **Rate limits** include 1,000 requests per minute (per API key/connector instance).
 
     For more information about the Atlassian API limitation, see [Atlassian admin REST APIs](https://developer.atlassian.com/cloud/admin/about/#about-the-cloud-admin-rest-apis).
 
 - **Limitations** include:
 
-    - Activities will be shown in Defender for Cloud Apps only for users with a verified domain.
+    - Activities are shown in Defender for Cloud Apps only for users with a verified domain.
 
     - The API key has a maximum expiration period of one year. After one year, you'll need to create another API key from the Atlassian Admin portal and replace it for the old API Key in the Defender for Cloud Apps console.
 

CloudAppSecurityDocs/protect-atlassian.md

@@ -8,7 +8,7 @@ ms.topic: how-to
 
 
 
-Azure is an IaaS provider that enables your organization to host and manage their entire workloads in the cloud. Along with the benefits of leveraging infrastructure in the cloud, your organization's most critical assets may be exposed to threats. Exposed assets include storage instances with potentially sensitive information, compute resources that operate some of your most critical applications, ports, and virtual private networks that enable access to your organization.
+Azure is an IaaS provider that enables your organization to host and manage their entire workloads in the cloud. Along with the benefits of leveraging infrastructure in the cloud, your organization's most critical assets might be exposed to threats. Exposed assets include storage instances with potentially sensitive information, compute resources that operate some of your most critical applications, ports, and virtual private networks that enable access to your organization.
 
 Connecting Azure to Defender for Cloud Apps helps you secure your assets and detect potential threats by monitoring administrative and sign-in activities, notifying on possible brute force attacks, malicious use of a privileged user account, and unusual deletions of VMs.
 
@@ -74,7 +74,7 @@ This section provides instructions for connecting Microsoft Defender for Cloud A
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**. Make sure the status of the connected App Connector is **Connected**.
 
 > [!NOTE]
-> After connecting Azure, data will be pulled. You will see data from then onwards.
+> After connecting to Azure, data will be pulled. You'll see data from then onwards.
 
 If you have any problems connecting the app, see [Troubleshooting App Connectors](troubleshooting-api-connectors-using-error-messages.md).
 

CloudAppSecurityDocs/protect-azure.md

@@ -550,6 +550,8 @@
       href: onboarding-endpoint-configuration-manager.md
     - name: Onboarding using Microsoft Intune
       href: onboarding-endpoint-manager.md
+    - name: Deploy Microsoft Defender for Endpoint prerelease builds on Android devices
+      href: mobile-pretest-android.md   
 
   - name: Migration guides
     items:

defender-endpoint/TOC.yml

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: reference
 ms.subservice: android
 search.appverid: met150
-ms.date: 03/21/2025
+ms.date: 04/18/2025
 ---
 
 # What's new in Microsoft Defender for Endpoint on Android
@@ -28,6 +28,17 @@ ms.date: 03/21/2025
 
 Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
+#### Deploy Defender for Endpoint prerelease builds on Android devices using Google Play preproduction tracks
+
+April 2025
+
+**Setup a secure environment to test prerelease builds of Defender for Endpoint on Android**. Learn the steps on how to set up your environment for prerelease testing of Defender for Endpoint on Android. These steps are for Android devices that are onboarded to Microsoft Defender for Endpoint through the following methods:
+
+- Android Enterprise scenarios
+- Mobile Application Mangement (MAM) enrollment scenarios
+
+For more information, see [Deploy Defender for Endpoint prerelease builds on Android devices using Google Play preproduction tracks](mobile-pretest-android.md).
+
 #### Defender for Endpoint on Android now supports Android 10 as the minimum version
 
 February 2025

defender-endpoint/android-whatsnew.md

@@ -78,7 +78,7 @@ By default, all onboarded devices running on Windows 10 version 1809 or later, W
 - `DHCPv6`
 - `IP` (headers)
 - `LLDP`
-- LL`MNR
+- `LLMNR`
 - `mDNS`
 - `MNDP`
 - `MSSQL`

defender-endpoint/device-discovery-faq.md

@@ -4,9 +4,9 @@ description: List of major changes for Microsoft Defender for Endpoint on Linux.
 ms.service: defender-endpoint
 ms.author: ewalsh
 author: emmwalshh
-ms.reviewer: kumasumit, gopkr
+ms.reviewer: kumasumit, gopkr; mevasude
 ms.localizationpriority: medium
-ms.date: 04/08/2025
+ms.date: 04/18/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -43,9 +43,9 @@ This article is updated frequently to let you know what's new in the latest rele
 
 ## Releases for Defender for Endpoint on Linux
 
-### April-2025 Build: 101.25022.0001 | Release version: 30.125022.0001.0
+### April-2025 Build: 101.25022.0002 | Release version: 30.125022.0001.0
 
-|Build:             |**101.25022.0001**    |
+|Build:             |**101.25022.0002**    |
 |-------------------|----------------------|
 |Released:          |**April 07, 2025**    |
 |Published:         |**April 07, 2025**    |