Merge branch 'main' into mdav-release

Author: denisebmsft

ATPDocs/deploy/activate-capabilities.md

@@ -7,13 +7,12 @@ ms.topic: how-to
 
 # Activate Microsoft Defender for Identity capabilities directly on a domain controller
 
-Microsoft Defender for Endpoint customers, who've already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using a [Microsoft Defender for Identity sensor](deploy-defender-identity.md).
+Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using a [Microsoft Defender for Identity sensor](deploy-defender-identity.md).
 
 This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
 
 > [!IMPORTANT]
-> Information in this article relates to a feature that is currently in limited availablility for a select set of use cases. If you weren't directed to use the Defender for Identity **Activation** page, use our [main deployment guide](deploy-defender-identity.md) instead.
->
+> Information in this article relates to a feature that is currently in limited availability for a select set of use cases. If you weren't directed to use the Defender for Identity **Activation** page, use our [main deployment guide](deploy-defender-identity.md) instead.
 
 ## Prerequisites
 
@@ -122,7 +121,7 @@ In the Defender portal, check for the following details:
 
 - **Device entities**: Select **Assets > Devices**, and select the machine for your new sensor. Defender for Identity events are shown on the device timeline.
 
-- **User entities**. Select **Assets > Users** and check for users from a newly onboarded domain. Alternately, use the global search option to search for specific users. User details pages should include **Overview**, **Observed in organization**, and **Timeline** data.
+- **User entities**: Select **Assets > Users** and check for users from a newly onboarded domain. Alternately, use the global search option to search for specific users. User details pages should include **Overview**, **Observed in organization**, and **Timeline** data.
 
 - **Group entities**: Use the global search to find a user group, or pivot from a user or device details page where group details are shown. Check for details of group membership, view group users, and group timeline data.
 
@@ -148,16 +147,7 @@ IdentityQueryEvents
 For more information, see [Advanced hunting in the Microsoft Defender portal](/microsoft-365/security/defender/advanced-hunting-microsoft-defender).
 
 
-### Test Identity Security Posture Management (ISPM) recommendations
-
-Defender for Identity capabilities on domain controllers support the following ISPM assessments:
-
-- [**Install Defender for Identity Sensor on all Domain Controllers**](../security-assessment-unmonitored-domain-controller.md)
-- [**Microsoft LAPS usage**](../security-assessment-laps.md)
-- [**Resolve unsecure domain configurations**](../security-assessment-unsecure-domain-configurations.md)
-- **Set a honeytoken account**
-- [**Unsecure account attributes**](../security-assessment-unsecure-account-attributes.md)
-- [**Unsecure SID History attributes**](../security-assessment-unsecure-sid-history-attribute.md)
+## Test Identity Security Posture Management (ISPM) recommendations
 
 We recommend simulating risky behavior in a test environment to trigger supported assessments and verify that they appear as expected. For example:
 
@@ -187,37 +177,6 @@ For more information, see [Microsoft Defender for Identity's security posture as
 
 ### Test alert functionality
 
-The following alerts are supported by Defender for Identity capabilities on domain controllers:
-
-:::row:::
-   :::column span="":::
-    - [Account enumeration reconnaissance](../reconnaissance-discovery-alerts.md#account-enumeration-reconnaissance-external-id-2003)
-    - [Active Directory attributes Reconnaissance using LDAP](../reconnaissance-discovery-alerts.md#active-directory-attributes-reconnaissance-ldap-external-id-2210)
-    - [Exchange Server Remote Code Execution (CVE-2021-26855)](../lateral-movement-alerts.md#exchange-server-remote-code-execution-cve-2021-26855-external-id-2414)
-    - [Honeytoken user attributes modified](../persistence-privilege-escalation-alerts.md#honeytoken-user-attributes-modified-external-id-2427)
-    - [Honeytoken was queried via LDAP](../reconnaissance-discovery-alerts.md#honeytoken-was-queried-via-ldap-external-id-2429)
-    - [Honeytoken authentication activity](../credential-access-alerts.md#honeytoken-authentication-activity-external-id-2014)
-    - [Honeytoken group membership changed](../persistence-privilege-escalation-alerts.md#honeytoken-group-membership-changed-external-id-2428) 
-    - [Remote code execution attempt](../other-alerts.md#remote-code-execution-attempt-external-id-2019)
-    - [Security principal reconnaissance (LDAP)](../credential-access-alerts.md#security-principal-reconnaissance-ldap-external-id-2038)
-    - [Suspicious service creation](../other-alerts.md#suspicious-service-creation-external-id-2026)
-    - [Suspected NTLM relay attack (Exchange account)](../lateral-movement-alerts.md#suspected-ntlm-relay-attack-exchange-account-external-id-2037)
-   :::column-end:::
-   :::column span="":::
-    - [Suspicious modification of the Resource Based Constrained Delegation attribute by a machine account](../persistence-privilege-escalation-alerts.md#suspicious-modification-of-the-resource-based-constrained-delegation-attribute-by-a-machine-account--external-id-2423)
-    - [Suspicious additions to sensitive groups](../persistence-privilege-escalation-alerts.md#suspicious-additions-to-sensitive-groups-external-id-2024)
-    - [Suspicious modification of a dNSHostName attribute (CVE-2022-26923)](../persistence-privilege-escalation-alerts.md#suspicious-modification-of-a-dnshostname-attribute-cve-2022-26923--external-id-2421)
-    - [Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287)](../credential-access-alerts.md#suspicious-modification-of-a-samnameaccount-attribute-cve-2021-42278-and-cve-2021-42287-exploitation-external-id-2419)
-    - [Suspected DCShadow attack (domain controller promotion)](../other-alerts.md#suspected-dcshadow-attack-domain-controller-promotion-external-id-2028)
-    - [Suspected DFSCoerce attack using Distributed File System Protocol](../credential-access-alerts.md#suspected-dfscoerce-attack-using-distributed-file-system-protocol-external-id-2426) 
-    - [Suspected DCShadow attack (domain controller replication request)](../other-alerts.md#suspected-dcshadow-attack-domain-controller-replication-request-external-id-2029)
-    - [Suspected account takeover using shadow credentials](../credential-access-alerts.md#suspected-account-takeover-using-shadow-credentials-external-id-2431)
-    - [Suspected SID-History injection](../persistence-privilege-escalation-alerts.md#suspected-sid-history-injection-external-id-1106)
-    - [Suspected AD FS DKM key read](../credential-access-alerts.md#suspected-ad-fs-dkm-key-read-external-id-2413)
-   :::column-end:::
-:::row-end:::
-
-
 Test alert functionality by simulating risky activity in a test environment. For example:
 
 - Tag an account as a honeytoken account, and then try signing in to the honeytoken account against the activated domain controller.
@@ -232,16 +191,12 @@ Test remediation actions on a test user. For example:
 
 1. In the Defender portal, go to the user details page for a test user.
 
-1. From the options menu, select any or all of the following, one at a time:
-
-    - **Disable user in AD**
-    - **Enable user in AD**
-    - **Force password reset**
+1. From the **Options** menu, select any of the available remediation actions.
 
 1. Check Active Directory for the expected activity.
 
 > [!NOTE]
-> The current version does not collect the User Account Control (UAC) flags correctly. So disabled users, would still appear as Enabled in the portal.
+> The current version doesn't collect the User Account Control (UAC) flags correctly. So disabled users, would still appear as Enabled in the portal.
 
 
 For more information, see [Remediation actions in Microsoft Defender for Identity](../remediation-actions.md).

CloudAppSecurityDocs/release-notes.md

@@ -19,11 +19,50 @@ For more information on what's new with other Microsoft Defender security produc
 
 For news about earlier releases, see [Archive of past updates for Microsoft Defender for Cloud Apps](release-note-archive.md).
 
+## February 2025
+
+### Enhanced alert source accuracy
+
+Microsoft Defender for Cloud Apps is enhancing its alert sources to deliver more precise information. This update, applicable to new alerts only, will be reflected across various experiences and APIs, including the Defender XDR portal, Advanced hunting, and Graph API.   
+The goal is to improve the accuracy of alert origins, facilitating better identification, management, and response to alerts.
+
+To learn more about the different alert sources in Defender XDR see the _Alert sources_ section of [Investigate alerts in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn](/defender-xdr/investigate-alerts?tabs=settings)
+
+To learn more about the Graph API alert resource: [alert resource type - Microsoft Graph v1.0 | Microsoft Learn](/graph/api/resources/security-alert?view=graph-rest-1.0)
+
+### Network requirement updates
+
+Due to improvements being made to Microsoft Defender for Cloud Apps to improve security and performance, you must update network information in your system's firewall and additional third-party services. Make these changes by March 16, 2025 to ensure uninterrupted access to our services:
+
+- Update your firewall rules to allow outbound traffic on port 443 to the following new CDN (Content Delivery Network)  endpoints before March 16, 2025:
+
+  - cdn.cloudappsecurity.com
+  - cdn-discovery.cloudappsecurity.com
+
+- All required outbound access URLs can also be found in Defender for Cloud Apps network requirements page under 'Portal Access'.
+
+- To use Defender for Cloud Apps in the Microsoft Defender portal, make sure you add outbound port 443 for all IP addresses and DNS names listed in our documentation to your firewall's allowlist.
+
+- To connect to third-party apps, enable Defender for Cloud Apps to connect from the following IP addresses, also available in our documentation:
+
+  - **US1**: - 23.101.201.123 - 20.228.186.154
+
+  - **US2**: - 20.15.114.156 - 172.202.90.196
+
+  - **US3**: - 20.3.226.231 - 4.255.218.227
+
+  - **EU1**: - 20.71.203.39 - 137.116.224.49
+
+  - **EU2**: - 20.0.210.84 - 20.90.9.64
+
+- To stay up to date on IP ranges that impact the experiences in Microsoft Defender for Cloud Apps in the areas of portal experience access, access and session controls, SIEM agent connection, app connectors, mail servers, and log collector, we recommend using the Azure service tag for Microsoft Defender for Cloud Apps services, and 'MicrosoftCloudAppSecurity.' The latest IP ranges are found in the service tag. For more information, see [Azure IP ranges](/azure/virtual-network/service-tags-overview).
+
 ## November 2024
 
 ### Internal Session Controls application notice
- The Enterprise application “Microsoft Defender for Cloud Apps – Session Controls” is used internally by the Conditional Access App Control service.  
-Please ensure there is no CA policy restricting access to this application. 
+
+The Enterprise application 'Microsoft Defender for Cloud Apps – Session Controls' is used internally by the Conditional Access App Control service.  
+Ensure there's no CA policy restricting access to this application.
 For policies that restrict all or certain applications, please ensure this application is listed as an exception or confirm that the blocking policy is deliberate.  
 
 For more information, see [Sample: Create Microsoft Entra ID Conditional Access policies for use with Defender for Cloud Apps](session-policy-aad.md#sample-create-microsoft-entra-id-conditional-access-policies-for-use-with-defender-for-cloud-apps).
@@ -73,13 +112,13 @@ For more information, see [OAuth app data usage insights on app governance](/def
 ### New anomaly data in advanced hunting CloudAppEvents table
 
 Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal, can now utilize the new *LastSeenForUser* and *UncommonForUser* columns for queries and detections rules.  
-The new columns are designed to assist you to better __identify uncommon activities__ that may appear suspicious, and allow you to create more accurate custom detections, as well as investigate any suspicious activities that arise.
+The new columns are designed to assist you to better __identify uncommon activities__ that may appear suspicious, and allow you to create more accurate custom detections, as well as investigate any suspicious activities that arise.
 
 For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
 
 ### New Conditional Access app control / inline data in advanced hunting CloudAppEvents table
 
-Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new *AuditSource* and *SessionData* columns for queries and detection rules.   
+Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new *AuditSource* and *SessionData* columns for queries and detection rules.
 Using this data allows for queries that consider specific audit sources, including access and session control, and queries by specific inline sessions.
 
 For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
@@ -100,8 +139,7 @@ Administrators who understand the power of Edge in-browser protection, can now r
 
 A primary reason is security, since the barrier to circumventing session controls using Edge is much higher than with reverse proxy technology.
 
-For more information see: 
-[Enforce Edge in-browser protection when accessing business apps](in-browser-protection.md#enforce-microsoft-edge-browser-protection-when-accessing-business-apps)
+For more information, see [Enforce Edge in-browser protection when accessing business apps](in-browser-protection.md#enforce-microsoft-edge-browser-protection-when-accessing-business-apps).
 
 ### Connect Mural to Defender for Cloud Apps (Preview)
 
@@ -140,7 +178,7 @@ Use the feedback mechanisms at the top and bottom of each documentation page to
 
 ### Large scale export of Activity logs (Preview)
 
-A new user experience dedicated to providing users the option to export from “activity log” page up to six months back or up to 100K events.
+A new user experience dedicated to providing users the option to export from 'activity log' page up to six months back or up to 100K events.
 
 You can filter the results using time range and various other filters and even hide private activities.
 
@@ -151,11 +189,12 @@ For more information, see [Export activities six months back](activity-filters-q
 
 Customize the Microsoft Defender for Cloud Apps(MDA) block experience for apps that are blocked using Cloud Discovery.
 
-You can set up a custom redirect URL on block pages 
+You can set up a custom redirect URL on block pages:
+
 - To educate and redirect end users to organization acceptable use policy 
 - To guide end users on steps to follow to secure an exception for block
 
-For more information, see  [Configure custom URL for MDA block pages](mde-govern.md#educate-users-when-accessing-blocked-apps--customize-the-block-page)
+For more information, see [Configure custom URL for MDA block pages](mde-govern.md#educate-users-when-accessing-blocked-apps--customize-the-block-page).
 
 
 ### In-browser protection for macOS users and newly supported policies (Preview)