MicrosoftDocs
diff --git a/‎ATPDocs/sensor-settings.md‎
Lines changed: 4 additions & 2 deletions b/‎ATPDocs/sensor-settings.md‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎CloudAppSecurityDocs/activity-filters.md‎
Lines changed: 26 additions & 15 deletions b/‎CloudAppSecurityDocs/activity-filters.md‎
Lines changed: 26 additions & 15 deletions
diff --git a/‎CloudAppSecurityDocs/anomaly-detection-policy.md‎
Lines changed: 5 additions & 5 deletions b/‎CloudAppSecurityDocs/anomaly-detection-policy.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎CloudAppSecurityDocs/data-protection-policies.md‎
Lines changed: 1 addition & 1 deletion b/‎CloudAppSecurityDocs/data-protection-policies.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CloudAppSecurityDocs/governance-actions.md‎
Lines changed: 7 additions & 0 deletions b/‎CloudAppSecurityDocs/governance-actions.md‎
Lines changed: 7 additions & 0 deletions
@@ -58,6 +58,8 @@ The sensors page provides the following information about each sensor:
 
   * **Standalone sensor**
 
+  * **Entra Connect sensor**. If your sensor is installed on a domain controller server with Entra Connect configured, such as in a testing environment, the sensor type is shown as **Domain controller sensor** instead.
+ 
   * **ADCS sensor** (Active Directory Certificate Services). If your sensor is installed on a domain controller server with AD CS configured, such as in a testing environment, the sensor type is shown as **Domain controller sensor** instead.
 
 * **Domain**: Displays the fully qualified domain name of the Active Directory domain where the sensor is installed.
@@ -186,9 +188,9 @@ Every few minutes, Defender for Identity sensors check whether they have the lat
 
 1. Sensors selected for **Delayed update** start their update process 72 hours after the Defender for Identity cloud service is updated. These sensors will then use the same update process as automatically updated sensors.
 
-For any sensor that fails to complete the update process, a relevant [health alert](health-alerts.md#sensor-outdated) is triggered, and is sent as a notification.
+    For any sensor that fails to complete the update process, a relevant [health alert](health-alerts.md#sensor-outdated) is triggered, and is sent as a notification.
 
-![Sensor update failure.](media/sensor-outdated.png)
+    ![Sensor update failure.](media/sensor-outdated.png)
 
 ### Silently update the Defender for Identity sensor
 
 
@@ -1,39 +1,45 @@
 ---
 title: Investigate activities 
 description: This article provides a list of activities, filters, and match parameters that can be applied to activity policies.
-ms.date: 01/29/2023
+ms.date: 06/24/2025
 ms.topic: how-to
 ---
 
 # Investigate activities
 
 
-
 Microsoft Defender for Cloud Apps gives you visibility into all the activities from your connected apps. After you connect Defender for Cloud Apps to an app using the App connector, Defender for Cloud Apps scans all the activities that happened - the retroactive scan period differs per app - and then it's updated constantly with new activities.
 
 > [!NOTE]
-> For a full list of Microsoft 365 activities monitored by Defender for Cloud Apps, see [Search the audit log in the compliance center](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance#audited-activities).
+> The activity types (such as `FileCreated`, `FileCreatedOnNetworkShare`, `ArchiveCreated`, or `FileDeleted`) and their associated data are sourced directly from the connected app’s third-party API (for example, Salesforce or ServiceNow).
+>
+> Microsoft Defender for Cloud Apps displays these activity names and types exactly as received and doesn't define or modify them. To understand the meaning of an activity, refer to the relevant third‑party API documentation.
+
+For a full list of Microsoft 365 activities monitored by Defender for Cloud Apps, see [Search the audit log in the Microsoft Purview portal](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance#audited-activities).
+
 
 The **Activity log** can be filtered to enable you to find specific activities. You create policies based on the activities and then define what you want to be alerted about and act on. You can search for activities performed on certain files. The type of activities and the information we get for each activity depends on the app and what kind of data the app can provide.
 
 For example, you can use the **Activity log** to find users in your organization who are using operating systems or browsers that are out of date, as follows:
 After you connect an app to Defender for Cloud Apps in the **Activity log** page, use the advanced filter and select **User agent tag**. Then select **Outdated browser** or **Outdated operating system**.
 
-![Activity outdated browser example.](media/activity-example-outdated.png)
+:::image type="content" source="media/activity-filters/activity-example-outdated.png" alt-text="Screenshot that shows the Activity log with an outdated browser example." lightbox="media/activity-filters/activity-example-outdated.png":::
+
 
 The basic filter provides great tools to start filtering your activities.
 
-![basic activity log filter.](media/activity-log-filter-basic.png)
+:::image type="content" source="media/activity-filters/activity-log-filter-basic.png" alt-text="Screenshot that shows the basic activity log filter." lightbox="media/activity-filters/activity-log-filter-basic.png":::
+
 
 You can expand the basic filter by selecting **Advanced filters** to drill down into more specific activities.
 
-![advanced activity log filter.](media/activity-log-filter-advanced.png)
+:::image type="content" source="media/activity-log-filter-advanced.png" alt-text="Screenshot that shows the advanced activity log filter.":::
+
 
 > [!NOTE]
 > 
-> - The Legacy tag is added to any activity policy that uses the older "user" filter. This filter will continue to work as usual. If you want to remove the Legacy tag, you can remove the filter and add the filter again using the new **User name** filter.
-> 
-> - In some rare cases, the count of the events presented in the activity log may show a slightly higher number than the real number of events that apply for the filter and being presented.
+> - The Legacy tag is added to any activity policy that uses the older "user" filter. This filter continues to work as usual. If you want to remove the Legacy tag, you can remove the filter and add the filter again using the new **User name** filter.
+> - In some rare cases, the count of the events presented in the activity log might show a slightly higher number than the real number of events that apply for the filter and being presented.
 
 ## The Activity drawer
 
@@ -53,7 +59,7 @@ You can view more information about each activity, by selecting the Activity its
 
 - IP address category and tags: Select the IP tag to view the list of IP tags found in this activity. You can then filter by all activities matching this tag.
 
-The fields in the Activity drawer provide contextual links to additional activities and drill-downs you may want to perform from the drawer directly. For example, if you move your cursor next to the IP address category, you can use the **add to filter** icon ![add to filter.](media/add-to-filter-icon.png) to immediately add the IP address to the current page's filter. You can also use the settings cog icon ![settings icon](media/contextual-settings-icon.png) that pops up to arrive directly at the settings page necessary to modify the configuration of one of the fields, such as **User groups**.
+The fields in the Activity drawer provide contextual links to additional activities and drill-downs you might want to perform from the drawer directly. For example, if you move your cursor next to the IP address category, you can use the **add to filter** icon ![add to filter.](media/activity-filters/add-to-filter-icon.png) to immediately add the IP address to the current page's filter. You can also use the settings cog icon ![settings icon](media/activity-filters/contextual-settings-icon.png) that pops up to arrive directly at the settings page necessary to modify the configuration of one of the fields, such as **User groups**.
 
 You can also use the icons at the top of the tab to:
 
@@ -63,7 +69,9 @@ You can also use the icons at the top of the tab to:
 - View activities from the exact geographic location
 - View activities from the same period (48 hours)
 
-![activity drawer.](media/activity-drawer.png "activity drawer")
+
+:::image type="content" source="media/activity-filters/activity-drawer.png" alt-text="Screenshot that shows the activity drawer." lightbox="media/activity-filters/activity-drawer.png":::
+
 
 For a list of governance actions available, see [Activity governance actions](governance-actions.md#activity-governance-actions).
 
@@ -84,7 +92,8 @@ Selecting it opens the Activity drawer **User** tab provides the following insig
     - **ISPs**: The number of ISPs the user connected from in the past 30 days.
     - **IP addresses**: The number of IP addresses the user connected from in the past 30 days.
 
-![user insights in Defender for Cloud Apps.](media/user-insights.png)
+:::image type="content" source="media/user-insights.png" alt-text="Screenshot that shows user insights, user activities and frequent alert locations for Defender for Cloud apps." lightbox="media/user-insights.png":::
+
 
 #### IP address insights
 
@@ -112,10 +121,11 @@ To view IP address insights:
         - Set as a VPN IP address and add to allowlist
         - Set as a Risky IP and add to blocklist
 
-![IP address insights in Defender for Cloud Apps.](media/ip-address-insights.png)
+:::image type="content" source="media/activity-filters/ip-address-insights.png" alt-text="Screenshot that shows Ip address activities over the last 30 days." lightbox="media/activity-filters/ip-address-insights.png":::
+
 
 > [!NOTE]
->- Internal IPv4 or IPv6 IP addresses audited by the cloud applications connected with API, may indicate internal services communications within the network of the cloud application, and shouldn't be confused with internal IPs from the source network the device connected from, as the cloud application is not exposed to the internal IPs of the devices.
+>- Internal IPv4 or IPv6 IP addresses audited by the cloud applications connected with API, might indicate internal services communications within the network of the cloud application, and shouldn't be confused with internal IPs from the source network the device connected from, as the cloud application isn't exposed to the internal IPs of the devices.
 >- To avoid raising [impossible travel](anomaly-detection-policy.md#impossible-travel) alerts when employees connect from their home locations via the corporate VPN, it's recommended to tag the IP address as **VPN**.
 
 ## Export activities
@@ -124,7 +134,8 @@ You can export all user activities to a CSV file.
 
 In the **Activity log**, select the **Export** button in the top-left corner.
 
-![export button.](media/export-button.png)
+:::image type="content" source="media/activity-filters/export-button.png" alt-text="Screenshot that shows the export button in the Activity log.":::
+
 
 [!INCLUDE [Handle personal data](../includes/gdpr-intro-sentence.md)]
 
 
@@ -88,7 +88,7 @@ Defender for Cloud Apps supports "File Sandboxing" malware detection for the fol
 ### Activity from anonymous IP addresses
 
 > [!NOTE]
-> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled and renamed to **Activity from a TOR IP address**.
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Activity from a TOR IP address** and **Anonymous proxy activity**.
 > If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
 
 This detection identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device's IP address, and may be used for malicious intent. This detection uses a machine-learning algorithm that reduces "false positives", such as mis-tagged IP addresses that are widely used by users in the organization.
@@ -107,7 +107,7 @@ The detection looks for users whose accounts were deleted in Microsoft Entra ID,
 ### Activity from suspicious IP addresses
 
 > [!NOTE]
-> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled and renamed to **Successful logon from a suspicious IP address**.
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Successful logon from a suspicious IP address**.
 >
 > If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
 
@@ -116,7 +116,7 @@ This detection identifies that users were active from an IP address identified a
 ### Suspicious inbox forwarding
 
 > [!NOTE]
-> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled and renamed to **Suspicious email forwarding rule created by third-party app**.
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Suspicious email forwarding rule created by third-party app**.
 >
 > If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
 
@@ -128,15 +128,15 @@ This detection looks for suspicious email forwarding rules, for example, if a us
 ### Suspicious inbox manipulation rules
 
 > [!NOTE]
-> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled.
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model.
 > If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
 
 This detection profiles your environment and triggers alerts when suspicious rules that delete or move messages or folders are set on a user's inbox. This may indicate that the user's account is compromised, that messages are being intentionally hidden, and that the mailbox is being used to distribute spam or malware in your organization.
 
 ### Suspicious email deletion activity (Preview)
 
 > [!NOTE]
-> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled and renamed to **Suspicious email deletion activity**.
+> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Suspicious email deletion activity**.
 >
 > If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
 
 
@@ -268,7 +268,7 @@ You can view more information about each file, by selecting the file itself in t
 - **Matched policies** - See a list of policies the file matched.
 - **Sensitivity labels** - View the list of sensitivity labels from Microsoft Purview Information Protection found in this file. You can then filter by all files matching this label.
 
-The fields in the File drawer provide contextual links to files and drill downs you might want to perform from the drawer directly. For example, if you move your cursor next to the **Owner** field, you can use the "add to filter" icon ![add to filter.](media/add-to-filter-icon.png) to add the owner immediately to the filter of the current page. You can also use the settings cog icon ![settings icon.](media/contextual-settings-icon.png) that pops up to arrive directly at the settings page necessary to modify the configuration of one of the fields, such as **Sensitivity labels**.
+The fields in the File drawer provide contextual links to files and drill downs you might want to perform from the drawer directly. For example, if you move your cursor next to the **Owner** field, you can use the "add to filter" icon ![add to filter.](media/activity-filters/add-to-filter-icon.png) to add the owner immediately to the filter of the current page. You can also use the settings cog icon ![settings icon.](media/activity-filters/contextual-settings-icon.png) that pops up to arrive directly at the settings page necessary to modify the configuration of one of the fields, such as **Sensitivity labels**.
 
 :::image type="content" source="media/file-policies/file-drawer.png" alt-text="Screenshot showing the file drawer" lightbox="media/file-policies/file-drawer.png":::
 
 
@@ -83,6 +83,13 @@ The following governance actions can be taken for connected apps either on a spe
 
   - **Trash** – Move the file to the trash folder. (Box, Dropbox, Google Drive, OneDrive, SharePoint)
 
+> [!NOTE]
+> These actions are restricted to users with specific administrative roles. If the options described are not visible or accessible, please confirm with your system administrator that your account has one of the following roles assigned:
+ - Security Operator
+ - Security administrator
+ - Global administrator
+ - Cloud app security administrator
+   
 :::image type="content" source="media/governance-actions/governance-actions-dropbox-google-workspace.png" alt-text="Screenshot that shows malware governance actions." lightbox="media/governance-actions/governance-actions-dropbox-google-workspace.png":::
 
 > [!NOTE]