Merge branch 'main' into v-jmathew-9802641-B5

Author: Ruchika-mittal01

ATPDocs/integrate-microsoft-and-pam-services.md

@@ -0,0 +1,59 @@
+---
+title: Integrate Defender for Identity with PAM services
+ms.service: microsoft-defender-for-identity
+ms.date: 03/30/2025
+ms.topic: concept-article
+#customerIntent: As a SOC engineer, I want to understand how to integrate Microsoft Defender for Identity with my PAM (Privilege Access Management) system to manage privileged access and detect threats.
+description: Learn how to integrate Microsoft Defender for Identity with your Privileged Access Management (PAM) services.
+---
+
+# Integrate Defender for Identity with PAM services
+
+## What are PAM services?
+
+Privileged Access Management (PAM) solutions help reduce the risk of credential misuse by securing, monitoring, and controlling privileged account access to critical resources.
+PAM solutions secure privileged accounts by storing their credentials in a secure vault, controlling access through approval workflows, and monitoring active sessions to enforce just-in-time (JIT) and just-enough-access (JEA) policies. Common PAM capabilities include, automated password rotation, multifactor authentication, session isolation, and anomaly detection.
+
+## Defender for Identity and PAM
+
+Defender for Identity helps identify and investigate suspicious activities related to privileged accounts, such as unusual sign in patterns or privilege escalation attempts. 
+When integrated with a PAM solution, Microsoft Defender for Identity can detect and investigate suspicious activity involving privileged accounts—such as abnormal sign-ins or privilege escalation attempts. The integration combines PAM’s access controls with Defender for Identity’s behavioral analytics for enhanced threat detection and containment.
+
+## Technology partners
+
+Microsoft Defender for Identity currently supports integration with the following PAM vendors. Dedicated integrations for each partner are now available in the Microsoft 365 Defender partner catalog for streamlined onboarding and visibility.
+
+:::image type="content" source="media/integrate-with-partner-system-services/screenshot-of-mdi-technology-partners.png" alt-text="Screenshot of the defender for identity connections page":::
+
+
+|Vendor |Description |
+|---------|---------|
+|CyberArk    | Provides credential vaulting, session monitoring, and threat remediation for privileged identities.       |
+|BeyondTrust     | BeyondTrust Offers identity-centric controls to manage the privilege attack surface and mitigate internal and external threats.        |
+|Delinea     | Delivers centralized authorization and session control for privileged identities across enterprise environments.       |
+
+### Reset password
+
+Once PAM integration is enabled, Microsoft Defender XDR automatically tags identities managed by your PAM solution, providing critical context during investigations.
+
+Additionally, you can initiate a password reset for high-risk privileged accounts directly from the Microsoft Defender XDR console. This action uses the connected PAM system.
+
+To reset a password:
+
+1. Go to **Assets > Identities**.
+2. Select the relevant identity.
+3. Click the three-dot menu (**⋯**) in the top-right corner.
+4. Select **Reset password**. The label might vary based on the vendor (for example, **Reset password by CyberArk**, **Reset password by BeyondTrust**).
+
+:::image type="content" source="media/screenshot-of-privilege-access-management-tags-for-identities.png" alt-text="Screenshot of the priviledge access management tags assigned to identity accounts" lightbox="media/screenshot-of-privilege-access-management-tags-for-identities.png":::
+
+This capability streamlines containment and response workflows by embedding privileged access controls directly into the investigation experience.
+
+
+### Next steps 
+
+For more information, see:
+
+[How to integrate Defender for Identity with Delinea](https://docs.delinea.com/online-help/integrations/microsoft/mdi/integrating-mdi.htm)
+
+[How to integrate Defender for Identity with CyberArk](https://community.cyberark.com/marketplace/s/#a35Ht0000018sDVIAY-a39Ht000004GLaEIAW)

ATPDocs/media/integrate-with-partner-system-services/screenshot-of-mdi-technology-partners.png

@@ -81,7 +81,7 @@ For a deeper dive into what's happening in your service account click on the dom
 
 When you investigate a specific Service account, you'll see the following details under the connections tab:
 
-:::image type="content" source="media/Screenshot-of-the-connections-page.png" alt-text="Screenshot of the connections page." lightbox="media/Screenshot-of-the-connections-page.png":::
+:::image type="content" source="media/screenshot-of-the-connections-page.png" alt-text="Screenshot of the connections page." lightbox="media/Screenshot-of-the-connections-page.png":::
 
 |Service account connection details  |Description |
 |---------|---------|

ATPDocs/media/screenshot-of-privilege-access-management-tags-for-identities.png

@@ -85,6 +85,10 @@ items:
         displayName: standalone
     - name: Activate Defender for Identity capabilities on your domain controller
       href: deploy/activate-capabilities.md
+  - name: Integrate with PAM services
+    items:
+    - name: Integrate Defender for Identity with PAM services
+      href: integrate-microsoft-and-pam-services.md
 - name: Manage
   items:
   - name: View the ITDR dashboard

ATPDocs/media/Screenshot-of-the-connections-page.png renamed to ATPDocs/media/screenshot-of-the-connections-page.png

@@ -22,6 +22,20 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
+## April 2025
+
+### New Defender for Identity and PAM Integration
+
+Microsoft Defender for Identity now supports integration with industry-leading Privileged Access Management (PAM) platforms to enhance detection and response for privileged identities.
+
+**Supported PAM vendors**:
+
+- CyberArk
+- Delinea
+- BeyondTrust
+
+For more information see: [Integrations Defender for Identity and PAM services.](Integrate-microsoft-and-pam-services.md)
+
 ## March 2025
 
 ### New Service Account Discovery page

ATPDocs/service-account-discovery.md

@@ -108,17 +108,28 @@ For editable queries, more options are available:
 
 ## Create custom analytics and detection rules
 
-To help discover threats and anomalous behaviors in your environment, you can create customized detection rules. 
+To help discover threats and anomalous behaviors in your environment, you can create customized detection rules. There are two kinds:
+- Analytics rules - to generate detections from rules that query data that is ingested through Microsoft Sentinel
+- Custom detection rules - to generate detections from rules that query data from Defender XDR or from both Microsoft Sentinel and Defender XDR
+
+
+##### Analytics rules
 
 For analytics rules that apply to data ingested through the connected Microsoft Sentinel workspace, select **Manage rules > Create analytics rule**.
 
 :::image type="content" source="/defender/media/advanced-hunting-unified-rules.png" alt-text="Screenshot of the options to create custom analytics or detections in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-rules.png":::
 
 The **Analytics rule wizard** appears. Fill up the required details as described in [Analytics rule wizard—General tab](/azure/sentinel/detect-threats-custom#analytics-rule-wizardgeneral-tab).
 
-You can also create custom detection rules that query data from both Microsoft Sentinel and Defender XDR tables. Select **Manage rules > Create custom detection**. Read [Create and manage custom detection rules](custom-detection-rules.md) for more information. 
 
-In custom detection rule creation, you can only query data ingested as analytics logs (that is, not as basic logs or auxiliary logs, see [log management plans](/azure/sentinel/log-plans#log-management-plans) to check the different tiers) otherwise the rule creation won't proceed.
+##### Custom detection rules
+You can create custom detection rules that query data from both Microsoft Sentinel and Defender XDR tables. Select **Manage rules > Create custom detection**. Read [Create and manage custom detection rules](custom-detection-rules.md) for more information. 
+
+
+In both custom detection and analytics rule creation, you can only query data ingested as analytics logs (that is, not as basic logs or auxiliary logs. See [log management plans](/azure/sentinel/log-plans#log-management-plans) to check the different tiers) otherwise the rule creation won't proceed.
 
 If your Defender XDR data is ingested into Microsoft Sentinel, you have the option to choose between **Create custom detection** and **Create analytics rule**.
 
+
+> [!NOTE]
+> If a Defender XDR table is not set up to stream to log analytics in Microsoft Sentinel but is recognized as a standard table in Microsoft Sentinel, an analytics rule can be created successfully but the rule won't run correctly since no data is actually available in Microsoft Sentinel. For these cases, use the custom detection rule wizard instead. 

ATPDocs/toc.yml

@@ -49,6 +49,8 @@ For information on other tables in the advanced hunting schema, see [the advance
 | `UrlChain` | `string` | For scenarios involving redirections, it includes URLs present in the redirection chain|
 | `ReportId` | `string` | The unique identifier for a click event. For clickthrough scenarios, report ID would have same value, and therefore it should be used to correlate a click event.|
 
+> [!NOTE]
+> For clicks originating from email in Drafts and Sent items folders, email metadata is either not available or `NetworkMessageId` is assigned by default. In this case, `UrlClickEvents` can't be joined with `Email*` tables like `EmailEvents`, `EmailPostDeliveryEvents`, and others, using `NetworkMessageId`. 
 
 You can try this example query that uses the `UrlClickEvents` table to return a list of links where a user was allowed to proceed: