Merge branch 'main' of https://github.com/MicrosoftDocs/azure-security-docs-pr into WI444612-antimalware

Author: ElazarK

articles/defender-for-cloud/data-ingestion-benefit.md

@@ -51,7 +51,6 @@ The following subset of  [security data types](/azure/azure-monitor/reference/ta
 - [Update](/azure/azure-monitor/reference/tables/update) and [UpdateSummary](/azure/azure-monitor/reference/tables/updatesummary) when the Update Management solution isn't running in the workspace or solution targeting is enabled.
 - [MDCFileIntegrityMonitoringEvents](/azure/azure-monitor/reference/tables/mdcfileintegritymonitoringevents)
 - [WindowsEvent](/azure/azure-monitor/reference/tables/windowsevent?branch=main)
-- [LinuxAuditLog](/azure/azure-monitor/reference/tables/linuxauditlog)
 
 > [!NOTE]
 > Although `WindowsEvent` is listed, only security events from the `Microsoft-SecurityEvent` stream that go to the `SecurityEvent` table qualify for the 500 MB/day allowance. Application, System, or other event log channels are not covered and are billed as regular ingestion.

articles/defender-for-cloud/defender-for-containers-azure-enable-portal.md

@@ -137,8 +137,9 @@ You can exclude specific AKS clusters from automatic provisioning by applying ta
 
 1. Under **Overview**, select **Tags**.
 
-1. Add one of these tags:
-   - For Defender sensor: `ms_defender_container_exclude_sensors` = `true`
+1. Add this tag:
+
+- For Defender sensor: `ms_defender_container_exclude_sensors` = `true`
 
 ## Monitor ongoing security
 

articles/defender-for-cloud/release-notes.md

@@ -29,13 +29,15 @@ This article summarizes what's new in Microsoft Defender for Cloud. It includes
 
 ## February 2026
 
-|Date| Category|Update|
+| Date | Category | Update |
 | -------- | -------- | -------- |
 | February 20, 2026 | Preview | [Container runtime antimalware detection and prevention (Preview)](#container-runtime-antimalware-detection-and-prevention-preview) |
 | February 10, 2026| Preview | [Database-level recommendations experience for SQL Vulnerability Assessment findings (Preview)](#database-level-recommendations-experience-for-sql-vulnerability-assessment-preview) |
 | February 10, 2026| GA | [Scanning support for Minimus and Photon OS container images](#scanning-support-for-minimus-and-photon-os-container-images) |
 | February 9, 2026| GA | [Simulate alerts for SQL servers on machines](#simulate-alerts-for-sql-servers-on-machines) |
 | February 3, 2026| Preview | [Threat protection for AI agents (Preview)](#threat-protection-for-ai-agentspreview) |
+|February 2, 2026| GA | [Updated CIEM recommendation logic](#updated-ciem-recommendation-logic) |
+|February 2, 2026| Preview | [Threat protection for AI agents (Preview)](#threat-protection-for-ai-agentspreview) |
 
 ### Container runtime antimalware detection and prevention (Preview)
 
@@ -45,7 +47,7 @@ Microsoft Defender for Cloud is announcing container runtime anti-malware detect
 
 Learn more about [antimalware detection and prevention](anti-malware.md).
 
-## Database-level recommendations experience for SQL Vulnerability Assessment (Preview)
+### Database-level recommendations experience for SQL Vulnerability Assessment (Preview)
 
 February 10, 2026
 
@@ -71,13 +73,13 @@ The SQL [vulnerability assessment rules reference](sql-azure-vulnerability-asses
 
 The existing server-level (aggregated) experience remains available during preview.
 
-## Scanning support for Minimus and Photon OS container images
+### Scanning support for Minimus and Photon OS container images
 
 February 10, 2026
 
 Microsoft Defender for Cloud's vulnerability scanner, powered by Microsoft Defender Vulnerability Management, is extending its scanning coverage to Minimus and Photon OS container images, and identify vulnerabilities in Minimus Images and Photos OS to validate that they're shipping the most secure builds possible.  As additional image types are being scanned, your bill might increase. For all supported distributions, see [Registries and images support for vulnerability assessment](support-matrix-defender-for-containers.md#registries-and-images-support-for-vulnerability-assessment).
 
-## Simulate alerts for SQL servers on machines
+### Simulate alerts for SQL servers on machines
 
 February 9, 2026
 
@@ -87,6 +89,32 @@ Simulated alerts generates realistic alerts with full SQL and machine context on
 
 Learn how to [simulate alerts for SQL servers on machines](simulate-alerts-sql-machines.md).
 
+## Updated CIEM recommendation logic  
+
+February 2, 2026
+
+Cloud Infrastructure Entitlement Management (CIEM) recommendations are now available as a native capability in Microsoft Defender for Cloud across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
+
+This update changes how inactive identities and over-permissioned roles are evaluated and improves recommendation accuracy. It may affect existing recommendation results.
+
+### Key changes
+
+- Inactive identity detection now evaluates unused role assignments instead of sign-in activity.
+- The inactivity lookback window is extended to 90 days (previously 45 days).
+- Identities created within the past 90 days aren’t evaluated as inactive.
+- The Permissions Creep Index (PCI) metric is deprecated and no longer appears in recommendations.
+- CIEM onboarding no longer requires elevated high-risk permissions.
+
+### Cloud-specific considerations
+
+| Cloud | Details |
+|--------|---------|
+| **Azure** | Inactive identity recommendations include evaluation of read-level permissions. |
+| **AWS** | CIEM evaluates AWS users and roles whose permissions can be reliably assessed. SAML and SSO identities require [AWS CloudTrail Logs (Preview)](integrate-cloud-trail.md) to be enabled in the Defender CSPM plan. Serverless and compute identities are excluded from CIEM inactivity evaluation, which might affect recommendation counts. |
+| **GCP** | CIEM evaluation requires [Cloud Logging ingestion (Preview)](logging-ingestion.md) to be enabled in the Defender CSPM plan. |
+
+Learn more about [permissions management in Defender for Cloud](permissions-management.md).
+
 ## Threat protection for AI agents (Preview)
 
 February 2, 2026 
@@ -103,7 +131,7 @@ Learn more about [Threat Protection for AI Agents with Microsoft Defender for Cl
 | -------- | -------- | -------- |
 |January 8, 2026| Preview | [Microsoft Security Private Link (Preview)](#microsoft-security-private-link-preview) |
 
-## Microsoft Security Private Link (Preview)
+### Microsoft Security Private Link (Preview)
 
 January 8, 2026