From 7c37109fb32f0ceb2f451f9a5f09ff835c0ab639 Mon Sep 17 00:00:00 2001
From: diannegali
Date: Wed, 14 Aug 2024 13:30:29 +0100
Subject: [PATCH 1/3] updated threat actor table

---
 defender-xdr/microsoft-threat-actor-naming.md | 27 ++++++++++++-------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/defender-xdr/microsoft-threat-actor-naming.md b/defender-xdr/microsoft-threat-actor-naming.md
index 528a0d82cb..424b05eb30 100644
--- a/defender-xdr/microsoft-threat-actor-naming.md
+++ b/defender-xdr/microsoft-threat-actor-naming.md
@@ -6,8 +6,8 @@ ms.service: defender-xdr
 ms.mktglfcycl: secure
 ms.sitesec: library
 ms.localizationpriority: medium
-ms.author: vpattnaik
-author: diannegali
+ms.author: diannegali
+author: vpattnaik
 manager: dansimp
 audience: ITPro
 ms.collection:
@@ -15,7 +15,7 @@ ms.collection:
 - tier2
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 06/12/2024
+ms.date: 08/19/2024
 ---
 
 # How Microsoft names threat actors
@@ -54,6 +54,7 @@ Use the following reference table to understand how our previously publicly disc
 
 |Threat actor name|Previous name|Origin/Threat|Other names|
 |:---:|:---:|:---:|:---:|
+|Antique Typhoon|Storm-0558|China||
 |Aqua Blizzard|ACTINIUM|Russia|UNC530, Primitive Bear, Gamaredon|
 |Blue Tsunami||Private sector offensive actor|Black Cube|
 |Brass Typhoon|BARIUM|China|APT41|
@@ -97,7 +98,7 @@ Use the following reference table to understand how our previously publicly disc
 |Night Tsunami|DEV-0336|Private sector offensive actor|NSO Group|
 |Nylon Typhoon|NICKEL|China|ke3chang, APT15, Vixen Panda|
 |Octo Tempest|Storm-0875|Financially motivated|0ktapus, Scattered Spider, UNC3944|
-|Onyx Sleet|PLUTONIUM|North Korea|Silent Chollima, Andariel, DarkSeoul|
+|Onyx Sleet|PLUTONIUM|North Korea|APT45, Silent Chollima, Andariel, DarkSeoul|
 |Opal Sleet|OSMIUM|North Korea|Konni|
 |Peach Sandstorm|HOLMIUM|Iran|APT33, Refined Kitten|
 |Pearl Sleet|DEV-0215 (LAWRENCIUM)|North Korea||
@@ -110,13 +111,15 @@ Use the following reference table to understand how our previously publicly disc
 |Purple Typhoon|POTASSIUM|China|APT10, Cloudhopper, MenuPass|
 |Raspberry Typhoon|RADIUM|China|APT30, LotusBlossom|
 |Ruby Sleet|CERIUM|North Korea||
+|Ruza Flood|Storm-1099|Russia, Influence operations||
 |Salmon Typhoon|SODIUM|China|APT4, Maverick Panda|
 |Sangria Tempest|ELBRUS|Financially motivated|Carbon Spider, FIN7|
 |Sapphire Sleet|COPERNICIUM|North Korea|Genie Spider, BlueNoroff|
 |Seashell Blizzard|IRIDIUM|Russia|APT44, Sandworm|
 |Secret Blizzard|KRYPTON|Russia|Venomous Bear, Turla, Snake|
+|Sefid Flood|Storm-1364|Iran, Influence operations||
 |Silk Typhoon|HAFNIUM|China||
-|Smoke Sandstorm|BOHRIUM|Iran||
+|Smoke Sandstorm|BOHRIUM|Iran|UNC1549|
 |Spandex Tempest|CHIMBORAZO|Financially motivated|TA505|
 |Star Blizzard|SEABORGIUM|Russia|Callisto, Reuse Team|
 |Storm-0062||China|DarkShadow, Oro0lxy|
@@ -125,9 +128,10 @@ Use the following reference table to understand how our previously publicly disc
 |Storm-0257||Group in development|UNC1151|
 |Storm-0324||Financially motivated|TA543, Sagrid|
 |Storm-0381||Financially motivated||
+|Storm-0501||Group in development||
+|Storm-0506||Group in development||
 |Storm-0530||North Korea|H0lyGh0st|
 |Storm-0539||Financially motivated|Atlas Lion|
-|Storm-0558||China||
 |Storm-0569||Financially motivated||
 |Storm-0587||Russia|SaintBot, Saint Bear, TA471|
 |Storm-0744||Financially motivated||
@@ -135,13 +139,13 @@ Use the following reference table to understand how our previously publicly disc
 |Storm-0829||Group in development|Nwgen Team|
 |Storm-0835||Group in development|EvilProxy|
 |Storm-0842||Iran||
+|Storm-0844||Group in development||
 |Storm-0861||Iran||
 |Storm-0867||Egypt|Caffeine|
 |Storm-0971||Financially motivated|(Merged into Octo Tempest)|
 |Storm-0978||Group in development|RomCom, Underground Team|
 |Storm-1044||Financially motivated|Danabot|
 |Storm-1084||Iran|DarkBit|
-|Storm-1099||Russia||
 |Storm-1101||Group in development|NakedPages|
 |Storm-1113||Financially motivated||
 |Storm-1133||Palestinian Authority||
@@ -151,17 +155,22 @@ Use the following reference table to understand how our previously publicly disc
 |Storm-1283||Group in development||
 |Storm-1286||Group in development||
 |Storm-1295||Group in development|Greatness|
-|Storm-1364||Iran||
-|Storm-1376||China, Influence operations||
 |Storm-1516||Russia, Influence operations||
 |Storm-1567||Financially motivated|Akira|
 |Storm-1575||Group in development|Dadsec|
+|Storm-1660||Iran, Influence operations||
 |Storm-1674||Financially motivated||
 |Storm-1679||Russia, Influence operations||
+|Storm-1804||Iran, Influence operations||
+|Storm-1805||Iran, Influence operations||
 |Storm-1811||Financially motivated||
+|Storm-1841||Russia, Influence operations||
 |Storm-1849||China|UAT4356|
+|Storm-1852||Group in development||
+|Storm-2035||Iran, Influence operations||
 |Strawberry Tempest||Financially motivated|LAPSUS$|
 |Sunglow Blizzard||Russia||
+|Taizi Flood|Storm-1376|China, Influence operations|Spamouflage, Dragonbridge|
 |Tomato Tempest|SPURR|Financially motivated|Vatet|
 |Vanilla Tempest|DEV-0832|Financially motivated||
 |Velvet Tempest|DEV-0504|Financially motivated||

From 11838758dde3c4f5bf72bc299dea28ed53ffbfe2 Mon Sep 17 00:00:00 2001
From: Batami Gold <26892178+batamig@users.noreply.github.com>
Date: Wed, 21 Aug 2024 13:16:00 +0300
Subject: [PATCH 2/3] fixing soc opt breadcrumbs

---
 defender-xdr/TOC.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/defender-xdr/TOC.yml b/defender-xdr/TOC.yml
index 250c79a896..92de7abacd 100644
--- a/defender-xdr/TOC.yml
+++ b/defender-xdr/TOC.yml
@@ -478,9 +478,11 @@ items: - name: SOC optimization overview display name: SOC optimization - href: https://aka.ms/soc-opt-from-defender + href: /azure/sentinel/soc-optimization/soc-optimization-access?toc=/defender-xdr/toc.json&bc=/defender-xdr/breadcrumb/toc.json + - name: Use SOC optimizations programmatically + href: /azure/sentinel/soc-optimization/soc-optimization-api?toc=/defender-xdr/toc.json&bc=/defender-xdr/breadcrumb/toc.json - name: SOC optimization reference - href: https://aka.ms/soc-opt-ref + href: /azure/sentinel/soc-optimization/soc-optimization-reference?toc=/defender-xdr/toc.json&bc=/defender-xdr/breadcrumb/toc.json - name: Manage multitenant environments items: - name: Overview

From 1ca5e1b90906379bc9876c92ccdbc3f42af0896b Mon Sep 17 00:00:00 2001
From: shdyas
Date: Wed, 21 Aug 2024 10:03:17 -0700
Subject: [PATCH 3/3] Migrate workflows from microsoft-365-docs-pr

---
 .github/workflows/AutoLabelAssign.yml | 35 +++++++++++++++++++
 .../workflows/AutoLabelMsftContributor.yml | 34 ++++++++++++++++++
 .github/workflows/BackgroundTasks.yml | 26 ++++++++++++++
 .github/workflows/LiveMergeCheck.yml | 19 ++++++++++
 .github/workflows/PrFileCount.yml | 19 ++++++++++
 .github/workflows/ProtectedFiles.yml | 17 +++++++++
 6 files changed, 150 insertions(+)
 create mode 100644 .github/workflows/AutoLabelAssign.yml
 create mode 100644 .github/workflows/AutoLabelMsftContributor.yml
 create mode 100644 .github/workflows/BackgroundTasks.yml
 create mode 100644 .github/workflows/LiveMergeCheck.yml
 create mode 100644 .github/workflows/PrFileCount.yml
 create mode 100644 .github/workflows/ProtectedFiles.yml

diff --git a/.github/workflows/AutoLabelAssign.yml b/.github/workflows/AutoLabelAssign.yml
new file mode 100644
index 0000000000..1a30efad7c
--- /dev/null
+++ b/.github/workflows/AutoLabelAssign.yml
@@ -0,0 +1,35 @@
+name: Assign and label PR
+
+permissions:
+ pull-requests: write
+ contents: read
+ actions: read
+
+on:
+ workflow_run:
+ workflows: [Background tasks]
+ types:
+ - completed
+
+jobs:
+ download-payload:
+ name: Download and extract payload artifact
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
+ with:
+ WorkflowId: ${{ github.event.workflow_run.id }}
+ OrgRepo: ${{ github.repository }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+ label-assign:
+ name: Run assign and label
+ needs: [download-payload]
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelAssign.yml@workflows-prod
+ with:
+ PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
+ AutoAssignUsers: 1
+ AutoLabel: 1
+ ExcludedUserList: '["user1", "user2"]'
+ ExcludedBranchList: '["branch1", "branch2"]'
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
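Review bot: `ExcludedUserList: '["user1", "user2"]'` and `ExcludedBranchList: '["branch1", "branch2"]'` in the label-assign job of AutoLabelAssign.yml read as template placeholders carried over from the source repository rather than this repository's real exclusions; if nothing should be excluded, an explicit `'[]'` says so, and otherwise the real values belong here before this runs with `pull-requests: write`. The two `uses:` lines here, and the matching lines in the other five new workflow files, reference the shared workflows by the mutable branch `@workflows-prod`, so whatever is pushed to that branch executes in this repository with the repository token; that is presumably acceptable for an org-owned source, but pinning to a commit SHA, or at minimum a comment above the first `uses:` recording why a branch ref is trusted, would make the boundary explicit. The file also has no comments at all; a header such as `# Runs after "Background tasks" completes and labels/assigns the PR from the saved payload artifact` would tell a maintainer why a workflow_run trigger is used instead of pull_request.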
diff --git a/.github/workflows/AutoLabelMsftContributor.yml b/.github/workflows/AutoLabelMsftContributor.yml
new file mode 100644
index 0000000000..7058a420cf
--- /dev/null
+++ b/.github/workflows/AutoLabelMsftContributor.yml
@@ -0,0 +1,34 @@
+name: Auto label Microsoft contributors
+
+permissions:
+ pull-requests: write
+ contents: read
+ actions: read
+
+on:
+ workflow_run:
+ workflows: [Background tasks]
+ types:
+ - completed
+
+jobs:
+ download-payload:
+ if: github.repository_visibility == 'public'
+ name: Download and extract payload artifact
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
+ with:
+ WorkflowId: ${{ github.event.workflow_run.id }}
+ OrgRepo: ${{ github.repository }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+ label-msft:
+ name: Label Microsoft contributors
+ if: github.repository_visibility == 'public'
+ needs: [download-payload]
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelMsftContributor.yml@workflows-prod
+ with:
+ PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+ TeamReadAccessToken: ${{ secrets.ORG_READTEAMS_TOKEN }}
diff --git a/.github/workflows/BackgroundTasks.yml b/.github/workflows/BackgroundTasks.yml
new file mode 100644
index 0000000000..c0389bb252
--- /dev/null
+++ b/.github/workflows/BackgroundTasks.yml
@@ -0,0 +1,26 @@
+name: Background tasks
+
+permissions:
+ pull-requests: write
+ contents: read
+
+on:
+ pull_request_target:
+
+jobs:
+ upload:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Save payload data
+ env:
+ PayloadJson: ${{ toJSON(github) }}
+ AccessToken: ${{ github.token }}
+ run: |
+ mkdir -p ./pr
+ echo $PayloadJson > ./pr/PayloadJson.json
+ sed -i -e "s/$AccessToken/XYZ/g" ./pr/PayloadJson.json
+ - uses: actions/upload-artifact@v4
+ with:
+ name: PayloadJson
+ path: pr/
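Review bot: In the `run:` step of BackgroundTasks.yml, `echo $PayloadJson > ./pr/PayloadJson.json` expands the JSON unquoted, so the shell applies word splitting and glob expansion to it; under `pull_request_target` the `github` context carries contributor-controlled strings (PR title, body, head branch name), and a `*` or `?` inside them could match files in the working directory and change what is saved, which then feeds the `workflow_run` consumers that run with `pull-requests: write`. `printf '%s\n' "$PayloadJson" > ./pr/PayloadJson.json` writes the payload verbatim. The `sed` line scrubs the token only after the file has been written, and it interpolates the token into the pattern unescaped; that works for the current token format, but removing the field before writing (for example `jq 'del(.token)'` on the env value, assuming jq is present on the runner image) would not depend on it. A comment above the step, e.g. `# Persist the PR event for the workflow_run workflows; the token is redacted because the artifact is downloadable`, would record why the redaction exists.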
diff --git a/.github/workflows/LiveMergeCheck.yml b/.github/workflows/LiveMergeCheck.yml
new file mode 100644
index 0000000000..56b79b4813
--- /dev/null
+++ b/.github/workflows/LiveMergeCheck.yml
@@ -0,0 +1,19 @@
+name: PR can merge into branch
+
+permissions:
+ pull-requests: write
+ statuses: write
+ contents: read
+
+on:
+ pull_request_target:
+ types: [opened, reopened, synchronize, edited]
+
+jobs:
+
+ live-merge:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-LiveMergeCheck.yml@workflows-prod
+ with:
+ PayloadJson: ${{ toJSON(github) }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/PrFileCount.yml b/.github/workflows/PrFileCount.yml
new file mode 100644
index 0000000000..95fcf5e1ed
--- /dev/null
+++ b/.github/workflows/PrFileCount.yml
@@ -0,0 +1,19 @@
+name: PR file count less than limit
+
+permissions:
+ pull-requests: write
+ statuses: write
+ contents: read
+
+on:
+ pull_request_target:
+ types: [opened, reopened, synchronize, labeled, unlabeled, edited]
+
+jobs:
+
+ file-count:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-PrFileCount.yml@workflows-prod
+ with:
+ PayloadJson: ${{ toJSON(github) }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ProtectedFiles.yml b/.github/workflows/ProtectedFiles.yml
new file mode 100644
index 0000000000..769cd0aa14
--- /dev/null
+++ b/.github/workflows/ProtectedFiles.yml
@@ -0,0 +1,17 @@
+name: PR has no protected files
+
+permissions:
+ pull-requests: write
+ statuses: write
+ contents: read
+
+on: [pull_request_target]
+
+jobs:
+
+ protected-files:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ProtectedFiles.yml@workflows-prod
+ with:
+ PayloadJson: ${{ toJSON(github) }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
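Review bot: LiveMergeCheck.yml, PrFileCount.yml and ProtectedFiles.yml each pass `PayloadJson: ${{ toJSON(github) }}` to the shared workflow as a plain `with:` input, while BackgroundTasks.yml in the same commit redacts the token from that same JSON before persisting it; if the redaction matters there, the same context handed over unredacted here deserves a check that the reusable workflows never log or store the input, since `with:` values are not masked the way `secrets:` are. All three run on `pull_request_target` with `pull-requests: write` and `statuses: write`, so the payload includes strings a contributor controls (title, body, head ref); that is presumably handled on the reusable side, but a one-line comment above each `uses:` such as `# PayloadJson is contributor-controlled PR event data; the shared workflow must treat it as untrusted` would state the assumption where the next reader will look. ProtectedFiles.yml uses `on: [pull_request_target]` with no `types:` filter, unlike its two siblings, which is worth confirming is deliberate.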