MicrosoftDocs
diff --git a/‎articles/sentinel/automation/create-playbooks.md
Lines changed: 5 additions & 5 deletions b/‎articles/sentinel/automation/create-playbooks.md
Lines changed: 5 additions & 5 deletions
diff --git a/‎articles/sentinel/configure-data-connector.md
Lines changed: 9 additions & 13 deletions b/‎articles/sentinel/configure-data-connector.md
Lines changed: 9 additions & 13 deletions
diff --git a/‎articles/sentinel/connect-data-sources.md
Lines changed: 5 additions & 5 deletions b/‎articles/sentinel/connect-data-sources.md
Lines changed: 5 additions & 5 deletions
diff --git a/‎articles/sentinel/create-analytics-rule-from-template.md
Lines changed: 11 additions & 11 deletions b/‎articles/sentinel/create-analytics-rule-from-template.md
Lines changed: 11 additions & 11 deletions
diff --git a/‎articles/sentinel/create-analytics-rules.md
Lines changed: 34 additions & 34 deletions b/‎articles/sentinel/create-analytics-rules.md
Lines changed: 34 additions & 34 deletions
@@ -6,8 +6,8 @@ ms.author: bagol
 ms.topic: how-to
 ms.date: 10/16/2024
 appliesto:
-    - Microsoft Sentinel in the Azure portal
     - Microsoft Sentinel in the Microsoft Defender portal
+    - Microsoft Sentinel in the Azure portal
 ms.collection: usx-security
 #Customer intent: As a security analyst, I want to manage automated response playbooks so that I can efficiently handle incidents and alerts in my environment.
 
@@ -50,14 +50,14 @@ This article describes how to create and manage Microsoft Sentinel playbooks. Yo
 
 Follow these steps to create a new playbook in Microsoft Sentinel:
 
-1. In the [Azure portal](https://portal.azure.com) or in the [Defender portal](https://security.microsoft.com/), go to your Microsoft Sentinel workspace. On the workspace menu, under **Configuration**, select **Automation**.
+1. In the [Defender portal](https://security.microsoft.com/) or in the [Azure portal](https://portal.azure.com), go to your Microsoft Sentinel workspace. On the workspace menu, under **Configuration**, select **Automation**.
+
+     #### [Defender portal](#tab/defender-portal)
+     :::image type="content" source="../media/create-playbooks/add-new-playbook-defender.png" alt-text="Screenshot shows Defender portal and Microsoft Sentinel Automation page with Create selected." lightbox="../media/create-playbooks/add-new-playbook-defender.png":::
 
      #### [Azure portal](#tab/azure-portal)
      :::image type="content" source="../media/create-playbooks/add-new-playbook.png" alt-text="Screenshot shows Azure portal and Microsoft Sentinel Automation page with Create selected." lightbox="../media/create-playbooks/add-new-playbook.png":::
 
-     #### [Defender portal](#tab/defender-portal)
-   :::image type="content" source="../media/create-playbooks/add-new-playbook-defender.png" alt-text="Screenshot shows Defender portal and Microsoft Sentinel Automation page with Create selected." lightbox="../media/create-playbooks/add-new-playbook-defender.png":::
-
      ---
 
 1. From the top menu, select **Create**, and then select one of the following options:
 
@@ -6,8 +6,8 @@ ms.topic: how-to
 ms.date: 03/28/2024
 ms.author: cwatson
 appliesto:
-    - Microsoft Sentinel in the Azure portal
     - Microsoft Sentinel in the Microsoft Defender portal
+    - Microsoft Sentinel in the Azure portal
 ms.collection: usx-security
 
 
@@ -42,14 +42,10 @@ After you or someone in your organization installs the solution that includes th
 1. Search for and select the connector. If you don't see the data connector you want, install the solution associated with it from the **Content Hub**.
 1. Select **Open connector page**.  
 
-   #### [Azure portal](#tab/azure-portal)
-
-   :::image type="content" source="media/configure-data-connector/open-connector-page-option.png" alt-text="Screenshot of data connector details page with open connector page button.":::
-
    #### [Defender portal](#tab/defender-portal)
-
    :::image type="content" source="media/configure-data-connector/open-connector-page-option-defender-portal.png" alt-text="Screenshot of data connector details page in the Defender portal.":::
-
+   #### [Azure portal](#tab/azure-portal)
+   :::image type="content" source="media/configure-data-connector/open-connector-page-option.png" alt-text="Screenshot of data connector details page with open connector page button.":::
    ---
 
 1. Review the **Prerequisites**. To configure the data connector, fulfill all the prerequisites.
@@ -69,15 +65,15 @@ After you enable the connector successfully, the connector begins to stream data
 
 To view the data:
 
-   #### [Azure portal](#tab/azure-portal-1)
+#### [Defender portal](#tab/defender-portal-1)
 
-   Query the tables in the Microsoft Sentinel workspace linked to your Microsoft Sentinel workspace.
+See [Where to find your Microsoft Sentinel data in Microsoft Defender portal](/defender-xdr/advanced-hunting-microsoft-defender#where-to-find-your-microsoft-sentinel-data).
 
-   #### [Defender portal](#tab/defender-portal-1)
-   
-   See [Where to find your Microsoft Sentinel data in Microsoft Defender portal](/defender-xdr/advanced-hunting-microsoft-defender#where-to-find-your-microsoft-sentinel-data).
+#### [Azure portal](#tab/azure-portal-1)
 
-   ---
+Query the tables in the Microsoft Sentinel workspace linked to your Microsoft Sentinel workspace.
+
+---
 
 ## Find support for a data connector
 
 
@@ -6,8 +6,8 @@ ms.topic: conceptual
 ms.date: 11/06/2024
 ms.author: yelevin
 appliesto:
-    - Microsoft Sentinel in the Azure portal
     - Microsoft Sentinel in the Microsoft Defender portal
+    - Microsoft Sentinel in the Azure portal
 ms.collection: usx-security
 #Customer intent: As a security engineer, I want to use data connectors to integrate various data sources into Microsoft Sentinel so that I can enhance threat detection and response capabilities.
 ---
@@ -32,14 +32,14 @@ Microsoft Sentinel solutions provide packaged security content, including data c
 
 The Microsoft Sentinel **Data connectors** page lists the installed or in-use data connectors.
 
-#### [Azure portal](#tab/azure-portal)
-
-:::image type="content" source="media/connect-data-sources/data-connector-list.png" alt-text="Screenshot of the data connectors gallery." lightbox="media/connect-data-sources/data-connector-list.png":::
-
 #### [Defender portal](#tab/defender-portal)
 
 :::image type="content" source="media/connect-data-sources/data-connector-list-defender.png" alt-text="Screenshot of the data connectors gallery." lightbox="media/connect-data-sources/data-connector-list-defender.png":::
 
+#### [Azure portal](#tab/azure-portal)
+
+:::image type="content" source="media/connect-data-sources/data-connector-list.png" alt-text="Screenshot of the data connectors gallery." lightbox="media/connect-data-sources/data-connector-list.png":::
+
 ---
 
 To add more data connectors, install the solution associated with the data connector from the **Content Hub**. For more information, see the following articles:
 
@@ -6,8 +6,8 @@ ms.author: yelevin
 ms.topic: how-to
 ms.date: 07/02/2024
 appliesto:
-    - Microsoft Sentinel in the Azure portal
     - Microsoft Sentinel in the Microsoft Defender portal
+    - Microsoft Sentinel in the Azure portal
 ms.collection: usx-security
 
 
@@ -28,9 +28,9 @@ This article shows you how to create a scheduled analytics rule using a template
 
 To view the installed analytics rules in Microsoft Sentinel, go to the **Analytics** page. The **Rule templates** tab displays all the installed rule templates. To find more rule templates, go to the **Content hub** in Microsoft Sentinel to install the related product solutions or standalone content.
 
-# [Azure portal](#tab/azure-portal)
+# [Defender portal](#tab/defender-portal)
 
-1. From the **Configuration** section of the Microsoft Sentinel navigation menu, select **Analytics**.
+1. From the Microsoft Defender navigation menu, expand **Microsoft Sentinel**, then **Configuration**. Select **Analytics**.
 
 1. On the **Analytics** screen, select the **Rule templates** tab.
 
@@ -40,11 +40,11 @@ To view the installed analytics rules in Microsoft Sentinel, go to the **Analyti
 
     1. From the resulting list, select **Scheduled**. Then select **Apply**.
 
-    :::image type="content" source="media/create-analytics-rule-from-template/view-detections.png" alt-text="Screenshot of scheduled analytics rule templates in Microsoft Azure portal." lightbox="media/create-analytics-rule-from-template/view-detections.png":::
+    :::image type="content" source="media/create-analytics-rule-from-template/view-detections-defender.png" alt-text="Screenshot of scheduled analytics rule templates in Microsoft Defender portal." lightbox="media/create-analytics-rule-from-template/view-detections-defender.png":::
 
-# [Defender portal](#tab/defender-portal)
+# [Azure portal](#tab/azure-portal)
 
-1. From the Microsoft Defender navigation menu, expand **Microsoft Sentinel**, then **Configuration**. Select **Analytics**.
+1. From the **Configuration** section of the Microsoft Sentinel navigation menu, select **Analytics**.
 
 1. On the **Analytics** screen, select the **Rule templates** tab.
 
@@ -54,22 +54,22 @@ To view the installed analytics rules in Microsoft Sentinel, go to the **Analyti
 
     1. From the resulting list, select **Scheduled**. Then select **Apply**.
 
-    :::image type="content" source="media/create-analytics-rule-from-template/view-detections-defender.png" alt-text="Screenshot of scheduled analytics rule templates in Microsoft Defender portal." lightbox="media/create-analytics-rule-from-template/view-detections-defender.png":::
+    :::image type="content" source="media/create-analytics-rule-from-template/view-detections.png" alt-text="Screenshot of scheduled analytics rule templates in Microsoft Azure portal." lightbox="media/create-analytics-rule-from-template/view-detections.png":::
 
 ---
 
 ## Create a rule from a template
 
 This procedure describes how to create an analytics rule from a template.
 
-# [Azure portal](#tab/azure-portal)
-
-From the **Configuration** section of the Microsoft Sentinel navigation menu, select **Analytics**.
-
 # [Defender portal](#tab/defender-portal)
 
 From the Microsoft Defender navigation menu, expand **Microsoft Sentinel**, then **Configuration**. Select **Analytics**.
 
+# [Azure portal](#tab/azure-portal)
+
+From the **Configuration** section of the Microsoft Sentinel navigation menu, select **Analytics**.
+
 ---
 
 1. On the **Analytics** screen, select the **Rule templates** tab.
 
@@ -6,8 +6,8 @@ ms.author: yelevin
 ms.topic: how-to
 ms.date: 10/16/2024
 appliesto:
-    - Microsoft Sentinel in the Azure portal
     - Microsoft Sentinel in the Microsoft Defender portal
+    - Microsoft Sentinel in the Azure portal
 ms.collection: usx-security
 
 
@@ -58,18 +58,18 @@ This section describes how to create a rule using the Azure or Defender portals.
 
 To get started, go to the **Analytics** page in Microsoft Sentinel to create a scheduled analytics rule.
 
-1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Configuration**, select **Analytics**.<br>For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com), select **Microsoft Sentinel** > **Configuration** > **Analytics**.
+1. For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com), select **Microsoft Sentinel** > **Configuration** > **Analytics**. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Configuration**, select **Analytics**.
 
 1. Select **+Create** and select **Scheduled query rule**.
 
-    # [Azure portal](#tab/azure-portal)
-
-    :::image type="content" source="media/create-analytics-rules/create-scheduled-query.png" alt-text="Screenshot of Analytics screen in Azure portal." lightbox="media/create-analytics-rules/create-scheduled-query.png":::
-
     # [Defender portal](#tab/defender-portal)
 
     :::image type="content" source="media/create-analytics-rules/defender-create-scheduled-query.png" alt-text="Screenshot of Analytics screen in Defender portal." lightbox="media/create-analytics-rules/defender-create-scheduled-query.png":::
 
+    # [Azure portal](#tab/azure-portal)
+
+    :::image type="content" source="media/create-analytics-rules/create-scheduled-query.png" alt-text="Screenshot of Analytics screen in Azure portal." lightbox="media/create-analytics-rules/create-scheduled-query.png":::
+
     ---
 
 ### Name the rule and define general information
@@ -88,14 +88,14 @@ In the Azure portal, stages are represented visually as tabs. In the Defender po
 
 1. Select **Next: Set rule logic**.
 
-   # [Azure portal](#tab/azure-portal)
-
-   :::image type="content" source="media/create-analytics-rules/general-tab.png" alt-text="Screenshot of opening screen of analytics rule wizard in the Azure portal.":::
-
    # [Defender portal](#tab/defender-portal)
 
    :::image type="content" source="media/create-analytics-rules/defender-wizard-general.png" alt-text="Screenshot of opening screen of analytics rule wizard in the Defender portal.":::
 
+   # [Azure portal](#tab/azure-portal)
+
+   :::image type="content" source="media/create-analytics-rules/general-tab.png" alt-text="Screenshot of opening screen of analytics rule wizard in the Azure portal.":::
+
    ---
 
 ### Define the rule logic
@@ -150,18 +150,18 @@ The next step is to set the rule logic which includes adding the Kusto query tha
 
 1. Select **Next: Incident settings**.
 
-# [Azure portal](#tab/azure-portal)
-
-:::image type="content" source="media/create-analytics-rules/set-rule-logic-1.png" alt-text="Screenshot of first half of set rule logic tab in the analytics rule wizard in the Azure portal.":::
-
-:::image type="content" source="media/create-analytics-rules/set-rule-logic-2.png" alt-text="Screenshot of second half of set rule logic tab in the analytics rule wizard in the Azure portal.":::
-
 # [Defender portal](#tab/defender-portal)
 
 :::image type="content" source="media/create-analytics-rules/defender-set-rule-logic-1.png" alt-text="Screenshot of first half of set rule logic tab in the analytics rule wizard in the Defender portal.":::
 
 :::image type="content" source="media/create-analytics-rules/defender-set-rule-logic-2.png" alt-text="Screenshot of second half of set rule logic tab in the analytics rule wizard in the Defender portal.":::
 
+# [Azure portal](#tab/azure-portal)
+
+:::image type="content" source="media/create-analytics-rules/set-rule-logic-1.png" alt-text="Screenshot of first half of set rule logic tab in the analytics rule wizard in the Azure portal.":::
+
+:::image type="content" source="media/create-analytics-rules/set-rule-logic-2.png" alt-text="Screenshot of second half of set rule logic tab in the analytics rule wizard in the Azure portal.":::
+
 ---
 
 ### Configure the incident creation settings
@@ -217,14 +217,14 @@ In the **Incident settings** tab, choose whether Microsoft Sentinel turns alerts
 
 1. Select **Next: Automated response**.
 
-    # [Azure portal](#tab/azure-portal)
-
-    :::image type="content" source="media/create-analytics-rules/incident-settings-tab.png" alt-text="Screenshot of incident settings screen of analytics rule wizard in the Azure portal.":::
-
     # [Defender portal](#tab/defender-portal)
 
     :::image type="content" source="media/create-analytics-rules/defender-incident-settings.png" alt-text="Screenshot of incident settings screen of analytics rule wizard in the Defender portal.":::
 
+    # [Azure portal](#tab/azure-portal)
+
+    :::image type="content" source="media/create-analytics-rules/incident-settings-tab.png" alt-text="Screenshot of incident settings screen of analytics rule wizard in the Azure portal.":::
+
     ---
 
 ### Review or add automated responses
@@ -241,14 +241,14 @@ In the **Incident settings** tab, choose whether Microsoft Sentinel turns alerts
 
         - If you still have any playbooks listed here, you should instead create an automation rule based on the **alert created trigger** and invoke the playbook from the automation rule. After you've done that, select the ellipsis at the end of the line of the playbook listed here, and select **Remove**. See [Migrate your Microsoft Sentinel alert-trigger playbooks to automation rules](migrate-playbooks-to-automation-rules.md) for full instructions.
 
-    # [Azure portal](#tab/azure-portal)
-
-    :::image type="content" source="media/create-analytics-rules/automated-response-tab.png" alt-text="Screenshot of automated response screen of analytics rule wizard in the Azure portal.":::
-
     # [Defender portal](#tab/defender-portal)
 
     :::image type="content" source="media/create-analytics-rules/defender-automated-response.png" alt-text="Screenshot of automated response screen of analytics rule wizard in the Defender portal.":::
 
+    # [Azure portal](#tab/azure-portal)
+
+    :::image type="content" source="media/create-analytics-rules/automated-response-tab.png" alt-text="Screenshot of automated response screen of analytics rule wizard in the Azure portal.":::
+
     ---
 
 1. Select **Next: Review and create** to review all the settings for your new analytics rule.
@@ -261,14 +261,14 @@ In the **Incident settings** tab, choose whether Microsoft Sentinel turns alerts
 
 1. Correct the error and go back to the **Review and create** tab to run the validation again.
 
-# [Azure portal](#tab/azure-portal)
-
-:::image type="content" source="media/create-analytics-rules/review-and-create-tab.png" alt-text="Screenshot of validation screen of analytics rule wizard in the Azure portal.":::
-
 # [Defender portal](#tab/defender-portal)
 
 :::image type="content" source="media/create-analytics-rules/defender-review-and-create.png" alt-text="Screenshot of validation screen of analytics rule wizard in the Defender portal.":::
 
+# [Azure portal](#tab/azure-portal)
+
+:::image type="content" source="media/create-analytics-rules/review-and-create-tab.png" alt-text="Screenshot of validation screen of analytics rule wizard in the Azure portal.":::
+
 ---
 
 ## View the rule and its output
@@ -279,18 +279,18 @@ You can find your newly created custom rule (of type "Scheduled") in the table u
 
 ### View the results of the rule
 
-# [Azure portal](#tab/azure-portal)
-
-To view the results of the analytics rules you create in the Azure portal, go to the **Incidents** page, where you can triage incidents, [investigate them](investigate-cases.md), and [remediate the threats](respond-threats-during-investigation.md).
-
-:::image type="content" source="media/create-analytics-rules/view-incidents.png" alt-text="Screenshot of incidents page in the Azure portal." lightbox="media/create-analytics-rules/view-incidents.png":::
-
 # [Defender portal](#tab/defender-portal)
 
 To view the results of the analytics rules you create in the Defender portal, expand **Investigation & response** in the navigation menu, then **Incidents & alerts**. View incidents on the **Incidents** page, where you can triage incidents, [investigate them](investigate-cases.md), and [remediate the threats](respond-threats-during-investigation.md). View individual alerts on the **Alerts** page.
 
 :::image type="content" source="media/create-analytics-rules/defender-view-incidents.png" alt-text="Screenshot of incidents page in the Azure portal." lightbox="media/create-analytics-rules/defender-view-incidents.png":::
 
+# [Azure portal](#tab/azure-portal)
+
+To view the results of the analytics rules you create in the Azure portal, go to the **Incidents** page, where you can triage incidents, [investigate them](investigate-cases.md), and [remediate the threats](respond-threats-during-investigation.md).
+
+:::image type="content" source="media/create-analytics-rules/view-incidents.png" alt-text="Screenshot of incidents page in the Azure portal." lightbox="media/create-analytics-rules/view-incidents.png":::
+
 ---
 
 ### Tune the rule