Commit 72da0fb

Merge pull request #249851 from yelevin/yelevin/incidents-to-ga
Incidents to GA
2 parents 647dacc + 7b27a41 commit 72da0fb

10 files changed, +24 / -30 lines changed

articles/sentinel/add-entity-to-threat-intelligence.md

Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -15,9 +15,6 @@ For example, you may discover an IP address performing port scans across your ne
1515

1616
Microsoft Sentinel allows you to flag these types of entities as malicious, right from within your incident investigation, and add it to your threat indicator lists. You'll then be able to view the added indicators both in Logs and in the Threat Intelligence blade, and use them across your Microsoft Sentinel workspace.
1717

18-
> [!IMPORTANT]
19-
> Adding entities as TI indicators is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
20-
2118
## Add an entity to your indicators list
2219

2320
The new [incident details page](investigate-incidents.md) gives you another way to add entities to threat intelligence, in addition to the investigation graph. Both ways are shown below.
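Review bot: Minor grammar in the unchanged context line 16 of this hunk: "flag these types of entities as malicious ... and add it to your threat indicator lists" mixes plural and singular; "add them" would agree with "entities". The removal of the preview callout itself is consistent with the GA scope of this PR.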
@@ -32,7 +29,7 @@ The new [incident details page](investigate-incidents.md) gives you another way
3229

3330
1. Find the entity from the **Entities** widget that you want to add as a threat indicator. (You can filter the list or enter a search string to help you locate it.)
3431

35-
1. Select the three dots to the right of the entity, and select **Add to TI (Preview)** from the pop-up menu.
32+
1. Select the three dots to the right of the entity, and select **Add to TI** from the pop-up menu.
3633

3734
Only the following types of entities can be added as threat indicators:
3835
- Domain name

articles/sentinel/incident-investigation.md

Lines changed: 5 additions & 11 deletions
@@ -11,13 +11,7 @@ ms.date: 01/01/2023
1111

1212
Microsoft Sentinel gives you a complete, full-featured case management platform for investigating and managing security incidents. **Incidents** are Microsoft Sentinel’s name for case files that contain a complete and constantly updated chronology of a security threat, whether it’s individual pieces of evidence (alerts), suspects and parties of interest (entities), insights collected and curated by security experts and AI/machine learning models, or comments and logs of all the actions taken in the course of the investigation.
1313

14-
The incident investigation experience in Microsoft Sentinel begins with the **Incidents** page – a new experience designed to give you everything you need for your investigation in one place. The key goal of this new experience is to increase your SOC’s efficiency and effectiveness, reducing its mean time to resolve (MTTR).
15-
16-
> [!IMPORTANT]
17-
>
18-
> The new incident experience is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
19-
>
20-
> Some of the individual functionalities mentioned below are also in **PREVIEW**. They will be so indicated.
14+
The incident investigation experience in Microsoft Sentinel begins with the **Incidents** page—a new experience designed to give you everything you need for your investigation in one place. The key goal of this new experience is to increase your SOC’s efficiency and effectiveness, reducing its mean time to resolve (MTTR).
2115

2216
This article takes you through the phases of a typical incident investigation, presenting all the displays and tools available to you to help you along.
2317

@@ -55,7 +49,7 @@ This can benefit your investigation in several ways:
5549

5650
The widget shows you the 20 most similar incidents. Microsoft Sentinel decides which incidents are similar based on common elements including entities, the source analytics rule, and alert details. From this widget you can jump directly to any of these incidents' full details pages, while keeping the connection to the current incident intact.
5751

58-
Learn more about what you can do with [similar incidents](investigate-incidents.md#similar-incidents-preview).
52+
Learn more about what you can do with [similar incidents](investigate-incidents.md#similar-incidents).
5953

6054
### Examine top insights
6155

@@ -79,11 +73,11 @@ The **Entities tab** contains a list of all the entities in the incident. When a
7973
Depending on the entity type, you can take a number of further actions from this side panel:
8074
- Pivot to the entity's full [entity page](entity-pages.md) to get even more details over a longer timespan or launch the graphical investigation tool centered on that entity.
8175
- Run a [playbook](respond-threats-during-investigation.md) to take specific response or remediation actions on the entity (in Preview).
82-
- Classify the entity as an [indicator of compromise (IOC)](add-entity-to-threat-intelligence.md) and add it to your Threat intelligence list (in Preview).
76+
- Classify the entity as an [indicator of compromise (IOC)](add-entity-to-threat-intelligence.md) and add it to your Threat intelligence list.
8377

8478
Each of these actions is currently supported for certain entity types and not for others. The following table shows which actions are supported for which entity types:
8579

86-
| Available actions &#9654;<br>Entity types &#9660; | View full details<br>(in entity page) | Add to TI *<br>(Preview) | Run playbook *<br>(Preview) |
80+
| Available actions &#9654;<br>Entity types &#9660; | View full details<br>(in entity page) | Add to TI * | Run playbook *<br>(Preview) |
8781
| ----- | :----: | :----: | :----: |
8882
| **User account** | &#10004; | | &#10004; |
8983
| **Host** | &#10004; | | &#10004; |
@@ -94,7 +88,7 @@ Each of these actions is currently supported for certain entity types and not fo
9488
| **Azure resource** | &#10004; | | |
9589
| **IoT device** | &#10004; | | |
9690

97-
\* For entities for which either or both of these two actions are available, you can take those actions right from the **Entities** widget in the **Overview tab**, never leaving the incident page.
91+
\* For entities for which the **Add to TI** or **Run playbook** actions are available, you can take those actions right from the **Entities** widget in the **Overview tab**, never leaving the incident page.
9892

9993
### Explore logs
10094

articles/sentinel/investigate-incidents.md

Lines changed: 7 additions & 12 deletions
@@ -13,12 +13,6 @@ Microsoft Sentinel gives you a complete, full-featured case management platform
1313

1414
This article takes you through all the panels and options available on the incident details page, helping you navigate and investigate your incidents more quickly, effectively, and efficiently, and reducing your mean time to resolve (MTTR).
1515

16-
> [!IMPORTANT]
17-
>
18-
> The new incident experience is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
19-
>
20-
> Some of the individual functionalities mentioned below are also in **PREVIEW**. They will be so indicated.
21-
2216
See instructions for the [previous version of incident investigation](investigate-cases.md).
2317

2418
Incidents are your case files that contain an aggregation of all the relevant evidence for specific investigations. Each incident is created (or added to) based on pieces of evidence ([alerts](detect-threats-built-in.md)) that were either generated by analytics rules or imported from third-party security products that produce their own alerts. Incidents inherit the [entities](entities.md) contained in the alerts, as well as the alerts' properties, such as severity, status, and MITRE ATT&CK tactics and techniques.
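Review bot: Same concern as in incident-investigation.md: removing old lines 16-21 deletes the sentence that explains features marked PREVIEW "will be so indicated", yet this file still shows **Run playbook (Preview)** in later hunks of this same patch (new lines 265 and 283). Keep a short note explaining the remaining (Preview) labels, or readers will have no context for them.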
@@ -148,9 +142,9 @@ The **Overview** tab contains the following widgets, each of which represents an
148142

149143
[Learn more about the **Incident timeline** widget below](#incident-timeline).
150144

151-
- In the **Similar incidents (Preview)** widget, you'll see a collection of up to 20 other incidents that most closely resemble the current incident. This allows you to view the incident in a larger context and helps direct your investigation.
145+
- In the **Similar incidents** widget, you'll see a collection of up to 20 other incidents that most closely resemble the current incident. This allows you to view the incident in a larger context and helps direct your investigation.
152146

153-
[Learn more about the **Similar incidents** widget below](#similar-incidents-preview).
147+
[Learn more about the **Similar incidents** widget below](#similar-incidents).
154148

155149
- The **Entities** widget shows you all the [entities](entities.md) that have been identified in the alerts. These are the objects that played a role in the incident, whether they be users, devices, addresses, files, or [any other types](./entities-reference.md). Select an entity to see its full details (which will be displayed in the **Entities tab**&mdash;see below).
156150

@@ -203,7 +197,8 @@ From the incident timeline widget, you can also take the following actions on al
203197

204198
:::image type="content" source="media/investigate-incidents/remove-alert.png" alt-text="Screenshot of removing an alert from an incident.":::
205199

206-
### Similar incidents (preview)
200+
<a name="similar-incidents-preview"></a>
201+
### Similar incidents
207202

208203
As a security operations analyst, when investigating an incident you'll want to pay attention to its larger context. For example, you'll want to see if other incidents like this have happened before or are happening now.
209204

@@ -213,7 +208,7 @@ As a security operations analyst, when investigating an incident you'll want to
213208

214209
- You might want to identify the owners of past similar incidents, to find the people in your SOC who can provide more context, or to whom you can escalate the investigation.
215210

216-
The **similar incidents** widget in the incident details page, now in preview, presents up to 20 other incidents that are the most similar to the current one. Similarity is calculated by internal Microsoft Sentinel algorithms, and the incidents are sorted and displayed in descending order of similarity.
211+
The **similar incidents** widget in the incident details page presents up to 20 other incidents that are the most similar to the current one. Similarity is calculated by internal Microsoft Sentinel algorithms, and the incidents are sorted and displayed in descending order of similarity.
217212

218213
:::image type="content" source="media/investigate-incidents/similar-incidents.png" alt-text="Screenshot of the similar incidents display." lightbox="media/investigate-incidents/similar-incidents.png":::
219214

@@ -265,7 +260,7 @@ You can search the list of entities in the entities widget, or filter the list b
265260

266261
:::image type="content" source="media/investigate-incidents/entity-actions-from-overview.png" alt-text="Screenshot of the actions you can take on an entity from the overview tab.":::
267262

268-
If you already know that a particular entity is a known indicator of compromise, select the three dots on the entity's row and choose **Add to TI (Preview)** to [add the entity to your threat intelligence](add-entity-to-threat-intelligence.md). (This option is available for [supported entity types](incident-investigation.md#view-entities).)
263+
If you already know that a particular entity is a known indicator of compromise, select the three dots on the entity's row and choose **Add to TI** to [add the entity to your threat intelligence](add-entity-to-threat-intelligence.md). (This option is available for [supported entity types](incident-investigation.md#view-entities).)
269264

270265
If you want to [trigger an automatic response sequence for a particular entity](respond-threats-during-investigation.md), select the three dots and choose **Run playbook (Preview)**. (This option is available for [supported entity types](incident-investigation.md#view-entities).)
271266

@@ -285,7 +280,7 @@ If the entity name appears as a link, selecting the entity's name will redirect
285280

286281
You can take the same actions here that you can take from the widget on the overview page. Select the three dots in the row of the entity to either run a playbook or add the entity to your threat intelligence.
287282

288-
You can also take these actions by selecting the button next to **View full details** at the bottom of the side panel. The button will read either **Add to TI (Preview)**, **Run playbook (Preview)**, or **Entity actions**&mdash;in which case a menu will appear with the other two choices.
283+
You can also take these actions by selecting the button next to **View full details** at the bottom of the side panel. The button will read either **Add to TI**, **Run playbook (Preview)**, or **Entity actions**&mdash;in which case a menu will appear with the other two choices.
289284

290285
The **View full details** button itself will redirect you to the entity's full entity page.
291286


articles/sentinel/whats-new.md

Lines changed: 11 additions & 3 deletions
@@ -26,6 +26,14 @@ See these [important announcements](#announcements) about recent changes to feat
2626

2727
- [Updated MISP2Sentinel solution utilizes the new upload indicators API.](#updated-misp2sentinel-solution)
2828

29+
### New incident investigation experience is now GA
30+
31+
Microsoft Sentinel's comprehensive [incident investigation and case management experience](incident-investigation.md) is now generally available in both commercial and government clouds. This experience includes the revamped incident page, which itself includes displays of the incident's entities, insights, and similar incidents for comparison. The new experience also includes an incident log history and a task list.
32+
33+
Also generally available are the similar incidents widget and the ability to add entities to your threat intelligence list of indicators of compromise (IoCs).
34+
35+
- Learn more about [investigating incidents](investigate-incidents.md) in Microsoft Sentinel.
36+
2937
### Updated MISP2Sentinel solution
3038
The open source threat intelligence sharing platform, MISP, has an updated solution to push indicators to Microsoft Sentinel. This notable solution utilizes the new [upload indicators API](#connect-threat-intelligence-with-the-upload-indicators-api) to take advantage of workspace granularity and align the MISP ingested TI to STIX-based properties.
3139

@@ -37,7 +45,7 @@ Learn more about the implementation details from the [MISP blog entry for MISP2S
3745
- Announcement: [Changes to Microsoft Defender for Office 365 connector alerts that apply when disconnecting and reconnecting](#changes-to-microsoft-defender-for-office-365-connector-alerts-that-apply-when-disconnecting-and-reconnecting)
3846
- [Content Hub generally available and centralization changes released](#content-hub-generally-available-and-centralization-changes-released)
3947
- [Deploy incident response playbooks for SAP](#deploy-incident-response-playbooks-for-sap)
40-
- [Microsoft Sentinel solution for D365 Finance and Operations (Preview)](#microsoft-sentinel-solution-for-d365-finance-and-operations-preview)
48+
- [Microsoft Sentinel solution for Dynamics 365 Finance and Operations (Preview)](#microsoft-sentinel-solution-for-dynamics-365-finance-and-operations-preview)
4149
- [Simplified pricing tiers](#simplified-pricing-tiers) in [Announcements](#announcements) section below
4250
- [Monitor and optimize the execution of your scheduled analytics rules (Preview)](#monitor-and-optimize-the-execution-of-your-scheduled-analytics-rules-preview)
4351

@@ -64,9 +72,9 @@ Take advantage of Microsoft Sentinel's security orchestration, automation, and r
6472

6573
Learn more about [Microsoft Sentinel incident response playbooks for SAP](sap/sap-incident-response-playbooks.md).
6674

67-
### Microsoft Sentinel solution for D365 Finance and Operations (Preview)
75+
### Microsoft Sentinel solution for Dynamics 365 Finance and Operations (Preview)
6876

69-
The Microsoft Sentinel Solution for D365 Finance and Operations monitors and protects your Dynamics 365 Finance and Operations system: It collects audits and activity logs from the Dynamics 365 Finance and Operations environment, and detects threats, suspicious activities, illegitimate activities, and more.
77+
The Microsoft Sentinel Solution for Dynamics 365 Finance and Operations monitors and protects your Dynamics 365 Finance and Operations system: It collects audits and activity logs from the Dynamics 365 Finance and Operations environment, and detects threats, suspicious activities, illegitimate activities, and more.
7078

7179
The solution includes the **Dynamics 365 Finance and Operations** connector and [built-in analytics rules](dynamics-365/dynamics-365-finance-operations-security-content.md#built-in-analytics-rules) to detect suspicious activity in your Dynamics 365 Finance and Operations environment.
7280
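Review bot: Renaming the heading changes its auto-generated anchor from `#microsoft-sentinel-solution-for-d365-finance-and-operations-preview` to the new `...-dynamics-365-...` form; the in-page link is updated in the previous hunk, but unlike the similar-incidents rename in investigate-incidents.md no `<a name>` compatibility anchor is added here, so any other page or bookmark pointing at the old anchor will break. Consider adding `<a name="microsoft-sentinel-solution-for-d365-finance-and-operations-preview"></a>` above the heading. The rewritten body line also capitalizes "Solution" where the heading uses lowercase "solution".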
