Merge pull request #290797 from batamig/patch-965576

Updates for new USX docset - publish only after USX docset goes live

Author: AnnaMHuff

articles/security/index.yml

@@ -30,10 +30,13 @@ highlightedContent:
       url: ../sentinel/mitre-coverage.md
     - title: Combine SIEM and XDR to defend against modern attacks
       itemType: overview
-      url: https://www.microsoft.com/security/business/threat-protection
-    - title: Use watchlists in Microsoft Sentinel
+      url: /unified-secops-platform/overview-unified-security
+    - title: Aggregate data with summary rules
+      itemType: how-to-guide
+      url: ../sentinel/summary-rules.md
+    - title: Optimize security operations
       itemType: concept
-      url: ../sentinel/watchlists.md
+      url: ../sentinel/soc-optimization/soc-optimization-access.md
     - title: Azure Network Security
       itemType: concept
       url: ../networking/security/index.yml

articles/sentinel/microsoft-365-defender-sentinel-integration.md

@@ -69,16 +69,16 @@ With the integration of Defender XDR with Microsoft Sentinel, Defender XDR incid
 
 Defender XDR enriches and groups alerts from multiple Microsoft Defender products, both reducing the size of the SOC’s incident queue and shortening the time to resolve. Alerts from the following Microsoft Defender products and services are also included in the integration of Defender XDR to Microsoft Sentinel:
 
-- Microsoft Defender for Endpoint
-- Microsoft Defender for Identity
-- Microsoft Defender for Office 365
-- Microsoft Defender for Cloud Apps
-- Microsoft Defender Vulnerability Management
+- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
+- [Microsoft Defender for Identity](/defender-for-identity/what-is)
+- [Microsoft Defender for Office 365](/defender-office-365/mdo-about)
+- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps)
+- [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
 
 Other services whose alerts are collected by Defender XDR include:
 
-- Microsoft Purview Data Loss Prevention ([Learn more](/microsoft-365/security/defender/investigate-dlp))
-- Microsoft Entra ID Protection ([Learn more](/defender-cloud-apps/aadip-integration))
+- [Microsoft Purview Data Loss Prevention](/microsoft-365/security/defender/investigate-dlp)
+- [Microsoft Entra ID Protection](/defender-cloud-apps/aadip-integration)
 
 The Defender XDR connector also brings incidents from Microsoft Defender for Cloud. To synchronize alerts and entities from these incidents as well, you must enable the Defender for Cloud connector in Microsoft Sentinel. Otherwise, your Defender for Cloud incidents appear empty. For more information, see [Ingest Microsoft Defender for Cloud incidents with Microsoft Defender XDR integration](ingest-defender-for-cloud-incidents.md).
 
@@ -112,11 +112,17 @@ Enable the Microsoft Defender XDR connector in Microsoft Sentinel to send all De
 
 ### Ingestion costs
 
-Alerts and incidents from Defender XDR, including items that populate the *SecurityAlert* and *SecurityIncident* tables, are ingested into and synchronized with Microsoft Sentinel at no charge. For all other data types from individual Defender components such as the *Advanced hunting* tables *DeviceInfo*, *DeviceFileEvents*, *EmailEvents*, and so on, ingestion is charged. For more information, see [Plan costs and understand Microsoft Sentinel pricing and billing](billing.md).
+Alerts and incidents from Defender XDR, including items that populate the *SecurityAlert* and *SecurityIncident* tables, are ingested into and synchronized with Microsoft Sentinel at no charge. For all other data types from individual Defender components such as the *Advanced hunting* tables *DeviceInfo*, *DeviceFileEvents*, *EmailEvents*, and so on, ingestion is charged. 
+
+For more information, see [Plan costs and understand Microsoft Sentinel pricing and billing](billing.md).
 
 ### Data ingestion behavior
 
-When the Defender XDR connector is enabled, alerts created by Defender XDR-integrated products are sent to Defender XDR and grouped into incidents. Both the alerts and the incidents flow to Microsoft Sentinel through the Defender XDR connector. The exception to this process is Defender for Cloud. You have the option to enable tenant-based Defender for Cloud alerts to receive all alerts and incidents through Defender XDR, or keep subscription-based alerts and promote them to incidents within Microsoft Sentinel in the Azure portal. For the available options and more information, see the following articles:
+When the Defender XDR connector is enabled, alerts created by Defender XDR-integrated products are sent to Defender XDR and grouped into incidents. Both the alerts and the incidents flow to Microsoft Sentinel through the Defender XDR connector.
+
+The exception to this process is Defender for Cloud. You have the option to enable tenant-based Defender for Cloud alerts to receive all alerts and incidents through Defender XDR, or keep subscription-based alerts and promote them to incidents within Microsoft Sentinel in the Azure portal. 
+
+For the available options and more information, see:
 
 - [Microsoft Defender for Cloud in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud)
 - [Ingest Microsoft Defender for Cloud incidents with Microsoft Defender XDR integration](ingest-defender-for-cloud-incidents.md)
@@ -125,11 +131,11 @@ When the Defender XDR connector is enabled, alerts created by Defender XDR-integ
 
 To avoid creating *duplicate incidents for the same alerts*, the **Microsoft incident creation rules** setting is turned off for Defender XDR-integrated products when connecting Defender XDR. Defender XDR-integrated products include Microsoft Defender for Identity, Microsoft Defender for Office 365, and more.  Also, Microsoft incident creation rules aren't supported in Microsoft's unified SecOps platform. Defender XDR has its own incident creation rules. This change has the following potential impacts:
 
-- Microsoft Sentinel's incident creation rules allowed you to filter the alerts that would be used to create incidents. With these rules disabled, preserve the alert filtering capability by configuring [alert tuning in the Microsoft Defender portal](/microsoft-365/security/defender/investigate-alerts), or by using [automation rules](automate-incident-handling-with-automation-rules.md#incident-suppression) to suppress or close incidents you don't want.
+- **Alert filtering**. Microsoft Sentinel's incident creation rules allowed you to filter the alerts that would be used to create incidents. With these rules disabled, preserve the alert filtering capability by configuring [alert tuning in the Microsoft Defender portal](/microsoft-365/security/defender/investigate-alerts), or by using [automation rules](automate-incident-handling-with-automation-rules.md#incident-suppression) to suppress or close incidents you don't want.
 
-- After you enable the Defender XDR connector, you can no longer predetermine the titles of incidents. The Defender XDR correlation engine presides over incident creation and automatically names the incidents it creates. This change is liable to affect any automation rules you created that use the incident name as a condition. To avoid this pitfall, use criteria other than the incident name as conditions for [triggering automation rules](automate-incident-handling-with-automation-rules.md#conditions). We recommend using *tags*.
+- **Incident titles**. After you enable the Defender XDR connector, you can no longer predetermine the titles of incidents. The Defender XDR correlation engine presides over incident creation and automatically names the incidents it creates. This change is liable to affect any automation rules you created that use the incident name as a condition. To avoid this pitfall, use criteria other than the incident name as conditions for [triggering automation rules](automate-incident-handling-with-automation-rules.md#conditions). We recommend using *tags*.
 
-- If you use Microsoft Sentinel's incident creation rules for other Microsoft security solutions or products not integrated into Defender XDR, such as Microsoft Purview Insider Risk Management, and you plan to onboard to Microsoft's unified SecOps platform in the Defender portal, replace your incident creation rules with [scheduled analytics rules](scheduled-rules-overview.md).
+- **Scheduled analytics rules**. If you use Microsoft Sentinel's incident creation rules for other Microsoft security solutions or products not integrated into Defender XDR, such as Microsoft Purview Insider Risk Management, and you plan to onboard to Microsoft's unified SecOps platform in the Defender portal, replace your incident creation rules with [scheduled analytics rules](scheduled-rules-overview.md).
 
 ## Working with Microsoft Defender XDR incidents in Microsoft Sentinel and bi-directional sync
 

articles/sentinel/microsoft-sentinel-defender-portal.md

@@ -32,7 +32,7 @@ The following table describes the new or improved capabilities available in the
 | Capabilities      | Description              |
 | ----------------- | ------------------------ |
 | Advanced hunting  | Query from a single portal across different data sets to make hunting more efficient and remove the need for context-switching. Use Security Copilot to help generate your KQL. View and query all data including data from Microsoft security services and Microsoft Sentinel. Use all your existing Microsoft Sentinel workspace content, including queries and functions.<br><br>  For more information, see the following articles:<br>- [Advanced hunting in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2264410)<br>- [Security Copilot in advanced hunting](/defender-xdr/advanced-hunting-security-copilot) |
-|SOC optimizations   | Get high-fidelity and actionable recommendations to help you identify areas to:<br>- Reduce costs <br>- Add security controls<br>- Add missing data<br>SOC optimizations are available in the Defender and Azure portals, are tailored to your environment, and are based on your current coverage and threat landscape.  <br><br>For more information, see the following articles:<br>- [Optimize your security operations](soc-optimization/soc-optimization-access.md) <br>- [SOC optimization reference of recommendations](soc-optimization/soc-optimization-reference.md)  |
+|SOC optimizations   | Get high-fidelity and actionable recommendations to help you identify areas to:<br>- Reduce costs <br>- Add security controls<br>- Add missing data<br>SOC optimizations are available in the Defender and Azure portals, are tailored to your environment, and are based on your current coverage and threat landscape.  <br><br>For more information, see the following articles:<br>- [Optimize your security operations](soc-optimization/soc-optimization-access.md) <br>- [Use SOC optimizations programmatically](soc-optimization/soc-optimization-api.md)<br>- [SOC optimization reference of recommendations](soc-optimization/soc-optimization-reference.md)  |
 |Microsoft Copilot in Microsoft Defender| When investigating incidents in the Defender portal, <br>- [Summarize incidents](/defender-xdr/security-copilot-m365d-incident-summary) <br>- [Analyze scripts](/defender-xdr/security-copilot-m365d-script-analysis)<br>- [Analyze files](/defender-xdr/copilot-in-defender-file-analysis)<br>- [Create incident reports](/defender-xdr/security-copilot-m365d-create-incident-report) <br><br>When hunting for threats in advanced hunting, create ready-to-run KQL queries by using the query assistant. For more information, see [Microsoft Security Copilot in advanced hunting](/defender-xdr/advanced-hunting-security-copilot).|
 
 The following table describes the additional capabilities available in the Defender portal with the integration of Microsoft Sentinel and Microsoft Defender XDR as part of Microsoft's unified security operations platform. 

articles/sentinel/soc-optimization/soc-optimization-api.md

@@ -18,7 +18,7 @@ appliesto:
 
 ---
 
-# Using SOC optimizations programmatically (Preview)
+# Use SOC optimizations programmatically (Preview)
 
 Use the Microsoft Sentinel `recommendations` API to programmatically interact with SOC optimization recommendations, helping you to close coverage gaps against specific threats and tighten ingestion rates. You can get details about all current recommendations across your workspaces or a specific SOC optimization recommendation, or you can reevaluate a recommendation if you've made changes in your environment.