MicrosoftDocs
diff --git a/‎articles/sentinel/create-analytics-rules.md
Lines changed: 25 additions & 26 deletions b/‎articles/sentinel/create-analytics-rules.md
Lines changed: 25 additions & 26 deletions
diff --git a/‎articles/sentinel/media/create-analytics-rules/defender-view-incidents.png
127 KB b/‎articles/sentinel/media/create-analytics-rules/defender-view-incidents.png
127 KB
diff --git a/‎articles/sentinel/media/create-analytics-rules/view-incidents.png
127 KB b/‎articles/sentinel/media/create-analytics-rules/view-incidents.png
127 KB
diff --git a/‎articles/sentinel/scheduled-rules-overview.md
Lines changed: 5 additions & 15 deletions b/‎articles/sentinel/scheduled-rules-overview.md
Lines changed: 5 additions & 15 deletions
@@ -210,26 +210,17 @@ In the **Incident settings** tab, choose whether Microsoft Sentinel turns alerts
 
 ### Review or add automated responses
 
-In the **Automated responses** tab, see the [automation rules](automate-incident-handling-with-automation-rules.md) displayed in the list. If you want to add any responses that aren't already covered by existing rules, you have two choices:
+1. In the **Automated responses** tab, see the automation rules displayed in the list. If you want to add any responses that aren't already covered by existing rules, you have two choices:
 
-- Edit an existing rule if you want the added response to apply to many or all rules.
-- Select **Add new** to [create a new automation rule](create-manage-use-automation-rules.md) that will apply only to this analytics rule.
+    - Edit an existing rule if you want the added response to apply to many or all rules.
+    - Select **Add new** to [create a new automation rule](create-manage-use-automation-rules.md) that will apply only to this analytics rule.
 
+    To learn more about what you can use automation rules for, see [Automate threat response in Microsoft Sentinel with automation rules](automate-incident-handling-with-automation-rules.md)
 
-to set automated responses to occur at any of three types of occasions:
-- When an alert is generated by this analytics rule.
-- When an incident is created from alerts generated by this analytics rule.
-- When an incident is updated with alerts generated by this analytics rule.
+    - Under **Alert automation (classic)** at the bottom of the screen, you'll see any playbooks you've configured to run automatically when an alert is generated using the old method. 
+        - **As of June 2023**, you can no longer add playbooks to this list. Playbooks already listed here will continue to run until this method is **deprecated, effective March 2026**.
 
-The grid displayed under **Automation rules** shows the automation rules that already apply to this analytics rule (by virtue of it meeting the conditions defined in those rules). You can edit any of these by selecting the name of the rule or the ellipsis at the end of each row. Or, you can
-
-Use automation rules to perform [basic triage](investigate-incidents.md#navigate-and-triage-incidents), assignment, [workflow](incident-tasks.md), and closing of incidents. 
-
-Automate more complex tasks and invoke responses from remote systems to remediate threats by calling playbooks from these automation rules. You can invoke playbooks for incidents as well as for individual alerts.
-
-- For more information and instructions on creating playbooks and automation rules, see [Automate threat responses](tutorial-respond-threats-playbook.md#automate-threat-responses).
-
-- For more information about when to use the **incident created trigger**, the **incident updated trigger**, or the **alert created trigger**, see [Use triggers and actions in Microsoft Sentinel playbooks](playbook-triggers-actions.md#microsoft-sentinel-triggers-summary).
+        - If you still have any playbooks listed here, you should instead create an automation rule based on the **alert created trigger** and invoke the playbook from the automation rule. After you've done that, select the ellipsis at the end of the line of the playbook listed here, and select **Remove**. See [Migrate your Microsoft Sentinel alert-trigger playbooks to automation rules](migrate-playbooks-to-automation-rules.md) for full instructions.
 
 # [Azure portal](#tab/azure-portal)
 
@@ -241,12 +232,15 @@ Automate more complex tasks and invoke responses from remote systems to remediat
 
 ---
 
-- Under **Alert automation (classic)** at the bottom of the screen, you'll see any playbooks you've configured to run automatically when an alert is generated using the old method. 
-    - **As of June 2023**, you can no longer add playbooks to this list. Playbooks already listed here will continue to run until this method is **deprecated, effective March 2026**.
+1. Select **Next: Review and create** to review all the settings for your new analytics rule.
+
+### Validate configuration and create the rule
 
-    - If you still have any playbooks listed here, you should instead create an automation rule based on the **alert created trigger** and invoke the playbook from the automation rule. After you've done that, select the ellipsis at the end of the line of the playbook listed here, and select **Remove**. See [Migrate your Microsoft Sentinel alert-trigger playbooks to automation rules](migrate-playbooks-to-automation-rules.md) for full instructions.
+1. When the "Validation passed" message appears, select **Create**.
 
-Select **Next: Review and create** to review all the settings for your new analytics rule. When the "Validation passed" message appears, select **Create**.
+1. If an error appears instead, find and select the red X on the tab in the wizard where the error occurred.
+
+1. Correct the error and go back to the **Review and create** tab to run the validation again.
 
 # [Azure portal](#tab/azure-portal)
 
@@ -260,23 +254,28 @@ Select **Next: Review and create** to review all the settings for your new analy
 
 ## View the rule and its output
 
-**View the rule definition:**
+### View the rule definition
 
-- You can find your newly created custom rule (of type "Scheduled") in the table under the **Active rules** tab on the main **Analytics** screen. From this list you can enable, disable, or delete each rule.
+You can find your newly created custom rule (of type "Scheduled") in the table under the **Active rules** tab on the main **Analytics** screen. From this list you can enable, disable, or delete each rule.
 
-**View the results of the rule:**
+### View the results of the rule
 
 # [Azure portal](#tab/azure-portal)
 
-- To view the results of the analytics rules you create in the Azure portal, go to the **Incidents** page, where you can triage incidents, [investigate them](investigate-cases.md), and [remediate the threats](respond-threats-during-investigation.md).
+To view the results of the analytics rules you create in the Azure portal, go to the **Incidents** page, where you can triage incidents, [investigate them](investigate-cases.md), and [remediate the threats](respond-threats-during-investigation.md).
+
+:::image type="content" source="media/create-analytics-rules/view-incidents.png" alt-text="Screenshot of incidents page in the Azure portal." lightbox="media/create-analytics-rules/view-incidents.png":::
 
 # [Defender portal](#tab/defender-portal)
 
-- To view the results of the analytics rules you create in the Defender portal, expand **Investigation & response** in the navigation menu, then **Incidents & alerts**. View incidents on the **Incidents** page, where you can triage incidents, [investigate them](investigate-cases.md), and [remediate the threats](respond-threats-during-investigation.md). View individual alerts on the **Alerts** page.
+To view the results of the analytics rules you create in the Defender portal, expand **Investigation & response** in the navigation menu, then **Incidents & alerts**. View incidents on the **Incidents** page, where you can triage incidents, [investigate them](investigate-cases.md), and [remediate the threats](respond-threats-during-investigation.md). View individual alerts on the **Alerts** page.
+
+:::image type="content" source="media/create-analytics-rules/defender-view-incidents.png" alt-text="Screenshot of incidents page in the Azure portal." lightbox="media/create-analytics-rules/defender-view-incidents.png":::
 
 ---
 
-**Tune the rule:**
+### Tune the rule
+
 - You can update the rule query to exclude false positives. For more information, see [Handle false positives in Microsoft Sentinel](false-positives.md).
 
 > [!NOTE]
 
@@ -23,7 +23,7 @@ This article helps you understand how scheduled analytics rules are built, and i
 
 [!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
 
-## Use analytics rule templates
+## Analytics rule templates
 
 The queries in **scheduled rule templates** were written by security and data science experts, either from Microsoft or from the vendor of the solution providing the template.
 
@@ -41,29 +41,19 @@ The rest of this article explains all the possibilities for customizing the conf
 
 ## Analytics rule configuration
 
-This section describes the configuration options available in the analytics rule wizard, giving you the information required to understand how to configure a rule in a given situation.
+This section explains the key considerations you need to take into account before you begin configuring your rules.
 
-### *General* tab: Analytics rule details
+### Analytics rule name and details
 
 The first page of the analytics rule wizard contains the rule’s basic information.
 
-# [Azure portal](#tab/azure-portal)
-
-:::image type="content" source="media/create-analytics-rules/general-tab.png" alt-text="Screenshot of opening screen of analytics rule wizard in the Azure portal.":::
-
-# [Defender portal](#tab/defender-portal)
-
-:::image type="content" source="media/create-analytics-rules/defender-wizard-general.png" alt-text="Screenshot of opening screen of analytics rule wizard in the Defender portal.":::
-
----
-
 **Name:** The name of the rule as it appears in the list of rules and in any rule-based filters. The name must be unique to your workspace.
 
 **Description:** A free-text description of the purpose of the rule.
 
-**ID:** The GUID of the rule as an Azure resource, used in API requests and responses, among other things. This is a read-only field that is displayed when you're editing an existing rule. The GUID is assigned only when the rule is created, so it doesn't show up when creating a new rule, either from a template or from scratch.
+**ID:** The GUID of the rule as an Azure resource, used in API requests and responses, among other things. This GUID is assigned only when the rule is created, so it's displayed only when you're **editing an existing rule**. As it's a read-only field, it's displayed as grayed out and can't be changed. It doesn't yet exist when creating a new rule, either from a template or from scratch.
 
-**Severity:** A rating to give the alerts produced by this rule. The severity of an activity is a product of the calculation of the **likelihood** of the activity’s occurrence and its potential negative **impact**.
+**Severity:** A rating to give the alerts produced by this rule. The severity of an activity is a calculation of the potential negative **impact** of the activity’s occurrence.
 
 | Severity | Description |
 | --- | --- |