Merge pull request #267820 from MicrosoftDocs/release-usx-pub-preview

{Publishing] Release branch USX pub preview - MERGE Apr 3, 8am PDT or earlier (for 10am publish)

Author: huypub

articles/azure-vmware/azure-security-integration.md

@@ -159,7 +159,7 @@ After connecting data sources to Microsoft Sentinel, you can create rules to gen
 
 6. On the **Incident settings** tab, enable **Create incidents from alerts triggered by this analytics rule** and select **Next: Automated response**.
  
-    :::image type="content" source="../sentinel/media/tutorial-detect-threats-custom/general-tab.png" alt-text="Screenshot showing the Analytic rule wizard for creating a new rule in Microsoft Sentinel.":::
+    :::image type="content" source="../sentinel/media/detect-threats-custom/general-tab.png" alt-text="Screenshot showing the Analytic rule wizard for creating a new rule in Microsoft Sentinel.":::
 
 7. Select **Next: Review**.
 

articles/sentinel/TOC.yml

@@ -9,6 +9,8 @@
     href: whats-new.md
   - name: Best practices
     href: best-practices.md
+  - name: Experience in Defender portal
+    href: microsoft-sentinel-defender-portal.md
 - name: Plan
   items:
   - name: Deployment planning guide  
@@ -252,6 +254,8 @@
     href: best-practices-data.md
   - name: Tutorial - Forward syslog data to workspace
     href: forward-syslog-monitor-agent.md
+  - name: Connect data sources
+    href: configure-data-connector.md
   - name: Classifying data with entities
     href: entities.md
   - name: Ingestion-time data transformation
@@ -979,7 +983,9 @@
     - name: Handle ingestion delay in analytics rules
       href: ingestion-delay.md
     - name: Get fine-tuning recommendations
-      href: detection-tuning.md    
+      href: detection-tuning.md
+    - name: Troubleshoot analytics rules
+      href: troubleshoot-analytics-rules.md
   - name: Deploy and monitor decoy honeytokens
     href: monitor-key-vault-honeytokens.md
   - name: Handle false positives

articles/sentinel/add-advanced-conditions-to-automation-rules.md

@@ -1,10 +1,15 @@
 ---
 title: Add advanced conditions to Microsoft Sentinel automation rules
 description: This article explains how to add complex, advanced "Or" conditions to automation rules in Microsoft Sentinel, for more effective triage of incidents.
-author: yelevin
-ms.author: yelevin
 ms.topic: how-to
-ms.date: 05/09/2023
+author: batamig
+ms.author: bagol
+ms.date: 03/14/2024
+appliesto:
+    - Microsoft Sentinel in the Azure portal
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.collection: usx-security
+
 ---
 
 # Add advanced conditions to Microsoft Sentinel automation rules
@@ -31,12 +36,16 @@ Condition groups can contain two levels of conditions:
 
 You can see that this capability affords you great power and flexibility in determining when rules will run. It can also greatly increase your efficiency by enabling you to combine many old automation rules into one new rule.
 
+[!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
+
 ## Add a condition group
 
 Since condition groups offer a lot more power and flexibility in creating automation rules, the best way to explain how to do this is by presenting some examples.
 
 Let's create a rule that will change the severity of an incoming incident from whatever it is to High, assuming it meets the conditions we'll set.
 
+1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), select the **Configuration** > **Automation** page. For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Configuration** > **Automation**.
+
 1. From the **Automation** page, select **Create > Automation rule** from the button bar at the top.
 
     See the [general instructions for creating an automation rule](create-manage-use-automation-rules.md) for details.
@@ -45,14 +54,23 @@ Let's create a rule that will change the severity of an incoming incident from w
 
 1. Select the trigger **When incident is created**.
 
-1. Under **Conditions**, leave the **Incident provider** and **Analytics rule name** conditions as they are. We'll add more conditions below.
+1. Under **Conditions**, if you see the **Incident provider** and **Analytics rule name** conditions, leave them as they are. These conditions aren't available if your workspace is onboarded to the unified security operations platform. In either case, we'll add more conditions later in this process.
 
 1. Under **Actions**, select **Change severity** from the drop-down list.
 
 1. Select **High** from the drop-down list that appears below **Change severity**.
 
+For example, the following tabs show samples from a workspace that's onboarded to the unified security operations platform, in either the Azure or Defender portals, and a workspace that isn't:
+
+### [Onboarded workspaces](#tab/after-onboarding)
+
+:::image type="content" source="media/add-advanced-conditions-to-automation-rules/create-automation-rule-no-conditions-onboarded.png" alt-text="Screenshot of creating new automation rule without adding conditions.":::
+
+### [Workspaces that aren't onboarded](#tab/before-onboarding)
+
 :::image type="content" source="media/add-advanced-conditions-to-automation-rules/create-automation-rule-no-conditions.png" alt-text="Screenshot of creating new automation rule without adding conditions.":::
 
+---
 ## Example 1: simple conditions
 
 In this first example, we'll create a simple condition group: If either condition A **or** condition B is true, the rule will run and the incident's severity will be set to *High*.

articles/sentinel/add-entity-to-threat-intelligence.md

@@ -1,21 +1,26 @@
 ---
-title: Add entities to threat intelligence in Microsoft Sentinel
-description: This article shows you, if you discover a malicious entity in an incident investigation, how to add the entity to your threat intelligence indicator lists in Microsoft Sentinel.
+title: Add entities to threat intelligence
+titleSuffix: Microsoft Sentinel
+description: Learn how to add a malicious entity discovered in an incident investigation to your threat intelligence in Microsoft Sentinel.
 author: yelevin
 ms.author: yelevin
 ms.topic: how-to
-ms.date: 01/17/2023
+ms.date: 3/14/2024
+appliesto: 
+    - Microsoft Sentinel in the Azure portal
+ms.collection: usx-security
+#Customer intent: As a security analyst, I want to quickly add relevant threat intelligence from my investigation for myself and others so I don't lose important information.
 ---
 
 # Add entities to threat intelligence in Microsoft Sentinel
 
-When investigating an incident, you examine entities and their context as an important part of understanding the scope and nature of the incident. In the course of the investigation, you may discover a domain name, URL, file, or IP address in the incident that should be labeled and tracked as an indicator of compromise (IOC), a threat indicator.
+During an investigation, you examine entities and their context as an important part of understanding the scope and nature of an incident. When you discover an entity as a malicious domain name, URL, file, or IP address in the incident, it should be labeled and tracked as an indicator of compromise (IOC) in your threat intelligence.
 
-For example, you may discover an IP address performing port scans across your network, or functioning as a command and control node, sending and/or receiving transmissions from large numbers of nodes in your network.
+For example, you discover an IP address performing port scans across your network, or functioning as a command and control node, sending and/or receiving transmissions from large numbers of nodes in your network.
 
-Microsoft Sentinel allows you to flag these types of entities as malicious, right from within your incident investigation, and add it to your threat indicator lists. You'll then be able to view the added indicators both in Logs and in the Threat Intelligence blade, and use them across your Microsoft Sentinel workspace.
+Microsoft Sentinel allows you to flag these types of entities right from within your incident investigation, and add it to your threat intelligence. You are able to view the added indicators both in **Logs** and **Threat Intelligence**, and use them across your Microsoft Sentinel workspace.
 
-## Add an entity to your indicators list
+## Add an entity to your threat intelligence
 
 The new [incident details page](investigate-incidents.md) gives you another way to add entities to threat intelligence, in addition to the investigation graph. Both ways are shown below.
 
@@ -123,7 +128,7 @@ Whichever of the two interfaces you choose, you will end up here:
 
 1. The entity will be added as a threat indicator in your workspace. You can find it [in the list of indicators in the **Threat intelligence** page](work-with-threat-indicators.md#find-and-view-your-indicators-in-the-threat-intelligence-page), and also [in the *ThreatIntelligenceIndicators* table in **Logs**](work-with-threat-indicators.md#find-and-view-your-indicators-in-logs). 
 
-## Next steps
+## Related content
 
 In this article, you learned how to add entities to your threat indicator lists. For more information, see: