MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/defender-for-iot/device-builders/index.yml
Lines changed: 3 additions & 3 deletions b/‎articles/defender-for-iot/device-builders/index.yml
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/defender-for-iot/organizations/appliance-catalog/index.yml
Lines changed: 1 addition & 1 deletion b/‎articles/defender-for-iot/organizations/appliance-catalog/index.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/defender-for-iot/organizations/index.yml
Lines changed: 1 addition & 3 deletions b/‎articles/defender-for-iot/organizations/index.yml
Lines changed: 1 addition & 3 deletions
diff --git a/‎articles/security/fundamentals/TOC.yml
Lines changed: 0 additions & 2 deletions b/‎articles/security/fundamentals/TOC.yml
Lines changed: 0 additions & 2 deletions
diff --git a/‎articles/security/fundamentals/recover-from-identity-compromise.md
Lines changed: 0 additions & 363 deletions b/‎articles/security/fundamentals/recover-from-identity-compromise.md
Lines changed: 0 additions & 363 deletions
diff --git a/‎articles/sentinel/automation/automate-responses-with-playbooks.md
Lines changed: 21 additions & 21 deletions b/‎articles/sentinel/automation/automate-responses-with-playbooks.md
Lines changed: 21 additions & 21 deletions
diff --git a/‎articles/sentinel/configure-data-connector.md
Lines changed: 22 additions & 31 deletions b/‎articles/sentinel/configure-data-connector.md
Lines changed: 22 additions & 31 deletions
@@ -504,6 +504,11 @@
       "redirect_url": "/azure/security/fundamentals/azure-CA-details",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/security/fundamentals/recover-from-identity-compromise.md",
+      "redirect_url": "/azure/security/fundamentals/ransomware-detect-respond#road-to-recovery",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/event-grid/event-schema-storage-actions.md",
       "redirect_url": "/azure/storage-actions/overview",
 
@@ -7,11 +7,11 @@ metadata:
   title: Microsoft Defender for IoT for device builders documentation
   description: Microsoft Defender for IoT provides comprehensive threat detection for IoT/OT environments, with multiple deployment options including fully on-premises, cloud-connected, or hybrid.
   ms.service: defender-for-iot
-  ms.author: raynew
+  ms.author: lwainstein
   ms.topic: landing-page
   ms.collection: M365-security-compliance
-  author: batamig
-  manager: raynew
+  author: lwainstein
+  manager: orspodek
   ms.date: 01/01/2023
 
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
 
@@ -7,7 +7,7 @@ metadata:
   title: Microsoft Defender for IoT - OT monitoring appliance reference
   description: Learn about the appliances available for use with Microsoft Defender for IoT OT sensors.
   ms.topic: landing-page
-  ms.author: raynew
+  ms.author: lwainstein
   ms.date: 07/24/2022
 
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
 
@@ -6,11 +6,9 @@ metadata:
   title: Microsoft Defender for IoT documentation for organizations
   description: Microsoft Defender for IoT provides comprehensive threat detection for IoT/OT environments, with multiple deployment options that include cloud-connected, fully on-premises, or hybrid.
   ms.service: defender-for-iot
-  ms.author: raynew
+  ms.author: lwainstein
   ms.topic: landing-page
   ms.collection: M365-security-compliance
-  author: batamig
-  manager: raynew
   ms.date: 07/10/2022
 
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
 
@@ -36,8 +36,6 @@
         href: backup-plan-to-protect-against-ransomware.md
       - name: Ransomware protection with Azure Firewall Premium
         href: ransomware-protection-with-azure-firewall.md
-      - name: Recovering from systemic identity compromise
-        href: recover-from-identity-compromise.md
   - name: Threat protection
     href: threat-detection.md
 
 
@@ -1,10 +1,10 @@
 ---
-title: Automate threat response with playbooks in Microsoft Sentinel | Microsoft Docs
-description: This article explains automation in Microsoft Sentinel, and shows how to use playbooks to automate threat prevention and response.
+title: Automate Threat Response with Playbooks in Microsoft Sentinel
+description: Learn how to automate threat response in Microsoft Sentinel using playbooks to efficiently manage security alerts and incidents.
 ms.topic: conceptual
 author: batamig
 ms.author: bagol
-ms.date: 03/14/2024
+ms.date: 05/27/2025
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
     - Microsoft Sentinel in the Azure portal
@@ -15,33 +15,33 @@ ms.collection: usx-security
 
 # Automate threat response with playbooks in Microsoft Sentinel
 
-SOC analysts deal with numerous security alerts and incidents, and the sheer volume can overwhelm teams, leading to ignored alerts and uninvestigated incidents. Many alerts and incidents can be addressed by the same sets of predefined remediation actions, which can be automated to make the SOC more efficient and free up analysts for deeper investigations.
+Security operations centers (SOCs) face a constant stream of security alerts and incidents. Managing these efficiently is critical to keeping your organization’s security strong. Microsoft Sentinel playbooks are automated workflows that help you respond to threats quickly and consistently. This article shows how to use playbooks in Microsoft Sentinel to automate threat response, cut manual effort, and let your team focus on deeper investigations.
 
-Use Microsoft Sentinel playbooks to run preconfigured sets of remediation actions to help [automate and orchestrate your threat response](tutorial-respond-threats-playbook.md). Run playbooks automatically, in response to specific alerts and incidents that trigger a configured [automation rule](../automate-incident-handling-with-automation-rules.md), or manually and on-demand for a particular entity or alert.
+Use Microsoft Sentinel playbooks to run preconfigured sets of remediation actions and [automate and orchestrate your threat response](tutorial-respond-threats-playbook.md). Run playbooks automatically in response to specific alerts and incidents that trigger a configured [automation rule](../automate-incident-handling-with-automation-rules.md), or run them manually for a particular entity or alert.
 
-For example, if an account and machine are compromised, a playbook can automatically isolate the machine from the network and block the account by the time the SOC team is notified of the incident.
+For example, if an account and machine are compromised, a playbook can automatically isolate the machine from the network and block the account before the SOC team gets notified of the incident.
 
 > [!NOTE]
-> Because playbooks make use of Azure Logic Apps, additional charges may apply. Visit the [Azure Logic Apps](https://azure.microsoft.com/pricing/details/logic-apps/) pricing page for more details.
+> Because playbooks use Azure Logic Apps, additional charges can apply. Go to the [Azure Logic Apps](https://azure.microsoft.com/pricing/details/logic-apps/) pricing page for more details.
 
 [!INCLUDE [unified-soc-preview](../includes/unified-soc-preview.md)]
 
 ## Recommended use cases
 
-The following table lists high-level use cases where we recommend using Microsoft Sentinel playbooks to automate your threat response:
+The following table lists common use cases where Microsoft Sentinel playbooks help automate threat response:
 
 |Use case  |Description  |
 |---------|---------|
-|**Enrichment**     |    Collect data and attach it to an incident to help your team make smarter decisions.   |
-|**Bi-directional sync**     | Sync Microsoft Sentinel incidents with other ticketing systems. For example, create an automation rule for all incident creations, and attach a playbook that opens a ticket in ServiceNow.        |
-|**Orchestration**     | Use the SOC team's chat platform to better control the incidents queue. For example, send a message to your security operations channel in Microsoft Teams or Slack to make sure your security analysts are aware of the incident.      |
-|**Response**     |  Immediately respond to threats, with minimal human dependencies, such as when a compromised user or machine is indicated. Alternately, manually trigger a series of automated steps during an investigation or while hunting.     |
+|**Enrichment**     |    Collect data and attach it to an incident so your team can make better decisions.   |
+|**Bi-directional sync**     | Sync Microsoft Sentinel incidents with other ticketing systems. For example, create an automation rule for all new incidents, and attach a playbook that opens a ticket in ServiceNow.        |
+|**Orchestration**     | Use the SOC team's chat platform to manage the incident queue. For example, send a message to your security operations channel in Microsoft Teams or Slack so your security analysts know about the incident.      |
+|**Response**     |  Respond to threats right away with minimal human involvement, such as when a compromised user or machine is detected. Or, manually trigger automated steps during an investigation or while hunting.     |
 
 For more information, see [Recommended playbook use cases, templates, and examples](playbook-recommendations.md).
 
 ## Prerequisites
 
-The following roles are required to use Azure Logic Apps to create and run playbooks in Microsoft Sentinel.
+You need the following roles to use Azure Logic Apps to create and run playbooks in Microsoft Sentinel.
 
 [!INCLUDE [playbooks-roles](../includes/playbooks-roles.md)]
 
@@ -56,15 +56,15 @@ The following roles are required to use Azure Logic Apps to create and run playb
 
 Playbook templates are prebuilt, tested, and ready-to-use workflows that aren't usable as playbooks themselves, but are ready for you to customize to meet your needs. We also recommend that you use playbook templates as a reference of best practices when developing playbooks from scratch, or as inspiration for new automation scenarios.
 
-Access playbook templates from the following sources:
+Get playbook templates from these sources:
 
 |Location  |Description  |
 |---------|---------|
-|**Microsoft Sentinel Automation page**     |  The **Playbook templates** tab lists all installed playbooks. Create one or more active playbooks using the same template.  <br><br>When we publish a new version of a template, any active playbooks created from that template have an extra label added in the **Active playbooks** tab to indicate that an update is available.    |
-|**Microsoft Sentinel Content hub page**     |   Playbook templates are available as part of product solutions or standalone content installed from the **Content hub**.  <br><br>For more information, see: <br> [About Microsoft Sentinel content and solutions](../sentinel-solutions.md) <br>[Discover and manage Microsoft Sentinel out-of-the-box content](../sentinel-solutions-deploy.md)|
-|**GitHub**     |    The [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks) contains many other playbook templates. Select **Deploy to Azure** to deploy a template to your Azure subscription.|
+|**Microsoft Sentinel Automation page**     |  The **Playbook templates** tab shows all installed playbooks. Create one or more active playbooks using the same template.  <br><br>When a new version of a template is published, any active playbooks created from that template get an extra label in the **Active playbooks** tab to show that an update is available.    |
+|**Microsoft Sentinel Content hub page**     |   Playbook templates are part of product solutions or standalone content you install from the **Content hub**.  <br><br>For more information, see: <br> [About Microsoft Sentinel content and solutions](../sentinel-solutions.md) <br>[Discover and manage Microsoft Sentinel out-of-the-box content](../sentinel-solutions-deploy.md)|
+|**GitHub**     |    The [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks) has many other playbook templates. Select **Deploy to Azure** to deploy a template to your Azure subscription.|
 
-Technically, a playbook template is an [Azure Resource Manager (ARM) template](/azure/azure-resource-manager/templates/), which consists of several resources: an Azure Logic Apps workflow and API connections for each connection involved.
+A playbook template is an [Azure Resource Manager (ARM) template](/azure/azure-resource-manager/templates/) that includes several resources: an Azure Logic Apps workflow and API connections for each connection involved.
 
 For more information, see:
 
@@ -74,15 +74,15 @@ For more information, see:
 
 ## Playbook creation and usage workflow
 
-Use the following workflow to create and run Microsoft Sentinel playbooks:
+Follow these steps to create and run Microsoft Sentinel playbooks:
 
-1. Define your automation scenario. We recommend that you review [recommended playbooks use cases](playbook-recommendations.md#recommended-playbook-use-cases) and [playbook templates](playbook-recommendations.md#recommended-playbook-templates) to start.
+1. Define your automation scenario. Review [recommended playbooks use cases](playbook-recommendations.md#recommended-playbook-use-cases) and [playbook templates](playbook-recommendations.md#recommended-playbook-templates) to get started.
 
 1. If you're not using a template, create your playbook and build your logic app. For more information, see [Create and manage Microsoft Sentinel playbooks](create-playbooks.md).
 
     Test your logic app by running it manually. For more information, see [Run a playbook manually, on demand](run-playbooks.md#run-a-playbook-manually-on-demand).
 
-1. Configure your playbook to run automatically on a new alert or incident creation, or run it manually as needed for your processes. For more information, see [Respond to threats with Microsoft Sentinel playbooks](run-playbooks.md).
+1. Set up your playbook to run automatically when a new alert or incident is created, or run it manually as needed for your process. For more information, see [Respond to threats with Microsoft Sentinel playbooks](run-playbooks.md).
 
 ## Related content
 
 
@@ -1,10 +1,10 @@
 ---
-title: Connect your data sources to Microsoft Sentinel by using data connectors
-description: Learn how to install and configure a data connector in Microsoft Sentinel.
-author: cwatson-cat
+title: Connect Data Sources to Microsoft Sentinel Using Data Connectors
+description: Learn how to connect data sources to Microsoft Sentinel using data connectors for improved threat detection.
+author: batamig
 ms.topic: how-to
-ms.date: 03/28/2024
-ms.author: cwatson
+ms.date: 05/27/2025
+ms.author: bagol
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
     - Microsoft Sentinel in the Azure portal
@@ -15,21 +15,20 @@ ms.collection: usx-security
 
 ---
 
-# Connect your data sources to Microsoft Sentinel by using data connectors
+# Connect data sources to Microsoft Sentinel by using data connectors
 
-Install and configure data connectors to ingest your data into Microsoft Sentinel. Data connectors are available as part of solutions from the content hub in Microsoft Sentinel. After you install a solution from the content hub, the related data connectors are available to enable and configure. To find and install solutions that include data connectors, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md). 
-
-This article provides general information about how to enable a data connector and how to find more detailed installation instructions for other data connectors. For more information about data connectors in Microsoft Sentinel, see the following articles:
+Connect data sources to Microsoft Sentinel by installing and configuring data connectors. This article generally explains how to install data connectors available in the Microsoft Sentinel **Content hub** to ingest and analyze data for improved threat detection.
 
 - [Microsoft Sentinel data connectors](connect-data-sources.md)
 - [Find your Microsoft Sentinel data connector](data-connectors-reference.md)
-
+- [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md)
 
 [!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
 
 ## Prerequisites
 
 Before you begin, make sure you have the appropriate access and you or someone in your organization installs the related solution.
+
 - You must have read and write permissions on the Microsoft Sentinel workspace.
 - Install the solution that includes the data connector from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
 
@@ -38,8 +37,10 @@ Before you begin, make sure you have the appropriate access and you or someone i
 
 After you or someone in your organization installs the solution that includes the data connector you need, configure the data connector to start ingesting data.
 
-1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Configuration**, select **Data connectors**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Configurations** > **Data connectors**.
-1. Search for and select the connector. If you don't see the data connector you want, install the solution associated with it from the **Content Hub**.
+1. For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Configurations** > **Data connectors**. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Configuration**, select **Data connectors**.
+
+1. Search for and select the connector. If you don't see the data connector you want, check again that the relevant solution is installed in the **Content hub**.
+
 1. Select **Open connector page**.  
 
    #### [Defender portal](#tab/defender-portal)
@@ -48,32 +49,24 @@ After you or someone in your organization installs the solution that includes th
    :::image type="content" source="media/configure-data-connector/open-connector-page-option.png" alt-text="Screenshot of data connector details page with open connector page button.":::
    ---
 
-1. Review the **Prerequisites**. To configure the data connector, fulfill all the prerequisites.
-1. Follow the steps outlined in the **Configurations** section.
+1. Review the **Prerequisites** for your data connector and ensure that they're fulfilled.
+
+1. Follow the steps outlined in the **Configurations** section for your data connector.
 
-   For some connectors, find more specific configuration information in the **Collect data** section in the Microsoft Sentinel documentation. For example, see the following articles:
+   For some connectors, find more specific configuration information in the **Collect data** section in the Microsoft Sentinel documentation.
+
    - [Connect Microsoft Sentinel to Azure, Windows, Microsoft, and Amazon services](connect-azure-windows-microsoft-services.md)
-   - [Find your Microsoft Sentinel data connector](data-connectors-reference.md)
+   - [Data connector prerequisites](data-connectors-reference.md#windows-security-events-via-ama)
 
    After you configure the data connector, it might take some time for the data to be ingested into Microsoft Sentinel. When the data connector is connected, you see a summary of the data in the **Data received** graph, and the connectivity status of the data types.  
 
    :::image type="content" source="media/configure-data-connector/connected-data-connector.png" alt-text="Screenshot of a data connector page with status connected and graph that shows the data received.":::
 
 ## Find your data
 
-After you enable the connector successfully, the connector begins to stream data to the table schemas related to the data types you configurated.
+After you enable the connector successfully, the connector begins to stream data to the table schemas related to the data types you configured.
 
-To view the data:
-
-#### [Defender portal](#tab/defender-portal-1)
-
-See [Where to find your Microsoft Sentinel data in Microsoft Defender portal](/defender-xdr/advanced-hunting-microsoft-defender#where-to-find-your-microsoft-sentinel-data).
-
-#### [Azure portal](#tab/azure-portal-1)
-
-Query the tables in the Microsoft Sentinel workspace linked to your Microsoft Sentinel workspace.
-
----
+In the Defender portal, query data in the **Advanced hunting** page, or in the Azure portal, query data in the **Logs** page.
 
 ## Find support for a data connector
 
@@ -92,6 +85,4 @@ For more information about solutions and data connectors in Microsoft Sentinel,
 
 - [Microsoft Sentinel data connectors](connect-data-sources.md)
 - [Find your Microsoft Sentinel data connector](data-connectors-reference.md)
--  [Connect Microsoft Sentinel to Azure, Windows, Microsoft, and Amazon services](connect-azure-windows-microsoft-services.md)
-- [About Microsoft Sentinel content and solutions](sentinel-solutions.md)
-- [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md)
+- [Connect Microsoft Sentinel to Azure, Windows, Microsoft, and Amazon services](connect-azure-windows-microsoft-services.md)