articles/sentinel/create-incident-manually.md
3 additions & 3 deletions
@@ -19,11 +19,11 @@ ms.date: 08/17/2022
With Microsoft Sentinel as your security information and event management (SIEM) solution, your security operations' threat detection and response activities are centered on **incidents** that you investigate and remediate. These incidents have two main sources:
-
- They are generated automatically by detection mechanisms that operate on the logs and alerts that Sentinel ingests from its connected data sources.
+
- They are generated automatically when detection mechanisms operate on the logs and alerts that Microsoft Sentinel ingests from its connected data sources.
- They are ingested directly from other connected Microsoft security services (such as [Microsoft Defender XDR](microsoft-365-defender-sentinel-integration.md)) that created them.
-
However, threat data can also come from other sources *not ingested into Microsoft Sentinel*, or events not recorded in any log, and yet can justify opening an investigation. For example, an employee might witness an unrecognized person engaging in suspicious activity related to your organization’s information assets, and this employee might call or email the security operations center (SOC) to report the activity.
+
However, threat data can also come from other sources *not ingested into Microsoft Sentinel*, or events not recorded in any log, and yet can justify opening an investigation. For example, an employee might notice an unrecognized person engaging in suspicious activity related to your organization’s information assets. This employee might call or email the security operations center (SOC) to report the activity.
Microsoft Sentinel allows your security analysts to manually create incidents for any type of event, regardless of its source or data, so you don't miss out on investigating these unusual types of threats.
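Review bot: The two-source list in this introduction is now incomplete for workspaces onboarded to the unified security operations platform: the microsoft-sentinel-defender-portal.md change in this same commit states that incidents created manually or through the API are not synchronized to that platform and links back to this article for details. Add a sentence (or a note pointing at the capability-differences table) after the list so that a reader working in the Defender portal knows a manually created incident will only appear in the Azure portal and the API.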
@@ -39,7 +39,7 @@ Create incidents based on events from systems whose logs are not ingested into M
### Create incidents based on hunting results
-
Create incidents based on the observed results of hunting activities. For example, in the course of your threat hunting activities in relation to a particular investigation (or independently), you might come across evidence of a completely unrelated threat that warrants its own separate investigation.
+
Create incidents based on the observed results of hunting activities. For example, while threat hunting in the context of a particular investigation (or on your own), you might come across evidence of a completely unrelated threat that warrants its own separate investigation.
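Review bot: The replacement wording "(or on your own)" is ambiguous; in the old text "(or independently)" meant hunting that is not tied to any investigation, whereas "on your own" reads as hunting alone rather than as a team. Suggest "while threat hunting, whether in the context of a particular investigation or outside of one," to keep the original meaning.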
articles/sentinel/microsoft-sentinel-defender-portal.md
5 additions & 6 deletions
@@ -46,7 +46,7 @@ The following capabilities are only available in the Defender portal.
| Capability | Learn more |
| ---------- | ---------- |
| Attack disruption for SAP |[Automatic attack disruption in the Microsoft Defender portal](/microsoft-365/security/defender/automatic-attack-disruption)|
-
+
| Removing alerts from incidents | After onboarding Microsoft Sentinel to the unified security operations platform, you can no longer remove alerts from incidents in the Azure portal. <br><br>You can remove an alert from an incident in the Defender portal, but only by linking the alert to another incident (existing or new). |
### Azure portal only
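Review bot: The new "Removing alerts from incidents" row changes the documented behaviour (the row being deleted further down in this file said alerts can no longer be removed at all; this one says they can, but only by linking them to another incident), yet its "Learn more" cell is free text with no link, unlike the row above it. Point it at relate-alerts-to-incidents.md, which the same commit updates with the matching statement, so the two articles cannot drift apart again.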
@@ -55,11 +55,12 @@ The following capabilities are only available in the Azure portal.
| Capability | Learn more |
| ---------- | ---------- |
| Add entities to threat intelligence from incidents |[Add entity to threat indicators](add-entity-to-threat-intelligence.md)|
-
| Advanced multistage attack detection | The Fusion analytics rule, which creates incidents based on alert correlations made by the Fusion correlation engine, is disabled when you onboard Microsoft Sentinel to the unified security operations platform. <br><br>The unified security operations platform uses Microsoft Defender XDR's incident-creation rules and correlation engine to replace the Fusion engine's functionality. <br><br>For more information, see [Advanced multistage attack detection in Microsoft Sentinel](fusion.md)|
+
| Advanced multistage attack detection | The Fusion analytics rule, which creates incidents based on alert correlations made by the Fusion correlation engine, is disabled when you onboard Microsoft Sentinel to the unified security operations platform. <br><br>The unified security operations platform uses Microsoft Defender XDR's incident-creation and correlation functionalities to replace those of the Fusion engine. <br><br>For more information, see [Advanced multistage attack detection in Microsoft Sentinel](fusion.md)|
| Automation | Some automation procedures are available only in the Azure portal. <br><br>Other automation procedures are the same in the Defender and Azure portals, but differ in the Azure portal between workspaces that are onboarded to the unified security operations platform and workspaces that aren't. <br><br>For more information, see [Automation with the unified security operations platform](automation.md#automation-with-the-unified-security-operations-platform). |
| Hunt using bookmarks |[Bookmarks](/azure/sentinel/bookmarks) aren't supported in the advanced hunting experience in the Microsoft Defender portal. In the Defender portal, they are supported in the **Microsoft Sentinel > Threat management > Hunting**. |
| Tasks |[Use tasks to manage incidents in Microsoft Sentinel](incident-tasks.md)|
-
| Programmatic and manual creation of incidents | Incidents created in Microsoft Sentinel through the API, by a Logic App playbook, or manually from the Azure portal, are not synchronized to the unified platform in the Defender portal. These incidents are still supported in the Azure portal and the API. See [Create your own incidents manually in Microsoft Sentinel](create-incident-manually.md). |
+
| Programmatic and manual creation of incidents | Incidents created in Microsoft Sentinel through the API, by a Logic App playbook, or manually from the Azure portal, are not synchronized to the unified security operations platform. These incidents are still supported in the Azure portal and the API. See [Create your own incidents manually in Microsoft Sentinel](create-incident-manually.md). |
+
| Reopening closed incidents | In the unified security operations platform, you can't set alert grouping in Microsoft Sentinel analytics rules to reopen closed incidents if new alerts are added. <br>Closed incidents aren't reopened in this case, and new alerts trigger new incidents. |
### Other portal differences
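Review bot: The added "Reopening closed incidents" row sits in the "Azure portal only" capability table but describes only what the unified security operations platform cannot do, and its "Learn more" cell has no link; the other rows name the capability that remains available and link to its article. State the Azure-portal behaviour explicitly (alert grouping in analytics rules can reopen a closed incident when new alerts match) and link to the alert-grouping section of the analytics-rule documentation, and use the same `<br><br>` separator the neighbouring rows use instead of a single `<br>`.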
@@ -68,9 +69,7 @@ The following table describes the significant differences between the portals th
| Feature area | Description |
| ------------ | ----------- |
| Data connectors | In the Defender portal, after you onboard Microsoft Sentinel, the following data connectors that are part of the unified security operations platform aren't shown in the **Data connectors** page:<li>Microsoft Defender for Cloud Apps<li>Microsoft Defender for Endpoint<li>Microsoft Defender for Identity<li>Microsoft Defender for Office 365 (Preview)<li>Microsoft Defender XDR<li>Subscription-based Microsoft Defender for Cloud (Legacy)<li>Tenant-based Microsoft Defender for Cloud (Preview)<br><br>In the Azure portal, these data connectors are still listed with the installed data connectors in Microsoft Sentinel. |
-
| Incident comments | After onboarding Microsoft Sentinel to the unified security operations platform in the Defender portal, you can add comments to incidents, but you can't edit existing comments that were created at the time the incident was created. |
-
| Reopening closed incidents | In the Defender portal, the option to set alert grouping in Microsoft Sentinel analytics rules to reopen closed incidents if new alerts are added to them is not currently available. Closed incidents will not reopen in this case, and instead the new alerts will result in the creation of new incidents. |
-
| Removing alerts from incidents | After onboarding Microsoft Sentinel to the unified security operations platform in the Defender portal, you can no longer remove Microsoft Sentinel alerts from Microsoft Sentinel incidents. |
+
| Incident comments | After onboarding Microsoft Sentinel to the unified security operations platform, you can add comments to incidents in either portal, but you can't edit existing comments. <br><br>(Edits made to comments in the Azure portal will not synchronize to the unified platform.) |
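Review bot: The rewritten "Incident comments" row contradicts itself: the first sentence says you can't edit existing comments in either portal, and the parenthetical then describes what happens to edits made in the Azure portal. Say which portal blocks editing, for example "you can't edit existing comments in the Defender portal; comments edited in the Azure portal keep the edit there but the change doesn't synchronize to the unified security operations platform." Also, the original row's qualifier "comments that were created at the time the incident was created" has been dropped; if that distinction no longer holds, fine, but if only those comments are locked the new text over-states the restriction.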
articles/sentinel/relate-alerts-to-incidents.md
2 additions & 0 deletions
@@ -31,6 +31,8 @@ You can also use this automation to add alerts to [manually created incidents](c
You *can* add Microsoft Defender XDR alerts to non-Defender incidents, and non-Defender alerts to Defender incidents, in the Microsoft Sentinel portal.
+
- If you onboarded Microsoft Sentinel to the unified security operations portal, you can no longer add Microsoft Sentinel alerts to incidents, or remove Microsoft Sentinel alerts from incidents, in Microsoft Sentinel (in the Azure portal). You can do this only in the Microsoft Defender portal. For more information, see [Capability differences between portals](microsoft-sentinel-defender-portal.md#capability-differences-between-portals).
+
- An incident can contain a maximum of 150 alerts. If you try to add an alert to an incident with 150 alerts in it, you will get an error message.
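Review bot: The added bullet says "unified security operations portal" while every other occurrence in this commit (including the capability table it links to) uses "unified security operations platform"; use the platform wording. The unchanged sentence just above it also still says without qualification that you can add Defender XDR alerts to non-Defender incidents "in the Microsoft Sentinel portal", which the new bullet says is no longer possible once onboarded; add "if you haven't onboarded to the unified security operations platform" to that sentence so the two statements agree.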