MicrosoftDocs
diff --git a/‎CloudAppSecurityDocs/cloud-discovery-anomaly-detection-policy.md‎
Lines changed: 1 addition & 1 deletion b/‎CloudAppSecurityDocs/cloud-discovery-anomaly-detection-policy.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎defender-endpoint/linux-install-with-saltack.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/linux-install-with-saltack.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/microsoft-defender-endpoint-linux.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/microsoft-defender-endpoint-linux.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/respond-machine-alerts.md‎
Lines changed: 98 additions & 93 deletions b/‎defender-endpoint/respond-machine-alerts.md‎
Lines changed: 98 additions & 93 deletions
diff --git a/‎defender-xdr/advanced-hunting-defender-results.md‎
Lines changed: 84 additions & 1 deletion b/‎defender-xdr/advanced-hunting-defender-results.md‎
Lines changed: 84 additions & 1 deletion
@@ -14,7 +14,7 @@ A cloud discovery anomaly detection policy enables you to set up and configure c
 This article describes how to create and configure a cloud discovery anomaly detection policy in Microsoft Defender for Cloud Apps.
 
 > [!IMPORTANT]
-> Starting August 2024, **cloud discovery anomaly** support for Microsoft Defender for Cloud Apps is retired. As such, the legacy procedure presented in this article is provided for informational purposes only. If you want to receive security alerts similar to anomaly detection, complete the steps in [Create app discovery policy](#create-app-discovery-policy).
+> Starting August 2024, **cloud discovery anomaly** support for Microsoft Defender for Cloud Apps is retired. As such, the legacy procedure presented in this article is provided for informational purposes only. If you want to receive security alerts similar to anomaly detection, complete the steps in [Create app discovery policy](cloud-discovery-policies.md).
 
 ## Create app discovery policy
 
 
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/11/2024
+ms.date: 12/04/2024
 ---
 
 # Deploy Microsoft Defender for Endpoint on Linux with Saltstack
@@ -43,7 +43,7 @@ Here are a few important points:
 
 - Saltstack is installed on at least one computer (Saltstack calls the computer as the master).
 - The Saltstack master accepted the managed nodes (Saltstack calls the nodes as minions) connections.
-- The Saltstack minions are able to resolve communication to the Saltstack master (be default the minions try to communicate with a machine named 'salt').
+- The Saltstack minions are able to resolve communication to the Saltstack master (by default the minions try to communicate with a machine named *salt*).
 - Run the following ping test: `sudo salt '*' test.ping`
 - The Saltstack master has a file server location where the Microsoft Defender for Endpoint files can be distributed from (by default Saltstack uses the `/srv/salt` folder as the default distribution point)
 
 
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/23/2024
+ms.date: 12/04/2024
 ---
 
 # Microsoft Defender for Endpoint on Linux
@@ -107,7 +107,7 @@ If you experience any installation failures, see [Troubleshooting installation f
   > [!NOTE]
   > Distributions and version that are not explicitly listed are unsupported (even if they are derived from the officially supported distributions).
   > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that which are listed in this section are provided for technical upgrade support only.
-  > Microsoft Defender Vulnerablity Management is not supported on Rocky and Alma currently.
+  > Microsoft Defender Vulnerability Management is not supported on Rocky and Alma currently.
   > Microsoft Defender for Endpoint for all other supported distributions and versions is kernel-version-agnostic. With a minimal requirement for the kernel version to be at or greater than 3.10.0-327.
 
   > [!CAUTION]
 
@@ -23,7 +23,7 @@ ms.custom:
 appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
-ms.date: 08/07/2024
+ms.date: 11/19/2024
 ---
 
 # Work with advanced hunting results containing Microsoft Sentinel data
@@ -47,3 +47,86 @@ You can also right-click on any result value in a row so that you can use it to:
 
 For Microsoft Defender XDR data, you can take further action by selecting the checkboxes to the left of each result row. Select **Link to incident** to link the selected results to an incident (read [Link query results to an incident](advanced-hunting-link-to-incident.md)) or **Take actions** to open the Take actions wizard (read [Take action on advanced hunting query results](advanced-hunting-take-action.md)).
 
+## Link query results to an incident
+
+You can use the link to incident feature to add advanced hunting query results to a new or existing incident under investigation. This feature helps you to easily capture records from advanced hunting activities, which allows you to create a richer timeline or context of events regarding an incident.
+
+### Link results to new or existing incidents
+
+1.	In the advanced hunting query pane, enter your query in the query field provided, then select **Run query** to get your results.
+   :::image type="content" source="/defender/media/advanced-hunting-results-link1.png" alt-text="Screenshot of the advanced hunting page in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link1.png":::
+
+2.	In the Results page, select the events or records that are related to a new or current investigation you're working on, then select **Link to incident**.
+   :::image type="content" source="/defender/media/advanced-hunting-results-link2.png" alt-text="Screenshot of the link to incident feature in advanced hunting in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link2.png":::
+
+3.	In the **Alert details** section in the Link to incident pane, select **Create new incident** to convert the events to alerts and group them to a new incident:
+
+    You can also select **Link to an existing incident** to add the selected records to an existing incident. Choose the related incident from the dropdown list of existing incidents. You can also enter the first few characters of the incident name or ID to find the incident you want.<br>
+   :::image type="content" source="/defender/media/advanced-hunting-results-link4.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link4.png":::
+4.	For either selection, provide the following details, then select **Next**:
+    - **Alert title** – a descriptive title for the results that your incident responders can understand; this descriptive title becomes the alert title
+    - **Severity** – choose the severity applicable to the group of alerts
+    - **Category** – choose the appropriate threat category for the alerts
+    - **Description** – give a helpful description of the grouped alerts
+    - **Recommended actions** – list the recommended remediation actions for the security analysts who are investigating the incident
+5.	In the **Entities** section, select the entities that are involved in the suspicious events. Those entities are used to correlate other alerts to the linked incident and are visible from the incident page. 
+
+      For Microsoft Defender XDR data, the entities are automatically selected. If the data is from Microsoft Sentinel, you need to select the entities manually.
+
+      There are two sections for which you can select entities:
+
+    a. **Impacted assets** – impacted assets that appear in the selected events should be added here. The following types of assets can be added: 
+    - Account
+    - Device
+    - Mailbox
+    - Cloud application
+    - Azure resource
+    - Amazon Web Services resource
+    - Google Cloud Platform resource
+
+    b. **Related evidence** – non-assets that appear in the selected events can be added in this section. The supported entity types are:
+    - Process
+    - File
+    - Registry value
+    - IP
+    - OAuth application
+    - DNS
+    - Security group
+    - URL
+    - Mail cluster
+    - Mail message
+ 
+> [!NOTE]
+> For queries containing only XDR data, only entity types that are available in XDR tables are shown.
+
+6. After an entity type is selected, select an identifier type that exists in the selected records so that it can be used to identify this entity. Each entity type has a list of supported identifiers, as can be seen in the relevant drop down. Read the description displayed when hovering on each identifier to better understand it.
+7. After selecting the identifier, select a column from the query results that contain the selected identifier. You can select **Explore query and results** to open the advanced hunting context panel. This allows you to explore your query and results to make sure you chose the right column for the selected identifier. 
+     <br>
+    :::image type="content" source="/defender/media/advanced-hunting-defender-results-identifier.png" alt-text="Screenshot of the link to incident wizard entities branch in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-defender-results-identifier.png":::
+     <br>
+    In our example, we used a query to find events related to a possible email exfiltration incident, therefore the recipient's mailbox and recipient's account are the impacted entities, and the sender's IP as well as email message are related evidence.
+    
+    :::image type="content" source="/defender/media/advanced-hunting-defender-results-link-entities.png" alt-text="Screenshot of the link to incident wizard full entities branch in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-defender-results-link-entities.png":::
+    
+    A different alert is created for each record with a unique combination of impacted entities. In our example, if there are three different recipient mailboxes and recipient object ID combinations, for instance, then three alerts are created and linked to the chosen incident.
+
+6. Select **Next**.
+7. Review the details you've provided in the Summary section. 
+8.	Select **Done**.
+
+### View linked records in the incident
+You can select the generated link from the summary step of the wizard or select the incident name from the incident queue, to view the incident to which the events are linked.
+
+:::image type="content" source="/defender/media/advanced-hunting-results-link7.png" alt-text="Screenshot of the summary step in the link to incident wizard in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link7.png":::
+
+In our example, the three alerts, representing the three selected events, were linked successfully to a new incident.
+In each of the alert pages, you can find the complete information on the event or events in timeline view (if available) and the query results view. 
+
+You can also select the event from the timeline view or from the query results view to open the **Inspect record** pane.
+
+:::image type="content" source="/defender/media/advanced-hunting-results-link8.png" alt-text="Screenshot of the incident page in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link8.png":::
+
+### Filter for events added using advanced hunting
+You can view which alerts were generated from advanced hunting by filtering incidents and alerts by **Manual** detection source 
+
+:::image type="content" source="/defender/media/advanced-hunting-results-link9.png" alt-text="Screenshot of the filter dropdown in advanced hunting in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link9.png":::