Merge branch 'main' into patch-6

Author: chrisda

.openpublishing.redirection.defender.json

@@ -109,6 +109,16 @@
       "source_path": "defender-endpoint/defender-endpoint-demonstration-amsi.md",
       "redirect_url": "/defender-endpoint/mde-demonstration-amsi",
       "redirect_document_id": true
-    }    
+    },
+    {
+      "source_path": "defender-xdr/tickets.md",
+      "redirect_url": "/defender-xdr/troubleshoot",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/portal-submission-troubleshooting.md",
+      "redirect_url": "/defender-xdr/troubleshoot",
+      "redirect_document_id": false
+    }            
   ]
 }

defender-office-365/air-about.md

@@ -7,7 +7,7 @@ ms.author: chrisda
 manager: deniseb
 audience: ITPro
 ms.topic: conceptual
-ms.date: 06/09/2023
+ms.date: 10/22/2024
 ms.localizationpriority: medium
 search.appverid:
 - MET150
@@ -79,7 +79,9 @@ In addition, make sure to review your organization's [alert policies](alert-poli
 
 ## Which alert policies trigger automated investigations?
 
-Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](/purview/alert-policies#default-alert-policies) can trigger automated investigations. The following table describes the alerts that trigger automated investigations, their severity in the Microsoft Defender portal, and how they're generated:
+Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](/purview/alert-policies#default-alert-policies) can trigger automated investigations. If these alerts are disabled or replaced by custom alerts, AIR isn't triggered. 
+
+The following table describes the alerts that trigger automated investigations, their severity in the Microsoft Defender portal, and how they're generated:
 
 |Alert|Severity|How the alert is generated|
 |---|---|---|

defender-office-365/attack-simulation-training-faq.md

@@ -256,7 +256,10 @@ A: Several options are available to target users:
 - Include all users (currently available to organizations with less than 40,000 users).
 - Choose specific users.
 - Select users from a CSV file (one email address per line).
-- Microsoft Entra group-based targeting.
+- Microsoft Entra group-based targeting. The following group types are supported:
+  - Microsoft 365 Groups (static and dynamic)
+  - Distribution groups (static only)
+  - Mail-enabled security groups (static only)
 
 We find that campaigns where the targeted users are identified by Microsoft Entra groups are easier to manage.
 
@@ -282,7 +285,7 @@ Managing a large CSV file or adding many individual recipients can be cumbersome
 > [!TIP]
 > Currently, shared mailboxes aren't supported in Attack simulation training. Simulations should target user mailboxes or groups containing user mailboxes.
 >
-> Distribution groups are expanded and the list of users is generated at the time of saving the simulation or simulation automation.
+> Groups are expanded and the list of users is generated at the time of saving the simulation, simulation automation, or training campaign.
 
 ### Q: Are the limits for the number of simulations that can be deployed during a specific time interval?
 

defender-xdr/TOC.yml

@@ -549,18 +549,14 @@
                 href: configure-email-notifications.md
             - name: Set time zone
               href: m365d-time-zone.md
-            - name: Troubleshoot service issues
-              href: troubleshoot.md
             - name: Set up dynamic rules for devices
               href: configure-asset-rules.md
             - name: Provide feedback
               href: feedback.md
             - name: Provide managed service provider (MSSP) access
               href: mssp-access.md
-            - name: Create ServiceNow tickets and tasks
-              items:
-              - name: ServiceNow integration overview
-                href: ./tickets.md
+        - name: Troubleshoot service issues
+          href: troubleshoot.md              
         - name: Microsoft Defender XDR APIs
           items:
             - name: Overview
@@ -627,8 +623,6 @@
                  href: /defender-endpoint/technological-partners
                - name: Professional services supported by Microsoft Defender XDR
                  href: /defender-endpoint/professional-services
-            - name: Understand threat intelligence concepts
-              href: /defender-endpoint/threat-indicator-concepts
         - name: Bi-directional connector for Microsoft Sentinel
           href: microsoft-365-defender-integration-with-azure-sentinel.md
     - name: Resources
@@ -641,8 +635,8 @@
           href: criteria.md
         - name: Submit files for analysis
           href: submission-guide.md
-        - name: Troubleshoot MSI portal errors caused by admin block
-          href: portal-submission-troubleshooting.md
+        - name: Understand threat intelligence concepts
+          href: /defender-endpoint/threat-indicator-concepts          
         - name: Microsoft virus initiative
           href: virus-initiative-criteria.md
         - name: Software developer FAQ