Update investigation priority score section

Author: batamig

CloudAppSecurityDocs/investigate-anomaly-alerts.md

@@ -713,41 +713,12 @@ Establishing a new user's activity pattern requires an initial learning period o
 
 ### Investigation priority score increase (legacy)
 
-> [!IMPORTANT]
-> Starting November 2024, **Investigate risky users** support for Microsoft Defender for Cloud Apps is retired.
->
-> If this feature was used in your organization and is needed, we recommend using the Entra risk score feature. Please use the following resources for additional information:
->
->[Investigate risk Microsoft Entra ID Protection - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/howto-identity-protection-investigate-risk)
->
->[Microsoft Entra ID Protection risk-based access policies - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/concept-identity-protection-policies)
-> 
-
-Anomalous activities and activities that triggered alerts are given scores based on severity, user impact, and behavioral analysis of the user. The analysis is done based on other users in the tenants.
-
-When there's a significant and anomalous increase in the investigation priority score of a certain user, the alert will be triggered.
-
-This alert enables detecting potential breaches that are characterized by activities that don't necessarily trigger specific alerts but accumulate to a suspicious behavior for the user.
-
-**Learning period**
-
-Establishing a new user's activity pattern requires an initial learning period of seven days, during which alerts aren't triggered for any score increase.
+Starting November 2024, **Investigate risky users** support for Microsoft Defender for Cloud Apps is retired. If this feature was used in your organization and is needed, we recommend using the Entra risk score feature. Please use the following resources for additional information:
 
-**TP**, **B-TP**, or **FP**?
-
-1. **TP**: If you're able to confirm that the activities of the user aren't legitimate.
-  
-    **Recommended action**: Suspend the user, mark the user as compromised, and reset their password.
+- [Investigate risk Microsoft Entra ID Protection - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/howto-identity-protection-investigate-risk)
 
-1. **B-TP**: If you're able to confirm that user indeed significantly deviated from usual behavior, but there's no potential breach.
+- [Microsoft Entra ID Protection risk-based access policies - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/concept-identity-protection-policies)
 
-1. **FP**  (Unusual behavior): If you're able to confirm that the user legitimately performed the unusual activities, or more activities than the established baseline.
-
-    **Recommended action**: Dismiss the alert.
-
-**Understand the scope of the breach**
-
-1. Review all user activity and alerts for additional indicators of compromise.
 
 ## See also