Commit 210f1f8

committed
updated screenshots
1 parent 7d58a4b commit 210f1f8

4 files changed

+7
-7
lines changed

defender-xdr/incident-queue.md

Lines changed: 4 additions & 3 deletions
@@ -107,7 +107,7 @@ The **Filters** list above the list of incidents shows the currently applied fil
107107

108108
From the default incident queue, you can select **Add filter** to see the **Add filter** drop-down, from which you specify filters to apply to the incidents queue to limit the set of incidents shown. Here's an example.
109109

110-
:::image type="content" source="/defender/media/incidents-queue/fig1-newfilters.png" alt-text="The Filters pane for the incident queue in the Microsoft Defender portal.":::
110+
:::image type="content" source="/defender/media/incidents-queue/incidents-all-filters.png" alt-text="The Filters pane for the incident queue in the Microsoft Defender portal.":::
111111

112112
Select the filters you want to use, then select **Add** at the bottom of the list to make them available.
113113

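Review bot: The alt-text on the replaced image line (new line 110) is left as "The Filters pane for the incident queue in the Microsoft Defender portal." although the source now points at incidents-all-filters.png and the paragraph above it describes the **Add filter** drop-down. If the new screenshot shows the full filter list, update the alt-text to say so, in line with the "All the filters available in the Alerts queue" wording used for alerts-all-filters.png in investigate-alerts.md.
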
@@ -134,8 +134,9 @@ This table lists the filter names that are available.
134134
| **Classification** | Specify the set of classifications of the related alerts. |
135135
| **Automated investigation state** | Specify the status of automated investigation. |
136136
| **Associated threat** | Specify a named threat. |
137-
| **Alert policies** | Specify an alert policy title. |
138-
| **Alert subscription IDs** | Specify an alert based on a subscription ID. |
137+
| **Policy/policy rule** | Filter incidents based on policy or policy rule. |
138+
| **Product names** | Filter incidents based on product name. |
139+
| **Data stream** | Filter incidents based on the location or workload. |
139140

140141
> [!NOTE]
141142
> If you have provisioned access to Microsoft Purview Insider Risk Management, you can view and manage insider risk management alerts and hunt for insider risk management events in the Microsoft Defender portal. For more information, see [Investigate insider risk threats in the Microsoft Defender portal](irm-investigate-alerts-defender.md).
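
Review bot: The three added rows (new lines 137-139) use "Filter incidents based on ..." while the surrounding rows use "Specify ...", and the "Policy/policy rule" description only restates the filter name where the removed "Alert policies" row said the value was an alert policy title. Suggest matching the table's "Specify ..." phrasing and stating what value the analyst enters for each filter. The "Data stream" row also says "the location or workload", which reverses the order used in investigate-alerts.md ("Data stream (workload or location)"); pick one wording for both articles.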

defender-xdr/investigate-alerts.md

Lines changed: 3 additions & 4 deletions
@@ -22,7 +22,7 @@ ms.topic: conceptual
2222
search.appverid:
2323
- MOE150
2424
- met150
25-
ms.date: 1/17/2025
25+
ms.date: 1/27/2025
2626
appliesto:
2727
- Microsoft Defender XDR
2828
---
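Review bot: ms.date is bumped to 1/27/2025 here, but incident-queue.md changes in the same commit (4 additions, 3 deletions) and neither of its hunks touches ms.date. If that file's front matter carries an ms.date, bump it as well so both articles show the same refresh date.
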
@@ -46,9 +46,9 @@ Alerts from different Microsoft security solutions like Microsoft Defender for E
4646

4747
By default, the alerts queue in the Microsoft Defender portal displays the new and in progress alerts from the last seven days. The most recent alert is at the top of the list so you can see it first.
4848

49-
From the default alerts queue, you can select **Filter** to see a **Filter** pane, from which you can specify a subset of the alerts. Here's an example.
49+
From the default alerts queue, you can select **Filter** to see all available filters from which you can specify a subset of the alerts. Here's an example.
5050

51-
**INSERT SCREENSHOT**
51+
:::image type="content" source="/defender/media/investigate-alerts/alerts-all-filters.png" alt-text="All the filters available in the Alerts queue in the Microsoft Defender portal":::
5252

5353
You can filter alerts according to these criteria:
5454

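Review bot: On new line 51 the alt-text ends without a period, while the alt-text for the incident queue image in incident-queue.md ends with one; add it for consistency. On new line 49, "to see all available filters from which you can specify" drops the comma the old sentence had before "from which"; restore it so the sentence reads cleanly.
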
@@ -63,7 +63,6 @@ You can filter alerts according to these criteria:
6363
- Entities (the impacted assets)
6464
- Automated investigation state
6565
- Data stream (workload or location)
66-
- Alert subscription IDs
6766

6867
> [!NOTE]
6968
> Microsoft Defender XDR customers can now filter incidents with alerts where a compromised device communicated with operational technology (OT) devices connected to the enterprise network through the [device discovery integration of Microsoft Defender for IoT and Microsoft Defender for Endpoint](/defender-endpoint/device-discovery#device-discovery-integration). To filter these incidents, select **Any** in the Service/detection sources, then select **Microsoft Defender for IoT** in the Product name or see [Investigate incidents and alerts in Microsoft Defender for IoT in the Defender portal](/defender-for-iot/investigate-threats/). You can also use device groups to filter for site-specific alerts. For more information about Defender for IoT prerequisites, see [Get started with enterprise IoT monitoring in Microsoft Defender XDR](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/).
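
Review bot: Removing "- Alert subscription IDs" (old line 66) is a content change, as are the filter table edits in incident-queue.md, but the commit message says only "updated screenshots". Mention the filter list changes in the message so the removal can be found in history.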