Commit 2807fe8

committed
Update alert-policies.md
1 parent c223ac8 commit 2807fe8

1 file changed

+1
-1
lines changed

defender-xdr/alert-policies.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -171,7 +171,7 @@ The tables also indicate the Office 365 Enterprise and Office 365 US Government
171171
|**Admin triggered manual investigation of email**|Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](/microsoft-365/security/office-365-security/air-about-office#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). <br/><br/> This alert notifies your organization that the investigation was started. The alert provides information about who triggered it and includes a link to the investigation.|Informational|Yes|Microsoft 365 Business Premium, Defender for Office 365 Plan 1 add-on, E5/G5, or Defender for Office 365 Plan 2 add-on.|
172172
|**Admin triggered user compromise investigation**|Generates an alert when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](/microsoft-365/security/office-365-security/air-about-office#example-a-security-administrator-triggers-an-investigation-from-threat-explorer), which shows the related manual triggering of an investigation on an email. <br/><br/> This alert notifies your organization that the user compromise investigation was started. The alert provides information about who triggered it and includes a link to the investigation.|Medium|Yes|Microsoft 365 Business Premium, Defender for Office 365 Plan 1 add-on, E5/G5, or Defender for Office 365 Plan 2 add-on.|
173173
|**Creation of forwarding/redirect rule**|Generates an alert when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account. This policy only tracks inbox rules that are created using Outlook on the web (formerly known as Outlook Web App) or Exchange Online PowerShell. For more information about using inbox rules to forward and redirect email in Outlook on the web, see [Use rules in Outlook on the web to automatically forward messages to another account](https://support.office.com/article/1433e3a0-7fb0-4999-b536-50e05cb67fed).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5|
174-
|**eDiscovery search started or exported**|Generates an alert when someone uses the Content search tool in the Microsoft Purview portal. An alert is triggered when the following content search activities are performed: <ul><li>A content search is started.</li><li>The results of a content search are exported.</li><li>A content search report is exported.</li></ul> <br/> Alerts are also triggered when the previous content search activities are performed in association with an eDiscovery case. For more information about content search activities, see [Search for eDiscovery activities in the audit log](ediscovery-search-for-activities-in-the-audit-log.md#ediscovery-activities).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5|
174+
|**eDiscovery search started or exported**|Generates an alert when someone uses the Content search tool in the Microsoft Purview portal. An alert is triggered when the following content search activities are performed: <ul><li>A content search is started.</li><li>The results of a content search are exported.</li><li>A content search report is exported.</li></ul> <br/> Alerts are also triggered when the previous content search activities are performed in association with an eDiscovery case. For more information about content search activities, see [Search for eDiscovery activities in the audit log](/purview/ediscovery-search-for-activities-in-the-audit-log#ediscovery-activities).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5|
175175
|**Email messages containing malicious file removed after delivery**|Generates an alert when any messages containing a malicious file are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](/microsoft-365/security/office-365-security/zero-hour-auto-purge). This policy automatically triggers [automated investigation and response in Office 365](/microsoft-365/security/office-365-security/air-about). For more information on this new policy, see [Alert policies](/defender-office-365/alert-policies-defender-portal).|Informational|Yes|E1/F1/G1, E3/F3/G3, or E5/G5|
176176
|**Email messages containing malicious URL removed after delivery**|Generates an alert when any messages containing a malicious URL are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](/microsoft-365/security/office-365-security/zero-hour-auto-purge). This policy automatically triggers [automated investigation and response in Office 365](/microsoft-365/security/office-365-security/air-about). For more information on this new policy, see [Alert policies](/defender-office-365/alert-policies-defender-portal).|Informational|Yes|Microsoft 365 Business Premium, Defender for Office 365 Plan 1 add-on, E5/G5, or Defender for Office 365 Plan 2 add-on.|
177177
|**Email messages containing malware removed after delivery**|**Note**: This alert policy was replaced by **Email messages containing malicious file removed after delivery**. This alert policy will eventually go away, so we recommend disabling it and using **Email messages containing malicious file removed after delivery** instead. For more information, see [Alert policies](/defender-office-365/alert-policies-defender-portal).|Informational|Yes|E5/G5 or Defender for Office 365 Plan 2 add-on subscription.|
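
Review bot: On the new line 174, the link target moves from the relative `ediscovery-search-for-activities-in-the-audit-log.md#ediscovery-activities` to the site-relative `/purview/ediscovery-search-for-activities-in-the-audit-log#ediscovery-activities`, but the commit message ("Update alert-policies.md") does not say why. Please note in the message that this repairs a link to an article that is not in the `defender-xdr` folder, and confirm that the `#ediscovery-activities` anchor still resolves at the new path, since this row is where an analyst triaging a content search or export alert goes to find the matching audit log activities. The unchanged rows at 171, 172, 175 and 176 still link to `/microsoft-365/security/office-365-security/...` while rows 175 to 177 also use `/defender-office-365/...`; it is worth checking in the same pass whether those older paths need the same update.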
