
Commit 2f52178

Merge branch 'WI408100-PAM-vendors-integration-article' of https://github.com/DeCohen/defender-docs-pr into WI408100-PAM-vendors-integration-article
2 parents 1dd9dd8 + 2a7c799 commit 2f52178

File tree

3 files changed: +25 -5 lines changed


defender-xdr/advanced-hunting-defender-use-custom-rules.md

Lines changed: 14 additions & 3 deletions
@@ -108,17 +108,28 @@ For editable queries, more options are available:
108108

109109
## Create custom analytics and detection rules
110110

111-
To help discover threats and anomalous behaviors in your environment, you can create customized detection rules.
111+
To help discover threats and anomalous behaviors in your environment, you can create customized detection rules. There are two kinds:
112+
- Analytics rules - to generate detections from rules that query data that is ingested through Microsoft Sentinel
113+
- Custom detection rules - to generate detections from rules that query data from Defender XDR or from both Microsoft Sentinel and Defender XDR
114+
115+
116+
##### Analytics rules
112117

113118
For analytics rules that apply to data ingested through the connected Microsoft Sentinel workspace, select **Manage rules > Create analytics rule**.
114119

115120
:::image type="content" source="/defender/media/advanced-hunting-unified-rules.png" alt-text="Screenshot of the options to create custom analytics or detections in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-rules.png":::
116121

117122
The **Analytics rule wizard** appears. Fill up the required details as described in [Analytics rule wizard—General tab](/azure/sentinel/detect-threats-custom#analytics-rule-wizardgeneral-tab).
118123

119-
You can also create custom detection rules that query data from both Microsoft Sentinel and Defender XDR tables. Select **Manage rules > Create custom detection**. Read [Create and manage custom detection rules](custom-detection-rules.md) for more information.
120124

121-
In custom detection rule creation, you can only query data ingested as analytics logs (that is, not as basic logs or auxiliary logs, see [log management plans](/azure/sentinel/log-plans#log-management-plans) to check the different tiers) otherwise the rule creation won't proceed.
125+
##### Custom detection rules
126+
You can create custom detection rules that query data from both Microsoft Sentinel and Defender XDR tables. Select **Manage rules > Create custom detection**. Read [Create and manage custom detection rules](custom-detection-rules.md) for more information.
127+
128+
129+
In both custom detection and analytics rule creation, you can only query data ingested as analytics logs (that is, not as basic logs or auxiliary logs. See [log management plans](/azure/sentinel/log-plans#log-management-plans) to check the different tiers) otherwise the rule creation won't proceed.
122130

123131
If your Defender XDR data is ingested into Microsoft Sentinel, you have the option to choose between **Create custom detection** and **Create analytics rule**.
124132

133+
134+
> [!NOTE]
135+
> If a Defender XDR table is not set up to stream to log analytics in Microsoft Sentinel but is recognized as a standard table in Microsoft Sentinel, an analytics rule can be created successfully but the rule won't run correctly since no data is actually available in Microsoft Sentinel. For these cases, use the custom detection rule wizard instead.
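Review bot: the two new subsection headings `##### Analytics rules` and `##### Custom detection rules` jump from the H2 `## Create custom analytics and detection rules` straight to H5, which the docs markdown lint flags as skipped heading levels; make them `### Analytics rules` and `### Custom detection rules`. The relocated sentence at the end of the hunk now has a full stop inside the parenthesis (`(that is, not as basic logs or auxiliary logs. See [log management plans](...) to check the different tiers) otherwise the rule creation won't proceed`), so split it into two sentences, for example `you can only query data ingested as analytics logs; rule creation won't proceed for basic logs or auxiliary logs. See [log management plans](/azure/sentinel/log-plans#log-management-plans) for the different tiers.` In the added note, `log analytics` is the product name and should read `Log Analytics`, and the unchanged `Fill up the required details` should be `Fill in the required details`.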

defender-xdr/advanced-hunting-urlclickevents-table.md

Lines changed: 2 additions & 0 deletions
@@ -49,6 +49,8 @@ For information on other tables in the advanced hunting schema, see [the advance
4949
| `UrlChain` | `string` | For scenarios involving redirections, it includes URLs present in the redirection chain|
5050
| `ReportId` | `string` | The unique identifier for a click event. For clickthrough scenarios, report ID would have same value, and therefore it should be used to correlate a click event.|
5151

52+
> [!NOTE]
53+
> For clicks originating from email in Drafts and Sent items folders, email metadata is either not available or `NetworkMessageId` is assigned by default. In this case, `UrlClickEvents` can't be joined with `Email*` tables like `EmailEvents`, `EmailPostDeliveryEvents`, and others, using `NetworkMessageId`.
5254
5355
You can try this example query that uses the `UrlClickEvents` table to return a list of links where a user was allowed to proceed:
5456
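Review bot: `NetworkMessageId is assigned by default` does not tell the reader what value to expect in the column, so they cannot write a filter that drops these rows before joining on it; state the actual placeholder value (or that the column is empty) and, since the same sentence says the metadata may be missing altogether, say how to recognise such a click (for example by the folder, or by an empty or placeholder `NetworkMessageId`). The opening clause also reads better as `For clicks on URLs in messages in the Drafts and Sent Items folders`.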

exposure-management/initiatives-list.md

Lines changed: 9 additions & 2 deletions
@@ -25,6 +25,10 @@ The CIS Microsoft 365 Foundations Benchmark (v3.0.0) is a set of security assess
2525

2626
This initiative aims to reflect the status around cloud security coverage, ROI, health, configuration, and performance. It consists of measurements across multiple domains and disciplines to provide security managers with a high-level view into how posture is enforced in cloud ops.
2727

28+
> [!NOTE]
29+
>
30+
> The current Cloud initiative will be deprecated soon. A new Cloud initiative will be available soon. Please use it for updates and support.
31+
2832
## Critical Asset Protection
2933

3034
Critical asset protection refers to the strategies, processes, and technologies implemented to safeguard an organization's most valuable and important assets from various threats and risks. It involves identifying, prioritizing, and applying targeted security measures to ensure the resilience and integrity of these critical assets.
@@ -43,11 +47,11 @@ IoT devices are often connected to endpoints, to one another or to the internet,
4347

4448
## External Attack Surface Protection
4549

46-
The External Attack Surface Initiative in Microsoft Security Exposure Management uses Defender EASM to continuously discover and map your digital attack surface, providing an external view of your online infrastructure. This helps security and IT teams identify unknown assets, prioritize risks, eliminate threats, and extend control beyond the firewall.
50+
The External Attack Surface Management (EASM) initiative in Microsoft Security Exposure Management uses Defender EASM to continuously discover and map your digital attack surface, providing an external view of your online infrastructure. This helps security and IT teams identify unknown assets, prioritize risks, eliminate threats, and extend control beyond the firewall.
4751

4852
> [!NOTE]
4953
>
50-
> This initiative provides high-level insights without a full connection to the MDEASM subscription and supports pre-built footprints only.
54+
> This initiative provides high-level insights without a full connection to the MDEASM subscription and supports prebuilt footprints only.
5155
5256
[Learn more here.](https://aka.ms/xspm/EasmLearnMore)
5357
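Review bot: the paragraph is renamed to `The External Attack Surface Management (EASM) initiative`, but the section heading two lines above is still `## External Attack Surface Protection`, and the unchanged note still refers to `the MDEASM subscription` while the paragraph says `Defender EASM`; pick one name for the initiative and one for the product and apply them to the heading, the paragraph and the note in the same change so the section does not use three different names for two things.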

@@ -75,6 +79,9 @@ This initiative focuses on displaying the current state of SaaS (software as a s
7579

7680
This initiative serves as a central hub for security managers to continuously assess and analyze vulnerabilities and misconfigurations across the organization's digital landscape. In the Vulnerability Assessment initiative users can actively identify, prioritize, track, and delegate vulnerabilities with in the IT infrastructure and the cloud. Users gain real-time visibility into the security posture of their organization, enabling data-driven decision-making for resource investment and placement. This collaborative environment ensures a holistic approach to vulnerability management, empowering stakeholders to proactively strengthen their security defenses, reduce the attack surface, and enhance overall resilience against evolving cyber threats.
7781

82+
> [!NOTE]
83+
> The Vulnerability Assessment initiative will be deprecated soon, as it is now part of the new Cloud initiative. Use the new Cloud initiative for updates and support.
84+
7885
## Zero Trust (Foundational)
7986

8087
Zero Trust is a security strategy that follows three principles, verify explicitly, use least privilege access, and assume breach. This initiative follows Microsoft's Zero Trust adoption framework to help you identify next steps in your Zero Trust strategy. You can learn more about the Zero Trust adoption framework here.
