Merge pull request #3578 from MicrosoftDocs/diannegali-xdrfreshapril

xdr article updates

Author: diannegali

defender-xdr/api-articles.md

@@ -18,27 +18,23 @@ search.appverid:
   - MOE150
   - MET150
 ms.custom: api
-ms.date: 02/08/2024
+ms.date: 04/25/2025
+appliesto:
+  - Microsoft Defender XDR
 ---
 
 # Other security and threat protection APIs
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR API
-
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
 > [!NOTE]
-> **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview).
+> The **Microsoft Graph security API** is a unified schema and interface that integrates with various Microsoft security solutions and Microsoft security partners. To get started, see [Use the Microsoft Graph security API](/graph/api/resources/security-api-overview).
 
 The following resources provide more information about APIs available for other Microsoft security solutions, beyond the Microsoft Defender XDR API.
 
 - [Microsoft Defender for Endpoint](/defender-endpoint/api/apis-intro)
 - [Microsoft Defender for Office 365](/office/office-365-management-api/)
 - [Microsoft Defender for Cloud Apps](/cloud-app-security/api-introduction)
+- [Microsoft Defender Threat Intelligence](/graph/api/resources/security-threatintelligence-overview)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/api-overview.md

@@ -28,7 +28,7 @@ appliesto:
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
 > [!NOTE]
-> **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview).
+> The **Microsoft Graph security API** is a unified schema and interface that integrates with various Microsoft security solutions and Microsoft security partners. To get started, see [Use the Microsoft Graph security API](/graph/api/resources/security-api-overview).
 
 > [!IMPORTANT]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

defender-xdr/api-update-incidents.md

@@ -18,17 +18,15 @@ search.appverid:
   - MOE150
   - MET150
 ms.custom: api
-ms.date: 04/09/2024
+ms.date: 04/25/2025
+appliesto:
+ - Microsoft Defender XDR
 ---
 
 # Update incidents API
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-
 > [!NOTE]
 > **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview). For information about the new _update incident_ API using MS Graph security API, see [Update incident](/graph/api/security-incident-update).
 

defender-xdr/autoad-results.md

@@ -8,7 +8,7 @@ f1.keywords:
 ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
-ms.date: 06/19/2024
+ms.date: 04/25/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -31,9 +31,9 @@ When an automatic attack disruption triggers in Microsoft Defender XDR, the deta
 
 ## Review the incident graph
 
-Microsoft Defender XDR automatic attack disruption is built in in the incident view. Review the incident graph to get the entire attack story and assess the attack disruption impact and status.
+Microsoft Defender XDR automatic attack disruption is built-in in the incident view. Review the incident graph to get the entire attack story and assess the attack disruption impact and status.
 
-Here are some examples of what it looks like:
+The incident page includes the following information:
 
 - Disrupted incidents include a tag for 'Attack Disruption' and the specific threat type identified (i.e., ransomware). If you subscribe to incident email notifications, these tags also appear in the emails.
 - A highlighted notification below the incident title indicating that the incident was disrupted.
@@ -96,6 +96,7 @@ IdentityDirectoryEvents
 
 The above query was adapted from a [Microsoft Defender for Identity - Attack Disruption query](https://github.com/alexverboon/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Identity/MDI-AttackDisruption.md#microsoft-365-defender).
 
-## Next step
+## Related content
 
-- [Get email notifications for response actions](m365d-response-actions-notifications.md)
+- [Exclude assets from automated response actions](automatic-attack-disruption-exclusions.md)
+- [Get email notifications for response actions](m365d-response-actions-notifications.md)

defender-xdr/automatic-attack-disruption.md

@@ -18,7 +18,7 @@ ms.topic: concept-article
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 02/20/2025
+ms.date: 04/25/2025
 appliesto:
   - Microsoft Defender XDR
 ---

defender-xdr/configure-attack-disruption.md

@@ -9,7 +9,7 @@ audience: ITPro
 ms.topic: how-to
 ms.service: defender-xdr
 ms.localizationpriority: medium
-ms.date: 02/16/2025
+ms.date: 04/25/2025
 ms.collection:
 - m365-security
 - tier2

defender-xdr/configure-deception.md

@@ -16,7 +16,7 @@ ms.topic: how-to
 search.appverid: 
 - MOE150
 - MET150
-ms.date: 01/12/2024
+ms.date: 04/25/2025
 appliesto:
 - Microsoft Defender XDR
 #customer intent: As a security analyst, I want to learn how to configure the deception capability so that I can protect my organization from high-impact attacks that use human-operated lateral movement.

defender-xdr/configure-email-notifications.md

@@ -10,21 +10,20 @@ audience: ITPro
 ms.collection: 
 - m365-security
 - tier2
-ms.topic: conceptual
+ms.topic: concept-article
 search.appverid: met150
 ms.date: 01/17/2025
+appliesto:
+- Microsoft Defender XDR
+- Microsoft Defender for Endpoint Plan 1
+- Microsoft Defender for Endpoint Plan 2
+- Microsoft Defender for Business
 ---
 
 # Configure alert notifications
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-- [Microsoft Defender for Endpoint Plan 1](/defender-endpoint/microsoft-defender-endpoint)
-- [Microsoft Defender for Endpoint Plan 2](/defender-endpoint/microsoft-defender-endpoint)
-- [Microsoft Defender for Business](/defender-business/mdb-overview)
-
 You can configure Microsoft Defender XDR to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
 
 If you're using [Defender for Business](/defender-business/mdb-overview), you can set up email notifications for specific users (not roles or groups).

defender-xdr/configure-event-hub.md

@@ -14,17 +14,16 @@ ms.collection:
 - m365-security
 - tier2
 ms.custom: admindeeplinkDEFENDER
-ms.topic: conceptual
-ms.date: 06/21/2024
+ms.topic: concept-article
+ms.date: 04/25/2025
+appliesto:
+- Microsoft Defender XDR
 ---
 
 # Configure your Event Hubs
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-
 > [!NOTE]
 > **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview).
 
@@ -71,11 +70,11 @@ This client secret value is used by Microsoft Graph APIs to authenticate this ap
     Go **to Event Hub \> Add** and select the pricing tier, throughput units and Auto-Inflate (requires standard pricing and under features) appropriate for the load you're expecting. For more information, see [Pricing - Event Hubs \| Microsoft Azure](https://azure.microsoft.com/pricing/details/event-hubs/).
 
     > [!NOTE]
-    > You can use an existing event-hub, but the throughput and scaling are set at the namespace level so it is recommended to place an event-hub in its own namespace.
+    > You can use an existing event-hub, but the throughput and scaling are set at the namespace level. Microsoft recommends to place an event-hub in its own namespace.
 
    :::image type="content" source="/defender/media/ebc4ca37c342ad1da75c4aee4018e51a.png" alt-text="The event hubs section in the Microsoft Azure portal" lightbox="/defender/media/ebc4ca37c342ad1da75c4aee4018e51a.png":::
 
-1. You'll also need the Resource ID of this Event Hubs Namespace. Go to your Azure Event Hubs namespace page \> Properties. Copy the text under Resource ID and record it for use during the Microsoft 365 Configuration section below.
+1. You need the Resource ID of this Event Hubs Namespace. Go to your Azure Event Hubs namespace page \> Properties. Copy the text under Resource ID and record it for use during the Microsoft 365 Configuration.
 
     :::image type="content" source="/defender/media/759498162a4e93cbf17c4130d704d164.png" alt-text="The event hubs properties section in the Microsoft Azure portal" lightbox="/defender/media/759498162a4e93cbf17c4130d704d164.png":::
 
@@ -86,7 +85,7 @@ You're required to add permissions to the following roles to entities that are i
 - **Contributor**: The permissions related to this role are added to entity who logs in to the Microsoft Defender portal.
 - **Reader** and **Azure Event Hub data Receiver**: The permissions related to these roles are assigned to the entity who is already assigned the role of a **Service Principal** and logs in to the Microsoft Entra application.
 
-To ensure that these roles have been added, perform the following step:
+To ensure that these roles are added, perform the following step:
 
 Go to **Event Hub Namespace** \> **Access Control (IAM)** \> **Add** and verify under **Role assignments**.
 
@@ -96,16 +95,16 @@ Go to **Event Hub Namespace** \> **Access Control (IAM)** \> **Add** and verify
 
 **Option 1:**
 
-You can create an Event Hubs within your Namespace and **all** the Event Types (Tables) you select to export will be written into this **one** Event Hub.
+You can create Event Hubs within your Namespace and **all** the Event Types (Tables) you select to export are written into this **one** Event Hub.
 
 **Option 2:**
 
 Instead of exporting all the Event Types (Tables) into one Event Hub, you can export each table into different Event Hubs inside your Event Hubs Namespace (one Event Hub per Event Type).
 
-In this option, Microsoft Defender XDR will create Event Hubs for you.
+In this option, Microsoft Defender XDR creates Event Hubs for you.
 
 > [!NOTE]
-> If you are using an Event Hub Namespace that is **not** part of an Event Hub Cluster, you will only be able to choose up to 10 Event Types (Tables) to export in each Export Settings you define, due to an Azure limitation of 10 Event Hub per Event Hub Namespace.
+> If you are using an Event Hub Namespace that is **not** part of an Event Hub Cluster, you're only able to choose up to 10 Event Types (Tables) to export in each Export Settings you define, due to an Azure limitation of 10 Event Hub per Event Hub Namespace.
 
 For example:
 
@@ -119,7 +118,7 @@ The Partition Count allows for more throughput via parallelism, so it's recommen
 
 :::image type="content" source="/defender/media/1db04b8ec02a6298d7cc70419ac6e6a9.png" alt-text="An event hubs creation section in the Microsoft Azure portal" lightbox="/defender/media/1db04b8ec02a6298d7cc70419ac6e6a9.png":::
 
-For these Event Hubs (not namespace), you'll need to configure a Shared Access Policy with Send, Listen Claims. Click on your **Event Hub** \> **Shared access policies** \> **+ Add** and then give it a Policy name (not used elsewhere) and check **Send** and **Listen**.
+For these Event Hubs (not namespace), you need to configure a Shared Access Policy with Send, Listen Claims. Click on your **Event Hub** \> **Shared access policies** \> **+ Add** and then give it a Policy name (not used elsewhere) and check **Send** and **Listen**.
 
 :::image type="content" source="/defender/media/1867d13f46dc6a0f4cdae6cf00df24db.png" alt-text="The Shared access policies page in the Microsoft Azure portal" lightbox="/defender/media/1867d13f46dc6a0f4cdae6cf00df24db.png":::
 
@@ -133,23 +132,23 @@ For these Event Hubs (not namespace), you'll need to configure a Shared Access P
 
 1. Sign in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a> with an account that meets all the following role requirements:
 
-    - Contributor role at the Event Hubs *Namespace* Resource level or higher for the Event Hubs that you'll be exporting to. Without this permission, you'll get an export error when you try to save the settings.
+    - Contributor role at the Event Hubs *Namespace* Resource level or higher for the Event Hubs that you're be exporting to. An export error occurs when you try to save the settings without this permission.
 
     - Security Admin Role on the tenant tied to Microsoft Defender XDR and Azure.
 
       :::image type="content" source="/defender/media/55d5b1c21dd58692fb12a6c1c35bd4fa.png" alt-text="The Settings page of the Microsoft Defender portal" lightbox="/defender/media/55d5b1c21dd58692fb12a6c1c35bd4fa.png":::
 
 1. Click on **Raw Data Export \> +Add**.
 
-    You'll now use the data that you recorded above.
+    Use the data that you previously recorded.
 
     **Name**: This value is local and should be whatever works in your environment.
 
     **Forward events to event hub**: Select this checkbox.
 
     **Event-Hub Resource ID**: This value is the Event Hubs Namespace Resource ID you recorded when you set up the Event Hubs.
 
-    **Event-Hub name**: If you created an Event Hubs inside your Event Hubs Namespace, paste the Event Hubs name you recorded above.
+    **Event-Hub name**: If you created an Event Hubs inside your Event Hubs Namespace, paste the Event Hubs name you previously recorded.
 
     If you choose to let Microsoft Defender XDR to create Event Hubs per Event Types (Tables) for you, leave this field empty.
 
@@ -172,15 +171,14 @@ EmailEvents
 |count
 ```
 
-This query will show you how many emails were received in the last hour joined across all the other tables. It will also show you if you're seeing events that could be exported to the event hubs. If this count shows 0, then you won't see any data going out to the Event Hubs.
+This query shows you how many emails were received in the last hour joined across all the other tables. It also shows you if you're seeing events that could be exported to the event hubs. If this count shows 0, then you won't see any data going out to the Event Hubs.
 
 :::image type="content" source="/defender/media/c305e57dc6f72fa9eb035943f244738e.png" alt-text="The advanced hunting page in the Microsoft Azure portal" lightbox="/defender/media/c305e57dc6f72fa9eb035943f244738e.png":::
 
 Once you've verified there's data to export, you can view the Event Hubs page to verify that messages are incoming. This process can take up to one hour.
 
 1. In Azure, go to **Event Hub** \> Click on the **Namespace** \> **Event Hub** \> Click on the **Event Hub**.
-1. Under **Overview**, scroll down and in the Messages graph you should see Incoming Messages. If you don't see any results, then there will be no messages
-for your custom app to ingest.
+1. Under **Overview**, scroll down and in the Messages graph you should see Incoming Messages. If you don't see any results, then there are no messages for your custom app to ingest.
 
 :::image type="content" source="/defender/media/e88060e315d76e74269a3fc866df047f.png" alt-text=" The Overview page in the Microsoft 365 Azure portal" lightbox="/defender/media/e88060e315d76e74269a3fc866df047f.png":::
 

defender-xdr/configure-siem-defender.md

@@ -11,18 +11,17 @@ audience: ITPro
 ms.collection:
 - m365-security
 - tier2
-ms.topic: conceptual
-ms.date: 06/27/2024
+ms.topic: concept-article
+ms.date: 04/25/2025
+appliesto:
+- Microsoft Defender for Endpoint   
+- Microsoft Defender XDR
 ---
 
 # Integrate your SIEM tools with Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-
 <a name='pull-microsoft-365-defender-incidents-and-streaming-event-data-using-security-information-and-events-management-siem-tools'></a>
 
 ## Pull Microsoft Defender XDR incidents and streaming event data using security information and events management (SIEM) tools
@@ -84,14 +83,16 @@ For more information on:
 The new SmartConnector for Microsoft Defender XDR ingests incidents into ArcSight and maps these onto its Common Event
 Framework (CEF).
 
-For more information on the new ArcSight SmartConnector for Microsoft Defender XDR, see [ArcSight Product Documentation](https://community.microfocus.com/cyberres/productdocs/w/connector-documentation/39246/smartconnector-for-microsoft-365-defender).
+For more information on the new ArcSight SmartConnector for Microsoft Defender XDR, see [ArcSight Product Documentation](https://www.microfocus.com/documentation/arcsight/arcsight-smartconnectors-8.4/microsoft-365-defender/index.html).
 
 The SmartConnector replaces the previous FlexConnector for Microsoft Defender for Endpoint that's now retired.
 
 ### Elastic
 
 Elastic Security combines SIEM threat detection features with endpoint prevention and response capabilities in one solution.
+
 The Elastic integration for Microsoft Defender XDR and Defender for Endpoint enables organizations to leverage incidents and alerts from Defender within Elastic Security to perform investigations and incident response. Elastic correlates this data with other data sources, including cloud, network, and endpoint sources using robust detection rules to find threats quickly.
+
 For more information on the Elastic connector, see: [Microsoft M365 Defender | Elastic docs](https://docs.elastic.co/integrations/m365_defender)
 
 ## Ingesting streaming event data via Event Hubs
@@ -114,7 +115,7 @@ Use the new IBM QRadar Microsoft Defender XDR Device Support Module (DSM) that c
 
 For more information on the Elastic streaming API integration, see [Microsoft M365 Defender | Elastic docs](https://docs.elastic.co/integrations/m365_defender).
 
-## Related articles
+## Related content
 
 [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview)