Commit 43a3b95

Merge pull request #702 from MicrosoftDocs/diannegali-defenderboxed
added Defender Boxed text and note
2 parents 7f10507 + 1cf8fc1 commit 43a3b95

16 files changed: +62 -12 lines changed

defender-endpoint/view-incidents-queue.md

Lines changed: 17 additions & 7 deletions
Original file line number | Diff line number | Diff line change
@@ -15,14 +15,15 @@ ms.collection:
1515
ms.topic: conceptual
1616
ms.subservice: edr
1717
search.appverid: met150
18-
ms.date: 06/05/2024
18+
ms.date: 01/06/2025
1919
---
2020

2121
# View and organize the Microsoft Defender for Endpoint Incidents queue
2222

2323
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
2424

2525
**Applies to:**
26+
2627
- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
2728
- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
2829
- [Microsoft Defender XDR](/defender-xdr)
@@ -31,12 +32,13 @@ ms.date: 06/05/2024
3132
3233
The **Incidents queue** shows a collection of incidents that were flagged from devices in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
3334

34-
By default, the queue displays incidents seen in the last 6 months, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
35+
By default, the queue displays incidents seen in the last six months, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
3536

3637
There are several options you can choose from to customize the Incidents queue view.
3738

3839
On the top navigation you can:
39-
- Customize columns to add or remove columns
40+
41+
- Customize columns to add or remove columns
4042
- Modify the number of items to view per page
4143
- Select the items to show per page
4244
- Batch-select the incidents to assign
@@ -46,7 +48,11 @@ On the top navigation you can:
4648

4749
:::image type="content" source="media/atp-incident-queue.png" alt-text="The Incidents queue" lightbox="media/atp-incident-queue.png":::
4850

51+
> [!TIP]
52+
> **Defender Boxed**, a series of cards showcasing your organization's security successes, improvements, and response actions in the past six months/year, appears for a limited time during January and July of each year. Learn how you can share your [Defender Boxed](/defender-xdr/incident-queue#defender-boxed) highlights.
53+
4954
## Sort and filter the incidents queue
55+
5056
You can apply the following filters to limit the list of incidents and get a more focused view.
5157

5258
### Severity
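Review bot: the shorthand "in the past six months/year" in the new tip (line 52) reads as a slash compound; the Defender Boxed section this tip links to, added in defender-xdr/incident-queue.md in this same PR, spells it out as "the previous six months or calendar year", so use that wording here too. The absolute link target `/defender-xdr/incident-queue#defender-boxed` matches the existing `[Microsoft Defender XDR](/defender-xdr)` cross-docset link above it, so the link form is fine.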
@@ -55,32 +61,36 @@ Incident severity | Description
5561
:---|:---
5662
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on devices.
5763
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
58-
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
64+
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that don't necessarily indicate an advanced threat targeting the organization.
5965
Informational </br>(Grey) | Informational incidents might not be considered harmful to the network but might be good to keep track of.
6066

6167
## Assigned to
68+
6269
You can choose to filter the list by selecting assigned to anyone or ones that are assigned to you.
6370

6471
### Category
72+
6573
Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context.
6674

6775
### Status
76+
6877
You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved.
6978

7079
### Data sensitivity
80+
7181
Use this filter to show incidents that contain sensitivity labels.
7282

7383
## Incident naming
7484

75-
To understand the incident's scope at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories.
85+
To understand the incident's scope at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories.
7686

7787
For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
7888

7989
> [!NOTE]
80-
> Incidents that existed prior the rollout of automatic incident naming will retain their name.
81-
90+
> Incidents that existed prior to the rollout of automatic incident naming retains their original name.
8291
8392
## See also
93+
8494
- [Incidents queue](view-incidents-queue.md)
8595
- [Manage incidents](manage-incidents.md)
8696
- [Investigate incidents](investigate-incidents.md)
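Review bot: subject-verb agreement in the rewritten note (line 90): "Incidents that existed prior to the rollout of automatic incident naming retains their original name" has a plural subject and should read "retain their original name". A smaller point while this hunk touches the heading: "## Assigned to" (line 67) is an H2 sitting between the H3 filter headings "### Severity" and "### Category", which breaks the subsection hierarchy under "## Sort and filter the incidents queue"; make it "### Assigned to".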

defender-xdr/incident-queue.md

Lines changed: 28 additions & 1 deletion
@@ -18,7 +18,7 @@ ms.topic: conceptual
1818
search.appverid:
1919
- MOE150
2020
- MET150
21-
ms.date: 07/18/2024
21+
ms.date: 01/06/2025
2222
appliesto:
2323
- Microsoft Defender XDR
2424
- Microsoft Sentinel in the Microsoft Defender portal
@@ -61,6 +61,33 @@ If you onboarded Microsoft Sentinel to the unified security operations platform,
6161

6262
We recommend that you avoid using the incident name as a condition for triggering [automation rules](/azure/sentinel/automate-incident-handling-with-automation-rules). If the incident name is a condition, and the incident name changes, the rule will not be triggered.
6363

64+
### Defender Boxed
65+
66+
For a limited time during January and July of each year, **Defender Boxed** automatically appears when you first open the incident queue. Defender Boxed highlights your organization's security success, improvements, and response actions during the previous six months or calendar year.
67+
68+
:::image type="content" source="/defender/media/defender-boxed/defender-boxed-recording.gif" alt-text="Defender Boxed as shown in the incident queue.":::
69+
70+
> [!NOTE]
71+
> Defender Boxed is only available to users who performed applicable activities in the Microsoft Defender portal.
72+
73+
You can do the following actions in the series of cards that appear in Defender Boxed:
74+
75+
- Download a detailed summary of your achievements that can be shared with others in your organization.
76+
77+
:::image type="content" source="/defender/media/defender-boxed/defender-boxed-summary-small.png" alt-text="Screenshot of Defender Boxed slide with the download summary option highlighted." lightbox="/defender/media/defender-boxed/defender-boxed-summary.png":::
78+
79+
- Change the frequency of how often Defender Boxed will appear. You can choose between once (every January) or twice (every January and July) per year.
80+
81+
:::image type="content" source="/defender/media/defender-boxed/defender-boxed-frequency-small.png" alt-text="Screenshot of Defender Boxed slide with the frequency highlighted." lightbox="/defender/media/defender-boxed/defender-boxed-frequency.png":::
82+
83+
- Share your achievement to your social media networks, email, and other forums by saving the slide as an image.
84+
85+
:::image type="content" source="/defender/media/defender-boxed/defender-boxed-save-small.png" alt-text="Screenshot of Defender Boxed slide with the save option highlighted." lightbox="/defender/media/defender-boxed/defender-boxed-save.png":::
86+
87+
To reopen Defender Boxed, go to the Incidents queue and then select **Your Defender Boxed** on the right side of the pane.
88+
89+
:::image type="content" source="/defender/media/defender-boxed/defender-boxed-incident-small.png" alt-text="Screenshot of Defender Boxed slide with the save option highlighted." lightbox="/defender/media/defender-boxed/defender-boxed-incident.png":::
90+
6491
## Filters <a name="available-filters"></a>
6592

6693
The incident queue also provides multiple filtering options, that when applied, enable you to perform a broad sweep of all existing incidents in your environment, or decide to focus on a specific scenario or threat. Applying filters on the incident queue can help determine which incident requires immediate attention.
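Review bot: the alt-text on the last image (line 89, `defender-boxed-incident-small.png`) reads "Screenshot of Defender Boxed slide with the save option highlighted", which is a copy of the alt-text on the save image at line 85; this image illustrates the **Your Defender Boxed** entry point in the Incidents queue described on line 87, so its alt-text should describe that instead. Two wording points: the note on line 71 says the feature is "only available to users who performed applicable activities" without saying which activities qualify, so a reader cannot tell why the cards might not appear for them; and "Change the frequency of how often Defender Boxed will appear" (line 79) is redundant, "Change how often Defender Boxed appears" is enough.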

defender-xdr/incidents-overview.md

Lines changed: 3 additions & 0 deletions
@@ -74,6 +74,9 @@ The Microsoft Defender portal includes tools and methods to automate or otherwis
7474
| **[Proactively hunt with advanced hunting](advanced-hunting-overview.md)** | Use Kusto Query Language (KQL) to proactively inspect events in your network by querying the logs collected in the Defender portal. Advanced hunting supports a guided mode for users looking for the convenience of a query builder. |
7575
| **[Harness AI with Microsoft Copilot for Security](/defender-xdr/security-copilot-in-microsoft-365-defender)** | Add AI to support analysts with complex and time-consuming daily workflows. For example, Microsoft Copilot for Security can help with end-to-end incident investigation and response by providing clearly described attack stories, step-by-step actionable remediation guidance and incident activity summarized reports, natural language KQL hunting, and expert code analysis&mdash;optimizing on SOC efficiency across data from all sources. <br><br>This capability is in addition to the other AI-based functionality that Microsoft Sentinel brings to the unified platform, in the areas of user and entity behavior analytics, anomaly detection, multi-stage threat detection, and more. |
7676

77+
> [!TIP]
78+
> **Defender Boxed**, a series of cards showcasing your organization's security successes, improvements, and response actions in the past six months/year, appears for a limited time during January and July of each year. Learn how you can share your [Defender Boxed](incident-queue.md#defender-boxed) highlights.
79+
7780
## Related items
7881

7982
To learn more about alert correlation and incident merging in the Defender portal, see [Alerts, incidents, and correlation in Microsoft Defender XDR](alerts-incidents-correlation.md)
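Review bot: this tip block is added verbatim to five files in this PR (defender-endpoint/view-incidents-queue.md, defender-xdr/incidents-overview.md, investigate-incidents.md, manage-incidents.md and respond-first-incident-365-defender.md), so any later wording fix has to be repeated five times. The docset already uses include files (`[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]` in view-incidents-queue.md); consider moving the tip into an include and referencing it from each page.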

defender-xdr/investigate-incidents.md

Lines changed: 3 additions & 0 deletions
@@ -254,6 +254,9 @@ Some incidents might have similar incidents listed on the **Similar incidents**
254254

255255
:::image type="content" source="/defender/media/investigate-incidents/incident-similartab-small.png" alt-text="Screenshot that shows the Similar incidents tab for an incident in the Microsoft Defender portal." lightbox="/defender/media/investigate-incidents/incident-similartab.png":::
256256

257+
> [!TIP]
258+
> **Defender Boxed**, a series of cards showcasing your organization's security successes, improvements, and response actions in the past six months/year, appears for a limited time during January and July of each year. Learn how you can share your [Defender Boxed](incident-queue.md#defender-boxed) highlights.
259+
257260
## Next steps
258261

259262
As needed:

defender-xdr/manage-incidents.md

Lines changed: 3 additions & 0 deletions
@@ -56,6 +56,9 @@ This article shows you how to perform various incident management tasks associat
5656
- Assess the activity audit and add comments in the [Activity log](#view-the-activity-log-of-an-incident).
5757
- [Export incident data to PDF](#export-incident-data-to-pdf).
5858

59+
> [!TIP]
60+
> **Defender Boxed**, a series of cards showcasing your organization's security successes, improvements, and response actions in the past six months/year, appears for a limited time during January and July of each year. Learn how you can share your [Defender Boxed](incident-queue.md#defender-boxed) highlights.
61+
5962
## Access the *Manage incident* pane
6063

6164
Most of these tasks are accessible from the **Manage incident** pane for an incident. You can reach this pane from any of several locations.

defender-xdr/respond-first-incident-365-defender.md

Lines changed: 4 additions & 1 deletion
@@ -18,7 +18,7 @@ ms.topic: conceptual
1818
search.appverid:
1919
- MOE150
2020
- MET150
21-
ms.date: 06/05/2024
21+
ms.date: 07/01/2024
2222
---
2323

2424
# Responding to your first incident in Microsoft Defender XDR
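Review bot: `ms.date` is set to 07/01/2024 here, while every other file touched in this PR sets it to 01/06/2025; the content change in this file is the same January 2025 tip, so this looks like a transposed date. Set it to 01/06/2025 to match the rest of the PR.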
@@ -88,6 +88,9 @@ Learn how to classify incidents and alerts through this video:
8888

8989
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4LHJq]
9090
91+
> [!TIP]
92+
> **Defender Boxed**, a series of cards showcasing your organization's security successes, improvements, and response actions in the past six months/year, appears for a limited time during January and July of each year. Learn how you can share your [Defender Boxed](incident-queue.md#defender-boxed) highlights.
93+
9194
## Next steps
9295

9396
- [Analyze your first incident](respond-first-incident-analyze.md)

defender-xdr/whats-new.md

Lines changed: 4 additions & 3 deletions
@@ -30,6 +30,10 @@ For more information on what's new with other Microsoft Defender security produc
3030

3131
You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
3232

33+
## January 2025
34+
35+
- **Defender Boxed** is available for a limited time in January and July of each year. This series of slides highlights your organization’s security successes, improvements, and response actions in the Microsoft Defender portal for the past six months/year. To learn how you can share your security operations team’s achievements, see [Defender Boxed](incident-queue.md#defender-boxed).
36+
3337
## December 2024
3438

3539
- (GA) [Content distribution via tenant groups in multitenant management](mto-tenantgroups.md) is now generally available. Create tenant groups to manage content across tenants in multitenant management in Microsoft Defender XDR.
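Review bot: the new January 2025 entry calls Defender Boxed a "series of slides", whereas the tips and the incident-queue.md section added in this same PR call it a "series of cards"; pick one term so readers following the link find the same vocabulary. The entry also reuses the "six months/year" shorthand; "six months or calendar year", as in the incident-queue.md section, is clearer.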
@@ -75,7 +79,6 @@ You can also get product updates and important notifications through the [messag
7579
- (Preview) Microsoft Sentinel data is now available with Defender XDR data in Microsoft Defender multitenant management. Only one Microsoft Sentinel workspace per tenant is currently supported in the Microsoft unified security operations platform. So, Microsoft Defender multitenant management shows security information and event management (SIEM) data from one Microsoft Sentinel workspace per tenant. For more information, see [Microsoft Defender multitenant management](mto-overview.md) and [Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal).
7680
- To ensure a smooth experience while navigating the Microsoft Defender portal, configure your network firewall by adding the appropriate addresses to your allow list. For more information, see [Network firewall configuration for Microsoft Defender XDR](m365d-enable.md#configure-your-network-firewall).
7781

78-
7982
## July 2024
8083

8184
- Incidents with alerts where a compromised device communicated with an operational technology (OT) device are now visible in the Microsoft Defender portal through the [Microsoft Defender for IoT license and Defender for Endpoint’s device discovery capabilities](/defender-endpoint/device-discovery#device-discovery-integration). Using Defender for Endpoint data, Defender XDR automatically correlates these new OT alerts to incidents to provide a comprehensive attack story. To filter related incidents, see [Prioritize incidents in the Microsoft Defender portal](incident-queue.md#filters-).
@@ -101,8 +104,6 @@ You can also get product updates and important notifications through the [messag
101104

102105
- (GA) You can now **release or move email messages from quarantine** back to the user's inbox directly from [Take actions in advanced hunting](advanced-hunting-take-action.md#take-various-actions-on-emails) and in [custom detections](custom-detection-rules.md#actions-on-emails). This allows security operators to manage false positives more efficiently and without losing context.
103106

104-
105-
106107
## June 2024
107108

108109
- (Preview) **[Content distribution through tenant groups in multitenant management](mto-tenantgroups.md)** is now available. Content distribution helps you manage content at scale across tenants in multitenant management in Microsoft Defender XDR. In content distribution, you can create tenant groups to copy existing content, like custom detection rules, from the source tenant to the target tenants you assign during tenant group creation. The content then runs on the target tenant's devices or device groups that you set in the tenant group scope.