MicrosoftDocs
diff --git a/‎CloudAppSecurityDocs/investigate-anomaly-alerts.md‎
Lines changed: 4 additions & 65 deletions b/‎CloudAppSecurityDocs/investigate-anomaly-alerts.md‎
Lines changed: 4 additions & 65 deletions
diff --git a/‎CloudAppSecurityDocs/tutorial-ueba.md‎
Lines changed: 0 additions & 6 deletions b/‎CloudAppSecurityDocs/tutorial-ueba.md‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎defender-endpoint/TOC.yml‎
Lines changed: 4 additions & 0 deletions b/‎defender-endpoint/TOC.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎defender-endpoint/api/export-firmware-hardware-assessment.md‎
Lines changed: 10 additions & 18 deletions b/‎defender-endpoint/api/export-firmware-hardware-assessment.md‎
Lines changed: 10 additions & 18 deletions
diff --git a/‎defender-endpoint/api/export-security-baseline-assessment.md‎
Lines changed: 10 additions & 16 deletions b/‎defender-endpoint/api/export-security-baseline-assessment.md‎
Lines changed: 10 additions & 16 deletions
diff --git a/‎defender-endpoint/api/get-assessment-browser-extensions.md‎
Lines changed: 11 additions & 15 deletions b/‎defender-endpoint/api/get-assessment-browser-extensions.md‎
Lines changed: 11 additions & 15 deletions
diff --git a/‎defender-endpoint/api/get-assessment-information-gathering.md‎
Lines changed: 10 additions & 17 deletions b/‎defender-endpoint/api/get-assessment-information-gathering.md‎
Lines changed: 10 additions & 17 deletions
@@ -40,7 +40,6 @@ Following proper investigation, all Defender for Cloud Apps alerts can be classi
 
 You should use the following general guidelines when investigating any type of alert to gain a clearer understanding of the potential threat before applying the recommended action.
 
-- Review the user's [investigation priority score](tutorial-ueba.md#understand-the-investigation-priority-score) and compare with the rest of the organization. This will help you identify which users in your organization pose the greatest risk.
 - If you identify a **TP**, review all the user's activities to gain an understanding of the impact.
 - Review all user activity for other indicators of compromise and explore the source and scope of impact. For example, review the following user device information and compare with known device information:
   - Operating system and version
@@ -712,74 +711,14 @@ Establishing a new user's activity pattern requires an initial learning period o
 1. Review the deletion activities and create a list of deleted files. If needed, recover the deleted files.
 1. Optionally, create a playbook using Power Automate to contact users and their managers to verify the activity.
 
-### Investigation priority score increase (preview)
+### Investigation priority score increase (legacy)
 
-Anomalous activities and activities that triggered alerts are given scores based on severity, user impact, and behavioral analysis of the user. The analysis is done based on other users in the tenants.
+Starting November 2024, **Investigate risky users** support for Microsoft Defender for Cloud Apps is retired. If this feature was used in your organization and is needed, we recommend using the Entra risk score feature. Please use the following resources for additional information:
 
-When there's a significant and anomalous increase in the investigation priority score of a certain user, the alert will be triggered.
+- [Investigate risk Microsoft Entra ID Protection - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/howto-identity-protection-investigate-risk)
 
-This alert enables detecting potential breaches that are characterized by activities that don't necessarily trigger specific alerts but accumulate to a suspicious behavior for the user.
+- [Microsoft Entra ID Protection risk-based access policies - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/concept-identity-protection-policies)
 
-**Learning period**
-
-Establishing a new user's activity pattern requires an initial learning period of seven days, during which alerts aren't triggered for any score increase.
-
-**TP**, **B-TP**, or **FP**?
-
-1. **TP**: If you're able to confirm that the activities of the user aren't legitimate.
-  
-    **Recommended action**: Suspend the user, mark the user as compromised, and reset their password.
-
-1. **B-TP**: If you're able to confirm that user indeed significantly deviated from usual behavior, but there's no potential breach.
-
-1. **FP**  (Unusual behavior): If you're able to confirm that the user legitimately performed the unusual activities, or more activities than the established baseline.
-
-    **Recommended action**: Dismiss the alert.
-
-**Understand the scope of the breach**
-
-1. Review all user activity and alerts for additional indicators of compromise.
-
-#### Deprecation timeline
-
-We're gradually retiring the **Investigation priority score increase** alert from Microsoft Defender for Cloud Apps by August 2024.
-
-After careful analysis and consideration, we decided to deprecate it due to the high rate of false positives associated with this alert, which we found wasn't contributing effectively to the overall security of your organization.
-
-Our research indicated that this feature wasn't adding significant value and wasn't aligned with our strategic focus on delivering high-quality, reliable security solutions.
-
-We're committed to continuously improving our services and ensuring that they meet your needs and expectations.
-
-For those who wish to continue using this alert, we suggest using the following advanced hunting query instead as a suggested template. Modify the query based on your needs.
-
-```kql    
-let time_back = 1d;
-let last_seen_threshold = 30;
-// the number of days which the resource is considered to be in use by the user lately, and therefore not indicates anomaly resource usage
-// anomaly score based on LastSeenForUser column in CloudAppEvents table
-let last_seen_scores =
-CloudAppEvents
-| where Timestamp > ago(time_back)
-| where isnotempty(LastSeenForUser)
-| mv-expand LastSeenForUser
-| extend resource = tostring(bag_keys(LastSeenForUser)[0])
-| extend last_seen = LastSeenForUser[resource]
-| where last_seen < 0 or last_seen > last_seen_threshold
-// score is calculated as the number of resources which were never seen before or breaching the chosen threshold
-| summarize last_seen_score = dcount(resource) by ReportId, AccountId;
-// anomaly score based on UncommonForUser column in CloudAppEvents table
-let uncommonality_scores =
-CloudAppEvents
-| where Timestamp > ago(time_back)
-| where isnotempty(UncommonForUser)
-| extend uncommonality_score = array_length(UncommonForUser)
-// score is calculated as the number of uncommon resources on the event
-| project uncommonality_score, ReportId, AccountId;
-last_seen_scores | join kind=innerunique uncommonality_scores on ReportId and AccountId
-| project-away ReportId1, AccountId1
-| extend anomaly_score = last_seen_score + uncommonality_score
-// joined scores
-```
 
 ## See also
 
 
@@ -46,12 +46,6 @@ Defender for Cloud Apps uses the following to measure risk:
 
 Select the investigation priority score for an alert or an activity to view the evidence that explains how Defender for Cloud Apps scored the activity.
 
-> [!NOTE]
-> We're gradually retiring the [**Investigation priority score increase**](investigate-anomaly-alerts.md#investigation-priority-score-increase-preview) alert from Microsoft Defender for Cloud Apps by August 2024. The investigation priority score and the procedure described in this article are not affected by this change.
->
-> For more information, see [Investigation priority score increase deprecation timeline](investigate-anomaly-alerts.md#deprecation-timeline).
-
-
 ## Phase 1: Connect to the apps you want to protect<a name="connect-apps-protect"></a>
 
 Connect at least one app to Microsoft Defender for Cloud Apps using the [API connectors](enable-instant-visibility-protection-and-governance-actions-for-your-apps.md). We recommend that you start by connecting [Microsoft 365](./connect-office-365.md).
 
@@ -934,6 +934,10 @@
               antivirus windows defender antivirus
           - name: Troubleshoot performance issues related to real-time protection
             href: troubleshoot-performance-issues.md
+          - name: Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI
+            href: troubleshoot-av-performance-issues-with-wprui.md
+            displayName: Troubleshoot antivirus performance issues with WPRUI windows
+              performance recorder UI WPR windows performance recorder
           - name: Troubleshoot Microsoft Defender Antivirus performance issues with Process
               Monitor
             href: troubleshoot-av-performance-issues-with-procmon.md
 
@@ -15,7 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 11/24/2022
+ms.date: 01/08/2025
 ---
 
 # Export Hardware and firmware assessment inventory per device
@@ -153,39 +153,31 @@ Delegated (work or school account)|Software.Read|'Read Threat and Vulnerability
 GET /api/machines/HardwareFirmwareInventoryExport
 ```
 
-### 2.4 Parameters
-
-- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours).
-
-### 2.5 Properties (JSON response)
+### 2.4 Properties (JSON response)
 
 > [!NOTE]
-> The files are gzip compressed & in multiline Json format.
->
-> The download URLs are only valid for 3 hours; otherwise, you can use the parameter.
->
-> To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
 >
-> Each record is approximately 1KB of data. You should take this into account when choosing the pageSize parameter that works for you.
->
-> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
+> - The files are gzip compressed & in multiline Json format.
+> - The download URLs are only valid for 1 hour.
+> - To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
+> - Each record is approximately 1KB of data. You should take this into account when choosing the pageSize parameter that works for you.
+> - Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
 
 Property (ID)|Data type|Description
 :---|:---|:---
 |Export files|String[array]|A list of download URLs for files holding the current snapshot of the organization.
 |GeneratedTime|DateTime|The time the export was generated.
 
 
+## 2.5 Examples
 
-## 2.6 Example
-
-### 2.6.1 Request example
+### 2.5.1 Request example
 
 ```http
 GET https://api.security.microsoft.com/api/machines/HardwareFirmwareInventoryExport
 ```
 
-### 2.6.2 Response example
+### 2.5.2 Response example
 
 ```json
     {
 
@@ -15,7 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 05/02/2022
+ms.date: 01/08/2025
 ---
 
 # Export security baselines assessment per device
@@ -158,35 +158,29 @@ Returns all security baselines assessments for all devices, on a per-device basi
 GET /api/machines/BaselineComplianceAssessmentExport
 ```
 
-### 2.4 Parameters
-
-- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours).
-
-### 2.5 Properties (via files)
+### 2.4 Properties (via files)
 
 > [!NOTE]
-> The files are gzip compressed & in multiline Json format.
->
-> The download URLs are only valid for 3 hours; otherwise you can use the parameter.
->
-> To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
->
-> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
+> 
+> - The files are gzip compressed & in multiline Json format.
+> - The download URLs are only valid for 1 hours.
+> - To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
+> - Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
 
 Property (ID)|Data type|Description
 :---|:---|:---
 |Export files|array[string]|A list of download URLs for files holding the current snapshot of the organization.
 |GeneratedTime|String|The time that the export was generated.
 
-## 2.6 Example
+## 2.5 Examples
 
-### 2.6.1 Request example
+### 2.5.1 Request example
 
 ```http
 GET https://api.securitycenter.microsoft.com/api/machines/BaselineComplianceAssessmentExport
 ```
 
-### 2.6.2 Response example
+### 2.5.2 Response example
 
 ```json
 {
 
@@ -15,7 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 06/01/2022
+ms.date: 01/08/2025
 ---
 
 # Export browser extensions assessment per device
@@ -39,7 +39,7 @@ Different API calls get different types of data. Because the amount of data can
 
 - [Export browser extensions assessment **JSON response**](#1-export-browser-extensions-assessment-json-response) The API pulls all data in your organization as Json responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
 
-- [Export browser extensions assessment **via files**](#2-export-browser-extension-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. So, it's recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
+- [Export browser extensions assessment **via files**](#2-export-browser-extension-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. This is recommended for large organizations with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:
   - Call the API to get a list of download URLs with all your organization data.
   - Download all the files using the download URLs and process the data as you like.
 
@@ -57,7 +57,7 @@ This API response contains all the data for installed browser extensions per dev
 #### 1.1.1 Limitations
 
 - Maximum page size is 200,000.
-- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
+- Rate limitations for this API are 30 calls per minute and 1,000 calls per hour.
 
 ### 1.2 Permissions
 
@@ -83,11 +83,11 @@ GET /api/Machines/BrowserExtensionsInventoryByMachine
 
 > [!NOTE]
 >
-> - Each record is approximately 0.5KB of data. You should take this into account when choosing the correct pageSize parameter for you.
-> - The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
-> - Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+> - Each record is 0.5KB of data. You should take this size into account when choosing the correct pageSize parameter for you.
+> - The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output isn't necessarily returned in the same order listed in this table.
+> - Some other columns might be returned in the response. These columns are temporary and might be removed so use only the documented columns.
 
-<br>
+</br>
 
 ****
 
@@ -103,7 +103,7 @@ ExtensionRisk|string|The highest risk level generated by the browser extension.
 ExtensionVersion|string|Version number of a specific browser extension.
 IsActivated|Boolean|Indicates whether a browser extension is active.
 RbacGroupId|integer|The role-based access control (RBAC) group ID.
-RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value is "Unassigned." If the organization doesn't contain any RBAC groups, the value is "None."
 InstallationTime|string|The time the browser extension was installed.
 Permissions|Array[string]|The set of permissions requested by a specific browser extension.
 
@@ -182,17 +182,13 @@ Delegated (work or school account)|Software.Read|'Read Threat and Vulnerability
 GET /api/machines/browserextensionsinventoryExport
 ```
 
-### 2.4 Parameters
-
-- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours)
-
-### 2.5 Properties
+### 2.4 Properties
 
 > [!NOTE]
 >
 > - The files are gzip compressed & in multiline JSON format.
-> - The download URLs are only valid for 3 hours. Otherwise you can use the parameter.
-> - For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
+> - The download URLs are only valid for 1 hour.
+> - For maximum download speed of your data, you can make sure you're downloading from the same Azure region that your data resides.
 
 <br>
 
 
@@ -15,8 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-
-ms.date: 07/26/2022
+ms.date: 01/08/2025
 ---
 
 # Information gathering assessment per device
@@ -70,35 +69,29 @@ Delegated (work or school account)|Vulnerability.Read|\'Read Threat and Vulnerab
 GET /api/Machines/InfoGatheringExport
 ```
 
-### 1.4 Parameters
-
-- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours)
-
-### 1.5 Properties
+### 1.4 Properties
 
 > [!NOTE]
-> The files are gzip compressed & in multiline Json format.
->
-> The download URLs are only valid for 3 hours; otherwise, you can use the parameter.
->
-> To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
->
-> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
+> 
+> - The files are gzip compressed & in multiline Json format.
+> - The download URLs are only valid for 1 hour.
+> - To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
+> - Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
 
 Property (ID)|Data type|Description
 :---|:---|:---
 |Export files|String[array]|A list of download URLs for files holding the current snapshot of the organization.
 |GeneratedTime|DateTime|The time the export was generated.
 
-### 1.6 Examples
+### 1.5 Examples
 
-#### 1.6.1 Request example
+#### 1.5.1 Request example
 
 ```http
 GET https://api.securitycenter.microsoft.com/api/machines/InfoGatheringExport?$sasValidHours=1
 ```
 
-#### 1.6.2 Response example
+#### 1.5.2 Response example
 
 ```json
 {