MicrosoftDocs
diff --git a/‎.openpublishing.redirection.ata-atp.json‎
Lines changed: 6 additions & 1 deletion b/‎.openpublishing.redirection.ata-atp.json‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎ATPDocs/alerts-overview.md‎
Lines changed: 22 additions & 13 deletions b/‎ATPDocs/alerts-overview.md‎
Lines changed: 22 additions & 13 deletions
diff --git a/‎ATPDocs/cef-format-sa.md‎
Lines changed: 3 additions & 3 deletions b/‎ATPDocs/cef-format-sa.md‎
Lines changed: 3 additions & 3 deletions
@@ -1039,6 +1039,11 @@
       "source_path": "ATPDocs/security-assessment-legacy-protocols.md",
       "redirect_url": "/defender-for-identity/security-assessment",
       "redirect_document_id": false
-    }
+    },
+    {
+      "source_path": "ATPDocs/manage-security-alerts.md",
+      "redirect_url": "/defender-for-identity/understanding-security-alerts",
+      "redirect_document_id": false
+    },  
   ]
 }
@@ -1,17 +1,29 @@
 ---
 title: Security alerts
 description: This article provides a list of the security alerts issued by Microsoft Defender for Identity.
-ms.date: 03/23/2023
-ms.topic: conceptual
-ms.reviewer: morRubin
+ms.date: 05/08/2025
+ms.topic: reference
+ms.reviewer: rlitinsky
 ---
 
 # Security alerts in Microsoft Defender for Identity
 
+## What are Microsoft Defender for Identity security alerts?
+
+Microsoft Defender for Identity security alerts provide information about the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.
+
 > [!NOTE]
-> The experience described in this page can be accessed at <https://security.microsoft.com> as part of Microsoft Defender XDR.
+> Defender for Identity isn't designed to serve as an auditing or logging solution that captures every single operation or activity on the servers where the sensor is installed. It only captures the data required for its detection and recommendation mechanisms.
+
+The Identity alerts page gives you cross-domain signal enrichment and  automated identity response capabilities. The benefit of investigating alerts with [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender) is that Microsoft Defender for Identity alerts are correlated with information obtained from each of the other products in the suite. These enhanced alerts are consistent with the other Microsoft Defender XDR alert formats originating from [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security) and [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint).
+
+Alerts originating from Defender for Identity trigger [Microsoft Defender XDR automated investigation and response (AIR)](/microsoft-365/security/defender/m365d-autoir) capabilities, including automatically remediating alerts and the mitigation of tools and processes that can contribute to the suspicious activity.
 
-Microsoft Defender for Identity security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.
+Microsoft Defender for Identity alerts currently appear in two different layouts in the Microsoft Defender XDR portal. While the alert views may show different information, all alerts are based on detections from Defender for Identity sensors. The differences in layout and information shown are part of an ongoing transition to a unified alerting experience across Microsoft Defender products.
+
+For more information, see [View and manage security alerts](understanding-security-alerts.md).
+
+## Alert categories
 
 Defender for Identity security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:
 
@@ -21,14 +33,11 @@ Defender for Identity security alerts are divided into the following categories
 1. [Lateral movement alerts](lateral-movement-alerts.md)
 1. [Other alerts](other-alerts.md)
 
-To learn more about the structure and common components of all Defender for Identity security alerts, see [Understanding security alerts](understanding-security-alerts.md).
 
-## Security alert name mapping and unique external IDs
+##  Map security alerts to unique external ID and MITRE ATT&CK Matrix tactics
 
 The following table lists the mapping between alert names, their corresponding unique external IDs, their severity, and their MITRE ATT&CK Matrix&trade; tactic. When used with scripts or automation, Microsoft recommends use of alert external IDs in place of alert names, as only security alert external IDs are permanent, and not subject to change.
 
-### External IDs
-
 | Security  alert name                                         | Unique  external ID | Severity                                                 | MITRE  ATT&CK Matrix™                                        |
 | ------------------------------------------------------------ | ------------------- | -------------------------------------------------------- | ------------------------------------------------------------ |
 | [Suspected SID-History injection](persistence-privilege-escalation-alerts.md#suspected-sid-history-injection-external-id-1106)              | 1106                | High                                                   | Privilege Escalation                                             |
@@ -56,7 +65,7 @@ The following table lists the mapping between alert names, their corresponding u
 | [Suspected   Golden Ticket usage (nonexistent account)](persistence-privilege-escalation-alerts.md#suspected-golden-ticket-usage-nonexistent-account-external-id-2027)        | 2027                | High                                                     | Persistence, Privilege Escalation, Lateral movement          |
 | [Suspected   DCShadow attack (domain controller promotion)](other-alerts.md#suspected-dcshadow-attack-domain-controller-promotion-external-id-2028)    | 2028                | High                                                     | Defense evasion                                              |
 | [Suspected   DCShadow attack (domain controller replication request)](other-alerts.md#suspected-dcshadow-attack-domain-controller-replication-request-external-id-2029) | 2029                | High                                                     | Defense evasion                                              |
-| [Data   exfiltration over SMB](other-alerts.md#data-exfiltration-over-smb-external-id-2030)                                 | 2030                | High                                                     | Exfiltration, Lateral movement, Command and control          |
+| [Data   exfiltration over SMB](other-alerts.md#data-exfiltration-over-smb-external-id-2030)                                 | 2030                | High                                                     | Exfiltration, Lateral movement, Command, and control          |
 | [Suspicious   communication over DNS](other-alerts.md#suspicious-communication-over-dns-external-id-2031)                          | 2031                | Medium                                                   | Exfiltration                                                 |
 | [Suspected   Golden Ticket usage (ticket anomaly)](persistence-privilege-escalation-alerts.md#suspected-golden-ticket-usage-ticket-anomaly-external-id-2032)             | 2032                | High                                                     | Persistence, Privilege Escalation, Lateral movement          |
 | [Suspected   Brute Force attack (SMB)](lateral-movement-alerts.md#suspected-brute-force-attack-smb-external-id-2033)                         | 2033                | Medium                                                   | Lateral movement                                             |
@@ -101,10 +110,10 @@ The following table lists the mapping between alert names, their corresponding u
 |[Group Policy Tampering ](/defender-for-identity/other-alerts)|2440|Medium|Defense evasion|
 
 > [!NOTE]
-> To disable any security alert, contact support.
+> Contact support to disable security alerts.
 
 ## See Also
 
-- [Working with security alerts](/defender-for-identity/manage-security-alerts)
-- [Understanding security alerts](understanding-security-alerts.md)
+- [View and manage security alerts](understanding-security-alerts.md)
+- [Investigate security alerts](/defender-for-identity/investigate-security-alerts)
 - [Check out the Defender for Identity forum!](<https://aka.ms/MDIcommunity>)
@@ -40,14 +40,14 @@ The cs2 field identifies if the alert is new or updated.
 The cs3 field identifies the fully qualified domain name of the source computer name.
 
 > [!NOTE]
-> If you plan to create automation or scripts for Defender for Identity SIEM logs, we recommend using the **externalId** field to identify the alert type instead of using the alert name for this purpose. Alert names may occasionally be modified, while the **externalId** of each alert is permanent. For a list of external IDs, see [Security alert name mapping and unique external IDs](alerts-overview.md#security-alert-name-mapping-and-unique-external-ids).
+> If you plan to create automation or scripts for Defender for Identity SIEM logs, we recommend using the **externalId** field to identify the alert type instead of using the alert name for this purpose. Alert names may occasionally be modified, while the **externalId** of each alert is permanent. For a list of external IDs, see [Security alert name mapping and unique external IDs](alerts-overview.md#map-security-alerts-to-unique-external-id-and-mitre-attck-matrix-tactics).
 
 ## Sample logs
 
 The log examples comply with RFC 5424, but Defender for Identity also supports RFC 3164.
 
 >[!NOTE]
->The list below is a sample of logs sent to a SIEM. For a full list of alert details, see [Security alert name mapping and unique external IDs](alerts-overview.md#security-alert-name-mapping-and-unique-external-ids).
+>The list below is a sample of logs sent to a SIEM. For a full list of alert details, see [Security alert name mapping and unique external IDs](alerts-overview.md#map-security-alerts-to-unique-external-id-and-mitre-attck-matrix-tactics).
 
 Priorities:
 
@@ -197,7 +197,7 @@ Priorities:
 
 ## See Also
 
-- [Security alert name mapping and unique external IDs](alerts-overview.md#security-alert-name-mapping-and-unique-external-ids).
+- [Security alert name mapping and unique external IDs](alerts-overview.md#map-security-alerts-to-unique-external-id-and-mitre-attck-matrix-tactics).
 - [Configure event collection](deploy/configure-event-collection.md)
 - [Configuring Windows event forwarding](deploy/configure-event-forwarding.md)
 - [Check out the Defender for Identity forum](https://aka.ms/MDIcommunity)
Original file line number	Diff line number	Diff line change
`@@ -1039,6 +1039,11 @@`
`1039`	`1039`	`"source_path": "ATPDocs/security-assessment-legacy-protocols.md",`
`1040`	`1040`	`"redirect_url": "/defender-for-identity/security-assessment",`
`1041`	`1041`	`"redirect_document_id": false`
`1042`		`- }`
	`1042`	`+ },`
	`1043`	`+ {`
	`1044`	`+ "source_path": "ATPDocs/manage-security-alerts.md",`
	`1045`	`+ "redirect_url": "/defender-for-identity/understanding-security-alerts",`
	`1046`	`+ "redirect_document_id": false`
	`1047`	`+ },`
`1043`	`1048`	`]`
`1044`	`1049`	`}`