MicrosoftDocs
diff --git a/‎.openpublishing.redirection.defender-xdr.json‎
Lines changed: 11 additions & 0 deletions b/‎.openpublishing.redirection.defender-xdr.json‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎defender-xdr/microsoft-365-security-center-mdi.md‎ renamed to ‎ATPDocs/microsoft-365-security-center-mdi.md‎
Lines changed: 24 additions & 26 deletions b/‎defender-xdr/microsoft-365-security-center-mdi.md‎ renamed to ‎ATPDocs/microsoft-365-security-center-mdi.md‎
Lines changed: 24 additions & 26 deletions
diff --git a/‎ATPDocs/toc.yml‎
Lines changed: 5 additions & 3 deletions b/‎ATPDocs/toc.yml‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎CloudAppSecurityDocs/activity-filters-queries.md‎
Lines changed: 4 additions & 1 deletion b/‎CloudAppSecurityDocs/activity-filters-queries.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎CloudAppSecurityDocs/app-governance-app-policies-create.md‎
Lines changed: 1 addition & 1 deletion b/‎CloudAppSecurityDocs/app-governance-app-policies-create.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CloudAppSecurityDocs/app-governance-manage-app-governance.md‎
Lines changed: 1 addition & 1 deletion b/‎CloudAppSecurityDocs/app-governance-manage-app-governance.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CloudAppSecurityDocs/app-governance-predefined-policies.md‎
Lines changed: 1 addition & 1 deletion b/‎CloudAppSecurityDocs/app-governance-predefined-policies.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CloudAppSecurityDocs/app-governance-secure-apps-app-hygiene-features.md‎
Lines changed: 1 addition & 1 deletion b/‎CloudAppSecurityDocs/app-governance-secure-apps-app-hygiene-features.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CloudAppSecurityDocs/investigate-anomaly-alerts.md‎
Lines changed: 4 additions & 65 deletions b/‎CloudAppSecurityDocs/investigate-anomaly-alerts.md‎
Lines changed: 4 additions & 65 deletions
diff --git a/‎CloudAppSecurityDocs/mde-investigation.md‎
Lines changed: 1 addition & 1 deletion b/‎CloudAppSecurityDocs/mde-investigation.md‎
Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,16 @@
 {
   "redirections": [
+    {
+      "source_path": "defender-xdr/microsoft-365-security-center-defender-cloud-apps.md",
+      "redirect_url": "/defender-cloud-apps/microsoft-365-security-center-defender-cloud-apps",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/microsoft-365-security-center-mdi.md",
+      "redirect_url": "/defender-for-identity/microsoft-365-security-center-mdi",
+      "redirect_document_id": false
+    },
+
     {
       "source_path": "defender-xdr/eval-create-eval-environment.md",
       "redirect_url": "/defender-xdr/pilot-deploy-overview",
 
@@ -11,16 +11,18 @@ items:
     href: zero-trust.md
   - name: System architecture
     href: architecture.md
-  - name: Defender for Identity in Microsoft Defender XDR
-    href: /microsoft-365/security/defender/microsoft-365-security-center-mdi?bc=/defender-for-identity/bread/toc.json&toc=/defender-for-identity/TOC.json
+  - name: Defender for Identity in the Microsoft Defender portal
+    href: microsoft-365-security-center-mdi.md
   - name: Defender for Identity for US Government
     href: us-govt-gcc-high.md
 - name: Deploy
   expanded: true
   items:
   - name: Quick installation guide
     href: deploy/quick-installation-guide.md
-  - name: Deployment overview
+  - name: Pilot and deploy Microsoft Defender XDR
+    href: /defender-xdr/pilot-deploy-overview?toc=/defender-for-identity/toc.json&bc=/defender-for-identity/breadcrumb/toc.json
+  - name: Defender for Identity deployment overview
     href: deploy/deploy-defender-identity.md
   - name: Plan and prepare
     items:
 
@@ -20,8 +20,11 @@ Below is a list of the activity filters that can be applied. Most filters suppor
 - Activity objects – Search for the objects the activity was done on. This filter applies to files, folders, users, or app objects.
     - Activity object ID - the ID of the object (file, folder, user, or app ID).
 
-    - Item - Enables you to search by the name or ID of any activity object (for example, user names, files, parameters, sites). For the **Activity object Item** filter, you can select whether to filter for items that **Contain**, **Equal**, or **Starts with** the specific item.
+    - Item - Enables you to search by the name or ID of any activity object (for example, user names, files, parameters, sites). For the **Activity object Item** filter, you can select whether to filter for items that **Contains**, **Equals**, or **Starts with** the specific item.
 
+    > [!NOTE]
+    > Activity-Policy's **Activity object Item** filter supports the **Equals** operator only.
+  
 - Action type - Search for a more specific action performed in an app.
 
 - Activity type - Search for the app activity.
 
@@ -17,7 +17,7 @@ Use app governance to create OAuth policies for apps connected to Microsoft 365,
 
 <br>
 
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4YU37]
+>[!VIDEO https://learn-video.azurefd.net/vod/player?id=b10dbf02-9f56-4f37-8c68-8221be5b4aea]
 
 <a name='create-oauth-app-policies-for-azure-ad'></a>
 
 
@@ -11,7 +11,7 @@ Cyber attacks have become increasingly sophisticated in the ways they exploit th
 
 To understand the potential risks and stop these types of attacks, you need to gain clear visibility into your organization’s app compliance posture. You need to be able to quickly identify when an app exhibits anomalous behaviors and respond when these behaviors present risks to your environment, data, and users. <br><br>
 
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4S7sp]
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=ed7ad7f7-58dc-4a09-ace3-e1d6b8f55353]
 
 ## App governance features
 
 
@@ -10,7 +10,7 @@ description: Get started learning about predefined app policies.
 App governance contains a set of out of the box policies to detect anomalous app behaviors. These policies are activated by default, but you can deactivate them if you choose to.<br>
 <br>
 
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4YpJN]
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=22872b35-18aa-424d-bec7-3f77869a5e47]
 
 ## Working with predefined policies
 
 
@@ -17,7 +17,7 @@ These features enable automatic control over these apps and provide extra app be
 
 Watch this video for a brief explanation of these features:
 
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWWYEm]
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=d22073a4-555a-413a-8e01-fc0f42d97f6f]
 
 ## App insights
 
 
@@ -40,7 +40,6 @@ Following proper investigation, all Defender for Cloud Apps alerts can be classi
 
 You should use the following general guidelines when investigating any type of alert to gain a clearer understanding of the potential threat before applying the recommended action.
 
-- Review the user's [investigation priority score](tutorial-ueba.md#understand-the-investigation-priority-score) and compare with the rest of the organization. This will help you identify which users in your organization pose the greatest risk.
 - If you identify a **TP**, review all the user's activities to gain an understanding of the impact.
 - Review all user activity for other indicators of compromise and explore the source and scope of impact. For example, review the following user device information and compare with known device information:
   - Operating system and version
@@ -712,74 +711,14 @@ Establishing a new user's activity pattern requires an initial learning period o
 1. Review the deletion activities and create a list of deleted files. If needed, recover the deleted files.
 1. Optionally, create a playbook using Power Automate to contact users and their managers to verify the activity.
 
-### Investigation priority score increase (preview)
+### Investigation priority score increase (legacy)
 
-Anomalous activities and activities that triggered alerts are given scores based on severity, user impact, and behavioral analysis of the user. The analysis is done based on other users in the tenants.
+Starting November 2024, **Investigate risky users** support for Microsoft Defender for Cloud Apps is retired. If this feature was used in your organization and is needed, we recommend using the Entra risk score feature. Please use the following resources for additional information:
 
-When there's a significant and anomalous increase in the investigation priority score of a certain user, the alert will be triggered.
+- [Investigate risk Microsoft Entra ID Protection - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/howto-identity-protection-investigate-risk)
 
-This alert enables detecting potential breaches that are characterized by activities that don't necessarily trigger specific alerts but accumulate to a suspicious behavior for the user.
+- [Microsoft Entra ID Protection risk-based access policies - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/concept-identity-protection-policies)
 
-**Learning period**
-
-Establishing a new user's activity pattern requires an initial learning period of seven days, during which alerts aren't triggered for any score increase.
-
-**TP**, **B-TP**, or **FP**?
-
-1. **TP**: If you're able to confirm that the activities of the user aren't legitimate.
-  
-    **Recommended action**: Suspend the user, mark the user as compromised, and reset their password.
-
-1. **B-TP**: If you're able to confirm that user indeed significantly deviated from usual behavior, but there's no potential breach.
-
-1. **FP**  (Unusual behavior): If you're able to confirm that the user legitimately performed the unusual activities, or more activities than the established baseline.
-
-    **Recommended action**: Dismiss the alert.
-
-**Understand the scope of the breach**
-
-1. Review all user activity and alerts for additional indicators of compromise.
-
-#### Deprecation timeline
-
-We're gradually retiring the **Investigation priority score increase** alert from Microsoft Defender for Cloud Apps by August 2024.
-
-After careful analysis and consideration, we decided to deprecate it due to the high rate of false positives associated with this alert, which we found wasn't contributing effectively to the overall security of your organization.
-
-Our research indicated that this feature wasn't adding significant value and wasn't aligned with our strategic focus on delivering high-quality, reliable security solutions.
-
-We're committed to continuously improving our services and ensuring that they meet your needs and expectations.
-
-For those who wish to continue using this alert, we suggest using the following advanced hunting query instead as a suggested template. Modify the query based on your needs.
-
-```kql    
-let time_back = 1d;
-let last_seen_threshold = 30;
-// the number of days which the resource is considered to be in use by the user lately, and therefore not indicates anomaly resource usage
-// anomaly score based on LastSeenForUser column in CloudAppEvents table
-let last_seen_scores =
-CloudAppEvents
-| where Timestamp > ago(time_back)
-| where isnotempty(LastSeenForUser)
-| mv-expand LastSeenForUser
-| extend resource = tostring(bag_keys(LastSeenForUser)[0])
-| extend last_seen = LastSeenForUser[resource]
-| where last_seen < 0 or last_seen > last_seen_threshold
-// score is calculated as the number of resources which were never seen before or breaching the chosen threshold
-| summarize last_seen_score = dcount(resource) by ReportId, AccountId;
-// anomaly score based on UncommonForUser column in CloudAppEvents table
-let uncommonality_scores =
-CloudAppEvents
-| where Timestamp > ago(time_back)
-| where isnotempty(UncommonForUser)
-| extend uncommonality_score = array_length(UncommonForUser)
-// score is calculated as the number of uncommon resources on the event
-| project uncommonality_score, ReportId, AccountId;
-last_seen_scores | join kind=innerunique uncommonality_scores on ReportId and AccountId
-| project-away ReportId1, AccountId1
-| extend anomaly_score = last_seen_score + uncommonality_score
-// joined scores
-```
 
 ## See also
 
 
@@ -110,7 +110,7 @@ Sometimes, access to an unsanctioned app isn't blocked, either because the endpo
 
 ## Related videos
 
-- [Hunting with Microsoft Cloud App Security data](https://www.microsoft.com/videoplayer/embed/RWFISa)
+- [Hunting with Microsoft Cloud App Security data](https://learn-video.azurefd.net/vod/player?id=ffdedc73-6edf-45a9-8c90-566296e8d4ec)
 
 - [Discover and block Shadow IT using Defender for Endpoint](https://www.youtube.com/watch?v=MsHkTOoqSQo)