Merge pull request #2487 from MicrosoftDocs/main

Publish main to live, 01/20, 11:00 AM IST

Author: aditisrivastava07

CloudAppSecurityDocs/behaviors.md

@@ -26,22 +26,22 @@ While behaviors might be related to security scenarios, they're not necessarily
 
 Behaviors currently support low-fidelity, Defender for Cloud Apps detections, that may not meet the standard for alerts but are still useful in providing context during an investigation. Currently supported detections include:
 
-|Alert name  |Policy name  |
-|---------|---------|
-|**Activity from infrequent country**  |Activity from infrequent country/region   |
-|**Impossible travel activity**  |Impossible travel  |
-|**Mass delete**  |Unusual file deletion activity (by user)  |
-|**Mass download**  |Unusual file download (by user)  |
-|**Mass share**  |Unusual file share activity (by user)  |
-|**Multiple delete VM activities**  |Multiple delete VM activities  |
-|**Multiple failed login attempts**  |Multiple failed sign-in attempts  |
-|**Multiple Power BI report sharing activities**  |Multiple Power BI report sharing activities  |
-|**Multiple VM creation activities**  |Multiple VM creation activities  |
-|**Suspicious administrative activity**  |Unusual administrative activity (by user)  |
-|**Suspicious impersonated activity**  |Unusual impersonated activity (by user)  |
-|**Suspicious OAuth app file download activities**  |Suspicious OAuth app file download activities  |
-|**Suspicious Power BI report sharing**  |Suspicious Power BI report sharing   |
-|**Unusual addition of credentials to an OAuth app**  |Unusual addition of credentials to an OAuth app  |
+|Alert name  |Policy name  |ActionType (Hunting)|
+|---------|---------|---------|
+|**Activity from infrequent country**  |Activity from infrequent country/region   |ActivityFromInfrequentCountry|
+|**Impossible travel activity**  |Impossible travel  |ImpossibleTravelActivity|
+|**Mass delete**  |Unusual file deletion activity (by user)  |MassDelete|
+|**Mass download**  |Unusual file download (by user)  |MassDownload|
+|**Mass share**  |Unusual file share activity (by user)  |MassShare|
+|**Multiple delete VM activities**  |Multiple delete VM activities  |MultipleDeleteVmActivities|
+|**Multiple failed login attempts**  |Multiple failed sign-in attempts  |MultipleFailedLoginAttempts|
+|**Multiple Power BI report sharing activities**  |Multiple Power BI report sharing activities  |MultiplePowerBiReportSharingActivities|
+|**Multiple VM creation activities**  |Multiple VM creation activities  |MultipleVmCreationActivities|
+|**Suspicious administrative activity**  |Unusual administrative activity (by user)  |SuspiciousAdministrativeActivity|
+|**Suspicious impersonated activity**  |Unusual impersonated activity (by user)  |SuspiciousImpersonatedActivity|
+|**Suspicious OAuth app file download activities**  |Suspicious OAuth app file download activities  |SuspiciousOauthAppFileDownloadActivities|
+|**Suspicious Power BI report sharing**  |Suspicious Power BI report sharing   |SuspiciousPowerBiReportSharing|
+|**Unusual addition of credentials to an OAuth app**  |Unusual addition of credentials to an OAuth app  |UnusualAdditionOfCredentialsToAnOauthApp|
 
 
 ## Defender for Cloud Apps' transition from alerts to behaviors

defender-xdr/advanced-hunting-deviceevents-table.md

@@ -97,12 +97,12 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `AdditionalFields` | `string` | Additional information about the event in JSON array format |
 | `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
 | `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
-| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
-| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process's RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process's RDP session was initiated |
 | `CreatedProcessSessionId` | `long` | Windows session ID of the created process |
 |`IsProcessRemoteSession` | `bool` | Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
-| `ProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the created process’s RDP session was initiated |
-| `ProcessRemoteSessionIP` | `string` | IP address of the remote device from which the created process’s RDP session was initiated |
+| `ProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the created process's RDP session was initiated |
+| `ProcessRemoteSessionIP` | `string` | IP address of the remote device from which the created process's RDP session was initiated |
 
 
 

defender-xdr/advanced-hunting-devicefileevents-table.md

@@ -94,8 +94,8 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `AdditionalFields` | `string` | Additional information about the entity or event |
 | `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
 | `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
-| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
-| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process's RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process's RDP session was initiated |
 
 
 > [!NOTE]

defender-xdr/advanced-hunting-deviceimageloadevents-table.md

@@ -78,8 +78,8 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
 | `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
-| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
-| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process's RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process's RDP session was initiated |
 
 
 ## Related topics

defender-xdr/advanced-hunting-devicelogonevents-table.md

@@ -87,8 +87,8 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `AdditionalFields` | `string` | Additional information about the event in JSON array format |
 | `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
 | `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
-| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
-| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process's RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process's RDP session was initiated |
 
 
 > [!NOTE]

defender-xdr/advanced-hunting-devicenetworkevents-table.md

@@ -83,8 +83,8 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `AdditionalFields` | `string` | Additional information about the event in JSON array format |
 | `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
 | `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
-| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
-| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process's RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process's RDP session was initiated |
 
 
 ## Related topics

defender-xdr/advanced-hunting-deviceprocessevents-table.md

@@ -101,12 +101,12 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `AdditionalFields` | `string` | Additional information about the event in JSON array format |
 | `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
 | `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
-| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
-| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process's RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process's RDP session was initiated |
 | `CreatedProcessSessionId` | `long` | Windows session ID of the created process |
 |`IsProcessRemoteSession` | `bool` | Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
-| `ProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the created process’s RDP session was initiated |
-| `ProcessRemoteSessionIP` | `string` | IP address of the remote device from which the created process’s RDP session was initiated |
+| `ProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the created process's RDP session was initiated |
+| `ProcessRemoteSessionIP` | `string` | IP address of the remote device from which the created process's RDP session was initiated |
 
 
 ## Related topics

defender-xdr/advanced-hunting-deviceregistryevents-table.md

@@ -79,8 +79,8 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
 | `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
-| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
-| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process's RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process's RDP session was initiated |
 
 
 ## Related topics

defender-xdr/investigate-respond-container-threats.md

@@ -26,7 +26,7 @@ appliesto:
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
 > [!IMPORTANT]
-> Some information in this article relates to a prereleased product, which may be substantially modified before it’s commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here
+> Some information in this article relates to a prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here
 
 Security operations can now investigate and respond to container-related alerts in near real-time and hunt for related activities with the integration of cloud-native response actions and investigation logs in the Microsoft Defender portal. The availability of attack paths can also help analysts immediately investigate and address critical security issues to prevent a potential breach.
 
@@ -100,7 +100,7 @@ Access threat analytics reports from **Threat intelligence > Threat analytics**.
 
 :::image type="content" source="/defender/media/defender-containers/view-threat-analytics-small.png" alt-text="Highlighting how to view threat analytics reports from the incident page." lightbox="/defender/media/defender-containers/view-threat-analytics.png":::
 
-Threat analytics reports also contain relevant mitigation, recovery, and prevention methods that analysts can assess and apply to their environment. Using the information in threat analytics reports helps SOC teams defend and protect their environment from container attacks. Here’s an example of an analyst report about a container attack.
+Threat analytics reports also contain relevant mitigation, recovery, and prevention methods that analysts can assess and apply to their environment. Using the information in threat analytics reports helps SOC teams defend and protect their environment from container attacks. Here's an example of an analyst report about a container attack.
 
 :::image type="content" source="/defender/media/defender-containers/threat-analytics-sample-small.png" alt-text="Sample page of a container attack threat analytics report." lightbox="/defender/media/defender-containers/threat-analytics-sample.png":::
 

defender-xdr/irm-investigate-alerts-defender.md

@@ -26,7 +26,7 @@ appliesto:
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
 > [!IMPORTANT]
-> Some information in this article relates to a prereleased product, which may be substantially modified before it’s commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here.
+> Some information in this article relates to a prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here.
 
 [Microsoft Purview Insider Risk Management alerts](/purview/insider-risk-management-activities#alert-dashboard) in the Microsoft Defender portal are vital for protecting an organization's sensitive information and maintaining security. These alerts and insights from Microsoft Purview Insider Risk Management help identify and mitigate internal threats like data leaks and intellectual property theft by employees or contractors. Monitoring these alerts allows organizations to address security incidents proactively, ensuring sensitive data remains protected and compliance requirements are met.
 
@@ -41,11 +41,11 @@ You can manage insider risk management alerts in the Microsoft Defender portal b
 - View individual insider risk alerts in the [alert queue](investigate-alerts.md).
 - Filter by service source on the incident and alert queues.
 - Hunt for all activities and all alerts related to the user in the insider risk alert.
-- View a user’s insider risk activity summary and risk level in the user entity page.
+- View a user's insider risk activity summary and risk level in the user entity page.
 
 ## Know before you begin
 
-If you’re new to Microsoft Purview and insider risk management, consider reading the following articles:
+If you're new to Microsoft Purview and insider risk management, consider reading the following articles:
 
 - [Learn about Microsoft Purview](/purview/purview)
 - [Learn about Microsoft Purview Insider Risk Management](/purview/insider-risk-management)