Commit 8bf714a

move the location of the banner message
1 parent 791c98e commit 8bf714a

1 file changed

+11
-11
lines changed

CloudAppSecurityDocs/anomaly-detection-policy.md

Lines changed: 11 additions & 11 deletions
@@ -7,17 +7,6 @@ ms.topic: how-to
77

88
# Create Defender for Cloud Apps anomaly detection policies
99

10-
> [!IMPORTANT]
11-
> Starting June 2025, Microsoft Defender for Cloud Apps began transitioning anomaly detection policies to a dynamic threat detection model. This model automatically adapts detection logic to the evolving threat landscape, keeping detections current without manual configuration or policy updates. As part of these improvements to overall security, and to provide more accurate and timely alerts, several legacy policies have been disabled:
12-
>
13-
> - [Activity from suspicious IP addresses](#activity-from-suspicious-ip-addresses)
14-
> - [Suspicious inbox manipulation rules](#suspicious-inbox-manipulation-rules)
15-
> - [Suspicious email deletion activity](#suspicious-email-deletion-activity-preview)
16-
> - [Activity from anonymous IP addresses](#activity-from-anonymous-ip-addresses)
17-
> - [Suspicious inbox forwarding](#suspicious-inbox-forwarding).
18-
>
19-
> You will continue to receive the same standard of protection without disruption to your existing security coverage. No action is required from your side.
20-
2110

2211
The Microsoft Defender for Cloud Apps anomaly detection policies provide out-of-the-box user and entity behavioral analytics (UEBA) and machine learning (ML) so that you're ready from the outset to run advanced threat detection across your cloud environment. Because they're automatically enabled, the new anomaly detection policies immediately start the process of detecting and collating results, targeting numerous behavioral anomalies across your users and the machines and devices connected to your network. In addition, the policies expose more data from the Defender for Cloud Apps detection engine, to help you speed up the investigation process and contain ongoing threats.
2312

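Review bot: removing original lines 10-20 leaves two consecutive blank lines between the `# Create Defender for Cloud Apps anomaly detection policies` heading and the intro paragraph (original line 9 and original line 21, now line 10, are both empty); drop one so the file keeps a single blank line after the heading. With the notice moved out of the top section, the intro paragraph's statement that the policies are "automatically enabled" and "immediately start the process of detecting" now stands alone with nothing indicating that five legacy policies are disabled; a short pointer such as "See the note under the policy list for legacy policies that have been disabled." would keep the top of the page accurate for readers who stop before the list.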
@@ -52,6 +41,17 @@ You can see the anomaly detection policies in the Microsoft Defender Portal, by
5241

5342
The following anomaly detection policies are available:
5443

44+
> [!IMPORTANT]
45+
> Starting June 2025, Microsoft Defender for Cloud Apps began transitioning anomaly detection policies to a dynamic threat detection model. This model automatically adapts detection logic to the evolving threat landscape, keeping detections current without manual configuration or policy updates. As part of these improvements to overall security, and to provide more accurate and timely alerts, several legacy policies have been disabled:
46+
>
47+
> - [Activity from suspicious IP addresses](#activity-from-suspicious-ip-addresses)
48+
> - [Suspicious inbox manipulation rules](#suspicious-inbox-manipulation-rules)
49+
> - [Suspicious email deletion activity](#suspicious-email-deletion-activity-preview)
50+
> - [Activity from anonymous IP addresses](#activity-from-anonymous-ip-addresses)
51+
> - [Suspicious inbox forwarding](#suspicious-inbox-forwarding).
52+
>
53+
> You will continue to receive the same standard of protection without disruption to your existing security coverage. No action is required from your side.
54+
5555
### Impossible travel
5656

5757
This detection identifies two user activities (in a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second, indicating that a different user is using the same credentials. This detection uses a machine-learning algorithm that ignores obvious "false positives" contributing to the impossible travel condition, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days during which it learns a new user's activity pattern. The impossible travel detection identifies unusual and impossible user activity between two locations. The activity should be unusual enough to be considered an indicator of compromise and worthy of an alert. To make this work, the detection logic includes different levels of suppression to address scenarios that can trigger false positive, such as VPN activities, or activity from cloud providers that don't indicate a physical location. The [sensitivity slider](#tune-anomaly-detection-policies) allows you to affect the algorithm and define how strict the detection logic is. The higher the sensitivity level, fewer activities will be suppressed as part of the detection logic. In this way, you can adapt the detection according to your coverage needs and your SNR targets.
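Review bot: the moved note now sits directly under "The following anomaly detection policies are available:" while its own text says several of the listed policies "have been disabled", so the lead sentence and the note contradict each other at a glance; consider rewording the lead sentence (for example, "The following anomaly detection policies are described below; see the note for legacy policies that have been disabled:") or marking the five disabled entries where they appear in the list. Minor: the last bullet `> - [Suspicious inbox forwarding](#suspicious-inbox-forwarding).` keeps a trailing period that the other four bullets lack; drop it for consistency.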
