Merge pull request #5441 from sbreingold-ms/wi-502580-batch-2a-defender-xdr-image-reorg

wi 502580 batch 2a defender xdr image reorg

Author: mberdugo

defender-xdr/advanced-hunting-defender-use-custom-rules.md

@@ -56,7 +56,7 @@ adx('<Cluster URI>/<Database Name>').<Table Name>
 
 For example, to get the first 10 rows of data from the `StormEvents` table stored in a certain URI:
 
-:::image type="content" source="/defender-xdr/media/adx-sample.png" alt-text="Screenshot of adx operator in advanced hunting." lightbox="/defender-xdr/media/adx-sample.png":::
+:::image type="content" source="./media/advanced-hunting-defender-use-custom-rules/adx-sample.png" alt-text="Screenshot of adx operator in advanced hunting." lightbox="./media/advanced-hunting-defender-use-custom-rules/adx-sample.png":::
 
 > [!NOTE]
 > The `adx()` operator isn't supported for custom detections.
@@ -76,7 +76,7 @@ In the query editor, enter *arg("").* followed by the Azure Resource Graph table
 
 For example:
 
-:::image type="content" source="/defender-xdr/media/arg-operator2.png" alt-text="Screenshot of arg operator in advanced hunting." lightbox="/defender-xdr/media/arg-operator2.png":::
+:::image type="content" source="./media/advanced-hunting-defender-use-custom-rules/arg-operator2.png" alt-text="Screenshot of arg operator in advanced hunting." lightbox="./media/advanced-hunting-defender-use-custom-rules/arg-operator2.png":::
 
 You can also, for instance, filter a query that searches over Microsoft Sentinel data based on the results of an Azure Resource Graph query:
 
@@ -97,7 +97,7 @@ To use a saved query from Microsoft Sentinel, go to the **Queries** tab and scro
 - **Open in query editor** – Loads the query in the query editor.
 - **View details** – Opens the query details side pane where you can inspect the query, run the query, or open the query in the editor.
 
-   :::image type="content" source="/defender/media/advanced-hunting-unified-view-details.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal." lightbox="/defender/media/advanced-hunting-unified-view-details.png":::
+   :::image type="content" source="./media/advanced-hunting-defender-use-custom-rules/advanced-hunting-unified-view-details.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal." lightbox="./media/advanced-hunting-defender-use-custom-rules/advanced-hunting-unified-view-details.png":::
 
 
 For editable queries, more options are available:
@@ -120,7 +120,7 @@ To help discover threats and anomalous behaviors in your environment, you can cr
 
 For analytics rules that apply to data ingested through the connected Microsoft Sentinel workspace, select **Manage rules > Create analytics rule**.
 
-:::image type="content" source="/defender/media/advanced-hunting-unified-rules.png" alt-text="Screenshot of the options to create custom analytics or detections in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-rules.png":::
+  :::image type="content" source="./media/advanced-hunting-defender-use-custom-rules/advanced-hunting-unified-rules.png" alt-text="Screenshot of the options to create custom analytics or detections in the Microsoft Defender portal" lightbox="./media/advanced-hunting-defender-use-custom-rules/advanced-hunting-unified-rules.png":::
 
 The **Analytics rule wizard** appears. Fill up the required details as described in [Analytics rule wizard—General tab](/azure/sentinel/detect-threats-custom#analytics-rule-wizardgeneral-tab).
 

defender-xdr/advanced-hunting-limits.md

@@ -61,11 +61,11 @@ The report can be accessed in two ways:
 
 - In the advanced hunting page, select **Query resources report**:
 
-  :::image type="content" source="/defender/media/ah-query-resources/view-query-resources report.png" alt-text="view the query resources report button in the AH portal" lightbox="/defender/media/ah-query-resources/view-query-resources report.png":::
+  :::image type="content" source="./media/advanced-hunting-limits/view-query-resources report.png" alt-text="view the query resources report button in the AH portal" lightbox="./media/advanced-hunting-limits/view-query-resources report.png":::
 
 - Within the **Reports** page, find the new report entry in the **General** section
 
-  :::image type="content" source="/defender/media/ah-query-resources/reports-general-query-resources.png" alt-text="view the query resources report in the Reports section" lightbox="/defender/media/ah-query-resources/reports-general-query-resources.png":::
+  :::image type="content" source="./media/advanced-hunting-limits/reports-general-query-resources.png" alt-text="view the query resources report in the Reports section" lightbox="./media/advanced-hunting-limits/reports-general-query-resources.png":::
 
 All users can access the reports; however, only the Microsoft Entra Global Administrator, Microsoft Entra Security Administrator, and Microsoft Entra Security Reader roles can see queries done by all users in all interfaces. Any other user can only see:
 
@@ -93,7 +93,7 @@ The query resources report contains all queries that ran, including detailed res
 > [!TIP]
 > If the query state is **Failed**, you can hover the field to view the reason for the query failure.
 
-:::image type="content" source="/defender/media/ah-query-resources/excessive-usage-sample.png" alt-text="view inefficient queries" lightbox="/defender/media/ah-query-resources/excessive-usage-sample.png":::
+:::image type="content" source="./media/advanced-hunting-limits/excessive-usage-sample.png" alt-text="view inefficient queries" lightbox="./media/advanced-hunting-limits/excessive-usage-sample.png":::
 
 ### Find resource-heavy queries
 
@@ -112,7 +112,7 @@ The graph supports two views:
 - Average use per day –  the average use of resources per day
 - Highest use per day – the highest actual use of resources per day
 
-![Two view modes for query resources report](/defender/media/ah-query-resources/resource-usage-over-time.png)
+![Two view modes for query resources report](./media/advanced-hunting-limits/resource-usage-over-time.png)
 
 This means that, for instance, if on a specific day you ran two queries, one used 50% of your resources and one used 100%, the average daily use value would show 75%, while the top daily use would show 100%.
 

defender-xdr/advanced-hunting-microsoft-defender.md

@@ -66,7 +66,7 @@ You can use advanced hunting KQL (Kusto Query Language) queries to hunt through
 When you open the advanced hunting page for the first time after connecting a workspace, you can find many of that workspace's tables  organized by solution after the Microsoft Defender XDR tables under the **Schema** tab.
 
 
-:::image type="content" source="/defender/media/advanced-hunting-unified-sentinel-data.png" alt-text="Screenshot of advanced hunting schema tab in the Microsoft Defender portal highlighting location of Sentinel tables" lightbox="/defender/media/advanced-hunting-unified-sentinel-data.png":::
+:::image type="content" source="./media/advanced-hunting-microsoft-defender/advanced-hunting-unified-sentinel-data.png" alt-text="Screenshot of advanced hunting schema tab in the Microsoft Defender portal highlighting location of Sentinel tables" lightbox="./media/advanced-hunting-microsoft-defender/advanced-hunting-unified-sentinel-data.png":::
 
 
 Likewise, you can find the functions from Microsoft Sentinel in the **Functions** tab, and your shared and sample queries from Microsoft Sentinel can be found in the **Queries** tab inside folders marked **Sentinel**.
@@ -81,7 +81,7 @@ In the unified portal, in addition to viewing the schema column names and descri
 - **Data retention period** – how long the data is set to be kept
 - **Tags** – available for Sentinel data tables
 
-:::image type="content" source="/defender/media/advanced-hunting-unified-view-schema.png" alt-text="Screenshot of the schema information pane in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-view-schema.png":::
+:::image type="content" source="./media/advanced-hunting-microsoft-defender/advanced-hunting-unified-view-schema.png" alt-text="Screenshot of the schema information pane in the Microsoft Defender portal" lightbox="./media/advanced-hunting-microsoft-defender/advanced-hunting-unified-view-schema.png":::
 
 ## Known issues
 

defender-xdr/advanced-hunting-modes.md

@@ -32,7 +32,7 @@ ms.date: 03/28/2025
 
 
 
-You can find the **advanced hunting** page by going to the left navigation bar in the Microsoft Defender portal and selecting **Hunting** > **Advanced hunting**. If the navigation bar is collapsed, select the hunting icon ![hunting icon](/defender/media/guided-hunting/hunting-icon.png).
+You can find the **advanced hunting** page by going to the left navigation bar in the Microsoft Defender portal and selecting **Hunting** > **Advanced hunting**. If the navigation bar is collapsed, select the hunting icon ![hunting icon](./media/advanced-hunting-modes/hunting-icon.png).
 
 In the **advanced hunting** page, two modes are supported:
 
@@ -54,13 +54,13 @@ When you open the advanced hunting page for the first time after guided hunting
 
 To take the tour, select **Take tour** when this banner appears:
 
-[![banner inviting user to take the tour](/defender/media/guided-hunting/1-guided-hunting-banner-tb.png)](/defender/media/guided-hunting/1-guided-hunting-banner.png#lightbox)
+[![banner inviting user to take the tour](./media/advanced-hunting-modes/1-guided-hunting-banner-tb.png)](./media/advanced-hunting-modes/1-guided-hunting-banner.png#lightbox)
 
 Follow the blue teaching bubbles that appear throughout the page and select **Next** to move from one step to the next.
 
 You can take the tour again at any time by going to **Help resources** > **Learn more** and selecting **Take the tour**.
 
-![Screenshot of help resources](/defender/media/guided-hunting/help-resources.png)
+![Screenshot of help resources](./media/advanced-hunting-modes/help-resources.png)
 
 You can then start building your query to hunt for threats. The following articles can help you get the most out of hunting in guided mode:
 

defender-xdr/advanced-hunting-security-copilot.md

@@ -47,38 +47,38 @@ Users with access to Security Copilot have access to this capability in advanced
 
 1. Open the **Advanced hunting** page from the navigation bar in Microsoft Defender portal. The Security Copilot side pane for advanced hunting appears at the right hand side.
 
-    :::image type="content" source="/defender/media/advanced-hunting-security-copilot-pane-big.png" alt-text="Screenshot of the Copilot pane in advanced hunting." lightbox="/defender/media/advanced-hunting-security-copilot-pane-big.png":::
+    :::image type="content" source="./media/advanced-hunting-security-copilot/advanced-hunting-security-copilot-pane-big.png" alt-text="Screenshot of the Copilot pane in advanced hunting." lightbox="./media/advanced-hunting-security-copilot/advanced-hunting-security-copilot-pane-big.png":::
 
     You can also reopen Copilot by selecting **Copilot** at the top of the query editor.
-1. In the Copilot prompt bar, ask any threat hunting query that you want to run and press :::image type="icon" source="media/Send.png" border="false"::: or **Enter**.
+1. In the Copilot prompt bar, ask any threat hunting query that you want to run and press :::image type="icon" source="./media/advanced-hunting-security-copilot/Send.png" border="false"::: or **Enter**.
 
 
 
-    :::image type="content" source="/defender/media/advanced-hunting-security-copilot-query-big.png" alt-text="Screenshot that shows prompt bar in the Security Copilot for advanced hunting." lightbox="/defender/media/advanced-hunting-security-copilot-query-big.png":::
+    :::image type="content" source="./media/advanced-hunting-security-copilot/advanced-hunting-security-copilot-query-big.png" alt-text="Screenshot that shows prompt bar in the Security Copilot for advanced hunting." lightbox="./media/advanced-hunting-security-copilot/advanced-hunting-security-copilot-query-big.png":::
 
 1. Copilot generates a KQL query from your text instruction or question. While Copilot is generating, you can cancel the query generation by selecting **Stop generating**.
 
-    ![Screenshot of Security Copilot in advanced hunting generating a response.](/defender/media/advanced-hunting-security-copilot-generate.png)
+    ![Screenshot of Security Copilot in advanced hunting generating a response.](./media/advanced-hunting-security-copilot/advanced-hunting-security-copilot-generate.png)
 
 
 1. Review the generated query. To check how Copilot came up with the query, you can select **See the logic behind the query** below the query text to expand the explanation behind the query. Select it again to minimize.
 
-   ![Screenshot of Copilot button showing See the logic behind the query.](/defender/media/advanced-hunting-security-copilot-see-logic.png)
+   ![Screenshot of Copilot button showing See the logic behind the query.](./media/advanced-hunting-security-copilot/advanced-hunting-security-copilot-see-logic.png)
 
      You can then choose to run the query by selecting **Run query**.
 
-   ![Screenshot of Copilot button showing Run query option.](/defender/media/advanced-hunting-security-copilot-run-query.png)
+   ![Screenshot of Copilot button showing Run query option.](./media/advanced-hunting-security-copilot/advanced-hunting-security-copilot-run-query.png)
 
     The generated query then appears as the last query in the query editor and runs automatically.
 
     If you need to make further tweaks, select **Add to editor**.
 
-   ![Screenshot of Security Copilot in advanced hunting showing the Add to editor option.](/defender/media/advanced-hunting-security-copilot-add-editor.png)
+   ![Screenshot of Security Copilot in advanced hunting showing the Add to editor option.](./media/advanced-hunting-security-copilot/advanced-hunting-security-copilot-add-editor.png)
 
     The generated query appears in the query editor as the last query, where you can edit it before running using the regular **Run query** above the query editor.
 
 
-1. You can provide feedback about the generated response by selecting the feedback icon ![Screenshot of feedback icon.](/defender/media/advanced-hunting-security-copilot-feedback-icon.png) and choosing **Looks right**, **Needs improvement**, or **Inappropriate**.
+1. You can provide feedback about the generated response by selecting the feedback icon ![Screenshot of feedback icon.](./media/advanced-hunting-security-copilot/advanced-hunting-security-copilot-feedback-icon.png) and choosing **Looks right**, **Needs improvement**, or **Inappropriate**.
 
 
 > [!TIP]
@@ -94,7 +94,7 @@ You can start your first session anytime by asking a question in the Copilot sid
 
 Select the chat bubble icon (**New chat**) to discard the current session.
 
-   ![Screenshot of Security Copilot in advanced hunting showing the new chat icon.](/defender/media/advanced-hunting-security-copilot-clear-session.png)
+   ![Screenshot of Security Copilot in advanced hunting showing the new chat icon.](./media/advanced-hunting-security-copilot/advanced-hunting-security-copilot-clear-session.png)
 
 ## Query explanations
 
@@ -104,6 +104,6 @@ Select the chat bubble icon (**New chat**) to discard the current session.
 
 Select the ellipses in the Copilot side pane to choose whether or not to automatically add and run the generated query in advanced hunting.
 
-   ![Screenshot of Security Copilot in advanced hunting showing the settings ellipses icon.](/defender/media/advanced-hunting-security-copilot-settings.png)
+   ![Screenshot of Security Copilot in advanced hunting showing the settings ellipses icon.](./media/advanced-hunting-security-copilot/advanced-hunting-security-copilot-settings.png)
 
 Deselecting the **Run generated query automatically** setting gives you the option of running the generated query automatically (**Add and run**) or adding the generated query to the query editor for further modification (**Add to editor**).