MicrosoftDocs
diff --git a/‎defender-endpoint/machines-view-overview.md‎
Lines changed: 6 additions & 0 deletions b/‎defender-endpoint/machines-view-overview.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎defender-xdr/TOC.yml‎
Lines changed: 2 additions & 0 deletions b/‎defender-xdr/TOC.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎defender-xdr/activate-defender-rbac.md‎
Lines changed: 9 additions & 8 deletions b/‎defender-xdr/activate-defender-rbac.md‎
Lines changed: 9 additions & 8 deletions
diff --git a/‎defender-xdr/create-custom-rbac-roles.md‎
Lines changed: 1 addition & 0 deletions b/‎defender-xdr/create-custom-rbac-roles.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎defender-xdr/custom-permissions-details.md‎
Lines changed: 2 additions & 1 deletion b/‎defender-xdr/custom-permissions-details.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎defender-xdr/edit-delete-rbac-roles.md‎
Lines changed: 1 addition & 0 deletions b/‎defender-xdr/edit-delete-rbac-roles.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎defender-xdr/investigate-incidents.md‎
Lines changed: 13 additions & 12 deletions b/‎defender-xdr/investigate-incidents.md‎
Lines changed: 13 additions & 12 deletions
@@ -136,6 +136,7 @@ The available device properties to use as filters vary based on the device inven
 |**Device subtype**|<ul><li>**All devices**</li><li>**IoT/OT**</li></ul>|The subtype value assigned to the device. Enter a value or select an available value (for example, **Video conference**).|
 |**Device type**|<ul><li>**All devices**</li><li>**IoT/OT**</li></ul>|The type value assigned to the device. Enter a value or select an available value (for example, **Audio and Video**).|
 |**Device value**|All|The assigned value of the device. The available values are **High** and **Low**.|
+|**Discovery sources**|All|The source reporting on the device.|
 |**Exclusion state**|All|The available values are **Not excluded** and **Excluded**. For more information, see [Exclude devices](exclude-devices.md).|
 |**Exposure level**|All|The exposure level of the device based on pending security recommendations. The available values are: <ul><li>**High**</li><li>**Medium**</li><li>**Low**: Devices are less vulnerable to exploitation.</li><li>**No data available**: Possible causes for this value include: <ul><li>The device is inactive (stopped reporting for more than 30 days).</li><li>The OS on the device isn't supported. For more information, see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md).</li><li>The agent software on the device is stale (unlikely).</li></ul></li></ul>|
 |**First seen**|All tabs except **Network devices**|How long ago the device was first seen on the network or when it was first reported by the Microsoft Defender for Endpoint sensor. The available values are **Last 7 days** or **Over 7 days ago**.|
@@ -178,6 +179,7 @@ You can sort the entries by clicking on an available column header. Select :::im
   - **OS version**<sup\*</sup>
   - **Sensor health state**<sup\*</sup>
   - **Onboarding status**<sup\*</sup>
+  - **Discovery sources**
   - **First seen**
   - **Last device update**<sup\*</sup>
   - **Tags**<sup\*</sup>
@@ -204,6 +206,7 @@ You can sort the entries by clicking on an available column header. Select :::im
   - **Criticality level**<sup\*</sup>
   - **Sensor health state**<sup\*</sup>
   - **Onboarding status**<sup\*</sup>
+  - **Discovery sources**
   - **Last device update**<sup\*</sup>
   - **First seen**
   - **Tags**<sup\*</sup>
@@ -219,6 +222,7 @@ You can sort the entries by clicking on an available column header. Select :::im
   - **Vendor**<sup>\*</sup>
   - **Model**<sup>\*</sup>
   - **Name**<sup>\*</sup>
+  - **Discovery sources**
   - **Domain**
   - **Device type**
   - **Device subtype**
@@ -241,6 +245,7 @@ You can sort the entries by clicking on an available column header. Select :::im
   - **Model**<sup>\*</sup>
   - **Risk level**<sup>\*</sup>
   - **Exposure level**<sup>\*</sup>
+  - **Discovery sources**
   - **OS distribution**<sup>\*</sup>
   - **OS version**<sup>\*</sup>
   - **First seen**
@@ -253,6 +258,7 @@ You can sort the entries by clicking on an available column header. Select :::im
   - **Name**<sup>\*</sup>
   - **Vendor**<sup>\*</sup>
   - **IP**<sup>\*</sup>
+  - **Discovery sources**
   - **MAC address**
   - **Risk level**
   - **Exposure level**
 
@@ -154,6 +154,8 @@
                    href: dlp-investigate-alerts-defender.md
                  - name: Investigate data loss prevention alerts with Microsoft Sentinel
                    href: dlp-investigate-alerts-sentinel.md
+                 - name: Investigate and respond to container threats
+                   href: investigate-respond-container-threats.md  
                  - name: Alerts
                    href: investigate-alerts.md
                  - name: Alert classification playbooks
 
@@ -12,7 +12,7 @@ ms.collection:
 - tier3
 ms.custom: 
 ms.topic: how-to
-ms.date: 09/30/2024
+ms.date: 11/17/2024
 ms.reviewer: 
 search.appverid: met150
 ---
@@ -29,6 +29,8 @@ search.appverid: met150
 - [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
 - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
 - [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
+- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/)
+- [Microsoft Security Exposure Management](/security-exposure-management/)
 
 For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new [custom roles](create-custom-rbac-roles.md) or [imported roles](import-rbac-roles.md), you must activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads.
 
@@ -54,20 +56,19 @@ You can activate your workloads in two ways from the Permissions and roles page:
 :::image type="content" source="/defender/media/defender/m365-defender-rbac-activate-workloads1.png" alt-text="Screenshot of the activate workloads page" lightbox="/defender/media/defender/m365-defender-rbac-activate-workloads1.png":::
 
 1. **Activate workloads**
-   - Select **Activate workloads** on the banner above the list of roles to go directly to the **Activate workloads** screen.
-   - You must activate each workload one by one. Once you select the individual toggle, you activate (or deactivate) that workload.
 
-   :::image type="content" source="/defender/media/defender/defender-rbac-select-workload.png" alt-text="Screenshot of the choose workloads to activate screen":::
+- Select **Activate workloads** on the banner above the list of roles to go directly to the **Activate workloads** screen.
+- You must activate each workload one by one. Once you select the individual toggle, you activate (or deactivate) that workload.
+
+:::image type="content" source="/defender/media/defender/defender-activate-workloads.png" alt-text="Screenshot of the choose workloads to activate screen.":::
 
    > [!NOTE]
    > The **Activate workloads** button is only available when there is it at least one workload that's not active for Microsoft Defender XDR Unified RBAC.
-   >
    > Microsoft Defender for Cloud is active by default with Microsoft Defender XDR Unified RBAC.
-   >
-   > Defender XDR Unified RBAC is automatically active for Secure Score access. Once a custom role with one of the permissions is created, it has an immediate impact on assigned users. There is no need to activate it.
+   > Defender XDR Unified RBAC is automatically active for Exposure Management access. Once a custom role with one of the Exposure Management permissions is created, it has an immediate impact on assigned users. There is no need to activate it.
    > 
    > To activate Exchange Online permissions in Microsoft Defender XDR Unified RBAC, Defender for Office 365 permissions must be active. 
-
+   
 2. **Workload settings**
     - Select **Workload settings**.
     - This brings you to the Microsoft Defender XDR **Permission and roles** page.
 
@@ -29,6 +29,7 @@ search.appverid: met150
 - [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
 - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
 - [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
+- [Microsoft Security Exposure Management](/security-exposure-management/)
 
 ## Create a custom role
 
 
@@ -31,6 +31,7 @@ In Microsoft Defender XDR Unified role-based access control (RBAC) you can selec
 - [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
 - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
 - [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
+- [Microsoft Security Exposure Management](/security-exposure-management/)
 
 <a name='microsoft-365-defender-unified-rbac-permission-details'></a>
 
@@ -74,7 +75,7 @@ Permissions for managing the organization's security posture and performing vuln
 |Remediation handling|Manage|Create remediation tickets, submit new requests, and manage remediation activities in Defender Vulnerability Management.|
 |Application handling|Manage|Manage vulnerable applications and software, including blocking and unblocking them in Defender Vulnerability Management.|
 |Security baseline assessment|Manage|Create and manage profiles so you can assess if your devices comply to security industry baselines.|
-|Exposure Management|Read / Manage|View or manage Secure Score recommendations from all products included in Secure Score.|
+|Exposure Management|Read / Manage|View or manage Exposure Management insights, including Microsoft Secure Score recommendations from all products that are covered by Secure Score.|
 
 ### Authorization and settings
 
 
@@ -29,6 +29,7 @@ search.appverid: met150
 - [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/?LinkID=2158212)
 - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
 - [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
+- [Microsoft Security Exposure Management](/security-exposure-management/)
 
 In Microsoft Defender XDR Unified role-based access control (RBAC), you can edit and delete custom roles or roles that were imported from Defender for Endpoint, Defender for Identity, or Defender for Office 365.
 
 
@@ -1,6 +1,6 @@
 ---
-title: Investigate incidents in Microsoft Defender XDR
-description: Investigate incidents related to devices, users, and mailboxes.
+title: Investigate incidents in the Microsoft Defender portal
+description: Investigate incidents on various assets from correlated signals of various Defender services and other Microsoft security products like Microsoft Sentinel.
 ms.service: defender-xdr
 f1.keywords: 
   - NOCSH
@@ -16,20 +16,19 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 12/04/2023
+ms.date: 11/13/2024
+appliesto:
+- Microsoft Defender XDR
+- Microsoft Sentinel in the Microsoft Defender portal
 ---
 
-# Investigate incidents in Microsoft Defender XDR
+# Investigate incidents in the Microsoft Defender portal
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
+The Microsoft Defender portal presents correlated alerts, assets, investigations, and evidence from across all your assets into an incident to give you a comprehensive look into the entire breadth of an attack.
 
-Microsoft Defender XDR aggregates all related alerts, assets, investigations, and evidence from across your devices, users, and mailboxes into an incident to give you a comprehensive look into the entire breadth of an attack.
-
-Within an incident, you analyze the alerts that affect your network, understand what they mean, and collate the evidence so that you can devise an effective remediation plan.
+Within an incident, you analyze the alerts, understand what they mean, and collate the evidence so that you can devise an effective remediation plan.
 
 ## Initial investigation
 
@@ -84,7 +83,9 @@ From the graph, you can:
 
 - Hunt for entity information of a device, file, IP address, or URL.
 
-The *go hunt* option takes advantage of the [advanced hunting](advanced-hunting-go-hunt.md) feature to find relevant information about an entity. The *go hunt* query checks relevant schema tables for any events or alerts involving the specific entity you're investigating. You can select any of the options to find relevant information about the entity:
+### Go hunt
+
+The ***go hunt*** action takes advantage of the [advanced hunting](advanced-hunting-go-hunt.md) feature to find relevant information about an entity. The *go hunt* query checks relevant schema tables for any events or alerts involving the specific entity you're investigating. You can select any of the options to find relevant information about the entity:
 
   - See all available queries – the option returns all available queries for the entity type you're investigating.
   - All Activity – the query returns all activities associated with an entity, providing you with a comprehensive view of the incident's context.
@@ -96,7 +97,7 @@ The resulting logs or alerts can be linked to an incident by selecting a results
 
 :::image type="content" source="/defender/media/investigate-incidents/fig2-gohunt-attackstory.png" alt-text="Highlighting the link to incident option in go hunt query results" lightbox="/defender/media/investigate-incidents/fig2-gohunt-attackstory.png":::
 
-If the incident or related alerts were the result of an analytics rule you've set, you can also select **Run query** to see other related results.
+If the incident or related alerts were the result of an analytics rule you've set, you can also select ***Run query*** to see other related results.
 
 ## Summary