Learn Editor: Update app-governance-anomaly-detection-alerts.md

Author: gayasalomon

CloudAppSecurityDocs/app-governance-anomaly-detection-alerts.md

@@ -20,6 +20,31 @@ For more information, see [App governance in Microsoft Defender for Cloud Apps](
 > - [Access Microsoft Graph activity logs](/graph/microsoft-graph-activity-logs-overview)
 > - [Analyze activity logs using Log Analytics](/entra/identity/monitoring-health/howto-analyze-activity-logs-log-analytics)
 > 
+## General investigation steps
+
+### Finding App Governance Related Alerts
+
+To locate alerts specifically related to App Governance, navigate to the XDR portal alerts page. In the alerts list, use the "Service Source" field to filter alerts. Set the value of this field to "App Governance" to view all alerts generated by App Governance.
+
+### General Guidelines
+
+Use the following general guidelines when investigating any type of alert to gain a clearer understanding of the potential threat before applying the recommended action.
+
+- Review the app severity level and compare with the rest of the apps in your tenant. This review helps you identify which Apps in your tenant pose the greater risk.
+- If you identify a TP, review all the App activities to gain an understanding of the impact. For example, review the following App information:
+
+  - Scopes granted access
+  - Unusual behavior  
+  - IP address and location
+    
+## Security alert classifications
+
+Following proper investigation, all app governance alerts can be classified as one of the following activity types:
+
+- **True positive (TP)**: An alert on a confirmed malicious activity.
+- **Benign true positive (B-TP)**: An alert on suspicious but not malicious activity, such as a penetration test or other authorized suspicious action.
+- **False positive (FP)**: An alert on a non-malicious activity.
+
 ## MITRE ATT&CK
 
 To make it easier to map the relationship between app governance alerts and the familiar MITRE ATT&CK Matrix, we've categorized the alerts by their corresponding MITRE ATT&CK tactic. This extra reference makes it easier to understand the suspected attacks technique potentially in use when app governance alert is triggered.
@@ -38,31 +63,6 @@ This guide provides information about investigating and remediating app governan
 - [Exfiltration](#exfiltration-alerts)
 - [Impact](#impact-alerts)
 
-## Security alert classifications
-
-Following proper investigation, all app governance alerts can be classified as one of the following activity types:
-
-- **True positive (TP)**: An alert on a confirmed malicious activity.
-- **Benign true positive (B-TP)**: An alert on suspicious but not malicious activity, such as a penetration test or other authorized suspicious action.
-- **False positive (FP)**: An alert on a non-malicious activity.
-
-## General investigation steps
-
-### Finding App Governance Related Alerts
-
-To locate alerts specifically related to App Governance, navigate to the XDR portal alerts page. In the alerts list, use the "Service Source" field to filter alerts. Set the value of this field to "App Governance" to view all alerts generated by App Governance.
-
-### General Guidelines
-
-Use the following general guidelines when investigating any type of alert to gain a clearer understanding of the potential threat before applying the recommended action.
-
-- Review the app severity level and compare with the rest of the apps in your tenant. This review helps you identify which Apps in your tenant pose the greater risk.
-- If you identify a TP, review all the App activities to gain an understanding of the impact. For example, review the following App information:
-
-  - Scopes granted access
-  - Unusual behavior  
-  - IP address and location
-
 ## Initial access alerts
 
 This section describes alerts indicating that a malicious app may be attempting to maintain their foothold in your organization.