Merge branch 'main' into mde-content-freshness

Author: emmwalshh

defender-business/mdb-partners.md

@@ -9,7 +9,7 @@ audience: Admin
 ms.topic: overview
 ms.service: defender-business
 ms.localizationpriority: medium
-ms.date: 03/05/2025
+ms.date: 03/25/2025
 ms.reviewer: nehabha
 f1.keywords: NOCSH
 ms.collection:
@@ -43,6 +43,9 @@ Use the links in the following table to access the guide and summary checklist:
 |[Practical guide to security using Microsoft 365 Business (Basic, Standard, and Premium)](https://aka.ms/smbsecurityguide)|This Word document summarizes Microsoft's recommendations for enabling employees at small and medium-sized businesses to securely work from anywhere- whether from home, in the office or on the go, using the features included in Microsoft 365 Business Premium.|
 |[Checklist for security with Microsoft 365 Business Premium](https://aka.ms/smbsecuritychecklist)|This checklist includes all the planning and configuration steps covered in the guide, from getting started to configuring security and compliance capabilities, and provides general recommendations for each step.|
 
+> [!TIP]
+> The information is also available in the following videos: <https://aka.ms/M365GettingStarted>.
+
 ## Integrate Microsoft endpoint security with your RMM tools and PSA software
 
 If you're a Microsoft Managed Service Provider (MSP), you can integrate Microsoft endpoint security with your remote monitoring and management (RMM) tools and your professional service automation (PSA) software so that you can:

defender-office-365/how-policies-and-protections-are-combined.md

@@ -17,7 +17,7 @@ ms.custom:
 description: Admins can learn how the order of protection settings and the priority order of security policies affect the application of security policies in Microsoft 365.
 ms.service: defender-office-365
 search.appverid: met150
-ms.date: 01/10/2025
+ms.date: 03/25/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -105,6 +105,7 @@ It's important to understand how user allows and blocks, tenant allows and block
 - After the filtering stack determines a verdict, only then are tenant policies and their configured actions evaluated.
 - If the same email address or domain exists in a user's Safe Senders list and Blocked Senders list, the Safe Senders list takes precedence.
 - If the same entity (email address, domain, spoofed sending infrastructure, file, or URL) exists in an allow entry and a block entry in the Tenant Allow/Block List, the block entry takes precedence.
+- If you use a file type in the [Common attachments filter in anti-malware policies](anti-malware-protection-about.md#common-attachments-filter-in-anti-malware-policies), allowing the same file in the Tenant Allow/Block list or Exchange mail flow rules (also known as transport rules) doesn't override the verdict.
 
 ### User allows and blocks
 

defender-xdr/TOC.yml

@@ -460,6 +460,8 @@
       items:
         - name: Microsoft Defender XDR FAQs
           href: m365d-enable-faq.md      
+        - name: Alert policies
+          href: alert-policies.md
         - name: Audit activities and events
           href: microsoft-xdr-auditing.md
         - name: Configure email notifications

defender-xdr/alert-policies.md

@@ -18,7 +18,7 @@ ms.topic: conceptual
 search.appverid:
   - MOE150
   - met150
-ms.date: 1/27/2025
+ms.date: 3/25/2025
 appliesto:
 - Microsoft Defender XDR
 ---
@@ -58,6 +58,7 @@ You can filter alerts according to these criteria:
 - Product name
 - Entities (the impacted assets)
 - Automated investigation state
+- Workspace
 - Data stream (workload or location)
 
 > [!NOTE]

defender-xdr/investigate-alerts.md

@@ -16,7 +16,7 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 01/17/2025
+ms.date: 03/11/2025
 appliesto: 
 - Microsoft Defender XDR
 - Microsoft Sentinel in the Microsoft Defender portal
@@ -119,6 +119,17 @@ Selecting an attack path from the list displays the attack path graph, which sho
 > To view the details of an attack path, you must have read access permissions in the Microsoft Defender portal and the license for [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management). </br></br>
 > To view attack path details with Microsoft Sentinel in the unified security operations platform, a *Sentinel Reader* role is required. To create new attack paths, the *Security Administrator* role is required.
 
+### Incident details
+
+You can view an incident's details on the right pane of an incident page. The incident details include incident assignment, ID, classification, categories, and first and last activity date and time. It also includes a description of the incident, impacted assets, active alerts, and where applicable, the related threats, recommendations, and disruption summary and impact. Here's an example of the incident details where the incident description is highlighted.
+
+:::image type="content" source="/defender/media/investigate-incidents/incident-desc-small.png" alt-text="An example of incident details where the description is highlighted." lightbox="/defender/media/investigate-incidents/incident-desc.png":::
+
+The incident description provides a brief overview of the incident. In some cases, the first alert in the incident is used as the incident description. In this case, the description is only shown in the portal and not stored in the activity log, advanced hunting tables, or the Microsoft Sentinel in Azure portal.
+
+> [!TIP]
+> Microsoft Sentinel customers can also view and overwrite the same incident description in the Azure portal by setting the incident description through API or automation.
+
 ## Alerts
 
 On the **Alerts** tab, you can view the alert queue for alerts related to the incident and other information about them like the following: