Merge pull request #172 from MicrosoftDocs/chrisda

Link fixes per build report

Author: chrisda

defender-business/TOC.yml

@@ -102,7 +102,7 @@
     - name: Troubleshooting
       href: mdb-troubleshooting.yml
     - name: API reference information
-      href: /defender-endpoint/api/exposed-apis-create-app-partners.md?bc=%2Fmicrosoft-365%2Fsecurity%2Fdefender-business%2Fbreadcrumb%2Ftoc.json&toc=%2Fmicrosoft-365%2Fsecurity%2Fdefender-business%2Ftoc.json
+      href: /defender-endpoint/api/exposed-apis-create-app-partners?bc=%2Fmicrosoft-365%2Fsecurity%2Fdefender-business%2Fbreadcrumb%2Ftoc.json&toc=%2Fmicrosoft-365%2Fsecurity%2Fdefender-business%2Ftoc.json
     - name: Microsoft 365 Business Premium
       href: /microsoft-365/business-premium/
     - name: Microsoft 365 Lighthouse

defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating.yml

@@ -141,7 +141,7 @@ sections:
           > [!WARNING]
           > Solutions suggesting that you edit the Windows Defender start values for `wdboot`, `wdfilter`, `wdnisdrv`, `wdnissvc`, and `windefend` in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services` are unsupported, and might force you to reimage your system.
 
-          Passive mode is available if you start using Microsoft Defender for Endpoint and a non-Microsoft antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender Antivirus to scan files and update itself, but it doesn't remediate threats in passive mode. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) isn't available in passive mode, unless [Endpoint data loss prevention (DLP)](/defender-endpoint/information-protection-in-windows-overview) is deployed.
+          Passive mode is available if you start using Microsoft Defender for Endpoint and a non-Microsoft antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender Antivirus to scan files and update itself, but it doesn't remediate threats in passive mode. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) isn't available in passive mode, unless [Endpoint data loss prevention (DLP)](/purview/endpoint-dlp-getting-started) is deployed.
 
           Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to turn off automatically. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a non-Microsoft antivirus, using a limited number of detections.
 

defender-office-365/pim-in-mdo-configure.md

@@ -54,7 +54,7 @@ The name of the user (Alex in this scenario) appears under Eligible assignments
 > [!NOTE]
 > For a quick review of Privileged Identity Management see [this video](https://www.youtube.com/watch?v=VQMAg0sa_lE).
 
-:::image type="content" source="/defender/media/pim-mdo-role-setting-details-for-security-reader-show-8-hr-duration.png" alt-text="The Role setting details - Security Reader page" lightbox="/defender/media/pim-mdo-role-setting-details-for-security-reader-show-8-hr-duration.png":::
+:::image type="content" source="/defender/media/pim-mdo-role-setting-details-for-security-reader-show-8-hr-duration.PNG" alt-text="The Role setting details - Security Reader page" lightbox="/defender/media/pim-mdo-role-setting-details-for-security-reader-show-8-hr-duration.PNG":::
 
 ***Step 2***. Create the required second (elevated) permission group for other tasks and assign eligibility.
 

defender-vulnerability-management/TOC.yml

@@ -113,7 +113,7 @@
             - name: Authenticated scan methods and properties
               href: /defender-endpoint/get-authenticated-scan-properties
             - name:   Get all scan definitions
-              href: /defender-endpoint/get-all-scan-definitions
+              href: /defender-endpoint/api/get-all-scan-definitions
             - name: Add, delete or update a scan definition
               href: /defender-endpoint/api/add-a-new-scan-definition
             - name: Get all scan agents

defender-vulnerability-management/windows-authenticated-scan.md

@@ -192,7 +192,7 @@ To configure a new authenticated scan:
 
 You can use APIs to create a new scan and view all existing configured scans in your organization. For more information, see:
 
-- [Get all scan definitions](/defender-endpoint/get-all-scan-definitions)
+- [Get all scan definitions](/defender-endpoint/api/get-all-scan-definitions)
 - [Add, delete or update a scan definition](/defender-endpoint/api/add-a-new-scan-definition)
 - [Get all scan agents](/defender-endpoint/api/get-all-scan-agents)
 - [Get scan agent by Id](/defender-endpoint/api/Get-agent-details)

defender-xdr/advanced-hunting-security-copilot.md

@@ -29,7 +29,7 @@ ms.date: 04/01/2024
 
 ## Copilot for Security in advanced hunting
 
-[Microsoft Copilot for Security in Microsoft Defender](security-copilot-in-microsoft-365-defender.md) comes with a query assistant capability in advanced hunting. 
+[Microsoft Copilot for Security in Microsoft Defender](security-copilot-in-microsoft-365-defender.md) comes with a query assistant capability in advanced hunting.
 
 Threat hunters or security analysts who are not yet familiar with or have yet to learn KQL can make a request or ask a question in natural language (for instance, *Get all alerts involving user admin123*). Copilot for Security then generates a KQL query that corresponds to the request using the advanced hunting data schema.
 
@@ -45,48 +45,50 @@ Users with access to Copilot for Security have access to this capability in adva
 1. Open the **advanced hunting** page from the navigation bar in Microsoft Defender XDR. The Copilot for Security side pane for advanced hunting appears at the right hand side.
 
     :::image type="content" source="/defender/media/advanced-hunting-security-copilot-pane.png" alt-text="Screenshot of the Copilot pane in advanced hunting." lightbox="/defender/media/advanced-hunting-security-copilot-pane-big.png":::
-    
+
     You can also reopen Copilot by selecting **Copilot** at the top of the query editor.
-1. In the Copilot prompt bar, ask any threat hunting query that you want to run and press ![Send icon](/defender/media/Send.png) or **Enter** .
+1. In the Copilot prompt bar, ask any threat hunting query that you want to run and press :::image type="icon" source="media/Send.png" border="false"::: or **Enter** .
+
+
 
     :::image type="content" source="/defender/media/advanced-hunting-security-copilot-query.png" alt-text="Screenshot that shows prompt bar in the Copilot for Security for advanced hunting." lightbox="/defender/media/advanced-hunting-security-copilot-query-big.png":::
-       
+
 1. Copilot generates a KQL query from your text instruction or question. While Copilot is generating, you can cancel the query generation by selecting **Stop generating**.
 
-    ![Screenshot of Copilot for Security in advanced hunting generating a response.](/defender/media/advanced-hunting-security-copilot-generate.png)  
+    ![Screenshot of Copilot for Security in advanced hunting generating a response.](/defender/media/advanced-hunting-security-copilot-generate.png)
+
 
- 
-1. Review the generated query. You can then choose to run the query by selecting **Add and run**. 
+1. Review the generated query. You can then choose to run the query by selecting **Add and run**.
 
-   ![Screenshot of Copilot button showing Add the query to query editor and run.](/defender/media/advanced-hunting-security-copilot-run-query.png) 
+   ![Screenshot of Copilot button showing Add the query to query editor and run.](/defender/media/advanced-hunting-security-copilot-run-query.png)
 
-    The generated query then appears as the last query in the query editor and runs automatically. 
+    The generated query then appears as the last query in the query editor and runs automatically.
 
-    If you need to make further tweaks, select **Add to editor**. 
+    If you need to make further tweaks, select **Add to editor**.
 
    ![Screenshot of Copilot for Security in advanced hunting showing the Add to editor option.](/defender/media/advanced-hunting-security-copilot-add-editor.png)
 
     The generated query appears in the query editor as the last query, where you can edit it before running using the regular **Run query** above the query editor.
 
-   
+
 1. You can provide feedback about the generated response by selecting the feedback icon ![Screenshot of feedback icon](/defender/media/advanced-hunting-security-copilot-feedback-icon.png) and choosing  **Confirm**, **Off-target**, or **Potentially harmful**.
 
 
 > [!TIP]
-> Providing feedback is an important way to let the Copilot for Security team know how well the query assistant was able to help in generating a useful KQL query. Feel free to articulate what could have made the query better, what adjustments you had to make before running the generated KQL query, or share the KQL query that you eventually used. 
+> Providing feedback is an important way to let the Copilot for Security team know how well the query assistant was able to help in generating a useful KQL query. Feel free to articulate what could have made the query better, what adjustments you had to make before running the generated KQL query, or share the KQL query that you eventually used.
 
 ## Query sessions
 
-You can start your first session anytime by asking a question in the Copilot side pane in advanced hunting. Your session contains the requests you made using your user account. Closing the side pane or refreshing the advanced hunting page does not discard the session. You can still access the generated queries should you need them. 
+You can start your first session anytime by asking a question in the Copilot side pane in advanced hunting. Your session contains the requests you made using your user account. Closing the side pane or refreshing the advanced hunting page does not discard the session. You can still access the generated queries should you need them.
 
-Select the chat bubble icon (**New chat**) to discard the current session. 
+Select the chat bubble icon (**New chat**) to discard the current session.
 
-   ![Screenshot of Copilot for Security in advanced hunting showing the new chat icon.](/defender/media/advanced-hunting-security-copilot-clear-session.png)     
+   ![Screenshot of Copilot for Security in advanced hunting showing the new chat icon.](/defender/media/advanced-hunting-security-copilot-clear-session.png)
 
 ## Modify settings
 
-Select the ellipses in the Copilot side pane to choose whether or not to automatically add and run the generated query in advanced hunting. 
+Select the ellipses in the Copilot side pane to choose whether or not to automatically add and run the generated query in advanced hunting.
 
-   ![Screenshot of Copilot for Security in advanced hunting showing the settings ellipses icon.](/defender/media/advanced-hunting-security-copilot-settings.png)     
+   ![Screenshot of Copilot for Security in advanced hunting showing the settings ellipses icon.](/defender/media/advanced-hunting-security-copilot-settings.png)
 
-Deselecting the **Run generated query automatically** setting gives you the option of running the generated query automatically (**Add and run**) or adding the generated query to the query editor for further modification (**Add to editor**). 
+Deselecting the **Run generated query automatically** setting gives you the option of running the generated query automatically (**Add and run**) or adding the generated query to the query editor for further modification (**Add to editor**).

defender-xdr/api-supported.md

@@ -60,7 +60,7 @@ All APIs along the `/api` path use the [OData](/odata/overview) Protocol; for ex
 
 - [Microsoft Defender XDR APIs overview](api-overview.md)
 - [Access the Microsoft Defender XDR APIs](api-access.md)
-- [Streaming API](/defender-endpoint/raw-data-export)
+- [Streaming API](/defender-endpoint/api/raw-data-export)
 - [Learn about API limits and licensing](/legal/microsoft-365/api-terms)
 - [Understand error codes](api-error-codes.md)
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/before-you-begin-defender-experts.md

@@ -71,9 +71,9 @@ The following sections enumerate additional information about the service's data
 
 ### Data collection, usage, and retention
 
-All data used for hunting from existing Defender services will continue to reside in the customer's original Microsoft Defender XDR service storage location. [Learn more](/enterprise/o365-data-locations)
+All data used for hunting from existing Defender services will continue to reside in the customer's original Microsoft Defender XDR service storage location. [Learn more](/microsoft-365/enterprise/o365-data-locations)
 
-Defender Experts for Hunting operational data, such as case tickets and analyst notes, are generated and stored in a Microsoft data center in the US region for the length of the service, irrespective of the Microsoft Defender XDR service storage location. Data generated for the reporting dashboard is stored in customer's Microsoft Defender XDR service storage location. Reporting data and operational data will be retained for a grace period of no more than 90 days after a customer's subscription expires. If the customer terminates their subscription, data will be deleted within 30 days. 
+Defender Experts for Hunting operational data, such as case tickets and analyst notes, are generated and stored in a Microsoft data center in the US region for the length of the service, irrespective of the Microsoft Defender XDR service storage location. Data generated for the reporting dashboard is stored in customer's Microsoft Defender XDR service storage location. Reporting data and operational data will be retained for a grace period of no more than 90 days after a customer's subscription expires. If the customer terminates their subscription, data will be deleted within 30 days.
 
 Microsoft experts hunt over [advanced hunting logs](advanced-hunting-schema-tables.md) in Microsoft Defender XDR advanced hunting tables. The data in these tables depend on the set of Defender services the customer is enabled for (for example, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Entra ID). Experts also use a large set of internal threat intelligence data to inform their hunting and automation.
 

defender-xdr/configure-email-notifications.md

@@ -96,7 +96,8 @@ This section lists various issues that you may encounter when using email notifi
 
 ## Related topics
 
-- [Update data retention settings](/defender-endpoint/data-retention-settings)
+- [Update data retention settings](/defender-endpoint/preferences-setup)
 - [Configure advanced features](/defender-endpoint/advanced-features)
 - [Configure vulnerability email notifications](/defender-endpoint/configure-vulnerability-email-notifications)
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
+

defender-xdr/configure-siem-defender.md

@@ -99,9 +99,9 @@ For more information on the Elastic connector, see: [Microsoft M365 Defender | E
 
 ## Ingesting streaming event data via Event Hubs
 
-First you need to stream events from your Microsoft Entra tenant to your Event Hubs or Azure Storage Account. For more information, see [Streaming API](/defender/streaming-api).
+First you need to stream events from your Microsoft Entra tenant to your Event Hubs or Azure Storage Account. For more information, see [Streaming API](streaming-api.md).
 
-For more information on the event types supported by the Streaming API, see [Supported streaming event types](/defender/supported-event-types).
+For more information on the event types supported by the Streaming API, see [Supported streaming event types](supported-event-types.md).
 
 ### Splunk