Merge pull request #4408 from MicrosoftDocs/main

m365-skilling-repo-management[bot] · web-flow · commit c76f1d062206 · 2025-07-03T08:37:27.000Z
[AutoPublish] main to live - 07/03 01:35 PDT | 07/03 14:05 IST
diff --git a/ATPDocs/investigate-assets.md b/ATPDocs/investigate-assets.md
@@ -1,7 +1,7 @@
 ---
 title: Investigate assets
 description: This article explains how to investigate suspicious users, computers, and devices with Microsoft Defender for Identity.
-ms.date: 01/17/2024
+ms.date: 07/01/2025
 ms.topic: how-to
 ms.reviewer: LiorShapiraa
 ---
@@ -46,8 +46,7 @@ Find identity information in the following Microsoft Defender XDR areas:
 
 For example, the following image shows the details on an identity details page:
 
-![Screenshot of a specific user's page in the Microsoft Defender portal.](media/investigate-assets/image.png)
-
+:::image type="content" source="media/investigate-assets/investigate-assets.png" alt-text="Screenshot that shows a specific user's page in the Microsoft Defender portal." lightbox="media/investigate-assets/investigate-assets.png":::
 
 
 ### Identity details
@@ -57,7 +56,7 @@ When you investigate a specific identity, you'll see the following details on an
 
 |Identity details page area  |Description  |
 |---------|---------|
-|[Overview tab](/microsoft-365/security/defender/investigate-users#overview)       | General identity data, such as the Microsoft Entra identity risk level, the number of devices the user is signed in to, when the user was first and last seen, the user's accounts and more important information.  <br><br>Use the **Overview** tab to also view graphs for incidents and alerts, the investigation priority score, an organizational tree, entity tags, and a scored activity timeline.       |
+|[Overview tab](/microsoft-365/security/defender/investigate-users#overview)       | General identity data, such as the Microsoft Entra identity risk level, the number of devices the user is signed in to, when the user was first and last seen, the user's accounts and more important information.  <br><br>Use the **Overview** tab to also view graphs for incidents and alerts, and an organizational tree, entity tags.       |
 |[Incidents and alerts](/microsoft-365/security/defender/investigate-users#incidents-and-alerts)     | Lists active incidents and alerts involving the user from the last 180 days, including details like alert severity and the time the alert was generated. |
 |[Observed in organization](/microsoft-365/security/defender/investigate-users#observed-in-organization)     |   Includes the following sub-areas: <br>- **Devices**: The devices that the identity signed in to, including most and least used in the last 180 days. <br>- **Locations**: The identity's observed locations over the last 30 days. <br>- **Groups**: All observed on-premises groups for the identity. <br> - **Lateral movement paths** - all profiled lateral movement paths from the on-premises environment. |
 |[Identity timeline](/microsoft-365/security/defender/investigate-users#timeline)     | The timeline represents activities and alerts observed from a user's identity from the last 180 days, unifying identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. <br><br>Use the timeline to focus on activities a user performed or were performed on them in specific timeframes. Select the default **30 days** to change the time range to another built-in value, or to a custom range.       |
diff --git a/ATPDocs/media/investigate-assets/investigate-assets.png b/ATPDocs/media/investigate-assets/investigate-assets.png
diff --git a/ATPDocs/migrate-from-ata-overview.md b/ATPDocs/migrate-from-ata-overview.md
@@ -27,7 +27,6 @@ In contrast to the ATA sensor, the Defender for Identity sensor also uses data s
 
 - Support for [multi-forest environments](deploy/multi-forest.md)
 - [Microsoft Secure Score posture assessments](/defender-for-identity/security-assessment)
-- [UEBA capabilities](/cloud-app-security/tutorial-ueba)
 - Direct integrations with other services like Microsoft Defender for Cloud Apps and Microsoft Entra for a hybrid view of what's taking place in both on-premises and hybrid environments
 - And more
 
diff --git a/ATPDocs/ops-guide/ops-guide-daily.md b/ATPDocs/ops-guide/ops-guide-daily.md
@@ -52,35 +52,6 @@ For more information, see [Work with Defender for Identity's ITDR dashboard (Pre
 
 1. When the incident is remediated, resolve it to resolve all linked and related active alerts and set a classification.
 
-## Investigate users with a high investigation score
-
-**Where**: In Microsoft Defender XDR and in Microsoft Entra.
-
-In Microsoft Defender XDR:
-
-1. Check the **Users at risk** widget on the **Home** page or the  **Entra ID users at risk** on the **Identities > Dashboard** page.
-
-1. If you have users listed at *High risk*:
-
-    - Select **View all users** to review high risk identities in Microsoft Entra.
-    - Go to the **Identities** page and sort the grid to view users with high **Investigation priority** scores at the top. Select an identity to view the identity details page, including more details in the **Investigation priority** widget.
-
-    The investigation priority widget includes the calculated investigation priority score breakdown and a two-week trend for an identity, including whether the identity score is on the high percentile for that tenant.
-
-Find more identity-related information on:
-
-- Individual alert or incident details pages
-- Device details pages
-- Advanced hunting queries
-- The Action center page
-
-**Persona**: SOC analysts
-
-For more information, see:
-
-- [Investigate users in Microsoft Defender XDR](/microsoft-365/security/defender/investigate-users)
-- [Investigate assets](../investigate-assets.md)
-- [Work with Defender for Identity's ITDR dashboard (Preview)](../dashboard.md)
 
 ## Configure tuning rules for benign true positives / false positive alerts
 
diff --git a/ATPDocs/technical-faq.yml b/ATPDocs/technical-faq.yml
@@ -68,8 +68,6 @@ sections:
           
           - **[Microsoft Secure Score posture assessments](/defender-for-identity/security-assessment)**: Identifies common misconfigurations and exploitable components and provides remediation paths to reduce the attack surface.
           
-          - **[UEBA capabilities](/cloud-app-security/tutorial-ueba)**: Insights into individual user risk through user investigation priority scoring. The score can assist SecOps in their investigations and help analysts understand unusual activities for the user and the organization.
-          
           - **Native integrations**: Integrates with Microsoft Defender for Cloud Apps and Microsoft Entra ID Protection to provide a hybrid view of what's taking place in both on-premises and hybrid environments.
           
           - **Contributes to Microsoft Defender XDR**: Contributes alert and threat data to  Microsoft Defender XDR. Microsoft Defender XDR uses the Microsoft 365 security portfolio (identities, endpoints, data, and applications) to automatically analyze cross-domain threat data, building a complete picture of each attack in a single dashboard. 
@@ -150,7 +148,7 @@ sections:
 
       - question: Does Microsoft Defender for Identity require synchronizing users to Microsoft Entra ID?
         answer: |
-          Microsoft Defender for Identity provides security value for all Active Directory accounts including those that are not synced to Microsoft Entra ID. User accounts that are synced to Microsoft Entra ID will also benefit of security value provided by Microsoft Entra ID (based on license level) and of Investigation Priority Scoring.
+          Microsoft Defender for Identity provides security value for all Active Directory accounts including those that are not synced to Microsoft Entra ID. User accounts that are synced to Microsoft Entra ID benefit from the security value provided by Microsoft Entra ID based on license level. For more detailse see: [Identity inventory](/defender-for-identity/identity-inventory).
 
   - name: WinPcap and Npcap drivers
     questions: 
