Merge pull request #2838 from MicrosoftDocs/diannegali-xdrupdates

diannegali · web-flow · commit d0d9b739bb65 · 2025-02-19T13:50:34.000Z
metadata updates
diff --git a/defender-xdr/autoad-results.md b/defender-xdr/autoad-results.md
@@ -9,7 +9,7 @@ ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
 ms.date: 06/19/2024
-manager: dansimp
+manager: deniseb
 audience: ITPro
 ms.collection: 
 - m365-security
@@ -19,15 +19,14 @@ ms.custom:
 - autoir
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
+appliesto:
+- Microsoft Defender XDR
 ---
 
 # Details and results of an automatic attack disruption action
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- Microsoft Defender XDR
-
 When an automatic attack disruption triggers in Microsoft Defender XDR, the details about the risk and the containment status of compromised assets are available during and after the process. You can view the details on the incident page, which provides the full details of the attack and the up-to-date status of associated assets.
 
 ## Review the incident graph
@@ -58,16 +57,18 @@ You can use specific queries in [advanced hunting](advanced-hunting-overview.md)
 Contain actions triggered by attack disruption are found in the [DeviceEvents table](advanced-hunting-deviceevents-table.md) in advanced hunting. Use the following queries to hunt for these specific contain actions:
 
 - Device contain actions:
-```Kusto
-DeviceEvents
-| where ActionType contains "ContainedDevice"
-```
+
+  ```Kusto
+  DeviceEvents
+  | where ActionType contains "ContainedDevice"
+  ```
 
 - User contain actions:
-```Kusto
-DeviceEvents
-| where ActionType contains "ContainedUser"
-```
+
+  ```Kusto
+  DeviceEvents
+  | where ActionType contains "ContainedUser"
+  ```
 
 ### Hunt for disable user account actions
 
diff --git a/defender-xdr/automatic-attack-disruption.md b/defender-xdr/automatic-attack-disruption.md
@@ -7,28 +7,26 @@ f1.keywords:
 ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
-manager: dansimp
+manager: deniseb
 audience: ITPro
 ms.collection: 
   - m365-security
   - tier1
   - usx-security
   - usx-security
-ms.topic: conceptual
+ms.topic: concept-article
 search.appverid: 
   - MOE150
   - MET150
 ms.date: 09/11/2024
+appliesto:
+  - Microsoft Defender XDR
 ---
 
 # Automatic attack disruption in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-
 Microsoft Defender XDR correlates millions of individual signals to identify active ransomware campaigns or other sophisticated attacks in the environment with high confidence. While an attack is in progress, Defender XDR disrupts the attack by automatically containing compromised assets that the attacker is using through automatic attack disruption.
 
 Automatic attack disruption limits lateral movement early on and reduces the overall impact of an attack, from associated costs to loss of productivity. At the same time, it leaves security operations teams in complete control of investigating, remediating, and bringing assets back online.
@@ -105,7 +103,7 @@ The Defender XDR user experience now includes additional visual cues to ensure v
 
     - A tag titled *Attack Disruption* appears next to affected incidents
 
-1. On the incident page:
+2. On the incident page:
 
     - A tag titled *Attack Disruption*
     - A yellow banner at the top of the page that highlights the automatic action taken
@@ -121,7 +119,7 @@ For more information, see [view attack disruption details and results](autoad-re
 
 ## Next steps
 
-- [Configuring automatic attack disruption in Microsoft Defender XDR](configure-attack-disruption.md)
+- [Configure automatic attack disruption](configure-attack-disruption.md)
 - [View details and results](autoad-results.md)
 - [Get email notifications for response actions](m365d-response-actions-notifications.md)
 
diff --git a/defender-xdr/configure-deception.md b/defender-xdr/configure-deception.md
@@ -1,6 +1,6 @@
 ---
 title: Configure the deception capability in Microsoft Defender XDR
-description: Learn how to create, edit, and delete deception rules in Microsoft Defender XDR.
+description: Learn how to create, edit, and delete deception rules in the Microsoft Defender portal.
 ms.service: defender-xdr
 f1.keywords: 
 - NOCSH
@@ -12,21 +12,20 @@ audience: ITPro
 ms.collection: 
 - m365-security
 - tier1
-ms.topic: conceptual
+ms.topic: how-to
 search.appverid: 
 - MOE150
 - MET150
 ms.date: 01/12/2024
+appliesto:
+- Microsoft Defender XDR
+#customer intent: As a security analyst, I want to learn how to configure the deception capability so that I can protect my organization from high-impact attacks that use human-operated lateral movement.
 ---
 
 # Configure the deception capability in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-
 > [!NOTE]
 > The built-in [deception](deception-overview.md) capability in Microsoft Defender XDR covers all Windows clients onboarded to Microsoft Defender for Endpoint. Learn how to onboard clients to Defender for Endpoint in [Onboard to Microsoft Defender for Endpoint](/defender-endpoint/onboarding).
 
diff --git a/defender-xdr/deception-overview.md b/defender-xdr/deception-overview.md
@@ -7,27 +7,26 @@ f1.keywords:
 ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
-manager: dansimp
+manager: deniseb
 audience: ITPro
 ms.collection: 
 - m365-security
 - tier1
-ms.topic: conceptual
+ms.topic: concept-article
 search.appverid: 
 - MOE150
 - MET150
 ms.date: 08/14/2024
+appliesto:
+- Microsoft Defender XDR
+- Microsoft Defender for Endpoint
+#customer intent: As a security analyst, I want to understand how to manage the deception capability in Microsoft Defender XDR to detect human-operated attacks with lateral movement.
 ---
 
 # Manage the deception capability in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-- Microsoft Defender for Endpoint
-
 > [!IMPORTANT]
 > Some information in this article relates to prereleased products/services that might be substantially modified before commercially release. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
@@ -63,9 +62,9 @@ Attackers interacting with the fake network assets set up by the deception capab
 
 The built-in deception capability in the Microsoft Defender portal uses rules to make decoys and lures that match your environment. The feature applies machine learning to suggest decoys and lures that are tailored to your network. You can also use the deception feature to manually create the decoys and lures. These decoys and lures are then automatically deployed to your network and planted to devices you specify using PowerShell.
 
-:::image type="content" source="/defender/media/deception/fig1-deception.png" alt-text="Screenshot of an attack with lateral movement and where deception intercepts the attack" lightbox="/defender/media/deception/fig1-deception.png":::
+Deception technology, through high confidence detections of human-operated lateral movement, alerts security teams when an attacker interacts with fake hosts or lures. Here's the process of how the deception capability works:
 
-*Figure 1. Deception technology, through high confidence detections of human-operated lateral movement, alerts security teams when an attacker interacts with fake hosts or lures*
+:::image type="content" source="/defender/media/deception/fig1-deception.png" alt-text="Screenshot of an attack with lateral movement and where deception intercepts the attack" lightbox="/defender/media/deception/fig1-deception.png":::
 
 **Decoys** are fake devices and accounts that appear to belong to your network. **Lures** are fake content planted on specific devices or accounts and are used to attract an attacker. The content can be a document, a configuration file, cached credentials, or any content that an attacker can likely read, steal, or interact with. Lures imitate important company information, settings, or credentials.
 
@@ -94,9 +93,9 @@ The alert details contain:
 - The decoy device or user account where the alert originated
 - The type of attack like sign in attempts or lateral movement attempts
 
-:::image type="content" source="/defender/media/deception/deception-alert-small.png" alt-text="Screenshot of a deception alert highlighting the tag and the attempt" lightbox="/defender/media/deception/deception-alert.png":::
+Here's an example of a deception-related alert:
 
-*Figure 2. Details of a deception-related alert*
+:::image type="content" source="/defender/media/deception/deception-alert-small.png" alt-text="Screenshot of a deception alert highlighting the tag and the attempt" lightbox="/defender/media/deception/deception-alert.png":::
 
 ## Next step
 
diff --git a/defender-xdr/m365d-action-center.md b/defender-xdr/m365d-action-center.md
@@ -9,7 +9,7 @@ ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
 ms.date: 5/9/2024
-manager: dansimp
+manager: deniseb
 audience: ITPro
 ms.collection:
 - m365-security
@@ -19,13 +19,13 @@ ms.custom:
 - autoir
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
+appliesto:
+- Microsoft Defender XDR
+#customer intent: As a SOC analyst, I want to understand how to view and approve automated investigation and remediation tasks in the Action center.
 ---
 
 # The Action center
 
-**Applies to:**
-- Microsoft Defender XDR
-
 The Action center provides a "single pane of glass" experience for incident and alert tasks such as:
 
 - Approving pending remediation actions.
diff --git a/defender-xdr/m365d-autoir-actions.md b/defender-xdr/m365d-autoir-actions.md
@@ -9,7 +9,7 @@ ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
 ms.date: 11/25/2024
-manager: dansimp
+manager: deniseb
 audience: ITPro
 ms.collection: 
 - m365-security
@@ -19,13 +19,13 @@ ms.custom:
 - autoir
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
+appliesto:
+- Microsoft Defender XDR
+#customer intent: As a SOC analyst, I want to understand how to view and manage remediation actions in the Action center
 ---
 
 # View and manage actions in the Action center
 
-**Applies to:**
-- Microsoft Defender XDR
-
 Threat protection features in Microsoft Defender XDR can result in certain remediation actions. Here are some examples:
 
 - [Automated investigations](m365d-autoir.md) can result in remediation actions that are taken automatically or await your approval.
diff --git a/defender-xdr/m365d-autoir-report-false-positives-negatives.md b/defender-xdr/m365d-autoir-report-false-positives-negatives.md
@@ -19,15 +19,14 @@ ms.custom:
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
 ms.date: 07/14/2023
+appliesto:
+- Microsoft Defender XDR
 ---
 
 # Address false positives or false negatives in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- Microsoft Defender XDR
-
 False positives or negatives can occasionally occur with any threat protection solution. If [automated investigation and response capabilities](m365d-autoir.md) in Microsoft Defender XDR missed or wrongly detected something, there are steps your security operations team can take:
 
 - [Report a false positive/negative to Microsoft](#report-a-false-positivenegative-to-microsoft-for-analysis)
diff --git a/defender-xdr/m365d-autoir-results.md b/defender-xdr/m365d-autoir-results.md
@@ -14,20 +14,19 @@ audience: ITPro
 ms.collection: 
 - m365-security
 - tier2
-ms.topic: conceptual
+ms.topic: concept-article
 ms.custom: 
 - autoir
 - admindeeplinkDEFENDER
 ms.reviewer: evaldm, isco
+appliesto:
+- Microsoft Defender XDR
 ---
 
 # Details and results of an automated investigation
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- Microsoft Defender XDR
-
 With Microsoft Defender XDR, when an [automated investigation](m365d-autoir.md) runs, details about that investigation are available both during and after the automated investigation process. If you have the [necessary permissions](m365d-action-center.md#required-permissions-for-action-center-tasks), you can view those details in an investigation details view that provides you with up-to-date status and the ability to approve any pending actions. 
 
 ## (NEW) Unified investigation page
diff --git a/defender-xdr/m365d-autoir.md b/defender-xdr/m365d-autoir.md
@@ -14,18 +14,18 @@ audience: ITPro
 ms.collection: 
 - m365-security
 - tier2
-ms.topic: conceptual
+ms.topic: overview
 ms.custom: autoir
 ms.reviewer: evaldm, isco
+appliesto:
+- Microsoft Defender XDR
+#customer intent: As a SOC analyst, I want to understand the automated investigation and response capabilities in Microsoft Defender XDR
 ---
 
 # Automated investigation and response in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-- Microsoft Defender XDR
-
 If your organization is using [Microsoft Defender XDR](microsoft-365-defender.md), your security operations team receives an alert within the Microsoft Defender portal whenever a malicious or suspicious activity or artifact is detected. Given the seemingly never-ending flow of threats that can come in, security teams often face the challenge of addressing the high volume of alerts. Fortunately, Microsoft Defender XDR includes automated investigation and response (AIR) capabilities that can help your security operations team address threats more efficiently and effectively.
 
 This article provides an overview of AIR and includes links to next steps and additional resources.
@@ -97,7 +97,6 @@ The new Automated investigation & response card is available in the Microsoft De
 
 Using the Automated investigation & response card, your security operations team can quickly navigate to the Action center by selecting the **Approve in Action Center** link, and then taking appropriate actions. The card enables your security operations team to more effectively manage actions that are pending approval. 
 
-
 ## Next steps
 
 - [See the prerequisites for automated investigation and response](m365d-configure-auto-investigation-response.md#prerequisites-for-automated-investigation-and-response-in-microsoft-365-defender)
diff --git a/defender-xdr/m365d-remediation-actions.md b/defender-xdr/m365d-remediation-actions.md
@@ -5,28 +5,26 @@ search.appverid: met150
 ms.service: defender-xdr
 f1.keywords: 
   - NOCSH
-ms.author: dansimp
-author: dansimp
+ms.author: diannegali
+author: diannegali
 ms.localizationpriority: medium
-manager: dansimp
+manager: deniseb
 audience: ITPro
 ms.collection: 
   - m365-security
   - tier3
-ms.topic: conceptual
+ms.topic: concept-article
 ms.custom: autoir
 ms.reviewer: evaldm, isco
 ms.date: 08/06/2024
+appliesto:
+  - Microsoft Defender XDR
 ---
 
 # Get notified about remediation actions
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-
 During and after an automated investigation in Microsoft Defender XDR, remediation actions are identified for malicious or suspicious items. Some kinds of remediation actions are taken on devices, also referred to as endpoints. Other remediation actions are taken on identities, accounts, and email content. In addition, some types of remediation actions can occur automatically, whereas other types of remediation actions are taken manually by your organization's security team. When an automated investigation results in one or more remediation actions, the investigation completes only when the remediation actions are taken, approved, or rejected.
 
 > [!IMPORTANT]
