Commit d1ae806

Merge pull request #3600 from MicrosoftDocs/diannegali-aprilxdrfresh
xdr updates
2 parents d0cef31 + 2e6966f commit d1ae806

12 files changed: +44 -48 lines changed

defender-xdr/m365d-action-center.md

Lines changed: 5 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ f1.keywords:
88
ms.author: diannegali
99
author: diannegali
1010
ms.localizationpriority: medium
11-
ms.date: 5/9/2024
11+
ms.date: 4/28/2025
1212
manager: deniseb
1313
audience: ITPro
1414
ms.collection:
@@ -40,11 +40,6 @@ The unified Action center ([https://security.microsoft.com/action-center](https:
4040

4141
:::image type="content" source="/defender/media/m3d-action-center-unified.png" alt-text="The unified Action center in the Microsoft Defender portal." lightbox="/defender/media/m3d-action-center-unified.png":::
4242

43-
For example:
44-
45-
- If you were using the Action center in the Microsoft Defender Security Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)), try the unified Action center in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>.
46-
- If you were already using the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>, you'll see several improvements in the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
47-
4843
The unified Action center brings together remediation actions across Microsoft Defender for Endpoint and Microsoft Defender for Office 365. It defines a common language for all remediation actions and provides a unified investigation experience. Your security operations team has a "single pane of glass" experience to view and manage remediation actions.
4944

5045
You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions:
@@ -59,20 +54,20 @@ You can use the unified Action center if you have appropriate permissions and on
5954
You can navigate to the list of actions pending approval in two different ways:
6055

6156
- Go to [https://security.microsoft.com/action-center](https://security.microsoft.com/action-center); or
62-
- In the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the Automated investigation & response card, select **Approve in Action Center**.
57+
- In the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) homepage, in the Automated investigation & response card, select **View pending actions**.
6358

6459
## Using the Action center
6560

6661
1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> and sign in.
6762

68-
2. In the navigation pane under **Actions and submissions**, choose **Action center**. Or, in the Automated investigation & response card, select **Approve in Action Center**.
63+
2. In the navigation pane under **Actions and submissions**, choose **Action center**. Or, in the Automated investigation & response card in the homepage, select **View pending actions**.
6964

7065
3. Use the **Pending actions** and **History** tabs. The following table summarizes what you'll see on each tab:
7166

7267
|Tab|Description|
7368
|---|---|
74-
|**Pending**|Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as Quarantine file). <br/><br/> Make sure to review and approve (or reject) pending actions as soon as possible so that your automated investigations can complete in a timely manner.|
75-
|**History**|Serves as an audit log for actions that were taken, such as: <ul><li>>Remediation actions that were taken as a result of automated investigations</li><li>Remediation actions that were taken on suspicious or malicious email messages, files, or URLs</li><li>Remediation actions that were approved by your security operations team</li><li>Commands that were run and remediation actions that were applied during Live Response sessions</li><li>Remediation actions that were taken by your antivirus protection</li></ul> <br/><br/> Provides a way to undo certain actions (see [Undo completed actions](m365d-autoir-actions.md#undo-completed-actions)).|
69+
|**Pending**|Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (like Quarantine file). <br/><br/> Make sure to review and approve (or reject) pending actions as soon as possible so that your automated investigations can complete in a timely manner.|
70+
|**History**|Serves as an audit log for actions that were taken, such as: <ul><li>Remediation actions that were taken as a result of automated investigations</li><li>Remediation actions that were taken on suspicious or malicious email messages, files, or URLs</li><li>Remediation actions that were approved by your security operations team</li><li>Commands that were run and remediation actions that were applied during Live Response sessions</li><li>Remediation actions that were taken by your antivirus protection</li></ul> <br/><br/> Provides a way to undo certain actions (see [Undo completed actions](m365d-autoir-actions.md#undo-completed-actions)).|
7671

7772
4. You can customize, sort, filter, and export data in the Action center.
7873

defender-xdr/m365d-autoir-actions.md

Lines changed: 2 additions & 2 deletions
@@ -1,14 +1,14 @@
11
---
22
title: View and manage actions in the Action center
3-
description: Use the Action center to view and manage remediation actions
3+
description: Use the Action center in the Microsoft Defender portal to view and manage remediation actions for affected assets.
44
search.appverid: met150
55
ms.service: defender-xdr
66
f1.keywords:
77
- NOCSH
88
ms.author: diannegali
99
author: diannegali
1010
ms.localizationpriority: medium
11-
ms.date: 11/25/2024
11+
ms.date: 04/28/2025
1212
manager: deniseb
1313
audience: ITPro
1414
ms.collection:

defender-xdr/m365d-autoir-results.md

Lines changed: 9 additions & 13 deletions
@@ -8,7 +8,7 @@ f1.keywords:
88
ms.author: diannegali
99
author: diannegali
1010
ms.localizationpriority: medium
11-
ms.date: 08/11/2022
11+
ms.date: 04/28/2025
1212
manager: dansimp
1313
audience: ITPro
1414
ms.collection:
@@ -21,6 +21,7 @@ ms.custom:
2121
ms.reviewer: evaldm, isco
2222
appliesto:
2323
- Microsoft Defender XDR
24+
#customer intent: As a SOC analyst, I want to understand the results and key findings of automated investigation in Microsoft Defender XDR
2425
---
2526

2627
# Details and results of an automated investigation
@@ -29,9 +30,9 @@ appliesto:
2930

3031
With Microsoft Defender XDR, when an [automated investigation](m365d-autoir.md) runs, details about that investigation are available both during and after the automated investigation process. If you have the [necessary permissions](m365d-action-center.md#required-permissions-for-action-center-tasks), you can view those details in an investigation details view that provides you with up-to-date status and the ability to approve any pending actions.
3132

32-
## (NEW) Unified investigation page
33+
## Unified investigation page
3334

34-
The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and [Microsoft Defender for Office 365](/defender-office-365/mdo-about). To access the unified investigation page, select the link in the yellow banner you'll see on:
35+
The investigation page includes information across your devices, email, and collaboration content. The unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and [Microsoft Defender for Office 365](/defender-office-365/mdo-about). To access the unified investigation page, select the link in the yellow banner you'll see on:
3536

3637
- Any investigation page in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview portal</a>
3738
- Any investigation page in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com))
@@ -42,11 +43,11 @@ The investigation page has recently been updated to include information across y
4243
You can open the investigation details view by using one of the following methods:
4344

4445
- [Select an item in the Action center](#select-an-item-in-the-action-center)
45-
- [Select an investigation from an incident details page](#open-an-investigation-from-an-incident-details-page)
46+
- [Select an investigation from an incident details page](#open-an-investigation-from-an-incident-page)
4647

4748
### Select an item in the Action center
4849

49-
The improved [Action center](m365d-action-center.md) ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) brings together [remediation actions](m365d-remediation-actions.md) across your devices, email & collaboration content, and identities. Listed actions include remediation actions that were taken automatically or manually. In the Action center, you can view actions that are awaiting approval and actions that were already approved or completed. You can also navigate to more details, such as an investigation page.
50+
The [Action center](m365d-action-center.md) ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) brings together [remediation actions](m365d-remediation-actions.md) across your devices, email & collaboration content, and identities. Listed actions include remediation actions that were taken automatically or manually. In the Action center, you can view actions that are awaiting approval and actions that were already approved or completed. You can also navigate to more details, such as an investigation page.
5051

5152
> [!TIP]
5253
> You must have [certain permissions](m365d-action-center.md#required-permissions-for-action-center-tasks) to approve, reject, or undo actions.
@@ -63,9 +64,9 @@ The improved [Action center](m365d-action-center.md) ([https://security.microsof
6364
- Select **Reject** to prevent a pending action from being taken.
6465
- Select **Go hunt** to go into [Advanced hunting](advanced-hunting-overview.md).
6566

66-
### Open an investigation from an incident details page
67+
### Open an investigation from an incident page
6768

68-
Use an incident details page to view detailed information about an incident, including alerts that were triggered information about any affected devices, user accounts, or mailboxes.
69+
Use the incident page to view detailed information about an incident, including alerts that were triggered information about any affected devices, user accounts, or mailboxes.
6970

7071
1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> and sign in.
7172
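Review bot: the rewritten sentence under the renamed heading still lacks a conjunction: "including alerts that were triggered information about any affected devices" should be "including alerts that were triggered and information about any affected devices, user accounts, or mailboxes". Since this line is already being touched, fix it here.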

@@ -77,17 +78,13 @@ Use an incident details page to view detailed information about an incident, inc
7778

7879
5. Select **Open investigation page**.
7980

80-
Here's an example.
81-
82-
:::image type="content" source="/defender/media/mtp-incidentdetails-tabs.png" alt-text="The investigation page in the Microsoft Defender portal" lightbox="/defender/media/mtp-incidentdetails-tabs.png":::
83-
8481
## Investigation details
8582

8683
Use the investigation details view to see past, current, and pending activity pertaining to an investigation. Here's an example.
8784

8885
:::image type="content" source="/defender/media/mtp-air-investdetails.png" alt-text="The investigation details page in the Microsoft Defender portal" lightbox="/defender/media/mtp-air-investdetails.png":::
8986

90-
In the Investigation details view, you can see information on the **Investigation graph**, **Alerts**, **Devices**, **Identities**, **Key findings**, **Entities**, **Log**, and **Pending actions** tabs, described in the following table.
87+
In the Investigation details view, you can see information on the **Investigation graph**, **Alerts**, **Mailboxes**, **Devices**, **Users**, **Evidence**, **Entities**, **Log**, and **Pending actions** tabs, described in the following table.
9188

9289
> [!NOTE]
9390
> The specific tabs you see in an investigation details page depends on what your subscription includes. For example, if your subscription does not include Microsoft Defender for Office 365 Plan 2, you won't see a **Mailboxes** tab.
@@ -104,7 +101,6 @@ In the Investigation details view, you can see information on the **Investigatio
104101
|**Log** | Provides a chronological, detailed view of all the investigation actions taken after an alert was triggered.|
105102
| **Pending actions history** | Lists items that require approval to proceed. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) to approve pending actions. |
106103

107-
108104
## Investigation states
109105

110106
The following table lists investigation states and what they indicate.
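Review bot: the new tab list names a **Pending actions** tab, but the table row in this hunk's context is titled **Pending actions history**; align the two so readers can match the list to the table. While this section is open, the NOTE's "The specific tabs you see in an investigation details page depends on" should be "depend on" (the subject is "tabs").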

defender-xdr/m365d-autoir.md

Lines changed: 3 additions & 3 deletions
@@ -8,7 +8,7 @@ f1.keywords:
88
ms.author: diannegali
99
author: diannegali
1010
ms.localizationpriority: medium
11-
ms.date: 04/10/2023
11+
ms.date: 04/28/2025
1212
manager: dansimp
1313
audience: ITPro
1414
ms.collection:
@@ -91,11 +91,11 @@ To view investigations, go to the **Incidents** page. Select an incident, and th
9191

9292
## Automated investigation & response card
9393

94-
The new Automated investigation & response card is available in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). This new card visibility to the total number of available remediation actions. The card also gives an overview of all the alerts and required approval time for each alert.
94+
The Automated investigation & response card is available in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) homepage. This card provides visibility to the total number of available remediation actions. The card also gives an overview of all the alerts and required approval time for each alert.
9595

9696
:::image type="content" source="/defender/media/automated-investigation-response-card.png" alt-text="Screenshot that shows the automated investigation & response card.":::
9797

98-
Using the Automated investigation & response card, your security operations team can quickly navigate to the Action center by selecting the **Approve in Action Center** link, and then taking appropriate actions. The card enables your security operations team to more effectively manage actions that are pending approval.
98+
Using the Automated investigation & response card, your security operations team can quickly navigate to the Action center by selecting the **View pending actions** link, and then taking appropriate actions. The card enables your security operations team to more effectively manage actions that are pending approval.
9999

100100
## Next steps
101101
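Review bot: the link label changes from **Approve in Action Center** to **View pending actions**, but the screenshot `/defender/media/automated-investigation-response-card.png` referenced two lines above is not updated in this diff; confirm the image shows the new label or update it alongside. Minor: "provides visibility to the total number" reads better as "provides visibility into the total number".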

defender-xdr/m365d-configure-auto-investigation-response.md

Lines changed: 6 additions & 5 deletions
@@ -9,7 +9,7 @@ audience: ITPro
99
ms.topic: how-to
1010
ms.service: defender-xdr
1111
ms.localizationpriority: medium
12-
ms.date: 07/08/2024
12+
ms.date: 04/28/2025
1313
ms.collection:
1414
- m365-security
1515
- tier2
@@ -18,6 +18,7 @@ ms.custom:
1818
- admindeeplinkDEFENDER
1919
ms.reviewer: evaldm, isco
2020
f1.keywords: CSH
21+
#customer intent: As a SOC analyst, I want to configure automated investigation and response capabilities in Microsoft Defender XDR
2122
---
2223

2324
# Configure automated investigation and response capabilities in Microsoft Defender XDR
@@ -55,16 +56,16 @@ Whether automated investigations run, and whether remediation actions are taken
5556

5657
1. Go to the Microsoft Defender portal at <https://security.microsoft.com> and sign in.
5758

58-
2. Go to **Settings** \> **Endpoints** \> **Device groups** under **Permissions**.
59+
2. Go to **System** \> **Settings** \> **Endpoints** \> **Device groups** under **Permissions**.
5960

6061
3. Review your device group policies. In particular, look at the **Remediation level** column. We recommend using **Full - remediate threats automatically**. You might need to create or edit your device groups to get the level of automation you want. To get help with this task, see the following articles:
6162

62-
- [How threats are remediated](/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated)
63-
- [Create and manage device groups](/windows/security/threat-protection/microsoft-defender-atp/machine-groups)
63+
- [How threats are remediated](/defender-endpoint/automated-investigations#how-threats-are-remediated)
64+
- [Create and manage device groups](/defender-endpoint/machine-groups)
6465

6566
## Review your security and alert policies in Office 365
6667

67-
Microsoft provides built-in [alert policies](/defender-office-365/alert-policies-defender-portal) that help identify certain risks. These risks include Exchange admin permissions abuse, malware activity, potential external and internal threats, and data lifecycle management risks. Some alerts can trigger [automated investigation and response in Office 365](/defender-office-365/air-about). Make sure your [Defender for Office 365](/defender-office-365/mdo-about) features are configured correctly.
68+
Microsoft provides built-in [alert policies](alert-policies.md) that help identify certain risks. These risks include Exchange admin permissions abuse, malware activity, potential external and internal threats, and data lifecycle management risks. Some alerts can trigger [automated investigation and response in Office 365](/defender-office-365/air-about). Make sure your [Defender for Office 365](/defender-office-365/mdo-about) features are configured correctly.
6869

6970
Although certain alerts and security policies can trigger automated investigations, *no remediation actions are taken automatically for email and content*. Instead, all remediation actions for email and email content await approval by your security operations team in the [Action center](m365d-action-center.md).
7071
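Review bot: the alert policies link is switched from the absolute `/defender-office-365/alert-policies-defender-portal` to the relative `alert-policies.md`, which must resolve inside `defender-xdr/`; no such file appears in this diff, so confirm it exists in that folder before merging. The neighbouring `/defender-office-365/air-about` and `/defender-office-365/mdo-about` links stay absolute, so the mix looks deliberate but is worth a check; the two `/defender-endpoint/...` retargets look right.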

defender-xdr/m365d-remediation-actions.md

Lines changed: 3 additions & 2 deletions
@@ -16,16 +16,17 @@ ms.collection:
1616
ms.topic: concept-article
1717
ms.custom: autoir
1818
ms.reviewer: evaldm, isco
19-
ms.date: 08/06/2024
19+
ms.date: 04/28/2025
2020
appliesto:
2121
- Microsoft Defender XDR
22+
#customer intent: As a SOC analyst, I want to understand the remediation actions that follow automated investigations in Microsoft Defender XDR
2223
---
2324

2425
# Get notified about remediation actions
2526

2627
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
2728

28-
During and after an automated investigation in Microsoft Defender XDR, remediation actions are identified for malicious or suspicious items. Some kinds of remediation actions are taken on devices, also referred to as endpoints. Other remediation actions are taken on identities, accounts, and email content. In addition, some types of remediation actions can occur automatically, whereas other types of remediation actions are taken manually by your organization's security team. When an automated investigation results in one or more remediation actions, the investigation completes only when the remediation actions are taken, approved, or rejected.
29+
During and after an automated investigation, remediation actions are identified for malicious or suspicious items. Some kinds of remediation actions are taken on devices, also referred to as endpoints. Other remediation actions are taken on identities, accounts, and email content. In addition, some types of remediation actions can occur automatically, whereas other types of remediation actions are taken manually by your organization's security team. When an automated investigation results in one or more remediation actions, the investigation completes only when the remediation actions are taken, approved, or rejected.
2930

3031
> [!IMPORTANT]
3132
> Whether remediation actions are taken automatically or only upon approval depends on certain settings, such as automation levels. To learn more, see the following articles:
