Commit d7c093b

Update
1 parent 1f0f569 commit d7c093b

4 files changed, +8 -7 lines changed

defender-xdr/advanced-hunting-defender-use-custom-rules.md

Lines changed: 1 addition & 1 deletion
@@ -138,7 +138,7 @@ If your Defender XDR data is ingested into Microsoft Sentinel, you have the opti
138138

139139
You can view all your user-defined rules—both custom detection rules and analytics rules—in the **Detection rules** page. Read [Manage custom detections](custom-detection-manage.md) for more details.
140140

141-
You can migrate any analytics rule that can run in [Continuous (near real-time) frequency](custom-detection-rules.md#continuous-nrt-frequency) by selecting the **Migrate now** button in the banner that appears when you open the detection rules list page.
141+
142142

143143
For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the **Workspace ID** column and filter by workspace.
144144
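Review bot: the deletion at 141-/141+ replaces the Migrate now paragraph with an empty line instead of removing the line, which leaves two consecutive blank lines between the Detection rules paragraph (139) and the multiworkspace paragraph (143); drop the line entirely so the markdown linter's multiple-blank-lines rule doesn't fire. The matching bullet is removed from whats-new.md in this same commit, so the two pages stay consistent.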

defender-xdr/custom-detection-manage.md

Lines changed: 6 additions & 4 deletions
@@ -34,6 +34,8 @@ You can view the list of existing custom detection rules, check their previous r
3434
> [!TIP]
3535
> Alerts raised by custom detections are available over alerts and incident APIs. For more information, see [Supported Microsoft Defender XDR APIs](api-supported.md).
3636
37+
For users who have onboarded a Microsoft Sentinel workspace to the unified Microsoft Defender portal, the custom detection rules list includes [analytics rules](advanced-hunting-defender-use-custom-rules.md#analytics-rules). The following sections also apply to analytics rules unless otherwise indicated.
38+
3739
### View existing rules
3840

3941
To view your existing custom detection rules and analytics rules, navigate to **Hunting** > **Custom detection rules**.
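Review bot: the paragraph added at 37+ links to `advanced-hunting-defender-use-custom-rules.md#analytics-rules`, but the hunk in that file earlier in this commit doesn't show such a heading; confirm the anchor resolves before merging. Wording: "For users who have onboarded a Microsoft Sentinel workspace to the unified Microsoft Defender portal, the custom detection rules list includes analytics rules" reads more directly as "If you've onboarded a Microsoft Sentinel workspace to the unified Microsoft Defender portal, the custom detection rules list also includes analytics rules." The closing sentence "The following sections also apply to analytics rules unless otherwise indicated" sets the convention that later hunks rely on with "(for custom detection rules only)", so keep it, but note that the very next heading, "View existing rules" (line 39), is still a `###` while later subsections are demoted to `####` in this commit; check that the resulting outline is the one intended.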
@@ -49,7 +51,7 @@ For multiworkspace organizations that onboarded multiple workspaces to Microsoft
4951
The page lists all the rules with the following run information:
5052

5153
- **Last run** - When a rule was last run to check for query matches and generate alerts
52-
- **Last run status** - Whether a rule ran successfully
54+
- **Last run status** - Whether a rule ran successfully (for custom detection rules only)
5355
- **Next run** - The next scheduled run
5456
- **Status** - Whether a rule has been turned on or off
5557
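Review bot: marking only **Last run status** as "(for custom detection rules only)" at 54+ leaves it unclear whether **Last run** (53) and **Next run** (55) populate for analytics rules; under the convention introduced at 37+ the reader will assume they do. If **Next run** is also blank for analytics rules, add the same parenthetical there so the list is consistent.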

@@ -61,22 +63,22 @@ To view comprehensive information about a custom detection rule or an analytics
6163

6264
You can also take the following actions on the rule from this page:
6365

64-
- **Open detection rule page** - opens the detection rule page to view triggered alerts and actions (for custom detection rules only)
66+
- **Open detection rule page** - opens the detection rule page to view triggered alerts and review actions (for custom detection rules only)
6567
- **Run** - runs the rule immediately; this also resets the interval for the next run (for custom detection rules only)
6668
- **Edit** - allows you to modify the rule without changing the query
6769
- **Modify query** - allows you to edit the query in advanced hunting
6870
- **Turn on** / **Turn off** - allows you to enable the rule or stop it from running
6971
- **Delete** - allows you to turn off the rule and remove it
7072

71-
### View and manage triggered alerts
73+
#### View and manage triggered alerts
7274

7375
In the rule details screen (**Hunting** \> **Custom detections** \> **[Rule name]**), go to **Triggered alerts**, which lists the alerts generated by matches to the rule. Select an alert to view detailed information about it and take the following actions:
7476

7577
- Manage the alert by setting its status and classification (true or false alert)
7678
- Link the alert to an incident
7779
- Run the query that triggered the alert on advanced hunting
7880

79-
### Review actions
81+
#### Review actions
8082

8183
In the rule details screen (**Hunting** \> **Custom detections** \> **[Rule name]**), go to **Triggered actions**, which lists the actions taken based on matches to the rule.
8284
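Review bot: demoting "View and manage triggered alerts" and "Review actions" to `####` (73+, 81+) nests them under the section whose **Open detection rule page** action is marked "(for custom detection rules only)" at 66+, but neither subsection carries that qualifier even though both describe the Triggered alerts and Triggered actions tabs of that same page; given the "unless otherwise indicated" rule at 37+, add "(for custom detection rules only)" to each heading or its first sentence. Separately, both subsections give the path as **Hunting** \> **Custom detections** \> **[Rule name]** while "View existing rules" in this file says **Hunting** > **Custom detection rules**; pick one name for the page.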

defender-xdr/custom-detection-rules.md

Lines changed: 1 addition & 1 deletion
@@ -171,7 +171,7 @@ Once you click **Save**, the selected rules' frequency gets updated to Continuou
171171
You can run a query continuously as long as:
172172

173173
- The query references one table only.
174-
- The query uses an operator from the list of **[Supported KQL features](/azure/azure-monitor/essentials/data-collection-transformations-structure#supported-kql-features)**. (For `matches regex`, regular expressions must be encoded as string literals and follow the string quoting rules. For example, the regular expression `\A` is represented in KQL as `"\\A"`. The extra backslash indicates that the other backslash is part of the regular expression `\A`.)
174+
- The query uses an operator from the list of **[Supported KQL features](/azure/azure-monitor/essentials/data-collection-transformations-structure#supported-kql-features)**. (For `matches regex`, regular expressions must be encoded as string literals and follow the string quoting rules. For example, the regular expression `\A` is represented in KQL as `"\\A"`. The extra backslash indicates that the other backslash is part of the regular expression `\A`.)
175175
- The query doesn't use joins, unions, or the `externaldata` operator.
176176
- The query doesn't include any comments line/information.
177177
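Review bot: lines 174- and 174+ render identically, so this hunk is presumably a whitespace-only change (a trailing space or a non-printing character); that is fine, but it is invisible in review and the commit message "Update" gives no hint, so say so in the commit message or a PR comment. The content of the bullet is unchanged: the regex `\A` is written as the KQL string literal `"\\A"` because the first backslash escapes the second.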

defender-xdr/whats-new.md

Lines changed: 0 additions & 1 deletion
@@ -35,7 +35,6 @@ You can also get product updates and important notifications through the [messag
3535

3636
## May 2025
3737
- (Preview) In advanced hunting, you can now [view all your user-defined rules](custom-detection-manage.md)—both custom detection rules and analytics rules—in the **Detection rules** page. This feature also brings the following improvements:
38-
- You can now migrate any analytics rule that can run in Continuous (near real-time) frequency by selecting the **Migrate now** button in the banner that appears when you open the detection rules list page.
3938
- You can now filter for *every* column (in addition to **Frequency** and **Organizational scope**).
4039
- For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the **Workspace ID** column and filter by workspace.
4140
- You can now view the details pane even for analytics rules.
