MicrosoftDocs
diff --git a/‎defender-xdr/activate-defender-rbac.md‎
Lines changed: 22 additions & 18 deletions b/‎defender-xdr/activate-defender-rbac.md‎
Lines changed: 22 additions & 18 deletions
diff --git a/‎defender-xdr/advanced-hunting-limits.md‎
Lines changed: 10 additions & 6 deletions b/‎defender-xdr/advanced-hunting-limits.md‎
Lines changed: 10 additions & 6 deletions
diff --git a/‎defender-xdr/advanced-hunting-take-action.md‎
Lines changed: 14 additions & 9 deletions b/‎defender-xdr/advanced-hunting-take-action.md‎
Lines changed: 14 additions & 9 deletions
@@ -12,7 +12,7 @@ ms.collection:
 - tier3
 ms.custom: 
 ms.topic: how-to
-ms.date: 06/13/2024
+ms.date: 06/27/2024
 ms.reviewer: 
 search.appverid: met150
 ---
@@ -30,7 +30,7 @@ search.appverid: met150
 - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
 - [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
 
-For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new [custom roles](create-custom-rbac-roles.md) or [imported roles](import-rbac-roles.md) you must activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads.
+For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new [custom roles](create-custom-rbac-roles.md) or [imported roles](import-rbac-roles.md), you must activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads.
 
 <a name='activate-microsoft-365-defender-unified-rbac'></a>
 
@@ -43,6 +43,7 @@ The following steps guide you on how to activate the Microsoft Defender XDR Unif
 
 > [!IMPORTANT]
 > You must be a Global Administrator or Security Administrator in Microsoft Entra ID to perform this task. For more information on permissions, see [Permission pre-requisites](manage-rbac.md#permissions-prerequisites).
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 ### Activate from the Permissions and roles page
 
@@ -53,26 +54,23 @@ You can activate your workloads in two ways from the Permissions and roles page:
 :::image type="content" source="/defender/media/defender/m365-defender-rbac-activate-workloads1.png" alt-text="Screenshot of the activate workloads page" lightbox="/defender/media/defender/m365-defender-rbac-activate-workloads1.png":::
 
 1. **Activate workloads**
-    - Select **Activate workloads** on the banner above the list of roles.
-    - This will bring you directly to the **Activate workloads** screen.
-    - You must activate each workload one by one. Once you select the individual toggle, you'll activate (or deactivate) that workload.
+   - Select **Activate workloads** on the banner above the list of roles to go directly to the **Activate workloads** screen.
+   - You must activate each workload one by one. Once you select the individual toggle, you activate (or deactivate) that workload.
 
-    :::image type="content" source="/defender/media/defender/m365-defender-rbac-activate-workload-selection1.png" alt-text="Screenshot of the choose workloads to activate screen" lightbox="/defender/media/defender/m365-defender-rbac-activate-workload-selection1.png":::
+   :::image type="content" source="/defender/media/defender/m365-defender-rbac-activate-workload-selection1.png" alt-text="Screenshot of the choose workloads to activate screen" lightbox="/defender/media/defender/m365-defender-rbac-activate-workload-selection1.png":::
 
-    > [!NOTE]
-    > The **Activate workloads** button is only available when there is it at least one workload that's not active for Microsoft Defender XDR Unified RBAC.
-
-    > [!NOTE]
-    > Microsoft Defender for Cloud is active by default with Microsoft Defender XDR Unified RBAC.
-
-    > [!NOTE]
-    > To activate Exchange Online permissions in Microsoft Defender XDR Unified RBAC, Defender for Office 365 permissions must be active. 
+   > [!NOTE]
+   > The **Activate workloads** button is only available when there is it at least one workload that's not active for Microsoft Defender XDR Unified RBAC.
+   >
+   > Microsoft Defender for Cloud is active by default with Microsoft Defender XDR Unified RBAC.
+   > 
+   > To activate Exchange Online permissions in Microsoft Defender XDR Unified RBAC, Defender for Office 365 permissions must be active. 
 
 2. **Workload settings**
     - Select **Workload settings**.
     - This brings you to the Microsoft Defender XDR **Permission and roles** page.
     - Select the toggle for the workload you want to activate.
-    - Select Activate on the confirmation message.
+    - Select **Activate** on the confirmation message.
 
 You have now successfully activated (or deactivated) that workload.
 
@@ -83,11 +81,16 @@ You have now successfully activated (or deactivated) that workload.
 Follow these steps to activate your workloads directly in Microsoft Defender XDR settings:
 
 1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com).
+
 2. In the navigation pane, select **Settings**.
+
 3. Select **Microsoft Defender XDR**.
+
 4. Select **Permissions and roles**. This brings you to the **Activate workloads** page.
+
 5. Select the toggle for the workload you want to activate.
-6. Select Activate on the confirmation message.
+
+6. Select **Activate** on the confirmation message.
 
 You have now successfully activated (or deactivated) that workload.
 
@@ -100,11 +103,12 @@ You have now successfully activated (or deactivated) that workload.
 
 You can deactivate Microsoft Defender XDR Unified RBAC and revert to the individual RBAC models from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Office 365 (Exchange Online Protection).
 
-To Deactivate the workloads, repeat the steps above and select the workloads you want to deactivate. The status will be set to **Not Active**.
+To Deactivate the workloads, repeat the steps above and select the workloads you want to deactivate. The status is set to **Not Active**.
 
-If you deactivate a workload, the roles created and edited within Microsoft Defender XDR Unified RBAC won't be effective and you'll return to using the previous permissions model. This will remove any access that users assigned these roles have.
+If you deactivate a workload, the roles created and edited within Microsoft Defender XDR Unified RBAC are no longer in effect, and the previous permissions model is used instead.
 
 ## Next steps
 
 - [Edit or delete roles](edit-delete-rbac-roles.md)
+
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: conceptual
-ms.date: 04/03/2024
+ms.date: 06/27/2024
 ---
 
 # Use the advanced hunting query resource report
@@ -35,8 +35,8 @@ Refer to the following table to understand existing quotas and usage parameters.
 |--|--|--|--|
 | Data range | 30 days | Every query | Each query can look up data from up to the past 30 days. |
 | Result set | 30,000 rows | Every query | Each query can return up to 30,000 records. |
-| Timeout | 10 minutes | Every query | Each query can run for up to 10 minutes. If it does not complete within 10 minutes, the service displays an error.
-| CPU resources | Based on tenant size | Every 15 minutes | The [portal displays an error](advanced-hunting-errors.md) whenever a query runs and the tenant has consumed over 10% of allocated resources. Queries are blocked if the tenant has reached 100% until after the next 15-minute cycle. |
+| Timeout | 10 minutes | Every query | Each query can run for up to 10 minutes. If it doesn't complete within 10 minutes, the service displays an error.
+| CPU resources | Based on tenant size | Every 15 minutes | The [portal displays an error](advanced-hunting-errors.md) whenever a query runs and the tenant consumes over 10% of allocated resources. Queries are blocked if the tenant reaches 100% until after the next 15-minute cycle. |
 
 > [!NOTE]
 > A separate set of quotas and parameters apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](./api-advanced-hunting.md)
@@ -58,12 +58,15 @@ The report can be accessed in two ways:
 
   :::image type="content" source="/defender/media/ah-query-resources/reports-general-query-resources.png" alt-text="view the query resources report in the Reports section" lightbox="/defender/media/ah-query-resources/reports-general-query-resources.png":::
 
-All users can access the reports, however, only the Microsoft Entra global admin, Microsoft Entra security admin, and Microsoft Entra security reader roles can see queries done by all users in all interfaces. Any other user can only see:
+All users can access the reports; however, only the Microsoft Entra Global Administrator, Microsoft Entra Security Administrator, and Microsoft Entra Security Reader roles can see queries done by all users in all interfaces. Any other user can only see:
 
 - Queries they ran via the portal
 - Public API queries they ran themselves and not through the application
 - Custom detections they created
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ### Query resource report contents
 
 By default, the report table displays queries from the last day, and is sorted by Resource usage, to help you easily identify which queries consumed the highest amount of CPU resources.
@@ -87,7 +90,7 @@ The query resources report contains all queries that ran, including detailed res
 
 Queries with high resource usage or a long query time can probably be optimized to prevent throttling via this interface.
 
-The graph displays resource usage over time per interface. You can easily identify excessive usage and click the spikes in the graph to filter the table accordingly. Once you select an entry in the graph, the table is filtered to that specific date.
+The graph displays resource usage over time per interface. You can easily identify excessive usage and select the spikes in the graph to filter the table accordingly. Once you select an entry in the graph, the table is filtered to that specific date.
 
 You can identify the queries that used the most resources on that day and take action to improve them – by [applying query best practices](advanced-hunting-best-practices.md) or educating the user who ran the query or created the rule to take query efficiency and resources into consideration. For guided mode, the user needs to [switch to advanced mode](advanced-hunting-query-builder-details.md#switch-to-advanced-mode-after-building-a-query) to edit the query.
 
@@ -100,9 +103,10 @@ The graph supports two views:
 
 This means that, for instance, if on a specific day you ran two queries, one used 50% of your resources and one used 100%, the average daily use value would show 75%, while the top daily use would show 100%.
 
-## Related topics
+## Related articles
 
 - [Advanced hunting best practices](advanced-hunting-best-practices.md)
 - [Handle advanced hunting errors](advanced-hunting-errors.md)
 - [Advanced hunting overview](advanced-hunting-overview.md)
+
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
@@ -15,7 +15,7 @@ ms.collection:
   - m365-security
   - tier1
 ms.topic: conceptual
-ms.date: 02/16/2024
+ms.date: 06/27/2024
 ---
 
 # Take action on advanced hunting query results
@@ -34,7 +34,12 @@ You can quickly contain threats or address compromised assets that you find in [
 
 ## Required permissions
 
-To take action on devices through advanced hunting, you need a role in Microsoft Defender for Endpoint with [permissions to submit remediation actions on devices](/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission:
+To take action on devices through advanced hunting, you need a role in Microsoft Defender for Endpoint with [permissions to submit remediation actions on devices](/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). 
+
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
+If you can't take action, contact a Global Administrator about getting the following permission:
 
 *Active remediation actions > Threat and vulnerability management - Remediation handling*
 
@@ -54,9 +59,9 @@ To learn more about how these response actions are performed through Microsoft D
 
 ### Quarantine files
 
-You can deploy the *quarantine* action on files so that they are automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine:
+You can deploy the *quarantine* action on files so that they're automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine:
 
-- `SHA1`: In most advanced hunting tables, this column refers to the SHA-1 of the file that was affected by the recorded action. For example, if a file was copied, this affected file would be the copied file.
+- `SHA1`: In most advanced hunting tables, this column refers to the SHA-1 of the file that's affected by the recorded action. For example, if a file was copied, this affected file would be the copied file.
 - `InitiatingProcessSHA1`: In most advanced hunting tables, this column refers to the file responsible for initiating the recorded action. For example, if a child process was launched, this initiator file would be part of the parent process.
 - `SHA256`: This column is the SHA-256 equivalent of the file identified by the `SHA1` column.
 - `InitiatingProcessSHA256`: This column is the SHA-256 equivalent of the file identified by the `InitiatingProcessSHA1` column.
@@ -66,19 +71,19 @@ To learn more about how quarantine actions are taken and how files can be restor
 > [!NOTE]
 > To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers.
 
-To take any of the described actions, select one or more records in your query results and then select **Take actions**. A wizard will guide you through the process of selecting and then submitting your preferred actions.
+To take any of the described actions, select one or more records in your query results and then select **Take actions**. A wizard guides you through the process of selecting and then submitting your preferred actions.
 
 :::image type="content" source="media/take-action-multiple.png" alt-text="Screenshot of the take actions option in the Microsoft Defender portal." lightbox="media/take-action-multiple.png":::
 
 ## Take various actions on emails
 
 Apart from device-focused remediation steps, you can also take some actions on emails from your query results. Select the records you want to take action on, select **Take actions**, then under **Choose actions**, select your choice from the following:
 
-- `Move to mailbox folder` - select this to move the email messages to Junk, Inbox, or Deleted items folder
+- `Move to mailbox folder` - select this action to move the email messages to Junk, Inbox, or Deleted items folder
 
    :::image type="content" source="media/advanced-hunting-take-actions-email.png" alt-text="Screenshot of the option Take actions in the Microsoft Defender portal." lightbox="media/advanced-hunting-take-actions-email.png":::
 
-- `Delete email` - select this to move email messages to the Deleted items folder (**Soft delete**) or delete them permanently (**Hard delete**)
+- `Delete email` - select this action to move email messages to the Deleted items folder (**Soft delete**) or delete them permanently (**Hard delete**)
 
    Selecting **Soft delete** also automatically soft deletes the messages from the sender's Sent Items folder if the sender is in the organization.
 
@@ -94,7 +99,6 @@ Apart from device-focused remediation steps, you can also take some actions on e
    | project NetworkMessageId,RecipientEmailAddress, EmailDirection, SenderFromAddress, LatestDeliveryAction,LatestDeliveryLocation
    ```
 
-
 You can also provide a remediation name and a short description of the action taken to easily track it in the action center history. You can also use the Approval ID to filter for these actions in the action center. This ID is provided at the end of the wizard:
 
 :::image type="content" source="media/choose-email-actions-entities.png" alt-text="take actions wizard showing choose actions for entities" lightbox="media/choose-email-actions-entities.png":::
@@ -108,11 +112,12 @@ Each action is individually recorded in the [action center](m365d-action-center.
 > [!NOTE]
 > Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft Defender XDR](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft Defender XDR by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
 
-## Related topics
+## Related articles
 
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Work with query results](advanced-hunting-query-results.md)
 - [Understand the schema](advanced-hunting-schema-tables.md)
 - [Action center overview](m365d-action-center.md)
+
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]