Merge pull request #5423 from MicrosoftDocs/main

[AutoPublish] main to live - 10/30 13:31 PDT | 10/31 02:01 IST

Author: Ruchika-mittal01

defender-xdr/alert-policies.md

@@ -56,7 +56,7 @@ Alert policies let you categorize the alerts that are triggered by a policy, app
 
 Here's a quick overview of how alert policies work and the alerts that are triggers when user or admin activity matches the conditions of an alert policy.
 
-![Overview of how alert policies work.](media/M365ComplianceDefender-AlertPolicies-Overview.png)
+![Overview of how alert policies work.](media/alert-policies/M365ComplianceDefender-AlertPolicies-Overview.png)
 
 1. An admin in your organization creates, configures, and turns on an alert policy by using the **Alert policies** page in the compliance portal or the Microsoft Defender portal. You can also create alert policies by using the [New-ProtectionAlert](/powershell/module/exchangepowershell/new-protectionalert) cmdlet in Security & Compliance PowerShell.
 
@@ -77,7 +77,7 @@ An alert policy consists of a set of rules and conditions that define the user o
 
 To view and create alert policies, in the [Microsoft Defender portal](https://security.microsoft.com), under **Email & collaboration** select **Policies & rules** \> **Alert policy**. Alternatively, you can go directly to <https://security.microsoft.com/alertpolicies>.
 
-  :::image type="content" source="/defender/media/alert-policies/policies-rules-page-small.png" alt-text="Highlighting Alert policy in the Policies and rules page":::
+  :::image type="content" source="media/alert-policies/policies-rules-page-small.png" alt-text="Highlighting Alert policy in the Policies and rules page":::
 
 > [!NOTE]
 > You have to be assigned the View-Only Manage Alerts role to view alert policies in the Microsoft Defender portal. You have to be assigned the Manage Alerts role to create and edit alert policies. For more information, see [Map Microsoft Defender XDR Unified role-based access control (RBAC) permissions](compare-rbac-roles.md).
@@ -95,7 +95,7 @@ You can also define user tags as a condition of an alert policy. This definition
 
 - **When the alert is triggered**. You can configure a setting that defines how often an activity can occur before an alert is triggered. This allows you to set up a policy to generate an alert every time an activity matches the policy conditions, when a certain threshold is exceeded, or when the occurrence of the activity the alert is tracking becomes unusual for your organization.
 
-    ![Configure how alerts are triggered, based on when the activity occurs, a threshold, or unusual activity for your organization.](media/howalertsaretriggered.png)
+    ![Configure how alerts are triggered, based on when the activity occurs, a threshold, or unusual activity for your organization.](media/alert-policies/howalertsaretriggered.png)
 
     If you select the setting based on unusual activity, Microsoft establishes a baseline value that defines the normal frequency for the selected activity. It takes up to seven days to establish this baseline, during which alerts aren't generated. After the baseline is established, an alert is triggered when the frequency of the activity tracked by the alert policy greatly exceeds the baseline value. For auditing-related activities (such as file and folder activities), you can establish a baseline based on a single user or based on all users in your organization; for malware-related activities, you can establish a baseline based on a single malware family, a single recipient, or all messages in your organization.
 
@@ -226,7 +226,7 @@ When an activity performed by users in your organization matches the settings of
 
 To view alerts, in the [Microsoft Defender portal](https://security.microsoft.com), select **Incidents & alerts** \> **Alerts**. Alternatively, you can go directly to <https://security.microsoft.com/alerts>.
 
-![In the Microsoft Defender portal, select Incidents & alerts and then select Alerts.](media/ViewAlertsDefenderPortal.png)
+![In the Microsoft Defender portal, select Incidents & alerts and then select Alerts.](media/alert-policies/ViewAlertsDefenderPortal.png)
 
 You can use the following filters to view a subset of all the alerts on the **Alerts** page:
 
@@ -262,7 +262,7 @@ When events that match the same alert policy occur within the aggregation interv
 
 The following screenshot shows an alert with four aggregated events. The activity list contains information about the four email messages relevant to the alert.
 
-![Example of alert aggregation.](media/AggregatedAlertExample.png)
+![Example of alert aggregation.](media/alert-policies/AggregatedAlertExample.png)
 
 Keep the following things in mind about alert aggregation:
 

defender-xdr/copilot-in-defender-device-summary.md

@@ -65,15 +65,15 @@ You can access the device summary capability through the following ways:
 
 - From the main menu, open the Device inventory page by selecting **Devices** under Assets. Choose a device to investigate from the list. Upon opening the device page, Copilot automatically summarizes the device information of the chosen device and displays the summary in the Copilot pane.
 
-   :::image type="content" source="/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-device-page-small.png" alt-text="Screenshot of the device summary results in Copilot in Defender." lightbox="/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-device-page.png":::
+   :::image type="content" source="media/copilot-in-defender-device-summary/copilot-defender-device-summary-device-page-small.png" alt-text="Screenshot of the device summary results in Copilot in Defender." lightbox="media/copilot-in-defender-device-summary/copilot-defender-device-summary-device-page.png":::
 
 - From an incident page, you can choose a device on the incident graph and then (1) select **Device details**. On the device pane, (2) select **Summarize** to generate the device summary. The summary is displayed in the Copilot pane.
 
-   :::image type="content" source="/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-device-page-small.png" alt-text="Screenshot highlighting the steps to access the device summary in an incident page in Copilot in Defender." lightbox="/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-device-page-small.png":::
+   :::image type="content" source="media/copilot-in-defender-device-summary/copilot-defender-device-summary-device-page-small.png" alt-text="Screenshot highlighting the steps to access the device summary in an incident page in Copilot in Defender." lightbox="media/copilot-in-defender-device-summary/copilot-defender-device-summary-device-page-small.png":::
 
    You can also access the device summary capability by choosing a device listed in the **Assets** tab of an incident. Select **Copilot** in the device pane to generate the device summary.
 
-   :::image type="content" source="/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets-small.png" alt-text="Screenshot highlighting the device summary option in the assets tab of an incident page in Copilot in Defender." lightbox="/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets.png":::
+   :::image type="content" source="media/copilot-in-defender-device-summary/copilot-defender-device-summary-assets-small.png" alt-text="Screenshot highlighting the device summary option in the assets tab of an incident page in Copilot in Defender." lightbox="media/copilot-in-defender-device-summary/copilot-defender-device-summary-assets.png":::
 
 Review the results of the device summary. You can copy the results to clipboard, regenerate the results, or open the Security Copilot portal by selecting the More actions ellipsis (...) on top of the device summary card.
 

defender-xdr/m365d-enable-faq.md

@@ -117,7 +117,7 @@ Your feedback helps us get better at protecting your environment from advanced a
 
 In the Microsoft Defender portal, select the feedback icon on the top right and provide your feedback.
 
-![Screenshot of the portal menu, highlighting the feedback icon](/defender/media/portal-feedback.png)
+![Screenshot of the portal menu, highlighting the feedback icon](media/m365d-enable-faq/portal-feedback.png)
 
 Rate your experience and provide details on what you liked or where improvements can be made. You can also choose to be contacted about the feedback.
 

defender-xdr/m365d-threat-analytics-notifications.md

@@ -41,23 +41,23 @@ To set up email notifications for threat analytics reports, perform the followin
    > [!NOTE]
    > The name and description fields for a new notification rule only accept English letters and numbers. Punctuations like spaces, dashes, underscores, aren't supported.
 
-   ![Screenshot of the naming screen, with all fields filled out and the "Turn rule on" checkbox checked](/defender/media/threat-analytics/ta_create_notification_2.png)
+   ![Screenshot of the naming screen, with all fields filled out and the "Turn rule on" checkbox checked](media/m365d-threat-analytics-notifications/ta_create_notification_2.png)
 
 4. Choose the reports you want to be notified about. You can choose to be updated about all newly published or updated reports or only those reports of a certain type or with a specific tag.
 
-   ![Screenshot of the notification screen, with Ransomware tags selected and a drop down menu for types open](/defender/media/threat-analytics/ta_create_notification_3.png)
+   ![Screenshot of the notification screen, with Ransomware tags selected and a drop down menu for types open](media/m365d-threat-analytics-notifications/ta_create_notification_3.png)
 
 5. Add at least one recipient to receive the notification emails. You can also use this screen to send a test email to check the notification settings.
 
-   ![Screenshot of the recipients screen. There are 3 recipients listed, and a test email has been sent, as indicated by a green checkmark](/defender/media/threat-analytics/ta_create_notification_4.png)
+   ![Screenshot of the recipients screen. There are 3 recipients listed, and a test email has been sent, as indicated by a green checkmark](media/m365d-threat-analytics-notifications/ta_create_notification_4.png)
 
 6. Review your new rule. Select **Edit** at the end of each subsection to change any of the settings. Once your review is complete, select **Create rule**.
 
-   ![Screenshot of the review screen. An edit button is highlighted in red](/defender/media/threat-analytics/ta_create_notification_5.png)
+   ![Screenshot of the review screen. An edit button is highlighted in red](media/m365d-threat-analytics-notifications/ta_create_notification_5.png)
 
 7. Select **Done** to complete the process and close the flyout. 
 
-   ![Screenshot of the rule created screen. A successfully created rule will display green checkmarks along the sidebar, and a big green check in the main area of the screen](/defender/media/threat-analytics/ta_create_notification_6.png)
+   ![Screenshot of the rule created screen. A successfully created rule will display green checkmarks along the sidebar, and a big green check in the main area of the screen](media/m365d-threat-analytics-notifications/ta_create_notification_6.png)
 
 Your new rule now appears in the list of Threat analytics email notifications.