Merge branch 'main' into docs-editor/investigate-assets-1733241639

Author: padmagit77

defender-xdr/advanced-hunting-defender-use-custom-rules.md

@@ -43,8 +43,23 @@ For editable functions, more options are available when you select the vertical
 - **Edit details** – opens the function side pane to allow you to edit details about the function (except folder names for Sentinel functions)
 - **Delete** – deletes the function
 
+### Use adx() operator for Azure Data Explorer queries (Preview)
+Use the `adx()` operator to query tables stored in Azure Data Explorer. Read [What is Azure Data Explorer?](/azure/data-explorer/data-explorer-overview) for more details.
+
+This feature was previously only available in log analytics in Microsoft Sentinel. Users can now use the operator in advanced hunting in the unified Microsoft Defender portal without needing to manually open a Microsoft Sentinel window. 
+
+In the query editor, enter the query in the following format:
+```Kusto
+adx('<Cluster URI>/<Database Name>').<Table Name>
+```
+
+For example, to get the first 10 rows of data from the `StormEvents` table stored in a certain URI:
+
+:::image type="content" source="/defender-xdr/media/adx-sample.png" alt-text="Screenshot of adx operator in advanced hunting." lightbox="/defender-xdr/media/adx-sample.png":::
+
+
 ### Use arg() operator for Azure Resource Graph queries
-The *arg()* operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like. 
+The `arg()` operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like. 
 
 This feature was previously only available in log analytics in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works over Microsoft Sentinel data (that is, Defender XDR tables are not supported). This allows users to use the operator in advanced hunting without needing to manually open a Microsoft Sentinel window. 
 

defender-xdr/investigate-users.md

@@ -43,7 +43,8 @@ Wherever user entities appear in these views, select the entity to view the **Us
 
 When you investigate a specific user entity, you see the following tabs on its entity page:
 
-- [Overview](#overview), including entity details, incidents and alerts visual view, investigation priority, and scored timeline
+- [Overview](#overview), including entity details, incidents and alerts visual view, user account control flags and so on.
+
 - [Incidents and alerts](#incidents-and-alerts) tab
 - [Observed in organization](#observed-in-organization) tab
 - [Timeline](#timeline) tab
@@ -58,26 +59,21 @@ The user page shows the Microsoft Entra organization as well as groups, helping
 
 The **Entity details** panel on the left side of the page provides information about the user, such as the Microsoft Entra identity risk level, the insider risk severity level (Preview), the number of devices the user is signed in to, when the user was first and last seen, the user's accounts, groups that the user belongs to, contact information, and more. You see other details depending on the integration features you enabled.
 
+> [!NOTE]
+> **Investigation Priority Score** has been deprecated on December 3, 2025. As a result, both the Investigation Priority Score breakdown and the Scored activities cards have been removed from the UI. 
+
 > [!NOTE]
 > (Preview) Microsoft Defender XDR users with access to [Microsoft Purview Insider Risk Management](/purview/insider-risk-management-solution-overview) can now see a user's insider risk severity and gain insights on a user's suspicious activities in the user page. Select the **insider risk severity** under Entity details to see the risk insights about the user.
 ### Visual view of incidents and alerts
 
 This card includes all incidents and alerts associated with the user entity, grouped by severity.
 
-### Investigation priority
-
-This card includes the user entity's calculated investigation priority score breakdown, and a two-week trend for that score, including the percentile of the score in relation to the tenant.
-
 ### Active directory account controls
 
 This card surfaces Microsoft Defender for Identity security settings that may need your attention. You can see important flags about the user's account settings, such as if the user can press enter to bypass the password, and if the user has a password that never expires, etc.
 
 For more information, see [User Account Control flags](/windows/win32/adschema/a-useraccountcontrol).
 
-### Scored activities
-
-This card includes all activities and alerts contributing to the entity's investigation priority score over the last seven days.
-
 ### Organization tree
 
 This section shows the user entity's place in the organizational hierarchy as reported by Microsoft Defender for Identity.
@@ -90,7 +86,7 @@ Microsoft Defender for Identity pulls tags out of Active Directory to give you a
 |-----|-------------|
 | **New** | Indicates that the entity was created less than 30 days ago. |
 | **Deleted** | Indicates that the entity was permanently deleted from Active Directory. |
-| **Disabled** |  Indicates that the entity is currently disabled in Active Directory. The *disabled* attribute is an Active Directory flag that's available for user accounts, computer accounts, and other objects to indicate that the object is not currently in use. <br><br>When an object is disabled, it can't be used to sign in or perform actions in the domain.|
+| **Disabled** | Indicates that the entity is currently disabled in Active Directory. The *disabled* attribute is an Active Directory flag that's available for user accounts, computer accounts, and other objects to indicate that the object is not currently in use. <br><br>When an object is disabled, it can't be used to sign in or perform actions in the domain.|
 | **Enabled** | Indicates that the entity is currently enabled in Active Directory, indicating that the entity is currently in use, and can be used to sign in or perform actions in the domain.  |
 | **Expired** |  Indicates that the entity is expired in Active Directory. When a user account is expired, the user is no longer able to log in to the domain or access any network resources. The expired account is essentially treated as if it were disabled, but with an explicit expiration date set. <br><br>Any services or applications that the user was authorized to access may also be affected, depending on how they are configured. |
 | **Honeytoken** |   Indicates that the entity is manually tagged as a honeytoken. |
@@ -104,7 +100,7 @@ For more information, see [Defender for Identity entity tags in Microsoft Defend
 > [!NOTE]
 > The organization tree section and the account tags are available when a Microsoft Defender for Identity license is available.
 
-:::image type="content" source="/defender/media/investigate-users/user-incident-overview.png" alt-text="Screenshot of a specific user's page in the Microsoft Defender portal" lightbox="/defender/media/investigate-users/user-incident-overview.png":::
+![Screenshot of a specific user's page in the Microsoft Defender portal.](media/investigate-users/image.png)
 
 ## Incidents and alerts
 
@@ -247,10 +243,11 @@ From the Overview page, you can do these additional actions:
 
 - Enable, disable, or suspend the user in Microsoft Entra ID
 - Direct user to do certain actions such as require the user to sign in again or force password reset
-- Reset investigation priority score for the user
 - View Microsoft Entra account settings, related governance, the user's owned files, or the user's shared files
 
-:::image type="content" source="/defender/media/investigate-users/user-incident-actions.png" alt-text="Screenshot of the actions for remediation for a user in the Microsoft Defender portal" lightbox="/defender/media/investigate-users/user-incident-actions.png":::
+![Screenshot of the actions for remediation for a user in the Microsoft Defender portal.](media/investigate-users/picture1111.png)
+
+
 
 For more information, see [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions).
 

defender-xdr/media/adx-sample.png

@@ -29,6 +29,9 @@ For more information on what's new with other Microsoft Defender security produc
 
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
+## December 2024
+- (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-adx-operator-for-azure-data-explorer-queries-preview), Microsoft Defender portal users can now use the `adx()` operator to query tables stored in Azure Data Explorer. You no longer need to go to log analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender.
+
 ## November 2024
 
 - (Preview) **Attack paths** in the incident graph are now available in the Microsoft Defender portal. The attack story now includes potential attack paths that show the paths that attackers can potentially take after compromising a device. This feature helps you prioritize your response efforts. For more information, see [attack paths in the attack story](investigate-incidents.md#attack-paths).
@@ -42,7 +45,7 @@ You can also get product updates and important notifications through the [messag
 ## October 2024
 
 - [Microsoft Unified RBAC roles](experts-on-demand.md#required-permissions-for-using-ask-defender-experts) are added with new permission levels for Microsoft Threat Experts customers to use Ask Defender experts capability.
-- (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries), Microsoft Defender portal users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources. You no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender.
+- (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries), Microsoft Defender portal users can now use the `arg()` operator for Azure Resource Graph queries to search over Azure resources. You no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender.
 
 ## September 2024