
Commit e7577be

updated filters for incident and alert queues
1 parent 32edcb3 commit e7577be

6 files changed

+7
-5
lines changed

defender-xdr/incident-queue.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ ms.topic: conceptual
1818
search.appverid:
1919
- MOE150
2020
- MET150
21-
ms.date: 01/27/2025
21+
ms.date: 06/04/2025
2222
appliesto:
2323
- Microsoft Defender XDR
2424
- Microsoft Sentinel in the Microsoft Defender portal
@@ -107,7 +107,7 @@ The **Filters** list above the list of incidents shows the currently applied fil
107107

108108
From the default incident queue, you can select **Add filter** to see the **Add filter** drop-down, from which you specify filters to apply to the incidents queue to limit the set of incidents shown. Here's an example.
109109

110-
:::image type="content" source="/defender/media/incidents-queue/incidents-all-filters.png" alt-text="The Filters pane for the incident queue in the Microsoft Defender portal.":::
110+
:::image type="content" source="/defender/media/incidents-queue/incident-filters-small.png" alt-text="The Filters pane for the incident queue in the Microsoft Defender portal." lightbox="/defender/media/incidents-queue/incident-filters.png":::
111111

112112
Select the filters you want to use, then select **Add** at the bottom of the list to make them available.
113113

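Review bot: the old reference to /defender/media/incidents-queue/incidents-all-filters.png is dropped in this hunk, but the commit's file list shows six files changed with only two markdown diffs, so the remaining four are presumably the new binary images; confirm that incidents-all-filters.png is either deleted in this commit or still referenced elsewhere, otherwise it becomes orphaned media. The small/lightbox pairing itself looks right and the alt-text is carried over unchanged.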
@@ -128,7 +128,7 @@ This table lists the filter names that are available.
128128
| **Multiple category** | Specify whether the filter is for more than one category. |
129129
| **Categories** | Choose categories to focus on specific tactics, techniques, or attack components seen. |
130130
| **Entities** | Specify the name of an asset such as a user, device, mailbox, or application name. |
131-
| **Data sensitivity** | Some attacks focus on targeting to exfiltrate sensitive or valuable data. By applying a filter for specific sensitivity labels, you can quickly determine if sensitive information has potentially been compromised and prioritize addressing those incidents. <br><br> This filter displays information only when you've applied [sensitivity labels from Microsoft Purview Information Protection](/Microsoft-365/compliance/sensitivity-labels). |
131+
| **Sensitivity label** | Filter incidents based on the sensitivity label applied on the data. Some attacks focus on exfiltrating sensitive or valuable data. By applying a filter for specific sensitivity labels, you can quickly determine if sensitive information is potentially compromised and prioritize addressing those incidents. |
132132
| **Device groups** | Specify a [device group](/windows/security/threat-protection/microsoft-defender-atp/machine-groups) name. |
133133
| **OS platform** | Specify device operating systems. |
134134
| **Classification** | Specify the set of classifications of the related alerts. |
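Review bot: the rewritten **Sensitivity label** row drops the prerequisite sentence and link from the old **Data sensitivity** row ("This filter displays information only when you've applied [sensitivity labels from Microsoft Purview Information Protection](/Microsoft-365/compliance/sensitivity-labels)."); without it a reader who sees an empty filter has no hint that labels must first be applied. Suggest keeping that sentence (with the link) after the new description. The rename to **Sensitivity label** does line up with the new "Sensitivity label" entry added to the alerts filter list in investigate-alerts.md, which is good for consistency between the two queues.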

defender-xdr/investigate-alerts.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ ms.topic: conceptual
1818
search.appverid:
1919
- MOE150
2020
- met150
21-
ms.date: 1/27/2025
21+
ms.date: 6/04/2025
2222
appliesto:
2323
- Microsoft Defender XDR
2424
- Microsoft Sentinel in the Microsoft Defender portal
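Review bot: the new ms.date value `6/04/2025` mixes an unpadded month with a zero-padded day, and differs from the `06/04/2025` written into incident-queue.md in the same commit; suggest `06/04/2025` here so both files use the same MM/DD/YYYY form. Pre-existing but visible in the context lines: `search.appverid` uses lowercase `met150` where incident-queue.md uses `MET150`; worth normalizing while this front matter is being touched.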
@@ -45,7 +45,7 @@ By default, the alerts queue in the Microsoft Defender portal displays the new a
4545

4646
From the default alerts queue, you can select **Filter** to see all available filters from which you can specify a subset of the alerts. Here's an example.
4747

48-
:::image type="content" source="/defender/media/investigate-alerts/alerts-all-filters.png" alt-text="All the filters available in the Alerts queue in the Microsoft Defender portal":::
48+
:::image type="content" source="/defender/media/investigate-alerts/alerts-filters-small.png" alt-text="All the filters available in the Alerts queue in the Microsoft Defender portal" lightbox="/defender/media/investigate-alerts/alerts-filters.png":::
4949

5050
You can filter alerts according to these criteria:
5151

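Review bot: the alt-text on the new image reference ("All the filters available in the Alerts queue in the Microsoft Defender portal") has no terminal period, unlike the equivalent alt-text in incident-queue.md in this same commit; suggest adding one for consistency across the two pages. The small/lightbox pairing otherwise matches the pattern used in incident-queue.md.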
@@ -57,10 +57,12 @@ You can filter alerts according to these criteria:
5757
- Policy/Policy rule
5858
- Alert type
5959
- Product name
60+
- Alert subscription ID
6061
- Entities (the impacted assets)
6162
- Automated investigation state
6263
- Workspace
6364
- Data stream (workload or location)
65+
- Sensitivity label
6466

6567
> [!NOTE]
6668
> Microsoft Defender XDR customers can now filter incidents with alerts where a compromised device communicated with operational technology (OT) devices connected to the enterprise network through the [device discovery integration of Microsoft Defender for IoT and Microsoft Defender for Endpoint](/defender-endpoint/device-discovery#device-discovery-integration). To filter these incidents, select **Any** in the Service/detection sources, then select **Microsoft Defender for IoT** in the Product name or see [Investigate incidents and alerts in Microsoft Defender for IoT in the Defender portal](/defender-for-iot/investigate-threats/). You can also use device groups to filter for site-specific alerts. For more information about Defender for IoT prerequisites, see [Get started with enterprise IoT monitoring in Microsoft Defender XDR](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/).
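Review bot: the new "Alert subscription ID" list entry has no gloss, while neighboring entries explain themselves ("Entities (the impacted assets)", "Data stream (workload or location)"); a reader cannot tell from the list alone which subscription this ID refers to. Suggest a short parenthetical in the same style as those entries. The second addition, "Sensitivity label", is appended at the end of the list rather than next to the other data-related entries; consider placing it beside "Data stream (workload or location)" so related filters sit together, and note that the incident-queue.md table in this commit now uses the same "Sensitivity label" name.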
Binary image files changed (not rendered in the diff): 45 KB, 109 KB, 29 KB, 70.8 KB
