Merge branch 'main' into wi-502580-batch-4a-defender-xdr-image-reorg

Author: mberdugo

.openpublishing.redirection.defender-endpoint.json

@@ -159,6 +159,11 @@
       "source_path": "defender-endpoint/mde-linux-arm.md",
       "redirect_url": "/defender-endpoint/microsoft-defender-endpoint-linux",
       "redirect_document_id": false
-    } 
+    }, 
+    {
+      "source_path": "defender-endpoint/contact-support.md",
+      "redirect_url": "/defender-xdr/contact-defender-support",
+      "redirect_document_id": false
+    },
   ]
 }

defender-endpoint/contact-support.md

@@ -349,11 +349,15 @@
           href: advanced-hunting-graph.md
       - name: Track and respond to emerging threats
         items:
-        - name: Threat analytics overview
-          href: threat-analytics.md
-        - name: Understand the analyst report
-          href: threat-analytics-analyst-reports.md
-        - name: Defender Threat Intelligence in Microsoft Defender XDR
+        - name: Threat analytics
+          items:
+          - name: Overview
+            href: threat-analytics.md
+          - name: Understand the analyst report
+            href: threat-analytics-analyst-reports.md
+          - name: Get access to indicators
+            href: threat-analytics-indicators.md
+        - name: Microsoft Defender Threat Intelligence in Defender XDR
           href: defender-threat-intelligence.md
       - name: Collaborate with Microsoft Defender Experts for Hunting
         items:
@@ -515,6 +519,8 @@
             href: m365d-threat-analytics-notifications.md
           - name: Configure alert notifications
             href: configure-email-notifications.md
+        - name: Contact Microsoft Defender XDR support
+          href: contact-defender-support.md
         - name: Manage devices through dynamic rules
           href: configure-asset-rules.md
         - name: Provide managed service provider (MSSP) access

defender-xdr/TOC.yml

@@ -56,7 +56,7 @@ adx('<Cluster URI>/<Database Name>').<Table Name>
 
 For example, to get the first 10 rows of data from the `StormEvents` table stored in a certain URI:
 
-:::image type="content" source="/defender-xdr/media/adx-sample.png" alt-text="Screenshot of adx operator in advanced hunting." lightbox="/defender-xdr/media/adx-sample.png":::
+:::image type="content" source="./media/advanced-hunting-defender-use-custom-rules/adx-sample.png" alt-text="Screenshot of adx operator in advanced hunting." lightbox="./media/advanced-hunting-defender-use-custom-rules/adx-sample.png":::
 
 > [!NOTE]
 > The `adx()` operator isn't supported for custom detections.
@@ -76,7 +76,7 @@ In the query editor, enter *arg("").* followed by the Azure Resource Graph table
 
 For example:
 
-:::image type="content" source="/defender-xdr/media/arg-operator2.png" alt-text="Screenshot of arg operator in advanced hunting." lightbox="/defender-xdr/media/arg-operator2.png":::
+:::image type="content" source="./media/advanced-hunting-defender-use-custom-rules/arg-operator2.png" alt-text="Screenshot of arg operator in advanced hunting." lightbox="./media/advanced-hunting-defender-use-custom-rules/arg-operator2.png":::
 
 You can also, for instance, filter a query that searches over Microsoft Sentinel data based on the results of an Azure Resource Graph query:
 
@@ -97,7 +97,7 @@ To use a saved query from Microsoft Sentinel, go to the **Queries** tab and scro
 - **Open in query editor** – Loads the query in the query editor.
 - **View details** – Opens the query details side pane where you can inspect the query, run the query, or open the query in the editor.
 
-   :::image type="content" source="/defender/media/advanced-hunting-unified-view-details.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal." lightbox="/defender/media/advanced-hunting-unified-view-details.png":::
+   :::image type="content" source="./media/advanced-hunting-defender-use-custom-rules/advanced-hunting-unified-view-details.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal." lightbox="./media/advanced-hunting-defender-use-custom-rules/advanced-hunting-unified-view-details.png":::
 
 
 For editable queries, more options are available:
@@ -120,7 +120,7 @@ To help discover threats and anomalous behaviors in your environment, you can cr
 
 For analytics rules that apply to data ingested through the connected Microsoft Sentinel workspace, select **Manage rules > Create analytics rule**.
 
-:::image type="content" source="/defender/media/advanced-hunting-unified-rules.png" alt-text="Screenshot of the options to create custom analytics or detections in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-rules.png":::
+  :::image type="content" source="./media/advanced-hunting-defender-use-custom-rules/advanced-hunting-unified-rules.png" alt-text="Screenshot of the options to create custom analytics or detections in the Microsoft Defender portal" lightbox="./media/advanced-hunting-defender-use-custom-rules/advanced-hunting-unified-rules.png":::
 
 The **Analytics rule wizard** appears. Fill up the required details as described in [Analytics rule wizard—General tab](/azure/sentinel/detect-threats-custom#analytics-rule-wizardgeneral-tab).
 

defender-xdr/advanced-hunting-defender-use-custom-rules.md

@@ -61,11 +61,11 @@ The report can be accessed in two ways:
 
 - In the advanced hunting page, select **Query resources report**:
 
-  :::image type="content" source="/defender/media/ah-query-resources/view-query-resources report.png" alt-text="view the query resources report button in the AH portal" lightbox="/defender/media/ah-query-resources/view-query-resources report.png":::
+  :::image type="content" source="./media/advanced-hunting-limits/view-query-resources report.png" alt-text="view the query resources report button in the AH portal" lightbox="./media/advanced-hunting-limits/view-query-resources report.png":::
 
 - Within the **Reports** page, find the new report entry in the **General** section
 
-  :::image type="content" source="/defender/media/ah-query-resources/reports-general-query-resources.png" alt-text="view the query resources report in the Reports section" lightbox="/defender/media/ah-query-resources/reports-general-query-resources.png":::
+  :::image type="content" source="./media/advanced-hunting-limits/reports-general-query-resources.png" alt-text="view the query resources report in the Reports section" lightbox="./media/advanced-hunting-limits/reports-general-query-resources.png":::
 
 All users can access the reports; however, only the Microsoft Entra Global Administrator, Microsoft Entra Security Administrator, and Microsoft Entra Security Reader roles can see queries done by all users in all interfaces. Any other user can only see:
 
@@ -93,7 +93,7 @@ The query resources report contains all queries that ran, including detailed res
 > [!TIP]
 > If the query state is **Failed**, you can hover the field to view the reason for the query failure.
 
-:::image type="content" source="/defender/media/ah-query-resources/excessive-usage-sample.png" alt-text="view inefficient queries" lightbox="/defender/media/ah-query-resources/excessive-usage-sample.png":::
+:::image type="content" source="./media/advanced-hunting-limits/excessive-usage-sample.png" alt-text="view inefficient queries" lightbox="./media/advanced-hunting-limits/excessive-usage-sample.png":::
 
 ### Find resource-heavy queries
 
@@ -112,7 +112,7 @@ The graph supports two views:
 - Average use per day –  the average use of resources per day
 - Highest use per day – the highest actual use of resources per day
 
-![Two view modes for query resources report](/defender/media/ah-query-resources/resource-usage-over-time.png)
+![Two view modes for query resources report](./media/advanced-hunting-limits/resource-usage-over-time.png)
 
 This means that, for instance, if on a specific day you ran two queries, one used 50% of your resources and one used 100%, the average daily use value would show 75%, while the top daily use would show 100%.
 

defender-xdr/advanced-hunting-limits.md

@@ -66,7 +66,7 @@ You can use advanced hunting KQL (Kusto Query Language) queries to hunt through
 When you open the advanced hunting page for the first time after connecting a workspace, you can find many of that workspace's tables  organized by solution after the Microsoft Defender XDR tables under the **Schema** tab.
 
 
-:::image type="content" source="/defender/media/advanced-hunting-unified-sentinel-data.png" alt-text="Screenshot of advanced hunting schema tab in the Microsoft Defender portal highlighting location of Sentinel tables" lightbox="/defender/media/advanced-hunting-unified-sentinel-data.png":::
+:::image type="content" source="./media/advanced-hunting-microsoft-defender/advanced-hunting-unified-sentinel-data.png" alt-text="Screenshot of advanced hunting schema tab in the Microsoft Defender portal highlighting location of Sentinel tables" lightbox="./media/advanced-hunting-microsoft-defender/advanced-hunting-unified-sentinel-data.png":::
 
 
 Likewise, you can find the functions from Microsoft Sentinel in the **Functions** tab, and your shared and sample queries from Microsoft Sentinel can be found in the **Queries** tab inside folders marked **Sentinel**.
@@ -81,7 +81,7 @@ In the unified portal, in addition to viewing the schema column names and descri
 - **Data retention period** – how long the data is set to be kept
 - **Tags** – available for Sentinel data tables
 
-:::image type="content" source="/defender/media/advanced-hunting-unified-view-schema.png" alt-text="Screenshot of the schema information pane in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-view-schema.png":::
+:::image type="content" source="./media/advanced-hunting-microsoft-defender/advanced-hunting-unified-view-schema.png" alt-text="Screenshot of the schema information pane in the Microsoft Defender portal" lightbox="./media/advanced-hunting-microsoft-defender/advanced-hunting-unified-view-schema.png":::
 
 ## Known issues
 

defender-xdr/advanced-hunting-microsoft-defender.md

@@ -32,7 +32,7 @@ ms.date: 03/28/2025
 
 
 
-You can find the **advanced hunting** page by going to the left navigation bar in the Microsoft Defender portal and selecting **Hunting** > **Advanced hunting**. If the navigation bar is collapsed, select the hunting icon ![hunting icon](/defender/media/guided-hunting/hunting-icon.png).
+You can find the **advanced hunting** page by going to the left navigation bar in the Microsoft Defender portal and selecting **Hunting** > **Advanced hunting**. If the navigation bar is collapsed, select the hunting icon ![hunting icon](./media/advanced-hunting-modes/hunting-icon.png).
 
 In the **advanced hunting** page, two modes are supported:
 
@@ -54,13 +54,13 @@ When you open the advanced hunting page for the first time after guided hunting
 
 To take the tour, select **Take tour** when this banner appears:
 
-[![banner inviting user to take the tour](/defender/media/guided-hunting/1-guided-hunting-banner-tb.png)](/defender/media/guided-hunting/1-guided-hunting-banner.png#lightbox)
+[![banner inviting user to take the tour](./media/advanced-hunting-modes/1-guided-hunting-banner-tb.png)](./media/advanced-hunting-modes/1-guided-hunting-banner.png#lightbox)
 
 Follow the blue teaching bubbles that appear throughout the page and select **Next** to move from one step to the next.
 
 You can take the tour again at any time by going to **Help resources** > **Learn more** and selecting **Take the tour**.
 
-![Screenshot of help resources](/defender/media/guided-hunting/help-resources.png)
+![Screenshot of help resources](./media/advanced-hunting-modes/help-resources.png)
 
 You can then start building your query to hunt for threats. The following articles can help you get the most out of hunting in guided mode: