diff --git a/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md b/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md
index 4dde9a602e..ac89969d30 100644
--- a/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md
+++ b/CloudAppSecurityDocs/ops-guide/ops-guide-daily.md
@@ -13,7 +13,7 @@ This article lists daily operational activities that we recommend you perform wi
 
 Alerts and incidents are two of the most important items your security operations (SOC) team should be reviewing on a daily basis.
 
-- Triage incidents and alerts regularly from the [incidents queue](https://security.microsoft.com/incidents-queue) in Microsoft Defender XDR, prioritizing high and medium severity alerts.
+- Triage incidents and alerts regularly from the [incidents queue](https://security.microsoft.com/incidents) in Microsoft Defender XDR, prioritizing high and medium severity alerts.
 
 - If you're working with a SIEM system, your SIEM system is usually the first stop for triage. SIEM systems provide more context with extra logs and SOAR functionality. Then, use Microsoft Defender XDR for a deeper understanding of an alert or incident timeline.
 
diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml
index 5fe2259865..becadd494f 100644
--- a/defender-endpoint/TOC.yml
+++ b/defender-endpoint/TOC.yml
@@ -11,7 +11,7 @@
     - name: Trial user guide - Microsoft Defender for Endpoint
       href: defender-endpoint-trial-user-guide.md
     - name: Pilot and deploy Defender for Endpoint
-      href: /defender-xdr/pilot-deploy-defender-endpoint?toc=/defender-xdr/TOC.json&bc=/defender-xdr/breadcrumb/toc.json
+      href: /defender-xdr/pilot-deploy-defender-endpoint?toc=/defender-endpoint/TOC.json&bc=/defender-endpoint/breadcrumb/toc.json
     - name: Minimum requirements
       href: minimum-requirements.md
     - name: Supported Microsoft Defender for Endpoint capabilities by platform
diff --git a/defender-endpoint/breadcrumb/toc.yml b/defender-endpoint/breadcrumb/toc.yml
index f2f5363fb8..8cbb9188d0 100644
--- a/defender-endpoint/breadcrumb/toc.yml
+++ b/defender-endpoint/breadcrumb/toc.yml
@@ -5,10 +5,9 @@
     - name: 'Microsoft Defender for Endpoint'
       tocHref: /defender-endpoint/
       topicHref: /defender-endpoint/index
-      items:
-       - name: 'Microsoft Defender XDR'
-         tocHref: /defender-xdr/
-         topicHref: /defender-xdr/pilot-deploy-defender-office-365
     - name: 'Microsoft Defender for Endpoint'
       tocHref: /mem/intune/protect/
       topicHref: /mem/intune/protect/
+    - name: 'Microsoft Defender for Endpoint'
+      tocHref: /defender-xdr/
+      topicHref: /defender-xdr/pilot-deploy-defender-endpoint
diff --git a/defender-endpoint/health-status.md b/defender-endpoint/health-status.md
index b042f75141..d518707443 100644
--- a/defender-endpoint/health-status.md
+++ b/defender-endpoint/health-status.md
@@ -13,7 +13,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 05/06/2021
+ms.date: 11/04/2024
 ---
 
 # Investigate agent health issues
@@ -24,53 +24,59 @@ ms.date: 05/06/2021
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender XDR](/defender-xdr)
 
-The following table provides information on the values returned when you run the `mdatp health` command and their corresponding descriptions.
+The following table provides information about the values that are returned when you run the `mdatp health` command and their corresponding descriptions.
 
-|Value|Description|
+| Value | Description |
 |---|---|
-|automatic_definition_update_enabled|True if automatic antivirus definition updates are enabled, false otherwise.|
-|cloud_automatic_sample_submission_consent|Current sample submission level. Can be one of the following values: <ul><li>**None**: No suspicious samples are submitted to Microsoft.</li><li>**Safe**: Only suspicious samples that don't contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.</li><li>**All**: All suspicious samples are submitted to Microsoft.</li></ul>|
-|cloud_diagnostic_enabled|True if optional diagnostic data collection is enabled, false otherwise. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).|
-|cloud_enabled|True if cloud-delivered protection is enabled, false otherwise.|
-|conflicting_applications|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.|
-|definitions_status|Status of antivirus definitions.|
-|definitions_updated|Date and time of last antivirus definition update.|
-|definitions_updated_minutes_ago|Number of minutes since last antivirus definition update.|
-|definitions_version|Antivirus definition version.|
-|edr_client_version|Version of the EDR client running on the device.|
-|edr_configuration_version|EDR configuration version.|
-|edr_device_tags|List of tags associated with the device.|
-|edr_group_ids|Group ID that the device is associated with.|
-|edr_machine_id|Device identifier used in Microsoft Defender XDR.|
-|engine_version|Version of the antivirus engine.|
-|healthy|True if the product is healthy, false otherwise.|
-|licensed|True if the device is onboarded to a tenant, false otherwise.|
-|log_level|Current log level for the product.|
-|machine_guid|Unique machine identifier used by the antivirus component.|
-|network_protection_status|Status of the network protection component (macOS only). Can be one of the following values: <ul><li>**starting** - Network protection is starting</li><li>**failed_to_start** - Network protection couldn't be started due to an error</li><li>**started** - Network protection is currently running on the device</li><li>**restarting** - Network protection is currently restarting</li><li>**stopping** - Network protection is stopping</li><li>**stopped** - Network protection isn't running</li></ul>|
-|org_id|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, this prints unavailable. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).|
-|passive_mode_enabled|True if the antivirus component is set to run in passive mode, false otherwise.|
-|product_expiration|Date and time when the current product version reaches end of support.|
-|real_time_protection_available|True if the real-time protection component is healthy, false otherwise.|
-|real_time_protection_enabled|True if real-time antivirus protection is enabled, false otherwise.|
-|real_time_protection_subsystem|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, this prints unavailable.|
-|release_ring|Release ring. For more information, see [Deployment rings](onboarding.md).|
+| `app_version` | Displays Microsoft Defender application version.|
+|`automatic_definition_update_enabled`|`True` if automatic antivirus definition updates are enabled; otherwise, `false`.|
+|`behavior_monitoring`|Feature to detect real time threats and prevention by monitoring the behavior of applications, services, and files.<br/><br/>Can have one of the following values: <br/>- **disabled** - default <br/>- **enabled** |
+|`cloud_automatic_sample_submission_consent`|Current sample submission level. <br/><br/>Can have one of the following values: <br/>- **None**: No suspicious samples are submitted to Microsoft.<br/>- **safe**: Only suspicious samples that don't contain personal data are submitted automatically. This value is the default value for this setting.<br/>- **All**: All suspicious samples are submitted to Microsoft.|
+|`cloud_diagnostic_enabled`|`True` if optional diagnostic data collection is enabled; otherwise, `false`. <br/><br/>For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).|
+|`cloud_enabled`|`True` if cloud-delivered protection is enabled; otherwise, `false`.|
+|`conflicting_applications`|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.|
+|`definitions_status`|Status of antivirus definitions. Can have one of the following values: <br/>- **up_to_date**<br/>- **updating**<br/>- **unavailable**|
+|`definitions_updated`|Date and time of last antivirus definition update.|
+|`definitions_updated_minutes_ago`|Number of minutes since last antivirus definition update.|
+|`definitions_version`|Antivirus definition version.|
+|`edr_client_version`|Version of the EDR client running on the device.|
+|`edr_configuration_version`|EDR configuration version.|
+|`edr_device_tags`|List of tags associated with the device.|
+|`edr_early_preview_enabled`|Setting of edr early preview. Can have one of the following values: <br/>- **disabled** <br/>- **enabled**|
+|`edr_group_ids`|Group ID that the device is associated with.|
+|`edr_machine_id`|Device identifier used in the Microsoft Defender portal.|
+|`engine_load_status`|Status of antivirus engine to determine whether it's running. <br/><br/>Can have one of the following values: <br/>- **Engine not loaded** - antivirus engine process is down<br/>- **Engine load succeeded** - antivirus engine process is up and running|
+|`engine_version`|Version of the antivirus engine.|
+|`healthy`|`True` if the product is healthy; otherwise, `false`.|
+|`health_issues`|Lists health issues if any.|
+|`licensed`|`True` if the device is onboarded to a tenant; otherwise, `false`.|
+|`log_level`|Current log level for the product. <br/><br/>Can have one of the following values: <br/>- **info** <br/>- **debug**|
+|`machine_guid`|Unique machine identifier used by the antivirus component.|
+|`network_protection_enforcement_level`|Mode of network protection. <br/><br/>Can have one of the following: <br/>- **disabled** - all components associated with network protection are disabled<br/>- **block** - network protection prevents connection to malicious websites<br/>- **audit** - Check how blocks occur|
+|`network_protection_status`|Status of the network protection component (macOS only).<br/><br/> Can have one of the following values: <br/>- **starting** - Network protection is starting<br/>- **failed_to_start** - Network protection couldn't be started due to an error<br/>- **started** - Network protection is running on the device<br/>- **restarting** - Network protection is restarting<br/>- **stopping** - Network protection is stopping<br/>- **stopped** - Network protection isn't running|
+|`org_id`|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, it shows as `unavailable`. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).|
+|`passive_mode_enabled`|`True` if the antivirus component is set to run in passive mode; otherwise, `false`.|
+|`product_expiration`|Date and time when the current product version reaches end of support.|
+|`real_time_protection_available`|`True` if the real-time protection component is healthy; otherwise, `false`.|
+|`real_time_protection_enabled`|`True` if real-time antivirus protection is enabled; otherwise, `false`.|
+|`real_time_protection_subsystem`|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, it shows as `unavailable`.|
+|`release_ring`|Release ring. For more information, see [Deployment rings](onboarding.md).|
+|`supplementary_events_subsystem`|Subsystem that provides supplementary event data. Can have one of the following values: <br/>- **ebpf** - Default from app version: `101.2408.0000`<br/>- **auditd**|
 
 ## Component specific health
 
 You can get more detailed health information for different Defender's features with `mdatp health --details <feature>`. For example:
 
 ```bash
+
 mdatp health --details edr
 
-edr_early_preview_enabled                   : "disabled"
-edr_device_tags                             : []
-edr_group_ids                               : ""
-edr_configuration_version                   : "20.199999.main.2022.10.25.03-514032a834557bdd31ac415be6df278d9c2a4c25"
-edr_machine_id                              : "a47ba049f43319ac669b6291ce73275cd445c9cd"
-edr_sense_guid                              : "298a1a8c-04dd-4929-8efd-3bb14cb54b94"
-edr_preferred_geo                           : "unitedstates"
+mdatp health --details definitions
+
+mdatp health --details help
+
 ```
 
-You can run `mdatp health --help` on recent versions to list all supported `feature`s.
+You can run `mdatp health --help` on recent versions to list all supported features.
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-office-365/TOC.yml b/defender-office-365/TOC.yml
index 8e49fe3e4b..b5e990b60c 100644
--- a/defender-office-365/TOC.yml
+++ b/defender-office-365/TOC.yml
@@ -38,7 +38,7 @@
    - name: Deploy
      items: 
      - name: Pilot and deploy Defender for Office 365
-       href: /defender-xdr/pilot-deploy-defender-office-365?toc=/defender-xdr/TOC.json&bc=/defender-xdr/breadcrumb/toc.json
+       href: /defender-xdr/pilot-deploy-defender-office-365?toc=/defender-office-365/TOC.json&bc=/defender-office-365/breadcrumb/toc.json
      - name: Get started with Microsoft Defender for Office 365
        href: mdo-deployment-guide.md
      - name: Step 1 - Configure email authentication
diff --git a/defender-office-365/breadcrumb/toc.yml b/defender-office-365/breadcrumb/toc.yml
index 7bb4e72e14..cb856c7895 100644
--- a/defender-office-365/breadcrumb/toc.yml
+++ b/defender-office-365/breadcrumb/toc.yml
@@ -5,7 +5,7 @@
    - name: 'Microsoft Defender for Office 365'
      tocHref: /defender-office-365/
      topicHref: /defender-office-365/index
-     items:
-      - name: 'Microsoft Defender XDR'
-        tocHref: /defender-xdr/
-        topicHref: /defender-xdr/pilot-deploy-defender-endpoint
+   - name: 'Microsoft Defender for Office 365'
+     tocHref: /defender-xdr/
+     topicHref: /defender-xdr/pilot-deploy-defender-endpoint
+    
diff --git a/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md b/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md
index ec1f8beccc..fe7693ca3c 100644
--- a/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md
+++ b/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md
@@ -106,7 +106,7 @@ Security teams can take wide variety of response actions on email using Defender
 
   You can take these actions from the following locations:
 
-  - The **Evidence and response** tab from the details of the incident on the **Incidents** page** at <https://security.microsoft.com/incidents> (recommended).
+  - The **Evidence and response** tab from the details of the incident on the **Incidents** page at <https://security.microsoft.com/incidents> (recommended).
   - **Threat Explorer** at <https://security.microsoft.com/threatexplorer>.
   - The unified **Action center** at  <https://security.microsoft.com/action-center/pending>.