From 6375a5f092f57285cedd5295a6298895f3461fb9 Mon Sep 17 00:00:00 2001 From: amitkumart <126546958+amitkumart@users.noreply.github.com> Date: Mon, 13 Jan 2025 13:39:57 +0530 Subject: [PATCH 1/2] Update investigate-alerts.md Hide Alert Feature is available only for MDE Alert for now. As received ICM from customer that they were trying to Hide the MDO alert, however that is not supported, hence Document needs to be updated. Related ICM https://portal.microsofticm.com/imp/v5/incidents/details/584016612/summary https://portal.microsofticm.com/imp/v5/incidents/details/476725879/summary --- defender-xdr/investigate-alerts.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/defender-xdr/investigate-alerts.md b/defender-xdr/investigate-alerts.md index 6704c2980f..8bd5e6c433 100644 --- a/defender-xdr/investigate-alerts.md +++ b/defender-xdr/investigate-alerts.md @@ -283,7 +283,9 @@ Create alert tuning rules from the Microsoft Defender XDR **Settings** area or f --- > [!NOTE] -> The **alert title (Name)** is based on the **alert type (IoaDefinitionId)**, which decides the alert title. Two alerts that have the same alert type can change to a different alert title. +> The **alert title (Name)** is based on the **alert type (IoaDefinitionId)**, which decides the alert title. Two alerts that have the same alert type can change to a different alert title. +> [!NOTE] +> Hide Alet Feature is available only for MDE alert From b0cc032ffefb33ee3dba4844e36c4f9cd0f80bc9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 16 Jan 2025 10:38:54 -0800 Subject: [PATCH 2/2] Update metadata and notes in investigate-alerts.md --- defender-xdr/investigate-alerts.md | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/defender-xdr/investigate-alerts.md b/defender-xdr/investigate-alerts.md index 8bd5e6c433..e074f4b8eb 100644 --- a/defender-xdr/investigate-alerts.md +++ b/defender-xdr/investigate-alerts.md 
@@ -3,26 +3,23 @@ title: Investigate alerts in Microsoft Defender XDR description: Investigate alerts seen across devices, users, and mailboxes. keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365 ms.service: defender-xdr -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security f1.keywords: - - NOCSH +- NOCSH ms.author: diannegali author: diannegali ms.localizationpriority: medium manager: deniseb audience: ITPro ms.collection: - - m365-security - - m365initiative-m365-defender - - tier1 +- m365-security +- m365initiative-m365-defender +- tier1 ms.custom: admindeeplinkDEFENDER ms.topic: conceptual search.appverid: - - MOE150 - - met150 -ms.date: 07/18/2024 +- MOE150 +- met150 +ms.date: 01/16/2025 --- # Investigate alerts in Microsoft Defender XDR @@ -117,7 +114,6 @@ Throughout an alert page, you can select the ellipses (**...**) beside any entit Microsoft Defender XDR alerts come from solutions like Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, the app governance add-on for Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection, and Microsoft Data Loss Prevention. You might notice alerts with prepended characters in the alert. The following table provides guidance to help you understand the mapping of alert sources based on the prepended character on the alert. > [!NOTE] -> > - The prepended GUIDs are specific only to unified experiences such as unified alerts queue, unified alerts page, unified investigation, and unified incident. > - The prepended character does not change the GUID of the alert. The only change to the GUID is the prepended component. 
@@ -188,12 +184,11 @@ The **Manage alert** pane allows you to view or specify: - A comment on the alert. > [!NOTE] -> Around August 29th, 2022, previously supported alert determination values ('Apt' and 'SecurityPersonnel') will be deprecated and no longer available via the API. - -> [!NOTE] -> One way of managing alerts it through the use of tags. The tagging capability for Microsoft Defender for Office 365 is incrementally being rolled out and is currently in preview. +> - In August 2022, previously supported alert determination values (`Apt` and `SecurityPersonnel`) were deprecated and are no longer available via the API. +> +> - One way of managing alerts it through the use of tags. The tagging capability for Microsoft Defender for Office 365 is currently in preview, rolling out incrementally. > -> Currently, modified tag names are only applied to alerts created *after* the update. Alerts that were generated before the modification will not reflect the updated tag name. +> - Currently, modified tag names are only applied to alerts created *after* the update. Alerts that were generated before the modification don't reflect the updated tag name. To manage a *set of alerts similar to a specific alert*, select **View similar alerts** in the **INSIGHT** box in the summary details section of the alert page.
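Review bot: in PATCH 1/2, hunk `@@ -283,7 +283,9 @@`, the new callout text `> Hide Alet Feature is available only for MDE alert` has a typo (`Alet`), an unexpanded abbreviation, and no terminating period, and it is stacked directly under the existing `> [!NOTE]` with no blank line between the two blocks, so Markdown renders them as a single blockquote and the second `[!NOTE]` marker will not start its own callout. Suggest a blank line before the new block and a full sentence, for example `> [!NOTE]` followed by `> The option to hide alerts is currently available only for Microsoft Defender for Endpoint alerts.` This line is also left untouched by PATCH 2/2, which cleans up the other notes in the same file, so the typo survives the series as submitted. Separately, the first `-`/`+` pair in this hunk removes and re-adds the alert-title sentence with identical visible text, which looks like a trailing-whitespace change; worth confirming it is intentional so the diff stays minimal.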
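Review bot: in PATCH 2/2, hunk `@@ -117,7 +114,6 @@`, removing the empty `>` line after `> [!NOTE]` is fine, but the unchanged context right below it contradicts itself: `> - The prepended character does not change the GUID of the alert.` is followed by `The only change to the GUID is the prepended component.` Since this hunk already edits the callout, suggest rewording the second sentence so it says the alert's underlying GUID is unchanged and the prefix is the only addition, rather than describing the prefix as a change to the GUID.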
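Review bot: in PATCH 2/2, hunk `@@ -188,12 +184,11 @@`, the merged callout carries forward a typo in the second bullet: `> - One way of managing alerts it through the use of tags.` should read `is through the use of tags`. The rest of the rewrite (past tense `were deprecated` with the month-level date, and `don't reflect`) is an improvement and reads cleanly; only the typo needs fixing before merge.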