
Commit 6902c1b

Merge pull request #12759 from MicrosoftDocs/Josephd-working-new
IR scrub
2 parents 347866e + 29887ee commit 6902c1b

17 files changed

Lines changed: 67 additions & 97 deletions
2.48 KB

microsoft-365/security/defender/eval-defender-investigate-respond-additional.md

Lines changed: 9 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -36,10 +36,10 @@ Once you have performed an [incident response for a simulated attack](eval-defen
3636

3737
|Capability |Description |
3838
|:-------|:-----|
39-
| [Prioritize incidents](#prioritize-incidents) | Use filtering and sorting of the incidents queue to determine which incidents to address next. |
40-
| [Manage incidents](#manage-incidents) | Modify incident properties to ensure correct assignment, add tags and comments, and to resolve an incident. |
41-
| [Automated investigation and response](#examine-automated-investigation-and-response-with-the-action-center) | Automated investigation and response (AIR) capabilities that can help your security operations team address threats more efficiently and effectively. The Action center is a "single pane of glass" experience for incident and alert tasks such as approving pending remediation actions. |
42-
| [Advanced hunting](#advanced-hunting) | A query-based threat-hunting tool that lets you proactively inspect events in your network and locate threat indicators and entities. You also use advanced hunting during the investigation and remediation of an incident. |
39+
| [Prioritizing incidents](#prioritize-incidents) | Use filtering and sorting of the incidents queue to determine which incidents to address next. |
40+
| [Managing incidents](#manage-incidents) | Modify incident properties to ensure correct assignment, add tags and comments, and to resolve an incident. |
41+
| [Automated investigation and response](#examine-automated-investigation-and-response-with-the-action-center) | Use automated investigation and response (AIR) capabilities to help your security operations team address threats more efficiently and effectively. The Action center is a "single pane of glass" experience for incident and alert tasks such as approving pending remediation actions. |
42+
| [Advanced hunting](#use-advanced-hunting) | Use queries to proactively inspect events in your network and locate threat indicators and entities. You also use advanced hunting during the investigation and remediation of an incident. |
4343

4444

4545
## Prioritize incidents
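Review bot: the renamed Capability column now mixes gerund and noun labels ("Prioritizing incidents", "Managing incidents" next to "Automated investigation and response", "Advanced hunting"), and the two gerund rows no longer match the headings they link to: the context line right below still reads `## Prioritize incidents`, and the `#manage-incidents` anchor is unchanged. Pick one form for the whole table; either keep the original imperative labels or rename the headings as well. The switch to `#use-advanced-hunting` is consistent with the heading rename later in this file.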
@@ -56,7 +56,7 @@ To examine the list of incidents and prioritize their importance for assignment
5656

5757
- Use filtering to focus on a specific scenario or threat. Applying filters on the incident queue can help determine which incidents require immediate attention.
5858

59-
From the default incident queue, select **Filters** to see a **Filters** pane, from which you can specify a specific set of incidents. Here is an example.
59+
From the default incident queue, select **Filters** to see a **Filters** pane, from which you can specify a specific set of incidents. Here's an example.
6060

6161
:::image type="content" source="../../media/incidents-queue/incidents-ss-incidents-filters.png" alt-text="Example of the filters pane for the incident queue.":::
6262

@@ -83,9 +83,9 @@ Here are the ways you can manage your incidents:
8383

8484
Add tags that your security team uses to classify incidents, which can be later filtered.
8585

86-
- Assign the incident to yourself
86+
- Assign the incident
8787

88-
Assign it to your user account name, which can be later filtered.
88+
Assign it to a user account name, which can be later filtered.
8989

9090
- Resolve an incident
9191

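Review bot: "Assign it to a user account name, which can be later filtered" attaches the filtering to the account name rather than to the queue; suggest "Assign it to a user account, which you can later filter on." The bullet itself should stay parallel with the others ("Add tags", "Resolve an incident"), so "Assign the incident to a user account" reads better than the bare "Assign the incident".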
@@ -117,7 +117,7 @@ Approve (or reject) pending actions as soon as possible so that your automated i
117117

118118
For more information, see [Automated investigation and response](m365d-autoir.md) and [Action center](m365d-action-center.md).
119119

120-
## Advanced hunting
120+
## Use advanced hunting
121121

122122
> [!NOTE]
123123
> Before we walk you through the advanced hunting simulation, watch the following video to understand advanced hunting concepts, see where you can find it in the portal, and know how it can help you in your security operations.
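Review bot: renaming the heading to "Use advanced hunting" changes its anchor from `#advanced-hunting` to `#use-advanced-hunting`. The in-file table link is updated in this commit, but any other page that links to `eval-defender-investigate-respond-additional.md#advanced-hunting` is not visible in this diff; grep the repo for that fragment before merging, since a broken anchor fails silently in the rendered docs.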
@@ -187,7 +187,7 @@ There's a single internal mailbox and device required for this simulation. You'l
187187
> [!NOTE]
188188
> Advanced hunting displays query results as tabular data. You can also opt to view the data in other format types such as charts.
189189

190-
1. Look at the results and see if you can identify the email you opened. It may take up to two hours for the message to show up in advanced hunting. To narrow down the results, you can add the **where** condition to your query to only look for emails that have "yahoo.com" as their SenderMailFromDomain. Here is an example.
190+
1. Look at the results and see if you can identify the email you opened. It may take up to two hours for the message to show up in advanced hunting. To narrow down the results, you can add the **where** condition to your query to only look for emails that have "yahoo.com" as their SenderMailFromDomain. Here's an example.
191191

192192
```console
193193
EmailEvents
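Review bot: the query in the context lines (```` ```console ```` followed by `EmailEvents`) is KQL, not console output; fence it as ```` ```kusto ```` so it highlights correctly and readers don't mistake it for a shell session. `SenderMailFromDomain` in the sentence above is a column name and should be in code font, and "yahoo.com" should be shown as a string literal as it appears in the `where` clause.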
@@ -289,24 +289,6 @@ Custom detections will run the query according to the frequency you set, and the
289289

290290
![Example of the email attachments page where you can see the status of the rule execution, triggered alerts and actions, edit the detection, and so on.](../../media/mtp/fig28.png)
291291

292-
<!--
293-
294-
### Advanced hunting walk-through exercises
295-
296-
To learn more about advanced hunting, the following webcasts will walk you through the capabilities of advanced hunting within Microsoft 365 Defender to create cross-pillar queries, pivot to entities, and create custom detections and remediation actions.
297-
298-
> [!NOTE]
299-
> Be prepared with your own GitHub account to run the hunting queries in your pilot test lab environment.
300-
301-
|Title|Description|Download MP4|Watch on YouTube|CSL file to use|
302-
|---|---|---|---|---|
303-
|Episode 1: KQL fundamentals|We'll cover the basics of advanced hunting capabilities in Microsoft 365 Defender. Learn about available advanced hunting data and basic KQL syntax and operators.|[MP4](https://aka.ms/MTP15JUL20_MP4)|[YouTube](https://youtu.be/0D9TkGjeJwM)|[Episode 1: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%201%20-%20KQL%20Fundamentals.csl)|
304-
|Episode 2: Joins|We'll continue learning about data in advanced hunting and how to join tables together. Learn about inner, outer, unique, and semi joins, and the nuances of the default Kusto innerunique join.|[MP4](https://aka.ms/MTP22JUL20_MP4)|[YouTube](https://youtu.be/LMrO6K5TWOU)|[Episode 2: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%202%20-%20Joins.csl)|
305-
|Episode 3: Summarizing, pivoting, and visualizing data|Now that we're able to filter, manipulate, and join data, it's time to start summarizing, quantifying, pivoting, and visualizing. In this episode, we'll cover the summarize operator and some of the calculations you can perform while diving into additional tables in the advanced hunting schema. We turn our datasets into charts that can help improve analysis.|[MP4](https://aka.ms/MTP29JUL20_MP4)|[YouTube](https://youtu.be/UKnk9U1NH6Y)|[Episode 3: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%203%20-%20Summarizing%2C%20Pivoting%2C%20and%20Joining.csl)|
306-
|Episode 4: Let's hunt! Applying KQL to incident tracking|Time to track some attacker activity! In this episode, we'll use our improved understanding of KQL and advanced hunting in Microsoft 365 Defender to track an attack. Learn some of the tips and tricks used in the field to track attacker activity, including the ABCs of cybersecurity and how to apply them to incident response.|[MP4](https://aka.ms/MTP5AUG20_MP4)|[YouTube](https://youtu.be/2EUxOc_LNd8)|[Episode 4: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%204%20-%20Lets%20Hunt.csl)|
307-
|
308-
309-
-->
310292

311293
### Expert training on advanced hunting
312294

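Review bot: deleting the HTML-commented webcast table is a reasonable cleanup, but that block was the only place this article pointed to the `Microsoft-threat-protection-Hunting-Queries` repository and its per-episode CSL files. If those webcasts and queries are still maintained, link them under the `### Expert training on advanced hunting` heading that follows rather than dropping them; if they are retired, the deletion is correct and nothing else in this file references them.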
microsoft-365/security/defender/eval-defender-investigate-respond-simulate-attack.md

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
22
title: Run an attack simulation in a Microsoft 365 Defender pilot environment
3-
description: Run attack simulations for Microsoft 365 Defender to see how how alerts and incidents are presented, insights are gained, and threats are quickly remediated.
3+
description: Run attack simulations for Microsoft 365 Defender to see how alerts and incidents are presented, insights are gained, and threats are quickly remediated.
44
search.product: eADQiWindows 10XVcnh
55
search.appverid: met150
66
ms.prod: m365-security
@@ -57,15 +57,15 @@ Defender for Office 365 with Microsoft 365 E5 or Microsoft Defender for Office 3
5757

5858
1. Create a simulation
5959

60-
For step by step instructions on how to create and send a new simulation, see [Simulate a phishing attack](/microsoft-365/security/office-365-security/attack-simulation-training).
60+
For step by step instructions on how to create and launch a new simulation, see [Simulate a phishing attack](/microsoft-365/security/office-365-security/attack-simulation-training).
6161

6262
2. Create a payload
6363

64-
For step by step instructions on how to create a payload for use within a simulation, see [Create a custom payload for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payloads).
64+
For step by step instructions on how to create a payload for use within a simulation, see [Create a custom payload for attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payloads).
6565

6666
3. Gaining insights
6767

68-
For step by step instructions on how to gain insights with reporting, see [Gain insights through Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-insights).
68+
For step by step instructions on how to gain insights with reporting, see [Gain insights through attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-insights).
6969

7070
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWMhvB]
7171
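Review bot: "step by step" used before a noun should be hyphenated ("step-by-step instructions") in all three items. Lowercasing "attack simulation training" in the two link texts may no longer match the linked pages' titles, which the original text mirrored with a capital "Attack"; check the target titles and keep the link text consistent with them. "send" to "launch" in step 1 is fine.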
@@ -78,15 +78,15 @@ Here are the Defender for Endpoint simulations from Microsoft:
7878
- Document drops backdoor
7979
- Automated investigation (backdoor)
8080

81-
There are additional simulations from Attack IQ and SafeBreach. There are also a set of tutorials.
81+
There are additional simulations from third-party sources. There are also a set of tutorials.
8282

8383
For each simulation or tutorial:
8484

85-
1. Download and read the corresponding walk through document provided with your selected simulation or scenario.
85+
1. Download and read the corresponding walk-through document provided.
8686

8787
2. Download the simulation file. You can choose to download the file or script on the test device but it's not mandatory.
8888

89-
3. Run the simulation file or script on the test device as instructed in the walk through document.
89+
3. Run the simulation file or script on the test device as instructed in the walk-through document.
9090

9191
For more information, see [Experience Microsoft Defender for Endpoint through simulated attack](/microsoft-365/security/defender-endpoint/attack-simulations).
9292

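Review bot: "There are also a set of tutorials" should be "There is also a set of tutorials". Replacing "Attack IQ and SafeBreach" with "third-party sources" removes the only concrete pointer to where those simulations come from; if vendor names are being scrubbed deliberately, add a link to where the third-party simulations are listed instead. Step 2 ("You can choose to download the file or script on the test device but it's not mandatory") is also ambiguous about where else the file might go; since step 3 says to run it on the test device, state plainly that the simulation file should be downloaded to and run only on the test device.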
@@ -317,11 +317,11 @@ After the investigation is complete and confirmed to be remediated, you resolve
317317

318318
From the **Incident** page, select **Manage incident**. Set the status to **Resolve incident** and select **True alert** for the classification and **Security testing** for the determination.
319319

320-
![Example of the incidents page with the open Manage incident panel where you can click the switch to resolve incident.](../../media/mtp/fig16.png)
320+
![Example of the incidents page with the open Manage incident panel where you can resolve the incident.](../../media/mtp/fig16.png)
321321

322322
When the incident is resolved, it resolves all of the associated alerts in the Microsoft 365 Defender portal and the related portals.
323323

324-
This wraps up the attack simulation for incident analysis, automated investigation, and incident resolution.
324+
This wraps up attack simulations for incident analysis, automated investigation, and incident resolution.
325325

326326
## Next step
327327

microsoft-365/security/defender/eval-defender-investigate-respond.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -36,11 +36,11 @@ Use the following steps.
3636

3737
The following table describes the steps in the illustration.
3838

39-
| |Step |Description |
40-
|---------|---------|---------|
41-
|1|[Simulate attacks](eval-defender-investigate-respond-simulate-attack.md) | Simulate attacks on your evaluation environment and use the Microsoft 365 Defender portal to perform incident response. |
42-
|2|[Try incident response capabilities ](eval-defender-investigate-respond-additional.md) | Try features and capabilities in Microsoft 365 Defender. |
43-
||||
39+
|Step |Description |
40+
|---------|---------|
41+
| 1. [Simulate attacks](eval-defender-investigate-respond-simulate-attack.md) | Simulate attacks on your evaluation environment and use the Microsoft 365 Defender portal to perform incident response. |
42+
| 2. [Try incident response capabilities ](eval-defender-investigate-respond-additional.md) | Try additional incident response features and capabilities in Microsoft 365 Defender. |
43+
|||
4444

4545
### Navigation you may need
4646

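Review bot: the rebuilt table still ends with a `|||` row, which is an empty row and renders as a blank line in the table; remove it (it was the stray `||||` before the change). There is also a trailing space inside the link text `[Try incident response capabilities ]` that should be dropped.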
microsoft-365/security/defender/first-incident-analyze.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -60,7 +60,7 @@ Analysts then initiate investigations based on the **Priority** criteria set by
6060

6161
Incident prioritization might vary depending on the organization. NIST recommends also considering the functional and informational impact of the incident, and recoverability.
6262

63-
The following is just one approach to triage:
63+
The following is just one approach to triage to consider:
6464

6565
1. Go to the [incidents](incidents-overview.md) page to initiate triage. Here you can see a list of incidents affecting your organization. By default, they are arranged from the most recent to the oldest incident. From here, you can also see different columns for each incident showing their severity, category, number of active alerts, and impacted entities, among others. You can customize the set of columns and sort the incident queue by some of these columns by selecting the column name. You can also filter the incident queue according to your needs. For a full list of available filters, see [Prioritize incidents](incident-queue.md#available-filters).
6666

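Review bot: "The following is just one approach to triage to consider" doubles up "one approach" with "to consider"; "Here is one approach to triage:" reads better.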
@@ -90,19 +90,19 @@ The following is just one approach to triage:
9090

9191
## Analyze your first incident
9292

93-
Understanding the context surrounding alerts is equally important. Often an alert is not a single independent event. There is a chain of processes created, commands, and actions that might not have occurred at the same time. Therefore, an analyst must look for the first and last activities of the suspicious entity in device timelines to understand the context of the alerts.
93+
Understanding the context surrounding alerts is equally important. Often an alert is not a single independent event. There is a chain of processes created, commands, and actions that might not have occurred at the same time. Therefore, you must look for the first and last activities of the suspicious entity in device timelines to understand the context of the alerts.
9494

9595
There are multiple ways to read and analyze data using Microsoft 365 Defender but the end goal for analysts is to respond to incidents as quickly as possible. While Microsoft 365 Defender can significantly reduce [Mean Time to Remediate (MTTR)](https://www.microsoft.com/security/blog/2020/05/04/lessons-learned-microsoft-soc-part-3c/) through the industry-leading [automated investigation and response](m365d-autoir.md) feature, there are always cases that require manual analysis.
9696

9797
Here's an example:
9898

99-
1. Once triage priority has been determined, an analyst begins an in-depth analysis by selecting the incident name. This page brings up the **Incident Summary** where data is displayed in tabs to assist with the analysis. Under the **Alerts** tab, the type of alerts are displayed. Analysts can click on each alert to drill down into the respective detection source.
99+
1. Once triage priority has been determined, you can begin an in-depth analysis by selecting the incident name. This page brings up the **Incident Summary** where data is displayed in tabs to assist with the analysis. Under the **Alerts** tab, the type of alerts are displayed. Analysts can click on each alert to drill down into the respective detection source.
100100

101101
:::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-summary-tab.png" alt-text="Example of the Summary tab of an incident.":::
102102

103103
For a quick guide about which domain each detection source covers, review the [Detect](#detection-by-microsoft-365-defender) section of this article.
104104

105-
2. From the **Alerts** tab, an analyst can pivot to the detection source to conduct a more in-depth investigation and analysis. For example, selecting Malware Detection with Microsoft Defender for Cloud Apps as the detection source takes the analyst to its corresponding alert page.
105+
2. From the **Alerts** tab, you can pivot to the detection source to conduct a more in-depth investigation and analysis. For example, selecting Malware Detection with Microsoft Defender for Cloud Apps as the detection source takes the analyst to its corresponding alert page.
106106

107107
:::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-select-alert.png" alt-text="Example of selecting an alert of an incident.":::
108108

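Review bot: the hunk switches "an analyst" to "you" in the lead sentence of step 1 and step 2 but leaves "Analysts can click on each alert" (step 1) and "takes the analyst to its corresponding alert page" (step 2) in the third person, so the voice flips mid-paragraph. Change those to "You can select each alert" and "takes you to". "Therefore, you must look" is also stronger than the original "an analyst must"; "you need to look" fits the surrounding tone.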
@@ -120,7 +120,7 @@ Here's an example:
120120

121121
:::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-mcas-alert.png" alt-text="Example of alerts details for Microsoft Defender for Cloud Apps .":::
122122

123-
6. By selecting other alerts, an analyst can get a complete picture of the attack.
123+
6. By selecting other alerts, you can get a complete picture of the attack.
124124

125125
## Next step
126126

microsoft-365/security/defender/first-incident-overview.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ ms.technology: m365d
3232

3333
An organization's incident response strategy determines its ability to deal with increasingly disruptive security incidents and cybercrime. While taking preventative measures is important, the ability to act quickly to contain, eradicate, and recover from detected incidents can minimize damage and business losses.
3434

35-
This incident response walkthrough shows how you, as part of a security operations team, can perform most of the key incident response steps within Microsoft 365 Defender. Here are the steps:
35+
This incident response walkthrough shows how you, as part of a security operations (SecOps) team, can perform most of the key incident response steps within Microsoft 365 Defender. Here are the steps:
3636

3737
- Preparation of your security posture
3838
- For each incident:
@@ -42,7 +42,7 @@ This incident response walkthrough shows how you, as part of a security operatio
4242

4343
A security incident is defined by National Institute of Standards and Technology (NIST) as "an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system; or the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies."
4444

45-
Incidents in Microsoft 365 Defender are the logical starting points for analysis and incident response. Analyzing and remediating incidents typically makes up most of a security operations team's tasks.
45+
Incidents in Microsoft 365 Defender are the logical starting points for analysis and incident response. Analyzing and remediating incidents typically makes up most of a (SecOps) team's tasks and time.
4646

4747
## Next step
4848

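Review bot: "most of a (SecOps) team's tasks and time" has stray parentheses; the abbreviation was already introduced in the earlier hunk as "security operations (SecOps)", so write "a SecOps team's tasks and time" here.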
microsoft-365/security/defender/first-incident-post.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@ By mapping alerts to this industry framework, you can:
4242
- Identify skill gaps in attack method awareness.
4343
- Create a Power Automate Playbook for faster remediation.
4444

45-
Post-incident review activity can also result in fine-tuning your security configuration and security team's processes, enhancing your organization’s response capabilities.
45+
Post-incident review activity can also result in fine-tuning your security configuration and security team's processes to streamline your organization’s response capabilities.
4646

4747
## Next step
4848

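Review bot: "to streamline your organization's response capabilities" is weaker than the original "enhancing"; you streamline a process, not a capability. Suggest "to improve your organization's response capabilities". The apostrophe in "organization’s" is a curly quote while "team's" on the same line uses a straight one; normalize to straight quotes.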