Merge pull request #21860 from MicrosoftDocs/chrisda

compliance to purview link updates 1

microsoft-365/security/office-365-security/air-about.md

@@ -75,17 +75,17 @@ During and after each automated investigation, your security operations team can
 
 AIR capabilities are included in [Microsoft Defender for Office 365](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2), provided your policies and alerts are configured. Need some help? Follow the guidance in [Protect against threats](protect-against-threats.md) to set up or configure the following protection settings:
 
-- [Verify audit logging is turned on](../../compliance/audit-log-enable-disable.md)
+- [Verify audit logging is turned on](/purview/audit-log-enable-disable)
 - [Anti-malware protection](protect-against-threats.md#part-1---anti-malware-protection-in-eop)
 - [Anti-phishing protection](../office-365-security/protect-against-threats.md#part-2---anti-phishing-protection-in-eop-and-defender-for-office-365)
 - [Anti-spam protection](protect-against-threats.md#part-3---anti-spam-protection-in-eop)
 - [Safe Links and Safe Attachments](protect-against-threats.md#part-4---protection-from-malicious-urls-and-files-safe-links-and-safe-attachments-in-defender-for-office-365)
 
-In addition, make sure to [review your organization's alert policies](../../compliance/alert-policies.md), especially the [default policies in the Threat management category](../../compliance/alert-policies.md#default-alert-policies).
+In addition, make sure to [review your organization's alert policies](/purview/alert-policies), especially the [default policies in the Threat management category](/purview/alert-policies#default-alert-policies).
 
 ## Which alert policies trigger automated investigations?
 
-Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](../../compliance/alert-policies.md#default-alert-policies) can trigger automated investigations. The following table describes the alerts that trigger automated investigations, their severity in the Microsoft 365 Defender portal, and how they're generated:
+Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](/purview/alert-policies#default-alert-policies) can trigger automated investigations. The following table describes the alerts that trigger automated investigations, their severity in the Microsoft 365 Defender portal, and how they're generated:
 
 |Alert|Severity|How the alert is generated|
 |---|---|---|
@@ -101,7 +101,7 @@ Microsoft 365 provides many built-in alert policies that help identify Exchange
 |Admin triggered user compromise investigation|**Medium**|This alert is generated when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer.  This alert notifies your organization that the user compromise investigation was started.|
 
 > [!TIP]
-> To learn more about alert policies or edit the default settings, see [Alert policies in the Microsoft Purview compliance portal](../../compliance/alert-policies.md).
+> To learn more about alert policies or edit the default settings, see [Alert policies in the Microsoft Purview compliance portal](/purview/alert-policies).
 
 ## Required permissions to use AIR capabilities
 

microsoft-365/security/office-365-security/air-remediation-actions.md

@@ -58,7 +58,7 @@ Microsoft Defender for Office 365 includes remediation actions to address variou
 |User|A user is sending malware/phish|Automated investigation doesn't result in a specific pending action. <p> The user might be reporting malware/phish, or someone could be [spoofing the user](anti-phishing-protection-spoofing-about.md) as part of an attack. Use [Threat Explorer](threat-explorer-about.md) to view and handle email containing [malware](threat-explorer-views.md#malware) or [phish](threat-explorer-views.md#phish).|
 |User|Email forwarding <br> (Mailbox forwarding rules are configured, chch could be used for data exfiltration.)|Remove forwarding rule <p> Use the [Autofowarded messages report](/exchange/monitoring/mail-flow-reports/mfr-auto-forwarded-messages-report) to view specific details about forwarded email.|
 |User|Email delegation rules <br> (A user's account has delegations set up.)|Remove delegation rule <p> If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/), consider [investigating the user](/microsoft-365/security/defender-endpoint/investigate-user) who's getting the delegation permission.|
-|User|Data exfiltration <br> (A user violated email or file-sharing [DLP policies](../../compliance/dlp-learn-about-dlp.md) |Automated investigation doesn't result in a specific pending action. <p> [Get started with Activity Explorer](../../compliance/data-classification-activity-explorer.md#get-started-with-activity-explorer).|
+|User|Data exfiltration <br> (A user violated email or file-sharing [DLP policies](/purview/dlp-learn-about-dlp) |Automated investigation doesn't result in a specific pending action. <p> [Get started with Activity Explorer](/purview/data-classification-activity-explorer#get-started-with-activity-explorer).|
 |User|Anomalous email sending <br> (A user recently sent more email than during the previous 7-10 days.)|Automated investigation doesn't result in a specific pending action. <p> Sending a large volume of email isn't malicious by itself; the user might just have sent email to a large group of recipients for an event. To investigate, use the [New users forwarding email insight in the EAC](/exchange/monitoring/mail-flow-insights/mfi-new-users-forwarding-email-insight) and [Outbound message report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-inbound-messages-and-outbound-messages-reports) to determine what's going on and take action.|
 
 ## Next steps

microsoft-365/security/office-365-security/air-view-investigation-results.md

@@ -41,7 +41,7 @@ The investigation status indicates the progress of the analysis and actions. As
 |**Starting**|The investigation has been triggered and waiting to start running.|
 |**Running**|The investigation process has started and is underway. This state also occurs when [pending actions](air-review-approve-pending-completed-actions.md#approve-or-reject-pending-actions) are approved.|
 |**No Threats Found**|The investigation has finished and no threats (user account, email message, URL, or file) were identified. <p> **TIP**: If you suspect something was missed (such as a false negative), you can take action using [Threat Explorer](threat-explorer-about.md).|
-|**Partially Investigated**|The automated investigation found issues, but there are no specific remediation actions to resolve those issues. <p> The **Partially Investigated** status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities: <ul><li>A [data loss prevention](../../compliance/dlp-learn-about-dlp.md) event</li><li>An email sending anomaly</li><li>Sent malware</li><li>Sent phish</li></ul> <br/> **Note**: This **Partially Investigated** status used to be labeled as **Threats Found**. <p> The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation. <p> **TIP**: If you suspect something was missed (such as a false negative), you can investigate and take action using [Threat Explorer](threat-explorer-about.md)|
+|**Partially Investigated**|The automated investigation found issues, but there are no specific remediation actions to resolve those issues. <p> The **Partially Investigated** status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities: <ul><li>A [data loss prevention](/purview/dlp-learn-about-dlp) event</li><li>An email sending anomaly</li><li>Sent malware</li><li>Sent phish</li></ul> <br/> **Note**: This **Partially Investigated** status used to be labeled as **Threats Found**. <p> The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation. <p> **TIP**: If you suspect something was missed (such as a false negative), you can investigate and take action using [Threat Explorer](threat-explorer-about.md)|
 |**Terminated By System**|The investigation stopped. An investigation can stop for several reasons: <ul><li>The investigation's pending actions expired. Pending actions time out after awaiting approval for one week</li><li>There are too many actions. For example, if there are too many users clicking on malicious URLs, it can exceed the investigation's ability to run all the analyzers, so the investigation halts</li></ul> <br/> **TIP**: If an investigation halts before actions were taken, try using [Threat Explorer](threat-explorer-about.md) to find and address threats.|
 |**Pending Action**|The investigation has found a threat, such as a malicious email, a malicious URL, or a risky mailbox setting, and an action to remediate that threat is [awaiting approval](air-review-approve-pending-completed-actions.md). <p> The **Pending Action** state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. View investigation details to see if other items are still pending completion.|
 |**Remediated**|The investigation finished and all remediation actions were approved (noted as fully remediated). <p> **NOTE**: Approved remediation actions can have errors that prevent the actions from being taken. Regardless of whether remediation actions are successfully completed, the investigation status doesn't change. View investigation details.|

microsoft-365/security/office-365-security/attack-simulation-training-faq.md

@@ -86,7 +86,7 @@ Audit logging is required by Attack simulation training so events can be capture
 - Reporting data isn't available across all reports. The reports appear empty.
 - Training assignments are blocked, because data isn't available.
 
-To verify that audit logging is on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md).
+To verify that audit logging is on or to turn it on, see [Turn auditing on or off](/purview/audit-log-enable-disable).
 
 > [!NOTE]
 > Empty activity details can also be caused by no E5 licenses being assigned to users. Verify at least one E5 license is assigned to an active user to ensure that reporting events are captured and recorded.

microsoft-365/security/office-365-security/azure-ip-protection-features.md

@@ -91,4 +91,4 @@ Once this is enabled, provided you haven't opted out, you can start using the ne
 
 :::image type="content" source="../../media/599ca9e7-c05a-429e-ae8d-359f1291a3d8.png" alt-text="An OME protected message in Outlook on the web" lightbox="../../media/599ca9e7-c05a-429e-ae8d-359f1291a3d8.png":::
 
-For more information about the new enhancements, see [Office 365 Message Encryption](../../compliance/ome.md).
+For more information about the new enhancements, see [Office 365 Message Encryption](/purview/ome).

microsoft-365/security/office-365-security/connectors-detect-respond-to-compromise.md

@@ -103,7 +103,7 @@ In [Microsoft Defender for Office 365 Plan 1](defender-for-office-365.md) or [Ex
 
 #### Investigate and validate connector-related activity
 
-In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), replace \<StartDate\> and \<EndDate\> with your values, and then run the following command to find and validate admin-related connector activity in the audit log. For more information, see [Use a PowerShell script to search the audit log](/compliance/audit-log-search-script).
+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), replace \<StartDate\> and \<EndDate\> with your values, and then run the following command to find and validate admin-related connector activity in the audit log. For more information, see [Use a PowerShell script to search the audit log](/purview/audit-log-search-script).
 
 ```powershell
 Search-UnifiedAuditLog -StartDate "<ExDateTime>" -EndDate "<ExDateTime>" -Operations "New-InboundConnector","Set-InboundConnector","Remove-InboundConnector

microsoft-365/security/office-365-security/connectors-remove-blocked.md

@@ -82,10 +82,10 @@ For more information about compromised _user accounts_ and how to remove them fr
 
 ## Verify the alert settings for restricted connectors
 
-The default alert policy named **Suspicious connector activity** automatically notifies admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md).
+The default alert policy named **Suspicious connector activity** automatically notifies admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](/purview/alert-policies).
 
 > [!IMPORTANT]
-> For alerts to work, audit logging must to be turned on (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md).
+> For alerts to work, audit logging must to be turned on (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](/purview/audit-log-enable-disable).
 
 1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Alert policy**. Or, to go directly to the **Alert policy** page, use <https://security.microsoft.com/alertpoliciesv2>.
 

microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md

@@ -185,7 +185,7 @@ For more information on what's new with other Microsoft Defender security produc
   - User restricted from sharing forms and collecting responses
   - Form blocked due to potential phishing attempt
   - Form flagged and confirmed as phishing
-  - [New alert policies for ZAP](../../compliance/new-defender-alert-policies.md)
+  - [New alert policies for ZAP](/purview/new-defender-alert-policies)
 - Microsoft Defender for Office 365 alerts is now integrated into Microsoft 365 Defender - [Microsoft 365 Defender Unified Alerts Queue and Unified Alerts Queue](../defender/investigate-alerts.md)
 - [User Tags](user-tags-about.md) are now integrated into Microsoft Defender for Office 365 alerting experiences, including: the alerts queue and details in Office 365 Security & Compliance, and scoping custom alert policies to user tags to create targeted alert policies.
   - Tags are also available in the unified alerts queue in the Microsoft 365 Defender portal (Microsoft Defender for Office 365 Plan 2)

microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md

@@ -61,7 +61,7 @@ You need to search the **audit log** to find signs, also called Indicators of Co
 >
 > It can take from 30 minutes up to 24 hours for the corresponding audit log entry to be displayed in the search results after an event occurs.
 >
-> The length of time that an audit record is retained and searchable in the audit log depends on your Microsoft 365 subscription, and specifically the type of the license that is assigned to a specific user. For more information, see [Audit log](../../compliance/search-the-audit-log-in-security-and-compliance.md).
+> The length of time that an audit record is retained and searchable in the audit log depends on your Microsoft 365 subscription, and specifically the type of the license that is assigned to a specific user. For more information, see [Audit log](/purview/audit-log-search).
 >
 > If this value is true, it indicates that someone with Global Administrator access may have granted broad access to data. If this is unexpected, take steps to [confirm an attack](#how-to-confirm-an-attack).
 
@@ -132,10 +132,10 @@ The script produces one file named Permissions.csv. Follow these steps to look f
 
 ## Determine the scope of the attack
 
-After you have finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Microsoft 365 Defender portal](../../compliance/search-the-audit-log-in-security-and-compliance.md).
+After you have finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Microsoft 365 Defender portal](/purview/audit-log-search).
 
 > [!IMPORTANT]
-> [Mailbox auditing](../../compliance/audit-mailboxes.md) and [Activity auditing for admins and users](../../compliance/audit-log-enable-disable.md) must have been enabled prior to the attack for you to get this information.
+> [Mailbox auditing](/purview/audit-mailboxes) and [Activity auditing for admins and users](/purview/audit-log-enable-disable) must have been enabled prior to the attack for you to get this information.
 
 ## How to stop and remediate an illicit consent grant attack
 

microsoft-365/security/office-365-security/eop-about.md

@@ -110,7 +110,7 @@ For information about requirements, important limits, and feature availability a
 |Mail flow reports|[Mail flow reports in the Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports)|
 |Mail flow insights|[Mail flow insights in the Exchange admin center](/exchange/monitoring/mail-flow-insights/mail-flow-insights)|
 |Auditing reports|[Auditing reports in the Exchange admin center](/exchange/security-and-compliance/exchange-auditing-reports/exchange-auditing-reports)|
-|Alert policies|[Alert policies](../../compliance/alert-policies.md)|
+|Alert policies|[Alert policies](/purview/alert-policies)|
 |**Service Level Agreements (SLAs) and support**||
 |Spam effectiveness SLA|\> 99%|
 |False positive ratio SLA|\< 1:250,000|
@@ -120,5 +120,5 @@ For information about requirements, important limits, and feature availability a
 |**Other features**||
 |A geo-redundant global network of servers|EOP runs on a worldwide network of datacenters that are designed to help provide the best availability. For more information, see the [EOP datacenters](#eop-datacenters) section earlier in this article.|
 |Message queuing when the on-premises server can't accept mail|Messages in deferral remain in our queues for one day. Message retry attempts are based on the error we get back from the recipient's mail system. On average, messages are retried every 5 minutes. For more information, see [EOP queued, deferred, and bounced messages FAQ](mail-flow-delivery-faq.yml).|
-|Office 365 Message Encryption available as an add-on|For more information, see [Encryption in Office 365](../../compliance/encryption.md).|
+|Office 365 Message Encryption available as an add-on|For more information, see [Encryption in Office 365](/purview/encryption).|
 |||

microsoft-365/security/office-365-security/identity-access-prerequisites.md

@@ -115,7 +115,7 @@ For editions of Microsoft 365 or Office 365 that do not support Conditional Acce
 Here are some additional recommendations:
 
 - Use [Azure AD Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-getting-started) to reduce the number of persistent administrative accounts.
-- [Use privileged access management](../../compliance/privileged-access-management-overview.md) to protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings.
+- [Use privileged access management](/purview/privileged-access-management) to protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings.
 - Create and use separate accounts that are assigned [Microsoft 365 administrator roles](../../admin/add-users/about-admin-roles.md) *only for administration*. Admins should have their own user account for regular non-administrative use and only use an administrative account when necessary to complete a task associated with their role or job function.
 - Follow [best practices](/azure/active-directory/roles/best-practices) for securing privileged accounts in Azure AD.