
Fix circular reference between MS.EXO.16.1v1 and MS.DEFENDER.5.1v1 implementation instructions #1198

Conversation

@schrolla (Collaborator) commented Jul 3, 2024

🗣 Description

Replicates the list of activities from MS.EXO.16.1v1 that must be included when configuring M365 Defender alert policies, as per the MS.DEFENDER.5.1v1 implementation instructions.

💭 Motivation and context

Previously, readers would have to 'flip' between the two SCBs to follow the Defender SCB implementation instructions while referencing the Exchange Online alert policy activities list, then back to Defender to finish. Replicating the list from EXO in the Defender SCB eases the reader's burden and makes the implementation instructions more standalone, while retaining the references between the two policy items for awareness.

Closes #565

🧪 Testing

This update only includes implementation instruction changes and does not change the contents or meaning of the policies themselves. Please review both MS.DEFENDER.5.1v1 and MS.EXO.16.1v1 SCBs (prior and proposed) to ensure the changes improve clarity and readability. Also recommend running through the MS.DEFENDER.5.1v1 implementation directly to validate usability.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • PR targets the correct parent branch (e.g., main or release-name) for merge.
  • Changes are limited to a single goal - eschew scope creep!
  • Changes are sized such that they do not touch excessive number of files.
  • All future TODOs are captured in issues, which are referenced in code comments.
  • These code changes follow the ScubaGear content style guide.
  • Related issues these changes resolve are linked preferably via closing keywords.
  • All relevant type-of-change labels added.
  • All relevant project fields are set.
  • All relevant repo and/or project documentation updated to reflect these changes. (No doc updates required)
  • Unit tests added/updated to cover PowerShell and Rego changes. (No code changes)
  • Functional tests added/updated to cover PowerShell and Rego changes. (No code changes)
  • All relevant functional tests passed.
  • All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

  • PR passed smoke test check.
  • Feature branch has been rebased against changes from parent branch, as needed. (Use the Rebase branch button below or use this reference to rebase from the command line.)
  • Resolved all merge conflicts on branch.
  • Notified merge coordinator that PR is ready for merge via comment mention.

✅ Post-merge checklist

  • Feature branch deleted after merge to clean up repository.
  • Verified that all checks pass on parent branch (e.g., main or release-name) after merge.

@schrolla added the labels "enhancement" (This issue or pull request will add new or improve existing functionality) and "baseline-document" (Issues relating to the text in the baseline documents themselves) on Jul 3, 2024
@schrolla added this to the Iceberg milestone Jul 3, 2024
@schrolla self-assigned this Jul 3, 2024
@schrolla linked an issue Jul 3, 2024 that may be closed by this pull request
@schrolla marked this pull request as ready for review July 3, 2024 15:03
@mitchelbaker-cisa (Collaborator) left a review comment

Looks good, requested a couple minor changes.

Unrelated to the changes in this PR, should we consider linking directly to respective admin consoles? i.e.

  1. Sign in to Microsoft 365 Defender.

Review threads on PowerShell/ScubaGear/baselines/defender.md: three threads, all resolved (two marked outdated after later commits).
@buidav (Collaborator) commented Jul 3, 2024

Unrelated to the changes in this PR, should we consider linking directly to respective admin consoles? i.e.

  1. Sign in to Microsoft 365 Defender.

#423
We don't want to have to maintain a list of the different admin portals for commercial vs GCC vs GCC High vs DoD vs international domains.
There also isn't any good documentation we can point to that lists all of the admin centers with their correct domain names.

@schrolla force-pushed the 565-msexo161v1-instructions-contain-a-circular-reference-with-the-defender-baseline branch from 7705cf6 to 55ea497 on July 11, 2024 17:26
schrolla and others added 2 commits July 11, 2024 12:27
Co-authored-by: mitchelbaker-cisa <149098823+mitchelbaker-cisa@users.noreply.github.com>
@schrolla (Collaborator, Author) commented

@nanda-katikaneni This PR is ready for merge.

@nanda-katikaneni merged commit eaacdd9 into main Jul 15, 2024 (21 checks passed)
@nanda-katikaneni deleted the 565-msexo161v1-instructions-contain-a-circular-reference-with-the-defender-baseline branch July 15, 2024 16:22
Linked issue (closed by this pull request): MS.EXO.16.1v1 instructions contain a circular reference with the Defender baseline