diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md index ddff438e13..c2499cf092 100644 --- a/windows/security/includes/improve-request-performance.md +++ b/windows/security/includes/improve-request-performance.md @@ -18,6 +18,6 @@ ms.topic: article >[!NOTE] >For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +> - api-us.securitycenter.microsoft.com +> - api-eu.securitycenter.microsoft.com +> - api-uk.securitycenter.microsoft.com diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index e108eeae6b..41c9c858e4 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -373,7 +373,7 @@ ###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md) #### [Microsoft Defender ATP API]() -##### [Get started with Microsoft Defender ATP APIs]() +##### [Get started]() ###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md) ###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md) ###### [Hello World](microsoft-defender-atp/api-hello-world.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index 2e5c7cec45..0a85cb240c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -24,8 +24,9 @@ ms.topic: article ## API description -Creates new [Alert](alerts.md). -
Microsoft Defender ATP Event is a required parameter for the alert creation. +Creates new [Alert](alerts.md) on top of **Event**. +
**Microsoft Defender ATP Event** is required for the alert creation. +
You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
You can use an event found in Advanced Hunting API or Portal.
If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it.
An automatic investigation starts automatically on alerts created via the API. @@ -68,13 +69,13 @@ In the request body, supply the following values (all are required): Property | Type | Description :---|:---|:--- +eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. e.g. ```2018-08-03T16:45:21.7115183Z``` **Required**. +reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**. machineId | String | Id of the machine on which the event was identified. **Required**. severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**. title | String | Title for the alert. **Required**. description | String | Description of the alert. **Required**. recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**. -eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**. -reportId | String | The reportId, as obtained from the advanced query. **Required**. category| String | Category of the alert. The property values are: "General", "CommandAndControl", "Collection", "CredentialAccess", "DefenseEvasion", "Discovery", "Exfiltration", "Exploit", "Execution", "InitialAccess", "LateralMovement", "Malware", "Persistence", "PrivilegeEscalation", "Ransomware", "SuspiciousActivity" **Required**. ## Response 
@@ -91,16 +92,16 @@ Here is an example of the request. ``` POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference -Content-Length: application/json - +``` +```json { - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "severity": "Low", - "title": "test alert", - "description": "test alert", - "recommendedAction": "test alert", - "eventTime": "2018-08-03T16:45:21.7115183Z", - "reportId": "20776", - "category": "None" + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "severity": "Low", + "title": "example", + "description": "example alert", + "recommendedAction": "nothing", + "eventTime": "2018-08-03T16:45:21.7115183Z", + "reportId": "20776", + "category": "Exploit" } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index 271622f774..f733ffb8a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -50,7 +50,7 @@ You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the s ## Review attack surface reduction events in Windows Event Viewer -To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. +To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events. Event ID | Description -|- 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md index 549743f14c..5f6f4ad48c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md @@ -34,7 +34,6 @@ In general, you’ll need to take the following steps to use the APIs: - Use the token to access Microsoft Defender ATP API. The following steps with guide you how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token. -
**To become an official partner of Microsoft Defender ATP and appear in our partner page, you will provide us with your application identifier.** ## Create the multi-tenant app diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index 1343ebbc71..449efaf986 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -73,7 +73,7 @@ Here is an example of the response. "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee", "computerDnsName": "niw_pc", "osPlatform": "Windows10", - "rbacGroupId": 2154 + "rbacGroupName": "GroupTwo" } ... ] diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt index 2e2b69385b..a65e4c2dbb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt +++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt @@ -336,7 +336,7 @@ ##### [Understand Microsoft Defender ATP APIs](use-apis.md) ##### [Microsoft Defender ATP API license and terms](api-terms-of-use.md) -##### [Get started with Microsoft Defender ATP APIs]() +##### [Get started]() ###### [Introduction](apis-intro.md) ###### [Hello World](api-hello-world.md) ###### [Get access with application context](exposed-apis-create-app-webapp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 540c957c3f..19ccd7e62c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md 
@@ -71,21 +71,18 @@ Request Here is an example of the request. ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +[!include[Improve request performance](../../includes/improve-request-performance.md)] + ``` POST https://api.securitycenter.windows.com/api/advancedqueries/run Content-type: application/json { - "Query":"ProcessCreationEvents -| where InitiatingProcessFileName =~ \"powershell.exe\" -| where ProcessCommandLine contains \"appdata\" -| project EventTime, FileName, InitiatingProcessFileName -| limit 2" + "Query":"DeviceProcessEvents + | where InitiatingProcessFileName =~ 'powershell.exe' + | where ProcessCommandLine contains 'appdata' + | project Timestamp, FileName, InitiatingProcessFileName, DeviceId + | limit 2" } ``` 
@@ -96,32 +93,40 @@ Here is an example of the response. >[!NOTE] >The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. -``` -HTTP/1.1 200 OK -Content-Type: application/json​ +```json { - "Schema": [{ - "Name": "EventTime", - "Type": "DateTime" - }, - { - "Name": "FileName", - "Type": "String" - }, - { - "Name": "InitiatingProcessFileName", - "Type": "String" - }], - "Results": [{ - "EventTime": "2018-07-09T07:16:26.8017265", - "FileName": "csc.exe", - "InitiatingProcessFileName": "powershell.exe" - }, - { - "EventTime": "2018-07-08T19:00:02.7798905", - "FileName": "gpresult.exe", - "InitiatingProcessFileName": "powershell.exe" - }] + "Schema": [ + { + "Name": "Timestamp", + "Type": "DateTime" + }, + { + "Name": "FileName", + "Type": "String" + }, + { + "Name": "InitiatingProcessFileName", + "Type": "String" + }, + { + "Name": "DeviceId", + "Type": "String" + } + ], + "Results": [ + { + "Timestamp": "2020-02-05T01:10:26.2648757Z", + "FileName": "csc.exe", + "InitiatingProcessFileName": "powershell.exe", + "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3" + }, + { + "Timestamp": "2020-02-05T01:10:26.5614772Z", + "FileName": "csc.exe", + "InitiatingProcessFileName": "powershell.exe", + "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3" + } + ] } ```
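Review bot: In the `improve-request-performance.md` hunk, the included note now advertises `api-us/eu/uk.securitycenter.microsoft.com`, but every request example touched in this PR (`create-alert-by-reference.md` and `run-advanced-query-api.md`) still posts to `https://api.securitycenter.windows.com/...`. Either both domains are served and that should be stated in the note, or the example URLs need the same domain change so the geo-specific hosts and the default host agree. While on this line, the unchanged context "you can use server closer to your geo location" should read "a server closer to your geographic location".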
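Review bot: The added description lines in the first `create-alert-by-reference.md` hunk have grammar problems that will ship to readers: "Creates new [Alert](alerts.md) on top of **Event**." should be "Creates a new [Alert](alerts.md) on top of an **Event**.", and "If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it." should be "If an open alert with the same title already exists on the same machine, the newly created alert is merged into it." The merge-by-title behaviour is also worth a sentence of its own, since a caller that expects one alert per call will otherwise be surprised when the response returns the existing alert.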
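Review bot: In the request-example hunk of `create-alert-by-reference.md`, the removed line `Content-Length: application/json` was indeed wrong, but nothing replaces it, so the example now sends no content-type header at all while the `run-advanced-query-api.md` example in the same PR shows `Content-type: application/json`. Suggest adding that header line under the `POST` line before closing the first fence. The change of `"category": "None"` to `"category": "Exploit"` is correct, since `None` is not among the allowed values listed in the table above it.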
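Review bot: The `evaluate-attack-surface-reduction.md` hunk fixes the Event Viewer channel name to `Microsoft-Windows-Windows Defender/Operational`, which is the correct log, but the same line still ends with "The following table lists all network protection events." in a section titled "Review attack surface reduction events"; since the line is being edited anyway, change it to "attack surface reduction events" so the sentence matches both the heading and Event ID 1121.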
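Review bot: The `exposed-apis-create-app-partners.md` hunk deletes the blank line between "The following steps with guide you how to create an AAD application ..." and the bold partner sentence, which in rendered markdown merges the bold sentence into the preceding paragraph; if the intent was only to tidy whitespace, keep one blank line. The preceding context line also has a typo worth fixing in the same pass: "The following steps with guide you" should be "The following steps will guide you".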
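Review bot: The `get-recommendation-machines.md` hunk replaces `"rbacGroupId": 2154` with `"rbacGroupName": "GroupTwo"` in the sample response, which is a schema change (numeric id to string name) rather than a cosmetic edit; if the machine property table on the machine resource page still documents `rbacGroupId`, it should be updated in this PR, and a short note that the numeric id is no longer returned would help integrators who filter on it.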
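Review bot: In the request hunk of `run-advanced-query-api.md`, the `"Query"` value is still a JSON string split across raw line breaks (`"Query":"DeviceProcessEvents` / `| where ...` / `| limit 2"`), which is not valid JSON if a reader pastes the body as shown; either put the query on one line or escape the breaks as `\n`. The leading spaces on the continuation lines also become part of the query text, which KQL tolerates but which makes the copied string untidy. The move to the `DeviceProcessEvents` table and `Timestamp`/`DeviceId` columns is consistent with the response hunk below it.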
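Review bot: In the response hunk of `run-advanced-query-api.md`, tagging the fence as `json` and dropping the `Content-Type` line (which carried a stray zero-width character after `application/json`) is an improvement, but removing `HTTP/1.1 200 OK` also removes the only place the example showed the success status; consider stating the expected 200 response in the "Response" prose so readers can still distinguish a successful call from an error body. The two sample rows differ only in `Timestamp`, which is fine for illustrating the `limit 2` in the request.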