This commit is contained in:
Beth Levin
2019-05-15 11:28:42 -07:00
parent adea69932d
commit 04a6b90c8e
16 changed files with 118 additions and 145 deletions

View File

@ -249,43 +249,43 @@
###### [Advanced Hunting](run-advanced-query-api.md) ###### [Advanced Hunting](run-advanced-query-api.md)
###### [Alert](alerts-.md) ###### [Alert](alerts.md)
####### [List alerts](get-alerts-.md) ####### [List alerts](get-alerts.md)
####### [Create alert](create-alert-by-reference-.md) ####### [Create alert](create-alert-by-reference.md)
####### [Update Alert](update-alert-.md) ####### [Update Alert](update-alert.md)
####### [Get alert information by ID](get-alert-info-by-id-.md) ####### [Get alert information by ID](get-alert-info-by-id.md)
####### [Get alert related domains information](get-alert-related-domain-info-.md) ####### [Get alert related domains information](get-alert-related-domain-info.md)
####### [Get alert related file information](get-alert-related-files-info-.md) ####### [Get alert related file information](get-alert-related-files-info.md)
####### [Get alert related IPs information](get-alert-related-ip-info-.md) ####### [Get alert related IPs information](get-alert-related-ip-info.md)
####### [Get alert related machine information](get-alert-related-machine-info-.md) ####### [Get alert related machine information](get-alert-related-machine-info.md)
####### [Get alert related user information](get-alert-related-user-info-.md) ####### [Get alert related user information](get-alert-related-user-info.md)
###### [Machine](machine-.md) ###### [Machine](machine.md)
####### [List machines](get-machines-.md) ####### [List machines](get-machines.md)
####### [Get machine by ID](get-machine-by-id-.md) ####### [Get machine by ID](get-machine-by-id.md)
####### [Get machine log on users](get-machine-log-on-users-.md) ####### [Get machine log on users](get-machine-log-on-users.md)
####### [Get machine related alerts](get-machine-related-alerts-.md) ####### [Get machine related alerts](get-machine-related-alerts.md)
####### [Add or Remove machine tags](add-or-remove-machine-tags-.md) ####### [Add or Remove machine tags](add-or-remove-machine-tags.md)
####### [Find machines by IP](find-machines-by-ip-.md) ####### [Find machines by IP](find-machines-by-ip.md)
###### [Machine Action](machineaction-.md) ###### [Machine Action](machineaction.md)
####### [List Machine Actions](get-machineactions-collection-.md) ####### [List Machine Actions](get-machineactions-collection.md)
####### [Get Machine Action](get-machineaction-object-.md) ####### [Get Machine Action](get-machineaction-object.md)
####### [Collect investigation package](collect-investigation-package-.md) ####### [Collect investigation package](collect-investigation-package.md)
####### [Get investigation package SAS URI](get-package-sas-uri-.md) ####### [Get investigation package SAS URI](get-package-sas-uri.md)
####### [Isolate machine](isolate-machine-.md) ####### [Isolate machine](isolate-machine.md)
####### [Release machine from isolation](unisolate-machine-.md) ####### [Release machine from isolation](unisolate-machine.md)
####### [Restrict app execution](restrict-code-execution-.md) ####### [Restrict app execution](restrict-code-execution.md)
####### [Remove app restriction](unrestrict-code-execution-.md) ####### [Remove app restriction](unrestrict-code-execution.md)
####### [Run antivirus scan](run-av-scan-.md) ####### [Run antivirus scan](run-av-scan.md)
####### [Offboard machine](offboard-machine-api-.md) ####### [Offboard machine](offboard-machine-api.md)
####### [Stop and quarantine file](stop-and-quarantine-file-.md) ####### [Stop and quarantine file](stop-and-quarantine-file.md)
####### [Initiate investigation (preview)](initiate-autoir-investigation-.md) ####### [Initiate investigation (preview)](initiate-autoir-investigation.md)
###### [Indicators](ti-indicator-.md) ###### [Indicators](ti-indicator.md)
####### [Submit Indicator](post-ti-indicator-.md) ####### [Submit Indicator](post-ti-indicator.md)
####### [List Indicators](get-ti-indicators-collection-.md) ####### [List Indicators](get-ti-indicators-collection.md)
####### [Delete Indicator](delete-ti-indicator-by-id-.md) ####### [Delete Indicator](delete-ti-indicator-by-id.md)
###### Domain ###### Domain
####### [Get domain related alerts](get-domain-related-alerts.md) ####### [Get domain related alerts](get-domain-related-alerts.md)
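Review bot: every retarget in this hunk drops the trailing `-` from the page name (`alerts-.md` to `alerts.md`, `get-alerts-.md` to `get-alerts.md`, `machineaction-.md` to `machineaction.md`, and so on), so the corresponding files must be renamed in this same commit or every one of these TOC entries will 404; a redirect from each old `-.md` name is also worth adding so external bookmarks keep working. Separately, `###### Domain` is plain text while its sibling headings (`Alert`, `Machine`, `Machine Action`, `Indicators`) link to an entity page; if a domain entity page exists it should be linked the same way, otherwise the inconsistency is fine to leave.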

View File

@ -43,7 +43,7 @@ For tenants created on or after Windows 10, version 1809 the automated investiga
## Block file ## Block file
This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see [Block files in your network](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#block-files-in-your-network) for more details. This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see [Block files in your network](respond-file-alerts.md#block-files-in-your-network) for more details.
If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization. If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
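Review bot: the sentence being edited for its link does not parse: "uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled". Since the line is already touched, suggest "...only available if your organization uses Windows Defender Antivirus as the active antimalware solution and cloud-based protection is enabled; see [Block files in your network](respond-file-alerts.md#block-files-in-your-network) for details." In the next line, "This operation will prevent it from being read, written, or executed" refers back to "files", so "it" should be "them". The switch from the absolute docs.microsoft.com URL to the relative `respond-file-alerts.md` anchor also assumes that page has been renamed to the short name, which is not visible in this hunk; please confirm the target exists.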
@ -94,7 +94,7 @@ To receive contextual machine integration in Office 365 Threat Intelligence, you
Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability, while experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you configure it. Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability, while experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you configure it.
>[!NOTE] >[!NOTE]
>The Microsoft Threat Experts capability in Windows Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security). >The Microsoft Threat Experts capability in Windows Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
## Microsoft Cloud App Security ## Microsoft Cloud App Security
Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
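Review bot: "through your Windows Defender ATP portal's alerts dashboard" and "The Microsoft Threat Experts capability in Windows Defender ATP" are left as-is here, while elsewhere in this commit the product name is updated (the alert entity page changes "Represents an alert entity in Windows Defender ATP" to "Microsoft Defender ATP"). Suggest applying the same rename to these two lines so the page does not mix both names.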

View File

@ -22,11 +22,8 @@ ms.date: 04/24/2018
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
## Performance best practices ## Performance best practices
@ -61,13 +58,14 @@ The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTi
### Using command line queries ### Using command line queries
Command lines may vary - when applicable, filter on file names and do fuzzy matching. Command lines may vary - when applicable, filter on file names and do fuzzy matching.
There are numerous ways to construct a command line to accomplish a task. There are numerous ways to construct a command line to accomplish a task.
For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more. For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more.
To create more durable queries using command lines, we recommended the following guidelines: To create more durable queries using command lines, we recommended the following guidelines:
- Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field. - Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field.
- When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators. - When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
- Use case insensitive matches. For example, use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs' - Use case insensitive matches. For example, use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs'
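Review bot: "we recommended the following guidelines" should be present tense, "we recommend". The last bullet also lists `'contains'` on both sides of the recommendation; the case-insensitive operator it contrasts with `'contains_cs'` is `contains`, so the sentence is correct but reads oddly; consider "use `=~`, `in~`, `contains` instead of `==`, `in`, `contains_cs`" with the operators in code spans and a terminating period.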

View File

@ -22,14 +22,10 @@ ms.date: 06/01/2018
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
## Advanced hunting column reference ## Advanced hunting column reference
To effectively build queries that span multiple tables, you need to understand the columns in the Advanced hunting schema. The following table lists all the available columns, along with their data types and descriptions. This information is also available in the schema representation in the Advanced hunting screen. To effectively build queries that span multiple tables, you need to understand the columns in the Advanced hunting schema. The following table lists all the available columns, along with their data types and descriptions. This information is also available in the schema representation in the Advanced hunting screen.
@ -126,6 +122,6 @@ To effectively build queries that span multiple tables, you need to understand t
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)
## Related topic ## Related topics
- [Query data using Advanced hunting](advanced-hunting.md) - [Query data using Advanced hunting](advanced-hunting.md)
- [Advanced hunting query language best practices](advanced-hunting-best-practices.md) - [Advanced hunting query language best practices](advanced-hunting-best-practices.md)

View File

@ -23,8 +23,6 @@ ms.date: 04/24/2018
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first. The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.
@ -38,7 +36,6 @@ On the top navigation you can:
- Navigate between pages - Navigate between pages
- Apply filters - Apply filters
![Image of alerts queue](images/alerts-queue-list.png) ![Image of alerts queue](images/alerts-queue-list.png)
## Sort, filter, and group the alerts queue ## Sort, filter, and group the alerts queue
@ -53,13 +50,12 @@ Medium </br>(Orange) | Threats rarely observed in the organization, such as anom
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization. Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of. Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
#### Understanding alert severity #### Understanding alert severity
It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes. It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected. The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected.
The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization. The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization.
So, for example: So, for example:
- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred. - The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
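Review bot: the severity table cells use `</br>` ("Low </br>(Yellow)", "Informational </br>(Grey)"), which is not a valid HTML line-break tag and renders inconsistently; use `<br>` or `<br/>`. Also, "the actual risk to the machine but more importantly the potential risk to the organization" needs a comma after "machine" and after "importantly".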
@ -77,7 +73,7 @@ Corresponds to the automated investigation state.
You can choose between showing alerts that are assigned to you or automation. You can choose between showing alerts that are assigned to you or automation.
### Detection source ### Detection source
Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts managed hunting service. Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts managed hunting service.
>[!NOTE] >[!NOTE]
>The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product. >The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
@ -90,8 +86,7 @@ Limit the alerts queue view by selecting the OS platform that you're interested
If you have specific machine groups that you're interested in checking the alerts on, you can select the groups to limit the alerts queue view to display just those machine groups. If you have specific machine groups that you're interested in checking the alerts on, you can select the groups to limit the alerts queue view to display just those machine groups.
### Associated threat ### Associated threat
Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics.md). Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics.md).
## Related topics ## Related topics
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
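Review bot: "high profile threats" and "high-profile threats" appear in consecutive sentences with different hyphenation; use "high-profile" in both.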

View File

@ -20,7 +20,7 @@ ms.topic: article
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Represents an alert entity in Windows Defender ATP. Represents an alert entity in Microsoft Defender ATP.
# Methods # Methods
Method|Return Type |Description Method|Return Type |Description

View File

@ -22,21 +22,15 @@ ms.date: 10/16/2017
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
## Alert API fields and portal mapping ## Alert API fields and portal mapping
The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
Field numbers match the numbers in the images below. Field numbers match the numbers in the images below.

View File

@ -39,10 +39,7 @@ Microsoft Defender ATP supports two ways to manage permissions:
>- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC. >- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
>- After switching to RBAC, you will not be able to switch back to using basic permissions management. >- After switching to RBAC, you will not be able to switch back to using basic permissions management.
## Related topics
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink)
## Related topic
- [Use basic permissions to access the portal](basic-permissions.md) - [Use basic permissions to access the portal](basic-permissions.md)
- [Manage portal access using RBAC](rbac.md) - [Manage portal access using RBAC](rbac.md)
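Review bot: the belowfold "Sign up for a free trial" line is removed from this page, but the equivalent line (`...advancedhuntingref-belowfoldlink`) is kept on the advanced hunting reference page in this same commit; decide whether the belowfold trial link stays or goes and apply that to both files. The heading change from "Related topic" to "Related topics" matches the same fix made on the advanced hunting reference page, which is good.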

View File

@ -22,18 +22,14 @@ ms.date: 11/20/2018
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
>[!TIP] >[!TIP]
>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). >- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). >- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
You might want to experience Microsoft Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response. You might want to experience Microsoft Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response.
## Before you begin ## Before you begin
@ -66,5 +62,6 @@ Read the walkthrough document provided with each attack scenario. Each document
## Related topics ## Related topics
- [Onboard machines](onboard-configure.md) - [Onboard machines](onboard-configure.md)
- [Onboard Windows 10 machines](configure-endpoints.md) - [Onboard Windows 10 machines](configure-endpoints.md)

View File

@ -29,7 +29,9 @@ To address this challenge, Microsoft Defender ATP uses Automated investigations
The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated. The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
## Understand the Automated investigation flow ## Understand the Automated investigation flow
### How the Automated investigation starts ### How the Automated investigation starts
Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start. Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start.
>[!NOTE] >[!NOTE]

View File

@ -23,13 +23,10 @@ ms.date: 04/24/2018
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
The sensor health tile provides information on the individual machines ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. The sensor health tile provides information on the individual machines ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service: There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service:
- **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. - **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. - **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month.
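Review bot: "the individual machines ability to provide sensor data" needs a possessive: "each machine's ability" or "the individual machines' ability".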

View File

@ -19,65 +19,70 @@ ms.date: 02/28/2019
--- ---
# Configure and manage Microsoft Threat Experts capabilities # Configure and manage Microsoft Threat Experts capabilities
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)] [!include[Prerelease information](prerelease.md)]
## Before you begin ## Before you begin
To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, and preview the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges will not be incurred during for the capability in preview, but for the generally available capability, there will be charges.
You also need to ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up.
To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, and preview the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges will not be incurred during for the capability in preview, but for the generally available capability, there will be charges.
## Register to Microsoft Threat Experts preview
If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal. You also need to ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up.
## Register to Microsoft Threat Experts preview
If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal.
1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**. 1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**.
2. Click **Apply**. 2. Click **Apply**.
![Image of Microsoft Threat Experts settings](images/MTE_collaboratewithmte.png) ![Image of Microsoft Threat Experts settings](images/MTE_collaboratewithmte.png)
3. Enter your name and email address so that Microsoft can get back to you on your application. 3. Enter your name and email address so that Microsoft can get back to you on your application.
![Image of Microsoft Threat Experts application](images/MTE_apply.png) ![Image of Microsoft Threat Experts application](images/MTE_apply.png)
4. Read the privacy statement, then click **Submit** when you're done. You will receive a welcome email once your application is approved. 4. Read the privacy statement, then click **Submit** when you're done. You will receive a welcome email once your application is approved.
![Image of Microsoft Threat Experts application confirmation](images/MTE_applicationconfirmation.png) ![Image of Microsoft Threat Experts application confirmation](images/MTE_applicationconfirmation.png)
6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**. 6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**.
## Receive targeted attack notification from Microsoft Threat Experts
You can receive targeted attack notification from Microsoft Threat Experts through the following:
## Receive targeted attack notification from Microsoft Threat Experts
You can receive targeted attack notification from Microsoft Threat Experts through the following:
- The Microsoft Defender ATP portal's **Alerts** dashboard - The Microsoft Defender ATP portal's **Alerts** dashboard
- Your email, if you choose to configure it - Your email, if you choose to configure it
To receive targeted attack notifications through email, you need to create an email notification rule. To receive targeted attack notifications through email, you need to create an email notification rule.
### Create an email notification rule ### Create an email notification rule
You can create rules to send email notifications for notification recipients. See [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) to create, edit, delete, or troubleshoot email notification, for details.
You can create rules to send email notifications for notification recipients. See [Configure alert notifications](configure-email-notifications.md) to create, edit, delete, or troubleshoot email notification, for details.
## View the targeted attack notification
## View the targeted attack notification
You'll start receiving targeted attack notification from Microsoft Threat Experts in your email after you have configured your system to receive email notification. You'll start receiving targeted attack notification from Microsoft Threat Experts in your email after you have configured your system to receive email notification.
1. Click the link in the email to go to the corresponding alert context in the dashboard tagged with **Threat experts**. 1. Click the link in the email to go to the corresponding alert context in the dashboard tagged with **Threat experts**.
2. From the dashboard, select the same alert topic that you got from the email, to view the details. 2. From the dashboard, select the same alert topic that you got from the email, to view the details.
## Ask a Microsoft threat expert about suspicious cybersecurity activities in your organization
## Ask a Microsoft threat expert about suspicious cybersecurity activities in your organization
>[!NOTE] >[!NOTE]
>The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. >The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved.
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before raising an inquiry. 1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before raising an inquiry.
2. From the upper right-hand menu, click **?**, then select **Ask a threat expert**. 2. From the upper right-hand menu, click **?**, then select **Ask a threat expert**.
3. Asking a threat expert is a two-step process: you need to provide the necessary information and open a support ticket. 3. Asking a threat expert is a two-step process: you need to provide the necessary information and open a support ticket.
**Step 1: Provide information** **Step 1: Provide information**
a. Provide enough information to give the Microsoft Threat Experts enough context to start the investigation. Select the inquiry category from the **Provide information > Inquiry** details drop-down menu. <br> a. Provide enough information to give the Microsoft Threat Experts enough context to start the investigation. Select the inquiry category from the **Provide information > Inquiry** details drop-down menu. <br>
b. Enter the additional details to give the threat experts more context of what youd like to investigate. Click **Next**, and it takes you to the **Open support ticket** tab. <br> b. Enter the additional details to give the threat experts more context of what youd like to investigate. Click **Next**, and it takes you to the **Open support ticket** tab. <br>
@ -93,48 +98,54 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
**Select a product**: **Microsoft Threat Experts**<br> **Select a product**: **Microsoft Threat Experts**<br>
**Select a category that best describes the issue**: **Microsoft Defender ATP**<br> **Select a category that best describes the issue**: **Microsoft Defender ATP**<br>
**Select a problem that best describes the issue**: Choose according to your inquiry category<br> **Select a problem that best describes the issue**: Choose according to your inquiry category<br>
b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click **Next**. <br> b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click **Next**. <br>
c. In the **Select a support plan** page, select **Professional No Charge**. <br> c. In the **Select a support plan** page, select **Professional No Charge**. <br>
d. The severity of your issue has been pre-selected by default, per the support plan, **Professional No Charge**, that you'll use for this public preview. Select the time zone by which you'd like to receive the correspondence. Then, click **Next**. <br> d. The severity of your issue has been pre-selected by default, per the support plan, **Professional No Charge**, that you'll use for this public preview. Select the time zone by which you'd like to receive the correspondence. Then, click **Next**. <br>
e. Verify your contact details and add another if necessary. Then, click **Next**. <br> e. Verify your contact details and add another if necessary. Then, click **Next**. <br>
f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number. <br> f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number. <br>
## Sample questions to ask Microsoft Threat Experts ## Sample questions to ask Microsoft Threat Experts
**Alert information** **Alert information**
- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further? - We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
- Weve observed two similar attacks which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference? - Weve observed two similar attacks which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
- I receive an odd alert today for abnormal number of failed logins from a high profile users device. I cannot find any further evidence around these sign-in attempts. How can Windows Defender see these attempts? What type of sign-ins are being monitored? - I receive an odd alert today for abnormal number of failed logins from a high profile users device. I cannot find any further evidence around these sign-in attempts. How can Windows Defender see these attempts? What type of sign-ins are being monitored?
- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”. - Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
**Possible machine compromise** **Possible machine compromise**
- Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many machines and we would appreciate input on whether this is related to malicious activity. - Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many machines and we would appreciate input on whether this is related to malicious activity.
- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]? - Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
**Threat intelligence details** **Threat intelligence details**
- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you please send me a link?
- I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Windows Defender ATP provides against this threat actor?
**Microsoft Threat Experts alert communications** - This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you please send me a link?
- I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Windows Defender ATP provides against this threat actor?
**Microsoft Threat Experts alert communications**
- Can your incident response team help us address the targeted attack notification that we got? - Can your incident response team help us address the targeted attack notification that we got?
- I received this targeted attack notification from Microsoft Threat Experts. We dont have our own incident response team. What can we do now, and how can we contain the incident? - I received this targeted attack notification from Microsoft Threat Experts. We dont have our own incident response team. What can we do now, and how can we contain the incident?
- I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team? - I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team?
>[!NOTE] >[!NOTE]
>Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response. >Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response.
## Scenario ## Scenario
### Receive a progress report about your managed hunting inquiry ### Receive a progress report about your managed hunting inquiry
Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you regarding the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation status from the following categories:
Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you regarding the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation status from the following categories:
- More information is needed to continue with the investigation - More information is needed to continue with the investigation
- A file or several file samples are needed to determine the technical context - A file or several file samples are needed to determine the technical context
- Investigation requires more time - Investigation requires more time
- Initial information was enough to conclude the investigation - Initial information was enough to conclude the investigation
It is crucial to respond in a timely manner to keep the investigation moving. See the Premier customer service and support service level agreement for details.
It is crucial to respond in a timely manner to keep the investigation moving. See the Premier customer service and support service level agreement for details.
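Review bot: the numbered registration procedure under "Register to Microsoft Threat Experts preview" skips a step: the items run 1, 2, 3, 4 and then "6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on." Either renumber that item to 5 or restore the missing step. The same hunk also carries a stray word in "Premier charges will not be incurred during for the capability in preview" (drop "during"), missing apostrophes in "youd like to investigate" and "Weve observed", and "issues that requires an incident response" should read "issues that require". Since the hunk retargets the link to configure-email-notifications.md, please confirm the renamed file is part of this commit so the link does not break.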

View File

@ -22,25 +22,25 @@ ms.topic: article
**Applies to:** **Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to. Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
On the top navigation you can: On the top navigation you can:
- Import a list - Import a list
- Add an indicator - Add an indicator
- Customize columns to add or remove columns - Customize columns to add or remove columns
- Export the entire list in CSV format - Export the entire list in CSV format
- Select the items to show per page - Select the items to show per page
- Navigate between pages - Navigate between pages
- Apply filters - Apply filters
## Create an indicator ## Create an indicator
1. In the navigation pane, select **Settings** > **Indicators**. 1. In the navigation pane, select **Settings** > **Indicators**.
2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities: 2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities:
- File hash - File hash
- IP address - IP address
- URLs/Domains - URLs/Domains
@ -51,33 +51,29 @@ On the top navigation you can:
- Indicator - Specify the entity details and define the expiration of the indicator. - Indicator - Specify the entity details and define the expiration of the indicator.
- Action - Specify the action to be taken and provide a description. - Action - Specify the action to be taken and provide a description.
- Scope - Define the scope of the machine group. - Scope - Define the scope of the machine group.
5. Review the details in the Summary tab, then click **Save**. 5. Review the details in the Summary tab, then click **Save**.
>[!NOTE] >[!NOTE]
>Blocking IPs, domains, or URLs is currently available on limited preview only. >Blocking IPs, domains, or URLs is currently available on limited preview only.
>This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforced which is an option that will be generally available soon. >This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforced which is an option that will be generally available soon.
>As it is not yet generally available, when Automated investigations finds this indicator during an investigation it will use the allowed/block list as the basis of its decision to automatically remediate (blocked list) or skip (allowed list) the entity. >As it is not yet generally available, when Automated investigations finds this indicator during an investigation it will use the allowed/block list as the basis of its decision to automatically remediate (blocked list) or skip (allowed list) the entity.
## Manage indicators ## Manage indicators
1. In the navigation pane, select **Settings** > **Indicators**.
1. In the navigation pane, select **Settings** > **Indicators**.
2. Select the tab of the entity type you'd like to manage. 2. Select the tab of the entity type you'd like to manage.
3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list. 3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
## Import a list ## Import a list
You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
Download the sample CSV to know the supported column attributes.
## Related topics
- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
Download the sample CSV to know the supported column attributes.
## Related topic
- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)
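Review bot: the "Import a list" section tells the reader to "Download the sample CSV to know the supported column attributes" but gives no link or portal location for that sample, so the instruction is not actionable from the page; add the download link or the path where the sample is offered. Two smaller points in the same hunk: the opening paragraph chains "as well as the duration ... as well as the scope", which reads better as "the duration for which the action applies, and the machine group it is scoped to"; and the heading was changed from "## Related topics" to "## Related topic" at the same time as the link was retargeted to manage-automation-allowed-blocked-list.md, so confirm the singular is intentional and that the renamed target file is in this commit.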

View File

@ -24,12 +24,11 @@ ms.topic: article
To onboard machines without Internet access, you'll need to take the following general steps: To onboard machines without Internet access, you'll need to take the following general steps:
## On-premise machines ## On-premise machines
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
- [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
- [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp) point to Microsoft Defender ATP Workspace key & ID
- Offline machines in the same network of Azure Log Analytics - Offline machines in the same network of Azure Log Analytics
- Configure MMA to point to: - Configure MMA to point to:
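Review bot: the link text and target disagree in the first bullet: "Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub" is followed by a bullet labelled "[Azure Log Analytics Agent]" that points at the #download-the-log-analytics-gateway anchor, and it is the Log Analytics gateway, not the Log Analytics service or its agent, that was formerly the OMS Gateway. Rename the bullet to the gateway and use "Set up" (verb) rather than "Setup". The MMA link now targets configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp; that fragment only resolves if the heading in configure-server-endpoints.md was also changed from "Windows Defender ATP" to "Microsoft Defender ATP", so please verify the anchor in the same commit.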
@ -41,7 +40,7 @@ To onboard machines without Internet access, you'll need to take the following g
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
- [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
- [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp) point to Microsoft Defender ATP Workspace key & ID
- Offline Azure VMs in the same network of OMS Gateway - Offline Azure VMs in the same network of OMS Gateway
- Configure Azure Log Analytics IP as a proxy - Configure Azure Log Analytics IP as a proxy
- Azure Log Analytics Workspace Key & ID - Azure Log Analytics Workspace Key & ID
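Review bot: this hunk repeats the issues of the one above (the "Setup ... (formerly known as OMS Gateway)" wording, the "Agent" link text pointing at the gateway download anchor, and the renamed #...-to-microsoft-defender-atp fragment that must match the heading in configure-server-endpoints.md) and adds an internal inconsistency: the Azure section says "Offline Azure VMs in the same network of OMS Gateway" while the on-premise section above says "in the same network of Azure Log Analytics". Pick one name for the gateway and use it in both places, and say "on the same network as" rather than "in the same network of".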

View File

@ -31,7 +31,7 @@ The support for third-party solutions help to further streamline, integrate, and
Microsoft Defender ATP seamlessly integrates with existing security solutions - providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems. Microsoft Defender ATP seamlessly integrates with existing security solutions - providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems.
## SIEM integration ## SIEM integration
Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md). Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md).
## Ticketing and IT service management ## Ticketing and IT service management
Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API. Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API.
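Review bot: the SIEM paragraph now links to enable-siem-integration.md; confirm the file rename is part of this commit. In the overview paragraph, "IoC indicators ingestions and matching" is redundant (IoC already means indicators of compromise) and ungrammatical; "IoC ingestion and matching" reads better. "Security orchestration and automation response (SOAR)" also misstates the expansion, which is security orchestration, automation and response.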
@ -54,11 +54,4 @@ Microsoft Defender ATP allows you to integrate with such solutions and act on Io
Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators. Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators.
## Support for non-Windows platforms ## Support for non-Windows platforms
Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data giving you a unified experience. Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data giving you a unified experience.
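Review bot: "Microsoft Defender ATP currently supports IOC matching and remediation" capitalises the abbreviation as "IOC" while the earlier paragraph in this article uses "IoC"; make them consistent. In the last paragraph, "This experience leverages on a third-party security products' sensor data" is ungrammatical: drop "on" and "a" ("This experience uses third-party security products' sensor data"). The statement "Blocking is supported for file indicators" agrees with the limited-preview note for IP, domain and URL blocking in the indicators article changed in this same commit; keep the two in step when that preview graduates.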

View File

@ -22,8 +22,6 @@ ms.topic: article
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink)
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center. Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
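Review bot: the trial link's tracking parameter reads ocid=docs-wdatp-responddile-abovefoldlink; "responddile" looks like a typo for "respondfile" given that this is the respond-to-file article, so check the intended campaign id. The hunk header (-22,8 +22,6) records two removed lines that are not visible in this rendering; please double-check that nothing beyond blank lines was dropped.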
@ -263,7 +261,7 @@ If you encounter a problem when trying to submit a file, try each of the followi
Value = 0 block sample collection Value = 0 block sample collection
Value = 1 allow sample collection Value = 1 allow sample collection
``` ```
5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md). 5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).
6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). 6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
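Review bot: the Group Policy link now targets configure-endpoints-gp.md; verify the renamed file is in this commit. The troubleshooting step "Change the organizational unit through the Group Policy" is unclear as written: it reads as if the machine's OU itself must change, whereas the surrounding steps are about the sample-collection setting ("Value = 0 block sample collection", "Value = 1 allow sample collection"). If the intent is to apply that policy to the machine's OU, say so, and drop the article in "the Group Policy".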