This commit is contained in:
Beth Levin
2019-05-15 11:28:42 -07:00
parent adea69932d
commit 04a6b90c8e
16 changed files with 118 additions and 145 deletions

View File

@ -249,43 +249,43 @@
###### [Advanced Hunting](run-advanced-query-api.md)
###### [Alert](alerts-.md)
####### [List alerts](get-alerts-.md)
####### [Create alert](create-alert-by-reference-.md)
####### [Update Alert](update-alert-.md)
####### [Get alert information by ID](get-alert-info-by-id-.md)
####### [Get alert related domains information](get-alert-related-domain-info-.md)
####### [Get alert related file information](get-alert-related-files-info-.md)
####### [Get alert related IPs information](get-alert-related-ip-info-.md)
####### [Get alert related machine information](get-alert-related-machine-info-.md)
####### [Get alert related user information](get-alert-related-user-info-.md)
###### [Alert](alerts.md)
####### [List alerts](get-alerts.md)
####### [Create alert](create-alert-by-reference.md)
####### [Update Alert](update-alert.md)
####### [Get alert information by ID](get-alert-info-by-id.md)
####### [Get alert related domains information](get-alert-related-domain-info.md)
####### [Get alert related file information](get-alert-related-files-info.md)
####### [Get alert related IPs information](get-alert-related-ip-info.md)
####### [Get alert related machine information](get-alert-related-machine-info.md)
####### [Get alert related user information](get-alert-related-user-info.md)
###### [Machine](machine-.md)
####### [List machines](get-machines-.md)
####### [Get machine by ID](get-machine-by-id-.md)
####### [Get machine log on users](get-machine-log-on-users-.md)
####### [Get machine related alerts](get-machine-related-alerts-.md)
####### [Add or Remove machine tags](add-or-remove-machine-tags-.md)
####### [Find machines by IP](find-machines-by-ip-.md)
###### [Machine](machine.md)
####### [List machines](get-machines.md)
####### [Get machine by ID](get-machine-by-id.md)
####### [Get machine log on users](get-machine-log-on-users.md)
####### [Get machine related alerts](get-machine-related-alerts.md)
####### [Add or Remove machine tags](add-or-remove-machine-tags.md)
####### [Find machines by IP](find-machines-by-ip.md)
###### [Machine Action](machineaction-.md)
####### [List Machine Actions](get-machineactions-collection-.md)
####### [Get Machine Action](get-machineaction-object-.md)
####### [Collect investigation package](collect-investigation-package-.md)
####### [Get investigation package SAS URI](get-package-sas-uri-.md)
####### [Isolate machine](isolate-machine-.md)
####### [Release machine from isolation](unisolate-machine-.md)
####### [Restrict app execution](restrict-code-execution-.md)
####### [Remove app restriction](unrestrict-code-execution-.md)
####### [Run antivirus scan](run-av-scan-.md)
####### [Offboard machine](offboard-machine-api-.md)
####### [Stop and quarantine file](stop-and-quarantine-file-.md)
####### [Initiate investigation (preview)](initiate-autoir-investigation-.md)
###### [Machine Action](machineaction.md)
####### [List Machine Actions](get-machineactions-collection.md)
####### [Get Machine Action](get-machineaction-object.md)
####### [Collect investigation package](collect-investigation-package.md)
####### [Get investigation package SAS URI](get-package-sas-uri.md)
####### [Isolate machine](isolate-machine.md)
####### [Release machine from isolation](unisolate-machine.md)
####### [Restrict app execution](restrict-code-execution.md)
####### [Remove app restriction](unrestrict-code-execution.md)
####### [Run antivirus scan](run-av-scan.md)
####### [Offboard machine](offboard-machine-api.md)
####### [Stop and quarantine file](stop-and-quarantine-file.md)
####### [Initiate investigation (preview)](initiate-autoir-investigation.md)
###### [Indicators](ti-indicator-.md)
####### [Submit Indicator](post-ti-indicator-.md)
####### [List Indicators](get-ti-indicators-collection-.md)
####### [Delete Indicator](delete-ti-indicator-by-id-.md)
###### [Indicators](ti-indicator.md)
####### [Submit Indicator](post-ti-indicator.md)
####### [List Indicators](get-ti-indicators-collection.md)
####### [Delete Indicator](delete-ti-indicator-by-id.md)
###### Domain
####### [Get domain related alerts](get-domain-related-alerts.md)
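Review bot: every entry in this TOC block now points at a file without the trailing `-` (alerts.md, get-alerts.md, machine.md, machineaction.md, ti-indicator.md and their children), so each of those files must already exist under the new name or the TOC dead-links; the commit summary lists 16 changed files, which is fewer than the number of renamed targets referenced here, so confirm the renames landed in the parent commit (or an accompanying one) before merging.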

View File

@ -43,7 +43,7 @@ For tenants created on or after Windows 10, version 1809 the automated investiga
## Block file
This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see [Block files in your network](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#block-files-in-your-network) for more details.
This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see [Block files in your network](respond-file-alerts.md#block-files-in-your-network) for more details.
If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
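Review bot: the sentence is ungrammatical in both the old and new version: "uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see ..." should read "uses Windows Defender Antivirus as the active antimalware solution and the cloud-based protection feature is enabled; see [Block files in your network](respond-file-alerts.md#block-files-in-your-network) for details." Switching from the absolute docs.microsoft.com URL to the relative link is right for this repo, but the `#block-files-in-your-network` fragment only resolves if that heading exists in respond-file-alerts.md.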

View File

@ -22,11 +22,8 @@ ms.date: 04/24/2018
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
## Performance best practices
@ -68,6 +65,7 @@ There are numerous ways to construct a command line to accomplish a task.
For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more.
To create more durable queries using command lines, we recommended the following guidelines:
- Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field.
- When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
- Use case insensitive matches. For example, use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs'
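Review bot: "we recommended the following guidelines" should be "we recommend", and the last bullet is missing its terminal period. The operator guidance itself is sound for Kusto: `=~`, `in~` and `contains` are case-insensitive while `==`, `in` and `contains_cs` are case-sensitive, so a detection query written with the former does not miss variant spellings such as NET.EXE or PsExec.exe that the preceding paragraph warns about.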

View File

@ -22,14 +22,10 @@ ms.date: 06/01/2018
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
## Advanced hunting column reference
To effectively build queries that span multiple tables, you need to understand the columns in the Advanced hunting schema. The following table lists all the available columns, along with their data types and descriptions. This information is also available in the schema representation in the Advanced hunting screen.
@ -126,6 +122,6 @@ To effectively build queries that span multiple tables, you need to understand t
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)
## Related topic
## Related topics
- [Query data using Advanced hunting](advanced-hunting.md)
- [Advanced hunting query language best practices](advanced-hunting-best-practices.md)

View File

@ -23,8 +23,6 @@ ms.date: 04/24/2018
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.
@ -38,7 +36,6 @@ On the top navigation you can:
- Navigate between pages
- Apply filters
![Image of alerts queue](images/alerts-queue-list.png)
## Sort, filter, and group the alerts queue
@ -53,7 +50,6 @@ Medium </br>(Orange) | Threats rarely observed in the organization, such as anom
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
#### Understanding alert severity
It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
@ -92,7 +88,6 @@ If you have specific machine groups that you're interested in checking the alert
### Associated threat
Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics.md).
## Related topics
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)

View File

@ -20,7 +20,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Represents an alert entity in Windows Defender ATP.
Represents an alert entity in Microsoft Defender ATP.
# Methods
Method|Return Type |Description

View File

@ -22,21 +22,15 @@ ms.date: 10/16/2017
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
## Alert API fields and portal mapping
The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
Field numbers match the numbers in the images below.

View File

@ -39,10 +39,7 @@ Microsoft Defender ATP supports two ways to manage permissions:
>- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
>- After switching to RBAC, you will not be able to switch back to using basic permissions management.
## Related topics
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink)
## Related topic
- [Use basic permissions to access the portal](basic-permissions.md)
- [Manage portal access using RBAC](rbac.md)
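Review bot: this hunk shows two headings for the same list, "## Related topics" above the removed trial line and "## Related topic" below it; make sure only one survives, and prefer the plural "## Related topics", which is the form the other files in this commit converge on.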

View File

@ -22,18 +22,14 @@ ms.date: 11/20/2018
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
>[!TIP]
>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
You might want to experience Microsoft Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response.
## Before you begin
@ -66,5 +62,6 @@ Read the walkthrough document provided with each attack scenario. Each document
## Related topics
- [Onboard machines](onboard-configure.md)
- [Onboard Windows 10 machines](configure-endpoints.md)

View File

@ -29,7 +29,9 @@ To address this challenge, Microsoft Defender ATP uses Automated investigations
The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
## Understand the Automated investigation flow
### How the Automated investigation starts
Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start.
>[!NOTE]

View File

@ -23,13 +23,10 @@ ms.date: 04/24/2018
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
The sensor health tile provides information on the individual machines ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service:
- **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month.

View File

@ -19,6 +19,7 @@ ms.date: 02/28/2019
---
# Configure and manage Microsoft Threat Experts capabilities
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -26,12 +27,13 @@ ms.date: 02/28/2019
[!include[Prerelease information](prerelease.md)]
## Before you begin
To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, and preview the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges will not be incurred during for the capability in preview, but for the generally available capability, there will be charges.
You also need to ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up.
## Register to Microsoft Threat Experts preview
If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal.
1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**.
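Review bot: "Premier charges will not be incurred during for the capability in preview" has a stray "during"; it is a context line, but since the file is already being edited, suggest "Premier charges will not be incurred for the capability while it is in preview, but charges will apply once it is generally available."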
@ -48,25 +50,28 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M
6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**.
## Receive targeted attack notification from Microsoft Threat Experts
You can receive targeted attack notification from Microsoft Threat Experts through the following:
- The Microsoft Defender ATP portal's **Alerts** dashboard
- Your email, if you choose to configure it
To receive targeted attack notifications through email, you need to create an email notification rule.
### Create an email notification rule
You can create rules to send email notifications for notification recipients. See [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) to create, edit, delete, or troubleshoot email notification, for details.
You can create rules to send email notifications for notification recipients. See [Configure alert notifications](configure-email-notifications.md) to create, edit, delete, or troubleshoot email notification, for details.
## View the targeted attack notification
You'll start receiving targeted attack notification from Microsoft Threat Experts in your email after you have configured your system to receive email notification.
1. Click the link in the email to go to the corresponding alert context in the dashboard tagged with **Threat experts**.
2. From the dashboard, select the same alert topic that you got from the email, to view the details.
## Ask a Microsoft threat expert about suspicious cybersecurity activities in your organization
>[!NOTE]
>The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved.
@ -105,21 +110,26 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number. <br>
## Sample questions to ask Microsoft Threat Experts
**Alert information**
- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
- Weve observed two similar attacks which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
- I receive an odd alert today for abnormal number of failed logins from a high profile users device. I cannot find any further evidence around these sign-in attempts. How can Windows Defender see these attempts? What type of sign-ins are being monitored?
- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
**Possible machine compromise**
- Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many machines and we would appreciate input on whether this is related to malicious activity.
- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
**Threat intelligence details**
- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you please send me a link?
- I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Windows Defender ATP provides against this threat actor?
**Microsoft Threat Experts alert communications**
- Can your incident response team help us address the targeted attack notification that we got?
- I received this targeted attack notification from Microsoft Threat Experts. We dont have our own incident response team. What can we do now, and how can we contain the incident?
- I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team?
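Review bot: several sample questions have lost their apostrophes ("Weve observed", "users device", "We dont have"), which looks like a mis-encoded curly quote; restore "We've", "user's" and "don't". The same block still says "How can Windows Defender see these attempts?" and "what protection Windows Defender ATP provides", while this commit rebrands the rest of the docs to Microsoft Defender ATP, so update both references here too.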
@ -130,11 +140,12 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
## Scenario
### Receive a progress report about your managed hunting inquiry
Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you regarding the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation status from the following categories:
- More information is needed to continue with the investigation
- A file or several file samples are needed to determine the technical context
- Investigation requires more time
- Initial information was enough to conclude the investigation
It is crucial to respond in a timely manner to keep the investigation moving. See the Premier customer service and support service level agreement for details.

View File

@ -22,13 +22,12 @@ ms.topic: article
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
On the top navigation you can:
- Import a list
- Add an indicator
- Customize columns to add or remove columns
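Review bot: the Applies to line still reads "Windows Defender Advanced Threat Protection (Windows Defender ATP)" while every other file in this commit uses "Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)"; update it here as well, since dropping the trial line otherwise leaves this file as the only one with the old product name in its header.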
@ -38,6 +37,7 @@ On the top navigation you can:
- Apply filters
## Create an indicator
1. In the navigation pane, select **Settings** > **Indicators**.
2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities:
@ -60,8 +60,8 @@ On the top navigation you can:
>This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforced which is an option that will be generally available soon.
>As it is not yet generally available, when Automated investigations finds this indicator during an investigation it will use the allowed/block list as the basis of its decision to automatically remediate (blocked list) or skip (allowed list) the entity.
## Manage indicators
1. In the navigation pane, select **Settings** > **Indicators**.
2. Select the tab of the entity type you'd like to manage.
@ -69,15 +69,11 @@ On the top navigation you can:
3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
## Import a list
You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
Download the sample CSV to know the supported column attributes.
## Related topic
## Related topics
- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)

View File

@ -24,12 +24,11 @@ ms.topic: article
To onboard machines without Internet access, you'll need to take the following general steps:
## On-premise machines
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
- [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
- [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID
- [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp) point to Microsoft Defender ATP Workspace key & ID
- Offline machines in the same network of Azure Log Analytics
- Configure MMA to point to:
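Review bot: the new fragment `#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp` only resolves if the matching heading in configure-server-endpoints.md was also renamed from "...to Windows Defender ATP" to "...to Microsoft Defender ATP"; the same fragment is repeated in the next hunk for the Azure VM case, so check both. Also "Setup Azure Log Analytics" should be the verb "Set up", and "in the same network of Azure Log Analytics" reads better as "on the same network as Azure Log Analytics".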
@ -41,7 +40,7 @@ To onboard machines without Internet access, you'll need to take the following g
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
- [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
- [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID
- [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp) point to Microsoft Defender ATP Workspace key & ID
- Offline Azure VMs in the same network of OMS Gateway
- Configure Azure Log Analytics IP as a proxy
- Azure Log Analytics Workspace Key & ID

View File

@ -31,7 +31,7 @@ The support for third-party solutions help to further streamline, integrate, and
Microsoft Defender ATP seamlessly integrates with existing security solutions - providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems.
## SIEM integration
Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md).
Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md).
## Ticketing and IT service management
Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API.
@ -55,10 +55,3 @@ Microsoft Defender ATP currently supports IOC matching and remediation for file
## Support for non-Windows platforms
Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data giving you a unified experience.
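Review bot: "This experience leverages on a third-party security products' sensor data giving you a unified experience" is ungrammatical; suggest "This experience uses the third-party security products' sensor data to give you a unified view."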

View File

@ -22,8 +22,6 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink)
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
@ -263,7 +261,7 @@ If you encounter a problem when trying to submit a file, try each of the followi
Value = 0 block sample collection
Value = 1 allow sample collection
```
5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).
6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).