diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 2e982d04c6..7bf9cc9483 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -102,7 +102,7 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft
 
 - [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
 - [Threat remediation](microsoft-defender-atp/automated-investigations.md#how-threats-are-remediated)
-- [Manage automated investigations](microsoft-defender-atp/manage-auto-investigation.md)
+- [Manage automated investigation](microsoft-defender-atp/manage-auto-investigation.md)
 - [Analyze automated investigation](microsoft-defender-atp/manage-auto-investigation.md#analyze-automated-investigations)
 
 <a name="ss"></a>
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
index 85ea675b5d..bf486af90d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@@ -30,7 +30,7 @@ Use the following advanced features to get better protected from potentially mal
 
 ## Automated investigation
 
-When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations.md).
+When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigation](automated-investigations.md).
 
 ## Live response
 
@@ -44,7 +44,7 @@ Enabling this feature allows you to run unsigned scripts in a live response sess
 
 ## Auto-resolve remediated alerts
 
-For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated".  If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature.
+For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated".  If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature.
 
 >[!TIP]
 >For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
index ce50cf47b1..26f0706b19 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
@@ -46,7 +46,7 @@ Read the walkthrough document provided with each attack scenario. Each document
 
    - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity.
     
-   - **Scenario 3: Automated incident response** - triggers Automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
+   - **Scenario 3: Automated incident response** - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
 
 2. Download and read the corresponding walkthrough document provided with your selected scenario.
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index 8945fc0931..67192e12e8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -29,9 +29,6 @@ The action center consists of two main tabs:
 	- All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability.
 	- Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability.
 
-
-
-
 Use the Customize columns drop-down menu to select columns that you'd like to show or hide. 
 
 From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index a8e4541750..28d3920de1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -1,5 +1,5 @@
 ---
-title: Use Automated investigations to investigate and remediate threats
+title: Use automated investigations to investigate and remediate threats
 description: View the list of automated investigations, its status, detection source and other details.
 keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export
 search.product: eADQiWindows 10XVcnh
@@ -8,8 +8,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
+ms.author: deniseb
+author: denisebmsft
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
@@ -17,72 +17,70 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
 
-# Overview of Automated investigations
+# Overview of automated investigations
+
+Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually. 
+
+The automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when the investigation was initiated.
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
 
-The Microsoft Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.
 
+## Understand the automated investigation flow
 
-To address this challenge, Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. 
+### How the automated investigation starts
 
-The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
-
-## Understand the Automated investigation flow
-
-### How the Automated investigation starts
-
-Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start.
+When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (Malicious, Suspicious, and Clean) are available during and after the automated investigation.
 
 >[!NOTE]
->Currently, Automated investigation only supports the following OS versions:
->- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)) or later
->- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/en-us/help/4493464/windows-10-update-kb4493464)) or later
+>Currently, automated investigation only supports the following OS versions:
+>- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
+>- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
 >- Later versions of Windows 10
 
-The Automated investigation starts by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view.
+### Details of an automated investigation
 
-### Details of an Automated investigation
+During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Evidence**, **Entities**, and **Log** tabs.
 
-As the investigation proceeds, you'll be able to view the details of the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Evidence**, **Entities**, and **Log** tabs.
+|Tab |Description |
+|--|--|
+|**Alerts**| Shows the alert that started the investigation.|
+|**Machines** |Shows where the alert was seen.|
+|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
+|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *Clean*). |
+|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
+|**Pending actions** |If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. |
 
-In the **Alerts** tab, you'll see the alert that started the investigation. 
+> [!IMPORTANT]
+> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions. 
 
-The **Machines** tab shows where the alert was seen.
+### How an automated investigation expands its scope
 
-The **Evidence** tab shows the entities that were found to be malicious during the investigation.
+While an investigation is running, any other alerts generated from the machine are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.
 
-During an Automated investigation, details about each analyzed entity is categorized in the **Entities** tab. You'll be able to see the determination for each entity type, such as whether it was determined to be malicious, suspicious, or clean.
-
-The **Log** tab reflects the chronological detailed view of all the investigation actions taken on the alert.
-
-If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. You can also go to the **Action center** to get an aggregated view all pending actions and manage remediaton actions. It also acts as an audit trail for all Automated investigation actions. 
-
-### How an Automated investigation expands its scope
-
-While an investigation is running, any other alert generated from the machine will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.
-
-If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
+If an incriminated entity is seen in another machine, the automated investigation process will expand its scope to include that machine, and a general security playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
 
 ### How threats are remediated
 
-Depending on how you set up the machine groups and their level of automation, the Automated investigation will either require user approval (default) or automatically remediate threats.
+Depending on how you set up the machine groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats.
 
 You can configure the following levels of automation:
 
-Automation level | Description
-:---|:---
-Not protected | Machines will not get any automated investigations run on them.
-Semi - require approval for any remediation | This is the default automation level.<br><br>  An approval is needed for any remediation action. 
-Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders. <br><br> Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.
-Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br><br> Files or executables in all other folders will  automatically be remediated if needed.
-Full - remediate threats automatically | All remediation actions will be performed automatically.
+|Automation level | Description|
+|---|---|
+|Not protected | Machines do not get any automated investigations run on them. |
+|Semi - require approval for any remediation | This is the default automation level.<br><br>  An approval is needed for any remediation action. |
+|Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders. <br><br> Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.|
+|Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br><br> Files or executables in all other folders will  automatically be remediated if needed.|
+|Full - remediate threats automatically | All remediation actions will be performed automatically.|
 
-For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups.md).
+> [!TIP]
+> For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups.md).
 
-The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section, this can be changed to fully automatic so that no user approval is needed. 
+The default machine group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed. 
 
 When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
 
-## Related topic
+## Next step
+
 - [Learn about the automated investigations dashboard](manage-auto-investigation.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
index 16b8d8a428..7c6f7bbc93 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
@@ -26,7 +26,7 @@ ms.topic: article
 Initiate AutoIR investigation on a machine.
 
 >[!Note]
-> This page focuses on performing an automated investigation on a machine. See [Automated Investigation](automated-investigations.md) for more information.
+> This page focuses on performing an automated investigation on a machine. See [automated investigation](automated-investigations.md) for more information.
 
 ## Limitations
 1. The number of executions is limited (up to 5 calls per hour).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index 56539b10cf..fe9095c926 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -54,7 +54,7 @@ The machine details section provides information such as the domain, OS, and hea
 Response actions run along the top of a specific machine page and include:
 
 - Manage tags
-- Initiate Automated Investigation
+- Initiate automated investigation
 - Initiate Live Response Session
 - Collect investigation package
 - Run antivirus scan
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index 4b1bc1f541..87208d5142 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -18,7 +18,7 @@ ms.topic: conceptual
 ---
 
 # Learn about the automated investigations dashboard
-By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. 
+By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. 
 
 >[!NOTE]
 >If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation. 
@@ -31,14 +31,14 @@ From this view, you can also download the entire list in CSV format using the **
 
  
 **Filters**</br>
-You can use the following operations to customize the list of Automated investigations displayed:
+You can use the following operations to customize the list of automated investigations displayed:
 
 
 **Triggering alert**</br>
-The alert the initiated the Automated investigation.
+The alert the initiated the automated investigation.
 
 **Status**</br>
-An Automated investigation can be in one of the following status:
+An automated investigation can be in one of the following status:
 
 Status | Description
 :---|:---
@@ -57,26 +57,26 @@ Status | Description
 
 
 **Detection source**</br>
-Source of the alert that initiated the Automated investigation. 
+Source of the alert that initiated the automated investigation. 
 
 **Threat**</br>
-The category of threat detected during the Automated investigation.
+The category of threat detected during the automated investigation.
 
 
 **Tags**</br>
-Filter using manually added tags that capture the context of an Automated investigation.
+Filter using manually added tags that capture the context of an automated investigation.
 
 **Machines**</br>
-You can filter the Automated investigations list to zone in a specific machine to see other investigations related to the machine.
+You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine.
 
 **Machine groups**</br>
 Apply this filter to see specific machine groups that you might have created.
 
 **Comments**</br>
-Select between filtering the list between Automated investigations that have comments and those that don't.
+Select between filtering the list between automated investigations that have comments and those that don't.
 
-## Analyze Automated investigations 
-You can view the details of an Automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
+## Analyze automated investigations 
+You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
 
 In this view, you'll see the name of the investigation, when it started and ended. 
 
@@ -118,14 +118,14 @@ You'll also have access to the following sections that help you see details of t
 In any of the sections, you can customize columns to further expand to limit the details you see in a section.
 
 ### Investigation graph
-The investigation graph provides a graphical representation of an Automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
+The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
 
 ### Alerts
-Shows details such as a short description of the alert that initiated the Automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. 
+Shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. 
 
-Additional alerts seen on a machine can be added to an Automated investigation as long as the investigation is ongoing. 
+Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing. 
 
-Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, Automated investigation details, related machine, logged-on users, and comments and history. 
+Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history. 
 
 Clicking on an alert title brings you the alert page.
 
@@ -158,11 +158,11 @@ This tab is only displayed when an investigation is complete and shows all pendi
 
 
 ## Pending actions
-If there are pending actions on an Automated investigation, you'll see a pop up similar to the following image. 
+If there are pending actions on an automated investigation, you'll see a pop up similar to the following image. 
 
 ![Image of pending actions](images/pending-actions.png)
 
-When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md).
+When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md).
 
  
 ## Related topic