Merge branch 'atp-rs4' of https://cpubwin.visualstudio.com/_git/it-client into atp-rs4

windows/security/threat-protection/TOC.md

@@ -34,6 +34,7 @@
 #### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
 #### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
 #### [Run a detection test on a newly onboarded endpoint](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
+#### [Run simulated attacks](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
 #### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
 ### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md

@@ -86,9 +86,17 @@ The following tables are exposed as part of advanced hunting:
 The results set has several capabilities to provide you with effective investigation, including:
 
 - Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal.
-- If you right-click on a cell in the results set, you can add a filter to your written query. The current filtering options are **include** or **exclude**; these cell values are part of the row set. 
+- If you right-click on a cell in the results set, you can add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides you additional filtering options on the cell value; these cell values are part of the row set. 
  
 ![Image of Windows Defender ATP advanced hunting results set](images/atp-advanced-hunting-results-set.png)
 
+## Filters on results in advanced hunting
+In Advanced Hunting, you have an advanced filter on the output results set of the query - 
+The filters provide an overview of the result set - 
+each column has it's own section, which shows the distict values that appear in the column and their prevalence.
+you can refine your query based on the filters - 
+simply click the "+" or "-" buttons on the values you want to include or exclude and click on the **"Run query"** button.
+your filter selections will resolve into additional query term and the results will be updated accordingly.
+
 ## Related topics
 

windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,55 @@
+---
+title: Experience Windows Defender ATP through simulated attacks
+description: Run the provided attack scenario simulations to experience how Windows Defender ATP can detect, investigate, and respond to breaches.
+keywords: wdatp, test, scenario, attack, simulation, simulated, diy, windows defender advanced threat protection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: high
+ms.date: 28/02/2018
+---
+
+# Experience Windows Defender ATP through simulated attacks 
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response.
+
+## Before you begin
+
+To run any of the provided simulations, you need at least [one onboarded machine](onboard-configure-windows-defender-advanced-threat-protection.md). 
+
+Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario.
+
+## Run a simulation
+
+1. In **Help** > **Simulations & tutorials**, select which of the available attack scenarios you would like to simulate:
+
+  - **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control.
+
+  - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity.
+    
+  - **Scenario 3: Automated incident response** - triggers Automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
+
+2. Download and read the corresponding walkthrough document provided with your selected scenario.
+
+3. Use the onboarded test machine to access then the Windows Defender ATP portal and go to **Help** > **Simulations & tutorials**. From there, download the simulation file or copy the simulation script.
+
+4. Run the simulation file or script on the test machine as instructed in the walkthrough document.
+
+>[!NOTE]
+>Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine.
+
+## Related topics
+- [Onboard and set up Windows Defender ATP](onboard-configure-windows-defender-advanced-threat-protection.md)
+- [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)