Merge branch master

.openpublishing.redirection.json

@@ -1352,6 +1352,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection",
 "redirect_document_id": true

windows/client-management/mdm/get-seat.md

@@ -1,6 +1,6 @@
 ---
 title: Get seat
-description: The Get seat operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business.
+description: The Get seat operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business.
 ms.assetid: 715BAEB2-79FD-4945-A57F-482F9E7D07C6
 ms.reviewer: 
 manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
 
 # Get seat
 
-The **Get seat** operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business.
+The **Get seat** operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business.
 
 ## Request
 

windows/configuration/cortana-at-work/cortana-at-work-feedback.md

@@ -16,10 +16,10 @@ manager: dansimp
 
 To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. This opens the Feedback Hub application where you can provide more information to help diagnose reported issues.
 
-:::image type="content" source="../../../images/screenshot11.png" alt-text="Screenshot: Send feedback page":::
+:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page":::
 
 To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. This opens the Feedback Hub where more information on the issue can be provided.
 
-:::image type="content" source="../../../images/screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub":::
+:::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub":::
 
 In order for enterprise users to provide feedback, admins must unblock the Feedback Hub in the [Azure portal](https://portal.azure.com/). Go to the **Enterprise applications section** and enable **Users can allow apps to access their data**.

windows/configuration/cortana-at-work/cortana-at-work-overview.md

@@ -17,7 +17,7 @@ ms.author: dansimp
 
 Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
 
-:::image type="content" source="../../../images/screenshot1.png" alt-text="Screenshot: Cortana home page example":::
+:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example":::
 
 ## Where is Cortana available for use in my organization?
 
@@ -30,7 +30,7 @@ The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store
 Cortana requires a PC running Windows 10, version 1703 or later, as well as the following software to successfully run the included scenario in your organization.
 
 >[!NOTE]
->A microphone is not required to use Cortana.
+>A microphone isn't required to use Cortana.
 
 |**Software**  |**Minimum version**  |
 |---------|---------|
@@ -48,7 +48,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
 
 ### Cortana in Windows 10, version 2004 and later
 
-Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). For more information, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365).
+Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365).
 
 #### How does Microsoft store, retain, process, and use Customer Data in Cortana?
 
@@ -71,7 +71,7 @@ First, the user must enable the wake word from within Cortana settings. Once it
 
 The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
 
-:::image type="content" source="images/screenshot2.png" alt-text="Microphone icon in the system tray indicating an assistant app is listening":::
+:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
 
 At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded.
 

windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md

@@ -22,9 +22,9 @@ manager: dansimp
 
 4. Say **Cortana, what can you do?**.
 
-When you say "Cortana", Cortana will open in listening mode to acknowledge the wake word.
+When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.
 
-:::image type="content" source="../../../images/screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
+:::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
 
 Once you finish saying your query, Cortana will open with the result.
 

windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md

@@ -20,7 +20,7 @@ manager: dansimp
 
 Cortana will respond with the information from Bing.
 
-:::image type="content" source="../../../images/screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad":::
+:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad":::
 
 >[!NOTE]
->This scenario requires Bing Answers to be enabled. For more information, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature).
+>This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature).

windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md

@@ -16,11 +16,10 @@ manager: dansimp
 
 This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting.
 
-1. Select the **Cortana** icon in the taskbar and type _Remind me to send a link to the deck at 3:05pm_ and press **Enter**.
+1. Select the **Cortana** icon in the taskbar and type **Remind me to send a link to the deck at 3:05pm** and press **Enter**.
 
 Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time.
 
-:::image type="content" source="../../../images/screenshot6.png" alt-text="Screenshot: Cortana set a reminder":::
+:::image type="content" source="../screenshot6.png" alt-text="Screenshot: Cortana set a reminder":::
-
-:::image type="content" source="../../../images/screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page":::
 
+:::image type="content" source="../screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page":::

windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md

@@ -14,7 +14,7 @@ manager: dansimp
 
 # Test scenario 4 - Use Cortana to find free time on your calendar
 
-This process helps you find out if a time slot is free on your calendar.
+This scenario helps you find out if a time slot is free on your calendar.
 
 1. Select the  **Cortana**  icon in the taskbar.
 
@@ -24,4 +24,4 @@ This process helps you find out if a time slot is free on your calendar.
 
 Cortana will respond with your availability for that time, as well as nearby meetings.
 
-:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar":::
+:::image type="content" source="../screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar":::

windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md

@@ -20,6 +20,6 @@ Cortana can help you quickly look up information about someone or the org chart.
 
 2. Type or select the mic and say, **Who is name of person in your organization's?**
 
-:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing name of person in your organization":::
+:::image type="content" source="../screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization":::
 
-Cortana will respond with information about the person. You can select the person to open information about them in Microsoft Search.
+Cortana will respond with information about the person. You can select the person to see more information about them in Microsoft Search.

windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md

@@ -14,7 +14,7 @@ manager: dansimp
 
 # Test scenario 6 – Change your language and perform a quick search with Cortana
 
-Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location or another.
+Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location.
 
 1. Select the  **Cortana**  icon in the taskbar.
 
@@ -22,4 +22,4 @@ Cortana can help employees in regions outside the US search for quick answers li
 
 3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**.
 
-:::image type="content" source="../../../images/screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish":::
+:::image type="content" source="../screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish":::

windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md

@@ -33,7 +33,7 @@ Sign in to the [Office Configuration Admin tool](https://config.office.com/).
 
 Follow the steps [here](https://docs.microsoft.com/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below:
 
-:::image type="content" source="../../../images/screenshot3.png" alt-text="Screenshot: Bing policy example":::
+:::image type="content" source="../screenshot3.png" alt-text="Screenshot: Bing policy example":::
 
 ## How does Microsoft handle customer data for Bing Answers?
 
@@ -43,7 +43,7 @@ When a user enters a search query (by speech or text), Cortana evaluates if the
 
 2. If it is not for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic.
 
-Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users/user groups in their organization.
+Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users and user groups in their organization.
 
 ## How the Bing Answer policy configuration is applied
 Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an AAD group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.

windows/security/threat-protection/TOC.md

@@ -417,8 +417,6 @@
 ###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
 ###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
 
-#### [APIs]()
-##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
 
 #### [Rules]()
 ##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
@@ -441,7 +439,6 @@
 ## Reference
 ### [Management and APIs]()
 #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
-
 #### [Microsoft Defender ATP API]()
 ##### [Get started]()
 ###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)

windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md

@@ -91,7 +91,6 @@ Field numbers match the numbers in the images below.
 
 ## Related topics
 - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
 - [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
 - [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
 - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)

windows/security/threat-protection/microsoft-defender-atp/configure-siem.md

@@ -28,30 +28,28 @@ ms.topic: article
 ## Pull detections using security information and events management (SIEM) tools
 
 >[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
 >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 
 Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
 
 
-Microsoft Defender ATP currently supports the following SIEM tools:
+Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model:
 
-- Splunk
+- IBM QRadar
-- HP ArcSight
+- Micro Focus ArcSight
+
+Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details.
 
 To use either of these supported SIEM tools you'll need to:
 
 - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
 - Configure the supported SIEM tool:
-    - [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
+     - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
-    - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+     - Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
 
 For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md).
 
 
-## Pull Microsoft Defender ATP detections using REST API
-Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API.
-
-For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md).
-
 

windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md

@@ -1,133 +0,0 @@
----
-title: Configure Splunk to pull Microsoft Defender ATP detections
-description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center.
-keywords: configure splunk, security information and events management tools, splunk
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
----
-
-# Configure Splunk to pull Microsoft Defender ATP detections
-
-**Applies to:**
-
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink) 
-
-You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections.
-
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
-
-## Before you begin
-
-- Install the open source [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/) in Splunk.
-- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-
-- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
-   - Tenant ID
-   - Client ID
-   - Client Secret
-   - Resource URL
-
-
-## Configure Splunk
-
-1. Login in to Splunk.
-
-2. Go to **Settings** > **Data inputs**.
-
-3. Select **Windows Defender ATP alerts** under **Local inputs**.
-
-   >[!NOTE]
-   > - This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
-   > - For Splunk Cloud, use [Microsoft Defender ATP Add-on for Splunk](https://splunkbase.splunk.com/app/4959/).
-
-
-4. Click **New**.
-
-5. Type the following values in the required fields, then click **Save**:
-
-   NOTE:
-   All other values in the form are optional and can be left blank.
-
-   <table>
-   <tbody style="vertical-align:top;">
-   <tr>
-   <th>Field</th>
-   <th>Value</th>
-   </tr>
-   <tr>
-   <td>Name</td>
-   <td>Name for the Data Input</td>
-   </tr>
-    <td>Login URL</td>
-   <td>URL to authenticate the azure app (Default : https://login.microsoftonline.com)</td>
-   </tr>
-   <td>Endpoint</td>
-   <td>Depending on the location of your datacenter, select any of the following URL: </br></br> <strong>For EU</strong>:  <code>https://wdatp-alertexporter-eu.securitycenter.windows.com</code><br></br><strong>For US:</strong><code>https://wdatp-alertexporter-us.securitycenter.windows.com</code> <br><br> <strong>For UK:</strong><code>https://wdatp-alertexporter-uk.securitycenter.windows.com</code>
-   </tr>
-   <tr>
-   <td>Tenant ID</td>
-   <td>Azure Tenant ID</td>
-   </tr>
-   <td>Resource</td>
-   <td>Value from the SIEM integration feature page</td>
-   <tr>
-   <td>Client ID</td>
-   <td>Value from the SIEM integration feature page</td>
-   </tr>
-   <tr>
-   <td>Client Secret</td>
-   <td>Value from the SIEM integration feature page</td>
-   </tr>
-   
-   </tr>
-   </table>
-
-After completing these configuration steps, you can go to the Splunk dashboard and run queries.
-
-## View detections using Splunk solution explorer
-Use the solution explorer to view detections in Splunk.
-
-1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**.
-
-2. Select **New**.
-
-3. Enter the following details:
-   - Search: Enter a query, for example:</br>
-     `sourcetype="wdatp:alerts" |spath|table*`
-   - App: Add-on for Windows Defender (TA_Windows-defender)
-
-     Other values are optional and can be left with the default values.
-
-4. Click **Save**. The query is saved in the list of searches.
-
-5. Find the query you saved in the list and click **Run**. The results are displayed based on your query.
-
-
->[!TIP]
-> To minimize Detection duplications, you can use the following query:
->```source="rest://wdatp:alerts" | spath | dedup _raw | table *``` 
-
-## Related topics
-- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
-- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
-- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
-- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)

windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md

@@ -27,9 +27,10 @@ ms.topic: article
 
 Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API.
 
->[!Note]
+>[!NOTE]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
 >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 
 ## Prerequisites
 - The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role.
@@ -75,7 +76,6 @@ You can now proceed with configuring your SIEM solution or connecting to the det
 You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
 
 ## Related topics
-- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
 - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
 - [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
 - [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)

windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md

@@ -179,18 +179,59 @@ In order to preview new features and provide early feedback, it is recommended t
     sudo yum install mdatp
     ```
 
+    If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+    ```bash
+    # list all repositories
+    $ yum repolist
+    ...
+    packages-microsoft-com-prod               packages-microsoft-com-prod        316
+    packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins      2
+    ...
+
+    # install the package from the production repository
+    $ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
+    ```
+
 - SLES and variants:
 
     ```bash
     sudo zypper install mdatp
     ```
 
+    If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+    ```bash
+    # list all repositories
+    $ zypper repos
+    ...
+    #  | Alias | Name | ...
+    XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...
+    XX | packages-microsoft-com-prod | microsoft-prod | ...
+    ...
+
+    # install the package from the production repository
+    $ sudo zypper install packages-microsoft-com-prod:mdatp
+    ```
+
 - Ubuntu and Debian system:
 
     ```bash
     sudo apt-get install mdatp
     ```
 
+    If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+    ```bash
+    # list all repositories
+    $ cat /etc/apt/sources.list.d/*
+    deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main
+    deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main
+
+    # install the package from the production repository
+    $ sudo apt -t bionic install mdatp
+    ```
+
 ## Download the onboarding package
 
 Download the onboarding package from Microsoft Defender Security Center:

windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md

@@ -1,6 +1,6 @@
 ---
-title: Manual deployment for Microsoft Defender ATP for Mac
+title: Manual deployment for Microsoft Defender ATP for macOS
-description: Install Microsoft Defender ATP for Mac manually, from the command line.
+description: Install Microsoft Defender ATP for macOS manually, from the command line.
 keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -17,44 +17,33 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
 
-# Manual deployment for Microsoft Defender ATP for Mac
+# Manual deployment for Microsoft Defender ATP for macOS
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for macOS](microsoft-defender-atp-mac.md)
 
-This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires the completion of all of the following steps:
+This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps:
 - [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
 - [Application installation](#application-installation)
 - [Client configuration](#client-configuration)
 
 ## Prerequisites and system requirements
 
-Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for macOS page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
 
 ## Download installation and onboarding packages
 
 Download the installation and onboarding packages from Microsoft Defender Security Center:
 
 1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
-2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**.
+2. In Section 1 of the page, set operating system to **macOS** and Deployment method to **Local script**.
 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
 
     ![Microsoft Defender Security Center screenshot](../windows-defender-antivirus/images/ATP-Portal-Onboarding-page.png)
 
 5. From a command prompt, verify that you have the two files.
-    Extract the contents of the .zip files:
-  
-    ```bash
-    $ ls -l
-    total 721152
-    -rw-r--r--  1 test  staff       6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
-    -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
-    $ unzip WindowsDefenderATPOnboardingPackage.zip
-    Archive:  WindowsDefenderATPOnboardingPackage.zip
-    inflating: MicrosoftDefenderATPOnboardingMacOs.py
-    ```
     
 ## Application installation
 
@@ -87,7 +76,7 @@ The installation proceeds.
 
 ## Client configuration
 
-1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for Mac.
+1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for macOS.
 
     The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
 
@@ -127,4 +116,4 @@ See [Logging installation issues](mac-resources.md#logging-installation-issues)
 
 ## Uninstallation
 
-See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices.
+See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for macOS from client devices.

windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md

@@ -27,8 +27,9 @@ ms.topic: article
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) 
 
 >[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
 >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 
 Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API.
 

windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md

@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 11/16/2018
+ms.date: 05/20/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -23,15 +23,15 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
+If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it.
 
 1. Open **Windows Security**.
-2. Click **Virus & threat protection** and then click **Threat History**.
+2. Select **Virus & threat protection** and then click **Protection history**.
-3. Under **Quarantined threats**, click **See full history**.
+3. In the list of all recent items, filter on **Quarantined Items**.
-4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.)
+4. Select an item you want to keep, and take an action, such as restore.
 
-> [!NOTE]
+> [!TIP]
-> You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV.
+> Restoring a file from quarantine can also be done using Command Prompt. See [Restore a file from quarantine](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#restore-file-from-quarantine). 
 
 ## Related articles