diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 73a3a396b1..76ea17db0e 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -103,6 +103,7 @@
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md)
#### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)
+#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
#### [Advanced hunting schema reference]()
##### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
##### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
@@ -117,6 +118,7 @@
##### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
#### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
+
#### [Custom detections]()
##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
##### [Create custom detections rules](microsoft-defender-atp/custom-detection-rules.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
index b8a49e500b..584f376ee3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
@@ -26,8 +26,6 @@ ms.topic: article
[!include[Prerelease information](prerelease.md)]
## Before you begin
-To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, or try the the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges are not incurred during for the capability in trial, but for the generally available capability, there will be charges.
-
Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up.
## Register to Microsoft Threat Experts managed threat hunting service
@@ -36,13 +34,13 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M
1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**.
2. Click **Apply**.
-
+
3. Enter your name and email address so that Microsoft can get back to you on your application.
-
+
4. Read the privacy statement, then click **Submit** when you're done. You will receive a welcome email once your application is approved.
-
+
6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**.
@@ -77,11 +75,11 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**.
->
+>
>A flyout screen opens.
->
+>
>The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or machine details page that you were at when you made the request.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-applicationconfirmation.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-applicationconfirmation.png
new file mode 100644
index 0000000000..2c04ad2fc8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-applicationconfirmation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-apply.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-apply.png
new file mode 100644
index 0000000000..a7096ee4aa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-apply.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-collaboratewithmte.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-collaboratewithmte.png
new file mode 100644
index 0000000000..862c5ffbd7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-collaboratewithmte.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png
new file mode 100644
index 0000000000..895a4973e6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-file.png
new file mode 100644
index 0000000000..ec891e1e3a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png
new file mode 100644
index 0000000000..5d227c08c3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-menu.png
new file mode 100644
index 0000000000..455de5a2ab
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-menu.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod.png
new file mode 100644
index 0000000000..2bd08bd9fa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
index f7bcff5265..7578bad95e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
@@ -57,9 +57,6 @@ Learn how to use data sensitivity labels to prioritize incident investigation.
->[!NOTE]
-> The event side pane now provides additional insight to the WIP and AIP protection status.
-
>[!TIP]
>These data points are also exposed through the ‘FileCreationEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
index 549441bb72..71b44a53e7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
@@ -49,16 +49,16 @@ Customers can engage our security experts directly from within Microsoft Defende
The option to **Consult a threat expert** is available in several places in the portal so you can engage with experts in the context of your investigation:
- **Help and support menu**
-
+
- **Machine page actions menu**
-
+
-- **Alerts page Actions menu**
-
+- **Alerts page actions menu**
+
- **File page actions menu**
-
+
## Related topic
- [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 35737ea931..22be565559 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -36,6 +36,7 @@ Response actions run along the top of the file page, and include:
- Stop and Quarantine File
- Add Indicator
- Download file
+- Consult a threat expert
- Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep analysis and read past reports by selecting the **Deep analysis** tab. It's located below the file information cards.
@@ -173,7 +174,7 @@ If a file is not already stored by Microsoft Defender ATP, you cannot download i
You can consult a Microsoft threat expert for more insights regarding a potentially compromised machine or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised machine, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
-See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
+See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
## Check activity details in Action center
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
index ed0f28f577..60e3dbd5ac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
@@ -178,7 +178,7 @@ When a machine is being isolated, the following notification is displayed to inf
You can consult a Microsoft threat expert for more insights regarding a potentially compromised machine or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised machine, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
-See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
+See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
## Check activity details in Action center