Merge branch 'master' into jreeds-sharedPC

.openpublishing.redirection.json

@@ -1352,6 +1352,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection",
 "redirect_document_id": true

devices/hololens/hololens2-autopilot.md

@@ -71,7 +71,7 @@ Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows
 Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements:
 
 - The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune.
-- Every device can connect to the internet. You can use a wired or wireless connection.
+- Every device can connect to the internet. You can "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity. 
 - Every device can connect to a computer by using a USB-C cable, and that computer has the following available:
   - Advanced Recovery Companion (ARC)
   - The latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version)

mdop/mbam-v1/evaluating-mbam-10.md

@@ -55,21 +55,21 @@ Even when you set up a non-production instance of MBAM to evaluate in a lab envi
 <td align="left"><p></p>
 <p>Prepare your computing environment for the MBAM installation. To do so, you must enable the Transparent Data Encryption (TDE) on the SQL Server instances that will host MBAM databases. To enable TDE in your lab environment, you can create a .sql file to run against the master database that is hosted on the instance of the SQL Server that MBAM will use.</p>
 <div class="alert">
-<strong>Note</strong><br/><p>You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of <em>C:\Backup&lt;/em&gt;. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.</p>
+<strong>Note</strong><br/><p>You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of <em>C:\Backup</em>. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.</p>
 </div>
 <div>
 
 </div>
 <pre class="syntax" space="preserve"><code>USE master;
 GO
-CREATE MASTER KEY ENCRYPTION BY PASSWORD = &amp;amp;#39;P@55w0rd&#39;;
+CREATE MASTER KEY ENCRYPTION BY PASSWORD = &#39;P@55w0rd&#39;;
 GO
 CREATE CERTIFICATE tdeCert WITH SUBJECT = &#39;TDE Certificate&#39;;
 GO
 BACKUP CERTIFICATE tdeCert TO FILE = &#39;C:\Backup\TDECertificate.cer&#39;
    WITH PRIVATE KEY (
          FILE = &#39;C:\Backup\TDECertificateKey.pvk&#39;,
-         ENCRYPTION BY PASSWORD = &amp;amp;#39;P@55w0rd&#39;);
+         ENCRYPTION BY PASSWORD = &#39;P@55w0rd&#39;);
 GO</code></pre></td>
 <td align="left"><p><a href="mbam-10-deployment-prerequisites.md" data-raw-source="[MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md)">MBAM 1.0 Deployment Prerequisites</a></p>
 <p><a href="https://go.microsoft.com/fwlink/?LinkId=269703" data-raw-source="[Database Encryption in SQL Server 2008 Enterprise Edition](https://go.microsoft.com/fwlink/?LinkId=269703)">Database Encryption in SQL Server 2008 Enterprise Edition</a></p></td>

windows/configuration/cortana-at-work/cortana-at-work-feedback.md

@@ -16,10 +16,10 @@ manager: dansimp
 
 To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. This opens the Feedback Hub application where you can provide more information to help diagnose reported issues.
 
-:::image type="content" source="../../../images/screenshot11.png" alt-text="Screenshot: Send feedback page":::
+:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page":::
 
 To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. This opens the Feedback Hub where more information on the issue can be provided.
 
-:::image type="content" source="../../../images/screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub":::
+:::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub":::
 
 In order for enterprise users to provide feedback, admins must unblock the Feedback Hub in the [Azure portal](https://portal.azure.com/). Go to the **Enterprise applications section** and enable **Users can allow apps to access their data**.

windows/configuration/cortana-at-work/cortana-at-work-overview.md

@@ -17,7 +17,7 @@ ms.author: dansimp
 
 Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
 
-:::image type="content" source="../../../images/screenshot1.png" alt-text="Screenshot: Cortana home page example":::
+:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example":::
 
 ## Where is Cortana available for use in my organization?
 
@@ -30,7 +30,7 @@ The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store
 Cortana requires a PC running Windows 10, version 1703 or later, as well as the following software to successfully run the included scenario in your organization.
 
 >[!NOTE]
->A microphone is not required to use Cortana.
+>A microphone isn't required to use Cortana.
 
 |**Software**  |**Minimum version**  |
 |---------|---------|
@@ -48,7 +48,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
 
 ### Cortana in Windows 10, version 2004 and later
 
-Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). For more information, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365).
+Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365).
 
 #### How does Microsoft store, retain, process, and use Customer Data in Cortana?
 
@@ -71,7 +71,7 @@ First, the user must enable the wake word from within Cortana settings. Once it
 
 The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
 
-:::image type="content" source="images/screenshot2.png" alt-text="Microphone icon in the system tray indicating an assistant app is listening":::
+:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
 
 At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded.
 

windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md

@@ -22,9 +22,9 @@ manager: dansimp
 
 4. Say **Cortana, what can you do?**.
 
-When you say "Cortana", Cortana will open in listening mode to acknowledge the wake word.
+When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.
 
-:::image type="content" source="../../../images/screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
+:::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
 
 Once you finish saying your query, Cortana will open with the result.
 

windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md

@@ -20,7 +20,7 @@ manager: dansimp
 
 Cortana will respond with the information from Bing.
 
-:::image type="content" source="../../../images/screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad":::
+:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad":::
 
 >[!NOTE]
->This scenario requires Bing Answers to be enabled. For more information, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature).
+>This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature).

windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md

@@ -16,11 +16,10 @@ manager: dansimp
 
 This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting.
 
-1. Select the **Cortana** icon in the taskbar and type _Remind me to send a link to the deck at 3:05pm_ and press **Enter**.
+1. Select the **Cortana** icon in the taskbar and type **Remind me to send a link to the deck at 3:05pm** and press **Enter**.
 
 Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time.
 
-:::image type="content" source="../../../images/screenshot6.png" alt-text="Screenshot: Cortana set a reminder":::
-
-:::image type="content" source="../../../images/screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page":::
+:::image type="content" source="../screenshot6.png" alt-text="Screenshot: Cortana set a reminder":::
 
+:::image type="content" source="../screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page":::

windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md

@@ -14,7 +14,7 @@ manager: dansimp
 
 # Test scenario 4 - Use Cortana to find free time on your calendar
 
-This process helps you find out if a time slot is free on your calendar.
+This scenario helps you find out if a time slot is free on your calendar.
 
 1. Select the  **Cortana**  icon in the taskbar.
 
@@ -24,4 +24,4 @@ This process helps you find out if a time slot is free on your calendar.
 
 Cortana will respond with your availability for that time, as well as nearby meetings.
 
-:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar":::
+:::image type="content" source="../screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar":::

windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md

@@ -20,6 +20,6 @@ Cortana can help you quickly look up information about someone or the org chart.
 
 2. Type or select the mic and say, **Who is name of person in your organization's?**
 
-:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing name of person in your organization":::
+:::image type="content" source="../screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization":::
 
-Cortana will respond with information about the person. You can select the person to open information about them in Microsoft Search.
+Cortana will respond with information about the person. You can select the person to see more information about them in Microsoft Search.

windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md

@@ -14,7 +14,7 @@ manager: dansimp
 
 # Test scenario 6 – Change your language and perform a quick search with Cortana
 
-Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location or another.
+Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location.
 
 1. Select the  **Cortana**  icon in the taskbar.
 
@@ -22,4 +22,4 @@ Cortana can help employees in regions outside the US search for quick answers li
 
 3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**.
 
-:::image type="content" source="../../../images/screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish":::
+:::image type="content" source="../screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish":::

windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md

@@ -33,7 +33,7 @@ Sign in to the [Office Configuration Admin tool](https://config.office.com/).
 
 Follow the steps [here](https://docs.microsoft.com/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below:
 
-:::image type="content" source="../../../images/screenshot3.png" alt-text="Screenshot: Bing policy example":::
+:::image type="content" source="../screenshot3.png" alt-text="Screenshot: Bing policy example":::
 
 ## How does Microsoft handle customer data for Bing Answers?
 
@@ -43,7 +43,7 @@ When a user enters a search query (by speech or text), Cortana evaluates if the
 
 2. If it is not for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic.
 
-Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users/user groups in their organization.
+Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users and user groups in their organization.
 
 ## How the Bing Answer policy configuration is applied
 Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an AAD group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.

windows/security/threat-protection/TOC.md

@@ -417,8 +417,6 @@
 ###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
 ###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
 
-#### [APIs]()
-##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
 
 #### [Rules]()
 ##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
@@ -441,7 +439,6 @@
 ## Reference
 ### [Management and APIs]()
 #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
-
 #### [Microsoft Defender ATP API]()
 ##### [Get started]()
 ###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)

windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md

@@ -28,8 +28,9 @@ ms.topic: article
 Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
 
 >[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
 >- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details.
+>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 
 ## Detections API fields and portal mapping
 The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
@@ -91,7 +92,6 @@ Field numbers match the numbers in the images below.
 
 ## Related topics
 - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
 - [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
 - [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
 - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)

windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md

@@ -92,12 +92,12 @@ This example shows that with behavioral blocking and containment capabilities, t
 
 ## Next steps
 
-- [Learn more about recent global threat activity](https://www.microsoft.com/wdsi/threats)
-
 - [Learn more about Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
 
 - [Configure your attack surface reduction rules](attack-surface-reduction.md)
 
 - [Enable EDR in block mode](edr-in-block-mode.md)
 
+- [See recent global threat activity](https://www.microsoft.com/wdsi/threats)
+
 - [Get an overview of Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)

windows/security/threat-protection/microsoft-defender-atp/configure-siem.md

@@ -28,30 +28,28 @@ ms.topic: article
 ## Pull detections using security information and events management (SIEM) tools
 
 >[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
 >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 
 Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
 
 
-Microsoft Defender ATP currently supports the following SIEM tools:
+Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model:
 
-- Splunk
-- HP ArcSight
+- IBM QRadar
+- Micro Focus ArcSight
+
+Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details.
 
 To use either of these supported SIEM tools you'll need to:
 
 - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
 - Configure the supported SIEM tool:
-    - [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
      - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+     - Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
 
 For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md).
 
 
-## Pull Microsoft Defender ATP detections using REST API
-Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API.
-
-For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md).
-
 

windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md

@@ -1,133 +0,0 @@
----
-title: Configure Splunk to pull Microsoft Defender ATP detections
-description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center.
-keywords: configure splunk, security information and events management tools, splunk
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
----
-
-# Configure Splunk to pull Microsoft Defender ATP detections
-
-**Applies to:**
-
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink) 
-
-You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections.
-
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
-
-## Before you begin
-
-- Install the open source [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/) in Splunk.
-- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-
-- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
-   - Tenant ID
-   - Client ID
-   - Client Secret
-   - Resource URL
-
-
-## Configure Splunk
-
-1. Login in to Splunk.
-
-2. Go to **Settings** > **Data inputs**.
-
-3. Select **Windows Defender ATP alerts** under **Local inputs**.
-
-   >[!NOTE]
-   > - This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
-   > - For Splunk Cloud, use [Microsoft Defender ATP Add-on for Splunk](https://splunkbase.splunk.com/app/4959/).
-
-
-4. Click **New**.
-
-5. Type the following values in the required fields, then click **Save**:
-
-   NOTE:
-   All other values in the form are optional and can be left blank.
-
-   <table>
-   <tbody style="vertical-align:top;">
-   <tr>
-   <th>Field</th>
-   <th>Value</th>
-   </tr>
-   <tr>
-   <td>Name</td>
-   <td>Name for the Data Input</td>
-   </tr>
-    <td>Login URL</td>
-   <td>URL to authenticate the azure app (Default : https://login.microsoftonline.com)</td>
-   </tr>
-   <td>Endpoint</td>
-   <td>Depending on the location of your datacenter, select any of the following URL: </br></br> <strong>For EU</strong>:  <code>https://wdatp-alertexporter-eu.securitycenter.windows.com</code><br></br><strong>For US:</strong><code>https://wdatp-alertexporter-us.securitycenter.windows.com</code> <br><br> <strong>For UK:</strong><code>https://wdatp-alertexporter-uk.securitycenter.windows.com</code>
-   </tr>
-   <tr>
-   <td>Tenant ID</td>
-   <td>Azure Tenant ID</td>
-   </tr>
-   <td>Resource</td>
-   <td>Value from the SIEM integration feature page</td>
-   <tr>
-   <td>Client ID</td>
-   <td>Value from the SIEM integration feature page</td>
-   </tr>
-   <tr>
-   <td>Client Secret</td>
-   <td>Value from the SIEM integration feature page</td>
-   </tr>
-   
-   </tr>
-   </table>
-
-After completing these configuration steps, you can go to the Splunk dashboard and run queries.
-
-## View detections using Splunk solution explorer
-Use the solution explorer to view detections in Splunk.
-
-1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**.
-
-2. Select **New**.
-
-3. Enter the following details:
-   - Search: Enter a query, for example:</br>
-     `sourcetype="wdatp:alerts" |spath|table*`
-   - App: Add-on for Windows Defender (TA_Windows-defender)
-
-     Other values are optional and can be left with the default values.
-
-4. Click **Save**. The query is saved in the list of searches.
-
-5. Find the query you saved in the list and click **Run**. The results are displayed based on your query.
-
-
->[!TIP]
-> To minimize Detection duplications, you can use the following query:
->```source="rest://wdatp:alerts" | spath | dedup _raw | table *``` 
-
-## Related topics
-- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
-- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
-- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
-- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)

windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md

@@ -27,9 +27,10 @@ ms.topic: article
 
 Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API.
 
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>[!NOTE]
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
 >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 
 ## Prerequisites
 - The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role.
@@ -75,7 +76,6 @@ You can now proceed with configuring your SIEM solution or connecting to the det
 You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
 
 ## Related topics
-- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
 - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
 - [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
 - [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)

windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md

@@ -179,18 +179,59 @@ In order to preview new features and provide early feedback, it is recommended t
     sudo yum install mdatp
     ```
 
+    If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+    ```bash
+    # list all repositories
+    $ yum repolist
+    ...
+    packages-microsoft-com-prod               packages-microsoft-com-prod        316
+    packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins      2
+    ...
+
+    # install the package from the production repository
+    $ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
+    ```
+
 - SLES and variants:
 
     ```bash
     sudo zypper install mdatp
     ```
 
+    If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+    ```bash
+    # list all repositories
+    $ zypper repos
+    ...
+    #  | Alias | Name | ...
+    XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...
+    XX | packages-microsoft-com-prod | microsoft-prod | ...
+    ...
+
+    # install the package from the production repository
+    $ sudo zypper install packages-microsoft-com-prod:mdatp
+    ```
+
 - Ubuntu and Debian system:
 
     ```bash
     sudo apt-get install mdatp
     ```
 
+    If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+    ```bash
+    # list all repositories
+    $ cat /etc/apt/sources.list.d/*
+    deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main
+    deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main
+
+    # install the package from the production repository
+    $ sudo apt -t bionic install mdatp
+    ```
+
 ## Download the onboarding package
 
 Download the onboarding package from Microsoft Defender Security Center:

windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md

@@ -41,7 +41,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
 
-    ![Microsoft Defender Security Center screenshot](../windows-defender-antivirus/images/ATP-Portal-Onboarding-page.png)
+    ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-page.png)
 
 5. From a command prompt, verify that you have the two files.
     

windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md

@@ -27,8 +27,9 @@ ms.topic: article
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) 
 
 >[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
 >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 
 Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API.