commit

windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md

@@ -30,11 +30,13 @@ ms.date: 05/01/2018
 You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
 
 > [!NOTE]
-> Only users with full access can configure email notifications. If you've chosen to use role-based access control (RBAC), users with Security Administrator or Global Administrator roles can configure email notifications.
+> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.
 
 You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
 
-If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine group that they are a part of. 
+If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine groups that were configured in the notification rule.
+Users with the proper permission can only create, edit, or delete notifications that are limited to their machine group management scope.
+Only users assigned to the Global administrator role can manage notification rules that are configured for all machine groups.
 
 The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
 
@@ -49,7 +51,7 @@ You can create rules that determine the machines and alert severities to send em
 
 3.	Specify the General information:
     - **Rule name**
-    - **Machines** - Choose whether to notify recipients for all alerts on all machines or on selected machine group. If you choose to only send on a selected machine group, make sure that the machine group has been created. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
+    - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
     - **Alert severity** - Choose the alert severity level
 
 4. Click **Next**.

windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md

@@ -34,12 +34,12 @@ In Windows Defender ATP, you can create machine groups and use them to:
 
 As part of the process of creating a machine group, you'll:
 - Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md).
-- Specify the matching rule that determines which machine group belongs to the group based on the machine name, domain, tags, and OS platform. If a machine is also matched to other groups, it is added only to the highest ranked machine group.
-- Select the Azure AD user group that should have access to the machine group.
-- Rank the machine group relative to other groups after it is created .
+- Define a matching rule based on the machine name, domain, tags, and OS platform to determine which machines belong to the group. If a machine is also matched to other groups, it is added only to the highest ranked machine group.
+- Determine access to machine group
+- Rank the machine group relative to other groups after it is created 
 
 >[!NOTE]
->All machine groups are accessible to all users if you don’t assign any Azure AD groups to them.
+>A machine group is accessible to all users if you don’t assign any Azure AD groups to it.
 
 
 ## Add a machine group
@@ -48,12 +48,17 @@ As part of the process of creating a machine group, you'll:
 
 2.	Click **Add machine group**. 
 
-3.	Enter machine group details, specify the matching rule, preview the results, then assign the group to an Azure AD user group.
+3.	Set the machine group details, configure an association rule, preview the results, then assign the group to an Azure user group:
 
-	>[!TIP]
-	>If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags).
+	 - **Name**
+	 - **Remediation level for automated investigations**
+     - **Description**
+	 - **Matching rule** – you can apply the rule based on machine name, domain, tag, or OS version. 
 
-4.	Review the result of the preview of matched machines. If you are satisfied with the rules, click the **User access** tab.
+		>[!TIP]
+		>If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags).
+
+4.	Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **Access** tab.
 
 5.	Assign the user groups that can access the machine group you created. 
 
@@ -63,15 +68,15 @@ As part of the process of creating a machine group, you'll:
 6.	Click **Close**. The configuration changes are applied.
 
 
-## Manage machine groups
+## Understand matching and manage groups
 You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups.
 
 >[!WARNING]
->Deleting a machine group may affect email notification rules. If a machine group that's part of an email notification rule is the only machine group in that rule, that email notification rule will be deleted along with the machine group.
+>Deleting a machine group may affect email notification rules. If a machine group is configured under an email notification rule it will be removed from that rule. If the machine group is the only group configured for an email notification, that email notification rule will be deleted along with the machine group.
 
 By default, machine groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the machine group.
 
-Machines that are not matched to any groups are added to grouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group.
+Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group.
 
 >[!NOTE]
 > - Applying changes to machine group configuration may take up to several minutes.

windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md

@@ -76,17 +76,18 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a
 
 2.	Click **Add role**. 
 
-3.	Enter the role name, description, and active permissions you’d like to assign to the role.
+3.	Enter the role name, description, and permissions you’d like to assign to the role.
 
 	 - **Role name**
 
 	 - **Description**
 
-	 - **Active permissions**
+	 - **Permissions**
 		  - **View data** - Users can view information in the portal.
 		  - **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
 		  - **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions.
 		  - **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads.
+		  - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
 		  
 4.	Click **Next** to assign the role to an Azure AD group.
 
@@ -102,13 +103,13 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a
 
 2.	Click **Edit**.
 
-3.	Modify the details or the groups that the role is a part of. 
+3.	Modify the details or the groups that are assigned to the role. 
 
 4.	Click **Save and close**.
 
 ## Delete roles
 
-1.	Select the role row you'd like to delete.
+1.	Select the role you'd like to delete.
 
 2.	Click the drop-down button and select **Delete role**.