Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into mdt

2025-05-14 06:17:22 +00:00 · 2020-01-10 12:21:13 -08:00 · 2020-01-10 12:21:13 -08:00 · 696a615d3d
commit 696a615d3d
parent a79b99886f 38534923f8
77 changed files with 1451 additions and 1008 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -50,6 +50,11 @@
    "redirect_url": "https://docs.microsoft.com/hololens/holographic-data",
    "redirect_document_id": false
 },
 {
    "source_path": "devices/hololens/hololens-management-overview.md",
    "redirect_url": "https://docs.microsoft.com/hololens",
    "redirect_document_id": false
 },
 {
 "source_path": "devices/surface/manage-surface-pro-3-firmware-updates.md",
 "redirect_url": "https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates",
@ -961,6 +966,11 @@
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview",
 "redirect_document_id": false
@ -971,6 +981,51 @@
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection",
 "redirect_document_id": true
@ -1662,11 +1717,6 @@
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score",
 "redirect_document_id": true
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@ -53,15 +53,14 @@
 ## [Spatial mapping on HoloLens](hololens-spaces.md)
 # Update, troubleshoot, or recover HoloLens
 ## [Update, troubleshoot, or recover HoloLens](hololens-management-overview.md)
 ## [Update HoloLens](hololens-update-hololens.md)
 ## [Restart, reset, or recover](hololens-recovery.md)
 ## [Troubleshoot HoloLens](hololens-troubleshooting.md)
 ## [Known issues](hololens-known-issues.md)
 ## [Frequently asked questions](hololens-faq.md)
 ## [Hololens services status](hololens-status.md)
 # [Release Notes](hololens-release-notes.md)
 # [Hololens status](hololens-status.md)
 # [Give us feedback](hololens-feedback.md)
 # [Join the Windows Insider program](hololens-insider.md)
 # [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
--- a/devices/hololens/hololens-insider.md
+++ b/devices/hololens/hololens-insider.md
@ -3,11 +3,12 @@ title: Insider preview for Microsoft HoloLens (HoloLens)
 description: It’s simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens.
 ms.prod: hololens
 ms.sitesec: library
-author: dansimp
+author: scooley
-ms.author: dansimp
+ms.author: scooley
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 10/23/2018
+audience: ITPro
 ms.date: 1/6/2020
 ms.reviewer: 
 manager: dansimp
 appliesto:
@ -17,38 +18,37 @@ appliesto:
 # Insider preview for Microsoft HoloLens
-Welcome to the latest Insider Preview builds for HoloLens!  It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens. 
+Welcome to the latest Insider Preview builds for HoloLens!  It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens.
 ## How do I install the Insider builds? 
 On a device running the Windows 10 April 2018 Update, go to <strong>Settings -&gt; Update &amp; Security -&gt; Windows Insider Program</strong> and select <strong>Get started</strong>. Link the account you used to register as a Windows Insider. 
-Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. 
+## Start receiving Insider builds
-Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build. 
+On a device running the Windows 10 April 2018 Update, go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider.
-## How do I stop receiving Insider builds?
+Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms.
-If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](https://docs.microsoft.com/windows/mixed-reality/reset-or-recover-your-hololens#perform-a-full-device-recovery) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic.
+Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build.
 ## Stop receiving Insider builds
 If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic.
 To verify that your HoloLens is running a production build:
 - Go to **Settings > System > About**, and find the build number.
- If the build number is 10.0.17763.1, your HoloLens is running a production build. [See the list of production build numbers.](https://www.microsoft.com/itpro/windows-10/release-information)
+- [See the release notes for production build numbers.](hololens-release-notes.md)
 To opt out of Insider builds:
 - On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
 - Follow the instructions to opt out your device.
 ## Provide feedback and report issues
 Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem.  Issues with the Chinese and Japanese version of HoloLens should be reported the same way.
 >[!NOTE]
 >Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted).
 ## Note for developers
 You are welcome and encouraged to try developing your applications using Insider builds of HoloLens.  Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with Insider builds of HoloLens.  You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development.
 ## Provide feedback and report issues
 Please use [the Feedback Hub app](https://docs.microsoft.com/windows/mixed-reality/give-us-feedback) on your HoloLens or Windows 10 PC to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem.  Issues with the Chinese and Japanese version of HoloLens should be reported the same way.
 >[!NOTE]
 >Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted).
--- a/devices/hololens/hololens-management-overview.md
+++ b/devices/hololens/hololens-management-overview.md
@ -1,32 +0,0 @@
 ---
 title: Update, troubleshoot, or recover HoloLens
 description: 
 author: Teresa-Motiv
 ms.author: v-tea
 ms.date: 11/27/2019
 ms.prod: hololens
 ms.topic: article
 ms.custom: CSSTroubleshooting
 audience: ITPro
 keywords: issues, bug, troubleshoot, fix, help, support, HoloLens
 manager: jarrettr
 ms.localizationpriority: medium
 appliesto:
 - HoloLens (1st gen)
 - HoloLens 2
 ---
 # Update, troubleshoot, or recover HoloLens
 The articles in this section help you keep your HoloLens up-to-date and help you resolve any issues that you encounter.
 **In this section**
 | Article | Description |
 | --- | --- |
 | [Update HoloLens](hololens-update-hololens.md) | Describes how to identify the build number of your device, and how to update your device manually. |
 | [Manage updates on many HoloLens](hololens-updates.md) | Describes how to use policies to manage device updates. |
 | [Restart, reset, or recover](hololens-recovery.md) | Describes how to restart, reset, or recover a HoloLens device |
 | [Troubleshoot HoloLens](hololens-troubleshooting.md) | Describes solutions to common HoloLens problems. |
 | [Known issues](hololens-known-issues.md) | Describes known HoloLens issues. |
 | [Frequently asked questions](hololens-faq.md) | Provides answers to common questions about HoloLens.|
--- a/devices/hololens/hololens-release-notes.md
+++ b/devices/hololens/hololens-release-notes.md
@ -22,6 +22,10 @@ appliesto:
 > [!Note]
 > HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
 ### January Update - build 18362.1043
 - Stability improvements for exclusive apps when working with the HoloLens 2 emulator.
 ### December Update - build 18362.1042
 - Introduces LSR (Last Stage Reproduction) fixes. Improves visual rendering of holograms to appear more stable and crisp by more accurately accounting for their depth. This will be more noticeable if apps do not set the depth of holograms correctly, after this update.
--- a/devices/surface-hub/surface-hub-site-readiness-guide.md
+++ b/devices/surface-hub/surface-hub-site-readiness-guide.md
@ -1,12 +1,12 @@
 ---
 title: Surface Hub Site Readiness Guide
 ms.reviewer: 
-manager: dansimp
+manager: laurawi
 description: Use this Site Readiness Guide to help plan your Surface Hub installation.
 ms.prod: surface-hub
 ms.sitesec: library
-author: dansimp
+author: greg-lindsay
-ms.author: dansimp
+ms.author: greglin
 ms.topic: article
 ms.localizationpriority: medium
 ---
@ -28,7 +28,7 @@ The room needs to be large enough to provide good viewing angles, but small enou
 - The screen is not in direct sunlight, which could affect viewing or damage the screen.
 - Ventilation openings are not blocked.
 - Microphones are not affected by noise sources, such as fans or vents.
-You can find more details in the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections.  For cleaning, care, and safety information, see the mounting guides and user guide at http://www.microsoft.com/surface/support/surface-hub.
+You can find more details in the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections.  For cleaning, care, and safety information, see the mounting guides and user guide at https://www.microsoft.com/surface/support/surface-hub.
 ### Hardware considerations
@ -47,7 +47,7 @@ For details about cable ports, see the [55” Microsoft Surface Hub technical in
 Microsoft Surface Hub has an internal PC and does not require an external computer system. 
-For power recommendations, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md). For power cable safety warnings, see the mounting guides at http://www.microsoft.com/surface/support/surface-hub.
+For power recommendations, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md). For power cable safety warnings, see the mounting guides at https://www.microsoft.com/surface/support/surface-hub.
 ### Data and other connections
@ -77,7 +77,7 @@ Before you move Surface Hub, make sure that all the doorways, thresholds, hallwa
 ### Unpacking Surface Hub
-For unpacking information, refer to the unpacking guide included in the shipping container. You can open the unpacking instructions before you open the shipping container.  These instructions can also be found here: http://www.microsoft.com/surface/support/surface-hub
+For unpacking information, refer to the unpacking guide included in the shipping container. You can open the unpacking instructions before you open the shipping container.  These instructions can also be found here: https://www.microsoft.com/surface/support/surface-hub
 >[!IMPORTANT]
 >Retain and store all Surface Hub shipping materials—including the pallet, container, and screws—in case you need to ship Surface Hub to a new location or send it
@ -85,17 +85,17 @@ for repairs. For the 84” Surface Hub, retain the lifting handles.
 ### Lifting Surface Hub
-The 55” Surface Hub requires two people to safely lift and mount. The 84” Surface Hub requires four people to safely lift and mount. Those assisting must be able to lift 70 pounds to waist height. Review the unpacking and mounting guide for details on lifting Surface Hub. You can find it at http://www.microsoft.com/surface/support/surface-hub.
+The 55” Surface Hub requires two people to safely lift and mount. The 84” Surface Hub requires four people to safely lift and mount. Those assisting must be able to lift 70 pounds to waist height. Review the unpacking and mounting guide for details on lifting Surface Hub. You can find it at https://www.microsoft.com/surface/support/surface-hub.
 ## Mounting and setup
-See your mounting guide at http://www.microsoft.com/surface/support/surface-hub for detailed instructions. 
+See your mounting guide at https://www.microsoft.com/surface/support/surface-hub for detailed instructions. 
 There are three ways to mount your Surface Hub:
 - **Wall mount**: Lets you permanently hang Surface Hub on a conference space wall.
 - **Floor support mount**: Supports Surface Hub on the floor while it is permanently anchored to a conference space wall.
- **Rolling stand**: Supports Surface Hub and lets you move it to other conference locations. For links to guides that provide details about each mounting method, including building requirements, see http://www.microsoft.com/surface/support/surface-hub.
+- **Rolling stand**: Supports Surface Hub and lets you move it to other conference locations. For links to guides that provide details about each mounting method, including building requirements, see https://www.microsoft.com/surface/support/surface-hub.
 For specifications on available mounts for the original Surface Hub, see the following:
@ -129,13 +129,10 @@ For example, to provide audio, video, and touchback capability to all three vide
 When you create your wired connect cable bundles, check the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections for specific technical and physical details and port locations for each type of Surface Hub. Make the cables long enough to reach from Surface Hub to where the presenter will sit or stand.
-For details on Touchback and Inkback, see the user guide at http://www.microsoft.com/surface/support/surface-hub. 
+For details on Touchback and Inkback, see the user guide at https://www.microsoft.com/surface/support/surface-hub. 
 ## See also
-[Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov)  
+[Watch the video (opens in a pop-up media player)](https://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov)  
--- a/devices/surface-hub/surface-hub-start-menu.md
+++ b/devices/surface-hub/surface-hub-start-menu.md
@ -182,7 +182,3 @@ This example shows a link to a website and a link to a .pdf file. The secondary
 >[!NOTE]
 >The default value for `ForegroundText` is light; you don't need to include `ForegroundText` in your XML unless you're changing the value to dark.
 ## More information
 - [Blog post: Changing Surface Hub’s Start Menu](https://blogs.technet.microsoft.com/y0av/2018/02/13/47/)
--- a/devices/surface-hub/surface-hub-update-history.md
+++ b/devices/surface-hub/surface-hub-update-history.md
@ -442,7 +442,7 @@ This update brings the Windows 10 Team Anniversary Update to Surface Hub and inc
 * General
  * Enabled Audio Device Selection (for Surface Hubs attached using external audio devices)
  * Enabled support for HDCP on DisplayPort output connector
-  * System UI changes to settings for usability optimization (refer to [User and Admin Guides](http://www.microsoft.com/surface/support/surface-hub) for additional details)
+  * System UI changes to settings for usability optimization (refer to [User and Admin Guides](https://www.microsoft.com/surface/support/surface-hub) for additional details)
  * Bug fixes and performance optimizations to speed up the Azure Active Directory sign-in flow
  * Significantly improved time needed to reset and restore Surface Hub
  * Windows Defender UI has been added within settings
@ -520,9 +520,9 @@ This update to the Surface Hub includes quality improvements and security fixes.
 ## Related topics
-* [Windows 10 feature road map](http://go.microsoft.com/fwlink/p/?LinkId=785967)
+* [Windows 10 feature roadmap](https://go.microsoft.com/fwlink/p/?LinkId=785967)
-* [Windows 10 release information](http://go.microsoft.com/fwlink/p/?LinkId=724328)
+* [Windows 10 release information](https://go.microsoft.com/fwlink/p/?LinkId=724328)
-* [Windows 10 November update: FAQ](http://windows.microsoft.com/windows-10/windows-update-faq)
+* [Windows 10 November update: FAQ](https://windows.microsoft.com/windows-10/windows-update-faq)
-* [Microsoft Surface update history](http://go.microsoft.com/fwlink/p/?LinkId=724327)
+* [Microsoft Surface update history](https://go.microsoft.com/fwlink/p/?LinkId=724327)
-* [Microsoft Lumia update history](http://go.microsoft.com/fwlink/p/?LinkId=785968)
+* [Microsoft Lumia update history](https://go.microsoft.com/fwlink/p/?LinkId=785968)
-* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447)
+* [Get Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=616447)
--- a/windows/client-management/TOC.md
+++ b/windows/client-management/TOC.md
@ -31,5 +31,6 @@
 #### [Advanced troubleshooting for Windows-based computer freeze](troubleshoot-windows-freeze.md)
 #### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md)
 #### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
 #### [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
 ## [Mobile device management for solution providers](mdm/index.md)
 ## [Change history for Client management](change-history-for-client-management.md)
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@ -220,7 +220,6 @@ If Windows cannot load the system registry hive into memory, you must restore th
 If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
 ## Kernel Phase
 If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following:
@ -228,8 +227,9 @@ If the system gets stuck during the kernel phase, you experience multiple sympto
 -   A Stop error appears after the splash screen (Windows Logo screen).
 -   Specific error code is displayed.
-    For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
+    For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.  
-    [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device)
+    - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device)
    - [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
 -   The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
--- a/windows/client-management/change-history-for-client-management.md
+++ b/windows/client-management/change-history-for-client-management.md
@ -9,7 +9,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
-ms.date: 12/13/2019
+ms.date: 12/27/2019
 ms.reviewer: 
 manager: dansimp
 ms.topic: article
@ -24,6 +24,7 @@ This topic lists new and updated topics in the [Client management](index.md) doc
 New or changed topic | Description
 --- | ---
 [Change in default removal policy for external storage media in Windows 10, version 1809](change-default-removal-policy-external-storage-media.md) | New
 [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) | New
 ## December 2018
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  - [What is dmwappushsvc?](#what-is-dmwappushsvc)
 - **Change history in MDM documentation**
    - [January 2020](#january-2020)
    - [November 2019](#november-2019)
    - [October 2019](#october-2019)
    - [September 2019](#september-2019)
@ -1935,6 +1936,12 @@ How do I turn if off? | The service can be stopped from the "Services" console o
 ## Change history in MDM documentation
 ### January 2020
 |New or updated topic | Description|
 |--- | ---|
 |[Policy CSP - Defender](policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.|
 ### November 2019
 |New or updated topic | Description|
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@ -7,7 +7,7 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 01/08/2020
 ms.reviewer: 
 manager: dansimp
 ---
@ -3068,7 +3068,7 @@ The following list shows the supported values:
 Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take.
-This value is a list of threat severity level IDs and corresponding actions, separated by a<strong>|</strong> using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3
+This value is a list of threat severity level IDs and corresponding actions, separated by a <strong>|</strong> using the format "*threat level*=*action*|*threat level*=*action*". For example, "1=6|2=2|4=10|5=3".
 The following list shows the supported values for threat severity levels:
@ -3079,12 +3079,12 @@ The following list shows the supported values for threat severity levels:
 The following list shows the supported values for possible actions:
-   1 – Clean
+-   1 – Clean. Service tries to recover files and try to disinfect.
-   2 – Quarantine
+-   2 – Quarantine. Moves files to quarantine.
-   3 – Remove
+-   3 – Remove. Removes files from system.
-   6 – Allow
+-   6 – Allow. Allows file/does none of the above actions.
-   8 – User defined
+-   8 – User defined. Requires user to make a decision on which action to take.
-   10 – Block
+-   10 – Block. Blocks file execution.
 <!--/Description-->
 <!--ADMXMapped-->
--- a/windows/client-management/troubleshoot-event-id-41-restart.md
+++ b/windows/client-management/troubleshoot-event-id-41-restart.md
@ -0,0 +1,121 @@
 ---
 title: Advanced troubleshooting for Event ID 41 - "The system has rebooted without cleanly shutting down first"
 description: Describes the circumstances that cause a computer to generate Event ID 41, and provides guidance for troubleshooting the issue
 author: Teresa-Motiv
 ms.author: v-tea
 ms.date: 12/27/2019
 ms.prod: w10
 ms.topic: article
 ms.custom: 
 - CI 111437
 - CSSTroubleshooting
 audience: ITPro
 ms.localizationpriority: medium
 keywords: event id 41, reboot, restart, stop error, bug check code
 manager: kaushika
 ---
 # Advanced troubleshooting for Event ID 41: "The system has rebooted without cleanly shutting down first"
 > **Home users**
 > This article is intended for use by support agents and IT professionals. If you're looking for more information about blue screen error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors).
 The preferred way to shut down Windows is to select **Start**, and then select an option to turn off or shut down the computer. When you use this standard method, the operating system closes all files and notifies the running services and applications so that they can write any unsaved data to disk and flush any active caches.
 If your computer shuts down unexpectedly, Windows logs Event ID 41 the next time that the computer starts. The event text resembles the following:
 > Event ID: 41  
 > Description: The system has rebooted without cleanly shutting down first.
 This event indicates that some unexpected activity prevented Windows from shutting down correctly. Such a shutdown might be caused by an interruption in the power supply or by a Stop error. If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and includes any existing codes in the event data of Event ID 41.
 > EventData  
 > BugcheckCode 159  
 > BugcheckParameter1 0x3  
 > BugcheckParameter2 0xfffffa80029c5060  
 > BugcheckParameter3 0xfffff8000403d518  
 > BugcheckParameter4 0xfffffa800208c010  
 > SleepInProgress false  
 > PowerButtonTimestamp 0Converts to 0x9f (0x3, 0xfffffa80029c5060, 0xfffff8000403d518, 0xfffffa800208c010)  
 ## How to use Event ID 41 when you troubleshoot an unexpected shutdown or restart
 By itself, Event ID 41 might not contain sufficient information to explicitly define what occurred. Typically, you have to also consider what was occurring at the time of the unexpected shutdown (for example, the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances:
 - [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a Stop error (bug check) code
 - [Scenario 2](#scen2): The computer restarts because you pressed and held the power button
 - [Scenario 3](#scen3): The computer is unresponsive or randomly restarts, and Event ID 41 is not logged or the Event ID 41 entry lists error code values of zero
 ### <a name="scen1"></a>Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a Stop error (bug check) code
 When a computer shuts down or restarts because of a Stop error, Windows includes the Stop error data in Event ID 41 as part of the additional event data. This information includes the Stop error code (also called a bug check code), as shown in the following example:
 > EventData  
 > BugcheckCode 159  
 > BugcheckParameter1 0x3  
 > BugcheckParameter2 0xfffffa80029c5060  
 > BugcheckParameter3 0xfffff8000403d518  
 > BugcheckParameter4 0xfffffa800208c010  
 > [!NOTE]  
 > Event ID 41 includes the bug check code in decimal format. Most documentation that describes bug check codes refers to the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps:
 >  
 > 1. Select **Start**, type **calc** in the **Search** box, and then select **Calculator**.
 > 1. In the **Calculator** window, select **View** > **Programmer**.
 > 1. On the left side of calculator, verify that **Dec** is highlighted.
 > 1. Use the keyboard to enter the decimal value of the bug check code.
 > 1. On the left side of the calculator, select **Hex**.  
 > The value that the calculator displays is now the hexadecimal code.
 >  
 > When you convert a bug check code to hexadecimal format, verify that the “0x” designation is followed by eight digits (that is, the part of the code after the “x” includes enough zeros to fill out eight digits). For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. In the case of the example event data in this article, "159" converts to 0x0000009f.  
 After you identify the hexadecimal value, use the following references to continue troubleshooting:
 - [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md).
 - [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). This page lists links to documentation for different bug check codes.
 - [How to Debug Kernel Mode Blue Screen Crashes (for beginners)](https://blogs.technet.microsoft.com/askcore/2008/10/31/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners/).
 ### <a name="scen2"></a>Scenario 2: The computer restarts because you pressed and held the power button
 Because this method of restarting the computer interferes with the Windows shutdown operation, we recommend that you use this method only if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, the computer logs an Event ID 41 that includes a non-zero value for the **PowerButtonTimestamp** entry.
 For help when troubleshooting an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen."
 ### <a name="scen3"></a>Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is not recorded or the Event ID 41 entry or lists error code values of zero
 This scenario includes the following circumstances:
 - You shut off power to an unresponsive computer, and then you restart the computer.  
   To verify that a computer is unresponsive, press the CAPS LOCK key on the keyboard. If the CAPS LOCK light on the keyboard does not change when you press the CAPS LOCK key, the computer might be completely unresponsive (also known as a *hard hang*).  
 - The computer restarts, but it does not generate Event ID 41.
 - The computer restarts and generates Event ID 41, but the **BugcheckCode** and **PowerButtonTimestamp** values are zero.
 In such cases, something prevents Windows from generating error codes or from writing error codes to disk. Something might block write access to the disk (as in the case of an unresponsive computer) or the computer might shut down too quickly to write the error codes or even detect an error.
 The information in Event ID 41 provides some indication of where to start checking for problems:
 - **Event ID 41 is not recorded or the bug check code is zero**. This behavior might indicate a power supply problem. If the power to a computer is interrupted, the computer might shut down without generating a Stop error. If it does generate a Stop error, it might not finish writing the error codes to disk. The next time the computer starts, it might not log Event ID 41. Or, if it does, the bug check code is zero. Conditions such as the following might be the cause:
  - In the case of a portable computer, the battery was removed or completely drained.
  - In the case of a desktop computer, the computer was unplugged or experienced a power outage.
  - The power supply is underpowered or faulty.
 - **The PowerButtonTimestamp value is zero**. This behavior might occur if you disconnected the power to a computer that was not responding to input. Conditions such as the following might be the cause:
  - A Windows process blocked write access to the disk, and you shut down the computer by pressing and holding the power button for at least four seconds.
  - You disconnected the power to an unresponsive computer.
 Typically, the symptoms described in this scenario indicate a hardware problem. To help isolate the problem, do the following:
 - **Disable overclocking**. If the computer has overclocking enabled, disable it. Verify that the issue occurs when the system runs at the correct speed.
 - **Check the memory**. Use a memory checker to determine the memory health and configuration. Verify that all memory chips run at the same speed and that every chip is configured correctly in the system.
 - **Check the power supply**. Verify that the power supply has enough wattage to appropriately handle the installed devices. If you added memory, installed a newer processor, installed additional drives, or added external devices, such devices can require more energy than the current power supply can provide consistently. If the computer logged Event ID 41 because the power to the computer was interrupted, consider obtaining an uninterruptible power supply (UPS) such as a battery backup power supply.
 - **Check for overheating**. Examine the internal temperature of the hardware and check for any overheating components.
 If you perform these checks and still cannot isolate the problem, set the system to its default configuration and verify whether the issue still occurs.
 > [!NOTE]  
 > If you see a Stop error message that includes a bug check code, but Event ID 41 does not include that code, change the restart behavior for the computer. To do this, follow these steps:
 >  
 > 1. Right-click **My Computer**, then select **Properties** > **Advanced system settings** > **Advanced**.
 > 1. In the **Startup and Recovery** section, select **Settings**.
 > 1. Clear the **Automatically restart** check box.
--- a/windows/deployment/volume-activation/vamt-known-issues.md
+++ b/windows/deployment/volume-activation/vamt-known-issues.md
@ -20,39 +20,33 @@ ms.custom:
 # VAMT known issues
-The following list and the section that follows contain the current known issues regarding the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1.
+The current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1, include:
 - VAMT Windows Management Infrastructure (WMI) remote operations might take longer to execute if the target computer is in a sleep or standby state.
- When opening a Computer Information List (CIL file) that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. Users must update the product status again to obtain the edition information.
+- When you open a Computer Information List (CIL) file that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. You must update the product status again to obtain the edition information.
- The remaining activation count can only be retrieved for MAKs.
+- The remaining activation count can only be retrieved for Multiple Activation Key (MAKs).
-## Can't add CSVLKs for Windows 10 activation to VAMT 3.1
+## Workarounds for adding CSVLKs for Windows 10 activation to VAMT 3.1
-When you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the following error message:
+Another known issue is that when you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the error message shown here.
 > The specified product key is invalid, or is unsupported by this version of VAMT. An update to support additional products may be available online.
 ![VAMT error message](./images/vamt-known-issue-message.png)
-This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key.
+This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods.
-### Workaround
+### Method 1
-To work around this issue, use one of the following methods.
+Do not add the CSVLK to the VAMT 3.1 tool. Instead, use the **slmgr.vbs /ipk \<*CSVLK*>** command to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the Slmgr.vbs tool, see [Slmgr.vbs options for obtaining volume activation information](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
-**Method 1**
+### Method 2
-Do not add the CSVLK to the VAMT 3.1 tool. Instead, use the **slmgr.vbs /ipk \<*CSVLK*>** command-line tool to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the Slmgr.vbs tool, see [Slmgr.vbs options for obtaining volume activation information](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
+On the KMS host computer, perform the following steps:
 **Method 2**
 On the KMS host computer, follow these steps:
 1. Download the hotfix from [July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/3172614/).
-1. In Windows Explorer, right-click **485392_intl_x64_zip**, and then extract the hotfix to **C:\KB3058168**.
+1. In Windows Explorer, right-click **485392_intl_x64_zip** and extract the hotfix to C:\KB3058168.
-1. To extract the contents of the update, open a Command Prompt window and run the following command:
+1. To extract the contents of the update, run the following command:
   ```cmd
   expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\
@ -64,6 +58,6 @@ On the KMS host computer, follow these steps:
   expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168
   ```
-1. In the "C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716\" folder, copy the **pkeyconfig-csvlk.xrm-ms** file. Paste this file to the "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig" folder.
+1. In the C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716 folder, copy the pkeyconfig-csvlk.xrm-ms file. Paste this file into the C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig folder.
 1. Restart VAMT.
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -42,6 +42,7 @@
 #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
 ### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
 #### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
 ### [Endpoint detection and response]()
 #### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
@ -114,21 +115,21 @@
 #### [Advanced hunting schema reference]()
 ##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
 ##### [AlertEvents](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
-##### [FileCreationEvents](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
+##### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md)
-##### [ImageLoadEvents](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
+##### [DeviceImageLoadEvents](microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md)
-##### [LogonEvents](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
+##### [DeviceLogonEvents](microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md)
-##### [MachineInfo](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
+##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md)
-##### [MachineNetworkInfo](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
+##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md)
-##### [MiscEvents](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
+##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md)
-##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
+##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md)
-##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
+##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md)
-##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
+##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md)
 ##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md)
 ##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md)
 ##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md)
 ##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
 #### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
-#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
+#### [Stream advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
 #### [Custom detections]()
 ##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
@ -367,6 +368,7 @@
 ###### [Hello World](microsoft-defender-atp/api-hello-world.md)
 ###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md)
 ###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
 ###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
 ##### [APIs]()
 ###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
@ -1,6 +1,6 @@
 ---
-title: AlertEvents table in the Advanced hunting schema
+title: AlertEvents table in the advanced hunting schema
-description: Learn about alert generation events in the AlertEvents table of the Advanced hunting schema
+description: Learn about alert generation events in the AlertEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, alertevents, alert, severity, category
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@ -26,25 +26,25 @@ ms.date: 10/08/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The AlertEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
+The `AlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
+For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| AlertId | string | Unique identifier for the alert |
+| `AlertId` | string | Unique identifier for the alert |
-| EventTime | datetime | Date and time when the event was recorded |
+| `Timestamp` | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
+| `DeviceId` | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
-| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
+| `Severity` | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
-| Category | string | Type of threat indicator or breach activity identified by the alert |
+| `Category` | string | Type of threat indicator or breach activity identified by the alert |
-| Title | string | Title of the alert |
+| `Title` | string | Title of the alert |
-| FileName | string | Name of the file that the recorded action was applied to |
+| `FileName` | string | Name of the file that the recorded action was applied to |
-| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
+| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
+| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| RemoteIP | string | IP address that was being connected to |
+| `RemoteIP` | string | IP address that was being connected to |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| Table | string | Table that contains the details of the event |
+| `Table` | string | Table that contains the details of the event |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@ -1,6 +1,6 @@
 ---
-title: Query best practices for Advanced hunting
+title: Query best practices for advanced hunting
-description: Learn how to construct fast, efficient, and error-free threat hunting queries when using Advanced hunting
+description: Learn how to construct fast, efficient, and error-free threat hunting queries when using advanced hunting
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@ -41,14 +41,14 @@ Apply these recommendations to get results faster and avoid timeouts while runni
 ## Query tips and pitfalls
 ### Queries with process IDs
-Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `MachineId` or `ComputerName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
+Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
 The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
-```
+```kusto
-NetworkCommunicationEvents
+DeviceNetworkEvents
-| where RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4)
+| where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4)
-| summarize RemoteIPCount=dcount(RemoteIP) by ComputerName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
+| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
 | where RemoteIPCount > 10
 ```
@ -68,19 +68,19 @@ To create more durable queries using command lines, apply the following practice
 The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
-```
+```kusto
 // Non-durable query - do not use
-ProcessCreationEvents
+DeviceProcessEvents
 | where ProcessCommandLine == "net stop MpsSvc"
 | limit 10
 // Better query - filters on filename, does case-insensitive matches
-ProcessCreationEvents
+DeviceProcessEvents
-| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc" 
+| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc" 
 // Best query also ignores quotes
-ProcessCreationEvents
+DeviceProcessEvents
-| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe")
+| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe")
 | extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)
 | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" 
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
@ -0,0 +1,86 @@
 ---
 title: DeviceEvents table in the advanced hunting schema
 description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, MiscEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # DeviceEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the machine in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
 | `ActionType` | string | Type of activity that triggered the event |
 | `FileName` | string | Name of the file that the recorded action was applied to |
 | `FolderPath` | string | Folder containing the file that the recorded action was applied to |
 | `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
 | `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
 | `MD5` | string | MD5 hash of the file that the recorded action was applied to |
 | `AccountDomain` | string | Domain of the account |
 | `AccountName` |string | User name of the account |
 | `AccountSid` | string | Security Identifier (SID) of the account |
 | `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
 | `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
 | `ProcessId` | int | Process ID (PID) of the newly created process |
 | `ProcessCommandLine` | string | Command line used to create the new process |
 | `ProcessCreationTime` | datetime | Date and time the process was created |
 | `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
 | `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
 | `RegistryKey` | string | Registry key that the recorded action was applied to |
 | `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
 | `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
 | `RemoteIP` | string | IP address that was being connected to |
 | `RemotePort` | int | TCP port on the remote device that was being connected to |
 | `LocalIP` | string | IP address assigned to the local machine used during communication |
 | `LocalPort` | int | TCP port on the local machine used during communication |
 | `FileOriginUrl` | string | URL where the file was downloaded from |
 | `FileOriginIP` | string | IP address where the file was downloaded from |
 | `AdditionalFields` | string | Additional information about the event in JSON array format |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
@ -0,0 +1,78 @@
 ---
 title: DeviceFileEvents table in the advanced hunting schema 
 description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5, FileCreationEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # DeviceFileEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see  [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the machine in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
 | `ActionType` | string | Type of activity that triggered the event |
 | `FileName` | string | Name of the file that the recorded action was applied to |
 | `FolderPath` | string | Folder containing the file that the recorded action was applied to |
 | `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
 | `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
 | `MD5` | string | MD5 hash of the file that the recorded action was applied to |
 | `FileOriginUrl` | string | URL where the file was downloaded from |
 | `FileOriginReferrerUrl` | string | URL of the web page that links to the downloaded file |
 | `FileOriginIP` | string | IP address where the file was downloaded from |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessIntegrityLevel` | string | integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `RequestProtocol` | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
 | `ShareName` | string | Name of shared folder containing the file |
 | `RequestSourceIP` | string | IPv4 or IPv6 address of the remote device that initiated the activity |
 | `RequestSourcePort` | string | Source port on the remote device that initiated the activity |
 | `RequestAccountName` | string | User name of account used to remotely initiate the activity |
 | `RequestAccountDomain` | string | Domain of the account used to remotely initiate the activity |
 | `RequestAccountSid` | string | Security Identifier (SID) of the account to remotely initiate the activity |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `SensitivityLabel` | string | Label applied to an email, file, or other content to classify it for information protection |
 | `SensitivitySubLabel` | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
 | `IsAzureInfoProtectionApplied` | boolean | Indicates whether the file is encrypted by Azure Information Protection |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
@ -0,0 +1,64 @@
 ---
 title: DeviceImageLoadEvents table in the advanced hunting schema
 description: Learn about DLL loading events in the DeviceImageLoadEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image, ImageLoadEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # DeviceImageLoadEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceImageLoadEvents table` in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the machine in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
 | `ActionType` | string | Type of activity that triggered the event |
 | `FileName` | string | Name of the file that the recorded action was applied to |
 | `FolderPath` | string | Folder containing the file that the recorded action was applied to |
 | `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
 | `MD5` | string | MD5 hash of the file that the recorded action was applied to |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
@ -0,0 +1,53 @@
 ---
 title: DeviceInfo table in the advanced hunting schema
 description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, machine, OS, platform, users, MachineInfo 
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # DeviceInfo
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the machine in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
 | `ClientVersion` | string | Version of the endpoint agent or sensor running on the machine |
 | `PublicIP` | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy |
 | `OSArchitecture` | string | Architecture of the operating system running on the machine |
 | `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
 | `OSBuild` | string | Build version of the operating system running on the machine |
 | `IsAzureADJoined` | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
 | `LoggedOnUsers` | string | List of all users that are logged on the machine at the time of the event in JSON array format |
 | `RegistryDeviceTag` | string | Machine tag added through the registry |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
 | `OSVersion` | string | Version of the operating system running on the machine |
 | `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
@ -0,0 +1,72 @@
 ---
 title: DeviceLogonEvents table in the advanced hunting schema
 description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in, LogonEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # DeviceLogonEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the machine in the service |
 | `DeviceName` | string	| Fully qualified domain name (FQDN) of the machine |
 | `ActionType` | string |Type of activity that triggered the event |
 | `AccountDomain` | string | Domain of the account |
 | `AccountName` | string | User name of the account |
 | `AccountSid` | string | Security Identifier (SID) of the account |
 | `LogonType` | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
 | `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
 | `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name  or a host name without domain information |
 | `RemoteIP` | string | IP address that was being connected to |
 | `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
 | `RemotePort` | int | TCP port on the remote device that was being connected to |
 | `AdditionalFields` | string | Additional information about the event in JSON array format |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the machine |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
@ -0,0 +1,68 @@
 ---
 title: DeviceNetworkEvents table in the advanced hunting schema
 description: Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip, NetworkCommunicationEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # DeviceNetworkEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceNetworkEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the machine in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
 | `ActionType` | string | Type of activity that triggered the event |
 | `RemoteIP` | string | IP address that was being connected to |
 | `RemotePort` | int | TCP port on the remote device that was being connected to |
 | `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
 | `LocalIP` | string | IP address assigned to the local machine used during communication |
 | `LocalPort` | int | TCP port on the local machine used during communication |
 | `Protocol` | string | IP protocol used, whether TCP or UDP |
 | `LocalIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
 | `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
@ -0,0 +1,54 @@
 ---
 title: DeviceNetworkInfo table in the advanced hunting schema
 description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel, MachineNetworkInfo
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # DeviceNetworkInfo
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the machine in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `NetworkAdapterName` | string | Name of the network adapter |
 | `MacAddress` | string | MAC address of the network adapter |
 | `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
 | `NetworkAdapterStatus` | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
 | `TunnelType` | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
 | `ConnectedNetworks` | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
 | `DnsAddresses` | string | DNS server addresses in JSON array format |
 | `IPv4Dhcp` | string | IPv4 address of DHCP server |
 | `IPv6Dhcp` | string | IPv6 address of DHCP server |
 | `DefaultGateways` | string | Default gateway addresses in JSON array format |
 | `IPAddresses` | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
@ -0,0 +1,76 @@
 ---
 title: DeviceProcessEvents table in the advanced hunting schema
 description: Learn about the process spawning or creation events in the DeviceProcessEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line, ProcessCreationEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # DeviceProcessEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the machine in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
 | `ActionType` | string | Type of activity that triggered the event |
 | `FileName` | string | Name of the file that the recorded action was applied to |
 | `FolderPath` | string | Folder containing the file that the recorded action was applied to |
 | `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
 | `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
 | `MD5` | string | MD5 hash of the file that the recorded action was applied to |
 | `ProcessId` | int | Process ID (PID) of the newly created process |
 | `ProcessCommandLine` | string | Command line used to create the new process |
 | `ProcessIntegrityLevel` | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
 | `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
 | `ProcessCreationTime` | datetime | Date and time the process was created |
 | `AccountDomain` | string | Domain of the account |
 | `AccountName` | string | User name of the account |
 | `AccountSid` | string | Security Identifier (SID) of the account |
 | `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
 | `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
@ -0,0 +1,66 @@
 ---
 title: DeviceRegistryEvents table in the advanced hunting schema
 description: Learn about registry events you can query from the DeviceRegistryEvents table of the advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value, RegistryEvents
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # DeviceRegistryEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The `DeviceRegistryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
 For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` | datetime | Date and time when the event was recorded |
 | `DeviceId` | string | Unique identifier for the machine in the service |
 | `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
 | `ActionType` | string | Type of activity that triggered the event |
 | `RegistryKey` | string | Registry key that the recorded action was applied to |
 | `RegistryValueType` | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
 | `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
 | `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
 | `PreviousRegistryValueName` | string | Original name of the registry value before it was modified |
 | `PreviousRegistryValueData` | string | Original data of the registry value before it was modified |
 | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
 | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
 | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
 | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
 | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
 | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
 | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
 | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
 | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
 | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
 | `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
 | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
@ -1,78 +0,0 @@
 ---
 title: FileCreationEvents table in the Advanced hunting schema 
 description: Learn about file-related events in the FileCreationEvents table of the Advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, filecreationevents, files, path, hash, sha1, sha256, md5
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # FileCreationEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The FileCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
 For information on other tables in the Advanced hunting schema, see  [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | EventTime | datetime | Date and time when the event was recorded |
 | MachineId | string | Unique identifier for the machine in the service |
 | ComputerName | string | Fully qualified domain name (FQDN) of the machine |
 | ActionType | string | Type of activity that triggered the event |
 | FileName | string | Name of the file that the recorded action was applied to |
 | FolderPath | string | Folder containing the file that the recorded action was applied to |
 | SHA1 | string | SHA-1 of the file that the recorded action was applied to |
 | SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
 | MD5 | string | MD5 hash of the file that the recorded action was applied to |
 | FileOriginUrl | string | URL where the file was downloaded from |
 | FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
 | FileOriginIP | string | IP address where the file was downloaded from |
 | InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
 | InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
 | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
 | InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
 | InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
 | InitiatingProcessFileName | string | Name of the process that initiated the event |
 | InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
 | InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
 | InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
 | InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
 | RequestProtocol | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
 | ShareName | string | Name of shared folder containing the file |
 | RequestSourceIP | string | IPv4 or IPv6 address of the remote device that initiated the activity |
 | RequestSourcePort | string | Source port on the remote device that initiated the activity |
 | RequestAccountName | string | User name of account used to remotely initiate the activity |
 | RequestAccountDomain | string | Domain of the account used to remotely initiate the activity |
 | RequestAccountSid | string | Security Identifier (SID) of the account to remotely initiate the activity |
 | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
 | SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
 | IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
@ -1,64 +0,0 @@
 ---
 title: ImageLoadEvents table in the Advanced hunting schema
 description: Learn about DLL loading events in the ImageLoadEvents table of the Advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, imageloadevents, DLL loading, library, file image
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # ImageLoadEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The ImageLoadEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | EventTime | datetime | Date and time when the event was recorded |
 | MachineId | string | Unique identifier for the machine in the service |
 | ComputerName | string | Fully qualified domain name (FQDN) of the machine |
 | ActionType | string | Type of activity that triggered the event |
 | FileName | string | Name of the file that the recorded action was applied to |
 | FolderPath | string | Folder containing the file that the recorded action was applied to |
 | SHA1 | string | SHA-1 of the file that the recorded action was applied to |
 | MD5 | string | MD5 hash of the file that the recorded action was applied to |
 | InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
 | InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
 | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
 | InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
 | InitiatingProcessFileName | string | Name of the process that initiated the event |
 | InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
 | InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
 | InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
 | InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
 | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
 | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
@ -1,72 +0,0 @@
 ---
 title: LogonEvents table in the Advanced hunting schema
 description: Learn about authentication or sign-in events in the LogonEvents table of the Advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, logonevents, authentication, logon, sign in
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # LogonEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The LogonEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | EventTime | datetime | Date and time when the event was recorded |
 | MachineId | string | Unique identifier for the machine in the service |
 | ComputerName | string	| Fully qualified domain name (FQDN) of the machine |
 | ActionType | string |Type of activity that triggered the event |
 | AccountDomain | string | Domain of the account |
 | AccountName | string | User name of the account |
 | AccountSid | string | Security Identifier (SID) of the account |
 | LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
 | LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
 | RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name  or a host name without domain information |
 | RemoteIP | string | IP address that was being connected to |
 | RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
 | RemotePort | int | TCP port on the remote device that was being connected to |
 | AdditionalFields | string | Additional information about the event in JSON array format |
 | InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
 | InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
 | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
 | InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
 | InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
 | InitiatingProcessFileName | string | Name of the process that initiated the event |
 | InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
 | InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
 | InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
 | InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
 | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
 | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
@ -1,53 +0,0 @@
 ---
 title: MachineInfo table in the Advanced hunting schema
 description: Learn about OS, computer name, and other machine information in the MachineInfo table of the Advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, machineinfo, device, machine, OS, platform, users
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # MachineInfo
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The MachineInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | EventTime | datetime | Date and time when the event was recorded |
 | MachineId | string | Unique identifier for the machine in the service |
 | ComputerName | string | Fully qualified domain name (FQDN) of the machine |
 | ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
 | PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy |
 | OSArchitecture | string | Architecture of the operating system running on the machine |
 | OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
 | OSBuild | string | Build version of the operating system running on the machine |
 | IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
 | LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
 | RegistryMachineTag | string | Machine tag added through the registry |
 | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
 | OSVersion | string | Version of the operating system running on the machine |
 | MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
@ -1,54 +0,0 @@
 ---
 title: MachineNetworkInfo table in the Advanced hunting schema
 description: Learn about network configuration information in the MachineNetworkInfo table of the Advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, machinenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # MachineNetworkInfo
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The MachineNetworkInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | EventTime | datetime | Date and time when the event was recorded |
 | MachineId | string | Unique identifier for the machine in the service |
 | ComputerName | string | Fully qualified domain name (FQDN) of the machine |
 | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
 | NetworkAdapterName | string | Name of the network adapter |
 | MacAddress | string | MAC address of the network adapter |
 | NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
 | NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
 | TunnelType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
 | ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
 | DnsAddresses | string | DNS server addresses in JSON array format |
 | IPv4Dhcp | string | IPv4 address of DHCP server |
 | IPv6Dhcp | string | IPv6 address of DHCP server |
 | DefaultGateways | string | Default gateway addresses in JSON array format |
 | IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
@ -1,85 +0,0 @@
 ---
 title: MiscEvents table in the advanced hunting schema
 description: Learn about antivirus, firewall, and other event types in the miscellaneous events (MiscEvents) table of the Advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # MiscEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The miscellaneous events or MiscEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | EventTime | datetime | Date and time when the event was recorded |
 | MachineId | string | Unique identifier for the machine in the service |
 | ComputerName | string | Fully qualified domain name (FQDN) of the machine |
 | ActionType | string | Type of activity that triggered the event |
 | FileName | string | Name of the file that the recorded action was applied to |
 | FolderPath | string | Folder containing the file that the recorded action was applied to |
 | SHA1 | string | SHA-1 of the file that the recorded action was applied to |
 | SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
 | MD5 | string | MD5 hash of the file that the recorded action was applied to |
 | AccountDomain | string | Domain of the account |
 | AccountName |string | User name of the account |
 | AccountSid | string | Security Identifier (SID) of the account |
 | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
 | RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
 | ProcessId | int | Process ID (PID) of the newly created process |
 | ProcessCommandLine | string | Command line used to create the new process |
 | ProcessCreationTime | datetime | Date and time the process was created |
 | ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
 | LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
 | RegistryKey | string | Registry key that the recorded action was applied to |
 | RegistryValueName | string | Name of the registry value that the recorded action was applied to |
 | RegistryValueData | string | Data of the registry value that the recorded action was applied to |
 | RemoteIP | string | IP address that was being connected to |
 | RemotePort | int | TCP port on the remote device that was being connected to |
 | LocalIP | string | IP address assigned to the local machine used during communication |
 | LocalPort | int | TCP port on the local machine used during communication |
 | FileOriginUrl | string | URL where the file was downloaded from |
 | FileOriginIP | string | IP address where the file was downloaded from |
 | AdditionalFields | string | Additional information about the event in JSON array format |
 | InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
 | InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
 | InitiatingProcessFileName | string | Name of the process that initiated the event |
 | InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
 | InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
 | InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
 | InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
 | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
 | InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
 | InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
 | InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
 | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts |
 | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
@ -1,68 +0,0 @@
 ---
 title: NetworkCommunicationEvents table in the Advanced hunting schema
 description: Learn about network connection events you can query from the NetworkCommunicationEvents table of the Advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, networkcommunicationevents, network connection, remote ip, local ip
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # NetworkCommunicationEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The NetworkCommunicationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | EventTime | datetime | Date and time when the event was recorded |
 | MachineId | string | Unique identifier for the machine in the service |
 | ComputerName | string | Fully qualified domain name (FQDN) of the machine |
 | ActionType | string | Type of activity that triggered the event |
 | RemoteIP | string | IP address that was being connected to |
 | RemotePort | int | TCP port on the remote device that was being connected to |
 | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
 | LocalIP | string | IP address assigned to the local machine used during communication |
 | LocalPort | int | TCP port on the local machine used during communication |
 | Protocol | string | IP protocol used, whether TCP or UDP |
 | LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
 | RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
 | InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
 | InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
 | InitiatingProcessFileName | string | Name of the process that initiated the event |
 | InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
 | InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
 | InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
 | InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
 | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
 | InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
 | InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
 | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
@ -1,5 +1,5 @@
 ---
-title: Overview of Advanced hunting
+title: Overview of advanced hunting
 description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto
 search.product: eADQiWindows 10XVcnh
@ -18,7 +18,7 @@ ms.topic: article
 ms.date: 10/08/2019
 ---
-# Proactively hunt for threats with Advanced hunting
+# Proactively hunt for threats with advanced hunting
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -28,9 +28,9 @@ Advanced hunting is a query-based threat-hunting tool that lets you explore up t
 You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines.
-## Get started with Advanced hunting
+## Get started with advanced hunting
-We recommend going through several steps to quickly get up and running with Advanced hunting.
+We recommend going through several steps to quickly get up and running with advanced hunting.
 | Learning goal | Description | Resource |
 |--|--|--|
@ -41,7 +41,7 @@ We recommend going through several steps to quickly get up and running with Adva
 ## Get help as you write queries
 Take advantage of the following functionality to write queries faster:
- **Autosuggest** — as you write queries, Advanced hunting provides suggestions. 
+- **Autosuggest** — as you write queries, advanced hunting provides suggestions. 
 - **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
 ## Drilldown from query results
@ -54,14 +54,14 @@ Right-click a value in the result set to quickly enhance your query. You can use
 - Exclude the selected value from the query (`!=`)
 - Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with` 
-![Image of Microsoft Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
+![Image of Microsoft Defender ATP advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
 ## Filter the query results
 The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
 Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude.
-![Image of Advanced hunting filter](images/atp-filter-advanced-hunting.png)
+![Image of advanced hunting filter](images/atp-filter-advanced-hunting.png)
 Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
@ -1,76 +0,0 @@
 ---
 title: ProcessCreationEvents table in the Advanced hunting schema
 description: Learn about the process spawning or creation events in the ProcessCreationEvents table of the Advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, processcreationevents, process id, command line
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # ProcessCreationEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The ProcessCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | EventTime | datetime | Date and time when the event was recorded |
 | MachineId | string | Unique identifier for the machine in the service |
 | ComputerName | string | Fully qualified domain name (FQDN) of the machine |
 | ActionType | string | Type of activity that triggered the event |
 | FileName | string | Name of the file that the recorded action was applied to |
 | FolderPath | string | Folder containing the file that the recorded action was applied to |
 | SHA1 | string | SHA-1 of the file that the recorded action was applied to |
 | SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
 | MD5 | string | MD5 hash of the file that the recorded action was applied to |
 | ProcessId | int | Process ID (PID) of the newly created process |
 | ProcessCommandLine | string | Command line used to create the new process |
 | ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
 | ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
 | ProcessCreationTime | datetime | Date and time the process was created |
 | AccountDomain | string | Domain of the account |
 | AccountName | string | User name of the account |
 | AccountSid | string | Security Identifier (SID) of the account |
 | LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
 | InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
 | InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
 | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
 | InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
 | InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
 | InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
 | InitiatingProcessFileName | string | Name of the process that initiated the event |
 | InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
 | InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
 | InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
 | InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
 | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
 | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
@ -1,6 +1,6 @@
 ---
-title: Learn the Advanced hunting query language
+title: Learn the advanced hunting query language
-description: Create your first threat hunting query and learn about common operators and other aspects of the Advanced hunting query language
+description: Create your first threat hunting query and learn about common operators and other aspects of the advanced hunting query language
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@ -18,14 +18,15 @@ ms.topic: article
 ms.date: 10/08/2019
 ---
-# Learn the Advanced hunting query language
+# Learn the advanced hunting query language
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 > [!TIP]
 > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query.
+Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query.
 ## Try your first query
@ -33,37 +34,37 @@ In Microsoft Defender Security Center, go to **Advanced hunting** to run your fi
 ```kusto
 // Finds PowerShell execution events that could involve a download.
-ProcessCreationEvents  
+DeviceProcessEvents  
-| where EventTime > ago(7d)
+| where Timestamp > ago(7d)
 | where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE") 
 | where ProcessCommandLine has "Net.WebClient"
        or ProcessCommandLine has "DownloadFile"
        or ProcessCommandLine has "Invoke-WebRequest"
        or ProcessCommandLine has "Invoke-Shellcode"
        or ProcessCommandLine contains "http:"
-| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
+| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
-| top 100 by EventTime
+| top 100 by Timestamp
 ```
-This is how it will look like in Advanced hunting.
+This is how it will look like in advanced hunting.
-![Image of Microsoft Defender ATP Advanced hunting query](images/advanced-hunting-query-example.png)
+![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example.png)
 ### Describe the query and specify the table to search
 The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
 ```kusto
 // Finds PowerShell execution events that could involve a download.
-ProcessCreationEvents
+DeviceProcessEvents
 ```
-The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding  with the table name `ProcessCreationEvents` and add piped elements as needed.
+The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding  with the table name `DeviceProcessEvents` and add piped elements as needed.
 ### Set the time range
 The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
 ```kusto
-| where EventTime > ago(7d)
+| where Timestamp > ago(7d)
 ```
 ### Search for specific executable files
 The time range is immediately followed by a search for files representing the PowerShell application.
@ -85,48 +86,48 @@ Afterwards, the query looks for command lines that are typically used with Power
 Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
 ```kusto
-| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
+| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
-| top 100 by EventTime
+| top 100 by Timestamp
 ```
 Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
-## Learn common query operators for Advanced hunting
+## Learn common query operators for advanced hunting
-Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by Advanced hunting supports a range of operators, including the following common ones.
+Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones.
 | Operator | Description and usage |
 |--|--|
-| **`where`** | Filter a table to the subset of rows that satisfy a predicate. |
+| `where` | Filter a table to the subset of rows that satisfy a predicate. |
-| **`summarize`** | Produce a table that aggregates the content of the input table. |
+| `summarize` | Produce a table that aggregates the content of the input table. |
-| **`join`** | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
+| `join` | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
-| **`count`** | Return the number of records in the input record set. |
+| `count` | Return the number of records in the input record set. |
-| **`top`** | Return the first N records sorted by the specified columns. |
+| `top` | Return the first N records sorted by the specified columns. |
-| **`limit`** | Return up to the specified number of rows. |
+| `limit` | Return up to the specified number of rows. |
-| **`project`** | Select the columns to include, rename or drop, and insert new computed columns. |
+| `project` | Select the columns to include, rename or drop, and insert new computed columns. |
-| **`extend`** | Create calculated columns and append them to the result set. |
+| `extend` | Create calculated columns and append them to the result set. |
-| **`makeset`** |  Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
+| `makeset` |  Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
-| **`find`** | Find rows that match a predicate across a set of tables. |
+| `find` | Find rows that match a predicate across a set of tables. |
-To see a live example of these operators, run them from the **Get started** section of the Advanced hunting page.
+To see a live example of these operators, run them from the **Get started** section of the advanced hunting page.
 ## Understand data types
-Data in Advanced hunting tables are generally classified into the following data types.
+Data in advanced hunting tables are generally classified into the following data types.
 | Data type | Description and query implications |
 |--|--|
-| **datetime** | Data and time information typically representing event timestamps |
+| `datetime` | Data and time information typically representing event timestamps |
-| **string** | Character string |
+| `string` | Character string |
-| **bool** | True or false |
+| `bool` | True or false |
-| **int** | 32-bit numeric value  |
+| `int` | 32-bit numeric value  |
-| **long** | 64-bit numeric value |
+| `long` | 64-bit numeric value |
 ## Use sample queries
 The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
-![Image of Advanced hunting window](images/atp-advanced-hunting.png)
+![Image of advanced hunting window](images/atp-advanced-hunting.png)
 > [!NOTE]
 > Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
@ -140,4 +141,5 @@ For detailed information about the query language, see [Kusto query language doc
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
 > [!TIP]
 > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
@ -1,66 +0,0 @@
 ---
 title: RegistryEvents table in the Advanced hunting schema
 description: Learn about registry events you can query from the RegistryEvents table of the Advanced hunting schema
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, registryevents, registry, key, subkey, value
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: lomayor
 author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # RegistryEvents
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The RegistryEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | EventTime | datetime | Date and time when the event was recorded |
 | MachineId | string | Unique identifier for the machine in the service |
 | ComputerName | string | Fully qualified domain name (FQDN) of the machine |
 | ActionType | string | Type of activity that triggered the event |
 | RegistryKey | string | Registry key that the recorded action was applied to |
 | RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
 | RegistryValueName | string | Name of the registry value that the recorded action was applied to |
 | RegistryValueData | string | Data of the registry value that the recorded action was applied to |
 | PreviousRegistryValueName | string | Original name of the registry value before it was modified |
 | PreviousRegistryValueData | string | Original data of the registry value before it was modified |
 | InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
 | InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
 | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
 | InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
 | InitiatingProcessFileName | string | Name of the process that initiated the event |
 | InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
 | InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
 | InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
 | InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
 | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
 | InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@ -1,6 +1,6 @@
 ---
 title: Advanced hunting schema reference
-description: Learn about the tables in the Advanced hunting schema to understand the data you can run threat hunting queries on 
+description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on 
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@ -18,7 +18,7 @@ ms.topic: article
 ms.date: 10/08/2019
 ---
-# Understand the Advanced hunting schema
+# Understand the advanced hunting schema
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -27,26 +27,26 @@ ms.date: 10/08/2019
 [!include[Prerelease information](../../includes/prerelease.md)]
-The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
+The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.
 ## Schema tables
-The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.
+The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table.
-Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen.
+Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the advanced hunting screen.
 | Table name | Description |
 |------------|-------------|
 | **[AlertEvents](advanced-hunting-alertevents-table.md)** | Alerts on Microsoft Defender Security Center |
-| **[MachineInfo](advanced-hunting-machineinfo-table.md)** | Machine information, including OS information |
+| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Machine information, including OS information |
-| **[MachineNetworkInfo](advanced-hunting-machinenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
+| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
-| **[ProcessCreationEvents](advanced-hunting-processcreationevents-table.md)** | Process creation and related events |
+| **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events |
-| **[NetworkCommunicationEvents](advanced-hunting-networkcommunicationevents-table.md)** | Network connection and related events |
+| **[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)** | Network connection and related events |
-| **[FileCreationEvents](advanced-hunting-filecreationevents-table.md)** | File creation, modification, and other file system events |
+| **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events |
-| **[RegistryEvents](advanced-hunting-registryevents-table.md)** | Creation and modification of registry entries |
+| **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | Creation and modification of registry entries |
-| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events |
+| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events |
-| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events |
+| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
-| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
+| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
 | **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
 | **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
 | **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
@ -1,5 +1,5 @@
 ---
-title: Use shared queries in Advanced hunting
+title: Use shared queries in advanced hunting
 description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization.
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
 search.product: eADQiWindows 10XVcnh
@ -18,7 +18,7 @@ ms.topic: article
 ms.date: 10/08/2019
 ---
-# Use shared queries in Advanced hunting
+# Use shared queries in advanced hunting
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -54,10 +54,10 @@ You can save a new or existing query so that it is only accessible to you or sha
 2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query.
 ## Access queries in the GitHub repository  
-Microsoft security researchers regularly share Advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/). 
+Microsoft security researchers regularly share advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/). 
 >[!TIP]
->Microsoft security researchers also provide Advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
+>Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
@ -1,5 +1,5 @@
 ---
-title: DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema
+title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema
 description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information. 
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment  
 search.product: eADQiWindows 10XVcnh
@ -28,21 +28,21 @@ ms.date: 11/12/2019
 [!include[Prerelease information](../../includes/prerelease.md)]
-Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
+Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| MachineId | string | Unique identifier for the machine in the service |
+| `DeviceId` | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
-| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
+| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
-| Timestamp | datetime |Date and time when the record was generated |
+| `Timestamp` | datetime |Date and time when the record was generated |
-| ConfigurationId | string | Unique identifier for a specific configuration |
+| `ConfigurationId` | string | Unique identifier for a specific configuration |
-| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
+| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
-| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
+| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
-| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
+| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
-| IsCompliant | boolean | Indicates whether the configuration or policy is properly configured |
+| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
 ## Related topics
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
@ -1,5 +1,5 @@
 ---
-title: DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema
+title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema
 description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. 
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
 search.product: eADQiWindows 10XVcnh
@ -28,22 +28,22 @@ ms.date: 11/12/2019
 [!include[Prerelease information](../../includes/prerelease.md)]
-The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
+The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| ConfigurationId | string | Unique identifier for a specific configuration |
+| `ConfigurationId` | string | Unique identifier for a specific configuration |
-| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
+| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
-| ConfigurationName | string | Display name of the configuration |
+| `ConfigurationName` | string | Display name of the configuration |
-| ConfigurationDescription | string | Description of the configuration |
+| `ConfigurationDescription` | string | Description of the configuration |
-| RiskDescription | string | Description of the associated risk |
+| `RiskDescription` | string | Description of the associated risk |
-| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
+| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
-| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
+| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
-| ConfigurationBenchmarks | string | List of industry benchmarks recommending the same or similar configuration |
+| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration |
-| RelatedMitreTechniques | string | List of Mitre ATT&CK framework techniques related to the configuration |
+| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration |
-| RelatedMitreTactics  | string | List of Mitre ATT&CK framework tactics related to the configuration |
+| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration |
 ## Related topics
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
@ -1,6 +1,6 @@
 ---
-title: DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema
+title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
-description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the Advanced hunting schema.
+description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@ -29,22 +29,22 @@ ms.date: 11/12/2019
 [!include[Prerelease information](../../includes/prerelease.md)]
-The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
+The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| MachineId | string | Unique identifier for the machine in the service |
+| `DeviceId` | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
-| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
+| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
-| OSVersion | string | Version of the operating system running on the machine |
+| `OSVersion` | string | Version of the operating system running on the machine |
-| OSArchitecture | string | Architecture of the operating system running on the machine |
+| `OSArchitecture` | string | Architecture of the operating system running on the machine |
-| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
+| `SoftwareVendor` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
-| SoftwareName | string | Name of the software product |
+| `SoftwareName` | string | Name of the software product |
-| SoftwareVersion | string | Version number of the software product |
+| `SoftwareVersion` | string | Version number of the software product |
-| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
+| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
-| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
+| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
@ -1,6 +1,6 @@
 ---
-title: DeviceTvmSoftwareVulnerabilitiesKB  table in the Advanced hunting schema
+title: DeviceTvmSoftwareVulnerabilitiesKB  table in the advanced hunting schema
-description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the Advanced hunting schema. 
+description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema. 
 keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB 
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@ -28,20 +28,20 @@ ms.date: 11/12/2019
 [!include[Prerelease information](../../includes/prerelease.md)]
-The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
+The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
+| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
-| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
+| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
-| IsExploitAvailable | boolean | Indicates whether exploit code for the vulnerability is publicly available |
+| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available |
-| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
+| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
-| LastModifiedTime | datetime | Date and time the item or related metadata was last modified |
+| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified |
-| PublishedDate | datetime | Date vulnerability was disclosed to public |
+| `PublishedDate` | datetime | Date vulnerability was disclosed to public |
-| VulnerabilityDescription | string | Description of vulnerability and associated risks |
+| `VulnerabilityDescription` | string | Description of vulnerability and associated risks |
-| AffectedSoftware | string | List of all software products affected by the vulnerability |
+| `AffectedSoftware` | string | List of all software products affected by the vulnerability |
 ## Related topics
--- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
-# Microsoft Defender ATP Flow connector
+# Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
--- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
@ -43,7 +43,7 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a
 ```
 	let 
-		AdvancedHuntingQuery = "MiscEvents | where ActionType contains 'Anti'",
+		AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti'",
 		HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries",
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@ -46,12 +46,12 @@ For information about configuring attack surface reduction rules, see [Enable at
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
-You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to understand how attack surface reduction rules could affect your environment.
+You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
 Here is an example query:
-```PowerShell
+```kusto
-MiscEvents
+DeviceEvents
 | where ActionType startswith 'Asr'
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@ -35,6 +35,7 @@ When an alert is triggered, a security playbook goes into effect. Depending on t
 >[!NOTE]
 >Currently, automated investigation only supports the following OS versions:
 >- Windows Server 2019
 >- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
 >- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
 >- Later versions of Windows 10
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@ -69,6 +69,9 @@ The following steps will guide you through onboarding VDI machines and will high
 4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
    >[!NOTE]
    >Domain Group Policy may also be used for onboarding non-persistent VDI machines.
 5. Depending on the method you'd like to implement, follow the appropriate steps: <br>
  **For single entry for each machine**:<br>
  Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. <br><br>
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@ -51,12 +51,12 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
 Here is an example query
 ```PowerShell
-MiscEvents
+DeviceEvents
 | where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@ -34,17 +34,17 @@ Custom detection rules built from [Advanced hunting](advanced-hunting-overview.m
 In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
 #### Required columns in the query results
-To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
+To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
-There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `MachineId`, you can still return `EventTime` and `ReportId` by getting them from the most recent event involving each machine. 
+There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine. 
-The sample query below counts the number of unique machines (`MachineId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `EventTime` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
+The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
-```
+```kusto
-MiscEvents
+DeviceEvents
-| where EventTime > ago(7d)
+| where Timestamp > ago(7d)
 | where ActionType == "AntivirusDetection"
-| summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId
+| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
 | where count_ > 5
 ```
@ -76,7 +76,7 @@ Whenever a rule runs, similar detections on the same machine could be aggregated
 Your custom detection rule can automatically take actions on files or machines that are returned by the query.
 #### Actions on machines
-These actions are applied to machines in the `MachineId` column of the query results:
+These actions are applied to machines in the `DeviceId` column of the query results:
 - **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network)
 - **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines)
 - **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine
@ -117,7 +117,7 @@ You can also take the following actions on the rule from this page:
 - **Run** — run the rule immediately. This also resets the interval for the next run.
 - **Edit** — modify the rule without changing the query
- **Modify query** — edit the query in Advanced hunting
+- **Modify query** — edit the query in advanced hunting
 - **Turn on** / **Turn off** — enable the rule or stop it from running
 - **Delete** — turn off the rule and remove it
@ -127,5 +127,5 @@ You can also take the following actions on the rule from this page:
 ## Related topic
 - [Custom detections overview](overview-custom-detections.md)
 - [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the Advanced hunting query language](advanced-hunting-query-language.md)
+- [Learn the advanced hunting query language](advanced-hunting-query-language.md)
 - [View and organize alerts](alerts-queue.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@ -10,9 +10,9 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
-author: levinec
+author: denisebmsft
-ms.author: ellevin
+ms.author: deniseb
-ms.date: 05/09/2019
+ms.date: 01/08/2020
 ms.reviewer: 
 manager: dansimp
 ---
@ -23,51 +23,50 @@ manager: dansimp
 * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
+[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps.
 > [!IMPORTANT]
 > .NET 2.0 is not compatible with some exploit protection capabilities, specifically, Export Address Filtering (EAF) and Import Address Filtering (IAF). If you have enabled .NET 2.0, usage of EAF and IAF are not supported.
 Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
 You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
 You can enable each mitigation separately by using any of these methods:
-* [Windows Security app](#windows-security-app)
+- [Windows Security app](#windows-security-app)
-* [Microsoft Intune](#intune)
+- [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mdm)
+- [Mobile Device Management (MDM)](#mdm)
-* [System Center Configuration Manager (SCCM)](#sccm)
+- [System Center Configuration Manager (SCCM)](#sccm)
-* [Group Policy](#group-policy)
+- [Group Policy](#group-policy)
-* [PowerShell](#powershell)
+- [PowerShell](#powershell)
-They are configured by default in Windows 10.
+Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.
 You can set each mitigation to on, off, or to its default value.
 Some mitigations have additional options.
 You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines.
 You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
 ## Windows Security app
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
+2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**.
-3. Go to **Program settings** and choose the app you want to apply mitigations to:
+3. Go to **Program settings** and choose the app you want to apply mitigations to. <br/>
    - If the app you want to configure is already listed, click it and then click **Edit**.
    - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. <br/>
        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-    1. If the app you want to configure is already listed, click it and then click **Edit**
+4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows.
    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
        * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
        * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
+5. Repeat steps 3-4 for all the apps and mitigations you want to configure.
-5. Repeat this for all the apps and mitigations you want to configure.
+6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:<br/>
    - **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
    - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
    - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
-6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
+7. Repeat step 6 for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
    * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
    * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
    * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
 7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
@ -78,51 +77,45 @@ Enabled in **Program settings** | Enabled in **System settings** | Behavior
 [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
 [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
-**Example 1**
+### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default
-Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
+Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
 Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
 The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
-**Example 2**
+### Example 2: Josie configures Data Execution Prevention in system settings to be off by default
-Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
+Josie adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Josie enables the **Override system settings** option and sets the switch to **On**.
-Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
+Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
-Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
+The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.
 The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
 CFG will be enabled for *miles.exe*.
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-3. Go to **Program settings** and choose the app you want to apply mitigations to:
+3. Go to **Program settings** and choose the app you want to apply mitigations to.<br/>
-
+    - If the app you want to configure is already listed, click it and then click **Edit**.
-    1. If the app you want to configure is already listed, click it and then click **Edit**
+    - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.<br/>
-    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
+        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
        * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
-5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 ## Intune
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-1. Click **Device configuration** > **Profiles** > **Create profile**.
+2. Click **Device configuration** > **Profiles** > **Create profile**.
-1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
   ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
-1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.  
+4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.  
-1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:  
+5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:  
   ![Enable network protection in Intune](../images/enable-ep-intune.png)
-1. Click **OK** to save each open blade and click **Create**.
+6. Click **OK** to save each open blade and click **Create**.
-1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
+7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 ## MDM
@ -131,21 +124,19 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
 ## SCCM
 1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
+2. Click **Home** > **Create Exploit Guard Policy**.
-1. Enter a name and a description, click **Exploit protection**, and click **Next**.
+3. Enter a name and a description, click **Exploit protection**, and click **Next**.
-1. Browse to the location of the exploit protection XML file and click **Next**.
+4. Browse to the location of the exploit protection XML file and click **Next**.
-1. Review the settings and click **Next** to create the policy.
+5. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+6. After the policy is created, click **Close**.
 ## Group Policy
 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
+2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
-1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
+3. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
 1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
 ## PowerShell
@ -230,7 +221,7 @@ Validate handle usage | App-level only |   StrictHandle  | Audit not available
 Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available
 Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available
-<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
+<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for DLLs for a process:
 ```PowerShell
 Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@ -152,7 +152,7 @@ You can also use [Advanced hunting](advanced-hunting-query-language.md) to query
 After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if your attacks triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature.
-Hunt for attack evidence through Advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
+Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
 ## Simulation results
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@ -49,12 +49,12 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how exploit protection settings could affect your environment.
 Here is an example query:
-```PowerShell
+```kusto
-MiscEvents
+DeviceEvents
 | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
@ -0,0 +1,239 @@
 ---
 title: Create an Application to access Microsoft Defender ATP without a user
 ms.reviewer: 
 description: Learn how to design a web app to get programmatic access to Microsoft Defender ATP without a user.
 keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ---
 # Partner access through Microsoft Defender ATP APIs
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
 This page describes how to create an AAD application to get programmatic access to Microsoft Defender ATP on behalf of your customers.
 Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
 In general, you’ll need to take the following steps to use the APIs:
 - Create a **multi-tenant** AAD application.
 - Get authorized(consent) by your customer administrator for your application to access Microsoft Defender ATP resources it needs.
 - Get an access token using this application.
 - Use the token to access Microsoft Defender ATP API.
 The following steps with guide you how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token.
 <br>**To become an official partner of Microsoft Defender ATP and appear in our partner page, you will provide us with your application identifier.**
 ## Create the multi-tenant app
 1. Log on to your [Azure tenant](https://portal.azure.com) with user that has **Global Administrator** role.
 2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**. 
   ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app2.png)
 3. In the registration form:
 	- Choose a name for your application.
 	- Supported account types - accounts in any organizational directory.
 	- Redirect URI - type: Web, URI: https://portal.azure.com
 	![Image of Microsoft Azure partner application registration](images/atp-api-new-app-partner.png)
 4. Allow your Application to access Microsoft Defender ATP and assign it with the minimal set of permissions required to complete the integration.
   - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
   - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
   ![Image of API access and API selection](images/add-permission.png)
   ### Request API permissions
   To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. For instance:
   - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
   - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
   In the following example we will use **'Read all alerts'** permission:
   Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions**
   ![Image of API access and API selection](images/application-permissions.png)
 5. Click **Grant consent**
 	- **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
 	![Image of Grant permissions](images/grant-consent.png)
 6. Add a secret to the application.
 	- Click **Certificates & secrets**, add description to the secret and click **Add**.
    **Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
    ![Image of create app key](images/webapp-create-key2.png)
 7. Write down your application ID:
   - On your application page, go to **Overview** and copy the following:
   ![Image of created app id](images/app-id.png)
 8. Add the application to your customer's tenant.
    You need your application to be approved in each customer tenant where you intend to use it. This is because your application interacts with Microsoft Defender ATP application on behalf of your customer.
    A user with **Global Administrator** from your customer's tenant need to click the consent link and approve your application.
    Consent link is of the form:
    ```
    https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
    ```
    Where 00000000-0000-0000-0000-000000000000 should be replaced with your Application ID
 	After clicking on the consent link, login with the Global Administrator of the customer's tenant and consent the application.
 	![Image of consent](images/app-consent-partner.png)
 	In addition, you will need to ask your customer for their tenant ID and save it for future use when acquiring the token.
 - **Done!** You have successfully registered an application! 
 - See examples below for token acquisition and validation.
 ## Get an access token examples:
 **Note:** to get access token on behalf of your customer, use the customer's tenant ID on the following token acquisitions.
 <br>For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
 ### Using PowerShell
 ```
 # That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
 # Paste below your Tenant ID, App ID and App Secret (App key).
 $tenantId = '' ### Paste your tenant ID here
 $appId = '' ### Paste your Application ID here
 $appSecret = '' ### Paste your Application key here
 $resourceAppIdUri = 'https://api.securitycenter.windows.com'
 $oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
 $authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
 }
 $authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
 $token = $authResponse.access_token
 Out-File -FilePath "./Latest-token.txt" -InputObject $token
 return $token
 ```
 ### Using C#:
 >The below code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory
 - Create a new Console Application
 - Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
 - Add the below using
    ```
    using Microsoft.IdentityModel.Clients.ActiveDirectory;
    ```
 - Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
    ```
    string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
    string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
    string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place! 
    const string authority = "https://login.windows.net";
    const string wdatpResourceId = "https://api.securitycenter.windows.com";
    AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/");
    ClientCredential clientCredential = new ClientCredential(appId, appSecret);
    AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult();
    string token = authenticationResult.AccessToken;
    ```
 ### Using Python
 Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
 ### Using Curl
 > [!NOTE]
 > The below procedure supposed Curl for Windows is already installed on your computer
 - Open a command window
 - Set CLIENT_ID to your Azure application ID
 - Set CLIENT_SECRET to your Azure application secret
 - Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender ATP application
 - Run the below command:
 ```
 curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k
 ```
 You will get an answer of the form:
 ```
 {"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}
 ```
 ## Validate the token
 Sanity check to make sure you got a correct token:
 - Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
 - Validate you get a 'roles' claim with the desired permissions
 - In the screenshot below, you can see a decoded token acquired from an Application with multiple permissions to Microsoft Defender ATP:
 - The "tid" claim is the tenant ID the token belongs to.
 ![Image of token validation](images/webapp-decoded-token.png)
 ## Use the token to access Microsoft Defender ATP API
 - Choose the API you want to use, for more information, see [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
 - Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme)
 - The Expiration time of the token is 1 hour (you can send more then one request with the same token)
 - Example of sending a request to get a list of alerts **using C#** 
    ```
    var httpClient = new HttpClient();
    var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
    var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
    // Do something useful with the response
    ```
 ## Related topics
 - [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
 - [Access Microsoft Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
@ -32,7 +32,7 @@ In this section we share PowerShell samples to
 **Prerequisite**: You first need to [create an app](apis-intro.md).
-## Preparation Instructions
+## Preparation instructions
 - Open a PowerShell window.
 - If your policy does not allow you to run the PowerShell commands, you can run the below command:
--- a/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/app-consent-partner.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/app-consent-partner.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/app-id.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/app-id.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/atp-api-new-app-partner.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/atp-api-new-app-partner.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_securityrecommendation-graph.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_securityrecommendation-graph.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-decoded-token.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-decoded-token.png
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
@ -59,4 +59,4 @@ Learn how to use data sensitivity labels to prioritize incident investigation.
 >[!TIP]
->These data points are also exposed through the ‘FileCreationEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status. 
+>These data points are also exposed through the ‘DeviceFileEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status. 
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
@ -60,12 +60,12 @@ Event's information:
 ## Hunt for connection events using advanced hunting 
-All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the `ConnecionSuccess` action type.
+All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the DeviceNetworkEvents table under the `ConnecionSuccess` action type.
 Using this simple query will show you all the relevant events:
 ```
-NetworkCommunicationEvents
+DeviceNetworkEvents
 | where ActionType == "ConnectionSuccess" 
 | take 10
 ```
@ -77,7 +77,7 @@ You can also filter out  events that are related to connection to the proxy itse
 Use the following query to filter out the connections to the proxy:
 ```
-NetworkCommunicationEvents
+DeviceNetworkEvents
 | where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"  
 | take 10
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@ -52,12 +52,12 @@ Windows 10 version 1709 or later | [Windows Defender AV real-time protection](..
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how network protection settings would affect your environment if they were enabled.
 Here is an example query
-```PowerShell
+```kusto
-MiscEvents
+DeviceEvents
 | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@ -341,6 +341,7 @@
 ###### [Hello World](api-hello-world.md)
 ###### [Get access with application context](exposed-apis-create-app-webapp.md)
 ###### [Get access with user context](exposed-apis-create-app-nativeapp.md)
 ###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
 ##### [APIs]()
 ###### [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
@ -1,7 +1,7 @@
 ---
 title: Overview of custom detections in Microsoft Defender ATP
 ms.reviewer: 
-description: Understand how you can use Advanced hunting to create custom detections and generate alerts
+description: Understand how you can use advanced hunting to create custom detections and generate alerts
 keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, interval, mdatp, microsoft defender atp
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@ -28,7 +28,7 @@ With custom detections, you can proactively monitor for and respond to various e
 Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
 Custom detections provide:
- Alerts for rule-based detections built from Advanced hunting queries
+- Alerts for rule-based detections built from advanced hunting queries
 - Automatic response actions that apply to files and machines
 >[!NOTE]
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@ -43,12 +43,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 ## Preview features
 The following features are included in the preview release:
 - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR>Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019.
 - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR>Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
 - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) <BR> You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
 - [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR> You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
 - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).  
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@ -159,7 +159,7 @@ When an exception is created for a recommendation, the recommendation is no long
 6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past). 
 ![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png) 
-## Use Advanced hunting query to search for machines with High active alerts or critical CVE public exploit 
+## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit 
 1. Go to **Advanced hunting** from the left-hand navigation pane.
@ -167,17 +167,17 @@ When an exception is created for a recommendation, the recommendation is no long
 3. Enter the following queries:
-```
+```kusto
 // Search for machines with High active alerts or Critical CVE public exploit 
 DeviceTvmSoftwareInventoryVulnerabilities 
 | join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId 
 | where IsExploitAvailable == 1 and CvssScore >= 7
 | summarize NumOfVulnerabilities=dcount(CveId), 
-ComputerName=any(ComputerName) by MachineId 
+DeviceName=any(DeviceName) by DeviceId 
-| join kind =inner(AlertEvents) on MachineId  
+| join kind =inner(AlertEvents) on DeviceId  
 | summarize NumOfVulnerabilities=any(NumOfVulnerabilities), 
-ComputerName=any(ComputerName) by MachineId, AlertId 
+DeviceName=any(DeviceName) by DeviceId, AlertId 
-| project ComputerName, NumOfVulnerabilities, AlertId  
+| project DeviceName, NumOfVulnerabilities, AlertId  
 | order by NumOfVulnerabilities desc 
 ```
@ -210,5 +210,5 @@ After you have identified which software and software versions are vulnerable du
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [All advanced hunting tables](advanced-hunting-reference.md)
 - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@ -21,7 +21,8 @@ ms.date: 04/11/2019
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+> [!TIP]
 > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
 [!include[Prerelease information](../../includes/prerelease.md)]
@ -43,13 +44,18 @@ Each machine in the organization is scored based on three important factors: thr
 You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need, as you require it. 
-There are security recommendations for application, operating system, network, accounts, and security controls. 
+From the menu, select **Security recommendations** to get an overview of the running list with its weaknesses, related components, application, operating system, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities.
 ![Screenshot of Security recommendations page](images/tvm_securityrecommendation-graph.png)
 >[!NOTE]
 > The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens per change, which means an increase or decrease of even a single machine will change the graph's color.
 In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. 
 The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value.   
-You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, how many exposed devices are associated with the security recommendation, vulnerabilities, and other threats.
+You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, vulnerabilities, other threats found, how many exposed devices are associated with the security recommendation, and business impact of each security recommendation on the organizational exposure and configuration score.
 From that page, you can do any of the following depending on what you need to do:
@ -77,8 +83,8 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
 5. Include your machine name for investigation context.
->[!NOTE]
+    >[!TIP]
-> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. 
+    > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. 
 6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@ -98,7 +98,7 @@ For more information preview features, see [Preview features](https://docs.micro
 - [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)<BR> Controlled folder access is now supported on Windows Server 2019.
- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)<BR>With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. 
+- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)<BR>With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the creation of custom detection rules. 
 - [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)<BR> Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
@ -124,7 +124,7 @@ Threat Analytics is a set of interactive reports published by the Microsoft Defe
 ## March 2018
 - [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) <BR>
-Query data using Advanced hunting in Microsoft Defender ATP.
+Query data using advanced hunting in Microsoft Defender ATP.
 - [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)<BR>
    New attack surface reduction rules: 
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 10/18/2019
+ms.date: 01/09/2020
 ms.reviewer: 
 manager: dansimp
 ms.custom: nextgen
@ -30,7 +30,7 @@ Keeping your antivirus protection up to date is critical. There are two componen
 - *Where* the updates are downloaded from; and 
 - *When* updates are downloaded and applied. 
-This article describes the *where* - how to specify where updates should be downloaded from (this is also known as the fallback order). See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
+This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
 > [!IMPORTANT]
 > Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday, October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to update your security intelligence. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).  
@ -40,7 +40,7 @@ This article describes the *where* - how to specify where updates should be down
 ## Fallback order
-Typically, you configure endpoints to individually download updates from a primary source, followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used.
+Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used.
 When updates are published, some logic is applied to minimize the size of the update. In most cases, only the differences between the latest update and the update that is currently installed (this is referred to as the delta) on the device is downloaded and applied. However, the size of the delta depends on two main factors:
 - The age of the last update on the device; and 
@ -73,16 +73,13 @@ Each source has typical scenarios that depend on how your network is configured,
 |System Center Configuration Manager | You are using System Center Configuration Manager to update your endpoints.|
 |Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. <br/>Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
 You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI.
 > [!IMPORTANT]
 > If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
 The procedures in this article first describe how to set the order, and then how to set up the **File share** option if you have enabled it.
 ## Use Group Policy to manage the update location
 1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
@ -103,7 +100,7 @@ The procedures in this article first describe how to set the order, and then how
   4. Double-click the **Define file shares for downloading security intelligence updates** setting and set the option to **Enabled**.
-   5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://docs.microsoft.com/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`.  If you do not enter any paths then this source will be skipped when the VM downloads updates.
+   5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://docs.microsoft.com/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`.  If you do not enter any paths, then this source will be skipped when the VM downloads updates.
   6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
@ -124,7 +121,7 @@ Use the following PowerShell cmdlets to set the update order.
 Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
 Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH}
 ```
-See the following for more information:
+See the following articles for more information:
 - [Set-MpPreference -SignatureFallbackOrder](https://docs.microsoft.com/powershell/module/defender/set-mppreference)
 - [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
 - [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
@ -139,13 +136,21 @@ SignatureFallbackOrder
 SignatureDefinitionUpdateFileSharesSource
 ```
-See the following for more information:
+See the following articles for more information:
 - [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
 ## Use Mobile Device Management (MDM) to manage the update location
 See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-signatureupdatefallbackorder) for details on configuring MDM.
 ## What if we're using a third-party vendor?
 This article describes how to configure and manage updates for Windows Defender Antivirus. However, third-party vendors can be used to perform these tasks. 
 For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Windows Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus), [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus), or [Windows command-line](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to deploy patches and updates. 
 > [!NOTE]
 > Microsoft does not test third-party solutions for managing Windows Defender Antivirus.
 ## Related articles
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@ -79,7 +79,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
    - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in Microsoft 365 E5. See [Microsoft 365 Enterprise overview](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview) for more details.)
    - Your organization's devices must be managed by [Intune](https://docs.microsoft.com/intune/device-management-capabilities).
-    - Your Windows machines must be running [Windows OS 1903](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) or later.
+    - Your Windows machines must be running [Windows OS 1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) or later.
    - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above)
    - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). (See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).)
@ -99,7 +99,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
 ### To which Windows OS versions is configuring Tamper Protection is applicable?
-Windows 1903 May release
+[Windows 1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) or later
 ### Is configuring Tamper Protection in Intune supported on servers?
@ -109,7 +109,7 @@ No
 No, third-party antivirus will continue to register with the Windows Security application.
-### What happens if Microsoft Defender Antivirus is not active on a device?
+### What happens if Windows Defender Antivirus is not active on a device?
 Tamper Protection will not have any impact on such devices.
--- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
@ -0,0 +1,58 @@
 ---
 title: Why you should use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection
 description: For best results, use Windows Defender Antivirus together with your other Microsoft offerings.
 keywords: windows defender, antivirus
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro 
 ms.topic: article 
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
 ms.date: 01/07/2020
 ms.reviewer: 
 manager: dansimp
 ---
 # Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). 
 Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is Windows Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services. 
 ## 10 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP
 | |Advantage  |Why it matters |
 |--|--|--|
 |1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
 |2|Threat analytics and your secure score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
 |3|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).|
 |4|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).|
 |5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).|
 |6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).|
 |7|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) |
 |8|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). |
 |9|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
 |10|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). |
 ## Learn more
 [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
 [Threat & Vulnerability Management](../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
`@ -59,4 +59,4 @@ Learn how to use data sensitivity labels to prioritize incident investigation.`


	`>[!TIP]`	`>[!TIP]`
	`>These data points are also exposed through the ‘FileCreationEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.`	`>These data points are also exposed through the ‘DeviceFileEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.`