Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)

2025-06-18 11:53:37 +00:00 · 2019-10-09 17:59:33 +00:00
parent 8435756986 2e5a32cbbc
commit 6ae6541110
49 changed files with 238 additions and 166 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -877,7 +877,7 @@
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language",
 "redirect_document_id": true
 },
 {
@ -887,10 +887,25 @@
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection",
 "redirect_document_id": true
@ -1573,7 +1588,7 @@
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-hunting",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview",
 "redirect_document_id": true
 },
 {
--- a/browsers/edge/emie-to-improve-compatibility.md
+++ b/browsers/edge/emie-to-improve-compatibility.md
@ -20,6 +20,9 @@ ms.localizationpriority: medium
 > Applies to: Windows 10
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 If you have specific websites and apps that have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites open in Internet Explorer 11 automatically. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to automatically open using IE11 with the **Send all intranet sites to IE** group policy.
 Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
--- a/browsers/edge/group-policies/address-bar-settings-gp.md
+++ b/browsers/edge/group-policies/address-bar-settings-gp.md
@ -18,6 +18,9 @@ ms.sitesec: library
 # Address bar 
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services by hiding the functionality of the Address bar drop-down list.
 You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
--- a/browsers/edge/group-policies/adobe-settings-gp.md
+++ b/browsers/edge/group-policies/adobe-settings-gp.md
@ -18,6 +18,9 @@ ms.sitesec: library
 # Adobe Flash 
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content.
 To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). 
--- a/browsers/edge/group-policies/books-library-management-gp.md
+++ b/browsers/edge/group-policies/books-library-management-gp.md
@ -18,6 +18,9 @@ ms.sitesec: library
 # Books Library 
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder in Windows. You can configure Microsoft Edge to update the configuration data for the library automatically or gather diagnostic data, such as usage data. 
--- a/browsers/edge/group-policies/browser-settings-management-gp.md
+++ b/browsers/edge/group-policies/browser-settings-management-gp.md
@ -18,6 +18,9 @@ ms.sitesec: library
 # Browser experience 
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Not only do the other Microsoft Edge group policies enhance the browsing experience, but we also want to mention some of the other and common browsing experiences.  For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. The same goes for Pop-up Blocker; Microsoft Edge has a group policy that lets you prevent pop-up windows or let users choose to use Pop-up Blocker. You can use any one of the following group policies to continue enhancing the browsing experience for your users.
--- a/browsers/edge/group-policies/developer-settings-gp.md
+++ b/browsers/edge/group-policies/developer-settings-gp.md
@ -18,6 +18,9 @@ ms.sitesec: library
 # Developer tools 
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page.  You can prevent users from using the F12 developer tools or from accessing the about:flags page.
 You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
--- a/browsers/edge/group-policies/extensions-management-gp.md
+++ b/browsers/edge/group-policies/extensions-management-gp.md
@ -18,6 +18,9 @@ ms.sitesec: library
 # Extensions 
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions.  
 You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
--- a/browsers/edge/group-policies/favorites-management-gp.md
+++ b/browsers/edge/group-policies/favorites-management-gp.md
@ -18,6 +18,9 @@ ms.sitesec: library
 # Favorites 
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages.  Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other. 
 >[!TIP]
--- a/browsers/edge/group-policies/home-button-gp.md
+++ b/browsers/edge/group-policies/home-button-gp.md
@ -16,6 +16,9 @@ ms.topic: reference
 # Home button 
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. 
 ## Relevant group policies
--- a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md
+++ b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md
@ -16,6 +16,9 @@ ms.topic: reference
 # Interoperability and enterprise mode guidance
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support.
 >[!TIP] 
--- a/browsers/edge/group-policies/new-tab-page-settings-gp.md
+++ b/browsers/edge/group-policies/new-tab-page-settings-gp.md
@ -17,6 +17,9 @@ ms.topic: reference
 # New Tab page  
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Microsoft Edge loads the default New tab page by default.  With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes.  You can also load a blank page instead or let the users choose what loads. 
 >[!NOTE]
--- a/browsers/edge/group-policies/prelaunch-preload-gp.md
+++ b/browsers/edge/group-policies/prelaunch-preload-gp.md
@ -13,6 +13,9 @@ ms.topic: reference
 # Prelaunch Microsoft Edge and preload tabs in the background 
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user.  Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. You can also configure Microsoft Edge to prevent Microsoft Edge from pre-launching.  
 Additionally, Microsoft Edge preloads the Start and New Tab pages during Windows sign in, which minimizes the amount of time required to start Microsoft Edge and load a new tab.  You can also configure Microsoft Edge to prevent preloading of tabs. 
--- a/browsers/edge/group-policies/search-engine-customization-gp.md
+++ b/browsers/edge/group-policies/search-engine-customization-gp.md
@ -13,6 +13,9 @@ ms.topic: reference
 # Search engine customization 
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Microsoft Edge, by default, uses the search engine specified in App settings, which lets users make changes. You can prevent users from making changes and still use the search engine specified in App settings by disabling the Allow search engine customization policy. You can also use the policy-set search engine specified in the OpenSearch XML file in which you can configure up to five additional search engines and setting any one of them as the default. 
 ## Relevant group policies
--- a/browsers/edge/group-policies/security-privacy-management-gp.md
+++ b/browsers/edge/group-policies/security-privacy-management-gp.md
@ -13,6 +13,9 @@ ms.topic: reference
 # Security and privacy 
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. Because Microsoft Edge is designed like a Universal Windows app, changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the different content processes all live within app container sandboxes. 
 Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system. 
--- a/browsers/edge/group-policies/start-pages-gp.md
+++ b/browsers/edge/group-policies/start-pages-gp.md
@ -16,6 +16,9 @@ ms.topic: reference
 # Start pages 
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. 
 ## Relevant group policies
--- a/browsers/edge/group-policies/sync-browser-settings-gp.md
+++ b/browsers/edge/group-policies/sync-browser-settings-gp.md
@ -13,6 +13,8 @@ ms.topic: reference
 # Sync browser settings  
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. 
--- a/browsers/edge/group-policies/telemetry-management-gp.md
+++ b/browsers/edge/group-policies/telemetry-management-gp.md
@ -13,6 +13,9 @@ ms.topic: reference
 # Telemetry and data collection 
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
 Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information.
 You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@ -138,6 +138,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
 1. **Windows Defender**
   1. [Defender/AllowCloudProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection). Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)** 
   1. [Defender/SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). Stop sending file samples back to Microsoft. **Set to 2 (two)**
   1. [Defender/EnableSmartScreenInShell](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings#mdm-settings). Turns off SmartScreen in Windows for app and file execution. **Set to 0 (zero)**
   1. Windows Defender Smartscreen - [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Disable Windows Defender Smartscreen. **Set to 0 (zero)**
   1. Windows Defender Smartscreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** 
   1. Windows Defender Potentially Unwanted Applications(PUA) Protection - [Defender/PUAProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-puaprotection). Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)**
@ -164,6 +165,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
 |client.wns.windows.com|
 |crl.microsoft.com/pki/crl/*|
 |ctldl.windowsupdate.com|
 |*displaycatalog.mp.microsoft.com|
 |dm3p.wns.windows.com|
 |\*microsoft.com/pkiops/\*|
 |ocsp.digicert.com/*|
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@ -1437,15 +1437,15 @@ To turn this Off in the UI:
 -OR-
- Create a REG_DWORD registry setting named **EnableActivityFeed** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**
+- Create a REG_DWORD registry setting named **EnableActivityFeed** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 2 (two)**
     -and-
- Create a REG_DWORD registry setting named **PublishUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**
+- Create a REG_DWORD registry setting named **PublishUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 2 (two)**
     -and-
- Create a REG_DWORD registry setting named **UploadUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**
+- Create a REG_DWORD registry setting named **UploadUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 2 (two)**
 ### <a href="" id="bkmk-voice-act"></a>18.23 Voice Activation
@ -1466,11 +1466,11 @@ To turn this Off in the UI:
 -OR-
- Create a REG_DWORD registry setting named **LetAppsActivateWithVoice** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 0 (zero)**
+- Create a REG_DWORD registry setting named **LetAppsActivateWithVoice** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**
     -and-
- Create a REG_DWORD registry setting named **PublishUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 0 (zero)**
+- Create a REG_DWORD registry setting named **LetAppsActivateWithVoiceAboveLock** in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy** with a **value of 2 (two)**
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@ -60,7 +60,7 @@ If the error occurs again, check the error code against the following table to s
 <tr class="odd">
 <td align="left">0x80090036</td>
-<td align="left">User cancelled an interactive dialog</td>
+<td align="left">User canceled an interactive dialog</td>
 <td align="left">User will be asked to try again</td>
 </tr>
 <tr class="even">
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -107,11 +107,11 @@
 ### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
 ### [Advanced hunting]()
-#### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md)
+#### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md)
-#### [Learn the query language](microsoft-defender-atp/advanced-hunting.md)
+#### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md)
 #### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
 #### [Advanced hunting schema reference]()
-##### [Understand the schema](microsoft-defender-atp/advanced-hunting-reference.md)
+##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
 ##### [AlertEvents](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
 ##### [FileCreationEvents](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
 ##### [ImageLoadEvents](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
@ -1,21 +1,21 @@
 ---
-title: AlertEvents table in the advanced hunting schema
+title: AlertEvents table in the Advanced hunting schema
-description: Learn about the AlertEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+description: Learn about alert generation events in the AlertEvents table of the Advanced hunting schema
-keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, alertevent
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, alertevents, alert, severity, category
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: v-maave
+ms.author: lomayor
-author: martyav
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 07/24/2019
+ms.date: 10/08/2019
 ---
 # AlertEvents
@ -26,9 +26,9 @@ ms.date: 07/24/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The AlertEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
+The AlertEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
@ -47,6 +47,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | Table | string | Table that contains the details of the event |
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@ -1,7 +1,7 @@
 ---
-title: Advanced hunting best practices in Microsoft Defender ATP
+title: Query best practices for Advanced hunting
-description: Learn about Advanced hunting best practices such as what filters and keywords to use to effectively query data.
+description: Learn how to construct fast, efficient, and error-free threat hunting queries when using Advanced hunting
-keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, kusto
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@ -15,7 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 09/25/2019
+ms.date: 10/08/2019
 ---
 # Advanced hunting query best practices
@ -88,6 +88,6 @@ ProcessCreationEvents
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
@ -1,21 +1,21 @@
 ---
 title: FileCreationEvents table in the Advanced hunting schema 
-description: Learn about the FileCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+description: Learn about file-related events in the FileCreationEvents table of the Advanced hunting schema
-keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, filecreationevents
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, filecreationevents, files, path, hash, sha1, sha256, md5
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: v-maave
+ms.author: lomayor
-author: martyav
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 07/24/2019
+ms.date: 10/08/2019
 ---
 # FileCreationEvents
@ -26,9 +26,9 @@ ms.date: 07/24/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The FileCreationEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
+The FileCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see  [the Advanced hunting schema reference](advanced-hunting-reference.md).
+For information on other tables in the Advanced hunting schema, see  [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
@ -73,6 +73,6 @@ For information on other tables in the Advanced hunting schema, see  [the Advanc
 | IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
@ -1,21 +1,21 @@
 ---
 title: ImageLoadEvents table in the Advanced hunting schema
-description: Learn about the ImageLoadEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+description: Learn about DLL loading events in the ImageLoadEvents table of the Advanced hunting schema
-keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, imageloadevents
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, imageloadevents, DLL loading, library, file image
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: v-maave
+ms.author: lomayor
-author: martyav
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 07/24/2019
+ms.date: 10/08/2019
 ---
 # ImageLoadEvents
@ -26,9 +26,9 @@ ms.date: 07/24/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The ImageLoadEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
+The ImageLoadEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
@ -59,6 +59,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
@ -1,21 +1,21 @@
 ---
 title: LogonEvents table in the Advanced hunting schema
-description: Learn about the LogonEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+description: Learn about authentication or sign-in events in the LogonEvents table of the Advanced hunting schema
-keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, logonevents
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, logonevents, authentication, logon, sign in
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: v-maave
+ms.author: lomayor
-author: martyav
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 07/24/2019
+ms.date: 10/08/2019
 ---
 # LogonEvents
@ -26,9 +26,9 @@ ms.date: 07/24/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The LogonEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
+The LogonEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
@ -67,6 +67,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine |
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
@ -1,21 +1,21 @@
 ---
 title: MachineInfo table in the Advanced hunting schema
-description: Learn about the MachineInfo table in the Advanced hunting schema, such as column names, data types, and descriptions
+description: Learn about OS, computer name, and other machine information in the MachineInfo table of the Advanced hunting schema
-keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machineinfo
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, machineinfo, device, machine, OS, platform, users
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: v-maave
+ms.author: lomayor
-author: martyav
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 07/24/2019
+ms.date: 10/08/2019
 ---
 # MachineInfo
@ -26,9 +26,9 @@ ms.date: 07/24/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The MachineInfo table in the [Advanced hunting](overview-hunting.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
+The MachineInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
@ -48,6 +48,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
@ -1,21 +1,21 @@
 ---
 title: MachineNetworkInfo table in the Advanced hunting schema
-description: Learn about the MachineNetworkInfo table in the Advanced hunting schema, such as column names, data types, and descriptions
+description: Learn about network configuration information in the MachineNetworkInfo table of the Advanced hunting schema
-keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machinenetworkinfo
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, machinenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: v-maave
+ms.author: lomayor
-author: martyav
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 07/24/2019
+ms.date: 10/08/2019
 ---
 # MachineNetworkInfo
@ -26,9 +26,9 @@ ms.date: 07/24/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The MachineNetworkInfo table in the [Advanced hunting](overview-hunting.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
+The MachineNetworkInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
@ -49,6 +49,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
@ -1,21 +1,21 @@
 ---
 title: MiscEvents table in the advanced hunting schema
-description: Learn about the MiscEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+description: Learn about antivirus, firewall, and other event types in the miscellaneous events (MiscEvents) table of the Advanced hunting schema
-keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, miscEvents
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: v-maave
+ms.author: lomayor
-author: martyav
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 07/24/2019
+ms.date: 10/08/2019
 ---
 # MiscEvents
@ -26,9 +26,9 @@ ms.date: 07/24/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The MiscEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
+The miscellaneous events or MiscEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
@ -80,6 +80,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
@ -1,21 +1,21 @@
 ---
 title: NetworkCommunicationEvents table in the Advanced hunting schema
-description: Learn about the NetworkCommunicationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+description: Learn about network connection events you can query from the NetworkCommunicationEvents table of the Advanced hunting schema
-keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, networkcommunicationevents
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, networkcommunicationevents, network connection, remote ip, local ip
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: v-maave
+ms.author: lomayor
-author: martyav
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 07/24/2019
+ms.date: 10/08/2019
 ---
 # NetworkCommunicationEvents
@ -26,9 +26,9 @@ ms.date: 07/24/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The NetworkCommunicationEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
+The NetworkCommunicationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
@ -63,6 +63,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
@ -1,7 +1,7 @@
 ---
 title: Overview of Advanced hunting
-description: Hunt for possible threats across your organization using a powerful search and query tool
+description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
-keywords: advanced hunting, hunting, search, query, tool, telemetry, custom detection, schema, kusto
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@ -15,6 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 10/08/2019
 ---
 # Proactively hunt for threats with Advanced hunting
@ -33,8 +34,8 @@ We recommend going through several steps to quickly get up and running with Adva
 | Learning goal | Description | Resource |
 |--|--|--|
-| **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting.md) |
+| **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) |
-| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-reference.md) |
+| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
 | **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
 | **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | [Custom detections overview](overview-custom-detections.md) |  
@ -65,8 +66,8 @@ Refine your query by selecting the "+" or "-" buttons next to the values that yo
 Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
 ## Related topics
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
 - [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
 - [Custom detections overview](overview-custom-detections.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
@ -1,21 +1,21 @@
 ---
 title: ProcessCreationEvents table in the Advanced hunting schema
-description: Learn about the ProcessCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+description: Learn about the process spawning or creation events in the ProcessCreationEvents table of the Advanced hunting schema
-keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, processcreationevents
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, processcreationevents, process id, command line
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: v-maave
+ms.author: lomayor
-author: martyav
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 07/24/2019
+ms.date: 10/08/2019
 ---
 # ProcessCreationEvents
@ -26,9 +26,9 @@ ms.date: 07/24/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The ProcessCreationEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
+The ProcessCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
@ -71,6 +71,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
@ -1,7 +1,7 @@
 ---
 title: Learn the Advanced hunting query language
-description: Get an overview of the common operators and other aspects of the Advanced hunting query language you can use to formulate queries
+description: Create your first threat hunting query and learn about common operators and other aspects of the Advanced hunting query language
-keywords: advanced hunting, atp query, query atp data, atp telemetry, events, events telemetry, kusto
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@ -15,7 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 09/25/2019
+ms.date: 10/08/2019
 ---
 # Learn the Advanced hunting query language
@ -25,7 +25,7 @@ ms.date: 09/25/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query.
+Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query.
 ## Try your first query
@ -138,6 +138,6 @@ For more information on Kusto query language and supported operators, see  [Quer
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Understand the schema](advanced-hunting-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
@ -1,21 +1,21 @@
 ---
 title: RegistryEvents table in the Advanced hunting schema
-description: Learn about the RegistryEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+description: Learn about registry events you can query from the RegistryEvents table of the Advanced hunting schema
-keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, registryevents
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, registryevents, registry, key, subkey, value
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: v-maave
+ms.author: lomayor
-author: martyav
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 07/24/2019
+ms.date: 10/08/2019
 ---
 # RegistryEvents
@ -26,9 +26,9 @@ ms.date: 07/24/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The RegistryEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
+The RegistryEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
@ -61,6 +61,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-reference.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@ -1,7 +1,7 @@
 ---
 title: Advanced hunting schema reference
-description: Learn about the tables in the advanced hunting schema
+description: Learn about the tables in the Advanced hunting schema to understand the data you can run threat hunting queries on 
-keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, data
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@ -15,7 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 09/25/2019
+ms.date: 10/08/2019
 ---
 # Understand the Advanced hunting schema
@ -27,7 +27,7 @@ ms.date: 09/25/2019
 ## Schema tables
-The [Advanced hunting](overview-hunting.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
+The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
 The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.
@ -47,5 +47,5 @@ Table and column names are also listed within the Microsoft Defender Security Ce
 | **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
@ -1,7 +1,7 @@
 ---
-title: Use shared queries in advanced hunting
+title: Use shared queries in Advanced hunting
-description: Take advantage of shared advanced hunting queries. Share your queries to the public or to your organization.
+description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization.
-keywords: advanced hunting, atp query, query atp data, atp telemetry, events, events telemetry, kusto, github repo
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@ -15,7 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 09/25/2019
+ms.date: 10/08/2019
 ---
 # Use shared queries in Advanced hunting
@ -25,7 +25,7 @@ ms.date: 09/25/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-[Advanced hunting](overview-hunting.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.
+[Advanced hunting](advanced-hunting-overview.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.
 ![Image of shared queries](images/atp-advanced-hunting-shared-queries.png)
@ -60,5 +60,5 @@ Microsoft security researchers regularly share Advanced hunting queries in a [de
 >Microsoft security researchers also provide Advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
 ## Related topics
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting.md)
+- [Learn the query language](advanced-hunting-query-language.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@ -45,7 +45,7 @@ For information about configuring attack surface reduction rules, see [Enable at
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
-You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to understand how attack surface reduction rules could affect your environment.
+You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to understand how attack surface reduction rules could affect your environment.
 Here is an example query:
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@ -23,7 +23,7 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Custom detection rules built from [Advanced hunting](overview-hunting.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches.
+Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches.
 > [!NOTE]
 > To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
@ -114,5 +114,5 @@ You can also take the following actions on the rule from this page:
 ## Related topic
 - [Custom detections overview](overview-custom-detections.md)
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the Advanced hunting query language](advanced-hunting.md)
+- [Learn the Advanced hunting query language](advanced-hunting-query-language.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@ -112,7 +112,7 @@ Use the test machines to run attack simulations by connecting to them.
 If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Microsoft Defender ATP capabilities and walk you through investigation experience.
-You can also use [Advanced hunting](advanced-hunting.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats.
+You can also use [Advanced hunting](advanced-hunting-query-language.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats.
 >[!NOTE]
 >The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
@ -29,4 +29,4 @@ Topic | Description
 [Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Microsoft Defender Security Center.
 [Machines list](machines-view-overview.md) | Learn how you can view and manage the machines list, manage machine groups, and investigate machine related alerts. 
 [Take response actions](response-actions.md)| Take response actions on machines and files to quickly respond to detected attacks and contain threats.
-[Query data using advanced hunting](advanced-hunting.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool.
+[Query data using advanced hunting](advanced-hunting-query-language.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool.
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@ -105,11 +105,11 @@
 ### [Advanced hunting]()
-#### [Advanced hunting overview](overview-hunting.md)
+#### [Advanced hunting overview](advanced-hunting-overview.md)
 #### [Query data using Advanced hunting]()
-##### [Data querying basics](advanced-hunting.md)
+##### [Data querying basics](advanced-hunting-query-language.md)
-##### [Advanced hunting reference](advanced-hunting-reference.md)
+##### [Advanced hunting reference](advanced-hunting-schema-reference.md)
 ##### [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
 #### [Custom detections]()
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
@ -25,7 +25,7 @@ ms.topic: conceptual
 With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions.
-Custom detections work with [Advanced hunting](overview-hunting.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches.
+Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches.
 Custom detections provide:
 - Alerts for rule-based detections built from Advanced hunting queries
@ -36,4 +36,4 @@ Custom detections provide:
 ## Related topic
 - [Create and manage custom detection rules](custom-detection-rules.md)
- [Advanced hunting overview](overview-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview.md
@ -40,7 +40,7 @@ Topic | Description
 [Automated investigation and remediation](automated-investigations.md) | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
 [Secure score](overview-secure-score.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place.
 [Microsoft Threat Experts](microsoft-threat-experts.md) | Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand.
-[Advanced hunting](overview-hunting.md) |  Use a powerful search and query language to create custom queries and detection rules.
+[Advanced hunting](advanced-hunting-overview.md) |  Use a powerful search and query language to create custom queries and detection rules.
 [Management and APIs](management-apis.md) | Microsoft Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows.
 [Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack. 
 [Portal overview](portal-overview.md) |Learn to navigate your way around Microsoft Defender Security Center.
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@ -62,7 +62,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
 - Each event hub message in Azure Event Hubs contains list of records.
 - Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md).
+- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md).
 ## Data types mapping:
@ -83,7 +83,7 @@ To get the data types for event properties do the following:
 ![Image of event hub resource Id](images/machine-info-datatype-example.png)
 ## Related topics
- [Overview of Advanced Hunting](overview-hunting.md)
+- [Overview of Advanced Hunting](advanced-hunting-overview.md)
 - [Microsoft Defender ATP streaming API](raw-data-export.md)
 - [Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)
 - [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/)
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@ -62,7 +62,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
 - Each blob contains multiple rows.
 - Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md).
+- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md).
 ## Data types mapping:
@ -83,7 +83,7 @@ In order to get the data types for our events properties do the following:
 ![Image of event hub resource ID](images/machine-info-datatype-example.png)
 ## Related topics
- [Overview of Advanced Hunting](overview-hunting.md)
+- [Overview of Advanced Hunting](advanced-hunting-overview.md)
 - [Microsoft Defender Advanced Threat Protection Streaming API](raw-data-export.md)
 - [Stream Microsoft Defender Advanced Threat Protection events to your Azure storage account](raw-data-export-storage.md)
 - [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview)
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
@ -27,17 +27,17 @@ ms.topic: article
 ## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
-Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/).
+Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/).
 ## In this section
 Topic | Description
 :---|:---
-[Stream Microsoft Defender ATP events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](overview-hunting.md) to Event Hubs.
+[Stream Microsoft Defender ATP events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](advanced-hunting-overview.md) to Event Hubs.
-[Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](overview-hunting.md) to your Azure storage account.
+[Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](advanced-hunting-overview.md) to your Azure storage account.
 ## Related topics
- [Overview of Advanced Hunting](overview-hunting.md)
+- [Overview of Advanced Hunting](advanced-hunting-overview.md)
 - [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/)
 - [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview)
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@ -145,5 +145,5 @@ If the 'roles' section in the token does not include the necessary permission:
 ## Related topic
 - [Microsoft Defender ATP APIs](apis-intro.md)
- [Advanced Hunting from Portal](advanced-hunting.md)
+- [Advanced Hunting from Portal](advanced-hunting-query-language.md)
 - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md
@ -20,6 +20,10 @@ ms.topic: conceptual
 # What's new in Microsoft Defender Advanced Threat Protection for Mac
 ## 100.70.99
 - Addressed an issue that prevents some users from upgrading to macOS Catalina when real-time protection is enabled. This problem was caused by Microsoft Defender ATP locking files from the upgrade package (to scan them for antiviruses). In turn this triggered failures in the upgrade sequence.
 ## 100.68.99
 - Added the ability to configure the antivirus functionality to run in [passive mode](microsoft-defender-atp-mac-preferences.md#enable--disable-passive-mode)