Merge pull request #3635 from MicrosoftDocs/lomayor-ah-timezone

AH - time zone & more
Louie Mayor 2020-08-25 22:26:05 -07:00 committed by GitHub
commit 751e8eb8c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 42 additions and 10 deletions

View File

@ -1,7 +1,7 @@
--- ---
title: Overview of advanced hunting in Microsoft Defender ATP title: Overview of advanced hunting in Microsoft Defender ATP
description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto, time zone, UTC
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
search.appverid: met150 search.appverid: met150
ms.prod: w10 ms.prod: w10
@ -43,10 +43,14 @@ You can also go through each of the following steps to ramp up your advanced hun
| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) | | **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) | | **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |
## Get help as you write queries ## Data freshness and update frequency
Take advantage of the following functionality to write queries faster: Advanced hunting data can be categorized into two distinct types, each consolidated differently:
- **Autosuggest** — as you write queries, advanced hunting provides suggestions from IntelliSense.
- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor. - **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP.
- **Entity data**—populates tables with consolidated information about users and devices. To provide fresh data, tables are updated every 15 minutes with any new information, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
## Time zone
All time information in advanced hunting is currently in the UTC time zone.
## Related topics ## Related topics
- [Learn the query language](advanced-hunting-query-language.md) - [Learn the query language](advanced-hunting-query-language.md)
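Review bot: In the Event or activity data bullet, "this data" is singular but the clause ends with "the sensors that collect them successfully transmit them"; change to "the sensors that collect it successfully transmit it" (or make the subject "these events"). The Entity data bullet describes 15-minute rows that "might not be fully populated" plus a daily consolidated record, which means a single device or user can appear many times in a table; a sentence telling readers to expect multiple rows per entity and to pick the latest or the consolidated one would turn this from background into guidance. The new Time zone section is a single sentence; spell out that UTC applies both to the timestamps in query results and to any date or time values written into a query, since an analyst comparing results against local logs or another console otherwise has to discover the offset on their own, and either drop "currently" or say what is planned to change.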

View File

@ -144,11 +144,28 @@ Data in advanced hunting tables are generally classified into the following data
| `int` | 32-bit numeric value | | `int` | 32-bit numeric value |
| `long` | 64-bit numeric value | | `long` | 64-bit numeric value |
## Get help as you write queries
Take advantage of the following functionality to write queries faster:
- **Autosuggest**—as you write queries, advanced hunting provides suggestions from IntelliSense.
- **Schema tree**—a schema representation that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
- **[Schema reference](advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center)**—in-portal reference with table and column descriptions as well as supported event types (`ActionType` values) and sample queries
## Work with multiple queries in the editor
The query editor can serve as your scratch pad for experimenting with multiple queries. To use multiple queries:
- Separate each query with an empty line.
- Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**.
![Image of the advanced hunting query editor with multiple queries](images/ah-multi-query.png)
_Query editor with multiple queries_
## Use sample queries ## Use sample queries
The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them. The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
![Image of advanced hunting window](images/atp-advanced-hunting.png) ![Image of the advanced hunting get started tab](images/atp-advanced-hunting.png)
> [!NOTE] > [!NOTE]
> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository. > Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
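Review bot: In the Schema tree bullet, "insert it to the query editor" should be "insert it into the query editor", and the Schema reference bullet is the only one of the three without a terminating period. Under Work with multiple queries, "Place the cursor on any part of a query to select that query before running it. This will run only the selected query." says the same thing twice; collapse it to one sentence. The link to advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center matches the heading added to the schema reference file in this same pull request, so any later rename of that heading has to update this anchor as well.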

View File

@ -24,8 +24,6 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
[!INCLUDE [Prerelease information](../../includes/prerelease.md)]
While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results: While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results:
- View results as a table or chart - View results as a table or chart
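Review bot: Dropping the prerelease include changes what this page promises (working with query results is now presented as generally available), but neither the commit message nor anything else in the change mentions it; confirm the removal is intended and, if so, call it out in the commit description instead of folding it into "& more".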

View File

@ -29,7 +29,20 @@ ms.date: 01/14/2020
The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema. The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.
## Schema tables ## Get schema information in the security center
While constructing queries, use the built-in schema reference to quickly get the following information about each table in the schema:
- **Tables description**—type of data contained in the table and the source of that data.
- **Columns**—all the columns in the table.
- **Action types**—possible values in the `ActionType` column representing the event types supported by the table. This is provided only for tables that contain event information.
- **Sample query**—example queries that feature how the table can be utilized.
### Access the schema reference
To quickly access the schema reference, select the **View reference** action next to the table name in the schema representation. You can also select **Schema reference** to search for a table.
![Image showing how to access in-portal schema reference](images/ah-reference.png)
## Learn the schema tables
The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table. The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table.
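Review bot: "Tables description" should be "Table description", and "example queries that feature how the table can be utilized" reads better as "example queries that show how the table can be used". The Columns bullet ("all the columns in the table") only repeats its own label; say what the reference shows for each column if it is anything beyond the name. The new heading "Get schema information in the security center" is the anchor target of the Schema reference link added to the query-language page in this pull request, so keep its wording stable or update both together.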

Binary file not shown (image added, 67 KiB).

Binary file not shown (image added, 78 KiB).