This commit is contained in:
Joey Caparas
2017-02-13 11:25:08 -08:00
6 changed files with 18 additions and 18 deletions

View File

@ -38,7 +38,7 @@ To see a list of alerts, click any of the queues under the **Alerts queue** opti
> By default, the queues are sorted from newest to oldest. > By default, the queues are sorted from newest to oldest.
## Sort and filter the alerts ## Sort and filter the alerts
You can sort and filter the alerts by using the available filters or clicking columns that allow you to sort the view in ascending or descending order. You can sort and filter the alerts by using the available filters or clicking columns that allows you to sort the view in ascending or descending order.
![Alerts queue with numbers](images/alerts-queue-numbered.png) ![Alerts queue with numbers](images/alerts-queue-numbered.png)
@ -77,7 +77,7 @@ Reviewing the various alerts and their severity can help you decide on the appro
- 6 months - 6 months
**View**</br> **View**</br>
- **Flat view** - Lists alerts individually with alerts that has the latest activity displayed at the top surfaces. - **Flat view** - Lists alerts individually with alerts that has the latest activity displayed at the top.
- **Grouped view** - Groups alerts by alert ID, file hash, malware family and others to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating categories together. - **Grouped view** - Groups alerts by alert ID, file hash, malware family and others to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating categories together.
The group view allows for efficient alert triage and management. The group view allows for efficient alert triage and management.
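Review bot: the edit to the Sort and filter paragraph introduces an agreement error: "columns that allows you to sort" has a plural subject, so the original "columns that allow you to sort" was correct and should be kept. In the same hunk, the Flat view bullet still reads "alerts that has the latest activity" in both versions; suggest "Lists alerts individually, with the alerts that have the latest activity displayed at the top."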

View File

@ -23,12 +23,12 @@ localizationpriority: high
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span> <span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can define custom alert definitions and indicators of compromise (IOC) using the available APIs. Creating custom TIs allows you to create specific alerts that are applicable to your organization. You can define custom alert definitions and indicators of compromise (IOC) using the available APIs. Creating custom TIs allows you to create specific alerts that are applicable to your organization.
## Before you begin ## Before you begin
Before creating custom TI's, you'll need to enable the custom TI application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md). Before creating custom TIs, you'll need to enable the custom TI application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
### Use the available REST API to create custom TI's ### Use the available REST APIs to create custom TIs
You can call and specify the resource URLs using one of the following operations to access and manipulate a custom TI resource, you call and specify the resource URLs using one of the following operations: You can call and specify the resource URLs using one of the following operations to access and manipulate a custom TI resource, you call and specify the resource URLs using one of the following operations:
- GET - GET
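Review bot: the sentence introducing the operations list still repeats itself in both versions ("You can call and specify the resource URLs using one of the following operations to access and manipulate a custom TI resource, you call and specify the resource URLs using one of the following operations:"). Since this hunk is already touching the heading above it, collapse the run-on to a single clause: "To access and manipulate a custom TI resource, you call and specify the resource URLs using one of the following operations:".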
@ -70,9 +70,9 @@ You can use the metadata to understand the relationships between entities in cus
The following sections show a few basic programming pattern calls to the custom TI API. The following sections show a few basic programming pattern calls to the custom TI API.
## Create new resource ## Create new resource
Typically, you would start creating custom threat intelligence by first creating an alert definition. Typically, you should create an alert definition to start creating custom threat intelligence.
An ID is created for that alert definition. You would then create an Indicator Of Compromise and associate it to the ID of the alert definition. An ID is created for that alert definition. Then, create an Indicator Of Compromise and associate it to the ID of the alert definition.
### Create a new alert definition ### Create a new alert definition
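Review bot: "Indicator Of Compromise" is capitalized differently from "indicators of compromise (IOC)" used earlier in the same file; suggest "Then, create an indicator of compromise (IOC) and associate it with the ID of the alert definition" ("associate with" rather than "associate to"). The reordered opening sentence otherwise reads well.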
@ -105,7 +105,7 @@ Highlighted section | JSON Value
4 | UX description 4 | UX description
5 | Recommended Action 5 | Recommended Action
If successful, you should get a 201 CREATED response containing the representation of the newly created alert definition for example: If successful, you should get a 201 CREATED response containing the representation of the newly created alert definition, for example:
```json ```json

View File

@ -29,7 +29,7 @@ Alerts attributed to an adversary or actor display a colored tile with the actor
![A detailed view of an alert when clicked](images/alert-details.png) ![A detailed view of an alert when clicked](images/alert-details.png)
Click on the actor's name to see a threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as areas where it's active worldwide. You will also see a set of recommended actions to take. Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as locations where it's active worldwide. You will also see a set of recommended actions to take.
Some actor profiles include a link to download a more comprehensive threat intelligence report. Some actor profiles include a link to download a more comprehensive threat intelligence report.
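Review bot: the expansion "tools, tactics, and processes (TTPs)" is carried over unchanged in both versions, but TTPs conventionally stands for "tactics, techniques, and procedures"; since this sentence is being rewritten anyway, correct the expansion so readers of the actor profile are not misled about what the acronym denotes. The pronouns also switch within the sentence ("their interests or targets" versus "locations where it's active"); pick one.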

View File

@ -160,7 +160,7 @@ The **Action center** provides information on actions that were taken on a mach
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis. Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs. The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
Deep analysis currently supports extensive analysis of PE (portable executable) files (including _.exe_ and _.dll_ files). Deep analysis currently supports extensive analysis of portable executable (PE) files (including _.exe_ and _.dll_ files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk.
@ -192,7 +192,7 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
![You can only submit PE files in the file details seciton](images/submit-file.png) ![You can only submit PE files in the file details seciton](images/submit-file.png)
>**Note**&nbsp;&nbsp;Only portable executable (PE) files are supported, including _.exe_ and _.dll_ files >**Note**&nbsp;&nbsp;Only PE files are supported, including _.exe_ and _.dll_ files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done. A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
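Review bot: two typos in this hunk's context lines survive the edit: the hunk header line reads "runs the file in is a secure" (one of "in" or "is" should go) and the image alt text reads "file details seciton" ("section"). The Note line is also missing its terminating period in both versions: "...including _.exe_ and _.dll_ files."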
@ -221,7 +221,7 @@ The details provided can help you investigate if there are indications of a pote
If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps. If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure the file is a PE. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications). 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. 2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error. 3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
4. Verify the policy setting enables sample collection and try to submit the file again. 4. Verify the policy setting enables sample collection and try to submit the file again.

View File

@ -52,7 +52,7 @@ Clicking on the number of total logged on users in the Logged on user tile opens
![Image of user details pane](images/atp-user-details-pane.png) ![Image of user details pane](images/atp-user-details-pane.png)
For more information see [Investigate user entities](investigate-user-entity-windows-defender-advanced-threat-protection.md). For more information, see [Investigate user entities](investigate-user-entity-windows-defender-advanced-threat-protection.md).
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
@ -86,7 +86,7 @@ Using the slider updates the listed alerts to the date that you select. Displaye
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the **Alerts view** and click on the machine associated with the alert to jump to the specific date when the alert was observed, enabling you to investigate the events that took place around the alert. The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the **Alerts view** and click on the machine associated with the alert to jump to the specific date when the alert was observed, enabling you to investigate the events that took place around the alert.
### Export machine timeline events ### Export machine timeline events
You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to export the machine timeline for the current date or specify a date range. You can export up to 7 days of data and specify the specific time between the two dates. You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to export the machine timeline for the current date or specify a date range. You can export up to seven days of data and specify the specific time between the two dates.
![Image of export machine timeline events](images/atp-export-machine-timeline-events.png) ![Image of export machine timeline events](images/atp-export-machine-timeline-events.png)
@ -164,11 +164,11 @@ Folder | Description
:---|:--- :---|:---
Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attackers persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attackers persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”
Installed program | This CSV file contains the list of installed program that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). Installed program | This CSV file contains the list of installed program that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509).
Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs/attackers command & control or any lateral movement/remote connections.</br></br> - ActiveNetworkConnections.txt Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - Ipconfig.txt Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attackers command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetworkConnections.txt Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt Displays the current address resolution protocol (ARP) cache tables for all interfaces. 
</br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - Ipconfig.txt Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder.
Processes | Contains a CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identify if there is a suspicious process and its state. Processes | Contains a CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when trying to identify if there is a suspicious process and its state.
Scheduled tasks | Contains a CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for a suspicious code set to run automatically. Scheduled tasks | Contains a CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for a suspicious code set to run automatically.
Security event log | Contains the security event log which contains records of login/logout activity or other security-related events specified by the system's audit policy. NOTE: Open the event log file using Event viewer. Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. </br></br>NOTE: Open the event log file using Event viewer.
Services | Contains the services.txt file which lists services and their states. Services | Contains the services.txt file which lists services and their states.
SMB sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound). SMB sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound).
Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system. </br></br> This can help to track suspicious files that an attacker may dropped on the system. </br></br> NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didnt log in to the system. Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system. </br></br> This can help to track suspicious files that an attacker may dropped on the system. </br></br> NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didnt log in to the system.
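Review bot: the Network connections row of the folder table is now split across two lines after "ARP cache tables for all interfaces." and before "</br></br> ARP cache can reveal ...", which breaks the markdown table: a hard line break inside a cell ends the table, and the remainder of the cell (ARP, Dnscache and Ipconfig descriptions) renders as a stray paragraph below it. Keep the whole cell on one line as the original did and rely on </br> for the visual breaks. While this table is open, several pre-existing typos in the unchanged rows are worth fixing: "attackers persistency" (attacker persistence), "systems on the network that night have been used" (might), "list of installed program" (programs), "an attacker may dropped" (may have dropped), and "didnt" (didn't).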

View File

@ -33,7 +33,7 @@ Before creating custom threat intelligence, it's important to know the concepts
Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is critical in gaining a vantage point against attacks and possibly interfering with the chain of events before an attacker's objective is reached. Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is critical in gaining a vantage point against attacks and possibly interfering with the chain of events before an attacker's objective is reached.
## Indicators of compromise (IOC) ## Indicators of compromise (IOC)
IOCs are individual known malicious events that indicate that a network or machine has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks. IOCs are individually-known malicious events that indicate that a network or machine has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks.
## Relationship between alert definitions and IOCs ## Relationship between alert definitions and IOCs
In the context of Windows Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. For more information on available metadata options, see [Custom TI API metadata](custom-ti-api-windows-defender-advanced-threat-protection.md#custom-ti-api-metadata). In the context of Windows Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. For more information on available metadata options, see [Custom TI API metadata](custom-ti-api-windows-defender-advanced-threat-protection.md#custom-ti-api-metadata).
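Review bot: "individually-known malicious events" changes the sense of the original "individual known malicious events" (each IOC is a single, known-malicious event) and the hyphenated adverb-participle is non-standard; suggest "individual, known-malicious events" or leave the original wording. "Intervene with an attack chain" is still awkward; "interrupt an attack chain" is clearer. In the Relationship paragraph, "alert definitions are containers for IOCs and defines the alert" has an agreement error in both versions ("define the alert").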