Merged PR 2075: Merge master to live

windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md

@@ -27,14 +27,25 @@ Turn on the following advanced features to get better protected from potentially
 ## Block file
 This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled.
 
-If your organization satisfies this condition, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
+If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
 
-## Office 365 Security Center integration
+## Show user details
+When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information  when investigating user account entities. You can find user account information in the following views:
+- Dashboard
+- Alert queue
+- Machine details page
+
+For more information, see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md).
+
+## Skype for Business integration
+Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
+
+## Office 365 Threat Intelligence connection
 This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
 
 When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
 
-
+## Enable advanced features
 1. In the navigation pane, select **Preferences setup** > **Advanced features**.
 2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
 3. Click **Save preferences**.
@@ -43,3 +54,5 @@ When you enable this feature, you'll be able to incorporate data from Office 365
 - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
 - [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
 - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)

windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md

@@ -71,3 +71,5 @@ This section lists various issues that you may encounter when using email notifi
 - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
 - [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
 - [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)

windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md

@@ -36,3 +36,5 @@ During the onboarding process, a wizard takes you through the general settings o
 - [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
 - [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
 - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)

windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md

@@ -56,7 +56,7 @@ Windows Defender ATP lets you create suppression rules so you can limit the aler
 
 Suppression rules can be created from an existing alert.
 
-When a suppression rule is created, it will take effect from this point onwards. It will not affect existing alerts already in the queue, but new alerts triggered after the rule is created will not be displayed.
+When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
 
 There are two contexts for a suppression rule that you can choose from:
 
@@ -65,20 +65,38 @@ There are two contexts for a suppression rule that you can choose from:
 
 The context of the rule lets you tailor the queue to ensure that only alerts you are interested in will appear. You can use the examples in the following table to help you choose the context for a suppression rule:
 
-**Context** | **Definition** |**Example scenarios**
+| **Context**                           | **Definition**                                                                                                                                              | **Example scenarios**                                                                                                                                                                                                  |
----|---|---
+|:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-**Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed. <br /><br />All other alerts on that machine will not be suppressed. | <ul><li>A security researcher is investigating a malicious script that has been used to attack other machines in your organization.</li><li>A developer regularly creates PowerShell scripts for their team.</li></ul>
+| **Suppress alert on this machine**    | Alerts with the same alert title and on that specific machine only will be suppressed. <br /><br />All other alerts on that machine will not be suppressed. | <ul><li>A security researcher is investigating a malicious script that has been used to attack other machines in your organization.</li><li>A developer regularly creates PowerShell scripts for their team.</li></ul> |
-**Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. | <ul><li>A benign administrative tool is used by everyone in your organization.</li></ul>
+| **Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed.                                                                                         | <ul><li>A benign administrative tool is used by everyone in your organization.</li></ul>                                                                                                                               |
 
 
-**Suppress an alert and create a suppression rule:**
+### Suppress an alert and create a new suppression rule:
+Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, you’ll be able to configure the action and scope on the alert. 
 
 1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
-2. Scroll down to the **Supression rules** section.
+
+2. Scroll down to the **Create a supression rule** section.
+
+    ![Image of alert status](images/atp-create-suppression-rule.png)
+
 3. Choose the context for suppressing the alert.
   
+    ![Image of alert status](images/atp-new-suppression-rule.png)
+
   > [!NOTE]
   > You cannot create a custom or blank suppression rule. You must start from an existing alert.
+4. Specify the conditions for when the rule is applied:
+  - Alert title
+  - Indicator of compromise (IOC)
+  - Suppression conditions
+
+    > [!NOTE]
+    > The SHA1 of the alert cannot be modified
+5. Specify the action and scope on the alert. You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. You can also specify to suppress the alert on the machine only or the whole organization.
+
+6. Click **Save and close**.
+
 
 **See the list of suppression rules:**
 

windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md

@@ -29,3 +29,5 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
 - [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
 - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)