diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index eaedfb4d15..5f34f47d44 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -102,21 +102,22 @@
 
 ### [Advanced hunting]()
 #### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md)
-#### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)
-#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
+#### [Learn the query language](advanced-hunting.md)
+#### [Use shared queries](advanced-hunting-shared-queries.md)
 #### [Advanced hunting schema reference]()
-##### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
-##### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
-##### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
-##### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
-##### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
-##### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
-##### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
-##### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
-##### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
-##### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
-##### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
-#### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
+##### [Understand the schema](advanced-hunting-reference.md)
+##### [AlertEvents](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
+##### [FileCreationEvents](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
+##### [ImageLoadEvents](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
+##### [LogonEvents](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
+##### [MachineInfo](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
+##### [MachineNetworkInfo](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
+##### [MiscEvents](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
+##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
+##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
+##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
+#### [Apply query best practices](advanced-hunting-best-practices.md)
+#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
 
 
 #### [Custom detections]()