diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
index 5745d3864d..ac8117df68 100644
--- a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -49,26 +49,26 @@ Portal label | SIEM field name | Description
7 | Category | Alert category
8 | Status in queue | Alert status in queue
9 | ComputerDnsName| Computer DNS name and machine name
-10 | IoaDefinitionId | (Internal only)
ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title.
**Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
-10 | UserName | The user context relevant to the activity on the machine which triggered the alert.
-11 | FileName | File name
-12 | FileHash | Sha1 of file observed
-13 | FilePath | File path
-14 | IpAddress | IP of the IOC (when relevant)
-15 | URL | URL of the IOC (when relevant)
-16 | FullId | (Internal only)
Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM.
-17 | AlertPart | (Internal only)
Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM.
-18 | LastProccesedTimeUtc | (Internal only)
Time the alert was last processed in Windows Defender ATP.
-19 | Source| Alert detection source (Windows Defender AV or Windows Defender ATP)
-20 | ThreatCategory| Windows Defender AV threat category
-21 | ThreatFamily | Windows Defender AV family name
-22 | RemediationAction | Windows Defender AV threat category |
-23 | WasExecutingWhileDetected | Indicates if a file was running while being detected. (Windows Defender AV field)
-24| RemediationIsSuccess | Indicates if an alert was successfully remediated. (Windows Defender AV field)
-25 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available)
-26 | Md5 | Md5 of file observed (when available)
-27 | Sha256 | Sha256 of file observed (when available)
-28 | ThreatName | Windows Defender AV threat name
+10| IoaDefinitionId | (Internal only)
ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title.
**Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
+11 | UserName | The user context relevant to the activity on the machine which triggered the alert.
+12 | FileName | File name
+13 | FileHash | Sha1 of file observed
+14 | FilePath | File path
+15 | IpAddress | IP of the IOC (when relevant)
+16 | URL | URL of the IOC (when relevant)
+17 | FullId | (Internal only)
Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM.
+18 | AlertPart | (Internal only)
Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM.
+19 | LastProccesedTimeUtc | (Internal only)
Time the alert was last processed in Windows Defender ATP.
+20 | Source| Alert detection source (Windows Defender AV or Windows Defender ATP)
+21 | ThreatCategory| Windows Defender AV threat category
+22 | ThreatFamily | Windows Defender AV family name
+23 | RemediationAction | Windows Defender AV threat category |
+24 | WasExecutingWhileDetected | Indicates if a file was running while being detected. (Windows Defender AV field)
+25| RemediationIsSuccess | Indicates if an alert was successfully remediated. (Windows Defender AV field)
+26 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available)
+27 | Md5 | Md5 of file observed (when available)
+28 | Sha256 | Sha256 of file observed (when available)
+29 | ThreatName | Windows Defender AV threat name
>[!NOTE]
>A single AlertID represents an IOA detection and may contain multiple IOCs. In such a cases, they will be exported to the SIEM tool as multiple instances. For every instance with the same AlertID, fields #1-8 will be identical while fields #9-18 will be different according to the new IOC information. Fields #20-28 are related to Windows Defender Antivirus alerts.
diff --git a/windows/keep-secure/images/atp-alert-source.png b/windows/keep-secure/images/atp-alert-source.png
index a52a00d9b9..c2155cc7ee 100644
Binary files a/windows/keep-secure/images/atp-alert-source.png and b/windows/keep-secure/images/atp-alert-source.png differ
diff --git a/windows/keep-secure/images/atp-alert-timeline-numbered.png b/windows/keep-secure/images/atp-alert-timeline-numbered.png
index e654a285ba..42e91034dd 100644
Binary files a/windows/keep-secure/images/atp-alert-timeline-numbered.png and b/windows/keep-secure/images/atp-alert-timeline-numbered.png differ
diff --git a/windows/keep-secure/images/atp-file-details.png b/windows/keep-secure/images/atp-file-details.png
index 0a7601f1c5..ad92f3af0c 100644
Binary files a/windows/keep-secure/images/atp-file-details.png and b/windows/keep-secure/images/atp-file-details.png differ
diff --git a/windows/keep-secure/images/atp-remediated-alert.png b/windows/keep-secure/images/atp-remediated-alert.png
index 70f5d527d0..d49b681907 100644
Binary files a/windows/keep-secure/images/atp-remediated-alert.png and b/windows/keep-secure/images/atp-remediated-alert.png differ