diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
index 7887ecbbbd..24c4d8dfd2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
@@ -82,15 +82,15 @@ DeviceEvents
 | where Timestamp > ago(7d)
 |project DeviceId, // the device ID where the audit block happened
 FileName, // The audit blocked app's filename
-FolderPath, // The audit blocked app's device path
+FolderPath, // The audit blocked app's system path without the FileName
 InitiatingProcessFileName, // The file name of the parent process loading the executable
 InitiatingProcessVersionInfoCompanyName, // The company name of the parent process loading the executable
 InitiatingProcessVersionInfoOriginalFileName, // The original file name of the parent process loading the executable
 InitiatingProcessVersionInfoProductName, // The product name of the parent process loading the executable
-InitiatingProcessSHA256, // The SHA256 of the parent process loading the executable
-Timestamp, // The timestamp
-ReportId, // The report ID
+InitiatingProcessSHA256, // The SHA256 flat hash of the parent process loading the executable
+Timestamp, // The event creation timestamp
+ReportId, // The report ID - randomly generated by MDE AH
 InitiatingProcessVersionInfoProductVersion, // The product version of the parent process loading the executable
 InitiatingProcessVersionInfoFileDescription, // The file description of the parent process loading the executable
-AdditionalFields
+AdditionalFields // Additional fields contains FQBN for signed binaries. These contain the CN of the leaf certificate, product name, original filename and version of the audited binary
 ```