Merge branch 'master' into MDBranchUpdateWhatsNew

windows/security/threat-protection/TOC.md

@@ -448,7 +448,7 @@
 ##### [Onboard devices using a local script](microsoft-defender-atp/configure-endpoints-script.md)
 ##### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](microsoft-defender-atp/configure-endpoints-vdi.md)
  
-#### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md)
+#### [Onboard Windows servers](microsoft-defender-atp/configure-server-endpoints.md)
 #### [Onboard non-Windows devices](microsoft-defender-atp/configure-endpoints-non-windows.md)
 #### [Onboard devices without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
 #### [Run a detection test on a newly onboarded device](microsoft-defender-atp/run-detection-test.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md

@@ -0,0 +1,80 @@
+---
+title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender Advanced Threat Protection
+description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device 
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 09/20/2020
+---
+
+# AssignedIPAddresses()
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time.
+
+This function returns a table with the following columns:
+
+Column | Data type | Description
+-|-|-
+`Timestamp` | datetime | Latest time when the device was observed using the IP address
+`IPAddress` | string | IP address used by the device
+`IPType` | string | Indicates whether the IP address is a public or private address
+`NetworkAdapterType` | int | Network adapter type used by the device that has been assigned the IP address. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype)
+`ConnectedNetworks` | int | Networks that the adapter with the assigned IP address is connected to. Each JSON array contains the network name, category (public, private, or domain), a description, and a flag indicating if it's connected publicly to the internet
+
+## Syntax
+
+```kusto
+AssignedIPAddresses(x, y)
+```
+
+## Arguments
+
+- **x**—`DeviceId` or `DeviceName` value identifying the device
+- **y**—`Timestamp` (datetime) value instructing the function to obtain the most recent assigned IP addresses from a specific time. If not specified, the function returns the latest IP addresses.
+
+## Examples
+
+### Get the list of IP addresses used by a device 24 hours ago
+
+```kusto
+AssignedIPAddresses('example-device-name', ago(1d))
+```
+
+### Get IP addresses used by a device and find devices communicating with it
+
+This query uses the `AssignedIPAddresses()` function to get assigned IP addresses for the device (`example-device-name`) on or before a specific date (`example-date`). It then uses the IP addresses to find connections to the device initiated by other devices. 
+
+```kusto
+let Date = datetime(example-date);
+let DeviceName = "example-device-name";
+// List IP addresses used on or before the specified date
+AssignedIPAddresses(DeviceName, Date)
+| project DeviceName, IPAddress, AssignedTime = Timestamp 
+// Get all network events on devices with the assigned IP addresses as the destination addresses
+| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
+// Get only network events around the time the IP address was assigned
+| where Timestamp between ((AssignedTime - 1h) .. (AssignedTime + 1h))
+```
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md

@@ -21,14 +21,16 @@ ms.topic: article
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-
 **Applies to:**
+
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
 
 ## Optimize query performance
-Apply these recommendations to get results faster and avoid timeouts while running complex queries. 
+
+Apply these recommendations to get results faster and avoid timeouts while running complex queries.
+
 - When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`.
 - Use time filters first. Ideally, limit your queries to seven days.
 - Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
@@ -43,6 +45,7 @@ Apply these recommendations to get results faster and avoid timeouts while runni
 ## Query tips and pitfalls
 
 ### Queries with process IDs
+
 Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
 
 The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
@@ -57,6 +60,7 @@ DeviceNetworkEvents
 The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
 
 ### Queries with command lines
+
 Command lines can vary. When applicable, filter on file names and do fuzzy matching.
 
 There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces.
@@ -87,9 +91,12 @@ DeviceProcessEvents
 | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" 
 ```
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
 
 ## Related topics
+
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
+- [Work with query results](advanced-hunting-query-results.md)
+- [Custom detections overview](overview-custom-detections.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md

@@ -0,0 +1,48 @@
+---
+title: Extend advanced hunting coverage with the right settings 
+description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting  
+keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection 
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 10/10/2020
+---
+
+# Extend advanced hunting coverage with the right settings
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
+
+## Advanced security auditing on Windows devices
+
+Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation.
+
+Data | Description | Schema table | How to configure
+-|-|-|-
+Account management | Events captured as various `ActionType` values indicating local account creation, deletion, and other account-related activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit User Account Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-user-account-management)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
+Security group management | Events captured as various `ActionType` values indicating local security group creation and other local group management activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security Group Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-group-management)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
+Service installation | Events captured with the `ActionType` value `ServiceInstalled`, indicating that a service has been created | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security System Extension](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-system-extension)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Work with query results](advanced-hunting-query-results.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Custom detections overview](overview-custom-detections.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md

@@ -0,0 +1,85 @@
+---
+title: FileProfile() function in advanced hunting for Microsoft Defender Advanced Threat Protection
+description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results 
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 09/20/2020
+---
+
+# FileProfile()
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query.
+
+Column | Data type | Description
+-|-|-
+SHA1 | string | SHA-1 of the file that the recorded action was applied to
+SHA256 | string | SHA-256 of the file that the recorded action was applied to
+MD5 | string | MD5 hash of the file that the recorded action was applied to
+FileSize | int | Size of the file in bytes
+GlobalPrevalence | int | Number of instances of the entity observed by Microsoft globally
+GlobalFirstSeen | datetime | Date and time when the entity was first observed by Microsoft globally
+GlobalLastSeen | datetime | Date and time when the entity was last observed by Microsoft globally
+Signer | string | Information about the signer of the file
+Issuer | string | Information about the issuing certificate authority (CA)
+SignerHash | string | Unique hash value identifying the signer
+IsCertificateValid | boolean | Whether the certificate used to sign the file is valid
+IsRootSignerMicrosoft | boolean | Indicates whether the signer of the root certificate is Microsoft
+IsExecutable | boolean | Whether the file is a Portable Executable (PE) file
+ThreatName | string | Detection name for any malware or other threats found
+Publisher | string | Name of the organization that published the file
+SoftwareName | string | Name of the software product
+
+## Syntax
+
+```kusto
+invoke FileProfile(x,y)
+```
+
+## Arguments
+
+- **x** — file ID column to use: `SHA1`, `SHA256`, `InitiatingProcessSHA1` or `InitiatingProcessSHA256`; function uses `SHA1` if unspecified
+- **y** — limit to the number of records to enrich, 1-1000; function uses 100 if unspecified
+
+## Examples
+
+### Project only the SHA1 column and enrich it
+
+```kusto
+DeviceFileEvents
+| where isnotempty(SHA1) and Timestamp > ago(1d)
+| take 10
+| project SHA1
+| invoke FileProfile()
+```
+
+### Enrich the first 500 records and list low-prevalence files
+
+```kusto
+DeviceFileEvents
+| where ActionType == "FileCreated" and Timestamp > ago(1d)
+| project CreatedOn = Timestamp, FileName, FolderPath, SHA1
+| invoke FileProfile("SHA1", 500) 
+| where GlobalPrevalence < 15
+```
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md

@@ -0,0 +1,107 @@
+---
+title: Get relevant info about an entity with go hunt 
+description: Learn how to use the "go hunt" tool to quickly query for relevant information about an entity or event using advanced hunting.
+keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft Threat Protection
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
+ms.author: v-maave
+author: martyav
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Quickly hunt for entity or event information with go hunt
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity.
+
+The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections:
+
+- In the [incident page](investigate-incidents.md), you can review details about users, devices, and many other entities associated with an incident. When you select an entity, you get additional information as well as various actions you could take on that entity. In the example below, a device is selected, showing details about the device as well the option to hunt for more information about the device.
+
+    ![Image showing device details with the go hunt option](./images/go-hunt-device.png)
+
+- In the incident page, you can also access a list of entities under the evidence tab. Selecting one of those entities provides an option to quickly hunt for information about that entity.
+
+    ![Image showing selected url with the go hunt option in the Evidence tab](./images/go-hunt-evidence-url.png)
+
+- When viewing the timeline for a device, you can select an event in the timeline to view additional information about that event. Once an event is selected, you get the option to hunt for other relevant events in advanced hunting.
+
+    ![Image showing event details with the go hunt option](./images/go-hunt-event.png)
+
+Selecting **Go hunt** or **Hunt for related events** passes different queries, depending on whether you've selected an entity or an event.
+
+## Query for entity information
+
+When using *go hunt* to query for information about a user, device, or any other type of entity, the query checks all relevant schema tables for any events involving that entity. To keep the results manageable, the query is scoped to around the same time period as the earliest activity in the past 30 days that involves the entity and is associated with the incident.
+
+Here is an example of the go hunt query for a device:
+
+```kusto
+let selectedTimestamp = datetime(2020-06-02T02:06:47.1167157Z);
+let deviceName = "fv-az770.example.com";
+let deviceId = "device-guid";
+search in (DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents, DeviceEvents, DeviceImageLoadEvents, IdentityLogonEvents, IdentityQueryEvents)
+Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
+and DeviceName == deviceName
+// or RemoteDeviceName == deviceName
+// or DeviceId == deviceId
+| take 100
+```
+
+### Supported entity types
+
+You can use *go hunt* after selecting any of these entity types:
+
+- Files
+- Users
+- Devices
+- IP addresses
+- URLs
+
+## Query for event information
+
+When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device:
+
+```kusto
+// List relevant events 30 minutes before and after selected RegistryValueSet event
+let selectedEventTimestamp = datetime(2020-10-06T21:40:25.3466868Z);
+search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
+    Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m))
+    and DeviceId == "a305b52049c4658ec63ae8b55becfe5954c654a4"
+| sort by Timestamp desc
+| extend Relevance = iff(Timestamp == selectedEventTimestamp, "Selected event", iff(Timestamp < selectedEventTimestamp, "Earlier event", "Later event"))
+| project-reorder Relevance
+```
+
+## Adjust the query
+
+With some knowledge of the [query language](advanced-hunting-query-language.md), you can adjust the query to your preference. For example, you can adjust this line, which determines the size of the time window:
+
+```kusto
+Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
+```
+
+In addition to modifying the query to get more relevant results, you can also:
+
+- [View the results as charts](advanced-hunting-query-results.md#view-query-results-as-a-table-or-chart)
+- [Create a custom detection rule](custom-detection-rules.md)
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Work with query results](advanced-hunting-query-results.md)
+- [Custom detection rules](custom-detection-rules.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md

@@ -28,18 +28,20 @@ ms.topic: article
 
 Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
 
+Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
+<br />
+<br />
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo]
+
 You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
 
 >[!TIP]
 >Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
 
 ## Get started with advanced hunting
-Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
-<p></p>
 
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo]
-
-You can also go through each of the following steps to ramp up your advanced hunting knowledge.
+Go through the following steps to ramp up your advanced hunting knowledge.
 
 We recommend going through several steps to quickly get up and running with advanced hunting.
 
@@ -50,18 +52,24 @@ We recommend going through several steps to quickly get up and running with adva
 | **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
 | **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
 | **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)<br>- [Handle errors](advanced-hunting-errors.md) |
+| **Get the most complete coverage** | Use audit settings to provide better data coverage for your organization. | - [Extend advanced hunting coverage](advanced-hunting-extend-data.md) |
+| **Run a quick investigation** | Quickly run an advanced hunting query to investigate suspicious activity. | - [Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md) |
+| **Contain threats and address compromises** | Respond to attacks by quarantining files, restricting app execution, and other actions | - [Take action on advanced hunting query results](advanced-hunting-take-action.md) |
 | **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |
 
 ## Data freshness and update frequency
+
 Advanced hunting data can be categorized into two distinct types, each consolidated differently.
 
 - **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP.
 - **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
 
 ## Time zone
+
 Time information in advanced hunting is currently in the UTC time zone.
 
 ## Related topics
+
 - [Learn the query language](advanced-hunting-query-language.md)
 - [Work with query results](advanced-hunting-query-results.md)
 - [Use shared queries](advanced-hunting-shared-queries.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md

@@ -24,7 +24,7 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 
 Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query.
 
@@ -176,7 +176,6 @@ For detailed information about the query language, see [Kusto query language doc
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Work with query results](advanced-hunting-query-results.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md

@@ -116,6 +116,12 @@ After running a query, select **Export** to save the results to local file. Your
 ## Drill down from query results
 To view more information about entities, such as devices, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity.
 
+To quickly inspect a record in your query results, select the corresponding row to open the Inspect record panel. The panel provides the following information based on the selected record:
+
+- **Assets** — A summarized view of the main assets (mailboxes, devices, and users) found in the record, enriched with available information, such as risk and exposure levels
+- **Process tree** — A chart generated for records with process information and enriched using available contextual information; in general, queries that return more columns can result in richer process trees.
+- **All details** — Lists all the values from the columns in the record
+
 ## Tweak your queries from the results
 Right-click a value in the result set to quickly enhance your query. You can use the options to:
 
@@ -126,9 +132,9 @@ Right-click a value in the result set to quickly enhance your query. You can use
 ![Image of advanced hunting result set](images/advanced-hunting-results-filter.png)
 
 ## Filter the query results
-The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
+The filters displayed in the right pane provide a summary of the result set. Every column has its own section in the pane, each of which lists the values found in that column, and the number of instances.
 
-Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude and then selecting **Run query**.
+Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude. Then select **Run query**.
 
 ![Image of advanced hunting filter](images/advanced-hunting-filter.png)
 

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md

@@ -69,8 +69,11 @@ Table and column names are also listed within the Microsoft Defender Security Ce
 | **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
 | **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
 
+
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
-- [Work with query results](advanced-hunting-query-results.md)
 - [Learn the query language](advanced-hunting-query-language.md)
+- [Work with query results](advanced-hunting-query-results.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Custom detections overview](overview-custom-detections.md)
 - [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md

@@ -43,7 +43,7 @@ You can save a new or existing query so that it is only accessible to you or sha
    ![Image of saving a query](images/advanced-hunting-save-query.png)
 
 4. Select the folder where you'd like to save the query.
-    - **Shared queries** — shared to all users in the your organization
+    - **Shared queries** — shared to all users in your organization
     - **My queries** — accessible only to you
     
 5. Select **Save**.
@@ -67,3 +67,7 @@ Microsoft security researchers regularly share advanced hunting queries in a [de
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the query language](advanced-hunting-query-language.md)
+- [Work with query results](advanced-hunting-query-results.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Custom detections overview](overview-custom-detections.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md

@@ -0,0 +1,82 @@
+---
+title: Take action on advanced hunting query results in Microsoft Threat Protection
+description: Quickly address threats and affected assets in your advanced hunting query results
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 09/20/2020
+---
+
+# Take action on advanced hunting query results
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can:
+
+- Take various actions on devices
+- Quarantine files
+
+## Required permissions
+
+To be able to take action through advanced hunting, you need a role in Microsoft Defender ATP with [permissions to submit remediation actions on devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission:
+
+*Active remediation actions > Threat and vulnerability management - Remediation handling*
+
+## Take various actions on devices
+
+You can take the following actions on devices identified by the `DeviceId` column in your query results:
+
+- Isolate affected devices to contain an infection or prevent attacks from moving laterally
+- Collect investigation package to obtain more forensic information
+- Run an antivirus scan to find and remove threats using the latest security intelligence updates
+- Initiate an automated investigation to check and remediate threats on the device and possibly other affected devices
+- Restrict app execution to only Microsoft-signed executable files, preventing subsequent threat activity through malware or other untrusted executables
+
+To learn more about how these response actions are performed through Microsoft Defender ATP, [read about response actions on devices](respond-machine-alerts.md).
+
+## Quarantine files
+
+You can deploy the *quarantine* action on files so that they are automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine:
+
+- `SHA1` — In most advanced hunting tables, this is the SHA-1 of the file that was affected by the recorded action. For example, if a file was copied, this would be the copied file.
+- `InitiatingProcessSHA1` — In most advanced hunting tables, this is the file responsible for initiating the recorded action. For example, if a child process was launched, this would be the parent process. 
+- `SHA256` — This is the SHA-256 equivalent of the file identified by the `SHA1` column.
+- `InitiatingProcessSHA256` — This is the SHA-256 equivalent of the file identified by the `InitiatingProcessSHA1` column.
+
+To learn more about how quarantine actions are taken and how files can be restored, [read about response actions on files](respond-file-alerts.md).
+
+>[!NOTE]
+>To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers.  
+
+## Take action
+
+To take any of the described actions, select one or more records in your query results and then select **Take actions**. A wizard will guide you through the process of selecting and then submitting your preferred actions.
+
+![Image of selected record with panel for inspecting the record](images/ah-take-actions.png)
+
+## Review actions taken
+
+Each action is individually recorded in the action center, under **Action center** > **History** ([security.microsoft.com/action-center/history](https://security.microsoft.com/action-center/history)). Go to the action center to check the status of each action.
+ 
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Work with query results](advanced-hunting-query-results.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Custom detections overview](overview-custom-detections.md)

windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md

@@ -37,14 +37,6 @@ ms.topic: article
 
 Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
 
-The service supports the onboarding of the following Windows servers:
-- Windows Server 2008 R2 SP1
-- Windows Server 2012 R2
-- Windows Server 2016
-- Windows Server (SAC) version 1803 and later
-- Windows Server 2019 and later
-- Windows Server 2019 core edition
-
 For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
 
 For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines).
@@ -54,16 +46,36 @@ For guidance on how to download and use Windows Security Baselines for Windows s
 
 You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Microsoft Defender ATP by using any of the following options:
 
-- **Option 1**: [Onboard through Microsoft Defender Security Center](#option-1-onboard-windows-servers-through-microsoft-defender-security-center)
+- **Option 1**: [Onboard by installing and configuring Microsoft Monitoring Agent (MMA)](#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)
 - **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center)
-- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later (only for Windows Server 2012 R2 and Windows Server 2016)](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later)
+- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later)
+
+
+After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
+
 
 > [!NOTE]
 > Microsoft defender ATP standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
 
 
-### Option 1: Onboard Windows servers through Microsoft Defender Security Center
-Perform the following steps to onboard Windows servers through Microsoft Defender Security Center:
+### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA)
+You'll need to install and configure MMA for Windows servers to report sensor data to Microsoft Defender ATP. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
+
+If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support.
+
+In general, you'll need to take the following steps:
+1. Fulfill the onboarding requirements outlined in **Before you begin** section.
+2. Turn on server monitoring from Microsoft Defender Security center.
+3. Install and configure MMA for the server to report sensor data to Microsoft Defender ATP.
+4. Configure and update System Center Endpoint Protection clients.
+
+
+> [!TIP]
+> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
+
+
+#### Before you begin 
+Perform the following steps to fulfill the onboarding requirements:
 
  - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix:
     - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
@@ -77,32 +89,6 @@ Perform the following steps to onboard Windows servers through Microsoft Defende
     > [!NOTE]
     > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
 
- - [Turn on server monitoring from Microsoft Defender Security Center](#turn-on-server-monitoring-from-the-microsoft-defender-security-center-portal).
-
- - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support.
-
-    Otherwise, [install and configure MMA to report sensor data to Microsoft Defender ATP](#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp). For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
-
-> [!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
-
-### Configure and update System Center Endpoint Protection clients
-
-Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
-
-The following steps are required to enable this integration:
-- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie).
-
-- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting.
-
-
-### Turn on Server monitoring from the Microsoft Defender Security Center portal
-
-1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**.
-
-2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
-
-3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
 
 <span id="server-mma"/>
 
@@ -115,16 +101,21 @@ The following steps are required to enable this integration:
     On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
     - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
 
-3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md).
 
-Once completed, you should see onboarded Windows servers in the portal within an hour.
 
 <span id="server-proxy"/>
 
-### Configure Windows server proxy and Internet connectivity settings
+### Configure Windows server proxy and Internet connectivity settings if needed
+If your servers need to use a proxy to communicate with Microsoft Defender ATP, use one of the following methods to configure the MMA to use the proxy server:
 
-- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the <a href="https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway" data-raw-source="[OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway)">OMS Gateway</a>.
-- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
+
+- [Configure the MMA to use a proxy server](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard)
+
+- [Configure Windows to use a proxy server for all connections](configure-proxy-internet.md)
+
+If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender ATP service URLs directly and without SSL interception. For more information, see [enable access to Microsoft Defender ATP service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service. 
+
+Once completed, you should see onboarded Windows servers in the portal within an hour.
 
 ### Option 2: Onboard Windows servers through Azure Security Center
 1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**.
@@ -135,9 +126,15 @@ Once completed, you should see onboarded Windows servers in the portal within an
 
 4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
 
+After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
+
 ### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later
 You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).
 
+After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
+
+
+
 ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
 You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods:
 
@@ -201,6 +198,17 @@ Data collected by Microsoft Defender ATP is stored in the geo-location of the te
 Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
 
 
+## Configure and update System Center Endpoint Protection clients
+
+Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
+
+The following steps are required to enable this integration:
+- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie).
+
+- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting.
+
+
+
 ## Offboard Windows servers
 You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.
 

windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md

@@ -16,6 +16,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
+ms.date: 09/20/2020
 ---
 
 # Create custom detection rules
@@ -23,30 +24,36 @@ ms.topic: article
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
 **Applies to:**
+
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
 
-Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). 
+Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md).
 
-## 1. Check required permissions
+> [!NOTE]
+> To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
 
-To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-
-## 2. Prepare the query
+## 1. Prepare the query.
 
 In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
 
 >[!IMPORTANT]
 >To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
 
-
 ### Required columns in the query results
-To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
 
-There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. 
+To use a query for a custom detection rule, the query must return the following columns:
 
-The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
+- `Timestamp`
+- `DeviceId`
+- `ReportId`
+
+Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
+
+There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
+
+The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this to find only those devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
 
 ```kusto
 DeviceEvents
@@ -56,7 +63,10 @@ DeviceEvents
 | where count_ > 5
 ```
 
-## 3. Create new rule and provide alert details
+> [!TIP]
+> For better query performance, set a time filter that matches your intended run frequency for the rule. Since the least frequent run is every 24 hours, filtering for the past day will cover all new data.
+
+## 2. Create a new rule and provide alert details.
 
 With the query in the query editor, select **Create detection rule** and specify the following alert details:
 
@@ -67,36 +77,52 @@ With the query in the query editor, select **Create detection rule** and specify
 - **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
 - **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software
 - **Description**—more information about the component or activity identified by the rule 
-- **Recommended actions**—additional actions that responders might take in response to an alert 
+- **Recommended actions**—additional actions that responders might take in response to an alert
 
 For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
 
 ### Rule frequency
-When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
+
+When saved, a new custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
 
 - **Every 24 hours**—runs every 24 hours, checking data from the past 30 days
 - **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours
 - **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours
 - **Every hour**—runs hourly, checking data from the past 2 hours
 
+> [!TIP]
+> Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.
+
 Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
 
-## 4. Specify actions on files or devices
+## 3. Choose the impacted entities.
+
+Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return both device and user IDs. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions.
+
+You can select only one column for each entity type. Columns that are not returned by your query can't be selected.
+
+## 4. Specify actions.
+
 Your custom detection rule can automatically take actions on files or devices that are returned by the query.
 
 ### Actions on devices
+
 These actions are applied to devices in the `DeviceId` column of the query results:
+
 - **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
 - **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
 - **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
 - **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
 
 ### Actions on files
+
 These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
+
 - **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
 - **Quarantine file**—deletes the file from its current location and places a copy in quarantine
 
-## 5. Set the rule scope
+## 5. Set the rule scope.
+
 Set the scope to specify which devices are covered by the rule:
 
 - All devices
@@ -104,12 +130,15 @@ Set the scope to specify which devices are covered by the rule:
 
 Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
 
-## 6. Review and turn on the rule
+## 6. Review and turn on the rule.
+
 After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
 
+You can [view and manage custom detection rules](custom-detections-manage.md), check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
 
 ## Related topics
-- [View and manage detection rules](custom-detections-manage.md)
+
+- [View and manage custom detection rules](custom-detections-manage.md)
 - [Custom detections overview](overview-custom-detections.md)
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the advanced hunting query language](advanced-hunting-query-language.md)

windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md

@@ -46,6 +46,10 @@ ms.topic: conceptual
 ## 101.09.50
 
 - This product version has been validated on macOS Big Sur 11 beta 9
+
+  > [!IMPORTANT]
+  > Extensive testing of MDE (Microsoft Defender for Endpoint) with new macOS system extensions revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue.
+
 - The new syntax for the `mdatp` command-line tool is now the default one. For more information on the new syntax, see [Resources for Microsoft Defender ATP for Mac](mac-resources.md#configuring-from-the-command-line)
 
   > [!NOTE]