From 93b2bc88b745112558a4e7e7182bb3f0729872bc Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 20 Sep 2017 14:39:40 -0700 Subject: [PATCH] general updates --- ...-windows-defender-advanced-threat-protection.md | 2 +- ...-windows-defender-advanced-threat-protection.md | 14 ++------------ ...-windows-defender-advanced-threat-protection.md | 12 +++--------- 3 files changed, 6 insertions(+), 22 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md index f775017c4c..e9c01a20cf 100644 --- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -77,7 +77,7 @@ Field numbers match the numbers in the images below. ![Image of artifact timeline with numbers](images/atp-siem-mapping3.png) -![Image of alert timeline with numbers](images/atp-siem-mapping4.png) +![Image of artifact timeline with numbers](images/atp-siem-mapping4.png) ![Image machine view](images/atp-mapping6.png) diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index f437a524b9..4581751734 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md 
@@ -93,18 +93,8 @@ Use the search bar to look for specific timeline events. Harness the power of us - Behaviors mode: displays "detections" and selected events of interest - Verbose mode: displays all raw events without aggregation or filtering -- **Event type** - Click the drop-down button to filter by the following levels: - - Windows Defender ATP alerts - - Windows Defender AV alerts - - Response actions - - AppGuard related events - - Windows Defender Device Guard events - - Process events - - Network events - - File events - - Registry events - - Load DLL events - - Other events

+- **Event type** - Click the drop-down button to filter by events such as Windows - Windows Defender ATP alerts, Windows Defender Application Guard events, registry events, file events, and others. + Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed. - **User account** – Click the drop-down button to filter the machine timeline by the following user associated events: diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md index 70660d58f9..ca3569887b 100644 --- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -60,19 +60,14 @@ You can use the following filters to limit the list of machines displayed during - Mac OS - Other -**Health**
-- All -- Well configure -- Requires attention - Depending on the Windows Defender security controls configured in your enterprise, you'll see various available filters. - **Sensor health state**
Filter the list to view specific machines grouped together by the following machine health states: - **Active** – Machines that are actively reporting sensor data to the service. - **Misconfigured** – Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to: - - Impaired communications - No sensor data + - Impaired communications For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). - **Inactive** – Machines that have completely stopped sending signals for more than 7 days. @@ -85,6 +80,7 @@ Filter the list to view specific machines that are well configured or require at - **Well configured** - Machines have the Windows Defender security controls well configured. - **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization. +For more information, see [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md). **Malware category alerts**
Filter the list to view specific machines grouped together by the following malware categories: @@ -109,13 +105,11 @@ Exporting the list in CSV format displays the data in an unfiltered manner. The You can sort the **Machines list** by the following columns: - **Machine name** - Name or GUID of the machine -- **Domain** - Domain where the machine is joined in -- **OS Platform** - Indicates the OS of the machine - **Health State** – Indicates if the machine is misconfigured or is not sending sensor data - **Last seen** - Date and time when the machine last reported sensor data - **Internal IP** - Local internal Internet Protocol (IP) address of the machine - **Active Alerts** - Number of alerts reported by the machine by severity -- **Active malware detections** - Number of active malware detections reported by the machine +- **Active malware alerts** - Number of active malware detections reported by the machine > [!NOTE] > The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) as the active real-time protection antimalware product.
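Review bot: after the api-portal-mapping hunk the two consecutive images atp-siem-mapping3.png and atp-siem-mapping4.png carry identical alt text, `![Image of artifact timeline with numbers]`, so a screen reader (and anyone grepping the source) can no longer tell the two figures apart. If both really show the artifact timeline, distinguish them (for example `![Image of artifact timeline with numbers, continued]`); if mapping4 is the alert timeline after all, the original alt text should stay.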
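Review bot: the replacement bullet in the investigate-machines hunk has a stray `Windows - ` before `Windows Defender ATP alerts` (`filter by events such as Windows - Windows Defender ATP alerts, ...`); drop it. More importantly, collapsing the eleven-item event-type list into `such as ... and others` removes the only place the page enumerated the available filters, yet the paragraph that follows still tells the reader to filter down to `Process events` and `network events`, neither of which is named any more. Either keep the full list (including Response actions, Process, Network and Load DLL events) or at least name every event type the next paragraph relies on.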
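Review bot: in the machines-view-overview `@@ -60,19` hunk, removing the `No sensor data` sub-bullet leaves `Misconfigured machines can further be classified to:` followed by a single item, `Impaired communications`, which is no longer a classification, and it now contradicts both the bullet's own definition (`... or are unable to send sensor data`) and the `Health State` column description further down (`misconfigured or is not sending sensor data`). If `No sensor data` is no longer a distinct state, reword the definition and drop the `can further be classified to:` lead-in; otherwise restore the sub-bullet. Dropping the `Health` filter block (`All` / `Well configure` / `Requires attention`) is fine, since the well-configured/requires-attention filter is still described later in the same file. One more thing visible in the unchanged context: the link target is spelled `fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md`; if that is the file's actual name the link works, otherwise it is broken.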
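Review bot: in the `@@ -85,6` hunk the added `For more information, see [View the Security Analytics dashboard](...)` line sits directly under the `- **Requires attention**` bullet with no blank line between them, so Markdown will render it as a lazy continuation of that list item rather than as a standalone paragraph. Insert a blank line before it.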
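Review bot: in the `@@ -109,13` hunk, renaming the sortable column to `**Active malware alerts**` leaves the NOTE immediately below still referring to `The **Active malware detections** filter column`, and the bullet's own description still reads `Number of active malware detections`, so the page now uses two names for one column. Update the note (and, if the UI label changed, the description) to match, or keep the original name. Separately, `Domain` and `OS Platform` are dropped from the sortable-columns list; confirm the portal really no longer sorts on them, since the filter list earlier in the file (the `Mac OS` / `Other` entries) still offers the OS platform as a filter.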