Merge pull request #4634 from MicrosoftDocs/master

Publish 01/28/21, 3:30 PM
2025-05-12 13:27:23 +00:00 · 2021-01-28 15:39:01 -08:00 · 2021-01-28 15:39:01 -08:00 · 97ce87abba
commit 97ce87abba
parent 02ea379dd0 2930a4dcd9
13 changed files with 652 additions and 280 deletions
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -526,6 +526,7 @@
 ##### [Microsoft Defender for Endpoint APIs Schema]()
 ###### [Supported Microsoft Defender for Endpoint APIs](microsoft-defender-atp/exposed-apis-list.md)
 ###### [Release Notes](microsoft-defender-atp/api-release-notes.md)
 ###### [Common REST API error codes](microsoft-defender-atp/common-errors.md)
 ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@ -69,44 +69,144 @@ determination | Nullable Enum | Specifies the determination of the alert. Possib
 category| String | Category of the alert.
 detectionSource | String | Detection source.
 threatFamilyName | String | Threat family.
 threatName | String | Threat name.
 machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
 computerDnsName | String | [machine](machine.md) fully qualified name.
 aadTenantId | String | The Azure Active Directory ID.
-comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
+detectorId | String | The ID of the detector that triggered the alert.
 comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time.
 Evidence | List of Alert evidence | Evidence related to the alert. See example below.
 ### Response example for getting single alert:
-```
+```http
-GET https://api.securitycenter.microsoft.com/api/alerts/da637084217856368682_-292920499
+GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609
 ```
 ```json
 {
-    "id": "da637084217856368682_-292920499",
+	"id": "da637472900382838869_1364969609",
-    "incidentId": 66860,
+	"incidentId": 1126093,
-    "investigationId": 4416234,
+	"investigationId": null,
-    "investigationState": "Running",
+	"assignedTo": null,
    "assignedTo": "secop@contoso.com",
 	"severity": "Low",
 	"status": "New",
-    "classification": "TruePositive",
+	"classification": null,
 	"determination": null,
 	"investigationState": "Queued",
 	"detectionSource": "WindowsDefenderAtp",
-    "category": "CommandAndControl",
+	"detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
 	"category": "Execution",
 	"threatFamilyName": null,
-    "title": "Network connection to a risky host",
+	"title": "Low-reputation arbitrary code executed by signed executable",
-    "description": "A network connection was made to a risky host which has exhibited malicious activity.",
+	"description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
-    "alertCreationTime": "2019-11-03T23:49:45.3823185Z",
+	"alertCreationTime": "2021-01-26T20:33:57.7220239Z",
-    "firstEventTime": "2019-11-03T23:47:16.2288822Z",
+	"firstEventTime": "2021-01-26T20:31:32.9562661Z",
-    "lastEventTime": "2019-11-03T23:47:51.2966758Z",
+	"lastEventTime": "2021-01-26T20:31:33.0577322Z",
-    "lastUpdateTime": "2019-11-03T23:55:52.6Z",
+	"lastUpdateTime": "2021-01-26T20:33:59.2Z",
 	"resolvedTime": null,
-    "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
+	"machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
 	"computerDnsName": "temp123.middleeast.corp.microsoft.com",
 	"rbacGroupName": "A",
    "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
 	"threatName": null,
 	"mitreTechniques": [
 		"T1064",
 		"T1085",
 		"T1220"
 	],
 	"relatedUser": {
        "userName": "temp123",
        "domainName": "MIDDLEEAST"
    },
 	"comments": [
 		{
 			"comment": "test comment for docs",
-            "createdBy": "secop@contoso.com",
+			"createdBy": "secop123@contoso.com",
-            "createdTime": "2019-11-05T14:08:37.8404534Z"
+			"createdTime": "2021-01-26T01:00:37.8404534Z"
 		}
 	],
 	"evidence": [
 		{
 			"entityType": "User",
 			"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
 			"sha1": null,
 			"sha256": null,
 			"fileName": null,
 			"filePath": null,
 			"processId": null,
 			"processCommandLine": null,
 			"processCreationTime": null,
 			"parentProcessId": null,
 			"parentProcessCreationTime": null,
 			"parentProcessFileName": null,
 			"parentProcessFilePath": null,
 			"ipAddress": null,
 			"url": null,
 			"registryKey": null,
 			"registryHive": null,
 			"registryValueType": null,
 			"registryValue": null,
 			"accountName": "eranb",
 			"domainName": "MIDDLEEAST",
 			"userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
 			"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
 			"userPrincipalName": "temp123@microsoft.com",
 			"detectionStatus": null
 		},
 		{
 			"entityType": "Process",
 			"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
 			"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
 			"sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
 			"fileName": "rundll32.exe",
 			"filePath": "C:\\Windows\\SysWOW64",
 			"processId": 3276,
 			"processCommandLine": "rundll32.exe  c:\\temp\\suspicious.dll,RepeatAfterMe",
 			"processCreationTime": "2021-01-26T20:31:32.9581596Z",
 			"parentProcessId": 8420,
 			"parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
 			"parentProcessFileName": "rundll32.exe",
 			"parentProcessFilePath": "C:\\Windows\\System32",
 			"ipAddress": null,
 			"url": null,
 			"registryKey": null,
 			"registryHive": null,
 			"registryValueType": null,
 			"registryValue": null,
 			"accountName": null,
 			"domainName": null,
 			"userSid": null,
 			"aadUserId": null,
 			"userPrincipalName": null,
 			"detectionStatus": "Detected"
 		},
 		{
 			"entityType": "File",
 			"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
 			"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
 			"sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
 			"fileName": "suspicious.dll",
 			"filePath": "c:\\temp",
 			"processId": null,
 			"processCommandLine": null,
 			"processCreationTime": null,
 			"parentProcessId": null,
 			"parentProcessCreationTime": null,
 			"parentProcessFileName": null,
 			"parentProcessFilePath": null,
 			"ipAddress": null,
 			"url": null,
 			"registryKey": null,
 			"registryHive": null,
 			"registryValueType": null,
 			"registryValue": null,
 			"accountName": null,
 			"domainName": null,
 			"userSid": null,
 			"aadUserId": null,
 			"userPrincipalName": null,
 			"detectionStatus": "Detected"
 		}
 	]
 }
--- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
@ -0,0 +1,68 @@
 ---
 title: API release notes
 description: Release notes for anything that is new in the API.
 keywords: apis, mdatp api, updates, notes, release
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 ms.technology: mde
 ---
 # Release Notes
 <br>
 <hr>
 ### 25.01.2021
 <hr>
 - Updated rate limitations for [Advanced Hunting API](run-advanced-query-api.md) from 15 to 45 requests per minute. 
 <br>
 ### 21.01.2021
 <hr>
 - Added new API: [Find devices by tag](machine-tags.md). 
 - Added new API: [Import Indicators](import-ti-indicators.md). 
 <br>
 ### 03.01.2021
 <hr>
 - Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties.
 - Updated [Alert entity](alerts.md): added ***detectorId*** property.
 <br>
 ### 15.12.2020
 <hr>
 - Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md).
 <br>
 ### 04.11.2020
 <hr>
 - Added new API: [Set device value](set-device-value.md).
 - Updated [Device](machine.md) entity: added ***deviceValue*** property.
 <br>
 ### 01.09.2020
 <hr>
 - Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md).
 <br>
 <br>
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@ -99,7 +99,7 @@ Example:
 `OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions`
-`Value: c:\path|e:\path|c:\Whitelisted.exe`
+`Value: c:\path|e:\path|c:\Exclusions.exe`
 > [!NOTE]
 > Be sure to enter OMA-URI values without spaces.
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@ -44,7 +44,7 @@ Not all properties are filterable.
 ### Example 1
-Get 10 latest Alerts with related Evidence
+Get 10 latest Alerts with related Evidence:
 ```http
 HTTP GET  https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
@ -57,75 +57,51 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
    "value": [
 		{
-			"id": "da637306396589640224_1753239473",
+			"id": "da637472900382838869_1364969609",
-			"incidentId": 875832,
+			"incidentId": 1126093,
-			"investigationId": 478434,
+			"investigationId": null,
 			"assignedTo": null,
 			"severity": "Low",
 			"status": "New",
 			"classification": null,
 			"determination": null,
-			"investigationState": "PendingApproval",
+			"investigationState": "Queued",
-			"detectionSource": "WindowsDefenderAv",
+			"detectionSource": "WindowsDefenderAtp",
-			"category": "UnwantedSoftware",
+			"detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
-			"threatFamilyName": "InstallCore",
+			"category": "Execution",
-			"title": "An active 'InstallCore' unwanted software was detected",
+			"threatFamilyName": null,
-			"description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
+			"title": "Low-reputation arbitrary code executed by signed executable",
-			"alertCreationTime": "2020-07-18T03:27:38.9483995Z",
+			"description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
-			"firstEventTime": "2020-07-18T03:25:39.6124549Z",
+			"alertCreationTime": "2021-01-26T20:33:57.7220239Z",
-			"lastEventTime": "2020-07-18T03:26:18.4362304Z",
+			"firstEventTime": "2021-01-26T20:31:32.9562661Z",
-			"lastUpdateTime": "2020-07-18T03:28:19.76Z",
+			"lastEventTime": "2021-01-26T20:31:33.0577322Z",
 			"lastUpdateTime": "2021-01-26T20:33:59.2Z",
 			"resolvedTime": null,
-			"machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
+			"machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
-			"computerDnsName": "temp2.redmond.corp.microsoft.com",
+			"computerDnsName": "temp123.middleeast.corp.microsoft.com",
-			"rbacGroupName": "Ring0",
+			"rbacGroupName": "A",
-			"aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+            "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
 			"threatName": null,
 			"mitreTechniques": [
 				"T1064",
 				"T1085",
 				"T1220"
 			],
 			"relatedUser": {
-				"userName": "temp2",
+                "userName": "temp123",
-				"domainName": "REDMOND"
+                "domainName": "MIDDLEEAST"
            },
-			"comments": [],
+			"comments": [
 				{
 					"comment": "test comment for docs",
 					"createdBy": "secop123@contoso.com",
 					"createdTime": "2021-01-26T01:00:37.8404534Z"
 				}
 			],
 			"evidence": [
 				{
 					"entityType": "File",
 					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
 					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
 					"fileName": "Your File Is Ready To Download_1911150169.exe",
 					"filePath": "C:\\Users\\temp2\\Downloads",
 					"processId": null,
 					"processCommandLine": null,
 					"processCreationTime": null,
 					"parentProcessId": null,
 					"parentProcessCreationTime": null,
 					"ipAddress": null,
 					"url": null,
 					"accountName": null,
 					"domainName": null,
 					"userSid": null,
 					"aadUserId": null,
 					"userPrincipalName": null
 				},
 				{
 					"entityType": "Process",
 					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
 					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
 					"fileName": "Your File Is Ready To Download_1911150169.exe",
 					"filePath": "C:\\Users\\temp2\\Downloads",
 					"processId": 24348,
 					"processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
 					"processCreationTime": "2020-07-18T03:25:38.5269993Z",
 					"parentProcessId": 16840,
 					"parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
 					"ipAddress": null,
 					"url": null,
 					"accountName": null,
 					"domainName": null,
 					"userSid": null,
 					"aadUserId": null,
 					"userPrincipalName": null
 				},
 				{
 					"entityType": "User",
 					"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
 					"sha1": null,
 					"sha256": null,
 					"fileName": null,
@ -135,13 +111,74 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
 					"processCreationTime": null,
 					"parentProcessId": null,
 					"parentProcessCreationTime": null,
 					"parentProcessFileName": null,
 					"parentProcessFilePath": null,
 					"ipAddress": null,
 					"url": null,
-					"accountName": "temp2",
+					"registryKey": null,
-					"domainName": "REDMOND",
+					"registryHive": null,
-					"userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
+					"registryValueType": null,
-					"aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
+					"registryValue": null,
-					"userPrincipalName": "temp2@microsoft.com"
+					"accountName": "eranb",
 					"domainName": "MIDDLEEAST",
 					"userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
 					"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
 					"userPrincipalName": "temp123@microsoft.com",
 					"detectionStatus": null
 				},
 				{
 					"entityType": "Process",
 					"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
 					"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
 					"sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
 					"fileName": "rundll32.exe",
 					"filePath": "C:\\Windows\\SysWOW64",
 					"processId": 3276,
 					"processCommandLine": "rundll32.exe  c:\\temp\\suspicious.dll,RepeatAfterMe",
 					"processCreationTime": "2021-01-26T20:31:32.9581596Z",
 					"parentProcessId": 8420,
 					"parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
 					"parentProcessFileName": "rundll32.exe",
 					"parentProcessFilePath": "C:\\Windows\\System32",
 					"ipAddress": null,
 					"url": null,
 					"registryKey": null,
 					"registryHive": null,
 					"registryValueType": null,
 					"registryValue": null,
 					"accountName": null,
 					"domainName": null,
 					"userSid": null,
 					"aadUserId": null,
 					"userPrincipalName": null,
 					"detectionStatus": "Detected"
 				},
 				{
 					"entityType": "File",
 					"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
 					"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
 					"sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
 					"fileName": "suspicious.dll",
 					"filePath": "c:\\temp",
 					"processId": null,
 					"processCommandLine": null,
 					"processCreationTime": null,
 					"parentProcessId": null,
 					"parentProcessCreationTime": null,
 					"parentProcessFileName": null,
 					"parentProcessFilePath": null,
 					"ipAddress": null,
 					"url": null,
 					"registryKey": null,
 					"registryHive": null,
 					"registryValueType": null,
 					"registryValue": null,
 					"accountName": null,
 					"domainName": null,
 					"userSid": null,
 					"aadUserId": null,
 					"userPrincipalName": null,
 					"detectionStatus": "Detected"
 				}
 			]
 		},
@ -152,7 +189,7 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
 ### Example 2
-Get all the alerts last updated after 2019-11-22 00:00:00
+Get all the alerts last updated after 2019-11-22 00:00:00:
 ```http
 HTTP GET  https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z
@ -188,6 +225,12 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate
            "computerDnsName": "temp123.middleeast.corp.microsoft.com",
            "rbacGroupName": "MiddleEast",
            "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
 			"threatName": null,
 			"mitreTechniques": [
 				"T1064",
 				"T1085",
 				"T1220"
 			],
            "relatedUser": {
                "userName": "temp123",
                "domainName": "MIDDLEEAST"
@ -208,7 +251,7 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate
 ### Example 3
-Get all the devices with 'High' 'RiskScore'
+Get all the devices with 'High' 'RiskScore':
 ```http
 HTTP GET  https://api.securitycenter.microsoft.com/api/machines?$filter=riskScore+eq+'High'
@ -224,21 +267,35 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/machines?$filter=riskScor
 			"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
 			"computerDnsName": "mymachine1.contoso.com",
 			"firstSeen": "2018-08-02T14:55:03.7791856Z",
-			"lastSeen": "2018-08-02T14:55:03.7791856Z",
+			"lastSeen": "2021-01-25T07:27:36.052313Z",
 			"osPlatform": "Windows10",
 			"version": "1709",
 			"osProcessor": "x64",
-			"lastIpAddress": "172.17.230.209",
+			"version": "1901",
-			"lastExternalIpAddress": "167.220.196.71",
+			"lastIpAddress": "10.166.113.46",
-			"osBuild": 18209,
+			"lastExternalIpAddress": "167.220.203.175",
 			"osBuild": 19042,
 			"healthStatus": "Active",
-			"rbacGroupId": 140,
+			"deviceValue": "Normal",
 			"rbacGroupName": "The-A-Team",
 			"riskScore": "High",
-			"exposureLevel": "Medium",
+			"exposureLevel": "Low",
-			"isAadJoined": true,
+			"aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
-			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [
-			"machineTags": [ "test tag 1", "ExampleTag" ]
+				"Tag1",
 				"Tag2"
 			],
 			"ipAddresses": [
 				{
 					"ipAddress": "10.166.113.47",
 					"macAddress": "8CEC4B897E73",
 					"operationalStatus": "Up"
 				},
 				{
 					"ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
 					"macAddress": "8CEC4B897E73",
 					"operationalStatus": "Up"
 				}
 			]
 		},
        ...
    ]
@ -247,7 +304,7 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/machines?$filter=riskScor
 ### Example 4
-Get top 100 devices with 'HealthStatus' not equals to 'Active'
+Get top 100 devices with 'HealthStatus' not equals to 'Active':
 ```http
 HTTP GET  https://api.securitycenter.microsoft.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100 
@ -263,21 +320,35 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/machines?$filter=healthSt
 			"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
 			"computerDnsName": "mymachine1.contoso.com",
 			"firstSeen": "2018-08-02T14:55:03.7791856Z",
-			"lastSeen": "2018-08-02T14:55:03.7791856Z",
+			"lastSeen": "2021-01-25T07:27:36.052313Z",
 			"osPlatform": "Windows10",
 			"version": "1709",
 			"osProcessor": "x64",
-			"lastIpAddress": "172.17.230.209",
+			"version": "1901",
-			"lastExternalIpAddress": "167.220.196.71",
+			"lastIpAddress": "10.166.113.46",
-			"osBuild": 18209,
+			"lastExternalIpAddress": "167.220.203.175",
-			"healthStatus": "ImpairedCommunication",
+			"osBuild": 19042,
-			"rbacGroupId": 140,
+			"healthStatus": "Active",
 			"deviceValue": "Normal",
 			"rbacGroupName": "The-A-Team",
 			"riskScore": "Low",
-			"exposureLevel": "Medium",
+			"exposureLevel": "Low",
-			"isAadJoined": true,
+			"aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
-			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [
-			"machineTags": [ "test tag 1", "ExampleTag" ]
+				"Tag1",
 				"Tag2"
 			],
 			"ipAddresses": [
 				{
 					"ipAddress": "10.166.113.47",
 					"macAddress": "8CEC4B897E73",
 					"operationalStatus": "Up"
 				},
 				{
 					"ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
 					"macAddress": "8CEC4B897E73",
 					"operationalStatus": "Up"
 				}
 			]
 		},
        ...
    ]
@ -286,7 +357,7 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/machines?$filter=healthSt
 ### Example 5
-Get all the devices that last seen after 2018-10-20
+Get all the devices that last seen after 2018-10-20:
 ```http
 HTTP GET  https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen gt 2018-08-01Z
@ -302,21 +373,35 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen
 			"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
 			"computerDnsName": "mymachine1.contoso.com",
 			"firstSeen": "2018-08-02T14:55:03.7791856Z",
-			"lastSeen": "2018-08-02T14:55:03.7791856Z",
+			"lastSeen": "2021-01-25T07:27:36.052313Z",
 			"osPlatform": "Windows10",
 			"version": "1709",
 			"osProcessor": "x64",
-			"lastIpAddress": "172.17.230.209",
+			"version": "1901",
-			"lastExternalIpAddress": "167.220.196.71",
+			"lastIpAddress": "10.166.113.46",
-			"osBuild": 18209,
+			"lastExternalIpAddress": "167.220.203.175",
-			"healthStatus": "ImpairedCommunication",
+			"osBuild": 19042,
-			"rbacGroupId": 140,
+			"healthStatus": "Active",
 			"deviceValue": "Normal",
 			"rbacGroupName": "The-A-Team",
 			"riskScore": "Low",
-			"exposureLevel": "Medium",
+			"exposureLevel": "Low",
-			"isAadJoined": true,
+			"aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
-			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [
-			"machineTags": [ "test tag 1", "ExampleTag" ]
+				"Tag1",
 				"Tag2"
 			],
 			"ipAddresses": [
 				{
 					"ipAddress": "10.166.113.47",
 					"macAddress": "8CEC4B897E73",
 					"operationalStatus": "Up"
 				},
 				{
 					"ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
 					"macAddress": "8CEC4B897E73",
 					"operationalStatus": "Up"
 				}
 			]
 		},
        ...
    ]
@ -325,7 +410,7 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen
 ### Example 6
-Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint
+Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint:
 ```http
 HTTP GET  https://api.securitycenter.microsoft.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
@ -387,21 +472,35 @@ json{
 			"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
 			"computerDnsName": "mymachine1.contoso.com",
 			"firstSeen": "2018-08-02T14:55:03.7791856Z",
-	    "lastSeen": "2018-08-02T14:55:03.7791856Z",
+			"lastSeen": "2021-01-25T07:27:36.052313Z",
 			"osPlatform": "Windows10",
 	    "version": "1709",
 			"osProcessor": "x64",
-	    "lastIpAddress": "172.17.230.209",
+			"version": "1901",
-	    "lastExternalIpAddress": "167.220.196.71",
+			"lastIpAddress": "10.166.113.46",
-	    "osBuild": 18209,
+			"lastExternalIpAddress": "167.220.203.175",
-	    "healthStatus": "ImpairedCommunication",
+			"osBuild": 19042,
-	    "rbacGroupId": 140,
+			"healthStatus": "Active",
 			"deviceValue": "Normal",
 			"rbacGroupName": "The-A-Team",
 			"riskScore": "Low",
-	    "exposureLevel": "Medium",
+			"exposureLevel": "Low",
-	    "isAadJoined": true,
+			"aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
-	    "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [
-	    "machineTags": [ "test tag 1", "ExampleTag" ]
+				"Tag1",
 				"Tag2"
 			],
 			"ipAddresses": [
 				{
 					"ipAddress": "10.166.113.47",
 					"macAddress": "8CEC4B897E73",
 					"operationalStatus": "Up"
 				},
 				{
 					"ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
 					"macAddress": "8CEC4B897E73",
 					"operationalStatus": "Up"
 				}
 			]
 		},
        ...
    ]
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
@ -56,7 +56,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
 >- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
 ## HTTP request
-```
+
 ```http
 GET /api/alerts/{id}/machine
 ```
@ -90,24 +91,37 @@ Here is an example of the response.
 ```json
 {
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines/$entity",
 	"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
 	"computerDnsName": "mymachine1.contoso.com",
 	"firstSeen": "2018-08-02T14:55:03.7791856Z",
-	"lastSeen": "2018-08-02T14:55:03.7791856Z",
+	"lastSeen": "2021-01-25T07:27:36.052313Z",
 	"osPlatform": "Windows10",
    "version": "1709",
 	"osProcessor": "x64",
-    "lastIpAddress": "172.17.230.209",
+	"version": "1901",
-    "lastExternalIpAddress": "167.220.196.71",
+	"lastIpAddress": "10.166.113.46",
-    "osBuild": 18209,
+	"lastExternalIpAddress": "167.220.203.175",
 	"osBuild": 19042,
 	"healthStatus": "Active",
-    "rbacGroupId": 140,
+	"deviceValue": "Normal",
 	"rbacGroupName": "The-A-Team",
 	"riskScore": "Low",
-	"exposureLevel": "Medium",
+	"exposureLevel": "Low",
-	"isAadJoined": true,
+	"aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
-    "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+	"machineTags": [
-	"machineTags": [ "test tag 1", "test tag 2" ]
+		"Tag1",
 		"Tag2"
 	],
 	"ipAddresses": [
 		{
 			"ipAddress": "10.166.113.47",
 			"macAddress": "8CEC4B897E73",
 			"operationalStatus": "Up"
 		},
 		{
 			"ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
 			"macAddress": "8CEC4B897E73",
 			"operationalStatus": "Up"
 		}
 	]
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@ -128,6 +128,12 @@ Here is an example of the response.
            "computerDnsName": "temp123.middleeast.corp.microsoft.com",
            "rbacGroupName": "MiddleEast",
            "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
 			"threatName": null,
 			"mitreTechniques": [
 				"T1064",
 				"T1085",
 				"T1220"
 			],
            "relatedUser": {
                "userName": "temp123",
                "domainName": "MIDDLEEAST"
@ -170,75 +176,51 @@ Here is an example of the response.
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
    "value": [
 		{
-			"id": "da637306396589640224_1753239473",
+			"id": "da637472900382838869_1364969609",
-			"incidentId": 875832,
+			"incidentId": 1126093,
-			"investigationId": 478434,
+			"investigationId": null,
 			"assignedTo": null,
 			"severity": "Low",
 			"status": "New",
 			"classification": null,
 			"determination": null,
-			"investigationState": "PendingApproval",
+			"investigationState": "Queued",
-			"detectionSource": "WindowsDefenderAv",
+			"detectionSource": "WindowsDefenderAtp",
-			"category": "UnwantedSoftware",
+			"detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
-			"threatFamilyName": "InstallCore",
+			"category": "Execution",
-			"title": "An active 'InstallCore' unwanted software was detected",
+			"threatFamilyName": null,
-			"description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
+			"title": "Low-reputation arbitrary code executed by signed executable",
-			"alertCreationTime": "2020-07-18T03:27:38.9483995Z",
+			"description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
-			"firstEventTime": "2020-07-18T03:25:39.6124549Z",
+			"alertCreationTime": "2021-01-26T20:33:57.7220239Z",
-			"lastEventTime": "2020-07-18T03:26:18.4362304Z",
+			"firstEventTime": "2021-01-26T20:31:32.9562661Z",
-			"lastUpdateTime": "2020-07-18T03:28:19.76Z",
+			"lastEventTime": "2021-01-26T20:31:33.0577322Z",
 			"lastUpdateTime": "2021-01-26T20:33:59.2Z",
 			"resolvedTime": null,
-			"machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
+			"machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
-			"computerDnsName": "temp2.redmond.corp.microsoft.com",
+			"computerDnsName": "temp123.middleeast.corp.microsoft.com",
-			"rbacGroupName": "Ring0",
+			"rbacGroupName": "A",
-			"aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+            "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
 			"threatName": null,
 			"mitreTechniques": [
 				"T1064",
 				"T1085",
 				"T1220"
 			],
 			"relatedUser": {
-				"userName": "temp2",
+                "userName": "temp123",
-				"domainName": "REDMOND"
+                "domainName": "MIDDLEEAST"
            },
-			"comments": [],
+			"comments": [
 				{
 					"comment": "test comment for docs",
 					"createdBy": "secop123@contoso.com",
 					"createdTime": "2021-01-26T01:00:37.8404534Z"
 				}
 			],
 			"evidence": [
 				{
 					"entityType": "File",
 					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
 					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
 					"fileName": "Your File Is Ready To Download_1911150169.exe",
 					"filePath": "C:\\Users\\temp2\\Downloads",
 					"processId": null,
 					"processCommandLine": null,
 					"processCreationTime": null,
 					"parentProcessId": null,
 					"parentProcessCreationTime": null,
 					"ipAddress": null,
 					"url": null,
 					"accountName": null,
 					"domainName": null,
 					"userSid": null,
 					"aadUserId": null,
 					"userPrincipalName": null
 				},
 				{
 					"entityType": "Process",
 					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
 					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
 					"fileName": "Your File Is Ready To Download_1911150169.exe",
 					"filePath": "C:\\Users\\temp2\\Downloads",
 					"processId": 24348,
 					"processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
 					"processCreationTime": "2020-07-18T03:25:38.5269993Z",
 					"parentProcessId": 16840,
 					"parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
 					"ipAddress": null,
 					"url": null,
 					"accountName": null,
 					"domainName": null,
 					"userSid": null,
 					"aadUserId": null,
 					"userPrincipalName": null
 				},
 				{
 					"entityType": "User",
 					"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
 					"sha1": null,
 					"sha256": null,
 					"fileName": null,
@ -248,13 +230,74 @@ Here is an example of the response.
 					"processCreationTime": null,
 					"parentProcessId": null,
 					"parentProcessCreationTime": null,
 					"parentProcessFileName": null,
 					"parentProcessFilePath": null,
 					"ipAddress": null,
 					"url": null,
-					"accountName": "temp2",
+					"registryKey": null,
-					"domainName": "REDMOND",
+					"registryHive": null,
-					"userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
+					"registryValueType": null,
-					"aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
+					"registryValue": null,
-					"userPrincipalName": "temp2@microsoft.com"
+					"accountName": "eranb",
 					"domainName": "MIDDLEEAST",
 					"userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
 					"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
 					"userPrincipalName": "temp123@microsoft.com",
 					"detectionStatus": null
 				},
 				{
 					"entityType": "Process",
 					"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
 					"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
 					"sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
 					"fileName": "rundll32.exe",
 					"filePath": "C:\\Windows\\SysWOW64",
 					"processId": 3276,
 					"processCommandLine": "rundll32.exe  c:\\temp\\suspicious.dll,RepeatAfterMe",
 					"processCreationTime": "2021-01-26T20:31:32.9581596Z",
 					"parentProcessId": 8420,
 					"parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
 					"parentProcessFileName": "rundll32.exe",
 					"parentProcessFilePath": "C:\\Windows\\System32",
 					"ipAddress": null,
 					"url": null,
 					"registryKey": null,
 					"registryHive": null,
 					"registryValueType": null,
 					"registryValue": null,
 					"accountName": null,
 					"domainName": null,
 					"userSid": null,
 					"aadUserId": null,
 					"userPrincipalName": null,
 					"detectionStatus": "Detected"
 				},
 				{
 					"entityType": "File",
 					"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
 					"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
 					"sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
 					"fileName": "suspicious.dll",
 					"filePath": "c:\\temp",
 					"processId": null,
 					"processCommandLine": null,
 					"processCreationTime": null,
 					"parentProcessId": null,
 					"parentProcessCreationTime": null,
 					"parentProcessFileName": null,
 					"parentProcessFilePath": null,
 					"ipAddress": null,
 					"url": null,
 					"registryKey": null,
 					"registryHive": null,
 					"registryValueType": null,
 					"registryValue": null,
 					"accountName": null,
 					"domainName": null,
 					"userSid": null,
 					"aadUserId": null,
 					"userPrincipalName": null,
 					"detectionStatus": "Detected"
 				}
 			]
 		},
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
@ -41,7 +41,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).
 Permission type |	Permission	|	Permission display name
 :---|:---|:---
@ -93,25 +93,37 @@ Here is an example of the response.
 ```json
 {
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine",
 	"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
 	"computerDnsName": "mymachine1.contoso.com",
 	"firstSeen": "2018-08-02T14:55:03.7791856Z",
-	"lastSeen": "2018-08-02T14:55:03.7791856Z",
+	"lastSeen": "2021-01-25T07:27:36.052313Z",
 	"osPlatform": "Windows10",
 	"version": "1709",
 	"osProcessor": "x64",
-	"lastIpAddress": "172.17.230.209",
+	"version": "1901",
-	"lastExternalIpAddress": "167.220.196.71",
+	"lastIpAddress": "10.166.113.46",
-	"osBuild": 18209,
+	"lastExternalIpAddress": "167.220.203.175",
 	"osBuild": 19042,
 	"healthStatus": "Active",
-	"rbacGroupId": 140,
+	"deviceValue": "Normal",
 	"rbacGroupName": "The-A-Team",
 	"riskScore": "Low",
-	"exposureLevel": "Medium",
+	"exposureLevel": "Low",
-	"isAadJoined": true,
+	"aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
-	"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+	"machineTags": [
-	"machineTags": [ "test tag 1", "test tag 2" ]
+		"Tag1",
 		"Tag2"
 	],
 	"ipAddresses": [
 		{
 			"ipAddress": "10.166.113.47",
 			"macAddress": "8CEC4B897E73",
 			"operationalStatus": "Up"
 		},
 		{
 			"ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
 			"macAddress": "8CEC4B897E73",
 			"operationalStatus": "Up"
 		}
 	]
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
@ -33,9 +33,12 @@ ms.technology: mde
 ## API description
 Retrieves a collection of [Machines](machine.md) that have communicated with  Microsoft Defender for Endpoint cloud.
-<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
+
-<br>The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
+Supports [OData V4 queries](https://www.odata.org/documentation/).
-<br>See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md)
+
 The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
 See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md).
 ## Limitations
@ -55,8 +58,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
 >[!Note]
 > When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information).
->- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>- Response will include only devices, that the user have access to, based on device group settings. For more info, see [Create and manage device groups](machine-groups.md).
 ## HTTP request
@ -100,22 +103,36 @@ Here is an example of the response.
 			"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
 			"computerDnsName": "mymachine1.contoso.com",
 			"firstSeen": "2018-08-02T14:55:03.7791856Z",
-			"lastSeen": "2018-08-02T14:55:03.7791856Z",
+			"lastSeen": "2021-01-25T07:27:36.052313Z",
 			"osPlatform": "Windows10",
 			"version": "1709",
 			"osProcessor": "x64",
-			"lastIpAddress": "172.17.230.209",
+			"version": "1901",
-			"lastExternalIpAddress": "167.220.196.71",
+			"lastIpAddress": "10.166.113.46",
-			"osBuild": 18209,
+			"lastExternalIpAddress": "167.220.203.175",
 			"osBuild": 19042,
 			"healthStatus": "Active",
-			"rbacGroupId": 140,
+			"deviceValue": "Normal",
 			"rbacGroupName": "The-A-Team",
 			"riskScore": "Low",
-			"exposureLevel": "Medium",
+			"exposureLevel": "Low",
-			"isAadJoined": true,
+			"aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
-			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [
-			"machineTags": [ "test tag 1", "test tag 2" ]
+				"Tag1",
 				"Tag2"
 			],
 			"ipAddresses": [
 				{
 					"ipAddress": "10.166.113.47",
 					"macAddress": "8CEC4B897E73",
 					"operationalStatus": "Up"
 				},
 				{
 					"ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
 					"macAddress": "8CEC4B897E73",
 					"operationalStatus": "Up"
 				}
 			]
 		},
 		...
    ]
 }
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
@ -2,7 +2,7 @@
 title: Create indicators for files
 ms.reviewer: 
 description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities.
-keywords: file, hash, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
+keywords: file, hash, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
@ -39,7 +39,7 @@ There are two ways you can create indicators for files:
 ### Before you begin
 It's important to understand the following prerequisites prior to creating indicators for files:
- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
 - The Antimalware client version must be 4.18.1901.x or later.
 - Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019.
 - To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
@ -2,7 +2,7 @@
 title: Create indicators for IPs and URLs/domains
 ms.reviewer: 
 description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities.
-keywords: ip, url, domain, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
+keywords: ip, url, domain, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@ -58,17 +58,19 @@ computerDnsName | String | [machine](machine.md) fully qualified name.
 firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint.
 lastSeen | DateTimeOffset |Time and date of the last received full device report. A device typically sends a full report every 24 hours.
 osPlatform | String | Operating system platform.
 osProcessor | String | Operating system processor.
 version | String | Operating system Version.
 osBuild | Nullable long | Operating system build number.
 lastIpAddress | String | Last IP on local NIC on the [machine](machine.md).
 lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet.
 healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown". 
 rbacGroupName | String | Machine group Name.
 rbacGroupId | Int | Machine group unique ID.
 riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'.
 exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.
 aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is AAD Joined).
 machineTags | String collection | Set of [machine](machine.md) tags.
 exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.
 deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'.
 ipAddresses | IpAddress collection | Set of ***IpAddress*** objects. See [Get machines API](get-machines.md).
--- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
@ -73,12 +73,28 @@ Content-Type | string | application/json. **Required**.
 ## Request body
-```json
+In the request body, supply a JSON object with the following parameters:
-{
+
-  "DeviceValue": "{device value}"
+Parameter |    Type    | Description
-}
+:---|:---|:---
-```
+DeviceValue |    Enum |    Device value. Allowed values are: 'Normal', 'Low' and 'High'. **Required**.
 ## Response
 If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
 ## Example
 **Request**
 Here is an example of a request that adds machine tag.
 ```http
 POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue
 ```
 ```json
 {
  "DeviceValue" : "High"
 }
 ```