diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md
new file mode 100644
index 0000000000..b6250bc237
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md
@@ -0,0 +1,50 @@
+---
+title: Extend advanced hunting coverage with the right settings
+description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting
+keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 09/20/2020
+---
+
+# Extend advanced hunting coverage with the right settings
+
+## Create custom detection rules
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[Advanced hunting](advanced-hunting-overview.md) relies on data coming from various sources, including your devices, your Office 365 workspaces, Azure AD, and Azure ATP. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
+
+## Advanced security auditing on Windows devices
+
+Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation.
+
+Data | Description | Schema table | How to configure
+-|-|-|-
+Account management | Events captured as various `ActionType` values indicating local account creation, deletion, and other account-related activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit User Account Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-user-account-management)
- [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
+Security group management | Events captured as various `ActionType` values indicating local security group creation and other local group management activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security Group Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-group-management)
- [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
+Service installation | Events captured with the `ActionType` value `ServiceInstalled`, indicating that a service has been created | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security System Extension](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-system-extension)
- [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Work with query results](advanced-hunting-query-results.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md
index d12e51c9d8..f915252f17 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md
@@ -4,7 +4,7 @@ description: Quickly address threats and affected assets in your advanced huntin
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.prod: microsoft-365-enterprise
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -17,6 +17,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
+ms.date: 09/20/2020
---
# Take action on advanced hunting query results
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 6021933e52..947c8c38b5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -16,10 +16,13 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
+ms.date: 09/20/2020
---
# Create custom detection rules
+
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.