diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bug-caution-icon2.png b/windows/security/threat-protection/microsoft-defender-atp/images/bug-caution-icon2.png
new file mode 100644
index 0000000000..0da9ac0e88
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bug-caution-icon2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bug-lightning-icon2.png b/windows/security/threat-protection/microsoft-defender-atp/images/bug-lightning-icon2.png
new file mode 100644
index 0000000000..36a6a2509c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bug-lightning-icon2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/report-warning-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/report-warning-icon.png
new file mode 100644
index 0000000000..b3e9f9a8ad
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/report-warning-icon.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-insights.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-insights.md
index d9e6e8f49e..6ca6ebd67e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-insights.md
@@ -72,8 +72,10 @@ The following event types reflect time-stamped events that impact the score:
 
 The following icons show up next to events:
 
-- ![bug icon](images/tvm_bug_icon.png) New public exploit. A vulnerability became exploitable.
-- [page with caution symbol] New vulnerability was published.
+- ![bug icon](images/tvm_bug_icon.png) New public exploit
+- ![report warning icon](images/report-warning-icon.png) New vulnerability was published
+- ![exploit kit](images/bug-lightning-icon2.png) Exploit found in exploit kit
+- ![bug icon](images/bug-caution-icon2.png) Exploit verified
 
 ## Related topics
 
@@ -86,8 +88,6 @@ The following icons show up next to events:
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Score APIs](software.md)
+- [Vulnerability APIs](vulnerability.md)
\ No newline at end of file