update content

windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md

@@ -36,14 +36,48 @@ To see a list of alerts, click any of the queues under the **Alerts queue** opti
 > [!NOTE]
 > By default, the queues are sorted from newest to oldest.
 
+## Sort and filter the alerts
+You can sort and filter the alerts by using the available filters or clicking columns that allow you to sort the view in ascending or descending order.
+
 The alerts view contains the following columns:
--	Title – [Ask Daniel if we can change this to just Alert] a brief description of the alert
+-	**Title** – A brief description of the alert
--	Machine and user – machine where the alert was seen and the user entity associated with the alert
+-	**Machine and user** – Machine where the alert was seen and the user entity associated with the alert
--	Severity – the alert severity level
+-	**Severity** – Alert severity level
--	Last activity – last seen activity related to the alert
+-	**Last activity** – Last seen activity related to the alert
--	Time in queue – number of days the alert has been in the queue
+-	**Time in queue** – Number of days the alert has been in the queue
--	Status – indicates the queue status
+-	**Status** – Indicates the queue status
--	Assigned to – shows the security operations administrator handling the alert
+-	**Assigned to** – Shows who is addressing the alert
+
+### Filter the alerts list
+You can use the following filters to limit the list of alerts displayed during an investigation:
+
+**Severity**</br>
+- Low
+- Medium
+- High
+- Informational
+
+Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
+
+**Detection source**</br>
+- Windows Defender AV
+- Windows Defender ATP
+
+>[!NOTE] The Windows Defender AV filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product.
+
+**Time period**</br>
+- 1 day
+- 3 days
+- 7 days
+- 30 days
+- 6 months
+
+**View**</br>
+- Flat view - Shows alerts in a chronological order as an alert surfaces.
+- Grouped view - Groups alerts based on commonalities such as alert ID, file hash, or malware family.
+
+The group view allows for efficient alert triage and management. 
+
 
 
 The following table and screenshot demonstrate the main areas of the **Alerts queue**.

windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md

@@ -39,20 +39,6 @@ You can also download the entire list using the export feature.
 
 ![Image of machines view with list of machines](images/atp-machines-view-list.png)
 
-### Sort the Machines view
-You can sort the **Machines view** by the following columns:
-
-- **Machine name** - Name or GUID of the machine
-- **Domain** - Domain the machine belongs to
-- **Last seen** - Date and time when the machine last reported sensor data
-- **Internal IP** - Local internal Internet Protocol (IP) address of the machine
-- **Health State** – Indicates if the machine is misconfigured or is not sending sensor data
-- **Active Alerts** - Number of alerts reported by the machine by severity
-- **Active malware detections** - Number of active malware detections reported by the machine
-
-> [!NOTE]
-> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](windows-defender-in-windows-10.md) as the default real-time protection antimalware product.
-
 ### Filter the Machines view
 You can use the following filters to limit the list of machines displayed during an investigation:
 
@@ -85,6 +71,21 @@ You can  download a full list of all the machines in your organization, in CSV f
 **Note**: Exporting the list depends on the number of machines in your organization. It can take a significant amount of time to download, depending on how large your organization is.
 Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
 
+### Sort the Machines view
+You can sort the **Machines view** by the following columns:
+
+- **Machine name** - Name or GUID of the machine
+- **Domain** - Domain the machine belongs to
+- **Last seen** - Date and time when the machine last reported sensor data
+- **Internal IP** - Local internal Internet Protocol (IP) address of the machine
+- **Health State** – Indicates if the machine is misconfigured or is not sending sensor data
+- **Active Alerts** - Number of alerts reported by the machine by severity
+- **Active malware detections** - Number of active malware detections reported by the machine
+
+> [!NOTE]
+> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](windows-defender-in-windows-10.md) as the default real-time protection antimalware product.
+
+
 ### Related topics
 - [Understand the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
 - [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md)