diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index fdb2c392fa..eceb1d2833 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -18,7 +18,9 @@ ms.topic: article
 
 # View details and results of automated investigations
 
-Pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) are listed in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)).
+During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically. 
+
+If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
 
 >[!NOTE]
 >If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation. 
@@ -27,12 +29,13 @@ Pending and completed [remediation actions](manage-auto-investigation.md#remedia
 
 ![Action center page](images/action-center.png)
 
-The action center consists of two main tabs, as described in the following table.
-
-|Tab  |Description  |
-|---------|---------|
-|Pending actions     |Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. <br/><br/>**NOTE**: The Pending tab appears only if there are pending actions to be approved (or rejected).        |
-|History     |Acts as an audit log for all of the following: <br/>- All actions taken by automated investigation and remediation in Microsoft Defender ATP <br/>Actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) <br/>- All commands ran and remediation actions that were applied in Live Response sessions (some actions can be undone) <br/>- Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) |
+The action center consists of two main tabs: **Pending actions** and **History**.
+- **Pending actions**  Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. The Pending tab appears only if there are pending actions to be approved (or rejected). 
+- **History**  Acts as an audit log for all of the following items: <br/>
+   - Remediation actions that were taken as a result of an automated investigation
+   - Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) 
+   - Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone)
+   - Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) 
 
 Use the **Customize columns** menu to select columns that you'd like to show or hide. 
 
@@ -58,29 +61,30 @@ On the **Investigations** page, you can view details and use filters to focus on
 |---------|---------|
 |**Status**     |(See [Automated investigation status](#automated-investigation-status))         |
 |**Triggering alert** | The alert that initiated the automated investigation |
-|**Detection source** |The source of the alert that initiated the automated investigation. |
-|**Entities** | These can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created. |
-|**Threat** |The category of threat detected during the automated investigation. |
-|**Tags** |Filter using manually added tags that capture the context of an automated investigation.|
-|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.|
+|**Detection source** |The source of the alert that initiated the automated investigation |
+|**Entities** | Entities can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that were created. |
+|**Threat** |The category of threat detected during the automated investigation |
+|**Tags** |Filter using manually added tags that capture the context of an automated investigation|
+|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't|
 
 ## Automated investigation status
 
-An automated investigation can be have one of the following status values:
+An automated investigation can have one of the following status values:
 
 |Status  |Description  |
 |---------|---------|
-| No threats found | No malicious entities found during the investigation. |
-| Failed  | A problem has interrupted the investigation, preventing it from completing.       |
-| Partially remediated  | A problem prevented the remediation of some malicious entities.  |
-| Pending action  | Remediation actions require review and approval.   |
+| Running    | The investigation process has started and is underway. Malicious artifacts that are found are remediated.    |
+| Partially investigated      | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for specific details. |
+| No threats found | The investigation has finished and no threats were identified. <br/>If you suspect something was missed (such as a false negative), you can use [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). |
+| Pending action  | The investigation has found a threat, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to see if other items are still pending completion.  |
+| Remediated   | The investigation finished and all actions were approved (fully remediated). |
+| Partially remediated  | The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending. |
+| Terminated by system  | The investigation stopped. An investigation can stop for several reasons:<br/>- The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time. <br/>- There are too many actions in the list.<br/>Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions.     |
+| Failed  | At least one investigation analyzer ran into a problem where it could not complete properly. <br/><br/>If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results.      |
+| Queued    | An investigation is being held in a queue. When other investigations complete, queued investigations begin.  |
 | Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
-| Queued    |   Investigation has been queued and will resume as soon as other remediation activities are completed.      |
-| Running    | Investigation ongoing. Malicious entities found will be remediated.    |
-| Remediated   | Malicious entities found were successfully remediated.       |
-| Terminated by system  | Investigation was stopped by the system.                 |
 | Terminated by user    | A user stopped the investigation before it could complete.  |
-| Partially investigated      | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
+
 
 ## View details about an automated investigation
 
@@ -92,7 +96,7 @@ In this view, you'll see the name of the investigation, when it started and ende
 
 ### Investigation graph
 
-The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
+The investigation graph provides a graphical representation of an automated investigation. All investigation-related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
 
 A progress ring shows two status indicators:
 - Orange ring - shows the pending portion of the investigation
@@ -108,7 +112,7 @@ From this view, you can also view and add comments and tags about the investigat
 
 ### Alerts
 
-The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. 
+The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned. 
 
 Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing. 
 
@@ -124,7 +128,7 @@ Machines that show the same threat can be added to an ongoing investigation and
 
 Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
 
-Clicking on an machine name brings you the machine page.
+Clicking on a machine name brings you the machine page.
 
 ### Evidence
 
@@ -146,7 +150,7 @@ You can also click on an action to bring up the details pane where you'll see in
 
 ### Pending actions
 
-If there are pending actions on an automated investigation, you'll see a pop up similar to the following image. 
+If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image. 
 
 ![Image of pending actions](images/pending-actions.png)
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index a9250abb97..8ae4bbb815 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -21,39 +21,39 @@ ms.topic: conceptual
 
 ## Remediation actions
 
-When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed.  
+When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed.  
 
 When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically:
-- Quarantine file
-- Remove registry key
-- Kill process
-- Stop service
-- Remove registry key
-- Disable driver
-- Remove scheduled task
+- Quarantine a file
+- Remove a registry key
+- Kill a process
+- Stop a service
+- Remove a registry key
+- Disable a driver
+- Remove a scheduled task
 
-Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible. This helps your automated investigations complete in a timely manner. 
+Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible so that you automated investigations complete in a timely manner. 
 
-No actions are taken when evidence is determined to be *Clean*. 
+No actions are taken when a verdict of *No threats found* is reached for a piece of evidence. 
 
 In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions).
 
 ## Review pending actions
 
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard.
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard.
 
 2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
 
 3. Review any items on the **Pending** tab. 
 
-    Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details.
+    Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details.
 
     You can also select multiple investigations to approve or reject actions on multiple investigations. 
 
 
 ## Review completed actions
 
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard.
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard.
 
 2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
 
@@ -61,6 +61,12 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and
 
 4. Select an item to view more details about that remediation action.
  
+## Next steps
+
+- [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center)
+
+- [Get an overview of live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response)
+
 ## Related articles
 
 - [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
