From 9015f43e8a7de7e978e847124d5ee226a652be8f Mon Sep 17 00:00:00 2001 From: Ron Yitzhak Date: Mon, 11 Mar 2019 11:33:05 +0200 Subject: [PATCH 01/14] add new api page --- ...defender-advanced-threat-protection-new.md | 102 ++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..01ea055332 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,102 @@ +--- +title: Initiate AutoIR Investigation API +description: Use this API to create calls related to the collecting an investigation package from a machine. +keywords: apis, graph api, supported apis, collect investigation package +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/08/2017 +--- + +# Initiate AutoIR Investigation API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Collect investigation package from a machine. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.CollectForensics | 'Collect forensics' +Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. 
+Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage +Content-type: application/json +{ + "Comment": "Collect forensics due to alert 1234" +} +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "c9042f9b-8483-4526-87b5-35e4c2532223", + "type": "CollectInvestigationPackage", + "requestor": "Analyst@contoso.com", + "requestorComment": " Collect forensics due to alert 1234", + "status": "InProgress", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z", + "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z", + "relatedFileInfo": null +} + +``` From c564acbe98fcc7356dd83885db7e1de5df3c24b7 Mon Sep 17 00:00:00 2001 From: Ron Yitzhak Date: Mon, 11 Mar 2019 14:20:58 +0200 Subject: [PATCH 02/14] . --- ...defender-advanced-threat-protection-new.md | 32 +++++++------------ 1 file changed, 12 insertions(+), 20 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md index 01ea055332..60d3711c99 100644 --- a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md @@ -1,7 +1,7 @@ --- title: Initiate AutoIR Investigation API -description: Use this API to create calls related to the collecting an investigation package from a machine. -keywords: apis, graph api, supported apis, collect investigation package +description: Use this API to create calls related to initiating an investigation on a machine. +keywords: apis, graph api, supported apis, initiate AutoIR investigation search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -23,7 +23,7 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] -Collect investigation package from a machine. +Initiate AutoIR investigation on a machine. [!include[Machine actions note](machineactionsnote.md)] @@ -32,8 +32,8 @@ One of the following permissions is required to call this API. To learn more, in Permission type | Permission | Permission display name :---|:---|:--- -Application | Machine.CollectForensics | 'Collect forensics' -Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: 
@@ -42,7 +42,7 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage +POST https://api.securitycenter.windows.com/api/machines/{id}/InitiateAutoIRInvestigation ``` ## Request headers @@ -60,7 +60,7 @@ Parameter | Type | Description Comment | String | Comment to associate with the action. **Required**. ## Response -If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. +If successful, this method returns 200 - Created response code and investigation id in the response body. ## Example @@ -72,10 +72,10 @@ Here is an example of the request. [!include[Improve request performance](improverequestperformance-new.md)] ``` -POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage +POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/InitiateAutoIRInvestigation Content-type: application/json { - "Comment": "Collect forensics due to alert 1234" + "Comment": "Initiate AutoIR investigation on machine f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f" } ``` 
@@ -84,19 +84,11 @@ Content-type: application/json Here is an example of the response. ``` -HTTP/1.1 201 Created +HTTP/1.1 200 Created Content-type: application/json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "c9042f9b-8483-4526-87b5-35e4c2532223", - "type": "CollectInvestigationPackage", - "requestor": "Analyst@contoso.com", - "requestorComment": " Collect forensics due to alert 1234", - "status": "InProgress", - "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", - "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z", - "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z", - "relatedFileInfo": null + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.Int64", + "value": 52 } ``` From 6c932a5d0b492c8dd699b969b619c2a7e4e9c091 Mon Sep 17 00:00:00 2001 From: Ron Yitzhak Date: Mon, 11 Mar 2019 14:38:52 +0200 Subject: [PATCH 03/14] . --- ...stigation-windows-defender-advanced-threat-protection-new.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md index 60d3711c99..e700170263 100644 --- a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md @@ -25,8 +25,6 @@ ms.date: 12/08/2017 Initiate AutoIR investigation on a machine. -[!include[Machine actions note](machineactionsnote.md)] - ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) 
From b5243c8cf2d11a770e44f64124c128abb0838ee2 Mon Sep 17 00:00:00 2001 From: Ron Yitzhak Date: Mon, 11 Mar 2019 14:39:41 +0200 Subject: [PATCH 04/14] . --- ...stigation-windows-defender-advanced-threat-protection-new.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md index e700170263..60d3711c99 100644 --- a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md @@ -25,6 +25,8 @@ ms.date: 12/08/2017 Initiate AutoIR investigation on a machine. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) From fb95b9f99b0e7ff4040afb0558d8b33780122330 Mon Sep 17 00:00:00 2001 From: Ron Yitzhak Date: Mon, 11 Mar 2019 14:42:20 +0200 Subject: [PATCH 05/14] . --- ...stigation-windows-defender-advanced-threat-protection-new.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md index 60d3711c99..e700170263 100644 --- a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md 
+++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md @@ -25,8 +25,6 @@ ms.date: 12/08/2017 Initiate AutoIR investigation on a machine. -[!include[Machine actions note](machineactionsnote.md)] - ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) From 81c502f2dd93d8f348150105a3b2598a2348db4d Mon Sep 17 00:00:00 2001 From: Ron Yitzhak Date: Mon, 11 Mar 2019 14:44:30 +0200 Subject: [PATCH 06/14] . --- ...stigation-windows-defender-advanced-threat-protection-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md index e700170263..68c2543c1e 100644 --- a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md @@ -58,7 +58,7 @@ Parameter | Type | Description Comment | String | Comment to associate with the action. **Required**. ## Response -If successful, this method returns 200 - Created response code and investigation id in the response body. +If successful, this method returns 200 OK with investigation id in the body. If machine was not found - 404 Not Found. ## Example From 08ea1d66d68d6dbe8767ba837df38c3c65618301 Mon Sep 17 00:00:00 2001 From: Ron Yitzhak Date: Mon, 11 Mar 2019 14:45:40 +0200 Subject: [PATCH 07/14] . --- ...stigation-windows-defender-advanced-threat-protection-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md index 68c2543c1e..25ca1dc830 100644 --- a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md @@ -73,7 +73,7 @@ Here is an example of the request. POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/InitiateAutoIRInvestigation Content-type: application/json { - "Comment": "Initiate AutoIR investigation on machine f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f" + "Comment": "Initiate AutoIR investigation on machine fb9ab6be3965095a09c057be7c90f0a2" } ``` From ae83bfd6cdfb8393af486c6bf72138c7ac297eb0 Mon Sep 17 00:00:00 2001 From: Ron Yitzhak Date: Mon, 11 Mar 2019 15:36:05 +0200 Subject: [PATCH 08/14] . --- ...on-windows-defender-advanced-threat-protection-new.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md index 25ca1dc830..9766c16b85 100644 --- a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md 
@@ -25,6 +25,9 @@ ms.date: 12/08/2017 Initiate AutoIR investigation on a machine. +>[!Note] +> This page focuses on performing an automated investigation on a machine. (See [automated investigation](automated-investigations-windows-defender-advanced-threat-protection.md) for more information) + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) @@ -58,8 +61,8 @@ Parameter | Type | Description Comment | String | Comment to associate with the action. **Required**. ## Response -If successful, this method returns 200 OK with investigation id in the body. If machine was not found - 404 Not Found. - +If successful, this method returns 200 OK response code with object that holds the investigation id in the “value” parameter. If machine was not found - 404 Not Found. +See example below. ## Example @@ -86,7 +89,7 @@ HTTP/1.1 200 Created Content-type: application/json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.Int64", - "value": 52 + "value": 5146 } ``` From 191991c3dadedf9174284ca9246aa4f401904d8d Mon Sep 17 00:00:00 2001 From: Ron Yitzhak Date: Mon, 11 Mar 2019 15:54:16 +0200 Subject: [PATCH 09/14] . --- ...ion-windows-defender-advanced-threat-protection-new.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md index 9766c16b85..5d52e53dc5 100644 --- a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md 
+++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md @@ -21,12 +21,13 @@ ms.date: 12/08/2017 **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. Initiate AutoIR investigation on a machine. >[!Note] -> This page focuses on performing an automated investigation on a machine. (See [automated investigation](automated-investigations-windows-defender-advanced-threat-protection.md) for more information) +> This page focuses on performing an automated investigation on a machine. See [automated investigation](automated-investigations-windows-defender-advanced-threat-protection.md) for more information. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) @@ -61,8 +62,7 @@ Parameter | Type | Description Comment | String | Comment to associate with the action. **Required**. ## Response -If successful, this method returns 200 OK response code with object that holds the investigation id in the “value” parameter. If machine was not found - 404 Not Found. -See example below. +If successful, this method returns 200 OK response code with object that holds the investigation id in the "value" parameter. If machine was not found - 404 Not Found. ## Example From bebaefde42999e368a72dd22cb380ec79f0014a6 Mon Sep 17 00:00:00 2001 From: Ron Yitzhak Date: Mon, 11 Mar 2019 16:41:48 +0200 Subject: [PATCH 10/14] . --- ...ation-windows-defender-advanced-threat-protection-new.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md index 5d52e53dc5..d089c5623b 100644 --- a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md @@ -27,7 +27,11 @@ ms.date: 12/08/2017 Initiate AutoIR investigation on a machine. >[!Note] -> This page focuses on performing an automated investigation on a machine. See [automated investigation](automated-investigations-windows-defender-advanced-threat-protection.md) for more information. +> This page focuses on performing an automated investigation on a machine. See [Automated Investigation](automated-investigations-windows-defender-advanced-threat-protection.md) for more information. + +## Limitations +>- The number of executions is limited (up to 5 calls per hour). +>- For Automated Investigation limitations, see [Automated Investigation](automated-investigations-windows-defender-advanced-threat-protection.md). ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) From c85b823ca289dd698a83d33ef89eb75873ef256c Mon Sep 17 00:00:00 2001 From: Ron Yitzhak Date: Mon, 11 Mar 2019 17:05:19 +0200 Subject: [PATCH 11/14] . --- ...igation-windows-defender-advanced-threat-protection-new.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md index d089c5623b..2e7a20494c 100644 --- a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md @@ -30,8 +30,8 @@ Initiate AutoIR investigation on a machine. > This page focuses on performing an automated investigation on a machine. See [Automated Investigation](automated-investigations-windows-defender-advanced-threat-protection.md) for more information. ## Limitations ->- The number of executions is limited (up to 5 calls per hour). ->- For Automated Investigation limitations, see [Automated Investigation](automated-investigations-windows-defender-advanced-threat-protection.md). +1. The number of executions is limited (up to 5 calls per hour). +2. For Automated Investigation limitations, see [Automated Investigation](automated-investigations-windows-defender-advanced-threat-protection.md). ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) From cd9b3dc8b6cd4012f62b3a8db8b3d1dd9ca615b8 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 11 Mar 2019 15:44:45 -0700 Subject: [PATCH 12/14] update autoir api --- ...windows-defender-advanced-threat-protection-new.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md index 2e7a20494c..4d1cce8475 100644 --- a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md @@ -14,12 +14,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/08/2017 --- # Initiate AutoIR Investigation API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -48,7 +47,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/machines/{id}/InitiateAutoIRInvestigation +POST https://api.securitycenter.windows.com/api/machines/{id}/InitiateInvestigation ``` ## Request headers 
@@ -66,7 +65,7 @@ Parameter | Type | Description Comment | String | Comment to associate with the action. **Required**. ## Response -If successful, this method returns 200 OK response code with object that holds the investigation id in the "value" parameter. If machine was not found - 404 Not Found. +If successful, this method returns 200 OK response code with object that holds the investigation ID in the "value" parameter. If machine was not found - 404 Not Found. ## Example @@ -77,10 +76,10 @@ Here is an example of the request. [!include[Improve request performance](improverequestperformance-new.md)] ``` -POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/InitiateAutoIRInvestigation +POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/InitiateInvestigation Content-type: application/json { - "Comment": "Initiate AutoIR investigation on machine fb9ab6be3965095a09c057be7c90f0a2" + "Comment": "Initiate an investigation on machine fb9ab6be3965095a09c057be7c90f0a2" } ``` From dc5fd4e9dbe7e3cf36ade74085dd856d2f2c22d4 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 11 Mar 2019 16:09:09 -0700 Subject: [PATCH 13/14] add autoir api to toc and update request name --- windows/security/threat-protection/TOC.md | 1 + .../security/threat-protection/windows-defender-atp/TOC.md | 1 + ...igation-windows-defender-advanced-threat-protection-new.md | 4 ++-- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 177a70d01a..bc438bb6f6 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -292,6 +292,7 @@ ######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md) ######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md) ######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) +######## [Initiate investigation](windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md) ####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md) ######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index ef54564a38..572beeaa89 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -288,6 +288,7 @@ ####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) ####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md) ####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) +####### [Initiate investigation](initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md) ###### [User](user-windows-defender-advanced-threat-protection-new.md) ####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) 
diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md index 4d1cce8475..8ec922cb8b 100644 --- a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md @@ -1,5 +1,5 @@ --- -title: Initiate AutoIR Investigation API +title: Initiate machine investigation API description: Use this API to create calls related to initiating an investigation on a machine. keywords: apis, graph api, supported apis, initiate AutoIR investigation search.product: eADQiWindows 10XVcnh @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Initiate AutoIR Investigation API +# Initiate machine investigation API **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) From 7ce812b97039ba0c8f0facc0ddccd45351ab2578 Mon Sep 17 00:00:00 2001 From: Ron Yitzhak Date: Thu, 14 Mar 2019 17:39:05 +0200 Subject: [PATCH 14/14] Add preview tag --- windows/security/threat-protection/TOC.md | 2 +- windows/security/threat-protection/windows-defender-atp/TOC.md | 2 +- ...stigation-windows-defender-advanced-threat-protection-new.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index bc438bb6f6..a3ef36d122 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -292,7 +292,7 @@ ######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md) ######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md) ######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) -######## [Initiate investigation](windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md) +######## [Initiate investigation (preview)](windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md) ####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md) ######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 572beeaa89..662a44c8e1 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -288,7 +288,7 @@ ####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) ####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md) ####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) -####### [Initiate investigation](initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md) +####### [Initiate investigation (preview)](initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md) ###### [User](user-windows-defender-advanced-threat-protection-new.md) ####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) 
diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md index 8ec922cb8b..7e91cf5285 100644 --- a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Initiate machine investigation API +# Initiate machine investigation API (Preview) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
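Review bot: the new file in PATCH 01 is a copy of the collect-investigation-package page rather than a draft of the AutoIR endpoint: the `description`, the `keywords`, both `Machine.CollectForensics` permission rows, the `POST .../machines/{id}/collectInvestigationPackage` request and both examples (`"type": "CollectInvestigationPackage"`) document forensic package collection, only the `title` and H1 say AutoIR, and `ms.date: 12/08/2017` is more than a year older than the commit. The later patches rewrite most of this in place, so squashing the series would avoid landing a misleading intermediate revision; the description grammar ("related to the collecting an investigation package") also needs fixing.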
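Review bot: the PATCH 02 permissions hunk switches this machine-scoped action from `Machine.CollectForensics` to `Alert.ReadWrite.All` / `Alert.ReadWrite` while the retained note still requires the caller to have access to the machine based on machine group settings. If an alert permission is intentional for an action addressed by machine id, say so in the table, because a reader choosing least-privilege application permissions will otherwise look for a `Machine.*` scope.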
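Review bot: PATCH 02 pairs the 200 status code with the 201 reason phrase in two places, "returns 200 - Created response code" in the Response section and `+HTTP/1.1 200 Created` in the response example; a 200 response is `200 OK`. PATCH 06 corrects the prose, but the example's status line is never fixed anywhere in the series. In the same patch the request comment names machine `f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f` while the request URL targets `fb9ab6be3965095a09c057be7c90f0a2` (corrected in PATCH 07).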
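Review bot: PATCH 03, 04 and 05 remove, re-add and remove again the `[!include[Machine actions note](machineactionsnote.md)]` line, each under a commit message of "."; squash them into the preceding commit and give it a descriptive message that records why the include no longer applies (the response is now an integer investigation id rather than a Machine Action).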
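Review bot: the PATCH 06 Response wording documents only the 404 for an unknown machine; with the 5-calls-per-hour limit introduced in PATCH 10, the section should also state what the API returns when that limit is exceeded, so automation built on this endpoint can back off instead of retrying in a loop.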
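Review bot: in PATCH 08 the appended "See example below." line sits directly above `## Example` with the separating blank line removed, and the note text uses typographic quotes around “value”, which PATCH 09 then changes back to straight quotes; both patches should be squashed so the intermediate state does not reach the history.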
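Review bot: PATCH 09 replaces the shared `[!include[Prerelease information](prerelease.md)]` (used by this page since PATCH 01) with an inline copy of the IMPORTANT notice; an inlined copy drifts when the shared text is updated, so keep the include unless the shared wording is wrong for this page.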
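Review bot: the Limitations list added in PATCH 10 is written as blockquote bullets (`>-`) directly under a `##` heading, so it renders as a quoted list (PATCH 11 converts it to a numbered list; squash the two). The first item, "up to 5 calls per hour", should also say whether the limit applies per tenant, per application or per machine.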
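Review bot: PATCH 12 renames the endpoint to `InitiateInvestigation` and PATCH 13 renames the title and H1 to "Initiate machine investigation API", but `keywords: apis, graph api, supported apis, initiate AutoIR investigation` is left unchanged; align the keywords with the new name. PATCH 12 also deletes the `ms.date` line outright rather than updating it.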
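Review bot: PATCH 14 adds "(Preview)" to the H1 and "(preview)" to both TOC entries, but the `title:` front-matter field, which drives the browser tab and search results, still reads "Initiate machine investigation API" without the tag; add it there too and use one capitalization across the H1 and TOC entries.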