diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index 86387e8e7c..d6b7bdf766 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -586,7 +586,7 @@ Now that you have created your Microsoft Store for Business portal, you’re rea You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users. -For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/app-inventory-management-microsoft-store-for-business). +For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/app-inventory-management-microsoft-store-for-business). ### Summary @@ -1282,4 +1282,4 @@ Now, you have identified the tasks you need to perform monthly, at the end of an
  • Try it out: Windows 10 deployment (for educational institutions)
  • Try it out: Windows 10 in the classroom
  • Chromebook migration guide
  • - \ No newline at end of file + diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index 685cb29710..881293505c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -70,9 +70,6 @@ ###### [Remove file from blocked list](respond-file-alerts.md#remove-file-from-blocked-list) ###### [Check activity details in Action center](respond-file-alerts.md#check-activity-details-in-action-center) ###### [Deep analysis](respond-file-alerts.md#deep-analysis) -###### [Submit files for analysis](respond-file-alerts.md#submit-files-for-analysis) -###### [View deep analysis reports](respond-file-alerts.md#view-deep-analysis-reports) -###### [Troubleshoot deep analysis](respond-file-alerts.md#troubleshoot-deep-analysis) ##### [Investigate entities using Live response](live-response.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 46f0887e3f..a49b614738 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md 
@@ -29,35 +29,51 @@ Depending on the Microsoft security products that you use, some advanced feature Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: ## Automated investigation + When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations.md). ## Live response -When you enable this feature, users with the appropriate permissions can initiate a live response session on machines. -For more information on role assignments see, [Create and manage roles](user-roles.md). +When you enable this feature, users with the appropriate permissions can initiate a live response session on machines. + +For more information on role assignments see, [Create and manage roles](user-roles.md). ## Live response unsigned script execution -Enabling this feature allows you to run unsigned scripts in a live response session. - +Enabling this feature allows you to run unsigned scripts in a live response session. ## Auto-resolve remediated alerts + For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature. ->[!TIP] +>[!TIP] >For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page. >[!NOTE] > - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine. 
>- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it. - ## Block file -This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see [Block files in your network](respond-file-alerts.md#block-files-in-your-network) for more details. -If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization. +Blocking is only available if your organization uses Windows Defender Antivirus as the active antimalware solution, and if the cloud-based protection feature is enabled. + +This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization. + +To turn **Block or allow** files on: + +1. In the navigation pane, select **Settings** > **Advanced features** > **Allow or block file**. + +1. Toggle the setting between **On** and **Off**. + + ![Image of advanced settings for block file feature](images/atp-preferences-setup.png) + +1. Select **Save preferences** at the bottom of the page. + +Once you have enabled this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page. ## Show user details + When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views: + - Security operations dashboard - Alert queue - Machine details page 
@@ -65,20 +81,21 @@ When you enable this feature, you'll be able to see user details stored in Azure For more information, see [Investigate a user account](investigate-user.md). ## Skype for Business integration + Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks. >[!NOTE] -> When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode. - +> When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode. ## Azure Advanced Threat Protection integration + The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view. - >[!NOTE] ->You'll need to have the appropriate license to enable this feature. +>You'll need to have the appropriate license to enable this feature. ### Enable the Microsoft Defender ATP integration from the Azure ATP portal + To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. 1. 
Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role. @@ -90,6 +107,7 @@ To receive contextual machine integration in Azure ATP, you'll also need to enab When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page. ## Office 365 Threat Intelligence connection + This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page. When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines. 
@@ -100,41 +118,46 @@ When you enable this feature, you'll be able to incorporate data from Office 365 To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). ## Microsoft Threat Experts + Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability, while experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it. >[!NOTE] >The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security). ## Microsoft Cloud App Security -Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. + +Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. >[!NOTE] >This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. 
## Azure Information Protection + Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings. - ## Microsoft Intune connection -This feature is only available if you have an active Microsoft Intune (Intune) license. -When you enable this feature, you'll be able to share Microsoft Defender ATP device information to Intune and enhance policy enforcement. +This feature is only available if you have an active Microsoft Intune (Intune) license. + +When you enable this feature, you'll be able to share Microsoft Defender ATP device information to Intune and enhance policy enforcement. >[!NOTE] ->You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. - +>You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. ## Preview features + Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. ## Enable advanced features + 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. 3. Click **Save preferences**. ## Related topics + - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications](configure-email-notifications.md) - [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md index 44e20add28..4ca2aebb87 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md @@ -23,7 +23,7 @@ ms.date: 08/15/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) -To get you started in querying your data, you can use the basic or Advanced query examples that have some preloaded queries for you to understand the basic query syntax. +To get you started in querying your data, you can use the Basic or Advanced query examples, which have some preloaded queries to help you understand the basic query syntax. ![Image of Advanced hunting window](images/atp-advanced-hunting.png) @@ -109,7 +109,7 @@ You can create or modify a query and save it as your own query or share it with ### Update a query These steps guide you on modifying and overwriting an existing query. -1. Edit an existing query. +1. Edit an existing query. 2. Click the **Save**. @@ -151,6 +151,3 @@ Check out the [Advanced hunting repository](https://github.com/Microsoft/Windows ## Related topic - [Advanced hunting reference](advanced-hunting-reference.md) - [Advanced hunting query language best practices](advanced-hunting-best-practices.md) - - - diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index 5d013d5737..a3455dcc67 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md 
@@ -93,6 +93,9 @@ You can choose to limit the list of alerts based on their status. ### Investigation state Corresponds to the automated investigation state. +### Category +You can choose to filter the queue to display specific types of malicious activity. + ### Assigned to You can choose between showing alerts that are assigned to you or automation. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index ba81f53c58..4c97c07b2e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md 
@@ -39,19 +39,19 @@ Field numbers match the numbers in the images below. > > | Portal label | SIEM field name | ArcSight field | Example value | Description | > |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -> | 1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert. | -> | 2 | Severity | deviceSeverity | Medium | Value available for every alert. | -> | 3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert. | -> | 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every alert. | -> | 5 | MachineName | sourceHostName | liz-bean | Value available for every alert. | +> | 1 | AlertTitle | name | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every alert. | +> | 2 | Severity | deviceSeverity | High | Value available for every alert. | +> | 3 | Category | deviceEventCategory | Malware | Value available for every alert. | +> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every alert. | +> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every alert. | > | 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. | > | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. | -> | 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based alerts. 
| -> | 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Microsoft Defender ATP behavioral based alerts. | -> | 10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process. | -> | 11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts. | -> | 12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts. | -> | 13 | ThreatName | eviceCustomString1 | Trojan:Win32/Skeeyah.A!bit | Available for Windows Defender AV alerts. | +> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based alerts. | +> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based alerts. | +> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for alerts associated with a file or process. | +> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV alerts. | +> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV alerts. | +> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV alerts. | > | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. | > | 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. | > | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. | 
@@ -60,7 +60,7 @@ Field numbers match the numbers in the images below. > | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. | > | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. | > | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. | -> | 22 | Actor | deviceCustomString4 | | Available for alerts related to a known actor group. | +> | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. | > | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. | > | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. | > | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md index ac4575e88d..8057947dc2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md 
@@ -25,7 +25,7 @@ ms.date: 04/24/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink) -The sensor health tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. +The sensor health tile is found on the Security Operations dashboard. This tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service: - **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. @@ -44,7 +44,7 @@ You can filter the health state list by the following status: - **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service. -You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific machine information when you click the information icon. +You can view the machine details when you click on a misconfigured or inactive machine. ![Microsoft Defender ATP sensor filter](images/atp-machine-health-details.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index 05c041475c..133f0ecb0a 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -69,7 +69,7 @@ You can create rules that determine the machines and alert severities to send em Here's an example email notification: -![Image of example email notification](images/email-notification.png) +![Image of example email notification](images/atp-example-email-notification.png) ## Edit a notification rule 1. Select the notification rule you'd like to edit. @@ -101,4 +101,4 @@ This section lists various issues that you may encounter when using email notifi - [Update data retention settings](data-retention-settings.md) - [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) - [Enable Secure Score security controls](enable-secure-score.md) -- [Configure advanced features](advanced-features.md) \ No newline at end of file +- [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1.png b/windows/security/threat-protection/microsoft-defender-atp/images/1.png deleted file mode 100644 index 70ce314c00..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/1.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/WDATP-components.png b/windows/security/threat-protection/microsoft-defender-atp/images/WDATP-components.png deleted file mode 100644 index 51f4335265..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/WDATP-components.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png index 19428a4156..849bacfa44 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png and b/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG index d7e7d092eb..57337cd9ab 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG index 2da889163c..4c6352b1e1 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-numbered.png b/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-numbered.png deleted file mode 100644 index 39c6a467aa..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-numbered.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing.png b/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing.png new file mode 100644 index 0000000000..39c4236d7c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png index c4a23269f5..5f7148efcf 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png index 9d46d16055..43394cf2aa 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png index a23b78fd2f..1db12b6733 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-report.png deleted file mode 100644 index c7c4d60928..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-report.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-1.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-1.PNG new file mode 100644 index 0000000000..c2b346d926 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-1.PNG differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-2.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-2.PNG new file mode 100644 index 0000000000..a9d6418d30 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-2.PNG differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file.png new file mode 100644 index 0000000000..b894538426 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG index 40d4cf3b5c..47264c9f3c 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png index e023ffdfd6..c8c053fd44 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-details.png deleted file mode 100644 index f98240f439..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-details.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png index cb4a38b529..1f95169ebf 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png index 7ae7d3aa20..f6ae75b2cd 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png index b6ff98567a..a768200aab 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-source.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-source.png deleted file mode 100644 index c2155cc7ee..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-source.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png index b34d5f4779..04078d3be3 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png index 1d9c37de33..3480437d09 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-group.png deleted file mode 100644 index e3bf3d41f0..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-group.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-q.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-q.png deleted file mode 100644 index 1131ead044..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-q.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue-user.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue-user.png deleted file mode 100644 index 00185b3daa..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue-user.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue.png deleted file mode 100644 index 5bf942065e..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png index ecfb56f1a8..7423e63ab9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png index ec05ebcd1f..3290ef44c9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq1.png deleted file mode 100644 index 22a72d1306..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq1.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq2.png deleted file mode 100644 index 7d65413066..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq2.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png index ec8235b996..a80f24b421 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-approve-reject-action.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-approve-reject-action.png deleted file mode 100644 index f96acc7694..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-approve-reject-action.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png index 2ac2a20e91..da9b66063b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png index 8951659d17..dbcb2fee94 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png index fc628073fc..2b0a0be8d6 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-9.png deleted file mode 100644 index f40dff2c63..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-9.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-full.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-full.png deleted file mode 100644 index e4ec0ca34e..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-full.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics.png deleted file mode 100644 index 4f738b77ae..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png index fed14b65f4..9f868ac29e 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png index 3495a90989..0df653a018 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-retention-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-retention-policy.png deleted file mode 100644 index 7b9454924e..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-retention-policy.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png index 703204c040..5e19d47b57 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png index 3df0eccc18..c1a4e36c75 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png index fc1a15b8e1..763a218960 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-action.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-action.png new file mode 100644 index 0000000000..8e878d29a0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-action.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-open-save.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-open-save.PNG new file mode 100644 index 0000000000..5cc1b1457b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-open-save.PNG differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file.PNG new file mode 100644 index 0000000000..06dcfc796c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file.PNG differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-confirm-delete.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-confirm-delete.PNG new file mode 100644 index 0000000000..bb483bad25 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-confirm-delete.PNG differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-file.png new file mode 100644 index 0000000000..f553b74b89 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-file.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-settings.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-settings.PNG new file mode 100644 index 0000000000..b70aee3333 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-settings.PNG differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png index 78290030a9..11e72fc6a9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png index 12f980de0a..7e343cce7a 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png index ea5619c545..56e2d7dcf0 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-names.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-names.PNG new file mode 100644 index 0000000000..3bf537a3ea Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-names.PNG differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png index 2787e7d147..b87ce58fcd 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png deleted file mode 100644 index bf39e4b81e..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-preference-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-preference-setup.png deleted file mode 100644 index 9533a07777..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-preference-setup.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-geographic-location-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-geographic-location-setup.png deleted file mode 100644 index 18e8861973..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-geographic-location-setup.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png index 5f7bdc83b7..48f6c597a6 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png index 043255312e..b8117dc41d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png index bb11c88b62..c937e8fd04 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png index 0b52a39faa..ffb98eef37 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png index 5875c6fdb3..a952df593f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png index 7944809cde..4a5462d01a 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png index 1dd7f28817..35d1d00d6b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png index ffac35fc9b..62f5f70047 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png index 1e4d52ff8d..dc353f8c25 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png index a2a61cb49b..89bc5c8f90 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png index 7fcdfcc834..f0dcb7626b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png index 7d02d3d6ed..5292a0a77f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-industry-information.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-industry-information.png deleted file mode 100644 index e53106da3e..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-industry-information.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view.png deleted file mode 100644 index 97529ae015..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view2.png deleted file mode 100644 index 5ce3e0d034..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view2.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png index 9dd1e801dd..d628c4780a 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-view-ata.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-view-ata.png deleted file mode 100644 index 5e2258d16d..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-view-ata.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-misconfigured.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-misconfigured.png deleted file mode 100644 index 3de8f88a28..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-misconfigured.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view.png deleted file mode 100644 index 6145c08a4c..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view2.png deleted file mode 100644 index 692b21869f..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view2.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-view-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-view-list.png deleted file mode 100644 index ac38039f3a..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-view-list.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-main-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-main-portal.png deleted file mode 100644 index 3336f8a1ac..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-main-portal.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping1.png deleted file mode 100644 index b34e915132..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping1.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png index d3291b5cd5..3074e07daa 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png index 8e5589a6ca..e65ee2668a 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mcas-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mcas-settings.png deleted file mode 100644 index 11e12c2890..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mcas-settings.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mdm-onboarding-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mdm-onboarding-package.png deleted file mode 100644 index 2645ee2e58..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mdm-onboarding-package.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-new-alerts-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-new-alerts-list.png deleted file mode 100644 index b9a758e159..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-new-alerts-list.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png index b538946141..d3d0ce1fbf 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png index 738c1470e7..8ed854fe5f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png index b4865884d3..d4e9f24da9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png index 845b97a82a..c835d12524 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png deleted file mode 100644 index 8a88c16936..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png index 02cc1bbc0f..edd651d7db 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints.png deleted file mode 100644 index 36d21b5ebe..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-mdm.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-mdm.png deleted file mode 100644 index 18b70c8c27..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-mdm.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-organization-size.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-organization-size.png deleted file mode 100644 index e7e69034f0..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-organization-size.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png index 006d7c1a3f..96c32ee9a8 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png index 8da2532df7..d8ea23b4f2 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-sensor.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-sensor.png deleted file mode 100644 index 06147c025e..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-sensor.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-welcome-screen.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-welcome-screen.png deleted file mode 100644 index fda9bac914..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-welcome-screen.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal.png deleted file mode 100644 index 0dc5215ce4..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png index d36fb7296c..78de2711e1 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png index 881c69c22c..39e48e2f4f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png index eb02b6627a..865594531d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-navigator.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-navigator.png deleted file mode 100644 index 2c2c75ac33..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-navigator.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png index f271f16509..06c902871b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-experience.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-experience.png deleted file mode 100644 index 8055212471..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-experience.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png index 0908f75e43..d053776856 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-remediated-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-remediated-alert.png deleted file mode 100644 index d49b681907..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-remediated-alert.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png index 3df94c2e4d..be213c2acd 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-1.png deleted file mode 100644 index ae8d72d307..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-1.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png index 56a204ca39..b8d078d435 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-dashboard.png deleted file mode 100644 index 1b3c80e762..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-dashboard.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines.png deleted file mode 100644 index e7f8d974bf..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines2.png deleted file mode 100644 index f80648993e..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines2.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls-9.png deleted file mode 100644 index 9ce191083b..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls-9.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls.png deleted file mode 100644 index 023881cd9b..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-resized.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-resized.png deleted file mode 100644 index 0c0f7d0eec..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-resized.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-tile.png deleted file mode 100644 index 8e2da99e51..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-tile.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter.png deleted file mode 100644 index e59480d960..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-tile.png deleted file mode 100644 index 067d26d957..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-tile.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding-workspaceid.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding-workspaceid.png deleted file mode 100644 index 1c3154f188..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding-workspaceid.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding.png deleted file mode 100644 index 07fa544f73..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png index 68d57863d9..a730bd0ba7 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-complete.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-complete.png deleted file mode 100644 index 8ca66b33cc..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-complete.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png index 554c69e2a6..0d0ebde222 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png index 6b88b46227..eaf5e89d60 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png index bdcc1997eb..d3b6a7b64b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping1.png deleted file mode 100644 index c59c3c04c0..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping1.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png index 7a8d78a19e..fddaf0076c 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png index 1f09d12343..55730d43ee 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png index db6082c4e1..85d190c821 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png index a66341935b..3cc33d038b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png index 8fc24beeab..26dc2a5bb3 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png index 4c4e057756..6202dd62e0 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png index ddda52b1f0..f64c755ac6 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png index e39ee3c1ed..e5c1b21246 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-time-zone-menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-time-zone-menu.png new file mode 100644 index 0000000000..430d6ce99e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-time-zone-menu.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-pane.png deleted file mode 100644 index b08381baed..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-pane.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png index e3f37f7626..7d9ac1d36d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-tdp.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-tdp.png deleted file mode 100644 index 8822bdf62d..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-tdp.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png deleted file mode 100644 index b0732653d6..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details.png deleted file mode 100644 index 94c0f5cd1f..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-view-ata.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-view-ata.png deleted file mode 100644 index 2bea8cb48d..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-view-ata.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-windows-cloud-instance-creation.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-windows-cloud-instance-creation.png deleted file mode 100644 index 990f12c3c8..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-windows-cloud-instance-creation.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/components.png b/windows/security/threat-protection/microsoft-defender-atp/images/components.png deleted file mode 100644 index 0ddc52f5d3..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/components.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/creating-account.png b/windows/security/threat-protection/microsoft-defender-atp/images/creating-account.png deleted file mode 100644 index 54599d4b99..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/creating-account.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png index a91410b6a2..01aa4c4ac4 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/desktop.ini b/windows/security/threat-protection/microsoft-defender-atp/images/desktop.ini new file mode 100644 index 0000000000..c6b68739d7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/images/desktop.ini @@ -0,0 +1,4 @@ +[LocalizedFileNames] +atp-mapping7.png=@atp-mapping7,0 +atp-machine-health-details.PNG=@atp-machine-health-details,0 +email-notification.png=@email-notification,0 diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/download-file.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/download-file.PNG new file mode 100644 index 0000000000..fdbbc1cd18 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/download-file.PNG differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/email-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/email-notification.png deleted file mode 100644 index 1b9875fcad..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/email-notification.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png b/windows/security/threat-protection/microsoft-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png deleted file mode 100644 index 5e14e15378..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png index 2114b14c4d..a2f05155dd 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png index b302d30f54..ca19ec82c4 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/pending-actions.png b/windows/security/threat-protection/microsoft-defender-atp/images/pending-actions.png index 8cb0f643a6..74f55f62f5 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/pending-actions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/pending-actions.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png b/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png index 773447a838..39895c6e01 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png and b/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png b/windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png index f5166b77bc..784902b963 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png and b/windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sec-ops-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/sec-ops-dashboard.png deleted file mode 100644 index f858a4664a..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/sec-ops-dashboard.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png index b1b9ba11c9..1b5f4378e8 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png and b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png index 083f3a098d..ed1c3f4f2c 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ss1.png b/windows/security/threat-protection/microsoft-defender-atp/images/ss1.png deleted file mode 100644 index ebd17712d6..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ss1.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png index 309fd3074c..fea2bf16f9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta.png index db89f750a7..95ad384e50 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ta.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png index e971ada5d6..4da702615b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_menu.png index eaaa01d3c0..b77c2cb10a 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_menu.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_menu.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png index 8961a08115..ec4fa8bc44 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png index 3dd9ada0c9..ee0608e4b0 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_recommendations_page.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_recommendations_page.png index 1ae6f4320d..50736dfe6d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_recommendations_page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_recommendations_page.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/wdatp-pillars.png b/windows/security/threat-protection/microsoft-defender-atp/images/wdatp-pillars.png deleted file mode 100644 index 06ad5e6ed2..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/wdatp-pillars.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/wdsc.png b/windows/security/threat-protection/microsoft-defender-atp/images/wdsc.png deleted file mode 100644 index 3cd583ed74..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/wdsc.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png index 8123965c84..84672bbe4a 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png index 40f15eb65a..24bb4d1854 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png and b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-settings.png deleted file mode 100644 index 1b8396b50e..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-settings.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-get-appid.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-get-appid.png deleted file mode 100644 index 103081f82c..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-get-appid.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png b/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png index 7a52f49989..98886ae426 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png and b/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png b/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png deleted file mode 100644 index 1761e2e539..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png deleted file mode 100644 index fbd6a798b0..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md index 72a68df56d..ee65c7302f 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md @@ -53,7 +53,7 @@ Default sensitive information types include information such as bank account num Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type). -When a file is created or edited on a Windows device, Windows Defender ATP scans the content to evaluate if it contains sensitive information. +When a file is created or edited on a Windows device, Microsoft Defender ATP scans the content to evaluate if it contains sensitive information. Turn on the Azure Information Protection integration so that when a file that contains sensitive information is discovered by Microsoft Defender ATP though labels or information types, it is automatically forwarded to Azure Information Protection from the device. diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md index a70b53af9f..11e43b707c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md 
@@ -28,15 +28,14 @@ ms.date: 04/24/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink) -Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. +Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. -Click an alert to see the alert details view and the various tiles that provide information about the alert. +Click an alert to see the alert details view and the various tiles that provide information about the alert. -You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them. You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md). +You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them. You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md). ![Image of the alert page](images/atp-alert-view.png) - The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the machine or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand. For more information about managing alerts, see [Manage alerts](manage-alerts.md). 
@@ -49,7 +48,7 @@ Alerts attributed to an adversary or actor display a colored tile with the actor ![A detailed view of an alert when clicked](images/atp-actor-alert.png) -Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs) and areas where they've been observed worldwide. You will also see a set of recommended actions to take. +Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs), and areas where they've been observed worldwide. You will also see a set of recommended actions to take. Some actor profiles include a link to download a more comprehensive threat intelligence report. 
@@ -86,7 +85,7 @@ The **Incident Graph** expansion by destination IP Address, shows the organizati You can click the full circles on the incident graph to expand the nodes and view the expansion to other machines where the matching criteria were observed. ## Artifact timeline -The **Artifact timeline** feature provides an addition view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert. +The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert. ![Image of artifact timeline](images/atp-alert-timeline.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md index 0df367e9d4..8268c3ce96 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md 
@@ -39,17 +39,31 @@ You can see information from the following sections in the URL view: - URL in organization - Most recent observed machines with URL -## URL Worldwide -The URL details, contacts, and nameservers sections display various attributes about the URL. +## URL worldwide -## Alerts related to this URL -The **Alerts related to this URL** section provides a list of alerts that are associated with the URL. +The **URL Worldwide** section lists the URL, a link to further details at Whois, the number of related open incidents, and the number of active alerts. -## URL in organization -The **URL in organization** section provides details on the prevalence of the URL in the organization. +## Incident -## Most recent observed machinew with URL -The **Most recent observed machinew with URL** section provides a chronological view on the events and associated alerts that were observed on the URL. +The **Incident** card displays a bar chart of all active alerts in incidents over the past 180 days. + +## Prevalence + +The **Prevalence** card provides details on the prevalence of the URL within the organization, over a specified period of time. + +Although the default time period is the past 30 days, you can customize the range by selecting the downward-pointing arrow in the corner of the card. The shortest range available is for prevalence over the past day, while the longest range is over the past 6 months. + +## Alerts + +The **Alerts** tab provides a list of alerts that are associated with the URL. The table shown here is a filtered version of the alerts visible on the Alert queue screen, showing only alerts associated with the domain, their severity, status, the associated incident, classification, investigation state, and more. + +The Alerts tab can be adjusted to show more or less information, by selecting **Customize columns** from the action menu above the column headers. 
The number of items displayed can also be adjusted, by selecting **items per page** on the same menu. + +## Observed in organization + +The **Observed in organization** tab provides a chronological view on the events and associated alerts that were observed on the URL. This tab includes a timeline and a customizable table listing event details, such as the time, machine, and a brief description of what happened. + +You can view events from different periods of time by entering the dates into the text fields above the table headers. You can also customize the time range by selecting different areas of the timeline. **Investigate a domain:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md index cf7f97c744..aa344ebf81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md 
@@ -17,58 +17,89 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 --- + # Investigate a file associated with a Microsoft Defender ATP alert **Applies to:** - - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!include[Prerelease information](prerelease.md)] - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink) Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. -You can investigate files by using the search feature, clicking on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or from an event listed in the **Machine timeline**. +There are many ways to access the detailed profile page of a specific file. For example, you can use the search feature, click on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or select an event listed in the **Machine timeline**. + +Once on the detailed profile page, you can switch between the new and old page layouts by toggling **new File page**. The rest of this article describes the newer page layout. 
You can get information from the following sections in the file view: -- File details, Malware detection, Prevalence worldwide +- File details, Malware detection, File prevalence - Deep analysis -- Alerts related to this file -- File in organization -- Most recent observed machines with file +- Alerts +- Observed in organization +- Deep analysis +- File names -## File worldwide and Deep analysis -The file details, malware detection, and prevalence worldwide sections display various attributes about the file. You’ll see actions you can take on the file. For more information on how to take action on a file, see [Take response action on a file](respond-file-alerts.md). +You can also take action on a file from this page. -You'll see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the file’s prevalence worldwide. You'll also be able to [submit a file for deep analysis](respond-file-alerts.md#deep-analysis). +## File actions + +Along the top of the profile page, above the file information cards. Actions you can perform here include: + +- Stop and quarantine +- Add/edit indicator +- Download file +- Action center + +For more information on these actions, see [Take response action on a file](respond-file-alerts.md). + +## File details, Malware detection, and File prevalence + +The file details, incident, malware detection, and file prevalence cards display various attributes about the file. + +You'll see details such as the file’s MD5, the Virus Total detection ratio, and Windows Defender AV detection if available, and the file’s prevalence, both worldwide and within your organizations. ![Image of file information](images/atp-file-information.png) -## Alerts related to this file -The **Alerts related to this file** section provides a list of alerts that are associated with the file. 
This list is a simplified version of the Alerts queue, and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. +## Alerts + +The **Alerts** tab provides a list of alerts that are associated with the file. This list covers much of the same information as the Alerts queue, except for the machine group, if any, the affected machine belongs to. You can choose what kind of information is shown by selecting **Customize columns** from the toolbar above the column headers. ![Image of alerts related to the file section](images/atp-alerts-related-to-file.png) -## File in organization -The **File in organization** section provides details on the prevalence of the file, prevalence in email inboxes and the name observed in the organization. +## Observed in organization -![Image of file in organization](images/atp-file-in-org.png) +The **Observed in organization** tab allows you to specify a date range to see which devices have been observed with the file. -## Most recent observed machines with the file -The **Most recent observed machines with the file** section allows you to specify a date range to see which machines have been observed with the file. +>[!NOTE] +>This tab will show a maximum number of 100 machines. To see _all_ devices with the file, export the tab to a CSV file, by selecting **Export** from the action menu above the tab's column headers. ![Image of most recent observed machine with the file](images/atp-observed-machines.png) -This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. 
For example, if you’re trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching. +Use the slider or the range selector to quickly specify a time period that you want to check for events involving the file. You can specify a time window as small as a single day. This will allow you to see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching. + +## Deep analysis + +The **Deep analysis** tab allows you to [submit the file for deep analysis](respond-file-alerts.md#deep-analysis), to uncover more details about the the file's behavior, as well as the effect it is having within your organizations. After you submit the file, the deep analysis report will appear in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank. + +![Image of deep analysis tab](images/submit-file.png) + +## File names + +The **File names** tab lists all names the file has been observed to use, within your organizations. 
+ +![Image of file names tab](images/atp-file-names.PNG) ## Related topics + - [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) - [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) - [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) \ No newline at end of file +- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) +- [Take response actions on a file](respond-file-alerts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md index cddaa7e5f6..acff32cc9b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md @@ -25,6 +25,11 @@ ms.topic: article Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them. +When you investigate an incident, you'll see: +- Incident details +- Incident comments and actions +- Tabs (alerts, machines, investigations, evidence, graph) + ## Analyze incident details Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph). 
@@ -40,8 +45,6 @@ Alerts are grouped into incidents based on the following reasons: - Same file - The files associated with the alert are exactly the same - Same URL - The URL that triggered the alert is exactly the same -![Image of alerts tab in incident page showing the Linked by tool tip](images/atp-incidents-alerts-tooltip.png) - ![Image of alerts tab with incident details page showing the reasons the alerts were linked together in that incident](images/atp-incidents-alerts-reason.png) You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md index eaabada51a..4f3711af17 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md @@ -17,15 +17,13 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 --- + # Investigate an IP address associated with a Microsoft Defender ATP alert **Applies to:** - - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigateip-abovefoldlink) Examine possible communication between your machines and external internet protocol (IP) addresses. 
@@ -34,22 +32,31 @@ Identifying all machines in the organization that communicated with a suspected You can find information from the following sections in the IP address view: -- IP worldwide, Reverse DNS names +- IP worldwide +- Reverse DNS names - Alerts related to this IP - IP in organization -- Most recent observed machines with IP +- Prevalence ## IP Worldwide and Reverse DNS names + The IP address details section shows attributes of the IP address such as its ASN and its Reverse DNS names. ## Alerts related to this IP -The **Alerts related to this IP** section provides a list of alerts that are associated with the IP. + +The **Alerts related to this IP** section provides a list of alerts that are associated with the IP. ## IP in organization + The **IP in organization** section provides details on the prevalence of the IP address in the organization. +## Prevalence + +The **Prevalence** section displays how many machines have connected to this IP address, and when the IP was first and last seen. You can filter the results of this section by time period; the default period is 30 days. + ## Most recent observed machines with IP -The **Most recent observed machines with IP** section provides a chronological view on the events and associated alerts that were observed on the IP address. + +The **Most recent observed machines** with IP section provides a chronological view on the events and associated alerts that were observed on the IP address. **Investigate an external IP:** 
@@ -67,6 +74,7 @@ Use the search filters to define the search criteria. You can also use the timel Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. ## Related topics + - [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md index c026aa3f0a..216cc284d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md 
@@ -20,11 +20,12 @@ ms.topic: article # Investigate machines in the Microsoft Defender ATP Machines list **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) -Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach. +Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of the breach. You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas: 
@@ -61,41 +62,42 @@ Response actions run along the top of a specific machine page and include: - Isolate machine - Action center -You can take response actions in the action center, in a specific machine page, or in a specific file page. +You can take response actions in the Action center, in a specific machine page, or in a specific file page. For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts.md). - For more information, see [Investigate user entities](investigate-user.md). +For more information, see [Investigate user entities](investigate-user.md). + ## Cards ### Active alerts -If you have enabled the Azure ATP feature and there are alerts related to the machine, you can view a high level overview of the alerts and risk level. More information is available in the "Alerts" drill down. +The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the machine and their risk level, if you have enabled the Azure ATP feature, and there are any active alerts. More information is available in the "Alerts" drill down. -![Image of active alerts tile](images/risk-level-small.png) +![Image of active alerts card](images/risk-level-small.png) >[!NOTE] >You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md). ### Logged on users -The "Logged on users" tile shows the amount of users who have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane that displays information such as user type, logon type, and first/last seen. For more information, see [Investigate user entities](investigate-user.md). 
+The **Logged on users** card shows how many users have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane, which displays information such as user type, log on type, and when the user was first and last seen. For more information, see [Investigate user entities](investigate-user.md). ![Image of user details pane](images/logged-on-users.png) ### Security assessments -The Security assessments tile shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A machine's exposure level is determined by the cumulative impact of it's pending security recommendations. +The **Security assessments** card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A machine's exposure level is determined by the cumulative impact of its pending security recommendations. -![Image of security assessments tile](images/security-assessments.png) +![Image of security assessments card](images/security-assessments.png) ## Tabs -The five tabs under the cards section show relevant security and threat prevention information related to the machine. In every tab, you can customize the columns that are shown. +The five tabs under the cards section show relevant security and threat prevention information related to the machine. In each tab, you can customize the columns that are shown by selecting **Customize columns** from the bar above the column headers. ### Alerts -The **Alerts** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. 
You can also filter the alerts and customize the columns. +The **Alerts** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts. ![Image of alerts related to the machine](images/alerts-machine.png) @@ -112,6 +114,7 @@ Timeline also enables you to selectively drill down into events that occurred wi >[!NOTE] > For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection). >Firewall covers the following events +> >- [5025](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5025) - firewall service stopped >- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network >- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection @@ -159,6 +162,7 @@ The **Discovered vulnerabilities** section shows the name, severity, and threat ![Image of discovered vulnerabilities tab](images/discovered-vulnerabilities-machine.png) ## Related topics + - [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md index f4570512ea..4ef33de1cf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md @@ -23,14 +23,14 @@ ms.date: 04/24/2018 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink) ## Investigate user account entities + Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account. You can find user account information in the following views: + - Dashboard - Alert queue - Machine details page @@ -38,34 +38,39 @@ You can find user account information in the following views: A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown. When you investigate a user account entity, you'll see: + - User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and Logged on machines - Alerts related to this user - Observed in organization (machines logged on to) ![Image of the user account entity details page](images/atp-user-details-view-azureatp.png) -**User details**
    -The user account entity details, Azure ATP alerts, and logged on machines sections display various attributes about the user account. +The user account details, Azure ATP alerts, and logged on machines cards display various attributes about the user account. -The user entity tile provides details about the user such as when the user was first and last seen. Depending on the integration features you enable, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. +### User details -**Azure Advanced Threat Protection**
    -If you have enabled the Azure ATP feature and there are alerts related to the user, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. The Azure ATP tile also provides details such as the last AD site, total group memberships, and login failure associated with the user. +The **User details** card provides information about the user, such as when the user was first and last seen. Depending on the integration features you've enabled, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. + +### Azure Advanced Threat Protection + +The **Azure Advanced Threat Protection** card will contain a link that will take you to the Azure ATP page, if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts. This card also provides details such as the last AD site, total group memberships, and login failure associated with the user. >[!NOTE] >You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md). -**Logged on machines**
    -You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine. +### Logged on machines +The **Logged on machines** card shows a list of the machines that the user has logged on to. You can expand these to see details of the log-on events for each machine. ## Alerts related to this user -This section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert. + +The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert. ## Observed in organization -This section allows you to specify a date range to see a list of machines where this user was observed logged on to, and the most frequent and least frequent logged on user account on each of these machines. -The machine health state is displayed in the machine icon and color as well as in a description text. Clicking on the icon displays additional details regarding machine health. +The **Observed in organization** section allows you to specify a date range to see a list of machines where this user was observed logged on to, the most frequent and least frequent logged on user account for each of these machines, and total observed users on each machine. 
+ +Selecting an item on the Observed in organization table will expand the item, revealing more details about the machine. Directly selecting a link within an item will send you to the corresponding page. ![Image of observed in organization section](images/atp-observed-in-organization.png) @@ -78,6 +83,7 @@ The machine health state is displayed in the machine icon and color as well as i A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of machines it was observed logged on to in the last 30 days. You can filter the results by the following time periods: + - 1 day - 3 days - 7 days @@ -85,6 +91,7 @@ You can filter the results by the following time periods: - 6 months ## Related topics + - [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) @@ -92,4 +99,3 @@ You can filter the results by the following time periods: - [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) - [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) - [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) - diff --git a/windows/security/threat-protection/microsoft-defender-atp/licensing.md b/windows/security/threat-protection/microsoft-defender-atp/licensing.md index 934b929def..d96d8546ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/licensing.md +++ b/windows/security/threat-protection/microsoft-defender-atp/licensing.md 
@@ -30,15 +30,16 @@ ms.topic: article Checking for the license state and whether it got properly provisioned, can be done through the **Office 365 admin center** or through the **Microsoft Azure portal**. -1. In the **Office 365 admin center** navigate to **Billing** > **Subscriptions**. +1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products). + + ![Image of Azure Licensing page](images/atp-licensing-azure-portal.png) + +1. Alternately, in the **Office 365 admin center**, navigate to **Billing** > **Subscriptions**. - On the screen you will see all the provisioned licenses and their current **Status**. ![Image of billing licenses](images/atp-billing-subscriptions.png) -2. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products). - - ![Image of Azure Licensing page](images/atp-licensing-azure-portal.png) ## Cloud Service Provider validation @@ -103,8 +104,6 @@ When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windo 5. A dedicated cloud instance of Microsoft Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete. - ![Image of Microsoft Defender ATP cloud instance](images/creating-account.png) - 6. You are almost done. Before you can start using Microsoft Defender ATP you'll need to: - [Onboard Windows 10 machines](configure-endpoints.md) 
@@ -119,8 +118,6 @@ When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windo 7. After onboarding machines you can click **Start using Microsoft Defender ATP**. You will now launch Microsoft Defender ATP for the first time. - ![Image of onboard machines](images/atp-onboard-endpoints-WDATP-portal.png) - ## Related topics - [Onboard machines to the Microsoft Defender Advanced Threat Protection service](onboard-configure.md) - [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index 093f9b62b0..9a0cc2d05f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -26,11 +26,11 @@ ms.topic: article Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**. -You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view. +You can manage alerts by selecting an alert in the **Alerts queue**, or the **Alerts** tab of the Machine page for an individual device. Selecting an alert in either of those places brings up the **Alert management pane**. -![Image of alert status](images/atp-alerts-selected.png) +![Image of alert management pane and alerts queue](images/atp-alerts-selected.png) ## Link to another incident You can create a new incident from the alert or link to an existing incident. 
@@ -40,11 +40,11 @@ If an alert is no yet assigned, you can select **Assign to me** to assign the al ## Suppress alerts -There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. +There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed. -When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created. +When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue, prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created. There are two contexts for a suppression rule that you can choose from: @@ -60,7 +60,6 @@ You can use the examples in the following table to help you choose the context f | **Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed.

    All other alerts on that machine will not be suppressed. | | | **Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. | | - ### Suppress an alert and create a new suppression rule: Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, you’ll be able to configure the action and scope on the alert. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 1edf8dcca8..1521bb3b89 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -102,7 +102,7 @@ You'll also have access to the following sections that help you see details of t - Investigation graph - Alerts - Machines -- Threats +- Key findings - Entities - Log - Pending actions @@ -138,7 +138,7 @@ Selecting a machine using the checkbox brings up the machine details pane where Clicking on an machine name brings you the machine page. -### Threats +### Key findings Shows details related to threats associated with this investigation. ### Entities diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md index 31fb4bb075..6f2cd9df63 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md 
@@ -23,11 +23,15 @@ ms.date: 010/08/2018 **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress. +Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. + + +Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details. + ![Image of the incidents management pane](images/atp-incidents-mgt-pane.png) -Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details. +You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress. ![Image of incident detail page](images/atp-incident-details-page.png) 
@@ -35,28 +39,26 @@ Selecting an incident from the **Incidents queue** brings up the **Incident mana ## Assign incidents If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it. -## Change the incident status +## Set status and classification +### Incident status You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents. For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation. Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated. -## Classify the incident +### Classification You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them. -## Rename incident -By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification. - -![Image of incident renaming](images/atp-rename-incident.png) - -## Add comments and view the history of an incident +### Add comments You can add comments and view historical events about an incident to see previous changes made to it. Whenever a change or comment is made to an alert, it is recorded in the Comments and history section. Added comments instantly appear on the pane. + + ## Related topics - [Incidents queue](incidents-queue.md) - [View and organize the Incidents queue](view-incidents-queue.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md index 9d743faca2..cb57adc063 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md @@ -41,7 +41,7 @@ The Microsoft secure score tile is reflective of the sum of all the Windows Defe ![Image of Microsoft secure score tile](images/mss.png) -Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). +Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Microsoft Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess). 
@@ -74,7 +74,7 @@ Clicking on the affected machines link at the top of the table takes you to the Within the tile, you can click on each control to see the recommended optimizations. -Clicking the link under the Misconfigured machines column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. +Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. ## Related topic - [Threat analytics](threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index 200d144ad9..be5e22d9d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md 
@@ -49,17 +49,22 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- -(1) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Automated investigations**, **Machines list**, **Service health**, **Advanced hunting**, and **Settings**. -**Dashboards** | Access the Security operations, the Secure Score, or Threat analytics dashboard. +**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Machines list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Interoperability**, **Threat & vulnerability management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. +**Dashboards** | Access the Security operations, the Secure Score, or Threat analytics dashboard. **Incidents** | View alerts that have been aggregated as incidents. -**Alerts** | View alerts generated from machines in your organizations. +**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and the corresponding number of alerts. +**Alerts queue** | View alerts generated from machines in your organizations. **Automated investigations** | Displays a list of automated investigations that's been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation. **Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool. -**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and the corresponding number of alerts. 
+**Reports** | View graphs detailing alert trends over time, and alert summary charts categorizing threats by severity, status, and attack approach +**Interoperability** | Lists supported partner applications that can work together with Microsoft Defender, as well as applications that are already connected to Microsoft Defender. +**Threat & Vulnerability management** | View your configuration score, exposure score, exposed machines, vulnerable software, and take action on top security recommendations. +**Evaluation and tutorials** | Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walkthrough in a trial environment. **Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. -**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard. +**Configuration management** | Displays on-boarded machines, your organizations' security baseline, predictive analysis, and allows you to perform attack surface management on your machines. +**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard. 
**(2) Main portal** | Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list. -**(3) Community center, Time settings, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product.

    **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information.

    **Help and support** - Gives you access to the Microsoft Defender ATP guide, Microsoft support, and Premier support.

    **Feedback** - Access the feedback button to provide comments about the portal. +**(3) Community center, Localization, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product.

    **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information.

    **Help and support** - Gives you access to the Microsoft Defender ATP guide, Microsoft support, and Premier support.

    **Feedback** - Access the feedback button to provide comments about the portal. ## Microsoft Defender ATP icons The following table provides information on the icons used all throughout the portal: diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md index c70bb4f029..31ca59c206 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md @@ -175,14 +175,10 @@ You can use Power BI Desktop to analyse data from Microsoft Defender ATP and mas 1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**. - ![Get data in Power BI](images/atp-powerbi-get-data.png) - 2. Click **Connect**. 3. On the Preview Connector windows, click **Continue**. - ![Power BI preview connector](images/atp-powerbi-preview.png) - 4. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data. ![Consent image](images/atp-powerbi-consent.png) @@ -191,8 +187,6 @@ You can use Power BI Desktop to analyse data from Microsoft Defender ATP and mas 6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph. - ![Power BI navigator page](images/atp-powerbi-navigator.png) - 7. Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source. 8. Add visuals and select fields from the available data sources. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 80f4ea3708..e2db21f7ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md 
@@ -20,30 +20,40 @@ ms.topic: article # Take response actions on a file **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink) -Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center. +Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center. ->[!IMPORTANT] ->These response actions are only available for machines on Windows 10, version 1703 or later. +Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new and old page layouts by toggling **new File page**. The rest of this article describes the newer page layout. -You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file. +Response actions run along the top of the file page, and include: + +- Stop and Quarantine File +- Add Indicator +- Download file +- Action center + +You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep analysis and read past reports by selecting the **Deep analysis** tab. 
It's located below the file information cards. ## Stop and quarantine files in your network -You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed. +You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed. >[!IMPORTANT] >You can only take this action if: +> > - The machine you're taking the action on is running Windows 10, version 1703 or later > - The file does not belong to trusted third-party publishers or not signed by Microsoft > - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). -The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. +The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data, such as any registry keys. -The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days. +This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days. >[!NOTE] >You’ll be able to restore the file from quarantine at any time. 
@@ -55,13 +65,13 @@ The action takes effect on machines with Windows 10, version 1703 or later, wher - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline - **Search box** - select File from the drop–down menu and enter the file name -2. Open the **Actions menu** and select **Stop and Quarantine File**. +2. Go to the top bar and select **Stop and Quarantine File**. ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) -3. Specify a reason, then click **Yes, stop and quarantine**. +3. Specify a reason, then click **Confirm**. - ![Image of stop and quarantine file](images/atp-stop-quarantine.png) + ![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png) The Action center shows the submission information: ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) @@ -80,14 +90,9 @@ When the file is being removed from a machine, the following notification is sho In the machine timeline, a new event is added for each machine where a file was stopped and quarantined. ->[!IMPORTANT] ->The **Action** button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal of critical system files and files used by important applications. +For files that widely used throughout an organization, a warning is shown before an action is implemented, to validate that the operation is intended. -![Image of action button turned off](images/atp-file-action.png) - -For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended. - -## Remove file from quarantine +## Restore file from quarantine You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each machine where the file was quarantined. 
@@ -98,118 +103,84 @@ You can roll back and remove a file from quarantine if you’ve determined that b. Right–click **Command prompt** and select **Run as administrator**. 2. Enter the following command, and press **Enter**: - ``` + + ```Powershell “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All ``` > [!NOTE] > Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days. -## Block files in your network +## Add indicator to block or allow a file You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. >[!IMPORTANT] +> >- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +> >- The Antimalware client version must be 4.18.1901.x or later. ->- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. +>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. >- This response action is available for machines on Windows 10, version 1703 or later. >- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action. 
>[!NOTE] -> The PE file needs to be in the machine timeline for you to be able to take this action. ->- There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked. +> The PE file needs to be in the machine timeline for you to be able to take this action. +> +> There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked. ### Enable the block file feature -Before you can block files, you'll need to enable the feature. - -1. In the navigation pane, select **Settings** > **Advanced features** > **Block file**. - -2. Toggle the setting between **On** and **Off** and select **Save preferences**. - - ![Image of advanced settings for block file feature](images/atp-preferences-setup.png) +To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. -### Block a file +### Allow or block file -1. Select the file you want to block. You can select a file from any of the following views or use the Search box: +When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it. - - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline - - **Search box** - select File from the drop–down menu and enter the file name +Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue. -2. Open the **Actions menu** and select **Block**. + See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files. - ![Image of block action](images/atp-action-block-file.png) +To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. 
This action will be visible in the same position that the **Add Indicator** action was, before you added the indicator. -3. Specify a reason and select **Yes, block file** to take action on the file. +You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash. - ![Image of block file action](images/atp-block-file.png) +## Download or collect file - The Action center shows the submission information: - ![Image of block file](images/atp-blockfile.png) +Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file. - - **Submission time** - Shows when the action was submitted. - - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. - - **Status** - Indicates whether the file was added to or removed from the blacklist. +![Image of download file action](images/atp-download-file-action.png) -When the file is blocked, there will be a new event in the machine timeline.
    +When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are downloading the file. You can also set a password to open the file. ->[!NOTE] ->-If a file was scanned before the action was taken, it may take longer to be effective on the device. +![Image of download file fly-out](images/atp-download-file.png) -**Notification on machine user**:
    -When a file is being blocked on the machine, the following notification is displayed to inform the user that the file was blocked: - -![Image of notification on machine user](images/atp-notification-file.png) - ->[!NOTE] ->The **Action** button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization caused by the removal of files that might be related to the operating system. - -![Image of action button turned off](images/atp-file-action.png) - -For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended. - -## Remove file from blocked list - -1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box: - - - **Alerts** - Click the file links from the Description or Details in the Artifact timeline - - **Search box** - Select File from the drop–down menu and enter the file name - -2. Open the **Actions** menu and select **Remove file from blocked list**. - - ![Image of remove file from blocked list](images/atp-remove-blocked-file.png) - -3. Type a comment and select **Yes** to take action on the file. The file will be allowed to run in the organization. - -## Check activity details in Action center - -The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the details on the last action that were taken on a file such as stopped and quarantined files or blocked files. +If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled. ## Deep analysis Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. 
Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis. -The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs. +The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files (including _.exe_ and _.dll_ files). -Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. +Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to display the date and time of the latest results available, as well as a summary of the report itself. + +The Deep analysis summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. If nothing was found, these sections will simply display a brief message. Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts. -### Submit files for analysis +Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. 
This feature is available within the **Deep analysis** tab, on the the file's profile page. -Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view. - -In the file's page, **Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis. +**Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis. > [!NOTE] > Only files from Windows 10 can be automatically collected. -You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available. +You can also manually submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available. > [!NOTE] -> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Microsoft Defender ATP. +> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Microsoft Defender ATP. 
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications. @@ -221,7 +192,7 @@ When the sample is collected, Microsoft Defender ATP runs the file in is a secur - **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section - Search box - select **File** from the drop–down menu and enter the file name -2. In the **Deep analysis** section of the file view, click **Submit**. +2. In the **Deep analysis** tab of the file view, click **Submit**. ![You can only submit PE files in the file details section](images/submit-file.png) @@ -232,7 +203,7 @@ A progress bar is displayed and provides information on the different stages of > [!NOTE] > Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–submit files for deep analysis to get fresh data on the file. -### View deep analysis reports +**View deep analysis reports** View the deep analysis report that Microsoft Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context. 
@@ -244,29 +215,32 @@ You can view the comprehensive report that provides details on the following sec The details provided can help you investigate if there are indications of a potential attack. 1. Select the file you submitted for deep analysis. -2. Click **See the report below**. Information on the analysis is displayed. +2. Select the **Deep analysis** tab. If there are any previous reports, the report summary will appear in this tab. - ![The deep analysis report shows detailed information across a number of categories](images/analysis-results.png) + ![The deep analysis report shows detailed information across a number of categories](images/analysis-results-nothing.png) -### Troubleshoot deep analysis +**Troubleshoot deep analysis** If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps. 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications). -2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. -3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error. -4. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value: +1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. +1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error. +1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. 
If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value: - ``` + ```Powershell Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection Name: AllowSampleCollection - Type: DWORD + Type: DWORD Hexadecimal value : Value = 0 – block sample collection Value = 1 – allow sample collection ``` -5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md). -6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). -## Related topic +1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md). +1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). + +## Related topics + - [Take response actions on a machine](respond-machine-alerts.md) +- [Investigate files](investigate-files.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index 5dbaa71b01..f7c9eff384 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md 
@@ -116,13 +116,6 @@ The tile shows you a list of user accounts with the most active alerts and the n Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user.md). -## Suspicious activities -This tile shows audit events based on detections from various security components. - -![Suspicous activities tile](images/atp-suspicious-activities-tile.png) - - - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink) ## Related topics @@ -130,4 +123,3 @@ This tile shows audit events based on detections from various security component - [Portal overview](portal-overview.md) - [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) - [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) - diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index 0bafd26ecf..4ba83c3145 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md 
@@ -36,9 +36,9 @@ Each threat report provides a summary to describe details such as where the thre The dashboard shows the impact in your organization through the following tiles: - Machines with alerts - shows the current distinct number of impacted machines in your organization - Machines with alerts over time - shows the distinct number of impacted over time -- Mitigation recommendations - lists the measurable mitigations and the number of machines that do not have each of the mitigations in place - Mitigation status - shows the number of mitigated and unmitigated machines. Machines are considered mitigated if they have all the measurable mitigations in place. -- Mitigation status over time - shows the distinct number of machines that have been mitigated, unmitigated, and unavailable over time +- Vulnerability patching status - lists any vulnerabilities associated with the threat, and if they have been patched +- Mitigation recommendations - lists the measurable mitigations and the number of machines that do not have each of the mitigations in place ![Image of a threat analytics report](images/ta.png) @@ -62,5 +62,3 @@ The **Mitigation status** and **Mitigation status over time** shows the endpoint >[!NOTE] >The Unavailable category indicates that there is no data available from the specific machine yet. - - diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 3eb031059d..e3f2bdf6ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md 
@@ -65,7 +65,7 @@ To lower down your threat and vulnerability exposure: > - Configuration change which refers to recommendations that require a registry or GPO modification > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![Threat insight](images/tvm_bug_icon.png) icon and possible active alert ![Possible active alert](images/tvm_alert_icon.png) icon. -2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. A flyout panel opens with the description of what you need to remediate, number of vulnerability, associated exploits in what machines, number of exposed machines and their machine names, business impact, and list of CVEs. Click **Open software page** option from the flyout panel. ![Details in security recommendations page](images/tvm_security_recommendations_page.png) +2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. ![Details in security recommendations page](images/tvm_security_recommendations_page.png) 3. Click **Installed machines** and select the affected machine from the list to open the flyout panel with the relevant machine details, exposure and risk levels, alert and incident activities. ![Details in software page ](images/tvm_software_page_details.png) 
@@ -83,14 +83,14 @@ You can improve your security configuration when you remediate issues from the s 1. From the Configuration score widget, select **Security controls**. The **Security recommendations** page opens and shows the list of issues related to security controls. - >>![Configuration score widget](images/tvm_config_score.png) + >![Configuration score widget](images/tvm_config_score.png) -2. Select the first item on the list. The flyout panel opens with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**. +2. Select the first item on the list. The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**. ![Security controls related security recommendations](images/tvm_security_controls.png) 3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up. - >>![Request remediation](images/tvm_request_remediation.png). + >![Request remediation](images/tvm_request_remediation.png). >You will see a confirmation message that the remediation task has been created. >![Remediation task creation confirmation](images/tvm_remediation_task_created.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md index 3275739c27..c745b29ece 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md 
@@ -35,7 +35,9 @@ Cyberforensic investigations often rely on time stamps to piece together the seq Microsoft Defender ATP can display either Coordinated Universal Time (UTC) or local time. -Your current time zone setting is shown in the Microsoft Defender ATP menu. You can change the displayed time zone in the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png). +Your current time zone setting is shown in the Microsoft Defender ATP menu. You can change the displayed time zone in the **Time zone** menu. + +![Time zone settings icon](images/atp-time-zone-menu.png). ### UTC time zone Microsoft Defender ATP uses UTC time by default. @@ -56,7 +58,7 @@ To set the time zone: 1. Click the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png). 2. Select the **Timezone UTC** indicator. -3. Select **Timezone UTC** or your local time zone, for example -7:00. +3. Select **Timezone UTC** or your local time zone, for example -7:00. ### Regional settings To apply different date formats for Microsoft Defender ATP, use regional settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md index 3df5dd590d..3cd0504b1f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md 
@@ -19,7 +19,7 @@ ms.topic: troubleshooting # Troubleshoot service issues -This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. +This section addresses issues that might arise as you use the Microsoft Defender Advanced Threat service. ## Server error - Access is denied due to invalid credentials If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md index 800b62bffd..0cf451828c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md @@ -25,7 +25,7 @@ Troubleshoot issues that might arise as you use Microsoft Defender ATP capabilit Topic | Description :---|:--- Troubleshoot sensor state | Find solutions for issues related to the Microsoft Defender ATP sensor -Troubleshoot service issues | Fix issues related to the Windows Defender Advanced Threat service +Troubleshoot service issues | Fix issues related to the Microsoft Defender Advanced Threat service Troubleshoot attack surface reduction | Fix issues related to network protection and attack surface reduction rules Troubleshoot next generation protection | If you encounter a problem with antivirus, you can search the tables in this topic to find a matching issue and potential solution diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index db5357d9f3..b25ce8e1e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md 
@@ -13,7 +13,7 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- # Threat & Vulnerability Management dashboard overview diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md index f6465788fd..c3753c466c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md @@ -42,6 +42,8 @@ On the top navigation you can: ## Sort and filter the incidents queue You can apply the following filters to limit the list of incidents and get a more focused view. +### Severity + Incident severity | Description :---|:--- High
    (Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on machines. @@ -49,27 +51,17 @@ Medium
    (Orange) | Threats rarely observed in the organization, such as anom Low
    (Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization. Informational
    (Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of. +## Assigned to +You can choose to filter the list by selecting assigned to anyone or ones that are assigned to you. + ### Category Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context. -### Alerts -Indicates the number of alerts associated with or part of the incidents. - - -### Machines -You can limit to show only the machines at risk which are associated with incidents. - -### Users -You can limit to show only the users of the machines at risk which are associated with incidents. - -### Assigned to -You can choose to show between unassigned incidents or those which are assigned to you. - ### Status -You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved +You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved. -### Classification -Use this filter to choose between focusing on incidents flagged as true or false incidents. +### Data sensitivity +Use this filter to show incidents that contain sensitivity labels. ## Related topics - [Incidents queue](incidents-queue.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index e1e648f1c9..52e8586de1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md 
@@ -1686,7 +1686,7 @@ The Windows Defender Antivirus client attempted to download and install the late To troubleshoot this event:
    1. Restart the computer and try again.
    2. -
    3. Download the latest definitions from the Windows Defender Security Intelligence site. +
    4. Download the latest definitions from the Microsoft Security Intelligence site. Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
    5. Contact Microsoft Technical Support. @@ -2757,7 +2757,7 @@ This error indicates that there might be a problem with your security product.
    6. Update the definitions. Either:
      1. Click the Update definitions button on the Update tab in Windows Defender Antivirus. Update definitions in Windows Defender AntivirusOr,
      2. -
      3. Download the latest definitions from the Windows Defender Security Intelligence site. +
      4. Download the latest definitions from the Microsoft Security Intelligence site. Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
      diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png index 3289ace8cf..eac90e96f5 100644 Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png and b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png index 5bc0f3e22b..67abde13e0 100644 Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png and b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png differ
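Review bot: In the hunk beginning at the ">[!NOTE] The PE file needs to be in the machine timeline" line (its `diff --git` header is missing from this excerpt), the deleted block drops the statement that the **Action** button is turned off for files signed by Microsoft; if that guard still applies to indicator-based blocking it should be restated under "Allow or block file" rather than removed, since it is the only text warning that blocking an OS-signed binary can break machines. The same hunk deletes the "## Remove file from blocked list" and "## Check activity details in Action center" headings, so inbound links to `#remove-file-from-blocked-list` and `#check-activity-details-in-action-center` will break; grep the docset for those anchors. Smaller fixes in the added lines: the heading still reads "Enable the block file feature" while the link text says "turn the **Block or allow** feature on" (pick one name); "the files's Action center" should be "the file's Action center"; " See [manage indicators]" carries a stray leading space; "on the the file's profile page" doubles "the"; and "the Deep Analysis tab" capitalizes "Analysis" while every other mention uses "Deep analysis".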
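Review bot: In the @@ -232,7 +203,7 hunk, demoting "### View deep analysis reports" to bold text removes its heading anchor, so any link to `#view-deep-analysis-reports` now points nowhere and the line disappears from the on-page TOC; if the intent is only to hide it from the site navigation, a `####` heading keeps the anchor, otherwise update the links in the same change.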
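Review bot: In the @@ -244,29 +215,32 hunk, the fence tag changes from none to ```Powershell, but the block body (Path:/Name:/Type:/Value = ...) is a registry value description, not PowerShell, so syntax highlighting will mark it up nonsensically; tag it ```text, or turn it into the command a reader can actually run, e.g. `Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' -Name AllowSampleCollection`. Same hunk: "**Troubleshoot deep analysis**" loses its anchor like the heading above it; "Type: DWORD Hexadecimal value :" has a space before the colon; and the newly referenced screenshot images/analysis-results-nothing.png is not added anywhere in this diff as shown, so confirm the file lands in the same PR.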
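Review bot: In the security-operations-dashboard.md @@ -116,13 +116,6 hunk, removing the Suspicious activities tile leaves images/atp-suspicious-activities-tile.png orphaned unless another page references it; delete the image in the same change if nothing else uses it. The @@ -130,4 +123,3 hunk only removes a trailing blank line, which is fine.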
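Review bot: In the threat-analytics.md @@ -36,9 +36,9 hunk, the tile list drops "Mitigation status over time", but the context line of the @@ -62,5 +62,3 hunk in the same file still reads "The **Mitigation status** and **Mitigation status over time** shows the endpoint..."; update that sentence (and its subject-verb agreement) or the page describes a tile it no longer lists. While here: "shows the distinct number of impacted over time" is missing "machines", and "and if they have been patched" reads better as "and whether they have been patched".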
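Review bot: In the threat-and-vuln-mgt-scenarios.md @@ -65,7 +65,7 hunk, the rewritten step 2 uses "fly-out panel" and "flyout panel" in the same sentence, and step 3 uses "flyout"; settle on one spelling. "Click **Open software page** option" also wants "the" before the bold text.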
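Review bot: In the @@ -83,14 +83,14 hunk, `>![Request remediation](images/tvm_request_remediation.png).` keeps the trailing period, which renders as a stray "." under the image; drop it since the line is being edited anyway. The `>>` to `>` change is right, as the double blockquote was nesting the image one level deeper than the single-`>` confirmation text that follows it.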
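Review bot: In the time-settings.md @@ -35,7 +35,9 hunk, the image line `![Time zone settings icon](images/atp-time-zone-menu.png).` ends in a period that now renders as a stray "." after the image, and the alt text still says "icon" although the new file name indicates a menu screenshot; fix both. The new file images/atp-time-zone-menu.png is not added in this diff as shown, while the @@ -56,7 +58,7 hunk still uses images/atp-time-zone.png, so confirm both files exist. The step 3 change in that second hunk looks whitespace-only; keep it only if it is an intentional trailing-whitespace cleanup.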
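Review bot: In the troubleshoot-mdatp.md @@ -19,7 +19,7 hunk, "Microsoft Defender Advanced Threat service" is still a truncated product name; the product is Microsoft Defender Advanced Threat Protection, so write "Microsoft Defender Advanced Threat Protection service" or simply "Microsoft Defender ATP", as the troubleshoot-overview.md hunk's context line already does.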
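Review bot: The troubleshoot-overview.md @@ -25,7 +25,7 hunk has the same truncated name in the table row "Fix issues related to the Microsoft Defender Advanced Threat service"; the context line two rows up in the same hunk already says "Microsoft Defender ATP", so use that.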
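Review bot: In the tvm-dashboard-insights.md @@ -13,7 +13,7 hunk, the `ms.collection: M365-security-compliance` line is identical before and after as displayed, so this is presumably a trailing-whitespace change; fine if deliberate, otherwise drop it so the metadata diff does not obscure the real edits.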
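Review bot: In the view-incidents-queue.md @@ -49,27 +51,17 hunk, "## Assigned to" is a level-2 heading sitting among level-3 siblings ("### Severity", "### Category", "### Status", "### Data sensitivity") under "## Sort and filter the incidents queue"; make it "### Assigned to" so it stays a filter subsection. The hunk also removes the Alerts, Machines, Users and Classification filter subsections; if the Classification (true/false) filter still exists in the portal, deleting it loses the only mention of how analysts mark false positives, so confirm the removal matches the UI.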
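Review bot: In the troubleshoot-windows-defender-antivirus.md @@ -1686,7 +1686,7 hunk, only the visible link text changes to "Microsoft Security Intelligence site"; the href behind it is not shown here, so verify it points at the current site and not the old one, and grep the file for remaining "Windows Defender Security Intelligence" occurrences since this is a very long page.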
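Review bot: The @@ -2757,7 +2757,7 hunk in the same file needs the same href check as the @@ -1686 hunk, since it changes the link text in the same way without showing the target.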
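Review bot: The two binary changes to wdsc-exp-prot-export.png and wdsc-exp-prot.png cannot be reviewed from the diff; confirm that the text in the page embedding them still matches what the new screenshots show (button labels, dialog names), as the markdown for that page is not touched in this change.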