From fc3bc30603bc09f1b49561627bab1f2336de2427 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 24 Jul 2019 15:39:02 -0400 Subject: [PATCH 01/22] adapted page to list tables, not columns --- .../advanced-hunting-reference.md | 115 ++++-------------- 1 file changed, 22 insertions(+), 93 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md index 0233da71e9..3b8081addb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md @@ -15,7 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 06/01/2018 +ms.date: 07/24/2019 --- # Advanced hunting reference in Microsoft Defender ATP 
@@ -26,100 +26,29 @@ ms.date: 06/01/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -## Advanced hunting column reference -To effectively build queries that span multiple tables, you need to understand the columns in the Advanced hunting schema. The following table lists all the available columns, along with their data types and descriptions. This information is also available in the schema representation in the Advanced hunting screen. +## Advanced hunting table reference -| Column name | Data type | Description -:---|:--- |:--- -| AccountDomain | string | Domain of the account | -| AccountName | string | User name of the account | -| AccountSid | string | Security Identifier (SID) of the account | -| ActionType | string | Type of activity that triggered the event | -| AdditionalFields | string | Additional information about the event in JSON array format | -| AlertId | string | Unique identifier for the alert | -| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | -| Category | string | Type of threat indicator or breach activity identified by the alert | -| ClientVersion | string | Version of the endpoint agent or sensor running on the machine | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | -| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. 
| -| DefaultGateways | string | Default gateway addresses in JSON array format | -| DnsAddresses | string | DNS server addresses in JSON array format | -| EventTime | datetime | Date and time when the event was recorded | -| FileName | string | Name of the file that the recorded action was applied to | -| FileOriginIp | string | IP address where the file was downloaded from | -| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file | -| FileOriginUrl | string | URL where the file was downloaded from | -| FolderPath | string | Folder containing the file that the recorded action was applied to | -| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | -| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | -| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | -| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | -| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | -| InitiatingProcessFileName | string | Name of the process that initiated the event | -| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | -| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | -| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. | -| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. 
| -| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event | -| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | -| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event | -| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. | -| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | -| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local | -| Ipv4Dhcp | string | IPv4 address of DHCP server | -| Ipv6Dhcp | string | IPv6 address of DHCP server | -| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | -| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection | -| LocalIP | string | IP address assigned to the local machine used during communication | -| LocalPort | int | TCP port on the local machine used during communication | -| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | -| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. 
| -| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format | -| LogonType | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the machine using the local keyboard and screen

- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

- **Batch** - Session initiated by scheduled tasks

- **Service** - Session initiated by services as they start
-| MacAddress | string | MAC address of the network adapter | -| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. | -| MachineId | string | Unique identifier for the machine in the service | -| MD5 | string | MD5 hash of the file that the recorded action was applied to | -| NetworkAdapterName | string | Name of the network adapter | -| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). | -| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). | -| OSArchitecture | string | Architecture of the operating system running on the machine | -| OSBuild | string | Build version of the operating system running on the machine | -| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. 
| -| OsVersion | string | Version of the operating system running on the machine | -| PreviousRegistryKey | string | Original registry key of the registry value before it was modified | -| PreviousRegistryValueData | string | Original data of the registry value before it was modified | -| PreviousRegistryValueName | string | Original name of the registry value before it was modified | -| PreviousRegistryValueType | string | Original data type of the registry value before it was modified | -| ProcessCommandline | string | Command line used to create the new process | -| ProcessCreationTime | datetime | Date and time the process was created | -| ProcessId | int | Process ID (PID) of the newly created process | -| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. | -| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | -| Protocol | string | IP protocol used, whether TCP or UDP | -| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. | -| RegistryKey | string | Registry key that the recorded action was applied to | -| RegistryValueData | string | Data of the registry value that the recorded action was applied to | -| RegistryValueName | string | Name of the registry value that the recorded action was applied to | -| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | -| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. 
Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | -| RemoteIP | string | IP address that was being connected to | -| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | -| RemotePort | int | TCP port on the remote device that was being connected to | -| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. | -| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | -| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection | -| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | -| SHA1 | string | SHA-1 of the file that the recorded action was applied to | -| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | -| RegistryMachineTag | string | Machine tag added through the registry | -| Table | string | Table that contains the details of the event | -| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH | +The advanced hunting schema comprise multiple tables that provide either event information or information about certain entities. ->Want to experience Microsoft Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) +To effectively build queries that span multiple tables, you need to understand the columns, or fields, in the Advanced hunting schema. The following reference lists all tables used by Advanced hunting. It also links to pages describing the tables' contents, including official column names. + + all the available columns, along with their data types and descriptions. This information is also available in the schema representation in the Advanced hunting screen. + +| Table name | Description | +|------------|-------------| +| **[AlertEvents]()** | Alerts on Microsoft Defender Security Center | +| **[MachineInfo]()** | Machine information, including OS information | +| **[MachineNetworkInfo]()** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains | +| **[ProcessCreationEvents]()** | Process creation and related events | +| **[NetworkCommunicationEvents]()** | Network connection and related events | +| **[FileCreationEvents]()** | File creation, modification, and other file system events | +| **[RegistryEvents]()** | Creation and modification of registry entries | +| **[LogonEvents]()** | Sign-ins and other authentication events | +| **[ImageLoadEvents]()** | DLL loading events | +| **[MiscEvents]()** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | +| **[SoftwareVulnerabilityInfo]()** | Information about software in use, including version information as well as known vulnerabilities | + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) ## Related topics - [Query data using Advanced hunting](advanced-hunting.md) 
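Review bot: Every entry in the replacement table has an empty link target (`| **[AlertEvents]()** | Alerts on Microsoft Defender Security Center |` and so on), so after this commit each table name on the reference page renders as a dead link, and the column descriptions deleted in the same hunk (the LogonType values, the ReportId uniqueness caveat, the PublicIP note about NAT and proxies) are documented nowhere until the per-table pages exist. Either fill in the targets and land the per-table pages in this commit, or land those pages first and switch the reference page over afterwards. Two smaller points in the same hunk: the paragraph beginning `+ all the available columns, along with their data types and descriptions.` is a leftover fragment of the old sentence and should be merged into the preceding paragraph, and `The advanced hunting schema comprise multiple tables` needs `comprises` (the subject is `schema`).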
From 27894e16c3acd5ddd384d09233782145b6b0a18e Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 24 Jul 2019 15:40:23 -0400 Subject: [PATCH 02/22] amended sentence that was cut off --- .../microsoft-defender-atp/advanced-hunting-reference.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md index 3b8081addb..554c80e95f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md @@ -30,9 +30,7 @@ ms.date: 07/24/2019 The advanced hunting schema comprise multiple tables that provide either event information or information about certain entities. -To effectively build queries that span multiple tables, you need to understand the columns, or fields, in the Advanced hunting schema. The following reference lists all tables used by Advanced hunting. It also links to pages describing the tables' contents, including official column names. - - all the available columns, along with their data types and descriptions. This information is also available in the schema representation in the Advanced hunting screen. +To effectively build queries that span multiple tables, you need to understand the columns, or fields, in the Advanced hunting schema. The following reference lists all tables used by Advanced hunting. It also links to pages describing the tables' contents, including official column names. This information is also available in the schema representation in the Advanced hunting screen. | Table name | Description | |------------|-------------| From f2e9280d3659056ae546127c4d982436923394cf Mon Sep 17 00:00:00 2001 
From: martyav Date: Thu, 25 Jul 2019 10:42:00 -0400 Subject: [PATCH 03/22] revised language --- .../advanced-hunting-reference.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md index 554c80e95f..db6c6acd5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md @@ -28,9 +28,11 @@ ms.date: 07/24/2019 ## Advanced hunting table reference -The advanced hunting schema comprise multiple tables that provide either event information or information about certain entities. +The Advanced hunting schema is made up of multiple tables, which provide either event information or information about certain entities. Table and column names are used for calling information about specific events or entities in queries. -To effectively build queries that span multiple tables, you need to understand the columns, or fields, in the Advanced hunting schema. The following reference lists all tables used by Advanced hunting. It also links to pages describing the tables' contents, including official column names. This information is also available in the schema representation in the Advanced hunting screen. +The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table. + +Table and column names are also listed within the Security center, in the schema representation on the Advanced hunting screen. | Table name | Description | |------------|-------------| 
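Review bot: The new sentence `Each table name links to a page describing the column names for that table.` promises links that the table below this paragraph does not provide; its entries still carry empty targets (`**[AlertEvents]()**`), so either fill in the targets in this commit or word the sentence so it does not describe links that are not there yet. Wording: `Table and column names are used for calling information about specific events or entities in queries` is awkward; `Queries refer to tables and columns by name to return information about specific events or entities` says the same thing more directly. Minor: `Security center` should be `Security Center`, matching `Microsoft Defender Security Center` as used elsewhere in the series.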
@@ -46,8 +48,6 @@ To effectively build queries that span multiple tables, you need to understand t | **[MiscEvents]()** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | | **[SoftwareVulnerabilityInfo]()** | Information about software in use, including version information as well as known vulnerabilities | ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) - ## Related topics - [Query data using Advanced hunting](advanced-hunting.md) -- [Advanced hunting query language best practices](advanced-hunting-best-practices.md) \ No newline at end of file +- [Best practices for Advanced hunting query-writing](advanced-hunting-best-practices.md) \ No newline at end of file From f6afb7952c35a0da417b97ced879a5913416e7c0 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 25 Jul 2019 11:00:59 -0400 Subject: [PATCH 04/22] alertevents-table created & filled out --- .../alertevents-table.md | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/alertevents-table.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/alertevents-table.md new file mode 100644 index 0000000000..37e742b7b1 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/alertevents-table.md 
@@ -0,0 +1,55 @@ +--- +title: AlertEvents +description: Learn about Advanced hunting table AlertEvents, such as column names, data types, and description +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, alertevent +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# AlertEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +## Table description + +AlertEvents is a table in the Advanced hunting schema, which contains information about events on Microsoft Defender Security Center. You can use the reference below to construct queries that return information from this table. 
+ +## Advanced hunting column reference + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| AlertId | string | Unique identifier for the alert | +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | +| Category | string | Type of threat indicator or breach activity identified by the alert | +| Title | string | Title of the alert | +| FileName | string | Name of the file that the recorded action was applied to | +| SHA1 | string | SHA-1 of the file that the recorded action was applied to | +| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | +| RemoteIP | string | IP address that was being connected to | +|ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| Table | string | Table that contains the details of the event | + +## Related topics + +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) From 21450ce7b23cac2b1f621e93243ea9805bb06f8c Mon Sep 17 00:00:00 2001 
From: martyav Date: Thu, 25 Jul 2019 13:37:34 -0400 Subject: [PATCH 05/22] added machineinfo, changed last page's name --- ... => advanced-hunting-alertevents-table.md} | 8 ++- .../advanced-hunting-machineinfo-table.md | 54 +++++++++++++++++++ 2 files changed, 57 insertions(+), 5 deletions(-) rename windows/security/threat-protection/microsoft-defender-atp/{alertevents-table.md => advanced-hunting-alertevents-table.md} (80%) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md similarity index 80% rename from windows/security/threat-protection/microsoft-defender-atp/alertevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md index 37e742b7b1..b233cdf455 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md 
@@ -26,11 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -## Table description +AlertEvents is a table in the Advanced hunting schema. It contains information about alerts on Microsoft Defender Security Center. You can use the reference below to construct queries that return information from this table. -AlertEvents is a table in the Advanced hunting schema, which contains information about events on Microsoft Defender Security Center. You can use the reference below to construct queries that return information from this table. - -## Advanced hunting column reference +For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. | Column name | Data type | Description | |-------------|-----------|-------------| @@ -45,7 +43,7 @@ AlertEvents is a table in the Advanced hunting schema, which contains informatio | SHA1 | string | SHA-1 of the file that the recorded action was applied to | | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | | RemoteIP | string | IP address that was being connected to | -|ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | | Table | string | Table that contains the details of the event | ## Related topics 
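Review bot: Now that the file has its final name, `advanced-hunting-alertevents-table.md`, the corresponding entry in `advanced-hunting-reference.md` still reads `**[AlertEvents]()**` with an empty target; this rename is the moment to update that link, and adopting the `advanced-hunting-<table>-table.md` pattern for the remaining pages lets the other reference entries be filled in the same way. Style: the added sentence `For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page.` duplicates the `All Advanced hunting tables` entry under Related topics on the same page; one of the two is enough. The `| ReportId |` spacing fix in the second hunk is fine.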
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md new file mode 100644 index 0000000000..5b29c9be66 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md 
@@ -0,0 +1,54 @@ +--- +title: MachineInfo +description: Learn about Advanced hunting table MachineInfo, such as column names, data types, and description +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machineinfo +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# MachineInfo + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +MachineInfo is a table in the Advanced hunting schema. It contains information about machines in the organization, including OS information. You can use the reference below to construct queries that return information from this table. + +For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ClientVersion | string | Version of the endpoint agent or sensor running on the machine | +| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. 
This could be the IP address of the machine itself, a NAT device, or a proxy | +| OSArchitecture | string | Architecture of the operating system running on the machine | +| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | +| OSBuild | string | Build version of the operating system running on the machine | +| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | +| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format | +| RegistryMachineTag | string | Machine tag added through the registry | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| OSVersion | string | Version of the operating system running on the machine | +| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine | + +## Related topics + +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) From d441e94c256f7cfb2203a10bfd4b47e3c612954e Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 25 Jul 2019 14:22:03 -0400 Subject: [PATCH 06/22] added machinenetworkinfo --- ...vanced-hunting-machinenetworkinfo-table.md | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md 
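Review bot: In the MachineInfo column table added in PATCH 05/22, the row `| OSVersion | string | Version of the operating system running on the machine |` uses a different casing from the `| OsVersion | string | ... |` row deleted from the column reference in PATCH 01/22. Only one of the two can be the name the schema actually exposes, and readers who copy the wrong one into a query will get nothing back; check it against the schema representation in the Advanced hunting screen (which the reference page itself points readers to) and make both pages agree. The other OS columns on this page (`OSArchitecture`, `OSPlatform`, `OSBuild`) kept their original spelling, so `OSVersion` looks like the odd one out. Layout: that row sits after `ReportId` rather than next to the other OS columns; grouping it with them would make the table easier to scan.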
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md new file mode 100644 index 0000000000..c66389a339 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md 
@@ -0,0 +1,55 @@ +--- +title: MachineNetworkInfo +description: Learn about Advanced hunting table MachineNetworkInfo, such as column names, data types, and description +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machinenetworkinfo +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# MachineNetworkInfo + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +MachineNetworkInfo is a table in the Advanced hunting schema. It contains information about network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains. You can use the reference below to construct queries that return information from this table. + +For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ReportId | long | Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| NetworkAdapterName | string | Name of the network adapter | +| MacAddress | string | MAC address of the network adapter | +| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) | +| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) | +| TunnelType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH | +| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet | +| DnsAddresses | string | DNS server addresses in JSON array format | +| IPv4Dhcp | string | IPv4 address of DHCP server | +| IPv6Dhcp | string | IPv6 address of DHCP server | +| DefaultGateways | string | Default gateway addresses in JSON array format | +| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local | + +## Related topics + +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) From 15b4ca81d94e74bf86c41b1ff609e83e8a92c006 Mon Sep 17 00:00:00 2001 
From: martyav Date: Thu, 25 Jul 2019 15:12:38 -0400 Subject: [PATCH 07/22] added processcreationevents --- ...ced-hunting-processcreationevents-table.md | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md new file mode 100644 index 0000000000..2ce2287fec --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md 
@@ -0,0 +1,77 @@ +--- +title: ProcessCreationEvents +description: Learn about Advanced hunting table ProcessCreationEvents, such as column names, data types, and description +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, processcreationevents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# ProcessCreationEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +ProcessCreationEvents is a table in the Advanced hunting schema. It contains information about process creation and related events. You can use the reference below to construct queries that return information from this table. + +For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. 
+ +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string | Type of activity that triggered the event | +| FileName | string | Name of the file that the recorded action was applied to | +| FolderPath | string | Folder containing the file that the recorded action was applied to | +| SHA1 | string | SHA-1 of the file that the recorded action was applied to | +| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | +| MD5 | string | MD5 hash of the file that the recorded action was applied to | +| ProcessId | int | Process ID (PID) of the newly created process | +| ProcessCommandLine | string | Command line used to create the new process | +| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources | +| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | +| ProcessCreationTime | datetime | Date and time the process was created | +| AccountDomain | string | Domain of the account | +| AccountName | string | User name of the account | +| AccountSid | string | Security Identifier (SID) of the account | +| LogonId | string | Identifier for a logon session. 
This identifier is unique on the same machine only between restarts | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. 
This field is usually not populated—use the SHA1 column when available | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | + +## Related topics + +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) From ba1ea3fac5d23625e459c553290bd979dcc4c5a1 Mon Sep 17 00:00:00 2001 
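Review bot: typo in the `ProcessIntegrityLevel` row: "such as if they were launched from an internet downloaded" should read "from an internet download", as the `InitiatingProcessIntegrityLevel` row further down already has it. In the same table, `ProcessTokenElevation` and `InitiatingProcessTokenElevation` expand UAC as "User Access Control"; the Windows feature is User Account Control, and the same expansion appears in the other table pages added in this series. Minor: the `SHA256` description ends with a period while every other cell in the table does not.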
From: martyav Date: Thu, 25 Jul 2019 16:33:56 -0400 Subject: [PATCH 08/22] added networkcommunicationevents --- ...unting-networkcommunicationevents-table.md | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md new file mode 100644 index 0000000000..52e46b633a --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md 
@@ -0,0 +1,69 @@ +--- +title: NetworkCommunicationEvents +description: Learn about Advanced hunting table NetworkCommunicationEvents, such as column names, data types, and description +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, networkcommunicationevents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# NetworkCommunicationEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +NetworkCommunicationEvents is a table in the Advanced hunting schema. It contains information about network connections and related events. You can use the reference below to construct queries that return information from this table. + +For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. 
+ +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string | Type of activity that triggered the event | +| RemoteIP | string | IP address that was being connected to | +| RemotePort | int | TCP port on the remote device that was being connected to | +| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | +| LocalIP | string | IP address assigned to the local machine used during communication | +| LocalPort | int | TCP port on the local machine used during communication | +| Protocol | string | IP protocol used, whether TCP or UDP | +| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | +| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentId | int 
| Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | + +## Related topics + +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) From 5254c2c2908405e9f2780b06c56fdedfeb16bdf3 Mon Sep 17 00:00:00 2001 
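Review bot: `RemotePort` and `LocalPort` are described as "TCP port ..." while the `Protocol` row says the protocol is "whether TCP or UDP", so for UDP connections the port descriptions are wrong; "TCP or UDP port" (or simply "port") on both rows keeps them consistent with `Protocol`. Also "User Access Control (UAC)" in the `InitiatingProcessTokenElevation` row should be "User Account Control (UAC)".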
From: martyav Date: Thu, 25 Jul 2019 16:52:18 -0400 Subject: [PATCH 09/22] added filecreationevents --- ...vanced-hunting-filecreationevents-table.md | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md new file mode 100644 index 0000000000..f27d1f5445 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md 
@@ -0,0 +1,74 @@ +--- +title: FileCreationEvents +description: Learn about Advanced hunting table FileCreationEvents, such as column names, data types, and description +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, filecreationevents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# FileCreationEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +FileCreationEvents is a table in the Advanced hunting schema. It contains information about file creation, modification, and other file system events. You can use the reference below to construct queries that return information from this table. + +For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. 
+ +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string | Type of activity that triggered the event | +| FileName | string | Name of the file that the recorded action was applied to | +| FolderPath | string | Folder containing the file that the recorded action was applied to | +| SHA1 | string SHA-1 of the file that the recorded action was applied to | +| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available | +| MD5 | string | MD5 hash of the file that the recorded action was applied to | +| FileOriginUrl | string | URL where the file was downloaded from | +| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file | +| FileOriginIP | string | IP address where the file was downloaded from | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | 
Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| ReportId | long | Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | +| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection | +| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | +| IsWindowsInfoProtectionApplied | N/A | N/A | +| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection | + + +## Related topics + +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) From 644ddb309013d692fcd0508013ada2ff5a9e3b0a Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 25 Jul 2019 17:23:01 -0400 Subject: [PATCH 10/22] added registryevents --- ...vanced-hunting-filecreationevents-table.md | 1 - .../advanced-hunting-registryevents-table.md | 67 +++++++++++++++++++ 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md index f27d1f5445..fb65ba4ecc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md 
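Review bot: the `SHA1` row in the new FileCreationEvents table is missing the cell separator between the data type and the description (`| SHA1 | string SHA-1 of the file that the recorded action was applied to |`), so it renders as a two-column row; it should be `| SHA1 | string | SHA-1 of the file that the recorded action was applied to |`. The `IsWindowsInfoProtectionApplied` row ships with `N/A` for both data type and description, which reads as an unfinished placeholder: either fill in the type and meaning (the neighbouring `IsAzureInfoProtectionApplied` row shows the intended form) or drop the row until the information is available. "User Access Control (UAC)" should be "User Account Control (UAC)" here as well.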
@@ -66,7 +66,6 @@ For information on other tables in the Advanced hunting schema, see our [Advance | IsWindowsInfoProtectionApplied | N/A | N/A | | IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection | - ## Related topics - [All Advanced hunting tables](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md new file mode 100644 index 0000000000..6472ef185c --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md 
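Review bot: the `| IsWindowsInfoProtectionApplied | N/A | N/A |` placeholder row is visible in this hunk's context lines, two lines above the removed blank line; since the commit already touches this file, replacing the N/A values with the real data type and description (or removing the row) belongs here rather than in a later fix-up.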
@@ -0,0 +1,67 @@ +--- +title: RegistryEvents +description: Learn about Advanced hunting table RegistryEvents, such as column names, data types, and description +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, registryevents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# RegistryEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +RegistryEvents is a table in the Advanced hunting schema. It contains information about the creation and modification of registry entries. You can use the reference below to construct queries that return information from this table. + +For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. 
+ +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string | Type of activity that triggered the event | +| RegistryKey | string | Registry key that the recorded action was applied to | +| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | +| RegistryValueName | string | Name of the registry value that the recorded action was applied to | +| RegistryValueData | string | Data of the registry value that the recorded action was applied to | +| PreviousRegistryValueName | string | Original name of the registry value before it was modified | +| PreviousRegistryValueData | string | Original data of the registry value before it was modified | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessFolderPath | string 
| Folder containing the process (image file) that initiated the event | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an | internet download. These integrity levels influence permissions to resources | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | + +## Related topics + +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) From e8bfe0fd685423b60977f8b9bd0b01bb375d60de Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 26 Jul 2019 11:19:19 -0400 Subject: [PATCH 11/22] added logon events --- .../advanced-hunting-logonevents-table.md | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md 
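Review bot: the `InitiatingProcessIntegrityLevel` row contains a stray pipe inside the description ("launched from an | internet download"), which splits the cell and gives that row an extra column, so the table will render misaligned; remove the `|` so the text reads "launched from an internet download" as in the other tables. Also "User Access Control (UAC)" in the `InitiatingProcessTokenElevation` row should be "User Account Control (UAC)".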
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md new file mode 100644 index 0000000000..7bb35627d0 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md 
@@ -0,0 +1,73 @@ +--- +title: LogonEvents +description: Learn about Advanced hunting table LogonEvents, such as column names, data types, and description +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, logonevents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# LogonEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +LogonEvents is a table in the Advanced hunting schema. It contains information about user logons and other authentication events. You can use the reference below to construct queries that return information from this table. + +For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. 
+ +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string |Type of activity that triggered the event | +| AccountDomain | string | Domain of the account | +| AccountName | string | User name of the account | +| AccountSid | string | Security Identifier (SID) of the account | +| LogonType | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the machine using the local keyboard and screen

- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

- **Batch** - Session initiated by scheduled tasks

- **Service** - Session initiated by services as they start
| +| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | +| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | +| RemoteIP | string | IP address that was being connected to | +| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | +| RemotePort | int | TCP port on the remote device that was being connected to | +| AdditionalFields | string | Additional information about the event in JSON array format | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. 
This field is usually not populated—use the SHA1 column when available | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | +| IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine | + +## Related topics + +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) From 94ff29a4d80cdef3014502a3777ca5a10ddb9a4a Mon Sep 17 00:00:00 2001 
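Review bot: the `LogonType` cell is written as a multi-line bulleted list inside a table row, but Markdown tables need each row on a single line, so everything from "- **Interactive**" onwards breaks out of the table and the rows that follow (`LogonId` onwards) will not render as part of it; join the list onto one line with `<br>` separators, or keep the cell short and describe the logon types in a paragraph below the table. Separately, `RemoteComputerName` is described as the machine that "performed a remote operation on the affected machine" (the remote side is the source of the logon), while `RemoteIP` and `RemotePort` are described as the address and port "that was being connected to", wording carried over from NetworkCommunicationEvents where the direction is the opposite; the three rows should agree on which side the Remote* fields describe. Minor: `| ActionType | string |Type of activity` is missing a space after the pipe, and "fully-qualified" should match the "fully qualified" used elsewhere on the page.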
From: martyav Date: Fri, 26 Jul 2019 11:29:14 -0400 Subject: [PATCH 12/22] added imageloadevents --- .../advanced-hunting=imageloadevents-table.md | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/advanced-hunting=imageloadevents-table.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting=imageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting=imageloadevents-table.md new file mode 100644 index 0000000000..951b5f83ea --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting=imageloadevents-table.md 
@@ -0,0 +1,65 @@ +--- +title: ImageLoadEvents +description: Learn about Advanced hunting table ImageLoadEvents, such as column names, data types, and description +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, imageloadevents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# ImageLoadEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +ImageLoadEvents is a table in the Advanced hunting schema. It contains information about DLL loading events. You can use the reference below to construct queries that return information from this table. + +For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. 
+ +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string | Type of activity that triggered the event | +| FileName | string | Name of the file that the recorded action was applied to | +| FolderPath | string | Folder containing the file that the recorded action was applied to | +| SHA1 | string | SHA-1 of the file that the recorded action was applied to | +| MD5 | string | MD5 hash of the file that the recorded action was applied to | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. 
These integrity levels influence permissions to resources | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | + +## Related topics + +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) From d7858b469e359ccac0b40c67963ff418eb591338 Mon Sep 17 00:00:00 2001 
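Review bot: The new file is created as `advanced-hunting=imageloadevents-table.md`, with `=` where every other table page in this series uses `-` (`advanced-hunting-<table>-table.md`); the reference-page links added later in the series target `advanced-hunting-imageloadevents-table.md`, so the page is unreachable until the file is renamed. Suggest naming it `advanced-hunting-imageloadevents-table.md` in this commit rather than fixing it in a follow-up. In the table itself, `ImageLoadEvents` lists `SHA1` and `MD5` for the loaded file but no `SHA256` row, unlike the MiscEvents and LogonEvents-style tables in this series that carry a `SHA256` row with a "usually not populated" caveat; confirm whether the column is absent from the schema or just missing from the page.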
From: martyav Date: Fri, 26 Jul 2019 11:46:17 -0400 Subject: [PATCH 13/22] added miscevents --- .../advanced-hunting=miscevents-table.md | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/advanced-hunting=miscevents-table.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting=miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting=miscevents-table.md new file mode 100644 index 0000000000..acc1394b7d --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting=miscevents-table.md 
@@ -0,0 +1,86 @@ +--- +title: MiscEvents +description: Learn about Advanced hunting table MiscEvents, such as column names, data types, and description +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, miscEvents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# MiscEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +MiscEvents is a table in the Advanced hunting schema. It contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. You can use the reference below to construct queries that return information from this table. + +For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. 
+ +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string | Type of activity that triggered the event | +| FileName | string | Name of the file that the recorded action was applied to | +| FolderPath | string | Folder containing the file that the recorded action was applied to | +| SHA1 | string | SHA-1 of the file that the recorded action was applied to | +| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available | +| MD5 | string | MD5 hash of the file that the recorded action was applied to | +| AccountDomain | string | Domain of the account | +| AccountName |string | User name of the account | +| AccountSid | string | Security Identifier (SID) of the account | +| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | +| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine | Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | +| ProcessId | int | Process ID (PID) of the newly created process | +| ProcessCommandLine | string | Command line used to create the new process | +| ProcessCreationTime | datetime | Date and time the process was created | +| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | +| LogonId | string | Identifier for a logon session. 
This identifier is unique on the same machine only between restarts | +| RegistryKey | string | Registry key that the recorded action was applied to | +| RegistryValueName | string | Name of the registry value that the recorded action was applied to | +| RegistryValueData | string | Data of the registry value that the recorded action was applied to | +| RemoteIP | string | IP address that was being connected to | +| RemotePort | int | TCP port on the remote device that was being connected to | +| LocalIP | string | IP address assigned to the local machine used during communication | +| LocalPort | int | TCP port on the local machine used during communication | +| FileOriginUrl | string | URL where the file was downloaded from | +| FileOriginIP | string | IP address where the file was downloaded from | +| AdditionalFields | string | Additional information about the event in JSON array format | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. 
This field is usually not populated—use the SHA1 column when available | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts | +| ReportId | long | Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | + +## Related topics + +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) From 160e3c475ee9499624a2b603c90bd3d253c3a282 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 26 Jul 2019 11:52:36 -0400 Subject: [PATCH 14/22] added softwarevulnerabilityinfo --- ...hunting-softwarevulnerabilityinfo-table.md | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-softwarevulnerabilityinfo-table.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-softwarevulnerabilityinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-softwarevulnerabilityinfo-table.md new file mode 100644 index 0000000000..a4a587aa1f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-softwarevulnerabilityinfo-table.md 
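Review bot: The `RemoteComputerName` row in the MiscEvents table above contains a stray `|` inside the description ("...on the affected machine | Depending on the event being reported, ..."), which splits the description into a fourth cell and breaks the table row when rendered; replace the pipe with a period, as the same sentence is written in the other table pages: "Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information". The file also has the `advanced-hunting=miscevents-table.md` naming problem (`=` instead of `-`), and the `keywords` entry uses `miscEvents` where the other pages use all-lowercase table names.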
@@ -0,0 +1,52 @@ +--- +title: SoftwareVulnerabilityInfo +description: Learn about Advanced hunting table SoftwareVulnerabilityInfo, such as column names, data types, and description +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, softwarevulnerabilityinfo +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# SoftwareVulnerabilityInfo + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +SoftwareVulnerabilityInfo is a table in the Advanced hunting schema. It contains information about software in use, including version number, as well as any known vulnerabilities. You can use the reference below to construct queries that return information from this table. + +For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| OSPlatform | string | Platform of the operating system running on the machine. 
This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | +| OsVersion | string | Version of the operating system running on the machine | +| OSArchitecture | string | Architecture of the operating system running on the machine | +| SoftwareVendor | N/A | N/A | +| SoftwareName | N/A | N/A | +| SoftwareVersion | N/A | N/A | +| CveId | N/A | N/A | +| CvssScore | N/A | N/A | +| VulnerabilitySeverityLevel | N/A | N/A | +| IsExploitAvailable | N/A | | N/A | + +## Related topics + +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) From 4d48a7a860f20e4334b6b9fb6be54bc94fc9d7df Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 26 Jul 2019 12:06:13 -0400 Subject: [PATCH 15/22] updated ah reference table to link to new pages --- .../advanced-hunting-reference.md | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md index db6c6acd5e..6f10ab4b38 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md 
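Review bot: Seven rows of the SoftwareVulnerabilityInfo table (`SoftwareVendor` through `IsExploitAvailable`) are committed with `N/A` as both data type and description, and the `IsExploitAvailable` row has an extra empty cell (`| IsExploitAvailable | N/A | | N/A |`) that breaks the row; either fill in the types and descriptions before this ships (these are exactly the columns a reader of a vulnerability table needs, e.g. what `CvssScore` is scored against and what `IsExploitAvailable` means) or leave the rows out until the information is available, and in any case remove the extra pipe. The column-name casing is also inconsistent within the same table: `OSPlatform` and `OSArchitecture` versus `OsVersion`; since column names must match what a query references, verify each against the schema shown in the portal.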
@@ -36,18 +36,19 @@ Table and column names are also listed within the Security center, in the schema | Table name | Description | |------------|-------------| -| **[AlertEvents]()** | Alerts on Microsoft Defender Security Center | -| **[MachineInfo]()** | Machine information, including OS information | -| **[MachineNetworkInfo]()** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains | -| **[ProcessCreationEvents]()** | Process creation and related events | -| **[NetworkCommunicationEvents]()** | Network connection and related events | -| **[FileCreationEvents]()** | File creation, modification, and other file system events | -| **[RegistryEvents]()** | Creation and modification of registry entries | -| **[LogonEvents]()** | Sign-ins and other authentication events | -| **[ImageLoadEvents]()** | DLL loading events | -| **[MiscEvents]()** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | -| **[SoftwareVulnerabilityInfo]()** | Information about software in use, including version information as well as known vulnerabilities | +| **[AlertEvents](advanced-hunting-alertevents-table.md)** | Alerts on Microsoft Defender Security Center | +| **[MachineInfo](advanced-hunting-machineinfo-table.md)** | Machine information, including OS information | +| **[MachineNetworkInfo](advanced-hunting-machinenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains | +| **[ProcessCreationEvents](advanced-hunting-processcreationevents-table.md)** | Process creation and related events | +| **[NetworkCommunicationEvents](advanced-hunting-networkcommunication-table.md)** | Network connection and related events | +| **[FileCreationEvents](advanced-hunting-filecreationevents-table.md)** | File creation, modification, and other file system events | +| 
**[RegistryEvents](advanced-hunting-registryevents-table.md)** | Creation and modification of registry entries | +| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events | +| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events | +| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | +| **[SoftwareVulnerabilityInfo](advanced-hunting-softwarevulnerabilityinfo-table.md)** | Information about software in use, including version information as well as known vulnerabilities | ## Related topics + - [Query data using Advanced hunting](advanced-hunting.md) -- [Best practices for Advanced hunting query-writing](advanced-hunting-best-practices.md) \ No newline at end of file +- [Best practices for Advanced hunting query-writing](advanced-hunting-best-practices.md) From bf5d849f38b9cb79639434f64f43d1b734ed31c3 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 26 Jul 2019 12:22:47 -0400 Subject: [PATCH 16/22] corrected bad links and page names --- ...vents-table.md => advanced-hunting-imageloadevents-table.md} | 0 ...miscevents-table.md => advanced-hunting-miscevents-table.md} | 0 .../microsoft-defender-atp/advanced-hunting-reference.md | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting=imageloadevents-table.md => advanced-hunting-imageloadevents-table.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting=miscevents-table.md => advanced-hunting-miscevents-table.md} (100%) 
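Review bot: The `NetworkCommunicationEvents` link targets `advanced-hunting-networkcommunication-table.md`, which does not follow the `advanced-hunting-<table>-table.md` pattern used by the other ten links and does not correspond to any file in this series; it should be `advanced-hunting-networkcommunicationevents-table.md`. The `ImageLoadEvents` and `MiscEvents` links also point at files that, at this point in the series, exist only under the misspelled `advanced-hunting=...` names, so three of the eleven links are dead in this commit; squashing the filename fixes into this change would keep every intermediate commit link-clean.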
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting=imageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting=imageloadevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting=miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting=miscevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md index 6f10ab4b38..919bb40c3f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md 
@@ -40,7 +40,7 @@ Table and column names are also listed within the Security center, in the schema | **[MachineInfo](advanced-hunting-machineinfo-table.md)** | Machine information, including OS information | | **[MachineNetworkInfo](advanced-hunting-machinenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains | | **[ProcessCreationEvents](advanced-hunting-processcreationevents-table.md)** | Process creation and related events | -| **[NetworkCommunicationEvents](advanced-hunting-networkcommunication-table.md)** | Network connection and related events | +| **[NetworkCommunicationEvents](advanced-hunting-networkcommunicationevents-table.md)** | Network connection and related events | | **[FileCreationEvents](advanced-hunting-filecreationevents-table.md)** | File creation, modification, and other file system events | | **[RegistryEvents](advanced-hunting-registryevents-table.md)** | Creation and modification of registry entries | | **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events | From d3c6e0101a6b99b82bd511e494905f2586e6de42 Mon Sep 17 00:00:00 2001 
From: martyav Date: Fri, 26 Jul 2019 12:59:18 -0400 Subject: [PATCH 17/22] improved ah table topics as per lomayor's review --- .../advanced-hunting-alertevents-table.md | 5 +++-- .../advanced-hunting-filecreationevents-table.md | 6 +++--- .../advanced-hunting-imageloadevents-table.md | 5 +++-- .../advanced-hunting-logonevents-table.md | 5 +++-- .../advanced-hunting-machineinfo-table.md | 5 +++-- .../advanced-hunting-machinenetworkinfo-table.md | 5 +++-- .../advanced-hunting-miscevents-table.md | 5 +++-- .../advanced-hunting-networkcommunicationevents-table.md | 5 +++-- .../advanced-hunting-processcreationevents-table.md | 5 +++-- .../microsoft-defender-atp/advanced-hunting-reference.md | 6 +++--- .../advanced-hunting-registryevents-table.md | 5 +++-- .../advanced-hunting-softwarevulnerabilityinfo-table.md | 5 +++-- 12 files changed, 36 insertions(+), 26 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md index b233cdf455..298c799abc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md @@ -1,6 +1,6 @@ --- title: AlertEvents -description: Learn about Advanced hunting table AlertEvents, such as column names, data types, and description +description: AlertEvents table in the advanced hunting schema keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, alertevent search.product: eADQiWindows 10XVcnh search.appverid: met150 
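Review bot: The new `description` for AlertEvents reads "table in the advanced hunting schema" with lowercase "advanced", while the equivalent descriptions for every other table page in this commit (FileCreationEvents, ImageLoadEvents, LogonEvents, MachineInfo, MachineNetworkInfo) use "Advanced hunting schema", as does the page body; capitalize it for consistency.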
@@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -AlertEvents is a table in the Advanced hunting schema. It contains information about alerts on Microsoft Defender Security Center. You can use the reference below to construct queries that return information from this table. +The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from this table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. @@ -48,6 +48,7 @@ For information on other tables in the Advanced hunting schema, see our [Advance ## Related topics +- [Advanced hunting overview](overview-hunting.md) - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md index fb65ba4ecc..e97919ea91 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md 
@@ -1,6 +1,6 @@ --- title: FileCreationEvents -description: Learn about Advanced hunting table FileCreationEvents, such as column names, data types, and description +description: FileCreationEvents table in the Advanced hunting schema keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, filecreationevents search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -FileCreationEvents is a table in the Advanced hunting schema. It contains information about file creation, modification, and other file system events. You can use the reference below to construct queries that return information from this table. +The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from this table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. 
@@ -63,11 +63,11 @@ For information on other tables in the Advanced hunting schema, see our [Advance | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | | SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection | | SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | -| IsWindowsInfoProtectionApplied | N/A | N/A | | IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection | ## Related topics +- [Advanced hunting overview](overview-hunting.md) - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md index 951b5f83ea..c1196b1a58 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md @@ -1,6 +1,6 @@ --- title: ImageLoadEvents -description: Learn about Advanced hunting table ImageLoadEvents, such as column names, data types, and description +description: ImageLoadEvents table in the Advanced hunting schema keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, imageloadevents search.product: eADQiWindows 10XVcnh search.appverid: met150 
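Review bot: In the FileCreationEvents hunk above, the `IsWindowsInfoProtectionApplied` row is removed outright rather than documented, while the neighboring `IsAzureInfoProtectionApplied` row keeps its `boolean` type and description; if the column exists in the schema, readers looking for files covered by Windows Information Protection will not find it in the reference. Confirm whether it was dropped because it is absent from the schema or only because it was undocumented, and in the latter case keep the row with a type and description paralleling the Azure Information Protection one.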
@@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -ImageLoadEvents is a table in the Advanced hunting schema. It contains information about DLL loading events. You can use the reference below to construct queries that return information from this table. +The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from this table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. @@ -60,6 +60,7 @@ For information on other tables in the Advanced hunting schema, see our [Advance ## Related topics +- [Advanced hunting overview](overview-hunting.md) - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md index 7bb35627d0..b775cf471f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md 
@@ -1,6 +1,6 @@ --- title: LogonEvents -description: Learn about Advanced hunting table LogonEvents, such as column names, data types, and description +description: LogonEvents table in the Advanced hunting schema keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, logonevents search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -LogonEvents is a table in the Advanced hunting schema. It contains information about user logons and other authentication events. You can use the reference below to construct queries that return information from this table. +The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from this table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. @@ -68,6 +68,7 @@ For information on other tables in the Advanced hunting schema, see our [Advance ## Related topics +- [Advanced hunting overview](overview-hunting.md) - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md index 5b29c9be66..0a481f8639 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md @@ -1,6 +1,6 @@ --- title: MachineInfo -description: Learn about Advanced hunting table MachineInfo, such as column names, data types, and description +description: MachineInfo table in the Advanced hunting schema keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machineinfo search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -MachineInfo is a table in the Advanced hunting schema. It contains information about machines in the organization, including OS information. You can use the reference below to construct queries that return information from this table. +The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from this table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. @@ -49,6 +49,7 @@ For information on other tables in the Advanced hunting schema, see our [Advance ## Related topics +- [Advanced hunting overview](overview-hunting.md) - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md index c66389a339..d31da2b287 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md @@ -1,6 +1,6 @@ --- title: MachineNetworkInfo -description: Learn about Advanced hunting table MachineNetworkInfo, such as column names, data types, and description +description: MachineNetworkInfo table in the Advanced hunting schema keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machinenetworkinfo search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -MachineNetworkInfo is a table in the Advanced hunting schema. It contains information about network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains. You can use the reference below to construct queries that return information from this table. +The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from this table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. 
@@ -50,6 +50,7 @@ For information on other tables in the Advanced hunting schema, see our [Advance ## Related topics +- [Advanced hunting overview](overview-hunting.md) - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md index acc1394b7d..a264a61fb7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md @@ -1,6 +1,6 @@ --- title: MiscEvents -description: Learn about Advanced hunting table MiscEvents, such as column names, data types, and description +description: MiscEvents table in the advanced hunting schema keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, miscEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -MiscEvents is a table in the Advanced hunting schema. It contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. You can use the reference below to construct queries that return information from this table. +The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from this table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. @@ -81,6 +81,7 @@ For information on other tables in the Advanced hunting schema, see our [Advance ## Related topics +- [Advanced hunting overview](overview-hunting.md) - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md index 52e46b633a..238acf2ee9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md 
@@ -1,6 +1,6 @@ --- title: NetworkCommunicationEvents -description: Learn about Advanced hunting table NetworkCommunicationEvents, such as column names, data types, and description +description: NetworkCommunicationEvents table in the Advanced hunting schema keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, networkcommunicationevents search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -NetworkCommunicationEvents is a table in the Advanced hunting schema. It contains information about network connections and related events. You can use the reference below to construct queries that return information from this table. +The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from this table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. @@ -64,6 +64,7 @@ For information on other tables in the Advanced hunting schema, see our [Advance ## Related topics +- [Advanced hunting overview](overview-hunting.md) - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md index 2ce2287fec..efa1c51ed6 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md @@ -1,6 +1,6 @@ --- title: ProcessCreationEvents -description: Learn about Advanced hunting table ProcessCreationEvents, such as column names, data types, and description +description: ProcessCreationEvents table in the Advanced hunting schema keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, processcreationevents search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -ProcessCreationEvents is a table in the Advanced hunting schema. It contains information about process creation and related events. You can use the reference below to construct queries that return information from this table. +The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from this table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. @@ -72,6 +72,7 @@ For information on other tables in the Advanced hunting schema, see our [Advance ## Related topics +- [Advanced hunting overview](overview-hunting.md) - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md index 919bb40c3f..5c0941650a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md @@ -1,6 +1,6 @@ --- -title: Advanced hunting reference in Microsoft Defender ATP -description: Learn about Advanced hunting table reference such as column name, data type, and description +title: Advanced hunting schema reference +description: Learn about the tables in the advanced hunting schema keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -28,7 +28,7 @@ ms.date: 07/24/2019 ## Advanced hunting table reference -The Advanced hunting schema is made up of multiple tables, which provide either event information or information about certain entities. Table and column names are used for calling information about specific events or entities in queries. +The Advanced hunting schema is made up of multiple tables that provide either event information, or information about certain entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema. The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md index 6472ef185c..043d87e790 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md @@ -1,6 +1,6 @@ --- title: RegistryEvents -description: Learn about Advanced hunting table RegistryEvents, such as column names, data types, and description +description: RegistryEvents table in the Advanced hunting schema keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, registryevents search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -RegistryEvents is a table in the Advanced hunting schema. It contains information about the creation and modification of registry entries. You can use the reference below to construct queries that return information from this table. +The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from this table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. @@ -62,6 +62,7 @@ For information on other tables in the Advanced hunting schema, see our [Advance ## Related topics +- [Advanced hunting overview](overview-hunting.md) - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-softwarevulnerabilityinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-softwarevulnerabilityinfo-table.md index a4a587aa1f..27628c9bd1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-softwarevulnerabilityinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-softwarevulnerabilityinfo-table.md @@ -1,6 +1,6 @@ --- title: SoftwareVulnerabilityInfo -description: Learn about Advanced hunting table SoftwareVulnerabilityInfo, such as column names, data types, and description +description: SoftwareVulnerabilityInfo table in the Advanced hunting schema keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, softwarevulnerabilityinfo search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -SoftwareVulnerabilityInfo is a table in the Advanced hunting schema. It contains information about software in use, including version number, as well as any known vulnerabilities. You can use the reference below to construct queries that return information from this table. +The SoftwareVulnerabilityInfo table in the Advanced hunting schema contains information about software in use, including version number, as well as any known vulnerabilities. Use this reference to construct queries that return information from this table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. 
@@ -47,6 +47,7 @@ For information on other tables in the Advanced hunting schema, see our [Advance ## Related topics +- [Advanced hunting overview](overview-hunting.md) - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) From ca6e89846bca3dfcb7da23fbeb08a76bc9ec5674 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 26 Jul 2019 15:43:31 -0400 Subject: [PATCH 18/22] toc update, rm svevents table, updated table titles --- windows/security/threat-protection/TOC.md | 13 ++++- .../advanced-hunting-alertevents-table.md | 6 +-- ...vanced-hunting-filecreationevents-table.md | 8 +-- .../advanced-hunting-imageloadevents-table.md | 6 +-- .../advanced-hunting-logonevents-table.md | 6 +-- .../advanced-hunting-machineinfo-table.md | 6 +-- ...vanced-hunting-machinenetworkinfo-table.md | 6 +-- .../advanced-hunting-miscevents-table.md | 6 +-- ...unting-networkcommunicationevents-table.md | 6 +-- ...ced-hunting-processcreationevents-table.md | 6 +-- .../advanced-hunting-reference.md | 1 - .../advanced-hunting-registryevents-table.md | 6 +-- ...hunting-softwarevulnerabilityinfo-table.md | 53 ------------------- 13 files changed, 43 insertions(+), 86 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-softwarevulnerabilityinfo-table.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index d42055564e..b22f43a08f 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
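Review bot: In the advanced-hunting-reference.md hunk of this patch, the new front-matter title "Advanced hunting schema reference" no longer matches the name the table pages in the same patch use to link to it ("see our [Advanced hunting reference](advanced-hunting-reference.md) page") or the "All Advanced hunting tables" related-topic entry; pick one name and use it for the title, the link text and the TOC. In the same hunk, drop the comma in "provide either event information, or information about certain entities", since "either ... or" joins two objects of one verb.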
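Review bot: The new description in the advanced-hunting-miscevents-table.md hunk reads "MiscEvents table in the advanced hunting schema" with lowercase "advanced", while every other table page changed in this patch uses "Advanced hunting schema"; capitalize it to match (the body sentence in the same file already says "Advanced hunting schema").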
@@ -104,7 +104,18 @@ ### [Advanced hunting]() #### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md) #### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md) -##### [Advanced hunting reference](microsoft-defender-atp/advanced-hunting-reference.md) +##### [Advanced hunting reference]() +###### [All tables in Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md) +###### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md) +###### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md) +###### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md) +###### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md) +###### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md) +###### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md) +###### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md) +###### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md) +###### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md) +###### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md) ##### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) #### [Custom detections]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md index 298c799abc..ea1feefdad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md @@ -1,6 +1,6 @@ --- -title: AlertEvents -description: AlertEvents table in the advanced hunting schema +title: AlertEvents table in the advanced hunting schema +description: Learn about the AlertEvents table in the Advanced hunting schema, such as column names, data types, and descriptions keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, alertevent search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from this table. +The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md index e97919ea91..58c4a28614 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md 
@@ -1,6 +1,6 @@ --- -title: FileCreationEvents -description: FileCreationEvents table in the Advanced hunting schema +title: FileCreationEvents table in the Advanced hunting schema +description: Learn about the FileCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, filecreationevents search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,9 +26,9 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from this table. +The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md index c1196b1a58..9c2ffcbef0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md @@ -1,6 +1,6 @@ --- -title: ImageLoadEvents -description: ImageLoadEvents table in the Advanced hunting schema +title: ImageLoadEvents table in the Advanced hunting schema +description: Learn about the ImageLoadEvents table in the Advanced hunting schema, such as column names, data types, and descriptions keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, imageloadevents search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from this table. +The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md index b775cf471f..004409e8c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md 
@@ -1,6 +1,6 @@ --- -title: LogonEvents -description: LogonEvents table in the Advanced hunting schema +title: LogonEvents table in the Advanced hunting schema +description: Learn about the LogonEvents table in the Advanced hunting schema, such as column names, data types, and descriptions keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, logonevents search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from this table. +The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md index 0a481f8639..33a911730b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md 
@@ -1,6 +1,6 @@ --- -title: MachineInfo -description: MachineInfo table in the Advanced hunting schema +title: MachineInfo table in the Advanced hunting schema +description: Learn about the MachineInfo table in the Advanced hunting schema, such as column names, data types, and descriptions keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machineinfo search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from this table. +The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md index d31da2b287..d3ea68e5fa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md 
@@ -1,6 +1,6 @@ --- -title: MachineNetworkInfo -description: MachineNetworkInfo table in the Advanced hunting schema +title: MachineNetworkInfo table in the Advanced hunting schema +description: Learn about the MachineNetworkInfo table in the Advanced hunting schema, such as column names, data types, and descriptions keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machinenetworkinfo search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from this table. +The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md index a264a61fb7..6b1268fb69 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md 
@@ -1,6 +1,6 @@ --- -title: MiscEvents -description: MiscEvents table in the advanced hunting schema +title: MiscEvents table in the advanced hunting schema +description: Learn about the MiscEvents table in the Advanced hunting schema, such as column names, data types, and descriptions keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, miscEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from this table. +The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md index 238acf2ee9..ef6d2e7ff2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md 
@@ -1,6 +1,6 @@ --- -title: NetworkCommunicationEvents -description: NetworkCommunicationEvents table in the Advanced hunting schema +title: NetworkCommunicationEvents table in the Advanced hunting schema +description: Learn about the NetworkCommunicationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, networkcommunicationevents search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from this table. +The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md index efa1c51ed6..530a4bca2d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md 
@@ -1,6 +1,6 @@ --- -title: ProcessCreationEvents -description: ProcessCreationEvents table in the Advanced hunting schema +title: ProcessCreationEvents table in the Advanced hunting schema +description: Learn about the ProcessCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, processcreationevents search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from this table. +The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md index 5c0941650a..59079e0550 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md 
@@ -46,7 +46,6 @@ Table and column names are also listed within the Security center, in the schema | **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events | | **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events | | **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | -| **[SoftwareVulnerabilityInfo](advanced-hunting-softwarevulnerabilityinfo-table.md)** | Information about software in use, including version information as well as known vulnerabilities | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md index 043d87e790..717734a492 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md @@ -1,6 +1,6 @@ --- -title: RegistryEvents -description: RegistryEvents table in the Advanced hunting schema +title: RegistryEvents table in the Advanced hunting schema +description: Learn about the RegistryEvents table in the Advanced hunting schema, such as column names, data types, and descriptions keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, registryevents search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -26,7 +26,7 @@ ms.date: 07/24/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from this table. +The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-softwarevulnerabilityinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-softwarevulnerabilityinfo-table.md deleted file mode 100644 index 27628c9bd1..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-softwarevulnerabilityinfo-table.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -title: SoftwareVulnerabilityInfo -description: SoftwareVulnerabilityInfo table in the Advanced hunting schema -keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, softwarevulnerabilityinfo -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 07/24/2019 ---- - -# SoftwareVulnerabilityInfo - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) - -The SoftwareVulnerabilityInfo table in the Advanced hunting schema contains information about software in use, including version number, as well as any known vulnerabilities. Use this reference to construct queries that return information from this table. - -For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. - -| Column name | Data type | Description | -|-------------|-----------|-------------| -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | -| OSPlatform | string | Platform of the operating system running on the machine. 
This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | -| OsVersion | string | Version of the operating system running on the machine | -| OSArchitecture | string | Architecture of the operating system running on the machine | -| SoftwareVendor | N/A | N/A | -| SoftwareName | N/A | N/A | -| SoftwareVersion | N/A | N/A | -| CveId | N/A | N/A | -| CvssScore | N/A | N/A | -| VulnerabilitySeverityLevel | N/A | N/A | -| IsExploitAvailable | N/A | | N/A | - -## Related topics - -- [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) -- [Advanced hunting query best practices](advanced-hunting-best-practices.md) -- [Query data using Advanced hunting](advanced-hunting.md) From fb4267e643dfb000f612e35de13e3947589c49aa Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 26 Jul 2019 15:55:09 -0400 Subject: [PATCH 19/22] revised sentence linking to overview; added missing pipe --- .../advanced-hunting-alertevents-table.md | 2 +- .../advanced-hunting-filecreationevents-table.md | 2 +- .../advanced-hunting-imageloadevents-table.md | 2 +- .../advanced-hunting-logonevents-table.md | 2 +- .../advanced-hunting-machineinfo-table.md | 2 +- .../advanced-hunting-machinenetworkinfo-table.md | 2 +- .../microsoft-defender-atp/advanced-hunting-miscevents-table.md | 2 +- .../advanced-hunting-networkcommunicationevents-table.md | 2 +- .../advanced-hunting-processcreationevents-table.md | 2 +- .../advanced-hunting-registryevents-table.md | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md index ea1feefdad..9544001b7c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md @@ -28,7 +28,7 @@ ms.date: 07/24/2019 The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md index 58c4a28614..a82f47f963 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md @@ -38,7 +38,7 @@ For information on other tables in the Advanced hunting schema, see [the Advanc | ActionType | string | Type of activity that triggered the event | | FileName | string | Name of the file that the recorded action was applied to | | FolderPath | string | Folder containing the file that the recorded action was applied to | -| SHA1 | string SHA-1 of the file that the recorded action was applied to | +| SHA1 | string | SHA-1 of the file that the recorded action was applied to | | SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available | | MD5 | string | MD5 hash of the file that the recorded action was applied to | | FileOriginUrl | string | URL where the file was downloaded from | 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md index 9c2ffcbef0..d7e0521472 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md @@ -28,7 +28,7 @@ ms.date: 07/24/2019 The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md index 004409e8c2..1e8a0cfcc7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md 
@@ -28,7 +28,7 @@ ms.date: 07/24/2019 The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md index 33a911730b..fa58a67cdd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md @@ -28,7 +28,7 @@ ms.date: 07/24/2019 The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md index d3ea68e5fa..3ec3dfd8f2 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md @@ -28,7 +28,7 @@ ms.date: 07/24/2019 The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md index 6b1268fb69..856696baf8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md 
@@ -28,7 +28,7 @@ ms.date: 07/24/2019 The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md index ef6d2e7ff2..fb18d453d7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md @@ -28,7 +28,7 @@ ms.date: 07/24/2019 The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md index 530a4bca2d..d6ef50a878 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md @@ -28,7 +28,7 @@ ms.date: 07/24/2019 The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md index 717734a492..02cf24c213 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md 
@@ -28,7 +28,7 @@ ms.date: 07/24/2019 The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see our [Advanced hunting reference](advanced-hunting-reference.md) page. +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| From e91e4443600d324040c9e1c6607a757f0682e246 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 26 Jul 2019 16:47:04 -0400 Subject: [PATCH 20/22] topic rename in toc --- windows/security/threat-protection/TOC.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index b22f43a08f..c99ae83d12 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -104,8 +104,9 @@ ### [Advanced hunting]() #### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md) #### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md) -##### [Advanced hunting reference]() -###### [All tables in Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md) + +##### [Advanced hunting schema reference]() +###### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md) ###### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md) ###### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md) ###### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md) 
@@ -116,6 +117,7 @@ ###### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md) ###### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md) ###### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md) + ##### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) #### [Custom detections]() From 75c9e82122ec76cce3c3b460c5f4c053e619cdd4 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 29 Jul 2019 10:41:49 -0400 Subject: [PATCH 21/22] removed extra pipes --- .../microsoft-defender-atp/advanced-hunting-miscevents-table.md | 2 +- .../advanced-hunting-registryevents-table.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md index 856696baf8..01c38628be 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md 
@@ -45,7 +45,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | AccountName |string | User name of the account | | AccountSid | string | Security Identifier (SID) of the account | | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | -| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine | Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | +| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | | ProcessId | int | Process ID (PID) of the newly created process | | ProcessCommandLine | string | Command line used to create the new process | | ProcessCreationTime | datetime | Date and time the process was created | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md index 02cf24c213..75b7b12ee6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md 
@@ -55,7 +55,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an | internet download. These integrity levels influence permissions to resources | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | From 7af2b879a3e88a3f5e66c62069b1f49f38ba382f Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 29 Jul 2019 16:27:51 -0400 Subject: [PATCH 22/22] updated ah reference as per lomayor's advice --- .../microsoft-defender-atp/advanced-hunting-reference.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md index 59079e0550..40810a2f12 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md @@ -28,11 +28,11 @@ ms.date: 07/24/2019 ## Advanced hunting table reference -The Advanced hunting schema is made up of multiple tables that provide either event information, or information about certain entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema. +The Advanced hunting schema is made up of multiple tables that provide either event information or information about certain entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema. The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table. -Table and column names are also listed within the Security center, in the schema representation on the Advanced hunting screen. +Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen. | Table name | Description | |------------|-------------|
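Review bot: the new MiscEvents front-matter title (`+title: MiscEvents table in the advanced hunting schema`) lowercases "advanced", while its own description line and the MachineNetworkInfo, NetworkCommunicationEvents, ProcessCreationEvents and RegistryEvents titles in the neighbouring hunks all write "Advanced hunting schema"; change it to `title: MiscEvents table in the Advanced hunting schema` so the page titles stay consistent.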
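Review bot: the deletion of advanced-hunting-softwarevulnerabilityinfo-table.md and the removal of the `SoftwareVulnerabilityInfo` row from advanced-hunting-reference.md are not explained anywhere in the series. The deleted table listed `N/A` for both the data type and the description of SoftwareVendor through IsExploitAvailable (and had a stray pipe in the `IsExploitAvailable` row), which suggests the schema was never finalized; state that in the commit message, and confirm a redirect exists for the removed page so existing links to it do not 404.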
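Review bot: in the ten "see our ... page" rewrites, the article ends up inside the link text (`[the Advanced hunting reference](advanced-hunting-reference.md)`), so the rendered link reads "the Advanced hunting reference" instead of the page title; prefer `see the [Advanced hunting reference](advanced-hunting-reference.md)`, which also matches the "Advanced hunting reference" wording used in the TOC and Related topics lists. The `SHA1` pipe fix in the FileCreationEvents hunk is correct as written.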
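Review bot: the `RemoteComputerName` line in the MiscEvents hunk keeps "fully-qualified domain name (FQDN)" while the `RemoteUrl` row two lines above it, and the ComputerName descriptions elsewhere in the series, write "fully qualified domain name (FQDN)"; drop the hyphen while this line is being touched. The stray pipe removals in both this hunk and the RegistryEvents `InitiatingProcessIntegrityLevel` hunk correctly restore the three-column rows.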
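Review bot: the TOC.md hunks add two blank lines, one before `##### [Advanced hunting schema reference]()` and one before `##### [Advanced hunting query language best practices]`, whereas the surrounding entries in TOC.md have no blank lines between them; either remove them or confirm the TOC renderer ignores blank lines inside a nested list, since a break in the list can end the `####`/`#####` nesting.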
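Review bot: the final advanced-hunting-reference.md hunk rewrites the intro and the Security Center wording but leaves `ms.date: 07/24/2019` in the hunk context, even though the commit is dated 29 Jul; bump `ms.date` if the repo convention is to date content edits. The sentence "Each table name links to a page describing the column names for that table" undersells the linked pages, which per the new description metadata cover column names, data types, and descriptions; consider saying so.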