Merge branch 'machines' into machines2

windows/security/threat-protection/microsoft-defender-atp/TOC.md

@@ -39,25 +39,23 @@
 ##### [Investigate a domain](investigate-domain.md)
 ##### [Investigate a user account](investigate-user.md)
  
-#### Machines list
+#### [Machines list](machines-view-overview.md)
-##### [View and organize the Machines list](machines-view-overview.md)
+##### [Investigate machines](investigate-machines.md#machine-timeline)
-##### [Manage machine group and tags](machine-tags.md)
+###### [Machine details](investigate-machines.md#machine-details)
-##### [Alerts related to this machine](investigate-machines.md#alerts-related-to-this-machine)
+###### [Response actions](investigate-machines.md#response-actions)
-##### [Machine timeline](investigate-machines.md#machine-timeline)
+###### [Cards](investigate-machines.md#cards)
-###### [Search for specific events](investigate-machines.md#search-for-specific-events)
+###### [Tabs](investigate-machines.md#tabs)
-###### [Filter events from a specific date](investigate-machines.md#filter-events-from-a-specific-date)
-###### [Export machine timeline events](investigate-machines.md#export-machine-timeline-events)
-###### [Navigate between pages](investigate-machines.md#navigate-between-pages)
 
 
 #### [Take response actions](response-actions.md)
 ##### [Take response actions on a machine](respond-machine-alerts.md)
-###### [Collect investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines)
+###### [Manage tags](respond-machine-alerts.md#manage-tags)
-###### [Run antivirus scan](respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Initiate Automated Investigation](respond-machine-alerts.md#initiate-automated-investigation)
+###### [Initiate Live Response Session](respond-machine-alerts.md#initiate-live-response-session)
+###### [Collect investigation package from machines](respond-machine-alerts.md#collect-investigation-package-from-machines)
+###### [Run Windows Defender Antivirus scan on machines](respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
 ###### [Restrict app execution](respond-machine-alerts.md#restrict-app-execution)
-###### [Remove app restriction](respond-machine-alerts.md#remove-app-restriction)
 ###### [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network)
-###### [Release machine from isolation](respond-machine-alerts.md#release-machine-from-isolation)
 ###### [Check activity details in Action center](respond-machine-alerts.md#check-activity-details-in-action-center)
  
 ##### [Take response actions on a file](respond-file-alerts.md)
@@ -71,6 +69,7 @@
 ###### [View deep analysis reports](respond-file-alerts.md#view-deep-analysis-reports)
 ###### [Troubleshoot deep analysis](respond-file-alerts.md#troubleshoot-deep-analysis)
 
+
 ##### [Investigate entities using Live response](live-response.md)
 ###### [Live response command examples](live-response-command-examples.md)
 

windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md

@@ -26,7 +26,7 @@ The Microsoft Defender ATP service has a wide breadth of visibility on multiple
 
 To address this challenge, Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. 
 
-The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated. 
+The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
 
 ## Understand the Automated investigation flow
 
@@ -43,6 +43,7 @@ Entities are the starting point for Automated investigations. When an alert cont
 The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view.
 
 ### Details of an Automated investigation
+
 As the investigation proceeds, you'll be able to view the details of the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Threats**, **Entities**, and **Log** tabs.
 
 In the **Alerts** tab, you'll see the alert that started the investigation. 
@@ -64,11 +65,12 @@ While an investigation is running, any other alert generated from the machine wi
 If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
 
 ### How threats are remediated
+
 Depending on how you set up the machine groups and their level of automation, the Automated investigation will either require user approval (default) or automatically remediate threats.
 
 You can configure the following levels of automation:
 
-Automation level | Description 
+Automation level | Description
 :---|:---
 Not protected | Machines will not get any automated investigations run on them.
 Semi - require approval for any remediation | This is the default automation level.<br><br>  An approval is needed for any remediation action. 
@@ -83,10 +85,4 @@ The default machine group is configured for semi-automatic remediation. This mea
 When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
 
 ## Related topic
-- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
+- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
-
-
-
-
-
-

windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md

@@ -1,7 +1,7 @@
 ---
 title: Investigate machines in the Microsoft Defender ATP Machines list
 description: Investigate affected machines by reviewing alerts, network connection information, adding machine tags and groups, and checking the service health.
-keywords: machines, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service heatlh
+keywords: machines, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service health
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 09/18/2018
 ---
 
 # Investigate machines in the Microsoft Defender ATP Machines list
@@ -25,152 +24,142 @@ ms.date: 09/18/2018
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) 
 
-## Investigate machines
 Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach.
 
 You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
 
-- The [Machines list](investigate-machines.md)
+- [Machines list](investigate-machines.md)
-- The [Alerts queue](alerts-queue.md)
+- [Alerts queue](alerts-queue.md)
-- The [Security operations dashboard](security-operations-dashboard.md)
+- [Security operations dashboard](security-operations-dashboard.md)
 - Any individual alert
 - Any individual file details view
 - Any IP address or domain details view
 
 When you investigate a specific machine, you'll see:
-- Machine details, Logged on users, Machine risk, and Machine Reporting
-- Alerts related to this machine
-- Machine timeline
 
-![Image of machine view](images/atp-azure-atp-machine.png)
+- Machine details
+- Response actions
+- Cards (active alerts, logged on users, security assessment)
+- Tabs (alerts, timeline, security recommendations, software inventory, discovered vulnerabilities)
 
-The machine details, logged on users, machine risk, and machine reporting sections display various attributes about the machine.
+![Image of machine view](images/specific-machine.png)
 
-**Machine details**</br>
+## Machine details
-The machine details tile provides information such as the domain and OS of the machine. If there's an investigation package available on the machine, you'll see a link that allows you to download the package.
 
-For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts.md).
+The machine details section provides information such as the domain, OS, and health state of the machine. If there's an investigation package available on the machine, you'll see a link that allows you to download the package.
 
+## Response actions
 
-**Logged on users**</br>
+Response actions run along the top of a specific machine page and include:
-Clicking on the logged on users in the Logged on users tile opens the Users Details pane that displays the following information for logged on users in the past 30 days:
 
--	Interactive and remote interactive logins
+- Manage tags
--	Network, batch, and system logins
+- Initiate Automated Investigation
+- Initiate Live Response Session
 
-![Image of user details pane](images/atp-azure-atp-machine-user.png)
+Other actions are enabled if there is an investigation happening on that machine:
 
-You'll also see details such as logon types for each user account, the user group, and when the account logon occurred.
+- Collect investigation package
+- Run antivirus scan
+- Restrict app execution
+- Isolate machine
+- Action center
+
+You can take response actions in the action center, in a specific machine page, or in a specific file page.
+
+For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md).
 
  For more information, see [Investigate user entities](investigate-user.md).
+## Cards
 
-**Machine risk**</br>
+### Active alerts
-The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be exposed to.
 
-**Azure Advanced Threat Protection**</br> 
+If you have enabled the Azure ATP feature and there are alerts related to the machine, you can view a high level overview of the alerts and risk level. More information is available in the "Alerts" drill down.
-If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. 
+
+![Image of active alerts tile](images/active-alerts-risk-level.png)
 
 >[!NOTE]
 >You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
 
-**Machine reporting**</br>
+### Logged on users
-Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen reporting to the service. 
 
-## Alerts related to this machine
+The "Logged on users" tile shows the amount of users who have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane that displays information such as user type, logon type, and first/last seen. For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
-The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts).
 
-![Image of alerts related to machine](images/atp-alerts-related-to-machine.png)
+![Image of user details pane](images/logged-on-users.png)
 
-This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
+### Security assessments
 
-You can also choose to highlight an alert from the **Alerts related to this machine** or from the  **Machine timeline** section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**.
+The Security assessments tile shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A machine's exposure level is determined by the cumulative impact of it's pending security recommendations.
 
-## Machine timeline
+![Image of security assessments tile](images/security-assessments.png)
-The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine.
 
-This feature also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period.  
+## Tabs
 
-![Image of machine timeline with events](images/atp-machines-timeline.png)
+The five tabs under the cards section show relevant security and threat prevention information related to the machine. In every tab, you can customize the columns that are shown.
 
-Microsoft Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
+### Alerts
 
+The **Alerts** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts and customize the columns.
 
-### Search for specific events
+![Image of alerts related to the machine](images/alerts-machine.png)
-Use the search bar to look for specific timeline events. Harness the power of using the following defined search queries based on type:value pairs and event filter types to sift through the search results:
 
--	**Value** - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search supports defined search queries based on type:value pairs.<br>
+When the circle icon to the left of an alert is selected, a fly-out appears. From this panel you can manage the alert and view more details such as incident number and related machines. Multiple alerts can be selected at a time.
-  You can use any of the following values:<br>
-    - Hash: Sha1 or MD5
-    - File name
-    - File extension
-    - Path
-    - Command line
-    - User
-    - IP
-    - URL
 
--	**Informational level** – Click the drop-down button to filter by the following levels:
+To see a full page view of an alert including incident graph and process tree, select the title of the alert.
-    - Detections mode: displays Windows ATP Alerts and detections
-    -	Behaviors mode: displays "detections" and selected events of interest
-    -	Verbose mode: displays all raw events without aggregation or filtering
 
-- **Event type** - Click the drop-down button to filter by events such as Windows     - Microsoft Defender ATP alerts, Windows Defender Application Guard events, registry events, file events, and others. 
+### Timeline
-    
-    Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed.
 
+The **Timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine. This can help you correlate any events, files, and IP addresses in relation to the machine.
+
+Timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period. To further control your view, you can filter by event groups or customize the columns.
 
 >[!NOTE]
 > For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection).
->Firewall covers the following events:
+>Firewall covers the following events
 >- [5025](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5025) - firewall service stopped
->- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network 
+>- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network
->-  [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection
+>- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection
 
+![Image of machine timeline with events](images/timeline-machine.png)
 
+Some of the functionality includes:
 
+- Search for specific events
+  - Use the search bar to look for specific timeline events.
+- Filter events from a specific date
+  - Select the calendar icon in the upper left of the table to display events in the past day, week, 30 days, or custom range. By default, the machine timeline is set to display the events from the past 30 days.
+  - Use the timeline to jump to a specific moment in time by highlighting the section. The arrows on the timeline pinpoint automated investigations
+- Export detailed machine timeline events
+  - Export the machine timeline for the current date or a specified date range up to seven days.
 
--	**User account** – Click the drop-down button to filter the machine timeline by the following user associated events:
+Along with event time and users, one of the main categories on the timeline is "Details". They describe what happened in the events. The list of possible details are:
-    -	Logon users
-    -	System
-    -	Network
-    -	Local service
 
-The following example illustrates the use of type:value pair. The events were filtered by searching for the user jonathan.wolcott and network events as the event type:
+- Contained by Application Guard
+- Active threat detected - when the detection happened, the threat was executing (i.e. it was running)
+- Remediation unsuccessful - remediation was invoked but failed
+- Remediation successful - the threat was stopped and cleaned up
+- Warning bypassed by user - SmartScreen warning appeared but the user dismissed it
+- Suspicious script detected
+- Alert category (e.g. lateral movement)- if the event is correlated to an alert, the tag will show the alert category
 
-![Image of events filtered by user and event type](images/atp-machine-timeline-filter.png)
+You can also use the [Artifact timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine.
 
-The results in the timeline only show network communication events run in the defined user context.
+### Security recommendations
 
-### Filter events from a specific date
+**Security recommendations** are generated from Microsoft Defender ATP's [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it.
-Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the events of the current day.
 
-Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and older.
+![Image of security recommendations tab](images/security-recommendations-machine.png)
 
-The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the **Alerts view** and click on the machine associated with the alert to jump to the specific date when the alert was observed, enabling you to investigate the events that took place around the alert.
+### Software inventory
 
-### Export machine timeline events
+The **Software inventory** section lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed machines, and version distribution.
-You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to export the machine timeline for the current date or specify a date range. You can export up to seven days of data and specify the specific time between the two dates.
 
-![Image of export machine timeline events](images/atp-machine-timeline-export.png)
+![Image of software inventory tab](images/software-inventory-machine.png)
-
-### Navigate between pages
-Use the events per page drop-down to choose the number of alerts you’d like to see on the page. You can choose to display 20, 50, or 100 events per page. You can also move between pages by clicking **Older** or **Newer**.
-
-From the **Machines list**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line.
-
-From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the information to respond to events and keep your system secure.
-
-![Image of machine timeline details pane](images/atp-machine-timeline-details-panel.png)
-
-
-You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine.
-
-Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigate additional details of the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of meta data on the file or IP address.
-
-The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context.
 
+### Discovered vulnerabilities
 
+The **Discovered vulnerabilities** section shows the name, severity, and threat insights of discovered vulnerabilities on the device. Selecting specific vulnerabilities will show a description and details.
 
+![Image of discovered vulnerabilities tab](images/discovered-vulnerabilities-machine.png)
 
 ## Related topics
 - [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)

windows/security/threat-protection/microsoft-defender-atp/machine-groups.md

@@ -17,21 +17,23 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Create and manage machine groups in Microsoft Defender ATP
+# Create and manage machine groups
-**Applies to:**
 
+**Applies to:**
 
 - Azure Active Directory
 - Office 365
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-
-
 In an enterprise scenario, security operation teams are typically assigned a set of machines. These machines are grouped together based on a set of attributes such as their domains, computer names, or designated tags.
 
 In Microsoft Defender ATP, you can create machine groups and use them to:
 - Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac.md) 
 - Configure different auto-remediation settings for different sets of machines
+- Assign specific remediation levels to apply during automated investigations
+- In an investigation, filter the **Machines list** to just specific machine groups by using the **Group** filter.
+
+You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or see information by assigning the machine group(s) to a user group. For more information, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
 
 >[!TIP]
 > For a comprehensive look into RBAC application, read: [Is your SOC running flat with RBAC](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Is-your-SOC-running-flat-with-limited-RBAC/ba-p/320015).
@@ -45,43 +47,28 @@ As part of the process of creating a machine group, you'll:
 >[!NOTE]
 >A machine group is accessible to all users if you don’t assign any Azure AD groups to it.
 
-
-
 ## Create a machine group
 
-1.	In the navigation pane, select **Settings** > **Machine groups**.
+1. In the navigation pane, select **Settings** > **Machine groups**.
 
-2.	Click **Add machine group**. 
+2. Click **Add machine group**.
 
-3.	Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group.
+3. Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group. For more information on automation levels, see [Understand the Automated investigation flow](automated-investigations.md#understand-the-automated-investigation-flow).
-
-    - **Machine group name**
-    - **Automation level**
-	  - **Semi - require approval for any remediation**
-      - **Semi - require approval for non-temp folders remediation**
-      - **Semi - require approval for core folders remediation**
-      - **Full - remediate threats automatically**
-        
-        >[!NOTE]
-        > For more information on automation levels, see [Understand the Automated investigation flow](automated-investigations.md#understand-the-automated-investigation-flow).        
-
-	 - **Description**
-	 - **Members**      
 
     >[!TIP]
-    >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags).
+    >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Create and manage machine tags](machine-tags-windows-defender-advanced-threat-protection.md).
 
-4.	Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **Access** tab.
+4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **User access** tab.
 
-5.	Assign the user groups that can access the machine group you created. 
+5. Assign the user groups that can access the machine group you created.
 
     >[!NOTE]
-    >You can only grant access to Azure AD user groups that have been assigned to RBAC roles. 
+    >You can only grant access to Azure AD user groups that have been assigned to RBAC roles.
-
-6.	Click **Close**. The configuration changes are applied.
 
+6. Click **Close**. The configuration changes are applied.
 
 ## Manage machine groups
+
 You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups.
 
 >[!WARNING]
@@ -92,9 +79,11 @@ By default, machine groups are accessible to all users with portal access. You c
 Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group.
 
 >[!NOTE]
-> - Applying changes to machine group configuration may take up to several minutes.
+> Applying changes to machine group configuration may take up to several minutes.
 
+## Related topics
 
 ## Related topic
 - [Manage portal access using role-based based access control](rbac.md)
-- [Get list of tenant machine groups using Graph API](get-machinegroups-collection.md)
+- [Create and manage machine tags](machine-tags.md)
+- [Get list of tenant machine groups using Graph API](get-machinegroups-collection.md)

windows/security/threat-protection/microsoft-defender-atp/machine-tags.md

@@ -18,73 +18,56 @@ ms.topic: article
 ---
 
 # Create and manage machine tags
-Add tags on machines to create a logical group affiliation. Machine group affiliation can represent geographic location, specific activity, importance level and others.
 
-You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or who can see information on a specific machine group or groups by assigning the machine group to a user group. For more information, see [Manage portal access using role-based access control](rbac.md).
+Add tags on machines to create a logical group affiliation. Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Tags can be used as a filter in **Machines list** view, or to group machines. For more information on machine grouping, see [Create and manage machine groups](machine-groups.md).
-
-You can also use machine groups to assign specific remediation levels to apply during automated investigations. For more information, see [Create and manage machine groups](machine-groups.md).
-
-In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter. 
-
-
-Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. 
 
 You can add tags on machines using the following ways:
-- By setting a registry key value
+
-- By using the portal
+- Using the portal
+- Setting a registry key value
+
+To add machine tags using API, see [Add or remove machine tags API](add-or-remove-machine-tags.md).
+
+## Add and manage machine tags using the portal
+
+1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
+
+    - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
+    - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+    - **Machines list** - Select the machine name from the list of machines.
+    - **Search box** - Select Machine from the drop-down menu and enter the machine name.
+
+    You can also get to the alert page through the file and IP views.
+
+2. Select **Manage Tags** from the row of Response actions.
+
+    ![Image of manage tags button](images/manage-tags.png)
+
+3. Type to find or create tags
+
+    ![Image of adding tags on a machine](images/new-tags.png)
+
+Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines.
+
+You can also delete tags from this view.
+
+![Image of adding tags on a machine](images/more-manage-tags.png)
 
 ## Add machine tags by setting a registry key value
-Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list.
 
 >[!NOTE]
 > Applicable only on the following machines:
 >- Windows 10, version 1709 or later
 >- Windows Server, version 1803 or later
 >- Windows Server 2016
->- Windows Server 2012 R2 
+>- Windows Server 2012 R2
 
-Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. 
+Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
 
 Use the following registry key entry to add a tag on a machine:
 
--	Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
+- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
--	Registry key value (string): Group
+- Registry key value (string): Group
 
 >[!NOTE]
->The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. 
+>The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report.
-
-
-## Add machine tags using the portal
-Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
-
-1.	Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
-
-    -	**Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
-    -	**Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
-    -	**Machines list** - Select the machine name from the list of machines.
-    -	**Search box** - Select Machine from the drop-down menu and enter the machine name.
-
-    You can also get to the alert page through the file and IP views.
-
-2.	Open the **Actions** menu and select **Manage tags**.
-
-    ![Image of taking action to manage tags on a machine](images/atp-manage-tags.png)
-
-3. Enter tags on the machine. To add more tags, click the + icon.
-4. Click **Save and close**. 
-
-    ![Image of adding tags on a machine](images/atp-save-tag.png)
-
-    Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines.
-
-### Manage machine tags
-You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel. 
-
-![Image of adding tags on a machine](images/atp-tag-management.png)
-
-## Add machine tags using APIs
-For more information, see [Add or remove machine tags API](add-or-remove-machine-tags.md).
-
-
-
-

windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md

@@ -21,76 +21,79 @@ ms.topic: article
 
 **Applies to:**
 
-
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
 
 The **Machines list** shows a list of the machines in your network where alerts were generated. By default, the queue displays machines with alerts seen in the last 30 days.  
 
-At a glance you'll see information such as domain, risk level, OS platform, and other details. 
+At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of machines most at risk.
 
+There are several options you can choose from to customize the machines list view. On the top navigation you can:
 
-There are several options you can choose from to customize the machines list view. 
+- Add or remove columns
-On the top navigation you can:
-- Customize columns to add or remove columns 
 - Export the entire list in CSV format
-- Select the items to show per page
+- Select the number of items to show per page
-- Navigate between pages
 - Apply filters
 
+During the onboarding process, the **Machines list** is gradually populated with machines as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis.
 
-Use the machine list in these main scenarios:
+>[!NOTE]
+> If you export the machine list, it will contain every machine in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
 
-- **During onboarding**<br>
+![Image of machines list with list of machines](images/machine-list.png)
-  During the onboarding process, the **Machines list** is gradually populated with machines as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
-    
-    >[NOTE]
-    > Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is.
-Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
-
-- **Day-to-day work** <br>
-  The list enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts. Sorting machines by **Active alerts**, helps identify the most vulnerable machines and take action on them.
-
-
-![Image of machines list with list of machines](images/machines-list.png)
 
 ## Sort and filter the machine list
-You can apply the following filters to limit the list of alerts and get a more focused view. 
 
+You can apply the following filters to limit the list of alerts and get a more focused view.
 
 ### Risk level
-Machine risk levels are indicators of the active threats that machines could be exposed to. A machine's risk level is determined using the number of active alerts and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert.
+
+The risk level reflects the overall risk assessment of the machine based on a combination of factors, including the types and severity of active alerts on the machine. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.
+
+### Exposure level
+
+The exposure level reflects the current exposure of the machine based on the cumulative impact of its pending security recommendations.
 
 ### OS Platform
-Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
+
+Select only the OS platforms you're interested in investigating.
 
 ### Health state
-Filter the list to view specific machines grouped together by the following machine health states:
+
+Filter by the following machine health states:
 
 - **Active** – Machines that are actively reporting sensor data to the service.
+- **Inactive** – Machines that have completely stopped sending signals for more than 7 days.
 - **Misconfigured** – Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to:
   - No sensor data
   - Impaired communications
 
-  For more information on how to address issues on misconfigured machines see,  [Fix unhealthy sensors](fix-unhealthy-sensors.md).
+  For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealthy-sensors.md).
--	**Inactive** – Machines that have completely stopped sending signals for more than 7 days.
-
 
 ### Security state
-Filter the list to view specific machines that are well configured or require attention based on the Windows Defender security controls that are enabled in your organization. 
 
+Filter by machines that are well configured or require attention based on the Windows Defender security controls that are enabled in your organization. Applies to active Windows 10 machines only.
 
-- **Well configured** - Machines have the Windows Defender security controls well configured. 
+- **Well configured** - Machines have the Windows Defender security controls well configured.
 - **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization.
 
 For more information, see [View the Secure Score dashboard](secure-score-dashboard.md).
 
-### Tags
+### Threat mitigation status
-You can filter the list based on the grouping and tagging that you've added to individual machines. 
 
+To view machines that may be affected by a certain threat, select the threat from the dropdown menu, and then select what vulnerability aspect needs to be mitigated.
+
+To learn more about certain threats, see [Threat analytics](threat-analytics.md). For mitigation information, see [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md).
+
+### Windows 10 version
+
+Select only the Windows 10 versions you're interested in investigating.
+
+### Tags & Groups
+
+Filter the list based on the grouping and tagging that you've added to individual machines. See [Create and manage machine tags](machine-tags.md) and [Create and manage machine groups](machine-groups.md).
 
 ## Related topics
-- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
-
 
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines.md)

windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md

@@ -32,6 +32,7 @@ Quickly respond to detected attacks by stopping and quarantining files or blocki
 You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file.
 
 ## Stop and quarantine files in your network
+
 You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed.
 
 >[!IMPORTANT]
@@ -48,12 +49,13 @@ The action takes effect on machines with Windows 10, version 1703 or later, wher
 >You’ll be able to restore the file from quarantine at any time.
 
 ### Stop and quarantine files
-1.	Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
 
-  - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
+1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
-  - **Search box** - select File from the drop–down menu and enter the file name
 
-2.	Open the **Actions menu** and select **Stop and Quarantine File**.
+    - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
+    - **Search box** - select File from the drop–down menu and enter the file name
+
+2. Open the **Actions menu** and select **Stop and Quarantine File**.
 
     ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png)
 
@@ -86,15 +88,16 @@ In the machine timeline, a new event is added for each machine where a file was
 For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
 
 ## Remove file from quarantine
+
 You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each machine where the file was quarantined.
 
-1.	Open an elevated command–line prompt on the machine:
+1. Open an elevated command–line prompt on the machine:
 
-    a.	Go to **Start** and type cmd.
+    a. Go to **Start** and type cmd.
 
-    b.	Right–click **Command prompt** and select **Run as administrator**.
+    b. Right–click **Command prompt** and select **Run as administrator**.
 
-2.	Enter the following command, and press **Enter**:
+2. Enter the following command, and press **Enter**:
   ```
   “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
   ```
@@ -103,6 +106,7 @@ You can roll back and remove a file from quarantine if you’ve determined that
 > Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
 
 ## Block files in your network
+
 You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
 
 >[!IMPORTANT]
@@ -112,40 +116,40 @@ You can prevent further propagation of an attack in your organization by banning
 >- This response action is available for machines on Windows 10, version 1703 or later.
 >- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
 
-
-
 >[!NOTE]
 > The PE file needs to be in the machine timeline for you to be able to take this action.  
 >- There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
 
 ### Enable the block file feature
+
 Before you can block files, you'll need to enable the feature.
 
-1.	In the navigation pane, select **Settings** > **Advanced features** > **Block file**.
+1. In the navigation pane, select **Settings** > **Advanced features** > **Block file**.
+
+2. Toggle the setting between **On** and **Off** and select **Save preferences**.
 
-2.	Toggle the setting between **On** and **Off** and select **Save preferences**.
-    
     ![Image of advanced settings for block file feature](images/atp-preferences-setup.png)
   
 ### Block a file
-1.	Select the file you want to block. You can select a file from any of the following views or use the Search box:
 
-  - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
+1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
-  - **Search box** - select File from the drop–down menu and enter the file name
+
+    - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
+    - **Search box** - select File from the drop–down menu and enter the file name
+
+2. Open the **Actions menu** and select **Block**. 
 
-2.	Open the **Actions menu** and select **Block**. 
-    
     ![Image of block action](images/atp-action-block-file.png)
 
 3. Specify a reason and select **Yes, block file** to take action on the file.
-    
+
     ![Image of block file action](images/atp-block-file.png)
 
     The Action center shows the submission information:
     ![Image of block file](images/atp-blockfile.png)
 
-  - **Submission time** - Shows when the action was submitted. <br>
+  - **Submission time** - Shows when the action was submitted.
-  - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. <br>
+  - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
   - **Status** - Indicates whether the file was added to or removed from the blacklist.
 
 When the file is blocked, there will be a new event in the machine timeline.</br>
@@ -166,24 +170,24 @@ When a file is being blocked on the machine, the following notification is displ
 For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
 
 ## Remove file from blocked list
-1.	Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
 
-  - **Alerts** - Click the file links from the Description or Details in the Artifact timeline <br>
+1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
-  - **Search box** - Select File from the drop–down menu and enter the file name
 
-2.	Open the **Actions** menu and select **Remove file from blocked list**.
+    - **Alerts** - Click the file links from the Description or Details in the Artifact timeline
+    - **Search box** - Select File from the drop–down menu and enter the file name
+
+2. Open the **Actions** menu and select **Remove file from blocked list**.
 
   ![Image of remove file from blocked list](images/atp-remove-blocked-file.png)
 
 3. Type a comment and select **Yes** to take action on the file. The file will be allowed to run in the organization.
 
-
 ## Check activity details in Action center
+
 The  **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
 
-![Image of action center with information](images/atp-action-center-with-info.png)
-
 ## Deep analysis
+
 Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
 
 The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
@@ -211,10 +215,12 @@ When the sample is collected, Microsoft Defender ATP runs the file in is a secur
 
 **Submit files for deep analysis:**
 
-1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: <br>
+1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
-  - Alerts - click the file links from the **Description** or **Details** in the Artifact timeline <br>
+
-  - **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section <br>
+    - Alerts - click the file links from the **Description** or **Details** in the Artifact timeline
-  - Search box - select **File** from the drop–down menu and enter the file name <br>
+    - **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
+    - Search box - select **File** from the drop–down menu and enter the file name
+
 2. In the **Deep analysis** section of the file view, click **Submit**.
 
     ![You can only submit PE files in the file details section](images/submit-file.png)
@@ -237,7 +243,6 @@ You can view the comprehensive report that provides details on the following sec
 
 The details provided can help you investigate if there are indications of a potential attack.
 
-
 1. Select the file you submitted for deep analysis.
 2. Click **See the report below**. Information on the analysis is displayed.
 
@@ -247,7 +252,6 @@ The details provided can help you investigate if there are indications of a pote
 
 If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
 
-
 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
 2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
 3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
@@ -255,15 +259,14 @@ If you encounter a problem when trying to submit a file, try each of the followi
 
     ```
     Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
-    Name: AllowSampleCollection 
+    Name: AllowSampleCollection
     Type: DWORD 
-    Hexadecimal value : 
+    Hexadecimal value :
       Value = 0 – block sample collection
       Value = 1 – allow sample collection
     ```
 5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).
 6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
 
-
 ## Related topic
 - [Take response actions on a machine](respond-machine-alerts.md)

windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md

@@ -22,221 +22,162 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) 
 
 Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
 
+Response actions run along the top of a specific machine page and include:
+
+- Manage tags
+- Initiate Automated Investigation
+- Initiate Live Response Session
+
+Other actions are enabled if there is an investigation happening on that machine:
+
+- Collect investigation package
+- Run antivirus scan
+- Restrict app execution
+- Isolate machine
+- Action center
+
+![Image of response actions](images/response-actions.png)
+
+ You can find machine pages from any of the following views:
+
+- **Security operations dashboard** - Select a machine name from the Machines at risk card.
+- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+- **Machines list** - Select the heading of the machine name from the machines list.
+- **Search box** - Select Machine from the drop-down menu and enter the machine name.
+
 >[!IMPORTANT]
 > - These response actions are only available for machines on Windows 10, version  1703 or later. 
-> - For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party capabilities. 
+> - For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party capabilities.
+
+## Manage tags
+
+Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
+
+For more information on machine tagging, see [Create and manage machine tags](machine-tags-windows-defender-advanced-threat-protection.md).
+
+## Initiate Automated Investigation
+
+You can start a new general purpose automated investigation on the machine if needed. While an investigation is running, any other alert generated from the machine will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.
+
+For more information on automated investigations, see [Overview of Automated investigations](automated-investigations-windows-defender-advanced-threat-protection.md).
+
+## Initiate Live Response Session
+
+Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
+
+Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
+
+For more information on live response, see [Investigate entities on machines using live response](live-response.md)
 
 ## Collect investigation package from machines
+
 As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.
 
->[!IMPORTANT]
+To download the package (Zip file) and investigate the events that occurred on a machine
-> This response action is available for machines on Windows 10, version  1703 or later.
 
-You can download the package (Zip file) and investigate the events that occurred on a machine.
+1. Select **Collect investigation package** from the row of response actions at the top of the machine page.
+2. Specify in the text box why you want to perform this action. Select **Confirm**.
+3. The zip file will download
+
+Alternate way:
+
+1. Select **Action center** from the response actions section of the machine page.
+
+    ![Image of action center button](images/action-center-package-collection.png)
+
+3. In the Action center fly-out, select **Package collection package available** to download the zip file.
+  
+    ![Image of download package button](images/collect-package.png)
 
 The package contains the following folders:
 
-| Folder                                      | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
+| Folder | Description |
-|:--------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|:---|:---------|
-| Autoruns                                    | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”                                                                                                                                  |
-| Installed programs                          | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
+|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509).                                                                                  |
-| Network connections                         | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> -	ActiveNetworkConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> -	Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - Ipconfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. |
+|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> -	ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> -	DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. </br></br> - FirewassExecutionLog.txt and pfirewall.log                                                                                  |
-| Prefetch files                              | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder –  Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
+| Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder –  Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder.                                                                                                      |
-| Processes                                   | Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
+| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state.                                                                                                                                                                                                       |
-| Scheduled tasks                             | Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
+| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically.                                                                                                                                                                                                      |
-| Security event log                          | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. </br></br>NOTE: Open the event log file using Event viewer.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| Security event log| Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. </br></br>NOTE: Open the event log file using Event viewer.                                                                                      |
-| Services                                    | Contains the services.txt file which lists services and their states.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+| Services| Contains a .CSV file which lists services and their states.                                                                                      |
-| Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
+| Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> NOTE: If there are no sessions (inbound or outbound), you'll get a text file which tell you that there are no SMB sessions found.                                                                                                                            |
-| Temp Directories                            | Contains a set of text files that lists the files located in %Temp% for every user in the system. </br></br> This can help to track suspicious files that an attacker may have dropped on the system. </br></br> NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
+| System Information| Contains a SystemInformation.txt file which lists system information such as OS version and network cards.                                                                                     |
-| Users and Groups                            | Provides a list of files that each represent a group and its members.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+| Temp Directories| Contains a set of text files that lists the files located in %Temp% for every user in the system. </br></br> This can help to track suspicious files that an attacker may have dropped on the system. </br></br> NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system.                                                                                                                                            |
-| CollectionSummaryReport.xls                 | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
+| Users and Groups| Provides a list of files that each represent a group and its members.                                                                                                                   |
-
+|WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab                                                                                                                   |
-1.	Select the machine that you want to investigate. You can select or search for a machine from any of the following views:
+| CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. |
-
-  - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
-  - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
-  - **Machines list** - Select the heading of the machine name from the machines list.
-  - **Search box** - Select Machine from the drop-down menu and enter the machine name.
-
-2.	Open the **Actions** menu and select **Collect investigation package**.
-
-    ![Image of collect investigation package action](images/atp-actions-collect-investigation-package.png)
-
-3.  Type a comment and select **Yes, collect package** to take action on the machine.
-  
-    ![Image of notification to collect package](images/atp-notification-collect-package.png)
-
-    The Action center shows the submission information:
-
-    ![Image of investigation package in action center](images/atp-action-center-package-collection.png)
-
-    - **Submission time** - Shows when the action was submitted.
-    -	**Status** - Indicates if the package was successfully collected from the network. When the collection is complete, you can download the package.
-
-3.	Select **Package available** to download the package. </br>
-    When the package is available a new event will be added to the machine timeline.</br>
-    You can download the package from the machine page, or the Action center.
-
-    ![Image of investigation package from machine view](images/atp-machine-investigation-package.png)
-
-    You can also search for historical packages in the machine timeline.
 
 ## Run Windows Defender Antivirus scan on machines
+
 As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.
 
 >[!IMPORTANT]
 >- This action is available for machines on Windows 10, version  1709 or later.
 >- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
 
+One you have selected **Run antivirus scan**, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan.
 
-1.	Select the machine that you want to run the scan on. You can select or search for a machine from any of the following views:
+![Image of notification to select quick scan or full scan and add comment](images/run-antivirus.png)
 
-  - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
+The Action center will show the scan information and the machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan.
-  - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
-  - **Machines list** - Select the machine name from the list of machines.
-  - **Search box** - Select Machine from the drop-down menu and enter the machine name.
-2.	Open the **Actions** menu and select **Run antivirus scan**.
-
-    ![Image of run antivirus scan](images/atp-actions-run-av.png)
-    
-3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
-
-    ![Image of notification to select quick scan or full scan and add comment](images/atp-av-scan-notification.png)
-    
-
-4. Type a comment and select **Yes, run scan** to start the scan.<br>
-
-    The Action center shows the scan information:
-
-    ![Image of action center with antivirus scan](images/atp-av-scan-action-center.png)
-
-    - **Submission time** - Shows when the action was submitted.
-    - **Status** - Indicates any pending actions or the results of completed actions.
-
-The machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan.
 
 ## Restrict app execution
-In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
+
+In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
 
 >[!IMPORTANT]
 > - This action is available for machines on Windows 10, version  1709 or later.
-> - This feature is available if your organization uses Windows Defender Antivirus. 
+> - This feature is available if your organization uses Windows Defender Antivirus.
 > - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing).
 
-
+To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.
-The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.
 
 >[!NOTE]
->You’ll be able to reverse the restriction of applications from running at any time.
+>You’ll be able to reverse the restriction of applications from running at any time. The button on the machine page will change to say **Remove app restrictions**, and then you take the same steps as restricting app execution.
 
-1. Select the machine where you'd like to restrict an application from running from. You can select or search for a machine from any of the following views:
+Once you have selected **Restrict app execution** on the machine page, type a comment and select **Confirm**. The Action center will show the scan information and the machine timeline will include a new event.
-
-  - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
-  - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
-  - **Machines list** - Select the machine name from the list of machines.
-  - **Search box** - Select Machine from the drop-down menu and enter the machine name.
-
-2.	Open the **Actions** menu and select **Restrict app execution**.
-
-    ![Image of restrict app execution action](images/atp-actions-restrict-app-execution.png)
-
-3. Type a comment and select **Yes, restict app execution** to take action on the file.
-
-   ![Image of app restriction notification](images/atp-notification-restrict.png)
-
-    The Action center shows the submission information:
-    ![Image of action center with app restriction](images/atp-action-center-app-restriction.png)
-
-
-  - **Submission time** - Shows when the action was submitted.
-  - **Status** - Indicates any pending actions or the results of completed actions.
-
-When the application execution restriction configuration is applied, a new event is reflected in the machine timeline.
 
+![Image of app restriction notification](images/restrict-app-execution.png)
 
 **Notification on machine user**:</br>
 When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running:
 
-![Image of app restriction](images/atp-app-restriction.png) 
+![Image of app restriction](images/atp-app-restriction.png)
-
-## Remove app restriction 
-Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of applications policy after you have verified that the compromised machine has been remediated.
-
-1.	Select the machine where you restricted an application from running from.
-
-2.	Open the **Actions** menu and select **Remove app restrictions**. 
-
-    ![Image of remove app restrictions](images/atp-actions-remove-app-restrictions.png)
-
-3.	Type a comment and select **Yes, remove restriction** to take action on the application. The machine application restriction will no longer apply on the machine.  
-
 
 ## Isolate machines from the network
+
 Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.
 
 >[!IMPORTANT]
 >- Full isolation is available for machines on Windows 10, version 1703.
 >- Selective isolation is available for machines on Windows 10, version 1709 or later.
 
-
 This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
 
 On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
 
 >[!NOTE]
->You’ll be able to reconnect the machine back to the network at any time.
+>You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say **Release from isolation**, and then you take the same steps as isolating the machine.
 
-1.	Select the machine that you want to isolate. You can select or search for a machine from any of the following views:
+Once you have selected **Isolate machine** on the machine page, type a comment and select **Confirm**. The Action center will show the scan information and the machine timeline will include a new event.
 
-  - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
+![Image of isolate machine](images/isolate-machine.png)
-  - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
-  - **Machines list** - Select the machine name from the list of machines.
-  - **Search box** - Select Machine from the drop-down menu and enter the machine name.
 
-2.	Open the **Actions** menu and select **Isolate machine**.
+>[!NOTE]
-
+>The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated.
-    ![Image of isolate machine](images/atp-actions-isolate-machine.png)
-
-3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated (a.k.a. 'Selective Isolation').
-
-    ![Image of isolation confirmation](images/atp-confirm-isolate.png)
-
-4. Type a comment and select **Yes, isolate machine** to take action on the machine.
-  
-    >[!NOTE]
-    >The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated.
-
-   The Action center shows the submission information:
-    ![Image of machine isolation](images/atp-machine-isolation.png)
-
-   - **Submission time** - Shows when the action was submitted.
-   - **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication.  
-
-When the isolation configuration is applied, a new event is reflected in the machine timeline.
 
 **Notification on machine user**:</br>
 When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
 
 ![Image of no network connection](images/atp-notification-isolate.png)
 
-## Release machine from isolation
-Depending on the severity of the attack and the state of the machine you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated.
-
-1.	Select a machine that was previously isolated.
-
-2.	Open the **Actions** menu and select **Release from isolation**.
-
-    ![Image of release from isolation](images/atp-actions-release-from-isolation.png)
-
-3.	Type a comment and select **Yes, release machine** to take action on the machine. The machine will be reconnected to the network.
-
-
 ## Check activity details in Action center
+
 The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the following details:
 
 - Investigation package collection
@@ -244,9 +185,9 @@ The **Action center** provides information on actions that were taken on a machi
 - App restriction
 - Machine isolation
 
-All other related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed.
+All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.
 
-![Image of action center with information](images/atp-action-center-with-info.png)
+![Image of action center with information](images/action-center-details.png)
 
 ## Related topic
 - [Take response actions on a file](respond-file-alerts.md)