Joey Caparas 2018-03-26 11:33:08 -07:00
commit c9637d1c9e
4 changed files with 6 additions and 17 deletions


@ -28,11 +28,11 @@ ms.date: 04/16/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
## Advanced hunting query best practices
The following best practices serve as a guideline for you to maximize the advanced hunting capability.
The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries.
- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/).
- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
- Prefer 'has' keyword over 'contains' when looking for full tokens.
- Prefer looking in specific column rather than using full text search across all columns.
- Use 'has' keyword over 'contains' when looking for full tokens.
- Use looking in specific column rather than using full text search across all columns.
- When joining between two tables - choose the table with less rows to be the first one (left-most).
- When joining between two tables - project only needed columns from both sides of the join.
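Review bot: the reworded bullet "Use looking in specific column rather than using full text search across all columns" is ungrammatical, and the line it replaces ("Prefer looking in specific column...") read better; suggest "Look in a specific column rather than running a full-text search across all columns." The new intro sentence is also redundant ("serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries"); one clause such as "The following best practices help your queries run faster and let you run more complex queries" says the same thing. The "Use 'has' keyword over 'contains'" change is fine as is.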


@ -39,24 +39,13 @@ To get you started in querying your data, you can use the basic or advanced quer
![Image of Advanced hunting window](images/atp-advanced-hunting.png)
## Before you begin
To maximize the advanced hunting capability, it's a good idea to understand the following query best practices.
### Query best practices
- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/).
- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
- Prefer 'has' keyword over 'contains' when looking for full tokens.
- Prefer looking in specific column rather than using full text search across all columns.
- When joining between two tables - choose the table with less rows to be the first one (left-most).
- When joining between two tables - project only needed columns from both sides of the join.
## Use advanced hunting to query data
A typical query starts with a table name followed by a series of operators separated by **|**.
In the following example, we start with the table name **ProcessCreationEvents** and add piped elements as needed.
![Image of Windows Defender ATP advanced hunting query](images/atp-advanced-hunting-query.png)
![Image of Windows Defender ATP advanced hunting query](images/advanced-hunting-query-example.png)
First, we define a time filter to review only records from the previous seven days.
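Review bot: this hunk removes the whole "Before you begin" / "Query best practices" section, so advanced-hunting.md no longer points readers at the best practices that now live only in the reference page. Suggest leaving a one-line pointer where the section was, for example "Before you begin, review the query best practices in the advanced hunting reference." The image swap from images/atp-advanced-hunting-query.png to images/advanced-hunting-query-example.png keeps the alt text, which is fine, but check that nothing else references the old image before it is left behind in images/.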
@ -97,7 +86,6 @@ The following tables are exposed as part of advanced hunting:
- **LogonEvents** - Stores all login events
- **ImageLoadEvents** - Stores all load dll events
- **MiscEvents** - Stores several types of events, including Windows Defender Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall events.
- **SuspiciousEvents** - Stores all events that deviate from typical event behavior
## Use shared queries
Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities.
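Review bot: the SuspiciousEvents entry is dropped from the list of exposed tables without anything in the commit saying why. If the table has been withdrawn, any shared query or repository query that references it will break and should be checked; if it is still exposed, it should stay documented. A short note in the commit message would settle it either way. Separately, the unchanged context lines read "Stores all login events" for LogonEvents and "Stores all load dll events" for ImageLoadEvents; suggest "Stores all logon events" and "Stores all DLL load events" to match the table names.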
@ -160,7 +148,7 @@ The filter selections will resolve as an additional query term and the results w
## Public Advanced Hunting query GitHub repository
Check out the [Advanced Hunting repository](https://github.com/Microsoft/Advanced-Hunting-Queries). Contribute and use example queries shared by our customers.
Check out the [Advanced Hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
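Review bot: the repository link changes from Microsoft/Advanced-Hunting-Queries to Microsoft/WindowsDefenderATP-Hunting-Queries. Confirm that the old URL still resolves (GitHub redirects only when a repository is renamed, not when a new one is created) and that no other page in the doc set still carries the old URL. The link text "Advanced Hunting repository" could also be updated to match the new repository name.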

Binary file not shown.



@ -62,6 +62,7 @@ You'll also see details such as logon types for each user account, the user grou
**Machine risk**</br>
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level is determined using the number of active alerts and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be exposed to.
Depending on your connection settings, the risk level can influence enforcement of conditional access and other security policies on Microsoft Intune and other connected solutions. For more information on conditional access, see Enable conditional access (should be linkable)
**Azure Advanced Threat Protection**</br>
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided.
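Review bot: the added line ends with the author placeholder "(should be linkable)", which will be published verbatim; replace it with an actual link to the Enable conditional access topic before merging. The same sentence hinges on "Depending on your connection settings" without saying which setting is meant; naming it would make the statement actionable. The context line just above, "It's also indicators of the active threats that machines could be exposed to", is ungrammatical; suggest "The risk level is also an indicator of the active threats the machine may be exposed to."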