From d28d072d7c2b90175cb5c407c0d5ae7d64d4aba1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 10 Mar 2020 12:15:23 -0700 Subject: [PATCH] Update TOC --- windows/security/threat-protection/TOC.md | 212 +++++++++++----------- 1 file changed, 108 insertions(+), 104 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index d82b58f5c9..83f2059f68 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -23,117 +23,121 @@ ### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md) -## [Operations]() -### [Security operations]() -#### [Portal overview](microsoft-defender-atp/portal-overview.md) -#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md) -#### [Incidents queue]() -##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md) -##### [Manage incidents](microsoft-defender-atp/manage-incidents.md) -##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md) - -#### [Alerts queue]() -##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md) -##### [Manage alerts](microsoft-defender-atp/manage-alerts.md) -##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md) -##### [Investigate files](microsoft-defender-atp/investigate-files.md) -##### [Investigate machines](microsoft-defender-atp/investigate-machines.md) -##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md) -##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md) -###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md) -##### [Investigate a user account](microsoft-defender-atp/investigate-user.md) - -#### [Machines list]() -##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md) -##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md) - -#### [Take response actions]() -##### [Take response actions on a machine]() -###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md) -###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags) -###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation) -###### [Initiate Live Response 
session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session) -###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) -###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines) -###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution) -###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network) -###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert) -###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center) - -##### [Take response actions on a file]() -###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md) -###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network) -###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine) -###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) -###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert) -###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center) -###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file) -###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) -###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis) -###### [View deep analysis 
reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports) -###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis) - -#### [Use the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md) -##### [Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md) - - -#### [Investigate entities using Live response]() -##### [Investigate entities on machines](microsoft-defender-atp/live-response.md) -##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md) - -#### [Threat analytics](microsoft-defender-atp/threat-analytics.md) - -#### [Advanced hunting]() -##### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md) -##### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md) -##### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md) -##### [Advanced hunting schema reference]() -###### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md) -###### [DeviceAlertEvents](microsoft-defender-atp/advanced-hunting-devicealertevents-table.md) -###### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md) -###### [DeviceImageLoadEvents](microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md) -###### [DeviceLogonEvents](microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md) -###### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md) -###### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md) -###### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md) -###### [DeviceFileCertificateInfoBeta](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md) -###### 
[DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md) -###### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md) -###### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md) -###### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md) -###### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md) -###### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md) -###### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md) -##### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) - -#### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md) - -#### [Reporting]() -##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md) -##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md) -##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md) -##### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md) +## [Security administration]() +### [Threat & Vulnerability Management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) +### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) +### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) +### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) +### [Configuration score](microsoft-defender-atp/configuration-score.md) +### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md) +### [Remediation and 
exception](microsoft-defender-atp/tvm-remediation.md) +### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) +### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) +### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) -#### [Custom detections]() -##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md) -##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md) -### [Security administration]() -#### [Threat & Vulnerability Management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) -#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) -#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) -#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) -#### [Configuration score](microsoft-defender-atp/configuration-score.md) -#### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md) -#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md) -#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) -#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) -#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) +## [Security operations]() +### [Portal overview](microsoft-defender-atp/portal-overview.md) +### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md) + + +### [Incidents queue]() +#### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md) +#### [Manage incidents](microsoft-defender-atp/manage-incidents.md) +#### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md) + +### [Alerts queue]() +#### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md) +#### [Manage alerts](microsoft-defender-atp/manage-alerts.md) +#### [Investigate 
alerts](microsoft-defender-atp/investigate-alerts.md) +#### [Investigate files](microsoft-defender-atp/investigate-files.md) +#### [Investigate machines](microsoft-defender-atp/investigate-machines.md) +#### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md) +#### [Investigate a domain](microsoft-defender-atp/investigate-domain.md) +##### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md) +#### [Investigate a user account](microsoft-defender-atp/investigate-user.md) + +### [Machines list]() +#### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md) +#### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md) + +### [Take response actions]() +#### [Take response actions on a machine]() +##### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md) +##### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags) +##### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation) +##### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session) +##### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) +##### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines) +##### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution) +##### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network) +##### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert) +##### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center) + +#### 
[Take response actions on a file]() +##### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md) +##### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network) +##### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine) +##### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) +##### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert) +##### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center) +##### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file) +##### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) +##### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis) +##### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports) +##### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis) + +### [Use the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md) +#### [Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md) + + +### [Investigate entities using Live response]() +#### [Investigate entities on machines](microsoft-defender-atp/live-response.md) +#### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md) + +### [Threat analytics](microsoft-defender-atp/threat-analytics.md) + +### [Advanced hunting]() +#### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md) +#### [Learn the query 
language](microsoft-defender-atp/advanced-hunting-query-language.md) +#### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md) +#### [Advanced hunting schema reference]() +##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md) +##### [DeviceAlertEvents](microsoft-defender-atp/advanced-hunting-devicealertevents-table.md) +##### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md) +##### [DeviceImageLoadEvents](microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md) +##### [DeviceLogonEvents](microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md) +##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md) +##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md) +##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md) +##### [DeviceFileCertificateInfoBeta](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md) +##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md) +##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md) +##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md) +##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md) +##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md) +##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md) +##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md) +#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) + +### [Microsoft Threat 
Experts](microsoft-defender-atp/microsoft-threat-experts.md) + +### [Reporting]() +#### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md) +#### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md) +#### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md) +#### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md) + + + +### [Custom detections]() +#### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md) +#### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
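Review bot: The commit message "Update TOC" does not record what this hunk actually changes in structure: the `## [Operations]()` parent node is removed, its two children are promoted one level (`### [Security administration]()` and `### [Security operations]()` become `##`, with every descendant losing one `#`), and `Security administration` now precedes `Security operations` instead of following it. A reorder of top-level TOC nodes is user-visible navigation, so the message or PR description should state the intent (e.g. "Remove the Operations parent node and list Security administration before Security operations"). Two smaller style points in the added lines: the `+` block leaves three consecutive blank lines between `#### [Machine health and compliance reports](...)` and `### [Custom detections]()`, and two between `### [Security operations dashboard](...)` and `### [Incidents queue]()`, where the rest of the file uses a single blank line between sibling groups; trimming those keeps the TOC consistent. The link targets themselves are carried over unchanged (including the `respond-machine-alerts.md#...` and `respond-file-alerts.md#...` anchors), so no link re-validation beyond the heading-depth change appears necessary.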