update user entity update toc to include preview topic

windows/keep-secure/TOC.md

@@ -722,6 +722,7 @@
 #### [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
 ### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
 #### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
+#### [Preview features and updates](preview-windows-defender-advanced-threat-protection.md)
 #### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
 #### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
 #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)

windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md

@@ -51,7 +51,7 @@ Clicking on the number of total logged on users in the Logged on user tile opens
 
 ![Image of user details pane](images/atp-user-details-pane.png)
 
-You'll also see details such as days seen, first seen, last seen, and user type.
+You'll also see details such as logon types for each user account, the user group, and when the account was logged in. 
 
  For more information, see [Investigate user entities](investigate-user-entity-windows-defender-advanced-threat-protection.md).
 

windows/keep-secure/investigate-user-entity-windows-defender-advanced-threat-protection.md

@@ -30,7 +30,7 @@ You can find user account information from the following views:
 - Alerts queue
 - Machine details page
 
-A clickable user account link is available from all these views. You'll be taken to the user account details page where more details about the account is shown.
+A clickable user account link is available from these views. You'll be taken to the user account details page where more details about the account is shown.
 
 When you investigate a user entity, you'll see:
 - User account details and Logged on machines
@@ -39,13 +39,27 @@ When you investigate a user entity, you'll see:
 
 ![Image of the user entity details page](images/atp-user-details-view.png)
 
-The user entity details and logged on machines section display various attributes about the user entity. You'll see details such as when the user was first and last seen and the total number of machines the user logged in to.
+The user entity details and logged on machines section display various attributes about the user entity. You'll see details such as when the user was first and last seen and the total number of machines the user logged in to. You'll also see the machines that the user was most and least frequently logged in to.
 
 The **Alerts related to this user** section provides a list of alerts that are associated with the user. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
 
 The **Observed in organization** section allows you to specify a date range to see the total number of observed users logged in to specific machine and which machines the user most frequently and least frequently logged in to.
 
+You'll also be able to determine the machine health state from the machine icon and color as well as the description of the machine health state. Clicking on the icon displays more details regarding machine health.
+
 ![Image of observed in organization section](images/atp-observed-in-organization.png)
 
 ## Search for specific user accounts
-Use the search bar to look for specific user accounts:
+
+1. Select **User** from the **Search bar** drop-down menu.
+2. Enter the user account in the **Search** field.
+3. Click the search icon or press **Enter**.
+
+A list of users with matches are displayed in a list. You'll see the username, when the user was last seen, and the total number of machines it was observed on in the last 30 days.
+
+You can filter the results by the following days:
+- 1 day
+- 3 days
+- 7 days
+- 30 days
+- 6 months

windows/keep-secure/preview-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,63 @@
+---
+title: Windows Defender Advanced Threat Protection preview features and updates
+description: Learn how to access Windows Defender Advanced Threat Protection preview features and updates.
+keywords: preview, preview experience, Windows Defender Advanced Threat Protection, features, updates
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Windows Defender Advanced Threat Protection preview features and updates
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Windows Defender ATP continuously updates the portal to include feature enhancements and updates. You can choose to take part in the preview experience by selecting the option during onboarding or enabling the preview experience from the **Preferences setup** menu.
+
+Windows Defender ATP adds various feature enhancements and capabilities in the February 2017 preview release.
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+## Preview features
+In this release, new features enable you to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization.
+
+Actions such as isolate a machine, stop and quarantine files, and add file to the blocked list are made conveniently available within the file or machine views. Actions taken are aggregated in the Action center for future reference.
+
+These set of new features also include the ability to collect forensic data from a compromised machine to identify the machines state and indicator of attacks.
+
+You'll also see the sensor health feature which helps you keep track and identify machines that might be encountering issues reporting sensor data to the service.
+
+The following links take you to the topics that provide information on how to use these features:
+
+>[!NOTE]
+> All response features require machines to be on the latest Windows 10 Insider Preview build and above.
+
+- [Respond to machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+  - [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+  - [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
+  - [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
+
+- [Respond to file related alerts](respond-file-alerts-windows-defender-advanced-threat-protection.md)
+  - [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+  - [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+  - [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+
+## Enhancements
+The following topics have been added to enhance the Windows Defender ATP experience:
+
+- [Check sensor status](check-sensor-status-windows-defender-advanced-threat-protection.md)
+  - [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+  - [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+  - [Create custom threat intelligence using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+  - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)