diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
index 29f873260a..5745d3864d 100644
--- a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -25,30 +25,31 @@ Understand how the SIEM schema maps to the values in the Windows Defender ATP po
 
 Field numbers match the numbers in the images.
 
-(BORON image)
+![Image of actor profile with numbers](images/atp-actor.png)
 
 ![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png)
 
 ![Image of new alerts with numbers](images/atp-alert-source.png)
 
-(INSERT MACHINE TIMELINE WITH REMEDIATION ACTION)
+![Image of machine timeline with numbers](images/atp-remediated-alert.png)
 
 ![Image of file details](images/atp-file-details.png)
 
 
 #	SIEM fields and portal mapping
 
-Portal label | SIEM field name | Description
+Portal label  | SIEM field name | Description
 :---|:---|:---
-1	| Actor |	Actor name
+1	| LinkToWDATP |	Link back to the alert page in Windows Defender ATP
 2	|	Alert ID	| Alert ID visible in the link: `https://securitycenter.windows.com/alert/<alert id>`
-3	| LinkToWDATP |	Link back to the alert page in Windows Defender ATP portal |
-4	|Severity |	Alert severity
-5	| AlertTitle | Alert	title
-6	| Category |	Alert category
-7	| ComputerDnsName|	Computer DNS name and machine name
-8	| IoaDefinitionId	| (Internal only)  <br><br>  ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title. <br><br> **Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
-9	|	AlertTime |	Last time the alert was observed
+3	| AlertTitle | Alert	title
+4	| Actor |	Actor name
+5	| AlertTime |	Last time the alert was observed
+6 | Severity |	Alert severity
+7	| Category |	Alert category
+8 | Status in queue | Alert status in queue
+9	| ComputerDnsName|	Computer DNS name and machine name
+10	| IoaDefinitionId	| (Internal only)  <br><br>  ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title. <br><br> **Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
 10 | UserName	| The user context relevant to the activity on the machine which triggered the alert.
 11 | FileName	| File name
 12 | FileHash	| Sha1 of file observed
@@ -61,13 +62,13 @@ Portal label | SIEM field name | Description
 19 | Source| Alert detection source (Windows Defender AV or Windows Defender ATP)
 20 | ThreatCategory| Windows Defender AV threat category
 21 | ThreatFamily |	Windows Defender AV family name
-22	|	ThreatName	| Windows Defender AV threat name
-23 | RemediationAction |	Windows Defender AV threat category	 |
-24 |	RemediationIsSuccess	| Indicates if an alert was successfully remediated. (Windows Defender AV field)
-25 | WasExecutingWhileDetected	| Indicates if a file was running while being detected. (Windows Defender AV field)
-26 | Sha1	| Sha1 of file observed	in alert timeline and in file side pane (when available)
+22 | RemediationAction |	Windows Defender AV threat category	 |
+23 | WasExecutingWhileDetected	| Indicates if a file was running while being detected. (Windows Defender AV field)
+24|	RemediationIsSuccess	| Indicates if an alert was successfully remediated. (Windows Defender AV field)
+25 | Sha1	| Sha1 of file observed	in alert timeline and in file side pane (when available)
+26 | Md5 | Md5 of file observed	(when available)
 27 | Sha256 |	Sha256 of file observed	(when available)
-28 | Md5	| Md5 of file observed	(when available)
+28	|	ThreatName	| Windows Defender AV threat name
 
 >[!NOTE]
->A single AlertID represents an IOA detection and may contain multiple IOCs. In such a cases, they will be exported to the SIEM tool as multiple instances. For every instance with the same AlertID, fields #1-8 will be identical while fields #9-18 will be different according to the new IOC information. Fields #20-28 are related to Windows Defender AV alerts.
+>A single AlertID represents an IOA detection and may contain multiple IOCs. In such a cases, they will be exported to the SIEM tool as multiple instances. For every instance with the same AlertID, fields #1-8 will be identical while fields #9-18 will be different according to the new IOC information. Fields #20-28 are related to Windows Defender Antivirus alerts.
diff --git a/windows/keep-secure/images/atp-actor.png b/windows/keep-secure/images/atp-actor.png
new file mode 100644
index 0000000000..dc9c9dd6fc
Binary files /dev/null and b/windows/keep-secure/images/atp-actor.png differ
diff --git a/windows/keep-secure/images/atp-file-details.png b/windows/keep-secure/images/atp-file-details.png
index c6d9f0d76d..0a7601f1c5 100644
Binary files a/windows/keep-secure/images/atp-file-details.png and b/windows/keep-secure/images/atp-file-details.png differ
diff --git a/windows/keep-secure/images/atp-remediated-alert.png b/windows/keep-secure/images/atp-remediated-alert.png
new file mode 100644
index 0000000000..70f5d527d0
Binary files /dev/null and b/windows/keep-secure/images/atp-remediated-alert.png differ