updated actions

This commit is contained in:
Beth Levin 2019-04-25 16:02:51 -07:00
parent 18eb26b8c3
commit f5cc7bd03e
8 changed files with 35 additions and 64 deletions

View File

@ -42,7 +42,6 @@
#### Machines list #### Machines list
##### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) ##### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
##### [Manage machine group and tags](machine-tags-windows-defender-advanced-threat-protection.md)
##### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) ##### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
##### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) ##### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
###### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) ###### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
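Review bot: Dropping the "Manage machine group and tags" entry (the line linking machine-tags-windows-defender-advanced-threat-protection.md) removes the only TOC link to that topic, and this hunk adds no replacement. The target file is still in the repository (it is edited later in this commit and now carries the title "Create and manage machine tags"), so add a TOC entry under that new title, for example `##### [Create and manage machine tags](machine-tags-windows-defender-advanced-threat-protection.md)`, unless it is being linked from another TOC location.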

Binary file not shown. Before: Size 36 KiB

Binary file not shown. Before: Size 34 KiB

Binary file not shown. After: Size 54 KiB

Binary file not shown. After: Size 65 KiB

Binary file not shown. After: Size 13 KiB

View File

@ -17,26 +17,29 @@ ms.collection: M365-security-compliance
ms.topic: article ms.topic: article
--- ---
# Create and manage machine groups in Windows Defender ATP # Create and manage machine groups
**Applies to:** **Applies to:**
- Azure Active Directory - Azure Active Directory
- Office 365 - Office 365
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
In an enterprise scenario, security operation teams are typically assigned a set of machines. These machines are grouped together based on a set of attributes such as their domains, computer names, or designated tags. In an enterprise scenario, security operation teams are typically assigned a set of machines. These machines are grouped together based on a set of attributes such as their domains, computer names, or designated tags.
In Windows Defender ATP, you can create machine groups and use them to: In Windows Defender ATP, you can create machine groups and use them to:
- Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac-windows-defender-advanced-threat-protection.md) - Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac-windows-defender-advanced-threat-protection.md)
- Configure different auto-remediation settings for different sets of machines - Configure different auto-remediation settings for different sets of machines
- Assign specific remediation levels to apply during automated investigations
- In an investigation, filter the **Machines list** to just specific machine groups by using the **Group** filter.
You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or see information by assigning the machine group(s) to a user group. For more information, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
>[!TIP] >[!TIP]
> For a comprehensive look into RBAC application, read: [Is your SOC running flat with RBAC](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Is-your-SOC-running-flat-with-limited-RBAC/ba-p/320015). > For a comprehensive look into RBAC application, read: [Is your SOC running flat with RBAC](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Is-your-SOC-running-flat-with-limited-RBAC/ba-p/320015).
As part of the process of creating a machine group, you'll: As part of the process of creating a machine group, you'll:
- Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md). - Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md).
- Specify the matching rule that determines which machine group belongs to the group based on the machine name, domain, tags, and OS platform. If a machine is also matched to other groups, it is added only to the highest ranked machine group. - Specify the matching rule that determines which machine group belongs to the group based on the machine name, domain, tags, and OS platform. If a machine is also matched to other groups, it is added only to the highest ranked machine group.
- Select the Azure AD user group that should have access to the machine group. - Select the Azure AD user group that should have access to the machine group.
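Review bot: The new bullet "In an investigation, filter the **Machines list** to just specific machine groups by using the **Group** filter." ends with a period while the three bullets above it do not; drop the period for consistency. The added RBAC paragraph ("You can create machine groups in the context of role-based access (RBAC)...") also repeats the first bullet in the same list, which already links to rbac-windows-defender-advanced-threat-protection.md, and the TIP directly below links RBAC again; consider merging the paragraph into that bullet or cutting it. While touching this section, the unchanged bullet "Specify the matching rule that determines which machine group belongs to the group" should read "which machines belong to the group", matching the wording used in step 3 of the procedure below.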
@ -45,43 +48,28 @@ As part of the process of creating a machine group, you'll:
>[!NOTE] >[!NOTE]
>A machine group is accessible to all users if you dont assign any Azure AD groups to it. >A machine group is accessible to all users if you dont assign any Azure AD groups to it.
## Create a machine group ## Create a machine group
1. In the navigation pane, select **Settings** > **Machine groups**. 1. In the navigation pane, select **Settings** > **Machine groups**.
2. Click **Add machine group**. 2. Click **Add machine group**.
3. Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group. 3. Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group. For more information on automation levels, see [Understand the Automated investigation flow](automated-investigations-windows-defender-advanced-threat-protection.md#understand-the-automated-investigation-flow).
- **Machine group name**
- **Automation level**
- **Semi - require approval for any remediation**
- **Semi - require approval for non-temp folders remediation**
- **Semi - require approval for core folders remediation**
- **Full - remediate threats automatically**
>[!NOTE]
> For more information on automation levels, see [Understand the Automated investigation flow](automated-investigations-windows-defender-advanced-threat-protection.md#understand-the-automated-investigation-flow).
- **Description**
- **Members**
>[!TIP] >[!TIP]
>If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Create and manage machine tags](machine-tags-windows-defender-advanced-threat-protection.md).
4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **Access** tab. 4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **User access** tab.
5. Assign the user groups that can access the machine group you created. 5. Assign the user groups that can access the machine group you created.
>[!NOTE] >[!NOTE]
>You can only grant access to Azure AD user groups that have been assigned to RBAC roles. >You can only grant access to Azure AD user groups that have been assigned to RBAC roles.
6. Click **Close**. The configuration changes are applied.
6. Click **Close**. The configuration changes are applied.
## Manage machine groups ## Manage machine groups
You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups. You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups.
>[!WARNING] >[!WARNING]
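Review bot: Folding the automation-level link into step 3 also deletes the enumeration of the settings the reader has to choose (Machine group name; Automation level with its four options "Semi - require approval for any remediation", "Semi - require approval for non-temp folders remediation", "Semi - require approval for core folders remediation", "Full - remediate threats automatically"; Description; Members). Unless the linked "Understand the Automated investigation flow" section lists those four levels verbatim, keep the list here so the procedure stays self-contained. The unchanged NOTE above ("if you dont assign any Azure AD groups") is missing the apostrophe in "don't" and is worth fixing in the same pass.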
@ -92,9 +80,10 @@ By default, machine groups are accessible to all users with portal access. You c
Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group. Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group.
>[!NOTE] >[!NOTE]
> - Applying changes to machine group configuration may take up to several minutes. > Applying changes to machine group configuration may take up to several minutes.
## Related topics
## Related topic
- [Manage portal access using role-based based access control](rbac-windows-defender-advanced-threat-protection.md) - [Manage portal access using role-based based access control](rbac-windows-defender-advanced-threat-protection.md)
- [Create and manage machine tags](machine-tags-windows-defender-advanced-threat-protection.md)
- [Get list of tenant machine groups using Graph API](get-machinegroups-collection-windows-defender-advanced-threat-protection.md) - [Get list of tenant machine groups using Graph API](get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
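Review bot: The unchanged first link in the list still reads "Manage portal access using role-based based access control", with "based" duplicated; since this hunk already touches the heading and adds a new entry, fix the link text to "role-based access control" here. The heading change from "Related topic" to "Related topics" is correct now that there are three entries.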

View File

@ -19,22 +19,16 @@ ms.topic: article
# Create and manage machine tags # Create and manage machine tags
Add tags on machines to create a logical group affiliation. Add tags on machines to create a logical group affiliation. Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Tags can be used as a filter in **Machines list** view, or to group machines. For more information on machine grouping, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or see information by assigning the machine group(s) to a user group. For more information, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
You can also use machine groups to assign specific remediation levels to apply during automated investigations. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). In an investigation, you can filter the **Machines list** to just specific machine groups by using the **Group** filter.
Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
You can add tags on machines using the following ways: You can add tags on machines using the following ways:
- Setting a registry key value - Setting a registry key value
- Using the portal - Using the portal
## Add machine tags by setting a registry key value To add machine tags using API, see [Add or remove machine tags API](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md).
Add tags on machines which can be used as a filter in **Machines list** view. You can limit the machines in the list by selecting the Tag filter. ## Add machine tags by setting a registry key value
>[!NOTE] >[!NOTE]
> Applicable only on the following machines: > Applicable only on the following machines:
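Review bot: The new sentence "To add machine tags using API, see [Add or remove machine tags API](...)" sits directly under a list that says tags can be added "using the following ways" and enumerates only "Setting a registry key value" and "Using the portal", so the API is presented as a way to add tags without being listed as one. Either add a third bullet ("Using the API") above the sentence, or keep the sentence out of that list's flow, for example by placing it under its own heading as the old text did with "## Add machine tags using APIs". The merged intro paragraph is otherwise an improvement, but note it now links to machine-groups-windows-defender-advanced-threat-protection.md twice within two paragraphs (the intro and the "You can also use machine groups" paragraph).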
@ -53,38 +47,27 @@ Use the following registry key entry to add a tag on a machine:
>[!NOTE] >[!NOTE]
>The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. >The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report.
## Add machine tags using the portal ## Add and manage machine tags using the portal
Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag. 1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views: - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. - **Machines list** - Select the machine name from the list of machines.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - **Search box** - Select Machine from the drop-down menu and enter the machine name.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
You can also get to the alert page through the file and IP views. You can also get to the alert page through the file and IP views.
2. Open the **Actions** menu and select **Manage tags**. 2. Select **Manage Tags** from the row of Response actions.
![Image of taking action to manage tags on a machine](images/atp-manage-tags.png) ![Image of manage tags button](images/manage-tags.png)
3. Enter tags on the machine. To add more tags, click the + icon. 3. Type to find or create tags
4. Click **Save and close**.
![Image of adding tags on a machine](images/atp-save-tag.png)
Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines.
### Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
![Image of adding tags on a machine](images/atp-tag-management.png)
## Add machine tags using APIs
For more information, see [Add or remove machine tags API](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md).
![Image of adding tags on a machine](images/new-tags.png)
Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines.
You can also delete tags from this view.
![Image of adding tags on a machine](images/more-manage-tags.png)
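Review bot: The rewritten procedure ends at "3. Type to find or create tags" and deletes the old step 4 ("Click **Save and close**.") without a replacement, so the reader is no longer told how the tags are committed; either restore a save step or state that the tag is applied as soon as it is selected, if that is the new behaviour. Step 3 also lacks the terminating period the other steps have. The three images inserted in this hunk (images/manage-tags.png, images/new-tags.png, images/more-manage-tags.png) reuse the alt text "Image of adding tags on a machine" (and "Image of manage tags button"), even though the last one illustrates deleting tags; give each image alt text that describes what it shows.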