Merge pull request #1088 from MicrosoftDocs/MTE-EOD-PublicPreview

MTE EOD public preview
This commit is contained in:
David Strome 2019-09-11 11:33:08 -07:00 committed by GitHub
commit f88a54d3f6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 62 additions and 41 deletions

View File

@ -71,13 +71,15 @@
###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
####### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
##### [Take response actions on a file]()
###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
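Review bot: the replaced "Check activity details in Action center" entry sat at a seven-hash level (`#######`), one deeper than its siblings, so re-inserting it at six hashes after "Consult a threat expert" fixes both the nesting and the ordering; confirm the rendered TOC no longer shows an orphaned deeper level. The parent entry `##### [Take response actions on a file]()` keeps an empty link target, which is the existing convention for group headings in this file, so nothing to change there.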
@ -85,6 +87,7 @@
###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
##### [Investigate entities using Live response]()
###### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
###### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)

View File

@ -23,10 +23,10 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!Include[Prerelease information](prerelease.md)]
[!include[Prerelease information](prerelease.md)]
## Before you begin
To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, and preview the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges are not incurred during for the capability in preview, but for the generally available capability, there will be charges.
To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, or try the the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges are not incurred during for the capability in trial, but for the generally available capability, there will be charges.
Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up.
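Review bot: the rewritten Before you begin sentence has two typos to fix before merge: "try the the experts-on-demand capability" doubles "the", and "Premier charges are not incurred during for the capability in trial" should read "Premier charges are not incurred for the capability while it is in trial" (the removed line carried the same "during for" slip). The include directive changing from `[!Include[...]` to `[!include[...]` is correct; lowercase matches the other files in this PR.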
@ -64,48 +64,32 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert
2. From the dashboard, select the same alert topic that you got from the email, to view the details.
## Ask a Microsoft threat expert about suspicious cybersecurity activities in your organization
## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
>[!NOTE]
>The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved.
You can partner with Microsoft Threat Experts who can be engaged directly from within the Windows Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard.
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard.
>[!NOTE]
>Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an inquiry.
2. From the upper right-hand menu, click **?**. Then, select **Ask a threat expert**.
3. Asking a threat expert is a two-step process: provide the necessary information and open a support ticket.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request.
**Step 1: Provide information**
a. Provide enough information to give the Microsoft Threat Experts enough context to start the investigation. Select the inquiry category from the **Provide information > Inquiry** details drop-down menu. <br>
2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**.
b. Enter the additional details to give the threat experts more context of what youd like to investigate. Click **Next**, and it takes you to the **Open support ticket** tab. <br>
>![Image of Microsoft Threat Experts Experts on Demand from the menu](images/MTE_EOD_Menu.png)
c. Remember to use the ID number from the **Open a support ticket** tab page and include it to the details you will provide in the subsequent Customer Services and Support (CSS) pages. <br>
>A flyout screen opens.
**Step 2: Open a support ticket**
>[!NOTE]
>To experience the full Microsoft Threat Experts preview capability in Microsoft Defender ATP, you need a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview.
>![Image of Microsoft Threat Experts Experts on Demand screen](images/MTE_EOD.png)
a. In the **New support request** customer support page, select the following from the dropdown menu and then click **Next**: <br>
>The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or machine details page that you were at when you made the request.
**Select the product family**: **Security**<br>
**Select a product**: **Microsoft Threat Experts**<br>
**Select a category that best describes the issue**: **Microsoft Defender ATP**<br>
**Select a problem that best describes the issue**: Choose according to your inquiry category<br>
3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click **Next**. <br>
4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts.
c. In the **Select a support plan** page, select **Professional No Charge**. <br>
d. The severity of your issue has been pre-selected by default, per the support plan, **Professional No Charge**, that you'll use for this public preview. Select the time zone by which you'd like to receive the correspondence. Then, click **Next**. <br>
e. Verify your contact details and add another if necessary. Then, click **Next**. <br>
f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. A confirmation page indicating the response time and your support request number shows. <br>
## Sample questions to ask Microsoft Threat Experts
## Sample investigation topics that you can consult with Microsoft Threat Experts
**Alert information**
- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
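Review bot: the new procedure drops the Customer Services and Support ticket walkthrough, yet the note kept under the flyout description still says "you need a Premier customer service and support account" and "you will not be charged ... during the preview", while the rewritten Before you begin text now says "in trial"; use one term, "preview" or "trial", in both sections. Two smaller fixes in the same hunk: "what youd like to investigate" shows a stripped apostrophe, which suggests curly quotes in the source did not survive, so check the surviving lines for the same loss; and the new heading "Sample investigation topics that you can consult with Microsoft Threat Experts" reads better as "Sample investigation topics to consult Microsoft Threat Experts about".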
@ -118,7 +102,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
**Threat intelligence details**
- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
- I recently saw a [social media reference e.g., Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor?
**Microsoft Threat Experts alert communications**
@ -132,10 +116,14 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
## Scenario
### Receive a progress report about your managed hunting inquiry
Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you about the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation status from the following categories:
Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you about your **Consult a threat expert** inquiry within two days, to communicate the investigation status from the following categories:
- More information is needed to continue with the investigation
- A file or several file samples are needed to determine the technical context
- Investigation requires more time
- Initial information was enough to conclude the investigation
It is crucial to respond in a timely manner to keep the investigation moving. See the Premier customer service and support service level agreement for details.
## Related topic
- [Microsoft Threat Experts overview](microsoft-threat-experts.md)

View File

@ -52,6 +52,7 @@ Along the top of the profile page, above the file information cards. Actions you
- Stop and quarantine
- Add/edit indicator
- Download file
- Consult a threat expert
- Action center
For more information on these actions, see [Take response action on a file](respond-file-alerts.md).

View File

@ -60,6 +60,7 @@ Response actions run along the top of a specific machine page and include:
- Run antivirus scan
- Restrict app execution
- Isolate machine
- Consult a threat expert
- Action center
You can take response actions in the Action center, in a specific machine page, or in a specific file page.

View File

@ -1,8 +1,8 @@
---
title: Microsoft Threat Experts
ms.reviewer:
description: Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
keywords: managed threat hunting service, managed threat hunting, MTE, Microsoft Threat Experts
description: Microsoft Threat Experts is the new managed detection and response (MDR) service in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
keywords: managed threat hunting service, managed threat hunting, managed detection and response (MDR) service, MTE, Microsoft Threat Experts
search.product: Windows 10
search.appverid: met150
ms.prod: w10
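Review bot: the new description carries over "It provides additional layer of expertise and optics" from the removed line; insert "an" so it reads "provides an additional layer". The rename to "managed detection and response (MDR) service" is applied consistently to both `description` and `keywords`; leaving `title` unchanged is right, since that is the service name.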
@ -24,8 +24,7 @@ ms.topic: conceptual
[!include[Prerelease information](prerelease.md)]
Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments dont get missed.
Microsoft Threat Experts is a managed detection and response (MDR) service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments dont get missed.
This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand.
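Review bot: both the removed and the added sentence read "critical threats in their unique environments dont get missed"; the apostrophe in "don't" is missing (most likely a stripped curly apostrophe), and since the line is being edited anyway, restore it with a straight apostrophe so the rendered page does not show "dont". "Security Operation Centers (SOCs)" should also be "Security Operations Centers" to match the expansion used in the front-matter description.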
@ -47,6 +46,19 @@ Customers can engage our security experts directly from within Microsoft Defende
- Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques
- Seamlessly transition to Microsoft Incident Response (IR) or other third-party Incident Response services when necessary
The option to **Consult a threat expert** is available in several places in the portal so you can engage with experts in the context of your investigation:
- <i>**Help and support menu**</i><BR>
![Screenshot of MTE-EOD menu option](images/MTE_EOD_Menu.png)
- <i>**Machine page actions menu**</i><BR>
![Screenshot of MTE-EOD machine page action menu option](images/MTE_EOD_machines.png)
- <i>**Alerts page Actions menu**</i><BR>
![Screenshot of MTE-EOD alert page action menu option](images/MTE_EOD_alerts.png)
- <i>**File page actions menu**</i><BR>
![Screenshot of MTE-EOD file page action menu option](images/MTE_EOD_file.png)
## Related topic
- [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
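Review bot: the four new list items wrap bold Markdown in raw HTML italics, `<i>**Help and support menu**</i><BR>`, mixing two markup systems and using an uppercase `<BR>` tag; the rest of this PR's Markdown uses plain `**bold**`, so either drop the `<i>` tags or write `***Help and support menu***` for bold-italic, and place each screenshot in its own paragraph rather than forcing a line break. The alt text also uses the internal abbreviation "MTE-EOD", which readers of the public page will not recognise; spell it out as the configure page's images do ("Image of Microsoft Threat Experts Experts on Demand ...").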

View File

@ -42,6 +42,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
- [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md) <BR> You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation.
- [Indicators for IP addresses, URLs/Domains](manage-indicators.md) <BR> You can now allow or block URLs/domains using your own threat intelligence.
- [Evaluation lab](evaluation-lab.md) <BR> The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
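Review bot: the new preview-feature entry labels the capability "Experts on Demand", while the configure page in this same PR writes "experts-on-demand capability" and "Experts-on-demand service"; pick one casing and hyphenation across the PR. The link also targets the overview page (microsoft-threat-experts.md) rather than the configure page that holds the step-by-step "Consult a Microsoft threat expert" procedure; consider linking there, or to both.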

View File

@ -169,6 +169,12 @@ When you select this action, a fly-out will appear. From the fly-out, you can re
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled.
## Consult a threat expert
You can consult a Microsoft threat expert for more insights regarding a potentially compromised machine or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised machine, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
## Check activity details in Action center
The **Action center** provides information on actions that were taken on a machine or file. Youll be able to view the following details:
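Review bot: the new "Consult a threat expert" section links to the configure page with an absolute URL that hard-codes the `en-us` locale (`https://docs.microsoft.com/en-us/windows/security/...`), while every other cross-reference in these files is a relative link such as `respond-file-alerts.md`; use `configure-microsoft-threat-experts.md#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization` so localized builds resolve correctly. The opening phrase "regarding a potentially compromised machine or already compromised ones" is also awkward; "regarding a potentially or already compromised machine" says the same thing.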

View File

@ -35,6 +35,7 @@ Response actions run along the top of a specific machine page and include:
- Run antivirus scan
- Restrict app execution
- Isolate machine
- Consult a threat expert
- Action center
![Image of response actions](images/response-actions.png)
@ -173,6 +174,13 @@ When a machine is being isolated, the following notification is displayed to inf
![Image of no network connection](images/atp-notification-isolate.png)
## Consult a threat expert
You can consult a Microsoft threat expert for more insights regarding a potentially compromised machine or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised machine, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
## Check activity details in Action center
The **Action center** provides information on actions that were taken on a machine or file. Youll be able to view the following details:
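Review bot: this section is word-for-word the paragraph and link added to respond-file-alerts.md in the same PR, including the absolute locale-specific URL; since the two pages already share their response-action list verbatim, move the shared text into an include (these docs already use `[!include[...]` for prerelease.md), or at minimum switch both to the relative link `configure-microsoft-threat-experts.md#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization` so the copies cannot drift apart.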