Adding Windows Defender Advanced Threat Protection

windows/keep-secure/TOC.md

@@ -405,6 +405,15 @@
 #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
 #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
 #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+### [Windows Defender Advanced Threat Protection](windows-defender-in-windows-10.md)
+#### [Requirements for Windows Defender ATP](requirements-windows-defender-atp.md)
+#### [Onboard and configure Windows Defender ATP](onboard-configure-windows-defender-atp.md)
+#### [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-atp.md)
+#### [Windows Defender ATP portal overview](portal-overview-windows-defender-atp.md)
+#### [Windows Defender ATP icons](icons-windows-atp.md)
+#### [Use Windows Defender ATP Portal](use-windows-defender-atp.md)
+#### [Windows Defender ATP settings](settings-windows-defender-atp.md)
+#### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-atp.md)
 ## [Enterprise security guides](windows-10-enterprise-security-guides.md)
 ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
 ### [Device Guard deployment guide](device-guard-deployment-guide.md)

windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md

@@ -0,0 +1,49 @@
+---
+title: Additional Windows Defender ATP configuration settings
+description: Use the Group Policy Console to configure settings that enable sample sharing from your endpoints. These settings are used in the deep analysis feature.
+keywords: configuration settings, Windows Defender ATP configuration settings, Windows Defender Advanced Threat Protection configuration settings, group policy Management Editor, computer configuration, policies, administrative templates, 
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Additional Windows Defender ATP configuration settings
+
+**Applies to**
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
+
+## Configure sample collection settings with Group Policy
+1.  On your GP management machine, copy the following files from the
+    configuration package:
+
+    a.  Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
+    
+    b.  Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
+
+2.  Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor**, go to **Computer configuration**.
+
+4.  Click **Policies**, then **Administrative templates**.
+
+5.  Click **Windows components** and then **Windows Advanced Threat Protection**.
+
+6.  Choose to enable or disable sample sharing from your endpoints.
+
+## Configure sample collection settings with Configuration Manager
+
+TBA
+
+
+## Related topics
+- [Windows Defender ATP service onboarding](service-onboarding-windows-advanced-threat-protection.md)
+- [Configure Windows Defender ATP endpoints (client onboarding)](configure-endpoints-windows-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md)

windows/keep-secure/alerts-queue-windows-advanced-threat-protection.md

@@ -0,0 +1,64 @@
+---
+title: View and organize the Windows Defender ATP Alerts queue
+description: Learn about how the Windows Defender ATP alerts queue work, and how to sort and filter lists of alerts.
+keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+---
+
+# View and organize the Windows Defender Advanced Threat Protection Alerts queue
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+As a security operations team member, you can manage Windows Defender ATP alerts as part of your routine activities. Alerts will appear in the respective queues according to their current status.
+
+To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
+
+> **Note**&nbsp;&nbsp;By default, the queues are sorted from newest to oldest.
+
+The following table and screenshot demonstrate the main areas of the **Alerts queue**.
+
+![Screenshot of the Dashboard showing the New Alerts list and navigation bar](images/alertsq.png)
+
+Highlighted area|Area name|Description
+:---|:---|:---
+(1)|**Alerts queue**| Select to show **New**, **In Progress**, or **Resolved alerts**
+(2)|Alerts|Each alert shows:<ul><li>The severity of an alert as a coloured bar</li><li>A short description of the alert, including the name of the threat actor (in cases where the attribution is possible)</li><li>The last occurence of the alert on any machine</li><li>The number of days the alert has been in the queue</li><li>The general category or type of alert, or the alert's kill-chain stage</li><li>The affected machine (if there are multiple machines, the number of affected machines will be shown)</li><li>A **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) that allows you to update the alert's status and add comments</li></ul>Clicking an alert expands to display more information about the threat and brings you to the date in the timeline when the alert was detected.
+(3)|Alerts sorting and filters | You can sort alerts by: <ul><li>**Newest** (when the threat was last seen on your network)</li><li>**Time in queue** (how long the threat has been in your queue)</li><li>**Severity**</li></ul>You can also filter the displayed alerts by:<ul><li>Severity</li><li>Time period</li></ul>See [Windows Defender ATP alerts](use-windows-defender-advanced-threat-protection.md#windows-defender-atp-alerts) for more details.
+
+##Sort and filter the Alerts queue
+You can filter and sort (or "pivot") the Alerts queue to identify specific alerts based on certain criteria.
+There are three mechanisms to pivot the queue against:
+
+1. Sort the queue by opening the drop-down menu in the **Sort by** field and choosing:
+
+  - **Newest** - Sorts alerts by when the alert was last seen on an endpoint. 
+  - **Time in queue** - Sorts alerts by the length of time an alert has been in the queue.
+  - **Severity** - Sorts alerts by their level of severity.
+
+2. Filter alerts by their **Severity** by opening the drop-down menu in the **Filter by** field and selecting one or more of the check boxes:
+
+  - High (Red) - Threats often associated with APT. These alerts pose a high risk due to the severity of the damage they might inflict on endpoints.
+  - Medium (Orange) - Threats considered to be abnormal or suspicious in nature such as anomalous registry modifications and loading of executable files.
+  - Low (Yellow) - Threats associated with prevalent malware and hack-tools that pose a lower risk to endpoints.
+
+3. Limit the queue to see alerts from various set periods by clicking the drop-down menu in the date range field (by default, this is selected as **6 months**):
+
+  - **1 day**
+  - **3 days**
+  - **7 days**
+  - **30 days**
+  - **6 months**
+
+  > **Note**&nbsp;&nbsp;You can change the sort order (for example, from most recent to least recent) by clicking the sort order icon ![the sort order icon looks like two arrows on top of each other](images/sort-order-icon.png)
+  
+### Related topics
+  
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](machines-view-windows-advanced-threat-protection.md)
+- [Submit files to the Windows Defender ATP Deep analysis feature](deep-analysis-windows-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-advanced-threat-protection.md)

windows/keep-secure/configure-endpoints-windows-advanced-threat-protection.md

@@ -0,0 +1,98 @@
+---
+title: Configure Windows Defender ATP endpoints (client onboarding)
+description: Use Group Policy to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service.
+keywords: configure endpoints, client onboarding, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Configure Windows Defender ATP endpoints (client onboarding)
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+You can use a Group Policy (GP) configuration package or an automated script to configure endpoints. You can deploy the GP configuration package or script with a GP update, or manually through the command line.
+
+## Configure with Group Policy
+Using the GP configuration package ensures your endpoints will be correctly configured to report to the Windows Defender ATP service.
+
+> **Note**&nbsp;&nbsp; To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. The endpoints must be running Windows 10 TAP.
+
+1.  Open the GP configuration package .zip file (*WindowsATPOnboardingPackage.zip*) that you downloaded during the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://seville.windows.com):
+
+    a.  Click **Client onboarding** on the **Navigation pane**.
+    
+    b.  Select **GP**, click **Download package** and save the .zip file.
+    
+2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called _*OptionalParamsPolicy*_ and the file _*WindowsATPOnboardingPackage.cmd*_.
+
+3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+
+4. In the **Group Policy Management Editor***, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
+
+5. Right-click **Scheduled tasks**, point to **New** and then click **Immediate task**.
+
+6. In the  **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
+
+7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
+
+8. Go to the **Actions** tab and click **New…** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared _*WindowsATPOnboardingPackage.cmd*_ file.
+
+9. Click **OK** and close any open GPMC windows.
+
+For additional settings, see the [Additional configuration settings section](additional-configuration-windows-advanced-threat-protection.md).
+
+## Configure with System Center Configuration Manager (SCCM)
+
+1. Open the SCCM configuration package .zip file (*WindowsATPOnboardingPackage.zip*) that you downloaded during the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://seville.windows.com):  <span style="background-color: yellow;">Naama: Confirm package name</span>
+
+  a. Click **Client onboarding** on the **Navigation pane**.
+  
+  b. Select **SCCM**, click **Download package** and save the .zip file. <span style="background-color: yellow;">Iaan: Need to confirm the UI for this</span>
+
+2.	Copy the .zip file to a shared, read-only location that can be accessed by the network administrators who will be deploying the package.
+
+<span style="background-color: yellow;">Iaan: Will confirm ui for this</span>
+
+3. In the SCCM console, go to **Software Library**.
+4. Under **Application Management**, right click **Packages** and select **Import**.
+5. Click Browse and choose the package that was downloaded from the portal (zip file).
+6. The package will appear under the Packages page.
+7. Right click the Package and choose deploy.
+8. Choose a predefined device collection to deploy the package to.
+
+<span style="background-color: yellow;">Naama note: If it’s a package we create then we’ll set the necessary privileges, otherwise provide guidance (Omri: what is the necessary privileges?)</span>
+
+## Configure endpoints manually with registry changes 
+You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this when first testing the service before you commit to onboarding all endpoints in your network.
+
+1.  Extract the contents of the configuration package to a location on
+    the endpoint you want to onboard (for example, the Desktop).
+
+2.  Open an elevated command line prompt on the endpoint and run the
+    script:
+
+    a.  Click **Start** and type **cmd**.
+    
+    b.  Right-click Command prompt and select **Run as administrator**.
+    
+    ![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
+
+3.  Type the location of the script file. If you copied the file the
+    desktop, type:
+```*%userprofile%\Desktop\WindowsATPOnboardingScript.sc*```
+
+4.  Press the  **Enter ** key or click  **OK**.
+
+See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reporting telemetry.
+
+## Related topics
+- [Windows Defender ATP service onboarding](service-onboarding-windows-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md)
+

windows/keep-secure/dashboard-windows-advanced-threat-protection.md

@@ -0,0 +1,87 @@
+---
+title: View the Windows Defender Advanced Threat Protection Dashboard 
+description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts.
+keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active threats, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+---
+
+# View the Windows Defender Advanced Threat Protection Dashboard 
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+The **Dashboard** displays a snapshot of:
+
+- The latest active alerts on your network
+- Top machines with active alerts
+- Alert trends
+- Alert mapping
+- Machines reporting
+- The overall status of Windows Defender ATP for the past 30 days
+
+You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
+
+From the **Dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
+
+## View ATP alerts
+You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**. 
+
+![Click on each slice or severity to see a list of alerts from the past 30 days](images/atp.png)
+
+Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**). 
+
+See the [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md) topic for more information.
+
+The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md) topics for more information.
+
+## View machines at risk
+This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to its label).
+
+![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png)
+
+Click the name of the machine to see details about that machine. See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-advanced-threat-protection.md#investigate-a-machine) topic for more information.
+
+You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](machines-view-windows-advanced-threat-protection.md) topic for more information.
+
+## Keep track of the overall status of your network
+The **Status** tile informs you if the service is active and running and the specific number of machines (endpoints) reporting to Windows Defender ATP.
+
+![The Status tile shows an overall indicator of the service and the total number of machines reporting to the service](images/status-tile.png)
+
+## See total number of reporting machines
+The **Machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily. Hover over individual bars on the graph to see the exact number of machines reporting in each day. 
+
+![The Machines reporting tile shows the number of machines reporting each day for the past 30 days](images/machines-reporting-tile.png)
+
+## Investigate machines with active threats
+The **Active malware** tile will only appear if your endpoints are using Windows Defender.
+
+Active malware is defined as threats that were actively executing at the time of detection.
+
+Hover over each bar to see the number of active detections (as **Threats**) and the number of endpoints with at least one active detection (as **Machines**) over the past 30 days.
+
+![The Machines with active threats tile shows the number of threats and machines for each threat category](images/machines-active-threats-tile.png)
+
+The chart is sorted into five categories:
+
+- **Password stealer** - threats that attempt to steal credentials.
+- **Ransomware** - threats that prevent user access to a machine or its files and demand payment to restore access.
+- **Exploit** - threats that use software vulnerabilities to infect machines.
+- **Threat** - all other threats that don't fit into the **Password stealer**, **Ransomware**, or **Exploit** categories. This includes trojans, worms, backdoors, and viruses.
+- **Low severity** - threats with a low severity, including adware and potentially unwanted software such as browser modifiers.
+
+Threats are considered "Active" if there is a very high probability that the malware was executing on your network, as opposed to statically located on-disk.
+
+Clicking on any one of these categories will navigate to the [Machines view](machines-view-windows-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active threats, and how many threats were detected per machine. 
+
+> **Note**&nbsp;&nbsp;The **Active malware** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+
+### Related topics
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](machines-view-windows-advanced-threat-protection.md)
+- [Submit files to the Windows Defender ATP Deep analysis feature](deep-analysis-windows-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-advanced-threat-protection.md)

windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,70 @@
+---
+title: Windows Defender ATP data storage and privacy 
+description: Learn about how Windows Defender ATP handles privacy and data that it collects.
+keywords: Windows Defender ATP data storage and privacy, storage, privacy
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+author: DulceMV 
+---
+
+# Windows Defender ATP data storage and privacy 
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
+
+## What data does Windows Defender ATP collect?
+
+Microsoft will collect and store information from your configured endpoints in a database specific to the service for administration, tracking, and reporting purposes.
+
+Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version).
+
+Microsoft stores this data in a Microsoft Azure security-specific data store, and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/43). 
+
+Microsoft uses this data to: 
+- Proactively identify indicators of attack (IOAs) in your organization 
+- Generate alerts if a possible attack was detected
+- Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. 
+
+We do not mine your data for advertising or for any other purpose other than providing you the service.
+
+## Do I have flexibility to select where to store my data?
+
+Yes. Data for this new service is stored in Microsoft Azure datacenters in the United States and European Union based on the geolocation properties you specify when you onboard to the service. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations in which your data will reside. Microsoft will not transfer the data from the specified geolocation except in specific circumstances during the TAP stage (see the question [Is there a difference between how you handle data for the TAP program and for General Availability?](Is-there-a-difference-between-how-Microsoft-handles-data-for-the-TAP-program-and-foR-General-Availability?). If you have concerns about storage of data in a particular country, please contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
+
+## Is my data isolated from other customer data?
+Yes. The new cloud service provides appropriate segregation at a number of levels, such as isolation of files, configurations, and telemetry data. Aside from data access authentication, simply keeping different data appropriately segregated provides well-recognized protection.
+
+## How do you prevent malicious insider activities and abuse of high privilege roles?
+
+Microsoft developers and administrators have, by design, been given sufficient privileges to carry out their assigned duties to operate and evolve the service. Microsoft deploys combinations of preventive, detective, and reactive controls including the following mechanisms to help protect against unauthorized developer and/or administrative activity:
+
+- Tight access control to sensitive data 
+- Combinations of controls that greatly enhance independent detection of malicious activity 
+- Multiple levels of monitoring, logging, and reporting 
+
+Additionally, Microsoft conducts background verification checks of certain operations personnel, and limits access to applications, systems, and network infrastructure in proportion to the level of background verification. Operations personnel follow a formal process when they are required to access a customer’s account or related information in the performance of their duties. 
+
+## Is data shared with other customers?
+No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing (for example, deep file analysis processing), and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
+
+## How long will Microsoft store my data? What is Microsoft’s data retention policy?
+Your data privacy is one of our key commitments for the cloud. For this service, at contract termination or expiration your data will be erased from Microsoft’s systems to make it unrecoverable after 90 days from contract termination or expiration. 
+
+## Can you help us maintain regulatory compliance?
+By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service. 
+Microsoft provides customers with detailed information about our security and compliance programs, including audit reports and compliance packages, to help customers assess our services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001.The service is designed, implemented and maintained according to the compliance and privacy principles of ISO 27001 as well as Microsoft’s compliance standards.
+
+## Is there a difference between how Microsoft handles data for the TAP program and for General Availability?
+When you onboard your service during TAP, you will be asked to choose to store your data in either a European or US datacenter. Your data will not be copied or moved outside of the datacenter you choose, except in the following specific circumstance:
+
+1.	You choose Europe as your datacenter, and
+2.	You [submit a file for deep analysis](deep-analysis-windows-advanced-threat-protection.md).
+
+In this circumstance, the submitted file will be sent to the US deep analysis laboratory. The results of the analysis will be stored in the European datacenter, and the file and data will be deleted from the US deep analysis laboratory and datacenter.
+ 
+This is a temporary measure as we work to integrate our deep analysis capabilities into the European datacenter. If you have any concerns or questions about submitting files for deep analysis and you are using a European datacenter, or if you’d like to be updated as to when the European deep analysis lab is online, email [winatp@microsoft.com](mailto:winatp@microsoft.com).

windows/keep-secure/deep-analysis-windows-advanced-threat-protection.md

@@ -0,0 +1,99 @@
+---
+title: Submit files to the Windows Defender ATP Deep analysis feature
+description: Submit a file to the deep analysis feature to see a detailed report on what the file does, associated artefacts, and changes it makes to machines.
+keywords: analysis, deep analysis, analyze, submit, submission, file, malware, threats, infection, executable, report, troubleshoot, sample, sample collection, behaviors, .exe, .dll, .scr
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+---
+
+# Submit files to the Windows Defender ATP Deep analysis feature
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data relating to the file you can submit the file for deep analysis. 
+
+The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs. 
+Deep analysis currently supports extensive analysis of PE (portable executable) files (including .exe and .dll files). 
+
+Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk.
+
+Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts. 
+
+## Submit files for analysis
+
+Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view. 
+
+In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis. 
+
+> **Note**&nbsp;&nbsp;Only files from Windows 10 can be automatically collected.
+
+You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/en-us/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available. 
+
+> **Note**&nbsp;&nbsp;Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
+
+When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications.
+
+**Submit files for deep analysis:**
+
+1. Select the file you want to submit for deep analysis. You can select or search a file from any of the following views: 
+  - Alerts - click the file links from the **Description** or **Details** in the Alert timeline 
+  - **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section 
+  - Search box - select **File** from the drop-down menu and enter the file name 
+2. In the **Deep analysis** section of the file view, click **Submit**. 
+
+![You can only submit PE files in the file details seciton](images/submit-file.png)
+
+>**Note**&nbsp;&nbsp;Only portable executable (PE) files are supported, including .exe and .dll files
+
+A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done. 
+
+> **Note**&nbsp;&nbsp;Depending on machine availability, sample collection time can vary. There is a 1-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file. 
+
+## View deep analysis report
+
+View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context. 
+
+You can view the comprehensive report that provides details on: 
+
+- Observed behaviors
+- Associated artifacts
+
+The details provided can help you investigate if there are indications of a potential attack. 
+
+**View deep analysis reports:**
+
+1. Select the file you submitted for deep analysis.
+2. Click **See the report below**. Information on the analysis is displayed.
+
+![The deep analysis report shows detailed information across a number of categories](images/analysis-results.png)
+
+## Troubleshooting deep analysis
+
+If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps. 
+
+**Troubleshoot deep analysis:**
+
+1. Ensure the file is a PE. PE files typically have .exe or .dll extensions (executable programs or applications).
+2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
+3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
+4. Verify the policy setting enables sample collection and try to submit the file again: 
+  1. Change the following registry entry and values to change the policy on specific endpoints:
+ ```
+HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
+  Value = 0 - block sample collection
+  Value = 1 - allow sample collection
+```
+6. Change the organizational unit through the GPO. See [Configure with Group Policy](additional-configuration-windows-advanced-threat-protection.md#configure-with-group-policy).
+7. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
+
+> **Note**&nbsp;&nbsp;If the value *AllowSampleCollection* is not available, the client will allow sample collection by default. 
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](machines-view-windows-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-advanced-threat-protection.md)

windows/keep-secure/investigate-alerts-windows-advanced-threat-protection.md

@@ -0,0 +1,183 @@
+---
+title: Investigate Windows Defender Advanced Threat Protection alerts
+description: Use the investigation options to get details on which alerts are affecting your network, what they mean, and how to resolve them.
+keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+---
+
+# Investigate Windows Defender Advanced Threat Protection alerts
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization. The **Dashboard** provides a quick view of active alerts, their severity levels, and information on the machines with the most active alerts. 
+
+You can investigate alerts by clicking an alert in [any of the alert queues](alerts-queue-windows-advanced-threat-protection.md).
+
+Reviewing the various alerts and their severity can help you take the appropriate action to protect your organization's endpoints.
+
+## Investigate a machine
+Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach. 
+
+You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
+
+- The [Machines view](machines-view-windows-advanced-threat-protection.md)
+- The [Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
+- The [Dashboard](dashboard-windows-advanced-threat-protection.md)
+- Any individual alert
+- Any individual file details view
+- Any IP address or domain details view
+
+When you investigate a specific machine, you'll see:
+
+- **Machine details**, **Machine IP Addresses**, and **Machine Reporting**
+- **Alerts related to this machine**
+- **Machine timeline**
+
+The machine details, IP, and reporting sections display some attributes of the machine such as its name, domain, OS, IP address, and how long it's been reporting telemetry to the Windows Defender ATP service.
+
+The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-advanced-threat-protection.md), and shows the date that the alert was detected, a short description of the alert, the alert's severity, the alert's threat category, and the alert's status in the queue.
+
+The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine.
+
+You'll see an aggregated view of alerts, a short description of the alert, details on the action taken, and which user ran the action. This helps you see significant activities or behaviors that occurred on a machine within your network in relation to a specific time frame. Several icons are used to identify various detections and their current state. For more information, see [Windows Defender ATP icons](Windows-Defender-ATP-icons).
+
+This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
+
+![The timeline shows an interactive history of the alerts seen on a machine](images/timeline.png)
+
+Use the search bar to look for specific alerts or files associated with the machine.
+
+You can also filter by:
+
+- Signed or unsigned files
+- Detections mode: displays Windows ATP Alerts and detections
+- Behaviors mode: displays "detections" and selected events of interest
+- Verbose mode: displays "behaviors" (including "detections"), and all reported events 
+- Logged on users, System, Network, or Local service
+
+Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the events of the current day. 
+
+Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and older.
+
+The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the **Alerts view** and click on the machine associated with the alert to jump to the specific date when the alert was observed, enabling you to investigate the events that took place around the alert.
+
+From the **Machine view**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line.
+
+From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the information to respond to events and keep your system secure.
+
+Windows Defender ATP monitors and captures questionable behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine. 
+
+![The process tree shows you a hierarchical history of processes and events on the machine](images/machine-investigation.png)
+ 
+**Investigate a machine:**
+
+1. Select the machine that you want to investigate. You can select or search a machine from any of the following views:
+  - **Dashboard** - click the machine name from the **Top machines with active alerts** section
+  - **Alerts queue** - click the machine name beside the machine icon
+  - **Machines view** - click the heading of the machine name 
+  - **Search box** - select **Machine** from the drop-down menu and enter the machine name 
+2. Information about the specific machine is displayed. 
+
+
+**Use the machine timeline**
+
+1. Use the sort and filter feature to narrow down the search results. 
+2. Use the timeline search box to filter specific indicators that appear in the machine timeline.
+3. Click the expand icon ![The expand icon looks like a plus symbol](images/expand.png) in the timeline row or click anywhere on the row to see additional information about the alert, behavior, or event. 
+
+## Investigate a file
+Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. 
+
+You can get information from the following sections in the file view:
+
+- File details
+- Deep analysis
+- File in organization
+- Observed in organization
+
+The file details section shows attributes of the file such as its MD5 and its prevalence worldwide.
+
+The **Deep analysis** section provides the option of submitting a file for deep analysis to gain detailed visibility on observed suspicious behaviors, and associated artifacts. For more information on submitting files for deep analysis, see the **Deep analysis** topic.
+
+The **File in organization** section provides details on the prevalence of the file and the name observed in the organization. 
+
+The **Observed in organization** section provides a chronological view on the events and associated alerts that were observed on the file. 
+
+You'll see a list of machines associated with the file and a description of the action taken by the file.
+
+**Investigate a file**
+
+1. Select the file you want to investigate. You can select a file from any of the following views or use the Search box:
+  - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
+  - Machines view - click the file links in the **Description** or **Details** columns in the **Observed on machine** section 
+  - Search box - select **File** from the drop-down menu and enter the file name 
+2. View the file details.
+3. Use the search filters to define the search criteria. You can also use the timeline search box to further filter displayed search results.
+
+## Investigate an IP address
+
+Examine possible communication between your machines and external internet protocol (IP) addresses.
+
+Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.
+
+You can information from the following sections in the IP address view:
+
+- IP address details
+- IP in organization
+- Communication with IP from organization
+
+The IP address details section shows attributes of the IP address such as its ASN and its reverse IPs.
+
+The **IP in organization** section provides details on the prevalence of the IP address in the organization. 
+
+The **Communication with IP in organization** section provides a chronological view on the events and associated alerts that were observed on the IP address. 
+
+**Investigate an external IP:**
+
+1. Select **IP** from the **Search bar** drop-down menu.
+2. Enter the IP address in the **Search** field. 
+3. Click the search icon or press **Enter**. 
+
+Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of machines in the organization that communicated with this IP Address (during selectable time period), and the machines in the organization that were observed communicating with this IP address. 
+
+> **Note**&nbsp;&nbsp;Search results will only be returned for IP addresses observed in communication with machines in the organization.
+
+Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the IP address, the file associated with the communication and the last date observed.
+
+Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. 
+
+## Investigate a domain
+
+Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. 
+
+You can see information from the following sections in the URL view:
+
+- URL details
+- URL in organization
+- Prevalence in organization
+- Communication with URL from organization
+
+The URL address details section shows attributes of the URL such as its contacts and nameservers.
+
+The **URL in organization** section provides details on the prevalence of the URL in the organization. 
+
+The **Communication with URL in organization** section provides a chronological view on the events and associated alerts that were observed on the URL.
+
+**Investigate a domain:**
+
+1. Select **URL** from the **Search bar** drop-down menu. 
+2. Enter the URL in the **Search** field. 
+3. Click the search icon   or press **Enter**. Details about the URL are displayed. Note: search results will only be returned for URLs observed in communications from machines in the organization.
+4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the URL, the file associated with the communication and the last date observed.
+5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
+- [Submit files to the Windows Defender ATP Deep analysis feature](deep-analysis-windows-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-advanced-threat-protection.md)

windows/keep-secure/machines-view-windows-advanced-threat-protection.md

@@ -0,0 +1,74 @@
+---
+title: Investigate machines in the Windows Defender ATP Machines view
+description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view.
+keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, active threats, threat category, filter, sort, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, low severity
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+---
+
+# Investigate machines in the Windows Defender ATP Machines view
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of threats. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting telemetry in your network. 
+
+Use the Machines view in these two main scenarios: 
+
+- **During onboarding**
+  - During the onboarding process, the Machines view gradually gets populated with endpoints as they begin to report telemetry. Use this view to track your onboarded endpoints as they appear. Use the available features to sort and filer to see which endpoints have most recently reported telemetry, or download the complete endpoint list as a CSV file for offline analysis. 
+- **Day-to-day work**
+  - The **Machines view** enables you to identify machines that are most at risk in a glance. High-risk machines are those with the greatest number and highest-severity alerts. By sorting the machines by risk, you'll be able to identify the most vulnerable machines and take action on them. 
+
+The Machines view contains the following columns: 
+
+- **Machine name** - the name or GUID of the machine 
+- **Domain** - the domain the machine belongs to
+- **Last seen** - when the machine last reported telemetry 
+- **Internal IP** - the local internal Internet Protocol (IP) address of the machine 
+- **Active Alerts** - the number of alerts reported by the machine by severity
+- **Active threats** - the number of active threats reported by the machine
+
+> **Note**&nbsp;&nbsp;The **Active threats** and **Threat category** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. 
+
+Click any column header to sort the view in ascending or descending order. 
+
+![Screenshot of the Machines view on the portal](images/machines-view.png)
+
+You can sort the **Machines view** by **Machine name**, **Last seen**, **IP**, **Alerts**, and **Active threats**. Scroll down the **Machines view** to see additional machines. 
+
+The view contains two filters: time and threat category.
+
+You can filter the view by the following time periods: 
+
+- 1 day 
+- 3 days 
+- 7 days 
+- 30 days 
+- 6 months 
+
+> **Note**&nbsp;&nbsp;When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period. 
+
+The threat category filter lets you filter the view by the following categories: 
+
+- Password stealer
+- Ransomware
+- Exploit
+- Threat
+- Low severity
+
+See the [Investigate machines with active alerts](dashboard-windows-advanced-threat-protection.md#investigate-machines-with-active-threats) topic for a description of each category.
+
+You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file. 
+
+ **Note**: Exporting the list depends on the number of machines in your organization. It can take a significant amount of time to download, depending on how large your organization is. 
+Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself. 
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
+- [Submit files to the Windows Defender ATP Deep analysis feature](deep-analysis-windows-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-advanced-threat-protection.md)

windows/keep-secure/manage-alerts-windows-advanced-threat-protection.md

@@ -0,0 +1,134 @@
+---
+title: Manage Windows Defender Advanced Threat Protection alerts
+description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu.
+keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+---
+
+# Manage Windows Defender Advanced Threat Protection alerts
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+Windows Defender ATP notifies you of detected, possible attacks or breaches through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu. 
+
+See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts) topic for more details on how to investigate alerts.
+
+Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the top of the alert to access the Manage Alert menu and manage alerts. 
+
+![The manage alert menu lets you change the status of an alert, create suppression rules, or enter comments](images/manage-alert-menu.png)
+
+The **Manage alert** icon appears on the alert's heading in the **New**, **In Progress**, or **Resolved** queues, and on the details page for individual alerts. 
+
+You can use the **Manage Alert** menu to:
+
+- Change the status of an alert
+- Resolve an alert
+- Suppress alerts so they won't show up in the **Alerts queue** from this point onwards
+- View the history and comments of an alert
+
+## Change the status of an alert
+
+You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts.
+
+For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis.
+
+Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
+
+**Change an alert's status:**
+
+1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of the alert.
+2. Choose the new status for the alert (the current status is highlighted in bold and appears on the alert).
+
+## Resolve an alert
+
+You can resolve an alert by changing the status of the alert to **Resolved**. This causes the **Resolve conclusion** window to appear, where you can indicate why the alert was resolved and enter any additional comments.
+
+![You can resolve an alert as valid, valid - allowed, or false alarm](images/resolve-alert.png)
+
+The comments and change of status are recorded in the [Comments and history window](#view-history-and-comments).
+
+![The comments window will display a history of status changes](images/comments.png)
+
+
+## Suppress alerts
+
+Windows Defender ATP lets you create suppression rules so you can limit the alerts you see in the **Alerts queue**. 
+
+Suppression rules can be created from an existing alert. 
+
+When a suppression rule is created, it will take effect from this point onwards. It will not affect existing alerts already in the queue, but new alerts triggered after the rule is created will not be displayed.
+
+There are two contexts for a suppression rule that you can choose from: 
+
+- **Suppress alert on this machine**
+- **Suppress alert in my organization**
+
+The context of the rule lets you tailor the queue to ensure that only alerts you are interested in will appear. You can use the examples in the following table to help you choose the context for a suppression rule: 
+
+**Context** | **Definition** |**Example scenarios**
+---|---|---
+**Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed. <br /><br />All other alerts on that machine will not be suppressed. | <ul><li>A security researcher is investigating a malicious script that has been used to attack other machines in your organization.</li><li>A developer regularly creates PowerShell scripts for their team.</li></ul>
+**Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. | <ul><li>A benign administrative tool is used by everyone in your organization.</li></ul>
+
+**Suppress an alert and create a suppression rule:**
+
+1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of an existing alert.
+2. Choose the context for suppressing the alert.
+
+> **Note**&nbsp;&nbsp;You cannot create a custom or blank suppression rule. You must start from an existing alert.
+
+**See the list of suppression rules:**
+
+1. Click the settings icon ![The settings icon looks like a cogwheel or gear](images/settings.png) on the main menu bar at the top of the Windows Defender ATP screen.
+2. Click **Suppression rules**.
+
+![Click the settings icon and then Suppression rules to create and modify rules](images/suppression-rules.png)
+
+> **Note**&nbsp;&nbsp;You can also click **See rules** in the confirmation window that appears when you suppress an alert. 
+
+The list of suppression rules shows all the rules that users in your organization have created.
+Each rule shows: 
+
+- (1) The title of the alert that is suppressed
+- (2) Whether the alert was suppressed for a single machine (clicking the machine name will allow you to investigate the machine) or the entire organization
+- (3) The date when the alert was suppressed 
+- (4) An option to delete the suppression rule, which will cause alerts with this title to be displayed in the queue from this point onwards.
+
+![Suppression rules show the rule name or title, the context, the date, and an icon to delete the rule](images/rules-legend.png)
+
+## View the history and comments of an alert
+You can use the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to see a list of previous changes and comments made to the alert and to add new comments. You can also use the menu to open multiple alerts in different tabs so you can compare several alerts at the same time.
+
+Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** window.
+
+**See the history of an alert and its comments:**
+
+1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of the alert.
+2. Click **Comments and history** to view related comments and history on the alert.
+
+Comments are indicated by a message box icon (![The comments icon looks like a speech bubble](images/comments-icon.png)) and include the username of the commenter and the time the comment was made. 
+
+**Add a new comment:**
+
+1. Type your comment into the field.
+2. Click **Post Comment**.
+
+The comment will appear instantly.
+
+You will also be prompted to enter a comment if you change the status of an alert to **Resolved**.
+
+Changes are indicated by a clock icon (![The changes icon looks like an analog clock face](images/changes-icon.png)), and are automatically recorded when: 
+
+- The alert is created
+- The status of the alert is changed 
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](machines-view-windows-advanced-threat-protection.md)
+- [Submit files to the Windows Defender ATP Deep analysis feature](deep-analysis-windows-advanced-threat-protection.md)

windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,73 @@
+---
+title: Minimum requirements for Windows Defender Advanced Threat Protection
+description: Minimum network and data storage configuration, endpoint hardware and software requirements, and deployment channel requirements for Windows Defender ATP.
+keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, endpoint, endpoint configuration, deployment channel
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+---
+
+# Minimum requirements for Windows Defender ATP
+
+**Applies to**
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+There are some minimum requirements for onboarding your network and endpoints.
+
+## Minimum requirements
+
+### Network and data storage and configuration requirements
+Your organization must use Azure Active Directory (AAD) to manage users. AAD is used during
+service onboarding to manage user-based access to the [Windows Defender ATP portal](https://seville.windows.com/).
+
+If you’d like help with using AAD to set up user access, contact the
+[Windows Defender ATP Yammer group](https://www.yammer.com/wsscengineering/#/threads/inGroup?type=in_group&feedId=6869350&view=all) 
+https://www.yammer.com/wsscengineering/\#/threads/inGroup?type=in\_group&feedId=7108776&view=all
+or email [winatp@microsoft.com](mailto:winatp@microsoft.com).
+
+When you run the onboarding wizard for the first time, you must choose
+where your Windows Defender ATP-related information is stored: in either
+a European or United States datacenter.
+
+> **Notes**&nbsp;&nbsp;
+-   You cannot change your data storage location after the
+    first-time setup.
+-   Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how
+    Microsoft stores your data.
+
+### Endpoint hardware and software requirements
+Endpoints on your network must run the Testing and Adoption Program
+version of Windows 10 (Windows 10 TAP). The hardware requirements for
+Windows Defender ATP on endpoints is the same as those for Windows 10
+TAP.
+
+> **Note**&nbsp;&nbsp; Endpoints that are running Windows
+Server and mobile versions of Windows are not supported.
+
+Internet connectivity on endpoints is also required. See the
+[Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md)
+section for additional proxy configuration settings.
+
+Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10 TAP, but if it has been
+disabled you can turn it on by following the instructions in the
+[Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md) section.
+
+### Deployment channel operating system requirements
+
+You can choose to onboard endpoints with a scheduled Group Policy
+(GP) update (using a GP package that you
+download from the portal or during the service onboarding wizard) or
+manual registry changes.
+
+The following describes the minimum operating system or software version
+required for each deployment channel.
+
+Deployment channel | Minimum server requirements 
+:---|:---
+Group Policy settings | Windows Server 2008 R2
+Manual registry modifications | No minimum requirements
+

windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md

@@ -0,0 +1,95 @@
+---
+title: Monitor the Windows Defender ATP onboarding 
+description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports.
+keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Monitor the Windows Defender Advanced Threat Protection onboarding
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+You can monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports.
+
+You might need to monitor the onboarding if the package did not configure the registry correctly, or the reporting client did not start or execute correctly.
+
+Monitoring can be done directly on the portal, or by using System Center Configuration Manager (SCCM).
+
+## Monitor with the portal
+
+1.  Go to the [Windows Defender ATP portal](https://seville.windows.com).
+
+2.  Click **Machines view**.
+
+3.  Verify that endpoints are appearing.
+
+
+> **Note**&nbsp;&nbsp;It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the Group Policy (GP) update to be distributed to the endpoint, the time it takes before the user logs on or initiates a GP update, and the time it takes for the endpoint to start reporting to the portal.
+
+## Monitoring with System Center Configuration Manager 
+
+Monitoring with SCCM consists of two parts: 
+
+1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network.
+
+2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service).
+
+**To confirm the configuration package has been correctly deployed:**
+
+1. In the SCCM console, click on **Monitoring** at the bottom of the navigation pane.
+
+2. Click on **Overview** and then **Deployments**.
+
+3. Click on the deployment with the package name. <span style="background-color: yellow;">What is the name of the deployment, will it always be the same for every user/installation?</span>
+
+4. Review the status indicators under **Completion Statistics** and **Content Status**.
+
+If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to perform troubleshooting steps on the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md) topic for more information.
+
+<span style="background-color: yellow;">Naama: Is this a correct process for idendtifying/resolving issues?</span>
+
+![image](images/sccm-deployment.png)
+
+**To check that your endpoints are compliant:**
+
+1. Get the *compliance.cab* file from the SCCM configuration package .zip file (*WindowsATPOnboardingPackage.zip*) that you downloaded during the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://seville.windows.com):
+
+  1. Click **Client onboarding** on the **Navigation pane**.
+  2. Select **SCCM**, click **Download package** and save the .zip file. <span style="background-color: yellow;">Iaan: Need to confirm the UI for this</span>
+  3. Extract the *compliance.cab* file from the package.
+
+2. In the SCCM console, click on **Assets and Compliance** at the bottom of the navigation pane.
+
+3. Click on **Overview** and then **Compliance Settings**. 
+
+4. In the main area of the SCCM console, click on **Configuration Baselines** and import the provided cab. <span style="background-color: yellow;">Iaan: Need to confirm that 'import' is available/ UI is correct</span> 
+ 
+5. Right click the imported baseline and deploy to a predefined device collection. <span style="background-color: yellow;">Naama: Is this 'export' as in the screenshot, or is that showing something else?</span> 
+ 
+  ![image](images/export-sccm.png)  
+  
+  <span style="background-color: yellow;">Iaan: Need to confirm this is what it looks like</span>
+
+6. In the SCCM console, click on **Monitoring** at the bottom of the navigation pane. 
+
+7. Click on **Overview** and then **Deployments**. 
+
+8. Click on the deployment with the package name <span style="background-color: yellow;">Naama: What is the name of the deployment, will it always be the same for every user/installation?</span>
+
+<span style="background-color: yellow;">Naama: How does one know if there is an issue?</span>
+
+If there are non-compliant endpoints (endpoints with ?????), you may need to perform troubleshooting steps on the endpoints. See the [Troubleshoot Windows Defender ATP onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md) topic for more information.
+
+<span style="background-color: yellow;">Naama: Is this a correct process for resolving issues?</span>
+
+## Related topics
+- [Windows Defender ATP service onboarding](service-onboarding-windows-advanced-threat-protection.md)
+- [Configure Windows Defender ATP endpoints (client onboarding)](configure-endpoints-windows-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md)

windows/keep-secure/onboard-configure-windows-advanced-threat-protection.md

@@ -0,0 +1,37 @@
+---
+title: Onboard endpoints and set up the Windows Defender ATP user access
+description: Set up user access in Azure Active Directory and use Group Policy or do manual registry changes to onboard endpoints to the service.
+keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Onboard endpoints and set up the Windows Defender ATP user access 
+
+**Applies to**
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+You need to onboard to Windows Defender ATP before you can use the service.
+
+There are two stages to onboarding:
+
+1.  Set up user access in AAD and use a wizard to create a dedicated
+    cloud instance for your network (known as “service onboarding”).
+
+2.  Add endpoints to the service with scheduled GP updates or manual
+    registry changes (known as “endpoint onboarding”).
+
+## In this section
+Topic | Description 
+:---|:---
+[Windows Defender ATP service onboarding](service-onboarding-windows-advanced-threat-protection.md) | Learn about managing user access to the Windows Defender ATP portal by assigning users to the Windows Defender ATP service application in ADD.
+[Configure Windows Defender ATP endpoints (client onboarding)](configure-endpoints-windows-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn how you can use the configuration package to configure endpoints in your enterprise.
+[Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-advanced-threat-protection.md) | Learn how you can monitor the onboarding to ensure your endpoints are correctly configured and are sending telemetry reports. 
+[Additional Windows Defender ATP configuration settings](additional-configuration-windows-advanced-threat-protection.md) | This topic describes the steps you need to take to configure settings for sample sharing used in the deep analysis feature.
+[Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md) | This topic contains information on how you can resolve issues that might arise during onboarding.

windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,64 @@
+---
+title: Windows Defender Advanced Threat Protection portal overview
+description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
+keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, client onboarding, advanced attacks
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+author: DulceMV
+---
+
+# Windows Defender Advanced Threat Protection portal overview
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+
+Enterprise security teams can use the portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches. 
+
+You can use the [Windows Defender ATP portal](https://seville.windows.com/) to:
+- View, sort, and triage alerts from your endpoints
+- Search for more information on observed indicators such as files and IP Addresses
+- Change Windows Defender ATP settings, including time zone and alert suppression rules
+
+## Windows Defender ATP portal 
+When you open the portal, you’ll see the main areas of the application:
+- (1) Settings
+- (2) Navigation pane
+- (3) Main portal
+- (4) Search bar
+ 
+ 
+ ![Windows Defender Advanced Threat Protection portal](images/portal.png)
+ 
+You can navigate through the portal using the menu options available in all sections. Refer to Table 3 for a description of each section.
+
+Area | Description 
+:---|:---
+(1) Launcher |	Use the launcher to quickly go to your Windows Security Center portal and select from available services.
+(2) Windows Security Center home | Opens the Windows Security Center home.
+(3) Settings | Provides access to configuration settings such as time zone, alert suppression rules, and license information.
+(4) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Client onboarding**.
+|**Dashboard**	| Provides clickable tiles that open detailed information on various alerts that have been detected in your organization. 
+|**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
+|**Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
+|**Preferences setup**|	Shows the settings you selected during [service onboarding](service-onboarding-windows-advanced-threat-protection.md), and lets you update your industry preferences and retention policy period.
+|**Client onboarding**|	Allows you to download the onboarding configuration package.
+(5) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view.|
+(6) Search | Search for machines, files, external IP Addresses, or domains across endpoints. The drop-down combo box allows you to select the entity type.|
+
+## Windows Defender ATP icons
+The following table provides information on the icons used all throughout the portal:
+
+Icon | Description 
+:---|:---
+|![Alert icon](images/alert-icon.png)| Alert – Indication of an activity correlated with advanced attacks.
+| ![Detection icon](images/detection-icon.png)| Detection – Indication of a malware threat detection. 
+| ![Active threat icon](images/active-threat-icon.png)| Active threat – Threats actively executing at the time of detection. 
+| ![Remediated icon](images/remediated-icon.png)| Remediated – Threat removed from the machine
+|![Not remediated icon](images/not-remediated-icon.png)| Not remediated – Threat not removed from the machine. 
+
+### Related topic
+[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)

windows/keep-secure/service-onboarding-windows-advanced-threat-protection.md

@@ -0,0 +1,119 @@
+---
+title: Windows Defender ATP service onboarding
+description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal.
+keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Windows Defender ATP service onboarding
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+You have to assign users to the Windows ATP Service application in Azure Active Directory (AAD) before they can access the portal.
+
+**Manage user access to the Windows Defender ATP portal**:
+
+1.  When you first go to the [Windows Defender ATP
+    portal](https://seville.windows.com/) and your directory does not
+    have users assigned to the Windows ATP Service application, you will
+    be directed to open the [Microsoft Azure Dashboard](https://portal.azure.com) to manage user access. 
+
+    > **Note**&nbsp;&nbsp; In AAD, a directory is essentially a tenant. See the [Azure AD documentation](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx) for more information on how tenants work with AAD.
+    
+2.  Ensure you have logged in to Microsoft Azure with an account that
+    has permissions to assign users to an application in AAD. You might
+    need to sign out of Microsoft Azure and then sign back in again if
+    you used a different account to sign in to the Windows Defender ATP
+    portal:
+
+    a.  On the top menu, click the signed-in user’s name.
+    
+    b.  Click **Sign out**. 
+    
+    ![Azure sign out](images/azure-signout.png)
+    
+    c.	Go the [Microsoft Azure Dashboard](https://portal.azure.com) again where you will be asked to sign in.
+    
+    d.	Sign in with the correct user name and password for an account that has permissions to assign users in AAD.
+
+3. On the ** Microsoft Azure Dashboard**, click ** Browse** in the navigation pane and then click **Active Directory** to open the [Azure Management Portal](https://manage.windowsazure.com/). 
+
+    ![Azure Active Directory menu](images/azure-browse.png)
+
+4. You might need to open the **Directory** section of the [Azure Management Portal](https://manage.windowsazure.com/) so you can access your directory. There are two ways you can do this:
+
+    a.  Click the arrow icon above the list of directories to see the full list of directories in the main area of the portal.
+    
+    ![Azure organization menu](images/azure-org-directory.png)
+    
+    b. Scroll down in the navigation pane and click **Active Directory**.
+    
+    ![Azure active directory](images/azure-active-directory.png)
+        
+5. Click the directory that contains the Windows Defender ATP application. In the following example, the directory is
+    called **Contoso**.
+    
+     ![Azure active directory list](images/azure-active-directory-list.png)
+    
+    > **Note**&nbsp;&nbsp;You can also access your directory by going straight to the [Azure Management Portal](https://manage.windowsazure.com/), clicking Active Directory and then finding your directory in the list.
+
+6. Click **Applications** from the top menu bar.
+
+    ![Example organization in Azure Active Directory](images/contoso.png)
+
+7. Click the **Windows ATP Service** application. The dashboard for the application is shown.
+
+    ![Example selected organization in Azure Active Directory](images/contoso-application.png)
+
+    > **Note**&nbsp;&nbsp; The application might have a slightly different name than the one shown here. It might be called **Windows Defender ATP Service**.
+
+8. Click **Users** from the top menu bar. A list of users that are in the directory is displayed.
+
+    ![Example windows atp service users](images/windows-atp-service.png)
+    
+    ![Example user assignment to the windows atp service](images/assign-users.png)
+    
+    > **Note**&nbsp;&nbsp; If you do not normally work with AAD, you might not see any users in the directory, or we might have created a test tenant specifically for a single user’s account. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md) section for instructions on adding users to a directory.
+
+9. Select the user you want manage.
+
+10. Click **Assign**.
+
+11. Confirm that you want to enable access for the user from the notification bar. If you click **Yes**, the user is given access to the Windows Defender ATP portal.  One or more progress bars will appear that indicates the user is being assigned a role, and you will see confirmation messages. You don’t need to do anything with the messages; they will go away after a short period of time.
+
+    ![Confirmation page to enable access to users](images/confirm-user-access.png)
+
+12. To remove the user's access, click **Remove**.
+
+13. Select the **Disable access to this app for the selected users** checkbox, and then click **Complete** ![Complete icon](images/check-icon.png). One or more progress bars will appear, followed by confirmation messages. The messages will disappear after a short period.
+
+    ![Remove menu](images/remove-menu.png)
+
+14. To remove the access for all users, click **Manage access**. If you click **Complete** ![Complete icon](images/check-icon.png), you will not see the Windows ATP Service in the list of applications in your directory. 
+
+    > **Note**&nbsp;&nbsp; If you want to give access to users again, see the Manage access for all users in Azure Active Directory topic in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md). 
+
+15. You can continue assigning roles for other users in your organization now, or you can return to the Windows Defender ATP portal to complete the service onboarding wizard.
+
+    > **Note**&nbsp;&nbsp; You need to assign roles for every user in your organization that requires access to the Windows Defender ATP portal. You can assign roles at any time by going to the Azure Management Portal, clicking **Active Directory** and then finding your directory in the list and following the steps above.
+
+When you have finished assigning roles, return to the [Windows Defender ATP portal](https://seville.windows.com) and refresh the
+page.
+
+Follow the steps in the onboarding wizard to complete the onboarding process.
+
+At the end of the wizard, you can download the Group Policy configuration package which you will use to configure endpoints on your network. You can also download the package from the **Client onboarding** menu on the portal after you have completed the onboarding wizard.
+
+## Related topics
+- [Configure Windows Defender ATP endpoints (client onboarding)](configure-endpoints-windows-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md)
+
+

windows/keep-secure/settings-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,54 @@
+---
+title: Windows Defender Advanced Threat Protection settings
+description: Use the menu to configure the time zone, suppression rules, and view license information.
+keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+author: DulceMV
+---
+
+# Windows Defender Advanced Threat Protection settings
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+Use the **Settings** menu ![Settings icon](images/settings-icon.png) to configure the time zone, suppression rules, and view license information.
+
+## Time zone settings
+The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks.
+
+Cyberforensic investigations often rely on time stamps to piece together the sequence of events. It’s important that your system reflects the correct time zone settings.
+
+Windows Defender ATP can display either Coordinated Universal Time (UTC) or local time.
+
+Your current time zone setting is shown in the Windows Defender ATP menu. You can change the displayed time zone in the **Settings** menu ![Settings icon](images/settings-icon.png).
+
+### UTC time zone
+Windows Defender ATP uses UTC time by default.
+
+Setting the Windows Defender ATP time zone to UTC will display all system timestamps (alerts, events, etc.) in UTC for all users. Choosing this setting means that all users will see the same timestamps in Windows Defender ATP, regardless of their regional settings. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events.
+
+### Local time zone
+You can choose to have Windows Defender ATP use local time zone settings. All alerts and events will be displayed using your local time zone.
+
+The local time zone is taken from your machine’s regional settings. If you change your regional settings, the Windows Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in Windows Defender ATP will be aligned to local time for all Windows Defender ATP users. Analysts located in different global locations will now see the Windows Defender ATP alerts according to their regional settings.
+
+Choosing to use local time can be useful if the analysts are located in a single location. In this case it might be easier to correlate events to local time, for example – when a local user clicked on a suspicious email link.
+
+### Set the time zone
+The Windows Defender ATP time zone is set by default to UTC.
+Setting the time zone also changes the times for all Windows Defender ATP views.
+To set the time zone:
+
+1.	Click the **Settings** menu ![Settings icon](images/settings-icon.png).
+2.	Select the **Timezone:UTC** indicator.
+3.	The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**.
+
+## Suppression rules
+The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. See [Suppress alerts](manage-alerts-windows-advanced-threat-protection.md#suppress-alerts).
+
+## License
+Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.

windows/keep-secure/troubleshoot-onboarding-windows-advanced-threat-protection.md

@@ -0,0 +1,101 @@
+---
+title: Troubleshoot Windows Defender ATP onboarding issues
+description: Troubleshoot issues that might arise during the onboarding of endpoints or to the Windows Defender ATP service.
+keywords: troubleshoot onboarding, onboarding issues, event viewer, azure management portal, data collection and preview builds
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues 
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+You might need to troubleshoot the onboarding process if you encounter issues.
+
+## Add users to an Azure Active Directory
+If you don’t see any users in the [Azure Management Portal](https://manage.windowsazure.com/) during the service onboarding stage, you might need to add users to the directory first.
+
+1.  Go to the Azure Management Portal and select the directory you want to manage.
+
+2.  Click **Users** from the top menu bar.
+    
+    ![Example Azure Management Portal organization](images/contoso-users.png)
+
+3.  Click **Add user** from the menu bar at the bottom.
+
+    ![Add user menu](images/add-user.png)
+
+4.  Select the type of user and enter their details. There might be multiple steps in the **Add user** dialog box depending on the type of user. When you’re done, click **Complete** ![Check icon](images/check-icon.png) or **OK**.
+
+5.  Continue to add users. They will now appear in the **Users** section of the **Windows ATP Service** application. You must assign the user a role before they can access the [Windows Defender ATP portal](https://seville.windows.com/).
+
+## Manage access for all users in Azure Active Directory
+If you remove access for all users to the Windows ATP Service application (by clicking Manage access), you will not see the application in the list of applications in your directory in the [Azure Management Portal](https://manage.windowsazure.com/).
+
+Gain access to the application in the Azure Management Portal again:
+
+1.  Sign in to the [Windows Defender ATP portal](https://seville.windows.com/) with the user account you want to give access to.
+
+2.  Confirm you have signed in with the correct details, and click **Accept**.
+
+3.  Go to the [Azure Management Portal](https://manage.windowsazure.com/) and navigate to your directory. You will see the **Windows ATP Service** application in the **Applications** section again.
+
+## Ensure the telemetry and diagnostics service is enabled
+
+If the endpoints aren’t reporting correctly, you might need to check that the Windows 10 TAP telemetry and diagnostics service is enabled on the endpoint.
+
+1.  Follow the instructions at
+    [https://technet.microsoft.com/library/mt577208%28v=vs.85%29.aspx\#BKMK\_UTC] (https://technet.microsoft.com/library/mt577208%28v=vs.85%29.aspx#BKMK_UTC)
+
+2.  Attempt to [onboard the endpoint](onboard-configure-windows-advanced-threat-protection.md#onboard-endpoints-and-set-up-the-windows-defender-atp-user-access).
+
+## Configure proxy and Internet connectivity
+
+The endpoints must be able to connect to the Internet and send their data outside of your organization’s network. You might need to set additional proxy configurations to ensure endpoints can report correctly.
+
+1.  Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
+
+2.  In the **Group Policy Management Editor**, go to **Computer configuration**.
+
+3.  Click **Policies**, then **Administrative templates**.
+
+4.  Click **Windows components** and then **Data Collection and Preview Builds**.
+
+5.  Click **Configure connected user experiences and telemetry** and then
+    configure the GP. The GP accepts a string in the following format:
+    ```<server name or IP>:<port>```
+
+## Review errors on endpoints with Event Viewer
+
+You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints, or check the status of machines from the [Windows Defender ATP portal](https://seville.windows.com/).
+
+For example, if endpoints are not appearing in the **Machines view** list,you might need to look for event IDs on the endpoints.
+
+> **Note**&nbsp;&nbsp; It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
+
+1.  Click **Start** and type **Event Viewer**.
+
+2.  In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to
+    open the log.
+
+    > **Note**&nbsp;&nbsp; SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+
+3.  Events recorded by the service will appear in the log. See following table for a list of solutions to common errors.
+
+Message | Action
+:---|:---
+Windows Advanced Threat Protection Service failed to connect to server at ```<variable>``` | Check the connection to the URL. See [Configure proxy and Internet connectivity](Configure-proxy-and-Internet-connectivity). |
+  Windows Advanced Threat Protection Service failed to read onboarding parameters. Failure code: ```<variable>``` | Check that GP settings are correct and there are not settings impacting permissions in the policy. |
+Windows Advanced Threat Protection Service failed to persist onboarding information. Failure code: ```<variable>``` | Check that GP settings are correct and there are not settings impacting permissions in the policy.|
+
+
+## Related topics
+- [Windows Defender ATP service onboarding](service-onboarding-windows-advanced-threat-protection.md)
+- [Configure Windows Defender ATP endpoints (client onboarding)](configure-endpoints-windows-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-advanced-threat-protection.md)

windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,24 @@
+---
+title: Troubleshoot Windows Defender Advanced Threat Protection
+description: Find solutions and work arounds to known issues such as server errors when trying to access the service.
+keywords: troubleshoot Windows Defender Adavanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+author: mjcaparas
+---
+# Troubleshoot Windows Defender Advanced Threat Protection
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+This section addresses issues that might arise as you use the service.
+
+###Server error - Access is denied due to invalid credentials 
+If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings.
+Configure your browser to allow cookies. 
+
+### Related topic
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md)

windows/keep-secure/use-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,57 @@
+---
+title: Use the Windows Defender Advanced Threat Protection portal
+description: Learn about the features on Windows Defender ATP portal, including how alerts work, and suggestions on how to investigate possible breaches and attacks.
+keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, 
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+---
+
+# Use the Windows Defender Advanced Threat Protection portal
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+A typical security breach investigation requires a member of a security operations team to:
+
+1. View an alert on the **Dashboard** or **Alerts queue**
+2. Review the indicators of compromise (IOC) or indications of attack (IOAs)
+3. Review a timeline of alerts, behaviors, and events from the machine
+4. Manage alerts, understand the threat/potential breach, collect information to support taking action, and resolve the alert
+
+![Flowchart describing the four stages of investigation](images/overview.png)
+ 
+Security operation teams can use Windows Defender ATP Portal to carry out this end-to-end process without having to leave the portal.
+Teams can monitor the overall status of enterprise endpoints from the **Dashboard**, gain insight on the various alerts, their category, when they were observed, and how long they’ve been in the network at a glance.
+
+## Windows Defender ATP alerts
+Alerts in the portal help to notify you of detected threat behaviors or activities on your endpoints.
+The **Dashboard** and **Alerts queue** provide important information about your endpoints that can help you address alerts.
+The **Dashboard** groups active alerts into **New** or **In progress** queues, and supports filtering by severity levels. It also has clickable tiles that give visual cues on the overall health status of your organization. Each tile opens a detailed view of the corresponding overview.
+Alerts are organized in three queues, by their workflow status: 
+
+- **New**
+- **In progress**
+- **Resolved**
+
+There are three alert severity levels, described in the following table.
+
+Alert severity | Description
+:---|:---
+High (Red) | Threats often associated with APT. These alerts pose a high risk due to the severity of the damage they might inflict on endpoints.
+Medium (Orange) | Threats considered to be abnormal or suspicious in nature such as anomalous registry modifications and loading of executable files.
+Low (Yellow) | Threats associated with prevalent malware and hack-tools that pose a lower risk to endpoints.
+
+
+### In this section
+
+Topic | Description 
+:---|:---
+[View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-advanced-threat-protection.md) | The **Dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
+[View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues.
+[Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-advanced-threat-protection.md) | The Manage Alert menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
+[Investigate machines in the Windows Defender ATP Machines view](machines-view-windows-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
+[Submit files to the Windows Defender ATP Deep analysis feature](deep-analysis-windows-advanced-threat-protection.md) | You can submit files for deep analysis to see detailed information about the file’s activities, observed behaviors, and associated artifacts (such as dropped files, registry modifications, and communications with IPs). 
+

windows/keep-secure/windows-defender-advanced-threat-protection.md

@@ -0,0 +1,84 @@
+---
+title: Windows Defender Advanced Threat Protection - Windows Defender
+description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats.
+keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl:
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Windows Defender Advanced Threat Protection
+
+**Applies to**
+
+- Windows 10 Insider Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+Windows Defender Advanced Threat Protection (Windows Defender ATP) is an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks. The service is composed of four main features:
+
+-   **Advanced attack detection**: Actionable alerts with real-time
+    visibility into cybersecurity threat incident details
+
+-   **File deep analysis**: Dynamic cloud analysis to provide visibility
+    into a file’s underlying behaviors
+
+-   **Footprint service**: Proactive exploration of potential attacks, and
+    the ability to map them to specific machines
+
+-   **Threat intelligence**: Insights that are validated and enriched by
+    security experts using telemetry gathered from resources worldwide
+
+The following diagram shows these Windows Defender ATP service
+components:
+
+![Windows Defender ATP service components](images/service-components.png)
+
+Investigating these alerts provides additional information and insight
+into known attackers, their goals, and actionable recommendations.
+
+Endpoint investigation capabilities in this service let you drill down
+into security alerts and understand the scope and nature of a potential
+breach. You can submit files for deep analysis and receive the results
+without leaving the [Windows Defender ATP portal](https://seville.windows.com).
+
+Windows Defender ATP works with existing Windows security technologies
+on endpoints, such as Windows Defender, AppLocker, and Device Guard. It
+can also work side-by-side with third-party security solutions and
+antimalware products.
+
+Windows Defender ATP leverages Microsoft technology and expertise to
+detect sophisticated cyber-attacks, providing:
+
+-   **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
+    collect and process behavioral signals from the operating system
+    (for example, process, registry, file, and network communications)
+    and sends this telemetry to your Azure Active Directory (AAD)
+    subscription.
+
+-   **Cloud security analytics**: Leveraging big-data, machine-learning, and
+    unique Microsoft optics across the Windows ecosystem (such as the
+    [Microsoft Malicious Software Removal Tool](https://www.microsoft.com/en-au/download/malicious-software-removal-tool-details.aspx),
+    enterprise cloud products (such as Office 365), and online assets
+    (such as Bing and SmartScreen URL reputation), behavioral signals
+    are translated into insights, detections, and recommended responses
+    to advanced threats.
+
+-   **Threat intelligence**: Generated by Microsoft hunters, security teams,
+    and augmented by threat intelligence provided by partners, threat
+    intelligence enables Windows Defender ATP to identify attacker
+    tools, techniques, and procedures, and generate alerts when these
+    are observed in collected telemetry.
+
+## In this section
+
+Topic | Description 
+:---|:---
+[Minimum requirements for Windows Defender ATP](minimum-requirements-windows-defender-advanced-threat-protection.md) | This overview topic for IT professionals provides information on the minimum requirements to use Windows Defender Advanced Threat Protection such as network and data storage configuration, and endpoint hardware ans software requirements, and deployment channels.
+[Onboard endpoints and set up the Windows Defender ATP user access](onboard-configure-windows-advanced-threat-protection.md) | You'll need to onboard and configure the service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP Service in ADD and using a configuration package to configure endpoints.
+[Windows Defender Advanced Threat Protection portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the main features of the service and how it levereges Microsoft technology to protect enterprise endpoints from sophisticated cyber attacks.
+[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise.
+[Windows Defender Advanced Threat Protection settings](settings-windows-defender-advanced-threat-protection.md) | Learn about setting the time zone and configuring the suppression rules to configure the service to your requirements.  
+[Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.