Merge pull request #815 from MicrosoftDocs/master

updating v-jowirt with Master
2025-06-25 07:13:37 +00:00 · 2019-08-01 12:38:52 -07:00
parent 4255c4b4ff a75dc4b844
commit fd31dec3d8
475 changed files with 7139 additions and 4044 deletions
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -1,436 +1,539 @@
 # [Threat protection](index.md)

-## [Microsoft Defender Advanced Threat Protection](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
-
-### [Overview](microsoft-defender-atp/overview.md)
-#### [Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
-##### [Hardware-based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
-###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md)
-####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
-###### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
-##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
-##### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
-##### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
-##### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
-##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
-#### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
-#### [Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md)
-##### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
-
-##### [Incidents queue](microsoft-defender-atp/incidents-queue.md)
-###### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
-###### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
-###### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
+## [Overview]()
+### [What is Microsoft Defender Advanced Threat Protection?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
+### [Overview of Microsoft Defender ATP capabilities](microsoft-defender-atp/overview.md)
+### [Threat & Vulnerability Management]()
+#### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
+#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
+#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
+#### [Configuration score](microsoft-defender-atp/configuration-score.md)
+#### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md)
+#### [Remediation](microsoft-defender-atp/tvm-remediation.md)
+#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
+#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
+#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)



-##### Alerts queue
-###### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
-###### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
-###### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
-###### [Investigate files](microsoft-defender-atp/investigate-files.md)
-###### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
-###### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
-###### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
-###### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
+### [Attack surface reduction]()
+#### [Hardware-based isolation]()
+##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
+
+##### [Application isolation]()
+###### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md)
+###### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
+
+##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
+
+#### [Application control](windows-defender-application-control/windows-defender-application-control.md)
+#### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
+#### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
+#### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
+#### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
+
+### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+
+### [Endpoint detection and response]()
+#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
+#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
+
+#### [Incidents queue]()
+##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
+##### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
+##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
+
+#### [Alerts queue]()
+##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
+##### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
+##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
+##### [Investigate files](microsoft-defender-atp/investigate-files.md)
+##### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
+##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
+##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
+##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
 
-##### Machines list
-###### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
-###### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
-###### [Alerts related to this machine](microsoft-defender-atp/investigate-machines.md#alerts-related-to-this-machine)
-###### [Machine timeline](microsoft-defender-atp/investigate-machines.md#machine-timeline)
-####### [Search for specific events](microsoft-defender-atp/investigate-machines.md#search-for-specific-events)
-####### [Filter events from a specific date](microsoft-defender-atp/investigate-machines.md#filter-events-from-a-specific-date)
-####### [Export machine timeline events](microsoft-defender-atp/investigate-machines.md#export-machine-timeline-events)
-####### [Navigate between pages](microsoft-defender-atp/investigate-machines.md#navigate-between-pages)
+#### [Machines list]()
+##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
+##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
+##### [Alerts related to this machine](microsoft-defender-atp/investigate-machines.md#alerts-related-to-this-machine)

+##### [Machine timeline]()
+###### [View machine profile](microsoft-defender-atp/investigate-machines.md#machine-timeline)
+###### [Search for specific events](microsoft-defender-atp/investigate-machines.md#search-for-specific-events)
+###### [Filter events from a specific date](microsoft-defender-atp/investigate-machines.md#filter-events-from-a-specific-date)
+###### [Export machine timeline events](microsoft-defender-atp/investigate-machines.md#export-machine-timeline-events)
+###### [Navigate between pages](microsoft-defender-atp/investigate-machines.md#navigate-between-pages)

-##### [Take response actions](microsoft-defender-atp/response-actions.md)
-###### [Take response actions on a machine](microsoft-defender-atp/respond-machine-alerts.md)
-####### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
-####### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
-####### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
-####### [Remove app restriction](microsoft-defender-atp/respond-machine-alerts.md#remove-app-restriction)
-####### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
-####### [Release machine from isolation](microsoft-defender-atp/respond-machine-alerts.md#release-machine-from-isolation)
+#### [Take response actions]()
+##### [Take response actions on a machine]()
+###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
+###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
+###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
+###### [Remove app restriction](microsoft-defender-atp/respond-machine-alerts.md#remove-app-restriction)
+###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
+###### [Release machine from isolation](microsoft-defender-atp/respond-machine-alerts.md#release-machine-from-isolation)
 ####### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
 
-###### [Take response actions on a file](microsoft-defender-atp/respond-file-alerts.md)
-####### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
-####### [Remove file from quarantine](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-quarantine)
-####### [Block files in your network](microsoft-defender-atp/respond-file-alerts.md#block-files-in-your-network)
-####### [Remove file from blocked list](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-blocked-list)
-####### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
-####### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
-####### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
-####### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
+##### [Take response actions on a file]()
+###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
+###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
+###### [Remove file from quarantine](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-quarantine)
+###### [Block files in your network](microsoft-defender-atp/respond-file-alerts.md#block-files-in-your-network)
+###### [Remove file from blocked list](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-blocked-list)
+###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
+###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
+###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
+###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
 ####### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
- 
-###### [Investigate entities using Live response](microsoft-defender-atp/live-response.md)
-#######[Live response command examples](microsoft-defender-atp/live-response-command-examples.md)

-#### [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
-##### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)
+##### [Investigate entities using Live response]()
+###### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
+######[Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
+
+### [Automated investigation and remediation]()
+#### [Automated investigation and remediation overview](microsoft-defender-atp/automated-investigations.md)
+#### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)
 #####[Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)

+### [Secure score](microsoft-defender-atp/overview-secure-score.md)
+### [Threat analytics](microsoft-defender-atp/threat-analytics.md)

-#### [Secure score](microsoft-defender-atp/overview-secure-score.md)
-#### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
+### [Advanced hunting]()
+#### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md)
+#### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)

-#### [Advanced hunting](microsoft-defender-atp/overview-hunting.md)
-##### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)
-###### [Advanced hunting reference](microsoft-defender-atp/advanced-hunting-reference.md)
-###### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
-##### [Custom detections](microsoft-defender-atp/overview-custom-detections.md)
-###### [Create custom detections rules](microsoft-defender-atp/custom-detection-rules.md)
+##### [Advanced hunting schema reference]()
+###### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
+###### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
+###### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
+###### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
+###### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
+###### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
+###### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
+###### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
+###### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
+###### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
+###### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)

- 
+##### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)

-#### [Management and APIs](microsoft-defender-atp/management-apis.md)
+#### [Custom detections]()
+##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
+##### [Create custom detections rules](microsoft-defender-atp/custom-detection-rules.md)
+
+#### [Management and APIs]()
+##### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
 ##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
 ##### [Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
 ##### [Managed security service provider support](microsoft-defender-atp/mssp-support.md)

-#### [Microsoft threat protection](microsoft-defender-atp/threat-protection-integration.md)
+#### [Integrations]()
+##### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
 #####  [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
 ##### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
-##### [Information protection in Windows overview](microsoft-defender-atp/information-protection-in-windows-overview.md)
-###### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
+
+#### [Information protection in Windows overview]()
+##### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
+##### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
+
+### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
+
+### [Portal overview](microsoft-defender-atp/portal-overview.md)
+### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
+
+## [Get started]()
+### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
+### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md)
+### [Validate licensing and complete setup](microsoft-defender-atp/licensing.md)
+### [Evaluation lab](microsoft-defender-atp/evaluation-lab.md)
+### [Preview features](microsoft-defender-atp/preview.md)
+### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
+### [Assign user access to the portal](microsoft-defender-atp/assign-portal-access.md)



-#### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)

-
-
-#### [Portal overview](microsoft-defender-atp/portal-overview.md)
-
-
-
-### [Get started](microsoft-defender-atp/get-started.md)
-#### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
-#### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md)
-#### [Validate licensing and complete setup](microsoft-defender-atp/licensing.md)
-#### [Preview features](microsoft-defender-atp/preview.md)
-#### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
-#### [Assign user access to the portal](microsoft-defender-atp/assign-portal-access.md)
-
-#### [Evaluate Microsoft Defender ATP](microsoft-defender-atp/evaluate-atp.md)
-#####Evaluate attack surface reduction
-###### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
-###### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
-###### [Exploit protection](windows-defender-exploit-guard/evaluate-exploit-protection.md)
-###### [Network Protection](windows-defender-exploit-guard/evaluate-network-protection.md)
-###### [Controlled folder access](windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
-###### [Attack surface reduction](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
-###### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
+### [Evaluate Microsoft Defender ATP]()
+#### [Attack surface reduction and next-generation capability evaluation]()
+##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
+##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
+##### [Exploit protection](windows-defender-exploit-guard/evaluate-exploit-protection.md)
+##### [Network Protection](windows-defender-exploit-guard/evaluate-network-protection.md)
+##### [Controlled folder access](windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
+##### [Attack surface reduction](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
+##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
 ##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)

-#### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md)
+### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md)
+
+## [Configure and manage capabilities]()
+### [Configure attack surface reduction]()
+#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)

 ### [Configure and manage capabilities](microsoft-defender-atp/onboard.md)
-#### [Configure attack surface reduction](microsoft-defender-atp/configure-attack-surface-reduction.md)
-#####Hardware-based isolation
-###### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-###### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md)
-####### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) 
-##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-##### Device control
-###### [Control USB devices](device-control/control-usb-devices-using-intune.md)
-###### [Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-####### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
-######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
-##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
-###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
-##### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
-##### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
-##### [Attack surface reduction controls](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
-###### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md)
-##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
+#### [Microsoft Defender Advanced Threat Protection for Mac](windows-defender-antivirus/microsoft-defender-atp-mac.md)
+##### [Deploy Microsoft Defender Advanced Threat Protection for Mac]()
+###### [Microsoft Intune-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md)
+###### [JAMF-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md)
+###### [Deployment with a different Mobile Device Management (MDM) system](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md)
+###### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md)
+##### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md)
+##### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md)
+##### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md)
+##### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md)

+#### [Hardware-based isolation]()
+##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)

+##### [Application isolation]()
+###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+###### [Application control](windows-defender-application-control/windows-defender-application-control.md)

-#### [Configure next generation protection](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
-##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
-###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
-###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
-###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
-###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-##### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
-###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
-##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
-##### [Antivirus compatibility](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
-###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
+#### [Device control]()
+##### [Control USB devices](device-control/control-usb-devices-using-intune.md)

-##### [Deploy, manage updates, and report on antivirus](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
-###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
-####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
-###### [Report on antivirus protection](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
-####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
-###### [Manage updates and apply baselines](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
-####### [Manage protection and definition updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
-####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
-####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
-####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
-####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+##### [Device Guard]()
+###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)

-##### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
-###### [Configure and validate exclusions in antivirus scans](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
-###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
-###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
+###### [Memory integrity]()
+####### [Understand memory integrity](windows-defender-exploit-guard/memory-integrity.md)
+####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+
+#### [Exploit protection]()
+##### [Enable exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
+##### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+
+#### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
+#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
+
+#### [Attack surface reduction controls]()
+##### [Enable attack surface reduction rules](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
+##### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md)
+#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
+
+### [Configure next generation protection]()
+#### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+##### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
+##### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
+##### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
+##### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
+##### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
+##### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+
+#### [Configure behavioral, heuristic, and real-time protection]()
+##### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
+##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
+
+#### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
+
+#### [Antivirus compatibility]()
+##### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+##### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
+
+#### [Deploy, manage updates, and report on antivirus]()
+##### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
+##### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
+###### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
+
+##### [Report on antivirus protection]()
+###### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
+###### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
+
+##### [Manage updates and apply baselines]()
+###### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
+###### [Manage protection and definition updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
+###### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
+###### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+#### [Customize, initiate, and review the results of scans and remediation]()
+##### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+
+##### [Configure and validate exclusions in antivirus scans]()
+###### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+###### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+
+##### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
+##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+##### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
+##### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
+##### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
+##### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
+
+#### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+
+#### [Manage antivirus in your business]()
+##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+##### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
+##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
+##### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
+##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+
+#### [Manage scans and remediation]()
+##### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+
+##### [Configure and validate exclusions in antivirus scans]()
+###### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+###### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+
+##### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
+
+#### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+##### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
+##### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
+##### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
+##### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
 ##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
-##### [Manage antivirus in your business](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)

-##### [Manage scans and remediation](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
-###### [Configure and validate exclusions in antivirus scans](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
-###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
-###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
-###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
-##### [Manage next generation protection in your business](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-###### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+#### [Manage next generation protection in your business]()
+##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
+##### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
+##### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
+##### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+
+### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md)
+
+### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
+
+### [Management and API support]()
+#### [Onboard devices to the service]()
+##### [Onboard machines to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md)
+##### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md)
+##### [Onboard Windows 10 machines]()
+###### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md)
+###### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
+###### [Onboard machines using System Center Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
+###### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
+###### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md)
+###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md)
+
+##### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md)
+##### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows.md)
+##### [Onboard machines without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
+##### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md)
+##### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md)
+##### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md)
+
+##### [Troubleshoot onboarding issues]()
+###### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md)
+###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
+
+#### [Microsoft Defender ATP API]()
+##### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
+##### [Get started with Microsoft Defender ATP APIs]()
+###### [Introduction](microsoft-defender-atp/apis-intro.md)
+###### [Hello World](microsoft-defender-atp/api-hello-world.md)
+###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md)
+###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
+
+##### [APIs]()
+###### [Supported Microsoft Defender ATP query APIs](microsoft-defender-atp/exposed-apis-list.md)
+###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
+
+###### [Alert]()
+####### [Alert methods and properties](microsoft-defender-atp/alerts.md)
+####### [List alerts](microsoft-defender-atp/get-alerts.md)
+####### [Create alert](microsoft-defender-atp/create-alert-by-reference.md)
+####### [Update Alert](microsoft-defender-atp/update-alert.md)
+####### [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id.md)
+####### [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md)
+####### [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md)
+####### [Get alert related IPs information](microsoft-defender-atp/get-alert-related-ip-info.md)
+####### [Get alert related machine information](microsoft-defender-atp/get-alert-related-machine-info.md)
+####### [Get alert related user information](microsoft-defender-atp/get-alert-related-user-info.md)
+
+###### [Machine]()
+####### [Machine methods and properties](microsoft-defender-atp/machine.md)
+####### [List machines](microsoft-defender-atp/get-machines.md)
+####### [Get machine by ID](microsoft-defender-atp/get-machine-by-id.md)
+####### [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users.md)
+####### [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
+####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
+####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
+
+###### [Machine Action]()
+####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)
+####### [List Machine Actions](microsoft-defender-atp/get-machineactions-collection.md)
+####### [Get Machine Action](microsoft-defender-atp/get-machineaction-object.md)
+####### [Collect investigation package](microsoft-defender-atp/collect-investigation-package.md)
+####### [Get investigation package SAS URI](microsoft-defender-atp/get-package-sas-uri.md)
+####### [Isolate machine](microsoft-defender-atp/isolate-machine.md)
+####### [Release machine from isolation](microsoft-defender-atp/unisolate-machine.md)
+####### [Restrict app execution](microsoft-defender-atp/restrict-code-execution.md)
+####### [Remove app restriction](microsoft-defender-atp/unrestrict-code-execution.md)
+####### [Run antivirus scan](microsoft-defender-atp/run-av-scan.md)
+####### [Offboard machine](microsoft-defender-atp/offboard-machine-api.md)
+####### [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file.md)
+####### [Initiate investigation (preview)](microsoft-defender-atp/initiate-autoir-investigation.md)
+
+###### [Indicators]()
+####### [Indicators methods and properties](microsoft-defender-atp/ti-indicator.md)
+####### [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md)
+####### [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md)
+####### [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md)
+
+###### [Domain]()
+####### [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md)
+####### [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md)
+####### [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md)
+####### [Is domain seen in organization](microsoft-defender-atp/is-domain-seen-in-org.md)
+
+###### [File]()
+####### [File methods and properties](microsoft-defender-atp/files.md)
+####### [Get file information](microsoft-defender-atp/get-file-information.md)
+####### [Get file related alerts](microsoft-defender-atp/get-file-related-alerts.md)
+####### [Get file related machines](microsoft-defender-atp/get-file-related-machines.md)
+####### [Get file statistics](microsoft-defender-atp/get-file-statistics.md)
+
+###### [IP]()
+####### [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md)
+####### [Get IP related machines](microsoft-defender-atp/get-ip-related-machines.md)
+####### [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md)
+####### [Is IP seen in organization](microsoft-defender-atp/is-ip-seen-org.md)
+
+###### [User]()
+####### [User methods](microsoft-defender-atp/user.md)
+####### [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md)
+####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
+
+##### [How to use APIs - Samples]()
+###### [Advanced Hunting API]()
+####### [Schedule advanced Hunting using Microsoft Flow](microsoft-defender-atp/run-advanced-query-sample-ms-flow.md)
+####### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
+####### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
+####### [Create custom Power BI reports](microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md)
+
+###### [Multiple APIs]()
+####### [PowerShell](microsoft-defender-atp/exposed-apis-full-sample-powershell.md)
+
+###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
+
+#### [Windows updates (KB) info]()
+##### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md)
+
+#### [Common Vulnerabilities and Exposures (CVE) to KB map]()
+##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
+
+#### [API for custom alerts (Deprecated)]()
+##### [Enable the custom threat intelligence application (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
+##### [Use the threat intelligence API to create custom alerts (Deprecated)](microsoft-defender-atp/use-custom-ti.md)
+##### [Create custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/custom-ti-api.md)
+##### [PowerShell code examples (Deprecated)](microsoft-defender-atp/powershell-example-code.md)
+##### [Python code examples (Deprecated)](microsoft-defender-atp/python-example-code.md)
+##### [Experiment with custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/experiment-custom-ti.md)
+##### [Troubleshoot custom threat intelligence issues (Deprecated)](microsoft-defender-atp/troubleshoot-custom-ti.md)
+
+#### [Pull alerts to your SIEM tools]()
+##### [Learn about different ways to pull alerts](microsoft-defender-atp/configure-siem.md)
+##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
+##### [Configure Splunk to pull alerts](microsoft-defender-atp/configure-splunk.md)
+##### [Configure HP ArcSight to pull alerts](microsoft-defender-atp/configure-arcsight.md)
+##### [Microsoft Defender ATP SIEM alert API fields](microsoft-defender-atp/api-portal-mapping.md)
+##### [Pull alerts using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
+##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
+
+#### [Reporting]()
+##### [Create and build Power BI reports using Microsoft Defender ATP data](microsoft-defender-atp/powerbi-reports.md)
+##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
+##### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
+
+#### [Interoperability]()
+##### [Partner applications](microsoft-defender-atp/partner-applications.md)
+
+#### [Manage machine configuration]()
+##### [Ensure your machines are configured properly](microsoft-defender-atp/configure-machines.md)
+##### [Monitor and increase machine onboarding](microsoft-defender-atp/configure-machines-onboarding.md)
+##### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
+##### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)


-#### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md) 
+#### [Role-based access control]()
+##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
+##### [Create and manage roles](microsoft-defender-atp/user-roles.md)
+##### [Create and manage machine groups]()
+###### [Using machine groups](microsoft-defender-atp/machine-groups.md)
+###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
+
+#### [Configure managed security service provider (MSSP) support](microsoft-defender-atp/configure-mssp-support.md)


-#### Management and API support
-##### [Onboard machines](microsoft-defender-atp/onboard-configure.md)
-###### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md)
-###### [Onboard Windows 10 machines](microsoft-defender-atp/configure-endpoints.md)
-####### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
-####### [Onboard machines using System Center Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
-####### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
-######## [Onboard machines using Microsoft Intune](microsoft-defender-atp/configure-endpoints-mdm.md#onboard-machines-using-microsoft-intune)
-####### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md)
-####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md)
-###### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md)
-###### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows.md)
-###### [Onboard machines without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
-###### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md)
-###### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md)
-###### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md)
-###### [Troubleshoot onboarding issues](microsoft-defender-atp/troubleshoot-onboarding.md)
-####### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
-   
-##### [Microsoft Defender ATP API](microsoft-defender-atp/use-apis.md)
-###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
-###### [Get started with Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
-####### [Hello World](microsoft-defender-atp/api-hello-world.md)
-####### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md)
-####### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
-###### [APIs](microsoft-defender-atp/exposed-apis-list.md)
+### [Configure Microsoft threat protection integration]()
+#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
+#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
+#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)

-####### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
+### [Configure portal settings]()
+#### [General]()
+##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
+##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
+##### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
+##### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
+##### [Configure advanced features](microsoft-defender-atp/advanced-features.md)

-####### [Alert](microsoft-defender-atp/alerts.md)
-######## [List alerts](microsoft-defender-atp/get-alerts.md)
-######## [Create alert](microsoft-defender-atp/create-alert-by-reference.md)
-######## [Update Alert](microsoft-defender-atp/update-alert.md)
-######## [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id.md)
-######## [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md)
-######## [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md)
-######## [Get alert related IPs information](microsoft-defender-atp/get-alert-related-ip-info.md)
-######## [Get alert related machine information](microsoft-defender-atp/get-alert-related-machine-info.md)
-######## [Get alert related user information](microsoft-defender-atp/get-alert-related-user-info.md)
+#### [Permissions]()
+##### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
+##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
+###### [Create and manage roles](microsoft-defender-atp/user-roles.md)
+###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
+####### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)

-####### [Machine](microsoft-defender-atp/machine.md)
-######## [List machines](microsoft-defender-atp/get-machines.md)
-######## [Get machine by ID](microsoft-defender-atp/get-machine-by-id.md)
-######## [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users.md)
-######## [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
-######## [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
-######## [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
-
-####### [Machine Action](microsoft-defender-atp/machineaction.md)
-######## [List Machine Actions](microsoft-defender-atp/get-machineactions-collection.md)
-######## [Get Machine Action](microsoft-defender-atp/get-machineaction-object.md)
-######## [Collect investigation package](microsoft-defender-atp/collect-investigation-package.md)
-######## [Get investigation package SAS URI](microsoft-defender-atp/get-package-sas-uri.md)
-######## [Isolate machine](microsoft-defender-atp/isolate-machine.md)
-######## [Release machine from isolation](microsoft-defender-atp/unisolate-machine.md)
-######## [Restrict app execution](microsoft-defender-atp/restrict-code-execution.md)
-######## [Remove app restriction](microsoft-defender-atp/unrestrict-code-execution.md)
-######## [Run antivirus scan](microsoft-defender-atp/run-av-scan.md)
-######## [Offboard machine](microsoft-defender-atp/offboard-machine-api.md)
-######## [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file.md)
-######## [Initiate investigation (preview)](microsoft-defender-atp/initiate-autoir-investigation.md)
-
-####### [Indicators](microsoft-defender-atp/ti-indicator.md)
-######## [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md)
-######## [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md)
-######## [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md)
-
-####### Domain
-######## [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md)
-######## [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md)
-######## [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md)
-######## [Is domain seen in organization](microsoft-defender-atp/is-domain-seen-in-org.md)
-
-####### [File](microsoft-defender-atp/files.md)
-######## [Get file information](microsoft-defender-atp/get-file-information.md)
-######## [Get file related alerts](microsoft-defender-atp/get-file-related-alerts.md)
-######## [Get file related machines](microsoft-defender-atp/get-file-related-machines.md)
-######## [Get file statistics](microsoft-defender-atp/get-file-statistics.md)
-
-####### IP
-######## [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md)
-######## [Get IP related machines](microsoft-defender-atp/get-ip-related-machines.md)
-######## [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md)
-######## [Is IP seen in organization](microsoft-defender-atp/is-ip-seen-org.md)
-
-####### [User](microsoft-defender-atp/user.md)
-######## [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md)
-######## [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
+#### [APIs]()
+##### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
+##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
+  
+#### [Rules]()
+##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
+##### [Manage automation allowed/blocked lists](microsoft-defender-atp/manage-automation-allowed-blocked-list.md)
+##### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
+##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
+##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
+  
+#### [Machine management]()
+##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
+##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
+  
+#### [Configure Windows Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)


-###### How to use APIs - Samples
-####### Advanced Hunting API
-######## [Schedule advanced Hunting using Microsoft Flow](microsoft-defender-atp/run-advanced-query-sample-ms-flow.md)
-######## [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
-######## [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
-######## [Create custom Power BI reports](microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md)
-####### Multiple APIs
-######## [PowerShell](microsoft-defender-atp/exposed-apis-full-sample-powershell.md)
-####### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
+## [Troubleshoot Microsoft Defender ATP]()
+### [Troubleshoot sensor state]()
+#### [Check sensor state](microsoft-defender-atp/check-sensor-status.md)
+#### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md)
+#### [Inactive machines](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-machines)
+#### [Misconfigured machines](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-machines)
+#### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md)

+### [Troubleshoot Microsoft Defender ATP service issues]()
+#### [Troubleshoot service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
+#### [Check service health](microsoft-defender-atp/service-status.md)

-#####Windows updates (KB) info
-###### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md)
-#####Common Vulnerabilities and Exposures (CVE) to KB map
-###### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
+### [Troubleshoot live response issues]()
+#### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md)
+
+### [Troubleshoot attack surface reduction]()
+#### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
+#### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
 
-
-##### API for custom alerts (Deprecated)
-###### [Enable the custom threat intelligence application (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
-###### [Use the threat intelligence API to create custom alerts (Deprecated)](microsoft-defender-atp/use-custom-ti.md)
-###### [Create custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/custom-ti-api.md)
-###### [PowerShell code examples (Deprecated)](microsoft-defender-atp/powershell-example-code.md)
-###### [Python code examples (Deprecated)](microsoft-defender-atp/python-example-code.md)
-###### [Experiment with custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/experiment-custom-ti.md)
-###### [Troubleshoot custom threat intelligence issues (Deprecated)](microsoft-defender-atp/troubleshoot-custom-ti.md)
- 
-
-##### [Pull alerts to your SIEM tools](microsoft-defender-atp/configure-siem.md)
-###### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
-###### [Configure Splunk to pull alerts](microsoft-defender-atp/configure-splunk.md)
-###### [Configure HP ArcSight to pull alerts](microsoft-defender-atp/configure-arcsight.md)
-###### [Microsoft Defender ATP SIEM alert API fields](microsoft-defender-atp/api-portal-mapping.md)
-###### [Pull alerts using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
-###### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
+### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)


-##### Reporting
-###### [Create and build Power BI reports using Microsoft Defender ATP data](microsoft-defender-atp/powerbi-reports.md)
-###### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
-###### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
-
-##### Interoperability
-###### [Partner applications](microsoft-defender-atp/partner-applications.md)
-
-
-##### Role-based access control
-###### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
-####### [Create and manage roles](microsoft-defender-atp/user-roles.md)
-####### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
-######## [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
-
-
-##### [Configure managed security service provider (MSSP) support](microsoft-defender-atp/configure-mssp-support.md)
-
-
-#### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
-
-
-
-#### Configure Microsoft threat protection integration
-##### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
-##### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
-##### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
-
-
-
-
-#### [Configure Windows Defender Security Center settings](microsoft-defender-atp/preferences-setup.md)
-##### General
-###### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
-###### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
-###### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
-###### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
-###### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
-  
-##### Permissions
-###### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
-###### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
-####### [Create and manage roles](microsoft-defender-atp/user-roles.md)
-####### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
-######## [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
-  
-##### APIs
-###### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
-###### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
-  
-#####Rules
-###### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
-###### [Manage automation allowed/blocked lists](microsoft-defender-atp/manage-automation-allowed-blocked-list.md)
-###### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
-###### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
-###### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
-  
-#####Machine management
-###### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
-###### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
-  
-##### [Configure Windows Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
-  
-
-### [Troubleshoot Microsoft Defender ATP](microsoft-defender-atp/troubleshoot-overview.md)
-####Troubleshoot sensor state
-##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md)
-##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md)
-##### [Inactive machines](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-machines)
-##### [Misconfigured machines](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-machines)
-##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md)
-
-#### [Troubleshoot Microsoft Defender ATP service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
-##### [Check service health](microsoft-defender-atp/service-status.md)
-
-
-#### [Troubleshoot live response issues]()
-##### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md)
-
-
-####Troubleshoot attack surface reduction
-##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
-##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
- 
-#### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)

 ## [Security intelligence](intelligence/index.md)
 ### [Understand malware & other threats](intelligence/understanding-malware.md)
--- a/windows/security/threat-protection/auditing/audit-application-generated.md
+++ b/windows/security/threat-protection/auditing/audit-application-generated.md
@ -20,24 +20,22 @@ ms.date: 04/19/2017
 -   Windows 10
 -   Windows Server 2016

-
 Audit Application Generated generates events for actions related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx).

 Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012.

-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                   |
-|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
+|-------------------|-----------------|-----------------|------------------|------------------|----------|
 | Domain Controller | IF              | IF              | IF               | IF               | IF – if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. |
 | Member Server     | IF              | IF              | IF               | IF               | IF – if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. |
 | Workstation       | IF              | IF              | IF               | IF               | IF – if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. |

 **Events List:**

-## 4665: An attempt was made to create an application client context.
+- 4665: An attempt was made to create an application client context.

-## 4666: An application attempted an operation.
+- 4666: An application attempted an operation.

-## 4667: An application client context was deleted.
-
-## 4668: An application was initialized.
+- 4667: An application client context was deleted.

+- 4668: An application was initialized.
--- a/windows/security/threat-protection/auditing/audit-application-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-application-group-management.md
@ -20,7 +20,6 @@ ms.date: 04/19/2017
 -   Windows 10
 -   Windows Server 2016

-
 Audit Application Group Management generates events for actions related to [application groups](https://technet.microsoft.com/library/cc771579.aspx), such as group creation, modification, addition or removal of group member and some other actions.

 [Application groups](https://technet.microsoft.com/library/cc771579.aspx) are used by [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx).
@ -33,23 +32,22 @@ Audit Application Group Management subcategory is out of scope of this document,
 | Member Server     | -               | -               | -                | -                | This subcategory is outside the scope of this document. |
 | Workstation       | -               | -               | -                | -                | This subcategory is outside the scope of this document. |

-## 4783(S): A basic application group was created.
+- 4783(S): A basic application group was created.

-## 4784(S): A basic application group was changed.
+- 4784(S): A basic application group was changed.

-## 4785(S): A member was added to a basic application group.
+- 4785(S): A member was added to a basic application group.

-## 4786(S): A member was removed from a basic application group.
+- 4786(S): A member was removed from a basic application group.

-## 4787(S): A non-member was added to a basic application group.
+- 4787(S): A non-member was added to a basic application group.

-## 4788(S): A non-member was removed from a basic application group.
+- 4788(S): A non-member was removed from a basic application group.

-## 4789(S): A basic application group was deleted.
+- 4789(S): A basic application group was deleted.

-## 4790(S): An LDAP query group was created.
+- 4790(S): An LDAP query group was created.

-## 4791(S): An LDAP query group was changed.
-
-## 4792(S): An LDAP query group was deleted.
+- 4791(S): An LDAP query group was changed.

+- 4792(S): An LDAP query group was deleted.
--- a/windows/security/threat-protection/auditing/audit-certification-services.md
+++ b/windows/security/threat-protection/auditing/audit-certification-services.md
@ -20,7 +20,6 @@ ms.date: 04/19/2017
 -   Windows 10
 -   Windows Server 2016

-
 Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.

 Examples of AD CS operations include:
@ -59,65 +58,64 @@ Role-specific subcategories are outside the scope of this document.
 | Member Server     | IF              | IF              | IF               | IF               | IF – if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
 | Workstation       | No              | No              | No               | No               | [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role cannot be installed on client OS.                                                                         |

-## 4868: The certificate manager denied a pending certificate request.
+- 4868: The certificate manager denied a pending certificate request.

-## 4869: Certificate Services received a resubmitted certificate request.
+- 4869: Certificate Services received a resubmitted certificate request.

-## 4870: Certificate Services revoked a certificate.
+- 4870: Certificate Services revoked a certificate.

-## 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
+- 4871: Certificate Services received a request to publish the certificate revocation list (CRL).

-## 4872: Certificate Services published the certificate revocation list (CRL).
+- 4872: Certificate Services published the certificate revocation list (CRL).

-## 4873: A certificate request extension changed.
+- 4873: A certificate request extension changed.

-## 4874: One or more certificate request attributes changed.
+- 4874: One or more certificate request attributes changed.

-## 4875: Certificate Services received a request to shut down.
+- 4875: Certificate Services received a request to shut down.

-## 4876: Certificate Services backup started.
+- 4876: Certificate Services backup started.

-## 4877: Certificate Services backup completed.
+- 4877: Certificate Services backup completed.

-## 4878: Certificate Services restore started.
+- 4878: Certificate Services restore started.

-## 4879: Certificate Services restore completed.
+- 4879: Certificate Services restore completed.

-## 4880: Certificate Services started.
+- 4880: Certificate Services started.

-## 4881: Certificate Services stopped.
+- 4881: Certificate Services stopped.

-## 4882: The security permissions for Certificate Services changed.
+- 4882: The security permissions for Certificate Services changed.

-## 4883: Certificate Services retrieved an archived key.
+- 4883: Certificate Services retrieved an archived key.

-## 4884: Certificate Services imported a certificate into its database.
+- 4884: Certificate Services imported a certificate into its database.

-## 4885: The audit filter for Certificate Services changed.
+- 4885: The audit filter for Certificate Services changed.

-## 4886: Certificate Services received a certificate request.
+- 4886: Certificate Services received a certificate request.

-## 4887: Certificate Services approved a certificate request and issued a certificate.
+- 4887: Certificate Services approved a certificate request and issued a certificate.

-## 4888: Certificate Services denied a certificate request.
+- 4888: Certificate Services denied a certificate request.

-## 4889: Certificate Services set the status of a certificate request to pending.
+- 4889: Certificate Services set the status of a certificate request to pending.

-## 4890: The certificate manager settings for Certificate Services changed.
+- 4890: The certificate manager settings for Certificate Services changed.

-## 4891: A configuration entry changed in Certificate Services.
+- 4891: A configuration entry changed in Certificate Services.

-## 4892: A property of Certificate Services changed.
+- 4892: A property of Certificate Services changed.

-## 4893: Certificate Services archived a key.
+- 4893: Certificate Services archived a key.

-## 4894: Certificate Services imported and archived a key.
+- 4894: Certificate Services imported and archived a key.

-## 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
+- 4895: Certificate Services published the CA certificate to Active Directory Domain Services.

-## 4896: One or more rows have been deleted from the certificate database.
+- 4896: One or more rows have been deleted from the certificate database.

-## 4897: Role separation enabled.
-
-## 4898: Certificate Services loaded a template.
+- 4897: Role separation enabled.

+- 4898: Certificate Services loaded a template.
--- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
@ -20,7 +20,6 @@ ms.date: 04/19/2017
 -   Windows 10
 -   Windows Server 2016

-
 Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks.

 This subcategory generates events only on domain controllers.
@ -29,47 +28,46 @@ This subcategory generates events only on domain controllers.

 This subcategory allows you to audit events generated by changes to distribution groups such as the following:

-   Distribution group is created, changed, or deleted.
+- Distribution group is created, changed, or deleted.

-   Member is added or removed from a distribution group.
+- Member is added or removed from a distribution group.

 If you need to monitor for group type changes, you need to monitor for “[4764](event-4764.md): A group’s type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled.

-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF              | No              | IF               | No               | IF - Typically actions related to distribution groups have low security relevance, much more important to monitor Security Group changes. But if you want to monitor for critical distribution groups changes, such as member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.<br>Typically volume of these events is low on domain controllers.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | No              | No              | No               | No               | This subcategory generates events only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| Workstation       | No              | No              | No               | No               | This subcategory generates events only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
+|-------------------|-----------------|-----------------|------------------|------------------|----------|
+| Domain Controller | IF              | No              | IF               | No               | IF - Typically, actions related to distribution groups have low security relevance. It is much more important to monitor Security Group changes. However, if you want to monitor for critical distribution groups changes, such as if a member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.<br>Typically, volume of these events is low on domain controllers.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server     | No              | No              | No               | No               | This subcategory generates events only on domain controllers.  |
+| Workstation       | No              | No              | No               | No               | This subcategory generates events only on domain controllers.  |

 **Events List:**

-   [4749](event-4749.md)(S): A security-disabled global group was created.
+- [4749](event-4749.md)(S): A security-disabled global group was created.

-   [4750](event-4750.md)(S): A security-disabled global group was changed.
+- [4750](event-4750.md)(S): A security-disabled global group was changed.

-   [4751](event-4751.md)(S): A member was added to a security-disabled global group.
+- [4751](event-4751.md)(S): A member was added to a security-disabled global group.

-   [4752](event-4752.md)(S): A member was removed from a security-disabled global group.
+- [4752](event-4752.md)(S): A member was removed from a security-disabled global group.

-   [4753](event-4753.md)(S): A security-disabled global group was deleted.
+- [4753](event-4753.md)(S): A security-disabled global group was deleted.

-**4759(S): A security-disabled universal group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4759 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4759(S): A security-disabled universal group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4759 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**4760(S): A security-disabled universal group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4760 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4760(S): A security-disabled universal group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4760 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**4761(S): A member was added to a security-disabled universal group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4761 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4761(S): A member was added to a security-disabled universal group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4761 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**4762(S): A member was removed from a security-disabled universal group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4762 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4762(S): A member was removed from a security-disabled universal group. See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4762 is the same, except  it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**4763(S): A security-disabled universal group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4763 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4763(S): A security-disabled universal group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4763 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**4744(S): A security-disabled local group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4744 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4744(S): A security-disabled local group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4744 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**4745(S): A security-disabled local group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4745 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4745(S): A security-disabled local group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4745 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**4746(S): A member was added to a security-disabled local group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4746 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4746(S): A member was added to a security-disabled local group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4746 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**4747(S): A member was removed from a security-disabled local group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4747 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-**4748(S): A security-disabled local group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4748 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4747(S): A member was removed from a security-disabled local group. See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4747 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

+- 4748(S): A security-disabled local group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4748 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
@ -20,16 +20,15 @@ ms.date: 04/19/2017
 -   Windows 10
 -   Windows Server 2016

-
 Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) (WFP), such as the following:

-   IPsec services status.
+- IPsec services status.

-   Changes to IPsec policy settings.
+- Changes to IPsec policy settings.

-   Changes to Windows Filtering Platform Base Filtering Engine policy settings.
+- Changes to Windows Filtering Platform Base Filtering Engine policy settings.

-   Changes to WFP providers and engine.
+- Changes to WFP providers and engine.

 Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).

@ -41,83 +40,82 @@ This subcategory is outside the scope of this document.
 | Member Server     | -               | -               | -                | -                | This subcategory is outside the scope of this document. |
 | Workstation       | -               | -               | -                | -                | This subcategory is outside the scope of this document. |

-## 4709(S): IPsec Services was started.
+- 4709(S): IPsec Services was started.

-## 4710(S): IPsec Services was disabled.
+- 4710(S): IPsec Services was disabled.

-## 4711(S): May contain any one of the following: 
+- 4711(S): May contain any one of the following: 

-## 4712(F): IPsec Services encountered a potentially serious failure.
+- 4712(F): IPsec Services encountered a potentially serious failure.

-## 5040(S): A change has been made to IPsec settings. An Authentication Set was added.
+- 5040(S): A change has been made to IPsec settings. An Authentication Set was added.

-## 5041(S): A change has been made to IPsec settings. An Authentication Set was modified.
+- 5041(S): A change has been made to IPsec settings. An Authentication Set was modified.

-## 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.
+- 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.

-## 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.
+- 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.

-## 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.
+- 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.

-## 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted.
+- 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted.

-## 5046(S): A change has been made to IPsec settings. A Crypto Set was added.
+- 5046(S): A change has been made to IPsec settings. A Crypto Set was added.

-## 5047(S): A change has been made to IPsec settings. A Crypto Set was modified.
+- 5047(S): A change has been made to IPsec settings. A Crypto Set was modified.

-## 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.
+- 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.

-## 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
+- 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.

-## 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
+- 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.

-## 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
+- 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.

-## 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
+- 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.

-## 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
+- 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.

-## 5446(S): A Windows Filtering Platform callout has been changed.
+- 5446(S): A Windows Filtering Platform callout has been changed.

-## 5448(S): A Windows Filtering Platform provider has been changed.
+- 5448(S): A Windows Filtering Platform provider has been changed.

-## 5449(S): A Windows Filtering Platform provider context has been changed.
+- 5449(S): A Windows Filtering Platform provider context has been changed.

-## 5450(S): A Windows Filtering Platform sub-layer has been changed.
+- 5450(S): A Windows Filtering Platform sub-layer has been changed.

-## 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.
+- 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.

-## 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
+- 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.

-## 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
+- 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.

-## 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
+- 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.

-## 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.
+- 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.

-## 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.
+- 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.

-## 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
+- 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.

-## 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes.
+- 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes.

-## 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
+- 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.

-## 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
+- 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.

-## 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
+- 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.

-## 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
+- 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.

-## 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
+- 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.

-## 5471(S): PAStore Engine loaded local storage IPsec policy on the computer.
+- 5471(S): PAStore Engine loaded local storage IPsec policy on the computer.

-## 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.
+- 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.

-## 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.
+- 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.

-## 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
-
-## 5477(F): PAStore Engine failed to add quick mode filter.
+- 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.

+- 5477(F): PAStore Engine failed to add quick mode filter.
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
@ -20,24 +20,20 @@ ms.date: 04/19/2017
 -   Windows 10
 -   Windows Server 2016

-
 Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows object’s handle duplication and close actions.

 **Event volume**: High.

-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                     |
-|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
+|-------------------|-----------------|-----------------|------------------|------------------|----------|
 | Domain Controller | No              | No              | No               | No               | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. |
 | Member Server     | No              | No              | No               | No               | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. |
 | Workstation       | No              | No              | No               | No               | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. |

 **Events List:**

-   [4658](event-4658.md)(S): The handle to an object was closed.
+- [4658](event-4658.md)(S): The handle to an object was closed.

-   [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.
-
-## 4658(S): The handle to an object was closed.
-
-This event doesn’t generate in this subcategory, but you can use this subcategory to enable it. For a description of the event, see “[4658](event-4658.md)(S): The handle to an object was closed” in the Audit File System subcategory.
+- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.

+- 4658(S): The handle to an object was closed. For a description of the event, see _[4658](event-4658.md)(S): The handle to an object was closed._ in the Audit File System subcategory. This event doesn’t generate in the Audit Handle Manipulation subcategory, but you can use this subcategory to enable it.
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
@ -20,7 +20,6 @@ ms.date: 10/02/2018
 -   Windows 10
 -   Windows Server 2016

-
 Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:

 -   Startup and shutdown of the IPsec services.
@ -37,9 +36,11 @@ Audit IPsec Driver allows you to audit events generated by IPSec driver such as

 A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems.

-Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter.
+Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter. This subcategory is outside the scope of this document.

-This subcategory is outside the scope of this document.
+**Event volume:** Medium
+
+**Default:** Not configured

 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                  |
 |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
@ -47,25 +48,26 @@ This subcategory is outside the scope of this document.
 | Member Server     | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
 | Workstation       | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |

-## 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
+**Events List:**

-## 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
+- 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.

-## 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
+- 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.

-## 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
+- 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.

-## 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
+- 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.

-## 5478(S): IPsec Services has started successfully.
+- 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.

-## 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
+- 5478(S): IPsec Services has started successfully.

-## 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
+- 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.

-## 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.
+- 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

-## 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
+- 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.

-## 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
+- 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.

+- 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
@ -25,23 +25,22 @@ Audit IPsec Extended Mode allows you to audit events generated by Internet Key E

 Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting.

-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                   |
-|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
+|-------------------|-----------------|-----------------|------------------|------------------|----------|
 | Domain Controller | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
 | Member Server     | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
 | Workstation       | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |

-## 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
+- 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

-## 4979(S): IPsec Main Mode and Extended Mode security associations were established.
+- 4979(S): IPsec Main Mode and Extended Mode security associations were established.

-## 4980(S): IPsec Main Mode and Extended Mode security associations were established.
+- 4980(S): IPsec Main Mode and Extended Mode security associations were established.

-## 4981(S): IPsec Main Mode and Extended Mode security associations were established.
+- 4981(S): IPsec Main Mode and Extended Mode security associations were established.

-## 4982(S): IPsec Main Mode and Extended Mode security associations were established.
+- 4982(S): IPsec Main Mode and Extended Mode security associations were established.

-## 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
-
-## 4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
+- 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.

+- 4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
--- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
@ -20,32 +20,30 @@ ms.date: 10/02/2018
 -   Windows 10
 -   Windows Server 2016

-
 Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.

 Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting.

-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                           |
-|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------|
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
+|-------------------|-----------------|-----------------|------------------|------------------|----------|
 | Domain Controller | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
 | Member Server     | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
 | Workstation       | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |

-## 4646(S): Security ID: %1
+- 4646(S): Security ID: %1

-## 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
+- 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.

-## 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
+- 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.

-## 4652(F): An IPsec Main Mode negotiation failed.
+- 4652(F): An IPsec Main Mode negotiation failed.

-## 4653(F): An IPsec Main Mode negotiation failed.
+- 4653(F): An IPsec Main Mode negotiation failed.

-## 4655(S): An IPsec Main Mode security association ended.
+- 4655(S): An IPsec Main Mode security association ended.

-## 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
+- 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

-## 5049(S): An IPsec Security Association was deleted.
-
-## 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
+- 5049(S): An IPsec Security Association was deleted.

+- 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
@ -20,20 +20,18 @@ ms.date: 10/02/2018
 -   Windows 10
 -   Windows Server 2016

-
 Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.

 Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting.

-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                             |
-|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------|
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
+|-------------------|-----------------|-----------------|------------------|------------------|----------|
 | Domain Controller | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
 | Member Server     | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
 | Workstation       | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |

-## 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
+- 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

-## 5451(S): An IPsec Quick Mode security association was established.
-
-## 5452(S): An IPsec Quick Mode security association ended.
+- 5451(S): An IPsec Quick Mode security association was established.

+- 5452(S): An IPsec Quick Mode security association ended.
--- a/windows/security/threat-protection/auditing/audit-network-policy-server.md
+++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md
@ -20,7 +20,6 @@ ms.date: 04/19/2017
 -   Windows 10
 -   Windows Server 2016

-
 Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.

 If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.
@ -33,27 +32,26 @@ NAP events can be used to help understand the overall health of the network.

 Role-specific subcategories are outside the scope of this document.

-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                     |
-|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
+|-------------------|-----------------|-----------------|------------------|------------------|----------|
 | Domain Controller | IF              | IF              | IF               | IF               | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
 | Member Server     | IF              | IF              | IF               | IF               | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
-| Workstation       | No              | No              | No               | No               | [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role cannot be installed on client OS.                                                                                                 |
+| Workstation       | No              | No              | No               | No               | [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role cannot be installed on client OS. |

-## 6272: Network Policy Server granted access to a user.
+- 6272: Network Policy Server granted access to a user.

-## 6273: Network Policy Server denied access to a user.
+- 6273: Network Policy Server denied access to a user.

-## 6274: Network Policy Server discarded the request for a user.
+- 6274: Network Policy Server discarded the request for a user.

-## 6275: Network Policy Server discarded the accounting request for a user.
+- 6275: Network Policy Server discarded the accounting request for a user.

-## 6276: Network Policy Server quarantined a user.
+- 6276: Network Policy Server quarantined a user.

-## 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
+- 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.

-## 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
+- 6278: Network Policy Server granted full access to a user because the host met the defined health policy.

-## 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
-
-## 6280: Network Policy Server unlocked the user account.
+- 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.

+- 6280: Network Policy Server unlocked the user account.
--- a/windows/security/threat-protection/auditing/audit-security-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-security-group-management.md
@ -20,78 +20,86 @@ ms.date: 02/28/2019
 -   Windows 10
 -   Windows Server 2016

-
 Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.

 **Event volume**: Low.

 This subcategory allows you to audit events generated by changes to security groups such as the following:

-   Security group is created, changed, or deleted.
+- Security group is created, changed, or deleted.

-   Member is added or removed from a security group.
+- Member is added or removed from a security group.

-   Group type is changed.
+- Group type is changed.

-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                         |
-|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.|
-| Member Server     | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.|
-| Workstation       | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.|
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
+|-------------------|-----------------|-----------------|------------------|------------------|----------|
+| Domain Controller | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server     | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Workstation       | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |

 **Events List:**

-   [4731](event-4731.md)(S): A security-enabled local group was created.
+- [4731](event-4731.md)(S): A security-enabled local group was created.

-   [4732](event-4732.md)(S): A member was added to a security-enabled local group.
+- [4732](event-4732.md)(S): A member was added to a security-enabled local group.

-   [4733](event-4733.md)(S): A member was removed from a security-enabled local group.
+- [4733](event-4733.md)(S): A member was removed from a security-enabled local group.

-   [4734](event-4734.md)(S): A security-enabled local group was deleted.
+- [4734](event-4734.md)(S): A security-enabled local group was deleted.

-   [4735](event-4735.md)(S): A security-enabled local group was changed.
+- [4735](event-4735.md)(S): A security-enabled local group was changed.

-   [4764](event-4764.md)(S): A group’s type was changed.
+- [4764](event-4764.md)(S): A group’s type was changed.

-   [4799](event-4799.md)(S): A security-enabled local group membership was enumerated.
+- [4799](event-4799.md)(S): A security-enabled local group membership was enumerated.

-**4727(S): A security-enabled global group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.” Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4727(S): A security-enabled global group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
+  > [!IMPORTANT]
+  > Event 4727(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.

-**4737(S): A security-enabled global group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.” Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4737(S): A security-enabled global group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply. 
+  > [!IMPORTANT]
+  > Event 4737(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.

-**4728(S): A member was added to a security-enabled global group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.” Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4728(S): A member was added to a security-enabled global group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
+  > [!IMPORTANT]
+  > Event 4728(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.

-**4729(S): A member was removed from a security-enabled global group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.” Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4729(S): A member was removed from a security-enabled global group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
+  > [!IMPORTANT]
+  > Event 4729(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.

-**4730(S): A security-enabled global group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.” Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4730(S): A security-enabled global group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
+  > [!IMPORTANT]
+  > Event 4730(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.

-**4754(S): A security-enabled universal group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.”. Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4754(S): A security-enabled universal group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
+  > [!IMPORTANT]
+  > Event 4754(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.

-**4755(S): A security-enabled universal group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.”. Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
+  > [!IMPORTANT]
+  > Event 4755(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.

-**4756(S): A member was added to a security-enabled universal group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.”. Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4756(S): A member was added to a security-enabled universal group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
+  > [!IMPORTANT]
+  > Event 4756(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.

-**4757(S): A member was removed from a security-enabled universal group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.”. Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
+- 4757(S): A member was removed from a security-enabled universal group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

-**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
+  > [!IMPORTANT]
+  > Event 4757(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.

-**4758(S): A security-enabled universal group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.”. Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
+- 4758(S): A security-enabled universal group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

+  >[!IMPORTANT]
+  > Event 4758(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
--- a/windows/security/threat-protection/auditing/audit-security-state-change.md
+++ b/windows/security/threat-protection/auditing/audit-security-state-change.md
@ -39,5 +39,6 @@ Audit Security State Change contains Windows startup, recovery, and shutdown eve

 -   [4621](event-4621.md)(S): Administrator recovered system from CrashOnAuditFail.

->**Note**&nbsp;&nbsp;Event **4609(S): Windows is shutting down** currently doesn’t generate. It is a defined event, but it is never invoked by the operating system.
+>[!NOTE]
+>Event **4609(S): Windows is shutting down** doesn't currently generate. It is a defined event, but it is never invoked by the operating system.

--- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
@ -71,6 +71,7 @@ If you configure this policy setting, an audit event is generated when sensitive

 -   [4985](event-4985.md)(S): The state of a transaction has changed.

->**Note**&nbsp;&nbsp;For some reason event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory generates also in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.
+>[!NOTE] 
+> The event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory also generates in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.


--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@ -114,7 +114,7 @@ To prevent malware infections or data loss, an organization may restrict USB dri

 All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/en-us/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates:

-![Admintemplates](https://github.com/MicrosoftDocs/windows-docs-pr/blob/v-jowirt-updates/windows/security/threat-protection/windows-defender-antivirus/images/admintemplates.png)
+![Admintemplates](images/admintemplates.png)

 >[!Note]
 >Using Intune, you can apply device configuration policies to AAD user and/or device groups.
@ -199,13 +199,13 @@ Windows Defender ATP blocks installation and usage of prohibited peripherals by

 The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, represent the recommended configuration for ATP.  Configuration settings for baseline are located here in the edit profile page of the configuration settings.

-![Baselines](https://github.com/MicrosoftDocs/windows-docs-pr/blob/v-jowirt-updates/windows/security/threat-protection/windows-defender-antivirus/images/baselines.png)
+![Baselines](images/baselines.png)

 ### Bluetooth

 Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed.  As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. 

-![Bluetooth](https://github.com/MicrosoftDocs/windows-docs-pr/blob/v-jowirt-updates/windows/security/threat-protection/windows-defender-antivirus/images/bluetooth.png)
+![Bluetooth](images/bluetooth.png)

 ## Detect plug and play connected events

--- a/windows/security/threat-protection/windows-defender-antivirus/images/admintemplates.png
+++ b/windows/security/threat-protection/windows-defender-antivirus/images/admintemplates.png
--- a/windows/security/threat-protection/windows-defender-antivirus/images/baselines.png
+++ b/windows/security/threat-protection/windows-defender-antivirus/images/baselines.png
--- a/windows/security/threat-protection/windows-defender-antivirus/images/bluetooth.png
+++ b/windows/security/threat-protection/windows-defender-antivirus/images/bluetooth.png
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@ -7,8 +7,13 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: dansimp
+ms.author: dolmont
+author: DulceMontemayor
 ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
 ---

 # Threat Protection
@ -39,9 +44,15 @@ ms.localizationpriority: medium

 **[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**<br>
 This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. 
+
 - [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) 
 - [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
+- [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
 - [Configuration score](microsoft-defender-atp/configuration-score.md)
+- [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
+- [Remediation](microsoft-defender-atp/tvm-remediation.md)
+- [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
+- [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
 - [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)

 <a name="asr"></a>
@ -56,7 +67,7 @@ The attack surface reduction set of capabilities provide the first line of defen
 - [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
 - [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
 - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
- [Attack surface reduction controls](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+- [Attack surface reduction rules](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)

 <a name="ngp"></a>

@ -97,6 +108,9 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft
 <a name="ss"></a>

 **[Secure score](microsoft-defender-atp/overview-secure-score.md)**<br>
+>[!NOTE]
+>  Secure score is now part of [Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)  as [Configuration score](microsoft-defender-atp/configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
+
 Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
 - [Asset inventory](microsoft-defender-atp/secure-score-dashboard.md)
 - [Recommended improvement actions](microsoft-defender-atp/secure-score-dashboard.md)
--- a/windows/security/threat-protection/intelligence/macro-malware.md
+++ b/windows/security/threat-protection/intelligence/macro-malware.md
@ -45,4 +45,6 @@ We've seen macro malware download threats from the following families:

 * Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules)

-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
+For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md). 
+
+For more general tips, see [prevent malware infection](prevent-malware-infection.md). 
--- a/windows/security/threat-protection/intelligence/safety-scanner-download.md
+++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md
@ -23,13 +23,16 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from

 - [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732)

-> **NOTE** The security intelligence update version of the Microsoft Safety Scaner matches the version described [in this web page](https://www.microsoft.com/en-us/wdsi/definitions).
+> [!NOTE]
+> The security intelligence update version of the Microsoft Safety Scanner matches the version described [in this web page](https://www.microsoft.com/en-us/wdsi/definitions).

 Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.

-> **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection).
-> 
-> **NOTE:** Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
+> [!NOTE]
+> This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection).
+
+> [!NOTE]
+> Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.

 ## System requirements

--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@ -130,7 +130,7 @@ Out of the two Microsoft Threat Expert components, targeted attack notification
 Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.

 >[!NOTE]
->This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
+>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.

 ## Azure Information Protection

--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
@ -0,0 +1,54 @@
+---
+title: AlertEvents table in the advanced hunting schema
+description: Learn about the AlertEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, alertevent
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-maave
+author: martyav
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 07/24/2019
+---
+
+# AlertEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| AlertId | string | Unique identifier for the alert |
+| EventTime | datetime | Date and time when the event was recorded |
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
+| Category | string | Type of threat indicator or breach activity identified by the alert |
+| Title | string | Title of the alert |
+| FileName | string | Name of the file that the recorded action was applied to |
+| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
+| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
+| RemoteIP | string | IP address that was being connected to |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| Table | string | Table that contains the details of the event |
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@ -37,7 +37,7 @@ The following best practices serve as a guideline of query performance best prac
 - When joining between two tables, project only needed columns from both sides of the join.

 >[!Tip]
->For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/en-us/azure/kusto/query/best-practices).
+>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices).

 ## Query tips and pitfalls

--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
@ -0,0 +1,73 @@
+---
+title: FileCreationEvents table in the Advanced hunting schema 
+description: Learn about the FileCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, filecreationevents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-maave
+author: martyav
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 07/24/2019
+---
+
+# FileCreationEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see  [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| EventTime | datetime | Date and time when the event was recorded |
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| ActionType | string | Type of activity that triggered the event |
+| FileName | string | Name of the file that the recorded action was applied to |
+| FolderPath | string | Folder containing the file that the recorded action was applied to |
+| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
+| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
+| MD5 | string | MD5 hash of the file that the recorded action was applied to |
+| FileOriginUrl | string | URL where the file was downloaded from |
+| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
+| FileOriginIP | string | IP address where the file was downloaded from |
+| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
+| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
+| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
+| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
+| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
+| InitiatingProcessFileName | string | Name of the process that initiated the event |
+| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
+| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
+| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
+| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
+| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
+| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
+| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
+| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
@ -0,0 +1,66 @@
+---
+title: ImageLoadEvents table in the Advanced hunting schema
+description: Learn about the ImageLoadEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, imageloadevents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-maave
+author: martyav
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 07/24/2019
+---
+
+# ImageLoadEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| EventTime | datetime | Date and time when the event was recorded |
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| ActionType | string | Type of activity that triggered the event |
+| FileName | string | Name of the file that the recorded action was applied to |
+| FolderPath | string | Folder containing the file that the recorded action was applied to |
+| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
+| MD5 | string | MD5 hash of the file that the recorded action was applied to |
+| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
+| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
+| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
+| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
+| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
+| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
+| InitiatingProcessFileName | string | Name of the process that initiated the event |
+| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
+| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
+| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
+| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
+| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
@ -0,0 +1,74 @@
+---
+title: LogonEvents table in the Advanced hunting schema
+description: Learn about the LogonEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, logonevents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-maave
+author: martyav
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 07/24/2019
+---
+
+# LogonEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| EventTime | datetime | Date and time when the event was recorded |
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string	| Fully qualified domain name (FQDN) of the machine |
+| ActionType | string |Type of activity that triggered the event |
+| AccountDomain | string | Domain of the account |
+| AccountName | string | User name of the account |
+| AccountSid | string | Security Identifier (SID) of the account |
+| LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
+| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
+| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name  or a host name without domain information |
+| RemoteIP | string | IP address that was being connected to |
+| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
+| RemotePort | int | TCP port on the remote device that was being connected to |
+| AdditionalFields | string | Additional information about the event in JSON array format |
+| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
+| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
+| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
+| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
+| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
+| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
+| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
+| InitiatingProcessFileName | string | Name of the process that initiated the event |
+| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
+| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
+| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
+| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
+| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine |
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
@ -0,0 +1,55 @@
+---
+title: MachineInfo table in the Advanced hunting schema
+description: Learn about the MachineInfo table in the Advanced hunting schema, such as column names, data types, and descriptions
+keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machineinfo
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-maave
+author: martyav
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 07/24/2019
+---
+
+# MachineInfo
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| EventTime | datetime | Date and time when the event was recorded |
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
+| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy |
+| OSArchitecture | string | Architecture of the operating system running on the machine |
+| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
+| OSBuild | string | Build version of the operating system running on the machine |
+| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
+| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
+| RegistryMachineTag | string | Machine tag added through the registry |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| OSVersion | string | Version of the operating system running on the machine |
+| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
@ -0,0 +1,56 @@
+---
+title: MachineNetworkInfo table in the Advanced hunting schema
+description: Learn about the MachineNetworkInfo table in the Advanced hunting schema, such as column names, data types, and descriptions
+keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machinenetworkinfo
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-maave
+author: martyav
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 07/24/2019
+---
+
+# MachineNetworkInfo
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| EventTime | datetime | Date and time when the event was recorded |
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| NetworkAdapterName | string | Name of the network adapter |
+| MacAddress | string | MAC address of the network adapter |
+| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
+| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
+| TunnelType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
+| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
+| DnsAddresses | string | DNS server addresses in JSON array format |
+| IPv4Dhcp | string | IPv4 address of DHCP server |
+| IPv6Dhcp | string | IPv6 address of DHCP server |
+| DefaultGateways | string | Default gateway addresses in JSON array format |
+| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
@ -0,0 +1,87 @@
+---
+title: MiscEvents table in the advanced hunting schema
+description: Learn about the MiscEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, miscEvents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-maave
+author: martyav
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 07/24/2019
+---
+
+# MiscEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| EventTime | datetime | Date and time when the event was recorded |
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| ActionType | string | Type of activity that triggered the event |
+| FileName | string | Name of the file that the recorded action was applied to |
+| FolderPath | string | Folder containing the file that the recorded action was applied to |
+| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
+| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
+| MD5 | string | MD5 hash of the file that the recorded action was applied to |
+| AccountDomain | string | Domain of the account |
+| AccountName |string | User name of the account |
+| AccountSid | string | Security Identifier (SID) of the account |
+| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
+| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
+| ProcessId | int | Process ID (PID) of the newly created process |
+| ProcessCommandLine | string | Command line used to create the new process |
+| ProcessCreationTime | datetime | Date and time the process was created |
+| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
+| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
+| RegistryKey | string | Registry key that the recorded action was applied to |
+| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
+| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
+| RemoteIP | string | IP address that was being connected to |
+| RemotePort | int | TCP port on the remote device that was being connected to |
+| LocalIP | string | IP address assigned to the local machine used during communication |
+| LocalPort | int | TCP port on the local machine used during communication |
+| FileOriginUrl | string | URL where the file was downloaded from |
+| FileOriginIP | string | IP address where the file was downloaded from |
+| AdditionalFields | string | Additional information about the event in JSON array format |
+| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
+| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
+| InitiatingProcessFileName | string | Name of the process that initiated the event |
+| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
+| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
+| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
+| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
+| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
+| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
+| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
+| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
+| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
@ -0,0 +1,70 @@
+---
+title: NetworkCommunicationEvents table in the Advanced hunting schema
+description: Learn about the NetworkCommunicationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, networkcommunicationevents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-maave
+author: martyav
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 07/24/2019
+---
+
+# NetworkCommunicationEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| EventTime | datetime | Date and time when the event was recorded |
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| ActionType | string | Type of activity that triggered the event |
+| RemoteIP | string | IP address that was being connected to |
+| RemotePort | int | TCP port on the remote device that was being connected to |
+| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
+| LocalIP | string | IP address assigned to the local machine used during communication |
+| LocalPort | int | TCP port on the local machine used during communication |
+| Protocol | string | IP protocol used, whether TCP or UDP |
+| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
+| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
+| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
+| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
+| InitiatingProcessFileName | string | Name of the process that initiated the event |
+| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
+| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
+| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
+| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
+| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
+| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
+| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
+| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
+| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
@ -0,0 +1,78 @@
+---
+title: ProcessCreationEvents table in the Advanced hunting schema
+description: Learn about the ProcessCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, processcreationevents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-maave
+author: martyav
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 07/24/2019
+---
+
+# ProcessCreationEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| EventTime | datetime | Date and time when the event was recorded |
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| ActionType | string | Type of activity that triggered the event |
+| FileName | string | Name of the file that the recorded action was applied to |
+| FolderPath | string | Folder containing the file that the recorded action was applied to |
+| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
+| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
+| MD5 | string | MD5 hash of the file that the recorded action was applied to |
+| ProcessId | int | Process ID (PID) of the newly created process |
+| ProcessCommandLine | string | Command line used to create the new process |
+| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
+| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
+| ProcessCreationTime | datetime | Date and time the process was created |
+| AccountDomain | string | Domain of the account |
+| AccountName | string | User name of the account |
+| AccountSid | string | Security Identifier (SID) of the account |
+| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
+| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
+| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
+| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
+| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
+| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
+| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
+| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
+| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
+| InitiatingProcessFileName | string | Name of the process that initiated the event |
+| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
+| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
+| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
+| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
+| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md
@ -1,6 +1,6 @@
 ---
-title: Advanced hunting reference in Microsoft Defender ATP
-description: Learn about Advanced hunting table reference such as column name, data type, and description
+title: Advanced hunting schema reference
+description: Learn about the tables in the advanced hunting schema
 keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@ -15,7 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 06/01/2018
+ms.date: 07/24/2019
 ---

 # Advanced hunting reference in Microsoft Defender ATP
@ -26,101 +26,28 @@ ms.date: 06/01/2018

 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

-## Advanced hunting column reference
-To effectively build queries that span multiple tables, you need to understand the columns in the Advanced hunting schema. The following table lists all the available columns, along with their data types and descriptions. This information is also available in the schema representation in the Advanced hunting screen.
+## Advanced hunting table reference

-| Column name | Data type | Description
-:---|:--- |:---                                                            
-| AccountDomain | string | Domain of the account |
-| AccountName | string | User name of the account |
-| AccountSid | string | Security Identifier (SID) of the account |
-| ActionType | string | Type of activity that triggered the event |
-| AdditionalFields | string | Additional information about the event in JSON array format |
-| AlertId | string | Unique identifier for the alert |
-| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-| Category | string | Type of threat indicator or breach activity identified by the alert |
-| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. |
-| DefaultGateways | string | Default gateway addresses in JSON array format |
-| DnsAddresses | string | DNS server addresses in JSON array format |
-| EventTime | datetime | Date and time when the event was recorded |
-| FileName | string | Name of the file that the recorded action was applied to |
-| FileOriginIp | string | IP address where the file was downloaded from |
-| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
-| FileOriginUrl | string | URL where the file was downloaded from |
-| FolderPath | string | Folder containing the file that the recorded action was applied to |
-| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
-| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
-| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
-| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
-| InitiatingProcessFileName | string | Name of the process that initiated the event |
-| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
-| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
-| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |
-| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
-| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event |
-| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
-| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
-| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event |
-| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. |
-| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
-| Ipv4Dhcp | string | IPv4 address of DHCP server |
-| Ipv6Dhcp | string | IPv6 address of DHCP server |
-| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
-| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
-| LocalIP | string | IP address assigned to the local machine used during communication |
-| LocalPort | int | TCP port on the local machine used during communication |
-| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. |
-| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
-| LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> 
-| MacAddress | string | MAC address of the network adapter |
-| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
-| MachineId | string | Unique identifier for the machine in the service |
-| MD5 | string | MD5 hash of the file that the recorded action was applied to |
-| NetworkAdapterName | string | Name of the network adapter |
-| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). |
-| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). |
-| OSArchitecture | string | Architecture of the operating system running on the machine |
-| OSBuild | string | Build version of the operating system running on the machine |
-| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
-| OsVersion | string | Version of the operating system running on the machine |
-| PreviousRegistryKey | string | Original registry key of the registry value before it was modified |
-| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
-| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
-| PreviousRegistryValueType | string | Original data type of the registry value before it was modified |
-| ProcessCommandline | string | Command line used to create the new process |
-| ProcessCreationTime | datetime | Date and time the process was created |
-| ProcessId | int | Process ID (PID) of the newly created process |
-| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
-| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
-| Protocol | string | IP protocol used, whether TCP or UDP |
-| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. |
-| RegistryKey | string | Registry key that the recorded action was applied to |
-| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
-| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
-| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
-| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
-| RemoteIP | string | IP address that was being connected to |
-| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| RemotePort | int | TCP port on the remote device that was being connected to |
-| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
-| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
-| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
-| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
-| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
-| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
-| RegistryMachineTag | string | Machine tag added through the registry |
-| Table | string | Table that contains the details of the event |
-| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
+The Advanced hunting schema is made up of multiple tables that provide either event information or information about certain entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.

->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)        
+The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.
+
+Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen.
+
+| Table name | Description |
+|------------|-------------|
+| **[AlertEvents](advanced-hunting-alertevents-table.md)** | Alerts on Microsoft Defender Security Center |
+| **[MachineInfo](advanced-hunting-machineinfo-table.md)** | Machine information, including OS information |
+| **[MachineNetworkInfo](advanced-hunting-machinenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
+| **[ProcessCreationEvents](advanced-hunting-processcreationevents-table.md)** | Process creation and related events |
+| **[NetworkCommunicationEvents](advanced-hunting-networkcommunicationevents-table.md)** | Network connection and related events |
+| **[FileCreationEvents](advanced-hunting-filecreationevents-table.md)** | File creation, modification, and other file system events |
+| **[RegistryEvents](advanced-hunting-registryevents-table.md)** | Creation and modification of registry entries |
+| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events |
+| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events |
+| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |

 ## Related topics
+
 - [Query data using Advanced hunting](advanced-hunting.md)
- [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
+- [Best practices for Advanced hunting query-writing](advanced-hunting-best-practices.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
@ -0,0 +1,68 @@
+---
+title: RegistryEvents table in the Advanced hunting schema
+description: Learn about the RegistryEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
+keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, registryevents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-maave
+author: martyav
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 07/24/2019
+---
+
+# RegistryEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| EventTime | datetime | Date and time when the event was recorded |
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| ActionType | string | Type of activity that triggered the event |
+| RegistryKey | string | Registry key that the recorded action was applied to |
+| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
+| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
+| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
+| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
+| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
+| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
+| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
+| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
+| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
+| InitiatingProcessFileName | string | Name of the process that initiated the event |
+| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
+| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
+| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
+| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
+| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
+| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
+| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
@ -0,0 +1,96 @@
+---
+title: Microsoft Defender ATP for US Government GCC High customers 
+description: Learn about the requirements and the available Microsoft Defender ATP capabilities for US Government CCC High customers
+keywords: government, gcc, high, requirements, capabilities, defender, defender atp, mdatp
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+
+# Microsoft Defender ATP for US Government GCC High customers
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for US Government Community Cloud High (GCC High) customers, built in the US Azure Government environment, uses the same underlying technologies as Microsoft Defender ATP in Azure Commercial.
+
+This offering is currently available to US Office 365 GCC High customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some key differences in the availability of capabilities for this offering.
+
+
+## Endpoint versions
+The following OS versions are supported:
+
+- Windows 10, version 1903 
+- Windows 10, version 1809 (OS Build 17763.404 with [KB4490481](https://support.microsoft.com/en-us/help/4490481))
+- Windows 10, version 1803 (OS Build 17134.799 with [KB4499183](https://support.microsoft.com/help/4499183))
+- Windows 10, version 1709 (OS Build 16299.1182 with [KB4499147](https://support.microsoft.com/help/4499147)) 
+- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/en-us/help/4490481))
+
+>[!NOTE]
+>A patch must be deployed before machine onboarding in order to configure Microsoft Defender ATP to the correct environment.
+
+The following OS versions are not supported:
+- Windows Server 2008 R2 SP1
+- Windows Server 2012 R2
+- Windows Server 2016
+- Windows Server, version 1803
+- Windows 7 SP1 Enterprise
+- Windows 7 SP1 Pro
+- Windows 8 Pro
+- Windows 8.1 Enterprise
+- macOS
+
+The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2019:
+
+## Threat & Vulnerability Management
+Not currently available.
+
+
+## Automated investigation and remediation
+The following capabilities are not currently available:
+- Response to Office 365 alerts 
+- Live response 
+
+
+
+## Management and APIs
+The following capabilities are not currently available:
+
+- Threat protection report
+- Machine health and compliance report
+- Integration with third-party products
+
+
+## Integrations
+Integrations with the following Microsoft products are not currently available:
+- Azure Security Center
+- Azure Advanced Threat Protection
+- Azure Information Protection
+- Office 365 Advanced Threat Protection
+- Microsoft Cloud App Security
+- Skype for Business
+- Microsoft Intune (sharing of device information and enhanced policy enforcement)
+
+## Microsoft Threat Experts
+Not currently available.
+
+## Required connectivity settings
+You'll need to ensure that traffic from the following are allowed:
+
+Service location | DNS record
+:---|:---
+Common URLs for all locations (Global location) | ```crl.microsoft.com```<br>```ctldl.windowsupdate.com```<br>```notify.windows.com```
+Microsoft Defender ATP GCC High specific | ```us4-v20.events.data.microsoft.com``` <br>```winatp-gw-usgt.microsoft.com```<br>```winatp-gw-usgv.microsoft.com```<br>```*.blob.core.usgovcloudapi.net```
+
+
+
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@ -48,7 +48,7 @@ The goal is to remediate the issues in the security recommendations list to impr
 - **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls** 
 - **Remediation type** — **Configuration change** or **Software update**

-See how you can [improve your security configuration](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
+See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.

 ## Related topics
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
@ -33,7 +33,7 @@ You need to make sure that all your devices are enrolled in Intune. You can use


 - IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune]https://docs.microsoft.com/intune/quickstart-enroll-windows-device)
+- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune/quickstart-enroll-windows-device)
 - End-user alternative: For more information on joining an Azure AD domain, see [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan).


--- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
@ -47,7 +47,7 @@ You can create rules that determine the machines and alert severities to send em

 2. Click **Add notification rule**.

-3.	Specify the General information:
+3. Specify the General information:
    - **Rule name** - Specify a name for the notification rule.
    - **Include organization name** - Specify the customer name that appears on the email notification.
    - **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant.
@ -93,9 +93,9 @@ This section lists various issues that you may encounter when using email notifi

 **Solution:** Make sure that the notifications are not blocked by email filters:

-1.	Check that the Microsoft Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
-2.	Check that your email security product is not blocking the email notifications from Microsoft Defender ATP.
-3.	Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications.
+1. Check that the Microsoft Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
+2. Check that your email security product is not blocking the email notifications from Microsoft Defender ATP.
+3. Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications.

 ## Related topics
 - [Update data retention settings](data-retention-settings.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
@ -46,7 +46,7 @@ ms.date: 04/24/2018
    
    d. Click **Download package** and save the .zip file.

-2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.

 3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.

@ -98,7 +98,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
 > [!NOTE]
 > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.

-1.	Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
+1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):

    a. In the navigation pane, select **Settings** > **Offboarding**.

@ -108,21 +108,21 @@ For security reasons, the package used to Offboard machines will expire 30 days

    d. Click **Download package** and save the .zip file.

-2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.

-3.	Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.

-4.	In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
+4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.

-5.	Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
+5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.

-6.	In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**.
+6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**.

-7.	Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.
+7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.

-8.	Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared  *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file.
+8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared  *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file.

-9.	Click **OK** and close any open GPMC windows.
+9. Click **OK** and close any open GPMC windows.

 > [!IMPORTANT]
 > Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
@ -132,9 +132,9 @@ For security reasons, the package used to Offboard machines will expire 30 days
 With Group Policy there isn’t an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools.

 ## Monitor machines using the portal
-1.	Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/).
-2.	Click **Machines list**.
-3.	Verify that machines are appearing.
+1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/).
+2. Click **Machines list**.
+3. Verify that machines are appearing.

 > [!NOTE]
 > It can take several days for machines to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
@ -103,7 +103,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
 > [!NOTE]
 > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.

-1.	Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
+1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):

    a. In the navigation pane, select **Settings** >  **Offboarding**.

@ -113,7 +113,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
    
    d. Click **Download package**, and save the .zip file.

-2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.

 3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic.

--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
@ -93,7 +93,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
 > [!NOTE]
 > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.

-1.	Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
+1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):

    a.  In the navigation pane, select **Settings** > **Offboarding**.

@ -103,7 +103,7 @@ For security reasons, the package used to Offboard machines will expire 30 days

    d. Click **Download package** and save the .zip file.

-2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.

 3.  Open an elevated command-line prompt on the machine and run the script:

@ -127,11 +127,11 @@ You can follow the different verification steps in the [Troubleshoot onboarding
 Monitoring can also be done directly on the portal, or by using the different deployment tools.

 ### Monitor machines using the portal
-1.	Go to Microsoft Defender Security Center.
+1. Go to Microsoft Defender Security Center.

-2.	Click **Machines list**.
+2. Click **Machines list**.

-3.	Verify that machines are appearing.
+3. Verify that machines are appearing.


 ## Related topics
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
@ -1,5 +1,5 @@
 ---
-title: Onboard Windows 10 machines on Microsoft Defender ATP
+title: Onboarding tools and methods for Windows 10 machines
 description: Onboard Windows 10 machines so that they can send sensor data to the Microsoft Defender ATP sensor
 keywords: Onboard Windows 10 machines, group policy, system center configuration manager, mobile device management, local script, gp, sccm, mdm, intune
 search.product: eADQiWindows 10XVcnh
@ -15,10 +15,9 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: conceptual
-ms.date: 07/12/2018
 ---

-# Onboard Windows 10 machines
+# Onboarding tools and methods for Windows 10 machines

 **Applies to:**

--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
@ -14,7 +14,7 @@ ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
-ms.topic: procedural
+ms.topic: article
 ---

 # Optimize ASR rule deployment and detections
@ -22,8 +22,6 @@ ms.topic: procedural
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

-[!include[Prerelease information](prerelease.md)]
-
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)

 [Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
@ -14,7 +14,7 @@ ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
-ms.topic: procedural
+ms.topic: article
 ---

 # Get machines onboarded to Microsoft Defender ATP
@ -22,14 +22,13 @@ ms.topic: procedural
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

-[!include[Prerelease information](prerelease.md)]
-
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)

 Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.

->[!NOTE]
->Before you can track and manage onboarding of machines, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management).
+Before you can track and manage onboarding of machines:
+- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management)
+- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)

 ## Discover and track unprotected machines

@ -39,8 +38,7 @@ The **Onboarding** card provides a high-level overview of your onboarding rate b
 *Card showing onboarded machines compared to the total number of Intune-managed Windows 10 machine*

 >[!NOTE]
->- If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
->- During preview, you might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
+>If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.

 ## Onboard more machines with Intune profiles

@ -65,11 +63,11 @@ From the overview, create a configuration profile specifically for the deploymen

 3. After creating the profile, assign it to all your machines. You can review profiles and their deployment status anytime by accessing **Device configuration > Profiles** on Intune.

-   ![Profile assignment screen screen on Intune](images/secconmgmt_onboarding_3assignprofile.png)<br>
-   *Assigning the new agent profile to all machines*
+   ![Profile assignment screen on Intune](images/secconmgmt_onboarding_3assignprofile.png)<br>
+   *Assigning the new profile to all machines*

 >[!TIP]
->To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-profile-assign).
+>To learn more about Intune profiles, read about [assigning user and device profiles](https://docs.microsoft.com/intune/device-profile-assign).

 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)

--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
@ -14,7 +14,7 @@ ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
-ms.topic: procedural
+ms.topic: article
 ---

 # Increase compliance to the Microsoft Defender ATP security baseline
@ -22,16 +22,15 @@ ms.topic: procedural
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

-[!include[Prerelease information](prerelease.md)]
-
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)

 Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.

 To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a).

->[!NOTE]
->Before you can track and manage compliance to the Microsoft Defender ATP security baseline, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management).
+Before you can deploy and track compliance to security baselines:
+- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management)
+- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)

 ## Compare the Microsoft Defender ATP and the Windows Intune security baselines
 The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
@ -41,13 +40,8 @@ The Windows Intune security baseline provides a comprehensive set of recommended

 Both baselines are maintained so that they complement one another and have identical values for shared settings. Deploying both baselines to the same machine will not result in conflicts. Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls.

-## Get permissions to manage security baselines in Intune
-
-By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage security baseline profiles. If you haven’t been assigned either role, work with a Global Administrator or an Intune Service Administrator to [create a custom role in Intune](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role) with full permissions to security baselines and then assign that role to your Azure AD group.
-
-![Security baseline permissions on Intune](images/secconmgmt_baseline_permissions.png)
-
-*Security baseline permissions on Intune*
+>[!NOTE]
+>The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.

 ## Monitor compliance to the Microsoft Defender ATP security baseline

@ -65,10 +59,8 @@ Each machine is given one of the following status types:

 To review specific machines, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the machines.

->[!NOTE] 
->During preview, you might encounter a few known limitations:
->- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
->- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
+>[!NOTE]
+>You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.

 ## Review and assign the Microsoft Defender ATP security baseline

@ -77,7 +69,7 @@ Machine configuration management monitors baseline compliance only of Windows 10
 1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed.

   >[!TIP]
-   > Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines (preview) > PREVIEW: Windows Defender ATP baseline**.
+   > Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**.


 2. Create a new profile.
@ -95,13 +87,13 @@ Machine configuration management monitors baseline compliance only of Windows 10
   ![Security baseline profiles on Intune](images/secconmgmt_baseline_intuneprofile3.png)<br>
   *Assigning the security baseline profile on Intune*

-5. Save the profile and deploy it to the assigned machine group.
+5. Create the profile to save it and deploy it to the assigned machine group.

   ![Assigning the security baseline on Intune](images/secconmgmt_baseline_intuneprofile4.png)<br>
-   *Saving and deploying the security baseline profile on Intune*
+   *Creating the security baseline profile on Intune*

 >[!TIP]
->To learn more about Intune security baselines and assigning them, read [Create a Windows 10 security baseline in Intune](https://docs.microsoft.com/intune/security-baselines).
+>Security baselines on Intune provide a convenient way to comprehensively secure and protect your machines. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines).

 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)

--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
@ -14,7 +14,7 @@ ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
-ms.topic: procedural
+ms.topic: conceptual
 ---

 # Ensure your machines are configured properly
@ -22,8 +22,6 @@ ms.topic: procedural
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

-[!include[Prerelease information](prerelease.md)]
-
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)

 With properly configured machines, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your machines:
@ -47,20 +45,29 @@ In doing so, you benefit from:

 Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines.

-Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll).
+Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).

 >[!NOTE]
->To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/en-us/intune/licenses-assign).
+>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign).

 >[!TIP] 
->To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
+>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).

-## Known issues and limitations in this preview 
-During preview, you might encounter a few known limitations:
- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
- The count of onboarded machines tracked by machine configuration management might not include machines onboarded using Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles. To include these machines, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to these machines.
- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
+## Obtain required permissions
+By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding machines and deploying the security baseline.

+If you have been assigned other roles, ensure you have the necessary permissions:
+
+- Full permissions to device configurations
+- Full permissions to security baselines
+- Read permissions to device compliance policies
+- Read permissions to the organization
+
+![Required permissions on intune](images/secconmgmt_intune_permissions.png)<br>
+*Device configuration permissions on Intune*
+
+>[!TIP] 
+>To learn more about assigning permissions on Intune, [read about creating custom roles](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role).

 ## In this section
 Topic | Description
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@ -172,8 +172,59 @@ If at least one of the connectivity options returns a (200) status, then the Mic
 However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.

 > [!NOTE]
+> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
 > When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.

+## Conduct investigations with Microsoft Defender ATP behind a proxy
+Microsoft Defender ATP supports network connection monitoring from different levels of the operating system network stack. A challenging case is when the network uses a forward proxy as a gateway to the internet.
+The proxy acts as if it was the target endpoint.  In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. Microsoft Defender ATP supports advanced HTTP level sensor.
+By enabling this sensor, Microsoft Defender ATP will expose a new type of events that surfaces the real target domain names. <br><br>
+
+**Investigation Impact**<br>
+In machine's timeline the IP address will keep representing the proxy, while the real target address shows up.
+![Image of network events on machine's timeline](images/atp-proxy-investigation.png)<br>
+
+Additional events triggered by the Network Protection layer are now available to surface the real domain names even behind a proxy. <br>
+Event's information:
+![Image of single network event](images/atp-proxy-investigation-event.png)<br>
+
+**Advanced Hunting**<br>
+All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ‘ConnecionSuccess’ action type.<br>
+Using this simple query will show you all the relevant events:
+
+```
+NetworkCommunicationEvents
+| where ActionType == "ConnectionSuccess" 
+| take 10
+```
+![Image of advanced hunting query](images/atp-proxy-investigation-ah.png)
+
+You can also filter out the events that are related to connection to the proxy itself. Use the following query to filter out the connections to the proxy:
+```
+NetworkCommunicationEvents
+| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"  
+| take 10
+```
+
+**How to enable the advanced network connection sensor**<br>
+Monitoring network connection behind forward proxy is possible due to additional Network Events that originate from Network Protection. To see them in machine’s timeline you need to turn Network Protection on at least in audit mode. <br>
+
+Network protection is a feature in Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites.  Its behavior can be controlled by the following options: Block and Audit. <br>
+If you turn this policy on in "Block" mode, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.<br>
+
+If you turn this policy on in "Audit" mode, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.<br>
+
+If you turn this policy off, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.<br>
+
+If you do not configure this policy, network blocking will be disabled by default. <br><br>
+
+> [!NOTE]
+> In order to enable Monitoring network connection behind forward proxy and see the domains you will need to enable network protection at least in audit mode.
+
+Additional documentation:
+- [Applying network protection with GP – policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
+- [Windows Defender Exploit Guard Documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet)
+
 ## Related topics
 - [Onboard Windows 10 machines](configure-endpoints.md)
 - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@ -104,14 +104,14 @@ The following steps are required to enable this integration:

 ### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP 

-1.	Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
+1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).

-2.	Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
+2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
    - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup) <br>
    On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
    - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). 

-3.	You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
+3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).

 Once completed, you should see onboarded servers in the portal within an hour.

@ -149,7 +149,7 @@ Supported tools include:

 1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md). 

-2.	If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
+2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:

    a. Set the following registry entry:
       - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@ -28,13 +28,13 @@ Create custom detection rules from [Advanced hunting](overview-hunting.md) queri
 >[!NOTE]
 >To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.

-1.	In the navigation pane, select **Advanced hunting**.
+1. In the navigation pane, select **Advanced hunting**.

-2.	Select an existing query that you'd like to base the monitor on or create a new query.
+2. Select an existing query that you'd like to base the monitor on or create a new query.

-3.	Select **Create detection rule**.
+3. Select **Create detection rule**.

-4.	Specify the alert details:
+4. Specify the alert details:

    - Alert title
    - Severity
@ -42,7 +42,7 @@ Create custom detection rules from [Advanced hunting](overview-hunting.md) queri
    - Description
    - Recommended actions

-5.	Click **Create**.
+5. Click **Create**.

 > [!TIP]
 > TIP #1: Running the query for the first time before saving it can help you find any mistakes or errors and give you a preview of the data you can expect to be returned.<br>
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@ -0,0 +1,157 @@
+---
+title: Microsoft Defender ATP evaluation lab
+description: Learn about Microsoft Defender ATP capabilities, run attack simulations, and see how it prevents, detects, and remediates threats.
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Microsoft Defender ATP evaluation lab
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
+
+The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
+ focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
+
+When you get started with the lab, you'll be guided through a simple set-up process where your tenant will be provisioned with test machines. These test machines will come pre-configured to have the latest and greatest Windows 10 version with the right security components in place and Office 2019 Standard installed.
+
+With the simplified set-up experience, you can focus on running your own test scenarios and the pre-made simulations to see how Microsoft Defender ATP performs. 
+
+You'll have full access to all the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers. 
+
+
+## Get started with the lab
+You can access the lab from the menu. In the navigation menu, select **Evaluation and tutorials > Evaluation lab**.
+
+![Image of the evaluation lab on the menu](images/evaluation-lab-menu.png)
+
+When you access the evaluation lab for the first time, you'll find an introduction page with a link to the evaluation guide. The guide contains tips and recommendations to keep in mind when evaluating an advanced threat protection product. 
+
+It's a good idea to read the guide before starting the evaluation process so that you can conduct a thorough assessment of the platform.
+
+
+## Evaluation setup 
+When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with connection details. The machine will be configured with the most up to date version of Windows 10 and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals.
+
+The machine will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side. 
+
+   The following security components are pre-configured in the test machines:
+
+  - [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
+  - [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
+  - [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)
+  - [Exploit Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection)
+  - [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)
+  - [Potentially unwanted application detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus)
+  - [Cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)
+  - [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview)
+
+  >[!NOTE]
+  > Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+
+Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md).
+
+>[!NOTE]
+>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
+
+
+1. In the navigation pane, select **Evaluation and tutorials > Evaluation lab**.
+
+2. Select **Prepare lab**. 
+
+     ![Image of welcome page](images/welcome-evaluation-lab.png)
+
+3. Select **Add machine**.
+
+    >[!WARNING]
+    > The evaluation environment can only be provisioned up to three test machines. Each machine will only be available for three days from the day of activation. 
+
+   ![Image of add machine](images/evaluation-add-machine.png)
+
+    >[!NOTE]
+    >If something goes wrong with the machine creation process, you'll be notified and you'll need to submit a new request. If the machine creation fails, it will not be counted against the overall allowed quota. 
+
+4. The connection details are displayed. Select **Copy** to save the password for the machine.
+
+    >[!NOTE]
+    >The password is only displayed once. Be sure to save it for later use.
+
+5. Machine set up begins. This can take up to approximately 30 minutes. 
+
+The environment will reflect your test machine status through the evaluation - including risk score, exposure score, and alerts created through the simulation.
+
+
+![Image of test machines](images/eval-lab-dashboard.png)
+
+## Simulate attack scenarios
+Use the test machines to run attack simulations by connecting to them. 
+
+If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Microsoft Defender ATP capabilities and walk you through investigation experience.
+
+You can also use [Advanced hunting](advanced-hunting.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats.
+
+>[!NOTE]
+>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
+
+1. Connect to your machine and run an attack simulation by selecting **Connect**. 
+
+    ![Image of the connect button for test machines](images/test-machine-table.png)
+
+2. Save the RDP file and launch it by selecting **Connect**.
+
+    ![Image of remote desktop connection](images/remote-connection.png)
+
+    >[!NOTE]
+    >If you don't have a copy of the password saved during the initial setup, you can reset the password by selecting **Reset password** from the menu:
+    > ![Image of reset password](images/reset-password-test-machine.png)<br>
+    > The machine will change it’s state to “Executing password reset", then you’ll be presented with your new password in a few minutes.
+
+3. Enter the password that was displayed during the machine creation step. 
+
+   ![Image of window to enter credentials](images/enter-password.png)
+
+4. Run simulations on the machine. 
+
+After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if your attacks triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature.
+
+
+Hunt for attack evidence through Advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
+
+
+## Simulation results
+Get a full overview of the simulation results, all in one place, allowing you to drill down to the relevant pages with every detail you need.
+
+View the machine details page by selecting the machine from the table. You'll be able to drill down on relevant alerts and investigations by exploring the rich context provided on the attack simulation. 
+
+### Evaluation report
+The lab reports summarize the results of the simulations conducted on the machines. 
+
+![Image of the evaluation report](images/eval-report.png)
+
+At a glance, you'll quickly be able to see:
+- Incidents that were triggered
+- Generated alerts
+- Assessments on exposure level 
+- Threat categories observed
+- Detection sources
+- Automated investigations
+
+## Provide feedback
+Your feedback helps us get better in protecting your environment from advanced attacks. Share your experience and impressions from product capabilities and evaluation results.
+
+Let us know what you think, by selecting **Provide feedback**.
+
+![Image of provide feedback](images/eval-feedback.png)
+
--- a/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md
@ -141,11 +141,11 @@ This step will guide you in simulating an event in connection to a malicious IP
 ## Step 4: Explore the custom alert in the portal
 This step will guide you in exploring the custom alert in the portal.

-1.	Open [Microsoft Defender Security Center](http://securitycenter.windows.com/) on a browser.
+1. Open [Microsoft Defender Security Center](http://securitycenter.windows.com/) on a browser.

-2.	Log in with your Microsoft Defender ATP credentials.
+2. Log in with your Microsoft Defender ATP credentials.

-3.	The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack.
+3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack.

    ![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png)

--- a/windows/security/threat-protection/microsoft-defender-atp/images/alerts-incidents.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/alerts-incidents.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-ah.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-ah.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-event.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-event.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/connection-details.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/connection-details.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/enter-password.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/enter-password.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/eval-feedback.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/eval-feedback.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/eval-lab-dashboard.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/eval-lab-dashboard.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/eval-machines.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/eval-machines.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/eval-report.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/eval-report.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-add-machine.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-add-machine.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-menu.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-menu.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/evaluation.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/evaluation.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/provide-feedback.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/provide-feedback.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/remote-connection.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/remote-connection.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/reset-password-test-machine.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/reset-password-test-machine.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_permissions.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_permissions.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_intune_permissions.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_intune_permissions.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/test-machine-table.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/test-machine-table.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/timeline-machine.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/timeline-machine.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/welcome-eval-lab.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/welcome-eval-lab.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/welcome-evaluation-lab.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/welcome-evaluation-lab.png
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
@ -1,14 +1,14 @@
 ---
 title: Configure information protection in Windows 
 ms.reviewer: 
-description: Learn how to expand the coverage of WIP to protect files based on their label, regardless of their origin.
+description: Learn how to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
 keywords: information, protection, data, loss, prevention, wip, policy, scc, compliance, labels, dlp
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
@ -34,34 +34,36 @@ If a file meets the criteria set in the policy settings and endpoint data loss p

 ## Prerequisites
 - Endpoints need to be on Windows 10, version 1809 or later
- You'll need the appropriate license to leverage the Microsoft Defender ATP and Azure Information Protection integration
- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
+- You need the appropriate license to use the Microsoft Defender ATP and Azure Information Protection integration
+- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information, see [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)


 ## Configure endpoint data loss prevention
+Complete the following steps so that Microsoft Defender ATP can automatically identify labeled documents stored on the device and enable WIP on them.
+
+>[!NOTE]
+>- The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
+>- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data.
+
 1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step. 
 2. Define which labels need to get WIP protection in Office 365 Security and Compliance. 
    
   1. Go to: **Classifications > Labels**.
-   2. Create a new label or edit an existing one. 
+   2. Create a label or edit an existing one. 
   3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP.

      ![Image of Office 365 Security and Compliance sensitivity label](images/endpoint-data-loss-protection.png)

   4. Repeat for every label that you want to get WIP applied to in Windows. 

-After completing these steps Microsoft Defender ATP will automatically identify labeled documents stored on the device and enable WIP on them.

->[!NOTE]
->- The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
->- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data.


 ## Configure auto labeling

-Windows automatically detects when an Office file, PDF, CSV or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
+Windows automatically detects when an Office file, CSV, or TXT files are being created on a device and inspects it based on context to identify sensitive information types.

-Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled; the file is protected with Endpoint data loss prevention.
+Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled. The file is protected with Endpoint data loss prevention.

 >[!NOTE]
 > Auto-labeling requires Windows 10, version 1903.
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
@ -83,7 +83,7 @@ Use the slider or the range selector to quickly specify a time period that you w

 ## Deep analysis

-The **Deep analysis** tab allows you to [submit the file for deep analysis](respond-file-alerts.md#deep-analysis), to uncover more details about the the file's behavior, as well as the effect it is having within your organizations. After you submit the file, the deep analysis report will appear in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank.
+The **Deep analysis** tab allows you to [submit the file for deep analysis](respond-file-alerts.md#deep-analysis), to uncover more details about the file's behavior, as well as the effect it is having within your organizations. After you submit the file, the deep analysis report will appear in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank.

 ![Image of deep analysis tab](images/submit-file.png)

--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@ -109,7 +109,7 @@ To see a full page view of an alert including incident graph and process tree, s

 The **Timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine. This can help you correlate any events, files, and IP addresses in relation to the machine.

-Timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period. To further control your view, you can filter by event groups or customize the columns.
+The timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period. To further control your view, you can filter by event groups or customize the columns.

 >[!NOTE]
 > For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection).
@ -131,15 +131,15 @@ Some of the functionality includes:
 - Export detailed machine timeline events
  - Export the machine timeline for the current date or a specified date range up to seven days.

-Along with event time and users, one of the main categories on the timeline is "Details". They describe what happened in the events. The list of possible details are:
+More details about certain events are provided in the **Additional information** section. These details vary depending on the type of event, for example: 

- Contained by Application Guard
- Active threat detected - when the detection happened, the threat was executing (i.e. it was running)
- Remediation unsuccessful - remediation was invoked but failed
- Remediation successful - the threat was stopped and cleaned up
- Warning bypassed by user - SmartScreen warning appeared but the user dismissed it
- Suspicious script detected
- Alert category (e.g. lateral movement)- if the event is correlated to an alert, the tag will show the alert category
+- Contained by Application Guard - the web browser event was restricted by an isolated container
+- Active threat detected - the threat detection occurred while the threat was running
+- Remediation unsuccessful - an attempt to remediate the detected threat was invoked but failed
+- Remediation successful - the detected threat was stopped and cleaned
+- Warning bypassed by user - the SmartScreen warning was dismissed and overridden by a user
+- Suspicious script detected - a potentially malicious script was found running
+- The alert category - if the event led to the generation of an alert, the alert category  ("Lateral Movement", for example) is provided

 You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine.

--- a/windows/security/threat-protection/microsoft-defender-atp/licensing.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/licensing.md
@ -28,13 +28,13 @@ ms.topic: article

 ## Check license state

-Checking for the license state and whether it got properly provisioned, can be done through the **Office 365 admin center** or through the **Microsoft Azure portal**.
+Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**.

 1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).

   ![Image of Azure Licensing page](images/atp-licensing-azure-portal.png)

-1. Alternately, in the **Office 365 admin center**, navigate to **Billing** > **Subscriptions**.
+1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.

   - On the screen you will see all the provisioned licenses and their current **Status**.

@ -43,11 +43,11 @@ Checking for the license state and whether it got properly provisioned, can be d

 ## Cloud Service Provider validation

-To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the **Office 365 admin center**.
+To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center.

 1. From the **Partner portal**, click on the **Administer services > Office 365**.

-2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer **Office 365 admin center**.
+2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer admin center.

   ![Image of O365 admin portal](images/atp-O365-admin-portal-customer.png)

--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@ -99,6 +99,9 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft
 <a name="ss"></a>

 **[Secure score](overview-secure-score.md)**<br>
+>[!NOTE]
+>  Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
+
 Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.

 <a name="mte"></a>
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md
@ -1,7 +1,9 @@
 # [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md)

-## [Overview](overview.md)
-### [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+## [Overview]()
+### [Overview of Microsoft Defender ATP capabilities](overview.md)
+### [Threat & Vulnerability Management]()
+#### [Next-generation capabilities](next-gen-threat-and-vuln-mgt.md)
 #### [What's in the dashboard and what it means for my organization](tvm-dashboard-insights.md)
 #### [Exposure score](tvm-exposure-score.md)
 #### [Configuration score](configuration-score.md)
@ -12,29 +14,39 @@
 #### [Scenarios](threat-and-vuln-mgt-scenarios.md)


-### [Attack surface reduction](overview-attack-surface-reduction.md)
-#### [Hardware-based isolation](overview-hardware-based-isolation.md)
-##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md)
+### [Attack surface reduction]()
+#### [Hardware-based isolation]()
+##### [Hardware-based isolation in Windows 10](overview-hardware-based-isolation.md)
+
+##### [Application isolation]()
+###### [Application guard overview](../windows-defender-application-guard/wd-app-guard-overview.md)
 ###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md)
+
 ##### [System integrity](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
-#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
+
+#### [Application control]()
+##### [Windows Defender Application Guard](../windows-defender-application-control/windows-defender-application-control.md)
+
 #### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
 #### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
 #### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
 #### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
 #### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md)
+
+
 ### [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
-### [Endpoint detection and response](overview-endpoint-detection-response.md)
+
+
+### [Endpoint detection and response]()
+#### [Endpoint detection and response overview](overview-endpoint-detection-response.md)
 #### [Security operations dashboard](security-operations-dashboard.md)

-
-#### [Incidents queue](incidents-queue.md)
+#### [Incidents queue]()
 ##### [View and organize the Incidents queue](view-incidents-queue.md)
 ##### [Manage incidents](manage-incidents.md)
 ##### [Investigate incidents](investigate-incidents.md)

-
-#### Alerts queue
+#### [Alerts queue]()
 ##### [View and organize the Alerts queue](alerts-queue.md)
 ##### [Manage alerts](manage-alerts.md)
 ##### [Investigate alerts](investigate-alerts.md)
@ -44,16 +56,18 @@
 ##### [Investigate a domain](investigate-domain.md)
 ##### [Investigate a user account](investigate-user.md)
 
-#### [Machines list](machines-view-overview.md)
-##### [Investigate machines](investigate-machines.md#machine-timeline)
+#### [Machines list]()
+##### [View and organize the Machines list](machines-view-overview.md)
+
+##### [Investigate machines]()
 ###### [Machine details](investigate-machines.md#machine-details)
 ###### [Response actions](investigate-machines.md#response-actions)
 ###### [Cards](investigate-machines.md#cards)
 ###### [Tabs](investigate-machines.md#tabs)

-
-#### [Take response actions](response-actions.md)
-##### [Take response actions on a machine](respond-machine-alerts.md)
+#### [Take response actions]()
+##### [Take response actions on a machine]()
+###### [Understand response actions](respond-machine-alerts.md)
 ###### [Manage tags](respond-machine-alerts.md#manage-tags)
 ###### [Initiate Automated Investigation](respond-machine-alerts.md#initiate-automated-investigation)
 ###### [Initiate Live Response Session](respond-machine-alerts.md#initiate-live-response-session)
@ -63,46 +77,60 @@
 ###### [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network)
 ###### [Check activity details in Action center](respond-machine-alerts.md#check-activity-details-in-action-center)
 
-##### [Take response actions on a file](respond-file-alerts.md)
+##### [Take response actions on a file]()
+###### [Understand response actions](respond-file-alerts.md)
 ###### [Stop and quarantine files in your network](respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
-###### [Remove file from quarantine](respond-file-alerts.md#remove-file-from-quarantine)
-###### [Block files in your network](respond-file-alerts.md#block-files-in-your-network)
-###### [Remove file from blocked list](respond-file-alerts.md#remove-file-from-blocked-list)
-###### [Check activity details in Action center](respond-file-alerts.md#check-activity-details-in-action-center)
+###### [Restore file from quarantine](respond-file-alerts.md#restore-file-from-quarantine)
+###### [Add an indicator to block or allow a file](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
 ###### [Deep analysis](respond-file-alerts.md#deep-analysis)

-
-##### [Investigate entities using Live response](live-response.md)
+##### [Live response]()
+###### [Investigate entities on machines](live-response.md)
 ###### [Live response command examples](live-response-command-examples.md)

-### [Automated investigation and remediation](automated-investigations.md)
+
+### [Automated investigation and remediation]()
+#### [Understand Automated investigations](automated-investigations.md)
 #### [Learn about the automated investigation and remediation dashboard](manage-auto-investigation.md)
 #### [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)


 ### [Secure score](overview-secure-score.md)
+
+
 ### [Threat analytics](threat-analytics.md)

+
 ### [Microsoft Threat Experts](microsoft-threat-experts.md)

-### [Advanced hunting](overview-hunting.md)
-#### [Query data using Advanced hunting](advanced-hunting.md)
+
+### [Advanced hunting]()
+#### [Advanced hunting overview](overview-hunting.md)
+
+#### [Query data using Advanced hunting]()
+##### [Data querying basics](advanced-hunting.md)
 ##### [Advanced hunting reference](advanced-hunting-reference.md)
 ##### [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
-#### [Custom detections](overview-custom-detections.md)
+
+#### [Custom detections]()
+##### [Understand custom detection rules](overview-custom-detections.md)
 ##### [Create custom detections rules](custom-detection-rules.md)

-### [Management and APIs](management-apis.md)
+### [Management and APIs]()
+#### [Overview of management and APIs](management-apis.md)
 #### [Understand threat intelligence concepts](threat-indicator-concepts.md)
 #### [Microsoft Defender ATP APIs](apis-intro.md)
 #### [Managed security service provider support](mssp-support.md)

-### [Microsoft Threat Protection](threat-protection-integration.md)
-####  [Protect users, data, and devices with Conditional Access](conditional-access.md)
-#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
-#### [Information protection in Windows overview](information-protection-in-windows-overview.md)
-##### [Use sensitivity labels to prioritize incident response](information-protection-investigation.md)

+### [Integrations]()
+#### [Microsoft Defender ATP integrations](threat-protection-integration.md)
+#### [Conditional Access integration overview](conditional-access.md)
+#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
+
+#### [Information protection in Windows overview]()
+##### [Windows integration](information-protection-in-windows-overview.md)
+##### [Use sensitivity labels to prioritize incident response](information-protection-investigation.md)


 ### [Microsoft Threat Experts](microsoft-threat-experts.md)
@ -111,100 +139,148 @@
 ### [Portal overview](portal-overview.md)


-## [Get started](get-started.md)
+
+## [Get started]()
 ### [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md)
+### [Preview features](preview.md)
+### [Evaluation lab](evaluation-lab.md)
 ### [Minimum requirements](minimum-requirements.md)
 ### [Validate licensing and complete setup](licensing.md)
-### [Preview features](preview.md)
+
 ### [Data storage and privacy](data-storage-privacy.md)
 ### [Assign user access to the portal](assign-portal-access.md)

-### [Evaluate Microsoft Defender ATP](evaluate-atp.md)
-#### Evaluate attack surface reduction
-##### [Hardware-based isolation](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
-##### [Application control](../windows-defender-application-control/audit-windows-defender-application-control-policies.md)
-##### [Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
-##### [Network Protection](../windows-defender-exploit-guard/evaluate-network-protection.md)
-##### [Controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
-##### [Attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
-##### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-#### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
+### [Evaluate Microsoft Defender ATP capabilities]()
+#### [Evaluate attack surface reduction]()
+
+##### [Evaluate attack surface reduction and next-generation capabilities](evaluate-atp.md)
+###### [Hardware-based isolation](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+###### [Application control](../windows-defender-application-control/audit-windows-defender-application-control-policies.md)
+###### [Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
+###### [Network Protection](../windows-defender-exploit-guard/evaluate-network-protection.md)
+###### [Controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
+###### [Attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
+###### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
+##### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)

 ### [Access the Microsoft Defender Security Center Community Center](community.md)

-## [Configure and manage capabilities](onboard.md)
+## [Configure and manage capabilities]()
+
 ### [Configure attack surface reduction](configure-attack-surface-reduction.md)
-### Hardware-based isolation
+
+### [Hardware-based isolation]()
 #### [System integrity](../windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-#### [Application isolation](../windows-defender-application-guard/install-wd-app-guard.md)
+
+#### [Application isolation]()
+##### [Install Windows Defender Application Guard](../windows-defender-application-guard/install-wd-app-guard.md)
 ##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md) 
+
 #### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
-#### Device control
+
+#### [Device control]()
 ##### [Control USB devices](../device-control/control-usb-devices-using-intune.md)
-##### [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-###### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
+
+##### [Device Guard]()
+###### [Code integrity](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+
+###### [Memory integrity]()
+####### [Understand memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
 ####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
 ####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
-#### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
+
+#### [Exploit protection]()
+##### [Enable exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
 ##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+
 #### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)
-#### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
+
+#### [Controlled folder access]()
+##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
 ##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
-#### [Attack surface reduction controls](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
+
+#### [Attack surface reduction controls]()
+##### [Enable attack surface reduction rules](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
+##### [Customize attack surface reduction rules](../windows-defender-exploit-guard/customize-attack-surface-reduction.md)
+
 #### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)


-
-### [Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
-#### [Utilize Microsoft cloud-delivered protection](../windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+### [Configure next generation protection]()
+#### [Configure Windows Defender Antivirus features](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+#### [Utilize Microsoft cloud-delivered protection]()
+##### [Understand cloud-delivered protection](../windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
 ##### [Enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
 ##### [Specify the cloud-delivered protection level](../windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
 ##### [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
 ##### [Enable Block at first sight](../windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
 ##### [Configure the cloud block timeout period](../windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-#### [Configure behavioral, heuristic, and real-time protection](../windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
+
+#### [Configure behavioral, heuristic, and real-time protection]()
+##### [Configuration overview](../windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
 ##### [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
 ##### [Enable and configure always-on protection and monitoring](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
+
 #### [Antivirus on Windows Server 2016](../windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
-#### [Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+
+#### [Antivirus compatibility]()
+##### [Compatibility charts](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
 ##### [Use limited periodic antivirus scanning](../windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)

-#### [Deploy, manage updates, and report on antivirus](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
-##### [Deploy and enable antivirus](../windows-defender-antivirus/deploy-windows-defender-antivirus.md)
+#### [Deploy, manage updates, and report on antivirus]()
+##### [Using Windows Defender Antivirus](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
+
+##### [Deploy and enable antivirus]()
+###### [Preparing to deploy](../windows-defender-antivirus/deploy-windows-defender-antivirus.md)
 ###### [Deployment guide for VDI environments](../windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
-##### [Report on antivirus protection](../windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
+
+##### [Report on antivirus protection]()
+###### [Review protection status and aqlerts](../windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
 ###### [Troubleshoot antivirus reporting in Update Compliance](../windows-defender-antivirus/troubleshoot-reporting.md)
-##### [Manage updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
+
+##### [Manage updates and apply baselines]()
+###### [Learn about the different kinds of updates](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
 ###### [Manage protection and Security intelligence updates](../windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
 ###### [Manage when protection updates should be downloaded and applied](../windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
 ###### [Manage updates for endpoints that are out of date](../windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
 ###### [Manage event-based forced updates](../windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
 ###### [Manage updates for mobile devices and VMs](../windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)

-#### [Customize, initiate, and review the results of scans and remediation](../windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
-##### [Configure and validate exclusions in antivirus scans](../windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
+#### [Customize, initiate, and review the results of scans and remediation]()
+##### [Configuration overview](../windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+
+##### [Configure and validate exclusions in antivirus scans]()
+###### [Exclusions overview](../windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
 ###### [Configure and validate exclusions based on file name, extension, and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
 ###### [Configure and validate exclusions for files opened by processes](../windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
 ###### [Configure antivirus exclusions Windows Server 2016](../windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+
 ##### [Configure antivirus scanning options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
 ##### [Configure remediation for scans](../windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
 ##### [Configure scheduled scans](../windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
 ##### [Configure and run scans](../windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
 ##### [Review scan results](../windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
 ##### [Run and review the results of an offline scan](../windows-defender-antivirus/windows-defender-offline.md)
+
 #### [Restore quarantined files](../windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
-#### [Manage antivirus in your business](../windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+
+#### [Manage antivirus in your business]()
+##### [Management overview](../windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
 ##### [Use Group Policy settings to configure and manage antivirus](../windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
 ##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](../windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
 ##### [Use PowerShell cmdlets to configure and manage antivirus](../windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
 ##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](../windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
 ##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)

-#### [Manage scans and remediation](../windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
-##### [Configure and validate exclusions in antivirus scans](../windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
+#### [Manage scans and remediation]()
+##### [Management overview](../windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+
+##### [Configure and validate exclusions in antivirus scans]()
+###### [Exclusions overview](../windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
 ###### [Configure and validate exclusions based on file name, extension, and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
 ###### [Configure and validate exclusions for files opened by processes](../windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
 ###### [Configure antivirus exclusions on Windows Server 2016](../windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+
 ##### [Configure scanning options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
 ##### [Configure remediation for scans](../windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
 ##### [Configure scheduled scans](../windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
@ -212,7 +288,9 @@
 ##### [Review scan results](../windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
 ##### [Run and review the results of an offline scan](../windows-defender-antivirus/windows-defender-offline.md)
 ##### [Restore quarantined files](../windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
-#### [Manage next generation protection in your business](../windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+
+#### [Manage next generation protection in your business]()
+##### [Management overview](../windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
 ##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](../windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
 ##### [Use Group Policy settings to manage next generation protection](../windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
 ##### [Use PowerShell cmdlets to manage next generation protection](../windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
@ -220,41 +298,56 @@
 ##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)


-### [Configure Secure score dashboard security controls](secure-score-dashboard.md) 
+### [Configure Secure score dashboard security controls](secure-score-dashboard.md)
+

 ### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)

-### Management and API support
-#### [Onboard machines](onboard-configure.md)
+
+### [Endpoint detection and response management and API support]()
+
+#### [Onboard machines]()
+##### [Onboarding overview](onboard-configure.md)
 ##### [Onboard previous versions of Windows](onboard-downlevel.md)
-##### [Onboard Windows 10 machines](configure-endpoints.md)
+
+##### [Onboard Windows 10 machines]()
+###### [Ways to onboard](configure-endpoints.md)
 ###### [Onboard machines using Group Policy](configure-endpoints-gp.md)
 ###### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm.md)
-###### [Onboard machines using Mobile Device Management tools](configure-endpoints-mdm.md)
+
+###### [Onboard machines using Mobile Device Management tools]()
+####### [Overview](configure-endpoints-mdm.md)
 ####### [Onboard machines using Microsoft Intune](configure-endpoints-mdm.md#onboard-machines-using-microsoft-intune)
 ###### [Onboard machines using a local script](configure-endpoints-script.md)
 ###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
+
 ##### [Onboard servers](configure-server-endpoints.md)
 ##### [Onboard non-Windows machines](configure-endpoints-non-windows.md)
 ##### [Onboard machines without Internet access](onboard-offline-machines.md)
 ##### [Run a detection test on a newly onboarded machine](run-detection-test.md)
 ##### [Run simulated attacks on machines](attack-simulations.md)
 ##### [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
-##### [Troubleshoot onboarding issues](troubleshoot-onboarding.md)
+
+##### [Troubleshoot onboarding issues]()
+###### [Troubleshooting basics](troubleshoot-onboarding.md)
 ###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages.md)
  
-
-#### [Microsoft Defender ATP API](use-apis.md)
+#### [Microsoft Defender ATP API]()
+##### [Understand Microsoft Defender ATP APIs](use-apis.md)
 ##### [Microsoft Defender ATP API license and terms](api-terms-of-use.md)
-##### [Get started with Microsoft Defender ATP APIs](apis-intro.md)
+
+##### [Get started with Microsoft Defender ATP APIs]()
+###### [Introduction](apis-intro.md)
 ###### [Hello World](api-hello-world.md)
 ###### [Get access with application context](exposed-apis-create-app-webapp.md)
 ###### [Get access with user context](exposed-apis-create-app-nativeapp.md)
-##### [APIs](exposed-apis-list.md)

+##### [APIs]()
+###### [Supported Microsoft Defender ATP query APIs](exposed-apis-list.md)
 ###### [Advanced Hunting](run-advanced-query-api.md)

-###### [Alert](alerts.md)
+###### [Alert]()
+####### [Methods, properties, and JSON representation](alerts.md)
 ####### [List alerts](get-alerts.md)
 ####### [Create alert](create-alert-by-reference.md)
 ####### [Update Alert](update-alert.md)
@ -265,7 +358,8 @@
 ####### [Get alert related machine information](get-alert-related-machine-info.md)
 ####### [Get alert related user information](get-alert-related-user-info.md)

-###### [Machine](machine.md)
+###### [Machine]()
+####### [Methods and properties](machine.md)
 ####### [List machines](get-machines.md)
 ####### [Get machine by ID](get-machine-by-id.md)
 ####### [Get machine log on users](get-machine-log-on-users.md)
@ -273,7 +367,8 @@
 ####### [Add or Remove machine tags](add-or-remove-machine-tags.md)
 ####### [Find machines by IP](find-machines-by-ip.md)

-###### [Machine Action](machineaction.md)
+###### [Machine Action]()
+####### [Methods and properties](machineaction.md)
 ####### [List Machine Actions](get-machineactions-collection.md)
 ####### [Get Machine Action](get-machineaction-object.md)
 ####### [Collect investigation package](collect-investigation-package.md)
@ -287,45 +382,49 @@
 ####### [Stop and quarantine file](stop-and-quarantine-file.md)
 ####### [Initiate investigation (preview)](initiate-autoir-investigation.md)

-###### [Indicators](ti-indicator.md)
+###### [Indicators]()
+####### [Methods and properties](ti-indicator.md)
 ####### [Submit Indicator](post-ti-indicator.md)
 ####### [List Indicators](get-ti-indicators-collection.md)
 ####### [Delete Indicator](delete-ti-indicator-by-id.md)

-###### Domain
+###### [Domain]()
 ####### [Get domain related alerts](get-domain-related-alerts.md)
 ####### [Get domain related machines](get-domain-related-machines.md)
 ####### [Get domain statistics](get-domain-statistics.md)
 ####### [Is domain seen in organization](is-domain-seen-in-org.md)

-###### [File](files.md)
+###### [File]()
+####### [Methods and properties](files.md)
 ####### [Get file information](get-file-information.md)
 ####### [Get file related alerts](get-file-related-alerts.md)
 ####### [Get file related machines](get-file-related-machines.md)
 ####### [Get file statistics](get-file-statistics.md)

-###### IP
+###### [IP]()
 ####### [Get IP related alerts](get-ip-related-alerts.md)
 ####### [Get IP related machines](get-ip-related-machines.md)
 ####### [Get IP statistics](get-ip-statistics.md)
 ####### [Is IP seen in organization](is-ip-seen-org.md)

-###### [User](user.md)
+###### [User]()
+####### [Methods](user.md)
 ####### [Get user related alerts](get-user-related-alerts.md)
 ####### [Get user related machines](get-user-related-machines.md)

-##### How to use APIs - Samples
-###### Advanced Hunting API
+##### [How to use APIs - Samples]()
+###### [Advanced Hunting API]()
 ####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
 ####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
 ####### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
 ####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
-###### Multiple APIs
+
+###### [Multiple APIs]()
 ####### [PowerShell](exposed-apis-full-sample-powershell.md)
+
 ###### [Using OData Queries](exposed-apis-odata-samples.md)

-
-#### API for custom alerts
+#### [API for custom alerts]()
 ##### [Enable the custom threat intelligence application](enable-custom-ti.md)
 ##### [Use the threat intelligence API to create custom alerts](use-custom-ti.md)
 ##### [Create custom threat intelligence alerts](custom-ti-api.md)
@ -334,8 +433,8 @@
 ##### [Experiment with custom threat intelligence alerts](experiment-custom-ti.md)
 ##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md)
 
-
-#### [Pull alerts to your SIEM tools](configure-siem.md)
+#### [Pull alerts to your SIEM tools]()
+##### [Learn about different ways to pull alerts](configure-siem.md)
 ##### [Enable SIEM integration](enable-siem-integration.md)
 ##### [Configure Splunk to pull alerts](configure-splunk.md)
 ##### [Configure HP ArcSight to pull alerts](configure-arcsight.md)
@ -343,88 +442,94 @@
 ##### [Pull alerts using SIEM REST API](pull-alerts-using-rest-api.md)
 ##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)

-
-#### Reporting
+#### [Reporting]()
 ##### [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
 ##### [Threat protection reports](threat-protection-reports.md)
 ##### [Machine health and compliance reports](machine-reports.md)

-
-#### Interoperability
+#### [Interoperability]()
 ##### [Partner applications](partner-applications.md)

-#### [Manage machine configuration](configure-machines.md)
+#### [Manage machine configuration]()
+##### [Ensure your machines are configured properly](configure-machines.md)
 ##### [Monitor and increase machine onboarding](configure-machines-onboarding.md)
 ##### [Increase compliance to the security baseline](configure-machines-security-baseline.md)
 ##### [Optimize ASR rule deployment and detections](configure-machines-asr.md)

-#### Role-based access control
-##### [Manage portal access using RBAC](rbac.md)
+#### [Role-based access control]()
+
+##### [Manage portal access using RBAC]()
+###### [Using RBAC](rbac.md)
 ###### [Create and manage roles](user-roles.md)
-###### [Create and manage machine groups](machine-groups.md)
+
+###### [Create and manage machine groups]()
+####### [Using machine groups](machine-groups.md)
 ####### [Create and manage machine tags](machine-tags.md)

 #### [Configure managed security service provider (MSSP) support](configure-mssp-support.md)

-### Configure Microsoft Threat Protection integration
+
+### [Configure Microsoft threat protection integration]()
 #### [Configure Conditional Access](configure-conditional-access.md)
 #### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md)
 #### [Configure information protection in Windows](information-protection-in-windows-config.md)


-### [Configure Microsoft Defender Security Center settings](preferences-setup.md)
-#### General
+### [Configure portal settings]()
+#### [Set up preferences](preferences-setup.md)
+
+#### [General]()
 ##### [Update data retention settings](data-retention-settings.md)
 ##### [Configure alert notifications](configure-email-notifications.md)
 ##### [Enable and create Power BI reports using Windows Security app data](powerbi-reports.md)
 ##### [Enable Secure score security controls](enable-secure-score.md)
 ##### [Configure advanced features](advanced-features.md)
- 
-#### Permissions
+
+#### [Permissions]()
 ##### [Use basic permissions to access the portal](basic-permissions.md)
 ##### [Manage portal access using RBAC](rbac.md)
 ###### [Create and manage roles](user-roles.md)
 ###### [Create and manage machine groups](machine-groups.md)
 ####### [Create and manage machine tags](machine-tags.md)
- 
-#### APIs
+
+#### [APIs]()
 ##### [Enable Threat intel](enable-custom-ti.md)
 ##### [Enable SIEM integration](enable-siem-integration.md)
- 
-#### Rules
+
+#### [Rules]()
 ##### [Manage suppression rules](manage-suppression-rules.md)
 ##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)
 ##### [Manage indicators](manage-indicators.md)
 ##### [Manage automation file uploads](manage-automation-file-uploads.md)
 ##### [Manage automation folder exclusions](manage-automation-folder-exclusions.md)
- 
-#### Machine management
+
+#### [Machine management]()
 ##### [Onboarding machines](onboard-configure.md)
 ##### [Offboarding machines](offboard-machines.md)
- 
-#### [Configure Windows Security app time zone settings](time-settings.md)
- 
+
+#### [Configure time zone settings](time-settings.md)


-## [Troubleshoot Microsoft Defender ATP](troubleshoot-overview.md)
-### Troubleshoot sensor state
+
+## [Troubleshoot Microsoft Defender ATP]()
+
+### [Troubleshoot sensor state]()
 #### [Check sensor state](check-sensor-status.md)
 #### [Fix unhealthy sensors](fix-unhealthy-sensors.md)
 #### [Inactive machines](fix-unhealthy-sensors.md#inactive-machines)
 #### [Misconfigured machines](fix-unhealthy-sensors.md#misconfigured-machines)
 #### [Review sensor events and errors on machines with Event Viewer](event-error-codes.md)

-### [Troubleshoot Microsoft Defender ATP service issues](troubleshoot-mdatp.md)
+
+### [Troubleshoot service issues]()
+#### [Troubleshooting issues](troubleshoot-mdatp.md)
 #### [Check service health](service-status.md)


-### [Troubleshoot live response issues]()
-#### [Troubleshoot issues related to live response](troubleshoot-live-response.md)
-
-### Troubleshoot attack surface reduction
+### [Troubleshoot attack surface reduction issues]()
 #### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md)
 #### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md)
 #### [Collect diagnostic data for files](../windows-defender-exploit-guard/troubleshoot-np.md)

 
-### [Troubleshoot next generation protection](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
+### [Troubleshoot next generation protection issues](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
@ -21,6 +21,9 @@ ms.topic: conceptual
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

+>[!NOTE]
+>  Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
+
 The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.

 >[!IMPORTANT]
@ -37,13 +40,13 @@ The **Secure score dashboard** displays a snapshot of:
 ![Secure score dashboard](images/new-secure-score-dashboard.png)

 ## Microsoft secure score
-The Microsoft secure score tile is reflective of the sum of all the Windows Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings.
+The Microsoft secure score tile is reflective of the sum of all the Microsoft Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings.

 ![Image of Microsoft secure score tile](images/mss.png)

-Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Microsoft Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). 
+Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). 

-The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
+The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).

 In the example image, the total points for the Windows security controls and Office 365 add up to 602 points. 

@ -77,5 +80,14 @@ Within the tile, you can click on each control to see the recommended optimizati
 Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.

 ## Related topic
+- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
 - [Threat analytics](threat-analytics.md)

--- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
@ -130,25 +130,25 @@ For more information, see [Create a Power BI dashboard from a report](https://po
 You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires.  

 ### Before you begin
-1.	Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).
+1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).

-2.	In the Microsoft Defender Security Center navigation pane, select **Settings** > **Power BI reports**.
+2. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Power BI reports**.

    ![Image of settings Power BI reports](images/atp-settings-powerbi.png)    

-3.	Click **Download connector** to download the WDATPPowerBI.zip file and extract it.
+3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it.

    ![Settings with download connector button](images/atp-download-connector.png)

-4.	Create a new directory `Microsoft Power BI Desktop\Custom Connectors` under the user's Documents folder.
+4. Create a new directory `Microsoft Power BI Desktop\Custom Connectors` under the user's Documents folder.

-5.	Copy WDATPDataConnector.mez from the zip to the directory you just created.
+5. Copy WDATPDataConnector.mez from the zip to the directory you just created.

-6.	Open Power BI Desktop.
+6. Open Power BI Desktop.

-7.	Click **File** > **Options and settings** > **Custom data connectors**.
+7. Click **File** > **Options and settings** > **Custom data connectors**.

-8.	Select **New table and matrix visuals** and **Custom data connectors** and click **OK**.
+8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**.
    
    >[!NOTE]
    >If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**.
@ -160,36 +160,36 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t
 ## Customize the Microsoft Defender ATP Power BI dashboard
 After completing the steps in the Before you begin section, you can proceed with building your custom dashboard.

-1.	Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
+1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.

-2.	If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
+2. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.

    ![Consent image](images/atp-powerbi-consent.png)

-3.	Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
+3. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.



 ## Mashup Microsoft Defender ATP data with other data sources
 You can use Power BI Desktop to analyse data from Microsoft Defender ATP and mash that data up with other data sources to gain better security perspective in your organization.

-1.	In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**.
+1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**.

 2. Click **Connect**.

-3.	On the Preview Connector windows, click **Continue**. 
+3. On the Preview Connector windows, click **Continue**. 

-4.	If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
+4. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.

    ![Consent image](images/atp-powerbi-consent.png)

-5.	Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
+5. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.

-6.	In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph.
+6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph.

-7.	Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source.
+7. Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source.

-8.	Add visuals and select fields from the available data sources. 
+8. Add visuals and select fields from the available data sources. 

 ## Using the Power BI reports
 There are a couple of tabs on the report that's generated:
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@ -42,6 +42,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 ## Preview features
 The following features are included in the preview release:

+- [Evaluation lab](evaluation-lab.md) <BR> The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
+ focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
 - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016) <BR> You can now onboard Windows Server 2008 R2 SP1.

 - [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac) <BR> Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices.
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@ -173,7 +173,7 @@ Here is an example return value:
 ### Get access token
 The following code example demonstrates how to obtain an access token and call the Microsoft Defender ATP API.

-```syntax
+```csharp
 AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}/oauth2", tenantId));
 ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret);
 AuthenticationResult authenticationResult  = context.AcquireToken(resource, clientCredentials);
--- a/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md
@ -39,7 +39,7 @@ The following example demonstrates how to obtain an Azure AD access token that y

 Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Settings** page in the portal:

-```
+```python
 import json
 import requests
 from pprint import pprint
@ -62,7 +62,7 @@ token = json.loads(response.text)["access_token"]
 ## Step 2: Create request session object
 Add HTTP headers to the session object, including the Authorization header with the token that was obtained.

-```
+```python
 with requests.Session() as session:
    session.headers = {
        'Authorization': 'Bearer {}'.format(token),
@ -74,7 +74,7 @@ with requests.Session() as session:
 ## Step 3: Create calls to the custom threat intelligence API
 After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:

-```
+```python
    response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
    pprint(json.loads(response.text))
 ```
@ -85,7 +85,7 @@ The response is empty on initial use of the API.
 ## Step 4: Create a new alert definition
 The following example demonstrates how you to create a new alert definition.

-```
+```python
    alert_definition = {"Name": "The alert's name",
                          "Severity": "Low",
                          "InternalDescription": "An internal description of the alert",
@ -104,7 +104,7 @@ The following example demonstrates how you to create a new alert definition.
 ## Step 5: Create a new indicator of compromise
 You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.

-```
+```python
    alert_definition_id = json.loads(response.text)["Id"]

      ioc = {'Type': "Sha1",
@ -121,7 +121,7 @@ You can now use the alert ID obtained from creating a new alert definition to cr
 ## Complete code
 You can use the complete code to create calls to the API.

-```syntax
+```python
 import json
 import requests
 from pprint import pprint
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@ -27,7 +27,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w

 ## Before you begin:

-1. Create an [event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) in your tenant.
+1. Create an [event hub](https://docs.microsoft.com/azure/event-hubs/) in your tenant.
 2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.

 ## Enable raw data streaming:
@ -86,4 +86,4 @@ To get the data types for event properties do the following:
 - [Overview of Advanced Hunting](overview-hunting.md)
 - [Microsoft Defender ATP streaming API](raw-data-export.md)
 - [Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)
- [Azure Event Hubs documentation](https://docs.microsoft.com/en-us/azure/event-hubs/)
+- [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/)
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@ -27,7 +27,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w

 ## Before you begin:

-1. Create a [Storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview) in your tenant.
+1. Create a [Storage account](https://docs.microsoft.com/azure/storage/common/storage-account-overview) in your tenant.
 2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.

 ## Enable raw data streaming:
@ -86,4 +86,4 @@ In order to get the data types for our events properties do the following:
 - [Overview of Advanced Hunting](overview-hunting.md)
 - [Microsoft Defender Advanced Threat Protection Streaming API](raw-data-export.md)
 - [Stream Microsoft Defender Advanced Threat Protection events to your Azure storage account](raw-data-export-storage.md)
- [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)
+- [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview)
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
@ -27,7 +27,7 @@ ms.topic: article

 ## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.

-Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting.md) to an [Event Hubs](https://docs.microsoft.com/en-us/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/en-us/azure/event-hubs/).
+Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/).

 ## In this section

@ -39,5 +39,5 @@ Topic | Description

 ## Related topics
 - [Overview of Advanced Hunting](overview-hunting.md)
- [Azure Event Hubs documentation](https://docs.microsoft.com/en-us/azure/event-hubs/)
- [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)
+- [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/)
+- [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview)
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@ -170,7 +170,7 @@ The Deep analysis summary includes a list of observed *behaviors*, some of which

 Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.

-Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the the file's profile page.
+Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.

 **Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.

--- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
@ -8,22 +8,26 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: mjcaparas
+ms.author: dolmont
+author: DulceMontemayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
-ms.topic: article 
+ms.topic: conceptual
 ---

 # Configure the security controls in Secure score
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

+>[!NOTE]
+>  Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
+
 Each security control lists recommendations that you can take to increase the security posture of your organization.

 ### Endpoint detection and response (EDR) optimization
-For an machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for your Endpoint detection and response tool.
+A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool.

 >[!IMPORTANT]
 >This feature is available for machines on Windows 10, version  1607 or later.
@ -41,18 +45,18 @@ You can take the following actions to increase the overall security score of you

 For more  information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). 

-### Windows Defender Antivirus (Windows Defender AV) optimization
-For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AV is fulfilled.
+### Microsoft Defender Antivirus (Microsoft Defender AV) optimization
+A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AV.

 >[!IMPORTANT]
 >This feature is available for machines on Windows 10, version  1607 or later. 

-#### Minimum baseline configuration setting for Windows Defender AV:
-Machines are considered "well configured" for Windows Defender AV if the following requirements are met:
+#### Minimum baseline configuration setting for Microsoft Defender AV:
+Machines are considered "well configured" for Microsoft Defender AV if the following requirements are met:

- Windows Defender AV is reporting correctly
- Windows Defender AV is turned on
- Security intelligence is up to date
+- Microsoft Defender AV is reporting correctly
+- Microsoft Defender AV is turned on
+- Security intelligence is up-to-date
 - Real-time protection is on
 - Potentially Unwanted Application (PUA) protection is enabled

@ -60,20 +64,20 @@ Machines are considered "well configured" for Windows Defender AV if the followi
 You can take the following actions to increase the overall security score of your organization:

 >[!NOTE]
-> For the Windows Defender Antivirus properties to show,  you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the machine. 
+> For the Microsoft Defender Antivirus properties to show,  you'll need to ensure that the Microsoft Defender Antivirus Cloud-based protection is properly configured on the machine. 

 - Fix antivirus reporting
-  - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
+  - This recommendation is displayed when the Microsoft Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
 - Turn on antivirus
 - Update antivirus Security intelligence 
 - Turn on real-time protection
 - Turn on PUA protection

-For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md).
+For more information, see [Configure Microsoft Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md).


 ### OS security updates optimization
-This tile shows you the exact number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds.
+This tile shows you the number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds.
 
 >[!IMPORTANT]
 >This feature is available for machines on Windows 10, version  1607 or later.
@ -81,20 +85,20 @@ This tile shows you the exact number of machines that require the latest securit
 You can take the following actions to increase the overall security score of your organization:
 - Install the latest security updates
 - Fix sensor data collection
-  - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
+  - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).

 For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter).


-### Windows Defender Exploit Guard (Windows Defender EG) optimization
-For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on machines so that the minimum baseline configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender EG events on the Microsoft Defender ATP Machine timeline. 
+### Microsoft Defender Exploit Guard (Microsoft Defender EG) optimization
+A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline. 


 >[!IMPORTANT]
 >This security control is only applicable for machines with Windows 10, version 1709 or later.

-#### Minimum baseline configuration setting for Windows Defender EG:
-Machines are considered "well configured" for Windows Defender EG if the following requirements are met:
+#### Minimum baseline configuration setting for Microsoft Defender EG:
+Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met:

 - System level protection settings are configured correctly
 - Attack Surface Reduction rules are configured correctly
@ -103,11 +107,11 @@ Machines are considered "well configured" for Windows Defender EG if the followi
 ##### System level protection:
 The following system level configuration settings must be set to **On or Force On**:

-1.	Control Flow Guard 
-2.	Data Execution Prevention (DEP)
-3.	Randomize memory allocations (Bottom-up ASLR)
-4.	Validate exception chains (SEHOP)
-5.	Validate heap integrity
+1. Control Flow Guard 
+2. Data Execution Prevention (DEP)
+3. Randomize memory allocations (Bottom-up ASLR)
+4. Validate exception chains (SEHOP)
+5. Validate heap integrity

 >[!NOTE]
 >The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline.
@ -144,21 +148,21 @@ You can take the following actions to increase the overall security score of you
 - Turn on all system-level Exploit Protection settings
 - Set all ASR rules to enabled or audit mode
 - Turn on Controlled Folder Access
- Turn on Windows Defender Antivirus on compatible machines
+- Turn on Microsoft Defender Antivirus on compatible machines

-For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md).
+For more information, see [Microsoft Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md).

-### Windows Defender Application Guard (Windows Defender AG) optimization
-For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender AG events on the Microsoft Defender ATP Machine timeline. 
+### Microsoft Defender Application Guard (Microsoft Defender AG) optimization
+A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline. 

 >[!IMPORTANT]
 >This security control is only applicable for machines with Windows 10, version 1709 or later.

-#### Minimum baseline configuration setting for Windows Defender AG:
-Machines are considered "well configured" for Windows Defender AG if the following requirements are met:
+#### Minimum baseline configuration setting for Microsoft Defender AG:
+Machines are considered "well configured" for Microsoft Defender AG if the following requirements are met:

 - Hardware and software prerequisites are met
- Windows Defender AG is turned on compatible machines
+- Microsoft Defender AG is turned on compatible machines
 - Managed mode is turned on

 ##### Recommended actions:
@ -166,26 +170,26 @@ You can take the following actions to increase the overall security score of you
 - Ensure hardware and software prerequisites are met
    
    >[!NOTE]
-    >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on.
+    >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on.

- Turn on  Windows Defender AG on compatible machines
+- Turn on  Microsoft Defender AG on compatible machines
 - Turn on managed mode


-For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).
+For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).


-### Windows Defender SmartScreen optimization
-For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled.
+### Microsoft Defender SmartScreen optimization
+A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen.

 >[!WARNING]
-> Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data.
+> Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data.


 >[!IMPORTANT]
 >This security control is only applicable for machines with Windows 10, version 1709 or later.

-#### Minimum baseline configuration setting for Windows Defender SmartScreen:
+#### Minimum baseline configuration setting for Microsoft Defender SmartScreen:
 The following settings must be configured with the following settings:
 - Check apps and files: **Warn** or **Block** 
 - SmartScreen for Microsoft Edge: **Warn** or **Block**
@ -197,27 +201,27 @@ You can take the following actions to increase the overall security score of you
 - Set **SmartScreen for Microsoft Edge** to **Warn** or **Block**
 - Set **SmartScreen for Microsoft store apps** to **Warn** or **Off**

-For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
+For more information, see [Microsoft Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).



-### Windows Defender Firewall optimization
-For a machine to be considered "well configured", Windows Defender Firewall must be turned on and enabled for all profiles and inbound connections are blocked by default. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender Firewall is fulfilled. 
+### Microsoft Defender Firewall optimization
+A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall. 

 >[!IMPORTANT]
 >This security control is only applicable for machines with Windows 10, version 1709 or later.

-#### Minimum baseline configuration setting for Windows Defender Firewall 
+#### Minimum baseline configuration setting for Microsoft Defender Firewall 

- Windows Defender Firewall is turned on for all network connections
- Secure domain profile by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked
- Secure private profile by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked
- Secure public profile is configured by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked
+- Microsoft Defender Firewall is turned on for all network connections
+- Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
+- Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
+- Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked

-For more information on Windows Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy).
+For more information on Microsoft Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy).

 >[!NOTE]
-> If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely.
+> If Microsoft Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely.


 ##### Recommended actions:
@ -228,12 +232,12 @@ You can take the following actions to increase the overall security score of you
 - Secure public profile
 - Verify secure configuration of third-party firewall
 - Fix sensor data collection
-  - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
+  - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).

-For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security).
+For more information, see [Microsoft Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security).

 ### BitLocker optimization
-For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for BitLocker is fulfilled. 
+A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker. 

 >[!IMPORTANT]
 >This security control is only applicable for machines with Windows 10, version 1803 or later.
@ -250,21 +254,21 @@ You can take the following actions to increase the overall security score of you
 - Resume protection on all drives
 - Ensure drive compatibility
 - Fix sensor data collection
-  - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
+  - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).

 For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview).

-### Windows Defender Credential Guard optimization
-For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender Credential Guard is fulfilled.
+### Microsoft Defender Credential Guard optimization
+A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Credential Guard.

 >[!IMPORTANT]
 >This security control is only applicable for machines with Windows 10, version 1709 or later. 

-#### Minimum baseline configuration setting for Windows Defender Credential Guard:
-Machines are considered "well configured" for Windows Defender Credential Guard if the following requirements are met:
+#### Minimum baseline configuration setting for Microsoft Defender Credential Guard:
+Well-configured machines for Microsoft Defender Credential Guard meets the following requirements:

 - Hardware and software prerequisites are met
- Windows Defender Credential Guard is turned on compatible machines
+- Microsoft Defender Credential Guard is turned on compatible machines


 ##### Recommended actions:
@ -273,14 +277,24 @@ You can take the following actions to increase the overall security score of you
 - Ensure hardware and software prerequisites are met
 - Turn on Credential Guard 
 - Fix sensor data collection
-  - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
+  - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).

-For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage).
+For more information, see [Manage Microsoft Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage).

 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) 

 ## Related topics
 - [Overview of Secure score](overview-secure-score.md)
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+



--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@ -118,7 +118,7 @@ Security Administrators like you can request for the IT Administrator to remedia

 4. Go to the **Remediation** page to view the status of your remediation request.

-See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/atp-manage-vulnerabilities) for details.
+See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.

 >[!NOTE]
 >If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
--- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
@ -56,9 +56,9 @@ The Microsoft Defender ATP time zone is set by default to UTC.
 Setting the time zone also changes the times for all Microsoft Defender ATP views.
 To set the time zone:

-1.	Click the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png).
-2.	Select the **Timezone UTC** indicator.
-3.	Select **Timezone UTC** or your local time zone, for example -7:00.
+1. Click the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png).
+2. Select the **Timezone UTC** indicator.
+3. Select **Timezone UTC** or your local time zone, for example -7:00.

 ### Regional settings
 To apply different date formats for Microsoft Defender ATP, use regional settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser. 
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
@ -29,7 +29,7 @@ This page provides detailed steps to troubleshoot live response issues.
 ## File cannot be accessed during live response sessions
 If while trying to take an action during a live response session, you encounter an error message stating that the file can't be accessed, you'll need to use the steps below to address the issue.

-1.	Copy the following script code snippet and save it as a PS1 file:
+1. Copy the following script code snippet and save it as a PS1 file:

    ```
    $copied_file_path=$args[0] 
@ -47,10 +47,10 @@ If while trying to take an action during a live response session, you encounter
    ```


-2.	Add the script to the live response library.
-3.	Run the script with one parameter: the file path of the file to be copied.
-4.	Navigate to your TEMP folder.
-5.	Run the action you wanted to take on the copied file.
+2. Add the script to the live response library.
+3. Run the script with one parameter: the file path of the file to be copied.
+4. Navigate to your TEMP folder.
+5. Run the action you wanted to take on the copied file.



--- a/Show More
+++ b/Show More