Commit 412530e

Edits and added art files
1 parent dd5ccdd commit 412530e

3 files changed

+8
-10
lines changed

defender-xdr/advanced-hunting-take-action.md

Lines changed: 8 additions & 10 deletions
@@ -28,8 +28,6 @@ ms.date: 11/10/2025
2828

2929
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
3030

31-
32-
3331
[!INCLUDE [Prerelease information](../includes/prerelease.md)]
3432

3533
You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can:
@@ -46,7 +44,7 @@ To take action on devices through advanced hunting, you need a role in Microsoft
4644
4745
If you can't take action, contact a Global Administrator about getting the following permission:
4846

49-
*Active remediation actions > Threat and vulnerability management - Remediation handling*
47+
*Active remediation actions \> Threat and vulnerability management - Remediation handling*.
5048

5149
To take action on emails through advanced hunting, you need a role in Microsoft Defender for Office 365 to [search and purge emails](/defender-office-365/scc-permissions).
5250

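Review bot: The context line directly above the changed permission string still tells readers to "contact a Global Administrator", which routes a routine permission request to the most privileged role in the tenant. Since this paragraph is being touched anyway, consider naming the least privileged role that can grant *Active remediation actions \> Threat and vulnerability management - Remediation handling*, if one exists, and keeping Global Administrator only as the fallback. The added trailing period sits outside the emphasis markers, which is the right place: it keeps the period from reading as part of the permission name.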
@@ -87,7 +85,7 @@ Apart from device-focused remediation steps, you can also take some actions on e
8785
- `Move to mailbox folder` - select this action to move the email messages to Junk, Inbox, or Deleted items folder
8886

8987
Note that you can move email results consisting of quarantined items (for instance, in the case of false positives) by selecting the **Inbox** option.
90-
88+
9189
:::image type="content" source="media/advanced-hunting-quarantine-results.png" alt-text="Screenshot of the Inbox option under take actions pane in the Microsoft Defender portal." lightbox="media/advanced-hunting-quarantine-results.png":::
9290

9391
- `Delete email` - select this action to move email messages to the Deleted items folder (**Soft delete**) or delete them permanently (**Hard delete**)
@@ -106,19 +104,19 @@ Apart from device-focused remediation steps, you can also take some actions on e
106104
| project NetworkMessageId,RecipientEmailAddress, EmailDirection, SenderFromAddress, LatestDeliveryAction,LatestDeliveryLocation
107105
```
108106

109-
- `Submit to Microsoft` - select this action to submit False positives or False negative emails to Microsoft. As part of the submission, you can also add URLs and senders and their domains to the Tenant Allow/Block List to immediatley resolve the issue while Microsoft works on the submission.
107+
- `Submit to Microsoft` - select this action to submit false positives or false negative emails to Microsoft. As part of the submission, you can also add URLs, senders, and their domains to the Tenant Allow/Block List to immediately resolve the issue while Microsoft evaluates the submission.
110108

111-
URL entries in the Tenant Aloow/Block List are supported only if the query result has the `Url` column by joining with `EmailUrlInfo` table on `NetworkMessageId`.
109+
URL entries in the Tenant Allow/Block List are supported only if the query result has the `Url` column by joining with `EmailUrlInfo` table on `NetworkMessageId`.
112110

113-
The **Submit to Microsoft** check box might be disabled if mandatory columns are missing. To resolve this issue, select **Show empty columns** and **Take actions**.
111+
**Submit to Microsoft** might be disabled if mandatory columns are missing. To resolve this issue, select **Show empty columns** before you select **Take actions**.
114112

115-
:::image type="content" source="media/submit-to-microsoft.png" alt-text="Screenshot of take actions option in the Microsoft Defender portal." lightbox="media/submit-to-microsoft.png":::
113+
:::image type="content" source="media/advanced-hunting-take-actions-submit-to-microsoft.png" alt-text="Screenshot of Choose actions page of the Take actions wizard with Submit to Microsoft selected and the Selected entities to block details flyout." lightbox="media/advanced-hunting-take-actions-submit-to-microsoft.png":::
116114

117115
- `Initiate automated investigation` - select this action to trigger [Automated investigation](/defender-office-365/air-about) on email, sender, recipient or contact recipients.
118116

119-
The **Initiate automated investigation** check box might be disabled if mandatory columns are missing. To resolve this issue, select **Show empty columns** and **Take actions**.
117+
**Initiate automated investigation** might be disabled if mandatory columns are missing. To resolve this issue, select **Show empty columns** before you select **Take actions**.
120118

121-
:::image type="content" source="media/initiate-automated-investigation.png" alt-text="Screenshot of take actions option in the Microsoft Defender portal." lightbox="media/submit-to-microsoft.png":::
119+
:::image type="content" source="media/advanced-hunting-take-actions-choose-actions.png" alt-text="Screenshot of the Choose actions page of the Take actions wizard with Initiate automated investigation selected." lightbox="media/advanced-hunting-take-actions-choose-actions.png":::
122120

123121
You can also provide a remediation name and a short description of the action taken to easily track it in the action center history. You can also use the Approval ID to filter for these actions in the action center. This ID is provided at the end of the wizard:
124122

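Review bot: The two reworded notes ("**Submit to Microsoft** might be disabled if mandatory columns are missing" and the matching **Initiate automated investigation** line) still don't say which columns are mandatory, so a reader whose action is disabled can't repair the query from this text alone; list the required columns for each action or link to where they are listed. Likewise, the `Url` requirement is stated only in prose ("by joining with `EmailUrlInfo` table on `NetworkMessageId`"), while the sample query's `project` line visible above it returns no `Url` column, so a short query showing that join would make the sentence actionable; the sentence also needs "the" before "`EmailUrlInfo` table". In the added `Submit to Microsoft` bullet, "false positives or false negative emails" mixes plural and singular; "false positive or false negative emails" reads cleanly. Because that bullet invites adding senders and their domains to the Tenant Allow/Block List "to immediately resolve the issue", it would help to say that an allow entry created for a false positive should be as narrow as the case permits (a URL or a sender rather than a whole domain).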