Update advanced-hunting-take-action.md with query reference

defender-xdr/advanced-hunting-take-action.md

@@ -116,6 +116,17 @@ Apart from device-focused remediation steps, you can also take some actions on e
 
   **Initiate automated investigation** might be disabled if mandatory columns are missing. To resolve this issue, select **Show empty columns** before you select **Take actions**.
 
+See the following query as reference to enable *Submit to Microsoft* and *Initiate automated investigation*
+
+   ```kusto
+   EmailEvents
+  | where ThreatTypes contains "spam"
+  | project  Timestamp, NetworkMessageId,RecipientEmailAddress,SenderFromAddress,SenderMailFromAddress,Subject,SenderFromDomain,TimeGenerated,SenderIPv4,SenderIPv6
+  | join EmailUrlInfo on NetworkMessageId
+   ```
+
+
+
   :::image type="content" source="media/advanced-hunting-take-actions-choose-actions.png" alt-text="Screenshot of the Choose actions page of the Take actions wizard with Initiate automated investigation selected." lightbox="media/advanced-hunting-take-actions-choose-actions.png":::
 
 You can also provide a remediation name and a short description of the action taken to easily track it in the action center history. You can also use the Approval ID to filter for these actions in the action center. This ID is provided at the end of the wizard: