update ioc content

windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md

@@ -38,7 +38,7 @@ All Custom TI API requests use the following basic URL pattern:
 ```
 
 For this URL:
--	`https://wdatp-tiapi-prd.trafficmanager.net` is the Custom TI API endpoint.
+-	`https://TI.SecurityCenter.Windows.com` is the Custom TI API endpoint.
 -	`{version}` is the target service version. Currently only supported version is: v1.0.
 -	`{resource}` is resource segment or path, such as:
   -	AlertDefinitions (for specific single resource, add: (id))
@@ -54,7 +54,7 @@ The metadata document ($metadata) is published at the service root.
 For example, you can view the service document for the v1.0 version using the following URL:
 
 ```
-  https://wdatp-tiapi-prd.trafficmanager.net/v1.0/$metadata
+  https://TI.SecurityCenter.Windows.com/v1.0/$metadata
 ```
 
 The metadata allows you to see and understand the data model of the Custom TI, including the entity types and sets, complex types, and enums that make up the request and response packets sent to and from Custom TI.
@@ -64,14 +64,14 @@ You can use the metadata to understand the relationships between entities in Cus
 The following sections show a few basic programming pattern calls to the Custom TI API.
 
 ## Create new resource
-Typically, you would start creating custom threat indicators by first creating an Alert definition.
+Typically, you would start creating custom threat indicators by first creating an alert definition.
 
-An ID is created for that Alert definition. You would then create an Indicator Of Compromise and associate it to the ID of the Alert definition.
+An ID is created for that alert definition. You would then create an Indicator Of Compromise and associate it to the ID of the alert definition.
 
-### Create a new Alert definition
+### Create a new alert definition
 
 ```json
-POST https://wdatp-tiapi-prd.trafficmanager.net/v1.0/AlertDefinition HTTP/1.1
+POST https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinition HTTP/1.1
 Authorization: Bearer <access_token>
 Content-Type: application/json;
 {
@@ -97,7 +97,7 @@ Highlighted section | JSON Value
 4 | UX description
 5 | Recommended Action
 
-If successful, you should get a 201 CREATED response containing the representation of the newly created Alert definition for example:
+If successful, you should get a 201 CREATED response containing the representation of the newly created alert definition for example:
 
 ```json
 
@@ -120,7 +120,7 @@ If successful, you should get a 201 CREATED response containing the representati
 ### Create a new Indicator of Compromise
 
 ```json
-POST https://wdatp-tiapi-prd.trafficmanager.net/v1.0/IndicatorsOfCompromise HTTP/1.1
+POST https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise HTTP/1.1
 Authorization: Bearer <access_token>
 Content-Type: application/json;
 Content-Length: 194
@@ -137,17 +137,17 @@ Content-Length: 194
 If successful, you should get a 201 CREATED response containing the representation of the newly created Indicators Of Compromise in the payload.
 
 
-## Bulk upload of Alert definitions and IOCs
+## Bulk upload of alert definitions and IOCs
 Bulk upload of multiple entities can be done by sending an HTTP POST request to `/{resource}/Actions.BulkUpload`. </br>
 
 >[!WARNING]
->- This operation is atomic. The entire can either succeed or fail. If one Alert definition or IOC has a malformed property, the entire upload will fail.
+>- This operation is atomic. The entire can either succeed or fail. If one alert definition or IOC has a malformed property, the entire upload will fail.
 >- If your upload exceeds the IOC quota, the entire operation will fail. Consider limiting your uploads.
 
-The request’s body should contain a single JSON object with a single field. The name of the field in the case that the entity is Alert definition is `alertdefinition` and in the case of IOC is `IOCs`. This field’s value should contain a list of the desired entities.
+The request’s body should contain a single JSON object with a single field. The name of the field in the case that the entity is alert definition is `alertdefinition` and in the case of IOC is `IOCs`. This field’s value should contain a list of the desired entities.
 
 For example:
-Sending an HTTP POST to https://wdatp-tiapi-prd.trafficmanager.net/V1.0/IndicatorsOfCompromise/Actions.BulkUpload
+Sending an HTTP POST to https://TI.SecurityCenter.Windows.com/V1.0/IndicatorsOfCompromise/Actions.BulkUpload
 
 JSON Body:
 
@@ -178,7 +178,7 @@ JSON Body:
 ### Get a specific resource
 
 ```json
-GET https://wdatp-tiapi-prd.trafficmanager.net/v1.0/IndicatorsOfCompromise(1) HTTP/1.1
+GET https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(1) HTTP/1.1
 Authorization: Bearer <access_token>
 Accept: application/json;odata.metadata=none
 ```
@@ -211,7 +211,7 @@ odata.metadata = none
 ### Get the entire collection of entities of a given resource
 
   ```
-  GET https://wdatp-tiapi-prd.trafficmanager.net/v1.0/AlertDefinitions HTTP/1.1
+  GET https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions HTTP/1.1
   Authorization : Bearer <access_token>
   ```
 
@@ -223,9 +223,9 @@ odata.metadata = none
 
 
   {
-      "@odata.context": "https://wdatp-tiapi-prd.trafficmanager.net/V1.0/$metadata#AlertDefinitions",
+      "@odata.context": "https://TI.SecurityCenter.Windows.com/V1.0/$metadata#AlertDefinitions",
       "value": [{
-              "Name": "Demo Alert definition",
+              "Name": "Demo alert definition",
               "Severity": "Medium",
               "InternalDescription": "Some description",
               "ShortUxDescription": "Demo short Ux Desc",
@@ -240,7 +240,7 @@ odata.metadata = none
               "Enabled": true
           },
           {
-              "Name": "demo Alert definition 2",
+              "Name": "Demo alert definition 2",
               "Severity": "Low",
               "InternalDescription": "Some description",
               "ShortUxDescription": "Demo short UX Desc2",
@@ -263,7 +263,7 @@ odata.metadata = none
 You can use the same pattern for both full and partial updates.
 
 ```json
-PATCH https://wdatp-tiapi-prd.trafficmanager.net/v1.0/AlertDefinitions(2) HTTP/1.1
+PATCH https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions(2) HTTP/1.1
 Authorization : Bearer <access_token>
 Content-Type: application/json;
 Accept: application/json;odata.metadata=none
@@ -279,43 +279,43 @@ If successful, you should get a 200 OK response containing the updated Indicatio
 ## Update the association (relation) between an Indication Of Compromise to a different Indication Of Attack
 
 ```json
-PUT https://wdatp-tiapi-prd.trafficmanager.net/v1.0/IndicatorsOfCompromise(3)/IndicationOfAttack/$ref HTTP/1.1
+PUT https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(3)/IndicationOfAttack/$ref HTTP/1.1
 Authorization : Bearer <access_token>
 Content-Type: application/json;
 
 {
-	"@odata.id": "https://wdatp-tiapi-prd.trafficmanager.net/v1.0/AlertDefinitions(6)"
+	"@odata.id": "https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions(6)"
 }
 ```
 
 ## Delete a resource
 
 ```
-DELETE https://wdatp-tiapi-prd.trafficmanager.net/v1.0/IndicatorsOfCompromise(1) HTTP/1.1
+DELETE https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(1) HTTP/1.1
 Authorization : Bearer <access_token>
 ```
 
 If successful, you should get a 204 NO CONTENT response.
 
 >[!NOTE]
-  > - Deleting an Alert definition also deletes its corresponding IOC.  
+  > - Deleting an alert definition also deletes its corresponding IOC.  
-  > - Deleting an IOC or an Alert definition will not delete or hide past alerts matching the Alert definition. However, deleting an Alert definition and creating a new one with the exact same metadata will result in new alerts in the portal. It's not advised to delete an Alert definition and create a new one with the same content.
+  > - Deleting an IOC or an alert definition will not delete or hide past alerts matching the alert definition. However, deleting an alert definition and creating a new one with the exact same metadata will result in new alerts in the portal. It's not advised to delete an alert definition and create a new one with the same content.
 
 ## Delete all
 You can use the HTTP DELETE method sent to the relevant source to delete all resources.
 
 ```
-DELETE https://wdatp-tiapi-prd.trafficmanager.net/v1.0/IndicatorsOfCompromise HTTP/1.1
+DELETE https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise HTTP/1.1
 Authorization : Bearer <access_token>
 ```
 If successful, you should get a 204 NO CONTENT response.
 
-## Delete all IOCs connected to a given Alert definition
+## Delete all IOCs connected to a given alert definition
-This action will delete all the IOCs associated with a given Alert definition without deleting the Alert definition itself.
+This action will delete all the IOCs associated with a given alert definition without deleting the alert definition itself.
 
-For example, deleting all of the IOCs associated with the Alert definition with ID `1` deletes all those IOCs without deleting the Alert definition itself.
+For example, deleting all of the IOCs associated with the alert definition with ID `1` deletes all those IOCs without deleting the alert definition itself.
 
-Send an HTTP POST to `https://wdatp-tiapi-prd.trafficmanager.net/V1.0/IndicatorsOfAttack(1)/Actions.DeleteIOCs`.
+Send an HTTP POST to `https://TI.SecurityCenter.Windows.com/V1.0/IndicatorsOfAttack(1)/Actions.DeleteIOCs`.
 
 Upon a successful request the response will be HTTP 204.