move content around

windows/security/threat-protection/TOC.md

@@ -362,12 +362,12 @@
 #### [Microsoft Defender ATP API]()
 ##### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
 ##### [Get started with Microsoft Defender ATP APIs]()
-###### [Introduction](microsoft-defender-atp/apis-intro.md)
+###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
-###### [Hello World](microsoft-defender-atp/api-hello-world.md)
 ###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md)
 ###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
+###### [Hello World](microsoft-defender-atp/api-hello-world.md)
 
-##### [APIs]()
+##### [Investigation, response, and entities APIs]()
 ###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md)
 ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
 
@@ -434,22 +434,21 @@
 ####### [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md)
 ####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
 
-#### [Stream data using APIs]()
+##### [Stream data using APIs]()
-##### [Raw data streaming (preview)](microsoft-defender-atp/raw-data-export.md)
+###### [Raw data streaming (preview)](microsoft-defender-atp/raw-data-export.md)
-##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
+###### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
-##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
+###### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
-
+ 
-
-#### [Pull detections to your SIEM tools]()
-##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
-##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
-##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
-##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
-##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
-##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
-##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
-##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
 
+##### [Pull detections to your SIEM tools]()
+###### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
+###### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
+###### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
+###### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
+###### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
+###### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
+###### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
+###### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
 
 ##### [How to use APIs - Samples]()
 ###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md)
@@ -458,8 +457,6 @@
 ###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
 ###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
 
-
-
 #### [Reporting]()
 ##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
 ##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
@@ -488,7 +485,8 @@
 
 
 
-### [Partner integration]()
+### [Partner integration opportunities]()
+#### [Technical integrations](microsoft-defender-atp/)
 #### [Managed security service provider support](microsoft-defender-atp/mssp-support.md)
 ##### [Configure managed security service provider (MSSP) support](microsoft-defender-atp/configure-mssp-support.md)
 

windows/security/threat-protection/microsoft-defender-atp/apis-intro.md

@@ -1,5 +1,5 @@
 ---
-title: Microsoft Defender Advanced Threat Protection API overview  
+title: Access the Microsoft Defender Advanced Threat Protection APIs  
 ms.reviewer: 
 description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities
 keywords: apis, api, wdatp, open api, windows defender atp api, public api, supported apis, alerts, machine, user, domain, ip, file, advanced hunting, query
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
 
-# Microsoft Defender ATP API overview
+# Access the Microsoft Defender Advanced Threat Protection APIs 
 
 **Applies to:** 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

windows/security/threat-protection/microsoft-defender-atp/configure-siem.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/16/2017
 ---
 
 # Pull detections to your SIEM tools
@@ -56,13 +55,3 @@ Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using
 For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md).
 
 
-## In this section
-
-Topic | Description
-:---|:---
-[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
-[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
-[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
-[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
-[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
-[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature.

windows/security/threat-protection/microsoft-defender-atp/management-apis.md

@@ -55,7 +55,7 @@ IMAGE 2:
 ### Authentication and authorization
 Accessing Microsoft Defender ATP APIs is granted in accordance with the service users and permissions model. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). 
 
-For services, the Azure Active Directory (Azure AD) application model is applied where the AAD Global Admin grants the permissions to the application. Any change of the application “manifested” permissions will require Global Admin Consent. 
+For services, the Azure Active Directory (Azure AD) application model is applied where the AAD Global Admin grants the permissions to the application. Any change of the application "manifested" permissions will require Global Admin Consent. 
 
 ### Investigation API
 You can use the APIs to investigate entities such as machine, user, and file as well as discrete events (for example, process creation and file creation). For more information see, [Supported APIs](exposed-apis-list.md).
@@ -68,9 +68,8 @@ Take actions on machine such as isolate machine from the network, quarantine fil
 
 Indicator matching is essential feature available in Microsoft Defender ATP that gives SecOps the ability to create indicators that define the detection, prevention, and exclusion of entities. For more information see [Indicator resource type](ti-indicator.md).
 
-When certain conditions that you set are met, you can initiate automated response using the APIs.
+You can initiate automated investigation on a machine using APIs.
 
-EFRAT, PLEASE KINDLY CHECK IF THE ABOVE STATEMENT ABOUT AUTO-IR SHOULD BE INCLUDED, AND IF YES - THAT IT'S ACCURATE. THANKS!
 
 ### Entities API
 Run API calls on the supported entities. You can create calls such as get alerts, create indicators, and more. 
@@ -89,28 +88,8 @@ It enables ingesting complete event data from the Microsoft Defender ATP platfor
 Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information see, [SIEM integration](enable-siem-integration.md)
 
 ## Related topics
-- [](apis-intro.md)
+- [Access the Microsoft Defender Advanced Threat Protection APIs ](apis-intro.md)
 - [Supported APIs](exposed-apis-list.md)
-- [How]
-
------------------------------
-
-
-- It supports integration with a number of security information and event management (SIEM) solutions and also exposes APIs to fully support pulling all the alerts and detection information into any SIEM solution. 
-- It supports a rich set of application programming interface (APIs) providing flexibility for those who are already heavily invested in data enrichment and automation:
-   - Enriching events coming from other security systems with foot print or prevalence information
-   - Triggering file or machine level response actions through APIs
-   - Keeping systems in-sync such as importing machine tags from asset management systems into Microsoft Defender ATP, synchronize alerts and incidents status cross ticketing systems with Microsoft Defender ATP.
 
 
 
-
-## Related topics
-- [Onboard machines](onboard-configure.md)
-- [Manage indicators](manage-indicators.md)
-- [Microsoft Defender ATP Public API](apis-intro.md)
-- [Pull alerts to your SIEM tools](configure-siem.md)
-- [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-- [Role-based access control](rbac.md)
-
-

windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md

@@ -50,5 +50,19 @@ Here is an example of an IOC:
 
 IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it.
 
+## In this section
+
+Topic | Description
+:---|:---
+[Pull detections to your SIEM tools](configure-siem.md)| Learn about different ways to pull detections.
+[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
+[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
+[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
+[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
+[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
+[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature.
+
+
+
 ## Related topics
 - [Manage indicators](manage-indicators.md)