put table first then image, fix toc, add api fields topic

windows/keep-secure/TOC.md

@@ -768,11 +768,12 @@
 ######## [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
 ######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
 ######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
-#### [Configure SIEM tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+#### [Configure SIEM tools or use REST API to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
 ##### [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
 ##### [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
 ##### [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
-#### [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+##### [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
 #### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
 ##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
 ##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)

windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md

@@ -25,17 +25,6 @@ Understand how the SIEM schema maps to the values in the Windows Defender ATP po
 
 Field numbers match the numbers in the images.
 
-![Image of actor profile with numbers](images/atp-actor.png)
-
-![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png)
-
-![Image of new alerts with numbers](images/atp-alert-source.png)
-
-![Image of machine timeline with numbers](images/atp-remediated-alert.png)
-
-![Image of file details](images/atp-file-details.png)
-
-
 #	SIEM fields and portal mapping
 
 Portal label  | SIEM field name | Description
@@ -50,7 +39,7 @@ Portal label  | SIEM field name | Description
 8 | Status in queue | Alert status in queue
 9	| ComputerDnsName|	Computer DNS name and machine name
 10| IoaDefinitionId	| (Internal only)  <br><br>  ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title. <br><br> **Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
-11 | UserName	| The user context relevant to the activity on the machine which triggered the alert.
+11 | UserName	| The user context relevant to the activity on the machine which triggered the alert. NOTE: Not yet populated.
 12 | FileName	| File name
 13 | FileHash	| Sha1 of file observed
 14 | FilePath	| File path
@@ -59,16 +48,26 @@ Portal label  | SIEM field name | Description
 17 | FullId	| (Internal only)  <br><br> Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM.
 18 | AlertPart	| (Internal only)  <br><br> Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM.
 19 | LastProccesedTimeUtc | (Internal only)  <br><br>	Time the alert was last processed in Windows Defender ATP.
-20 | Source| Alert detection source (Windows Defender AV or Windows Defender ATP)
+20 | Source| Alert detection source (Windows Defender AV, Windows Defender ATP, and Device Guard)
 21 | ThreatCategory| Windows Defender AV threat category
 22 | ThreatFamily |	Windows Defender AV family name
 23 | RemediationAction |	Windows Defender AV threat category	 |
-24 | WasExecutingWhileDetected	| Indicates if a file was running while being detected. (Windows Defender AV field)
-25|	RemediationIsSuccess	| Indicates if an alert was successfully remediated. (Windows Defender AV field)
+24 | WasExecutingWhileDetected	| Indicates if a file was running while being detected.
+25|	RemediationIsSuccess	| Indicates if an alert was successfully remediated.
 26 | Sha1	| Sha1 of file observed	in alert timeline and in file side pane (when available)
 27 | Md5 | Md5 of file observed	(when available)
 28 | Sha256 |	Sha256 of file observed	(when available)
 29	|	ThreatName	| Windows Defender AV threat name
 
 >[!NOTE]
->A single AlertID represents an IOA detection and may contain multiple IOCs. In such a cases, they will be exported to the SIEM tool as multiple instances. For every instance with the same AlertID, fields #1-8 will be identical while fields #9-18 will be different according to the new IOC information. Fields #20-28 are related to Windows Defender Antivirus alerts.
+> Fields #21-29 are related to Windows Defender Antivirus alerts.
+
+![Image of actor profile with numbers](images/atp-actor.png)
+
+![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png)
+
+![Image of new alerts with numbers](images/atp-alert-source.png)
+
+![Image of machine timeline with numbers](images/atp-remediated-alert.png)
+
+![Image of file details](images/atp-file-details.png)

windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md

@@ -1,6 +1,6 @@
 ---
-title: Configure SIEM tools to pull alerts in Windows Defender Advanced Threat Protection
-description: Learn how to configure supported security information and events management tools to receive and pull alerts using REST API.
+title: Configure SIEM tools and use REST API to pull alerts from Windows Defender Advanced Threat Protection
+description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts using REST API.
 keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -11,7 +11,7 @@ author: mjcaparas
 localizationpriority: high
 ---
 
-# Configure SIEM tools to pull alerts
+# Configure SIEM tools and use REST API to pull alerts
 
 **Applies to:**
 
@@ -21,6 +21,8 @@ localizationpriority: high
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
+<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
 ## Pull alerts using supported security information and events management (SIEM) tools
 Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
 
@@ -37,8 +39,12 @@ To use either of these supported SIEM tools you'll need to:
     - [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
     - [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
 
+For list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md).
+
+
 ## Pull Windows Defender ATP alerts using REST API
 Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API.
+
 For more information, see [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md).
 
 
@@ -47,5 +53,7 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull
 Topic | Description
 :---|:---
 [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
+[Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
+[Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
+[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand how the SIEM schema maps to the values in the Windows Defender ATP portal.
+[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.