Joey Caparas
2020-01-08 15:07:50 -08:00
parent 06cceafdff
commit 73f8a5e6fb
5 changed files with 35 additions and 65 deletions

View File

@ -360,15 +360,15 @@
###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
#### [Microsoft Defender ATP API]()
##### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
##### [Get started with Microsoft Defender ATP APIs]()
###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
###### [Hello World](microsoft-defender-atp/api-hello-world.md)
###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md)
###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
##### [Investigation, response, and entities APIs]()
##### [Microsoft Defender ATP APIs]()
###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md)
###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
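Review bot: the "Microsoft Defender ATP API license and terms" entry appears twice in this hunk, once as a ##### entry directly under "#### [Microsoft Defender ATP API]()" and again as a ###### entry under "Get started with Microsoft Defender ATP APIs", both linking microsoft-defender-atp/api-terms-of-use.md; keep one (the ###### entry beside the other getting-started pages reads most naturally) and drop the other. Also confirm that only one of the two adjacent parent headings, "##### [Investigation, response, and entities APIs]()" and "##### [Microsoft Defender ATP APIs]()", survives as the parent of "Supported Microsoft Defender ATP APIs", otherwise the TOC renders an empty node with no children.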
@ -435,22 +435,6 @@
####### [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md)
####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
##### [Stream data using APIs]()
###### [Raw data streaming (preview)](microsoft-defender-atp/raw-data-export.md)
###### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
###### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
##### [Pull detections to your SIEM tools]()
###### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
###### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
###### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
###### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
###### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
###### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
###### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
###### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
##### [How to use APIs - Samples]()
###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md)
###### [Power BI](microsoft-defender-atp/api-power-bi.md)
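Review bot: the "Stream data using APIs" and "Pull detections to your SIEM tools" subtrees removed from this hunk (the hunk count drops from 22 to 6 lines) reappear as the top-level "Stream APIs" and "SIEM integration" sections in the following hunk, so the move itself is fine; but "How to use APIs - Samples" with its "Microsoft Flow" and "Power BI" children is now the last thing left under the old parent, so check that its ##### / ###### nesting still renders correctly once the two subtrees above it are gone.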
@ -458,6 +442,23 @@
###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
#### [Stream APIs]()
##### [Raw data streaming (preview)](microsoft-defender-atp/raw-data-export.md)
##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
#### [SIEM integration]()
##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
#### [Reporting]()
##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
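Review bot: "Stream advanced hunting events to Azure Events hub" misspells the service name (it is Azure Event Hubs); the entry is only being moved here, but fix the title while the line is being touched. Separately, microsoft-defender-atp/api-power-bi.md is now reachable from two TOC entries, "Power BI" under "How to use APIs - Samples" in the previous hunk and "Power BI - How to use API - Samples" under the new "Reporting" node; pick one location, otherwise readers see the same page listed twice under different titles.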

View File

@ -28,7 +28,7 @@ ms.topic: conceptual
To become a Microsoft Defender ATP solution partner, you'll need to follow and complete the following steps.
## Step 1: Subscribe to a Microsoft Defender ATP Developer license
This gives you a license to use a Microsoft Defender ATP tenant with up to 10 devices for developing solutions to integrate with Microsoft Defender ATP.
Subscribing to the [Microsoft Defender ATP Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9) allows you to use a Microsoft Defender ATP tenant with up to 10 devices for developing solutions to integrate with Microsoft Defender ATP.
## Step 2: Fulfill the solution validation and certification requirements
The best way for technology partners to certify their integration works, is to have it tested and used by a joint customer. Once the Microsoft Defender ATP team reviews and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association.
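Review bot: the rewritten Step 1 sentence links to https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9, and the `?Length=9` query parameter looks like an artifact of URL generation rather than part of the user agreement page; confirm the link resolves without it before publishing. Minor: the Step 2 context line "certify their integration works, is to have it tested" has a stray comma before "is".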

Binary file not shown.


View File

@ -38,54 +38,34 @@ Microsoft Defender ATP provides fine-grained control over what users with access
- Tiered model security operations teams
- Fully segregated devisions with single centralized global security operations teams
## Integration and APIs
## Available APIs
The Microsoft Defender ATP solution is built on top of an integration-ready platform.
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities.
![Image of available API and integration in Microsoft Defender ATP](images/mdatp-apis.png)
EFRAT, PLEASE LET ME KNOW WHICH IMAGE IS MORE APPROPRIATE IN THIS PAGE: IMAGE 1 OR IMAGE 2
IMAGE 1:
![Image of available API and integration in Microsoft Defender ATP](images/api-and-integration.png)
IMAGE 2:
![Image of API categories in Microsoft Defender ATP](images/atp-apis.png)
### Authentication and authorization
Accessing Microsoft Defender ATP APIs is granted in accordance with the service users and permissions model. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
For services, the Azure Active Directory (Azure AD) application model is applied where the AAD Global Admin grants the permissions to the application. Any change of the application "manifested" permissions will require Global Admin Consent.
### Investigation API
You can use the APIs to investigate entities such as machine, user, and file as well as discrete events (for example, process creation and file creation). For more information see, [Supported APIs](exposed-apis-list.md).
There are also [advanced hunting APIs](run-advanced-query-api.md) to hunt for possible threats across your organization.
The Microsoft Defender ATP APIs can be grouped into three:
- Microsoft Defender ATP APIs (includes the investigation, response, and entities)
- Raw data streaming API
- SIEM integration
### Response API
Take actions on machine such as isolate machine from the network, quarantine files, and others using APIs. For more information see, [Machine action](machineaction.md).
## Microsoft Defender ATP APIs
Indicator matching is essential feature available in Microsoft Defender ATP that gives SecOps the ability to create indicators that define the detection, prevention, and exclusion of entities. For more information see [Indicator resource type](ti-indicator.md).
Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form.
You can initiate automated investigation on a machine using APIs.
The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, machine, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information see, [Supported APIs](exposed-apis-list.md).
### Entities API
Run API calls on the supported entities. You can create calls such as get alerts, create indicators, and more.
### Integration scenarios
To further augment the API uses, the platform also supports various integration scenarios.
Custom integration scenarios help in
The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate machines from the network, quarantine files, and others.
### Streaming API
Streaming API allows you to receive real-time event and alerts from instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
Allows you to receive real-time event and alerts from instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism. For more information see, [Raw data streaming API](raw-data-export.md).
It enables ingesting complete event data from the Microsoft Defender ATP platform into your local data warehouse or data layer and correlating it against logs collected from other systems. For more information see, [Raw data streaming API](raw-data-export.md).
### SIEM API
Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information see, [SIEM integration](enable-siem-integration.md)
When you enable security information and event management (SIEM) integration it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. For more information see, [SIEM integration](enable-siem-integration.md)
## Related topics
- [Access the Microsoft Defender Advanced Threat Protection APIs ](apis-intro.md)
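Review bot: the lines "EFRAT, PLEASE LET ME KNOW WHICH IMAGE IS MORE APPROPRIATE IN THIS PAGE: IMAGE 1 OR IMAGE 2", "IMAGE 1:" and "IMAGE 2:" are a reviewer question committed into the page body; settle the choice between images/api-and-integration.png and images/atp-apis.png and delete the placeholder text and the unused image reference before this merges. Also in this hunk: "Custom integration scenarios help in" under "### Integration scenarios" stops mid-clause and should be completed or dropped, and the SIEM paragraph has "created under you Azure Active Directory (AAD) tenant" for "your". The new authorization sentence ("the AAD Global Admin grants the permissions to the application. Any change of the application "manifested" permissions will require Global Admin Consent") is the security-relevant claim readers will act on when registering an app, so spell out that it is the application's requested API permissions that need tenant admin consent rather than leaving "manifested" in scare quotes.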

View File

@ -44,20 +44,9 @@ Microsoft Defender ATP adds support for this scenario in the following forms:
## Scenario 2: Security orchestration and automation response (SOAR) integration
Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs exposes to orchestrate responses, such as query for device data, trigger machine isolation, block/allow, resolve alert and others.
## Scenario 3 - Indicators matching
## Scenario 3: Indicators matching
Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action.
## Scenario 4: Decision making based on device security score & vulnerabilities
Microsoft Defender ATP Threat & Vulnerability Management is built-in, real-time, cloud-powered, and is fully integrated with Microsoft endpoint security stack. It uses vulnerability and security configuration assessment data as discovery tools that are used to calculate the exposure score. Using secure score and endpoint vulnerabilities data with other solutions will help to expand the customer's visibility into the overall security posture of their endpoints and help them make better decisions.
## Scenario 5: Managed security service provider support
support Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network. To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Microsoft Defender ATP.
Microsoft Defender ATP adds support for this scenario and to allow MSSPs to take the following actions:
- Get access to MSSP customer's Microsoft Defender Security Center portal
- Get email notifications
- Fetch alerts through security information and event management (SIEM) tools and the rich set of programmatic APIs and
- Use the streaming API to receive real-time event and alerts from instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism
The above scenarios serve as examples of the extensibility of the platform. You are not limited to these and we certainly encourage you leverage the open framework to discover and explore other scenarios.
Follow the steps in [Become a Microsoft Defender ATP integration partner](get-started-partner-integration.md) to become a Microsoft Defender ATP partner.
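Review bot: "support Security is recognized as a key component" under Scenario 5 begins with a stray "support", evidently left over from the heading "Managed security service provider support"; delete it. The bullet "Fetch alerts through security information and event management (SIEM) tools and the rich set of programmatic APIs and" ends in a dangling "and", and "we certainly encourage you leverage the open framework" is missing "to". The "Scenario 3 - Indicators matching" to "Scenario 3: Indicators matching" heading change correctly matches the colon style of the other scenario headings.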