update top level topic and TOC

windows/keep-secure/TOC.md

@@ -738,7 +738,13 @@
 #### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
 ##### [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md)
 ##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+#### [Consume alerts and create custom indicators](configure-siem-windows-defender-advanced-threat-protection.md)
+##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
+##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+##### [Understand threat indicators](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+##### [Create custom threat indicators using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+#### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
 ##### [Machines overview](machines-view-overview-windows-defender-advanced-threat-protection.md)
 ##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
 ##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
@@ -748,10 +754,6 @@
 ###### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
 #### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
 #### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md)
-#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
-##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
 #### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
 #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)

windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md

@@ -1,7 +1,7 @@
 ---
-title: Configure security information and events management tools
-description: Configure supported security information and events management tools to receive and consume alerts.
-keywords: configure siem, security information and events management tools, splunk, arcsight
+title: Consume alerts and create custom indicators in Windows Defender Advanced Threat Protection
+description: Learn how to configure supported security information and events management tools to receive and consume alerts and create custom indicators using REST API.
+keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -11,7 +11,7 @@ author: mjcaparas
 localizationpriority: high
 ---
 
-# Configure security information and events management (SIEM) tools to consume alerts
+# Consume alerts and create custom indicators
 
 **Applies to:**
 
@@ -21,7 +21,9 @@ localizationpriority: high
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
+## Consume alerts using supported security information and events management (SIEM) tools
+Windows Defender ATP supports (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
+
 
 Windows Defender ATP currently supports the following SIEM tools:
 
@@ -35,6 +37,11 @@ To use either of these supported SIEM tools you'll need to:
     - [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
     - [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
 
+## Create custom threat indicators in Windows Defender ATP
+You can also create custom threat indicators using the available REST API so that you can create specific alerts that are applicable to your organization.
+
+For more information, see [Create custom threat indicators (TI) using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md).
+
 ## In this section
 
 Topic | Description