remove x-links; review comments

dlepow · dlepow · commit 40f1934864bb · 2023-04-19T15:54:23.000-07:00
diff --git a/articles/api-management/protect-with-defender-for-apis.md b/articles/api-management/protect-with-defender-for-apis.md
@@ -6,42 +6,48 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: how-to
-ms.date: 04/14/2023
+ms.date: 04/19/2023
 ms.author: danlep
 ---
 # Enable advanced API security features using Microsoft Defender for Cloud 
 <!-- Update links to D4APIs docs when available -->
 
-[Defender for APIs](https://aka.ms/apiSecurityOverview) (preview), a capability of [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), offers full lifecycle protection, detection, and response coverage for APIs that are managed in Azure API Management. The service empowers security practitioners to gain visibility into their business-critical APIs, understand their security posture, prioritize vulnerability fixes, and detect active runtime threats within minutes. 
+Defender for APIs, a capability of [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), offers full lifecycle protection, detection, and response coverage for APIs that are managed in Azure API Management. The service empowers security practitioners to gain visibility into their business-critical APIs, understand their security posture, prioritize vulnerability fixes, and detect active runtime threats within minutes. 
 
 Capabilities of Defender for APIs include:
 
-* Analyze for external, unused, or unauthenticated APIs
+* Identify external, unused, or unauthenticated APIs
 * Classify APIs that receive or respond with sensitive data
-* Detect exploits of OWASP API top 10 vulnerabilities
+* Apply configuration recommendations to strengthen the security posture of APIs and API Management services
+* Detect anomalous and suspicious API traffic patterns and exploits of OWASP API top 10 vulnerabilities
+* Prioritize threat remediation
 * Integrate with SIEM systems and Defender Cloud Security Posture Management
 
-This article shows how to use the Azure portal to enable Defender for APIs from your API Management instance and view a summary of security recommendations and alerts for onboarded APIs. You can also enable Defender for APIs directly in the Microsoft Defender for Cloud console, where more API security insights and inventory experiences are available. 
+This article shows how to use the Azure portal to enable Defender for APIs from your API Management instance and view a summary of security recommendations and alerts for onboarded APIs. 
 
 [!INCLUDE [api-management-availability-premium-dev-standard-basic](../../includes/api-management-availability-premium-dev-standard-basic.md)]
 
 ## Preview limitations
 
 * Currently, Defender for APIs discovers and analyzes REST APIs only. 
 * Defender for APIs currently doesn't onboard APIs that are exposed using the API Management [self-hosted gateway](self-hosted-gateway-overview.md) or managed using API Management [workspaces](workspaces-overview.md).
-* Some ML-based detections and security insights (data classification, authentication check, unused and external APIs) for API Management instances with [multi-region](api-management-howto-deploy-multi-region.md) deployments aren't supported in secondary regions. In such cases, data residency requirements are still met. 
+* Some ML-based detections and security insights (data classification, authentication check, unused and external APIs) aren't supported in secondary regions in [multi-region](api-management-howto-deploy-multi-region.md) deployments. Defender for APIs relies on local data pipelines to ensure regional data residency and improved performance in such deployments. 
  
 
 ## Prerequisites
 
 * At least one API Management instance in an Azure subscription. Defender for APIs is enabled at the level of a subscription. 
 * One or more supported APIs must be imported to the API Management instance.
-* Permissions to [enable the Defender for APIs plan](/azure/defender-for-cloud/permissions).
-* Owner or Contributor permissions on the API Management instance. 
+* Role to [enable the Defender for APIs plan](/azure/defender-for-cloud/permissions).
+* Owner or Contributor role on the API Management instance. 
 
 ## Onboard to Defender for APIs
 
-Onboarding APIs to Defender for APIs is a two-step process: enabling the Defender for APIs plan, and onboarding unprotected APIs in your API Management instances.   
+Onboarding APIs to Defender for APIs is a two-step process: enabling the Defender for APIs plan for the subscription, and onboarding unprotected APIs in your API Management instances.   
+
+> [!TIP]
+> You can also onboard to Defender for APIs directly in the Defender for Cloud portal, where more API security insights and inventory experiences are available.
+
 
 ### Enable the Defender for APIs plan for a subscription
 
@@ -60,7 +66,7 @@ Onboarding APIs to Defender for APIs is a two-step process: enabling the Defende
 ### Onboard unprotected APIs to Defender for APIs 
 
 > [!CAUTION]
-> Onboarding APIs to Defender for APIs may increase compute, memory, and network utilization of your API Management instance. Do not onboard all APIs at one time if your API Management instance is running at high utilization. Use caution by gradually onboarding APIs, while monitoring the utilization of your instance (for example, using [the capacity metric](api-management-capacity.md)) and scaling out as needed. 
+> Onboarding APIs to Defender for APIs may increase compute, memory, and network utilization of your API Management instance, which in extreme cases may cause an outage of the API Management instance. Do not onboard all APIs at one time if your API Management instance is running at high utilization. Use caution by gradually onboarding APIs, while monitoring the utilization of your instance (for example, using [the capacity metric](api-management-capacity.md)) and scaling out as needed. 
 
 1. In the portal, go back to your API Management instance.
 1. In the left menu, select **Microsoft Defender for Cloud (preview)**.
@@ -97,14 +103,11 @@ You can view a summary of all security recommendations and alerts for onboarded
 
 For the security alerts received, Defender for APIs suggests necessary steps to perform the required analysis and validate the potential exploit or anomaly associated with the APIs. Follow the steps in the security alert to fix and return the APIs to healthy status. 
 
-To learn more about the benefits of Defender for APIs, including additional API inventory experiences within Defender for Cloud, see [Microsoft Defender for APIs – Benefits and features](https://aka.ms/apiSecurityOverview). 
+## Offboard protected APIs from Defender for APIs
+
+You can offboard protected APIs from Defender for APIs by using the Defender for Cloud portal. For more information, see the Microsoft Defender for Cloud documentation.
 
 ## Next steps
 
-* Learn more about Defender for APIs:
-    * [Benefits and features](https://aka.ms/apiSecurityOverview) 
-    * [API security alerts](https://aka.ms/apiSecurityAlerts)
-    * [API security threats](https://aka.ms/apiSecurityRecommendations)
-    * [API security troubleshooting guide](https://aka.ms/apiSecurityTroubleshooting)
-    * [Pricing](https://azure.microsoft.com/pricing/details/defender-for-cloud/)
+* Learn more about [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
 * Learn how to [upgrade and scale](upgrade-and-scale.md) an API Management instance.
