review comments

Author: dlepow

articles/api-management/protect-with-defender-for-apis.md

@@ -1,6 +1,6 @@
 ---
 title: Protect APIs in API Management with Defender for APIs 
-description: Learn how to enable enhanced API security features in Azure API Management by using Microsoft Defender for Cloud.
+description: Learn how to enable advanced API security features in Azure API Management by using Microsoft Defender for Cloud.
 services: api-management
 author: dlepow
 
@@ -9,25 +9,28 @@ ms.topic: how-to
 ms.date: 04/14/2023
 ms.author: danlep
 ---
-# Enable enhanced API security features using Microsoft Defender for Cloud 
+# Enable advanced API security features using Microsoft Defender for Cloud 
 <!-- Update links to D4APIs docs when available -->
 
-Defender for APIs (preview), a new capability of Microsoft Defender for Cloud, offers full lifecycle protection, detection, and response coverage for APIs that are managed in Azure API Management. The service empowers security practitioners to gain visibility into their business-critical APIs, understand their security posture, prioritize vulnerability fixes, and detect active runtime threats within minutes.  
+[Defender for APIs](https://aka.ms/apiSecurityOverview) (preview), a capability of [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), offers full lifecycle protection, detection, and response coverage for APIs that are managed in Azure API Management. The service empowers security practitioners to gain visibility into their business-critical APIs, understand their security posture, prioritize vulnerability fixes, and detect active runtime threats within minutes. 
 
-This article shows how to use the Azure portal to enable Defender for APIs from your API Management instance and view a summary of security recommendations and alerts for onboarded APIs. You can also enable Defender for APIs directly in the Microsoft Defender for Cloud console, where more API security insights and inventory experiences are available. 
+Capabilities of Defender for APIs include:
 
-To learn more, see:
+* Analyze for external, unused, or unauthenticated APIs
+* Classify APIs that receive or respond with sensitive data
+* Detect exploits of OWASP API top 10 vulnerabilities
+* Integrate with SIEM systems and Defender Cloud Security Posture Management
 
-* [Microsoft Defender for APIs – Benefits and features](https://aka.ms/apiSecurityOverview) 
-* [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
+This article shows how to use the Azure portal to enable Defender for APIs from your API Management instance and view a summary of security recommendations and alerts for onboarded APIs. You can also enable Defender for APIs directly in the Microsoft Defender for Cloud console, where more API security insights and inventory experiences are available. 
 
 [!INCLUDE [api-management-availability-premium-dev-standard-basic](../../includes/api-management-availability-premium-dev-standard-basic.md)]
 
 ## Preview limitations
 
 * Currently, Defender for APIs discovers and analyzes REST APIs only. 
 * Defender for APIs currently doesn't onboard APIs that are exposed using the API Management [self-hosted gateway](self-hosted-gateway-overview.md) or managed using API Management [workspaces](workspaces-overview.md).
-* Some ML-based detections and security insights (data classification, authentication check, unused and external APIs) for instances with [multi-region](api-management-howto-deploy-multi-region.md) deployments aren't supported in secondary regions. In such cases, data residency requirements are still met.  
+* Some ML-based detections and security insights (data classification, authentication check, unused and external APIs) for API Management instances with [multi-region](api-management-howto-deploy-multi-region.md) deployments aren't supported in secondary regions. In such cases, data residency requirements are still met. 
+ 
 
 ## Prerequisites
 
@@ -40,9 +43,6 @@ To learn more, see:
 
 Onboarding APIs to Defender for APIs is a two-step process: enabling the Defender for APIs plan, and onboarding unprotected APIs in your API Management instances.   
 
-> [!CAUTION]
-> Onboarding APIs to Defender for APIs may increase compute, memory, and network utilization of your API Management instance. Do not onboard all APIs at one time if your API Management instance is running at high utilization. Use caution by gradually onboarding APIs, while monitoring the utilization of your instance (for example, using [the capacity metric](api-management-capacity.md)) and scaling out as needed. 
-
 ### Enable the Defender for APIs plan for a subscription
 
 1. Sign in to the [portal](https://portal.azure.com), and go to your API Management instance.
@@ -57,9 +57,11 @@ Onboarding APIs to Defender for APIs is a two-step process: enabling the Defende
 
 1. Select **Save**.
 
-
 ### Onboard unprotected APIs to Defender for APIs 
 
+> [!CAUTION]
+> Onboarding APIs to Defender for APIs may increase compute, memory, and network utilization of your API Management instance. Do not onboard all APIs at one time if your API Management instance is running at high utilization. Use caution by gradually onboarding APIs, while monitoring the utilization of your instance (for example, using [the capacity metric](api-management-capacity.md)) and scaling out as needed. 
+
 1. In the portal, go back to your API Management instance.
 1. In the left menu, select **Microsoft Defender for Cloud (preview)**.
 1. Under **Recommendations**, select **Azure API Management APIs should be onboarded to Defender for APIs**.
@@ -71,7 +73,7 @@ Onboarding APIs to Defender for APIs is a two-step process: enabling the Defende
     * Affected resources, classified as **Healthy** (onboarded to Defender for APIs), **Unhealthy** (not onboarded), or **Not applicable**, along with associated metadata from API Management
 
    > [!NOTE]
-   > Affected resources include all API collections (that is, APIs and their associated operations) from all API Management instances under the subscription. 
+   > Affected resources include API collections (APIs) from all API Management instances under the subscription. 
 
 1. From the list of **Unhealthy** resources, select the API(s) that you wish to onboard to Defender for APIs.
 1. Select **Fix**, and then select **Fix resources**.