Commit 1979643

edit pass: sentinel-threat-intelligence-batch2
1 parent 6d14268 commit 1979643

4 files changed

+17
-17
lines changed

articles/sentinel/add-entity-to-threat-intelligence.md

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -22,21 +22,21 @@ With Microsoft Sentinel, you can flag these types of entities from within your i
2222

2323
## Add an entity to your threat intelligence
2424

25-
The [Incident details page](investigate-incidents.md) and the investigation graph give you two ways to add entities to threat intelligence. Both ways are shown here.
25+
The [Incident details page](investigate-incidents.md) and the investigation graph give you two ways to add entities to threat intelligence.
2626

2727
# [Incident details page](#tab/incidents)
2828

2929
1. On the Microsoft Sentinel menu, select **Incidents** from the **Threat management** section.
3030

3131
1. Select an incident to investigate. On the **Incident details** pane, select **View full details** to open the **Incident details** page.
3232

33-
:::image type="content" source="media/add-entity-to-threat-intelligence/incident-details-overview.png" alt-text="Screenshot that shows the Incident details page." lightbox="media/add-entity-to-threat-intelligence/incident-details-overview.png":::
34-
3533
1. On the **Entities** pane, find the entity that you want to add as a threat indicator. (You can filter the list or enter a search string to help you locate it.)
3634

35+
:::image type="content" source="media/add-entity-to-threat-intelligence/incident-details-overview.png" alt-text="Screenshot that shows the Incident details page." lightbox="media/add-entity-to-threat-intelligence/incident-details-overview.png":::
36+
3737
1. Select the three dots to the right of the entity, and select **Add to TI** from the pop-up menu.
3838

39-
Only add the following types of entities as threat indicators:
39+
Add only the following types of entities as threat indicators:
4040

4141
- Domain name
4242
- IP address (IPv4 and IPv6)
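Review bot: moving the Incident details screenshot from after step 2 (where **View full details** opens that page) to after step 3 (the **Entities** pane) separates the image from the step it illustrates, and the alt text still reads "Screenshot that shows the Incident details page." Either keep the image after step 2 or update the alt text to describe the Entities pane it now sits under. Dropping "Both ways are shown here." also removes the only sentence that introduces the tabbed layout that follows (`# [Incident details page](#tab/incidents)`); a short lead-in such as "The following tabs show each method." would keep the tabs from appearing unannounced.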
@@ -75,20 +75,20 @@ Whichever of the two interfaces you choose, you end up here.
7575
- **Types**
7676
- The type of indicator represented by the entity you're adding.
7777
- Dropdown list with possible values: `ipv4-addr`, `ipv6-addr`, `URL`, `file`, and `domain-name`.
78-
- Required. Automatically populated based on the **entity type**.
78+
- Required. Automatically populated based on the *entity type*.
7979

8080
- **Value**
8181
- The name of this field changes dynamically to the selected indicator type.
8282
- The value of the indicator itself.
83-
- Required. Automatically populated by the **entity value**.
83+
- Required. Automatically populated by the *entity value*.
8484

8585
- **Tags**
8686
- Free-text tags you can add to the indicator.
87-
- Optional. Automatically populated by the **incident ID**. You can add others.
87+
- Optional. Automatically populated by the *incident ID*. You can add others.
8888

8989
- **Name**
9090
- Name of the indicator. This name is what appears in your list of indicators.
91-
- Optional. Automatically populated by the **incident name.**
91+
- Optional. Automatically populated by the *incident name*.
9292

9393
- **Created by**
9494
- Creator of the indicator.
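Review bot: the four changed lines use two phrasings for the same idea, "Automatically populated based on the *entity type*" versus "Automatically populated by the *entity value*"; pick one ("based on" or "from") for all four fields. Since entity properties are now italic rather than bold, check that the rest of the page also uses italics for property names and bold only for UI labels, otherwise the distinction this edit introduces will be inconsistent. In the unchanged **Types** line, `URL` is capitalized while the other dropdown values are lowercase STIX-style type names (`ipv4-addr`, `domain-name`); verify that the string matches what the dropdown actually shows.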
@@ -126,7 +126,7 @@ Whichever of the two interfaces you choose, you end up here.
126126

127127
:::image type="content" source="media/add-entity-to-threat-intelligence/new-indicator-panel.png" alt-text="Screenshot that shows entering information in the new threat indicator pane.":::
128128

129-
1. When all the fields are filled in to your satisfaction, select **Apply**. A confirmation message appears in the upper-right corner stating that your indicator was created.
129+
1. When all the fields are filled in to your satisfaction, select **Apply**. A message appears in the upper-right corner to confirm that your indicator was created.
130130

131131
1. The entity is added as a threat indicator in your workspace. You can find it [in the list of indicators on the Threat intelligence page](work-with-threat-indicators.md#find-and-view-your-indicators-on-the-threat-intelligence-page). You can also find it [in the ThreatIntelligenceIndicators table in Logs](work-with-threat-indicators.md#find-and-view-your-indicators-in-logs).
132132

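Review bot: the unchanged final step links to "the ThreatIntelligenceIndicators table in Logs" (plural, plain text), while work-with-threat-indicators.md in this same commit calls it the `ThreatIntelligenceIndicator` table (singular, code font); align both files on the real table name and formatting so readers searching Logs do not type the wrong name. That final item also describes the outcome rather than an action the user performs; consider making it a plain paragraph after the numbered steps.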
articles/sentinel/indicators-bulk-file-import.md

Lines changed: 2 additions & 2 deletions
@@ -106,7 +106,7 @@ Review each template to ensure that your indicators are imported successfully. B
106106

107107
1. Delete the entire first row from the template to remove the comments before upload.
108108

109-
- The maximum file size for a CSV file import is 50 MB.
109+
The maximum file size for a CSV file import is 50 MB.
110110

111111
Here's an example domain-name indicator that uses the CSV template:
112112

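Review bot: turning "The maximum file size for a CSV file import is 50 MB." from a bullet into a bare sentence between the numbered steps and "Here's an example domain-name indicator..." only works if the line stays indented under the last list item; otherwise it interrupts the list and reads as an orphaned paragraph. Since the limit is a constraint on the upload rather than a step, consider stating it before the steps or in a `> [!NOTE]` callout, a convention this repo already uses (see the `> [!IMPORTANT]` block in use-matching-analytics-to-detect-threats.md).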
@@ -125,7 +125,7 @@ Phishing,"demo, csv",MDTI article - Franken-Phish domainname,Entity appears in M
125125

126126
1. Close the last indicator in the array by using the `}` without a comma.
127127

128-
- The maximum file size for a JSON file import is 250 MB.
128+
The maximum file size for a JSON file import is 250 MB.
129129

130130
Here's an example `ipv4-addr` indicator that uses the JSON template:
131131

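Review bot: same structural point as the CSV hunk: the 250 MB limit is now a bare sentence between a numbered step and the example, so make sure it is either indented under the step or moved out of the list. Because the CSV and JSON limits differ (50 MB versus 250 MB), presenting both in one place ahead of the template instructions, for example a two-row table or a single note, would make the difference easier to spot than two sentences that are identical apart from the number.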
articles/sentinel/use-matching-analytics-to-detect-threats.md

Lines changed: 4 additions & 4 deletions
@@ -15,15 +15,15 @@ ms.collection: usx-security
1515

1616
# Use matching analytics to detect threats
1717

18-
Take advantage of threat intelligence produced by Microsoft to generate high-fidelity alerts and incidents with the **Microsoft Defender Threat Intelligence Analytics** rule. This built-in rule in Microsoft Sentinel matches indicators with Common Event Format (CEF) logs, Windows domain name system (DNS) events with domain and IPv4 threat indicators, syslog data, and more.
18+
Take advantage of threat intelligence produced by Microsoft to generate high-fidelity alerts and incidents with the **Microsoft Defender Threat Intelligence Analytics** rule. This built-in rule in Microsoft Sentinel matches indicators with Common Event Format (CEF) logs, Windows DNS events with domain and IPv4 threat indicators, syslog data, and more.
1919

2020
> [!IMPORTANT]
2121
> Matching analytics is currently in preview. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for more legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
2222
>
2323
2424
## Prerequisites
2525

26-
To produce high-fidelity alerts and incidents, one or more of the supported data connectors must be installed. A premium Microsoft Defender Threat Intelligence license isn't required. Install the appropriate solutions from the **Content hub** to connect these data sources:
26+
You must install one or more of the supported data connectors to produce high-fidelity alerts and incidents. A premium Microsoft Defender Threat Intelligence license isn't required. Install the appropriate solutions from the **Content hub** to connect these data sources:
2727

2828
- Common Event Format
2929
- DNS (preview)
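Review bot: shortening "Windows domain name system (DNS) events" to "Windows DNS events" drops the acronym expansion; if this is the first use of DNS in the article (the Prerequisites list below also just says "DNS (preview)"), keep the expansion on first use. The Prerequisites rewrite reads better, but "one or more of the supported data connectors" no longer points at what "supported" means; if the list that follows is the complete set, say "one or more of the following data connectors" so readers do not look elsewhere for it.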
@@ -79,15 +79,15 @@ Use the following steps to triage through the incidents generated by the **Micro
7979

8080
1. In the Microsoft Sentinel workspace where you enabled the **Microsoft Defender Threat Intelligence Analytics** rule, select **Incidents**, and search for **Microsoft Defender Threat Intelligence Analytics**.
8181

82-
Any incidents found are shown in the grid.
82+
Any incidents that are found appear in the grid.
8383

8484
1. Select **View full details** to view entities and other details about the incident, such as specific alerts.
8585

8686
Here's an example.
8787

8888
:::image type="content" source="media/use-matching-analytics-to-detect-threats/matching-analytics.png" alt-text="Screenshot of incident generated by matching analytics with details pane.":::
8989

90-
1. Observe the severity assigned to the alerts and the incident. Depending on how the indicator is matched, an appropriate severity is assigned to an alert from `Informational` to `High`. For example, if the indicator is matched with firewall logs that allowed the traffic, a high-severity alert is generated. If the same indicator was matched with firewall logs that blocked the traffic, the alert generated is low or medium.
90+
1. Observe the severity assigned to the alerts and the incident. Depending on how the indicator is matched, an appropriate severity is assigned to an alert from `Informational` to `High`. For example, if the indicator is matched with firewall logs that allowed the traffic, a high-severity alert is generated. If the same indicator was matched with firewall logs that blocked the traffic, the generated alert is low or medium.
9191

9292
Alerts are then grouped on a per-observable basis of the indicator. For example, all alerts generated in a 24-hour time period that match the `contoso.com` domain are grouped into a single incident with a severity assigned based on the highest alert severity.
9393

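Review bot: in the changed step, "the generated alert is low or medium" still attributes the severity to the alert itself; "the generated alert has a low or medium severity" matches the sentence before it, which speaks of "a high-severity alert". The same step mixes code font (`Informational`, `High`) with plain text ("high-severity", "low or medium") for the same severity values; use one style throughout. The other edited line, "Any incidents that are found appear in the grid.", could be tightened to "Matching incidents appear in the grid."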
articles/sentinel/work-with-threat-indicators.md

Lines changed: 2 additions & 2 deletions
@@ -53,7 +53,7 @@ Here's an example.
5353
5454
### Find and view your indicators in Logs
5555

56-
This procedure describes how to view your imported threat indicators in the Microsoft Sentinel **Logs** area, together with other Microsoft Sentinel event data, regardless of the source feed or the connector used.
56+
This procedure describes how to view your imported threat indicators in the Microsoft Sentinel **Logs** area, together with other Microsoft Sentinel event data, regardless of the source feed or the connector that you used.
5757

5858
Imported threat indicators are listed in the Microsoft Sentinel `ThreatIntelligenceIndicator` table. This table is the basis for threat intelligence queries run elsewhere in Microsoft Sentinel, such as in **Analytics** or **Workbooks**.
5959

@@ -97,7 +97,7 @@ Tagging threat indicators is an easy way to group them together to make them eas
9797

9898
With Microsoft Sentinel, you can also edit indicators, whether they were created directly in Microsoft Sentinel or come from partner sources, like TIP and TAXII servers. For indicators created in Microsoft Sentinel, all fields are editable. For indicators that come from partner sources, only specific fields are editable, including tags, **Expiration date**, **Confidence**, and **Revoked**. Either way, only the latest version of the indicator appears on the **Threat Intelligence** page. For more information on how indicators are updated, see [Understand threat intelligence](understand-threat-intelligence.md#view-and-manage-your-threat-indicators).
9999

100-
## Workbooks provide insights about your threat intelligence
100+
## Gain insights about your threat intelligence with workbooks
101101

102102
Use a purpose-built Microsoft Sentinel workbook to visualize key information about your threat intelligence in Microsoft Sentinel, and customize the workbook according to your business needs.
103103

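Review bot: renaming the heading from "Workbooks provide insights about your threat intelligence" to "Gain insights about your threat intelligence with workbooks" changes its auto-generated anchor, so any link to `#workbooks-provide-insights-about-your-threat-intelligence` breaks; search the docs for that anchor (add-entity-to-threat-intelligence.md in this same commit links into this file by heading anchor) and update them or add a redirect. In the unchanged paragraph above the heading, the editable fields for partner-sourced indicators are listed as "tags, **Expiration date**, **Confidence**, and **Revoked**", with "tags" in lowercase plain text while the others are bold UI labels; make it **Tags** for consistency.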