Merge pull request #284826 from austinmccollum/main

premium MDTI data connector

Author: v-regandowner

articles/sentinel/connect-mdti-data-connector.md

@@ -1,10 +1,11 @@
 ---
 title: Enable data connector for Microsoft's threat intelligence
-titleSuffix: Microsoft Defender Threat Intelligence 
+titleSuffix: Microsoft Defender Threat Intelligence
+keywords: premium, TI, STIX objects, relationships, threat actor, watchlist, license
 description: Learn how to ingest Microsoft's threat intelligence into your Sentinel workspace to generate high fidelity alerts and incidents.
 author: austinmccollum
 ms.topic: how-to
-ms.date: 3/14/2024
+ms.date: 8/16/2024
 ms.author: austinmc
 appliesto:
     - Microsoft Sentinel in the Azure portal
@@ -14,19 +15,21 @@ ms.collection: usx-security
 ---
 
 # Enable data connector for Microsoft Defender Threat Intelligence
-Bring high fidelity indicators of compromise (IOC) generated by Microsoft Defender Threat Intelligence (MDTI) into your Microsoft Sentinel workspace. The MDTI data connector ingests these IOCs with a simple one-click setup. Then monitor, alert and hunt based on the threat intelligence in the same way you utilize other feeds.
+Bring public, open source and high fidelity indicators of compromise (IOC) generated by Microsoft Defender Threat Intelligence (MDTI) into your Microsoft Sentinel workspace with the MDTI data connectors. With a simple one-click setup, use the TI from the standard and premium MDTI data connectors to monitor, alert and hunt.
 
 > [!IMPORTANT]
-> The Microsoft Defender Threat Intelligence data connector is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+> The Microsoft Defender Threat Intelligence data connector and the Premium Microsoft Defender Threat Intelligence data connector are currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 > [!INCLUDE [unified-soc-preview-without-alert](includes/unified-soc-preview-without-alert.md)]
 
+For more information about the benefits of the standard and premium MDTI data connectors, see [Understand threat intelligence](understand-threat-intelligence.md#add-threat-indicators-to-microsoft-sentinel-with-the-microsoft-defender-threat-intelligence-data-connector).
+
 ## Prerequisites
 - In order to install, update and delete standalone content or solutions in content hub, you need the **Microsoft Sentinel Contributor** role at the resource group level.
-- To configure this data connector, you must have read and write permissions to the Microsoft Sentinel workspace.
+- To configure these data connectors, you must have read and write permissions to the Microsoft Sentinel workspace.
 
 ## Install the Threat Intelligence solution in Microsoft Sentinel
 
-To import threat indicators into Microsoft Sentinel from MDTI, follow these steps:
+To import threat indicators into Microsoft Sentinel from standard and premium MDTI, follow these steps:
 
 1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Content management**, select **Content hub**. <br>For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Content management** > **Content hub**.
 
@@ -42,22 +45,22 @@ For more information about how to manage the solution components, see [Discover
 
 1. Find and select the Microsoft Defender Threat Intelligence data connector > **Open connector page** button.
 
-    :::image type="content" source="media/connect-mdti-data-connector/mdti-data-connector-config.png" alt-text="Screenshot displaying the data connectors page with the MDTI data connector listed." lightbox="media/connect-mdti-data-connector/mdti-data-connector-config.png"::: 
+    :::image type="content" source="media/connect-mdti-data-connector/premium-microsoft-defender-threat-intelligence-data-connector-config.png" alt-text="Screenshot displaying the data connectors page with the MDTI data connector listed." lightbox="media/connect-mdti-data-connector/premium-microsoft-defender-threat-intelligence-data-connector-config.png"::: 
 
 1. Enable the feed by selecting the **Connect** button
 
-    :::image type="content" source="media/connect-mdti-data-connector/mdti-data-connector-connect.png" alt-text="Screenshot displaying the MDTI data connector page and the connect button." lightbox="media/connect-mdti-data-connector/mdti-data-connector-connect.png"::: 
+    :::image type="content" source="media/connect-mdti-data-connector/microsoft-defender-threat-intelligence-data-connector-connect.png" alt-text="Screenshot displaying the MDTI data connector page and the connect button." lightbox="media/connect-mdti-data-connector/microsoft-defender-threat-intelligence-data-connector-connect.png"::: 
 
 1. When MDTI indicators start populating the Microsoft Sentinel workspace, the connector status displays **Connected**.
 
 At this point, the ingested indicators are now available for use in the *TI map...* analytics rules. For more information, see [Use threat indicators in analytics rules](use-threat-indicators-in-analytics-rules.md). 
 
-You can find the new indicators in the **Threat intelligence** blade or directly in **Logs** by querying the **ThreatIntelligenceIndicator** table. For more information, see [Work with threat indicators](work-with-threat-indicators.md).
+Find the new indicators in the **Threat intelligence** blade or directly in **Logs** by querying the **ThreatIntelligenceIndicator** table. For more information, see [Work with threat indicators](work-with-threat-indicators.md).
 
 ## Related content
 
 In this document, you learned how to connect Microsoft Sentinel to Microsoft's threat intelligence feed with the MDTI data connector. To learn more about Microsoft Defender for Threat Intelligence see the following articles.
 
 - Learn about [What is Microsoft Defender Threat Intelligence?](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti).
-- Get started with the MDTI community portal [MDTI portal](https://ti.defender.microsoft.com).
+- Get started with the MDTI portal [MDTI portal](/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal).
 - Use MDTI in analytics [Use matching analytics to detect threats](use-matching-analytics-to-detect-threats.md).

articles/sentinel/media/connect-mdti-data-connector/mdti-data-connector-connect.png

@@ -4,7 +4,7 @@ titleSuffix: Microsoft Sentinel
 description: Understand how threat intelligence feeds are connected to, managed, and used in Microsoft Sentinel to analyze data, detect threats, and enrich alerts.
 author: austinmccollum
 ms.topic: concept-article
-ms.date: 3/06/2024
+ms.date: 8/16/2024
 ms.author: austinmc
 appliesto:
     - Microsoft Sentinel in the Azure portal
@@ -44,7 +44,8 @@ Threat Intelligence also provides useful context within other Microsoft Sentinel
 
 Just like all the other event data in Microsoft Sentinel, threat indicators are imported using data connectors. Here are the data connectors in Microsoft Sentinel provided specifically for threat indicators.
 
-- **Microsoft Defender Threat Intelligence data connector** to ingest Microsoft's threat indicators 
+- **Microsoft Defender Threat Intelligence data connector** to ingest Microsoft's threat indicators
+- **Premium Microsoft Defender Threat Intelligence data connector** to ingest MDTI's premium intelligence feed
 - **Threat Intelligence - TAXII** for industry-standard STIX/TAXII feeds
 - **Threat Intelligence upload indicators API** for integrated and curated TI feeds using a REST API to connect 
 - **Threat Intelligence Platform data connector** also connects TI feeds using a REST API, but is on the path for deprecation
@@ -55,9 +56,22 @@ Also, see this catalog of [threat intelligence integrations](threat-intelligence
 
 ### Add threat indicators to Microsoft Sentinel with the Microsoft Defender Threat Intelligence data connector
 
-Bring high fidelity indicators of compromise (IOC) generated by Microsoft Defender Threat Intelligence (MDTI) into your Microsoft Sentinel workspace. The MDTI data connector ingests these IOCs with a simple one-click setup. Then monitor, alert and hunt based on the threat intelligence in the same way you utilize other feeds.
+Bring public, open source and high fidelity indicators of compromise (IOC) generated by Microsoft Defender Threat Intelligence (MDTI) into your Microsoft Sentinel workspace with the MDTI data connectors. With a simple one-click setup, use the TI from the standard and premium MDTI data connectors to monitor, alert and hunt.
 
-For more information on MDTI data connector, see [Enable MDTI data connector](connect-mdti-data-connector.md).
+The freely available MDTI threat analytics rule gives you a taste of what the premium MDTI data connector provides. However with matching analytics, only indicators that match the rule are actually ingested into your environment. The premium MDTI data connector brings the premium TI and allows analytics for more data sources with greater flexibility and understanding of that threat intelligence. Here's a table showing what to expect when you license and enable the premium MDTI data connector.
+
+| Free | Premium | 
+|----|----|
+| Public indicators of compromise (IOCs) | |
+| Open-source intelligence (OSINT) | |
+| | Microsoft IOCs |
+| | Microsoft-enriched OSINT |
+
+For more information see the following articles:
+- To learn how to get a premium license and explore all the differences between the standard and premium versions, see the [Microsoft Defender Threat Intelligence product page](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-threat-intelligence).
+- To learn more about the free MDTI experience, see [Introducing MDTI free experience for Microsoft Defender XDR](https://techcommunity.microsoft.com/t5/microsoft-defender-threat/introducing-mdti-free-experience-for-microsoft-defender-xdr/ba-p/3976635).
+- To learn how to enable the MDTI and the PMDTI data connectors, see [Enable MDTI data connector](connect-mdti-data-connector.md).
+- To learn about matching analytics, see [Use matching analytics to detect threats](use-matching-analytics-to-detect-threats.md).
 
 ### Add threat indicators to Microsoft Sentinel with the Threat Intelligence Upload Indicators API data connector
 

articles/sentinel/media/connect-mdti-data-connector/mdti-data-connector-config.png renamed to articles/sentinel/media/connect-mdti-data-connector/microsoft-defender-threat-intelligence-data-connector-config.png

@@ -20,11 +20,18 @@ The listed features were released in the last three months. For information abou
 
 ## August 2024
 
+- [Premium Microsoft Defender Threat Intelligence data connector (Preview)](#premium-microsoft-defender-threat-intelligence-data-connector-preview)
 - [Unified AMA-based connectors for syslog ingestion](#unified-ama-based-connectors-for-syslog-ingestion)
 - [Better visibility for Windows security events](#better-visibility-for-windows-security-events)
 - [New Auxiliary logs retention plan (Preview)](#new-auxiliary-logs-retention-plan-preview)
 - [Create summary rules for large sets of data (Preview)](#create-summary-rules-in-microsoft-sentinel-for-large-sets-of-data-preview)
 
+### Premium Microsoft Defender Threat Intelligence data connector (Preview)
+
+Your premium license for Microsoft Defender Threat Intelligence (MDTI) now unlocks the ability to ingest all premium indicators directly into your workspace. The premium MDTI data connector adds more to your hunting and research capabilities within Microsoft Sentinel. 
+
+For more information, see [Understand threat intelligence](understand-threat-intelligence.md#add-threat-indicators-to-microsoft-sentinel-with-the-microsoft-defender-threat-intelligence-data-connector). 
+
 ### Unified AMA-based connectors for syslog ingestion
 
 With the impending retirement of the Log Analytics Agent, Microsoft Sentinel has consolidated the collection and ingestion of syslog, CEF, and custom-format log messages into three multi-purpose data connectors based on the Azure Monitor Agent (AMA):