Commit 644d3cf

polish final run through before wider review
1 parent 9244691 commit 644d3cf

4 files changed, +24 -19 lines changed

articles/sentinel/understand-threat-intelligence.md

Lines changed: 14 additions & 12 deletions
Original file line number | Diff line number | Diff line change
@@ -40,8 +40,8 @@ The following table outlines the activities required to make the most of threat
4040
| Action | Description|
4141
|---|---|
4242
| **Store threat intelligence in Microsoft Sentinel's workspace** | <ul><li>Import threat intelligence into Microsoft Sentinel by enabling data connectors to various threat intelligence platforms and feeds.</li><li>Connect threat intelligence to Microsoft Sentinel by using the upload API to connect various TI platforms or custom applications.</li><li>Create threat intelligence with a streamlined management interface.</li>|
43-
| **Manage threat intelligence** | <ul><li>View imported threat intelligence in logs or with advanced search.</li><li>Curate threat intelligence by establishing relationships between objects or adding tags</li><li>Visualize key information about your TI with the threat intelligence workbook.</li>|
44-
| **Use threat intelligence** | <ul><li>Detect threats and generate security alerts and incidents by using the built-in analytics rule templates based on your threat intelligence.</li><li>Hunt for threats using your threat intel to ask the right questions about the signals captured for your organization.</li>|
43+
| **Manage threat intelligence** | <ul><li>View imported threat intelligence using queries or advanced search.</li><li>Curate threat intelligence with relationships or tags</li><li>Visualize key information about your TI with workbooks.</li>|
44+
| **Use threat intelligence** | <ul><li>Detect threats and generate security alerts and incidents with built-in analytics rule templates based on your threat intelligence.</li><li>Hunt for threats using your threat intel to ask the right questions about the signals captured for your organization.</li>|
4545

4646
Threat intelligence also provides useful context within other Microsoft Sentinel experiences, such as notebooks. For more information, see [Get started with notebooks and MSTICPy](/azure/sentinel/notebook-get-started).
4747
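Review bot: the `<ul>` lists in the Store, Manage and Use rows (lines 42-44, old and new) are opened but never closed with `</ul>` before the cell's closing `|`, so the table relies on the renderer's error recovery; add `</ul>` to each row while you are editing them. Also, in the new line 43 the middle bullet "Curate threat intelligence with relationships or tags" is the only one in the three rows without a terminal period.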

@@ -54,7 +54,7 @@ Most threat intelligence is imported using data connectors or an API. Here are t
5454
- **Microsoft Defender Threat Intelligence** data connector to ingest Microsoft's threat intelligence
5555
- **Threat Intelligence - TAXII** data connector for industry-standard STIX/TAXII feeds
5656
- **Threat Intelligence upload API** for integrated and curated TI feeds using a REST API to connect (doesn't require a data connector)
57-
- **Threat Intelligence Platform data connector** also connects TI feeds using a legacy REST API, but is on the path for deprecation
57+
- **Threat Intelligence Platform** data connector also connects TI feeds using a legacy REST API, but is on the path for deprecation
5858

5959
Use these solutions in any combination, depending on where your organization sources threat intelligence. All of these data connectors are available in **Content hub** as part of the **Threat Intelligence** solution. For more information about this solution, see the Azure Marketplace entry [Threat Intelligence](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-threatintelligence-taxii?tab=Overview).
6060
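Review bot: the reworded "Threat Intelligence Platform" bullet (line 57) still says the connector "is on the path for deprecation" without a date or a link to the retirement notice; a reader choosing between the upload API and the legacy connector needs that to plan a migration, so link the deprecation announcement here (no URL for it appears in this diff).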

@@ -66,7 +66,7 @@ Bring public, open-source, and high-fidelity IOCs generated by Defender Threat I
6666

6767
There are two versions of the data connector, standard and premium. There's also a freely available Defender Threat Intelligence threat analytics rule which gives you a sample of what the premium Defender Threat Intelligence data connector provides. However, with matching analytics, only indicators that match the rule are ingested into your environment.
6868

69-
The premium Defender Threat Intelligence data connector ingests Microsoft-enriched open source intelligence and Microsoft's curated IOCs. These premium features allow analytics on more data sources with greater flexibility and understanding of that threat intelligence. Here's a table that shows what to expect when you license and enable the Defender Threat Intelligence data connector premium version.
69+
The premium Defender Threat Intelligence data connector ingests Microsoft-enriched open source intelligence and Microsoft's curated IOCs. These premium features allow analytics on more data sources with greater flexibility and understanding of that threat intelligence. Here's a table that shows what to expect when you license and enable the premium version.
7070

7171
| Free | Premium |
7272
|---|---|
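Review bot: line 69 writes "open source intelligence" while the hunk's own heading line uses "open-source"; hyphenate consistently. The trimmed sentence still carries the vague claim "allow analytics on more data sources with greater flexibility and understanding of that threat intelligence"; the Free/Premium table that follows is the concrete content, so consider dropping that clause and keeping only "Here's what to expect when you license and enable the premium version."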
@@ -132,7 +132,7 @@ Threat intelligence powered by Microsoft Sentinel is managed next to Microsoft D
132132
>[!NOTE]
133133
> Threat intelligence in the Azure portal is still accessed from **Microsoft Sentinel** > **Threat management** > **Threat intelligence**.
134134
135-
Two of the most common threat intelligence tasks are creating new threat intelligence related to security investigations and tagging intel objects. The management interface streamlines the manual process of creating individual threat intel with a few key features.
135+
Two of the most common threat intelligence tasks are creating new threat intelligence related to security investigations and adding tags. The management interface streamlines the manual process of creating individual threat intel with a few key features.
136136
- Define relationships as you create new STIX objects.
137137
- Curate existing TI with the relationship builder.
138138
- Copy common metadata from a new or existing TI object with the duplicate feature.
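Review bot: the new line 135 replaces "tagging intel objects" with "adding tags", which drops the object of the action and breaks the parallel with "creating new threat intelligence"; "adding tags to existing objects" keeps both. Minor: "threat intel" and "threat intelligence" alternate within the same paragraph; pick one.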
@@ -146,16 +146,16 @@ The following STIX objects are available in Microsoft Sentinel:
146146
| **Threat actor** | From script kiddies to nation states, threat actor objects describe motivations, sophistication, and resourcing levels. |
147147
| **Attack pattern** | Also known as techniques, tactics and procedures, attack patterns describe a specific component of an attack and the MITRE ATT&CK stage it's used on. |
148148
| **Indicator** | `Domain name`, `URL`, `IPv4 address`, `IPv6 address`, and `File hashes`</br></br>`X509 certificates` are used to authenticate the identity of devices and servers for secure communication over the internet.</br></br>`JA3` fingerprints are unique identifiers generated from the TLS/SSL handshake process. They help in identifying specific applications and tools used in network traffic, making it easier to detect malicious activities</br></br>`JA3S` fingerprints extend the capabilities of JA3 by also including server-specific characteristics in the fingerprinting process. This extension provides a more comprehensive view of the network traffic and helps in identifying both client and server-side threats.</br></br>`User agents` provide information about the client software making requests to a server, such as the browser or operating system. They're useful in identifying and profiling devices and applications accessing a network. |
149-
| Identity | Describe victims, organizations, and other groups or individuals along with the business sectors most closely associated with them. |
150-
| Relationship | The threads that connect threat intelligence, helping to make connections across disparate signals and data points are described with relationships. |
149+
| **Identity** | Describe victims, organizations, and other groups or individuals along with the business sectors most closely associated with them. |
150+
| **Relationship** | The threads that connect threat intelligence, helping to make connections across disparate signals and data points are described with relationships. |
151151

152152
### Create relationships
153153

154-
Enhance threat detection and response by establishing connections between objects with the relationship builder. The following table lists some use cases of establishing connections.
154+
Enhance threat detection and response by establishing connections between objects with the relationship builder. The following table lists some of its use cases.
155155

156156
| Use case | Description |
157157
|---|---|
158-
| Connect threat actor to an attack pattern | The threat actor `APT29` *Uses* the attack pattern `Phishing via Email` to gain initial access.|
158+
| Connect a threat actor to an attack pattern | The threat actor `APT29` *Uses* the attack pattern `Phishing via Email` to gain initial access.|
159159
| Link an indicator to a threat actor| A domain indicator `allyourbase.contoso.com` is *Attributed to* the threat actor `APT29`. |
160160
| Associate an identity (victim) with an attack pattern| The attack pattern `Phishing via Email` *Targets* the `FourthCoffee` organization.|
161161
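Review bot: the unchanged Indicator row (line 148) uses `</br>` as a line break; that is a closing tag with no opener and only renders because browsers repair it, so replace each with `<br/>` while the table is being touched. In the same row the JA3 sentence ends without a period. The Attack pattern row expands TTPs as "techniques, tactics and procedures"; the conventional order is "tactics, techniques, and procedures". In the use-case table, "Link an indicator to a threat actor|" and "with an attack pattern|" (lines 159-160) are missing the space before the pipe that the other rows have.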

@@ -165,7 +165,7 @@ The following image shows how the relationship builder connects all of these use
165165

166166
### Curate threat intelligence
167167

168-
Designate which TI objects can be shared with appropriate audiences by designating a sensitivity level called Traffic Light Protocol (TLP).
168+
Configure which TI objects can be shared with appropriate audiences by designating a sensitivity level called Traffic Light Protocol (TLP).
169169

170170
| TLP color | Sensitivity |
171171
|---|---|
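Review bot: "designating a sensitivity level called Traffic Light Protocol (TLP)" (new line 168) names the protocol as if it were the level; TLP is the marking scheme and the colors in the table below are the levels. "Control which TI objects can be shared with which audiences by assigning a Traffic Light Protocol (TLP) marking" says this accurately and also removes the remaining "Configure ... by designating" awkwardness.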
@@ -186,7 +186,9 @@ View your threat intelligence from the management interface. Use advanced search
186186

187187
View your indicators stored in the Microsoft Sentinel-enabled Log Analytics workspace. The `ThreatIntelligenceIndicator` table under the **Microsoft Sentinel** schema is where all your Microsoft Sentinel threat indicators are stored. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features, such as analytics, hunting queries, and workbooks.
188188

189-
Tables supporting the new STIX object schema aren't available publicly yet. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Ingest your threat intelligence into the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects`, alongside with or instead of the current table, `ThreatIntelligenceIndicator` with this opt-in process.
189+
>[!IMPORTANT]
190+
>Tables supporting the new STIX object schema aren't available publicly yet. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Ingest your threat intelligence into the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects`, alongside with or instead of the current table, `ThreatIntelligenceIndicator` with this opt-in process.
191+
>
190192
191193
Here's an example view of a basic query for just threat indicators using the current table.
192194
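Review bot: the new callout text starts with `>Tables` (line 190) while the `[!NOTE]` block at line 133 uses `> ` with a space; match the existing style. The added bare `>` on line 191 is an empty quoted line at the end of the callout and should be dropped. In the quoted sentence, "alongside with or instead of" should be "alongside or instead of", and the comma after `ThreatIntelligenceIndicator` that this commit adds to the same sentence in whats-new.md is missing here.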

@@ -208,7 +210,7 @@ For example, use `GeoLocation` data to find information like the organization or
208210

209211
## Detect threats with threat indicator analytics
210212

211-
The most important use case for threat indicators in SIEM solutions like Microsoft Sentinel is to power analytics rules for threat detection. These indicator-based rules compare raw events from your data sources against your threat indicators to detect security threats in your organization. In Microsoft Sentinel Analytics, you create analytics rules powered by queries that run on a schedule and generate security alerts. Along with configurations, they determine how often the rule should run, what kind of query results should generate security alerts and incidents, and, optionally, when to trigger an automated response.
213+
The most important use case for threat intelligence in SIEM solutions like Microsoft Sentinel is to power analytics rules for threat detection. These indicator-based rules compare raw events from your data sources against your threat indicators to detect security threats in your organization. In Microsoft Sentinel Analytics, you create analytics rules powered by queries that run on a schedule and generate security alerts. Along with configurations, they determine how often the rule should run, what kind of query results should generate security alerts and incidents, and, optionally, when to trigger an automated response.
212214

213215
Although you can always create new analytics rules from scratch, Microsoft Sentinel provides a set of built-in rule templates, created by Microsoft security engineers, to take advantage of your threat indicators. These templates are based on the type of threat indicators (domain, email, file hash, IP address, or URL) and data source events that you want to match. Each template lists the required sources that are needed for the rule to function. This information makes it easy to determine if the necessary events are already imported in Microsoft Sentinel.
214216
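Review bot: after the first sentence (line 213) is broadened from "threat indicators" to "threat intelligence", the next sentence's "These indicator-based rules" no longer has an antecedent; either keep "threat indicators" in the first sentence or open the second with "Indicator-based analytics rules compare raw events...". "Along with configurations, they determine how often the rule should run" is also vague about the subject; "The rule's settings determine how often it runs, which query results generate alerts and incidents, and, optionally, when to trigger an automated response" is more direct.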

articles/sentinel/whats-new.md

Lines changed: 2 additions & 2 deletions
@@ -40,7 +40,7 @@ Enhanced threat intelligence capabilities are available in both Microsoft's unif
4040

4141
- Define relationships as you create new STIX objects.
4242
- Curate existing threat intelligence with the new relationship builder.
43-
- Create multiple objects quickly by copying common metadata from a new or existing TI object with the duplicate feature.
43+
- Create multiple objects quickly by copying common metadata from a new or existing TI object using a duplication feature.
4444
- Use advanced search to sort and filter your threat intelligence objects without even writing a Log Analytics query.
4545

4646
For more information, see the following articles:
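Review bot: the new line 43 calls it "a duplication feature" while understand-threat-intelligence.md line 138 in this same commit still says "the duplicate feature"; the two articles should use one name for the same control, preferably the label shown in the UI.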
@@ -50,7 +50,7 @@ For more information, see the following articles:
5050

5151
### Unlock advanced hunting with new STIX objects by opting in to new threat intelligence tables
5252

53-
Tables supporting the new STIX object schema aren't available publicly yet. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Ingest your threat intelligence into the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects` alongside with or instead of the current table, `ThreatIntelligenceIndicator` with this opt-in process.
53+
Tables supporting the new STIX object schema aren't available publicly yet. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Ingest your threat intelligence into the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects` alongside with or instead of the current table, `ThreatIntelligenceIndicator`, with this opt-in process.
5454

5555
For more information, see the blog announcement [New STIX objects in Microsoft Sentinel](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-new-stix-objects-in-microsoft-sentinel/4369164).
5656
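Review bot: the comma added after `ThreatIntelligenceIndicator` (new line 53) is not applied to the word-for-word copy of this paragraph in understand-threat-intelligence.md in the same commit, so the two now diverge. Because the opt-in text, the form link and the table names are duplicated verbatim, consider moving the paragraph into an include so future edits land in both places.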

articles/sentinel/work-with-threat-indicators.md

Lines changed: 8 additions & 5 deletions
@@ -90,11 +90,14 @@ The following image demonstrates connections made between a threat actor and an
9090
Use the management interface to sort, filter, and search your threat intelligence from whatever source they were ingested from without writing a Log Analytics query.
9191

9292
1. From the management interface, expand the **What would you like to search?** menu.
93-
1. Select the STIX object type or leave the default **All object types**.
93+
94+
1. Select a STIX object type or leave the default **All object types**.
95+
9496
1. Select conditions using logical operators.
97+
9598
1. Select the object you want to see more information about.
9699

97-
In the following image, multiple sources were used to search by placing them in an `OR` group, while multiple conditions were group with the `AND` operator.
100+
In the following image, multiple sources were used to search by placing them in an `OR` group, while multiple conditions were grouped with the `AND` operator.
98101

99102
:::image type="content" source="media/work-with-threat-indicators/advanced-search.png" alt-text="Screenshot shows an OR operator combined with multiple AND conditions to search threat intelligence.":::
100103
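Review bot: the unchanged lead sentence (line 90) reads "from whatever source they were ingested from", with a doubled "from" and "they" disagreeing in number with "threat intelligence"; "from whatever source it was ingested" fixes both. Note that the blank lines added between the numbered steps (new lines 93-97) turn a tight list into a loose one, so every step now renders with paragraph spacing; fine if intended, but the other numbered procedure in this file should then get the same treatment.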

@@ -124,9 +127,9 @@ For more information on how threat intel is updated, see [View your threat intel
124127

125128
### Find and view your indicators with queries
126129

127-
This procedure describes how to view your imported threat indicators in Log Analytics, together with other Microsoft Sentinel event data, regardless of the source feed or method you used to ingest them.
130+
This procedure describes how to view your threat indicators in Log Analytics, together with other Microsoft Sentinel event data, regardless of the source feed or method you used to ingest them.
128131

129-
Imported threat indicators are listed in the Microsoft Sentinel `ThreatIntelligenceIndicator` table. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features, such as **Analytics**, **Hunting**, and **Workbooks**.
132+
Threat indicators are listed in the Microsoft Sentinel `ThreatIntelligenceIndicator` table. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features, such as **Analytics**, **Hunting**, and **Workbooks**.
130133

131134
To view your threat intelligence indicators:
132135
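Review bot: with "imported" dropped (new lines 130 and 132), the paragraph now states that all threat indicators are listed in `ThreatIntelligenceIndicator`, but the `[!IMPORTANT]` callout this same commit adds to understand-threat-intelligence.md says opted-in workspaces can ingest into `ThreatIntelIndicator` and `ThreatIntelObjects` instead of that table. Either repeat the callout here or add a cross-reference so a reader following this procedure knows why the table may be empty.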

@@ -141,7 +144,7 @@ To view your threat intelligence indicators:
141144

142145
:::image type="content" source="media/work-with-threat-indicators/ti-table-results.png" alt-text="Screenshot that shows sample ThreatIntelligenceIndicator table results with the details expanded." lightbox="media/work-with-threat-indicators/ti-table-results.png":::
143146

144-
## Visualize your threat intelligence with workbooks
147+
### Visualize your threat intelligence with workbooks
145148

146149
Use a purpose-built Microsoft Sentinel workbook to visualize key information about your threat intelligence in Microsoft Sentinel, and customize the workbook according to your business needs.
147150
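Review bot: demoting "Visualize your threat intelligence with workbooks" from `##` to `###` (new line 147) makes it a sibling of "### Find and view your indicators with queries" rather than a top-level section; the generated anchor is unchanged, so existing links keep resolving, but the in-page TOC and any parent-section wording that lists its subsections should be checked to match.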
