articles/sentinel/connect-microsoft-365-defender.md
9 additions & 12 deletions
@@ -4,22 +4,19 @@ description: Learn how to ingest incidents, alerts, and raw event data from Micr
4
4
author: yelevin
5
5
ms.author: yelevin
6
6
ms.topic: conceptual
7
-
ms.date: 02/01/2023
7
+
ms.date: 06/11/2023
8
8
---
9
9
10
10
# Connect data from Microsoft Defender XDR to Microsoft Sentinel
11
11
12
-
Microsoft Sentinel's [Microsoft Defender XDR](/microsoft-365/security/mtp/microsoft-threat-protection) connector with incident integration allows you to stream all Microsoft Defender XDR incidents and alerts into Microsoft Sentinel, and keeps the incidents synchronized between both portals. Microsoft Defender XDR incidents include all their alerts, entities, and other relevant information. They also include alerts from Microsoft Defender XDR's component services **Microsoft Defender for Endpoint**, **Microsoft Defender for Identity**, **Microsoft Defender for Office 365**, and **Microsoft Defender for Cloud Apps**, as well as alerts from other services such as **Microsoft Purview Data Loss Prevention** and **Microsoft Entra ID Protection**. The Microsoft Defender XDR connector also brings incidents from **Microsoft Defender for Cloud**, although in order to synchronize alerts and entities from these incidents, you must enable the Microsoft Defender for Cloud connector, otherwise your Microsoft Defender for Cloud incidents will appear empty. Learn more about the available connectors for [Microsoft Defender for Cloud](ingest-defender-for-cloud-incidents.md).
12
+
The Microsoft Defender XDR connector for Microsoft Sentinel allows you to stream all Microsoft Defender XDR incidents and alerts into Microsoft Sentinel. This connector keeps the incidents synchronized between both portals. Microsoft Defender XDR incidents include all their alerts, entities, and other relevant information. The incidents can also include alerts from the Microsoft Defender products and services. For more information, see [Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md#advanced-hunting-event-collection).
13
13
14
-
The connector also lets you stream **advanced hunting** events from *all* of the above Defender components into Microsoft Sentinel, allowing you to copy those Defender components' advanced hunting queries into Microsoft Sentinel, enrich Sentinel alerts with the Defender components' raw event data to provide additional insights, and store the logs with increased retention in Log Analytics.
For more information about incident integration and advanced hunting event collection, see [Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md#advanced-hunting-event-collection).
17
-
18
-
The Microsoft Defender XDR connector is now generally available.
Before you begin, you must have the appropriate licensing, access, and configured resources described in this section.
19
+
23
20
- You must have a valid license for Microsoft Defender XDR, as described in [Microsoft Defender XDR prerequisites](/microsoft-365/security/mtp/prerequisites).
24
21
25
22
- Your user must be assigned the [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) or [Security Administrator](../active-directory/roles/permissions-reference.md#security-administrator) roles on the tenant you want to stream the logs from.
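Review bot: the `ms.date` in this hunk is changed to `06/11/2023`, while the same commit sets the companion article `microsoft-365-defender-sentinel-integration.md` to `06/11/2024`; the value being replaced was already `02/01/2023`, so the year here looks like a typo and should be `06/11/2024`. Separately, the removed paragraph describing advanced hunting event collection (copying Defender components' hunting queries into Sentinel, enriching alerts with raw event data, longer retention in Log Analytics) has no replacement in the new intro, yet the new "For more information" link points at the `#advanced-hunting-event-collection` anchor. Either keep one sentence on advanced hunting event collection in this intro, or drop the anchor so the link lands on the integration article itself, which is what the surrounding sentence about incidents and alerts is referring to.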
@@ -29,15 +26,15 @@ For more information about incident integration and advanced hunting event colle
29
26
- To make any changes to the connector settings, your user must be a member of the same Microsoft Entra tenant with which your Microsoft Sentinel workspace is associated.
30
27
- Install the solution for **Microsoft Defender XDR** from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
31
28
32
-
### Prerequisites for Active Directory sync via MDI
29
+
For Microsoft Entra ID sync via Microsoft Defender for Identity:
33
30
34
31
- Your tenant must be onboarded to Microsoft Defender for Identity.
35
32
36
-
- You must have the MDI sensor installed.
33
+
- You must have the Microsoft Defender for Identity sensor installed.
37
34
38
35
## Connect to Microsoft Defender XDR
39
36
40
-
In Microsoft Sentinel, select **Data connectors**, select**Microsoft Defender XDR** from the gallery and select**Open connector page**.
37
+
In Microsoft Sentinel, select **Data connectors**. Select**Microsoft Defender XDR** from the gallery and **Open connector page**.
41
38
42
39
The **Configuration** section has three parts:
43
40
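Review bot: the replacement line "For Microsoft Entra ID sync via Microsoft Defender for Identity:" changes the meaning of the removed heading "### Prerequisites for Active Directory sync via MDI". The Entra ID rename applies to Azure AD, not to on-premises Active Directory, and the bullet immediately below ("You must have the Microsoft Defender for Identity sensor installed") is about the sensor that monitors on-premises Active Directory domain controllers. Suggest "For Active Directory sync via Microsoft Defender for Identity:", and consider keeping it as a `###` heading rather than a lead-in sentence so the prerequisite group stays navigable. Expanding "MDI" to the full product name in the sensor bullet is fine.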
@@ -47,7 +44,7 @@ The **Configuration** section has three parts:
47
44
48
45
1.[**Connect events**](#connect-events) enables the collection of raw advanced hunting events from Defender components.
49
46
50
-
These are explained in greater detail below. See[Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md) for more information.
47
+
For more information, see[Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md) for more information.
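Review bot: the new closing line reads "For more information, see [Microsoft Defender XDR integration with Microsoft Sentinel](...) for more information." and duplicates the phrase. Suggest "For more information, see [Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md)."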
articles/sentinel/microsoft-365-defender-sentinel-integration.md
19 additions & 13 deletions
@@ -4,25 +4,31 @@ description: Learn how using Microsoft Defender XDR together with Microsoft Sent
4
4
author: yelevin
5
5
ms.author: yelevin
6
6
ms.topic: conceptual
7
-
ms.date: 02/01/2023
7
+
ms.date: 06/11/2024
8
8
---
9
9
10
10
# Microsoft Defender XDR integration with Microsoft Sentinel
11
11
12
-
Microsoft Sentinel's [Microsoft Defender XDR](/microsoft-365/security/mtp/microsoft-threat-protection) incident integration allows you to stream all Microsoft Defender XDR incidents into Microsoft Sentinel and keep them synchronized between both portals. Incidents from Microsoft Defender XDR include all associated alerts, entities, and relevant information, providing you with enough context to perform triage and preliminary investigation in Microsoft Sentinel. Once in Sentinel, incidents will remain bi-directionally synced with Microsoft Defender XDR, allowing you to take advantage of the benefits of both portals in your incident investigation.
12
+
Microsoft Defender XDR incident integration with Microsoft Sentinel allows you to stream all Microsoft Defender XDR incidents into Microsoft Sentinel and keep them synchronized between both portals. Incidents from Microsoft Defender XDR include all associated alerts, entities, and relevant information, providing you with enough context to perform triage and preliminary investigation in Microsoft Sentinel. Once in Sentinel, incidents remain bi-directionally synced with Microsoft Defender XDR, allowing you to take advantage of the benefits of both portals in your incident investigation.
13
13
14
-
This integration gives Microsoft 365 security incidents the visibility to be managed from within Microsoft Sentinel, as part of the primary incident queue across the entire organization, so you can see – and correlate – Microsoft 365 incidents together with those from all of your other cloud and on-premises systems. At the same time, it allows you to take advantage of the unique strengths and capabilities of Microsoft Defender XDR for in-depth investigations and a Microsoft 365-specific experience across the Microsoft 365 ecosystem. Microsoft Defender XDR enriches and groups alerts from multiple Microsoft 365 products, both reducing the size of the SOC’s incident queue and shortening the time to resolve. The component services that are part of the Microsoft Defender XDR stack are:
The integration gives Microsoft 365 security incidents the visibility to be managed from within Microsoft Sentinel, as part of the primary incident queue across the entire organization, so you can see – and correlate – Microsoft 365 incidents together with those from all of your other cloud and on-premises systems. At the same time, it allows you to take advantage of the unique strengths and capabilities of Microsoft Defender XDR for in-depth investigations and a Microsoft 365-specific experience across the Microsoft 365 ecosystem. Microsoft Defender XDR enriches and groups alerts from multiple Microsoft 365 products, both reducing the size of the SOC’s incident queue and shortening the time to resolve. Alerts from the following Microsoft Defender products and services are also included in the integration of Defender XDR to Microsoft:
19
+
20
+
- Microsoft Defender for Endpoint
21
+
- Microsoft Defender for Identity
22
+
- Microsoft Defender for Office 365
23
+
- Microsoft Defender for Cloud Apps
24
+
- Microsoft Defender Vulnerability Management
21
25
22
26
Other services whose alerts are collected by Microsoft Defender XDR include:
23
27
24
-
-**Microsoft Purview Data Loss Prevention** ([Learn more](/microsoft-365/security/defender/investigate-dlp))
25
-
-**Microsoft Entra ID Protection** ([Learn more](/defender-cloud-apps/aadip-integration))
28
+
- Microsoft Purview Data Loss Prevention ([Learn more](/microsoft-365/security/defender/investigate-dlp))
29
+
- Microsoft Entra ID Protection ([Learn more](/defender-cloud-apps/aadip-integration))
30
+
31
+
The Microsoft Defender XDR connector also brings incidents from Microsoft Defender for Cloud. Although to synchronize alerts and entities from these incidents, you must enable the Microsoft Defender for Cloud connector. Otherwise, your Microsoft Defender for Cloud incidents appear empty. For more information, see [Ingest Microsoft Defender for Cloud incidents with Microsoft Defender XDR integration](ingest-defender-for-cloud-incidents.md).
26
32
27
33
In addition to collecting alerts from these components and other services, Microsoft Defender XDR generates alerts of its own. It creates incidents from all of these alerts and sends them to Microsoft Sentinel.
28
34
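Review bot: the rewritten intro sentence ends "are also included in the integration of Defender XDR to Microsoft:" and is cut off; it should read "... in the integration of Defender XDR with Microsoft Sentinel:" before the product list. Further down in the same hunk, "Although to synchronize alerts and entities from these incidents, you must enable the Microsoft Defender for Cloud connector." became a fragment when it was split off from the preceding sentence; "However, to synchronize alerts and entities from these incidents, you must enable the Microsoft Defender for Cloud connector." reads correctly and keeps the caveat that was moved here from the connector article.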
@@ -40,9 +46,9 @@ In addition to collecting alerts from these components and other services, Micro
40
46
41
47
## Connecting to Microsoft Defender XDR <aname="microsoft-defender-xdr-incidents-and-microsoft-incident-creation-rules"></a>
42
48
43
-
(*"Microsoft Defender XDR incidents and Microsoft incident creation rules"* redirects here.)
49
+
Install the Microsoft Defender XDR solution for Microsoft Sentinel and enable the Microsoft Defender XDR data connector to collect incidents and alerts. For more information, see [Connect data from Microsoft Defender XDR to Microsoft Sentinel](connect-microsoft-365-defender.md).
44
50
45
-
Install the Microsoft Defender XDR solution for Microsoft Sentinel and enable the Microsoft Defender XDR data connector to [collect incidents and alerts](connect-microsoft-365-defender.md). Microsoft Defender XDR incidents appear in the Microsoft Sentinel incidents queue, with **Microsoft Defender XDR** (or one of the component services' names) in the **Alert product name** field, shortly after they are generated in Microsoft Defender XDR.
51
+
Microsoft Defender XDR incidents appear in the Microsoft Sentinel incidents queue, with **Microsoft Defender XDR** (or one of the component services' names) in the **Alert product name** field, shortly after they are generated in Microsoft Defender XDR.
46
52
47
53
- It can take up to 10 minutes from the time an incident is generated in Microsoft Defender XDR to the time it appears in Microsoft Sentinel.
48
54
@@ -73,7 +79,7 @@ In Microsoft Defender XDR, all alerts from one incident can be transferred to an
73
79
74
80
## Advanced hunting event collection
75
81
76
-
The Microsoft Defender XDR connector also lets you stream **advanced hunting** events - a type of raw event data - from Microsoft Defender XDR and its component services into Microsoft Sentinel. You can now *(as of April 2022)* collect [advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview) events from *all* Microsoft Defender XDR components, and stream them straight into purpose-built tables in your Microsoft Sentinel workspace. These tables are built on the same schema that is used in the Microsoft Defender Portal, giving you complete access to the full set of advanced hunting events, and allowing you to do the following:
82
+
The Microsoft Defender XDR connector also lets you stream **advanced hunting** events - a type of raw event data - from Microsoft Defender XDR and its component services into Microsoft Sentinel. Collect [advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview) events from all Microsoft Defender XDR components, and stream them straight into purpose-built tables in your Microsoft Sentinel workspace. These tables are built on the same schema that is used in the Microsoft Defender Portal, giving you complete access to the full set of advanced hunting events, and allowing you to do the following:
77
83
78
84
- Easily copy your existing Microsoft Defender for Endpoint/Office 365/Identity/Cloud Apps advanced hunting queries into Microsoft Sentinel.