Merge pull request #232465 from austinmccollum/austinmc-concept-ti

Austinmc concept ti

Author: Court72

articles/sentinel/media/understand-threat-intelligence/detect-threats-matching-analytics.png

@@ -3,17 +3,19 @@ title: Threat intelligence integration in Microsoft Sentinel
 description: Learn about the different ways threat intelligence feeds are integrated with and used by Microsoft Sentinel.
 author: austinmccollum
 ms.topic: conceptual
-ms.date: 9/26/2022
+ms.date: 3/28/2022
 ms.author: austinmc
 ---
 
 # Threat intelligence integration in Microsoft Sentinel
 
 Microsoft Sentinel gives you a few different ways to [use threat intelligence feeds](work-with-threat-indicators.md) to enhance your security analysts' ability to detect and prioritize known threats. 
 
-You can use one of many available integrated [threat intelligence platform (TIP) products](connect-threat-intelligence-tip.md), you can [connect to TAXII servers](connect-threat-intelligence-taxii.md) to take advantage of any STIX-compatible threat intelligence source, and you can also make use of any custom solutions that can communicate directly with the [Microsoft Graph Security tiIndicators API](/graph/api/resources/tiindicator). 
-
-You can also connect to threat intelligence sources from playbooks, in order to enrich incidents with TI information that can help direct investigation and response actions.
+- Use one of many available integrated [threat intelligence platform (TIP) products](connect-threat-intelligence-tip.md).
+- [Connect to TAXII servers](connect-threat-intelligence-taxii.md) to take advantage of any STIX-compatible threat intelligence source.
+- Connect directly to the [Microsoft Defender Threat Intelligence](connect-mdti-data-connector.md) feed.
+- Make use of any custom solutions that can communicate directly with the [Microsoft Graph Security tiIndicators API](/graph/api/resources/tiindicator). 
+- You can also connect to threat intelligence sources from playbooks, in order to enrich incidents with TI information that can help direct investigation and response actions.
 
 > [!TIP]
 > If you have multiple workspaces in the same tenant, such as for [Managed Security Service Providers (MSSPs)](mssp-protect-intellectual-property.md), it may be more cost effective to connect threat indicators only to the centralized workspace.
@@ -103,7 +105,7 @@ To connect to Threat Intelligence Platform (TIP) feeds, follow the instructions
 
 ### GroupIB Threat Intelligence and Attribution
 
-- To connect [GroupIB Threat Intelligence and Attribution](https://www.group-ib.com/intelligence-attribution.html) to Microsoft Sentinel, GroupIB makes use of Azure Logic Apps. See the [specialized instructions](https://techcommunity.microsoft.com/t5/azure-sentinel/group-ib-threat-intelligence-and-attribution-connector-azure/ba-p/2252904) necessary to take full advantage of the complete offering.
+- To connect [GroupIB Threat Intelligence and Attribution](https://www.group-ib.com/products/threat-intelligence/) to Microsoft Sentinel, GroupIB makes use of Azure Logic Apps. See the [specialized instructions](https://techcommunity.microsoft.com/t5/azure-sentinel/group-ib-threat-intelligence-and-attribution-connector-azure/ba-p/2252904) necessary to take full advantage of the complete offering.
 
 ### MISP Open Source Threat Intelligence Platform
 
@@ -132,9 +134,13 @@ Besides being used to import threat indicators, threat intelligence feeds can al
 
 ### HYAS Insight
 
-- Find and enable incident enrichment playbooks for [HYAS Insight](https://www.hyas.com/hyas-insight) in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks). Search for subfolders beginning with "Enrich-Sentinel-Incident-HYAS-Insight-".
+- Find and enable incident enrichment playbooks for [HYAS Insight](https://www.hyas.com/hyas-insight) in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/HYAS/Playbooks). Search for subfolders beginning with "Enrich-Sentinel-Incident-HYAS-Insight-".
 - See the HYAS Insight Logic App [connector documentation](/connectors/hyasinsight/).
 
+### Microsoft Defender Threat Intelligence
+
+- Find and enable incident enrichment playbooks for [Microsoft Defender Threat Intelligence]() in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks).
+
 ### Recorded Future Security Intelligence Platform
 
 - Find and enable incident enrichment playbooks for [Recorded Future](https://www.recordedfuture.com/integrations/microsoft-azure/) in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks). Search for subfolders beginning with "RecordedFuture_".
@@ -153,7 +159,7 @@ Besides being used to import threat indicators, threat intelligence feeds can al
 
 ### Virus Total
 
-- Find and enable incident enrichment playbooks for [Virus Total](https://developers.virustotal.com/v3.0/reference) in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks). Search for subfolders beginning with "Get-VirusTotal" and "Get-VTURL".
+- Find and enable incident enrichment playbooks for [Virus Total](https://developers.virustotal.com/v3.0/reference) in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VirusTotal/Playbooks). Search for subfolders beginning with "Get-VTURL".
 - See the Virus Total Logic App [connector documentation](/connectors/virustotal/).
 
 ## Next steps

articles/sentinel/threat-intelligence-integration.md

@@ -3,7 +3,7 @@ title: Understand threat intelligence in Microsoft Sentinel
 description: Understand how threat intelligence feeds are connected to, managed, and used in Microsoft Sentinel to analyze data, detect threats, and enrich alerts.
 author: austinmccollum
 ms.topic: conceptual
-ms.date: 9/26/2022
+ms.date: 3/28/2022
 ms.author: austinmc
 ---
 
@@ -35,9 +35,21 @@ Threat Intelligence also provides useful context within other Microsoft Sentinel
 
 ## Import threat intelligence with data connectors
 
-Just like all the other event data in Microsoft Sentinel, threat indicators are imported using data connectors. There are two data connectors in Microsoft Sentinel provided specifically for threat indicators, **Threat Intelligence - TAXII** for industry-standard STIX/TAXII feeds and **Threat Intelligence Platforms** for integrated and curated TI feeds. You can use either data connector alone, or both connectors together, depending on where your organization sources threat indicators.
+Just like all the other event data in Microsoft Sentinel, threat indicators are imported using data connectors. There are three data connectors in Microsoft Sentinel provided specifically for threat indicators.
 
-See this catalog of [threat intelligence integrations](threat-intelligence-integration.md) available with Microsoft Sentinel.
+- **Microsoft Defender Threat Intelligence data connector** to ingest Microsoft's threat indicators 
+- **Threat Intelligence - TAXII** for industry-standard STIX/TAXII feeds and 
+- **Threat Intelligence Platforms** for integrated and curated TI feeds. 
+ 
+You can use any of these data connectors in any combination together, depending on where your organization sources threat indicators. All three of these are available in **Content hub** as part of the **Threat Intelligence** solution. For more information about this solution, see the Azure Marketplace entry [Threat Intelligence](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-threatintelligence-taxii?tab=Overview).
+
+Also, see this catalog of [threat intelligence integrations](threat-intelligence-integration.md) available with Microsoft Sentinel.
+
+### Add threat indicators to Microsoft Sentinel with the Microsoft Defender Threat Intelligence data connector
+
+Bring high fidelity indicators of compromise (IOC) generated by Microsoft Defender Threat Intelligence (MDTI) into your Microsoft Sentinel workspace. The MDTI data connector ingests these IOCs with a simple one-click setup. Then monitor, alert and hunt based on the threat intelligence in the same way you utilize other feeds.
+
+For more information on MDTI data connector, see [Enable MDTI data connector](connect-mdti-data-connector.md).
 
 ### Add threat indicators to Microsoft Sentinel with the Threat Intelligence Platforms data connector
 
@@ -107,7 +119,7 @@ By default, when these built-in rules are triggered, an alert will be created. I
 
 For more details on using threat indicators in your analytics rules, see [Use threat intelligence to detect threats](use-threat-indicators-in-analytics-rules.md).
 
-Microsoft provides access to its threat intelligence through the **Microsoft Threat Intelligence Analytics** rule. For more information on how to take advantage of this rule which generates high fidelity alerts and incidents, see [Use matching analytics to detect threats](use-matching-analytics-to-detect-threats.md)
+Microsoft provides access to its threat intelligence through the **Microsoft Defender Threat Intelligence Analytics** rule. For more information on how to take advantage of this rule which generates high fidelity alerts and incidents, see [Use matching analytics to detect threats](use-matching-analytics-to-detect-threats.md)
 
 :::image type="content" source="media/understand-threat-intelligence/detect-threats-matching-analytics.png" alt-text="Screenshot that shows a high fidelity incident generated by matching analytics with additional context information from Microsoft Defender Threat Intelligence.":::