MicrosoftDocs
diff --git a/‎articles/sentinel/add-entity-to-threat-intelligence.md
Lines changed: 48 additions & 46 deletions b/‎articles/sentinel/add-entity-to-threat-intelligence.md
Lines changed: 48 additions & 46 deletions
diff --git a/‎articles/sentinel/connect-threat-intelligence-taxii.md
Lines changed: 5 additions & 3 deletions b/‎articles/sentinel/connect-threat-intelligence-taxii.md
Lines changed: 5 additions & 3 deletions
diff --git a/‎articles/sentinel/indicators-bulk-file-import.md
Lines changed: 5 additions & 3 deletions b/‎articles/sentinel/indicators-bulk-file-import.md
Lines changed: 5 additions & 3 deletions
@@ -9,128 +9,130 @@ ms.date: 3/14/2024
 appliesto: 
     - Microsoft Sentinel in the Azure portal
 ms.collection: usx-security
-#Customer intent: As a security analyst, I want to quickly add relevant threat intelligence from my investigation for myself and others so I don't lose important information.
+#Customer intent: As a security analyst, I want to quickly add relevant threat intelligence from my investigation for myself and others so that I don't lose important information.
 ---
 
 # Add entities to threat intelligence in Microsoft Sentinel
 
-During an investigation, you examine entities and their context as an important part of understanding the scope and nature of an incident. When you discover an entity as a malicious domain name, URL, file, or IP address in the incident, it should be labeled and tracked as an indicator of compromise (IOC) in your threat intelligence.
+During an investigation, you examine entities and their context as an important part of understanding the scope and nature of an incident. When you discover an entity as a malicious domain name, URL, file, or IP address in the incident, it should be labeled and tracked as an indicator of compromise in your threat intelligence.
 
-For example, you discover an IP address performing port scans across your network, or functioning as a command and control node, sending and/or receiving transmissions from large numbers of nodes in your network.
+For example, you might discover an IP address that performs port scans across your network or functions as a command and control node by sending and receiving transmissions from large numbers of nodes in your network.
 
-Microsoft Sentinel allows you to flag these types of entities right from within your incident investigation, and add it to your threat intelligence. You are able to view the added indicators both in **Logs** and **Threat Intelligence**, and use them across your Microsoft Sentinel workspace.
+With Microsoft Sentinel, you can flag these types of entities from within your incident investigation and add them to your threat intelligence. You can view the added indicators in **Logs** and **Threat Intelligence** and use them across your Microsoft Sentinel workspace.
 
 ## Add an entity to your threat intelligence
 
-The new [incident details page](investigate-incidents.md) gives you another way to add entities to threat intelligence, in addition to the investigation graph. Both ways are shown below.
+The [new incident details page](investigate-incidents.md) and the investigation graph give you two ways to add entities to threat intelligence. Both ways are shown here.
 
 # [Incident details page](#tab/incidents)
 
-1. From the Microsoft Sentinel navigation menu, select **Incidents**.
+1. On the Microsoft Sentinel menu, select **Incidents**.
 
-1. Select an incident to investigate. In the incident details panel, select **View full details** to open the incident details page.
+1. Select an incident to investigate. On the incident details pane, select **View full details** to open the incident details page.
 
-    :::image type="content" source="media/add-entity-to-threat-intelligence/incident-details-overview.png" alt-text="Screenshot of incident details page." lightbox="media/add-entity-to-threat-intelligence/incident-details-overview.png":::
+    :::image type="content" source="media/add-entity-to-threat-intelligence/incident-details-overview.png" alt-text="Screenshot that shows the incident details page." lightbox="media/add-entity-to-threat-intelligence/incident-details-overview.png":::
 
-1. Find the entity from the **Entities** widget that you want to add as a threat indicator. (You can filter the list or enter a search string to help you locate it.)
+1. On the **Entities** pane, find the entity that you want to add as a threat indicator. (You can filter the list or enter a search string to help you locate it.)
 
 1. Select the three dots to the right of the entity, and select **Add to TI** from the pop-up menu.
 
-    Only the following types of entities can be added as threat indicators:
+    Only add the following types of entities as threat indicators:
+
     - Domain name
     - IP address (IPv4 and IPv6)
     - URL
     - File (hash)
 
-    :::image type="content" source="media/add-entity-to-threat-intelligence/entity-actions-from-overview.png" alt-text="Screenshot of adding an entity to threat intelligence.":::
+    :::image type="content" source="media/add-entity-to-threat-intelligence/entity-actions-from-overview.png" alt-text="Screenshot that shows adding an entity to threat intelligence.":::
 
 # [Investigation graph](#tab/cases)
 
-The [investigation graph](investigate-cases.md) is a visual, intuitive tool that presents connections and patterns and enables your analysts to ask the right questions and follow leads. You can use it to add entities to your threat intelligence indicator lists, making them available across your workspace.
+The [investigation graph](investigate-cases.md) is a visual, intuitive tool that presents connections and patterns and enables your analysts to ask the right questions and follow leads. Use it to add entities to your threat intelligence indicator lists by making them available across your workspace.
+
+1. On the Microsoft Sentinel menu, select **Incidents**.
 
-1. From the Microsoft Sentinel navigation menu, select **Incidents**.
+1. Select an incident to investigate. On the incident details pane, select **Actions**, and choose **Investigate** from the pop-up menu to open the investigation graph.
 
-1. Select an incident to investigate. In the incident details panel, select the **Actions** button and choose **Investigate** from the pop-up menu. This will open the investigation graph.
+    :::image type="content" source="media/add-entity-to-threat-intelligence/select-incident-to-investigate.png" alt-text="Screenshot that shows selecting an incident from the list to investigate.":::
 
-    :::image type="content" source="media/add-entity-to-threat-intelligence/select-incident-to-investigate.png" alt-text="Screenshot of selecting incident from queue to investigate.":::
+1. Select the entity from the graph that you want to add as a threat indicator. On the side pane that opens, select **Add to TI**.
 
-1. Select the entity from the graph that you want to add as a threat indicator. A side panel will open on the right. Select **Add to TI**.
+    Only add the following types of entities as threat indicators:
 
-    Only the following types of entities can be added as threat indicators:
     - Domain name
     - IP address (IPv4 and IPv6)
     - URL
     - File (hash)
 
-    :::image type="content" source="media/add-entity-to-threat-intelligence/add-entity-to-ti.png" alt-text="Screenshot of adding entity to threat intelligence.":::
+    :::image type="content" source="media/add-entity-to-threat-intelligence/add-entity-to-ti.png" alt-text="Screenshot that shows adding an entity to threat intelligence.":::
 
 ---
 
-Whichever of the two interfaces you choose, you will end up here:
+Whichever of the two interfaces you choose, you end up here.
 
-1. The **New indicator** side panel will open. The following fields will be populated automatically:
+1. The **New indicator** side pane opens. The following fields are populated automatically:
 
-    - **Type**
-        - The type of indicator represented by the entity you're adding.  
-            Drop-down with possible values: *ipv4-addr*, *ipv6-addr*, *URL*, *file*, *domain-name*
-        - Required; automatically populated based on the **entity type**.
+    - **Types**
+        - The type of indicator represented by the entity you're adding.
+            - Dropdown list with possible values: `ipv4-addr`, `ipv6-addr`, `URL`, `file`, and `domain-name`.
+        - Required. Automatically populated based on the **entity type**.
 
     - **Value**
         - The name of this field changes dynamically to the selected indicator type.
         - The value of the indicator itself.
-        - Required; automatically populated by the **entity value**.
+        - Required. Automatically populated by the **entity value**.
 
-    - **Tags** 
+    - **Tags**
         - Free-text tags you can add to the indicator.
-        - Optional; automatically populated by the **incident ID**. You can add others.
+        - Optional. Automatically populated by the **incident ID**. You can add others.
 
     - **Name**
-        - Name of the indicator&mdash;this is what will be displayed in your list of indicators.
-        - Optional; automatically populated by the **incident name.**
+        - Name of the indicator. This name is what appears in your list of indicators.
+        - Optional. Automatically populated by the **incident name.**
 
     - **Created by**
         - Creator of the indicator.
-        - Optional; automatically populated by the user logged into Microsoft Sentinel.
+        - Optional. Automatically populated by the user signed in to Microsoft Sentinel.
 
     Fill in the remaining fields accordingly.
 
-    - **Threat type**
+    - **Threat types**
         - The threat type represented by the indicator.
-        - Optional; free text.
+        - Optional. Free text.
 
     - **Description**
         - Description of the indicator.
-        - Optional; free text.
+        - Optional. Free text.
 
     - **Revoked**
-        - Revoked status of the indicator. Mark checkbox to revoke the indicator, clear checkbox to make it active.
-        - Optional; boolean.
+        - Revoked status of the indicator. Select the checkbox to revoke the indicator. Clear the checkbox to make it active.
+        - Optional. Boolean.
 
     - **Confidence**
-        - Score reflecting confidence in the correctness of the data, by percent.
-        - Optional; integer, 1-100
+        - Score that reflects confidence in the correctness of the data, by percent.
+        - Optional. Integer, 1-100.
 
-    - **Kill chain**
-        - Phases in the [*Lockheed Martin Cyber Kill Chain*](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html#OVERVIEW) to which the indicator corresponds.
-        - Optional; free text 
+    - **Kill chains**
+        - Phases in the [Lockheed Martin Cyber Kill Chain](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html#OVERVIEW) to which the indicator corresponds.
+        - Optional. Free text.
 
     - **Valid from**
         - The time from which this indicator is considered valid.
-        - Required; date/time 
+        - Required. Date/time.
 
     - **Valid until**
         - The time at which this indicator should no longer be considered valid.
-        - Optional; date/time 
+        - Optional. Date/time.
 
-    :::image type="content" source="media/add-entity-to-threat-intelligence/new-indicator-panel.png" alt-text="Screenshot of entering information in new threat indicator panel.":::
+    :::image type="content" source="media/add-entity-to-threat-intelligence/new-indicator-panel.png" alt-text="Screenshot that shows entering information in the new threat indicator pane.":::
 
-1. When all the fields are filled in to your satisfaction, select **Apply**. You'll see a confirmation message in the upper-right-hand corner that your indicator was created.
+1. When all the fields are filled in to your satisfaction, select **Apply**. A confirmation message appears in the upper-right corner stating that your indicator was created.
 
-1. The entity will be added as a threat indicator in your workspace. You can find it [in the list of indicators in the **Threat intelligence** page](work-with-threat-indicators.md#find-and-view-your-indicators-in-the-threat-intelligence-page), and also [in the *ThreatIntelligenceIndicators* table in **Logs**](work-with-threat-indicators.md#find-and-view-your-indicators-in-logs). 
+1. The entity is added as a threat indicator in your workspace. You can find it [in the list of indicators on the Threat Intelligence page](work-with-threat-indicators.md#find-and-view-your-indicators-in-the-threat-intelligence-page). You can also find it [in the ThreatIntelligenceIndicators table in Logs](work-with-threat-indicators.md#find-and-view-your-indicators-in-logs).
 
 ## Related content
 
-In this article, you learned how to add entities to your threat indicator lists. For more information, see:
+In this article, you learned how to add entities to your threat indicator lists. For more information, see the following articles:
 
 - [Investigate incidents with Microsoft Sentinel](investigate-incidents.md)
 - [Understand threat intelligence in Microsoft Sentinel](understand-threat-intelligence.md)
 
@@ -31,7 +31,7 @@ For more information, see [Connect your threat intelligence platform (TIP) to Mi
 
 ## Prerequisites
 
-- To install, update and delete standalone content or solutions in the **Content hub**, you need the Microsoft Sentinel Contributor role at the resource group level.
+- To install, update, and delete standalone content or solutions in the **Content hub**, you need the Microsoft Sentinel Contributor role at the resource group level.
 - You must have read and write permissions to the Microsoft Sentinel workspace to store your threat indicators.
 - You must have a TAXII 2.0 or TAXII 2.1 API root URI and collection ID.
 
@@ -46,7 +46,9 @@ TAXII 2.x servers advertise API roots, which are URLs that host collections of t
 
 To import threat indicators into Microsoft Sentinel from a TAXII server, follow these steps:
 
-1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Content management**, select **Content hub**. <br>For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Content management** > **Content hub**.
+1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Content management**, select **Content hub**.
+
+   For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Content management** > **Content hub**.
 
 1. Find and select the **Threat Intelligence** solution.
 
@@ -58,7 +60,7 @@ For more information about how to manage the solution components, see [Discover
 
 1. To configure the TAXII data connector, select the **Data connectors** menu.
 
-1. Find and select the **Threat intelligence - TAXII** data connector and then select **Open connector page**.
+1. Find and select the **Threat intelligence - TAXII** data connector, and then select **Open connector page**.
 
     :::image type="content" source="media/connect-threat-intelligence-taxii/taxii-data-connector-config.png" alt-text="Screenshot that shows the Data connectors page with the TAXII data connector listed." lightbox="media/connect-threat-intelligence-taxii/taxii-data-connector-config.png":::
 
 
@@ -31,7 +31,9 @@ In this how-to guide, you add indicators from a CSV or JSON file into Microsoft
 
 Add multiple indicators to your threat intelligence with a specially crafted CSV or JSON file. Download the file templates to get familiar with the fields and how they map to the data you have. Review the required fields for each template type to validate your data before you import it.
 
-1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Threat management**, select **Threat intelligence**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Threat management** > **Threat intelligence**.
+1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Threat management**, select **Threat intelligence**.
+
+   For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Threat management** > **Threat intelligence**.
 
 1. Select **Import** > **Import using a file**.
 
@@ -68,7 +70,7 @@ The templates provide all the fields you need to create a single valid indicator
 
     :::image type="content" source="media/indicators-bulk-file-import/upload-file-pane.png" alt-text="Screenshot that shows the dropdown menu to upload a CSV or JSON file, choose a template, and specify a source highlighting the Import button.":::
 
-1. Select the **Import** button.
+1. Select **Import**.
 
 ## Manage file imports
 
@@ -94,7 +96,7 @@ Review each template to ensure that your indicators are imported successfully. B
 
 ### CSV template structure
 
-1. Choose between the **File indicators** or **All other indicator types** option from the **Indicator type** dropdown menu when you select **CSV**. 
+1. On the **Indicator type** dropdown menu, select **CSV**. Then choose between the **File indicators** or **All other indicator types** options. 
 
     The CSV template needs multiple columns to accommodate the file indicator type because file indicators can have multiple hash types like MD5 and SHA256. All other indicator types like IP addresses only require the observable type and the observable value.