Commit e1ab7ab
Merge pull request #88542 from cabailey/cabailey-azuredocs-tip
Updates for threat intelligence
2 parents ac4f80f + 6ff4648 commit e1ab7ab

1 file changed

+48
-17
lines changed

articles/sentinel/connect-threat-intelligence.md

Lines changed: 48 additions & 17 deletions
@@ -11,42 +11,73 @@ ms.devlang: na
1111
ms.topic: conceptual
1212
ms.tgt_pltfrm: na
1313
ms.workload: na
14-
ms.date: 09/10/2019
14+
ms.date: 09/17/2019
1515
ms.author: rkarlin
1616

1717
---
1818
# Connect data from threat intelligence providers - Preview
1919

20+
> [!IMPORTANT]
21+
> Threat intelligence in Azure Sentinel is currently in public preview.
22+
> This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
23+
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
2024
25+
Azure Sentinel lets you import the threat indicators that your organization is using, which can enhance your security analysts' ability to detect and prioritize known threats. Several features from Azure Sentinel then become available or are enhanced:
2126

22-
After you stream your data into Azure Sentinel, you can enrich it with the threat intelligence feed that you use across your organization.
27+
- **Analytics** includes a set of scheduled rule templates that you can enable to generate alerts and incidents that are based on matches of log events from your threat indicators.
2328

24-
To enable you to cross check your alerts and rules with true threat intelligence, for example if you get an alert from a specific IP address, your threat intelligence provider integration will be able to let you know if that IP address was recently found to be malicious, Azure Sentinel enables integration with [threat intelligence providers](https://aka.ms/graphsecuritytips).
29+
- **Workbooks** provide summarized information about the threat indicators that are imported into Azure Sentinel and any alerts generated from analytics rules that match your threat indicators.
30+
31+
- **Hunting** queries allow security investigators to use threat indicators within the context of common hunting scenarios.
32+
33+
- **Notebooks** can use threat indicators when you investigate anomalies and hunt for malicious behaviors.
34+
35+
You can stream threat indicators to Azure Sentinel by using one of the integrated threat intelligence platform (TIP) products that are listed in the next section, or by using direct integration with the [Microsoft Graph Security tiIndicators API](https://aka.ms/graphsecuritytiindicators).
36+
37+
## Integrated threat intelligence platform products
38+
39+
- [MISP Open Source Threat Intelligence Platform](https://www.misp-project.org/)
40+
41+
For a sample script that provides clients with MISP instances to migrate threat indicators to the Microsoft Graph Security API, see the [MISP to Microsoft Graph Security Script](https://github.com/microsoftgraph/security-api-solutions/tree/master/Samples/MISP).
42+
43+
- [Palo Alto Networks MineMeld](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld)
44+
45+
For guided instructions, see [Sending IOCs to the Microsoft Graph Security API using MineMeld](https://live.paloaltonetworks.com/t5/MineMeld-Articles/Sending-IOCs-to-the-Microsoft-Graph-Security-API-using-MineMeld/ta-p/258540).
46+
47+
- [ThreatConnect Platform](https://threatconnect.com/solution/)
2548

26-
You can stream logs from Threat intelligence providers into Azure Sentinel with a single click. This connection enables you to incorporate indicators containing various types of observables such as IP address, domain, URL and file hash to search and create custom alerts rules in Azure Sentinel.
27-
> [!NOTE]
28-
> You can input customized threat indicators into Azure Sentinel for use in alert rules, dashboards, and hunting scenarios by integrating with the [Microsoft Graph Security tiIndicator](https://aka.ms/graphsecuritytiindicators) entity or by using a [Microsoft Graph Security integrated Threat Intelligence Platform](https://aka.ms/graphsecuritytips).
2949

3050
## Prerequisites
3151

32-
- User with global administrator or security administrator permissions
52+
- Azure AD role of either Global administrator or Security administrator to grant permissions to your TIP product or custom application that uses direct integration with the Microsoft Graph Security tiIndicators API.
53+
54+
- Read and write permissions to the Azure Sentinel workspace to store your threat indicators.
55+
56+
## Connect Azure Sentinel to your threat intelligence provider
57+
58+
1. [Register an application](/graph/auth-v2-service#1-register-your-app) in Azure Active Directory to get an application ID, application secret, and Azure Active Directory tenant ID. You need these values for when you configure your integrated TIP product or app that uses direct integration with Microsoft Graph Security tiIndicators API.
3359

34-
- Threat intelligence application integrated with Microsoft Intelligent Security Graph
60+
2. [Configure API permissions](/graph/auth-v2-service#2-configure-permissions-for-microsoft-graph) for the registered application: Add the Microsoft Graph Application permission **ThreatIndicators.ReadWrite.OwnedBy** to your registered application.
3561

36-
## Connect to threat intelligence
62+
3. Ask your Azure Active Directory tenant administrator to grant admin consent to the registered application for your organization. From the Azure portal: **Azure Active Directory** > **App registrations** > **\<*app name*>** > **View API Permissions** > **Grant admin consent for \<*tenant name*>**.
3763

38-
1. If you’re already using a threat intelligence provider, be sure to browse to your TIP application and grant permission to send indicators to Microsoft and specify the service as Azure Sentinel.
64+
4. Configure your TIP product or app that uses direct integration with Microsoft Graph Security tiIndicators API to send indicators to Azure Sentinel by specifying the following:
65+
66+
a. The values for the registered application's ID, secret, and tenant ID.
67+
68+
b. For the target product, specify Azure Sentinel.
69+
70+
c. For the action, specify alert.
3971

40-
2. In Azure Sentinel, select **Data connectors** and then click the **Threat Intelligence** tile.
72+
5. In the Azure portal, navigate to **Azure Sentinel** > **Data connectors** and then select the **Threat Intelligence Platforms (Preview)** connector.
4173

42-
3. Click **Connect**.
74+
6. Select **Open connector page**, and then **Connect**.
4375

44-
4. To use the relevant schema in Log Analytics for threat intelligence feeds, search for **ThreatIntelligenceIndicator**.
76+
7. To view the threat indicators that are imported into Azure Sentinel, navigate to **Azure Sentinel - Logs** > **SecurityInsights**, and then expand **ThreatIntelligenceIndicator**.
4577

46-
4778
## Next steps
4879

49-
In this document, you learned how to connect your Threat Intelligence provider to Azure Sentinel. To learn more about Azure Sentinel, see the following articles.
80+
In this document, you learned how to connect your threat intelligence provider to Azure Sentinel. To learn more about Azure Sentinel, see the following articles.
5081

51-
- To get started with Azure Sentinel, you need a subscription to Microsoft Azure. If you do not have a subscription, you can sign up for a [free trial](https://azure.microsoft.com/free/).
52-
- Learn how to [onboard your data to Azure Sentinel](quickstart-onboard.md), and [get visibility into your data, and potential threats](quickstart-get-visibility.md).
82+
- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
83+
- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats.md).
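Review bot: the Markdown list structure in the new "Integrated threat intelligence platform products" section (lines 39-47) will not render as one list: the explanatory paragraphs "For a sample script ..." (line 41) and "For guided instructions ..." (line 45) sit unindented between the bullets, so each product ends up as its own single-item list. Indent those continuation paragraphs under their bullet, and do the same for the sub-steps `a.`, `b.` and `c.` under step 4 (lines 66-70) so that step 5 continues the numbering instead of starting a new list. Line 41 also needs rewording: "a sample script that provides clients with MISP instances to migrate threat indicators" should read "a sample script that helps clients with MISP instances migrate threat indicators". One content gap: step 1 tells the reader to obtain an application secret and step 4a to enter it into the TIP product, but nothing says how to handle that credential; since admin consent to **ThreatIndicators.ReadWrite.OwnedBy** (step 2-3) lets anyone holding the secret push indicators that the analytics rules on line 27 turn into alerts, a sentence recommending that the secret be kept in a secret store and rotated, rather than left in plain-text TIP configuration, would be a worthwhile addition.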
