Merge pull request #231744 from austinmccollum/austinmc-mdti-mssecure28

update for MDTI name change

Author: JamesJBarnett

articles/sentinel/connect-mdti-data-connector.md

@@ -0,0 +1,62 @@
+---
+title: Enable data connector for Microsoft's threat intelligence
+titleSuffix: Microsoft Defender Threat Intelligence 
+description: Learn how to ingest Microsoft's threat intelligence into your Sentinel workspace.
+author: austinmccollum
+ms.topic: how-to
+ms.date: 03/27/2023
+ms.author: austinmc
+---
+
+# Enable data connector for Microsoft Defender Threat Intelligence
+Bring high fidelity indicators of compromise (IOC) generated by Microsoft Defender Threat Intelligence (MDTI) into your Microsoft Sentinel workspace. The MDTI data connector ingests these IOCs with a simple one-click setup. Then monitor, alert and hunt based on the threat intelligence in the same way you utilize other feeds.
+
+> [!IMPORTANT]
+> The Microsoft Defender Threat Intelligence data connector is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+>
+
+## Prerequisites
+- In order to install, update and delete standalone content or solutions in content hub, you need the **Template Spec Contributor** role at the resource group level. See [Azure RBAC built in roles](../role-based-access-control/built-in-roles.md#template-spec-contributor) for details on this role.
+- To configure this data connector, you must have read and write permissions to the Microsoft Sentinel workspace.
+
+## Install the Threat Intelligence solution in Microsoft Sentinel
+
+To import threat indicators into Microsoft Sentinel from MDTI, follow these steps:
+
+1. From the [Azure portal](https://portal.azure.com/), navigate to the **Microsoft Sentinel** service.
+
+1. Choose the **workspace** to which you want to import the MDTI indicators from.
+
+1. Select **Content hub** from the menu.
+
+1. Find and select the **Threat Intelligence** solution.
+
+1. Select the :::image type="icon" source="media/connect-mdti-data-connector/install-update-button.png"::: **Install/Update** button.
+
+For more information about how to manage the solution components, see [Discover and deploy out-of-the-box content](sentinel-solutions-deploy.md).
+
+## Enable the Microsoft Defender Threat Intelligence data connector
+
+1. To configure the MDTI data connector, select the **Data connectors** menu.
+
+1. Find and select the Microsoft Defender Threat Intelligence data connector > **Open connector page** button.
+
+    :::image type="content" source="media/connect-mdti-data-connector/mdti-data-connector-config.png" alt-text="Screenshot displaying the data connectors page with the MDTI data connector listed." lightbox="media/connect-mdti-data-connector/mdti-data-connector-config.png"::: 
+
+1. Enable the feed by selecting the **Connect** button
+
+    :::image type="content" source="media/connect-mdti-data-connector/mdti-data-connector-connect.png" alt-text="Screenshot displaying the MDTI data connector page and the connect button." lightbox="media/connect-mdti-data-connector/mdti-data-connector-connect.png"::: 
+
+1. When MDTI indicators start populating the Microsoft Sentinel workspace, the connector status displays **Connected**.
+
+At this point, the ingested indicators are now available for use in the *TI map...* analytics rules. For more information, see [Use threat indicators in analytics rules](use-threat-indicators-in-analytics-rules.md). 
+
+You can find the new indicators in the **Threat intelligence** blade or directly in **Logs** by querying the **ThreatIntelligenceIndicator** table. For more information, see [Work with threat indicators](work-with-threat-indicators.md).
+
+## Next steps
+
+In this document, you learned how to connect Microsoft Sentinel to Microsoft's threat intelligence feed with the MDTI data connector. To learn more about Microsoft Defender for Threat Intelligence see the following articles.
+
+- Learn about [What is Microsoft Defender Threat Intelligence?](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti).
+- Get started with the MDTI community portal [MDTI portal](https://ti.defender.microsoft.com).
+- Use MDTI in analytics [Use matching analytics to detect threats](use-matching-analytics-to-detect-threats.md).

articles/sentinel/connect-threat-intelligence-taxii.md

@@ -1,11 +1,10 @@
 ---
 title: Connect Microsoft Sentinel to STIX/TAXII threat intelligence feeds | Microsoft Docs
 description: Learn about how to connect Microsoft Sentinel to industry-standard threat intelligence feeds to import threat indicators.
-author: yelevin
+author: austinmccollum
 ms.topic: how-to
-ms.date: 11/09/2021
-ms.author: yelevin
-ms.custom: ignite-fall-2021
+ms.date: 03/27/2023
+ms.author: austinmc
 ---
 
 # Connect Microsoft Sentinel to STIX/TAXII threat intelligence feeds
@@ -23,7 +22,7 @@ To import STIX formatted threat indicators to Microsoft Sentinel from a TAXII se
 Learn more about [Threat Intelligence](understand-threat-intelligence.md) in Microsoft Sentinel, and specifically about the [TAXII threat intelligence feeds](threat-intelligence-integration.md#taxii-threat-intelligence-feeds) that can be integrated with Microsoft Sentinel.
 
 ## Prerequisites  
-
+- In order to install, update and delete standalone content or solutions in content hub, you need the **Template Spec Contributor** role at the resource group level. See [Azure RBAC built in roles](../role-based-access-control/built-in-roles.md#template-spec-contributor) for details on this role.
 - You must have read and write permissions to the Microsoft Sentinel workspace to store your threat indicators.
 - You must have a TAXII 2.0 or TAXII 2.1 **API Root URI** and **Collection ID**.
 
@@ -34,15 +33,29 @@ TAXII 2.x servers advertise API Roots, which are URLs that host Collections of t
 > [!NOTE]
 > In some cases, the provider will only advertise a URL called a Discovery Endpoint. You can use the [cURL](https://en.wikipedia.org/wiki/CURL) utility to browse the discovery endpoint and request the API Root.
 
-## Enable the Threat Intelligence - TAXII data connector in Microsoft Sentinel
+## Install the Threat Intelligence solution in Microsoft Sentinel
 
 To import threat indicators into Microsoft Sentinel from a TAXII server, follow these steps:
 
 1. From the [Azure portal](https://portal.azure.com/), navigate to the **Microsoft Sentinel** service.
 
 1. Choose the **workspace** to which you want to import threat indicators from the TAXII server.
 
-1. Select **Data connectors** from the menu, select **Threat Intelligence - TAXII** from the connectors gallery, and select the **Open connector page** button.
+1. Select **Content hub** from the menu.
+
+1. Find and select the **Threat Intelligence** solution.
+
+1. Select the :::image type="icon" source="media/connect-threat-intelligence-taxii/install-update-button.png"::: **Install/Update** button.
+
+    For more information about how to manage the solution components, see [Discover and deploy out-of-the-box content](sentinel-solutions-deploy.md).
+
+## Enable the Threat intelligence - TAXII data connector
+
+1. To configure the TAXII data connector, select the **Data connectors** menu. 
+
+1. Find and select the **Threat Intelligence - TAXII** data connector > **Open connector page** button.
+
+    :::image type="content" source="media/connect-threat-intelligence-taxii/taxii-data-connector-config.png" alt-text="Screenshot displaying the data connectors page with the TAXII data connector listed." lightbox="media/connect-threat-intelligence-taxii/taxii-data-connector-config.png":::
 
 1. Enter a **friendly name** for this TAXII server Collection, the **API Root URL**, the **Collection ID**, a **Username** (if required), and a **Password** (if required), and choose the group of indicators and the polling frequency you want. Select the **Add** button.
 
@@ -53,7 +66,6 @@ You should receive confirmation that a connection to the TAXII server was establ
 Within a few minutes, threat indicators should begin flowing into this Microsoft Sentinel workspace. You can find the new indicators in the **Threat intelligence** blade, accessible from the Microsoft Sentinel navigation menu.
 
 
-
 ## IP allow listing for the Microsoft Sentinel TAXII client
 
 Some TAXII servers, like FS-ISAC, have a requirement to keep the IP addresses of the Microsoft Sentinel TAXII client on the allowlist. Most TAXII servers don't have this requirement.

articles/sentinel/connect-threat-intelligence-tip.md

@@ -24,8 +24,8 @@ Learn more about [Threat Intelligence](understand-threat-intelligence.md) in Mic
 
 ## Prerequisites  
 
+- In order to install, update and delete standalone content or solutions in content hub, you need the **Template Spec Contributor** role at the resource group level. See [Azure RBAC built in roles](../role-based-access-control/built-in-roles.md#template-spec-contributor) for details on this role.
 - You must have either the **Global administrator** or **Security administrator** Azure AD roles in order to grant permissions to your TIP product or to any other custom application that uses direct integration with the Microsoft Graph Security tiIndicators API.
-
 - You must have read and write permissions to the Microsoft Sentinel workspace to store your threat indicators.
 
 ## Instructions
@@ -118,11 +118,23 @@ Once this configuration is complete, threat indicators will be sent from your TI
 
 The last step in the integration process is to enable the **Threat Intelligence Platforms data connector** in Microsoft Sentinel. Enabling the connector is what allows Microsoft Sentinel to receive the threat indicators sent from your TIP or custom solution. These indicators will be available to all Microsoft Sentinel workspaces for your organization. Follow these steps to enable the Threat Intelligence Platforms data connector for each workspace:
 
-1. From the Azure portal, navigate to the **Microsoft Sentinel** service.
+1. From the [Azure portal](https://portal.azure.com/), navigate to the **Microsoft Sentinel** service.
 
 1. Choose the **workspace** to which you want to import the threat indicators sent from your TIP or custom solution.
 
-1. Select **Data connectors** from the menu, select **Threat Intelligence Platforms** from the connectors gallery, and select the **Open connector page** button.
+1. Select **Content hub** from the menu.
+
+1. Find and select the **Threat Intelligence** solution.
+
+1. Select the :::image type="icon" source="media/connect-threat-intelligence-tip/install-update-button.png"::: **Install/Update** button.
+
+    For more information about how to manage the solution components, see [Discover and deploy out-of-the-box content](sentinel-solutions-deploy.md).
+
+1. To configure the TIP data connector, select the **Data connectors** menu. 
+
+1. Find and select the **Threat Intelligence Platforms** data connector > **Open connector page** button.
+
+    :::image type="content" source="media/connect-threat-intelligence-tip/tip-data-connector-config.png" alt-text="Screenshot displaying the data connectors page with the TIP data connector listed." lightbox="media/connect-threat-intelligence-tip/tip-data-connector-config.png":::
 
 1. As you’ve already completed the app registration and configured your TIP or custom solution to send threat indicators, the only step left is to select the **Connect** button.