
Commit f3caf25

update MDTI matching analytics
1 parent 286229f commit f3caf25


1 file changed

+9
-3
lines changed


articles/sentinel/work-with-threat-indicators.md

Lines changed: 9 additions & 3 deletions
@@ -192,17 +192,17 @@ In the **Threat Intelligence** page:
192192

193193
### Supported log sources for matching analytics
194194

195-
The Microsoft Threat Intelligence Matching Analytics matches the log sources in the following tables with domain and IP indicators.
195+
The Microsoft Threat Intelligence Matching Analytics matches the log sources in the following tables with domain, IP and Microsoft Defender Threat Intelligence (MDTI) indicators.
196196

197-
#### Domain indicator matching
197+
#### [Domain](#tab/domain)
198198

199199
| Log source | Description |
200200
| --------- | --------- |
201201
| [CEF](connect-common-event-format.md) | Matching is done for all CEF logs that are ingested in the Log Analytics **CommonSecurityLog** table, except for any where the `DeviceVendor` is listed as `Cisco`. <br><br>To match Microsoft-generated threat intelligence with CEF logs, make sure to map the domain in the `RequestURL` field of the CEF log. |
202202
| [DNS](./data-connectors-reference.md#windows-dns-server-preview) | Matching is done for all DNS logs that are lookup DNS queries from clients to DNS services (`SubType == "LookupQuery"`). DNS queries are processed only for IPv4 (`QueryType=”A”`) and IPv6 queries (`QueryType=” AAAA”`).<br><br>To match Microsoft-generated threat intelligence with DNS logs, no manual mapping of columns is needed, as all columns are standard from Windows DNS Server, and the domains will be in the `Name` column by default. |
203203
| [Syslog](connect-syslog.md) | Matching is currently done for only for Syslog events where the `Facility` is `cron`. <br><br>To match Microsoft-generated threat intelligence with Syslog, no manual mapping of columns is needed. The details come in the `SyslogMessage` field of the Syslog by default, and the rule will parse the domain directly from the SyslogMessage. |
204204

205-
#### IP indicator matching
205+
#### [IP](#tab/ip)
206206

207207
Microsoft Threat Intelligence Matching Analytics currently matches only with IPv4 indicators.
208208

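Review bot: the DNS row at 202 is now the body of the new `[Domain](#tab/domain)` tab, yet it still carries typographic quotes and a stray space in `QueryType=”A”` and `QueryType=” AAAA”`; those do not paste as valid KQL, so change them to straight quotes as the IP table at 212 already does (`QueryType="A"`). The Syslog row at 203 reads "currently done for only for Syslog events"; drop the first "for". Since the headings at 197 and 205 become tabs, the intro at 195 ("the log sources in the following tables") now describes tables the reader sees one at a time, which is fine, but the tab group this hunk opens must be terminated after its last tab.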
@@ -212,6 +212,12 @@ Microsoft Threat Intelligence Matching Analytics currently matches only with IPv
212212
| [DNS](./data-connectors-reference.md#windows-dns-server-preview) | Matching is done for all DNS logs that are lookup DNS queries from clients to DNS services (`SubType == "LookupQuery"`). Threat intelligence matching analytics only process DNS queries for IPv4 (`QueryType="A"`). <br><br>To match Microsoft-generated threat intelligence with DNS logs, no manual mapping of columns is needed. All columns are standard from Windows DNS Server. The IPs are in the `IPAddresses` column by default. |
213213
| [Syslog](connect-syslog.md) | Matching is currently done for only for Syslog events where the `Facility` is `cron`. <br><br>To match Microsoft-generated threat intelligence with Syslog, no manual mapping of columns is needed. The details come in the `SyslogMessage` field of the Syslog by default. The rule parses the IP directly from the `SyslogMessage`. |
214214

215+
#### [Microsoft Defender Threat Intelligence (MDTI)](#tab/microsoft-defender-threat-intelligence)
216+
| Log source | Description |
217+
| --------- | --------- |
218+
|[CEF](connect-common-event-format.md) |Matching is done for all CEF logs that are ingested in the **CommonSecurityLog** table of log analytics except for ones that have `DeviceVendor` as `Cisco`. <br><br>To match Microsoft generated threat intelligence with CEF logs, no manual mapping needs to be done. The URL is populated in the `RequestURL` field by default.|
219+
220+
215221
## Workbooks provide insights about your threat intelligence
216222

217223
You can use a purpose-built Microsoft Sentinel workbook to visualize key information about your threat intelligence in Microsoft Sentinel, and you can easily customize the workbook according to your business needs.
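Review bot: the new MDTI tab at 215 is the last tab of the group, but nothing closes the tab set before `## Workbooks provide insights about your threat intelligence` at 221; the blank lines added at 219-220 should carry the `---` terminator the tabbed markdown syntax requires, otherwise the Workbooks section renders inside the MDTI tab. The CEF row at 218 also contradicts the Domain tab's CEF row at 201: 201 tells the reader to "make sure to map the domain in the `RequestURL` field", while 218 says "no manual mapping needs to be done. The URL is populated in the `RequestURL` field by default"; state which guidance applies to MDTI indicators, and say explicitly whether DNS and Syslog are out of scope for MDTI, since this table lists only CEF while the Domain and IP tabs list three sources. Minor style: 218 uses "Microsoft generated" where the other rows use "Microsoft-generated", and its cells lack the space after `|` that the other tables use (`| [CEF]...`).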
