Commit f7a206f

polish
1 parent b97fd1a commit f7a206f

3 files changed: +41 -49 lines changed

articles/sentinel/understand-threat-intelligence.md

Lines changed: 18 additions & 16 deletions
@@ -39,7 +39,7 @@ The following table outlines the activities required to make the most of threat
3939

4040
| Action | Description|
4141
|---|---|
42-
| **Store threat intelligence in Microsoft Sentinel's workspace** | <ul><li>Import threat intelligence into Microsoft Sentinel by enabling data connectors to various threat intelligence [platforms](connect-threat-intelligence-tip.md) and [feeds](connect-threat-intelligence-taxii.md).</li><li>Connect threat intelligence to Microsoft Sentinel by using the upload API to connect various TI [platforms](connect-threat-intelligence-tip.md) or custom applications.</li><li>Create threat intelligence with a streamlined management interface.</li>|
42+
| **Store threat intelligence in Microsoft Sentinel's workspace** | <ul><li>Import threat intelligence into Microsoft Sentinel by enabling data connectors to various threat intelligence platforms and feeds.</li><li>Connect threat intelligence to Microsoft Sentinel by using the upload API to connect various TI platforms or custom applications.</li><li>Create threat intelligence with a streamlined management interface.</li>|
4343
| **Manage threat intelligence** | <ul><li>View imported threat intelligence in logs or with advanced search.</li><li>Curate threat intelligence by establishing relationships between objects or adding tags</li><li>Visualize key information about your TI with the threat intelligence workbook.</li>|
4444
| **Use threat intelligence** | <ul><li>Detect threats and generate security alerts and incidents by using the built-in analytics rule templates based on your threat intelligence.</li><li>Hunt for threats using your threat intel to ask the right questions about the signals captured for your organization.</li>|
4545

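Review bot: the `<ul>` opened in each Description cell of this table (42+, 43 and 44) is never closed with `</ul>` before the trailing `|`, so the cell HTML is unbalanced and depends on the renderer's error recovery; add `</ul>` before the closing pipe in each of the three cells. Removing the links to connect-threat-intelligence-tip.md and connect-threat-intelligence-taxii.md in 42+ also takes away the only path from this overview table to the connector setup pages; if the aim was to stop linking the same page twice in one cell, keep one link per bullet rather than none. Minor: the bullet ending "adding tags" in 43 lacks a period.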
@@ -51,8 +51,8 @@ Threat intelligence also provides useful context within other Microsoft Sentinel
5151

5252
Most threat intelligence is imported using data connectors or an API. Here are the solutions available for Microsoft Sentinel.
5353

54-
- **Microsoft Defender Threat Intelligence data connector** to ingest Microsoft's threat intelligence
55-
- **Threat Intelligence - TAXII** for industry-standard STIX/TAXII feeds
54+
- **Microsoft Defender Threat Intelligence** data connector to ingest Microsoft's threat intelligence
55+
- **Threat Intelligence - TAXII** data connector for industry-standard STIX/TAXII feeds
5656
- **Threat Intelligence upload API** for integrated and curated TI feeds using a REST API to connect (doesn't require a data connector)
5757
- **Threat Intelligence Platform data connector** also connects TI feeds using a legacy REST API, but is on the path for deprecation
5858

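Review bot: the bold scope is now inconsistent between the rewritten items 54+/55+ and the unchanged 57: the first two bold only the connector name (**Microsoft Defender Threat Intelligence** data connector, **Threat Intelligence - TAXII** data connector), while 57 bolds **Threat Intelligence Platform data connector** with the words "data connector" inside the bold. Since this commit settles on the name-only convention, update 57 to **Threat Intelligence Platform** data connector in the same change.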
@@ -64,10 +64,12 @@ Also, see [this catalog of threat intelligence integrations](threat-intelligence
6464

6565
Bring public, open-source, and high-fidelity IOCs generated by Defender Threat Intelligence into your Microsoft Sentinel workspace with the Defender Threat Intelligence data connectors. With a simple one-click setup, use the threat intelligence from the standard and premium Defender Threat Intelligence data connectors to monitor, alert, and hunt.
6666

67-
There are two versions of the data connector, standard and premium. There's also a freely available Defender Threat Intelligence threat analytics rule which gives you a sample of what the premium Defender Threat Intelligence data connector provides. However, with matching analytics, only indicators that match the rule are ingested into your environment. The premium Defender Threat Intelligence data connector ingests Microsoft-enriched open source intelligence and Microsoft's curated IOCs. These premium features allow analytics on more data sources with greater flexibility and understanding of that threat intelligence. Here's a table that shows what to expect when you license and enable the Defender Threat Intelligence data connector premium version.
67+
There are two versions of the data connector, standard and premium. There's also a freely available Defender Threat Intelligence threat analytics rule which gives you a sample of what the premium Defender Threat Intelligence data connector provides. However, with matching analytics, only indicators that match the rule are ingested into your environment.
68+
69+
The premium Defender Threat Intelligence data connector ingests Microsoft-enriched open source intelligence and Microsoft's curated IOCs. These premium features allow analytics on more data sources with greater flexibility and understanding of that threat intelligence. Here's a table that shows what to expect when you license and enable the Defender Threat Intelligence data connector premium version.
6870

6971
| Free | Premium |
70-
|----|----|
72+
|---|---|
7173
| Public IOCs | |
7274
| Open-source intelligence (OSINT) | |
7375
| | Microsoft IOCs |
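Review bot: after the paragraph split, "However, with matching analytics" in 67+ no longer has a clear referent, because the only rule the paragraph names is the free threat analytics rule; say which option carries the limitation, e.g. "With the free matching-analytics rule, only indicators that match the rule are ingested into your environment." Also "rule which gives you" should read "rule that gives you" (restrictive clause). The separator fix in 72+ is fine.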
@@ -141,21 +143,21 @@ The following STIX objects are available in Microsoft Sentinel:
141143

142144
| STIX object | Description |
143145
|---|---|
144-
| **Threat actor** | From script kiddies to nation states, threat actors objects describe motivations, sophistication, and resourcing levels. |
146+
| **Threat actor** | From script kiddies to nation states, threat actor objects describe motivations, sophistication, and resourcing levels. |
145147
| **Attack pattern** | Also known as techniques, tactics and procedures, attack patterns describe a specific component of an attack and the MITRE ATT&CK stage it's used on. |
146-
| **Indicator** | `Domain name`, `URL`, `IPv4 address`, `IPv6 address`, and `File hashes`<ul><li>`X509 certificates` are used to authenticate the identity of devices and servers for secure communication over the internet.</li><li>`JA3` fingerprints are unique identifiers generated from the TLS/SSL handshake process. They help in identifying specific applications and tools used in network traffic, making it easier to detect malicious activities</li><li>`JA3S` fingerprints extend the capabilities of JA3 by also including server-specific characteristics in the fingerprinting process. This extension provides a more comprehensive view of the network traffic and helps in identifying both client and server-side threats.<li>`User agents` provide information about the client software making requests to a server, such as the browser or operating system. They're useful in identifying and profiling devices and applications accessing a network.</li> |
148+
| **Indicator** | `Domain name`, `URL`, `IPv4 address`, `IPv6 address`, and `File hashes`</br></br>`X509 certificates` are used to authenticate the identity of devices and servers for secure communication over the internet.</br></br>`JA3` fingerprints are unique identifiers generated from the TLS/SSL handshake process. They help in identifying specific applications and tools used in network traffic, making it easier to detect malicious activities</br></br>`JA3S` fingerprints extend the capabilities of JA3 by also including server-specific characteristics in the fingerprinting process. This extension provides a more comprehensive view of the network traffic and helps in identifying both client and server-side threats.</br></br>`User agents` provide information about the client software making requests to a server, such as the browser or operating system. They're useful in identifying and profiling devices and applications accessing a network. |
147149
| Identity | Describe victims, organizations, and other groups or individuals along with the business sectors most closely associated with them. |
148150
| Relationship | The threads that connect threat intelligence, helping to make connections across disparate signals and data points are described with relationships. |
149151

150152
### Create relationships
151153

152-
Establish connections between objects to enhance threat detection and response. Here are use cases of the relationship builder:
154+
Enhance threat detection and response by establishing connections between objects with the relationship builder. The following table lists some use cases of establishing connections.
153155

154156
| Use case | Description |
155157
|---|---|
156-
| Connecting Threat Actor to Attack Pattern | The threat actor *APT29 uses* the attack pattern *Phishing via Email* to gain initial access.|
157-
| Linking Indicator to Threat Actor| An indicator *allyourbase.contoso.com* domain is attributed to the threat actor *APT29*. |
158-
| Associating Identity (Victim) with Attack Pattern| The *FourthCoffee* organization is targeted by the attack pattern *Phishing via Email*.|
158+
| Connect threat actor to an attack pattern | The threat actor **APT29** *Uses* the attack pattern **Phishing via Email** to gain initial access.|
159+
| Link an indicator to a threat actor| A domain indicator **allyourbase.contoso.com** is *Attributed to* the threat actor **APT29**. |
160+
| Associate an identity (victim) with an attack pattern| The *FourthCoffee* organization is targeted by the attack pattern *Phishing via Email*.|
159161

160162
The following image shows how the relationship builder connects all of these use cases.
161163

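Review bot: `</br>` in the rewritten Indicator row (148+) is not a valid tag; it is a stray end tag that renderers may pass through or drop, so use `<br/>` (or `<br>`) for the line breaks, and give the JA3 sentence its terminal period ("...to detect malicious activities."). The same hunk leaves the Identity and Relationship rows (149, 150) unbolded while Threat actor, Attack pattern and Indicator are bold. In the relationships table, 158+ and 159+ switch to bold objects with an italic relationship verb (*Uses*, *Attributed to*), but 160+ keeps the old `*FourthCoffee*` / `*Phishing via Email*` style with the verb in plain text; bold the two objects and italicize the verb in 160+ so the three examples read the same way.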
@@ -182,19 +184,19 @@ View your threat intelligence from the management interface. Use advanced search
182184

183185
:::image type="content" source="media/understand-threat-intelligence/advanced-search.png" alt-text="Screenshot that shows an advanced search interface with source and confidence conditions selected." lightbox="media/understand-threat-intelligence/advanced-search.png":::
184186

185-
Validate your indicators and view your successfully imported threat indicators from the Microsoft Sentinel-enabled Log Analytics workspace. The `ThreatIntelligenceIndicator` table under the **Microsoft Sentinel** schema is where all your Microsoft Sentinel threat indicators are stored. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features, such as analytics and workbooks.
187+
View your indicators stored in the Microsoft Sentinel-enabled Log Analytics workspace. The `ThreatIntelligenceIndicator` table under the **Microsoft Sentinel** schema is where all your Microsoft Sentinel threat indicators are stored. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features, such as analytics and workbooks.
186188

187189
Tables supporting the new STIX object schema aren't available publicly yet. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Ingest your threat intelligence into the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects` alongside with or instead of the current table, `ThreatIntelligenceIndicator` with this opt-in process.
188190

189191
Here's an example view of a basic query for just threat indicators using the current table.
190192

191193
:::image type="content" source="media/understand-threat-intelligence/logs-page-ti-table.png" alt-text="Screenshot that shows the Logs page with a sample query of the ThreatIntelligenceIndicator table." lightbox="media/understand-threat-intelligence/logs-page-ti-table.png":::
192194

193-
Threat intelligence indicators are ingested into the `ThreatIntelligenceIndicator` table of your Log Analytics workspace as read-only. Whenever an indicator is updated, a new entry in the `ThreatIntelligenceIndicator` table is created. Only the most current indicator appears on the **Threat Intelligence** page. Microsoft Sentinel deduplicates indicators based on the `IndicatorId` and `SourceSystem` properties and chooses the indicator with the newest `TimeGenerated[UTC]`.
195+
Threat intelligence indicators are ingested into the `ThreatIntelligenceIndicator` table of your Log Analytics workspace as read-only. Whenever an indicator is updated, a new entry in the `ThreatIntelligenceIndicator` table is created. Only the most current indicator appears on the management interface. Microsoft Sentinel deduplicates indicators based on the `IndicatorId` and `SourceSystem` properties and chooses the indicator with the newest `TimeGenerated[UTC]`.
194196

195197
The `IndicatorId` property is generated using the STIX indicator ID. When indicators are imported or created from non-STIX sources, `IndicatorId` is generated by the source and pattern of the indicator.
196198

197-
For more information, see [Work with threat intelligence in Microsoft Sentinel](work-with-threat-indicators.md#view-your-threat-intelligence-in-microsoft-sentinel).
199+
For more information, see [Work with threat intelligence in Microsoft Sentinel](work-with-threat-indicators.md#find-and-view-your-indicators).
198200

199201
### View your GeoLocation and WhoIs data enrichments (public preview)
200202

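Review bot: the anchor in 199+ changes to #find-and-view-your-indicators, but work-with-threat-indicators.md is not touched in this diff; confirm that heading exists there (or in a companion change), because a missing Markdown anchor does not fail the build and just lands at the top of the target page. While in this hunk, unchanged line 189 reads "alongside with or instead of"; drop "with", and the sentence needs a comma after `ThreatIntelObjects` to close the appositive.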
@@ -220,13 +222,13 @@ Microsoft provides access to its threat intelligence through the Defender Threat
220222

221223
## Workbooks provide insights about your threat intelligence
222224

223-
Workbooks provide powerful interactive dashboards that give you insights into all aspects of Microsoft Sentinel, and threat intelligence is no exception. Use the built-in **Threat Intelligence** workbook to visualize key information about your threat intelligence. You can easily customize the workbook according to your business needs. Create new dashboards by combining many data sources to help you visualize your data in unique ways.
225+
Workbooks provide powerful interactive dashboards that give you insights into all aspects of Microsoft Sentinel, and threat intelligence is no exception. Use the built-in **Threat Intelligence** workbook to visualize key information about your threat intelligence. Customize the workbook according to your business needs. Create new dashboards by combining many data sources to help you visualize your data in unique ways.
224226

225227
Because Microsoft Sentinel workbooks are based on Azure Monitor workbooks, extensive documentation and many more templates are already available. For more information, see [Create interactive reports with Azure Monitor workbooks](/azure/azure-monitor/visualize/workbooks-overview).
226228

227229
There's also a rich resource for [Azure Monitor workbooks on GitHub](https://github.com/microsoft/Application-Insights-Workbooks), where you can download more templates and contribute your own templates.
228230

229-
For more information on using and customizing the **Threat Intelligence** workbook, see [Work with threat intelligence in Microsoft Sentinel](work-with-threat-indicators.md#gain-insights-about-your-threat-intelligence-with-workbooks).
231+
For more information on using and customizing the **Threat Intelligence** workbook, see [Visualize threat intelligence with workbooks](work-with-threat-indicators.md#visualize-your-threat-intelligence-with-workbooks).
230232

231233
## Related content
232234

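Review bot: 231+ points at #visualize-your-threat-intelligence-with-workbooks in work-with-threat-indicators.md, a file that is not part of this diff, so the renamed heading must already exist there or the link silently scrolls to the top of the page; please verify the target before merging. The updated link text is fine.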
articles/sentinel/whats-new.md

Lines changed: 1 addition & 1 deletion
@@ -122,7 +122,7 @@ The **Agentless solution** is compatible with SAP S/4HANA Cloud, Private Edition
122122
123123
For more information, see:
124124

125-
- [Microsoft Sentinel for SAP goes agentless ](https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/microsoft-sentinel-for-sap-goes-agentless/ba-p/13960238)
125+
- [Microsoft Sentinel for SAP goes agentless](https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/microsoft-sentinel-for-sap-goes-agentless/ba-p/13960238)
126126
- [Sign up for the limited preview](https://aka.ms/SentinelSAPAgentlessSignUp)
127127
- [Microsoft Sentinel solution for SAP applications: Deployment overview](sap/deployment-overview.md)
128128
