Proposed Pull Request Change

📄 Document Links

View on GitHub View on Microsoft Learn

--- title: Enable the data connector for Microsoft's threat intelligence titleSuffix: Microsoft Defender Threat Intelligence keywords: premium, TI, STIX objects, relationships, threat actor, watchlist, license description: Learn how to ingest Microsoft's threat intelligence into your Microsoft Sentinel workspace to generate high-fidelity alerts and incidents. author: poliveria ms.topic: how-to ms.date: 8/16/2024 ms.author: pauloliveria appliesto: - Microsoft Sentinel in the Microsoft Defender portal - Microsoft Sentinel in the Azure portal ms.collection: usx-security ms.custom: sfi-image-nochange #Customer intent: As a security administrator, I want to enable the data connector for Microsoft Defender Threat Intelligence so that I can ingest high fidelity threat intelligence into my Microsoft Sentinel workspace for enhanced threat monitoring and response. --- # Enable the Microsoft Defender Threat Intelligence data connector Bring public, open-source and high-fidelity indicators of compromise (IOCs) generated by Microsoft Defender Threat Intelligence into your Microsoft Sentinel workspace with the Defender Threat Intelligence data connectors. With a simple one-click setup, use the threat intelligence from the standard and premium Defender Threat Intelligence data connectors to monitor, alert, and hunt. > [!INCLUDE [unified-soc-preview-without-alert](includes/unified-soc-preview-without-alert.md)] For more information about the benefits of the standard and premium Defender Threat Intelligence data connectors, see [Understand threat intelligence](understand-threat-intelligence.md#add-threat-intelligence-to-microsoft-sentinel-with-the-defender-threat-intelligence-data-connector). ## Prerequisites - To install, update, and delete standalone content or solutions in the **Content hub**, you need the Microsoft Sentinel Contributor role at the resource group level. - To configure these data connectors, you must have read and write permissions to the Microsoft Sentinel workspace. - To access threat intelligence from the premium version of the Defender Threat Intelligence data connector, contact sales to purchase the **MDTI API Access** SKU. For more information on how to get a premium license and explore all the differences between the standard and premium versions, see [Explore Defender Threat Intelligence licenses](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-threat-intelligence#areaheading-oc8e7d). ## Install the threat intelligence solution in Microsoft Sentinel To import threat intelligence into Microsoft Sentinel from standard and premium Defender Threat Intelligence, follow these steps: 1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Content management**, select **Content hub**. For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Content management** > **Content hub**. 1. Find and select the **Threat Intelligence** solution. 1. Select the :::image type="icon" source="media/connect-mdti-data-connector/install-update-button.png"::: **Install/Update** button. For more information about how to manage the solution components, see [Discover and deploy out-of-the-box content](sentinel-solutions-deploy.md). ## Enable the Defender Threat Intelligence data connector 1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Configuration**, select **Data connectors**. For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Configuration** > **Data connectors**. 1. Find and select either the standard or premium Defender Threat Intelligence data connector. Select **Open connector page** button. 1. Enable the feed by selecting **Connect**. :::image type="content" source="media/connect-mdti-data-connector/premium-connect.png" alt-text="Screenshot that shows the Defender Threat Intelligence Data connector page and the Connect button." lightbox="media/connect-mdti-data-connector/premium-connect.png"::: 1. When Defender Threat Intelligence starts populating the Microsoft Sentinel workspace, the connector status displays **Connected**. At this point, the ingested intelligence is now available for use in the `TI map...` analytics rules. For more information, see [Use threat indicators in analytics rules](use-threat-indicators-in-analytics-rules.md). Find the new intelligence in the management interface or directly in **Logs** by querying the `ThreatIntelligenceIndicator` table. For more information, see [Work with threat intelligence](work-with-threat-indicators.md). ## Related content In this article, you learned how to connect Microsoft Sentinel to the Microsoft threat intelligence feed with the Defender Threat Intelligence data connector. To learn more about Defender Threat Intelligence, see the following articles: - Learn about [What is Defender Threat Intelligence?](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti). - Get started with the [Defender Threat Intelligence portal](/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal). - Use Defender Threat Intelligence in analytics [by using matching analytics to detect threats](use-matching-analytics-to-detect-threats.md).