connect-mdti-data-connector.md

File metadata and controls

66 lines (44 loc) · 5.4 KB
---
title: Enable data connector for Microsoft's threat intelligence
titleSuffix: Microsoft Defender Threat Intelligence
keywords: premium, TI, STIX objects, relationships, threat actor, watchlist, license
description: Learn how to ingest Microsoft's threat intelligence into your Sentinel workspace to generate high fidelity alerts and incidents.
author: austinmccollum
ms.topic: how-to
ms.date: 8/16/2024
ms.author: austinmc
appliesto:
  - Microsoft Sentinel in the Azure portal
  - Microsoft Sentinel in the Microsoft Defender portal
ms.collection: usx-security
---

# Enable data connector for Microsoft Defender Threat Intelligence

Bring public, open source and high fidelity indicators of compromise (IOC) generated by Microsoft Defender Threat Intelligence (MDTI) into your Microsoft Sentinel workspace with the MDTI data connectors. With a simple one-click setup, use the TI from the standard and premium MDTI data connectors to monitor, alert and hunt.

> [!IMPORTANT]
> The Microsoft Defender Threat Intelligence data connector and the Premium Microsoft Defender Threat Intelligence data connector are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. [!INCLUDE unified-soc-preview-without-alert]

For more information about the benefits of the standard and premium MDTI data connectors, see Understand threat intelligence.

## Prerequisites

- To install, update, and delete standalone content or solutions in the content hub, you need the Microsoft Sentinel Contributor role at the resource group level.
- To configure these data connectors, you must have read and write permissions to the Microsoft Sentinel workspace.

## Install the Threat Intelligence solution in Microsoft Sentinel

To import threat indicators into Microsoft Sentinel from standard and premium MDTI, follow these steps:

  1. For Microsoft Sentinel in the Azure portal, under Content management, select Content hub.
    For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Content management > Content hub.

  2. Find and select the Threat Intelligence solution.

  3. Select the :::image type="icon" source="media/connect-mdti-data-connector/install-update-button.png"::: Install/Update button.

For more information about how to manage the solution components, see Discover and deploy out-of-the-box content.

## Enable the Microsoft Defender Threat Intelligence data connector

  1. For Microsoft Sentinel in the Azure portal, under Configuration, select Data connectors.
    For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Configuration > Data connectors.

  2. Find and select the Microsoft Defender Threat Intelligence data connector > Open connector page button.

    :::image type="content" source="media/connect-mdti-data-connector/premium-microsoft-defender-threat-intelligence-data-connector-config.png" alt-text="Screenshot displaying the data connectors page with the MDTI data connector listed." lightbox="media/connect-mdti-data-connector/premium-microsoft-defender-threat-intelligence-data-connector-config.png":::

  3. Enable the feed by selecting the Connect button.

    :::image type="content" source="media/connect-mdti-data-connector/microsoft-defender-threat-intelligence-data-connector-connect.png" alt-text="Screenshot displaying the MDTI data connector page and the connect button." lightbox="media/connect-mdti-data-connector/microsoft-defender-threat-intelligence-data-connector-connect.png":::

  4. When MDTI indicators start populating the Microsoft Sentinel workspace, the connector status displays Connected.

The ingested indicators are now available for use in the *TI map...* analytics rules. For more information, see Use threat indicators in analytics rules.

Find the new indicators in the Threat intelligence blade or directly in Logs by querying the ThreatIntelligenceIndicator table. For more information, see Work with threat indicators.
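As an added example (not from this article), the following KQL query confirms that the connector is writing to the ThreatIntelligenceIndicator table and summarizes what the feed contains. It assumes the MDTI indicators carry `SourceSystem == "Microsoft Defender Threat Intelligence"`; run `ThreatIntelligenceIndicator | distinct SourceSystem` first and adjust the filter if your workspace shows a different value.

```kql
// Added example: verify that the MDTI connector is populating the table and
// summarize the usable indicators by kind and threat type.
let lookback = 7d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(lookback)
// Assumed SourceSystem value for this connector; confirm with
//   ThreatIntelligenceIndicator | distinct SourceSystem
| where SourceSystem == "Microsoft Defender Threat Intelligence"
// An indicator is re-ingested whenever it is updated, so keep only the
// most recent row per IndicatorId.
| summarize arg_max(TimeGenerated, *) by IndicatorId
// Keep only indicators that are still valid for matching.
| where Active == true and ExpirationDateTime > now()
// Classify by which observable field is populated.
| extend IndicatorKind = case(
    isnotempty(NetworkIP), "ip",
    isnotempty(DomainName), "domain",
    isnotempty(Url), "url",
    isnotempty(FileHashValue), "filehash",
    "other")
| summarize Indicators = count(),
            AvgConfidence = avg(ConfidenceScore),
            NewestIndicator = max(TimeGenerated)
    by IndicatorKind, ThreatType
| sort by Indicators desc
```

An empty result after the connector shows Connected usually means the lookback is too short or the SourceSystem filter does not match; widen the window or drop the filter to inspect the raw rows.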

## Related content

In this document, you learned how to connect Microsoft Sentinel to Microsoft's threat intelligence feed with the MDTI data connector. To learn more about Microsoft Defender Threat Intelligence, see the following articles.