Commit 16b39b1

complete how to
1 parent f7a206f commit 16b39b1

5 files changed

+27
-21
lines changed

articles/sentinel/understand-threat-intelligence.md

Lines changed: 10 additions & 10 deletions
@@ -155,9 +155,9 @@ Enhance threat detection and response by establishing connections between object
155155

156156
| Use case | Description |
157157
|---|---|
158-
| Connect threat actor to an attack pattern | The threat actor **APT29** *Uses* the attack pattern **Phishing via Email** to gain initial access.|
159-
| Link an indicator to a threat actor| A domain indicator **allyourbase.contoso.com** is *Attributed to* the threat actor **APT29**. |
160-
| Associate an identity (victim) with an attack pattern| The *FourthCoffee* organization is targeted by the attack pattern *Phishing via Email*.|
158+
| Connect threat actor to an attack pattern | The threat actor `APT29` *Uses* the attack pattern `Phishing via Email` to gain initial access.|
159+
| Link an indicator to a threat actor| A domain indicator `allyourbase.contoso.com` is *Attributed to* the threat actor `APT29`. |
160+
| Associate an identity (victim) with an attack pattern| The attack pattern `Phishing via Email` *Targets* the `FourthCoffee` organization.|
161161

162162
The following image shows how the relationship builder connects all of these use cases.
163163

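Review bot: the rewritten third row now reads in the same source, relationship, target order as the other two rows and in the direction STIX 2.1 defines for this pair (an attack pattern *targets* an identity), which fixes the old wording that had no relationship verb at all; the row label "Associate an identity (victim) with an attack pattern" still reads in the opposite direction, so consider "Associate an attack pattern with its target identity (victim)" so that label and description agree. The switch from bold to backticks for `APT29`, `Phishing via Email` and `allyourbase.contoso.com` is fine as long as it matches the relationship table in work-with-threat-indicators.md, which also uses backticks for object names.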
@@ -170,9 +170,9 @@ Designate which TI objects can be shared with appropriate audiences by designati
170170
| TLP color | Sensitivity |
171171
|---|---|
172172
| White | Information can be shared freely and publicly without any restrictions. |
173-
| Green | Information can be shared with peers and partner organizations within the community, but not publicly. It is intended for a wider audience within the community. |
174-
| Amber | Information can be shared with members of the organization, but not publicly. It is intended to be used within the organization to protect sensitive information. |
175-
| Red | Information is highly sensitive and should not be shared outside of the specific group or meeting where it was originally disclosed. |
173+
| Green | Information can be shared with peers and partner organizations within the community, but not publicly. It's intended for a wider audience within the community. |
174+
| Amber | Information can be shared with members of the organization, but not publicly. It's intended to be used within the organization to protect sensitive information. |
175+
| Red | Information is highly sensitive and shouldn't be shared outside of the specific group or meeting where it was originally disclosed. |
176176

177177
Tagging threat intelligence is a quick way to group objects together to make them easier to find. Typically, you might apply tags related to a particular incident. But, if an indicator represents threats from a particular known actor or well-known attack campaign, consider creating a relationship instead of a tag. After you search and filter for the threat intelligence that you want to work with, tag them individually or multiselect and tag them all at once. Because tagging is free-form, we recommend that you create standard naming conventions for threat intelligence tags.
178178

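Review bot: only contractions change in this hunk, but the table it touches still labels the lowest level "White"; the current FIRST TLP 2.0 standard calls that level CLEAR and also adds AMBER+STRICT, so readers matching these rows against labels on a feed may not find "White". If the Sentinel UI really shows "White", say so in the row ("White (TLP:CLEAR in TLP 2.0)") rather than leaving the mismatch unexplained.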
@@ -186,15 +186,15 @@ View your threat intelligence from the management interface. Use advanced search
186186

187187
View your indicators stored in the Microsoft Sentinel-enabled Log Analytics workspace. The `ThreatIntelligenceIndicator` table under the **Microsoft Sentinel** schema is where all your Microsoft Sentinel threat indicators are stored. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features, such as analytics and workbooks.
188188

189-
Tables supporting the new STIX object schema aren't available publicly yet. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Ingest your threat intelligence into the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects` alongside with or instead of the current table, `ThreatIntelligenceIndicator` with this opt-in process.
189+
Tables supporting the new STIX object schema aren't available publicly yet. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Ingest your threat intelligence into the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects`, alongside with or instead of the current table, `ThreatIntelligenceIndicator` with this opt-in process.
190190

191191
Here's an example view of a basic query for just threat indicators using the current table.
192192

193193
:::image type="content" source="media/understand-threat-intelligence/logs-page-ti-table.png" alt-text="Screenshot that shows the Logs page with a sample query of the ThreatIntelligenceIndicator table." lightbox="media/understand-threat-intelligence/logs-page-ti-table.png":::
194194

195195
Threat intelligence indicators are ingested into the `ThreatIntelligenceIndicator` table of your Log Analytics workspace as read-only. Whenever an indicator is updated, a new entry in the `ThreatIntelligenceIndicator` table is created. Only the most current indicator appears on the management interface. Microsoft Sentinel deduplicates indicators based on the `IndicatorId` and `SourceSystem` properties and chooses the indicator with the newest `TimeGenerated[UTC]`.
196196

197-
The `IndicatorId` property is generated using the STIX indicator ID. When indicators are imported or created from non-STIX sources, `IndicatorId` is generated by the source and pattern of the indicator.
197+
The `IndicatorId` property is generated using the STIX indicator ID. When indicators are imported or created from non-STIX sources, `IndicatorId` is generated from the source and pattern of the indicator.
198198

199199
For more information, see [Work with threat intelligence in Microsoft Sentinel](work-with-threat-indicators.md#find-and-view-your-indicators).
200200

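Review bot: the added comma after `ThreatIntelObjects` fixes only half of that sentence; "alongside with" should be "alongside" and the appositive needs its closing comma, for example "into the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects`, alongside or instead of the current table, `ThreatIntelligenceIndicator`, with this opt-in process." Separately, the unchanged line 195 explains deduplication on `IndicatorId` and `SourceSystem` with the newest `TimeGenerated[UTC]` for `ThreatIntelligenceIndicator` only; since this hunk introduces two new tables, a sentence stating whether `ThreatIntelIndicator` and `ThreatIntelObjects` follow the same versioning rule would close an obvious question for anyone writing queries against them.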
@@ -204,11 +204,11 @@ Microsoft enriches IP and domain indicators with extra `GeoLocation` and `WhoIs`
204204

205205
View `GeoLocation` and `WhoIs` data on the **Threat Intelligence** pane for those types of threat indicators imported into Microsoft Sentinel.
206206

207-
For example, use `GeoLocation` data to find information like the organization or country/region for an IP indicator. Use `WhoIs` data to find data like registrar and record creation data from a domain indicator.
207+
For example, use `GeoLocation` data to find information like the organization or country or region for an IP indicator. Use `WhoIs` data to find data like registrar and record creation data from a domain indicator.
208208

209209
## Detect threats with threat indicator analytics
210210

211-
The most important use case for threat indicators in SIEM solutions like Microsoft Sentinel is to power analytics rules for threat detection. These indicator-based rules compare raw events from your data sources against your threat indicators to detect security threats in your organization. In Microsoft Sentinel Analytics, you create analytics rules that run on a schedule and generate security alerts. The rules are driven by queries. Along with configurations, they determine how often the rule should run, what kind of query results should generate security alerts and incidents, and, optionally, when to trigger an automated response.
211+
The most important use case for threat indicators in SIEM solutions like Microsoft Sentinel is to power analytics rules for threat detection. These indicator-based rules compare raw events from your data sources against your threat indicators to detect security threats in your organization. In Microsoft Sentinel Analytics, you create analytics rules powered by queries that run on a schedule and generate security alerts. Along with configurations, they determine how often the rule should run, what kind of query results should generate security alerts and incidents, and, optionally, when to trigger an automated response.
212212

213213
Although you can always create new analytics rules from scratch, Microsoft Sentinel provides a set of built-in rule templates, created by Microsoft security engineers, to take advantage of your threat indicators. These templates are based on the type of threat indicators (domain, email, file hash, IP address, or URL) and data source events that you want to match. Each template lists the required sources that are needed for the rule to function. This information makes it easy to determine if the necessary events are already imported in Microsoft Sentinel.
214214

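Review bot: in the rewritten line 211, "they" has no clear antecedent ("rules powered by queries that run on a schedule and generate security alerts. Along with configurations, they determine"); the original two-sentence form made "the rules" the subject. Suggest "Each rule's query, together with its configuration, determines how often the rule runs, which query results generate alerts and incidents, and, optionally, when to trigger an automated response." In line 207, "country or region" replaces "country/region"; the usual docs convention is the slash form, so confirm that change is intended.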
articles/sentinel/work-with-threat-indicators.md

Lines changed: 17 additions & 11 deletions
@@ -45,7 +45,6 @@ In the Azure portal, navigate to **Threat management** > **Threat intelligence**
4545
Use the management interface to create STIX objects and perform other common threat intelligence tasks such as indicator tagging and establishing connections between objects.
4646

4747
- Define relationships as you create new STIX objects.
48-
- Curate existing TI with the relationship builder.
4948
- Quickly create multiple objects by using the duplicate feature to copy the metadata from a new or existing TI object.
5049

5150
For more information on supported STIX objects, see [Understand threat intelligence](understand-threat-intelligence.md#create-and-manage-threat-intelligence).
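Review bot: dropping the "Curate existing TI with the relationship builder" bullet leaves this list with no mention of the relationship builder, and it only works because a later hunk in the same file reintroduces that sentence under "## Manage threat intelligence"; if that hunk is ever split off, this one removes the pointer entirely, so the two changes should stay together.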
@@ -58,17 +57,17 @@ For more information on supported STIX objects, see [Understand threat intellige
5857

5958
1. Choose the **Object type**, then fill in the form on the **New TI object** page. Required fields are marked with a red asterisk (*).
6059
1. If you know how this object relates to another threat intelligence object, indicate that connection with the **Relationship type** and the **Target reference**.
61-
1. Select **Add and duplicate** if you want to create more items with the same metadata. The following image shows the common section of each STIX object's metadata that is duplicated.
60+
1. Select **Add** for an individual object, or **Add and duplicate** if you want to create more items with the same metadata. The following image shows the common section of each STIX object's metadata that is duplicated.
6261

63-
:::image type="content" source="media/work-with-threat-indicators/common-metadata-stix-object.png" alt-text="Screenshot showing new STIX object creation and the common metadata available to all objects.":::
64-
65-
1. Otherwise, select **Add** to create the single item.
62+
:::image type="content" source="media/work-with-threat-indicators/common-metadata-stix-object-reduced.png" alt-text="Screenshot showing new STIX object creation and the common metadata available to all objects.":::
6663

6764
## Manage threat intelligence
6865

66+
Curate existing TI with the relationship builder. Use the management interface to search, filter and sort, then add tags to your threat intelligence.
67+
6968
### Curate threat intelligence with the relationship builder
7069

71-
Connect threat intelligence objects with the relationship builder. There is a maximum of 20 relationships in the builder at once, but more connections can be created through multiple iterations and by adding relationship target references for new objects.
70+
Connect threat intelligence objects with the relationship builder. There's a maximum of 20 relationships in the builder at once, but more connections can be created through multiple iterations and by adding relationship target references for new objects.
7271

7372
1. Start with an object like a threat actor or attack pattern where the single object connects to one or more objects, like indicators.
7473
1. Add the relationship type according to the best practices outlined in the following table and in the [STIX 2.1 reference relationship summary table](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_6n2czpjuie3v):
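Review bot: the merged step now covers both **Add** and **Add and duplicate**, but the sentence that follows ("The following image shows the common section of each STIX object's metadata that is duplicated") only applies to the duplicate path; consider "If you choose **Add and duplicate**, the following image shows the common metadata that is copied." Two smaller points: the screenshot source changes to `common-metadata-stix-object-reduced.png`, so confirm the old `common-metadata-stix-object.png` is either deleted or still referenced somewhere, and the new intro line under "## Manage threat intelligence" says "search, filter and sort" while line 90 of the same file uses "sort, filter, and search" with a serial comma; pick one form.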
@@ -82,19 +81,26 @@ Connect threat intelligence objects with the relationship builder. There is a ma
8281
| **Indicates** | `Indicator` Indicates `Attack pattern` or `Threat actor` |
8382
| **Impersonates** | `Threat actor` Impersonates `Identity` |
8483

85-
The following image demonstrates connections made between a threat actor and an attack pattern, indicator and identity using the relationship type table.
84+
The following image demonstrates connections made between a threat actor and an attack pattern, indicator, and identity using the relationship type table.
8685

8786
:::image type="content" source="media/work-with-threat-indicators/relationship-example.png" alt-text="Screenshot showing the relationship builder.":::
8887

8988
### View your threat intelligence in the management interface
9089

91-
This procedure describes how to view and manage your indicators. Use the **Threat intelligence** page to sort, filter, and search your imported threat indicators without writing a Log Analytics query.
90+
Use the management interface to sort, filter, and search your threat indicators from whatever source they were ingested from without writing a Log Analytics query.
91+
92+
1. From the management interface, expand the **What would you like to search?** menu.
93+
1. Select the STIX object type or leave the default **All object types**.
94+
1. Select conditions using logical operators.
95+
1. Select the object you want to see more information about.
96+
97+
In the following image, multiple sources were used to search by placing them in an `OR` group, while multiple conditions were group with the `AND` operator.
9298

93-
1. From the grid, select the indicator for which you want to view more information. The indicator's information includes confidence levels, tags, and threat types.
99+
:::image type="content" source="media/works-with-threat-indicators/advanced-search.png" alt-text="Screenshot shows an OR operator combined with multiple AND conditions to search threat intelligence.":::
94100

95-
Microsoft Sentinel only displays the most current version of indicators in this view. For more information on how indicators are updated, see [Understand threat intelligence](understand-threat-intelligence.md#view-your-threat-intelligence).
101+
Microsoft Sentinel only displays the most current version of your threat intel in this view. For more information on how objects are updated, see [Understand threat intelligence](understand-threat-intelligence.md#view-your-threat-intelligence).
96102

97-
IP and domain name indicators are enriched with extra `GeoLocation` and `WhoIs` data. This data provides more context for investigations where the selected indicator is found.
103+
IP and domain name indicators are enriched with extra `GeoLocation` and `WhoIs` data so you can provide more context for any investigations where indicator is found.
98104

99105
Here's an example.
100106

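Review bot: the new image path `media/works-with-threat-indicators/advanced-search.png` uses `works-with-` while every other image in this file lives under `media/work-with-threat-indicators/`, so this looks like a typo that will render as a broken image. Grammar in the same hunk: "multiple conditions were group with the `AND` operator" should be "grouped", and "for any investigations where indicator is found" is missing "the". The rewritten line 101 also mixes "threat intel" with the "threat intelligence" used everywhere else in the file.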
0 commit comments

Comments
 (0)