articles/sentinel/whats-new.md: 1 addition & 1 deletion
@@ -39,7 +39,7 @@ Managing Microsoft Sentinel-powered threat intelligence has moved in the Defende
Enhanced threat intelligence capabilities are available in both Microsoft's unified SecOps platform and Microsoft Sentinel in the Azure portal. The management interface streamlines the manual process of creating individual threat intel with these key features:
- Define relationships as you create new STIX objects.
- Curate existing threat intelligence with the new relationship builder.
-
-Quickly create multiple objects by using the duplicate feature to copy the metadata from a new or existing threat intel objects.
+
-Copy common metadata from a new or existing TI object with the duplicate feature.
Use advanced search to sort and filter your threat intelligence objects without even writing a Log Analytics query. For more information, see the following articles:
-[New STIX objects in Microsoft Sentinel](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-new-stix-objects-in-microsoft-sentinel/4369164)
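Review bot: the replacement bullet introduces the abbreviation "TI", which none of the neighbouring bullets use (they say "threat intelligence" and "threat intel"), so the list now mixes three names for the same thing; spell it out to match, e.g. `- Copy common metadata from a new or existing threat intelligence object with the duplicate feature.` The rewrite does correctly fix the number-agreement slip in the removed line ("a new or existing threat intel objects").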
articles/sentinel/work-with-threat-indicators.md: 7 additions & 6 deletions
@@ -60,11 +60,12 @@ For more information on supported STIX objects, see [Understand threat intellige
1. Select **Add and duplicate** if you want to create more items with the same metadata. The following image shows the common section of each STIX object's metadata that is duplicated.
:::image type="content" source="media/work-with-threat-indicators/common-metadata-stix-object.png" alt-text="Screenshot showing new STIX object creation and the common metadata available to all objects.":::
1. Otherwise, select **Add** to create the single item.
-
Relationship
+
## Curate threat intelligence
+
:::image type="content" source="media/work-with-threat-indicators/relationship-example.png" alt-text="Screenshot showing the relationship builder.":::
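Review bot: the new `## Curate threat intelligence` heading is followed only by blank lines and then the relationship-builder screenshot, with no sentence saying what the relationship builder is for; a reader coming from the "Curate existing threat intelligence with the new relationship builder" bullet in whats-new.md gets an image before any explanation, so add a one-line lead-in above the `:::image` directive. The removed line shows only as `Relationship` in the diff, so also confirm it was a heading at the same level as the new H2; otherwise the later `### Find and view your indicators in Logs` subsection now nests under a different parent than before.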
@@ -99,11 +100,11 @@ Here's an example.
### Find and view your indicators in Logs
-
This procedure describes how to view your imported threat indicators in the Microsoft Sentinel **Logs** area, together with other Microsoft Sentinel event data, regardless of the source feed or the connector that you used.
+
This procedure describes how to view your imported threat indicators in Log Analytics, together with other Microsoft Sentinel event data, regardless of the source feed or method you used to ingest them.
Imported threat indicators are listed in the Microsoft Sentinel `ThreatIntelligenceIndicator` table. This table is the basis for threat intelligence queries run elsewhere in Microsoft Sentinel, such as in **Analytics** or **Workbooks**.
-
To view your threat intelligence indicators in **Logs**:
+
To view your threat intelligence indicators:
1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **General**, select **Logs**.
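Review bot: the rewritten first sentence now says "in Log Analytics" while the unchanged `### Find and view your indicators in Logs` heading directly above it still uses the **Logs** name, so the section refers to the same place by two names; either keep "the Microsoft Sentinel **Logs** area" in the sentence or rename the heading so one term is used throughout. Dropping "in **Logs**" from the "To view your threat intelligence indicators:" lead-in is fine on its own, because step 1 still tells the reader to select **Logs** under **General** in the Azure portal.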
@@ -117,9 +118,9 @@ To view your threat intelligence indicators in **Logs**:
:::image type="content" source="media/work-with-threat-indicators/ti-table-results.png" alt-text="Screenshot that shows sample ThreatIntelligenceIndicator table results with the details expanded." lightbox="media/work-with-threat-indicators/ti-table-results.png":::
-
### Tag and edit threat indicators
+
### Tag and edit threat intelligence
-
Tagging threat indicators is an easy way to group them together to make them easier to find. Typically, you might apply tags to an indicator related to a particular incident, or if the indicator represents threats from a particular known actor or well-known attack campaign. After you search for the indicators you want to work with, tag them individually. Multiselect indicators and tag them all at once with one or more tags. Because tagging is free-form, we recommend that you create standard naming conventions for threat indicator tags.
+
Tagging threat intelligence is an easy way to group them together to make them easier to find. Typically, you might apply tags to an indicator related to a particular incident, or if the indicator represents threats from a particular known actor or well-known attack campaign. After you search for the indicators you want to work with, tag them individually. Multiselect indicators and tag them all at once with one or more tags. Because tagging is free-form, we recommend that you create standard naming conventions for threat indicator tags.
:::image type="content" source="media/work-with-threat-indicators/threat-intel-tagging-indicators.png" alt-text="Screenshot that shows applying tags to threat indicators." lightbox="media/work-with-threat-indicators/threat-intel-tagging-indicators.png":::
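Review bot: replacing "threat indicators" with "threat intelligence" in the heading and the opening sentence leaves "group them together" with no plural noun to refer back to ("threat intelligence" is a mass noun), and the rest of the paragraph still says "an indicator", "the indicators" and "threat indicator tags", so one paragraph now mixes both terms. Either write "Tagging threat intelligence objects is an easy way to group them together to make them easier to find." and update the later mentions to match, or keep "threat indicators" throughout; the alt text of the screenshot below ("applying tags to threat indicators") should follow whichever choice is made.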