update bulk file for STIX objects

austinmccollum · austinmccollum · commit 4a2a7268aabb · 2025-01-22T12:22:45.000-06:00
diff --git a/articles/sentinel/indicators-bulk-file-import.md b/articles/sentinel/indicators-bulk-file-import.md
@@ -1,7 +1,7 @@
 ---
-title: Add indicators in bulk to threat intelligence by file
+title: Add threat intelligence in bulk by file
 titleSuffix: Microsoft Sentinel
-description: Learn how to bulk add indicators to threat intelligence from flat files like .csv or .json in Microsoft Sentinel. 
+description: Learn how to add threat intelligence in bulk from flat files like .csv or .json into Microsoft Sentinel. 
 author: austinmccollum
 ms.service: microsoft-sentinel
 ms.topic: how-to
@@ -13,13 +13,13 @@ appliesto:
 ms.collection: usx-security
 
 
-#Customer intent: As a security analyst, I want to import threat indicators in bulk from CSV or JSON files so that I can quickly integrate and analyze emerging threats within my threat intelligence platform.
+#Customer intent: As a security analyst, I want to import threat intelligence in bulk from CSV or JSON files so that I can quickly integrate and analyze emerging threats within Microsoft Sentinel.
 
 ---
 
-# Add indicators in bulk to Microsoft Sentinel threat intelligence from a CSV or JSON file
+# Add threat intelligence in bulk to Microsoft Sentinel from a CSV or JSON file
 
-In this article, you add indicators from a CSV or JSON file into Microsoft Sentinel threat intelligence. Threat intelligence sharing still happens across emails and other informal channels during an ongoing investigation. You have the ability to import indicators directly into Microsoft Sentinel threat intelligence so that you can quickly relay emerging threats to your team. You make the threats available to power other analytics, such as producing security alerts, incidents, and automated responses.
+This article demonstrates how to add indicators from a CSV or STIX objects from a JSON file into Microsoft Sentinel threat intelligence. Because threat intelligence sharing still happens across emails and other informal channels during an ongoing investigation, the ability to import that information quickly into Microsoft Sentinel is important to relay emerging threats to your team. These identified threats are then available to power other analytics, such as producing security alerts, incidents, and automated responses.
 
 > [!IMPORTANT]
 > This feature is currently in preview. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for more legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
@@ -28,11 +28,11 @@ In this article, you add indicators from a CSV or JSON file into Microsoft Senti
 
 ## Prerequisites
 
-You must have read and write permissions to the Microsoft Sentinel workspace to store your threat indicators.
+You must have read and write permissions to the Microsoft Sentinel workspace to store your threat intelligence.
 
-## Select an import template for your indicators
+## Select an import template for your threat intelligence
 
-Add multiple indicators to your threat intelligence with a specially crafted CSV or JSON file. Download the file templates to get familiar with the fields and how they map to the data you have. Review the required fields for each template type to validate your data before you import it.
+Add multiple threat intelligence objects with a specially crafted CSV or JSON file. Download the file templates to get familiar with the fields and how they map to the data you have. Review the required fields for each template type to validate your data before you import it.
 
 1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Threat management**, select **Threat intelligence**.
 
@@ -42,34 +42,39 @@ Add multiple indicators to your threat intelligence with a specially crafted CSV
 
     #### [Azure portal](#tab/azure-portal)
 
-    :::image type="content" source="media/indicators-bulk-file-import/import-using-file-menu-fixed.png" alt-text="Screenshot that shows the menu options to import indicators by using a file menu." lightbox="media/indicators-bulk-file-import/import-using-file-menu-fixed.png":::
+    :::image type="content" source="media/indicators-bulk-file-import/import-using-file-menu-fixed.png" alt-text="Screenshot that shows the menu options to import threat intelligence by using a file menu." lightbox="media/indicators-bulk-file-import/import-using-file-menu-fixed.png":::
     
     #### [Defender portal](#tab/defender-portal)
-    :::image type="content" source="media/indicators-bulk-file-import/import-using-file-menu-defender-portal.png" alt-text="Screenshot that shows the menu options to import indicators by using a file menu from the Defender portal." lightbox="media/indicators-bulk-file-import/import-using-file-menu-defender-portal.png":::
+    :::image type="content" source="media/indicators-bulk-file-import/import-using-file-menu-defender-portal.png" alt-text="Screenshot that shows the menu options to import threat intelligence by using a file menu from the Defender portal." lightbox="media/indicators-bulk-file-import/import-using-file-menu-defender-portal.png":::
     ---
 
 1. On the **File format** dropdown menu, select **CSV** or **JSON**.
 
     :::image type="content" source="media/indicators-bulk-file-import/format-select-and-download.png" alt-text="Screenshot that shows the dropdown menu to upload a CSV or JSON file, choose a template to download, and specify a source.":::
+    
+    > [!NOTE]
+    > The CSV template only supports indicators. The JSON template supports indicators and other STIX objects like threat actors, attack patterns, identities and relationships. 
+    > For more information about crafting supported STIX objects in JSON, see [STIX objects API reference](stix-objects-api.md).
+ 
 
 1. After you choose a bulk upload template, select the **Download template** link.
 
-1. Consider grouping your indicators by source because each file upload requires one.
+1. Consider grouping your threat intelligence by source because each file upload requires one.
 
-The templates provide all the fields you need to create a single valid indicator, including required fields and validation parameters. Replicate that structure to populate more indicators in one file. For more information on the templates, see [Understand the import templates](indicators-bulk-file-import.md#understand-the-import-templates).
+The templates provide all the fields you need to create a single valid indicator, including required fields and validation parameters. Replicate that structure to populate more indicators in one file, or add STIX objects to the JSON file. For more information on the templates, see [Understand the import templates](indicators-bulk-file-import.md#understand-the-import-templates).
 
-## Upload the indicator file
+## Upload the threat intelligence file
 
 1. Change the file name from the template default, but keep the file extension as .csv or .json. When you create a unique file name, it's easier to monitor your imports from the **Manage file imports** pane. 
 
-1. Drag your indicators file to the **Upload a file** section, or browse for the file by using the link.
+1. Drag your bulk threat intelligence file to the **Upload a file** section, or browse for the file by using the link.
 
-1. Enter a source for the indicators in the **Source** text box. This value is stamped on all the indicators included in that file. View this property as the `SourceSystem` field. The source is also displayed in the **Manage file imports** pane. For more information, see [Work with threat indicators](work-with-threat-indicators.md#find-and-view-your-indicators-in-logs). 
+1. Enter a source for the threat intelligence in the **Source** text box. This value is stamped on all the indicators included in that file. View this property as the `SourceSystem` field. The source is also displayed in the **Manage file imports** pane. For more information, see [Work with threat indicators](work-with-threat-indicators.md#find-and-view-your-indicators-in-logs). 
 
-1. Choose how you want Microsoft Sentinel to handle invalid indicator entries by selecting one of the buttons at the bottom of the **Import using a file** pane:
+1. Choose how you want Microsoft Sentinel to handle invalid entries by selecting one of the buttons at the bottom of the **Import using a file** pane:
 
-   - Import only the valid indicators and leave aside any invalid indicators from the file.
-   - Don't import any indicators if a single indicator in the file is invalid.
+   - Import only the valid entries and leave aside any invalid entries from the file.
+   - Don't import any entries if a single object in the file is invalid.
 
     :::image type="content" source="media/indicators-bulk-file-import/upload-file-pane.png" alt-text="Screenshot that shows the dropdown menu to upload a CSV or JSON file, choose a template, and specify a source highlighting the Import button.":::
 
@@ -83,19 +88,19 @@ Monitor your imports and view error reports for partially imported or failed imp
 
     :::image type="content" source="media/indicators-bulk-file-import/manage-file-imports.png" alt-text="Screenshot that shows the menu option to manage file imports.":::
 
-1. Review the status of imported files and the number of invalid indicator entries. The valid indicator count is updated after the file is processed. Wait for the import to finish to get the updated count of valid indicators.  
+1. Review the status of imported files and the number of invalid entries. The valid entry count is updated after the file is processed. Wait for the import to finish to get the updated count of valid entries.  
 
     :::image type="content" source="media/indicators-bulk-file-import/manage-file-imports-pane.png" alt-text="Screenshot that shows the Manage file imports pane with example ingestion data. The columns show sorted by imported number with various sources.":::
 
-1. View and sort imports by selecting **Source**, the indicator file **Name**, the number **Imported**, the **Total** number of indicators in each file, or the **Created** date.
+1. View and sort imports by selecting **Source**, the threat intelligence file **Name**, the number **Imported**, the **Total** number of entries in each file, or the **Created** date.
 
-1. Select the preview of the error file or download the error file that contains the errors about invalid indicators.
+1. Select the preview of the error file or download the error file that contains the errors about invalid entries.
 
 Microsoft Sentinel maintains the status of the file import for 30 days. The actual file and the associated error file are maintained in the system for 24 hours. After 24 hours, the file and the error file are deleted, but any ingested indicators continue to show in threat intelligence. 
 
 ## Understand the import templates
 
-Review each template to ensure that your indicators are imported successfully. Be sure to reference the instructions in the template file and the following supplemental guidance.
+Review each template to ensure that your threat intelligence is imported successfully. Be sure to reference the instructions in the template file and the following supplemental guidance.
 
 ### CSV template structure
 
@@ -120,17 +125,19 @@ Phishing,"demo, csv",MDTI article - Franken-Phish domainname,Entity appears in M
 
 ### JSON template structure
 
-1. There's only one JSON template for all indicator types. The JSON template is based on the STIX 2.1 format.
+1. There's only one JSON template for all STIX object types. The JSON template is based on the STIX 2.1 format.
 
-1. The `pattern` element supports indicator types of `file`, `ipv4-addr`, `ipv6-addr`, `domain-name`, `url`, `user-account`, `email-addr`, and `windows-registry-key`.
+1. The `type` element supports `indicator`, `attack-pattern`, `identity`, `threat-actor`, and `relationship`.  
+
+1. For indicators, the `pattern` element supports indicator types of `file`, `ipv4-addr`, `ipv6-addr`, `domain-name`, `url`, `user-account`, `email-addr`, and `windows-registry-key`.
 
 1. Remove the template comments before upload.
 
-1. Close the last indicator in the array by using the `}` without a comma.
+1. Close the last object in the array by using the `}` without a comma.
 
    The maximum file size for a JSON file import is 250 MB. 
 
-Here's an example `ipv4-addr` indicator that uses the JSON template:
+Here's an example `ipv4-addr` indicator and `attack-pattern` using the JSON file format:
 
 ```json
 [
@@ -161,13 +168,67 @@ Here's an example `ipv4-addr` indicator that uses the JSON template:
       "external_references": [],
       "object_marking_refs": [],
       "granular_markings": []
+    },
+    {
+        "type": "attack-pattern",
+        "spec_version": "2.1",
+        "id": "attack-pattern--fb6aa549-c94a-4e45-b4fd-7e32602dad85",
+        "created": "2015-05-15T09:12:16.432Z",
+        "modified": "2015-05-20T09:12:16.432Z",
+        "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
+        "revoked": false,
+        "labels": [
+            "heartbleed",
+            "has-logo"
+        ],
+        "confidence": 55,
+        "lang": "en",
+        "object_marking_refs": [
+            "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
+        ],
+        "granular_markings": [
+            {
+                "marking_ref": "marking-definition--089a6ecb-cc15-43cc-9494-767639779123",
+                "selectors": [
+                    "description",
+                    "labels"
+                ],
+                "lang": "en"
+            }
+        ],
+        "extensions": {
+            "extension-definition--d83fce45-ef58-4c6c-a3f4-1fbc32e98c6e": {
+                "extension_type": "property-extension",
+                "rank": 5,
+                "toxicity": 8
+            }
+        },
+        "external_references": [
+            {
+                "source_name": "capec",
+                "description": "spear phishing",
+                "external_id": "CAPEC-163"
+            }
+        ],
+        "name": "Attack Pattern 2.1",
+        "description": "menuPass appears to favor spear phishing to deliver payloads to the intended targets. While the attackers behind menuPass have used other RATs in their campaign, it appears that they use PIVY as their primary persistence mechanism.",
+        "kill_chain_phases": [
+            {
+                "kill_chain_name": "mandiant-attack-lifecycle-model",
+                "phase_name": "initial-compromise"
+            }
+        ],
+        "aliases": [
+            "alias_1",
+            "alias_2"
+        ]
     }
 ]
 ```
 
 ## Related content
 
-In this article, you learned how to manually bolster your threat intelligence by importing indicators gathered in flat files. To learn more about how indicators power other analytics in Microsoft Sentinel, see the following articles:
+In this article, you learned how to manually bolster your threat intelligence by importing indicators and other STIX objects gathered in flat files. To learn more about how threat intelligence powers other analytics in Microsoft Sentinel, see the following articles:
 
 - [Work with threat indicators in Microsoft Sentinel](work-with-threat-indicators.md)
 - [Threat indicators for cyber threat intelligence in Microsoft Sentinel](/azure/architecture/example-scenario/data/sentinel-threat-intelligence)
