Merge pull request #297305 from guywi-ms/new-ti-tables-with-query-samples

Stacyrch140 · web-flow · commit 6ef12cb5bf84 · 2025-04-03T10:49:20.000-04:00
New ti tables with query samples
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
@@ -6739,6 +6739,11 @@
       "redirect_url": "/dotnet/maui/data-cloud/push-notifications",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/work-with-styx-objects-and-indicators.md",
+      "redirect_url": "/azure/sentinel/work-with-styx-objects-indicators",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/storage/files/geo-redundant-storage-for-large-file-shares.md",
       "redirect_url": "/azure/storage/files/files-redundancy",
diff --git a/articles/sentinel/TOC.yml b/articles/sentinel/TOC.yml
@@ -802,6 +802,8 @@
     href: use-threat-indicators-in-analytics-rules.md
   - name: Use matching analytics to detect threats
     href: use-matching-analytics-to-detect-threats.md
+  - name: Work with STIX objects and indicators
+    href: work-with-styx-objects-indicators.md
 - name: Detect threats and analyze data
   items:
   - name: Monitor and visualize data
diff --git a/articles/sentinel/understand-threat-intelligence.md b/articles/sentinel/understand-threat-intelligence.md
@@ -2,10 +2,11 @@
 title: Threat intelligence
 titleSuffix: Microsoft Sentinel
 description: Understand threat intelligence and how it integrates with features in Microsoft Sentinel to analyze data, detect threats, and enrich alerts.
-author: austinmccollum
+author: guywi-ms
 ms.topic: concept-article
 ms.date: 02/27/2025
-ms.author: austinmc
+ms.author: guywild
+ms.reviewer: alsheheb
 appliesto:
     - Microsoft Sentinel in the Azure portal
     - Microsoft Sentinel in the Microsoft Defender portal
@@ -203,23 +204,28 @@ For more information, see [Work with threat intelligence in Microsoft Sentinel](
 
 ## View your threat intelligence
 
-View your threat intelligence from the management interface or using queries. From the management interface, use advanced search to sort and filter your threat intelligence objects without even writing a Log Analytics query.
+View your threat intelligence from the management interface or using queries: 
 
-:::image type="content" source="media/understand-threat-intelligence/advanced-search.png" alt-text="Screenshot that shows an advanced search interface with source and confidence conditions selected." lightbox="media/understand-threat-intelligence/advanced-search.png":::
+- From the management interface, use advanced search to sort and filter your threat intelligence objects without even writing a Log Analytics query.
 
-Use queries to view threat intelligence from **Logs** or **Advanced hunting**. Either way, the `ThreatIntelligenceIndicator` table under the **Microsoft Sentinel** schema is where all your Microsoft Sentinel threat indicators are stored. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features, such as analytics, hunting queries, and workbooks.
+    :::image type="content" source="media/understand-threat-intelligence/advanced-search.png" alt-text="Screenshot that shows an advanced search interface with source and confidence conditions selected." lightbox="media/understand-threat-intelligence/advanced-search.png":::
+
+- Use queries to view threat intelligence from **Logs** in the Azure portal or **Advanced hunting** in the Defender portal. 
+
+    Either way, the `ThreatIntelligenceIndicator` table under the **Microsoft Sentinel** schema is where all your Microsoft Sentinel threat indicators are stored. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features, such as analytics, hunting queries, and workbooks.
 
 >[!IMPORTANT]
->Tables supporting the new STIX object schema aren't available publicly. In order to view the STIX objects in queries and unlock the hunting model that uses them, request to opt in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Ingest your threat intelligence into the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects`, alongside or instead of the current table, `ThreatIntelligenceIndicator`, with this opt-in process.
->
+> On April 3, 2025, we publicly previewed two new tables to support STIX indicator and object schemas: `ThreatIntelIndicator` and `ThreatIntelObjects`. Microsoft Sentinel will ingest all threat intelligence into these new tables, while continuing to ingest the same data into the legacy `ThreatIntelligenceIndicator` table until July 31, 2025. 
+>**Be sure to update your custom queries, analytics and detection rules, workbooks, and automation to use the new tables by July 31, 2025.** After this date, Microsoft Sentinel will stop ingesting data to the legacy `ThreatIntelligenceIndicator` table. We're updating all out-of-the-box threat intelligence solutions in Content hub to leverage the new tables. For more information about the new table schemas, see [ThreatIntelIndicator](/azure/azure-monitor/reference/tables/threatintelligenceindicator) and [ThreatIntelObjects](/azure/azure-monitor/reference/tables/threatintelobjects).
+> For information on using and migrating to the new tables, see (Work with STIX objects to enhance threat intelligence and threat hunting in Microsoft Sentinel (Preview))[work-with-styx-objects-and-indicators.md]. 
 
-For more information, see [Work with threat intelligence in Microsoft Sentinel](work-with-threat-indicators.md#find-and-view-threat-intelligence-with-queries).
+### Threat intelligence lifecycle
 
-### Threat intelligence life cycle
+Microsoft Sentinel ingests threat intelligence indicators into the threat intelligence tables in your Log Analytics workspace. For more information on Microsoft Sentinel's threat intelligence tables, see [View your threat intelligence](#view-your-threat-intelligence).
 
-Threat intelligence indicators are ingested into the `ThreatIntelligenceIndicator` table of your Log Analytics workspace as read-only. Whenever an indicator is updated, a new entry in the `ThreatIntelligenceIndicator` table is created. Only the most current indicator appears on the management interface. Microsoft Sentinel deduplicates indicators based on the `IndicatorId` and `SourceSystem` properties and chooses the indicator with the newest `TimeGenerated[UTC]`.
+Whenever an indicator is created, updated, or deleted, Microsoft Sentinel creates a new entry in the tables. Only the most current indicator appears on the management interface. Microsoft Sentinel deduplicates indicators based on the `Id` property (the `IndicatorId` property in the legacy `ThreatIntelligenceIndicator`) and chooses the indicator with the newest `TimeGenerated[UTC]`.
 
-The `IndicatorId` property is generated using the STIX indicator ID. When indicators are imported or created from non-STIX sources, `IndicatorId` is generated using both the source and pattern of the indicator.
+The `Id` property is a concatenation of the base64-encoded `SourceSystem` value, `---` (three dashes), and the `stixId` (which is the `Data.Id` value).
 
 ### View your GeoLocation and WhoIs data enrichments (public preview)
 
diff --git a/articles/sentinel/work-with-styx-objects-indicators.md b/articles/sentinel/work-with-styx-objects-indicators.md
@@ -0,0 +1,152 @@
+---
+title: Work with STIX objects and indicators to enhance threat intelligence and threat hunting in Microsoft Sentinel (Preview)
+titleSuffix: Microsoft Sentinel
+description: This article provides examples of how to incorporate STIX objects into queries to enhance threat hunting.
+author: guywi-ms
+ms.topic: how-to
+ms.date: 03/31/2025
+ms.author: guywild
+ms.reviewer: alsheheb
+appliesto:
+    - Microsoft Sentinel in the Azure portal
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.collection: usx-security
+#Customer intent: As a security analyst, I want to understand how to incorporate STIX objects into queries to enhance threat hunting.
+---
+
+# Work with STIX objects and indicators to enhance threat intelligence and threat hunting in Microsoft Sentinel (Preview)
+
+On April 3, 2025, we publicly previewed two new tables to support STIX (Structured Threat Information eXpression) indicator and object schemas: `ThreatIntelIndicator` and `ThreatIntelObjects`. This article provides examples of how to incorporate STIX objects into queries to enhance threat hunting, and how to migrate to the new threat indicator schema.
+
+For more information about threat intelligence in Microsoft Sentinel, see [Threat intelligence in Microsoft Sentinel](understand-threat-intelligence.md).
+
+>[!IMPORTANT]
+> Microsoft Sentinel will ingest all threat intelligence into the new `ThreatIntelIndicator` and `ThreatIntelObjects` tables, while continuing to ingest the same data into the legacy `ThreatIntelligenceIndicator` table until July 31, 2025. 
+>
+> **Be sure to update your custom queries, analytics and detection rules, workbooks, and automation to use the new tables by July 31, 2025.** After this date, Microsoft Sentinel will stop ingesting data to the legacy `ThreatIntelligenceIndicator` table. We're updating all out-of-the-box threat intelligence solutions in Content hub to leverage the new tables. For more information about the new table schemas, see [ThreatIntelIndicator](/azure/azure-monitor/reference/tables/threatintelligenceindicator) and [ThreatIntelObjects](/azure/azure-monitor/reference/tables/threatintelobjects).
+
+## Identify threat actors associated with specific threat indicators
+
+This query is an example of how to correlate threat indicators, such as IP addresses, with threat actors:
+
+```Kusto
+ let IndicatorsWithThatIP = (ThreatIntelIndicators
+| extend tlId = tostring(Data.id)
+| summarize arg_max(TimeGenerated,*) by Id
+|  where IsDeleted == false);
+let ThreatActors = (ThreatIntelObjects
+| where StixType == 'threat-actor'
+| extend tlId = tostring(Data.id)
+| extend ThreatActorName = Data.name
+| extend ThreatActorSource = base64_decode_tostring(tostring(split(Id, '---')[0]))
+| summarize arg_max(TimeGenerated,*) by Id
+|  where IsDeleted == false);
+let AllRelationships = (ThreatIntelObjects
+| where StixType == 'relationship'
+| extend tlSourceRef = tostring(Data.source_ref)
+| extend tlTargetRef = tostring(Data.target_ref)
+| extend tlId = tostring(Data.id)
+| summarize arg_max(TimeGenerated,*) by Id
+|  where IsDeleted == false);
+let IndicatorAsSource = (IndicatorsWithThatIP
+| join AllRelationships on $left.tlId == $right.tlSourceRef
+| join ThreatActors on $left.tlTargetRef == $right.tlId);
+let IndicatorAsTarget = (IndicatorsWithThatIP
+| join AllRelationships on $left.tlId == $right.tlTargetRef
+| join ThreatActors on $left.tlSourceRef == $right.tlId);
+IndicatorAsSource
+| union IndicatorAsTarget
+| project ObservableValue, ThreatActorName
+```
+
+
+## List threat intelligence data related to a specific threat actor 
+
+This query provides insights into the tactics, techniques, and procedures (TTPs) of the threat actor (replace `Sangria Tempest` with the name of the threat actor you want to investigate):
+
+```Kusto
+let THREAT_ACTOR_NAME = 'Sangria Tempest';
+let ThreatIntelObjectsPlus = (ThreatIntelObjects
+| union (ThreatIntelIndicators
+| extend StixType = 'indicator')
+| extend tlId = tostring(Data.id)
+| extend PlusStixTypes = StixType
+| extend importantfield = case(StixType == "indicator", Data.pattern,
+                            StixType == "attack-pattern", Data.name,
+                            "Unkown")
+| extend feedSource = base64_decode_tostring(tostring(split(Id, '---')[0]))
+| summarize arg_max(TimeGenerated,*) by Id
+|  where IsDeleted == false);
+let ThreatActorsWithThatName = (ThreatIntelObjects
+| where StixType == 'threat-actor'
+| where Data.name == THREAT_ACTOR_NAME
+| extend tlId = tostring(Data.id)
+| extend ActorName = tostring(Data.name)
+| summarize arg_max(TimeGenerated,*) by Id
+|  where IsDeleted == false);
+let AllRelationships = (ThreatIntelObjects
+| where StixType == 'relationship'
+| extend tlSourceRef = tostring(Data.source_ref)
+| extend tlTargetRef = tostring(Data.target_ref)
+| extend tlId = tostring(Data.id)
+| summarize arg_max(TimeGenerated,*) by Id
+|  where IsDeleted == false);
+let SourceRelationships = (ThreatActorsWithThatName
+| join AllRelationships on $left.tlId == $right.tlSourceRef
+| join ThreatIntelObjectsPlus on $left.tlTargetRef == $right.tlId);
+let TargetRelationships = (ThreatActorsWithThatName
+| join AllRelationships on $left.tlId == $right.tlTargetRef
+| join ThreatIntelObjectsPlus on $left.tlSourceRef == $right.tlId);
+SourceRelationships
+| union TargetRelationships
+| project ActorName, PlusStixTypes, ObservableValue, importantfield, Tags, feedSource
+ ```
+
+## Migrate existing queries to the new ThreatIntelObjects schema
+
+This example shows how to migrate existing queries from the legacy `ThreatIntelligenceIndicator` table to the new `ThreatIntelObjects` schema. The query uses the `extend` operator to recreate legacy columns based on the `ObservableKey` and `ObservableValue` columns in the new table. 
+
+```Kusto
+ThreatIntelIndicators
+| extend NetworkIP = iff(ObservableKey == 'ipv4-addr:value', ObservableValue, ''),
+        NetworkSourceIP = iff(ObservableKey == 'network-traffic:src_ref.value', ObservableValue, ''),
+        NetworkDestinationIP = iff(ObservableKey == 'network-traffic:dst_ref.value', ObservableValue, ''),
+        DomainName = iff(ObservableKey == 'domain-name:value', ObservableValue, ''),
+        EmailAddress = iff(ObservableKey == 'email-addr:value', ObservableValue, ''),
+        FileHashType = case(ObservableKey has 'MD5', 'MD5',
+                                ObservableKey has 'SHA-1', 'SHA-1',
+                                ObservableKey has 'SHA-256', 'SHA-256',
+                                ''),
+        FileHashValue = iff(ObservableKey has 'file:hashes', ObservableValue, ''),
+        Url = iff(ObservableKey == 'url:value', ObservableValue, ''),
+        x509Certificate = iff(ObservableKey has 'x509-certificate:hashes.', ObservableValue, ''),
+        x509Issuer = iff(ObservableKey has 'x509-certificate:issuer', ObservableValue, ''),
+        x509CertificateNumber = iff(ObservableKey == 'x509-certificate:serial_number', ObservableValue, ''),        
+        Description = tostring(Data.description),
+        CreatedByRef = Data.created_by_ref,
+        Extensions = Data.extensions,
+        ExternalReferences = Data.references,
+        GranularMarkings = Data.granular_markings,
+        IndicatorId = tostring(Data.id),
+        ThreatType = tostring(Data.indicator_types[0]),
+        KillChainPhases = Data.kill_chain_phases,
+        Labels = Data.labels,
+        Lang = Data.lang,
+        Name = Data.name,
+        ObjectMarkingRefs = Data.object_marking_refs,
+        PatternType = Data.pattern_type,
+        PatternVersion = Data.pattern_version,
+        Revoked = Data.revoked,
+        SpecVersion = Data.spec_version
+| project-reorder TimeGenerated, WorkspaceId, AzureTenantId, ThreatType, ObservableKey, ObservableValue, Confidence, Name, Description, LastUpdateMethod, SourceSystem, Created, Modified, ValidFrom, ValidUntil, IsDeleted, Tags, AdditionalFields, CreatedByRef, Extensions, ExternalReferences, GranularMarkings, IndicatorId, KillChainPhases, Labels, Lang, ObjectMarkingRefs, Pattern, PatternType, PatternVersion, Revoked, SpecVersion, NetworkIP, NetworkDestinationIP, NetworkSourceIP, DomainName, EmailAddress, FileHashType, FileHashValue, Url, x509Certificate, x509Issuer, x509CertificateNumber, Data
+```
+
+## Related content
+
+For more information, see the following articles:
+
+- [Threat intelligence in Microsoft Sentinel](understand-threat-intelligence.md).
+- Connect Microsoft Sentinel to [STIX/TAXII threat intelligence feeds](./connect-threat-intelligence-taxii.md).
+- See which [TIPs, TAXII feeds, and enrichments](threat-intelligence-integration.md) can be readily integrated with Microsoft Sentinel.
+
+[!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
diff --git a/articles/sentinel/work-with-threat-indicators.md b/articles/sentinel/work-with-threat-indicators.md
@@ -2,10 +2,11 @@
 title: Work with threat intelligence
 titleSuffix: Microsoft Sentinel
 description: This article explains how to view, create, manage, and visualize threat intelligence in Microsoft Sentinel.
-author: austinmccollum
+author: guywi-ms
 ms.topic: how-to
 ms.date: 02/21/2025
-ms.author: austinmc
+ms.author: guywild
+ms.reviewer: alsheheb
 appliesto:
     - Microsoft Sentinel in the Azure portal
     - Microsoft Sentinel in the Microsoft Defender portal
@@ -133,7 +134,7 @@ In the following image, multiple sources were used to search by placing them in
 
 :::image type="content" source="media/work-with-threat-indicators/advanced-search.png" alt-text="Screenshot shows an OR operator combined with multiple AND conditions to search threat intelligence." lightbox="media/work-with-threat-indicators/advanced-search.png":::
 
-Microsoft Sentinel only displays the most current version of your threat intel in this view. For more information on how objects are updated, see [Threat intelligence life cycle](understand-threat-intelligence.md#threat-intelligence-life-cycle).
+Microsoft Sentinel only displays the most current version of your threat intel in this view. For more information on how objects are updated, see [Threat intelligence lifecycle](understand-threat-intelligence.md#threat-intelligence-lifecycle).
 
 IP and domain name indicators are enriched with extra `GeoLocation` and `WhoIs` data so you can provide more context for any investigations where indicator is found.
 
@@ -164,8 +165,10 @@ This procedure describes how to view your threat intelligence with queries, rega
 Threat indicators are stored in the Microsoft Sentinel `ThreatIntelligenceIndicator` table. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features, such as **Analytics**, **Hunting**, and **Workbooks**.
 
 >[!IMPORTANT]
->Tables supporting the new STIX object schema aren't available publicly. In order to view the STIX objects in queries and unlock the hunting model that uses them, request to opt in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Ingest your threat intelligence into the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects`, alongside or instead of the current table, `ThreatIntelligenceIndicator`, with this opt-in process.
->
+> On April 3, 2025, we publicly previewed two new tables to support STIX indicator and object schemas: `ThreatIntelIndicator` and `ThreatIntelObjects`. Microsoft Sentinel will ingest all threat intelligence into these new tables, while continuing to ingest the same data into the legacy `ThreatIntelligenceIndicator` table until July 31, 2025. 
+>**Be sure to update your custom queries, analytics and detection rules, workbooks, and automation to use the new tables by July 31, 2025.** After this date, Microsoft Sentinel will stop ingesting data to the legacy `ThreatIntelligenceIndicator` table. We're updating all out-of-the-box threat intelligence solutions in Content hub to leverage the new tables. For more information about the new table schemas, see [ThreatIntelIndicator](/azure/azure-monitor/reference/tables/threatintelligenceindicator) and [ThreatIntelObjects](/azure/azure-monitor/reference/tables/threatintelobjects).
+> For information on using and migrating to the new tables, see (Work with STIX objects to enhance threat intelligence and threat hunting in Microsoft Sentinel (Preview))[work-with-styx-objects-and-indicators.md]. 
+
 
 #### [Defender portal](#tab/defender-portal)
 
