update work indicators create section

austinmccollum · austinmccollum · commit 71beff02144c · 2025-01-27T16:52:50.000-06:00
diff --git a/articles/sentinel/media/work-with-threat-indicators/threat-intel-add-new-indicator.png b/articles/sentinel/media/work-with-threat-indicators/threat-intel-add-new-indicator.png
diff --git a/articles/sentinel/understand-threat-intelligence.md b/articles/sentinel/understand-threat-intelligence.md
@@ -147,9 +147,28 @@ The following STIX objects are available in Microsoft Sentinel:
 | Identity | Describe victims, organizations, and other groups or individuals along with the business sectors most closely associated with them. |
 | Relationship | The threads that connect threat intelligence, helping to make connections across disparate signals and data points are described with relationships. |
 
-Tagging threat intelligence is a quick way to group objects together to make them easier to find. Typically, you might apply tags related to a particular incident. But, if an indicator represents threats from a particular known actor or well-known attack campaign you might create a relationship instead of a tag. After you search for the threat intelligence that you want to work with, tag them individually or multiselect and tag them all at once. Because tagging is free-form, we recommend that you create standard naming conventions for threat intelligence tags.
+### Create relationships
 
-For more information, see [Work with threat intelligence in Microsoft Sentinel](work-with-threat-indicators.md#create-and-manage-objects).
+Establish connections between objects to enhance threat detection and response. Here are some examples of the relationship builder:
+
+Connecting Threat Actor to Attack Pattern: The threat actor "APT29" uses the attack pattern "Phishing via Email" to gain initial access.
+Linking Indicator to Threat Actor: An indicator (malicious domain) is attributed to the threat actor "APT29".
+Associating Identity (Victim) with Attack Pattern: The organization "Example Corp" is targeted by the attack pattern "Phishing via Email".
+
+### Curate threat intelligence
+
+Designate which TI objects can be shared with appropriate audiences by designating a sensitivity level called Traffic Light Protocol (TLP).
+
+| TLP color | Sensitivity |
+|---|---|
+| White | Information can be shared freely and publicly without any restrictions. |
+| Green | Information can be shared with peers and partner organizations within the community, but not publicly. It is intended for a wider audience within the community. |
+| Amber | Information can be shared with members of the organization, but not publicly. It is intended to be used within the organization to protect sensitive information. |
+| Red | Information is highly sensitive and should not be shared outside of the specific group or meeting where it was originally disclosed. |
+
+Tagging threat intelligence is a quick way to group objects together to make them easier to find. Typically, you might apply tags related to a particular incident. But, if an indicator represents threats from a particular known actor or well-known attack campaign, consider creating a relationship instead of a tag. After you search and filter for the threat intelligence that you want to work with, tag them individually or multiselect and tag them all at once. Because tagging is free-form, we recommend that you create standard naming conventions for threat intelligence tags.
+
+For more information, see [Work with threat intelligence in Microsoft Sentinel](work-with-threat-indicators.md#create-threat-intelligence).
 
 ## View your threat intelligence
 
diff --git a/articles/sentinel/work-with-threat-indicators.md b/articles/sentinel/work-with-threat-indicators.md
@@ -24,37 +24,42 @@ Accelerate threat detection and remediation with streamlined creation and manage
 
 ## Access the management interface
 
-Use one of the following tabs, depending on whether you're working in the Azure portal or the Defender portal. Even though the management interface is accessed differently depending which portal you use, the creation and management tasks have the same steps. 
+Use one of the following tabs, depending on where you want to work with threat intelligence. Even though the management interface is accessed differently depending which portal you use, the creation and management tasks have the same steps once you get there. 
 
 ### [Defender portal](#tab/defender-portal)
 
-For Microsoft Sentinel-powered threat intelligence in the Defender portal, navigate to **Threat intelligence** > **Intel management**.
+In the Defender portal, navigate to **Threat intelligence** > **Intel management**.
 
 :::image type="content" source="media/work-with-threat-indicators/intel-management-navigation.png" alt-text="Screenshot showing the intel management menu item in the Defender portal.":::
 
 ### [Azure portal](#tab/azure-portal)
 
-For Microsoft Sentinel in the Azure portal, navigate to **Threat management** > **Threat intelligence**.
+In the Azure portal, navigate to **Threat management** > **Threat intelligence**.
 
 :::image type="content" source="media/work-with-threat-indicators/threat-intelligence-sentinel.png" alt-text="Screenshot showing threat intelligence menu for Microsoft Sentinel in the Azure portal.":::
 
-## Create threat intelligence in the management interface
+---
+
+## Create threat intelligence
 
-Use the management interface to create threat intelligence objects and perform other common threat intelligence tasks such as indicator tagging and establishing connections between objects security investigations.
+Use the management interface to create STIX objects and perform other common threat intelligence tasks such as indicator tagging and establishing connections between objects.
 
 - Define relationships as you create new STIX objects.
 - Curate existing TI with the relationship builder.
 - Quickly create multiple objects by using the duplicate feature to copy the metadata from a new or existing TI object.
 
-### Create a new indicator
+For more information on supported STIX objects, see [Understand threat intelligence](understand-threat-intelligence.md#create-and-manage-threat-intelligence).
 
-1. On the menu bar at the top of the page, select **Add new**.
+### Create a new STIX object
+
+1. Select **Add new** > **TI object**.
 
     :::image type="content" source="media/work-with-threat-indicators/threat-intel-add-new-indicator.png" alt-text="Screenshot that shows adding a new threat indicator." lightbox="media/work-with-threat-indicators/threat-intel-add-new-indicator.png":::
 
-1. Choose the indicator type, and then fill in the form on the **New indicator** pane. The required fields are marked with an asterisk (*).
+1. Choose the **Object type**, then fill in the form on the **New TI object** page. Required fields are marked with a red asterisk (*).
+
+1. Select **Add and duplicate** if you want to create more items with the same metadata. Otherwise, select **Add** to create the single item.
 
-1. Select **Apply**. The indicator is added to the indicators list and is also sent to the `ThreatIntelligenceIndicator` table in **Logs**.
 
 ## Manage threat intelligence 
 
