articles/sentinel/understand-threat-intelligence.md
Lines changed: 16 additions & 3 deletions
@@ -132,7 +132,8 @@ Threat intelligence powered by Microsoft Sentinel is managed next to Microsoft D
132
132
>[!NOTE]
133
133
> Threat intelligence in the Azure portal is still accessed from **Microsoft Sentinel** > **Threat management** > **Threat intelligence**.
134
134
135
-
Two of the most common threat intelligence tasks are creating new threat intelligence related to security investigations and adding tags. The management interface streamlines the manual process of creating individual threat intel with a few key features.
135
+
Two of the most common threat intelligence tasks are creating new threat intelligence related to security investigations and adding tags. The management interface streamlines the manual process of curating individual threat intel with a few key features.
136
+
- Configure ingestion rules to optimize threat intel from incoming sources.
136
137
- Define relationships as you create new STIX objects.
137
138
- Curate existing TI with the relationship builder.
138
139
- Copy common metadata from a new or existing TI object with the duplicate feature.
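Review bot: "optimize threat intel from incoming sources" in the new bullet at line 136 is too vague to tell the reader what an ingestion rule actually does; the section added later in this same change describes rules that update attributes or filter objects out before they reach the workspace, so the bullet should say that, for example "Configure ingestion rules to filter or update threat intel from incoming sources before it reaches your workspace." The wording change from "creating" to "curating" in the intro sentence is a good fix, since it now matches the "Curate existing TI" bullet below it and no longer repeats "creating" from the first half of the sentence.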
@@ -149,11 +150,23 @@ The following STIX objects are available in Microsoft Sentinel:
149
150
|**Identity**| Describe victims, organizations, and other groups or individuals along with the business sectors most closely associated with them. |
150
151
|**Relationship**| The threads that connect threat intelligence, helping to make connections across disparate signals and data points are described with relationships. |
151
152
153
+
### Configure ingestion rules
154
+
155
+
Take full control of threat intelligence feeds by filtering and optimizing the intel before it's delivered to your workspace. Ingestion rules update attributes, or filter objects out all together. The following table lists some use cases:
156
+
157
+
| Ingestion rule use case | Description |
158
+
|---|---|
159
+
| Reduce noise | Filter out old threat intelligence not updated for 6 months that also has low confidence. |
160
+
| Extend validity date | Promote high fidelity IOCs from trusted source by extending their `Valid until` by 30 days. |
161
+
| Remember the old days | The new threat actor taxonomy is great, but some of the analysts want to be sure to tag the old names. |
162
+
163
+
For more information, see [Work with threat intelligence ingestion rules](work-with-threat-indicators.md#curate-threat-intelligence-with-ingestion-rules).
164
+
152
165
### Create relationships
153
166
154
-
Enhance threat detection and response by establishing connections between objects with the relationship builder. The following table lists some of its use cases.
167
+
Enhance threat detection and response by establishing connections between objects with the relationship builder. The following table lists some of its use cases:
155
168
156
-
|Use case | Description |
169
+
|Relationship use case | Description |
157
170
|---|---|
158
171
| Connect a threat actor to an attack pattern | The threat actor `APT29`*Uses* the attack pattern `Phishing via Email` to gain initial access.|
159
172
| Link an indicator to a threat actor| A domain indicator `allyourbase.contoso.com` is *Attributed to* the threat actor `APT29`. |
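Review bot: typo in the new intro paragraph at line 155, "filter objects out all together" should be "altogether", and the comma before "or filter" is not needed ("Ingestion rules update attributes or filter objects out altogether"). Two rows of the new table at lines 159 and 161 also need attention: "Promote high fidelity IOCs from trusted source" should read "high-fidelity IOCs from a trusted source", and the "Remember the old days" description explains the motivation but never states what the rule does, unlike the other two rows; rewrite it as an action, for example "Tag objects that use the new threat actor taxonomy with the previous actor name so analysts can still search on it." Since filtering happens before intel is delivered to the workspace, it is worth adding one sentence under the table noting that filtered-out objects are not available in the workspace at all, which is why the "Reduce noise" row combines both conditions (stale for 6 months and low confidence) rather than dropping on confidence alone. Finally, confirm that the anchor `#curate-threat-intelligence-with-ingestion-rules` in the link at line 163 matches the heading in `work-with-threat-indicators.md`, since that target is not part of this change.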