Commit a16e3fc

add images and whats new
1 parent 17f693c commit a16e3fc

5 files changed

+18
-2
lines changed

articles/sentinel/understand-threat-intelligence.md

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -122,6 +122,10 @@ For more information, see [Connect Microsoft Sentinel to STIX/TAXII threat intel
122122

123123
## Create and manage threat intelligence
124124

125+
Threat intelligence management is unified with Microsoft Defender Threat Intelligence (MDTI) and Threat Analytics in the Defender portal.
126+
127+
:::image type="content" source="media/understand-threat-intelligence/intel-management-defender portal.png" alt-text="Screenshot showing intel management page in the Defender portal.":::
128+
125129
Two of the most common threat intelligence tasks are creating new threat intelligence related to security investigations and tagging intel objects. The management interface streamlines the manual process of creating individual threat intel with a few key features.
126130
- Define relationships as you create new STIX objects.
127131
- Curate existing TI with the relationship builder.
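Review bot: the image path on the new `:::image` line, `media/understand-threat-intelligence/intel-management-defender portal.png`, contains a space between `defender` and `portal`, while every other media path in this commit is hyphenated (`new-object.png`, `intel-management-navigation.png`). Rename the file to `intel-management-defender-portal.png` and update the `source` attribute so the path is consistent and does not depend on how the renderer encodes spaces. Minor: the parenthetical abbreviation "(MDTI)" introduced in the first added sentence is not reused anywhere in this hunk; either drop it or use it in the sentences that follow.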
@@ -137,7 +141,7 @@ The following STIX objects are available in Microsoft Sentinel:
137141
| Identity | Describe victims, organizations and other groups or individuals along with the business sectors most closely associated with them. |
138142
| Relationship | The threads that connect threat intelligence, helping to make connections across disparate signals and data points are described with relationships. |
139143

140-
:::image type="content" source="{source}" alt-text="{alt-text}":::
144+
:::image type="content" source="media/understand-threat-intelligence/new-object.png" alt-text="Screenshot of the add new menu STIX object options.":::
141145

142146
Tagging threat intelligence is a quick way to group objects together to make them easier to find. Typically, you might apply tags related to a particular incident. But, if an indicator represents threats from a particular known actor or well-known attack campaign you might create a relationship instead of a tag. After you search for the threat intelligence that you want to work with, tag them individually or multiselect and tag them all at once. Because tagging is free-form, we recommend that you create standard naming conventions for threat intelligence tags.
143147

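Review bot: the new alt text on the `:::image` line, "Screenshot of the add new menu STIX object options.", is hard to parse; suggest "Screenshot of the STIX object options in the Add new menu." Replacing the `{source}`/`{alt-text}` template placeholders from the previous revision is the right fix here; please confirm that `media/understand-threat-intelligence/new-object.png` is one of the three image files in this commit (five files changed, two of them markdown), since the hunk only shows the reference and not the binary.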
@@ -153,7 +157,7 @@ Microsoft enriches IPV4 and domain name indicators with [GeoLocation and WhoIs d
153157

154158
Validate your indicators and view your successfully imported threat indicators from the Microsoft Sentinel-enabled Log Analytics workspace. The `ThreatIntelligenceIndicator` table under the **Microsoft Sentinel** schema is where all your Microsoft Sentinel threat indicators are stored. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features, such as analytics and workbooks.
155159

156-
New tables are used to support the new STIX object schema, but aren't available publicly yet. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt-in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Either ingest your threat intelligence into only the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects`, or alongside the current table, `ThreatIntelligenceIndicator` with this optional request.
160+
Tables supporting the new STIX object schema aren't available publicly yet. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt-in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Ingest your threat intelligence into the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects` alongside with or instead of the current table, `ThreatIntelligenceIndicator` with this opt-in process.
157161

158162
Here's an example view of a basic query for for just threat indicators using the current table.
159163

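Review bot: the rewritten closing sentence has a grammar problem: "alongside with or instead of the current table, `ThreatIntelligenceIndicator` with this opt-in process" should read "alongside or instead of the current table, `ThreatIntelligenceIndicator`, through this opt-in process". Also "request to opt-in" should be "request to opt in" (verb, not the hyphenated adjective). While editing this paragraph, the unchanged context line immediately below it has a duplicated word: "a basic query for for just threat indicators".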
articles/sentinel/whats-new.md

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,14 +24,25 @@ Get notified when this page is updated by copying and pasting the following URL
2424
## January 2025
2525

2626
- [Threat intelligence management interface updated](#threat-intelligence-management-interface-updated)
27+
- [Opt in to new threat intelligence tables to unlock advanced hunting with new STIX objects](#opt-in-to-new-threat-intelligence-tables-to-unlock-advanced-hunting-with-new-stix-objects)
2728
- [Threat intelligence upload API now supports more STIX objects](#threat-intelligence-upload-api-now-supports-more-stix-objects)
2829
- [Microsoft Defender Threat Intelligence data connectors now generally available (GA)](#microsoft-defender-threat-intelligence-data-connectors-now-generally-available-ga)
2930
- [Bicep template support for repositories (Preview)](#bicep-template-support-for-repositories-preview)
3031
- [View granular solution content in the Microsoft Sentinel content hub](#view-granular-solution-content-in-the-microsoft-sentinel-content-hub)
3132

3233
### Threat intelligence management interface updated
3334

35+
Managing Microsoft Sentinel powered threat intelligence has moved in the Defender portal to a **Intel management**.
3436

37+
:::image type="content" source="media/whats-new/intel-management-navigation.png" alt-text="Screenshot showing new menu placement for Microsoft Sentinel threat intelligence.":::
38+
39+
Enhanced threat intelligence capabilities are available in both Microsoft's unified SecOps platform as well as Microsoft Sentinel in the Azure portal.
40+
41+
### Opt in to new threat intelligence tables to unlock advanced hunting with new STIX objects
42+
43+
Tables supporting the new STIX object schema aren't available publicly yet. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt-in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Ingest your threat intelligence into the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects` alongside with or instead of the current table, `ThreatIntelligenceIndicator` with this opt-in process.
44+
45+
For more information, see the blog announcement [New STIX objects in Microsoft Sentinel](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-new-stix-objects-in-microsoft-sentinel/4369164).
3546

3647
### Threat intelligence upload API now supports more STIX objects
3748

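Review bot: the sentence "Managing Microsoft Sentinel powered threat intelligence has moved in the Defender portal to a **Intel management**." is incomplete and uses the wrong article; suggest "Management of Microsoft Sentinel threat intelligence has moved to the **Intel management** page in the Defender portal." The new "Opt in" paragraph is a verbatim copy of the one added to understand-threat-intelligence.md in this same commit, including the "alongside with or instead of" error and "request to opt-in"; fix both copies together, or link to the article instead of duplicating the text so the two do not drift. Minor: "both Microsoft's unified SecOps platform as well as Microsoft Sentinel" should be "both ... and". The new table-of-contents entry's anchor does match the added heading, so no change is needed there.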
@@ -47,6 +58,7 @@ For more information, see the following articles:
4758

4859
- [Connect your threat intelligence platform with the upload API (Preview)](connect-threat-intelligence-upload-api.md)
4960
- [Import threat intelligence to Microsoft Sentinel with the upload API (Preview)](stix-objects-api.md)
61+
- [New STIX objects in Microsoft Sentinel](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-new-stix-objects-in-microsoft-sentinel/4369164)
5062

5163
### Microsoft Defender Threat Intelligence data connectors now generally available (GA)
5264

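Review bot: the new list item, "[New STIX objects in Microsoft Sentinel](https://techcommunity.microsoft.com/...)", sits in a list whose other two entries are relative `.md` articles marked "(Preview)", so a reader cannot tell it leads off the docs set. Consider labelling it, for example "[New STIX objects in Microsoft Sentinel](…) (blog announcement)", matching the wording "see the blog announcement" used in the new "Opt in" section earlier in this file.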