articles/sentinel/work-with-threat-indicators.md
Lines changed: 14 additions & 2 deletions
@@ -57,7 +57,7 @@ For more information on supported STIX objects, see [Understand threat intellige
57
57
:::image type="content" source="media/work-with-threat-indicators/threat-intel-add-new-indicator.png" alt-text="Screenshot that shows adding a new threat indicator." lightbox="media/work-with-threat-indicators/threat-intel-add-new-indicator.png":::
58
58
59
59
1. Choose the **Object type**, then fill in the form on the **New TI object** page. Required fields are marked with a red asterisk (*).
60
-
60
+
1. If you know how this object relates to another threat intelligence object, indicate that connection with the **Relationship type** and the **Target reference**.
61
61
1. Select **Add and duplicate** if you want to create more items with the same metadata. The following image shows the common section of each STIX object's metadata that is duplicated.
62
62
63
63
:::image type="content" source="media/work-with-threat-indicators/common-metadata-stix-object.png" alt-text="Screenshot showing new STIX object creation and the common metadata available to all objects.":::
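Review bot: the rewritten step at line 60 tells the reader to set a **Relationship type** and a **Target reference** but never says what the target reference is, so a first-time user has no way to know whether it expects an object name, a STIX ID, or a selection from a picker. Suggest adding a short clause, for example "the **Target reference** (the existing threat intelligence object this one is related to)", and since the relationship is optional, consider moving the condition to the front of the sentence: "If this object relates to an existing threat intelligence object, ...". It would also help to use one term consistently; line 59 says "New TI object" while line 61 says "STIX object".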
@@ -66,8 +66,21 @@ For more information on supported STIX objects, see [Understand threat intellige
66
66
67
67
### Curate threat intelligence with the relationship builder
68
68
69
+
Connect threat intelligence objects with the relationship builder. There is a maximum of 20 relationships in the builder at once, but more connections can be created through multiple iterations and by adding relationship target references for new objects.
70
+
71
+
1. Start with an object like a threat actor or attack pattern where the single object connects to one or more objects, like indicators.
72
+
1. Add the relationship type according to the best practices outlined in the following table and in the [STIX 2.1 reference relationship summary table](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_6n2czpjuie3v):
69
73
74
+
| Relationship type | Description |
75
+
|---|---|
76
+
| <ul><li>Duplicate of</li><li>Derived from</li><li>Related to</li> | Common relationships defined for any STIX domain object (SDO)<br>For more information, see [STIX 2.1 reference on common relationships](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_f3dx2rhc3vl)|
77
+
| Targets |`Attack pattern` or `Threat actor`*Targets*`Identity`|
78
+
| Uses |`Threat actor`*Uses*`Attack pattern`|
79
+
| Attributed to |`Threat actor`*Attributed to*`Identity`|
80
+
| Indicates |`Indicator`*Indicates*`Attack pattern` or `Threat actor`|
The following image demonstrates connections made between a threat actor and an attack pattern, indicator and identity using the relationship type table.
71
84
72
85
:::image type="content" source="media/work-with-threat-indicators/relationship-example.png" alt-text="Screenshot showing the relationship builder.":::
73
86
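Review bot: the first data row of the new table (line 76) opens a `<ul>` that is never closed; `<li>Related to</li> |` should be `<li>Related to</li></ul> |`, otherwise renderers that accept inline HTML in tables may leak the list into the next cell or row. Two smaller points in the same hunk: the sentence at line 69 ("more connections can be created through multiple iterations and by adding relationship target references for new objects") is vague about what an "iteration" is, so consider spelling out "save the current set of relationships, then open the builder again"; and the "Description" column for the Targets, Uses, Attributed to and Indicates rows actually holds source/target examples, so a header such as "Description / example" would match the content better.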
@@ -113,7 +126,6 @@ To view your threat intelligence indicators:
113
126
For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Investigation & response** > **Hunting** > **Advanced hunting**.
114
127
115
128
1. The `ThreatIntelligenceIndicator` table is located under the **Microsoft Sentinel** group.
116
-
117
129
1. Select the **Preview data** icon (the eye) next to the table name. Select **See in query editor** to run a query that shows records from this table.
118
130
119
131
Your results should look similar to the sample threat indicator shown here.
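Review bot: deleting the blank line at old 116 turns this into a tight list, which matches the list at lines 59-61 earlier in the file, so the change is consistent; the separating blank at 127 still keeps the paragraph at 126 out of the list. While touching it, the first item at 128 ("The `ThreatIntelligenceIndicator` table is located under the **Microsoft Sentinel** group.") is a statement rather than a step like the other numbered items; suggest rewording it as an action, for example "Expand the **Microsoft Sentinel** group and locate the `ThreatIntelligenceIndicator` table."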