articles/sentinel/understand-threat-intelligence.md
4 additions & 1 deletion
@@ -123,10 +123,13 @@ For more information, see [Connect Microsoft Sentinel to STIX/TAXII threat intel
123
123
124
124
## Create and manage threat intelligence
125
125
126
-
Threat intelligence management is unified with Microsoft Defender Threat Intelligence (MDTI) and Threat Analytics in the Defender portal.
126
+
Threat intelligence powered by Microsoft Sentinel is managed next to Microsoft Defender Threat Intelligence (MDTI) and Threat Analytics in Microsoft's unified SecOps platform.
127
127
128
128
:::image type="content" source="media/understand-threat-intelligence/intel-management-defender-portal.png" alt-text="Screenshot showing intel management page in the Defender portal.":::
129
129
130
+
>[!NOTE]
131
+
> Threat intelligence in the Azure portal remains in Microsoft Sentinel > **Threat management** > **Threat intelligence**.
132
+
130
133
Two of the most common threat intelligence tasks are creating new threat intelligence related to security investigations and tagging intel objects. The management interface streamlines the manual process of creating individual threat intel with a few key features.
131
134
- Define relationships as you create new STIX objects.
132
135
- Curate existing TI with the relationship builder.
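Review bot: the added NOTE tells Azure portal users where threat intelligence remains, but the rewritten sentence above it gives no Defender portal path, so readers of this article are left to guess where the management interface lives in the unified SecOps platform; suggest adding the path this same change uses in work-with-threat-indicators.md, e.g. `> In the Defender portal, navigate to **Threat intelligence** > **Intel management**.` Also, `>[!NOTE]` lacks the space after `>` that the following `> Threat intelligence in the Azure portal ...` line has; use `> [!NOTE]` for consistency with the docs alert syntax, and note that the screenshot alt text still says "in the Defender portal" while the new sentence says "Microsoft's unified SecOps platform", so pick one term for the paragraph.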
articles/sentinel/whats-new.md
1 addition & 1 deletion
@@ -39,7 +39,7 @@ Managing Microsoft Sentinel-powered threat intelligence has moved in the Defende
39
39
Enhanced threat intelligence capabilities are available in both Microsoft's unified SecOps platform and Microsoft Sentinel in the Azure portal. The management interface streamlines the manual process of creating individual threat intel with these key features:
40
40
- Define relationships as you create new STIX objects.
41
41
- Curate existing threat intelligence with the new relationship builder.
42
-
- Quickly create multiple objects by using the duplicate feature to copy the metadata from a new or existing threat intel.
42
+
- Quickly create multiple objects by using the duplicate feature to copy the metadata from a new or existing threat intel objects.
43
43
44
44
Use advanced search to sort and filter your threat intelligence objects without even writing a Log Analytics query. For more information, see the following articles:
45
45
-[New STIX objects in Microsoft Sentinel](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-new-stix-objects-in-microsoft-sentinel/4369164)
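Review bot: the reworded bullet now reads "from a new or existing threat intel objects", pairing a singular article with a plural noun; the equivalent bullet in work-with-threat-indicators.md in this same change uses "a new or existing TI object", so suggest `- Quickly create multiple objects by using the duplicate feature to copy the metadata from a new or existing threat intel object.`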
articles/sentinel/work-with-threat-indicators.md
28 additions & 24 deletions
@@ -10,23 +10,43 @@ appliesto:
10
10
- Microsoft Sentinel in the Azure portal
11
11
- Microsoft Sentinel in the Microsoft Defender portal
12
12
ms.collection: usx-security
13
-
14
-
15
13
#Customer intent: As a security analyst, I want to use threat intelligence managed by Microsoft Sentinel so that I can detect and respond to security threats more effectively.
16
-
17
14
---
18
15
19
16
# Work with threat intelligence in Microsoft Sentinel
20
17
21
-
Manage your threat intelligence with the following features:
18
+
This article demonstrates how to make the most of threat intelligence (TI) integration in the management interface with these activities:
19
+
20
+
- Create TI in the management interface
21
+
- Manage TI by viewing, curating, and visualizing
22
22
23
-
-**Import threat intelligence** into Microsoft Sentinel by enabling *data connectors* to various threat intelligence [platforms](connect-threat-intelligence-tip.md) and [feeds](connect-threat-intelligence-taxii.md).
24
-
-**View and manage** the imported threat intelligence in **Logs** and the management interface.
25
-
-**Detect threats** and generate security alerts and incidents by using the built-in **Analytics**rule templates based on your imported threat intelligence.
26
-
-**Visualize key information** about your imported threat intelligence in Microsoft Sentinel with the **Threat Intelligence workbook**.
23
+
All of these activities have the same steps except the management interface is accessed differently depending which portal you use.
24
+
25
+
-For Microsoft Sentinel-powered threat intelligence in the Defender portal, navigate to **Threat intelligence**> **Intel management**.
26
+
-For Microsoft Sentinel in the Azure portal, navigate to **Threat management** > **Threat intelligence**.
## Create threat intelligence in the management interface
31
+
32
+
Use the management interface to create threat intelligence objects and perform other common threat intelligence tasks such as indicator tagging and establishing connections between objects security investigations.
33
+
34
+
- Define relationships as you create new STIX objects.
35
+
- Curate existing TI with the relationship builder.
36
+
- Quickly create multiple objects by using the duplicate feature to copy the metadata from a new or existing TI object.
37
+
38
+
### Create a new indicator
39
+
40
+
1. On the menu bar at the top of the page, select **Add new**.
41
+
42
+
:::image type="content" source="media/work-with-threat-indicators/threat-intel-add-new-indicator.png" alt-text="Screenshot that shows adding a new threat indicator." lightbox="media/work-with-threat-indicators/threat-intel-add-new-indicator.png":::
43
+
44
+
1. Choose the indicator type, and then fill in the form on the **New indicator** pane. The required fields are marked with an asterisk (*).
45
+
46
+
1. Select **Apply**. The indicator is added to the indicators list and is also sent to the `ThreatIntelligenceIndicator` table in **Logs**.
47
+
48
+
## Manage threat intelligence
49
+
30
50
## View your threat intelligence in Microsoft Sentinel
31
51
32
52
Learn how to work with threat intelligence intelligence throughout Microsoft Sentinel.
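Review bot: the added `## Manage threat intelligence` heading is immediately followed by the existing `## View your threat intelligence in Microsoft Sentinel` heading with no body between them, so it is either an empty section or the view heading was meant to become `###` under it; pick one, since the new intro list promises a "Manage TI by viewing, curating, and visualizing" activity. Smaller points in the same hunk: `**Threat intelligence**> **Intel management**` is missing the space before `>`; "depending which portal you use" should read "depending on which portal you use"; and the sentence moved into the new section still reads "establishing connections between objects security investigations", which is missing a word (perhaps "between objects in security investigations"). The unchanged context line "threat intelligence intelligence" duplicates the word and could be fixed while you are here.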
@@ -74,23 +94,7 @@ To view your threat intelligence indicators in **Logs**:
74
94
75
95
:::image type="content" source="media/work-with-threat-indicators/ti-table-results.png" alt-text="Screenshot that shows sample ThreatIntelligenceIndicator table results with the details expanded." lightbox="media/work-with-threat-indicators/ti-table-results.png":::
76
96
77
-
## Create and manage objects
78
-
79
-
Use the management interface to create threat intelligence objects and perform other common threat intelligence tasks such as indicator tagging and establishing connections between objects security investigations.
80
-
81
-
### Create a new indicator
82
-
83
-
1. In the [Defender portal](https://security.microsoft.com/), select **** > **Threat intelligence** > **Intel management**.
84
-
85
-
For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Threat management**, select **Threat intelligence**.
86
97
87
-
1. On the menu bar at the top of the page, select **Add new**.
88
-
89
-
:::image type="content" source="media/work-with-threat-indicators/threat-intel-add-new-indicator.png" alt-text="Screenshot that shows adding a new threat indicator." lightbox="media/work-with-threat-indicators/threat-intel-add-new-indicator.png":::
90
-
91
-
1. Choose the indicator type, and then fill in the form on the **New indicator** pane. The required fields are marked with an asterisk (*).
92
-
93
-
1. Select **Apply**. The indicator is added to the indicators list and is also sent to the `ThreatIntelligenceIndicator` table in **Logs**.
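Review bot: deleting the `## Create and manage objects` heading also removes its `#create-and-manage-objects` anchor, so check for links to that anchor from other articles and update them or add a redirect as needed. The removed step 1 contained an empty bold (`select **** > **Threat intelligence**`) that the relocated section does not reproduce, which is good; however, the relocated `### Create a new indicator` steps now start at "select **Add new**" and rely solely on the intro sentences for the portal paths, so consider keeping a short pointer in that section for readers who land on it directly.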