update for operational TI

Author: austinmccollum

articles/sentinel/connect-mdti-data-connector.md

@@ -13,7 +13,7 @@ appliesto:
 ms.collection: usx-security
 
 
-#Customer intent: As a security administrator, I want to enable the data connector for Microsoft Defender Threat Intelligence so that I can ingest high fidelity indicators of compromise into my Microsoft Sentinel workspace for enhanced threat monitoring and response.
+#Customer intent: As a security administrator, I want to enable the data connector for Microsoft Defender Threat Intelligence so that I can ingest high fidelity threat intelligence into my Microsoft Sentinel workspace for enhanced threat monitoring and response.
 
 ---
 
@@ -23,7 +23,7 @@ Bring public, open-source and high-fidelity indicators of compromise (IOCs) gene
 
 > [!INCLUDE [unified-soc-preview-without-alert](includes/unified-soc-preview-without-alert.md)]
 
-For more information about the benefits of the standard and premium Defender Threat Intelligence data connectors, see [Understand threat intelligence](understand-threat-intelligence.md#add-threat-indicators-to-microsoft-sentinel-with-the-defender-threat-intelligence-data-connector).
+For more information about the benefits of the standard and premium Defender Threat Intelligence data connectors, see [Understand threat intelligence](understand-threat-intelligence.md#add-threat-intelligence-to-microsoft-sentinel-with-the-defender-threat-intelligence-data-connector).
 
 ## Prerequisites
 
@@ -35,7 +35,7 @@ For more information on how to get a premium license and explore all the differe
 
 ## Install the threat intelligence solution in Microsoft Sentinel
 
-To import threat indicators into Microsoft Sentinel from standard and premium Defender Threat Intelligence, follow these steps:
+To import threat intelligence into Microsoft Sentinel from standard and premium Defender Threat Intelligence, follow these steps:
 
 1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Content management**, select **Content hub**.
 
@@ -59,11 +59,11 @@ For more information about how to manage the solution components, see [Discover
 
     :::image type="content" source="media/connect-mdti-data-connector/premium-connect.png" alt-text="Screenshot that shows the Defender Threat Intelligence Data connector page and the Connect button." lightbox="media/connect-mdti-data-connector/premium-connect.png"::: 
 
-1. When Defender Threat Intelligence indicators start populating the Microsoft Sentinel workspace, the connector status displays **Connected**.
+1. When Defender Threat Intelligence starts populating the Microsoft Sentinel workspace, the connector status displays **Connected**.
 
-At this point, the ingested indicators are now available for use in the `TI map...` analytics rules. For more information, see [Use threat indicators in analytics rules](use-threat-indicators-in-analytics-rules.md). 
+At this point, the ingested intelligence is now available for use in the `TI map...` analytics rules. For more information, see [Use threat indicators in analytics rules](use-threat-indicators-in-analytics-rules.md). 
 
-Find the new indicators on the **Threat intelligence** pane or directly in **Logs** by querying the `ThreatIntelligenceIndicator` table. For more information, see [Work with threat indicators](work-with-threat-indicators.md).
+Find the new intelligence in the management interface or directly in **Logs** by querying the `ThreatIntelligenceIndicator` table. For more information, see [Work with threat intelligence](work-with-threat-indicators.md).
 
 ## Related content
 

articles/sentinel/understand-threat-intelligence.md

@@ -47,8 +47,8 @@ Use threat intelligence in Microsoft Sentinel to detect malicious activity obser
 You can integrate threat intelligence into Microsoft Sentinel through the following activities:
 
 - **Import threat intelligence** into Microsoft Sentinel by enabling *data connectors* to various threat intelligence [platforms](connect-threat-intelligence-tip.md) and [feeds](connect-threat-intelligence-taxii.md).
-- **Create threat intelligence** individually or import using a file from the management interface.
 - **Connect threat intelligence** to Microsoft Sentinel by using the upload API to connect various TI [platforms](connect-threat-intelligence-tip.md) or custom applications.
+- **Create threat intelligence** individually or import using a file from the management interface.
 - **View and manage** the imported threat intelligence in **Logs** or with advanced search in the user interface.
 - **Detect threats** and generate security alerts and incidents by using the built-in **Analytics** rule templates based on your imported threat intelligence.
 - **Visualize key information** about your imported threat intelligence in Microsoft Sentinel with the **Threat Intelligence** workbook.
@@ -59,13 +59,13 @@ Threat intelligence also provides useful context within other Microsoft Sentinel
 
 [!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
 
-## Import threat intelligence with data connectors
+## Import and connect threat intelligence
 
 Most threat intelligence is imported using data connectors or an API. Here are the solutions available for Microsoft Sentinel.
 
 - **Microsoft Defender Threat Intelligence data connector** to ingest Microsoft's threat intelligence 
 - **Threat Intelligence - TAXII** for industry-standard STIX/TAXII feeds
-- **Threat Intelligence upload API** for integrated and curated TI feeds using a REST API to connect 
+- **Threat Intelligence upload API** for integrated and curated TI feeds using a REST API to connect (doesn't require a data connector)
 - **Threat Intelligence Platform data connector** also connects TI feeds using a legacy REST API, but is on the path for deprecation
 
 Use any of these solutions in any combination, depending on where your organization sources threat intelligence. All of these are available in **Content hub** as part of the **Threat Intelligence** solution. For more information about this solution, see the Azure Marketplace entry [Threat Intelligence](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-threatintelligence-taxii?tab=Overview).
@@ -133,23 +133,25 @@ To import STIX-formatted threat intelligence to Microsoft Sentinel from a TAXII
 
 For more information, see [Connect Microsoft Sentinel to STIX/TAXII threat intelligence feeds](connect-threat-intelligence-taxii.md).
 
-## View and manage your threat intelligence
+## Create threat intelligence
 
-View and manage threat intelligence from the management interface. 
-- For threat intelligence powered by Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Threat intelligence** > **Intel management**
-- For threat intelligence in the [Azure portal](https://portal.azure.com), under **Threat management**, select **Threat intelligence**.
+Manually create threat intelligence 
 
-Sort, filter, and search your imported threat intelligence without even writing a Log Analytics query.
+## View and manage your threat intelligence
+
+View and manage threat intelligence from the management interface. Sort, filter, and search your imported threat intelligence without even writing a Log Analytics query.
 
 :::image type="content" source="media/understand-threat-intelligence/advanced-search.png" alt-text="Screenshot that shows an advanced search interface with source and confidence conditions selected." lightbox="media/understand-threat-intelligence/advanced-search.png":::
 
 Two of the most common threat intelligence tasks are tagging and creating new threat intelligence related to security investigations. Create or edit the threat indicators directly in the management interface.
 
 Tagging threat intelligence is an easy way to group them together to make them easier to find. Typically, you might apply tags related to a particular incident, or if an indicator represents threats from a particular known actor or well-known attack campaign you might create a relationship. After you search for the threat intelligence that you want to work with, tag them individually or multiselect and tag them all at once. Because tagging is free-form, we recommend that you create standard naming conventions for threat intelligence tags.
 
-Validate your indicators and view your successfully imported threat indicators from the Microsoft Sentinel-enabled Log Analytics workspace. The `ThreatIntelligenceIndicator` table under the **Microsoft Sentinel** schema is where all your Microsoft Sentinel threat indicators are stored. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features, such as analytics and workbooks. The tables that support other STIX objects aren't available for public preview yet. For more information about opting into tables supporting STIX objects, check with our customer connection program [http://www.aka.ms/JoinCCP](http://www.aka.ms/JoinCCP). 
+Validate your indicators and view your successfully imported threat indicators from the Microsoft Sentinel-enabled Log Analytics workspace. The `ThreatIntelligenceIndicator` table under the **Microsoft Sentinel** schema is where all your Microsoft Sentinel threat indicators are stored. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features, such as analytics and workbooks. 
+
+New tables are used to support the new STIX object schema, but aren't available publicly yet. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt-in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Either ingest your threat intelligence into only the new tables, `ThreatIntelIndicator` and `ThreatIntelObjects`, or alongside the current table, `ThreatIntelligenceIndicator` with this optional request.
 
-Here's an example view of a basic query for threat indicators.
+Here's an example view of a basic query for for just threat indicators using the current table.
 
 :::image type="content" source="media/understand-threat-intelligence/logs-page-ti-table.png" alt-text="Screenshot that shows the Logs page with a sample query of the ThreatIntelligenceIndicator table." lightbox="media/understand-threat-intelligence/logs-page-ti-table.png":::
 

articles/sentinel/whats-new.md

@@ -23,11 +23,16 @@ Get notified when this page is updated by copying and pasting the following URL
 
 ## January 2025
 
+- [Threat intelligence management interface updated](#threat-intelligence-management-interface-updated)
 - [Threat intelligence upload API now supports more STIX objects](#threat-intelligence-upload-api-now-supports-more-stix-objects)
 - [Microsoft Defender Threat Intelligence data connectors now generally available (GA)](#microsoft-defender-threat-intelligence-data-connectors-now-generally-available-ga)
 - [Bicep template support for repositories (Preview)](#bicep-template-support-for-repositories-preview)
 - [View granular solution content in the Microsoft Sentinel content hub](#view-granular-solution-content-in-the-microsoft-sentinel-content-hub)
 
+### Threat intelligence management interface updated
+
+
+
 ### Threat intelligence upload API now supports more STIX objects
 
 Make the most of your threat intelligence platforms when you connect them to Microsoft Sentinel with the upload API. Now you can ingest more objects than just indicators, reflecting the varied threat intelligence available. The upload API supports the following STIX objects:
@@ -91,7 +96,7 @@ The **Agentless solution** uses the SAP Cloud Connector and SAP Integration Suit
 The **Agentless solution** is compatible with SAP S/4HANA Cloud, Private Edition RISE with SAP, SAP S/4HANA on-premises, and SAP ERP Central Component (ECC), ensuring continued functionality of existing security content, including detections, workbooks, and playbooks.
 
 > [!IMPORTANT]
-> Microsoft Sentinel's **Agentless solution** is in limited preview as a prereleased product, which may be substantially modified before it’s commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here. Access to the **Agentless solution** also requires registration and is only available to approved customers and partners during the preview period. 
+> Microsoft Sentinel's **Agentless solution** is in limited preview as a prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here. Access to the **Agentless solution** also requires registration and is only available to approved customers and partners during the preview period. 
 
 For more information, see:
 
@@ -274,7 +279,7 @@ If you've onboarded Microsoft Sentinel to the Microsoft unified security operati
 
 Your premium license for Microsoft Defender Threat Intelligence (MDTI) now unlocks the ability to ingest all premium indicators directly into your workspace. The premium MDTI data connector adds more to your hunting and research capabilities within Microsoft Sentinel. 
 
-For more information, see [Understand threat intelligence](understand-threat-intelligence.md#add-threat-indicators-to-microsoft-sentinel-with-the-defender-threat-intelligence-data-connector). 
+For more information, see [Understand threat intelligence](understand-threat-intelligence.md#add-threat-intelligence-to-microsoft-sentinel-with-the-defender-threat-intelligence-data-connector). 
 
 ### Unified AMA-based connectors for syslog ingestion
 

articles/sentinel/work-with-threat-indicators.md

@@ -12,24 +12,24 @@ appliesto:
 ms.collection: usx-security
 
 
-#Customer intent: As a security analyst, I want to use threat intelligence in Microsoft Sentinel so that I can detect and respond to security threats more effectively.
+#Customer intent: As a security analyst, I want to use threat intelligence managed by Microsoft Sentinel so that I can detect and respond to security threats more effectively.
 
 ---
 
-# Work with threat indicators in Microsoft Sentinel
+# Work with threat intelligence in Microsoft Sentinel
 
-Integrate threat intelligence into Microsoft Sentinel through the following activities:
+Manage your threat intelligence with the following features:
 
 - **Import threat intelligence** into Microsoft Sentinel by enabling *data connectors* to various threat intelligence [platforms](connect-threat-intelligence-tip.md) and [feeds](connect-threat-intelligence-taxii.md).
-- **View and manage** the imported threat intelligence in **Logs** and on the Microsoft Sentinel **Threat intelligence** page.
+- **View and manage** the imported threat intelligence in **Logs** and the management interface.
 - **Detect threats** and generate security alerts and incidents by using the built-in **Analytics** rule templates based on your imported threat intelligence.
 - **Visualize key information** about your imported threat intelligence in Microsoft Sentinel with the **Threat Intelligence workbook**.
 
 [!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
 
-## View your threat indicators in Microsoft Sentinel
+## View your threat intelligence in Microsoft Sentinel
 
-Learn how to work with threat intelligence indicators throughout Microsoft Sentinel.
+Learn how to work with threat intelligence intelligence throughout Microsoft Sentinel.
 
 ### Find and view your indicators on the Threat intelligence page
 
@@ -43,7 +43,7 @@ To view your threat intelligence indicators on the **Threat intelligence** page:
 
 1. From the grid, select the indicator for which you want to view more information. The indicator's information includes confidence levels, tags, and threat types.
 
-Microsoft Sentinel only displays the most current version of indicators in this view. For more information on how indicators are updated, see [Understand threat intelligence](understand-threat-intelligence.md#view-and-manage-your-threat-indicators).
+Microsoft Sentinel only displays the most current version of indicators in this view. For more information on how indicators are updated, see [Understand threat intelligence](understand-threat-intelligence.md#view-and-manage-your-threat-intelligence).
 
 IP and domain name indicators are enriched with extra `GeoLocation` and `WhoIs` data. This data provides more context for investigations where the selected indicator is found.
 
@@ -98,7 +98,7 @@ Tagging threat indicators is an easy way to group them together to make them eas
 
 :::image type="content" source="media/work-with-threat-indicators/threat-intel-tagging-indicators.png" alt-text="Screenshot that shows applying tags to threat indicators." lightbox="media/work-with-threat-indicators/threat-intel-tagging-indicators.png":::
 
-With Microsoft Sentinel, you can also edit indicators, whether they were created directly in Microsoft Sentinel or come from partner sources, like TIP and TAXII servers. For indicators created in Microsoft Sentinel, all fields are editable. For indicators that come from partner sources, only specific fields are editable, including tags, **Expiration date**, **Confidence**, and **Revoked**. Either way, only the latest version of the indicator appears on the **Threat Intelligence** page. For more information on how indicators are updated, see [Understand threat intelligence](understand-threat-intelligence.md#view-and-manage-your-threat-indicators).
+With Microsoft Sentinel, you can also edit indicators, whether they were created directly in Microsoft Sentinel or come from partner sources, like TIP and TAXII servers. For indicators created in Microsoft Sentinel, all fields are editable. For indicators that come from partner sources, only specific fields are editable, including tags, **Expiration date**, **Confidence**, and **Revoked**. Either way, only the latest version of the indicator appears on the **Threat Intelligence** page. For more information on how indicators are updated, see [Understand threat intelligence](understand-threat-intelligence.md#view-and-manage-your-threat-intelligence).
 
 ## Gain insights about your threat intelligence with workbooks
 
@@ -149,7 +149,7 @@ There's also a rich resource for [Azure Monitor workbooks on GitHub](https://git
 
 ## Related content
 
-For more about threat intelligence in Microsoft Sentinel, see the following articles:
+For more information, see the following articles:
 
 - [Understand threat intelligence in Microsoft Sentinel](understand-threat-intelligence.md).
 - Connect Microsoft Sentinel to [STIX/TAXII threat intelligence feeds](./connect-threat-intelligence-taxii.md).