add tabbed navigation selection

Author: austinmccollum

articles/sentinel/media/work-with-threat-indicators/intel-management-navigation.png

@@ -13,20 +13,31 @@ ms.collection: usx-security
 #Customer intent: As a security analyst, I want to use threat intelligence managed by Microsoft Sentinel so that I can detect and respond to security threats more effectively.
 ---
 
-# Work with threat intelligence in Microsoft Sentinel
+# Work with Microsoft Sentinel threat intelligence
 
-This article demonstrates how to make the most of threat intelligence (TI) integration in the management interface with these activities:
+Accelerate threat detection and remediation with streamlined creation and management of threat intelligence. This article demonstrates how to make the most of threat intelligence integration in the management interface, whether you're accessing it from Microsoft Sentinel in the Azure portal or using Microsoft's unified SecOps platform.
 
-- Create TI in the management interface
-- Manage TI by viewing, curating, and visualizing 
-
-All of these activities have the same steps except the management interface is accessed differently depending which portal you use.
- 
-- For Microsoft Sentinel-powered threat intelligence in the Defender portal, navigate to **Threat intelligence** > **Intel management**.
-- For Microsoft Sentinel in the Azure portal, navigate to **Threat management** > **Threat intelligence**.
+- Create threat intelligence objects using the standard known as structured threat information expression (STIX)
+- Manage threat intelligence by viewing, curating, and visualizing 
 
 [!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
 
+## Access the management interface
+
+Use one of the following tabs, depending on whether you're working in the Azure portal or the Defender portal. Even though the management interface is accessed differently depending which portal you use, the creation and management tasks have the same steps. 
+
+### [Defender portal](#tab/defender-portal)
+
+For Microsoft Sentinel-powered threat intelligence in the Defender portal, navigate to **Threat intelligence** > **Intel management**.
+
+:::image type="content" source="media/work-with-threat-indicators/intel-management-navigation.png" alt-text="Screenshot showing the intel management menu item in the Defender portal.":::
+
+### [Azure portal](#tab/azure-portal)
+
+For Microsoft Sentinel in the Azure portal, navigate to **Threat management** > **Threat intelligence**.
+
+:::image type="content" source="media/work-with-threat-indicators/threat-intelligence-sentinel.png" alt-text="Screenshot showing threat intelligence menu for Microsoft Sentinel in the Azure portal.":::
+
 ## Create threat intelligence in the management interface
 
 Use the management interface to create threat intelligence objects and perform other common threat intelligence tasks such as indicator tagging and establishing connections between objects security investigations.
@@ -94,8 +105,6 @@ To view your threat intelligence indicators in **Logs**:
 
     :::image type="content" source="media/work-with-threat-indicators/ti-table-results.png" alt-text="Screenshot that shows sample ThreatIntelligenceIndicator table results with the details expanded." lightbox="media/work-with-threat-indicators/ti-table-results.png":::
 
-
-
 ### Tag and edit threat indicators
 
 Tagging threat indicators is an easy way to group them together to make them easier to find. Typically, you might apply tags to an indicator related to a particular incident, or if the indicator represents threats from a particular known actor or well-known attack campaign. After you search for the indicators you want to work with, tag them individually. Multiselect indicators and tag them all at once with one or more tags. Because tagging is free-form, we recommend that you create standard naming conventions for threat indicator tags.