Merge pull request #2590 from MicrosoftDocs/main

Published main to live, Wednesday 10:30 AM PST, 01/29

Author: padmagit77

unified-secops-platform/TOC.yml

@@ -47,6 +47,8 @@
       href: reduce-risk-overview.md
     - name: Detect threats
       href: detect-threats-overview.md
+    - name: Uncover adversaries with threat intel
+      href: threat-intelligence-overview.md
     - name: Hunt for threats
       items:
       - name: Overview

unified-secops-platform/media/threat-intel-overview/usx-intel-explorer.png

@@ -0,0 +1,88 @@
+---
+title: Uncover adversaries with threat intelligence in Microsoft's unified SecOps platform
+ms.reviewer: 
+description: Learn about threat intelligence features across Microsoft's unified security operations (SecOps) platform.
+search.appverid: met150
+ms.service: unified-secops-platform
+ms.author: pauloliveria
+author: poliveria
+ms.localizationpriority: medium
+manager: dolmont
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- tier1
+- usx-security
+ms.custom:
+- cx-ti
+ms.topic: conceptual
+ms.date: 01/24/2025
+# customer intent: As a security operations center business decision maker, I want to learn about threat intelligence tools available in Microsoft's unified SecOps platform to help me understand emerging threats affecting organizations like me and how to manage actionable intelligence.
+---
+
+# Uncover adversaries with threat intelligence in Microsoft's unified SecOps platform
+
+Uncover and neutralize modern adversaries with threat intelligence in Microsoft’s unified security operations (SecOps) platform. Whether you use Microsoft's threat intelligence or other sources important to your SecOps organization, **Threat intelligence** in the Microsoft Defender portal unifies the tools needed to identify cyberattackers and their infrastructure.
+
+:::image type="content" source="/unified-secops-platform/media/threat-intel-overview/usx-threat-intel.png" alt-text="Screenshot of Threat intelligence section of the Microsoft Defender portal." lightbox="/unified-secops-platform/media/threat-intel-overview/usx-threat-intel.png":::
+
+_Threat intelligence in the Defender portal_
+
+The emergence of new cybersecurity threats and threat actors and the continuous evolution of the threat landscape result in an ever-increasing amount of threat intelligence that security operations centers (SOCs) must investigate. This threat intelligence takes many forms—from specific indicators of compromise (IOCs) to reports and analyses—and can come from various sources. Microsoft's unified SecOps platform in the Defender portal consolidates all your threat intelligence in one location so SOCs can assess this intelligence quickly and accurately to make informed decisions. Microsoft's unified SecOps platform in the Defender portal pulls threat intelligence from the following sources:
+- Microsoft Defender XDR Threat analytics reports
+- Microsoft Defender Threat Intelligence articles and data sets
+- Microsoft Sentinel threat intelligence
+
+## Threat analytics in Microsoft Defender XDR
+
+**Threat analytics** is the [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender) in-product threat intelligence solution from expert Microsoft security researchers. It's designed to assist security teams to be as efficient as possible while facing emerging threats, such as:
+- Active threat actors and their campaigns
+- Popular and new attack techniques
+- Critical vulnerabilities
+- Common attack surfaces
+- Prevalent malware
+
+:::image type="content" source="/unified-secops-platform/media/threat-intel-overview/usx-threat-analytics.png" alt-text="The analyst report section of a threat analytics report" lightbox="/unified-secops-platform/media/threat-intel-overview/usx-threat-analytics.png":::
+
+_Analyst report section of a threat analytics report_
+
+Each report provides an analysis of a tracked threat and extensive guidance on how to defend against that threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable protections in place. 
+
+For more information, see [Threat analytics in Microsoft Defender XDR](/defender-xdr/threat-analytics).
+
+## Microsoft Defender Threat Intelligence
+
+**Microsoft Defender Threat Intelligence** (Defender TI) helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows. Defender TI aggregates and enriches critical threat information in an easy-to-use interface where users can correlate IOCs with related articles, actor profiles, and vulnerabilities. Defender TI also lets analysts collaborate with fellow Defender TI-licensed users within their tenant on investigations.
+
+You can access Defender TI in the following pages within the **Threat intelligence** navigation menu of the Defender portal:
+- **Intel profiles** - Access a comprehensive library of threat actor, tooling, and vulnerability profiles.
+- **Intel explorer** - Browse threat intelligence for relevant analyses, artifacts, and indicators.
+- **Intel projects** - Manage security artifacts for your entire tenant.
+
+:::image type="content" source="/unified-secops-platform/media/threat-intel-overview/usx-intel-explorer.png" alt-text="Screenshot of Intel explorer page." lightbox="/unified-secops-platform/media/threat-intel-overview/usx-intel-explorer.png":::
+
+_Defender TI's **Intel explorer** page in the Defender portal_
+
+For more information, see [What is Microsoft Defender Threat Intelligence?](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti).
+
+## Intelligence management
+**Intel management** is powered by [Microsoft Sentinel](/azure/sentinel/overview) and provides tools to update, search, and create threat intelligence and manage it at scale. 
+
+The most common forms of threat intelligence are threat indicators, or IOCs. Another facet of threat intelligence represents threat actors, their techniques, tactics, and procedures (TTPs), their infrastructure, and their victims. Intel management supports managing all these facets using structured threat information expression (STIX), the open-source standard for exchanging threat intelligence.
+
+Intel management operationalizes your threat intelligence while Microsoft Sentinel sources it with the following methods of ingestion: 
+- **Import threat intelligence** into Microsoft Sentinel by enabling data connectors to various threat intelligence platforms, including Microsoft’s own Defender TI.
+- **Connect threat intelligence** to Microsoft Sentinel by using the upload API to connect various threat intelligence platforms or custom applications.
+- **Create threat intelligence** individually or import using a file from the Intel management interface.
+
+:::image type="content" source="/unified-secops-platform/media/threat-intel-overview/usx-sentinel-new-stix-object.png" alt-text="Screenshot of Intel management add new STIX object feature." lightbox="/unified-secops-platform/media/threat-intel-overview/usx-sentinel-new-stix-object.png":::
+
+_Example of adding a new STIX object in Intel management_
+
+For more information, see [Understand threat intelligence in Microsoft Sentinel](/azure/sentinel/understand-threat-intelligence).
+
+## Related content
+
+- [Microsoft Defender XDR integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration)
+- [Microsoft Security Copilot in Microsoft Defender Threat Intelligence](/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence)
+- [Infrastructure chaining](/defender/threat-intelligence/infrastructure-chaining)

unified-secops-platform/media/threat-intel-overview/usx-sentinel-new-stix-object.png

@@ -22,13 +22,33 @@ This article lists recent features added into Microsoft's unified SecOps platfor
 
 ## January 2025
 
+- [Unified threat intelligence](#unified-threat-intelligence)
 - [Manage SecOps work natively with case management (Preview)](#case-management-preview)
 - [Unified device timeline in Microsoft Defender portal (Preview)](#unified-device-timeline-in-microsoft-defender-portal-preview)
 - [SOC optimization updates for unified coverage management](#soc-optimization-updates-for-unified-coverage-management)
 
+### Unified threat intelligence
+
+Microsoft Sentinel-powered threat intelligence has moved in the Defender portal to **Intel management**, unifying threat intelligence features. In the Azure portal, the location remains unchanged.
+
+:::image type="content" source="media/whats-new/intel-management-navigation.png" alt-text="Screenshot showing new menu placement for Microsoft Sentinel threat intelligence.":::
+
+Along with the new location, the management interface streamlines the creation and curation of threat intel with these key features:
+
+- Define relationships as you create new STIX objects.
+- Curate existing threat intelligence with the new relationship builder.
+- Create multiple objects quickly by copying common metadata from a new or existing TI object with the duplicate feature.
+- Use advanced search to sort and filter your threat intelligence objects without even writing a Log Analytics query.
+
+For more information, see the following articles:
+
+- [Uncover adversaries with threat intelligence in Microsoft's unified SecOps platform](threat-intelligence-overview.md)
+- [New STIX objects in Microsoft Sentinel](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-new-stix-objects-in-microsoft-sentinel/4369164)
+- [Understand threat intelligence](/azure/sentinel/understand-threat-intelligence#create-and-manage-threat-intelligence)
+
 ### Case management (Preview)
 
-Case management is the first installment of an end-to-end solution that provides seamless management of your security work. SecOps teams maintain security context, work more efficiently and respond faster to attacks when they manage case work without leaving the Defender portal. Here's the initial set of scenarios and features that CMSK supports.
+Case management is the first installment of an end-to-end solution that provides seamless management of your security work. SecOps teams maintain security context, work more efficiently and respond faster to attacks when they manage case work without leaving the Defender portal. Here's the initial set of scenarios and features that case management supports.
 
 - Define your own case workflow with custom status values
 - Assign tasks to collaborators and configure due dates
@@ -38,6 +58,7 @@ Case management is the first installment of an end-to-end solution that provides
 This is just the start. Stay tuned for additional capabilities as we evolve this solution.
 
 For more information, see the following articles:
+
 - [Manage cases natively in Microsoft's unified security operations (SecOps) platform](cases-overview.md)
 - [Microsoft Sentinel blog - Improve SecOps collaboration with case management](https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/improve-secops-collaboration-with-case-management/4369044)