Merge pull request #50322 from KenMAG/main

Updated the SC-200 Threat intelligence module and improved Acrolinx scores

Author: JamesJBarnett

learn-pr/wwl-sci/utilize-threat-intelligence-azure-sentinel/3-manage-threat-indicators.yml

@@ -4,9 +4,9 @@ title: Manage your threat indicators
 metadata:
   title: Manage your threat indicators
   description: "Manage your threat indicators"
-  ms.date: 06/21/2022
-  author: wwlpublish
-  ms.author: bneeb
+  ms.date: 05/07/2025
+  author: KenMAG
+  ms.author: kelawson
   ms.topic: unit
 azureSandbox: false
 labModal: false

learn-pr/wwl-sci/utilize-threat-intelligence-azure-sentinel/4-view-threat-indicators-with-kql.yml

@@ -4,9 +4,9 @@ title: View your threat indicators with KQL
 metadata:
   title: View your threat indicators with KQL
   description: "View your threat indicators with KQL"
-  ms.date: 06/21/2022
-  author: wwlpublish
-  ms.author: bneeb
+  ms.date: 05/07/2025
+  author: KenMAG
+  ms.author: kelawson
   ms.topic: unit
 azureSandbox: false
 labModal: false

learn-pr/wwl-sci/utilize-threat-intelligence-azure-sentinel/includes/2-define-threat-intelligence.md

@@ -15,4 +15,3 @@ You can integrate threat intelligence (TI) into Microsoft Sentinel through the f
 - Perform threat hunting with your imported threat intelligence.
 
 :::image type="content" source="../media/sentinel-data-flow.png" alt-text="Screenshot of Threat Intelligence uses in Microsoft Sentinel.":::
-

learn-pr/wwl-sci/utilize-threat-intelligence-azure-sentinel/includes/3-manage-threat-indicators.md

@@ -1,13 +1,37 @@
 With the Threat Intelligence area, accessible from the Microsoft Sentinel menu, you can also view, sort, filter, and search your imported threat indicators without even writing a Logs query. This area also allows you to create threat indicators directly within the Microsoft Sentinel interface and perform everyday threat intelligence administrative tasks. These tasks include indicator tagging and creating new indicators related to security investigations. Let's look at two of the most common tasks, creating new threat indicators and tagging indicators for easy grouping and reference.
 
-1. Open the [Azure portal](https://portal.azure.com/?azure-portal=true) and navigate to the Microsoft Sentinel service.
+## [Defender portal](#tab/defender-portal)
 
-1. Choose the workspace to which you've imported threat indicators using either threat intelligence data connector.
+1. Open the [Defender portal](https://security.microsoft.com/) and navigate to Microsoft Sentinel.
 
-1. Select **Threat intelligence** from the **Threat management** section of the Microsoft Sentinel menu.
+1. From the **Threat management** section of the Microsoft Sentinel menu, select **Threat intelligence**.
+
+1. If you see the *This page has a new home* message. Select the **Open Intel management** button.
+
+    :::image type="content" source="../media/threat-intelligence-new-home.png" alt-text="Screenshot of the this page has a new home message for Threat Intelligence in Microsoft Sentinel.":::
+
+1. You're redirected to the *Intel management* page under the *Threat Intelligence* section of the Defender portal navigation menu.
+
+    :::image type="content" source="../media/intel-management.png" alt-text="Screenshot of the Defender Intel management page.":::
+
+    > [!TIP]
+    > As the *Threat intelligence* capabilities in Microsoft Sentinel are being consolidated into the Defender portals *Threat intelligence* section, you can go directly to *Intel management* from there.
+
+1. On the Select the **Add new** button from the top menu of the page.
+
+1. Choose the indicator type, then complete the required fields marked with a red asterisk (*) on the New indicator panel. Select **Apply**.
+
+## [Azure portal](#tab/azure-portal)
+
+Open the [Azure portal](https://portal.azure.com/?azure-portal=true) and navigate to Microsoft Sentinel.
+
+1. Choose the workspace to which you imported threat indicators using either threat intelligence data connector.
+
+1. From the **Threat management** section of the Microsoft Sentinel menu, select **Threat intelligence**.
 
 1. Select the **Add new** button from the top menu of the page.
 
-1. Choose the indicator type, then complete the required fields marked with a red asterisk (*) on the New indicator panel.  Select **Apply**.
+1. Choose the indicator type, then complete the required fields marked with a red asterisk (*) on the New indicator panel. Select **Apply**.
 
-Tagging threat indicators is an easy way to group them to make them easier to find. Typically, you might apply a tag to indicators related to a particular incident or indicators representing threats from a known actor or a well-known attack campaign. You can tag threat indicators individually or multi-select indicators and tag them all at once. Since tagging is free-form, a recommended practice is to create standard naming conventions for threat indicator tags. You can apply multiple tags to each indicator.
+---
+Tagging threat indicators is an easy way to group them to make them easier to find. Typically, you might apply a tag to indicators related to a particular incident or indicators representing threats from a known actor or a well-known attack campaign. You can tag threat indicators individually or multi-select indicators and tag them all at once. Since tagging is free-form, a recommended practice is to create standard naming conventions for threat indicator tags. You can apply multiple tags to each indicator.

learn-pr/wwl-sci/utilize-threat-intelligence-azure-sentinel/includes/4-view-threat-indicators-with-kql.md

@@ -1,9 +1,12 @@
-The indicators reside in the *ThreatIntelligenceIndicator* table.  This table is the basis for queries performed by other Microsoft Sentinel features such as Analytics and Workbooks. Here's how to find and view your threat indicators in the ThreatIntelligenceIndicator table.
+The indicators reside in the *ThreatIntelligenceIndicator* table. This table is the basis for queries performed by other Microsoft Sentinel features such as Analytics and Workbooks. Here's how to find and view your threat indicators in the ThreatIntelligenceIndicator table.
 
-To view your threat indicators with KQL.  Select **Logs** from the General section of the Microsoft Sentinel menu. Then run a query on the ThreatIntelligenceIndicator table.
+To view your threat indicators with KQL. Select **Logs** from the General section of the Microsoft Sentinel menu. Then run a query on the ThreatIntelligenceIndicator table.
 
 ```kusto
-ThreatIntelligenceIndicator
+`ThreatIntelligenceIndicator`
 
 ```
 
+> [!IMPORTANT]
+> On April 3, 2025, we publicly previewed two new tables to support STIX indicator and object schemas: `ThreatIntelIndicators` and `ThreatIntelObjects`. Microsoft Sentinel will ingest all threat intelligence into these new tables, while continuing to ingest the same data into the legacy `ThreatIntelligenceIndicator` table until July 31, 2025.
+> **Be sure to update your custom queries, analytics and detection rules, workbooks, and automation to use the new tables by July 31, 2025.** After this date, Microsoft Sentinel will stop ingesting data to the legacy `ThreatIntelligenceIndicator` table. We're updating all out-of-the-box threat intelligence solutions in Content hub to leverage the new tables. For more information about the new table schemas, see [ThreatIntelIndicators](/azure/azure-monitor/reference/tables/threatintelindicators) and [ThreatIntelObjects](/azure/azure-monitor/reference/tables/threatintelobjects).

learn-pr/wwl-sci/utilize-threat-intelligence-azure-sentinel/index.yml

@@ -3,16 +3,17 @@ uid: learn.wwl.utilize-threat-intelligence-azure-sentinel
 metadata:
   title: Utilize threat intelligence in Microsoft Sentinel
   description: "Utilize threat intelligence in Microsoft Sentinel"
-  ms.date: 06/21/2022
-  author: wwlpublish
+  ms.date: 05/07/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: module
   ms.service: microsoft-sentinel
 title: Utilize threat intelligence in Microsoft Sentinel
 summary: Learn how the Microsoft Sentinel Threat Intelligence page enables you to manage threat indicators.
 abstract: |
-  Upon completion of this module, the learner will be able to:
+  Upon completion of this module, the learner is able to:
   - Manage threat indicators in Microsoft Sentinel
+  - Manage threat indicators in Microsoft Defender
   - Use KQL to access threat indicators in Microsoft Sentinel
 prerequisites: |
   Basic knowledge of security operational concepts such as monitoring, logging, and alerting.
@@ -22,7 +23,7 @@ levels:
 roles:
 - security-operations-analyst
 products:
-- azure
+- microsoft-defender
 - microsoft-sentinel
 subjects:
 - cloud-security