Edit

Share via

Work with Microsoft Sentinel threat intelligence

  • Article
  • Applies to:
    Microsoft Sentinel in the Azure portal, Microsoft Sentinel in the Microsoft Defender portal

Accelerate threat detection and remediation with streamlined creation and management of threat intelligence. This article demonstrates how to make the most of threat intelligence integration in the management interface, whether you're accessing it from Microsoft Sentinel in the Azure portal or the Defender portal.

  • Create threat intelligence objects using structured threat information expression (STIX)
  • Manage threat intelligence by viewing, curating, and visualizing

Important

Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

Access the management interface

Reference one of the following tabs, depending on where you want to work with threat intelligence. Even though the management interface is accessed differently depending which portal you use, the creation and management tasks have the same steps once you get there.

In the Defender portal, navigate to Threat intelligence > Intel management.

Screenshot showing the intel management menu item in the Defender portal.

Create threat intelligence

Use the management interface to create STIX objects and perform other common threat intelligence tasks such as indicator tagging and establishing connections between objects.

  • Define relationships as you create new STIX objects.
  • Quickly create multiple objects by using the duplicate feature to copy the metadata from a new or existing TI object.

For more information on supported STIX objects, see Threat intelligence in Microsoft Sentinel.

Create a new STIX object

  1. Select Add new > TI object.

    Screenshot that shows adding a new threat indicator.

  2. Choose the Object type, then fill in the form on the New TI object page. Required fields are marked with a red asterisk (*).

  3. Consider designating a sensitivity value, or Traffic light protocol (TLP) rating to the TI object. For more information on what the values represent, see Curate threat intelligence.

  4. If you know how this object relates to another threat intelligence object, indicate that connection with the Relationship type and the Target reference.

  5. Select Add for an individual object, or Add and duplicate if you want to create more items with the same metadata. The following image shows the common section of each STIX object's metadata that is duplicated.

Screenshot showing new STIX object creation and the common metadata available to all objects.

Manage threat intelligence

Optimize TI from your sources with ingestion rules. Curate existing TI with the relationship builder. Use the management interface to search, filter and sort, then add tags to your threat intelligence.

Optimize threat intelligence feeds with ingestion rules

Reduce noise from your TI feeds, extend the validity of high value indicators, and add meaningful tags to incoming objects. These are just some of the use cases for ingestion rules. Here are the steps for extending the validity date on high value indicators.

  1. Select Ingestion rules to open a whole new page to view existing rules and construct new rule logic.

    Screenshot showing threat intelligence management menu hovering on ingestion rules.

  2. Enter a descriptive name for your rule. The ingestion rules page has ample rule for the name, but it's the only text description available to differentiate your rules without editing them.

  3. Select the Object type. This use case is based on extending the Valid from property which is only available for Indicator object types.

  4. Add condition for Source Equals and select your high value Source.

  5. Add condition for Confidence Greater than or equal and enter a Confidence score.

  6. Select the Action. Since we want to modify this indicator, select Edit.

  7. Select the Add action for Valid until, Extend by, and select a time span in days.

  8. Consider adding a tag to indicate the high value placed on these indicators, like Extended. The modified date is not updated by ingestion rules.

  9. Select the Order you want the rule to run. Rules run from lowest order number to highest. Each rule evaluates every object ingested.

  10. If the rule is ready to be enabled, toggle Status to on.

  11. Select Add to create the ingestion rule.

Screenshot showing new ingestion rule creation for extending valid until date.

For more information, see Threat intelligence ingestion rules.

Curate threat intelligence with the relationship builder

Connect threat intelligence objects with the relationship builder. There's a maximum of 20 relationships in the builder at once, but more connections can be created through multiple iterations and by adding relationship target references for new objects.

  1. Select Add new > TI relationship.

  2. Start with an existing TI object like a threat actor or attack pattern where the single object connects to one or more existing objects, like indicators.

  3. Add the relationship type according to the best practices outlined in the following table and in the STIX 2.1 reference relationship summary table:

    Relationship type Description
    Duplicate of
    Derived from
    Related to    		 Common relationships defined for any STIX domain object (SDO)
    For more information, see STIX 2.1 reference on common relationships
    Targets Attack pattern or Threat actor Targets Identity
    Uses Threat actor Uses Attack pattern
    Attributed to Threat actor Attributed to Identity
    Indicates Indicator Indicates Attack pattern or Threat actor
    Impersonates Threat actor Impersonates Identity

  4. Use the following image as an example in how to use the relationship builder. This example demonstrates how to make connections made between a threat actor and an attack pattern, indicator, and identity using the relationship builder in the Defender portal.

    Screenshot showing the relationship builder.

  5. Complete the relationship by configuring Common properties.

View your threat intelligence in the management interface

Use the management interface to sort, filter, and search your threat intelligence from whatever source they were ingested from without writing a Log Analytics query.

  1. From the management interface, expand the What would you like to search? menu.

  2. Select a STIX object type or leave the default All object types.

  3. Select conditions using logical operators.

  4. Select the object you want to see more information about.

In the following image, multiple sources were used to search by placing them in an OR group, while multiple conditions were grouped with the AND operator.

Screenshot shows an OR operator combined with multiple AND conditions to search threat intelligence.

Microsoft Sentinel only displays the most current version of your threat intel in this view. For more information on how objects are updated, see Threat intelligence lifecycle.

IP and domain name indicators are enriched with extra GeoLocation and WhoIs data so you can provide more context for any investigations where indicator is found.

Here's an example.

Screenshot that shows the Threat intelligence page with an indicator showing GeoLocation and WhoIs data.

Important

GeoLocation and WhoIs enrichment is currently in preview. The Azure Preview Supplemental Terms include more legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Tag and edit threat intelligence

Tagging threat intelligence is a quick way to group objects together to make them easier to find. Typically, you might apply tags related to a particular incident. But, if an object represents threats from a particular known actor or well-known attack campaign, consider creating a relationship instead of a tag.

  1. Use the management interface to sort, filter, and search for your threat intelligence.
  2. After you find the objects you want to work with, multiselect them choosing one or more objects of the same type.
  3. Select Add tags and tag them all at once with one or more tags.
  4. Because tagging is free-form, we recommend that you create standard naming conventions for tags in your organization.

Edit threat intelligence one object at a time, whether created directly in Microsoft Sentinel or from partner sources, like TIP and TAXII servers. For threat intel created in the management interface, all fields are editable. For threat intel ingested from partner sources, only specific fields are editable, including tags, Expiration date, Confidence, and Revoked. Either way, only the latest version of the object appears in the management interface.

For more information on how threat intel is updated, see View your threat intelligence.

Find and view threat intelligence with queries

This procedure describes how to view your threat intelligence with queries, regardless of the source feed or method you used to ingest them.

Threat indicators are stored in the Microsoft Sentinel ThreatIntelligenceIndicator table. This table is the basis for threat intelligence queries performed by other Microsoft Sentinel features, such as Analytics, Hunting, and Workbooks.

Important

On April 3, 2025, we publicly previewed two new tables to support STIX indicator and object schemas: ThreatIntelIndicator and ThreatIntelObjects. Microsoft Sentinel will ingest all threat intelligence into these new tables, while continuing to ingest the same data into the legacy ThreatIntelligenceIndicator table until July 31, 2025. Be sure to update your custom queries, analytics and detection rules, workbooks, and automation to use the new tables by July 31, 2025. After this date, Microsoft Sentinel will stop ingesting data to the legacy ThreatIntelligenceIndicator table. We're updating all out-of-the-box threat intelligence solutions in Content hub to leverage the new tables. For more information about the new table schemas, see ThreatIntelIndicator and ThreatIntelObjects. For information on using and migrating to the new tables, see (Work with STIX objects to enhance threat intelligence and threat hunting in Microsoft Sentinel (Preview))[work-with-styx-objects-and-indicators.md].

  1. For Microsoft Sentinel in the Defender portal, select Investigation & response > Hunting > Advanced hunting.

  2. The ThreatIntelligenceIndicator table is located under the Microsoft Sentinel group.

Screenshot of add watchlist option on watchlist page.

For more information, see View your threat intelligence.

Visualize your threat intelligence with workbooks

Use a purpose-built Microsoft Sentinel workbook to visualize key information about your threat intelligence in Microsoft Sentinel, and customize the workbook according to your business needs.

Here's how to find the threat intelligence workbook provided in Microsoft Sentinel, and an example of how to make edits to the workbook to customize it.

  1. From the Azure portal, go to Microsoft Sentinel.

  2. Choose the workspace to which you imported threat indicators by using either threat intelligence data connector.

  3. Under the Threat management section of the Microsoft Sentinel menu, select Workbooks.

  4. Find the workbook titled Threat Intelligence. Verify that you have data in the ThreatIntelligenceIndicator table.

    Screenshot that shows verifying that you have data.

  5. Select Save, and choose an Azure location in which to store the workbook. This step is required if you intend to modify the workbook in any way and save your changes.

  6. Now select View saved workbook to open the workbook for viewing and editing.

  7. You should now see the default charts provided by the template. To modify a chart, select Edit at the top of the page to start the editing mode for the workbook.

  8. Add a new chart of threat indicators by threat type. Scroll to the bottom of the page and select Add Query.

  9. Add the following text to the Log Analytics workspace Log Query text box:

    ThreatIntelligenceIndicator
| summarize count() by ThreatType

    See more information on the following items used in the preceding example, in the Kusto documentation:

  10. On the Visualization dropdown menu, select Bar chart.

  11. Select Done editing, and view the new chart for your workbook.

    Screenshot that shows a bar chart for the workbook.

Workbooks provide powerful interactive dashboards that give you insights into all aspects of Microsoft Sentinel. You can do many tasks with workbooks, and the provided templates are a great starting point. Customize the templates or create new dashboards by combining many data sources so that you can visualize your data in unique ways.

Microsoft Sentinel workbooks are based on Azure Monitor workbooks, so extensive documentation and many more templates are available. For more information, see Create interactive reports with Azure Monitor workbooks.

There's also a rich resource for Azure Monitor workbooks on GitHub, where you can download more templates and contribute your own templates.

Related content

For more information, see the following articles:

For more information on KQL, see Kusto Query Language (KQL) overview.

Other resources: