Update

Optimize threat intelligence feeds with ingestion rules

Optimize threat intelligence feeds by filtering and enhancing objects before they're delivered to your workspace. Ingestion rules update threat intel object attributes, or filter objects out altogether.
For more information, see Understand threat intelligence ingestion rules.

Matching analytics rule now generally available (GA)
Microsoft provides access to its premium threat intelligence through the Defender Threat Intelligence analytics rule, which is now generally available (GA). For more information on how to take advantage of this rule, which generates high-fidelity alerts and incidents, see Use matching analytics to detect threats.

Threat intelligence management interface has moved
Threat intelligence for Microsoft Sentinel in the Defender portal has changed! We've renamed the page Intel management and moved it with other threat intelligence workflows. There's no change for customers using Microsoft Sentinel in the Azure experience.

Enhancements to threat intelligence capabilities are available for customers using both Microsoft Sentinel experiences. The management interface streamlines the creation and curation of threat intel with these key features:

  • Define relationships as you create new STIX objects.
  • Curate existing threat intelligence with the new relationship builder.
  • Create multiple objects quickly by copying common metadata from a new or existing TI object using a duplication feature.
  • Use advanced search to sort and filter your threat intelligence objects without even writing a Log Analytics query.

Unlock advanced hunting with new STIX objects by opting in to new threat intelligence tables
Tables supporting the new STIX object schema are in private preview. To view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt in with this form. With this opt-in process, you ingest your threat intelligence into the new tables, ThreatIntelIndicator and ThreatIntelObjects, alongside or instead of the current table, ThreatIntelligenceIndicator.

Version: January 2025 Update 4