![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\")
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 5, **Workbooks:** 1, **Analytic Rules:** 52, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 5, **Workbooks:** 1, **Analytic Rules:** 52, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/Threat Intelligence/Package/mainTemplate.json b/Solutions/Threat Intelligence/Package/mainTemplate.json
index 2f80a894b08..2886a3b99ff 100644
--- a/Solutions/Threat Intelligence/Package/mainTemplate.json
+++ b/Solutions/Threat Intelligence/Package/mainTemplate.json
@@ -516,7 +516,7 @@
"id": "[variables('_uiConfigId1')]",
"title": "Threat intelligence - TAXII",
"publisher": "Microsoft",
- "descriptionMarkdown": "Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2224105&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
+ "descriptionMarkdown": "Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send the supported STIX object types from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2224105&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
@@ -622,7 +622,7 @@
"connectorUiConfig": {
"title": "Threat intelligence - TAXII",
"publisher": "Microsoft",
- "descriptionMarkdown": "Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2224105&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
+ "descriptionMarkdown": "Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send the supported STIX object types from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2224105&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
@@ -832,7 +832,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId3')]",
- "title": "Threat Intelligence Upload Indicators API (Preview)",
+ "title": "Threat Intelligence Upload API (Preview)",
"publisher": "Microsoft",
"descriptionMarkdown": "Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2269830&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
@@ -894,8 +894,8 @@
"title": "1. Get Microsoft Entra ID Access Token"
},
{
- "description": "You can send indicators by calling our Upload Indicators API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01 \n\n>WorkspaceID: the workspace that the indicators are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of indicators in STIX format.",
- "title": "2. Send indicators to Sentinel"
+ "description": "You can send the supported STIX object types by calling our Upload API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligence-stix-objects:upload?api-version=2024-02-01 \n\n>WorkspaceID: the workspace that the STIX objects are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of STIX objects.",
+ "title": "2. Send STIX objects to Sentinel"
}
]
}
@@ -936,7 +936,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId3')]",
"contentKind": "DataConnector",
- "displayName": "Threat Intelligence Upload Indicators API (Preview)",
+ "displayName": "Threat Intelligence Upload API (Preview)",
"contentProductId": "[variables('_dataConnectorcontentProductId3')]",
"id": "[variables('_dataConnectorcontentProductId3')]",
"version": "[variables('dataConnectorVersion3')]"
@@ -980,7 +980,7 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
- "title": "Threat Intelligence Upload Indicators API (Preview)",
+ "title": "Threat Intelligence Upload API (Preview)",
"publisher": "Microsoft",
"descriptionMarkdown": "Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2269830&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
@@ -1042,8 +1042,8 @@
"title": "1. Get Microsoft Entra ID Access Token"
},
{
- "description": "You can send indicators by calling our Upload Indicators API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01 \n\n>WorkspaceID: the workspace that the indicators are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of indicators in STIX format.",
- "title": "2. Send indicators to Sentinel"
+ "description": "You can send the supported STIX object types by calling our Upload API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligence-stix-objects:upload?api-version=2024-02-01 \n\n>WorkspaceID: the workspace that the STIX objects are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of STIX objects.",
+ "title": "2. Send STIX objects to Sentinel"
}
],
"id": "[variables('_uiConfigId3')]"
@@ -2785,12 +2785,12 @@
],
"customDetails": {
"IoCExpirationTime": "ExpirationDateTime",
- "EventTime": "Event_TimeGenerated",
- "IoCDescription": "Description",
"ActivityGroupNames": "ActivityGroupNames",
- "ThreatType": "ThreatType",
+ "IndicatorId": "IndicatorId",
"IoCConfidenceScore": "ConfidenceScore",
- "IndicatorId": "IndicatorId"
+ "IoCDescription": "Description",
+ "ThreatType": "ThreatType",
+ "EventTime": "Event_TimeGenerated"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.",
@@ -6309,12 +6309,12 @@
],
"customDetails": {
"IoCExpirationTime": "ExpirationDateTime",
- "EventTime": "imNWS_TimeGenerated",
- "IoCDescription": "Description",
"ActivityGroupNames": "ActivityGroupNames",
- "ThreatType": "ThreatType",
+ "IndicatorId": "IndicatorId",
"IoCConfidenceScore": "ConfidenceScore",
- "IndicatorId": "IndicatorId"
+ "IoCDescription": "Description",
+ "ThreatType": "ThreatType",
+ "EventTime": "imNWS_TimeGenerated"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.",
@@ -8398,16 +8398,16 @@
],
"customDetails": {
"LatestIndicatorTime": "LatestIndicatorTime",
- "SourceIPAddress": "SrcIpAddr",
+ "DnsQuery": "DnsQuery",
"ExpirationDateTime": "ExpirationDateTime",
"Description": "Description",
- "DnsQuery": "DnsQuery",
+ "SourceIPAddress": "SrcIpAddr",
+ "ConfidenceScore": "ConfidenceScore",
"ActivityGroupNames": "ActivityGroupNames",
- "ThreatType": "ThreatType",
+ "IndicatorId": "IndicatorId",
"QueryType": "DnsQueryType",
- "DNSRequestTime": "DNS_TimeGenerated",
- "ConfidenceScore": "ConfidenceScore",
- "IndicatorId": "IndicatorId"
+ "ThreatType": "ThreatType",
+ "DNSRequestTime": "DNS_TimeGenerated"
}
}
},
@@ -8593,15 +8593,15 @@
],
"customDetails": {
"LatestIndicatorTime": "LatestIndicatorTime",
- "SourceIPAddress": "SrcIpAddr",
+ "DnsQuery": "DnsQuery",
"ExpirationDateTime": "ExpirationDateTime",
"Description": "Description",
- "DnsQuery": "DnsQuery",
+ "SourceIPAddress": "SrcIpAddr",
+ "ConfidenceScore": "ConfidenceScore",
"ActivityGroupNames": "ActivityGroupNames",
+ "IndicatorId": "IndicatorId",
"ThreatType": "ThreatType",
- "DNSRequestTime": "imDns_mintime",
- "ConfidenceScore": "ConfidenceScore",
- "IndicatorId": "IndicatorId"
+ "DNSRequestTime": "imDns_mintime"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.",
@@ -8815,15 +8815,15 @@
}
],
"customDetails": {
- "EventStartTime": "imNWS_mintime",
- "IoCExpirationTime": "ExpirationDateTime",
"IoCIPDirection": "IoCDirection",
- "IoCDescription": "Description",
+ "IoCExpirationTime": "ExpirationDateTime",
+ "IndicatorId": "IndicatorId",
"ActivityGroupNames": "ActivityGroupNames",
- "ThreatType": "ThreatType",
- "IoCConfidenceScore": "ConfidenceScore",
+ "EventStartTime": "imNWS_mintime",
"EventEndTime": "imNWS_maxtime",
- "IndicatorId": "IndicatorId"
+ "IoCDescription": "Description",
+ "ThreatType": "ThreatType",
+ "IoCConfidenceScore": "ConfidenceScore"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.",
@@ -9678,7 +9678,7 @@
"contentSchemaVersion": "3.0.0",
"displayName": "Threat Intelligence",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.
\nData Connectors: 5, Workbooks: 1, Analytic Rules: 52, Hunting Queries: 5
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.
\nData Connectors: 5, Workbooks: 1, Analytic Rules: 52, Hunting Queries: 5
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]",