Jumpstart threat intelligence programs with the Microsoft Sentinel Threat Intelligence Workbook

Lili Davoudian

TJ Banasik

We’re releasing the next evolution of the Microsoft Sentinel Threat Intelligence Workbook. This solution provides enhanced capabilities in indicator ingestion and indicator search, empowering organizations to centralize and correlate threat data across their workloads and operationalize these insights for investigation and response. As a result, this workbook serves as a starting point for building threat intelligence programs.

For example, Indicator Search provides a free-text search of indicators (IP address, file, hash, email address, username) to determine:

  • Indicators in your data
  • Pattern of the indicator over time
  • Reporting threat intelligence feed and details
  • Security incidents for investigation and response

Learn more by watching the demo:

Use cases

There are several use cases for the Microsoft Sentinel Threat Intelligence Workbook depending on user roles and requirements. Common use cases include threat hunting, developing alerting, and conducting research with custom reporting.

The workbook is organized into two sections:

  • Indicators Ingestion: Evaluate indicators onboarded, threat feeds, and confidence ratings.
  • Indicator Search: Free text search indicators across your cloud workloads.


  • Ingest, analyze, hunt for indicators within cloud, on-premises, multi-cloud, first- and third-party workloads
  • Free text search to hunt for IPs, hash, user account, emails, etc., across your data
  • Investigate and respond to threat intelligence indicators


  • Threat Intelligence Professionals: Investigations
  • SecOps: Alert / automation building
  • MSSP: Consultants, managed service providers

Getting started

  1. Onboard Microsoft Sentinel
  2. Connect threat intelligence platforms
  3. Connect STIX/TAXII feeds
  4. Update workbook version
    1. Microsoft Sentinel > Workbooks > Search “Threat Intelligence” > Select “Update” in bottom right

Image Threat Intelligence Workbook 2 8211 May 2022 gif

  1. Access workbook
    1. Microsoft Sentinel > Threat Intelligence > Threat Intelligence Workbook
  1. Review the content and provide feedback through our survey.

Learn more about threat intelligence with Microsoft Security


Discussion is closed.

Feedback usabilla icon