How to Edit Threat Indicators in Microsoft Sentinel

Microsoft Sentinel customers have had the capability to organize Threat Indicators through tagging.

Tagging indicators

It is now also possible to modify any threat indicator. For any indicator provided by Microsoft Sentinel, all fields are editable. For partner indicators, only specific fields are editable, such as the Tags, Expiration date, Confidence, and Revoked fields.

Select an indicator and right-click to expose the Edit menu option.

Modify fields

