View and take action on indicators on the Main Tenant.
From the Main Tenant, on the Threat Intel page, you can see the following tabs:
Indicators
Threat Intel Management (TIM) reports
The Threat Intel page shows all indicators and TIM reports across all child tenants.
Note
If you don't have a TIM license you can only view the Indicators tab.
You can't create indicators/TIM reports on the Main Tenant.
Although you can't investigate indicators directly, you can pivot to the indicator on the child tenant by clicking the indicator. You can also go to the child tenant's indicator page by clicking Main Tenant (top left of the window) and selecting the relevant child tenant.
By default, the Indicators page displays open indicators (from all child tenants) in the last seven days. You can filter this by changing the date and selecting the relevant tenant.
In the Indicators tab, you can do the following:
Action | Description |
---|---|
Export CSV | Export the selected indicators to a CSV file. By default, the CSV file is generated in UTF8 format. Administrator permission is required to update server configurations, including changing the format, see Export incidents and indicators to CSV using the UTF8-BOM forma . |
Export STIX | Export the selected indicators to a STIX file |