Microsoft

This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

 

Threat intelligence indicators represent data describing known existing or potential threats to systems and users. Threat intelligence addresses many of the challenges Security Operation Centers (SOCs) are faced with today; as a result, successful SOCs are leveraging threat intelligence to improve efficiency in their threat detection, investigation, and response. Here is an example use case of how SOCs use threat intelligence to protect their organizations’ environment. Threat intelligence data provides alert enrichment with additional valuable context such as Severity information, associated Threat Types, and Confidence scores. With such critical information, SOC analysts can make faster and more data-backed decisions in alert validation and prioritization, which helps expedite the incident triage, reduce false positives, and improve the incident analysis.

 

If your organization works with threat intelligence indicators, having a centralized location to efficiently manage your threat intelligence data is crucial to the success of your threat intelligence research and integration experience. To address this need, we are delighted to announce that the threat intelligence menu item is now available in the Azure Sentinel portal! The menu item serves as a single pane of glass for your SOC personnel to view, create, edit, search, sort, and filter your threat intelligence data.

 

How to enable and use the new threat intelligence menu item

In your Azure Sentinel portal, navigate to the Threat Management menu, and select Threat Intelligence (Preview). Below are examples of some of the capabilities you can leverage the threat intelligence menu item today.

 

View indicators

The threat intelligence menu item enables you to conveniently view and access both your custom threat intelligence indicators that you have already created via the User Interface and imported threat intelligence data from external data sources without writing Log Analytics query.

 

 View indicatorsView indicators 

Add and delete a new indicator

Previously, to send threat intelligence data into your Azure Sentinel workspace, you would need to utilize the Threat Intelligence Platform (TIP) and TAXII Server data connectors. All your threat intelligence data are stored in the ThreatIntelligenceIndicator table in your Azure Sentinel workspace.

 

With the new threat intelligence menu item, you can now also create your own custom threat intelligence indicators directly on the Azure Sentinel User Interface. This can be done easily using the “Add new” button on the hero banner of the threat intelligence menu item

 

Deleting an indicator is just as easy as one click using the “Delete” button on the same User Interface.

 

Add and delete an indicatorAdd and delete an indicator

 

Tag an indicator

Tagging is used to categorize and group threat indicators together. Here is an actual example of how you can use tagging. Suppose you are investigating a potential attack and find that the indicator is part of that particular incident, then you can add the incident ID in your desired nomenclature, for example, IncidentID : 1234 to the indicator in Tags. You can later go back to search for all the indicators associated with the incident using the same tag.

 

Tag an indicatorTag an indicator

 

Edit an indicator

If an indicator is created on the Azure Sentinel User Interface using the “Add new” button, it can be edited at any point in time. To distinguish indicators based on where they are imported from, you can use the Source column on the threat intelligence menu item.

If a threat indicator has the Source column as SecurityGraph then it is imported using the threat intelligence – Platforms data connector.

If the Source column is Azure Sentinel then the indicator is created on the Sentinel User Interface using the “Add new” button on the threat intelligence menu item.

If the Source column is the friendly name of TAXII Server that you have connected via Sentinel, then it is imported using the threat intelligence – TAXII data connector.

Only indicators that have Source as Azure Sentinel can be edited due to security reasons.

 

Edit an indicatorEdit an indicator

 

Search, Sort, and Filter indicators

With the new threat intelligence menu item, you can easily search for your specific indicators by their Name, Tags, Values, and Description.

The menu item also enables you to sort the indicators by different columns. Currently you can sort them by Name, Source, and Confidence field.

Additionally, filtering indicators can also be done on the Azure Sentinel User Interface by Type, Source, Confidence, Valid Until, and Threat Type.

 

Search, sort, filter indicatorsSearch, sort, filter indicators

 

Guides and feedback

The “Guides & Feedback” panel provides guidance on how to maximize the use of the threat intelligence. It also gives you the opportunity to share your ideas and experience with our core engineering team and vote/add your ideas on the Azure Sentinel user voice platform.

 

Guides & feedbackGuides & feedback

 

These are just a few highlights of the threat intelligence menu item. For a full list of the functionalities and the step-by-step instruction on how to use a certain feature on there, please refer to the documentation.

 

Get started today!

We encourage you to use the new threat intelligence menu item to improve efficiency in managing your threat intelligence data in your environment.

Try it out, and let us know what you think!

 

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.