How do you handle threat indicators in your workloads? Threat intelligence indicators are often the trigger for incident response investigations, yet many organizations struggle to ingest and make sense of their threat intelligence data. Microsoft Sentinel is a cloud-native SIEM that allows customers to import threat intelligence data from various sources, including paid threat feeds, open-source feeds (including Threat Intelligence Platforms (TIPs) over STIX and TAXII), and threat intelligence sharing communities. Threat intelligence indicators alone don’t provide significant value to security teams without operationalizing the data. As a result, once feeds are onboarded, organizations require a method to evaluate the quality, health, and throughput of their threat intelligence sources.
The next evolution of the Threat Intelligence Workbook provides enhanced capabilities in both indicator ingestion and indicator search, empowering organizations to not only ingest indicators across their workloads, but also to operationalize this data for investigation and response. This solution provides a starting point for building threat intelligence programs, which require the ability to both ingest and correlate threat data across cloud workloads.
For example, indicator search provides a free-text search of indicators (IP address, file hash, email address, username) to determine:
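The two needs described above, evaluating feed health and throughput and looking up a single indicator, can be checked directly against the Microsoft Sentinel ThreatIntelligenceIndicator table. The following KQL is an added example and not the workbook's own query; the search term is a placeholder and the 30-day lookback is an assumption.

```kusto
// Added example, not taken from the workbook: free-text lookup of one indicator
// across every observable column in ThreatIntelligenceIndicator.
let searchTerm = "<indicator-to-look-up>";   // placeholder: IP, hash, email, domain or URL
let lookback = 30d;                          // assumed window; widen for long-lived indicators
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(lookback)
// Feeds re-ingest indicators; keep only the latest copy of each so nothing is double counted
| summarize arg_max(TimeGenerated, *) by IndicatorId
// 'contains' is a case-insensitive substring match, so partial hashes and CIDR fragments also hit
| where NetworkIP contains searchTerm
    or NetworkSourceIP contains searchTerm
    or NetworkDestinationIP contains searchTerm
    or FileHashValue contains searchTerm
    or EmailSenderAddress contains searchTerm
    or DomainName contains searchTerm
    or Url contains searchTerm
| project TimeGenerated, SourceSystem, ThreatType, ConfidenceScore, Active,
          ExpirationDateTime, Description, IndicatorId
| order by ConfidenceScore desc

// Feed health and throughput: per-source indicator counts, how many are still
// active and unexpired, how many arrived in the last day, and average confidence.
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(30d)
| summarize arg_max(TimeGenerated, *) by IndicatorId
| summarize Indicators    = count(),
            ActiveNow     = countif(Active == true and ExpirationDateTime > now()),
            Last24h       = countif(TimeGenerated >= ago(1d)),
            AvgConfidence = avg(ConfidenceScore)
    by SourceSystem
| order by Indicators desc
```

A source with a healthy indicator count but zero in the Last24h column is the usual sign of a stalled connector, which is worth checking before trusting absence of matches in the first query.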
Use cases
There are several use cases for the Microsoft Sentinel Threat Intelligence Workbook depending on user roles and requirements. Common use cases include threat hunting, developing alerting, and conducting research with custom reporting.
The workbook is organized into two sections:
Benefits
Audience
Getting started
Frequently asked questions