How do you handle threat indicators in your workloads? Threat intelligence indicators are often the trigger for incident response investigations, yet many organizations struggle to ingest and make sense of their threat intelligence data. Microsoft Sentinel is a cloud-native SIEM that lets customers import threat intelligence data from a variety of sources, including paid threat feeds, open-source feeds, Threat Intelligence Platforms (TIPs) via STIX/TAXII, and threat intelligence sharing communities. Threat intelligence indicators alone provide little value to security teams unless the data is operationalized. So once feeds are onboarded, organizations need a way to evaluate the quality, health, and throughput of each threat intelligence source.
The next evolution of the Threat Intelligence Workbook provides enhanced capabilities in both indicator ingestion and indicator search, empowering organizations to not only ingest indicators across their workloads, but also to operationalize this data for investigation and response. This solution provides a starting point for building threat intelligence programs, which require the ability to both ingest and correlate threat data across cloud workloads.
For example, indicator search provides a free-text search for indicators (IP address, file hash, email address, username) to determine:
Where the indicator appears in your data
The pattern of the indicator over time
The threat intelligence feed that reported it, and the feed's details
Security incidents to use for investigation and response
Search, Investigate, & Respond to Indicators of Compromise
There are several use cases for the Microsoft Sentinel Threat Intelligence Workbook depending on user roles and requirements. Common use cases include threat hunting, developing alerting, and conducting research with custom reporting.
The workbook is organized into two sections:
Indicators Ingestion: Evaluate indicators onboarded, threat feeds, and confidence ratings.
Indicator Search: Free-text search for indicators across your cloud workloads.
Ingest, analyze, and hunt for indicators across cloud, on-premises, multi-cloud, and first/third-party workloads
Free-text search to hunt for IPs, hashes, user accounts, email addresses, etc. across your data
Investigate and respond to threat intelligence indicators
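As an added illustration of what the two sections do (this is example code written for this page, not part of the workbook or of Microsoft Sentinel; the feed objects, log lines, indicator values and function names are all constructed for the example), the following Python parses a small STIX 2.1-style indicator feed, summarizes indicator count and mean confidence per source, and runs a free-text indicator search over sample log lines to report where an indicator was seen, how it patterns by day, and which feed reported it:

```python
"""Added example (not workbook or Sentinel code): STIX-style indicator ingest
plus free-text indicator search over constructed log lines."""
import re
from collections import Counter, defaultdict

# Constructed sample feed of STIX 2.1-style indicator objects. All values are
# hypothetical; in practice these arrive from a TAXII server or a TIP.
FEED = [
    {"id": "indicator--0001", "pattern": "[ipv4-addr:value = '203.0.113.45']",
     "confidence": 80, "created_by_ref": "feed-alpha", "labels": ["malicious-activity"]},
    {"id": "indicator--0002",
     "pattern": "[file:hashes.'SHA-256' = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef']",
     "confidence": 55, "created_by_ref": "feed-beta", "labels": ["malware"]},
    {"id": "indicator--0003", "pattern": "[email-addr:value = 'billing@example.net']",
     "confidence": 30, "created_by_ref": "feed-alpha", "labels": ["phishing"]},
]

# Constructed sample events in the style of firewall, antivirus and mail logs
# (hypothetical). Each line starts with an ISO-8601 timestamp.
LOGS = [
    "2024-05-01T08:12:03Z firewall src=203.0.113.45 dst=10.0.0.8 action=deny",
    "2024-05-01T09:40:11Z firewall src=203.0.113.45 dst=10.0.0.9 action=allow",
    "2024-05-02T11:05:44Z av host=ws17 sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF verdict=quarantine",
    "2024-05-02T13:22:19Z mail from=billing@example.net to=cfo@corp.example subject='Invoice due'",
    "2024-05-03T01:00:00Z firewall src=198.51.100.7 dst=10.0.0.8 action=allow",
]

# Single-comparison STIX patterns only, e.g. [ipv4-addr:value = '1.2.3.4'].
# Compound patterns (AND/OR/FOLLOWEDBY) are rejected rather than mis-parsed.
PATTERN_RE = re.compile(r"\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']+)'\s*\]")
# Token separators used when searching log lines.
TOKEN_RE = re.compile(r"[\s=,;\"'()\[\]]+")


def parse_indicator(obj):
    """Turn one STIX indicator object into a flat record the search can use."""
    match = PATTERN_RE.fullmatch(obj["pattern"].strip())
    if match is None:
        raise ValueError(f"unsupported STIX pattern: {obj['pattern']!r}")
    return {
        "id": obj["id"],
        "type": match.group(1),
        "value": match.group(2).lower(),      # normalize for case-insensitive search
        "confidence": obj.get("confidence", 0),
        "source": obj["created_by_ref"],
        "labels": list(obj.get("labels", [])),
    }


def load_feed(feed):
    return [parse_indicator(obj) for obj in feed]


def feed_health(indicators):
    """Per-source indicator count and mean confidence: a first feed-quality check."""
    by_source = defaultdict(list)
    for ind in indicators:
        by_source[ind["source"]].append(ind["confidence"])
    return {src: {"count": len(vals), "avg_confidence": sum(vals) / len(vals)}
            for src, vals in by_source.items()}


def _tokens(line):
    return {tok for tok in TOKEN_RE.split(line.lower()) if tok}


def search(term, logs=LOGS, indicators=None):
    """Free-text indicator search: which log lines contain the term as a whole
    token, how the hits pattern over time (per day), and which onboarded
    indicators (and therefore which feeds) reported that value."""
    if indicators is None:
        indicators = load_feed(FEED)
    needle = term.strip().lower()
    hits = [line for line in logs if needle in _tokens(line)]
    by_day = Counter(line[:10] for line in hits)      # date prefix of the timestamp
    reporting = [ind for ind in indicators if ind["value"] == needle]
    return {"term": needle, "hits": hits, "by_day": dict(by_day), "indicators": reporting}


def observed_indicators(logs=LOGS, indicators=None):
    """Map every onboarded indicator to the timestamps at which it was observed."""
    if indicators is None:
        indicators = load_feed(FEED)
    return {ind["id"]: [line[:20] for line in logs if ind["value"] in _tokens(line)]
            for ind in indicators}


if __name__ == "__main__":
    inds = load_feed(FEED)
    print("feed health:", feed_health(inds))
    result = search("203.0.113.45", indicators=inds)
    print("hits:", len(result["hits"]), "by day:", result["by_day"],
          "reported by:", [(i["source"], i["confidence"]) for i in result["indicators"]])
    print("observed:", observed_indicators(indicators=inds))
```

Matching is done on whole tokens rather than substrings, so a partial value such as 203.0.113.4 does not match 203.0.113.45, and values are lowercased on both sides so a hash logged in upper case still matches the feed. In Sentinel itself the equivalent is a KQL query over the ThreatIntelligenceIndicator table joined against your log tables, which is what the workbook's search runs for you.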
What if a threat indicator is observed in the workbook?
Use the workbook to guide your investigation: determine where in your data the indicator was observed, check how the reporting threat intelligence feed classifies it (including its confidence rating), and pivot into Microsoft Sentinel incidents for investigation and response.