Jun 07 2023 08:35 AM - edited Jun 07 2023 09:15 AM
Hi there,
All logs coming into the CommonSecurityLog table are automatically mapped to malicious IPs, which produces new fields for:
MaliciousIP, MaliciousIPCountry, ThreatConfidence, ThreatSeverity (etc.)
However these IPs don't always match the data from the Microsoft ThreatIntelligenceIndicator table (assuming you're just using the Microsoft TI data connector).
So my question is:
- Are the Malicious* values better or worse than the Microsoft ThreatIntelligence data connector?
- Is there any benefit of using both? e.g. on their own, the Malicious* matches are very noisy, but if they also match an entry in the ThreatIntelligenceIndicator table - is that a good idea?
- Or is it best to just use the Microsoft TI feed (ThreatIntelligenceIndicator table) and some other logic condition like EDR alerts?
Here's an example of matching on both MaliciousIP and ThreatIntelligenceIndicator:
CommonSecurityLog
| where DeviceVendor == "Zscaler"
| where MaliciousIP == DestinationIP
| summarize count() by SourceHostName, SourceUserName, SourceIP, RequestMethod, ApplicationProtocol, SentBytes, EventOutcome, Reason, RequestClientApplication, MaliciousIP, MaliciousIPCountry, IndicatorThreatType, ThreatConfidence, ReportReferenceLink
| join kind=innerunique (
    ThreatIntelligenceIndicator
    | where Active == true
    | where isnotempty(NetworkIP)
    | extend NetworkIP = tostring(NetworkIP)
) on $left.MaliciousIP == $right.NetworkIP
I appreciate your feedback/experience on this.
Thanks.
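An added example, not from the original post or from Microsoft, that extends the query above so you can measure how often the two sources agree before deciding whether to require both. Rather than keeping only events that hit both lists, it classifies every Zscaler event as matched by the Malicious* enrichment, by the ThreatIntelligenceIndicator table, by both, or by neither, and counts each bucket. It assumes the same setup as the post (Zscaler CEF in CommonSecurityLog, the Microsoft TI connector feeding ThreatIntelligenceIndicator); the columns used are the standard schema columns of those two tables, and the lookback windows are arbitrary values chosen for the example.

```kql
// Added example: measure overlap between the Malicious* enrichment on
// CommonSecurityLog and the ThreatIntelligenceIndicator table.
// Window sizes are arbitrary choices for this example.
let logLookback = 1d;
let tiLookback  = 14d;
// Current, unexpired IP indicators, de-duplicated to the latest record per indicator.
let TI = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(tiLookback)
    | where Active == true and isnotempty(NetworkIP)
    | where ExpirationDateTime > now()
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project NetworkIP, TI_ConfidenceScore = ConfidenceScore, TI_ThreatType = ThreatType;
CommonSecurityLog
| where TimeGenerated > ago(logLookback)
| where DeviceVendor == "Zscaler"
| where isnotempty(DestinationIP)
// leftouter keeps every event; unmatched rows get an empty NetworkIP
| join kind=leftouter TI on $left.DestinationIP == $right.NetworkIP
| extend MatchedMalicious = isnotempty(MaliciousIP) and MaliciousIP == DestinationIP
| extend MatchedTI = isnotempty(NetworkIP)
| extend MatchSource = case(
    MatchedMalicious and MatchedTI, "Both",
    MatchedMalicious, "MaliciousIP only",
    MatchedTI, "TI indicator only",
    "None")
| summarize Events = count(), DistinctDestinations = dcount(DestinationIP) by MatchSource
| order by Events desc
```

If "MaliciousIP only" dwarfs "Both", the enrichment is the noisier source and requiring a TI hit is a reasonable precision filter; if "Both" is close to zero while "TI indicator only" is large, an AND condition would silently discard most of what the TI feed knows about, and an OR with the TI confidence score as a tiebreaker is the safer starting point.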
Sep 15 2023 07:47 PM
@SocInABox sooooo in my experience
CommonSecurityLog is for different security appliances that you have integrated into your Sentinel workspace and have a common event format for log ingestion (usually CEF).
The Malicious values aren't better or worse than threat intelligence; the appliance... especially Zscaler will have its own threat intelligence capability that is available within the product.
If you have a dedicated threat intelligence platform like Recorded Future, it's just a matter of who gets the fastest threat IOC information, but much of a muchness really.
There are definite benefits for using both. The Zscaler (in this example) appliance is self contained, so if your Sentinel workspace ever had an outage (never has, but never say never) your Zscaler would still receive threat intelligence without disruption. Also it's good to correlate against a vendor who is ingesting it and verifying against their platform vs an open source threat intelligence platform like MISP for example.
So all you should need for threat intelligence within Sentinel is to enable the Threat Intelligence analytic and that's it; any alerts will be surfaced from that special analytic type.
I'm hoping this answers your question