How do you handle threat indicators in your workloads? Threat intelligence indicators are often the trigger for incident response investigations, yet many organizations struggle to ingest and make sense of their threat intelligence data. Microsoft Sentinel is a cloud native SIEM that allows customers to import threat intelligence data from various sources, including as paid threat feeds, open-source feeds (including Threat Intelligence Platforms (TIPs) across STIX & TAXII), and threat intelligence sharing communities. Threat intelligence indicators alone don’t provide significant value to security teams without operationalizing the data. As a result, once feeds are onboarded, organizations require a method to evaluate quality, health, and throughput of threat intelligence sources.
The next evolution of the Threat Intelligence Workbook to provides enhanced capabilities in both indicator ingestion and indicator search,empowering organizations to not only ingest indicators across their workloads, but also to operationalize this data for investigation and response.This solution provides a starting point for building threat intelligence programs, which require the ability to both ingest and correlate threat data across cloud workloads.
For example, indicator search provides a free-text search of indicators (IP address, file, hash, email address, username) to determine: