Bring your threat intelligence to Microsoft Sentinel
Published Feb 11 2020 01:32 PM 34.1K Views
Microsoft


Introduction

Cyber threat intelligence (CTI) is information describing existing or potential threats to systems and users. This type of information takes many forms, from written reports detailing a particular threat actor’s motivations, infrastructure, and techniques, to specific observations of IP addresses, domains, and file hashes associated with cyber threats. CTI is used by organizations to provide essential context to unusual activity so security personnel can quickly take action to protect their people and assets. CTI can be sourced from many places, such as open source data feeds, threat intelligence sharing communities, paid intelligence feeds, and intelligence gathered in the course of security investigations within an organization.

 

Within a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most utilized form of CTI is threat indicators, often referred to as Indicators of Compromise or IoCs. Threat indicators are data that associates observations such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to protect and detect potential threats to an organization. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions.

 

In this blog post, we will cover how to:

 

  • Enable Data connectors to import threat intelligence into Microsoft Sentinel
  • View the threat intelligence you’ve imported in your Logs
  • Use the built-in Analytics rule templates to generate security alerts and incidents using your imported threat intelligence
  • Visualize key information about your threat intelligence in Microsoft Sentinel with the Threat Intelligence Workbook

 

Threat Intelligence also provides useful context within other Microsoft Sentinel experiences such as Hunting and Notebooks, and while not covered in this article, Ian Hellen has already written a great post Jupyter Notebooks in Sentinel, which covers the use of CTI within Notebooks.

 

Microsoft Sentinel data connectors for threat intelligence

Just like all the other event data in Microsoft Sentinel, threat indicators are imported using data connectors. There are two data connectors in Microsoft Sentinel provided specifically for threat indicators, Threat Intelligence – TAXII and Threat Intelligence – Platforms. You can use either data connector or both connectors together depending on where your organization sources threat indicators. Let’s talk about each of the data connectors.

 

Adding threat indicators to Microsoft Sentinel with the Threat Intelligence – Platforms data connector

Many organizations utilize threat intelligence platform (TIP) solutions to aggregate threat indicator feeds from a variety of sources, curate the data within the platform, and then choose which threat indicators to apply to various security solutions such as network devices, advanced threat protection solutions, or SIEMs such as Microsoft Sentinel. If your organization utilizes an integrated TIP solution, such as MISP, Anomali ThreatStream, ThreatConnect, or Palo Alto Networks MineMeld, the Threat Intelligence – Platforms data connector allows you to leverage your TIP to import threat indicators into Microsoft Sentinel. In practice, the Threat Intelligence – Platforms data connector works with the Microsoft Graph Security tiIndicators API to bring threat indicators into Microsoft Sentinel, so this data connector can also be used by any organization that has a custom threat intelligence platform and wants to use the tiIndicators API to send indicators to Microsoft Sentinel (and other Microsoft security solutions such as Defender ATP).

platforms_data_flow.png

Follow these steps to import threat indicators to Microsoft Sentinel from your integrated TIP or custom threat intelligence solution:

 

  1. Obtain an App ID and Client Secret from your Azure Active Directory
  2. Input this information into your TIP solution or custom application
  3. Enable the Threat Intelligence – Platforms data connector in Microsoft Sentinel

 

Now let’s take a detailed look at each of these steps.

 

Obtain an App ID and Client secret from your Azure Active Directory

Whether you are working with a TIP or custom solution, the tiIndicators API requires some basic information to connect and send threat indicators. This information always comes from your Azure Active Directory through a process called App Registration. The three pieces of information you will obtain from this process are:

 

  • Application (client) ID
  • Directory (tenant) ID
  • Client secret

 

To register an app with Azure Active Directory:

 

  1. Open the Azure portal and navigate to the Azure Active Directory service.
  2. Select App Registrations from the menu and select New registration.
  3. Choose a name for your application registration, select the Single tenant radio button and select Register.

app_register.png

  4. Copy the Application (client) ID and Directory (tenant) ID values as these are the first two pieces of information you’ll need later to configure your TIP or custom solution to send threat indicators to Microsoft Sentinel.

 

The application is now registered with your Azure Active Directory, but you need to specify the permissions this application requires in order to connect to the Microsoft Graph tiIndicators API and send threat indicators. You will also need to grant consent to this application for these permissions for your organization. To do so, follow these steps:

 

  1. Open the Azure portal and navigate to the Azure Active Directory service.
  2. Select App Registrations from the menu and select your newly registered app.
  3. Select API Permissions from the menu and click the Add a permission button.
  4. On the Select an API page select Microsoft Graph to choose from a list of Microsoft Graph permissions.
  5. When asked "What type of permissions does your application require?", select Application permissions. This is the type of permission used by applications that authenticate with an App ID and client secret (API key) rather than on behalf of a signed-in user.
  6. Select ThreatIndicators.ReadWrite.OwnedBy and select Add permissions to add this permission to your app’s list of permissions.

app_permissions.png

  7. While the required permission has now been added to the app, your organization must grant consent to this application. To grant consent, you need an Azure Active Directory Global Administrator to select the Grant admin consent for your tenant button on your app’s API permissions page. If you do not have the Global Administrator role on your account, this button will be disabled and you will need to ask a Global Administrator from your organization to perform this step.

app_consent.png

  8. Once consent has been granted to your app, you should see a green check mark under Status.

green_check.png

 

Now that your app has been registered and permissions have been granted, the last thing you’ll need is to obtain a client secret for your app.

 

  1. Open the Azure portal and navigate to the Azure Active Directory service.
  2. Select App Registrations from the menu and select your newly registered app.
  3. Select Certificates & secrets from the menu and click the New client secret button to obtain a secret (API key) for your app.

new_secret.png

  4. Click the Add button and be sure to copy the client secret, as you cannot retrieve it again once you navigate away from this page. You will need this value when you configure your TIP or custom solution.

 

Input this information into your TIP solution or custom application

You now have all three pieces of information you need to configure your TIP or custom solution to send threat indicators to Microsoft Sentinel.

 

  • Application (client) ID
  • Directory (tenant) ID
  • Client secret

 

Input these values in your integrated TIP or custom solution and threat indicators will be sent via the Microsoft Graph tiIndicators API targeted at Microsoft Sentinel.
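For a custom threat intelligence solution rather than an off-the-shelf TIP, the three values above are what the client-credentials token request needs, and the indicator itself is a JSON document posted to the tiIndicators API. The following is an added example written for this post and not code from the blog or from Microsoft: it builds such an indicator targeted at Microsoft Sentinel, checks that the properties the API requires are present, and shows the token request. The endpoint and property names follow the Microsoft Graph beta tiIndicators schema as I know it; TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders for the values from your own app registration, and the indicator value is a constructed TEST-NET address.

```python
"""Added example (not from the blog post): build and submit a Microsoft Graph
Security tiIndicators indicator for Microsoft Sentinel from a custom TIP.

Assumptions: endpoint and property names follow the Microsoft Graph beta
tiIndicators schema; TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders
you replace with the values from your own app registration.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder: Application (client) ID
CLIENT_SECRET = "<client secret from Certificates & secrets>"  # placeholder

TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
TI_INDICATORS_URL = "https://graph.microsoft.com/beta/security/tiIndicators"

# Properties the tiIndicators API requires on every indicator, plus at least
# one observable property (network address, domain, URL, file hash, ...).
REQUIRED = ("action", "description", "expirationDateTime", "targetProduct", "threatType", "tlpLevel")
OBSERVABLES = ("networkIPv4", "networkDestinationIPv4", "domainName", "url", "fileHashValue", "emailSenderAddress")


def token_request_body() -> dict:
    """OAuth2 client-credentials request body for an app-only Graph token."""
    return {
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": "https://graph.microsoft.com/.default",
    }


def validate_indicator(indicator: dict) -> None:
    """Raise if a required property or every observable is missing."""
    missing = [k for k in REQUIRED if k not in indicator]
    if missing:
        raise ValueError(f"missing required properties: {missing}")
    if not any(k in indicator for k in OBSERVABLES):
        raise ValueError("indicator carries no observable")


def build_indicator(observable_field, value, threat_type, description,
                    days_valid=14, action="alert", tlp="green", now=None) -> dict:
    """Assemble an indicator targeted at Microsoft Sentinel with a bounded lifetime."""
    now = now or datetime.now(timezone.utc)
    if observable_field not in OBSERVABLES:
        raise ValueError(f"unsupported observable field: {observable_field}")
    indicator = {
        "action": action,
        "description": description,
        "expirationDateTime": (now + timedelta(days=days_valid)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "targetProduct": "Azure Sentinel",  # value the Platforms connector imports
        "threatType": threat_type,
        "tlpLevel": tlp,
        observable_field: value,
    }
    validate_indicator(indicator)
    return indicator


def get_token() -> str:
    """Exchange the app registration's credentials for a bearer token (network call)."""
    data = urllib.parse.urlencode(token_request_body()).encode()
    with urllib.request.urlopen(urllib.request.Request(TOKEN_URL, data=data)) as resp:
        return json.load(resp)["access_token"]


def submit(indicator: dict, access_token: str) -> dict:
    """POST one indicator to the tiIndicators endpoint (network call)."""
    req = urllib.request.Request(
        TI_INDICATORS_URL, data=json.dumps(indicator).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: a TEST-NET-3 address, so nothing real is flagged.
    ind = build_indicator("networkIPv4", "203.0.113.10", "Botnet", "constructed example indicator")
    print(json.dumps(ind, indent=2))
    # submit(ind, get_token())  # enable once the placeholders above are your real values
```

The expiration is set explicitly because indicators without a sensible lifetime keep matching long after the infrastructure has been reassigned; the rule templates later in this post only use indicators whose ExpirationDateTime is still in the future.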

 

Enable the Threat Intelligence – Platforms data connector in Microsoft Sentinel

The last thing you need to do is enable the Threat Intelligence – Platforms data connector in Microsoft Sentinel. This is the step that imports the threat indicators sent from your TIP or custom solution via the Microsoft Graph tiIndicators API into Microsoft Sentinel. These indicators will be available to all Microsoft Sentinel workspaces for your organization. Follow these steps to enable the Threat Intelligence – Platforms data connector for each workspace:

 

  1. Open the Azure portal and navigate to the Microsoft Sentinel service.
  2. Choose the workspace where you want to import your threat indicators sent from your TIP or custom solution.
  3. Select Data connectors from the menu, select Threat Intelligence – Platforms, and click the Open connector page button.
  4. As you’ve already completed the app registration and configured your TIP or custom solution to send threat indicators, the only step left is to click the Connect button.

 

Within a few minutes threat indicators should begin flowing into this Microsoft Sentinel workspace.

 

Adding threat indicators to Microsoft Sentinel with the Threat Intelligence - TAXII data connector

The most widely adopted industry standard for the transmission of threat intelligence is a data format known as STIX and a protocol known as TAXII. If your organization obtains threat indicators from solutions supporting the current STIX/TAXII version 2.0 or 2.1, you can use the Threat Intelligence – TAXII data connector to bring your threat indicators into Microsoft Sentinel. The Threat Intelligence – TAXII data connector enables a built-in TAXII client in Microsoft Sentinel to import threat intelligence from TAXII 2.x servers.

taxii_data_flow.png

Follow these steps to import STIX formatted threat indicators to Microsoft Sentinel from a TAXII server:

 

  1. Obtain the TAXII server API Root and Collection ID
  2. Enable the Threat Intelligence – TAXII data connector in Microsoft Sentinel

 

Now let’s take a detailed look at each of these steps.

 

Obtain the TAXII server API Root and Collection ID

TAXII 2.x servers advertise API Roots, which are URLs that host Collections of threat intelligence. Most often the API Root can be obtained via the documentation page of the threat intelligence provider hosting the TAXII server. However, sometimes the only information advertised is a URL known as a Discovery Endpoint. If this is the case, it is easy to find the API Root using the Discovery Endpoint. You can use a simple command line utility called cURL (curl), which is provided in Windows and most Linux distributions, to discover the API Root and browse the Collections of a TAXII server starting only from the Discovery Endpoint.

 

Once you have the API Root URL, Collection ID and credentials (if required) for the TAXII server, follow the steps in the section "Enable the Threat Intelligence – TAXII data connector in Microsoft Sentinel" to import the indicators into Microsoft Sentinel.
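The walk from Discovery Endpoint to API Root to Collection ID described above, as an added example that is not part of the original post: it sends the Accept header the TAXII specification requires, orders the API Roots with the server's default first, and keeps only the Collections marked readable, since those are the ones a polling client can pull from. The DISCOVERY_URL, credentials and the two sample JSON documents are constructed here so the parsing runs offline; the response shapes follow the TAXII 2.1 discovery and collections resources.

```python
"""Added example (not from the blog post): walk a TAXII 2.x server from its
Discovery Endpoint to the API Root(s) and their Collections, the two values
the Threat Intelligence – TAXII connector asks for.

Assumptions: TAXII 2.1 by default (set TAXII_VERSION = "2.0" for a 2.0
server, which uses a different media type); DISCOVERY_URL and the credentials
are placeholders; SAMPLE_DISCOVERY and SAMPLE_COLLECTIONS are constructed to
mirror the spec's resources so the parsing can be exercised offline.
"""
import base64
import json
import urllib.request

DISCOVERY_URL = "https://taxii.example.invalid/taxii2/"  # placeholder Discovery Endpoint
TAXII_VERSION = "2.1"

MEDIA_TYPES = {
    "2.0": "application/vnd.oasis.taxii+json; version=2.0",
    "2.1": "application/taxii+json;version=2.1",
}


def taxii_get(url, username=None, password=None, version=TAXII_VERSION):
    """GET a TAXII resource with the version-specific Accept header (network call)."""
    headers = {"Accept": MEDIA_TYPES[version]}
    if username:
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)


def api_roots_from_discovery(discovery):
    """API Root URLs from a discovery resource, the server's default root first."""
    roots = list(discovery.get("api_roots", []))
    default = discovery.get("default")
    if default and default in roots:
        roots.remove(default)
        roots.insert(0, default)
    return roots


def collections_url(api_root):
    """The collections endpoint lives directly under the API Root."""
    return api_root.rstrip("/") + "/collections/"


def readable_collections(collections):
    """(id, title) for every collection the caller is allowed to read."""
    return [(c["id"], c.get("title", ""))
            for c in collections.get("collections", []) if c.get("can_read")]


def discover(username=None, password=None):
    """Live walk: discovery -> API Roots -> readable collections per root."""
    result = {}
    for root in api_roots_from_discovery(taxii_get(DISCOVERY_URL, username, password)):
        result[root] = readable_collections(taxii_get(collections_url(root), username, password))
    return result


# Constructed responses shaped like the TAXII 2.1 discovery and collections resources.
SAMPLE_DISCOVERY = {
    "title": "Example TAXII server",
    "default": "https://taxii.example.invalid/api/feeds/",
    "api_roots": ["https://taxii.example.invalid/api/archive/",
                  "https://taxii.example.invalid/api/feeds/"],
}
SAMPLE_COLLECTIONS = {
    "collections": [
        {"id": "91a7b528-80eb-42ed-a74d-c6fbd5a26116", "title": "Indicators",
         "can_read": True, "can_write": False},
        {"id": "0c0a7e5c-4f7e-4f2b-9b0a-8d1e7fa2c3d4", "title": "Inbox",
         "can_read": False, "can_write": True},
    ]
}

if __name__ == "__main__":
    for root in api_roots_from_discovery(SAMPLE_DISCOVERY):
        print("API Root:", root, "-> collections at", collections_url(root))
    for cid, title in readable_collections(SAMPLE_COLLECTIONS):
        print("Collection ID:", cid, "Title:", title)
    # discover("user", "pass")  # run against a real server once DISCOVERY_URL is set
```

The API Root URL printed on the first line and the Collection ID printed on the second are exactly the two values the connector page asks for; a Collection with can_read false will never yield indicators, so it is dropped before you get as far as configuring it.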

 

Enable the Threat Intelligence – TAXII data connector in Microsoft Sentinel

To import threat indicators into Microsoft Sentinel from a TAXII server follow these steps:

 

  1. Open the Azure portal and navigate to the Microsoft Sentinel service.
  2. Choose the workspace where you want to import threat indicators from the TAXII server.
  3. Select Data connectors from the menu, select Threat Intelligence – TAXII, and click the Open connector page button.
  4. Type a name for this TAXII server Collection, the API Root URL, the Collection ID, a Username (if required), and a Password (if required).
  5. Select the polling frequency and lookback period. Polling frequency determines how often the TAXII client connects to the TAXII server.

Pic.PNG

 

You should receive confirmation that a connection to the TAXII server was established successfully, and you may repeat step (4) above as many times as desired to connect to multiple Collections from the same or different TAXII servers.

 

View your threat indicators in Microsoft Sentinel

Now that you’ve successfully imported threat indicators into Microsoft Sentinel using the Threat Intelligence – Platforms data connector, the Threat Intelligence – TAXII data connector, or both, you can view them in the ThreatIntelligenceIndicator table in Logs, which is where all your Microsoft Sentinel event data is stored. This table will be referenced later in this post when we talk about using your threat indicators in other Microsoft Sentinel features such as Analytics and Workbooks. Let’s look at how to view your threat indicators in the ThreatIntelligenceIndicator table.

 

  1. Open the Azure portal and navigate to the Microsoft Sentinel service.
  2. Choose the workspace where you’ve imported threat indicators using either threat intelligence data connector.
  3. Select Logs from the General section of Microsoft Sentinel.
  4. The ThreatIntelligenceIndicator table is located under the SecurityInsights group.
  5. Select the sample query icon next to the table name and select the Run button to execute a query which will show records from this table.

 

Your results should look similar to the example threat indicator shown below.

sample_indicator.png

 

Analytics put your threat indicators to work detecting potential threats

You’ve done all the work to get threat indicators into Microsoft Sentinel so now let’s see how you put them to work. The most important use case for threat indicators in SIEM solutions like Microsoft Sentinel is to power analytics which match your raw events with threat indicators to produce security alerts. In Microsoft Sentinel Analytics, you create analytics rules that trigger on a scheduled basis and generate security alerts. The rules are expressed as queries, along with configurations that determine how often the rule should run, what kind of query results should generate security alerts, and any automated responses to trigger when alerts are generated.

 

You can always create new analytics rules from scratch, but Microsoft Sentinel also provides a set of built-in rule templates created by Microsoft which you can use as-is or you can modify to meet your needs. The set of analytics rule templates used to match your threat indicators with your event data are all titled beginning with, ‘TI map…’. All these rule templates operate similarly with the only difference being which type of threat indicators are used (domain, email, file hash, IP address, or URL) and which event type to match against. Each template lists the required data sources needed for the rule to function so you can see at a glance if you have the necessary events already imported in Microsoft Sentinel.

 

Let’s take a look at one of these rule templates and walk through how to enable and configure the rule to generate security alerts using the threat indicators you’ve imported into Microsoft Sentinel. For this example, we’ll use the rule template called, TI map IP entity to AzureActivity. This rule will match any IP address type threat indicator with all your Azure Activity events. When a match is found, a security alert will be generated, as well as a corresponding Incident for investigation by your security operations team. This example presumes you have used one or both the Threat Intelligence data connectors to import threat indicators and the Azure Activity data connector to import your Azure subscription level events, as both data types are needed for this analytics rule to operate successfully.

 

  1. Open the Azure portal and navigate to the Microsoft Sentinel service.
  2. Choose the workspace where you imported threat indicators using the threat intelligence data connectors and imported Azure activity data using the Azure Activity data connector.
  3. Select Analytics from the Configuration section of the menu.
  4. Select the Rule templates tab to see the list of available analytics rule templates.
  5. Navigate to the rule titled, TI map IP entity to AzureActivity and ensure you have connected all the required data sources as shown below.

required_data_sources.png

  6. Select this rule and select the Create rule button. This opens a wizard to configure the rule. Complete the settings here and select the Next: Set rule logic > button.

rule_details.png

  7. The rule logic portion of the wizard contains the query that will be used in the rule; performs entity mapping, which tells Microsoft Sentinel how to recognize entities such as Accounts, IP addresses, and URLs so that experiences like Incidents and Investigations understand how to work with the data in any security alerts this rule generates; configures the schedule on which the rule runs; and sets the number of query results needed before a security alert is generated. The default settings in the template are:
  • Run once an hour
  • Match any IP address threat indicators from the ThreatIntelligenceIndicator table with any IP address found in the last one hour of events from the AzureActivity table
  • Generate a security alert if the query returns more than zero results, meaning if any matches are found

You can leave the default settings or change any of these to meet your requirements. When you are finished, select the Next : Automated response > button.

  8. This step of the wizard allows you to configure any automation you’d like to trigger when a security alert is generated from this analytics rule. Automation in Microsoft Sentinel is done using Playbooks, powered by Azure Logic Apps. To learn more, see this Tutorial: Set up automated threat responses in Microsoft Sentinel. For this example, we will just select the Next : Review > button to continue.
  9. This last step validates the settings in your rule. When you are ready to enable the rule, select the Create button and you are finished.
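To make the default rule logic concrete, here is an added example, written for this post and not the template's own query: a Python model of what TI map IP entity to AzureActivity does on each scheduled run, executed over a handful of constructed rows so the edge cases can be read and tested offline. It keeps only the newest row per IndicatorId (a TIP that deactivates an indicator sends a fresh row, so the latest one decides), drops expired and inactive indicators, and joins the survivors against the last hour of AzureActivity on CallerIpAddress. The column names are those of the ThreatIntelligenceIndicator and AzureActivity tables; the rows, timestamps and TEST-NET addresses are constructed.

```python
"""Added example (not from the blog post, not the template's KQL): a Python
model of the "TI map IP entity to AzureActivity" rule with its default
settings, run over constructed rows.

Assumptions: column names match the ThreatIntelligenceIndicator and
AzureActivity tables; NOW, INDICATORS and AZURE_ACTIVITY are constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 2, 11, 13, 0, tzinfo=timezone.utc)  # constructed rule-run time


def ts(s):
    """ISO timestamp -> aware UTC datetime (all table timestamps are UTC)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed ThreatIntelligenceIndicator rows. ioc-3 appears twice because a
# later update from the TIP deactivated it; the newest row must win.
INDICATORS = [
    {"IndicatorId": "ioc-1", "NetworkIP": "203.0.113.10", "Active": True, "ThreatType": "Botnet",
     "ExpirationDateTime": ts("2020-03-01T00:00:00"), "TimeGenerated": ts("2020-02-01T08:00:00")},
    {"IndicatorId": "ioc-2", "NetworkIP": "198.51.100.7", "Active": True, "ThreatType": "Malware",
     "ExpirationDateTime": ts("2020-02-10T00:00:00"), "TimeGenerated": ts("2020-02-01T08:00:00")},  # expired
    {"IndicatorId": "ioc-3", "NetworkIP": "192.0.2.44", "Active": True, "ThreatType": "Phishing",
     "ExpirationDateTime": ts("2020-03-01T00:00:00"), "TimeGenerated": ts("2020-02-05T08:00:00")},
    {"IndicatorId": "ioc-3", "NetworkIP": "192.0.2.44", "Active": False, "ThreatType": "Phishing",
     "ExpirationDateTime": ts("2020-03-01T00:00:00"), "TimeGenerated": ts("2020-02-09T08:00:00")},
]

# Constructed AzureActivity rows (subscription-level operations with caller IPs).
AZURE_ACTIVITY = [
    {"TimeGenerated": ts("2020-02-11T12:30:00"), "CallerIpAddress": "203.0.113.10",
     "Caller": "alice@contoso.example", "OperationNameValue": "Microsoft.Compute/virtualMachines/write"},
    {"TimeGenerated": ts("2020-02-11T12:45:00"), "CallerIpAddress": "198.51.100.7",
     "Caller": "bob@contoso.example", "OperationNameValue": "Microsoft.Storage/storageAccounts/listKeys/action"},
    {"TimeGenerated": ts("2020-02-11T12:50:00"), "CallerIpAddress": "192.0.2.44",
     "Caller": "carol@contoso.example", "OperationNameValue": "Microsoft.Authorization/roleAssignments/write"},
    {"TimeGenerated": ts("2020-02-11T10:00:00"), "CallerIpAddress": "203.0.113.10",  # older than the 1h lookback
     "Caller": "alice@contoso.example", "OperationNameValue": "Microsoft.Compute/virtualMachines/start/action"},
]


def current_ip_indicators(indicators, now, ioc_lookback=timedelta(days=14)):
    """Newest row per IndicatorId within the lookback, kept only if active and unexpired."""
    latest = {}
    for row in indicators:
        if row["TimeGenerated"] < now - ioc_lookback or not row.get("NetworkIP"):
            continue
        prev = latest.get(row["IndicatorId"])
        if prev is None or row["TimeGenerated"] > prev["TimeGenerated"]:
            latest[row["IndicatorId"]] = row
    return [r for r in latest.values() if r["Active"] and r["ExpirationDateTime"] > now]


def ti_map_ip_to_azure_activity(indicators, events, now, dt_lookback=timedelta(hours=1)):
    """Join IP indicators against the last hour of AzureActivity on CallerIpAddress."""
    by_ip = {r["NetworkIP"]: r for r in current_ip_indicators(indicators, now)}
    matches = []
    for ev in events:
        if ev["TimeGenerated"] < now - dt_lookback:
            continue
        ind = by_ip.get(ev["CallerIpAddress"])
        # The event must also predate the indicator's expiry to count as a hit.
        if ind and ev["TimeGenerated"] < ind["ExpirationDateTime"]:
            matches.append({"IndicatorId": ind["IndicatorId"], "ThreatType": ind["ThreatType"],
                            "CallerIpAddress": ev["CallerIpAddress"], "Caller": ev["Caller"],
                            "OperationNameValue": ev["OperationNameValue"],
                            "AzureActivity_TimeGenerated": ev["TimeGenerated"]})
    return matches


def should_alert(matches):
    """Default template threshold: alert when the query returns more than zero rows."""
    return len(matches) > 0


if __name__ == "__main__":
    hits = ti_map_ip_to_azure_activity(INDICATORS, AZURE_ACTIVITY, NOW)
    for h in hits:
        print(h["IndicatorId"], h["ThreatType"], h["CallerIpAddress"], h["Caller"], h["OperationNameValue"])
    print("alert:", should_alert(hits))
```

Of the four constructed activity rows only the first becomes an alert: the second matches an expired indicator, the third matches one the TIP has since deactivated, and the fourth falls outside the one-hour event window. If you relax any of those three filters in the wizard you should expect the corresponding class of stale matches to show up in the SecurityAlert table.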

 

Now that you have enabled your analytic rule, you can find your enabled rule in the Active rules tab of the Analytics section of Microsoft Sentinel. You can edit, enable, disable, duplicate or delete the active rule from here. Your newly activated rule triggers immediately when created, and then will trigger on the regular schedule going forward.

 

If left with the default settings as we did in this example, each time the rule is triggered on its schedule, any results found will generate a security alert. Security alerts in Microsoft Sentinel can be viewed within Logs section of Microsoft Sentinel, in the SecurityAlert table under the SecurityInsights group.

 

In Microsoft Sentinel the security alerts generated from analytics rules like the one we just enabled also generate security incidents which can be found in Incidents under Threat Management on the Microsoft Sentinel menu. Incidents are what your security operations teams will triage and investigate to determine the appropriate response actions. You can find detailed information in this Tutorial: Investigate incidents with Microsoft Sentinel.

 

Workbooks provide insights about your threat intelligence

Finally, you can use a Microsoft Sentinel Workbook to visualize key information about your threat intelligence in Microsoft Sentinel, and you can easily customize the workbooks according to your business needs.

Let’s walk through how to find the threat intelligence workbook provided in Microsoft Sentinel, and we will also show how to make edits to the workbook to customize it.

 

  1. Open the Azure portal and navigate to the Microsoft Sentinel service.
  2. Choose the workspace where you’ve imported threat indicators using either threat intelligence data connector.
  3. Select Workbooks from the Threat management section of the menu.
  4. Navigate to the workbook titled, Threat Intelligence and ensure you have data in the ThreatIntelligenceIndicator table as shown below.

required_data.png
  5. Select the Save button and choose an Azure location to store the workbook. This step is required if you are going to modify the workbook in any way and save your changes.
  6. Now select the View saved workbook button to open the workbook for viewing and editing.
  7. You should now see the default charts provided by the template. Now let’s make some changes to one of the charts. Select the Edit button at the top of the page to enter editing mode for the workbook.
  8. Let’s add a new chart of threat indicators by threat type. Scroll to the bottom of the page and select Add Query.
  9. Add the following text to the Log Analytics workspace Log Query text box:

ThreatIntelligenceIndicator
| summarize count() by ThreatType

  10. In the Visualization drop down select Bar chart
  11. Select the Done editing button and just like that you’ve created a new chart for your workbook.

workbook_chart.png

 

Workbooks provide powerful interactive dashboards to give you insights into all aspects of Microsoft Sentinel. There is a whole lot you can do with workbooks, and while the provided templates are a great starting point, you will likely want to dive in and customize these templates or create new dashboards that combine many different data sources and visualize your data in unique ways. Since Microsoft Sentinel workbooks are based on Azure Monitor workbooks, there is already extensive documentation and there are many templates available. A great place to start is this article on how to Create interactive reports with Azure Monitor workbooks.

 

There is also a rich community of Azure Monitor workbooks on GitHub where you can download additional templates and contribute your own templates.

 

Conclusion

Hopefully, this article has helped you start exploring the threat intelligence capabilities within Microsoft Sentinel. Over the coming months, you will see additional threat intelligence features added to Microsoft Sentinel as we continue to invest in this important area of the product. We are also actively working with partners like threat intelligence data providers to bring new experiences and capabilities powered by partners you already know and trust.

 

I encourage you to visit Microsoft Sentinel on GitHub where contributions are being made daily by both the community at large and by Microsoft. Here, you’ll find new ideas, templates, and conversations about all the feature areas of Microsoft Sentinel.

Last update: Aug 02 2022 09:57 PM