Bring your threat intelligence to Microsoft Sentinel
Cyber threat intelligence (CTI) is information describing existing or potential threats to systems and users. This type of information takes many forms, from written reports detailing a particular threat actor’s motivations, infrastructure, and techniques, to specific observations of IP addresses, domains, and file hashes associated with cyber threats. CTI is used by organizations to provide essential context to unusual activity so security personnel can quickly take action to protect their people and assets. CTI can be sourced from many places, such as open source data feeds, threat intelligence sharing communities, paid intelligence feeds, and intelligence gathered in the course of security investigations within an organization.
Within a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most utilized form of CTI is threat indicators, often referred to as Indicators of Compromise or IoCs. Threat indicators are data that associates observations such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to protect and detect potential threats to an organization. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions.
In this blog post, we will cover how to:
Threat Intelligence also provides useful context within other Microsoft Sentinel experiences such as Hunting and Notebooks, and while not covered in this article, Ian Hellen has already written a great post Jupyter Notebooks in Sentinel, which covers the use of CTI within Notebooks.
Just like all the other event data in Microsoft Sentinel, threat indicators are imported using data connectors. There are two data connectors in Microsoft Sentinel provided specifically for threat indicators, Threat Intelligence – TAXII and Threat Intelligence – Platforms. You can use either data connector or both connectors together depending on where your organization sources threat indicators. Let’s talk about each of the data connectors.
Many organizations utilize threat intelligence platform (TIP) solutions to aggregate threat indicator feeds from a variety of sources, curate the data within the platform, and then choose which threat indicators to apply to various security solutions such as network devices, advanced threat protection solutions, or SIEMs such as Microsoft Sentinel. If your organization utilizes an integrated TIP solution, such as MISP, Anomali ThreatStream, ThreatConnect, or Palo Alto Networks MineMeld, the Threat Intelligence – Platforms data connector allows you leverage your TIP to import threat indicators into Microsoft Sentinel. In practice, the Threat Intelligence – Platforms data connector works with the Microsoft Graph Security tiIndicators API to bring threat indicators into Microsoft Sentinel, so this data connector can also be used by any organization who has a custom threat intelligence platform and wants to leverage the tiIndicators API to send indicators to Microsoft Sentinel (and other Microsoft security solutions like Defender ATP).
Follow these steps to import threat indicators to Microsoft Sentinel from your integrated TIP or custom threat intelligence solution:
Now let’s take a detailed look at each of these steps.
Whether you are working with a TIP or custom solution, the tiIndicators API requires some basic information to connect and send threat indicators. This information always comes from your Azure Active Directory through a process called App Registration. The three pieces of information you will obtain from this process are:
To register an app with Azure Active Directory:
The application is now registered with your Azure Active Directory, but you need to specify the permissions this application requires in order to connect to the Microsoft Graph tiIndicators API and send threat indicators. You will also need to grant consent to this application for these permissions for your organization. To do so, follow these steps:
Now that your app has been registered and permissions have been granted, the last thing you’ll need is to obtain a client secret for your app.
You now have all three pieces of information you need to configure your TIP or custom solution to send threat indicators to Microsoft Sentinel.
Input these values in your integrated TIP or custom solution and threat indicators will be sent via the Microsoft Graph tiIndicators API targeted at Microsoft Sentinel.
The last thing you need to do is enable the Threat Intelligence – Platforms data connector in Microsoft Sentinel. This is the step that imports the threat indicators sent from your TIP or custom solution via the Microsoft Graph tiIndicators API into Microsoft Sentinel. These indicators will be available to all Microsoft Sentinel workspaces for your organization. Follow these steps to enable the Threat Intelligence – Platforms data connector for each workspace:
Within a few minutes threat indicators should begin flowing into this Microsoft Sentinel workspace.
Adding threat indicators to Microsoft Sentinel with the Threat Intelligence - TAXII data connector
The most widely adopted industry standard for the transmission of threat intelligence is a data format known as STIX and a protocol known as TAXII. If your organization obtains threat indicators from solutions supporting the current STIX/TAXII version 2.0 or 2.1, you can use the Threat Intelligence – TAXII data connector to bring your threat indicators into Microsoft Sentinel. The Threat Intelligence – TAXII data connector enables a built-in TAXII client in Microsoft Sentinel to import threat intelligence from TAXII 2.x servers.
Follow these steps to import STIX formatted threat indicators to Microsoft Sentinel from a TAXII server:
Now let’s take a detailed look at each of these steps.
TAXII 2.x servers advertise API Roots, which are URLs that host Collections of threat intelligence. Most often the API Root can be obtained via the documentation page of the threat intelligence provider hosting the TAXII server. However, sometimes the only information advertised is a URL known as a Discovery Endpoint. If this is the case, it is easy to find the API Root using the Discovery Endpoint. You can use a simple command line utility called Client URL, which is provided in Windows and most Linux distributions, to discover the API Root and browse the Collections of a TAXII server starting only from the discovery endpoint.
Once you have the API root URL, Collection ID and credentials (if required) for the TAXII server follow the steps mentioned in the section "Enable the Threat Intelligence - TAXII data connector in Microsoft Sentinel" to import the indicators into Microsoft Sentinel.
To import threat indicators into Microsoft Sentinel from a TAXII server follow these steps:
You should receive confirmation that a connection to the TAXII server was established successfully, and you may repeat step (4) above as many times as desired to connect to multiple Collections from the same or different TAXII servers.
View your threat indicators in Microsoft Sentinel
Now that you’ve successfully imported threat indicators into Microsoft Sentinel using either the Threat Intelligence – Platforms and/or the Threat Intelligence – TAXII data connector, you can view them in the ThreatIntelligenceIndicator table in Logs which is where all your Microsoft Sentinel event data is stored. This table will be referenced later in this post when we talk about using your threat indicators in other Microsoft Sentinel features such as Analytics and Workbooks. Let’s look at how to view your threat indicators in the ThreatIntelligenceIndicator table.
Your results should look similar to the example threat indicator shown below
Analytics put your threat indicators to work detecting potential threats
You’ve done all the work to get threat indicators into Microsoft Sentinel so now let’s see how you put them to work. The most important use case for threat indicators in SIEM solutions like Microsoft Sentinel is to power analytics which match your raw events with threat indicators to produce security alerts. In Microsoft Sentinel Analytics, you create analytics rules that trigger on a scheduled basis and generate security alerts. The rules are expressed as queries, along with configurations that determine how often the rule should run, what kind of query results should generate security alerts, and any automated responses to trigger when alerts are generated.
You can always create new analytics rules from scratch, but Microsoft Sentinel also provides a set of built-in rule templates created by Microsoft which you can use as-is or you can modify to meet your needs. The set of analytics rule templates used to match your threat indicators with your event data are all titled beginning with, ‘TI map…’. All these rule templates operate similarly with the only difference being which type of threat indicators are used (domain, email, file hash, IP address, or URL) and which event type to match against. Each template lists the required data sources needed for the rule to function so you can see at a glance if you have the necessary events already imported in Microsoft Sentinel.
Let’s take a look at one of these rule templates and walk through how to enable and configure the rule to generate security alerts using the threat indicators you’ve imported into Microsoft Sentinel. For this example, we’ll use the rule template called, TI map IP entity to AzureActivity. This rule will match any IP address type threat indicator with all your Azure Activity events. When a match is found, a security alert will be generated, as well as a corresponding Incident for investigation by your security operations team. This example presumes you have used one or both the Threat Intelligence data connectors to import threat indicators and the Azure Activity data connector to import your Azure subscription level events, as both data types are needed for this analytics rule to operate successfully.
You can leave the default settings or change any of these to meet your requirements. When you are finished select the Next : Automated response > button
Now that you have enabled your analytic rule, you can find your enabled rule in the Active rules tab of the Analytics section of Microsoft Sentinel. You can edit, enable, disable, duplicate or delete the active rule from here. Your newly activated rule triggers immediately when created, and then will trigger on the regular schedule going forward.
If left with the default settings as we did in this example, each time the rule is triggered on its schedule, any results found will generate a security alert. Security alerts in Microsoft Sentinel can be viewed within Logs section of Microsoft Sentinel, in the SecurityAlert table under the SecurityInsights group.
In Microsoft Sentinel the security alerts generated from analytics rules like the one we just enabled also generate security incidents which can be found in Incidents under Threat Management on the Microsoft Sentinel menu. Incidents are what your security operations teams will triage and investigate to determine the appropriate response actions. You can find detailed information in this Tutorial: Investigate incidents with Microsoft Sentinel.
Workbooks provide insights about your threat intelligence
Finally, you can use an Microsoft Sentinel Workbook to visualize key information about your threat intelligence in Microsoft Sentinel, and you can easily customize the workbooks according to your business needs.
Let’s walk through how to find the threat intelligence workbook provided in Microsoft Sentinel, and we will also show how to make edits to the workbook to customize it.
ThreatIntelligenceIndicator | summarize count() by ThreatType
Workbooks provide powerful interactive dashboards to give you insights into all aspects of Microsoft Sentinel. There is a whole lot you can do with workbooks and while the provided templates are a great starting point, you will likely want to dive in and customize these templates or created new dashboards combining many different data sources and visualize your data in unique ways. Since Microsoft Sentinel workbooks are based off Azure Monitor workbooks, there is already extensive documentation and templates available. A great place to start is this article on how to Create interactive reports with Azure Monitor workbooks.
There is also a rich community of Azure Monitor workbooks on GitHub where you can download additional templates and contribute your own templates.
Hopefully, this article has helped you start exploring the threat intelligence capabilities within Microsoft Sentinel. Over the coming months, you will see additional threat intelligence features added to Microsoft Sentinel as we continue to invest in this important area of the product. We are also actively working with partners like threat intelligence data providers to bring new experiences and capabilities powered by partners you already know and trust.
I encourage you to visit Microsoft Sentinel on GitHub where contributions are being made daily by both the community at large and by Microsoft. Here, you’ll find new ideas, templates, and conversations about all the feature areas of Microsoft Sentinel.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.