Microsoft Threat Intelligence Matching Analytics
Published Jul 28 2021 10:01 AM
Microsoft

Introduction

Azure Sentinel is a cloud-native SIEM that offers several ways to bring your own threat intelligence data (BYOTI), such as STIX/TAXII feeds and integrations with various Threat Intelligence Platforms.

Apart from bringing in your own threat intelligence data, you can also reference threat intelligence data produced by Microsoft for detection and analysis.

Today we are announcing the launch of a new analytic rule, Microsoft Threat Intelligence Matching analytics, that matches Microsoft-generated threat intelligence against your logs and produces high-fidelity alerts and incidents, with a severity chosen from the context of the matching log. Once a match is found, the indicator is published to your threat intelligence repository in Azure Sentinel.

In this blog, we will cover:

  1. Details and working of the Microsoft Threat Intelligence Matching analytics
  2. How to enable Microsoft Threat Intelligence Matching analytics
  3. Log sources and threat intelligence types used for matching by this rule
  4. Alert grouping for incident generation and searching IOCs published by this rule

Details and working of the Microsoft Threat Intelligence Matching analytics

Microsoft Threat Intelligence matching analytics is an out-of-the-box analytic rule offered to all Azure Sentinel customers. This rule matches your log data against Microsoft-generated threat intelligence. Microsoft maintains a vast repository of threat intelligence data, and this rule uses a subset of it to generate high-fidelity alerts and incidents for SOC teams to triage.

Currently, this rule matches domain indicators against the following log sources:

  1. Common Security Logs (CEF)
  2. DNS logs
  3. Syslog

How to enable Microsoft Threat Intelligence Matching analytics

Microsoft Threat Intelligence matching analytics can be found in the Analytics menu of Azure Sentinel.

Follow the below steps to enable this rule:

  1. Open the Azure portal and navigate to the Azure Sentinel service.
  2. Choose the workspace in which you would like to enable this rule.
  3. Select Analytics from the menu and search for “Microsoft Threat Intelligence Analytics” in the Rule Templates tab.
  4. Click the Create Rule button and set the status of the rule to Enabled.
  5. Click the Next button and review all the details. Click Save.
  6. Now the rule is enabled and will show up in the Active Rules tab.

Log sources and threat intelligence types used for matching by this rule

The Threat Intelligence Matching analytic rule matches Microsoft threat intelligence with your log data. Currently, the following types of logs are available for matching:

1. Common Security Logs (CEF):

  • Matching is done for all CEF logs ingested into the CommonSecurityLog table of Log Analytics, except those whose DeviceVendor is “Cisco”.
  • To match Microsoft-generated threat intelligence with CEF logs, make sure the domain is mapped to the “RequestURL” field of the CEF log.

2. DNS logs

  • Matching is done for all DNS logs that are lookup queries from clients to DNS services (SubType == "LookupQuery"). Threat Intelligence matching analytics only processes DNS queries for IPv4 (QueryType == "A") and IPv6 (QueryType == "AAAA") records.
  • To match Microsoft-generated threat intelligence with DNS logs, no manual mapping of columns is needed. All columns follow the standard Windows DNS Server schema, and the domain is in the “Name” column.

3. Syslog

  • Matching is done for Syslog events with Facility “cron”. This will be extended to additional log types in the future.
  • To match Microsoft-generated threat intelligence with Syslog, no manual mapping of columns is needed, because the details arrive in the “SyslogMessage” field of the Syslog event by default. The rule parses the domain out of SyslogMessage.
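The selection criteria above can be checked against your own workspace before you enable the rule. The following KQL query is an added example, not part of the original post and not the rule's own query; it counts, per source, how many events from the last 24 hours meet the rule's criteria and how many of those carry a value in the field the rule reads. The regular expression used to pull a domain out of SyslogMessage is an assumption of this example: the post says the rule parses the domain but does not publish its parser.

```kql
// Added example, not the rule's own query: per-source readiness check for the
// Microsoft Threat Intelligence Matching analytics rule.
let lookback = 24h;
// CEF: everything in CommonSecurityLog except DeviceVendor "Cisco";
// the rule reads the domain from RequestURL.
let cef = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor != "Cisco"
    | summarize Total = count(), WithDomain = countif(isnotempty(RequestURL))
    | extend Source = "CommonSecurityLog (DeviceVendor != Cisco)";
// DNS: lookup queries for A and AAAA records; the domain is in Name.
let dns = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where SubType == "LookupQuery" and QueryType in ("A", "AAAA")
    | summarize Total = count(), WithDomain = countif(isnotempty(Name))
    | extend Source = "DnsEvents (LookupQuery, A/AAAA)";
// Syslog: only Facility "cron" today; the rule parses the domain from
// SyslogMessage. The regex below is this example's assumption, not the rule's parser.
let syslog = Syslog
    | where TimeGenerated > ago(lookback)
    | where Facility == "cron"
    | extend ExtractedDomain = extract(@"(?i)\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", 1, SyslogMessage)
    | summarize Total = count(), WithDomain = countif(isnotempty(ExtractedDomain))
    | extend Source = "Syslog (Facility == cron)";
union cef, dns, syslog
| project Source, Total, WithDomain
| order by Source asc
```

A row where Total is high but WithDomain is zero points at a mapping problem (for CEF, the domain is not landing in RequestURL) rather than at the rule. The Syslog column is only an approximation: the regex also accepts dotted IP addresses, and a zero there means the cron messages contain no dotted name at all, so they cannot produce a match whatever the rule's real parser does.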

Alert grouping for incident generation and searching IOC’s published by this rule

The Microsoft Threat Intelligence matching analytic generates an alert every time a match is found. The rule performs alert grouping when generating incidents: alerts are grouped per observable over a 24-hour timeframe. For example, all alerts generated within a 24-hour window for matches with the domain “abc.com” will be grouped into a single incident.

To triage through incidents generated by this analytic rule, you can follow the below steps:

  1. Open the Azure portal and navigate to the Azure Sentinel service.
  2. Choose the workspace in which you have enabled this rule.
  3. Select Incidents from the menu and search for “Microsoft Threat Intelligence Analytics”.
  4. Any incidents generated by the rule will show up in the incidents grid.
  5. Click the View full details button to view entities and other details about the incident, such as its alerts.

Once a match is found, the indicator is also published to the ThreatIntelligenceIndicator table of Log Analytics and shows up in the Threat Intelligence menu. These indicators are stamped with the Source “Microsoft Threat Intelligence Analytics”.

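To review, from the query side, what the rule has published and how its alerts were rolled into incidents, the following KQL is an added example and not part of the original post. It assumes that the Source shown in the Threat Intelligence blade is stored in the SourceSystem column of ThreatIntelligenceIndicator, that incidents created by the rule carry the rule name in their Title (the search string used in step 3 above), and that AlertIds in SecurityIncident is a dynamic array. Each of the two queries is meant to be run on its own.

```kql
// Added example, not from the post: indicators published by the rule (latest
// record per indicator, still active and unexpired).
ThreatIntelligenceIndicator
| where TimeGenerated > ago(30d)
| where SourceSystem == "Microsoft Threat Intelligence Analytics"   // assumed to hold the "Source" shown in the portal
| summarize arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| project TimeGenerated, DomainName, ThreatType, ConfidenceScore, ExpirationDateTime, Description
| order by TimeGenerated desc

// Incidents created from this rule's alerts. AlertCount shows the effect of the
// per-observable, 24-hour grouping: one incident, several alerts.
// Assumption: the rule name appears in the incident Title.
SecurityIncident
| where TimeGenerated > ago(30d)
| where Title has "Microsoft Threat Intelligence Analytics"
| summarize arg_max(LastModifiedTime, *) by IncidentNumber   // keep the latest state of each incident
| extend AlertCount = array_length(AlertIds)
| project IncidentNumber, Title, Severity, Status, CreatedTime, AlertCount
| order by CreatedTime desc
```

The first query filters on Active and ExpirationDateTime because the table keeps every version of an indicator; without the arg_max and the expiry check you would see superseded and expired copies alongside the live ones. If the second query returns nothing while the Incidents blade shows results, the Title assumption does not hold for your workspace and the incident should be located through the blade as described above.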
Conclusion

Hopefully, this article has helped you understand how to use Microsoft-generated threat intelligence matching analytics to generate high-fidelity alerts and incidents, and how to triage them using the information carried by the indicator of compromise (IOC) published to the workspace.

6 Comments
Brass Contributor

Just curious why CEF matching excludes Cisco?

Brass Contributor

Ref. exclusion of Cisco, my guess is that it is due to the fact that Cisco ASA logs are being converted to CEF after the threat intel match. Cisco ASAs don't support CEF and Sentinel is parsing those logs and converts them to CEF in the background (they are the only type of devices that get this special treatment).

Copper Contributor

I don't find the Microsoft Threat Intelligence Analytics rule in the Rule Templates tab. Do I just wait for it to be flighted in my client's tenant?

Copper Contributor

Hello, the rule states that we should disable any custom rule matching TI indicators. Does it mean we should disable all the (Preview) TI map analytical rules?

Microsoft

Hello there.

Where does the "Microsoft has a vast repository of threat intelligence data" come from? Is there any official documentation explaining the origin of this data? Are these feeds, our signals from Microsoft, or some 3P?

Brass Contributor

Hi, same question as tborn,

How to enable "Microsoft Threat Intelligence Analytics" TI Source in Microsoft Sentinel?
