Azure Sentinel is a cloud native SIEM solution that allows various ways to bring your own threat intelligence data (BYOTI) like STIX/TAXII and from various Threat Intelligence Platforms.
Apart from bringing in your own threat intelligence data, you can also reference threat intelligence data produced by Microsoft for detection and analysis.
Today we are announcing launch of a new analytic rule called Microsoft Threat Intelligence Matching analytics that matches Microsoft generated threat intelligence data with your logs and generates high fidelity alerts/incidents with appropriate severity based on the context of the log. Once a match is generated, the indicator is published to your threat intelligence repository in Azure Sentinel.
In this blog, we will cover:
Details and working of the Microsoft Threat Intelligence Matching analytics
Microsoft Threat Intelligence matching analytics is an out of the box analytic rule offered to all Azure Sentinel customers. This rule matches your log data with Microsoft generated threat intelligence. Microsoft has a vast repository of threat intelligence data, and this analytic rule uses a subset of this threat intelligence data to generate high fidelity alerts and incidents for SOC teams to triage.
Currently, this rule matches domain indicators against the following log sources:
How to enable Microsoft Threat Intelligence Matching analytics
Microsoft Threat Intelligence matching analytics can be discovered in the Analytic menu of Azure Sentinel.
Follow the below steps to enable this rule:
Log sources and threat intelligence types used for matching by this rule
The Threat Intelligence Matcing analytic rule matches Microsoft threat intelligence with your log data. Currently, the following types of logs are available for matching:
1. Common Security Logs (CEF):
2. DNS logs
Alert grouping for incident generation and searching IOC’s published by this rule
The Microsoft Threat Intelligence matching analytic generates alert every time a match is received. The rule performs alert grouping while generating incidents. The alerts are grouped on a per observable basis over a 24-hour timeframe. For example, all alerts generated in a 24-hour duration for a match with domain “abc.com” will be grouped in a single incident.
To triage through incidents generated by this analytic rule, you can follow the below steps:
Once a match is received, the indicator is also published to the ThreatIntelligenceIndicators table of log analytics and shows up in the Threat Intelligence menu. The indicators are stamped with the Source as “Microsoft Threat Intelligence Analytics”.
Hopefully, this article has helped you understand how to leverage Microsoft generated threat intelligence matching analytics for generating high fidelity alerts and incidents and triage through them using the information provided with the indicator of compromise (IOC) published to the workspace.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.