TI (Threat Intelligence) in Microsoft Sentinel: high-level overview
Indicators of Compromise (IOCs) are tactical TI in the form of file hashes, IP addresses and/or URLs/domains, used to detect anomalies and/or malicious behavior;
e.g. use IOCs when a 0-day is published, before a signature is included in the (Microsoft Defender) AV detection.
IOCs on their own (e.g. an IP address only) add little value to a detection (is it a true positive or a false positive?). The context of the indicator tells the story of an attack, so contextual TI is important to triage an incident, and time-based retention (expiration) is important to keep the indicator set clean and accurate.
Microsoft Threat Intelligence
Threat Intelligence (TI) is (shared) information an organization can use to detect (alert on) and respond to (e.g. block) malicious behavior (e.g. an attack) against different assets (e.g. identity, device, raw data, etc.).
IOC detection and response (alert and/or block) can be configured in the following Microsoft products:
- Azure AD; Conditional Access (block logon to Azure AD / Office 365)
- Microsoft 365 Defender; Indicator (block access from endpoint)
- Microsoft Sentinel; Threat Intelligence (alert on detection)
The scope of this blog is Microsoft Sentinel (automated or manual input of IOCs).
Microsoft Sentinel is a cloud-native SIEM which ingests different data sets (via data connectors) into a structured data set to be used by analytics (incident rules), hunting queries, workbooks, etc.
Microsoft Sentinel uses TI (Threat Intelligence) in the form of IOCs to detect anomalies and/or malicious behavior in the Log Analytics workspace (data).
Data Connector (config)
Data connectors connect the data sources from which data is collected (imported) and stored in the Log Analytics workspace to be processed.
Structured data often comes from Microsoft products (e.g. Microsoft Defender for Cloud or Microsoft 365 Defender), which send only relevant data; an example is only incident (plus underlying alert) data from a security product (hunting then needs to be done in the original data set, unless the raw data is also ingested into Azure Sentinel; only MDE and MDO raw data are supported at the time of writing).
Raw data often comes from Microsoft products (e.g. Microsoft 365 Defender: MDE and MDO at the time of writing, but also Azure WAF, Azure AD, etc.) and/or non-Microsoft products.
Threat Intelligence is structured data and comes from two (three) different sources/formats: two data connectors and one Microsoft TI analytics rule.
Threat Intelligence Platforms [TIP]
Threat Intelligence platforms can be used to stream IOCs via the Microsoft Graph Security tiIndicators API (Application Programming Interface) into the Log Analytics workspace.
Examples of TIPs are MISP (Malware Information Sharing Platform), Palo Alto MineMeld, etc. The setup is based on a node/docker image (e.g. on Azure IaaS or PaaS), an Azure AD App Registration (App ID, App Secret and Tenant ID) and API (ThreatIndicators) permissions.
Threat Intelligence — TAXII
The most widely adopted industry standards for CTI transmission are the STIX data format and the TAXII protocol.
Organizations that get threat indicators from current STIX/TAXII version 2.x solutions can use the Threat Intelligence — TAXII data connector to import threat indicators into Azure Sentinel. The built-in Azure Sentinel TAXII client imports threat intelligence from TAXII 2.x servers (configured with the API root and Collection ID).
An example of a TAXII server is Anomali Limo (API root https://limo.anomali.com/api/v1/taxii2/feeds/).
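The following Python script is an added example (it is not code from Microsoft, MISP or MineMeld and not part of this post). It ties the TIP and TAXII sections together: it parses STIX 2.x indicator objects in the shape a TAXII 2.x collection returns them and turns each one into a request body for the Microsoft Graph Security tiIndicators API, which is the path a TIP uses to stream IOCs into Azure Sentinel. The sample STIX objects are constructed, the access token is assumed to come from the App Registration (client credentials) described above with the ThreatIndicators.ReadWrite.OwnedBy permission, and the 14-day default TTL for indicators without a valid_until is an assumption. No network call is made unless submit_indicators is called with a real token.

```python
"""Added example: STIX 2.x indicators (from a TAXII 2.x collection) to
Microsoft Graph Security tiIndicators request bodies for Azure Sentinel.
Not Microsoft, MISP or MineMeld code."""
import json
import re
import urllib.request
from datetime import datetime, timedelta

GRAPH_TI_URL = "https://graph.microsoft.com/beta/security/tiIndicators"

# Constructed sample feed content (not real indicators): three STIX indicators
# with single-comparison patterns, the shape most TAXII feeds deliver.
SAMPLE_STIX_OBJECTS = [
    {
        "type": "indicator",
        "id": "indicator--11111111-1111-4111-8111-111111111111",
        "name": "C2 address (constructed sample)",
        "pattern": "[ipv4-addr:value = '198.51.100.23']",
        "valid_from": "2021-06-01T00:00:00Z",
        "valid_until": "2021-06-15T00:00:00Z",
        "confidence": 80,
    },
    {
        "type": "indicator",
        "id": "indicator--22222222-2222-4222-8222-222222222222",
        "name": "Dropper hash (constructed sample)",
        "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']",
        "valid_from": "2021-06-01T00:00:00Z",
        # no valid_until: the feed leaves retention to the consumer
    },
    {
        "type": "indicator",
        "id": "indicator--33333333-3333-4333-8333-333333333333",
        "name": "Phishing page (constructed sample)",
        "pattern": "[url:value = 'http://bad.example/login']",
        "valid_from": "2021-06-01T00:00:00Z",
        "valid_until": "2021-06-08T00:00:00Z",
        "confidence": 60,
    },
]

# Matches [<observable-type>:<property> = '<value>'] and nothing more complex.
_PATTERN_RE = re.compile(r"^\[\s*([a-z0-9-]+):([^\s=]+)\s*=\s*'([^']*)'\s*\]$")


def parse_simple_pattern(pattern):
    """Return (observable type, property, value) of a single-comparison STIX pattern."""
    m = _PATTERN_RE.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported STIX pattern: {pattern}")
    return m.group(1), m.group(2), m.group(3)


def to_ti_indicator(stix_obj, default_ttl_days=14):
    """Build one Graph tiIndicators body from a STIX indicator.

    Every indicator gets an expirationDateTime: the feed's valid_until when
    present, otherwise valid_from plus a default TTL (assumed value). Expired
    indicators are ignored by the Sentinel TI-map rules, which is the
    time-based retention the post asks for."""
    obs_type, prop, value = parse_simple_pattern(stix_obj["pattern"])
    body = {
        "action": "alert",             # Sentinel alerts; blocking is done in MDE / Conditional Access
        "targetProduct": "Azure Sentinel",
        "externalId": stix_obj["id"],  # lets the TIP update or delete the indicator later
        "description": stix_obj.get("name", stix_obj["id"]),
        "confidence": int(stix_obj.get("confidence", 50)),
        "tlpLevel": "amber",
        "threatType": "WatchList",
    }
    if obs_type == "ipv4-addr" and prop == "value":
        body["networkIPv4"] = value
    elif obs_type == "domain-name" and prop == "value":
        body["domainName"] = value
    elif obs_type == "url" and prop == "value":
        body["url"] = value
        body["threatType"] = "MaliciousUrl"
    elif obs_type == "file" and prop.startswith("hashes."):
        # "hashes.'SHA-256'" -> "sha256", "hashes.MD5" -> "md5"
        body["fileHashType"] = prop[len("hashes."):].strip("'").replace("-", "").lower()
        body["fileHashValue"] = value
        body["threatType"] = "Malware"
    else:
        raise ValueError(f"no tiIndicators field for {obs_type}:{prop}")

    valid_until = stix_obj.get("valid_until")
    if valid_until is None:
        start = datetime.strptime(stix_obj["valid_from"], "%Y-%m-%dT%H:%M:%SZ")
        valid_until = (start + timedelta(days=default_ttl_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    body["expirationDateTime"] = valid_until
    return body


def submit_indicators(payloads, access_token):
    """POST each body to Graph. access_token is an app-only token from the App
    Registration granted ThreatIndicators.ReadWrite.OwnedBy. Network call;
    not exercised by the offline run below."""
    created = []
    for body in payloads:
        req = urllib.request.Request(
            GRAPH_TI_URL, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {access_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            created.append(json.load(resp))
    return created


if __name__ == "__main__":
    for obj in SAMPLE_STIX_OBJECTS:
        print(json.dumps(to_ti_indicator(obj), indent=2))
```

Patterns with more than one comparison (AND/OR, FOLLOWEDBY) are rejected rather than half-parsed, because a partial match would create an indicator that is broader than what the feed asserted; the built-in TAXII connector handles that mapping for you, which is the main reason to prefer it over a custom TIP bridge when a feed speaks TAXII 2.x.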
Microsoft Threat Intelligence (Analytics)
Microsoft Threat Intelligence doesn't require a data connector but a (Preview) Analytics rule to enable it (which alerts directly if an indicator is detected).
Microsoft Threat Intelligence receives threat intelligence indicators generated by Microsoft, which can be matched against CEF, DNS and Syslog data at the time of writing.
The threat intelligence table ThreatIntelligenceIndicator can be used in analytics, logs and hunting and in the Threat Intelligence menu.
Threat Intelligence (menu)
The Threat Intelligence menu is an overview of TI-related (contextual) information, including detected IOCs (alerts).
Disclaimer: a detected indicator (alert in this menu) does not create an analytics alert out of the box (this requires an analytics rule)!
Microsoft provides a set of template 'TI map' analytics rules for each product (e.g. Azure AD SigninLogs) plus the threat intelligence source (e.g. TAXII).
The table ThreatIntelligenceIndicator can be used in analytics, hunting, workbooks, logs, etc.
If an indicator is detected (via an analytics rule), an incident is created in the Incidents menu,
and the details of the incident can be seen in investigation mode, for example.
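To show what a 'TI map' rule actually evaluates before an incident appears, here is an added Python model of the 'TI map IP entity to SigninLogs' logic (this is not Microsoft's template rule, whose real form is a KQL analytics rule, and not code from this post). It does what the rule's query does in three steps: take the latest version of each indicator (summarize arg_max(TimeGenerated, *) by IndicatorId), keep only Active == true with ExpirationDateTime > now(), and join on the sign-in's IPAddress, carrying the indicator's description, threat type and confidence into the match. All rows are constructed; the column names are those of the ThreatIntelligenceIndicator and SigninLogs tables.

```python
"""Added example: Python model of a Sentinel 'TI map IP entity to SigninLogs'
analytics rule (not Microsoft's template rule). Constructed rows only."""
from datetime import datetime, timezone


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed ThreatIntelligenceIndicator rows. Each update of an indicator is a
# new row with the same IndicatorId, so the table holds several versions of one IOC.
INDICATORS = [
    {"IndicatorId": "ind-1", "TimeGenerated": "2021-06-01T10:00:00Z", "NetworkIP": "198.51.100.23",
     "Active": True, "ExpirationDateTime": "2021-06-30T00:00:00Z",
     "Description": "C2 address (constructed)", "ThreatType": "C2", "ConfidenceScore": 80},
    {"IndicatorId": "ind-1", "TimeGenerated": "2021-05-01T10:00:00Z", "NetworkIP": "198.51.100.23",
     "Active": True, "ExpirationDateTime": "2021-05-15T00:00:00Z",
     "Description": "C2 address (constructed, older version)", "ThreatType": "C2", "ConfidenceScore": 50},
    {"IndicatorId": "ind-2", "TimeGenerated": "2021-05-20T10:00:00Z", "NetworkIP": "203.0.113.9",
     "Active": True, "ExpirationDateTime": "2021-06-01T00:00:00Z",   # expired by 10 June
     "Description": "Scanner (constructed)", "ThreatType": "WatchList", "ConfidenceScore": 30},
    {"IndicatorId": "ind-3", "TimeGenerated": "2021-06-05T10:00:00Z", "NetworkIP": "203.0.113.77",
     "Active": False, "ExpirationDateTime": "2021-07-01T00:00:00Z",  # withdrawn by the feed
     "Description": "False positive, deactivated (constructed)", "ThreatType": "WatchList", "ConfidenceScore": 0},
    {"IndicatorId": "ind-3", "TimeGenerated": "2021-06-02T10:00:00Z", "NetworkIP": "203.0.113.77",
     "Active": True, "ExpirationDateTime": "2021-07-01T00:00:00Z",
     "Description": "Suspicious host (constructed, superseded)", "ThreatType": "WatchList", "ConfidenceScore": 40},
]

# Constructed SigninLogs rows.
SIGNIN_LOGS = [
    {"TimeGenerated": "2021-06-10T08:00:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "198.51.100.23", "ResultType": "0"},
    {"TimeGenerated": "2021-06-10T08:05:00Z", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "203.0.113.9", "ResultType": "0"},
    {"TimeGenerated": "2021-06-10T08:10:00Z", "UserPrincipalName": "carol@contoso.example",
     "IPAddress": "203.0.113.77", "ResultType": "50126"},
    {"TimeGenerated": "2021-06-10T08:15:00Z", "UserPrincipalName": "dave@contoso.example",
     "IPAddress": "192.0.2.10", "ResultType": "0"},
]


def active_ip_indicators(indicators, now):
    """Indicator side of the rule: arg_max(TimeGenerated, *) by IndicatorId, then
    keep Active == true, ExpirationDateTime > now() and a non-empty NetworkIP.
    Taking the latest version before filtering matters: filtering first would
    let an older, still-active version of a withdrawn indicator keep firing."""
    latest = {}
    for row in indicators:
        prev = latest.get(row["IndicatorId"])
        if prev is None or _ts(row["TimeGenerated"]) > _ts(prev["TimeGenerated"]):
            latest[row["IndicatorId"]] = row
    return [r for r in latest.values()
            if r["Active"] and r.get("NetworkIP") and _ts(r["ExpirationDateTime"]) > now]


def ti_map_ip_to_signins(indicators, signin_logs, now):
    """Inner join of the filtered indicators on NetworkIP == SigninLogs.IPAddress.
    Each match carries the indicator's context, which is what the analyst needs
    to decide between a true and a false positive."""
    by_ip = {r["NetworkIP"]: r for r in active_ip_indicators(indicators, now)}
    matches = []
    for event in signin_logs:
        ind = by_ip.get(event["IPAddress"])
        if ind is None:
            continue
        matches.append({
            "TimeGenerated": event["TimeGenerated"],
            "UserPrincipalName": event["UserPrincipalName"],
            "IPAddress": event["IPAddress"],
            "ResultType": event["ResultType"],
            "IndicatorId": ind["IndicatorId"],
            "Description": ind["Description"],
            "ThreatType": ind["ThreatType"],
            "ConfidenceScore": ind["ConfidenceScore"],
            "ExpirationDateTime": ind["ExpirationDateTime"],
        })
    return matches


if __name__ == "__main__":
    for m in ti_map_ip_to_signins(INDICATORS, SIGNIN_LOGS, _ts("2021-06-10T12:00:00Z")):
        print(m)
```

Run on 10 June the only match is alice's sign-in from the C2 address: bob's source IP is on an indicator that has already expired, and carol's is on one the feed deactivated in its latest version. Run the same sample on 5 July and nothing matches at all, which is the retention behaviour from the introduction: an indicator without a sensible expiration keeps generating incidents long after it stopped being meaningful.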
The Threat Intelligence workbook from Microsoft provides insights into TI information (statistics).
Final words: TI (Threat Intelligence) is a welcome addition to threat detection (use cases) where shared indicators, valid for a certain time frame and coming from third-party and/or Microsoft sources (paid or free), can be used for faster detection of (global or local) threats instead of waiting for AV detection.