Are you getting the most out of Threat Intelligence in Sentinel?
Correlating threat intelligence feeds with your Security Information and Event Management (SIEM) data can significantly enhance your organization's cybersecurity posture. Here are just a few of the key benefits:
Enhanced Visibility and Context: Threat intelligence enriches SIEM data with additional context, such as the reputation of IP addresses, domains, or file hashes. This helps security analysts prioritize and investigate security events more efficiently.
Improved Threat Detection and Response: By correlating threat intelligence with SIEM data, organizations can identify indicators of compromise (IOCs) and detect sophisticated threats that may otherwise go unnoticed.
Faster Threat Detection: Integrating threat intelligence with your SIEM accelerates threat discovery, enabling quick monitoring and actions. This real-time detection helps security teams respond promptly to potential threats.
Getting the threat intelligence (TI) feed into Microsoft Sentinel is the first step. But to turn that TI into high-fidelity alerts and incidents, you have to enable the Microsoft Defender Threat Intelligence Analytics rule.
If you’re ingesting Microsoft’s threat intelligence feed into Sentinel, you do have to enable an analytics rule so that the IOCs actually get matched against the data in your tables. This built-in rule matches logs against domain, IP, and URL indicators, searching across these log sources:
Azure Activity
ASIM DNS
ASIM Network Sessions
CEF
Office Activity
Syslog
Windows DNS
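To show what that indicator-to-log matching looks like in practice, here is an added KQL example (not the built-in rule’s own query, and not taken from this post) that joins the ThreatIntelligenceIndicator table against DnsEvents on domain name; IP and URL matching works the same way against the NetworkIP/Url columns. Column names follow the standard Sentinel schemas for those two tables, and the lookback windows are assumptions you can adjust.

```kql
// Added illustration of TI-to-log matching in Sentinel; not the built-in rule's query.
// Lookback windows are assumptions, not values from the post.
let log_lookback = 1d;
let ti_lookback = 30d;
// Keep only the newest copy of each domain indicator, and only those still active and unexpired,
// so a revoked or expired indicator does not keep firing.
let ti_domains = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ti_lookback)
    | where isnotempty(DomainName)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project IndicatorId, DomainName = tolower(DomainName), ThreatType,
              ConfidenceScore, Description, IndicatorSeen = TimeGenerated;
// Match DNS lookup queries against the indicator set (case-insensitive, trailing dot stripped).
DnsEvents
| where TimeGenerated >= ago(log_lookback)
| where SubType =~ "LookupQuery" and isnotempty(Name)
| extend QueryName = trim_end(@"\.", tolower(Name))
| join kind=inner ti_domains on $left.QueryName == $right.DomainName
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count()
    by Computer, ClientIP, QueryName, IndicatorId, ThreatType, ConfidenceScore, Description
| order by LastSeen desc
```

Running this in Logs before enabling the rule gives you a feel for how many hits to expect and which indicator details (ThreatType, ConfidenceScore, Description) will be available to the analyst when an alert fires.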
To enable the analytics rule, simply navigate into Sentinel and select Analytics on the left-hand side of the screen. Then click on the Rule templates tab.
Type Microsoft Defender Threat Intelligence Analytics in the Search box.
Once you’ve found the rule, open it and select Create rule.
Click the Review + create button, then click Save.
Hopefully, you’ll never think about this again because nothing bad is in your environment. But if the analytics rule finds a match, you’ll get an alert. The alert will contain a link to any information about that specific piece of threat intel.