October 18th, 2021

Defending federal information systems with Azure Sentinel threat intelligence workbook

TJ Banasik
CISSP-ISSEP, ISSAP, ISSMP, Principal Product Manager

This blog is co-authored by TJ Banasik, CISSP-ISSEP, ISSAP, ISSMP, Senior Program Manager; and Lili Davoudian, Program Manager II of Microsoft Cloud & AI Security.

Threats against federal information systems are a rising concern requiring detailed understanding of threat actors, behavior, and methods. The Executive Order on Improving the Nation’s Cybersecurity details several requirements for removing barriers to sharing threat information, including access and insights into cyber threats and incident information. Threat intelligence is an advanced cybersecurity discipline requiring detailed knowledge of identifying and responding to an attacker based on observation of indicators in various stages of the attack cycle.

Azure Sentinel is a cloud-native SIEM (security information event management) solution that allows customers to import threat intelligence data from various places such as paid threat feeds, open-source feeds, and from various threat intelligence sharing communities. Azure Sentinel supports open-source standards to bring in feeds from threat intelligence platforms (TIPs) across STIX & TAXII. Microsoft has released the next evolution of threat hunting capabilities in the Azure Sentinel threat intelligence workbook.

[Image: Azure Sentinel threat intelligence workbook (animated GIF)]

Azure Sentinel threat intelligence is based on ingestion of threat indicators such as IP addresses, domains, URLs, email senders, and file hashes. This provides a starting point for building threat intelligence programs which require the ability to both ingest and correlate threat data across cloud workloads. Watch this demo for more details:

Benefits

  • Ingest, analyze, hunt for indicators within workloads
  • Free text search to hunt for IPs, hashes, emails, etc., across 50+ Microsoft telemetry components
  • Advanced correlations for artificial intelligence and machine learning (AI/ML), user entity behavior analytics (UEBA), and geospatial location of threats
  • Find, fix, resolve workload weaknesses
  • Query/alert generation

Getting started

The Azure Sentinel threat intelligence workbook provides the capability to both ingest and correlate threat data in cloud workloads. It also provides a free text search to hunt for IPs, hashes, emails, etc., across 50+ Microsoft telemetry components. There are advanced correlations for AI/ML, UEBA, and geospatial location of threat sources. Here’s how to get started:

1. Onboard Azure Sentinel

2. Connect threat intelligence platforms

3. Connect STIX/TAXII feeds

4. Access the content: Azure Sentinel > Threat intelligence > Threat intelligence workbook

[Image: Azure Sentinel TI – Image 1]

5. Review the content and provide feedback through our survey

[Image: Azure Sentinel TI – Image 2]
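Once indicators are flowing in (steps 2 and 3 above), the kind of correlation the workbook performs can also be run by hand from Logs. The following KQL query is an added example written for this post, not code from the workbook or from Microsoft; it joins active IP indicators from the ThreatIntelligenceIndicator table against firewall events in CommonSecurityLog. The 24-hour lookback and the minimum confidence score of 50 are assumed values chosen for illustration.

```kql
// Added example (not from the workbook): match active, unexpired TI IP
// indicators against outbound connections recorded in CommonSecurityLog.
// lookback and minConfidence are assumed tuning values, adjust per workspace.
let lookback = 24h;
let minConfidence = 50;
let activeIpIndicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(lookback)
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP) and ConfidenceScore >= minConfidence
    // an indicator can be re-sent by the feed; keep only its latest version
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorId, NetworkIP, ConfidenceScore, ThreatType, Description;
CommonSecurityLog
| where TimeGenerated >= ago(lookback)
| where isnotempty(DestinationIP)
| project EventTime = TimeGenerated, SourceIP, DestinationIP, DeviceVendor, DeviceProduct, Activity
| join kind=innerunique activeIpIndicators on $left.DestinationIP == $right.NetworkIP
// one row per (internal host, matched indicator) with a hit count and time span
| summarize Hits = count(), FirstSeen = min(EventTime), LastSeen = max(EventTime)
    by SourceIP, DestinationIP, ThreatType, ConfidenceScore, Description, DeviceVendor
| order by Hits desc, ConfidenceScore desc
```

The same shape works for domains, URLs, and file hashes by swapping NetworkIP for DomainName, Url, or FileHashValue and joining to the matching column in DnsEvents, web proxy logs, or endpoint file events.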

Learn more about threat intelligence with Microsoft Security


Author

TJ Banasik
CISSP-ISSEP, ISSAP, ISSMP, Principal Product Manager

TJ Banasik is a Senior Program Manager for Microsoft in the Cloud & AI Security Group. He has consulted with numerous organizations in cybersecurity and has built security operations centers across the government, military and commercial sectors. A security operations expert, TJ has extensive experience in incident response, threat intelligence, insider threat, and threat vulnerability management. He’s previously worked as the Director of Security for Veritas Technologies, the Senior Security Operations Center Manager for the U.S. Government Accountability Office (CSRA), and Army Officer with Army Cyber Command (ARCYBER). TJ holds a Master of Arts in intelligence studies concentrating cyber from AMU. TJ holds the CISSP-ISSEP, ISSAP, ISSMP, CCSP, GCIH, GCWN, GCIA, GCCC, GCFA, GSEC, GPEN, PMP, CISM, CISA, CRISC, CEH, CHFI, CASP, Azure Solutions Architect Expert certifications and is currently pursuing his second graduate degree in information systems security engineering from the SANS Technology Institute.
