Here is a short demonstration of threat intelligence within Azure Sentinel and how it provides information on potential cyber threats and risk.



How’s it going everybody, and welcome to a quick demonstration of threat intelligence within Azure Sentinel. Threat intelligence feeds are streams of data that provide information on potential cyber threats and risks. These can include indicators such as IP addresses and domains, and we receive these threat intelligence indicators either from government sources or from known, trusted security vendors and threat intelligence providers.

So if we come down here and look on the left pane, we can click over into Threat intelligence. As you can see, we currently have over 1,600 threat indicators. Azure Sentinel lets you import these threat indicators, and what they do is enhance your security analysts’ ability to detect and prioritize known threats. The data that is brought in can enrich current alerts and can also create new alerts. What I mean by that is shown in our Analytics tab over here: these are the analytic rules that create an alert once their conditions are met. When the threat intelligence feeds and indicators are in Sentinel, they can enrich this data, and we are also able to create rules so that as soon as anyone goes to one of those IPs or domains, we get an alert right away. If we go back into Threat intelligence, we are able to have a look at the threat intelligence workbook.

We are just going to change the date range here to the last 60 days.

What this workbook does is summarize all the information we have about our threat intelligence feeds. Currently it tells us that we have 986 domain threat intelligence indicators and 620 IP indicators, so these are 986 known malicious domains and 620 known malicious IPs. Then we see the confidence score, which is 100, and in this little spot here we will see the alerts generated by threat intelligence, broken down by severity and date. As this is a demo tenant, we haven’t received any alerts from any of these threat intelligence feeds as of yet.

Much like analytics, where we are able to enrich the data we have, the same applies to hunting rules. Hunting is similar in a sense to analytics, except that it doesn’t generate alerts; we are able to enrich existing hunting rules and create new ones using these threat intelligence feeds. This gives us the ability to use these threat indicators within the context of our common hunting scenarios. Threat intelligence feeds are also available when we go into notebooks. Notebooks help us troubleshoot common issues, and having threat indicators and threat intelligence available helps when you investigate anomalies and hunt for malicious behaviours. With threat intelligence, the main thing we are able to do is greatly enrich current incidents and create new incidents based on any of the IPs or domains that users within the organization are going to.
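As an added example (not from the demo and not one of Microsoft’s built-in rule templates), here are two KQL queries that show what the workbook and the analytics/hunting rules above are doing with the feed data. The first reproduces the workbook’s active-indicator counts and confidence by indicator type; the second matches feed domains against DNS lookups and is the kind of query you would save as a scheduled analytics rule (to alert) or run ad hoc (to hunt). Both assume the ThreatIntelligenceIndicator table is populated by a threat intelligence data connector and that DnsEvents is populated by the DNS connector; the column names follow those tables’ schemas.

```kql
// Query 1 (run on its own): active indicators by type, as the workbook summarizes them.
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(60d)                      // same window as the workbook
| where Active == true and ExpirationDateTime > now()  // ignore retired/expired indicators
| summarize arg_max(TimeGenerated, *) by IndicatorId   // keep the latest copy of each indicator
| extend IndicatorType = case(
      isnotempty(DomainName), "Domain",
      isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP), "IP",
      "Other")
| summarize Indicators = count(), AvgConfidence = avg(ConfidenceScore) by IndicatorType

// Query 2 (run on its own): DNS lookups in the last hour for a domain on the feed.
let feedDomains = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(60d)
    | where Active == true and ExpirationDateTime > now()
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where isnotempty(DomainName)
    | extend TI_domain = tolower(DomainName);          // normalize case before matching
feedDomains
| join kind=innerunique (
    DnsEvents
    | where TimeGenerated >= ago(1h)
    | where SubType == "LookupQuery" and isnotempty(Name)
    | extend DNS_domain = tolower(Name)
  ) on $left.TI_domain == $right.DNS_domain
| project DnsTime = TimeGenerated1,                    // right-side TimeGenerated is suffixed by the join
          ClientIP, Computer, QueriedDomain = Name,
          IndicatorId, ConfidenceScore, ThreatType, Description
| order by DnsTime desc
```

When saving Query 2 as a scheduled analytics rule, map ClientIP and QueriedDomain to the IP and DNS entities so the resulting incidents carry the enrichment the demo describes.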

Thank you for coming around today and I hope you enjoyed this brief demo of threat intelligence.

Written By:

Brendan Timm

Brendan is a Business Technology and Azure Consultant at Softlanding. He has proven expertise in cloud computing, cloud security, automation, and consulting.
