Leveraging Azure Sentinel Threat Intelligence Workbook to hunt for threats in government workloads

The Biden Administration’s recent Executive Order on Improving the Nation’s Cybersecurity emphasizes the need to improve not only the detection of cloud security threats on federal government networks but also the investigation and remediation capabilities. Threats against federal information systems are a growing concern that require detailed understanding of threat actors, behavior, and methods. 

Threat intelligence is an advanced cybersecurity discipline that focuses on identifying and responding to attacker-based indicators of compromise across the stages of the attack cycle.


Azure Sentinel is Microsoft’s cloud-native SIEM solution with the ability to import threat intelligence data from multiple sources, including paid threat feeds, open-source feeds, and threat intelligence sharing communities. Azure Sentinel also supports open standards, so feeds from Threat Intelligence Platforms (TIPs) can be brought in over STIX & TAXII.


Today, we are excited to announce that Microsoft has released the next evolution of threat hunting capabilities in the Azure Sentinel Threat Intelligence Workbook.



Azure Sentinel Threat Intelligence is based on ingestion of threat indicators such as IP addresses, domains, URLs, email senders, and file hashes. By ingesting and correlating threat data across cloud workloads and throughout the attack cycle, this workbook empowers security professionals by serving as a starting point for building threat intelligence programs.


This offering provides a free text search to hunt for IPs, hashes, email senders and more across over 50 Microsoft telemetry components. There are advanced correlations for AI/ML, UEBA, and geospatial location of threat sources.


Learn more by watching the demo: Azure Sentinel threat intelligence workbook (YouTube)


Use Cases

There are several use cases for the Azure Sentinel Threat Intelligence Workbook depending on user roles and requirements. Common use cases include threat hunting, developing alerting, identifying security weaknesses, conducting assessments with custom reporting, time filtering, subscription filtering, workspace filtering, and guides.


The workbook is organized into three sections:

  • Indicators Ingestion: Evaluate indicators onboarded, threat feeds, and confidence ratings
  • Threat Detection & Hunting: Free text search indicators across your cloud workloads
  • Observed Threats: Analyze threats by geolocation, threat group, assets targeted and more
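The Threat Detection & Hunting section works by matching ingested indicators against workload telemetry. The KQL query below is an added example of that correlation, not a query taken from the workbook itself; it assumes the standard Azure Sentinel ThreatIntelligenceIndicator and SigninLogs tables, and the confidence threshold and lookback window are assumptions to tune for your feeds.

```kusto
// Added example (not from the workbook): match active, high-confidence IP indicators
// against Azure AD sign-in telemetry, the same kind of correlation the workbook's
// "Threat Detection & Hunting" section performs across workload logs.
// Assumes the standard Azure Sentinel ThreatIntelligenceIndicator and SigninLogs tables.
let lookback = 14d;                 // assumption: hunting window
let minConfidence = 50;             // assumption: confidence floor on the feed's 0-100 scale
let activeIndicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(lookback)
    // only indicators that are still active and not yet expired
    | where Active == true and ExpirationDateTime > now()
    | where ConfidenceScore >= minConfidence
    | where isnotempty(NetworkIP)
    // a feed can re-publish an indicator; keep the latest version of each one
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorId, NetworkIP, ConfidenceScore, ThreatType, SourceSystem, Description;
SigninLogs
| where TimeGenerated >= ago(lookback)
| where ResultType == "0"           // successful sign-ins only
| join kind=inner activeIndicators on $left.IPAddress == $right.NetworkIP
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            SignInCount = count(),
            Users = make_set(UserPrincipalName, 20)
    by IPAddress, ThreatType, ConfidenceScore, SourceSystem, Description
| order by ConfidenceScore desc, SignInCount desc
```

Each row is a source IP that both appears in an active indicator and produced successful sign-ins, with the affected accounts listed so an analyst can triage them and, if warranted, turn the query into a scheduled analytics rule.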


Capabilities include:

  • Ingest, analyze, and hunt for indicators within workloads
  • Free text search to hunt for IPs, hashes, email senders, etc. across 50+ Microsoft telemetry components
  • Advanced correlations for AI/ML, UEBA, and geospatial location of threats
  • Find, fix, and resolve workload weaknesses
  • Query/alert generation


Intended user roles include:

  • Threat Intelligence Professionals: Investigations
  • SecOps: Alert/automation building
  • Assessors: Audit & assessment
  • Security Decision Makers: Situational awareness
  • MSSP: Consultants, Managed Service Providers

Getting Started

This content provides the capability to both ingest and correlate threat data in cloud workloads. This offering provides a free text search to hunt for IPs, hashes, emails, and more across over fifty Microsoft telemetry components. There are advanced correlations for AI/ML, UEBA, and geospatial location of threat sources.



  • Review the content and provide feedback through our survey




Frequently Asked Questions

  • Why is Threat Intelligence needed?
  • What types of indicators of compromise are included?
  • Is multi-subscription & multi-tenant supported?
  • Is custom reporting available?
    • Yes, via guide, time, workspace, & subscription parameters.
  • Is 3rd Party integration supported?
  • Is this available in US government regions?
    • Yes, Azure Sentinel Threat Intelligence is Generally Available in Commercial/Government regions
  • Can this content be exported as a report?
    • Yes, via the Print Workbooks and Download Artifacts features.
  • Is STIX/TAXII integrated?
  • What is dynamic display?
    • Dozens of queries are executed, and only panels with data are displayed
  • What rights are required to use this content?

Learn More About Threat Intelligence with Microsoft Security
