How to Create Alerts on Sentinel from Threat Intelligence Feeds

M'hirsi Hamza
5 min readSep 30, 2022



Hi Medium! Here we are again with a new article about Sentinel.

This article shows how to create alerts based on threat intelligence feeds and which workbook to use for them. We will go through the following:

Create Threat Intelligence Alert

Add an Indicator Manually

Threat Intelligence Workbook

Before we start, you can check the previous article on importing threat intelligence feeds into your Sentinel workspace.

Create Threat Intelligence Alert

In this section, we will create a rule that alerts us once an IP flagged as malicious communicates with one of the VMs in our network.

In this rule we will use two tables: the threat intelligence table, from which we retrieve the IPs flagged as malicious, and the table of Sysmon events, which holds the IPs connecting to our virtual machine.

Sentinel provides a pre-built template ready to use; we only need to do some editing to adapt it to our situation.

As you see in the following screenshot, we will use the “TI map IP entity to AzureActivity” template:

Template name to use

Once we add the name and the description of the rule:

Analytics rule details

We move to the rule query and replace the template's query here:

Rule query

Our query is as follows:

Testing script on log page

ThreatIntelligenceIndicator
// The table keeps every version of an indicator. Keep only the latest row per IndicatorId,
// otherwise an older row with Active == true still matches after the indicator has been revoked
| summarize arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
| where ExpirationDateTime > now()
// Pick up only IOCs that carry the entity we want to match on (an IP address)
| where isnotempty(NetworkIP)
| extend NetworkIP = tostring(NetworkIP)
// innerunique keeps the result set small and the query fast: one match is enough to flag
// potentially malicious activity that needs to be investigated
| join kind=innerunique (
    Sysmon_Event_Parser
    // source IP of the connection as parsed from the Sysmon event, cast to string to match NetworkIP
    | extend src_ip = tostring(src_ip)
)
on $left.NetworkIP == $right.src_ip
| project NetworkIP, src_ip

Script added in the query rule

I used a function called Sysmon_Event_Parser that parses the Sysmon event log; you can get the parser from this link: https://github.com/BlueTeamLabs/sentinel-attack/blob/master/parser/Sysmon-OSSEM.txt

You can adapt the previous query to your needs, or use a completely different one ;) I will leave that for you to discover, try and enjoy. One thing to keep in mind when adapting it: the lookback period of a scheduled rule applies to every table in the query, including ThreatIntelligenceIndicator, so indicators imported before that window will not be matched. This is why the built-in TI map templates run with a long query period (14 days) and restrict only the event table to the last hour with a separate time filter.
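The join above only runs in a workspace that has the ThreatIntelligenceIndicator table and the Sysmon_Event_Parser function. The following is an added example, written for this page and not part of the original article or of the Sentinel template, that builds both inputs with datatable so it can be pasted into the Logs page of any workspace. All indicator and event rows are constructed; the event column names (EventID, src_ip, dst_ip, dst_port) are assumed to mirror the parser's output. It also shows why the indicator table is de-duplicated and filtered on expiry before matching: one indicator has a newer revoked version, one has already expired.

```kql
// Added example, not from the original article. All rows below are constructed test data.
let Indicators = datatable(TimeGenerated:datetime, IndicatorId:string, NetworkIP:string, Active:bool, ExpirationDateTime:datetime, Description:string)
[
    datetime(2022-09-29 08:00), "ioc-1", "203.0.113.10", true,  datetime(2030-01-01), "C2 node (constructed)",
    datetime(2022-09-29 08:00), "ioc-2", "198.51.100.7", true,  datetime(2030-01-01), "scanner (constructed)",
    datetime(2022-09-29 09:00), "ioc-2", "198.51.100.7", false, datetime(2030-01-01), "scanner, revoked later the same day (constructed)",
    datetime(2022-09-29 08:00), "ioc-3", "192.0.2.44",   true,  datetime(2022-09-01), "expired indicator (constructed)"
];
// Shape assumed to mirror Sysmon_Event_Parser output; Sysmon EventID 3 is a network connection
let SysmonEvents = datatable(EventTime:datetime, Computer:string, EventID:int, src_ip:string, dst_ip:string, dst_port:int)
[
    datetime(2022-09-30 10:01), "vm-web-01", 3, "203.0.113.10", "10.0.0.4", 443,
    datetime(2022-09-30 10:02), "vm-web-01", 3, "198.51.100.7", "10.0.0.4", 22,
    datetime(2022-09-30 10:03), "vm-web-01", 3, "192.0.2.44",   "10.0.0.4", 80,
    datetime(2022-09-30 10:04), "vm-web-01", 3, "10.0.0.9",     "10.0.0.4", 445
];
Indicators
// keep only the newest version of each indicator: without this, the older Active == true
// row of ioc-2 would still match even though the indicator has been revoked
| summarize arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
| where ExpirationDateTime > now()      // drops ioc-3
| where isnotempty(NetworkIP)
| join kind=innerunique (
    SysmonEvents
    | where EventID == 3                 // network connection events only
    | extend src_ip = tostring(src_ip)
) on $left.NetworkIP == $right.src_ip
// keep the columns you want to map as entities or print in the alert description
| project EventTime, Computer, src_ip, dst_ip, dst_port, IndicatorId, Description
```

Only the 203.0.113.10 connection comes back: the revoked indicator (ioc-2) and the expired one (ioc-3) no longer match, and the internal 10.0.0.9 connection has no indicator. Once the logic behaves as expected, swap the two datatables for ThreatIntelligenceIndicator and Sysmon_Event_Parser and paste the query into the analytics rule.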

I only mapped the source IP, as follows:

Mapped entity

Mapping helps us extract and understand the entities (metadata) of the alert when it triggers. Only columns kept by the final project in the query can be mapped, so keep whatever you want to map.

In the alert description, I gave more details, as the image below shows:

Alert description

That way the incident is clearer. From this point, we can save the configuration and we have our alert :D

Add an Indicator Manually

To test the rule, I will add a new indicator. Make sure that you don't tick 'Revoked', otherwise the new indicator will not be active, as shown in the next picture. To add a new indicator, we go to the page that lists our threat intelligence feeds and add it manually; if you need more details, this article will help you out:

New Indicator

Make sure that you add your own IP, or any other IP that you can use to trigger the alert ;)

Here is our indicator; we can find all the values we added manually by filtering on the source 'Azure Sentinel':

Manually added values

Now we use the IP listed above to communicate with one of the monitored VMs on our network.

Bingo!! Within minutes we see an incident, as shown below, once the IP listed above communicates with the monitored VM:

Incident page

As you can see, the IP is printed in the description as we configured it previously.
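If the incident does not show up, it helps to check each step of the chain from the Logs page. The query below is an added check, not from the original article; it assumes the test IP is 203.0.113.10 and that the Sysmon_Event_Parser function from above exists. In one result set it reports whether the latest version of the indicator is active and not expired, how many Sysmon network connections from the IP the VM logged, and which alerts named the IP. Manually created indicators carry SourceSystem 'Azure Sentinel' in the table, which is the same filter the portal applies.

```kql
// Added example, not from the original article.
// TestIP is a constructed value; replace it with the IP you added as an indicator.
let TestIP = "203.0.113.10";
union
  // 1) latest version of the indicator: is it still Active and not expired, and where did it come from?
  (ThreatIntelligenceIndicator
   | where NetworkIP == TestIP
   | summarize arg_max(TimeGenerated, *) by IndicatorId
   | project Check = "1-indicator", IndicatorId, SourceSystem, Active, ExpirationDateTime),
  // 2) did the VM actually log connections from that IP? (Sysmon EventID 3 = network connection)
  (Sysmon_Event_Parser
   | where EventID == 3 and src_ip == TestIP
   | summarize Connections = count(), LastSeen = max(TimeGenerated)
   | extend Check = "2-sysmon"),
  // 3) did the analytics rule fire? the mapped entities are stored as JSON in the Entities column
  (SecurityAlert
   | where TimeGenerated > ago(1d)
   | where Entities contains TestIP
   | summarize Alerts = count(), LastAlert = max(TimeGenerated) by AlertName
   | extend Check = "3-alert")
| order by Check asc
```

Set the time range of the Logs page wide enough to cover the moment the indicator was created, otherwise the first branch returns nothing even though the indicator exists. An empty second branch means the connection never reached the Sysmon log (or the parser uses other column names), and an empty third branch with the first two populated points at the rule itself: its lookback period, its frequency, or the query edit.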

Threat Intelligence Workbook

Visualization is one of the most important things in a SIEM. What I always enjoy at work is seeing three different dashboards on three different screens in my SOC, and for that Sentinel provides a ready-made workbook that we can enable in the 'Workbooks' section as follows:

Threat intelligence template

I will not share any images, HAHAHA!! It's for you to test and try; share your feeds and your insights in the comment section, this will truly help the community ^^

Conclusion

In this article, we saw how to create an alert in Sentinel based on the threat intelligence collected. If you have any other questions, please share them with us so we can answer them in detail in new articles.

Hey again, I hope that you enjoyed my article; if you have something to add or to correct, please don't hesitate to write a comment. See you soon ^^!

Twitter: https://twitter.com/HirsiHamza
LinkedIn: https://www.linkedin.com/in/hamza-mhirsi/



M'hirsi Hamza

Cyber Security Architect at Rakuten Symphony Deutschland, talks about #innovation, #technology, #cyberattack, #cyberdefense, and #cybersecurity