Threat intelligence in Azure Security Center
This article helps you to use Azure Security Center threat intelligence to address security-related issues.
What is threat intelligence?
By using the threat intelligence option available in Security Center, IT administrators can identify security threats against the environment. For example, they can identify whether a particular computer is part of a botnet. Computers become nodes in a botnet when attackers illicitly install malware that secretly connects the computer to the attacker's command-and-control (C2) infrastructure. Threat intelligence can also identify potential threats coming from underground communication channels, such as the dark web.
To build this threat intelligence, Security Center uses data that comes from multiple sources within Microsoft. Security Center uses this data to identify potential threats against your environment. The Threat intelligence pane is composed of three major options:
- Detected threat types
- Threat origin
- Threat intelligence map
When should you use threat intelligence?
One of the steps of a security incident response process is to identify the severity of the compromised system(s). In this phase, you should perform the following tasks:
- Determine the nature of the attack.
- Determine the attack point of origin.
- Determine the intent of the attack. Was the attack directed at your organization to acquire specific information, or was it random?
- Identify the systems that were compromised.
- Identify the files that were accessed and determine the sensitivity of those files.
You can use threat intelligence information in Security Center to help with these tasks.
Access the threat intelligence
To visualize the current threat intelligence for your environment, you must first select the workspace where your information resides. If you don't have multiple workspaces, you bypass the workspace selector and go directly to the Threat intelligence dashboard. To access the dashboard:
1. Open the Security Center dashboard.
2. In the left pane, under Detection, select Threat intelligence. The Threat intelligence dashboard appears.
If the far-right column shows UPGRADE PLAN, this workspace is using the free subscription. Upgrade to Standard to use this feature. If the far-right column shows REQUIRES UPDATE, update Azure Log Analytics to use this feature. For more information about the pricing plan, read Azure Security Center pricing.
If you have more than one workspace to investigate, prioritize the investigation according to the Malicious IP column. It shows the current number of malicious IPs in this workspace. Select the workspace that you want to use, and the Threat intelligence dashboard appears.
The dashboard is divided into four tiles:
a. Threat types. Summarizes the type of threats that were detected in the selected workspace.
b. Origin country. Aggregates the amount of traffic according to its source location.
c. Threat location. Helps you to identify the current locations around the globe that communicate with your environment. In the map shown, orange (incoming) and red (outgoing) arrows identify the traffic directions. If you select one of these arrows, the type of threat and the traffic direction appears.
d. Threat details. Shows more details about the threat that you selected in the map.
Regardless of which tile you select, the dashboard that appears is backed by a Log Search query. The only difference is the query that runs and the result it returns.
Select the Threat types tile to open the Log Search dashboard. Filter options appear on the left, and query results appear on the right.
The query result shows the threats by name. You can use the left pane to select the attribute that you want to filter. For example, to see only the threats that are currently connected to the machines, in SESSIONSTATE, select Connected > Apply.
For Azure VMs, only the network data that flows through the agent appears in the Threat intelligence dashboard. The following data types are also used by threat intelligence:
- CEF Data (Type=CommonSecurityLog)
- WireData (Type=WireData)
- IIS Logs (Type=W3CIISLog)
- Windows Firewall (Type=WindowsFirewall)
- DNS Events (Type=DnsEvents)
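The example below is added here to make the triage logic behind the dashboard concrete; it is not code from the article or from Security Center. It rebuilds, over constructed log records, the views the article describes: prioritizing workspaces by malicious IP count, the four tiles (threat types, origin country, threat location, threat details), and the SESSIONSTATE = Connected filter. The Type values are the ones listed above; every other column name (MaliciousIP, IndicatorThreatType, RemoteIPCountry, Direction, SessionState, Computer) is an assumed name for illustration, not a documented schema, and the IPs and country codes are constructed sample values.

```python
"""Local re-implementation of the Threat intelligence dashboard views,
run over constructed log records rather than real Log Analytics data."""
from collections import Counter

# Constructed records. "Type" values come from the article; the enrichment
# columns (MaliciousIP, IndicatorThreatType, RemoteIPCountry, Direction,
# SessionState, Computer) are assumed names used only for this example.
# IPs are from documentation ranges (TEST-NET) and country codes are placeholders.
WORKSPACES = {
    "ws-prod": [
        {"Type": "WireData", "Computer": "vm-web-01", "Direction": "Outbound",
         "MaliciousIP": "203.0.113.7", "RemoteIPCountry": "AA",
         "IndicatorThreatType": "Botnet", "SessionState": "Connected"},
        {"Type": "WireData", "Computer": "vm-web-01", "Direction": "Outbound",
         "MaliciousIP": "203.0.113.7", "RemoteIPCountry": "AA",
         "IndicatorThreatType": "Botnet", "SessionState": "Disconnected"},
        {"Type": "CommonSecurityLog", "Computer": "fw-edge", "Direction": "Inbound",
         "MaliciousIP": "198.51.100.23", "RemoteIPCountry": "BB",
         "IndicatorThreatType": "MaliciousUrl"},          # no session state column
        {"Type": "W3CIISLog", "Computer": "vm-web-02", "Direction": "Inbound",
         "MaliciousIP": "198.51.100.23", "RemoteIPCountry": "BB",
         "IndicatorThreatType": "MaliciousUrl"},
        {"Type": "DnsEvents", "Computer": "dc-01", "Direction": "Outbound",
         "MaliciousIP": "192.0.2.44", "RemoteIPCountry": "CC",
         "IndicatorThreatType": "C2"},
        {"Type": "WireData", "Computer": "vm-app-03", "Direction": "Outbound",
         "RemoteIP": "10.0.0.5"},                          # benign: no TI match
    ],
    "ws-dev": [
        {"Type": "WindowsFirewall", "Computer": "dev-box", "Direction": "Inbound",
         "MaliciousIP": "198.51.100.23", "RemoteIPCountry": "BB",
         "IndicatorThreatType": "MaliciousUrl"},
    ],
}


def matched(records):
    """Only the records that were enriched with a threat-intelligence IP match."""
    return [r for r in records if r.get("MaliciousIP")]


def malicious_ip_count(records):
    """Distinct malicious IPs in a workspace (the 'Malicious IP' column)."""
    return len({r["MaliciousIP"] for r in matched(records)})


def prioritize_workspaces(workspaces):
    """Order workspaces for investigation: most malicious IPs first, name as tie-break."""
    counts = ((name, malicious_ip_count(recs)) for name, recs in workspaces.items())
    return sorted(counts, key=lambda item: (-item[1], item[0]))


def threat_types(records):
    """Tile a: number of matched records per detected threat type."""
    return Counter(r["IndicatorThreatType"] for r in matched(records))


def origin_country(records):
    """Tile b: amount of matched traffic per remote location."""
    return Counter(r["RemoteIPCountry"] for r in matched(records))


def threat_location(records):
    """Tile c: one map arrow per (country, direction), with the threat types behind it."""
    arrows = {}
    for r in matched(records):
        key = (r["RemoteIPCountry"], r["Direction"])
        arrows.setdefault(key, set()).add(r["IndicatorThreatType"])
    return {key: sorted(types) for key, types in arrows.items()}


def threat_details(records, country, direction):
    """Tile d: the underlying records for one selected arrow."""
    return [r for r in matched(records)
            if (r["RemoteIPCountry"], r["Direction"]) == (country, direction)]


def currently_connected(records):
    """SESSIONSTATE = Connected: hosts that are still talking to a malicious IP.
    Data types without a session state (CEF, IIS, DNS) are left out, so a
    missing column is never treated as 'connected'."""
    return sorted({(r["Computer"], r["MaliciousIP"]) for r in matched(records)
                   if r.get("SessionState") == "Connected"})


def records_by_type(records):
    """Which of the supported data types contributed the matches."""
    return Counter(r["Type"] for r in matched(records))


if __name__ == "__main__":
    for name, count in prioritize_workspaces(WORKSPACES):
        print(f"{name}: {count} malicious IP(s)")
    prod = WORKSPACES["ws-prod"]
    print("threat types:", dict(threat_types(prod)))
    print("origin:", dict(origin_country(prod)))
    print("arrows:", threat_location(prod))
    print("still connected:", currently_connected(prod))
```

The Connected filter is the view to act on first: a Disconnected record proves a past contact, while a Connected one means the host is talking to the indicator now. Note that the filter deliberately skips records from data types that carry no session state, so those hosts are not silently dropped from the other tiles but also are not misreported as live connections.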
In this article, you learned how to use threat intelligence in Security Center to assist you in identifying suspicious activity. To learn more about Security Center, see the following articles:
- Manage and respond to security alerts in Azure Security Center. Learn how to manage alerts and respond to security incidents in Security Center.
- Security health monitoring in Azure Security Center. Learn how to monitor the health of your Azure resources.
- Understand security alerts in Azure Security Center. Learn about the different types of security alerts.
- Azure Security Center troubleshooting guide. Learn how to troubleshoot common issues in Security Center.
- Azure Security Center FAQ. Find answers to frequently asked questions about using the service.
- Azure security blog. Find blog posts about Azure security and compliance.