May 19, 2025
Combining threat intelligence feeds is important for detecting threats and identifying Indicators of Compromise (IOCs) in various scenarios. Here are some key situations where this approach is advantageous:
- Comprehensive Threat Detection
Integrating multiple threat intelligence feeds can cover a wider range of threats. Different feeds may provide unique insights into malicious activities, IP addresses, domain names, and other IOCs.
- Reducing False Positives
Combining feeds helps cross-verify data, decreasing the likelihood of false positives. This ensures that security teams focus on actual threats rather than inaccurate alerts.
- Enhanced Contextual Analysis
Multiple feeds can offer richer context around threats, including tactics, techniques, and procedures (TTPs) used by attackers. This helps in understanding the threat landscape better and making informed decisions.
- Real-Time Threat Response
Integrating feeds allows for real-time updates on emerging threats. This enables security teams to respond swiftly to new threats and mitigate potential damage.
- Proactive Threat Hunting
Threat hunters can use combined feeds to identify patterns and anomalies that might indicate a threat. This proactive approach assists in detecting threats before they can cause significant harm.
- Improved Threat Intelligence Sharing
Combining feeds from different sources, such as government agencies, commercial vendors, and open-source communities, enhances the overall quality and reliability of threat intelligence.
Example Query in Microsoft Sentinel
Here’s an example of how you might combine two threat intelligence feeds using the coalesce function in KQL. The two feeds are first joined on the indicator value; a fullouter join keeps rows that exist in only one of the feeds, and coalesce then returns the first non-empty value from whichever side supplied it (columns coming from the right-hand feed get the suffix 1):
_______________________________________________________________________________________
// ThreatIntelFeed1 and ThreatIntelFeed2 are placeholder table names
ThreatIntelFeed1
| join kind=fullouter ThreatIntelFeed2 on Indicator
| extend CombinedIndicator = coalesce(Indicator, Indicator1)          // Indicator1 is ThreatIntelFeed2's column
| extend CombinedDescription = coalesce(Description, Description1)    // Description1 is ThreatIntelFeed2's column
| project CombinedIndicator, CombinedDescription
_________________________________________________________________________________________
In the above example the coalesce function is used. The coalesce function in Kusto Query Language (KQL) evaluates a list of expressions and returns the first non-null (or, for strings, non-empty) one. This function is particularly useful in Microsoft Sentinel for handling data where some fields might be missing or null.
Syntax
coalesce(arg, arg_2, [arg_3, …])
- arg: The expression to be evaluated.
- All arguments must be of the same type.
- Maximum of 64 arguments is supported.
Functions of coalesce in Sentinel Threat Intelligence Feeds
- Handling Missing Data: It helps in filling gaps where data might be missing by providing a fallback value. For example, if one threat intelligence feed lacks an IP address, coalesce can pull it from another feed.
- Data Normalization: Combines multiple fields into one, ensuring that you always have a value to work with. This is useful when different feeds provide similar data in different fields.
- Simplifying Queries: Reduces the need for complex conditional logic to handle null values, making queries more readable and maintainable.
Let’s look at a Threat Intelligence analytic rule where the coalesce function is used.
The query combines threat intelligence indicators with DNS data to identify potential malicious activity. It ensures that only relevant and recent indicators are considered and matches them with DNS queries to detect suspicious behavior.
This query ensures that you obtain the most comprehensive data by taking the first non-null value from either feed.
Let’s break down this KQL query step by step:
- Define Lookback Periods
  - dt_lookBack: Sets a lookback period of 1 hour for DNS data.
  - ioc_lookBack: Sets a lookback period of 14 days for threat intelligence indicators.
- Extract Relevant Threat Intelligence Indicators
  - ThreatIntelligenceIndicator: Filters threat intelligence indicators generated within the last 14 days and not yet expired.
  - arg_max(TimeGenerated, *) by IndicatorId: Summarizes to keep only the latest record for each IndicatorId.
  - Active == true: Keeps only active indicators.
  - coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, "NO_IP"): Combines the various IP fields into a single IoC field, defaulting to "NO_IP" if none of them is populated.
  - where IoC != "NO_IP": Filters out indicators without a valid IP address.
- Join with DNS Data
  - join kind=innerunique: Joins the threat intelligence indicators with DNS data using an inner unique join to keep performance fast and the result set small.
  - _Im_Dns(starttime=ago(dt_lookBack)): Retrieves DNS data from the last hour.
  - where isnotempty(DnsResponseName): Keeps only DNS records with a non-empty response name.
  - summarize imDns_mintime=min(TimeGenerated), imDns_maxtime=max(TimeGenerated) by SrcIpAddr, DnsQuery, DnsResponseName, Dvc, EventProduct, EventVendor: Summarizes the DNS data by these fields, recording the first and last time each combination was seen.
  - extract_all(@'(\d+\.\d+\.\d+\.\d+)', DnsResponseName): Extracts all IPv4-shaped addresses from the DNS response name into an array.
  - mv-expand IoC = addresses to typeof(string): Expands the extracted addresses into one row per address, named IoC so that it can be used as the join key.
The combined KQL looks like this:
_________________________________________________________________________________________
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let IP_TI =
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
| extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, "NO_IP")
| where IoC != "NO_IP"
;
IP_TI
| join kind=innerunique // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
(
_Im_Dns(starttime=ago(dt_lookBack))
| where isnotempty(DnsResponseName)
| summarize imDns_mintime=min(TimeGenerated), imDns_maxtime=max(TimeGenerated) by SrcIpAddr, DnsQuery, DnsResponseName, Dvc, EventProduct, EventVendor
| extend addresses = extract_all(@'(\d+\.\d+\.\d+\.\d+)', DnsResponseName)
| mv-expand IoC = addresses to typeof(string)
)
on IoC
_________________________________________________________________________________________
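As an added, self-contained example that is not part of the article's rule, the same pipeline is run here over constructed stand-in tables so the coalesce fallback, the arg_max de-duplication, the regex extraction and the mv-expand can be observed without the real ThreatIntelligenceIndicator and _Im_Dns sources. MockTI, MockDns and the AgeHours/AgeMinutes/ExpiresInHours columns are assumed names; the offsets keep every row inside the lookback windows whenever the query is run.

```kql
// Constructed stand-ins for ThreatIntelligenceIndicator and _Im_Dns (not real data)
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let MockTI = datatable(AgeHours:int, IndicatorId:string, Active:bool, ExpiresInHours:int,
    NetworkIP:string, NetworkDestinationIP:string, NetworkSourceIP:string, EmailSourceIpAddress:string)
[
    // NetworkIP is empty, so coalesce falls through to NetworkDestinationIP
    24,  "ind-1", true,  720, "",             "203.0.113.10", "", "",
    // older copy of ind-1: arg_max keeps only the newer row above
    120, "ind-1", true,  720, "",             "203.0.113.99", "", "",
    // inactive indicator: removed by the Active filter
    48,  "ind-2", false, 720, "198.51.100.7", "",             "", "",
    // expired indicator: removed by the ExpirationDateTime filter
    72,  "ind-3", true,  -24, "198.51.100.8", "",             "", "",
    // no IP in any field: coalesce yields NO_IP and the row is removed
    24,  "ind-4", true,  720, "",             "",             "", "",
]
| extend TimeGenerated = ago(1h * AgeHours), ExpirationDateTime = now() + 1h * ExpiresInHours;
let MockDns = datatable(AgeMinutes:int, SrcIpAddr:string, DnsQuery:string, DnsResponseName:string,
    Dvc:string, EventProduct:string, EventVendor:string)
[
    // two answers in one response: mv-expand yields one row per address
    10, "10.0.0.5", "bad.example",   "203.0.113.10;203.0.113.11", "dns01", "MockDns", "Mock",
    // benign answer with no TI match
    20, "10.0.0.6", "good.example",  "192.0.2.4",                 "dns01", "MockDns", "Mock",
    // empty response name: removed before extraction
    5,  "10.0.0.7", "empty.example", "",                          "dns01", "MockDns", "Mock",
]
| extend TimeGenerated = ago(1m * AgeMinutes);
let IP_TI = MockTI
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true
    | extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, "NO_IP")
    | where IoC != "NO_IP";
IP_TI
| join kind=innerunique (
    MockDns
    | where isnotempty(DnsResponseName)
    | summarize imDns_mintime=min(TimeGenerated), imDns_maxtime=max(TimeGenerated)
        by SrcIpAddr, DnsQuery, DnsResponseName, Dvc, EventProduct, EventVendor
    | extend addresses = extract_all(@'(\d+\.\d+\.\d+\.\d+)', DnsResponseName)
    | mv-expand IoC = addresses to typeof(string)
) on IoC
| project IndicatorId, IoC, SrcIpAddr, DnsQuery, DnsResponseName, imDns_mintime, imDns_maxtime
```

Only ind-1 survives the indicator filters, so the join returns a single row pairing it with the 10.0.0.5 lookup of bad.example; the second answer 203.0.113.11 expands to its own row on the DNS side but matches no indicator.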
Summary
This article explores the importance of combining threat intelligence feeds to improve security operations. Key benefits include extending threat coverage, reducing false positives, and enhancing contextual analysis through detailed insights into attackers’ tactics and techniques. The integration process also facilitates real-time threat updates and enables better collaboration between different intelligence sources.
An example is provided using KQL (Kusto Query Language) to demonstrate how threat intelligence feeds can be combined effectively within Microsoft Sentinel. The query showcases steps like defining lookback periods, extracting relevant indicators, and correlating them with DNS data through an inner unique join. By leveraging this method, organizations can efficiently identify potential malicious activities and strengthen their threat response capabilities.
The content emphasizes that integrating threat feeds is not just a technical function but a strategic necessity to fortify organizations against evolving cyber threats.