2025 年 4 月 3 日,我们公开预览了两个新表,以支持 STIX(结构化威胁信息压缩)指示器和对象架构: ThreatIntelIndicators 以及 ThreatIntelObjects。 本文提供了如何将 STIX 对象合并到查询中以增强威胁搜寻,以及如何迁移到新的威胁指示器架构的示例。
有关 Microsoft Sentinel 中威胁情报的详细信息,请参阅 Microsoft Sentinel 中的威胁情报。
重要
Microsoft Sentinel 会将所有威胁情报引入新 ThreatIntelIndicators 表和 ThreatIntelObjects 表,同时继续将相同的数据引入旧 ThreatIntelligenceIndicator 表,直到 2025 年 7 月 31 日。
请务必在 2025 年 7 月 31 日前更新自定义查询、分析和检测规则、工作簿和自动化,以使用新表。 在此日期之后,Microsoft Sentinel 将停止将数据引入旧 ThreatIntelligenceIndicator 表。 我们正在更新内容中心内所有开箱即用的威胁情报解决方案,以利用新的数据表。 有关新表架构的详细信息,请参阅 ThreatIntelIndicators 和 ThreatIntelObjects。
识别与特定威胁指示器关联的威胁执行组件
此查询是如何将威胁指标(如 IP 地址)与威胁参与者相关联的示例:
let IndicatorsWithThatIP = (ThreatIntelIndicators
| extend tlId = tostring(Data.id)
| summarize arg_max(TimeGenerated,*) by Id
| where IsDeleted == false);
let ThreatActors = (ThreatIntelObjects
| where StixType == 'threat-actor'
| extend tlId = tostring(Data.id)
| extend ThreatActorName = Data.name
| extend ThreatActorSource = base64_decode_tostring(tostring(split(Id, '---')[0]))
| summarize arg_max(TimeGenerated,*) by Id
| where IsDeleted == false);
let AllRelationships = (ThreatIntelObjects
| where StixType == 'relationship'
| extend tlSourceRef = tostring(Data.source_ref)
| extend tlTargetRef = tostring(Data.target_ref)
| extend tlId = tostring(Data.id)
| summarize arg_max(TimeGenerated,*) by Id
| where IsDeleted == false);
let IndicatorAsSource = (IndicatorsWithThatIP
| join AllRelationships on $left.tlId == $right.tlSourceRef
| join ThreatActors on $left.tlTargetRef == $right.tlId);
let IndicatorAsTarget = (IndicatorsWithThatIP
| join AllRelationships on $left.tlId == $right.tlTargetRef
| join ThreatActors on $left.tlSourceRef == $right.tlId);
IndicatorAsSource
| union IndicatorAsTarget
| project ObservableValue, ThreatActorName
列出与特定威胁参与者相关的威胁情报数据
此查询提供威胁参与者的策略、技术和过程(TTP)的见解(替换为 Sangria Tempest 要调查的威胁参与者的名称):
let THREAT_ACTOR_NAME = 'Sangria Tempest';
let ThreatIntelObjectsPlus = (ThreatIntelObjects
| union (ThreatIntelIndicators
| extend StixType = 'indicator')
| extend tlId = tostring(Data.id)
| extend PlusStixTypes = StixType
| extend importantfield = case(StixType == "indicator", Data.pattern,
StixType == "attack-pattern", Data.name,
"Unkown")
| extend feedSource = base64_decode_tostring(tostring(split(Id, '---')[0]))
| summarize arg_max(TimeGenerated,*) by Id
| where IsDeleted == false);
let ThreatActorsWithThatName = (ThreatIntelObjects
| where StixType == 'threat-actor'
| where Data.name == THREAT_ACTOR_NAME
| extend tlId = tostring(Data.id)
| extend ActorName = tostring(Data.name)
| summarize arg_max(TimeGenerated,*) by Id
| where IsDeleted == false);
let AllRelationships = (ThreatIntelObjects
| where StixType == 'relationship'
| extend tlSourceRef = tostring(Data.source_ref)
| extend tlTargetRef = tostring(Data.target_ref)
| extend tlId = tostring(Data.id)
| summarize arg_max(TimeGenerated,*) by Id
| where IsDeleted == false);
let SourceRelationships = (ThreatActorsWithThatName
| join AllRelationships on $left.tlId == $right.tlSourceRef
| join ThreatIntelObjectsPlus on $left.tlTargetRef == $right.tlId);
let TargetRelationships = (ThreatActorsWithThatName
| join AllRelationships on $left.tlId == $right.tlTargetRef
| join ThreatIntelObjectsPlus on $left.tlSourceRef == $right.tlId);
SourceRelationships
| union TargetRelationships
| project ActorName, PlusStixTypes, ObservableValue, importantfield, Tags, feedSource
将现有查询迁移到新的 ThreatIntelObjects 架构
此示例演示如何将现有查询从旧 ThreatIntelligenceIndicator 表迁移到新 ThreatIntelObjects 架构。 该查询使用 extend 运算符基于新表中的 ObservableKey 列和 ObservableValue 列重新创建旧列。
ThreatIntelIndicators
| extend NetworkIP = iff(ObservableKey == 'ipv4-addr:value', ObservableValue, ''),
NetworkSourceIP = iff(ObservableKey == 'network-traffic:src_ref.value', ObservableValue, ''),
NetworkDestinationIP = iff(ObservableKey == 'network-traffic:dst_ref.value', ObservableValue, ''),
DomainName = iff(ObservableKey == '___domain-name:value', ObservableValue, ''),
EmailAddress = iff(ObservableKey == 'email-addr:value', ObservableValue, ''),
FileHashType = case(ObservableKey has 'MD5', 'MD5',
ObservableKey has 'SHA-1', 'SHA-1',
ObservableKey has 'SHA-256', 'SHA-256',
''),
FileHashValue = iff(ObservableKey has 'file:hashes', ObservableValue, ''),
Url = iff(ObservableKey == 'url:value', ObservableValue, ''),
x509Certificate = iff(ObservableKey has 'x509-certificate:hashes.', ObservableValue, ''),
x509Issuer = iff(ObservableKey has 'x509-certificate:issuer', ObservableValue, ''),
x509CertificateNumber = iff(ObservableKey == 'x509-certificate:serial_number', ObservableValue, ''),
Description = tostring(Data.description),
CreatedByRef = Data.created_by_ref,
Extensions = Data.extensions,
ExternalReferences = Data.references,
GranularMarkings = Data.granular_markings,
IndicatorId = tostring(Data.id),
ThreatType = tostring(Data.indicator_types[0]),
KillChainPhases = Data.kill_chain_phases,
Labels = Data.labels,
Lang = Data.lang,
Name = Data.name,
ObjectMarkingRefs = Data.object_marking_refs,
PatternType = Data.pattern_type,
PatternVersion = Data.pattern_version,
Revoked = Data.revoked,
SpecVersion = Data.spec_version
| project-reorder TimeGenerated, WorkspaceId, AzureTenantId, ThreatType, ObservableKey, ObservableValue, Confidence, Name, Description, LastUpdateMethod, SourceSystem, Created, Modified, ValidFrom, ValidUntil, IsDeleted, Tags, AdditionalFields, CreatedByRef, Extensions, ExternalReferences, GranularMarkings, IndicatorId, KillChainPhases, Labels, Lang, ObjectMarkingRefs, Pattern, PatternType, PatternVersion, Revoked, SpecVersion, NetworkIP, NetworkDestinationIP, NetworkSourceIP, DomainName, EmailAddress, FileHashType, FileHashValue, Url, x509Certificate, x509Issuer, x509CertificateNumber, Data
相关内容
如需了解更多信息,请参阅以下文章:
- Microsoft Sentinel 中的威胁情报。
- 将Microsoft Sentinel 连接到 STIX/TAXII 威胁情报源。
- 查看哪些 TIP、TAXII 馈送和扩充可轻松与 Microsoft Sentinel 集成。
有关 KQL 的更多信息,请参阅 Kusto 查询语言 (KQL) 概述。
其他资源: