Sentinel’s Enrichment Widgets: Elevating Cybersecurity Intelligence with Microsoft

At Microsoft, we are continually advancing our tools to empower users in making data-driven and informed decisions. Our latest advancement in Microsoft Sentinel is the introduction of Enrichment Widgets.

Widgets provide critical enrichment data, delivering key insights often encapsulated in just a few lines of text, which is pivotal in the realm of .

What are Enrichment Widgets?

Enrichment Widgets in Microsoft Sentinel are dynamic components designed to provide you with in-depth, actionable intelligence about entities. They integrate external and internal content and data from various sources, offering a comprehensive understanding of potential security threats. These widgets serve as a powerful enhancement to your toolkit, offering both depth and breadth in information analysis.

Key Features and Capabilities

The Enrichment Widgets bring together a wealth of information from external and internal sources, as well as data from Log Analytics. This includes:

  1. Integration with external and internal TI sources: Anomali, VirusTotal, Recorded Future, AbuseIPDB, and Microsoft Defender Threat Intelligence, providing detailed insights into IP addresses.
  2. Widgets that draw upon Log Analytics data: Inception Threat Indicator, Anomalies count, allowing for a deeper dive into your own data environment.

The widgets experience also includes a streamlined onboarding process, making it easier to add and manage these enrichment widgets within your SIEM.

Practical SOC Applications

The real value of these Enrichment Widgets becomes apparent when viewed through the lens of real-world SOC scenarios.

Scenario 1: Enhancing Threat Intelligence with external sources  

Consider a SOC team investigating a suspicious IP address. The VirusTotal widget (for example) can instantly provide a detailed reputation score and historical threat activity associated with that IP, a process that would otherwise require time-consuming manual research.

This information aids in more comprehensive analysis and improved incident investigation outcomes.

Scenario 2: In-Depth Analysis with Log Analytics Data

In another instance, a SOC could use widgets connected to data stored in its Log Analytics for an in-depth analysis of unusual patterns in the traffic (For example, a summary of an IP entity's connections on the over a specific time frame), swiftly identifying potential internal threats or breaches.

Enable Enrichment Widgets:

Enabling these widgets involves two primary steps:

ShaharAviv_0-1700163078351.png

Step 1: Create a Key Vault for Widget Credentials

  • Navigate to the ‘Entity behavior' section in Microsoft Sentinel.
  • Select ‘Enrichment widgets (preview)' and create a dedicated Azure Key Vault to store credentials like API keys or usernames/passwords.
  • Follow the on-screen instructions to complete the Key Vault setup.

ShaharAviv_1-1700163078357.png

Step 2: Add Credentials to Your Widgets' Key Vault

  • For each data source, add the required credentials to the Key Vault.
  • Use the Custom Deployment wizard to enter credentials and finalize the setup.

ShaharAviv_2-1700163078364.png

Finding Credentials for Each Widget Source

We provide detailed instructions for obtaining credentials for various data sources like Virus Total, AbuseIPDB, Anomali, Recorded Future, and Microsoft Defender Threat Intelligence (MDTI). For most of these sources, you'll need API keys or specific account credentials, which are then added to your Key Vault.

Adding New Widgets

As Microsoft Sentinel expands its widget offerings, new data sources will be added to the Widgets Onboarding Page. Users are encouraged to regularly check for updates and add credentials for any new data sources as they become available.

ShaharAviv_0-1700410105193.png

We have also included a section on common issues such as errors in widget configuration, issues in creating the Key Vault, or challenges in deploying secrets to your Key Vault.

Next Steps

The introduction of Enrichment Widgets in Microsoft Sentinel marks a significant leap forward in our offerings. These tools provide essential data enrichment that goes beyond basic visualization, aiding SOCs in quickly deciphering complex security data and making informed decisions. Stay tuned to our platform for more updates and enhancements as we continue to evolve Microsoft Sentinel to meet the dynamic needs of the cybersecurity world.

For more detailed information on investigating entities and understanding incident investigation capabilities in Microsoft Sentinel, refer to our official documentation.

 

This article was originally published by Microsoft's Sentinel Blog. You can find the original article here.