19.2 Understanding How Sentinel Processes Data

Sentinel downloads the data from the data sources to a map file, <sentinel_data_directory>/data/map_data/Threat_Intelligence.csv. Each data source is differentiated by a unique ID. When the source IP or the target IP of an incoming event matches any IP address in the map file, Sentinel enriches the event with threat information by adding the following source or target event fields, as appropriate:

  • SourceHostThreatSource (shts)

  • TargetHostThreatSource (thts)

  • SourceHostThreatType (rv198)

  • TargetHostThreatType (rv199)

  • SourceHostReputationScore (rv158)

  • TargetHostReputationScore (rv159)

If an IP address is listed in more than one data source, Sentinel takes the values for the above event fields from the data source that has the highest priority.

You can also assign reputation scores to indicate the reputation of a threat intelligence source, based on the threat type and the data source. A higher score indicates a better reputation. After assigning a reputation score, you can determine the events that need to be enriched with the reputation score.

To assign a reputation score:

  1. Go to Integration > Threat Intelligence Sources.

  2. Enter a score between 0 and 100 in the Source reputation score field.

    Depending on the IP address (source or target) present in the event field, Sentinel enriches the corresponding SourceHostReputationScore (rv158) or TargetHostReputationScore (rv159) field with the specified value.

  3. In the Enrich events only with reputation scores less than or equal to field, specify the maximum reputation score for which events are still enriched.

  4. Click Save.

For example, if you do not want to enrich internal feed data, set the Source reputation score to 80 and set the Enrich events only with reputation scores less than or equal to field to 70.
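To make the enrichment rules above concrete, here is an added Python model that is not Sentinel's own code: it applies the map-file lookup, the highest-priority-source rule and the reputation-score threshold to a constructed map file. The CSV column names, the numeric priority (larger number wins) and the reading that a source above the threshold is skipped entirely (as the internal-feed example suggests) are assumptions.

```python
import csv
import io

# Constructed stand-in for Threat_Intelligence.csv; column names are assumptions.
MAP_CSV = """ip,source_id,threat_type,priority,reputation_score
203.0.113.10,feed_a,Botnet C2,10,40
203.0.113.10,feed_b,Scanner,20,90
198.51.100.7,internal,Watchlist,5,80
"""

# Event fields named on the page: (HostThreatSource, HostThreatType, HostReputationScore)
FIELDS = {
    "SourceIP": ("shts", "rv198", "rv158"),
    "TargetIP": ("thts", "rv199", "rv159"),
}


def load_map(text):
    """Index map-file rows by IP; one IP may be listed by several sources."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        index.setdefault(row["ip"], []).append(row)
    return index


def enrich(event, index, max_score):
    """Return a copy of the event with threat fields added for each matching IP.

    Sources whose reputation score exceeds max_score are ignored (the
    'Enrich events only with reputation scores less than or equal to' setting);
    among the remaining sources the highest priority wins (assumed: larger wins).
    """
    out = dict(event)
    for ip_field, (src_field, type_field, score_field) in FIELDS.items():
        candidates = [r for r in index.get(event.get(ip_field, ""), [])
                      if int(r["reputation_score"]) <= max_score]
        if not candidates:
            continue
        best = max(candidates, key=lambda r: int(r["priority"]))
        out[src_field] = best["source_id"]
        out[type_field] = best["threat_type"]
        out[score_field] = int(best["reputation_score"])
    return out


if __name__ == "__main__":
    idx = load_map(MAP_CSV)
    ev = {"SourceIP": "203.0.113.10", "TargetIP": "198.51.100.7"}
    # With the threshold at 70 the internal feed (score 80) never enriches
    print(enrich(ev, idx, max_score=70))
```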

Sentinel provides the Threat Intelligence Solution Pack out-of-the-box, which includes correlation rules that detect communications to or from these IP addresses in your network. In upgrade installations, you must manually upgrade the Threat Intelligence Solution Pack in Solution Manager to get these latest correlation rules.

You can also create your own correlation rules as necessary. For more information, see Correlating Event Data in the Sentinel User Guide.