The Revoke Action for Threat Indicators in Microsoft Sentinel

It's not as scary as it sounds

Someone asked a great question today about what exactly marking a Threat Indicator in the Threat Intelligence blade in Microsoft Sentinel does. We don’t currently have a good explanation in the docs, so I’ll add an explanation here and submit it for inclusion in the docs.

When you edit a Threat Indicator in Microsoft Sentinel and mark it as Revoked, it sets a flag or tag as Revoked == True for the indicator as shown in the following image.

Revoked

In the ThreatIntelligenceIndicator table it sets the Active data column for the specific indicator to ‘false’.

ThreatIntelligenceIndicator
| where Active == false
| project TimeGenerated, Description, Active, SourceSystem

false flag

This is important to know because the Analytics Rules that run against Threat Intelligence all begin by looking for Active indicators.

Looking for Active indicators

Marking the indicator as Revoked, excludes it from being identified by the rule. You could just delete the indicator entirely, but unless it’s an indicator you created manually (the source column will show Sentinel), it will show up again once the source replicates. For most customers the indicators listed in the Threat Intelligence blade come from 3rd party, trusted sources and are managed through the stream. You may find that an indicator is a false positive and it may take hours or days for the 3rd party source to reflect that. By marking it as Revoked, it will remain excluded from the rule but still be present in the system to query against.

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Learn KQL with the Must Learn KQL series and book]