What Changed

First-time packaging of Visa Threat Intelligence (VTI) solution for Microsoft Sentinel, including complete solution artifacts:

  • DCR-based data connector for Visa IOC ingestion
  • 2 high-severity analytic rules targeting domain and SHA1 IOCs
  • VTI IOC Feed workbook for threat intelligence visualization
  • Solution packaging with ARM templates and metadata

Data Source

Visa Threat Intelligence Platform (VTIP): DCR connector ingests IOCs using X-Pay Token authentication

  • Custom table: VisaThreatIntelligenceIOC_CL
  • IOC types: domains and SHA1 file hashes; additional IOC types from the feed are supported
  • Severity classification: High, Medium and Low indicators from Visa threat intelligence

Detection Logic

VTI - High Severity Domain Collision Detection (VTIP_high_severity_domain.yaml):

  • Data source: EmailUrlInfo joined with VisaThreatIntelligenceIOC_CL
  • Logic: Correlates email URL domains against VTI high-severity domain IOCs
  • Entity mapping: URL and DNS entities for threat hunting
  • MITRE: T1566 (Phishing) - Initial Access tactic

VTI - High Severity SHA1 Collision Detection (VTIP_high_severity_sha1.yaml):

  • Data source: DeviceFileEvents joined with VisaThreatIntelligenceIOC_CL
  • Logic: Matches file SHA1 hashes against VTI high-severity hash IOCs
  • Entity mapping: Host and FileHash entities for endpoint correlation
  • MITRE: T1204 (User Execution) - Execution tactic
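The domain rule described above, as an added example of the query shape behind it (this is not the query shipped in VTIP_high_severity_domain.yaml). The column names IndicatorValue, IndicatorType and Severity on the custom table are assumptions, since the PR does not list the table schema; EmailUrlInfo and its Url/UrlDomain/NetworkMessageId columns are the standard Defender for Office 365 table in Sentinel.

```kql
// Added example, not the packaged rule. Shows the join of email URL domains against
// high-severity VTI domain IOCs with the normalisation a collision rule needs.
// ASSUMPTION: VisaThreatIntelligenceIOC_CL exposes IndicatorValue, IndicatorType and Severity.
let ioc_lookback = 14d;      // how far back an ingested IOC is still trusted for matching
let event_lookback = 1h;     // keep aligned with the rule's queryFrequency / queryPeriod
let vti_high_domains =
    VisaThreatIntelligenceIOC_CL
    | where TimeGenerated > ago(ioc_lookback)
    | where IndicatorType =~ "domain" and Severity =~ "High"
    // normalise: lowercase and strip a trailing dot so "Example.COM." matches "example.com"
    | extend IOCDomain = tolower(trim_end(@"\.", IndicatorValue))
    | where isnotempty(IOCDomain)
    // one row per domain even if the same IOC was ingested several times
    | summarize IOCFirstSeen = min(TimeGenerated), IOCLastSeen = max(TimeGenerated) by IOCDomain;
EmailUrlInfo
| where TimeGenerated > ago(event_lookback)
| where isnotempty(UrlDomain)
| extend MatchDomain = tolower(UrlDomain)
| join kind=inner vti_high_domains on $left.MatchDomain == $right.IOCDomain
| project TimeGenerated, NetworkMessageId, Url, UrlDomain, IOCDomain, IOCFirstSeen, IOCLastSeen
// Entity mapping in the rule YAML: Url -> URL entity (Url), UrlDomain -> DNS entity (DomainName).
```

The SHA1 rule has the same shape with DeviceFileEvents on the left, matching its SHA1 column (lowercased) against high-severity hash indicators and mapping DeviceName to the Host entity and SHA1 to the FileHash entity.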

Security Impact (Threat Intelligence Integration)

Provides financial sector threat intelligence visibility:

  • Payment industry IOCs: Visa-specific threat intelligence for financial services
  • Cross-platform detection: Email security (domains) and endpoint security (file hashes)
  • High-confidence indicators: Focus on high-severity IOCs to minimize false positives
  • Near real-time correlation: DCR ingestion enables IOC matching shortly after the feed is updated

Affected Files

.vscode/extensions.json
.vscode/launch.json
.vscode/settings.json
.vscode/tasks.json
Solutions/Visa Threat Intelligence (VTI)/Analytic Rules/VTIP_high_severity_domain.yaml
Solutions/Visa Threat Intelligence (VTI)/Analytic Rules/VTIP_high_severity_sha1.yaml
Solutions/Visa Threat Intelligence (VTI)/DataConnectors/VisaThreatIntelligenceConnector.json
Solutions/Visa Threat Intelligence (VTI)/Package/testParameters.json
Solutions/Visa Threat Intelligence (VTI)/README.md
Solutions/Visa Threat Intelligence (VTI)/Workbooks/Images/Logo/Visa_VTI_Logo.svg
Solutions/Visa Threat Intelligence (VTI)/Workbooks/Images/Preview/VTIOverview_black.png
Solutions/Visa Threat Intelligence (VTI)/Workbooks/Images/Preview/VTIOverview_white.png
Solutions/Visa Threat Intelligence (VTI)/Workbooks/VTI_IOC_Feed.json
(packaging artefacts: 3.0.0.zip, SolutionMetadata.json, Solution_VTI.json, createUiDefinition.json, mainTemplate.json)