Edit

Use matching analytics to detect threats

  • Article

Take advantage of threat intelligence produced by Microsoft to generate high fidelity alerts and incidents with the Microsoft Defender Threat Intelligence Analytics rule. This built-in rule in Microsoft Sentinel matches indicators with Common Event Format (CEF) logs, Windows DNS events with domain and IPv4 threat indicators, syslog data, and more.

Important

Matching analytics is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Prerequisites

Install the appropriate solutions from the content hub and connect the data connectors to get following data sources in Microsoft Sentinel:

  • Common Event Format (CEF)
  • DNS (Preview)
  • Syslog
  • Office activity logs
  • Azure activity logs

A screenshot showing the Microsoft Defender Threat Intelligence Analytics rule data source connections.

For example, depending on your data source you might use the following solutions and data connectors.

Solution Data connector
Common Event Format solution for Sentinel Common Event Format (CEF) connector for Microsoft Sentinel
Windows Server DNS DNS connector for Microsoft Sentinel
Syslog solution for Sentinel Syslog connector for Microsoft Sentinel
Microsoft 365 solution for Sentinel Office 365 connector for Microsoft Sentinel
Azure Activity solution for Sentinel Azure Activity connector for Microsoft Sentinel

Configure the matching analytics rule

Matching analytics is configured when you enable the Microsoft Defender Threat Intelligence Analytics rule.

  1. Click the Analytics menu from the Configuration section.

  2. Select the Rule templates menu tab.

  3. In the search window type threat intelligence.

  4. Select the Microsoft Defender Threat Intelligence Analytics rule template.

  5. Click Create rule. The rule details are read only, and the default status of the rule is enabled.

  6. Click Review > Create.

A screenshot showing the Microsoft Defender Threat Intelligence Analytics rule enabled in the Active rules tab.

Data sources and indicators

Microsoft Defender Threat Intelligence (MDTI) Analytics matches your logs with domain, IP and URL indicators in the following way:

  • CEF logs ingested into the Log Analytics CommonSecurityLog table match URL and domain indicators if populated in the RequestURL field, and IPv4 indicators in the DestinationIP field.

  • Windows DNS logs where event SubType == "LookupQuery" ingested into the DnsEvents table match domain indicators populated in the Name field, and IPv4 indicators in the IPAddresses field.

  • Syslog events where Facility == "cron" ingested into the Syslog table match domain and IPv4 indicators directly from the SyslogMessage field.

  • Office activity logs ingested into the OfficeActivity table match IPv4 indicators directly from the ClientIP field.

  • Azure activity logs ingested into the AzureActivity table match IPv4 indicators directly from the CallerIpAddress field.

Triage an incident generated by matching analytics

If Microsoft's analytics finds a match, any alerts generated are grouped into incidents.

Use the following steps to triage through the incidents generated by the Microsoft Defender Threat Intelligence Analytics rule:

  1. In the Microsoft Sentinel workspace where you've enabled the Microsoft Defender Threat Intelligence Analytics rule, select Incidents and search for Microsoft Defender Threat Intelligence Analytics.

    Any incidents found are shown in the grid.

  2. Select View full details to view entities and other details about the incident, such as specific alerts.

    For example:

    Screenshot of incident generated by matching analytics with details pane.

  3. Observe the severity assigned to the alerts and the incident. Depending on how the indicator is matched, an appropriate severity is assigned to an alert from Informational to High. For example, if the indicator is matched with firewall logs that have allowed the traffic, a high severity alert is generated. If the same indicator was matched with firewall logs that blocked the traffic, the alert generated would be low or medium.

    Alerts are then grouped on a per-observable basis of the indicator. For example, all alerts generated in a 24-hour time period that match the contoso.com domain are grouped into a single incident with a severity assigned based on the highest alert severity.

  4. Observe the indicator details. When a match is found, the indicator is published to the Log Analytics ThreatIntelligenceIndicators table, and displayed in the Threat Intelligence page. For any indicators published from this rule, the source is defined as Microsoft Defender Threat Intelligence Analytics.

For example, in the ThreatIntelligenceIndicators log:

Screenshot of ThreatIntelligenceIndicator table in Log Analytics showing recent indicator with SourceSystem of Microsoft Threat Intelligence Analytics.

In the Threat Intelligence page:

Screenshot of the Threat Intelligence overview with an indicator selecting showing the details pain and the source as Microsoft Threat Intelligence Analytics.

Get additional context from Microsoft Defender Threat Intelligence

Along with high fidelity alerts and incidents, some MDTI indicators include a link to a reference article in the MDTI community portal.

Screenshot of an incident with a link to the reference MDTI article.

For more information, see the MDTI portal and What is Microsoft Defender Threat Intelligence?

Next steps

In this article, you learned how to connect threat intelligence produced by Microsoft to generate alerts and incidents. For more information about threat intelligence in Microsoft Sentinel, see the following articles: