Use matching analytics to detect threats
Take advantage of threat intelligence produced by Microsoft to generate high-fidelity alerts and incidents with the Microsoft Defender Threat Intelligence Analytics rule. This built-in Microsoft Sentinel rule matches domain, IPv4 and URL threat indicators against Common Event Format (CEF) logs, Windows DNS events, syslog data, and more.
Install the appropriate solutions from the content hub and connect the data connectors to get the following data sources into Microsoft Sentinel:
- Common Event Format (CEF)
- DNS (Preview)
- Office activity logs
- Azure activity logs
For example, depending on your data source you might use the following solutions and data connectors.
Configure the matching analytics rule
Matching analytics is configured when you enable the Microsoft Defender Threat Intelligence Analytics rule.
Click the Analytics menu from the Configuration section.
Select the Rule templates menu tab.
In the search window type threat intelligence.
Select the Microsoft Defender Threat Intelligence Analytics rule template.
Click Create rule. The rule details are read-only, and the rule is enabled by default.
Click Review > Create.
Data sources and indicators
Microsoft Defender Threat Intelligence (MDTI) Analytics matches your logs with domain, IP and URL indicators in the following way:
- CEF logs ingested into the Log Analytics CommonSecurityLog table match URL and domain indicators if populated in the RequestURL field, and IPv4 indicators in the
- Windows DNS logs where event SubType == "LookupQuery" ingested into the DnsEvents table match domain indicators populated in the Name field, and IPv4 indicators in the
- Syslog events where Facility == "cron" ingested into the Syslog table match domain and IPv4 indicators directly from the
- Office activity logs ingested into the OfficeActivity table match IPv4 indicators directly from the
- Azure activity logs ingested into the AzureActivity table match IPv4 indicators directly from the
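The Windows DNS case above, written out as a query you can run in the workspace to see the same match the rule makes. This is an added example, not the rule's own logic or code from the page: it reproduces the described match of DnsEvents rows with SubType == "LookupQuery" on the Name field against domain indicators. The column names on the indicator side (ThreatIntelligenceIndicator with IndicatorId, DomainName, Active, ExpirationDateTime, ConfidenceScore, Description) and the Computer and ClientIP columns of DnsEvents are the Log Analytics schemas as the editor knows them and are assumptions here, not facts stated by the page.

```kusto
// Added example (not from the original page): reproduce the Windows DNS
// domain match performed by the MDTI Analytics rule.
// Assumed schema: ThreatIntelligenceIndicator(IndicatorId, DomainName, Active,
// ExpirationDateTime, ConfidenceScore, Description) and
// DnsEvents(Name, SubType, Computer, ClientIP).
let lookback = 24h;        // window of DNS events to check
let ioc_lookback = 14d;    // how far back to collect indicators
let domain_iocs = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookback)
    | where isnotempty(DomainName)
    // indicators are re-logged on update: keep the latest copy, then drop
    // the ones that have been deactivated or have expired
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project IndicatorId, DomainName = tolower(DomainName), ConfidenceScore, Description;
DnsEvents
| where TimeGenerated >= ago(lookback)
| where SubType == "LookupQuery"      // only client lookups, as the rule does
| where isnotempty(Name)
// normalise case and a trailing dot so "Contoso.COM." matches "contoso.com"
| extend QueryName = tolower(trim_end(@"\.", Name))
| join kind=inner domain_iocs on $left.QueryName == $right.DomainName
| summarize
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    QueryCount = count(),
    Hosts      = make_set(Computer, 50),
    Clients    = make_set(ClientIP, 50)
    by IndicatorId, DomainName, ConfidenceScore, Description
| order by QueryCount desc
```

The same shape (filter the log table the way the rule does, normalise the observable, join to the de-duplicated active indicators) applies to the CEF, syslog, Office and Azure activity matches; only the source table, the row filter and the joined column change. Run it before enabling the rule to estimate alert volume, or after an incident fires to see every host that touched the matched domain inside the window.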
Triage an incident generated by matching analytics
If Microsoft's analytics finds a match, any alerts generated are grouped into incidents.
Use the following steps to triage through the incidents generated by the Microsoft Defender Threat Intelligence Analytics rule:
In the Microsoft Sentinel workspace where you've enabled the Microsoft Defender Threat Intelligence Analytics rule, select Incidents and search for Microsoft Defender Threat Intelligence Analytics.
Any incidents found are shown in the grid.
Select View full details to view entities and other details about the incident, such as specific alerts.
Observe the severity assigned to the alerts and the incident. Depending on how the indicator is matched, an appropriate severity, up to High, is assigned to the alert. For example, if the indicator is matched with firewall logs that allowed the traffic, a high-severity alert is generated. If the same indicator was matched with firewall logs that blocked the traffic, the alert generated is low or medium severity.
Alerts are then grouped per observable of the indicator. For example, all alerts generated in a 24-hour period that match the contoso.com domain are grouped into a single incident, whose severity is the highest severity among its alerts.
Observe the indicator details. When a match is found, the indicator is published to the Log Analytics ThreatIntelligenceIndicator table and displayed on the Threat Intelligence page. For any indicator published by this rule, the source is defined as Microsoft Defender Threat Intelligence Analytics.
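The triage steps above, done from the logs instead of the portal grid. This is an added example written for this page, not code from the page or from the rule: it lists the incidents the rule created in the last seven days, joins each one to the alerts grouped into it, and shows the alert severities beside the incident severity so the "highest alert severity wins" behaviour can be checked. It assumes the rule's incidents carry the rule name in the SecurityIncident Title (the page tells you to search for that name), that SecurityIncident.AlertIds holds the SystemAlertId values of the rows in SecurityAlert, and that SecurityAlert exposes AlertName, AlertSeverity and Entities; those column names are the editor's knowledge of the schema, not statements from the page.

```kusto
// Added example (not from the original page): incidents raised by the MDTI
// Analytics rule with the alerts grouped into each of them.
// Assumed schema: SecurityIncident(IncidentNumber, Title, Severity, Status,
// CreatedTime, LastModifiedTime, AlertIds) and
// SecurityAlert(SystemAlertId, AlertName, AlertSeverity, Entities).
let ruleName = "Microsoft Defender Threat Intelligence Analytics";
let lookback = 7d;
// Incidents are re-logged on every update; keep only the latest row per incident.
let ruleIncidents = SecurityIncident
    | where TimeGenerated >= ago(lookback)
    | where Title has ruleName
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber
    | project IncidentNumber, Title, IncidentSeverity = Severity, Status, CreatedTime, AlertIds;
// Alerts are re-logged too; keep the latest row per alert.
let alerts = SecurityAlert
    | where TimeGenerated >= ago(lookback)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project SystemAlertId, AlertName, AlertSeverity, Entities;
ruleIncidents
| mv-expand AlertId = AlertIds to typeof(string)          // one row per grouped alert
| join kind=leftouter alerts on $left.AlertId == $right.SystemAlertId
| summarize
    AlertCount      = dcount(AlertId),
    AlertSeverities = make_set(AlertSeverity),           // should contain IncidentSeverity as its maximum
    AlertEntities   = make_set(Entities)                 // JSON entity lists; the matched observable is in here
    by IncidentNumber, Title, IncidentSeverity, Status, CreatedTime
// sort High before Medium before Low so the allowed-traffic matches surface first
| extend SeverityRank = case(IncidentSeverity == "High", 1,
                             IncidentSeverity == "Medium", 2,
                             IncidentSeverity == "Low", 3,
                             4)
| order by SeverityRank asc, CreatedTime desc
| project-away SeverityRank
```

The AlertEntities column is what you would otherwise open View full details to see; a High incident with several Low alerts in AlertSeverities is the blocked-versus-allowed pattern described above, and the single high-severity alert in that set is the one to investigate first.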
Get additional context from Microsoft Defender Threat Intelligence
Along with high fidelity alerts and incidents, some MDTI indicators include a link to a reference article in the MDTI community portal.
In this article, you learned how to connect threat intelligence produced by Microsoft to generate alerts and incidents. For more information about threat intelligence in Microsoft Sentinel, see the following articles: