Use threat indicators in analytics rules

Power your analytics rules with your threat indicators to automatically generate alerts based on the threat intelligence you've integrated.

Prerequisites

  • Threat indicators. These can be from threat intelligence feeds, threat intelligence platforms, bulk import from a flat file, or manual input.

  • Data sources. Events from your data connectors must be flowing to your Sentinel workspace.

  • An analytics rule whose name begins with "TI map..." that maps the threat indicators you have to the events you have ingested.

Configure a rule to generate security alerts

Below is an example of how to enable and configure a rule to generate security alerts using the threat indicators you've imported into Microsoft Sentinel. For this example, use the rule template called TI map IP entity to AzureActivity. This rule matches any IP address-type threat indicator against all your Azure Activity events. When a match is found, an alert is generated along with a corresponding incident for investigation by your security operations team. This particular analytics rule requires the Azure Activity data connector (to import your Azure subscription-level events) and one or both of the Threat Intelligence data connectors (to import threat indicators). The rule is triggered by indicators imported through those connectors and by manually created ones alike.

  1. From the Azure portal, navigate to the Microsoft Sentinel service.

  2. Choose the workspace to which you imported threat indicators using the Threat Intelligence data connectors and Azure activity data using the Azure Activity data connector.

  3. Select Analytics from the Configuration section of the Microsoft Sentinel menu.

  4. Select the Rule templates tab to see the list of available analytics rule templates.

  5. Find the rule titled TI map IP entity to AzureActivity and ensure you have connected all the required data sources as shown below.

    Screenshot of required data sources for the TI map IP entity to AzureActivity analytics rule.

  6. Select the TI map IP entity to AzureActivity rule and then select Create rule to open a rule configuration wizard. Configure the settings in the wizard and then select Next: Set rule logic >.

    Screenshot of the create analytics rule configuration wizard.

  7. The rule logic portion of the wizard has been pre-populated with the following items:

    • The query that will be used in the rule.

    • Entity mappings, which tell Microsoft Sentinel how to recognize entities like Accounts, IP addresses, and URLs, so that incidents and investigations understand how to work with the data in any security alerts generated by this rule.

    • The schedule to run this rule.

    • The number of query results needed before a security alert is generated.

    The default settings in the template are:

    • Run once an hour.

    • Match any IP address threat indicators from the ThreatIntelligenceIndicator table with any IP address found in the last one hour of events from the AzureActivity table.

    • Generate a security alert if the query results are greater than zero, meaning if any matches are found.

    • The rule is enabled.

    You can leave the default settings or change them to meet your requirements, and you can define incident-generation settings on the Incident settings tab. For more information, see Create custom analytics rules to detect threats. When you are finished, select the Automated response tab.

  8. Configure any automation you'd like to trigger when a security alert is generated from this analytics rule. Automation in Microsoft Sentinel is done using combinations of automation rules and playbooks powered by Azure Logic Apps. To learn more, see this Tutorial: Use playbooks with automation rules in Microsoft Sentinel. When finished, select the Next: Review > button to continue.

  9. When you see the message that the rule validation has passed, select the Create button and you are finished.

Review your rules

Find your enabled rules in the Active rules tab of the Analytics section of Microsoft Sentinel. Edit, enable, disable, duplicate, or delete the active rule from there. The new rule runs immediately upon activation, and then runs on its defined schedule.

According to the default settings, each time the rule runs on its schedule, any results found will generate a security alert. Security alerts in Microsoft Sentinel can be viewed in the Logs section of Microsoft Sentinel, in the SecurityAlert table under the Microsoft Sentinel group.

In Microsoft Sentinel, the alerts generated from analytics rules also generate security incidents, which can be found in Incidents under Threat Management on the Microsoft Sentinel menu. Incidents are what your security operations teams will triage and investigate to determine the appropriate response actions. You can find detailed information in this Tutorial: Investigate incidents with Microsoft Sentinel.

Note

Because analytics rules cannot look back more than 14 days, Microsoft Sentinel refreshes indicators every 12 days to make sure they remain available for matching through the analytics rules.
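As an added illustration (not the text of the template's own query), here is how the default logic of step 7 above and the 14-day lookback described in this note translate into a KQL rule query. It assumes the standard columns of the ThreatIntelligenceIndicator and AzureActivity tables; TI_ipEntity, dt_lookBack and ioc_lookBack are names chosen here, not ones taken from the template.

```kql
// Illustrative query added here; not the template's own text.
// Assumes the standard ThreatIntelligenceIndicator and AzureActivity columns.
let dt_lookBack = 1h;    // event window: the rule runs hourly over the last hour
let ioc_lookBack = 14d;  // indicator window: stays within the 14-day lookback limit
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
// keep only the newest version of each indicator, then drop inactive/expired ones
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
// an IP indicator may carry its address in any of these fields
| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
    or isnotempty(NetworkDestinationIP) or isnotempty(EmailSourceIpAddress)
| extend TI_ipEntity = case(
    isnotempty(NetworkIP), NetworkIP,
    isnotempty(NetworkSourceIP), NetworkSourceIP,
    isnotempty(NetworkDestinationIP), NetworkDestinationIP,
    EmailSourceIpAddress)
// match indicator IPs against the caller IP of the last hour of Azure Activity
| join kind=innerunique (
    AzureActivity
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(CallerIpAddress)
    | extend AzureActivity_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.CallerIpAddress
// ignore events that happened after the indicator expired
| where AzureActivity_TimeGenerated < ExpirationDateTime
// one row per indicator/caller pair: the most recent matching event
| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *)
    by IndicatorId, CallerIpAddress
| project AzureActivity_TimeGenerated, Description, IndicatorId, ThreatType,
    ExpirationDateTime, ConfidenceScore, TI_ipEntity,
    Caller, OperationNameValue, ResourceGroup, SubscriptionId, CallerIpAddress
// columns the rule's entity mappings bind to IP and Account entities
| extend timestamp = AzureActivity_TimeGenerated,
    IPCustomEntity = CallerIpAddress,
    AccountCustomEntity = Caller
```

Run in the Logs section, the query returns no rows unless an indicator matches a caller IP; any row returned is exactly the "results greater than zero" condition under which the scheduled rule raises an alert.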

In this article, you learned how to use threat intelligence indicators to detect threats. For more about threat intelligence in Microsoft Sentinel, see the following articles: