Introduction

Microsoft Sentinel provides a table to store indicator data accessible to Kusto Query Language (KQL) queries. The Threat intelligence page in Microsoft Sentinel provides the management options to maintain the indicators.

You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You receive threat indicators from threat intelligence providers and your threat hunting team. The indicators include IP addresses, domains, and file hashes that can be used by many components within Microsoft Sentinel.

The indicators from the threat intelligence providers are automatically imported into the workspace using connectors. You're tasked with adding the indicators from the threat hunting team. You use the Threat intelligence page to add the indicators for use by the detection KQL queries.
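As an added example (not part of this module), this is the KQL pattern a detection query uses to read the indicator table and match it against telemetry: it assumes the `ThreatIntelligenceIndicator` table schema (`IndicatorId`, `DomainName`, `Active`, `ExpirationDateTime`, `ConfidenceScore`, `ThreatType`, `Description`, `TimeGenerated`) and a `DnsEvents` table with `Name` and `ClientIP` columns. The sample rows are constructed with `datatable()` so the query runs in any Kusto environment; in a workspace, delete the two `let` blocks to query the real tables.

```kusto
// Added example, not from the Microsoft Learn module. Constructed sample rows
// stand in for the real ThreatIntelligenceIndicator and DnsEvents tables.
let ThreatIntelligenceIndicator = datatable(
    IndicatorId:string, DomainName:string, Active:bool, ExpirationDateTime:datetime,
    ConfidenceScore:int, ThreatType:string, Description:string, TimeGenerated:datetime)
[
    // same IndicatorId twice: the table is append-only, so an updated indicator appears as a newer row
    "ti-001", "malicious.example", true,  datetime(2099-01-01), 80, "MaliciousUrl", "hunting team: phishing kit",      datetime(2024-05-01 10:00),
    "ti-001", "malicious.example", true,  datetime(2099-01-01), 90, "MaliciousUrl", "hunting team: confidence raised", datetime(2024-05-02 10:00),
    "ti-002", "expired.example",   true,  datetime(2020-01-01), 70, "MaliciousUrl", "past its expiry",                 datetime(2024-05-01 10:00),
    "ti-003", "retired.example",   false, datetime(2099-01-01), 70, "MaliciousUrl", "deactivated by analyst",          datetime(2024-05-01 10:00)
];
let DnsEvents = datatable(TimeGenerated:datetime, ClientIP:string, Name:string)
[
    datetime(2024-05-03 09:00), "10.0.0.5", "malicious.example",
    datetime(2024-05-03 09:01), "10.0.0.6", "expired.example",
    datetime(2024-05-03 09:02), "10.0.0.7", "retired.example",
    datetime(2024-05-03 09:03), "10.0.0.8", "benign.example"
];
// Step 1: keep only the latest version of each domain indicator, then drop
// indicators that are inactive or expired. Skipping this step is the usual
// cause of false positives from stale or retired indicators.
let ActiveDomainIndicators = ThreatIntelligenceIndicator
    | where isnotempty(DomainName)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now();
// Step 2: match DNS queries against the surviving indicators. Only the
// 10.0.0.5 lookup of malicious.example survives, carrying the newer score (90).
DnsEvents
| join kind=inner ActiveDomainIndicators on $left.Name == $right.DomainName
| project TimeGenerated, ClientIP, Name, IndicatorId, ConfidenceScore, ThreatType, Description
```

The same shape, with the join target swapped for `CommonSecurityLog` or `Syslog` and `DomainName` for `NetworkIP` or `FileHashValue`, covers the IP and hash indicator types mentioned above.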

After completing this module, you'll be able to:

  • Manage threat indicators in Microsoft Sentinel
  • Use KQL to access threat indicators in Microsoft Sentinel

Prerequisites

Basic knowledge of operational concepts such as monitoring, logging, and alerting.