Use matching analytics to detect threats

Take advantage of threat intelligence produced by Microsoft to generate high-fidelity alerts and incidents with the Microsoft Defender Threat Intelligence Analytics rule. This built-in rule in Microsoft Sentinel matches indicators with Common Event Format (CEF) logs, Windows DNS events with domain and IPv4 threat indicators, syslog data, and more.

Important

Matching analytics is currently in preview. See the Supplemental Terms of Use for Microsoft Azure Previews for more legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Prerequisites

You must install one or more of the supported data connectors to produce high-fidelity alerts and incidents. A premium Microsoft Defender Threat Intelligence license isn't required. Install the appropriate solutions from the Content hub to connect these data sources:

  • Common Event Format
  • DNS (preview)
  • Syslog
  • Office activity logs
  • Azure activity logs
  • ASIM DNS logs
  • ASIM Network sessions

A screenshot that shows the Microsoft Defender Threat Intelligence Analytics rule data source connections.

For example, depending on your data source, you might use the following solutions and data connectors:

Solution | Data connector
Common Event Format solution for Sentinel | Common Event Format connector for Microsoft Sentinel
Windows Server DNS | DNS connector for Microsoft Sentinel
Syslog solution for Sentinel | Syslog connector for Microsoft Sentinel
Microsoft 365 solution for Sentinel | Office 365 connector for Microsoft Sentinel
Azure Activity solution for Sentinel | Azure Activity connector for Microsoft Sentinel

Configure the matching analytics rule

Matching analytics is configured when you enable the Microsoft Defender Threat Intelligence Analytics rule.

  1. Under the Configuration section, select the Analytics menu.

  2. Select the Rule templates tab.

  3. In the search window, enter threat intelligence.

  4. Select the Microsoft Defender Threat Intelligence Analytics rule template.

  5. Select Create rule. The rule details are read only, and the default status of the rule is enabled.

  6. Select Review > Create.

Screenshot that shows the Microsoft Defender Threat Intelligence Analytics rule enabled on the Active rules tab.

Data sources and indicators

Microsoft Defender Threat Intelligence Analytics matches your logs with domain, IP, and URL indicators in the following ways:

  • CEF logs ingested into the Log Analytics CommonSecurityLog table match URL and domain indicators if populated in the RequestURL field, and IPv4 indicators in the DestinationIP field.
  • Windows DNS logs where SubType == "LookupQuery", ingested into the DnsEvents table, match domain indicators populated in the Name field, and IPv4 indicators in the IPAddresses field.
  • Syslog events where Facility == "cron", ingested into the Syslog table, match domain and IPv4 indicators directly from the SyslogMessage field.
  • Office activity logs ingested into the OfficeActivity table match IPv4 indicators directly from the ClientIP field.
  • Azure activity logs ingested into the AzureActivity table match IPv4 indicators directly from the CallerIpAddress field.
  • ASIM DNS logs ingested into the ASimDnsActivityLogs table match domain indicators if populated in the DnsQuery field, and IPv4 indicators in the DnsResponseName field.
  • ASIM Network Sessions ingested into the ASimNetworkSessionLogs table match IPv4 indicators if populated in one or more of the following fields: DstIpAddr, DstNatIpAddr, SrcNatIpAddr, SrcIpAddr, DvcIpAddr.
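As an added hunting query (not part of the built-in rule or this article), the following KQL reproduces two of the matches listed above, IPv4 indicators against CommonSecurityLog.DestinationIP and domain indicators against DnsEvents.Name for LookupQuery events, so you can confirm the connected data is eligible before relying on the rule. It assumes the standard Microsoft Sentinel table schemas and the ThreatIntelligenceIndicator table name; the look-back values are placeholders you should tune.

```kusto
// Added example, not the rule's own logic. Reproduces two of the article's matches
// (CEF DestinationIP vs. IPv4 indicators, DnsEvents Name vs. domain indicators).
let dt_lookBack = 1h;    // placeholder: how far back to scan your logs
let ioc_lookBack = 14d;  // placeholder: how far back to collect indicators
// Latest version of each active, unexpired indicator.
let active_ti = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true;
// Match 1: IPv4 indicators against the CEF DestinationIP field.
let cef_matches = active_ti
    | where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP)
    | extend TI_ip = coalesce(NetworkIP, NetworkDestinationIP)
    | join kind=innerunique (
        CommonSecurityLog
        | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationIP)
        | project LogTime = TimeGenerated, DeviceVendor, DeviceAction, DestinationIP
      ) on $left.TI_ip == $right.DestinationIP
    // DeviceAction shows whether the device allowed or blocked the traffic,
    // which is what the rule uses when it assigns alert severity.
    | project LogTime, DataSource = "CommonSecurityLog", Observable = TI_ip,
              Context = strcat(DeviceVendor, " action=", DeviceAction),
              IndicatorId, ThreatType, ConfidenceScore;
// Match 2: domain indicators against Windows DNS lookup queries.
let dns_matches = active_ti
    | where isnotempty(DomainName)
    | extend TI_domain = tolower(DomainName)
    | join kind=innerunique (
        DnsEvents
        | where TimeGenerated >= ago(dt_lookBack) and SubType == "LookupQuery"
        | where isnotempty(Name)
        | project LogTime = TimeGenerated, Computer, ClientIP, Name = tolower(Name)
      ) on $left.TI_domain == $right.Name
    | project LogTime, DataSource = "DnsEvents", Observable = TI_domain,
              Context = strcat(Computer, " client=", ClientIP),
              IndicatorId, ThreatType, ConfidenceScore;
union cef_matches, dns_matches
// One row per observable, mirroring the rule's per-observable incident grouping.
| summarize FirstSeen = min(LogTime), LastSeen = max(LogTime), Hits = count(),
            Sources = make_set(DataSource), Contexts = make_set(Context, 10)
    by Observable, IndicatorId, ThreatType, ConfidenceScore
| order by Hits desc
```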

Triage an incident generated by matching analytics

If Microsoft's analytics finds a match, any alerts generated are grouped into incidents.

Use the following steps to triage the incidents generated by the Microsoft Defender Threat Intelligence Analytics rule:

  1. In the Microsoft Sentinel workspace where you enabled the Microsoft Defender Threat Intelligence Analytics rule, select Incidents, and search for Microsoft Defender Threat Intelligence Analytics.

    Any incidents that are found appear in the grid.

  2. Select View full details to view entities and other details about the incident, such as specific alerts.

    Here's an example.

    Screenshot of incident generated by matching analytics with details pane.

  3. Observe the severity assigned to the alerts and the incident. Depending on how the indicator is matched, an appropriate severity from Informational to High is assigned to each alert. For example, if the indicator is matched with firewall logs that allowed the traffic, a high-severity alert is generated. If the same indicator is matched with firewall logs that blocked the traffic, the generated alert is low or medium severity.

    Alerts are then grouped on a per-observable basis of the indicator. For example, all alerts generated in a 24-hour time period that match the contoso.com domain are grouped into a single incident with a severity assigned based on the highest alert severity.

  4. Observe the indicator information. When a match is found, the indicator is published to the Log Analytics ThreatIntelligenceIndicators table, and it appears on the Threat Intelligence page. For any indicators published from this rule, the source is defined as Microsoft Defender Threat Intelligence Analytics.

Here's an example of the ThreatIntelligenceIndicators table.

Screenshot that shows the ThreatIntelligenceIndicator table showing indicator with SourceSystem of Microsoft Threat Intelligence Analytics.

Here's an example of the Threat Intelligence page.

Screenshot that shows the Threat Intelligence overview with indicator selected showing the source as Microsoft Threat Intelligence Analytics.
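An added triage query, not from this article, that pulls the rule's incidents, their alerts and matched observables, and the indicators the rule published into one table, so the severity, grouping and indicator details described in the steps above can be reviewed together. It assumes the incident titles contain the rule name and that the published indicators' SourceSystem includes "Threat Intelligence Analytics" (the article and its screenshot give two spellings of the source); the 7-day window is a placeholder.

```kusto
// Added example, not from the article. Joins the rule's incidents, alerts and
// published indicators. Assumes incident titles carry the rule name and that
// the published indicators' SourceSystem contains "Threat Intelligence Analytics".
let lookBack = 7d;  // placeholder window
// 1. Latest state of each incident raised by the rule.
let ti_incidents = SecurityIncident
    | where TimeGenerated >= ago(lookBack)
    | where Title has "Microsoft Defender Threat Intelligence Analytics"
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber
    | project IncidentNumber, IncidentSeverity = Severity, Status, AlertIds, IncidentUrl;
// 2. Expand to the alerts and pull the matched ip/dns/url observables from each alert's entities.
let ti_alerts = ti_incidents
    | mv-expand AlertId = AlertIds to typeof(string)
    | join kind=inner (
        SecurityAlert
        | where TimeGenerated >= ago(lookBack)
        | summarize arg_max(TimeGenerated, *) by SystemAlertId
        | mv-apply E = parse_json(Entities) on (
            where tostring(E.Type) in ("ip", "dns", "url")
            | summarize Observables = make_set(coalesce(tostring(E.Address), tostring(E.DomainName), tostring(E.Url)))
          )
        | project SystemAlertId, AlertName, AlertSeverity, Observables
      ) on $left.AlertId == $right.SystemAlertId
    | mv-expand Observable = Observables to typeof(string);
// 3. Indicators the rule published (the article says the source names the rule).
let published = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(lookBack)
    | where SourceSystem has "Threat Intelligence Analytics"
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | extend Observable = coalesce(NetworkIP, NetworkDestinationIP, DomainName, Url)
    | project Observable, IndicatorId, ThreatType, ConfidenceScore, ExpirationDateTime;
// 4. One row per incident and observable; rank severity numerically so "High" sorts first.
ti_alerts
| join kind=leftouter published on Observable
| extend SevRank = case(AlertSeverity == "High", 3, AlertSeverity == "Medium", 2, AlertSeverity == "Low", 1, 0)
| summarize AlertCount = dcount(SystemAlertId), HighestAlertSeverity = max(SevRank),
            AlertNames = make_set(AlertName), IndicatorMatched = countif(isnotempty(IndicatorId)) > 0,
            ThreatType = take_any(ThreatType), Confidence = max(ConfidenceScore),
            Expires = take_any(ExpirationDateTime)
    by IncidentNumber, IncidentSeverity, Status, Observable, IncidentUrl
| order by HighestAlertSeverity desc, AlertCount desc
| extend HighestAlertSeverity = case(HighestAlertSeverity == 3, "High", HighestAlertSeverity == 2, "Medium",
                                     HighestAlertSeverity == 1, "Low", "Informational")
```

Rows where IndicatorMatched is false point to an observable that was not (or is no longer) in the published indicator set, which is worth checking against the indicator's ExpirationDateTime before closing the incident.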

Get more context from Microsoft Defender Threat Intelligence

Along with high-fidelity alerts and incidents, some Microsoft Defender Threat Intelligence indicators include a link to a reference article in the Microsoft Defender Threat Intelligence community portal.

Screenshot that shows an incident with a link to the Microsoft Defender Threat Intelligence reference article.

For more information, see What is Microsoft Defender Threat Intelligence?.

In this article, you learned how to connect threat intelligence produced by Microsoft to generate alerts and incidents. For more information about threat intelligence in Microsoft Sentinel, see the following articles: