articles/sentinel/use-matching-analytics-to-detect-threats.md
Lines changed: 6 additions & 4 deletions
@@ -44,8 +44,6 @@ Matching analytics is configured when you enable the **Microsoft Threat Intellig
44
44
45
45
:::image type="content" source="media/use-matching-analytics-to-detect-threats/configure-matching-analytics-rule.png" alt-text="A screenshot showing the Microsoft Threat Intelligence Analytics rule enabled in the Active rules tab.":::
46
46
47
-
Alerts are grouped on a per-observable basis. For example, all alerts generated in a 24-hour time period that match the `contoso.com` domain are grouped into a single incident with the appropriate severity.
48
-
49
47
50
48
## Data sources and indicators
51
49
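Review bot: Deleting the "Alerts are grouped on a per-observable basis" paragraph here leaves the configuration section with no statement of how matches become incidents, and the wording that replaces it later in the file changes the substance ("with the appropriate severity" becomes "a severity assigned based on the highest alert severity"). If the intent is to move the explanation into the triage steps, say so in the commit message and consider leaving a one-line pointer after the image, e.g. "Matched alerts are grouped into incidents; see the triage steps below." The blank line preserved at new line 47 keeps the image block separated from the `## Data sources and indicators` heading, so the layout itself is fine.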
@@ -74,7 +72,11 @@ Use the following steps to triage through the incidents generated by the **Micro
74
72
75
73
:::image type="content" source="media/work-with-threat-indicators/matching-analytics.png" alt-text="Screenshot of incident generated by matching analytics with details pane.":::
76
74
77
-
When a match is found, the indicator is also published to the Log Analytics **ThreatIntelligenceIndicators**, and displayed in the **Threat Intelligence** page. For any indicators published from this rule, the source is defined as **Microsoft Threat Intelligence Analytics**.
75
+
1. Observe the severity assigned to the alerts and the incident. Depending on how the indicator is matched, an appropriate severity is assigned to an alert from `Informational` to `High`. For example, if the indicator is matched with firewall logs that have allowed the traffic, a high severity alert is generated. If the same indicator was matched with firewall logs that blocked the traffic, the alert generated would be low or medium.
76
+
77
+
Alerts are then grouped on a per-observable basis of the indicator. For example, all alerts generated in a 24-hour time period that match the `contoso.com` domain are grouped into a single incident with a severity assigned based on the highest alert severity.
78
+
79
+
1. Observe the indicator details. When a match is found, the indicator is published to the Log Analytics **ThreatIntelligenceIndicators** table, and displayed in the **Threat Intelligence** page. For any indicators published from this rule, the source is defined as **Microsoft Threat Intelligence Analytics**.
78
80
79
81
For example, in the **ThreatIntelligenceIndicators** log:
80
82
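Review bot: The continuation paragraph at new line 77 ("Alerts are then grouped on a per-observable basis of the indicator...") sits between two `1.` list items without indentation, so Markdown will close the list after the first item and the second `1.` will render as a new list starting at 1 instead of continuing the numbering. Indent that paragraph (and the blank lines around it) to the list-item text column, the same way the existing `:::image` block is carried inside its step. Two smaller wording points in the same hunk: "per-observable basis of the indicator" reads awkwardly, and "on a per-observable basis" alone says the same thing; and the severities are written inconsistently within one step, with `Informational` and `High` in backticks and capitalised but "low or medium" in plain lower case. Pick one form for all four values.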
@@ -90,7 +92,7 @@ Part of the Microsoft Threat Intelligence available through matching analytics i
90
92
91
93
:::image type="content" source="media/use-matching-analytics-to-detect-threats/mdti-article-link.png" alt-text="Screenshot of an incident with a link to the reference MDTI article.":::
92
94
93
-
For more information, see the [MDTI portal](https://ti.defender.microsoft.com).
95
+
For more information, see the [MDTI portal](https://ti.defender.microsoft.com) and [What is Microsoft Defender Threat Intelligence?](/../../defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti.md)
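Review bot: The new link target `/../../defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti.md` mixes a leading `/` with `../..` segments; a root-relative path cannot climb above the root, so the `..` parts are either ignored or rejected by the link checker, and the target should be written either as a relative path from `articles/sentinel/` (for example `../defender/threat-intelligence/...`) or as a plain root-relative path without the dot segments, whichever the repository's cross-reference convention uses. The sentence also drops the full stop the previous version had after the link; add a period after the closing `)`.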