Skip to content

Commit 2e9d416

Browse files
austinmccollumaustinmccollum
committed
make consistency adjusts
1 parent 7ca3067 commit 2e9d416

File tree

1 file changed

+7
-7
lines changed

1 file changed

+7
-7
lines changed

articles/sentinel/work-with-threat-indicators.md

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -198,24 +198,24 @@ The Microsoft Threat Intelligence Matching Analytics matches the log sources i
198198

199199
| Log source | Description |
200200
| --------- | --------- |
201-
| [CEF](connect-common-event-format.md) | Matching is done for all CEF logs that are ingested in the Log Analytics **CommonSecurityLog** table, except for any where the `DeviceVendor` is listed as `Cisco`. <br><br>To match Microsoft-generated threat intelligence with CEF logs, make sure to map the domain in the `RequestURL` field of the CEF log. |
202-
| [DNS](./data-connectors-reference.md#windows-dns-server-preview) | Matching is done for all DNS logs that are lookup DNS queries from clients to DNS services (`SubType == "LookupQuery"`). DNS queries are processed only for IPv4 (`QueryType=”A”`) and IPv6 queries (`QueryType=” AAAA”`).<br><br>To match Microsoft-generated threat intelligence with DNS logs, no manual mapping of columns is needed, as all columns are standard from Windows DNS Server, and the domains will be in the `Name` column by default. |
203-
| [Syslog](connect-syslog.md) | Matching is currently done for only for Syslog events where the `Facility` is `cron`. <br><br>To match Microsoft-generated threat intelligence with Syslog, no manual mapping of columns is needed. The details come in the `SyslogMessage` field of the Syslog by default, and the rule will parse the domain directly from the SyslogMessage. |
201+
| [CEF](connect-common-event-format.md) | Matching is done for all CEF logs that are ingested in the Log Analytics **CommonSecurityLog** table, except when the `DeviceVendor` is `Cisco`. <br><br>To match Microsoft generated threat intelligence with CEF logs, make sure to map the domain in the `RequestURL` field of the CEF log.|
202+
| [DNS](./data-connectors-reference.md#windows-dns-server-preview) | Matching is done for all DNS logs that are lookup DNS queries from clients to DNS services (`SubType == "LookupQuery"`). DNS queries are processed only for IPv4 (`QueryType=”A”`) and IPv6 queries (`QueryType=” AAAA”`).<br><br>To match Microsoft generated threat intelligence with DNS logs, no manual mapping of columns is needed, as all columns are standard from Windows DNS Server, and the domains will be in the `Name` column by default.|
203+
| [Syslog](connect-syslog.md) | Matching is currently done for only for Syslog events where the `Facility` is `cron`. <br><br>To match Microsoft generated threat intelligence with Syslog, no manual mapping of columns is needed. The details come in the `SyslogMessage` field of the Syslog by default, and the rule will parse the domain directly from the SyslogMessage.|
204204

205205
#### [IPv4](#tab/ipv4)
206206

207207
| Log source | Description |
208208
| --------- | --------- |
209-
|[CEF](connect-common-event-format.md) |Matching is done for all CEF logs that are ingested in the **CommonSecurityLog** table of log analytics except for ones that have `DeviceVendor` as `Cisco`. <br><br>To match Microsoft generated threat intelligence with CEF logs, no manual mapping needs to be done. The IP is populated in the `DestinationIP` field by default.|
210-
| [DNS](./data-connectors-reference.md#windows-dns-server-preview) | Matching is done for all DNS logs that are lookup DNS queries from clients to DNS services (`SubType == "LookupQuery"`). Threat intelligence matching analytics only process DNS queries for IPv4 (`QueryType="A"`). <br><br>To match Microsoft-generated threat intelligence with DNS logs, no manual mapping of columns is needed. All columns are standard from Windows DNS Server. The IPs are in the `IPAddresses` column by default. |
211-
| [Syslog](connect-syslog.md) | Matching is currently done for only for Syslog events where the `Facility` is `cron`. <br><br>To match Microsoft-generated threat intelligence with Syslog, no manual mapping of columns is needed. The details come in the `SyslogMessage` field of the Syslog by default. The rule parses the IP directly from the `SyslogMessage`. |
209+
|[CEF](connect-common-event-format.md) | Matching is done for all CEF logs that are ingested in the Log Analytics **CommonSecurityLog** table, except when the `DeviceVendor` is `Cisco`. <br><br>To match Microsoft generated threat intelligence with CEF logs, no manual mapping needs to be done. The IP is populated in the `DestinationIP` field by default.|
210+
| [DNS](./data-connectors-reference.md#windows-dns-server-preview) | Matching is done for all DNS logs that are lookup DNS queries from clients to DNS services (`SubType == "LookupQuery"`). Threat intelligence matching analytics only process DNS queries for IPv4 (`QueryType="A"`). <br><br>To match Microsoft generated threat intelligence with DNS logs, no manual mapping of columns is needed. All columns are standard from Windows DNS Server. The IPs are in the `IPAddresses` column by default.|
211+
| [Syslog](connect-syslog.md) | Matching is currently done for only for Syslog events where the `Facility` is `cron`. <br><br>To match Microsoft generated threat intelligence with Syslog, no manual mapping of columns is needed. The details come in the `SyslogMessage` field of the Syslog by default. The rule parses the IP directly from the `SyslogMessage`.|
212212

213213
Microsoft Threat Intelligence Matching Analytics currently matches only with IPv4 indicators.
214214

215215
#### [Microsoft Defender Threat Intelligence (MDTI)](#tab/microsoft-defender-threat-intelligence)
216216
| Log source | Description |
217217
| --------- | --------- |
218-
|[CEF](connect-common-event-format.md) |Matching is done for all CEF logs that are ingested in the **CommonSecurityLog** table of log analytics except for ones that have `DeviceVendor` as `Cisco`. <br><br>To match Microsoft generated threat intelligence with CEF logs, no manual mapping needs to be done. The URL is populated in the `RequestURL` field by default.|
218+
|[CEF](connect-common-event-format.md) | Matching is done for all CEF logs that are ingested in the Log Analytics **CommonSecurityLog** table, except when the `DeviceVendor` is `Cisco`. <br><br>To match Microsoft generated threat intelligence with CEF logs, no manual mapping needs to be done. The URL is populated in the `RequestURL` field by default.|
219219

220220

221221
## Workbooks provide insights about your threat intelligence

0 commit comments

Comments
 (0)