File: articles/sentinel/use-matching-analytics-to-detect-threats.md
Lines changed: 7 additions & 9 deletions
@@ -24,15 +24,14 @@ Take advantage of threat intelligence produced by Microsoft to generate high-fid
24
24
25
25
You must install one or more of the supported data connectors to produce high-fidelity alerts and incidents. A premium Microsoft Defender Threat Intelligence license isn't required. Install the appropriate solutions from the **Content hub** to connect these data sources:
26
26
27
-
- Common Event Format
28
-
- DNS (preview)
29
-
- Syslog
30
-
- Office activity logs
27
+
- Common Event Format (CEF) via Legacy Agent
28
+
- Syslog via Legacy Agent
29
+
- Microsoft 365 (formerly, Office 365)
31
30
- Azure activity logs
32
-
-ASIM DNS logs
31
+
-Windows DNS via AMA
33
32
- ASIM Network sessions
34
33
35
-
:::image type="content" source="media/use-matching-analytics-to-detect-threats/data-sources.png" alt-text="A screenshot that shows the Microsoft Defender Threat Intelligence Analytics rule data source connections.":::
34
+
:::image type="content" source="media/use-matching-analytics-to-detect-threats/matching-analytics-template-ga.png" alt-text="A screenshot that shows the Microsoft Defender Threat Intelligence Analytics rule data source connections.":::
36
35
37
36
For example, depending on your data source, you might use the following solutions and data connectors:
38
37
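Review bot: the data-source list now adds "Windows DNS via AMA" (replacing "DNS (preview)" and "ASIM DNS logs"), but the matching-behavior section later in this file drops its Windows DNS description in the same commit, so a reader is told to connect a DNS source without being told which table and fields get matched; either keep a DNS bullet in that section or state here that DNS matching is not covered. The new screenshot file is `matching-analytics-template-ga.png`, yet its alt-text is copied unchanged from the old `data-sources.png` image ("...rule data source connections"); confirm the alt-text still describes what the new image shows. Minor: "Microsoft 365 (formerly, Office 365)" has a stray comma after "formerly".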
@@ -67,7 +66,6 @@ Matching analytics is configured when you enable the **Microsoft Defender Threat
67
66
Microsoft Defender Threat Intelligence Analytics matches your logs with domain, IP, and URL indicators in the following ways:
68
67
69
68
-**CEF logs** ingested into the Log Analytics `CommonSecurityLog` table match URL and domain indicators if populated in the `RequestURL` field, and IPv4 indicators in the `DestinationIP` field.
70
-
-**Windows DNS logs**, where `SubType == "LookupQuery"` ingested into the `DnsEvents` table matches domain indicators populated in the `Name` field, and IPv4 indicators in the `IPAddresses` field.
71
69
-**Syslog events**, where `Facility == "cron"` ingested into the `Syslog` table matches domain and IPv4 indicators directly from the `SyslogMessage` field.
72
70
-**Office activity logs** ingested into the `OfficeActivity` table match IPv4 indicators directly from the `ClientIP` field.
73
71
-**Azure activity logs** ingested into the `AzureActivity` table match IPv4 indicators directly from the `CallerIpAddress` field.
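Review bot: this hunk removes the only description of how Windows DNS logs are matched (`DnsEvents` table, `SubType == "LookupQuery"`, domain indicators in `Name`, IPv4 indicators in `IPAddresses`), while the data-source list above still tells readers to connect "Windows DNS via AMA". If DNS matching still works with the AMA connector, the replacement bullet should name the table and fields used, since the AMA path may not write to `DnsEvents`; if matching no longer covers DNS, drop it from the data-source list as well so defenders do not rely on a detection that will not fire.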
@@ -80,7 +78,7 @@ If Microsoft's analytics finds a match, any alerts generated are grouped into in
80
78
81
79
Use the following steps to triage through the incidents generated by the **Microsoft Defender Threat Intelligence Analytics** rule:
82
80
83
-
1. In the Microsoft Sentinel workspace where you enabled the **Microsoft Defender Threat Intelligence Analytics** rule, select **Incidents**, and search for **Microsoft Defender Threat Intelligence Analytics**.
81
+
1. In the Microsoft Sentinel workspace where you enabled the **Microsoft Defender Threat Intelligence Analytics** rule, select **Incidents**, and search for **Microsoft Threat Intelligence Analytics**.
84
82
85
83
Any incidents that are found appear in the grid.
86
84
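Review bot: the search string in step 1 changes to "Microsoft Threat Intelligence Analytics" while the bold rule name earlier in the same sentence, and the heading line "incidents generated by the **Microsoft Defender Threat Intelligence Analytics** rule", keep the old name. If the rule's display name changed at GA, rename it consistently throughout the article; if it did not, searching for the shortened string may return nothing and an analyst would conclude there are no incidents to triage.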
@@ -94,7 +92,7 @@ Use the following steps to triage through the incidents generated by the **Micro
94
92
95
93
Alerts are then grouped on a per-observable basis of the indicator. For example, all alerts generated in a 24-hour time period that match the `contoso.com` domain are grouped into a single incident with a severity assigned based on the highest alert severity.
96
94
97
-
1. Observe the indicator information. When a match is found, the indicator is published to the Log Analytics `ThreatIntelligenceIndicators` table, and it appears on the **Threat Intelligence** page. For any indicators published from this rule, the source is defined as **Microsoft Defender Threat Intelligence Analytics**.
95
+
1. Observe the indicator information. When a match is found, the indicator is published to the Log Analytics `ThreatIntelligenceIndicators` table, and it appears on the **Threat Intelligence** page. For any indicators published from this rule, the source is defined as **Microsoft Threat Intelligence Analytics**.
98
96
99
97
Here's an example of the `ThreatIntelligenceIndicators` table.
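Review bot: the indicator source is renamed to "Microsoft Threat Intelligence Analytics" here, matching the search-string change above, but the rule is still called "Microsoft Defender Threat Intelligence Analytics" elsewhere in this file; settle on one name so the source value analysts filter on in the Threat Intelligence page matches the rule they enabled. Also confirm that matched indicators still land in `ThreatIntelligenceIndicators`, since the removed what's-new links below refer to opting in to new threat intelligence tables; if the table differs for opted-in workspaces, say so next to the example.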
-[Unlock advanced hunting with new STIX objects by opting in to new threat intelligence tables](#unlock-advanced-hunting-with-new-stix-objects-by-opting-in-to-new-threat-intelligence-tables)
29
30
-[Threat intelligence upload API now supports more STIX objects](#threat-intelligence-upload-api-now-supports-more-stix-objects)
@@ -35,7 +36,11 @@ Get notified when this page is updated by copying and pasting the following URL
35
36
36
37
Optimize threat intelligence feeds by filtering and enhancing objects before they're delivered to your workspace. Ingestion rules update threat intel object attributes, or filter objects out all together.
37
38
38
-
For more information, see [Understand threat intelligence ingestion rules](understand-threat-intelligence.md#configure-ingestion-rules)
39
+
For more information, see [Understand threat intelligence ingestion rules](understand-threat-intelligence.md#configure-ingestion-rules).
40
+
41
+
### Matching analytics rule now generally available (GA)
42
+
43
+
Microsoft provides access to its premium threat intelligence through the Defender Threat Intelligence analytics rule which is now generally available (GA). For more information on how to take advantage of this rule, which generates high-fidelity alerts and incidents, see [Use matching analytics to detect threats](use-matching-analytics-to-detect-threats.md).
39
44
40
45
### Threat intelligence management interface has moved
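Review bot: the new GA paragraph needs a comma before "which" ("...Defender Threat Intelligence analytics rule, which is now generally available (GA)") and introduces yet another spelling of the rule name ("Defender Threat Intelligence analytics rule"); align it with whichever name the linked article settles on. The period added to the ingestion-rules link sentence is correct. Separately, the two removed table-of-contents links just above this hunk ("Unlock advanced hunting with new STIX objects..." and "Threat intelligence upload API now supports more STIX objects") have no matching section removal visible in this commit; confirm those sections still exist and the links were dropped intentionally, or the in-page navigation will lose entries that still have content.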