
Commit d7bbf73

Merge pull request #201969 from cwatson-cat/docs-editor/work-with-threat-indicators-1655480580
Sentinel TI - Add table for IP indicator matching
2 parents 591ecd4 + 348da02 commit d7bbf73

File tree

1 file changed

+32
-20
lines changed


articles/sentinel/work-with-threat-indicators.md

Lines changed: 32 additions & 20 deletions
@@ -70,7 +70,6 @@ The **Threat intelligence** page also allows you to create threat indicators dir
7070

7171
> [!IMPORTANT]
7272
> GeoLocation and WhoIs enrichment is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
73-
>
7473
7574
#### Create a new indicator
7675

@@ -123,20 +122,22 @@ Below is an example of how to enable and configure a rule to generate security a
123122
:::image type="content" source="media/work-with-threat-indicators/threat-intel-create-analytics-rule.png" alt-text="Create analytics rule":::
124123

125124
1. The rule logic portion of the wizard has been pre-populated with the following items:
126-
- The query that will be used in the rule.
127125

128-
- Entity mappings, which tell Microsoft Sentinel how to recognize entities like Accounts, IP addresses, and URLs, so that **incidents** and **investigations** understand how to work with the data in any security alerts generated by this rule.
126+
- The query that will be used in the rule.
129127

130-
- The schedule to run this rule.
128+
- Entity mappings, which tell Microsoft Sentinel how to recognize entities like Accounts, IP addresses, and URLs, so that **incidents** and **investigations** understand how to work with the data in any security alerts generated by this rule.
131129

132-
- The number of query results needed before a security alert is generated.
130+
- The schedule to run this rule.
131+
132+
- The number of query results needed before a security alert is generated.
133133

134134
The default settings in the template are:
135-
- Run once an hour.
136135

137-
- Match any IP address threat indicators from the **ThreatIntelligenceIndicator** table with any IP address found in the last one hour of events from the **AzureActivity** table.
136+
- Run once an hour.
137+
138+
- Match any IP address threat indicators from the **ThreatIntelligenceIndicator** table with any IP address found in the last one hour of events from the **AzureActivity** table.
138139

139-
- Generate a security alert if the query results are greater than zero, meaning if any matches are found.
140+
- Generate a security alert if the query results are greater than zero, meaning if any matches are found.
140141

141142
You can leave the default settings or change them to meet your requirements, and you can define incident-generation settings on the **Incident settings** tab. For more information, see [Create custom analytics rules to detect threats](detect-threats-custom.md). When you are finished, select the **Automated response** tab.
142143

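Review bot: the reflow at new lines 125-133 and 135-141 only inserts blank lines between the bullets under `1. The rule logic portion of the wizard has been pre-populated with the following items:`, and the rendered view drops leading whitespace, so confirm that each `- ` item and the blank line separating it stay indented under the numbered step. A bullet list that is unindented and separated from a `1.` item by a blank line closes the ordered list, and any later `1.` step would restart numbering at 1.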
@@ -156,7 +157,6 @@ IMPORTANT: Microsoft Sentinel refreshes indicators every 14 days to make sure th
156157

157158
> [!IMPORTANT]
158159
> Matching analytics is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
159-
>
160160
161161
[Create a rule](detect-threats-built-in.md#use-built-in-analytics-rules) using the built-in **Microsoft Threat Intelligence Matching Analytics** analytics rule template to have Microsoft Sentinel match Microsoft-generated threat intelligence data with the logs you've ingested in to Microsoft Sentinel.
162162

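Review bot: the context line in the hunk header, `IMPORTANT: Microsoft Sentinel refreshes indicators every 14 days ...`, is a plain-text IMPORTANT while the note two lines below uses the `> [!IMPORTANT]` callout that this hunk is tidying; since the hunk already touches that note, consider converting the plain-text one to the same callout so both render as admonitions.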
@@ -192,41 +192,52 @@ In the **Threat Intelligence** page:
192192

193193
### Supported log sources for matching analytics
194194

195-
The **Microsoft Threat Intelligence Matching Analytics** rule is currently supported for the following log sources:
195+
The Microsoft Threat Intelligence Matching Analytics matches the log sources in the following tables with domain and IP indicators.
196+
197+
#### Domain indicator matching
196198

197199
| Log source | Description |
198200
| --------- | --------- |
199201
| [CEF](connect-common-event-format.md) | Matching is done for all CEF logs that are ingested in the Log Analytics **CommonSecurityLog** table, except for any where the `DeviceVendor` is listed as `Cisco`. <br><br>To match Microsoft-generated threat intelligence with CEF logs, make sure to map the domain in the `RequestURL` field of the CEF log. |
200202
| [DNS](./data-connectors-reference.md#windows-dns-server-preview) | Matching is done for all DNS logs that are lookup DNS queries from clients to DNS services (`SubType == "LookupQuery"`). DNS queries are processed only for IPv4 (`QueryType=”A”`) and IPv6 queries (`QueryType=” AAAA”`).<br><br>To match Microsoft-generated threat intelligence with DNS logs, no manual mapping of columns is needed, as all columns are standard from Windows DNS Server, and the domains will be in the `Name` column by default. |
201203
| [Syslog](connect-syslog.md) | Matching is currently done for only for Syslog events where the `Facility` is `cron`. <br><br>To match Microsoft-generated threat intelligence with Syslog, no manual mapping of columns is needed. The details come in the `SyslogMessage` field of the Syslog by default, and the rule will parse the domain directly from the SyslogMessage. |
202204

205+
#### IP indicator matching
203206

207+
Microsoft Threat Intelligence Matching Analytics currently matches only with IPv4 indicators.
208+
209+
| Log source | Description |
210+
| --------- | --------- |
211+
|[CEF](connect-common-event-format.md) |Matching is done for all CEF logs that are ingested in the **CommonSecurityLog** table of log analytics except for ones that have `DeviceVendor` as `Cisco`. <br><br>To match Microsoft generated threat intelligence with CEF logs, no manual mapping needs to be done. The IP is populated in the `DestinationIP` field by default.|
212+
| [DNS](./data-connectors-reference.md#windows-dns-server-preview) | Matching is done for all DNS logs that are lookup DNS queries from clients to DNS services (`SubType == "LookupQuery"`). Threat intelligence matching analytics only process DNS queries for IPv4 (`QueryType="A"`). <br><br>To match Microsoft-generated threat intelligence with DNS logs, no manual mapping of columns is needed. All columns are standard from Windows DNS Server. The IPs are in the `IPAddresses` column by default. |
213+
| [Syslog](connect-syslog.md) | Matching is currently done for only for Syslog events where the `Facility` is `cron`. <br><br>To match Microsoft-generated threat intelligence with Syslog, no manual mapping of columns is needed. The details come in the `SyslogMessage` field of the Syslog by default. The rule parses the IP directly from the `SyslogMessage`. |
204214

205215
## Workbooks provide insights about your threat intelligence
206216

207217
You can use a purpose-built Microsoft Sentinel workbook to visualize key information about your threat intelligence in Microsoft Sentinel, and you can easily customize the workbook according to your business needs.
208218

209219
Here's how to find the threat intelligence workbook provided in Microsoft Sentinel, and an example of how to make edits to the workbook to customize it.
210220

211-
1. From the [Azure portal](https://portal.azure.com/), navigate to the **Microsoft Sentinel** service.
221+
1. From the [Azure portal](https://portal.azure.com/), navigate to the **Microsoft Sentinel** service.
212222

213-
1. Choose the **workspace** to which you’ve imported threat indicators using either threat intelligence data connector.
223+
1. Choose the **workspace** to which you’ve imported threat indicators using either threat intelligence data connector.
214224

215-
1. Select **Workbooks** from the **Threat management** section of the Microsoft Sentinel menu.
225+
1. Select **Workbooks** from the **Threat management** section of the Microsoft Sentinel menu.
216226

217-
1. Find the workbook titled **Threat Intelligence** and verify you have data in the **ThreatIntelligenceIndicator** table as shown below.
227+
1. Find the workbook titled **Threat Intelligence** and verify you have data in the **ThreatIntelligenceIndicator** table as shown below.
218228

219-
:::image type="content" source="media/work-with-threat-indicators/threat-intel-verify-data.png" alt-text="Verify data":::
229+
:::image type="content" source="media/work-with-threat-indicators/threat-intel-verify-data.png" alt-text="Verify data":::
220230

221-
1. Select the **Save** button and choose an Azure location to store the workbook. This step is required if you are going to modify the workbook in any way and save your changes.
231+
1. Select the **Save** button and choose an Azure location to store the workbook. This step is required if you are going to modify the workbook in any way and save your changes.
222232

223-
1. Now select the **View saved workbook** button to open the workbook for viewing and editing.
233+
1. Now select the **View saved workbook** button to open the workbook for viewing and editing.
224234

225-
1. You should now see the default charts provided by the template. To modify a chart, select the **Edit** button at the top of the page to enter editing mode for the workbook.
235+
1. You should now see the default charts provided by the template. To modify a chart, select the **Edit** button at the top of the page to enter editing mode for the workbook.
226236

227-
1. Add a new chart of threat indicators by threat type. Scroll to the bottom of the page and select **Add Query**.
237+
1. Add a new chart of threat indicators by threat type. Scroll to the bottom of the page and select **Add Query**.
238+
239+
1. Add the following text to the **Log Analytics workspace Log Query** text box:
228240

229-
1. Add the following text to the **Log Analytics workspace Log Query** text box:
230241
```kusto
231242
ThreatIntelligenceIndicator
232243
| summarize count() by ThreatType
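Review bot: the new Syslog row in the IP indicator table (new line 213) copies the doubled preposition from the domain table, `Matching is currently done for only for Syslog events where the `Facility` is `cron`.`; drop one `for` in both rows. In the same table, the CEF row says the IP `is populated in the `DestinationIP` field by default` but does not say whether `SourceIP` is matched at all, which readers tuning this rule will want stated either way, and that row writes `Microsoft generated` and `log analytics` where the rest of the section uses `Microsoft-generated` and `Log Analytics`. Finally, the domain-table DNS row (context line 200/202) has curly quotes and a stray space in `QueryType=”A”` and `QueryType=” AAAA”` while the new IP row uses `QueryType="A"`; straighten the quotes so the predicate can be pasted into KQL as written.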
@@ -245,6 +256,7 @@ There is also a rich community of [Azure Monitor workbooks on GitHub](https://gi
245256
## Next steps
246257
247258
In this article, you learned all the ways you can work with threat intelligence indicators throughout Microsoft Sentinel. For more about threat intelligence in Microsoft Sentinel, see the following articles:
259+
248260
- [Understand threat intelligence in Microsoft Sentinel](understand-threat-intelligence.md).
249261
- Connect Microsoft Sentinel to [STIX/TAXII threat intelligence feeds](./connect-threat-intelligence-taxii.md).
250262
- [Connect threat intelligence platforms](./connect-threat-intelligence-tip.md) to Microsoft Sentinel.
