articles/sentinel/use-matching-analytics-to-detect-threats.md
Lines changed: 3 additions & 1 deletion
@@ -25,6 +25,7 @@ Take advantage of threat intelligence produced by Microsoft to generate high-fid
25
25
You must install one or more of the supported data connectors to produce high-fidelity alerts and incidents. A premium Microsoft Defender Threat Intelligence license isn't required. Install the appropriate solutions from the **Content hub** to connect these data sources:
26
26
27
27
- Common Event Format (CEF) via Legacy Agent
28
+
- Windows DNS via Legacy Agent (Preview)
28
29
- Syslog via Legacy Agent
29
30
- Microsoft 365 (formerly, Office 365)
30
31
- Azure activity logs
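Review bot: the new list item names the data source "Windows DNS via Legacy Agent (Preview)", but the solutions table later in this same file calls the solution "Windows Server DNS" and its connector "DNS connector for Microsoft Sentinel", with no preview marker. Use one name for the source in both places and, if the connector is in preview, say so in the table row as well, so a reader can match the list item to the solution they need to install from the Content hub.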
@@ -41,7 +42,7 @@ You must install one or more of the supported data connectors to produce high-fi
41
42
|[Windows Server DNS](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-dns?tab=Overview)|[DNS connector for Microsoft Sentinel](data-connectors/dns.md)|
42
43
|[Syslog solution for Sentinel](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-syslog?tab=Overview)|[Syslog connector for Microsoft Sentinel](data-connectors/syslog.md)|
43
44
|[Microsoft 365 solution for Sentinel](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-office365?tab=Overview)|[Office 365 connector for Microsoft Sentinel](data-connectors/office-365.md)|
44
-
|[Azure Activity solution for Sentinel](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-azureactivity?tab=Overview)|[Azure Activity connector for Microsoft Sentinel](data-connectors/azure-activity.md)|
45
+
|[Azure Activity solution for Sentinel](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-azureactivity?tab=Overview)|[Azure Activity connector for Microsoft Sentinel](data-connectors/azure-activity.md)|
45
46
46
47
## Configure the matching analytics rule
47
48
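Review bot: the removed and re-added Azure Activity table rows are identical as rendered, so this hunk is either a whitespace or line-ending change or an accidental no-op, and it accounts for one of the "3 additions & 1 deletion" in this commit. If the remove/re-add was meant to carry a visible change (for example a "(Preview)" marker on the "Windows Server DNS" row to match the new list item above), that change did not make it in; if it is whitespace only, drop it so the commit is limited to the documented change.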
@@ -66,6 +67,7 @@ Matching analytics is configured when you enable the **Microsoft Defender Threat
66
67
Microsoft Defender Threat Intelligence Analytics matches your logs with domain, IP, and URL indicators in the following ways:
67
68
68
69
-**CEF logs** ingested into the Log Analytics `CommonSecurityLog` table match URL and domain indicators if populated in the `RequestURL` field, and IPv4 indicators in the `DestinationIP` field.
70
+
-**Windows DNS logs**, where `SubType == "LookupQuery"` ingested into the `DnsEvents` table matches domain indicators populated in the `Name` field, and IPv4 indicators in the `IPAddresses` field.
69
71
-**Syslog events**, where `Facility == "cron"` ingested into the `Syslog` table matches domain and IPv4 indicators directly from the `SyslogMessage` field.
70
72
-**Office activity logs** ingested into the `OfficeActivity` table match IPv4 indicators directly from the `ClientIP` field.
71
73
-**Azure activity logs** ingested into the `AzureActivity` table match IPv4 indicators directly from the `CallerIpAddress` field.
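Review bot: the new Windows DNS bullet reads "where `SubType == "LookupQuery"` ingested into the `DnsEvents` table matches ...", which drops the relative clause and uses singular "matches" for the plural subject "logs"; the CEF, Office and Azure activity bullets in the same list use "match". Suggest: "- **Windows DNS logs** with `SubType == "LookupQuery"`, ingested into the `DnsEvents` table, match domain indicators populated in the `Name` field and IPv4 indicators in the `IPAddresses` field." The existing Syslog bullet has the same construction and could be fixed the same way. It would also help readers who are assessing detection coverage to state explicitly that `DnsEvents` rows with other `SubType` values are not evaluated against indicators, if that is the behavior the filter implies.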