Microsoft Sentinel Blog

Microsoft Threat Intelligence Matching Analytics: IP Detections

RijutaKapoor, Microsoft
Jun 16, 2022

Microsoft Sentinel can reference premium threat intelligence data produced by Microsoft for detection and analysis through the Microsoft threat intelligence matching analytics.

This analytic rule matches your logs against Microsoft TI and generates high-fidelity alerts and incidents whose severity is set from the context of the matching log. Once a match is generated, the indicator is published to your threat intelligence repository in Microsoft Sentinel.

Until now, only “domain” indicators from Microsoft were used by this rule. Today we are announcing the addition of IP indicators to this analytic for matching purposes.

IP indicators are now matched against the following three log sources:

  1. Common Security logs (CEF)
  2. DNS logs
  3. Syslog

Steps to use IP detections with the Microsoft Threat Intelligence Matching analytics:

If you have already enabled this rule, you do not have to do anything to start matching your logs with IP indicators; this is done by default for your workspace.

If you have not enabled this rule, follow the steps mentioned here to get immediate value from Microsoft-generated TI within Sentinel.

How IP detections work with the Microsoft Threat Intelligence Matching analytics:

Common Security Logs (CEF):

  • Matching is done for all CEF logs ingested into the CommonSecurityLog table of Log Analytics, except for those whose DeviceVendor is "Cisco".
  • No manual mapping is needed to match Microsoft-generated threat intelligence with CEF logs: the IP that is compared is the one populated in the "DestinationIP" field by default.

DNS Logs

  • Matching is done for all DNS logs that are lookup queries from clients to DNS services (SubType == "LookupQuery"). The threat intelligence matching analytics only processes DNS queries for IPv4 (QueryType == "A").
  • No manual mapping of columns is needed to match Microsoft-generated threat intelligence with DNS logs. All columns are the standard ones from Windows DNS Server; the IPs are in the "IPAddresses" column by default.

Syslog

  • Matching is done for Syslog events whose Facility is "cron". This will be extended to additional log types in the future.
  • No manual mapping of columns is needed to match Microsoft-generated threat intelligence with Syslog, because the details arrive in the "SyslogMessage" field of the Syslog table by default. The rule parses the IP out of the SyslogMessage.

Only IPv4 indicators are matched; IPv6 indicators are not part of this matching analytic as of now.
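To make the preconditions in the three sections above concrete, here is an added Python model of which rows would even be compared against an IPv4 indicator. It is not Sentinel's own rule logic or code from this post; the indicator values and rows are constructed, and the "DnsEvents" table name is an assumption (the post only says "DNS logs").

```python
import re

# Constructed sample data (not real indicators): one IPv4 and one IPv6 indicator.
SAMPLE_INDICATORS = ["203.0.113.45", "2001:db8::1"]

# Constructed rows shaped like the three tables the rule reads; "# skipped" rows fail a precondition.
SAMPLE_TABLES = {
    "CommonSecurityLog": [
        {"DeviceVendor": "Palo Alto Networks", "DestinationIP": "203.0.113.45"},
        {"DeviceVendor": "Cisco", "DestinationIP": "203.0.113.45"},  # skipped: Cisco is excluded
    ],
    "DnsEvents": [  # assumed table name for the Windows DNS Server logs
        {"SubType": "LookupQuery", "QueryType": "A", "IPAddresses": "198.51.100.7, 203.0.113.45"},
        {"SubType": "LookupQuery", "QueryType": "AAAA", "IPAddresses": "2001:db8::1"},  # skipped
        {"SubType": "DynamicUpdate", "QueryType": "A", "IPAddresses": "203.0.113.45"},  # skipped
    ],
    "Syslog": [
        {"Facility": "cron", "SyslogMessage": "(root) CMD (rsync backup@203.0.113.45::data /srv)"},
        {"Facility": "auth", "SyslogMessage": "Accepted publickey from 203.0.113.45"},  # skipped
    ],
}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # dotted-quad shape only

def ipv4_indicators(indicators):
    """Keep only IPv4 indicators; the post states IPv6 indicators are not matched."""
    return {i for i in indicators if IPV4_RE.fullmatch(i)}

def candidate_ips(table, row):
    """IPs the rule would compare for one row, or [] when the row is out of scope."""
    if table == "CommonSecurityLog":  # DestinationIP, every vendor except Cisco
        if row.get("DeviceVendor") == "Cisco" or not row.get("DestinationIP"):
            return []
        return [row["DestinationIP"]]
    if table == "DnsEvents":  # lookup queries for A records; IPAddresses is comma separated
        if row.get("SubType") != "LookupQuery" or row.get("QueryType") != "A":
            return []
        return [p.strip() for p in row.get("IPAddresses", "").split(",") if p.strip()]
    if table == "Syslog":  # only Facility "cron"; the IP is parsed out of SyslogMessage
        if row.get("Facility") != "cron":
            return []
        return IPV4_RE.findall(row.get("SyslogMessage", ""))
    return []

def match(indicators, tables):
    """Return (table, ip) pairs for every in-scope row whose IP is an IPv4 indicator."""
    iocs = ipv4_indicators(indicators)
    return [(table, ip) for table, rows in tables.items()
            for row in rows for ip in candidate_ips(table, row) if ip in iocs]
```

Running `match(SAMPLE_INDICATORS, SAMPLE_TABLES)` yields one hit per table; the Cisco, AAAA, DynamicUpdate and non-cron rows are never compared, which is the behaviour to keep in mind when a known-bad IP in those rows produces no incident.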

Conclusion

Hopefully, this article has helped you understand how to use the Microsoft threat intelligence matching analytics to generate high-fidelity alerts and incidents from premium Microsoft TI, and how to triage them using the information carried by the indicator of compromise (IOC) published to the workspace.

Updated Jun 16, 2022
Version 1.0

3 Comments

  • llewlynmoss
    Copper Contributor

    Having a few issues here with suspected false positives and broken links to knowledge articles. Is there a platform through which we can search for indicators other than https://ti.defender.microsoft.com? My experience thus far has reinforced my disdain for Threat Intel "Feeds" that are nothing but a list of atomics with no context. Not so much intelligence as noise.

  • RijutaKapoor For the DNS logs (SubType == "LookupQuery"), which table is it matched against?

    Would it automatically take up DNS logs coming via Zscaler DNS to CommonSecurityLog table?

    Or is this only applicable for Azure DNS logs?

  • “Threat intelligence matching analytics only process DNS queries for IPv4 (QueryType="A").”

    Is this meant to say that the matching is done against the response? The query itself would only contain the hostname for which an IP address is desired.