Microsoft Sentinel users can use Microsoft Defender Threat Intelligence (Defender TI) 's threat intelligence indicators to generate detections within Microsoft Sentinel. Microsoft Sentinel users with appropriate permissions can enable the "Microsoft Threat Intelligence Analytics" Analytic rule template, which will allow the correlation of Defender TI's threat intelligence phishing and malware feed indicators along with its' article indicators against the user's event logs in their Log Analytics workspace every hour. Suppose there is a correlation between the Defender TI indicators and the user's logs. In that case, an incident will generate, and the indicator that triggered the incident will write to Sentinel's Threat intelligence table. Therefore, the user can then view the indicator in their Microsoft Sentinel Threat intelligence blade and the associated incident in the Incidents blade. Users will need to filter by the Microsoft Threat Intelligence Analytics source to identify Defender TI phishing, malware, and article indicators that have generated incidents.
Figure 1 – Threat Intelligence indicators, filtered by Microsoft Threat Intelligence Analytics source
How to locate the "Microsoft Threat Intelligence Analytics" Analytic Rule template