Blog Post

Microsoft Sentinel Blog
4 MIN READ

Microsoft Threat Intelligence Matching Analytics

RijutaKapoor's avatar
RijutaKapoor
Icon for Microsoft rankMicrosoft
Jul 28, 2021

Introduction

Azure Sentinel is a cloud native SIEM solution that allows various ways to bring your own threat intelligence data (BYOTI) like STIX/TAXII and from various Threat Intelligence Platforms.

Apart from bringing in your own threat intelligence data, you can also reference threat intelligence data produced by Microsoft for detection and analysis.

Today we are announcing launch of a new analytic rule called Microsoft Threat Intelligence Matching analytics that matches Microsoft generated threat intelligence data with your logs and generates high fidelity alerts/incidents with appropriate severity based on the context of the log. Once a match is generated, the indicator is published to your threat intelligence repository in Azure Sentinel.

 

In this blog, we will cover:

  1. Details and working of the Microsoft Threat Intelligence Matching analytics
  2. How to enable Microsoft Threat Intelligence Matching analytics
  3. Log sources and threat intelligence types used for matching by this rule
  4. Alert grouping for incident generation and searching IOC’s published by this rule

 

Details and working of the Microsoft Threat Intelligence Matching analytics

Microsoft Threat Intelligence matching analytics is an out of the box analytic rule offered to all Azure Sentinel customers. This rule matches your log data with Microsoft generated threat intelligence. Microsoft has a vast repository of threat intelligence data, and this analytic rule uses a subset of this threat intelligence data to generate high fidelity alerts and incidents for SOC teams to triage.

Currently, this rule matches domain indicators against the following log sources:

  1. Common Security Logs (CEF)
  2. DNS logs
  3. Syslog

How to enable Microsoft Threat Intelligence Matching analytics

Microsoft Threat Intelligence matching analytics can be discovered in the Analytic menu of Azure Sentinel.

Follow the below steps to enable this rule:

  1. Open the Azure portal and navigate to the Azure Sentinel service.
  2. Choose the workspace in which you would like to enable this rule.
  3. Select Analytics from the menu and search for “Microsoft Threat Intelligence Analytics” in the Rule Templates tab.
  4. Click the Create Rule button and make the status of the rule as Enabled.
  5. Click the Next button and review all the details. Click Save.
  6. Now the rule is enabled and will show up in the Active Rules tab.

 

Log sources and threat intelligence types used for matching by this rule

The Threat Intelligence Matcing analytic rule matches Microsoft threat intelligence with your log data. Currently, the following types of logs are available for matching:

1. Common Security Logs (CEF):

  • Matching is done for all CEF logs that are ingested in the CommonSecurityLog table of log analytics except for one that have DeviceVendor as “Cisco”.
  • To match Microsoft generated threat intelligence with CEF logs, please have the domain mapped in the “RequestURL” field of the CEF log. 

2. DNS logs

  • Matching is done for all DNS logs which are lookup DNS queries from clients to DNS services (SubType == "LookupQuery"). Threat Intelligence matching analytics only processes DNS queries for IPv4 (QueryType=”A”) and IPv6 queries(QueryType=” AAAA”).
  • To match Microsoft generated threat intelligence with DNS logs, no manual mapping of columns is needed. All columns are standard from Windows DNS Server. The domains will be in “Name” column by standard.

3. Syslog

  • Matching is done for Syslog events with Facility as “cron”. This will be extended to additional log types in the future.
  • To match Microsoft generated threat intelligence with Syslog, no manual mapping of columns is needed as the details come in the “SyslogMessage” field of the Syslog by default. The rule will parse the domain from the SyslogMessage.

Alert grouping for incident generation and searching IOC’s published by this rule

The Microsoft Threat Intelligence matching analytic generates alert every time a match is received. The rule performs alert grouping while generating incidents. The alerts are grouped on a per observable basis over a 24-hour timeframe. For example, all alerts generated in a 24-hour duration for a match with domain “abc.com” will be grouped in a single incident.

To triage through incidents generated by this analytic rule, you can follow the below steps:

  1. Open the Azure portal and navigate to the Azure Sentinel service.
  2. Choose the workspace in which you have enabled this rule.
  3. Select Incidents from the menu and search for “Microsoft threat Intelligence Analytics”.
  4. If you have any incidents they will show up in the grid of incidents.
  5. Click on the View full details button to view entities and other details about the incident like alerts.

Once a match is received, the indicator is also published to the ThreatIntelligenceIndicators table of log analytics and shows up in the Threat Intelligence menu. The indicators are stamped with the Source as “Microsoft Threat Intelligence Analytics”.

 

 

 

Conclusion

Hopefully, this article has helped you understand how to leverage Microsoft generated threat intelligence matching analytics for generating high fidelity alerts and incidents and triage through them using the information provided with the indicator of compromise (IOC) published to the workspace.

Updated Jul 28, 2021
Version 1.0
  • AdiGrio's avatar
    AdiGrio
    Brass Contributor

    Ref. exclusion of Cisco,  my guess is that is due to the fact  that Cisco  ASA logs are being converted to CEF after the threat intel match. Cisco ASAs don't support CEF and Sentinel is parsing those logs and converts them to CEF in the background (they are the only type of devices that get this special treatment). 

  • BaselFawal's avatar
    BaselFawal
    Brass Contributor

    Hi same question as tborn, 

    How to enable "Microsoft Threat Intelligence Analytics" TI Source in Microsoft Sentinel?

  • I don't find the Microsoft Threat Intelligence Analytics rule in the Rule Templates tab? Do I just wait for it to be flighted in my client's tenant?

     

  • diegotconti's avatar
    diegotconti
    Copper Contributor

    Hello, The rule states that we should disable any custom rule matching TI indicators. Does it mean we should disable all the (Preview) TI map analytical rules?

     

  • Hello there. 

     

    Where the "Microsoft has a vast repository of threat intelligence data" comes from?  Is there any official documentation explaining the origin of this data? Are these feeds, our signals from Microsoft of some 3P?