Microsoft Tech Community

MS Sentinel - Matching Analytics with Threat Intelligence - MDE Logs match

Use matching analytics to detect threats

https://learn.microsoft.com/en-us/azure/sentinel/use-matching-analytics-to-detect-threats

Hello All,

So I came across the documentation above but do not have the prerequisites of CEF, DNS or syslog. We have data for MS Cloud, Office 365 and Microsoft Defender for Endpoint in Sentinel. I have also set up Threat Intelligence TAXII feeds in Sentinel. Is there really no other way to use the TI to match against common fields like domain/URL/IP/hashes from MDE?

I am new to KQL, but I was trying something similar with the query below and I feel my query is off. Please let me know what is missing or if this simply can't be done.

In other SIEMs like Splunk you can easily take IOCs in an index and search across other indexes for matches. I was hoping there would be a similar way to accomplish this task in MS Sentinel.

Thanks

let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
// keep only the latest copy of each indicator (this renames the TI side's TimeGenerated to LatestIndicatorTime)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
// Picking up only IOC's that contain the entities we want
| where isnotempty(Url)
// join keys are compared case-sensitively, so normalise both sides to lowercase
| extend RemoteUrl = tolower(Url)
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
    DeviceNetworkEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(RemoteUrl)
    | extend RemoteUrl = tolower(RemoteUrl)
) on RemoteUrl
// TimeGenerated is now the device event time; drop matches against indicators that had already expired
| where TimeGenerated < ExpirationDateTime
| summarize TimeGenerated = arg_max(TimeGenerated, *) by IndicatorId, Url
// project-reorder requires a column list (it errors with none); project the columns an analyst needs instead
| project TimeGenerated, DeviceName, DeviceId, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, IndicatorId, Url, Description, ThreatType, ConfidenceScore, ExpirationDateTime
// Note: DeviceNetworkEvents.RemoteUrl is frequently just a hostname (e.g. the SNI of a TLS connection), so full-URL indicators
// only match when MDE logged the full URL; DomainName indicators matched against the host portion of RemoteUrl cover the rest.

0 Replies
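The post asks about hashes as well as URLs. As an added example (not part of the original post and not one of Microsoft's own analytics templates), the same join pattern applied to file-hash indicators against Defender for Endpoint's file and process tables. It assumes the standard Sentinel column names on ThreatIntelligenceIndicator (FileHashValue, FileHashType, Active, ExpirationDateTime) and on the MDE tables (SHA1, SHA256, MD5), and that indicator hash values may arrive in mixed case.

```kusto
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
// Hash indicators from the TI table: latest copy of each, still active and unexpired.
let hash_iocs = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and isnotempty(FileHashValue)
    // join compares hex strings case-sensitively, so normalise to lowercase
    | extend FileHashValue = tolower(FileHashValue);
// MDE file and process events carry three hash columns; turn them into one
// (MatchedHashType, FileHashValue) row per hash so a single join covers MD5, SHA1 and SHA256.
let device_hashes = union isfuzzy=true DeviceFileEvents, DeviceProcessEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | project TimeGenerated, DeviceName, DeviceId, ActionType, FileName, FolderPath, InitiatingProcessFileName, SHA1, SHA256, MD5
    | extend Hashes = pack_array(
        bag_pack("Type", "SHA256", "Value", SHA256),
        bag_pack("Type", "SHA1", "Value", SHA1),
        bag_pack("Type", "MD5", "Value", MD5))
    | mv-expand Hashes
    | extend MatchedHashType = tostring(Hashes.Type), FileHashValue = tolower(tostring(Hashes.Value))
    // events where a given hash column is empty produce an empty value here; drop those rows
    | where isnotempty(FileHashValue)
    | project-away Hashes, SHA1, SHA256, MD5;
hash_iocs
// innerunique: one indicator row per hash is enough to flag the device activity for investigation
| join kind=innerunique device_hashes on FileHashValue
// the TI side's TimeGenerated was renamed above, so this is the device event time
| where TimeGenerated < ExpirationDateTime
| summarize TimeGenerated = arg_max(TimeGenerated, *) by IndicatorId, DeviceId, FileHashValue
| project TimeGenerated, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, MatchedHashType, FileHashValue, FileHashType, IndicatorId, Description, ThreatType, ConfidenceScore, ExpirationDateTime
```

The same shape works for DomainName indicators against the host portion of DeviceNetworkEvents.RemoteUrl and NetworkIP indicators against RemoteIP; only the normalisation step and the join key change.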