Microsoft Sentinel can reference premium threat intelligence produced by Microsoft for detection and analysis through the Microsoft Threat Intelligence matching analytics rule.
This analytic rule matches your logs against Microsoft TI and generates high-fidelity alerts and incidents, with the severity set from the context of the matching log. Once a match is generated, the matched indicator is published to the threat intelligence repository in your Microsoft Sentinel workspace, so the indicator's details are available alongside the incident for triage.
Until now, this rule used only Microsoft "domain" indicators. Today we are announcing the addition of IP indicators to this analytic for matching purposes.
IP indicators are now matched against the following three log sources: Common Security Logs (CEF), DNS Logs, and Syslog.
Steps to use IP detections with the Microsoft Threat Intelligence Matching analytics:
If you have already enabled this rule, you do not need to do anything to start matching your logs against IP indicators; this is done by default for your workspace.
If you have not enabled this rule, follow the steps referenced here to get immediate value from Microsoft-generated TI within Sentinel.
How IP detections work with the Microsoft Threat Intelligence Matching analytics:
Common Security Logs (CEF)
DNS Logs
Syslog
Only IPv4 indicators are matched; IPv6 indicators are not part of this matching analytics as of now.
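The following is an added, stand-alone illustration of the matching described above, written for this article; it is not Microsoft's managed rule logic, which is not published. It shows which fields a practitioner would compare against IP indicators in each of the three sources (the src=/dst= CEF extensions, the DNS client and resolved addresses, and any address in a free-text Syslog message), filters out IPv6 indicators the way the analytic currently does, and assigns a severity. The indicators, log records and the confidence-to-severity mapping are all constructed assumptions for the example (documentation IP ranges, not real IOCs).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicators standing in for Microsoft TI (documentation ranges, not real IOCs).
INDICATORS = {
    "198.51.100.23": {"threat_type": "C2", "confidence": 90},
    "203.0.113.77": {"threat_type": "Malware", "confidence": 60},
    "2001:db8::bad": {"threat_type": "C2", "confidence": 90},  # IPv6: skipped, as the analytic does today
}

# Constructed sample records for the three log sources the analytic matches against.
CEF_LINES = [
    "CEF:0|Vendor|Firewall|1.0|100|Allowed connection|3|src=10.0.0.5 dst=198.51.100.23 spt=51512 dpt=443",
    "CEF:0|Vendor|Firewall|1.0|100|Allowed connection|3|src=10.0.0.6 dst=93.184.216.34 spt=51513 dpt=443",
    "CEF:0|Vendor|Firewall|1.0|100|Allowed connection|3|src=10.0.0.7 dst=2001:db8::bad spt=51514 dpt=443",
]
DNS_EVENTS = [
    {"client_ip": "10.0.0.9", "name": "update.example.test", "answers": ["203.0.113.77"]},
    {"client_ip": "10.0.0.9", "name": "www.example.test", "answers": ["93.184.216.34"]},
]
SYSLOG_LINES = [
    "Mar  9 10:02:11 bastion sshd[1234]: Accepted publickey for ops from 198.51.100.23 port 51212 ssh2",
    "Mar  9 10:03:40 bastion cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
CEF_ADDR_RE = re.compile(r"\b(?:src|dst)=(\S+)")


@dataclass(frozen=True)
class Match:
    source: str
    indicator: str
    threat_type: str
    severity: str
    record: str


def active_ipv4_indicators(indicators):
    """Keep only syntactically valid IPv4 indicators; IPv6 entries are dropped."""
    keep = {}
    for ip, meta in indicators.items():
        try:
            if ipaddress.ip_address(ip).version == 4:
                keep[ip] = meta
        except ValueError:
            continue
    return keep


def severity_for(confidence):
    """Assumed mapping for this example; the managed rule's scoring is not published."""
    if confidence >= 80:
        return "High"
    if confidence >= 50:
        return "Medium"
    return "Low"


def candidate_ips(source, record):
    """Pull the IP fields an analyst would compare against TI for each source."""
    if source == "CommonSecurityLog":
        return CEF_ADDR_RE.findall(record)                 # src= / dst= CEF extensions
    if source == "DnsEvents":
        return [record["client_ip"], *record["answers"]]   # client plus resolved addresses
    if source == "Syslog":
        return IPV4_RE.findall(record)                     # free-text message: scan for addresses
    raise ValueError(f"unknown source {source}")


def match_logs(indicators, cef_lines, dns_events, syslog_lines):
    """Return one Match per (record, indicator) hit across the three sources."""
    ioc = active_ipv4_indicators(indicators)
    feeds = [("CommonSecurityLog", cef_lines), ("DnsEvents", dns_events), ("Syslog", syslog_lines)]
    matches = []
    for source, records in feeds:
        for rec in records:
            for ip in sorted(set(candidate_ips(source, rec))):
                meta = ioc.get(ip)
                if meta:
                    matches.append(Match(source, ip, meta["threat_type"],
                                         severity_for(meta["confidence"]), str(rec)))
    return matches


if __name__ == "__main__":
    for m in match_logs(INDICATORS, CEF_LINES, DNS_EVENTS, SYSLOG_LINES):
        print(f"[{m.severity}] {m.source}: {m.indicator} ({m.threat_type}) <- {m.record}")
```

Run as-is, the script reports three hits: the CEF connection to 198.51.100.23 (High), the DNS answer 203.0.113.77 (Medium) and the Syslog login from 198.51.100.23 (High). The CEF record whose destination is the IPv6 indicator produces nothing, which is the caveat from the section above made concrete: an IPv6-only compromise would not surface through this analytic today.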
Conclusion
Hopefully, this article has helped you understand how to use the Microsoft threat intelligence matching analytics to generate high-fidelity alerts and incidents from premium Microsoft TI, and how to triage them using the information carried by the indicator of compromise (IOC) published to your workspace.