Agent Foskett Academy • Microsoft Sentinel • Module 2 • Lesson 12

Lesson 12 — Microsoft Sentinel Threat Intelligence

Threat intelligence helps Microsoft Sentinel recognise activity associated with known malicious infrastructure.

Indicators such as IP addresses, domains, URLs and file hashes can be compared with security telemetry from endpoints, identities, email and cloud services.

An indicator match gives the SOC an important lead—but analysts must still validate the surrounding evidence before confirming malicious activity.

Threat intelligence helps Sentinel recognise known threats hidden inside everyday telemetry.
Agent Foskett Microsoft Sentinel threat intelligence lesson
What you will learn

This lesson explains how threat intelligence indicators are imported, stored, matched and validated in Microsoft Sentinel.

What threat intelligence means
Common indicator types
Sources, confidence and expiration
How analysts validate IOC matches

Learning objectives

After completing this lesson, you should understand how threat intelligence supports Sentinel detections and investigations.

  • Explain what threat intelligence is.
  • Recognise common Indicators of Compromise.
  • Understand how indicators enter Sentinel.
  • Explain confidence, source and expiration.
  • Validate an indicator match using surrounding telemetry.

The problem this solves

Security telemetry contains millions of ordinary events. Threat intelligence helps identify events connected to infrastructure already associated with phishing, malware, command-and-control or other malicious activity.

What is threat intelligence?

Threat intelligence is contextual information about known or suspected threats. It can describe malicious infrastructure, attacker techniques, campaigns, malware families and Indicators of Compromise.

Agent Foskett tip:

An IOC match is an investigation lead, not automatic proof of compromise. Always verify the event, user, device, timing and wider incident context.

How threat intelligence fits into Sentinel

Threat intelligence source │ ▼ Indicators imported into Microsoft Sentinel │ ▼ IP, domain, URL or file hash stored with context │ ▼ Analytics rule compares indicator with telemetry │ ▼ Match creates an alert or investigation lead │ ▼ SOC analyst validates the surrounding evidence

Common indicator types

IndicatorHow it may appear in telemetryExample investigation
IP addressRemoteIP, IPAddress or caller addressCheck outbound endpoint traffic or suspicious sign-ins.
DomainRemoteUrl, UrlDomain or sender domainInvestigate DNS, web or email activity.
URLClicked URL, network request or email linkReview phishing clicks and endpoint connections.
File hashSHA1, SHA256 or MD5 fieldsLook for known malware across devices.
Email addressSenderFromAddress or account fieldsIdentify known phishing senders or compromised accounts.

Threat intelligence sources

Indicators may come from Microsoft, commercial providers, government and CERT feeds, TAXII servers, internal investigations or trusted security partners.

STIX and TAXII

STIX is a structured format for representing threat intelligence. TAXII is a protocol commonly used to exchange that intelligence between platforms and feeds.

Indicator context

A useful indicator should include more than its observable value. Source, description, threat type, confidence, creation date and expiration help analysts judge how much weight to give the match.

Confidence

Confidence describes how strongly the source believes an indicator is malicious. A low-confidence indicator should normally require more supporting evidence than a well-sourced, high-confidence indicator.

Expiration

Threat infrastructure changes quickly. Domains are abandoned, IP addresses are reassigned and cloud resources disappear. Expiration helps prevent stale indicators from creating unnecessary alerts.

False positives

An IP address may belong to shared hosting, a CDN, VPN provider or cloud platform. A simple match can therefore affect legitimate users and services unless the surrounding context is reviewed.

Example KQL investigation pattern

The exact threat intelligence table and schema used in your workspace may vary. The investigation pattern remains the same: collect active indicators, normalise the observable and compare it with relevant telemetry.

Threat intelligence IP investigation pattern
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
let ActiveIndicators =
    ThreatIntelligenceIndicator
    | where Active == true
    | where ExpirationDateTime > now()
    | where isnotempty(NetworkIP);
DeviceNetworkEvents
| where RemoteIP in (ActiveIndicators | project NetworkIP)
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName

Real-world validation workflow

StepAnalyst question
Confirm the matchDid the telemetry value exactly match the active indicator?
Check time and expirationWas the indicator still valid when the event occurred?
Review the sourceWho supplied the intelligence, and how reliable is it?
Inspect the process or userWhich account, device, process or email generated the activity?
Expand the timelineWhat happened immediately before and after the match?
Search for recurrenceDid the same indicator appear elsewhere in the environment?

Analytics rules

Scheduled analytics rules can compare active indicators against identity, email, endpoint, DNS and network telemetry. A match can create an alert and group related activity into an incident.

Automation opportunities

After a trusted match, automation can enrich the indicator, notify the SOC, create a ticket, add an incident comment or launch a playbook for controlled response.

Best practices

  • Use reputable, relevant intelligence sources.
  • Track confidence, source and expiration.
  • Remove or deactivate stale indicators.
  • Tune analytics rules to reduce noise.
  • Record analyst validation and outcomes.

Common mistake

A common mistake is importing every available public feed and assuming more indicators will improve detection. Low-quality or irrelevant feeds can create alert fatigue and reduce analyst trust.

Agent Foskett investigation tip

Follow the evidence around the indicator.

If a device connects to a known malicious IP, identify the initiating process, command line, user, destination port, related DNS activity and any other devices that made the same connection. The surrounding telemetry tells the real story.

Watchlists vs threat intelligence

Watchlists usually contain organisation-specific reference data such as VIP users or approved IP addresses. Threat intelligence focuses on known or suspected malicious observables supplied with security context.

Agent Foskett takeaway

Threat intelligence helps Sentinel recognise known threats, but analysts still confirm intent and impact. Good intelligence is relevant, current, contextual and supported by investigation evidence.

Lesson summary
Microsoft Sentinel threat intelligence brings known malicious indicators into analytics and investigations. Effective use depends on reliable sources, active indicators, confidence, expiration, careful matching and analyst validation.
Sentinel Academy Home

Related Agent Foskett learning

These links connect Lesson 12 with the wider Sentinel Academy, KQL learning path and Microsoft security investigation library.

Microsoft Sentinel Playbooks and Logic Apps

Microsoft Sentinel Watchlists allow analysts to enrich investigations using organisation-specific data such as VIP users, trusted IP addresses and critical assets.

Microsoft Sentinel Lesson 11

This Agent Foskett Microsoft Sentinel Academy lesson explains playbooks, Azure Logic Apps, triggers, actions, connectors, managed identities, permissions, testing and SOC automation.