Lesson 12 — Microsoft Sentinel Threat Intelligence
Threat intelligence helps Microsoft Sentinel recognise activity associated with known malicious infrastructure.
Indicators such as IP addresses, domains, URLs and file hashes can be compared with security telemetry from endpoints, identities, email and cloud services.
An indicator match gives the SOC an important lead—but analysts must still validate the surrounding evidence before confirming malicious activity.
What you will learn
This lesson explains how threat intelligence indicators are imported, stored, matched and validated in Microsoft Sentinel.
Learning objectives
After completing this lesson, you should understand how threat intelligence supports Sentinel detections and investigations.
- Explain what threat intelligence is.
- Recognise common Indicators of Compromise.
- Understand how indicators enter Sentinel.
- Explain confidence, source and expiration.
- Validate an indicator match using surrounding telemetry.
The problem this solves
Security telemetry contains millions of ordinary events. Threat intelligence helps identify events connected to infrastructure already associated with phishing, malware, command-and-control or other malicious activity.
What is threat intelligence?
Threat intelligence is contextual information about known or suspected threats. It can describe malicious infrastructure, attacker techniques, campaigns, malware families and Indicators of Compromise.
An IOC match is an investigation lead, not automatic proof of compromise. Always verify the event, user, device, timing and wider incident context.
How threat intelligence fits into Sentinel
Common indicator types
| Indicator | How it may appear in telemetry | Example investigation |
|---|---|---|
| IP address | RemoteIP, IPAddress or caller address | Check outbound endpoint traffic or suspicious sign-ins. |
| Domain | RemoteUrl, UrlDomain or sender domain | Investigate DNS, web or email activity. |
| URL | Clicked URL, network request or email link | Review phishing clicks and endpoint connections. |
| File hash | SHA1, SHA256 or MD5 fields | Look for known malware across devices. |
| Email address | SenderFromAddress or account fields | Identify known phishing senders or compromised accounts. |
Threat intelligence sources
Indicators may come from Microsoft, commercial providers, government and CERT feeds, TAXII servers, internal investigations or trusted security partners.
STIX and TAXII
STIX is a structured format for representing threat intelligence. TAXII is a protocol commonly used to exchange that intelligence between platforms and feeds.
Indicator context
A useful indicator should include more than its observable value. Source, description, threat type, confidence, creation date and expiration help analysts judge how much weight to give the match.
Confidence
Confidence describes how strongly the source believes an indicator is malicious. A low-confidence indicator should normally require more supporting evidence than a well-sourced, high-confidence indicator.
Expiration
Threat infrastructure changes quickly. Domains are abandoned, IP addresses are reassigned and cloud resources disappear. Expiration helps prevent stale indicators from creating unnecessary alerts.
False positives
An IP address may belong to shared hosting, a CDN, VPN provider or cloud platform. A simple match can therefore affect legitimate users and services unless the surrounding context is reviewed.
Example KQL investigation pattern
The exact threat intelligence table and schema used in your workspace may vary. The investigation pattern remains the same: collect active indicators, normalise the observable and compare it with relevant telemetry.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
let ActiveIndicators =
ThreatIntelligenceIndicator
| where Active == true
| where ExpirationDateTime > now()
| where isnotempty(NetworkIP);
DeviceNetworkEvents
| where RemoteIP in (ActiveIndicators | project NetworkIP)
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName
Real-world validation workflow
| Step | Analyst question |
|---|---|
| Confirm the match | Did the telemetry value exactly match the active indicator? |
| Check time and expiration | Was the indicator still valid when the event occurred? |
| Review the source | Who supplied the intelligence, and how reliable is it? |
| Inspect the process or user | Which account, device, process or email generated the activity? |
| Expand the timeline | What happened immediately before and after the match? |
| Search for recurrence | Did the same indicator appear elsewhere in the environment? |
Analytics rules
Scheduled analytics rules can compare active indicators against identity, email, endpoint, DNS and network telemetry. A match can create an alert and group related activity into an incident.
Automation opportunities
After a trusted match, automation can enrich the indicator, notify the SOC, create a ticket, add an incident comment or launch a playbook for controlled response.
Best practices
- Use reputable, relevant intelligence sources.
- Track confidence, source and expiration.
- Remove or deactivate stale indicators.
- Tune analytics rules to reduce noise.
- Record analyst validation and outcomes.
Common mistake
A common mistake is importing every available public feed and assuming more indicators will improve detection. Low-quality or irrelevant feeds can create alert fatigue and reduce analyst trust.
Agent Foskett investigation tip
If a device connects to a known malicious IP, identify the initiating process, command line, user, destination port, related DNS activity and any other devices that made the same connection. The surrounding telemetry tells the real story.
Watchlists vs threat intelligence
Watchlists usually contain organisation-specific reference data such as VIP users or approved IP addresses. Threat intelligence focuses on known or suspected malicious observables supplied with security context.
Agent Foskett takeaway
Threat intelligence helps Sentinel recognise known threats, but analysts still confirm intent and impact. Good intelligence is relevant, current, contextual and supported by investigation evidence.
Related Agent Foskett learning
Continue learning
Microsoft Sentinel Playbooks and Logic Apps
Microsoft Sentinel Watchlists allow analysts to enrich investigations using organisation-specific data such as VIP users, trusted IP addresses and critical assets.
Microsoft Sentinel Lesson 11
This Agent Foskett Microsoft Sentinel Academy lesson explains playbooks, Azure Logic Apps, triggers, actions, connectors, managed identities, permissions, testing and SOC automation.
