This chapter covers threat intelligence indicators in Microsoft Sentinel, a core topic for the SC-200 exam. You will learn what threat intelligence is, how Sentinel ingests and uses indicators of compromise (IOCs), and how to create analytics rules that match events against these indicators. Expect approximately 10-15% of exam questions to touch on threat intelligence integration, indicator management, and related analytics rule configuration. Mastering this topic is critical for passing the exam and for real-world threat detection.
Jump to a section
Think of threat intelligence indicators like a police department's criminal watchlist. The watchlist contains known criminals' names, aliases, license plates, and known associates. When officers patrol the city, they check people and vehicles against this list. If a match is found, the officer knows that person is dangerous and can take immediate action. In Microsoft Sentinel, threat intelligence feeds are like watchlists from multiple agencies (local police, FBI, Interpol) that are merged into a single database. Sentinel’s analytics rules are the officers constantly checking every incoming event—every login, every network connection, every file hash—against this watchlist. When a match occurs, Sentinel generates an alert with high confidence because the indicator is from a trusted source. Just as a watchlist might include false positives (e.g., a common name), threat intelligence indicators can have varying confidence levels. Sentinel uses the confidence score and severity to prioritize alerts. The key mechanistic detail: the watchlist is not a static list; it is updated in real time as new intelligence arrives. Sentinel’s built-in connectors pull from sources like Microsoft Defender for Threat Intelligence (MDTI) and third-party TAXII feeds, automatically ingesting new indicators every few minutes. This is analogous to the police department receiving daily bulletins with new suspects. Without this integration, analysts would have to manually search each log, which is impractical at cloud scale.
What is Threat Intelligence and Why Does It Matter?
Threat intelligence is evidence-based knowledge about existing or emerging threats, including context, mechanisms, indicators, and actionable advice. In cybersecurity, threat intelligence indicators (IOCs) are specific artifacts observed by security researchers that indicate malicious activity. Common IOCs include IP addresses, domain names, URLs, file hashes (MD5, SHA1, SHA256), email addresses, and registry keys. Sentinel uses these indicators to detect known threats by matching them against data ingested from various sources like Azure AD logs, Windows Event Logs, and network logs.
How Sentinel Ingests Threat Intelligence
Sentinel supports two primary methods for ingesting threat intelligence:
1. Built-in Threat Intelligence Connectors: These connect to external threat intelligence platforms (TIPs) or feeds. The main connectors are: - Microsoft Defender for Threat Intelligence (MDTI): Provides premium intelligence from Microsoft's vast telemetry. It includes indicators, articles, and threat actor profiles. - TAXII Connector: Supports TAXII 2.0 and 2.1 protocols to pull intelligence from feeds like AlienVault OTX, Anomali, and others. You configure a TAXII server URL, collection ID, and polling interval. - Threat Intelligence – Upload Indicators (Preview): Allows manual upload of CSV or JSON files containing IOCs.
Microsoft Graph Security API: Integrates with third-party TIPs that push indicators to Sentinel via the API. This method is used for custom integrations.
Once ingested, indicators are stored in the ThreatIntelligenceIndicator table in Log Analytics. This table has a schema that includes fields like IndicatorId, IndicatorType, ThreatType, ConfidenceScore, Severity, and ExpirationDateTime. The table is optimized for high-volume ingestion and fast lookups.
Indicator Lifecycle and Expiration
Every indicator has an expiration date. Sentinel automatically removes expired indicators from the active matching set. The default expiration is set by the source feed, but you can override it. Expired indicators are still stored in the table for historical analysis but are not used for alert generation. The indicator lifecycle:
Active: Indicator is valid and used for matching.
Expired: Past expiration date; no longer matched.
Archived: Manually disabled or removed.
Creating Threat Intelligence Analytics Rules
To use threat intelligence, you must create an Analytics Rule of type Threat Intelligence. These rules are essentially detection queries that join the ThreatIntelligenceIndicator table with other data tables (e.g., SigninLogs, CommonSecurityLog, SecurityEvent). The rule runs on a schedule (default every 5 minutes) and generates alerts when a match is found.
Key configuration parameters:
Rule Query: A KQL query that performs the join. Example:
let iocs = ThreatIntelligenceIndicator
| where ExpirationDateTime > now()
| where Active == true;
let ipMatches = CommonSecurityLog
| where TimeGenerated > ago(5m)
| evaluate ipv4_lookup(iocs, DestinationIP, NetworkIP, return_unmatched = false);
ipMatches
| project TimeGenerated, Message, SourceIP, DestinationIP, IndicatorId, ThreatType, ConfidenceScoreEntity Mapping: Maps results to entities (e.g., IP, Host, Account) for investigation and incident correlation.
Alert Details: Customize alert name, description, and severity. Severity can be overridden based on the indicator's severity or confidence.
Grouping: Group alerts into incidents based on entities or time windows.
Matching Techniques
Sentinel uses several matching techniques:
Exact Match: Direct comparison of string values (e.g., file hash equals indicator hash).
Substring Match: For domain names and URLs, matching can be partial (e.g., indicator "evil.com" matches "sub.evil.com").
CIDR Match: For IP ranges, Sentinel supports CIDR notation. Use the ipv4_lookup or ipv6_lookup Kusto functions for efficient matching.
Fuzzy Hash Matching: For file hashes, Sentinel can use similarity matching (e.g., SSDEEP) if the indicator includes a fuzzy hash.
Performance and Scale Considerations
Large threat intelligence feeds can contain millions of indicators. To maintain performance, Sentinel uses a lookup table that is optimized for high-speed joins. The ThreatIntelligenceIndicator table is indexed and partitioned. However, joining with large tables (e.g., CommonSecurityLog) can be resource-intensive. Best practices:
Filter indicators to only active and relevant types.
Use time-bound queries (e.g., TimeGenerated > ago(5m)) to limit the data scanned.
Consider using TI Map analytics rules that are pre-built and optimized by Microsoft.
Integration with Microsoft Defender XDR
Threat intelligence indicators can be shared with Microsoft Defender XDR (formerly Microsoft 365 Defender) via the Microsoft Graph Security API. This bidirectional sharing allows indicators created in Defender to appear in Sentinel and vice versa. For example, a custom indicator added in Microsoft Defender for Endpoint can be used in Sentinel analytics rules.
Common Indicators and Their Use Cases
IP Addresses: Used to detect connections to known command-and-control (C2) servers. Often have low confidence because IPs can be reused.
Domains/URLs: Detect access to phishing sites or malware distribution points. Can be matched with substrings.
File Hashes: Detect known malware files. SHA256 is preferred for uniqueness.
Email Addresses: Detect phishing campaigns using known sender addresses.
Registry Keys: Detect persistence mechanisms in Windows systems.
How to Verify Ingestion
To verify that threat intelligence is being ingested:
In Sentinel, navigate to Threat Management > Threat Intelligence.
Check the Indicators blade for count and recent activity.
Run a sample query:
ThreatIntelligenceIndicator
| where TimeGenerated > ago(1h)
| summarize Count = count() by SourceSystemIf indicators are missing, check the connector health in Data connectors.
Interaction with Other Sentinel Features
Threat intelligence integrates with:
Incident Investigation: Matching indicators are automatically added as evidence in incidents.
Hunting: You can use the ThreatIntelligenceIndicator table in hunting queries to proactively search for threats.
Workbooks: Pre-built workbooks like Threat Intelligence Dashboard visualize indicator sources and match rates.
Exam-Relevant Details
The default polling interval for TAXII connectors is 5 minutes.
Indicators can have a ConfidenceScore from 0 to 100.
The ThreatIntelligenceIndicator table has a retention period of 90 days by default (configurable).
To create a threat intelligence analytics rule, you must have at least Microsoft Sentinel Contributor permissions.
The Severity field can be Low, Medium, High, or Critical.
Sentinel supports STIX 2.0 and STIX 2.1 indicator formats via TAXII.
Step-by-Step Configuration
Enable a Threat Intelligence Connector:
Go to Data connectors.
Select Threat Intelligence - TAXII (or MDTI).
Click Open connector page.
Enter the TAXII server URL, Collection ID, and polling frequency (minimum 5 minutes).
Click Add.
Verify Ingestion:
Wait a few minutes, then query ThreatIntelligenceIndicator | take 10.
Create an Analytics Rule:
Go to Analytics > Create > Scheduled query rule.
Under Rule query, paste your KQL.
Set Entity mappings (e.g., IP mapping).
Set Alert enrichment to include indicator details.
Configure Schedule (e.g., run every 5 minutes, look at last 5 minutes).
Enable the rule.
Test:
If possible, simulate a known IOC (e.g., resolve a test domain) and verify an alert is generated.
Enable TAXII Connector
First, navigate to the Microsoft Sentinel workspace and select 'Data connectors' under Configuration. Search for 'Threat Intelligence - TAXII' and click 'Open connector page'. You must have the TAXII server URL and Collection ID from your threat intelligence provider. Enter these details along with a polling interval (default 5 minutes, minimum 5 minutes). The connector uses the TAXII 2.0 or 2.1 protocol to pull indicators. Once added, Sentinel begins polling immediately. You can verify by checking the connector status; it should show 'Connected'. The connector creates a data collection rule that ingests indicators into the ThreatIntelligenceIndicator table. This step is critical because without a connector, no external indicators are available for matching.
Verify Indicator Ingestion
After enabling the connector, wait for the first polling cycle (up to 5 minutes). Then run a KQL query in the Logs blade: `ThreatIntelligenceIndicator | take 10`. This should return rows with fields like IndicatorId, IndicatorType, ThreatType, and ConfidenceScore. If no data appears, check the connector health; common issues include incorrect TAXII URL or network restrictions. The table is automatically created and indexed. Indicators are stored with an expiration date; expired indicators are not returned in the default query unless you include them. Verification ensures that the feed is working and that indicators are available for rule creation.
Create Analytics Rule
Navigate to Analytics under Configuration and click 'Create' then 'Scheduled query rule'. In the General tab, give the rule a name like 'TI Map IP to CommonSecurityLog'. Set the severity based on indicator severity (e.g., High). In the Set rule logic tab, write the KQL query that joins ThreatIntelligenceIndicator with your data table. For example, use `ipv4_lookup` to match IP addresses. Configure entity mappings: for IP indicators, map the Source IP or Destination IP to the appropriate entity type. Set the query scheduling: run every 5 minutes and look at data from the last 5 minutes. Enable alert grouping if needed. Finally, review and create the rule. This rule will now generate alerts every time a log event matches an indicator.
Configure Alert Enrichment
In the analytics rule wizard, under 'Alert enrichment', you can add custom details from the query results to the alert. For example, include the ThreatType, ConfidenceScore, and IndicatorId. This enrichment allows analysts to see context directly in the alert without querying the logs. You can also map entities to link alerts to incidents. For instance, map the matched IP to the IP entity so that incident investigation shows related alerts. Proper enrichment reduces mean time to respond (MTTR). Without enrichment, analysts must manually query the indicator table, slowing down response.
Test with Simulated IOC
To validate the rule, you can simulate a match. For example, if you have a test domain indicator, generate a DNS query from a test VM. Alternatively, manually insert a test indicator using the Upload Indicators connector or via API. Then check if an alert is generated within the polling interval. In the Sentinel portal, go to Incidents and look for a new incident. Open it to see the alert details, including the matched indicator. This step confirms that the entire chain—ingestion, rule execution, and alert generation—works. If no alert appears, troubleshoot the query by running it manually in Logs. Common issues: time range mismatch or incorrect entity mapping.
Enterprise Scenario 1: Threat Intelligence Feed Integration for SOC
A large financial institution subscribes to multiple threat intelligence feeds, including Microsoft Defender for Threat Intelligence (MDTI) and a third-party TAXII feed from a commercial provider. Their SOC team needs to detect when internal hosts connect to known malicious IPs. They deploy Sentinel and configure the MDTI connector (using the built-in connector) and the TAXII connector for the third-party feed. They create a TI Map analytics rule that joins the ThreatIntelligenceIndicator table with CommonSecurityLog from their firewalls. The rule runs every 5 minutes and alerts on any match with a confidence score above 60. In production, they ingest approximately 500,000 indicators daily. Performance is acceptable because Sentinel uses optimized lookups. However, they notice that some alerts are false positives due to stale indicators. To mitigate, they set a shorter expiration (e.g., 30 days) for indicators from less reliable sources. They also use entity mapping to group alerts by source IP, which helps the SOC prioritize incidents. Misconfiguration example: setting the polling interval too high (e.g., 60 minutes) causes delayed detection, allowing attackers more time. The SOC learned to set the interval to 5 minutes for critical feeds.
Enterprise Scenario 2: Custom Threat Intelligence for Insider Threat Detection
A technology company wants to detect insider threats by monitoring file hashes of proprietary documents. They create custom indicators using the Upload Indicators connector. They manually upload a CSV with SHA256 hashes of sensitive files and set the threat type to 'Insider Threat' and severity to High. They create an analytics rule that joins ThreatIntelligenceIndicator with SecurityEvent (for file creation events). When a user creates a file matching the hash, an alert fires. In production, they have about 1,000 custom indicators. They use expiration dates to automatically remove indicators after 90 days. A common pitfall: they initially forgot to set the indicator type correctly, causing the rule to not match because the query filtered by a specific type. They also learned that file hash matching is exact, so any modification to the file changes the hash and bypasses detection. They now use fuzzy hashing (SSDEEP) for similarity matching, which Sentinel supports if the indicator includes a fuzzy hash value.
Scenario 3: Sharing Indicators with Microsoft Defender XDR
A managed security service provider (MSSP) uses Sentinel to manage multiple customers. They create custom indicators in Microsoft Defender for Endpoint (MDE) for known malicious domains. They enable the bidirectional sharing via the Microsoft Graph Security API. These indicators automatically appear in Sentinel for all customers. They create a TI Map rule that matches these domains against Azure DNS logs. In production, they share about 10,000 indicators. They notice that indicators from MDE have a confidence score of 75 by default. They adjust the rule to only alert on confidence > 80 to reduce noise. A misconfiguration: they enabled sharing but forgot to assign the appropriate permissions (Threat Intelligence Read/Write) in Microsoft Graph, causing sync failures. They resolved by granting the Sentinel service principal the required permissions.
What SC-200 Tests on This Topic
The SC-200 exam objective 2.2 focuses on 'Manage threat intelligence indicators in Microsoft Sentinel'. Specific sub-objectives include:
Configure threat intelligence connectors (TAXII, MDTI, upload)
Create and manage threat intelligence analytics rules
Use KQL to join indicator tables with log tables
Understand indicator lifecycle (expiration, confidence, severity)
Interpret TI match results in incidents
Common Wrong Answers and Why Candidates Choose Them
Selecting 'Threat Intelligence' data connector type instead of 'Analytics Rule': Candidates often confuse the data connector (which ingests indicators) with the analytics rule (which uses them). The exam may ask: 'What do you need to create to detect matches against threat intelligence?' The wrong answer is 'Enable the Threat Intelligence connector' because that only ingests data, not detect. The correct answer is 'Create a scheduled analytics rule with a TI query.'
Choosing 'CommonSecurityLog' as the only table for matching: While CommonSecurityLog is common, the exam tests that you can match against any table, like SigninLogs, AzureActivity, or SecurityEvent. A question might say: 'You need to detect when a user logs in from a malicious IP. Which table should you join?' Wrong answer: CommonSecurityLog. Correct: SigninLogs.
Setting the polling interval to 1 minute: The minimum interval for TAXII connector is 5 minutes. Candidates may think they can set it lower for faster ingestion. The exam includes this as a trap.
Assuming indicators are automatically matched without an analytics rule: Some candidates think that once a connector is enabled, Sentinel automatically alerts on matches. In reality, you must create an analytics rule. The exam may present a scenario where a connector is enabled but no alerts appear, and ask why.
Specific Numbers and Terms
Default polling interval: 5 minutes
Minimum polling interval: 5 minutes
ConfidenceScore range: 0-100
Severity levels: Low, Medium, High, Critical
Indicator expiration: set by source or custom; default retention of table: 90 days
TAXII versions: 2.0 and 2.1
Kusto functions for IP matching: ipv4_lookup, ipv6_lookup
Entity types for TI: Account, Host, IP, URL, FileHash
Edge Cases and Exceptions
IPv6 matching: Use ipv6_lookup instead of ipv4_lookup. The exam may test that you know the difference.
Subdomain matching: For domain indicators, if the indicator is 'evil.com', it matches 'sub.evil.com' by default. But if you want exact match only, you must use a different KQL technique.
Multiple indicators in one alert: If a log event matches multiple indicators, Sentinel can generate a single alert with all matches. The exam might ask how to avoid duplicate alerts.
Indicator types other than IP/Domain/FileHash: Sentinel also supports Email, URL, RegistryKey, etc. A question may test that you can match registry keys against SecurityEvent.
How to Eliminate Wrong Answers
If a question asks about 'ingesting' threat intelligence, the answer is about connectors (TAXII, MDTI). If it asks about 'detecting' or 'alerting', the answer is about analytics rules.
When given a list of tables, choose the one that contains the relevant data. For example, for network connections, CommonSecurityLog; for logins, SigninLogs; for process creation, SecurityEvent.
If the scenario mentions 'confidence score', look for options that filter by confidence in the KQL query. The exam may ask how to reduce false positives.
Remember that the ThreatIntelligenceIndicator table is in the Log Analytics workspace, not in a separate database. Queries join this table with other tables.
Exam Tips
Practice writing KQL queries that join ThreatIntelligenceIndicator with other tables. Know the evaluate plugin syntax for ipv4_lookup.
Understand that analytics rules can be either 'Scheduled' or 'Microsoft Security' type. Threat intelligence rules are always 'Scheduled'.
Be familiar with the 'TI Map' pre-built rule templates. The exam may ask about customizing them.
Threat intelligence indicators are stored in the ThreatIntelligenceIndicator table in Log Analytics.
To generate alerts, you must create a scheduled analytics rule that joins the indicator table with other log tables.
The default polling interval for TAXII connectors is 5 minutes; minimum is 5 minutes.
Indicators have a ConfidenceScore (0-100) and Severity (Low/Medium/High/Critical).
Expired indicators remain in the table but are not matched unless the query includes them.
Use ipv4_lookup and ipv6_lookup Kusto functions for efficient IP matching.
Entity mapping in analytics rules enables incident correlation and investigation.
Bidirectional sharing with Microsoft Defender XDR is possible via Microsoft Graph Security API.
These come up on the exam all the time. Here's how to tell them apart.
TAXII Connector
Connects to any TAXII 2.0 or 2.1 compatible feed (e.g., AlienVault OTX, Anomali).
Requires manual configuration of server URL, Collection ID, and polling interval.
Indicators are ingested with the source's confidence and severity.
Supports both free and commercial feeds.
No additional licensing cost beyond Sentinel.
Microsoft Defender Threat Intelligence (MDTI) Connector
Connects exclusively to Microsoft's premium threat intelligence feed.
Automatically configured with no manual server details needed.
Provides enriched indicators with context like threat actor profiles and articles.
Requires a valid license for Microsoft Defender Threat Intelligence (add-on).
Includes high-confidence indicators from Microsoft's global telemetry.
Mistake
Once a threat intelligence connector is enabled, Sentinel automatically generates alerts for all matches.
Correct
Connectors only ingest indicators into the ThreatIntelligenceIndicator table. To generate alerts, you must create a scheduled analytics rule that queries this table and matches against other log tables. Without an analytics rule, no alerts are created.
Mistake
TAXII connector can be set to poll every 1 minute for real-time detection.
Correct
The minimum polling interval for TAXII connectors is 5 minutes. Setting it lower than 5 minutes is not allowed in the UI and will fail. This is a hard limit enforced by the connector.
Mistake
Indicators with high confidence always generate high severity alerts.
Correct
ConfidenceScore and Severity are separate fields. Confidence indicates how likely the indicator is accurate (0-100), while Severity defines the alert's criticality. An analytics rule can be configured to map severity based on indicator severity, but by default, the rule's severity is used. You can override severity in the rule logic.
Mistake
Expired indicators are automatically deleted from the ThreatIntelligenceIndicator table.
Correct
Expired indicators are not deleted; they remain in the table for historical analysis. However, they are marked as inactive and are excluded from matching in analytics rules by default (if the query filters `ExpirationDateTime > now()`). The table retention is 90 days by default, after which data is purged.
Mistake
You can only match threat intelligence against CommonSecurityLog data.
Correct
Threat intelligence can be matched against any table in the Log Analytics workspace, including SigninLogs, SecurityEvent, AzureActivity, OfficeActivity, and custom logs. The choice of table depends on the type of indicator and the data source.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A threat intelligence connector (e.g., TAXII, MDTI) ingests indicators from external sources into the ThreatIntelligenceIndicator table. It does not generate alerts. An analytics rule is a scheduled query that joins the indicator table with other log tables to detect matches and create alerts. You need both: a connector to bring in indicators, and an analytics rule to use them for detection.
Use a KQL query that joins ThreatIntelligenceIndicator with your log table (e.g., CommonSecurityLog) using the ipv4_lookup function. Example: `let iocs = ThreatIntelligenceIndicator | where ExpirationDateTime > now() and Active == true; CommonSecurityLog | where TimeGenerated > ago(5m) | evaluate ipv4_lookup(iocs, DestinationIP, NetworkIP, return_unmatched=false)`. Then configure entity mapping for IP and schedule the rule to run every 5 minutes.
Yes. File hashes (MD5, SHA1, SHA256) are common indicator types. In your analytics rule query, join ThreatIntelligenceIndicator on the FileHash field with your log table (e.g., SecurityEvent where EventID=4688 for process creation). Use exact match: `where FileHash == IndicatorValue`. For fuzzy matching, use SSDEEP if the indicator includes a fuzzy hash.
Expired indicators are not automatically deleted. They remain in the ThreatIntelligenceIndicator table but are marked with an ExpirationDateTime in the past. By default, analytics rules filter `ExpirationDateTime > now()` to exclude expired indicators. You can modify the query to include them if needed for historical analysis. The table has a default retention of 90 days.
You can reduce false positives by: (1) Filtering indicators by confidence score (e.g., `ConfidenceScore > 70`), (2) Using only high-severity indicators, (3) Setting shorter expiration times for less reliable feeds, (4) Whitelisting known false positive indicators in the rule query, and (5) Using entity grouping to correlate multiple matches before alerting.
Yes, via the Microsoft Graph Security API. You can create indicators in Sentinel (using the Upload Indicators connector or API) and then use the API to share them with Microsoft Defender XDR. This requires appropriate permissions (ThreatIndicators.ReadWrite.All). The shared indicators can then be used in Defender for Endpoint, Office 365, etc.
Use the `ipv6_lookup` function, which is analogous to `ipv4_lookup` for IPv6 addresses. Example: `evaluate ipv6_lookup(iocs, SourceIPv6, NetworkIPv6, return_unmatched=false)`. Ensure your indicator table contains IPv6 addresses in the NetworkIP field.
You've just covered Threat Intelligence Indicators in Sentinel — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?