Introducing the MDTI Premium Data Connector for Sentinel
The MDTI and Unified Security Operations Platform teams are excited to introduce an MDTI premium data connector available in the Unified Security Operations Platform and standalone Microsoft Sentinel experiences. This connector enables customers with an MDTI premium license and API license to apply the powerful raw and finished threat intelligence in MDTI, including high-fidelity indicators of compromise (IoCs), across their security operations to detect and respond to the latest threats.
Microsoft researchers, with the backing of interdisciplinary teams of thousands of experts spread across 77 countries, continually add new analysis of threat activity observed across more than 78 trillion threat signals to MDTI, including powerful indicators drawn directly from threat infrastructure. In Sentinel, this intelligence enables enhanced threat detection, enrichment of incidents for rapid triage, and the ability to launch investigations that proactively surface external threat infrastructure before it can be used in campaigns.
This blog will highlight the exciting use cases for the MDTI premium data connector, including enhanced enrichment, threat detection, and hunting that customers can tap into when enabling both the standard and premium MDTI data connectors. It will also cover how customers can easily get started with this out-of-the-box connector.
Dynamic Incident Enrichment
The MDTI data connector can help analysts respond to threats at scale by automatically enriching incidents with MDTI premium threat intelligence, evaluating indicators in an incident with dynamic reputation data (everything Microsoft knows about a piece of online infrastructure) to mark its severity and automatically triage it accordingly. Comments are added to the incident outlining the reputation details with links to further information about associated threat actors, tools, and vulnerabilities.
Threat Detection
With a flip of the switch, the MDTI premium data connector immediately enables detections for threats, including activity from the more than 300 named threat actor groups tracked by Microsoft. When enabled in Microsoft Sentinel, this connector takes URLs, domains, and IPs from a customer environment via log data and checks them against a dynamic list of known bad IOCs from MDTI. When a match occurs, an incident is automatically created, and the data is written to the Microsoft Sentinel TI blade. By enabling this rule, Microsoft Sentinel users know they have detections in place for threats known to Microsoft.
External Threat Hunting
Customers can pivot off the IoCs to investigate further and boost their understanding of the threat with MDTI’s repository of raw and finished intelligence. Finished intelligence, or written intelligence and analysis, includes articles, activity snapshots, and Intel Profiles about actors tooling and vulnerabilities. It provides crucial context and vital information such as targeting information, TTPs (tactics, techniques, and procedures), and additional IoCs.
Customers can also explore advanced internet data sets created by amass collection network that maps threat infrastructure across the internet every day to locate relationships between entities on the web to malicious infrastructure, tooling, and backdoors outside the network at incredible scale. Below is an example of how to effectively detect and hunt for Indicators of Compromise (IoCs) associated with threat actors using Sentinel with MDTI premium connector enabled.
Begin by following these steps:
Filter IoCs by MDTI Source – set the source filter to “Premium Microsoft Defender Threat Intelligence” within the Sentinel TI Blade
Tags enable filtering on IoCs by specific threat actors. For example, `ActivityGroup:AQUA BLIZZARD`
Next, customers can leverage the enriched data from the MDTI feed in their Log Analytics workspace using KQL queries to hunt. They can also create custom analytic rules:
Users can also create an Analytics Rule to better align with their hunting workflow:
For the sake of this example, our detection rule is very simple. However, customers can enhance rules with their own detection logic:
Customers can then extend their investigation and gather more intelligence on the threat actor in the Unified Security Operations Platform MDTI experience by taking the indicator value and perform a search in the global search feature:
Customers can click on the intel profiles directly to learn more about the actor and access additional IoCs compiled by Microsoft’s threat research teams:
Getting started with MDTI Connector
To install/access the UX for the Premium MDTI data connector, users will need to install the Threat Intelligence (Preview) Solution:
Sign up here to participate. We will enable this private preview in the customer environment three (3) business days after submission.
Three business days after the previous step, customers should navigate to this Threat Intelligence (Preview)Solution and select Create
Customers should then select the subscription, resource group, and workspace name for which they wish to add this solution.
Select Review + create
Select Create
After selecting Create, customers will be navigated to the page with the deployment of the solution. Please allow a couple minutes for the deployment to be completed.
Then, use this feature flag, https://aka.ms/MDTIPremiumFeedPrPFeatureFlag, to login again to Microsoft Sentinel.
After installing the preview solution and adding the feature flag to the URL – users will be able to access the Premium Microsoft Defender for Threat Intelligence Data Connector. Below is a screenshot showing what the Data Connector page in Sentinel should look like:
Connecting the Data Connector
Navigate to the Data Connectors blade in Sentinel:
Select the Premium Microsoft Defender Threat Intelligence (Preview)Connector:
Select Open connector page:
Select Connect to connect the data connector (note, if already connected, the disconnect button will allow customers to disconnect the data connector):
After connecting the data connector, customers should navigate to the Threat Intelligence Blade in their Sentinel Workspace, and soon premium indicators will be added.
Conclusion
Microsoft delivers leading threat intelligence built on visibility across the global threat landscape made possible protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in MDTI providing an all-encompassing view of attack vectors across various platforms, ensuring Sentinel customers have comprehensive threat detection and remediation.
If you are interested in learning more about MDTI and how it can help you unmask and neutralize modern adversaries and cyberthreats such as ransomware, and to explore the features and benefits of MDTI please visit the MDTI product web page.
Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Copilot for Security SCU here.
Microsoft Tech Community – Latest Blogs –Read More