
Introducing the MDTI Premium Data Connector for Sentinel

by info.odysseyx@gmail.com


The MDTI and Unified Security Operations Platform teams are excited to announce the MDTI Premium Data Connector, available for use with the Unified Security Operations Platform and with standalone Microsoft Sentinel environments. The connector lets customers who hold MDTI Premium and MDTI API licenses apply MDTI's raw and finished threat intelligence, in particular its high-fidelity Indicators of Compromise (IoCs), across their security operations to detect and respond to the latest threats.

Supported by Microsoft researchers, an interdisciplinary team of thousands of experts across 77 countries, MDTI continuously adds new insights into threat activity observed across more than 78 trillion threat signals, including high-value indicators extracted directly from threat infrastructure. In Sentinel, this intelligence provides enhanced threat detection, incident enrichment for rapid triage, and the ability to launch investigations that proactively surface external threat infrastructure before it is used in campaigns.

This blog highlights use cases for the MDTI Premium Data Connector, including incident enrichment, threat detection, and hunting, that customers can leverage when enabling both the Standard and Premium MDTI Data Connectors. We also cover how to enable this out-of-the-box connector.

Dynamic incident enrichment

The MDTI Data Connector helps analysts respond to large-scale threats by automatically enriching incidents with MDTI premium threat intelligence: each indicator in the incident is evaluated against dynamic reputation data drawn from everything Microsoft knows about internet infrastructure, and the incident is classified by severity automatically. Incidents are annotated with reputation details and carry links to further information on the associated threat actors, tools, and vulnerabilities.

Threat Detection

Turning on the MDTI Premium Data Connector immediately enables detection of threats, including activity from more than 300 named threat actor groups tracked by Microsoft. Once the connector is enabled in Microsoft Sentinel, the accompanying analytics rule matches URLs, domains, and IPs seen in your log data against MDTI's continuously updated list of known-bad IoCs. When a match occurs, an incident is created automatically and the matching data is recorded in the Microsoft Sentinel Threat Intelligence blade. Enabling this rule also makes it visible to Sentinel users that detections are running for threats known to Microsoft.

Hunting external threats

Customers can pivot from their own IoCs into MDTI's raw and finished intelligence to conduct deeper investigations and gain greater insight into threats. Finished intelligence, the written analysis produced by Microsoft researchers, includes articles, activity snapshots, and Intel Profiles covering threat actors, their tooling, and the vulnerabilities they exploit. These provide essential context such as targeting information, TTPs (tactics, techniques, and procedures), and additional IoCs.

Customers can also explore raw internet data sets, generated by MDTI's massive collection network, to map threat infrastructure. Every day, MDTI uncovers enormous numbers of relationships between entities on the web, including malicious infrastructure, tools, and backdoors outside your own network, across the Internet. Below is an example of how to detect and hunt for IoCs associated with a specific threat actor using Sentinel with the MDTI Premium Connector enabled.

Follow these steps to get started:

  1. MDTI source-specific IoC filtering: set the Source filter to “Premium Microsoft Defender Threat Intelligence” in the Sentinel Threat Intelligence blade.
  2. Filter by tag to isolate IoCs attributed to a specific threat actor, for example `ActivityGroup:AQUA BLIZZARD`.

IoCs sorted by threat actor group

Next, customers can query the rich data from the MDTI feeds in their Log Analytics workspace using KQL, and build custom analytics rules on top of those queries.


Query for IoCs related to Aqua Blizzard

Users can also create analytics rules that better fit their hunting workflow.

A simple rule that generates an alert when an IoC attributed to Aqua Blizzard is detected

For this example the detection rule is deliberately simple, but customers can extend it with their own detection logic.

Custom detection logic
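As an added example (not code from the original post or from Microsoft), here is a KQL query of the kind the two screenshots above stand in for: it serves both as the feed query and as the body of a custom analytics rule. It keeps only the newest, still-active version of each premium indicator tagged for Aqua Blizzard and joins the domain indicators against DNS lookups. It assumes the premium feed lands in the ThreatIntelligenceIndicator table with SourceSystem equal to the source-filter string shown in the TI blade, that Tags is a string containing the `ActivityGroup:AQUA BLIZZARD` tag, and that DNS lookups are in DnsEvents; adjust those names for your workspace.

```kql
// Added example (not from the original post): premium MDTI Aqua Blizzard domain IoCs
// matched against DNS lookups. Table names, the SourceSystem value and the Tags format
// are assumptions; verify them against your own workspace before deploying as a rule.
let lookback = 1h;        // log window the rule scans on each run
let ioc_window = 30d;     // how far back to collect indicator versions
let aqua_blizzard_domains =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(ioc_window)
    | where SourceSystem == "Premium Microsoft Defender Threat Intelligence"
    // Tags is stored as a string; a substring match avoids term-boundary surprises
    | where Tags contains "ActivityGroup:AQUA BLIZZARD"
    // Updated indicators are re-ingested as new rows; keep only the latest version of each
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    // Revoked or expired indicators must not fire
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(DomainName)
    | project IndicatorId, DomainName = tolower(DomainName), ConfidenceScore,
              Description, Tags, ExpirationDateTime;
DnsEvents
| where TimeGenerated > ago(lookback)
| where SubType == "LookupQuery" and isnotempty(Name)
| extend QueriedDomain = tolower(Name)
| join kind=inner aqua_blizzard_domains on $left.QueriedDomain == $right.DomainName
| project TimeGenerated, Computer, ClientIP, QueriedDomain,
          IndicatorId, ConfidenceScore, Description, Tags, ExpirationDateTime
| order by TimeGenerated desc
```

Schedule this as a scheduled analytics rule whose run frequency matches `lookback`, map `Computer` and `ClientIP` to Host and IP entities in the rule wizard, and tune noise by raising a `ConfidenceScore` threshold or tightening the tag filter. The `arg_max` and `Active`/`ExpirationDateTime` filters are the part most often forgotten: without them, revoked or expired indicators keep generating incidents.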

Customers can take indicator values and run them through global search in their Unified Security Operations Platform (MDTI) environment to expand the investigation and gather more information about the threat actors involved.

Intel Profiles related to the searched indicators

Customers can click directly on the Intel profile to learn more about the actor and access additional IoCs compiled by the Microsoft Threat Research team.

MDTI’s Aqua Blizzard Intel Profile

Getting Started with the MDTI Connector

To install and access the Premium MDTI Data Connector, users must first install the Threat Intelligence (Preview) solution:

  • Register here to participate. We will activate this private preview in your environment within three (3) business days of submission.
  • Then select the subscription, resource group, and workspace name to which you want to add the solution.


  • When you select Create, you are taken to the solution deployment page. Wait a few minutes for the deployment to complete.

Then log back into Microsoft Sentinel using this feature-flag URL: https://aka.ms/MDTIPremiumFeedPrPFeatureFlag

After installing the preview solution and loading Sentinel with the feature flag in the URL, users have access to the Premium Microsoft Defender Threat Intelligence data connector. The data connector page in Sentinel should look like the following screenshot:

Connecting Data Connectors

In Sentinel, go to the Data Connectors blade.

Select the Premium Microsoft Defender Threat Intelligence (Preview) connector:

Choose Open connector page:

Choose Connect to connect the data connector (if it is already connected, you can disconnect it with the Disconnect button):

After connecting the data connector, navigate to the Threat Intelligence blade in your Sentinel workspace, where premium indicators will begin to appear shortly.
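Once the connector shows as connected, a practitioner will want to confirm that indicators are actually arriving before relying on the detection rule. The following KQL health check is an added example and not part of the original post; it assumes the premium feed lands in the ThreatIntelligenceIndicator table with SourceSystem set to the same string the TI blade shows as its source filter.

```kql
// Added example (not from the original post): health check for the premium feed.
// The table name and SourceSystem value are assumptions; adjust for your workspace.
ThreatIntelligenceIndicator
| where TimeGenerated > ago(7d)
| where SourceSystem == "Premium Microsoft Defender Threat Intelligence"
// Keep the latest version of each indicator so updates are not double counted
| summarize arg_max(TimeGenerated, *) by IndicatorId
| extend IndicatorType = case(
    isnotempty(DomainName), "domain",
    isnotempty(Url), "url",
    isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP), "ip",
    isnotempty(FileHashValue), "filehash",
    "other")
// Only active, unexpired indicators can ever produce a match in a detection rule
| summarize Total = count(),
            Usable = countif(Active == true and ExpirationDateTime > now()),
            LastIngested = max(TimeGenerated)
  by IndicatorType
| order by Total desc
```

An empty result, or a LastIngested value that stops advancing, means the feature flag or the connector state should be rechecked. Expired indicators remain in the table after they stop matching, so Total will exceed Usable over time; the Usable column is the number that matters for detection coverage.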

Conclusion

Microsoft provides leading threat intelligence built on visibility across the global threat landscape, the same visibility that lets it secure Azure and other massive cloud environments, manage billions of endpoints and mailboxes, and maintain a continuously updated graph of the Internet. Microsoft processes 78 trillion security signals every day, and the threat intelligence MDTI derives from them gives a comprehensive view of attack vectors across platforms, so Sentinel customers get comprehensive threat detection and remediation.

If you would like to learn more about MDTI, how it can help you expose and neutralize modern adversaries and cyber threats such as ransomware, and its capabilities and benefits, please visit the MDTI product web page.

You can also contact our sales team to request a demo or quote and learn how to get started with MDTI, or purchase a single Copilot for Security SCU.
