Introducing the MDTI Premium Data Connector for Sentinel

by info.odysseyx@gmail.com, August 16, 2024

The MDTI and Unified Security Operations Platform teams are excited to announce the MDTI Premium Data Connector, available for use with the Unified Security Operations Platform and standalone Microsoft Sentinel environments. This connector allows customers with MDTI Premium and API licenses to apply MDTI's raw and finished threat intelligence, namely high-fidelity Indicators of Compromise (IoCs), across their security operations to detect and respond to the latest threats.

Microsoft researchers are backed by an interdisciplinary team of thousands of experts across 77 countries. MDTI continuously adds new insights into threat activity observed across over 78 trillion daily threat signals, including high-value indicators extracted directly from threat infrastructure. In Sentinel, this intelligence provides enhanced threat detection, incident enrichment for rapid triage, and the ability to launch investigations that proactively surface external threat infrastructure before it is used in campaigns.

This blog highlights use cases for the MDTI Premium Data Connector, including enhanced hardening, threat detection, and hunting that customers can leverage when enabling both the Standard and Premium MDTI Data Connectors. We also cover how customers can enable this out-of-the-box connector.

Dynamic incident enrichment

The MDTI Data Connector helps analysts respond to large-scale threats by automatically enriching incidents with MDTI Premium threat intelligence, evaluating the incident's indicators against dynamic reputation data (everything Microsoft knows about the infrastructure behind an indicator), and automatically classifying them by severity.
Incidents are annotated with reputation details and links to additional information about associated threat actors, tools, and vulnerabilities.

Threat detection

Simply turn on the switch to instantly detect threats, including activity from over 300 named threat actor groups tracked by Microsoft, through the MDTI Premium Data Connector. When enabled in Microsoft Sentinel, the connector pulls URLs, domains, and IPs from your environment's log data and compares them against MDTI's dynamic list of known-bad IoCs. When a match occurs, an incident is created automatically and the matching indicator data is logged to the Microsoft Sentinel Threat Intelligence blade. Enabling this rule ensures that Microsoft Sentinel users know detections are running for threats known to Microsoft.

Hunting external threats

Customers can pivot from their IoCs into MDTI's raw and finished intelligence to conduct deeper investigations and gain greater insight into threats. Finished intelligence (written analysis) includes articles, activity snapshots, and Intel Profiles on actors, tooling, and vulnerabilities; these provide essential context such as targeting information, TTPs (tactics, techniques, and procedures), and additional IoCs. Customers can also explore:

- Advanced Internet data sets generated by a massive collection network.
- Threat infrastructure mapping: every day, MDTI uncovers huge numbers of relationships between entities on the web, including malicious infrastructure, tools, and backdoors outside the customer's own network, across the Internet.

Below is an example of how you can detect and hunt for IoCs associated with a threat actor using Sentinel with the MDTI Premium Connector enabled. Follow these steps to get started.

MDTI source-specific IoC filtering: set the Source filter to "Premium Microsoft Defender Threat Intelligence" within the Sentinel Threat Intelligence blade.
Tags allow filtering IoCs by threat actor, for example `ActivityGroup:AQUA BLIZZARD`.

[Screenshot: IoCs filtered by threat actor group]

Next, customers can query the MDTI feed data in their Log Analytics workspace with KQL and create custom analytics rules.

[Screenshot: KQL query for IoCs related to Aqua Blizzard]

Users can also create analytics rules that fit their hunting workflow, for example a simple rule that raises an alert whenever an Aqua Blizzard IoC is observed. The detection rule in this example is deliberately simple; customers can extend it with their own detection logic.

[Screenshot: Custom detection logic]

Customers can take indicator values into the global search in the Unified Security Operations Platform's MDTI experience to expand the investigation and gather more information about the threat actor.

[Screenshot: Intel Profiles related to the searched indicators]

Customers can click through to the Intel Profile to learn more about the actor and access additional IoCs compiled by the Microsoft Threat Research team.

[Screenshot: MDTI's Aqua Blizzard Intel Profile]

Getting started with the MDTI Premium Data Connector

To install and access the Premium MDTI Data Connector, users must install the Threat Intelligence (Preview) solution. Register here to participate; the private preview will be activated in your environment within three (3) business days of submission. Then select the subscription, resource group, and workspace to which you want to add the solution. Selecting Create takes you to the solution deployment page; wait a few minutes for the deployment to complete.

Then apply this feature flag: https://aka.ms/MDTIPremiumFeedPrPFeatureFlag and log back into Microsoft Sentinel. After installing the preview solution and adding the feature flag to the URL, users will have access to the Premium Microsoft Defender Threat Intelligence data connector.
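Returning to the KQL step of the hunting workflow above (and to what the "Threat detection" switch does automatically), the following is an added worked example and not a query from the original post or from Microsoft. It assumes, as the post's screenshots suggest but do not spell out, that the premium feed lands in the standard ThreatIntelligenceIndicator table with SourceSystem "Premium Microsoft Defender Threat Intelligence" and the tag "ActivityGroup:AQUA BLIZZARD", and that the workspace ingests DnsEvents (DNS analytics) and CommonSecurityLog (CEF firewall logs); those table choices are assumptions, not something the post states.

```kql
// Added example, not from the original post: a Sentinel analytics rule query
// that matches MDTI Premium IoCs tagged for Aqua Blizzard against DNS queries
// and outbound firewall connections.
// Assumptions (not stated on the page): the premium feed lands in the standard
// ThreatIntelligenceIndicator table with SourceSystem
// "Premium Microsoft Defender Threat Intelligence" and the tag shown in the
// post's screenshots ("ActivityGroup:AQUA BLIZZARD"); the workspace ingests
// DnsEvents (DNS analytics) and CommonSecurityLog (CEF firewall logs).
let ioc_lookBack = 14d;   // indicator ingestion window
let dt_lookBack  = 1h;    // telemetry window; align with the rule's run frequency
// 1. Premium, actor-tagged, currently active indicators (newest copy of each)
let premiumIoCs =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where SourceSystem == "Premium Microsoft Defender Threat Intelligence"
    | where tostring(Tags) contains "ActivityGroup:AQUA BLIZZARD"
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project IndicatorId, DomainName = tolower(DomainName), NetworkIP, Url,
              ConfidenceScore, Description, Tags, ExpirationDateTime;
// 2. Domain indicators vs. DNS lookups from client machines
let domainHits =
    premiumIoCs
    | where isnotempty(DomainName)
    | join kind=innerunique (
        DnsEvents
        | where TimeGenerated >= ago(dt_lookBack)
        | where SubType == "LookupQuery" and isnotempty(Name)
        | extend DnsQueryName = tolower(Name)
      ) on $left.DomainName == $right.DnsQueryName
    | project TimeGenerated, MatchType = "domain", MatchedValue = DomainName,
              SourceHost = Computer, SourceIP = ClientIP,
              ConfidenceScore, Description, Tags, IndicatorId;
// 3. IP indicators vs. destination IPs in CEF firewall logs
let ipHits =
    premiumIoCs
    | where isnotempty(NetworkIP)
    | join kind=innerunique (
        CommonSecurityLog
        | where TimeGenerated >= ago(dt_lookBack)
        | where isnotempty(DestinationIP)
      ) on $left.NetworkIP == $right.DestinationIP
    | project TimeGenerated, MatchType = "ip", MatchedValue = NetworkIP,
              SourceHost = DeviceName, SourceIP,
              ConfidenceScore, Description, Tags, IndicatorId;
// 4. Combine, keep medium/high-confidence hits, newest first
union domainHits, ipHits
| where ConfidenceScore >= 50
| order by TimeGenerated desc
```

When saving this as a scheduled analytics rule, set the run frequency and lookup period to match dt_lookBack so each run scans only new telemetry, and map SourceHost and SourceIP to the Host and IP entities so the resulting incidents are enriched and grouped correctly. The arg_max step matters: indicators are re-ingested when they are updated, so without it a single IoC can match several times, and the Active and ExpirationDateTime checks keep withdrawn or expired indicators from raising alerts.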
[Screenshot: the Premium Microsoft Defender Threat Intelligence data connector page in Sentinel]

Connecting the data connector

In Sentinel, go to the Data connectors blade, select the Premium Microsoft Defender Threat Intelligence (Preview) connector, choose Open connector page, and choose Connect. (If the connector is already connected, it can be disconnected with the Disconnect button.) After connecting the data connector, navigate to the Threat Intelligence blade in the Sentinel workspace, where premium indicators will begin to appear shortly.

Conclusion

Microsoft provides leading threat intelligence built on visibility across the global threat landscape, gained from securing Azure and other massive cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the Internet. Microsoft processes 78 trillion security signals every day, and MDTI turns that telemetry into a comprehensive view of attack vectors across platforms, giving Sentinel customers comprehensive threat detection and remediation.

To learn more about MDTI and how it can help you expose and neutralize modern adversaries and cyber threats such as ransomware, please visit the MDTI product web page, contact our sales team to request a demo or quote, or learn how to get started with MDTI.