Connect Microsoft Defender Threat Intelligence (MDTI ) to Microsoft Sentinel and enrich Incidents via the MDTI API
Microsoft Defender Threat Intelligence (MDTI) is the TI solution from Microsoft (previous RiskIQ) to detect 0-day and pre-firewall threats via IOCs (Indicators of Compromise) discovered from pro-active scanning the darkweb (Tor), deepweb (protected) and internet (indexed) for malicious activity.
MDTI is available in the MDTI Portal and the Microsoft 365 Defender portal (requires a trial or paid license, not available with the community edition)
This blog is about the MDTI integration with Microsoft Sentinel to detect malicious IOCs and the MDTI API to enrich incidents.
A MDTI trial license (user needs an assigned MDTI license for the paid version) is available for a period of 90 days available via the Microsoft 365 Admin center
Microsoft Sentinel
The first part of the blog is how to connect MDTI to Microsoft Sentinel and explore all options and features.
Microsoft Sentinel | Microsoft Defender Threat Intelligence Analytics
The Microsoft Defender Threat Intelligence Analytics rule in Microsoft Sentinel detects MDTI IOCs in the following Data sources:
- <Data Connector> -> (<table> -> <field> -> <indicator>)
- Common Event Format (CommonSecurityLog -> RequestURL -> URL & Domain // CommonSecurityLog -> DestinationIP -> IPv4)
- DNS (DnsEvents -> Name & IPAddresses -> IPv4)
- Syslog (Syslog -> SyslogMessage -> IPv4)
- Office activity logs (OfficeActivity -> ClientIP -> IPv4)
- Azure activity logs (AzureActivity -> CallerIpAdress -> IPv4)
And creates high fidelity alerts and incidents.
Disclaimer: the Microsoft Defender Threat Intelligence Analytics rule does not require the MDTI Data Connector but works out of the box.
Microsoft Sentinel | Data Connector
To ingest MDTI IOCs into Microsoft Sentinel | Threat Intelligence to create high fidelity incidents for other (e.g. non-Microsoft) Data sources, configure and connect the Microsoft Defender Threat Intelligence Data Connector.
The Overview | Data page shows the ingested TI data visible by type.
The following (Microsoft and non-Microsoft) Data sources are supported:
- AzureFirewall
- AzureActivity
- Azure Key Vault
- W3CIISLog
- CommonSecurityLog
- DnsEvents
- VMConnection
- AzureNetworkAnalytics_CL
- WireData
- Azure SQL Security AuditEvents
- Web Sessions Events (ASIM)
- AWSCloudTrail
- OfficeActivity
- SigninLogs
- ApPServiceHTTPLogs
- DNS Events (ASIM)
- Duo Security
- Githib_CL
- Network Sessions Events (ASIM)
Microsoft Sentinel | Analytics
Once the TI data is ingested, an Analytics rule for the Data connector(s) in-scope can be configured per IOC type.
Create the TI map <IOC-type> entity to <Data Connector> rules for all data sources in-scope.
Disclaimer: the TI map <IOC-type> entity to <Data Connector> rule does require a Data Connector.
Microsoft Sentinel | Incidents
When TI is ingested and Analytics rules are created, each TI (IOC) match triggers an Incidents visible in the Microsoft Sentinel | Incidents portal.
Microsoft Sentinel | Threat Intelligence
The IOCs (TI indicators) and incident (TI alerts) are also visible in the Microsoft Sentinel | Threat Intelligence portal as TI alerts and TI indicators.
Microsoft Sentinel | Workbooks
A Threat Intelligence workbook is available for TI insights, this information is also available in the Overview and Threat Intelligence page but can be customized if needed.
Microsoft Sentinel | Logs
MDTI logs are available via the ThreatIntelligenceIndicator table.
API
The second part if about Microsoft Defender Threat Intelligence (MDTI) and API (Application Programming Interface) support to query the product data sets (e.g. to be used in Microsoft Sentinel | Playbooks for Automated Triage, Enrichment via Web Component Data or Enrichment via Reputation Score) to enrich Incidents.
The MDTI API add-on requires an add-ons license (Trial available)
Azure AD | App Registration
To use an API you need to register an Azure AD | App Registration (write down the Tenant-Id, Client-Id & Client-Secret) with Defender TI API (Type Application) permissions (see below) and Grant admin consent
Microsoft Sentinel | MDTI Playbook deployment
Visit the MDTI Playbook Guide or Microsoft Sentinel Content Hub Solution for MDTI and deploy the solution.
The solution deploys four playbooks in the Microsoft Sentinel | Automation (Playbook templates) section.
Microsoft Sentinel | MDTI Playbooks configuration
Configure the Defender MDTI-base playbook with the Azure AD | App Registration credentials. Select the MDTI-Base playbook first and configure the Parameters (Client-Secret & Client-Id).
After configuration of the MDTI-Base playbook configure the other three playbooks.
Authorize the connection after deployment (and before Save of the logic app) via API connections -> Edit API connection in the Logic App Designer
The end results are Active playbooks which can be used for Automation.
Microsoft Sentinel | Automation
After deployment of the MDTI playbooks configure permissions for Microsoft Sentinel to run automation rules.
Create automation rule(s) to leverage the MDTI playbooks (see example below).
Individual playbooks can also be used from the Incident page (Incident action)
And select the playbook(s) to Run
The outcome is added to the comments of the Activity Log section.
Defender TI Playbook overview
Playbook Defender TI #1 | Automated Triage enriches incidents with TI Reputation data
Playbook Defender TI #2 | Web Component Data enriches incidents with TI components data
Playbook Defender TI #3 | Intel Reputation enriches incidents with Reputation data
I hope this blogs give some insights on the usage of Microsoft Defender Threat Intelligence and Microsoft Sentinel via the Data Connector and API.
