Microsoft Defender Threat Intelligence and Sentinel integration deep dive
Thursday, Apr 13, 2023, 07:30 AM PDT
See how quick detection and response are vital to navigating today's fast-moving cyberattacks. We'll break down a cyberattack and show how Microsoft Defender Threat Intelligence, combined with Microsoft's SIEM and XDR solutions, constructs a multi-stage incident giving visibility into the attack timeline and all related events. We'll then investigate the attacker and automate mitigations to contain the damage.
This session is part of the Microsoft Secure Tech Accelerator. RSVP for event reminders, add it to your calendar, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
Trevor_Rusher
Updated Dec 27, 2024
- Trevor_Rusher
Community Manager
Thank you for watching this session! We would love to hear your feedback on this event; tell us what you thought here: https://aka.ms/TechAccelSurvey3
- MS365DNinja
Copper Contributor
I am learning a lot from these sessions.
- Trevor_Rusher
Community Manager
Thank you for the feedback Nessa! We're really enjoying bringing these to you!
- Trevor_Rusher
Community Manager
Thanks for joining us today! We’ll continue to answer questions here in the chat for the rest of the half hour and we’ll check back through the end of the week. Thanks to everyone who was able to join us live - and to those catching up on demand!
Up next: Protecting your user identities
- Heather_Poulsen
Community Manager
- Yash_Mudaliar
Iron Contributor
Is there a way to run the hunting queries against these TIs?
- RijutaKapoor
Microsoft
Yes, we do provide some sample TI hunting queries that all start with the "TI map" keyword. The TI map hunting queries are all part of the "Threat Intelligence" solution on the content hub. You can get these queries by installing the solution. The queries are completely customizable in case you need to run them against a particular data type. The queries get all indicators from the ThreatIntelligenceIndicators table in Log Analytics, and the MDTI indicators are part of the table when you enable the MDTI connector.
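The query below is an added example written in the style of the "TI map" hunting queries described above; it is not code from this thread or from Microsoft's Threat Intelligence solution. It assumes the standard Log Analytics schema for the ThreatIntelligenceIndicator table (IndicatorId, Active, ExpirationDateTime, NetworkIP, NetworkSourceIP, NetworkDestinationIP, ConfidenceScore, ThreatType, Description) and for SigninLogs (IPAddress, UserPrincipalName, AppDisplayName, ResultType), and it shows the two steps every TI map query performs: deduplicate the indicator set down to the latest active, unexpired version of each indicator, then join the chosen observable against a data table.

```kql
// Added example (not from the Threat Intelligence solution): map IP indicators
// from ThreatIntelligenceIndicator onto Azure AD sign-in source IPs.
let dt_lookBack = 1h;      // how far back to scan sign-in events
let ioc_lookBack = 14d;    // how far back to collect indicator records
// Step 1: build the indicator set. Indicators are re-ingested as they are updated,
// so keep only the latest record per IndicatorId, drop inactive or expired ones,
// and keep just those that carry an IP observable.
let ip_indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true
    | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
    | extend TI_ipEntity = iff(isnotempty(TI_ipEntity), TI_ipEntity, NetworkSourceIP)
    | where isnotempty(TI_ipEntity);
// Step 2: join the indicator IPs against the data table of interest.
// Swapping SigninLogs for another table (and IPAddress for its IP column)
// is the customization the answer above refers to.
ip_indicators
| join kind=innerunique (
    SigninLogs
    | where TimeGenerated >= ago(dt_lookBack)
    | extend SigninLogs_TimeGenerated = TimeGenerated
  ) on $left.TI_ipEntity == $right.IPAddress
// Only count a hit if the sign-in happened while the indicator was still valid.
| where SigninLogs_TimeGenerated < ExpirationDateTime
| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress
| project SigninLogs_TimeGenerated, SourceSystem, Description, ThreatType, ConfidenceScore,
          TI_ipEntity, UserPrincipalName, AppDisplayName, ResultType
```

Once the MDTI connector is enabled, MDTI indicators land in the same table with their own SourceSystem value, so this query picks them up without any change; the SourceSystem column in the output tells you which feed produced each match.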
- Trevor_Rusher
Community Manager
Hope you are enjoying this deep dive into Microsoft Defender Threat Intelligence and Sentinel integration. What do you like about this event? Share your feedback here in the Comments and help shape the direction of our future events on the Tech Community!
- bobbobcom
Copper Contributor
Is it possible to connect to the threat intelligence API and pull down the same TI data?
- RijutaKapoor
Microsoft
Yes, these indicators are accessible through the Sentinel TI "Get API": https://learn.microsoft.com/en-us/rest/api/securityinsights/preview/threat-intelligence-indicator/get?tabs=HTTP
- Dean_Gross
Silver Contributor
I don't see MDTI as a Content Hub solution in Sentinel; how do I get it? Never mind, the search in the Content Hub is not very good. I searched for "threat intelligence" and the solution was not found, but when I searched for "Microsoft Defender", it was found.
- RijutaKapoor
Microsoft
The Microsoft Defender Threat Intelligence data connector is part of the "Threat Intelligence" solution in the content hub. The data connector is free for all Sentinel customers. Here are all the steps to enable the connector: https://learn.microsoft.com/en-us/azure/sentinel/connect-mdti-data-connector The Microsoft Defender Threat Intelligence playbooks are part of the "MDTI" solution and require an MDTI license.
- Check this documentation https://learn.microsoft.com/en-us/azure/sentinel/work-with-threat-indicators
- Dean_Gross
Silver Contributor
How do we get MDTI if we don't have O365?
- dennismercer
Microsoft
You can sign up for the MDTI Premium License with the link that Michael posted.
- TI exists in M365 as well as in Microsoft Sentinel in Azure. Some customers do not have M365 but only Azure subscriptions. Then Microsoft Sentinel will be the answer.
- Mike_Browning
Microsoft
Hi Dean, MDTI is a separately licensed product. You can learn more and begin a free trial here: https://aka.ms/try-it-today
- Dean_Gross
Silver Contributor
We are an MSSP; do we need to buy MDTI for each Sentinel workspace we monitor, or is there a way to share it across multiple workspaces?
- RijutaKapoor
Microsoft
Hi Dean, yes, the connector is a per-workspace connector. You will have to enable it in all workspaces. There are ways to manage your workspaces as an MSSP that you can utilize: https://learn.microsoft.com/en-us/azure/sentinel/multiple-tenants-service-providers
- Dean_Gross
Silver Contributor
Thanks, but these instructions don't provide any guidance about how to work with MDTI for multiple workspaces; some guidance on this specific topic would be helpful.