Forum Discussion
Defender TI analytics in Defender for Cloud Apps
I read that MDCA can judge based on Defender TI telemetry. But how will this data come to MDCA?
Is it injected into Defender 365, and will it come through via that path? Or does this reach MDCA via a Sentinel integration?
- BarryGoblon (Iron Contributor)
RVC: The key benefit DTI provides to MDCA is automatic enrichment of activity data with additional threat intelligence signals. For example, when an activity such as a risky IP login or malware file download is detected by MDCA, DTI automatically tags that activity with threat categories, geographic info, and other telemetry.
This enrichment happens by default within the Microsoft 365 Defender data pipelines that MDCA leverages. So no explicit configuration or data injection into MDCA is needed - the integration is handled behind the scenes. Of course MDCA can also take advantage of DTI data surfaced in solutions like Microsoft Sentinel through their bi-directional connection. But even without that, MDCA is continually enhanced by DTI to improve threat detection and response for cloud apps.
- Keith_Fleming (Microsoft)
RVC: Defender for Cloud Apps is now part of the Microsoft 365 Defender portal. So anything you can do in the stand-alone portal you can now do in M365D directly. The signals from cloud apps are generally going to be sourced from app connectors and then enriched and combined with signals from the rest of the Defender stack to create incidents.
This can also be integrated with Sentinel through the M365D connector for bi-directional synchronization of incidents and alerts (along with other data available in advanced hunting).
- RVC (Brass Contributor)
Thanks for this reply. I'm aware of the integration of MDCA within M365D. The question is about the telemetry/signals coming from Defender Threat Intelligence.
As far as I can see, this is not part of the Defender 365 family. But it seems the data from Defender TI can be injected into M365D. I'm wondering how this works, and how that information can be received by M365D or MDCA. If it is directly in M365D, I can imagine it is usable within MDCA. But what do I have to do to get that information INTO M365D after purchasing the subscription? Is there a direct API, or does this info feed in via Sentinel, and thus Sentinel needs to be set up as well?
- Keith_Fleming (Microsoft)
RVC: Generally, Defender for Cloud Apps will already use signals from Microsoft Threat Intelligence. As part of enrichment of activities, for instance, we will use MTI to categorize IPs as risky and assign geo-location, along with incident correlation in M365D. With this it's already implemented.
Were there specific signals that you were seeing that were not present in M365D?