Forum Discussion
Defender TI analytics in Defender for Cloud Apps
RVC, Defender for Cloud Apps is now part of the Microsoft 365 Defender portal. So anything you can do in the stand-alone portal you can now do in M365D directly. The signals from cloud apps are generally going to be sourced from app connectors and then enriched and combined with signals from the rest of the Defender stack to create incidents.
This can also be integrated with Sentinel through the M365D connector for bi-directional synchronization of incidents and alerts (along with other data available in advanced hunting).
- RVC (Dec 02, 2022, Brass Contributor):
Thanks for this reply. I'm aware of the integration of MDCA within M365D. The question is about the telemetry/signals coming from Defender Threat Intelligence.
As far as I can see, this is not part of the Defender 365 family. But it seems the data from Defender TI can be injected into M365D. I'm wondering how this works, and how that information can be received by M365D or MDCA. If it is directly in M365D, I can imagine it is usable within MDCA. But what do I have to do to get that information INTO M365D after purchasing the subscription? Is there a direct API, or does this info feed in via Sentinel, and thus Sentinel needs to be set up as well?
- Keith_Fleming (Dec 02, 2022, Microsoft):
RVC, generally Defender for Cloud Apps will already use signals from Microsoft Threat Intelligence. As part of the enrichment of activities, for instance, we will use MTI to categorize IPs as risky and assign geo-location, along with incident correlation in M365D. With this it's already implemented.
Were there specific signals that you were seeing that were not present in M365D?
- RVC (Dec 07, 2022, Brass Contributor):
I'm not rationalizing this from experience in a dashboard, as I do not have access to such. I try to understand how things should work.
As MTI is an intelligence service, I try to understand how this telemetry/signals will come into the dashboard/platform. As far as I understand there is a free and a subscription version. And if I understand the response correctly, the MTI telemetry is there automatically as soon as I purchase the service? For me, it sounds a bit strange, as I assume there must be a data flow coming from somewhere. But maybe I have to accept that Microsoft is managing that part.
And, if I have Sentinel AND M365D running, is this MTI intelligence available in both, or does the one share this with the other?