Forum Discussion
Defender TI analytics in Defender for Cloud Apps
As far as I can oversee, this is not part of the Defender 365 family. But, it seems the data from Defender TI can be injected into M365D. I'm wondering how this works, and how that information can be received by M365D or MDCA. If it is directly in M365D, I can imagine it is usable within MDCA. But what do I have to do to get that information INTO M365D after purchasing the subscription? Is there a direct API, or does this info feed in via Sentinel, and thus Sentinel needs to be set up as well?
RVC, generally Defender for Cloud Apps will already use signals from Microsoft Threat Intelligence. As part of enrichment of activities, for instance, we will use MTI to categorize IPs as risky and assign geo-location, along with incident correlation in M365D. With this it's already implemented.
Were there specific signals that you were seeing that were not present in M365D?
- RVC, Dec 07, 2022, Brass Contributor
I'm not rationalizing this from experience in a dashboard as I do not have access to such. I try to understand how things should work.
As MTI is an intelligence service, I try to understand how this telemetry/signals will come into the dashboard/platform. As far as I understand there is a free and subscription version. And if I understand the response correctly, the MTI telemetry is there automatically as soon as I purchase the service? For me, it sounds a bit strange as I assume there must be a data flow coming from somewhere. But maybe I have to accept Microsoft is managing that part.
And, if I have Sentinel AND M365D running, is this MTI intelligence available in both, or does the one share this with the other?
- Keith_Fleming, Dec 07, 2022, Microsoft
RVC, speaking more to the cloud apps perspective here. Today we already use signals from threat intelligence to enrich what we display. For instance, when an activity is ingested from an API, threat intelligence is what allows us to categorize an IP as risky or flag a file as containing malware, to name a few examples (this happens as the data flows through the system).
- RVC, Dec 08, 2022, Brass Contributor
Keith_Fleming, thanks for your tremendous support 🙂
If there are Threat intelligence signals available within Microsoft 365 Defender, what will be the added value for subscribing to Microsoft Defender Threat Intelligence? What intelligence will I have access to, more than the "default"?
And is Defender TI part of E5, or is this a separate subscription?