Azure Sentinel — Microsoft Defender ATP: Automatic Advanced Hunting

Antonio Formato
6 min read · May 31, 2019

How to automate threat hunting based on Threat Intelligence feeds using Azure Sentinel and MDATP

This article is the 4th in my Microsoft security integrations series. It started with a post about the Microsoft Intelligent Security Graph and Security API, then I posted an article about Microsoft Defender ATP and MineMeld integration, closing with an article about Azure Sentinel and MineMeld integration.

Now I’d like to share how to consume your threat intelligence feeds to automatically start threat hunting processes in Microsoft Defender ATP (MDATP).

Building blocks:

  1. Onboard Azure Sentinel (reference here)
  2. Have the Microsoft Defender ATP service up and running
  3. Integrate your Threat Intelligence provider app with Azure Sentinel (an example here)
  4. Configure a Security Playbook using Azure Logic Apps

Scenario:

Let’s assume your TI provider publishes new IPv4 IoCs. You can leverage this information by pushing it automatically into Microsoft Defender ATP through the Threat Intelligence Platform integration, making TI information really actionable. As an example, MineMeld by Palo Alto Networks can be integrated easily; more info here.

From the moment the IoCs are pushed, MDATP will produce alerts if endpoints start connections to the IPs, URLs, domains or hashes…
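As an added example (not code from the original post or from MineMeld), the script below turns a constructed MineMeld-style IPv4 feed into the request bodies the Microsoft Defender ATP indicators API accepts (`POST https://api.securitycenter.microsoft.com/api/indicators`, fields `indicatorValue`, `indicatorType`, `action`, `title`, `description`, `expirationTime`, `severity` as documented by Microsoft). It deduplicates, drops malformed rows, and refuses RFC 1918/loopback/link-local ranges that would only generate noise once the indicator is live; the `value,confidence` feed layout and the confidence threshold are assumptions for the sample.

```python
"""Turn IPv4 IoCs from a TI feed into Microsoft Defender ATP indicator payloads."""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feed (one "ipv4,confidence" row per line); documentation
# addresses only, not real indicators.
SAMPLE_FEED = """\
198.51.100.23,85
203.0.113.7,60
10.0.0.5,90
198.51.100.23,70
not-an-ip,50
"""

# Ranges that must never become indicators: they would alert on (or, with a
# blocking action, cut off) the organisation's own infrastructure.
_NOISY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]


def parse_feed(text, min_confidence=70):
    """Yield (ip, confidence) for unique, routable IPv4 rows above the threshold."""
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value, _, conf = line.partition(",")
        try:
            ip = ipaddress.ip_address(value.strip())
            confidence = int(conf) if conf.strip() else 0
        except ValueError:
            continue  # skip malformed rows instead of failing the whole run
        if ip.version != 4 or any(ip in net for net in _NOISY):
            continue
        if confidence < min_confidence or str(ip) in seen:
            continue
        seen.add(str(ip))
        yield str(ip), confidence


def build_indicators(feed_text, source="TI-feed", days_valid=30):
    """Build one indicator request body per IoC; expiry lets stale IoCs age out."""
    expires = (datetime.now(timezone.utc) + timedelta(days=days_valid)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [{
        "indicatorValue": ip,
        "indicatorType": "IpAddress",
        "action": "Alert",  # alert-only first; move to AlertAndBlock once the feed is vetted
        "title": f"{source}: suspicious IPv4 {ip}",
        "description": f"Imported from {source}, feed confidence {confidence}",
        "expirationTime": expires,
        "severity": "High" if confidence >= 80 else "Medium",
    } for ip, confidence in parse_feed(feed_text)]


if __name__ == "__main__":
    print(json.dumps(build_indicators(SAMPLE_FEED), indent=2))
```

Each returned dict is one request body; submitting them still requires an app registration with the `Ti.ReadWrite` permission and a bearer token, which is out of scope here.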
