I’m writing this blog post for no other reason than to highlight and point folks to the proper steps for installing and configuring the Microsoft Defender Threat Intelligence solution announced this week in public preview. You’d think a blog post like this wouldn’t be necessary, but you’d think wrong.
We weren’t as clear in our communication as we should have been about how to get this working properly, and I’ve heard from many who got stuck at one spot or another.
There is a page in the Docs that does the best job of explaining this. It’s located here: Enable data connector for Microsoft Defender Threat Intelligence
But there are still a couple of things that aren’t called out in the Doc.
The things to highlight (where I’ve seen folks get stuck) are:
Even though we’re in a motion to centralize everything into the Content Hub, the connector and the solution are two separate things at this point. Installing the solution does not enable the connector, and enabling the connector does not install the solution’s playbooks.
RBAC is important: along with the normal read and write permissions on the Microsoft Sentinel workspace, the Template Spec Contributor role at the resource group level is required. The Content Hub install deploys the solution’s content as template specs into that resource group, so without that role the install fails even if you are a Sentinel Contributor.
The Microsoft Defender Threat Intelligence solution from the Content Hub should be installed first.
Then, in the Data Connectors blade, locate the Microsoft Defender Threat Intelligence (Preview) connector and enable it.
Locate the MDTI-Base playbook that was installed by the solution, edit it, and configure its API connections. The other playbooks installed by the solution won’t work until MDTI-Base is configured correctly, because they rely on the connections that MDTI-Base establishes.
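The steps above are portal steps, and the two places people get stuck (the missing resource-group role and the unconfigured MDTI-Base connections) are both easy to check from the shell. The following is an added example written for this post with the Az PowerShell module; it is not code from the original post or from the MDTI solution. It checks (and, if you have the rights, grants) the two roles at resource group scope, then lists the playbooks the solution installed and the status of the API connections they depend on. The subscription ID, resource group name and user UPN are placeholders you must replace; Microsoft Sentinel Contributor is used here as the "normal read and write" workspace role; and reading the connection status from the `overallStatus` property of the `Microsoft.Web/connections` resource is an assumption about that resource type. Installing the solution from the Content Hub and enabling the connector remain portal steps as described above.

```powershell
# Added example, not from the original post. Placeholder values below are assumptions.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # assumption: your subscription
$ResourceGroup  = "rg-sentinel"                             # assumption: RG holding the Sentinel workspace
$UserUpn        = "analyst@contoso.com"                     # assumption: the person doing the install
$BasePlaybook   = "MDTI-Base"                               # name taken from the post

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

$rgScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

# 1. RBAC pre-flight. Template Spec Contributor must be held at the resource group
#    (the Content Hub install writes template specs there). Microsoft Sentinel
#    Contributor stands in for the "normal read and write" workspace permission.
#    Get-AzRoleAssignment at a scope also returns assignments inherited from above it.
$RequiredRoles = @("Template Spec Contributor", "Microsoft Sentinel Contributor")
foreach ($role in $RequiredRoles) {
    $existing = Get-AzRoleAssignment -SignInName $UserUpn -Scope $rgScope `
                    -RoleDefinitionName $role -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "OK: $UserUpn already holds '$role' at $rgScope"
    } else {
        # Granting a role needs Owner or User Access Administrator on the RG;
        # if you lack that, this call fails and someone else must assign it.
        Write-Host "Assigning '$role' to $UserUpn at $rgScope"
        New-AzRoleAssignment -SignInName $UserUpn -Scope $rgScope -RoleDefinitionName $role | Out-Null
    }
}

# 2. After the solution is installed from the Content Hub, its playbooks exist as
#    Logic Apps in the resource group. If MDTI-Base is missing, the solution
#    was not installed (or landed in a different resource group).
$playbooks = Get-AzLogicApp -ResourceGroupName $ResourceGroup |
             Where-Object { $_.Name -like "MDTI-*" }
if (-not ($playbooks | Where-Object Name -eq $BasePlaybook)) {
    throw "$BasePlaybook not found in $ResourceGroup. Install the MDTI solution from the Content Hub first."
}
$playbooks | Select-Object Name, State | Format-Table -AutoSize

# 3. The playbooks authenticate through API connection resources. A connection
#    that has never been authorised in the Logic App designer reports a status
#    other than "Connected"; that is the state the other MDTI playbooks inherit
#    until MDTI-Base is configured. (overallStatus is an assumed property name.)
Get-AzResource -ResourceGroupName $ResourceGroup -ResourceType "Microsoft.Web/connections" -ExpandProperties |
    ForEach-Object {
        [pscustomobject]@{
            Connection = $_.Name
            Api        = $_.Properties.api.name
            Status     = $_.Properties.overallStatus
        }
    } |
    Sort-Object Status |
    Format-Table -AutoSize
```

Run the script before opening the Content Hub; if step 1 reports an assignment it could not create, get the Template Spec Contributor role granted at the resource group before retrying the install, since assigning it at the workspace or at subscription level through a different scope will not help if the template specs land in a resource group where you lack it. After configuring MDTI-Base in the portal, run step 3 again and confirm the MDTI connections show Connected before testing any of the other playbooks.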
Found another area where you are stuck? Let me know at @rodtrent
Regarding the MDTI-Base Playbook, you mention configuring the connections; what is this?
Are there any MDTI playbooks available to add entity info to incidents as comments?