Microsoft Defender Threat Intelligence honeypot

Romar 106 Reputation points


I've added the Microsoft Defender Threat Intelligence Data Connector to Sentinel and I get thousands of honeypot alerts in the Threat Intelligence page. How can I filter these notifications?

Microsoft Sentinel

Accepted answer
  1. Andrew Blumhardt 9,841 Reputation points Microsoft Employee

    I don't have MDTI in my lab, but as Vlad said, look at the connector options. There is a drop-down to select the types of indicators. This sends IOCs to the threat intelligence table. Alerting comes from your TI Map rules, so you can also drill into the rule(s) generating these alerts for more options. Consider changing the KQL, the threshold, or adding alert grouping.

    You also have the option to use automation rules to auto close.

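As an added example that is not part of either answer, the KQL below has the shape of a TI Map analytics rule (indicator table joined to a log table) but removes indicators that look like honeypot entries before the join, so they can no longer raise alerts. The "honeypot" match on Tags/Description and the CommonSecurityLog DestinationIP pairing are assumptions; inspect the real indicator values in your workspace before relying on them.

```kql
// Added example, not from the thread. Assumption: MDTI honeypot indicators carry
// the word "honeypot" in Tags or Description. Verify with the first query.
let lookback = 14d;
// Keep only the latest version of each active, unexpired IP indicator, and drop
// the ones that look like honeypot entries.
let ti_ips = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(lookback)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | where not(tostring(Tags) has "honeypot" or Description has "honeypot")
    | project NetworkIP, Description, ConfidenceScore, Tags;
// Sanity check: what was filtered out, grouped by threat type and tags.
// Run this part on its own first to confirm the assumption holds.
// ThreatIntelligenceIndicator
// | where TimeGenerated >= ago(lookback)
// | where tostring(Tags) has "honeypot" or Description has "honeypot"
// | summarize Count = count() by ThreatType, tostring(Tags)
// | order by Count desc;
// The TI Map style join, now over the reduced indicator set.
CommonSecurityLog
| where TimeGenerated >= ago(1h)
| where isnotempty(DestinationIP)
| join kind=inner ti_ips on $left.DestinationIP == $right.NetworkIP
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP,
          Description, ConfidenceScore, Tags
```

The same `not(... has "honeypot")` line can be pasted into the query of an existing TI Map rule in the Analytics blade, which keeps the indicators in the table (as the connector delivers them) while stopping the alerts.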

1 additional answer

  1. Vlad Costa 860 Reputation points

    Hi Romar,

    Here’s how you can filter these notifications:

    1. Create a Filtering Rule: You can create a rule in Sentinel to filter out these specific alerts. Go to the Analytics section, click on + Create, and then select Scheduled alert rule. In the rule, you can specify the conditions that match the honeypot alerts you want to filter.
    2. Modify the Threat Intelligence Connector: If the honeypot alerts are not relevant to your environment, you might want to modify the settings of the Microsoft Defender Threat Intelligence Data Connector. You can adjust the Import Severity Level to a higher level to reduce the number of imported alerts.

    If this answers your question, please click Accept Answer and Yes if this answer was helpful. Doing so would help other community members with similar issues identify the solution. I highly appreciate your contribution to the community.

    1 person found this answer helpful.