Microsoft Defender Threat Intelligence honeypot

Question

Hi,

I've added the Microsoft Defender Threat Intelligence Data Connector to Sentinel and I get thousands of honeypot alerts in the Threat Intelligence page, how can I filter these notifications?

Answer 1

I don't have MDTI in my lab but as Vlad said, look at the connector options. There is a drop down to select the types of indicators. This sends IOCs to the threat intelligence table. Alerting comes from your TI Map rules. So, you can also drill into the rule(s) generating these alerts for more options. Consider changing the KQL, threshold, or adding alert grouping.

You also have the option to use automation rules to auto close.

Answer 2

Hi Romar,

Here’s how you can filter these notifications:

1. Create a Filtering Rule: You can create a rule in Sentinel to filter out these specific alerts. Go to the Analytics section, click on + Create, and then select Scheduled alert rule. In the rule, you can specify the conditions that match the honeypot alerts you want to filter.
2. Modify the Threat Intelligence Connector: If the honeypot alerts are not relevant to your environment, you might want to modify the settings of the Microsoft Defender Threat Intelligence Data Connector. You can adjust the Import Severity Level to a higher level to reduce the number of imported alerts.

If this answers your question, please click Accept Answer and Yes if this answer was helpful. Doing so would help other community members with similar issues identify the solution. I highly appreciate your contribution to the community.