What Changed
New Strider Shield solution from NVISO providing threat intelligence ingestion capabilities for Microsoft Sentinel through a CCF-based connector.
Data Source
Strider Shield platform delivers threat intelligence focused on email-based threats including:
- Email addresses and domains with threat indicators
- Risk signals and signal definitions for threat classification
- Terms and keywords associated with threat activity
Ingestion Mechanism
CCF-based connector using OAuth2 authentication with the following configuration:
- Five separate data streams targeting different threat intelligence categories
- DCR transforms split ingested data into dedicated tables: StriderShieldEmailAddresses_CL, StriderShieldEmailDomains_CL, StriderShieldRiskSignals_CL, StriderShieldRiskSignalsDefinitions_CL, StriderShieldTerms_CL
- 24-hour polling window with 1 QPS rate limiting
- OAuth2 client credentials flow with configurable authentication endpoint
Detection Surface Unlocked
Enhanced visibility into email-based threat vectors including:
- Malicious email addresses and domains from threat intelligence feeds
- Risk scoring and categorization for email security events
- Threat terminology tracking for campaign attribution
- Integration points for existing email security detections and hunting queries
Solution includes sample queries but no bundled analytic rules — organizations must develop custom detections leveraging the ingested threat intelligence data.
Affected Files
Logos/StriderShield.svg
Solutions/Strider Shield/Data Connectors/StriderShieldCCF/StriderShield_ConnectorDefinition.json
Solutions/Strider Shield/Data Connectors/StriderShieldCCF/StriderShield_DCR.json
Solutions/Strider Shield/Data Connectors/StriderShieldCCF/StriderShield_PollingConfig.json
Solutions/Strider Shield/Data Connectors/StriderShieldCCF/StriderShield_Table.json
Solutions/Strider Shield/Package/testParameters.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_StriderShield.json, createUiDefinition.json, mainTemplate.json)