The MDTI and Unified Security Operations Platform teams are excited to introduce an MDTI data connector available in the Unified Security Operations Platform and standalone Sentinel experiences. The connector enables customers to apply the powerful raw and finished threat intelligence in MDTI, including high-fidelity indicators of compromise (IoCs), across their security operations to detect and respond to the latest threats.
Microsoft researchers, with the backing of interdisciplinary teams of thousands of experts spread across 77 countries, continually add new analysis of threat activity observed across more than 78 trillion threat signals to MDTI, including powerful indicators drawn directly from threat infrastructure. In Sentinel, this intelligence enables enhanced threat detection, enrichment of incidents for rapid triage, and the ability to launch investigations that proactively surface external threat infrastructure before it can be used in campaigns.
This blog will highlight the exciting use cases for the MDTI premium data connector, including enhanced enrichment, threat detection, and hunting to ensure customer organizations are protected against the most critical threats. It will also cover how you can easily get started with this out-of-the-box connector.
Getting started
Use Cases
Dynamic Incident Enrichment
The MDTI premium data connector can help analysts respond to threats at scale by automatically enriching incidents with MDTI premium threat intelligence, evaluating indicators in an incident with dynamic reputation data (everything Microsoft knows about a piece of online infrastructure) to mark its severity and automatically triage it accordingly. Comments are added to the incident outlining the reputation details with links to further information about associated threat actors, tools, and vulnerabilities.
Threat Detection
With a flip of the switch, the MDTI premium data connector immediately enables detections for threats, including activity from the more than 300 named threat actor groups tracked by Microsoft. When enabled in Microsoft Sentinel, this connector takes URLs, domains, and IPs from a customer environment via log data and checks them against a dynamic list of known bad IOCs from MDTI. When a match occurs, an incident is automatically created, and the data is written to the Microsoft Sentinel TI tab. By enabling this rule, Microsoft Sentinel users know they have detections in place for threats known to Microsoft.
External Threat Hunting
Customers can pivot off the IoCs to investigate further and boost their understanding of the threat with MDTI's repository of raw and finished intelligence. Finished intelligence, or written intelligence and analysis, includes articles, activity snapshots, and Intel Profiles about actors, tooling, and vulnerabilities. It provides crucial context and vital information such as targeting information, TTPs (tactics, techniques, and procedures), and additional IoCs.
Customers can also explore advanced internet data sets created by a mass collection network that maps threat infrastructure across the internet every day, locating relationships between entities on the web and malicious infrastructure, tooling, and backdoors outside the network at incredible scale. Below is an example of how to effectively detect and hunt for Indicators of Compromise (IoCs) associated with threat actors using Sentinel with the MDTI connector enabled.
Begin by following these steps:
- Filter IoCs by MDTI source: set the source filter to "Premium Microsoft Defender Threat Intelligence" within the Sentinel TI tab
- By using tags, you can filter IoCs by specific threat actors, for example, `ActivityGroup:AQUA BLIZZARD`
Filtering tags based on threat actor for the group Aqua Blizzard
Leverage the enriched data from the MDTI feed in your Log Analytics workspace using KQL queries to hunt and create custom analytic rules.
A custom analytics rule to filter on the threat actor Aqua Blizzard
To create an analytics rule, fill out the fields under the 'General' tab as shown below:
Creating a custom trigger for IoCs related to Aqua Blizzard
For the sake of this demo, our detection rule is very simple. However, you can enhance it with your own detection logic:
Creating custom logic to run a query every 5 hours
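The steps above leave the detection logic to the reader; the following KQL is an added example of such a hunting query, not a query from the original post or a Microsoft-provided rule. It assumes the connector writes indicators to the ThreatIntelligenceIndicator table with SourceSystem equal to the source name shown in the TI tab, that actor tags live in the dynamic Tags column in the `ActivityGroup:AQUA BLIZZARD` form shown above, and that DNS query logs are in DnsEvents (Name = queried domain).

```kql
// Added example (not from the original post): match domain IoCs tagged to
// Aqua Blizzard in the Premium MDTI feed against recent DNS query logs.
// Assumed table and column names: ThreatIntelligenceIndicator (SourceSystem,
// Tags, IndicatorId, Active, ExpirationDateTime, DomainName) and DnsEvents (Name).
let ioc_lookBack = 14d;   // how far back to read indicators from the feed
let dt_lookBack  = 5h;    // matches the 5-hour schedule used in the demo rule
let actor_tag    = "ActivityGroup:AQUA BLIZZARD";
let AquaBlizzardDomains =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    // assumption: SourceSystem carries the same name as the TI-tab source filter
    | where SourceSystem == "Premium Microsoft Defender Threat Intelligence"
    | where tostring(Tags) contains actor_tag
    // keep only the latest version of each indicator, then drop inactive/expired ones
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(DomainName)
    | extend IoCDomain = tolower(DomainName);
DnsEvents
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(Name)
| extend QueriedDomain = tolower(Name)
| join kind=inner AquaBlizzardDomains on $left.QueriedDomain == $right.IoCDomain
| project TimeGenerated, Computer, ClientIP, QueriedDomain, IndicatorId,
          ConfidenceScore, ThreatType, Description, Tags
| order by TimeGenerated desc
```

Pasted into the rule's query box, this produces one row per DNS lookup of an Aqua Blizzard domain; swap the DnsEvents stage for a firewall or proxy table and the NetworkIP or Url indicator columns to cover IP and URL IoCs the same way.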
Customers can extend their investigation even further and gather more intelligence on the threat actor by using the Unified Security Operations Platform premium MDTI experience. Simply take an indicator value and perform a search in the global search feature:
Searching on Aqua Blizzard in the global search feature
Clicking into an Intel Profile for Aqua Blizzard provides the full corpus of intelligence, data, and analysis related to the threat actor, including TTPs and IoCs, continuously updated by Microsoft threat researchers:
The Aqua Blizzard Intel Profile
Conclusion
Microsoft delivers leading threat intelligence built on visibility across the global threat landscape, made possible by protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft delivers threat intelligence in MDTI that provides an all-encompassing view of attack vectors across various platforms, ensuring Sentinel customers have comprehensive threat detection and remediation.
If you are interested in learning more about MDTI, how it can help you unmask and neutralize modern adversaries and cyberthreats such as ransomware, and the features and benefits of MDTI, please visit the MDTI product web page.
Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Copilot for Security SCU here.