Recent Discussions
Advanced threat hunting and multi-layered defense within the Microsoft Cloud ecosystem!
Dear Microsoft Cloud Friends, I think we all agree that cloud services are indispensable today. Whether it is cloud services from Microsoft, Amazon AWS, Google Cloud, etc., the integration of such services is widespread. As great and supportive as these cloud functionalities are, they also bring a big challenge: SECURITY! And this is exactly where the challenge starts. Where do protective measures need to be taken? Where is the first place to start? Where is it most important to set up protective mechanisms? Honestly, there is no standard solution that can be applied everywhere. This is extremely situational and depends on the cloud services used. This article is about giving you a jump start. The following information, measures, etc. are neither exhaustive nor complete, but they are intended to support you so that you can continue to develop. Identities are an incredibly important element in cloud services (I'm not just talking about user accounts, but also managed identities, service principals, app registrations, etc.). This is exactly why we start with this topic first. What can support us here is, for example, the MITRE ATT&CK framework and of course the Microsoft documentation.

Identities:

Cloud Matrix https://attack.mitre.org/matrices/enterprise/cloud/
Valid Accounts: Cloud Accounts https://attack.mitre.org/techniques/T1078/004/
Modify Authentication Process: Hybrid Identity https://attack.mitre.org/techniques/T1556/007/
Account Manipulation: Additional Cloud Credentials https://attack.mitre.org/techniques/T1098/001/
Azure AD Matrix https://attack.mitre.org/matrices/enterprise/cloud/azuread/

In ATT&CK, tactics represent the "why" of a technique or sub-technique. The following articles describe several best practices on how to protect identities.
Azure Identity Management and access control security best practices https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices
Best practices for Azure AD roles https://learn.microsoft.com/en-us/azure/active-directory/roles/best-practices
Microsoft identity platform best practices and recommendations https://learn.microsoft.com/en-us/azure/active-directory/develop/identity-platform-integration-checklist
Best practices for all isolation architectures https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/secure-with-azure-ad-best-practices
Securing identity with Zero Trust https://learn.microsoft.com/en-us/security/zero-trust/deploy/identity

All of these safeguards are great, but logging should definitely not be forgotten. For example, if you have log collection set up for Azure Active Directory, you can use KQL (Kusto Query Language) to examine the logs. With the following example, you can investigate why a person was given the Global Administrator role:

// Members added to tenant-wide or Global roles
AuditLogs
| where Category == "RoleManagement"
| where Result == "success"
| where OperationName == "Add member to role"
| where (TargetResources has "Company" or TargetResources has "Tenant" or TargetResources has "Global")
| project TargetUser = tostring(TargetResources[0].userPrincipalName)

With Microsoft Defender for Identity there is a cloud service to monitor Active Directory. Attacks like those shown in the following screenshots can be detected this way (sorry, the screenshots are in German).

Email and data information storage:

Working with email services and storing data/information in the various cloud environments has become indispensable today. It is self-explanatory that this situation offers a large attack surface.
Email Collection https://attack.mitre.org/techniques/T1114/
Compromise Accounts: Email Accounts https://attack.mitre.org/techniques/T1586/002/
Phishing https://attack.mitre.org/techniques/T1566/
Establish Accounts: Email Accounts https://attack.mitre.org/techniques/T1585/002/
Email Collection: Email Forwarding Rule https://attack.mitre.org/techniques/T1114/003/
Email Collection: Remote Email Collection https://attack.mitre.org/techniques/T1114/002/
Email Collection: Local Email Collection https://attack.mitre.org/techniques/T1114/001/
Data from Information Repositories: Sharepoint https://attack.mitre.org/techniques/T1213/002/
Office 365 Matrix https://attack.mitre.org/matrices/enterprise/cloud/office365/
Data from Information Repositories https://attack.mitre.org/techniques/T1213/

Let's take a look together at what Microsoft has to offer in terms of security features on these topics.

Secure your data with Microsoft 365 for business https://learn.microsoft.com/en-us/microsoft-365/business-premium/secure-your-business-data
Policy recommendations for securing email https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-email-recommended-policies
Recommended settings for EOP and Microsoft Defender for Office 365 security https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365
Managing SharePoint Online Security: A Team Effort https://learn.microsoft.com/en-us/microsoft-365/community/sharepoint-security-a-team-effort
Policy recommendations for securing SharePoint sites and files https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/sharepoint-file-access-policies
What is Microsoft 365 Defender?
https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-365-defender
Check last login to a mailbox https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Hunting_Exchange_Online/Exchange_Mailbox_LastLogin.ps1
Check a SharePoint Online library for specific file extensions https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Hunting_SharePoint_Online/SharePoint_Online_specific_files.ps1

Virtual machines:

Virtual machines are not only used in the on-premises infrastructure, but also in the cloud. In many cases, there are even hybrid infrastructures.

Hide Artifacts: Run Virtual Instance https://attack.mitre.org/techniques/T1564/006/
Virtualization/Sandbox Evasion https://attack.mitre.org/techniques/T1497/
Virtualization/Sandbox Evasion: System Checks https://attack.mitre.org/techniques/T1497/001/
Compromise Infrastructure: Virtual Private Server https://attack.mitre.org/techniques/T1584/003/
Modify Cloud Compute Infrastructure: Create Cloud Instance https://attack.mitre.org/techniques/T1578/002/
Modify Cloud Compute Infrastructure: Delete Cloud Instance https://attack.mitre.org/techniques/T1578/003/
Acquire Infrastructure: Virtual Private Server https://attack.mitre.org/techniques/T1583/003/
Instance https://attack.mitre.org/datasources/DS0030/
Cloud Administration Command https://attack.mitre.org/techniques/T1651/

In such an infrastructure (IaaS, Infrastructure-as-a-Service) there is an incredible number of different threats, and making them all visible is a real challenge.
Azure Virtual Desktop Security best practices https://learn.microsoft.com/en-us/azure/virtual-desktop/security-guide
Security best practices for IaaS workloads in Azure https://learn.microsoft.com/en-us/azure/security/fundamentals/iaas
Best practices for defending Azure Virtual Machines https://www.microsoft.com/en-us/security/blog/2020/10/07/best-practices-for-defending-azure-virtual-machines/
Security recommendations for virtual machines in Azure https://learn.microsoft.com/en-us/azure/virtual-machines/security-recommendations
Azure Virtual Machines security overview https://learn.microsoft.com/en-us/azure/security/fundamentals/virtual-machines-overview
Security considerations for SQL Server on Azure Virtual Machines https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/security-considerations-best-practices
Azure best practices for network security https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
Azure security baseline for Windows Virtual Machines https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-machines-windows-security-baseline
Plan your Defender for Servers deployment https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers

With Microsoft Defender for Servers, you can monitor not only systems in Azure; you also get support for Amazon AWS and Google Cloud.

Networking:

Systems, but also cloud services, want to communicate. Networks are therefore at high risk and require special attention.

Network Service Discovery https://attack.mitre.org/techniques/T1046/
Network Segmentation https://attack.mitre.org/mitigations/M0930/
Network Sniffing https://attack.mitre.org/techniques/T1040/
Network Traffic https://attack.mitre.org/datasources/DS0029/
Network Allowlists https://attack.mitre.org/mitigations/M0807/
Data from Network Shared Drive https://attack.mitre.org/techniques/T1039/

Let's look together at how we can make networks more secure.
Azure best practices for network security https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
Azure Virtual Network concepts and best practices https://learn.microsoft.com/en-us/azure/virtual-network/concepts-and-best-practices
Azure security baseline for Virtual Network https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline
Azure security best practices and patterns https://learn.microsoft.com/en-us/azure/security/fundamentals/best-practices-and-patterns
Network security https://learn.microsoft.com/en-us/azure/well-architected/security/design-network
Azure network security overview https://learn.microsoft.com/en-us/azure/security/fundamentals/network-overview
Best practices to set up networking for workloads migrated to Azure https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/migrate/azure-best-practices/migrate-best-practices-networking
Security best practices for IaaS workloads in Azure https://learn.microsoft.com/en-us/azure/security/fundamentals/iaas
Azure security best practices https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/security-top-10
What is Zero Trust? https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-overview

Advanced Hunting:

These were just a few examples, and they already make visible how enormous the whole environment is. Installing protection mechanisms, setting up logging, monitoring the systems and examining log data is one thing, but how do you "master" this flood of information? One tool that can help us do this is Microsoft Sentinel. Microsoft Sentinel is a cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution that runs in the Azure cloud. Not only can cloud environments be monitored; local infrastructures can also be integrated.
In addition, other cloud providers can be integrated, and there are more than 100 connectors, many of them for third-party products. With Sentinel you get a tool with which you can search for threats in a targeted, fast and efficient way.

Hunt for threats with Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/hunting
Use Hunts to conduct end-to-end proactive threat hunting in Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/hunts
Keep track of data during hunting with Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/bookmarks

Once you have connected your sources to Sentinel, you can write KQL queries where the sky is the limit (if at all). Here are a few examples:

// Failed sign-in reasons
// Lists the main reasons for sign-in failures.
SigninLogs
| where ResultType != 0
| summarize Count=count() by ResultDescription, ResultType
| sort by Count desc nulls last

// Failed MFA challenge
// Highlights sign-in failures caused by a failed MFA challenge.
SigninLogs
| where ResultType == 50074
| project UserDisplayName, Identity, UserPrincipalName, ResultDescription, AppDisplayName, AppId, ResourceDisplayName
| summarize FailureCount=count(), FailedResources=dcount(ResourceDisplayName), ResultDescription=any(ResultDescription) by UserDisplayName

// All SigninLogs events
// All Azure sign-in events.
SigninLogs
| project UserDisplayName, Identity, UserPrincipalName, AppDisplayName, AppId, ResourceDisplayName

// Successful key enumeration
// Lists users who performed storage account key enumeration, and their source IP address.
AzureActivity
| where OperationName == "List Storage Account Keys"
| where ActivityStatus == "Succeeded"
| project TimeGenerated, Caller, CallerIpAddress, OperationName

// PowerShell launches (Windows Security event 4688)
// Groups process-creation events for powershell.exe by computer, user and command line
// (with the leading executable name trimmed off) and ranks the groups by count.
let lookback = 2d;
SecurityEvent
| where TimeGenerated >= ago(lookback)
| where EventID == 4688 and Process =~ "powershell.exe"
| extend PwshParam = trim(@"[^/\\]*powershell(.exe)+" , CommandLine)
| project TimeGenerated, Computer, SubjectUserName, PwshParam
| summarize min(TimeGenerated), count() by Computer, SubjectUserName, PwshParam
| order by count_ desc nulls last

// Devices with many antivirus detections
// Devices with more than five antivirus detections ingested in the last day, together with their latest event.
DeviceEvents
| where ingestion_time() > ago(1d)
| where ActionType == "AntivirusDetection"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| where count_ > 5

I hope that this information is helpful to you and that you have received a good "little" foundation. This is certainly not an exhaustive list, but I still hope that this information is helpful for you. Thank you for taking the time to read the article.

Happy Hunting, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler
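As an added example that is not part of Tom Wechsler's article: the grouping logic of the Sentinel queries above (failed sign-in reasons, failed MFA challenges, PowerShell launches from event 4688, and devices with many antivirus detections) re-implemented in Python over constructed sample records, so you can check what each query would return before running it against a workspace. Table and column names are those of the KQL; the sample rows, the fixed NOW timestamp and the use of Timestamp in place of ingestion_time() are assumptions of this example.

```python
"""Offline re-implementation of the Sentinel hunting queries (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

# Constructed sample rows (not real tenant data); column names follow the KQL tables.
SIGNIN_LOGS = [
    {"UserDisplayName": "Alice", "ResultType": 0, "ResultDescription": "", "ResourceDisplayName": "Office 365"},
    {"UserDisplayName": "Bob", "ResultType": 50126, "ResultDescription": "Invalid username or password", "ResourceDisplayName": "Office 365"},
    {"UserDisplayName": "Bob", "ResultType": 50126, "ResultDescription": "Invalid username or password", "ResourceDisplayName": "Azure Portal"},
    {"UserDisplayName": "Carol", "ResultType": 50074, "ResultDescription": "Strong Authentication is required", "ResourceDisplayName": "Office 365"},
    {"UserDisplayName": "Carol", "ResultType": 50074, "ResultDescription": "Strong Authentication is required", "ResourceDisplayName": "Azure Portal"},
    {"UserDisplayName": "Carol", "ResultType": 50074, "ResultDescription": "Strong Authentication is required", "ResourceDisplayName": "Azure Portal"},
]
SECURITY_EVENTS = [
    {"TimeGenerated": NOW - timedelta(hours=3), "EventID": 4688, "Computer": "WS01", "SubjectUserName": "bob",
     "Process": "powershell.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"TimeGenerated": NOW - timedelta(hours=1), "EventID": 4688, "Computer": "WS01", "SubjectUserName": "bob",
     "Process": "POWERSHELL.EXE", "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},  # =~ is case-insensitive
    {"TimeGenerated": NOW - timedelta(hours=2), "EventID": 4688, "Computer": "WS02", "SubjectUserName": "carol",
     "Process": "powershell.exe", "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File a.ps1'},
    {"TimeGenerated": NOW - timedelta(days=3), "EventID": 4688, "Computer": "WS02", "SubjectUserName": "carol",
     "Process": "powershell.exe", "CommandLine": "powershell.exe -File old.ps1"},  # outside the 2d lookback
    {"TimeGenerated": NOW - timedelta(hours=1), "EventID": 4688, "Computer": "WS03", "SubjectUserName": "dave",
     "Process": "cmd.exe", "CommandLine": "cmd.exe /c whoami"},  # not PowerShell
]
DEVICE_EVENTS = (
    [{"Timestamp": NOW - timedelta(minutes=10 * i), "ReportId": 100 + i, "DeviceId": "dev-a", "ActionType": "AntivirusDetection"} for i in range(6)]
    + [{"Timestamp": NOW - timedelta(minutes=5 * i), "ReportId": 200 + i, "DeviceId": "dev-b", "ActionType": "AntivirusDetection"} for i in range(2)]
    + [{"Timestamp": NOW - timedelta(days=3), "ReportId": 300 + i, "DeviceId": "dev-c", "ActionType": "AntivirusDetection"} for i in range(7)]
)


def failed_signin_reasons(rows):
    """SigninLogs | where ResultType != 0 | summarize Count=count() by ResultDescription, ResultType | sort by Count desc"""
    counts = Counter((r["ResultDescription"], r["ResultType"]) for r in rows if r["ResultType"] != 0)
    return sorted(((desc, code, n) for (desc, code), n in counts.items()), key=lambda t: -t[2])


def failed_mfa_by_user(rows):
    """SigninLogs | where ResultType == 50074 | summarize FailureCount=count(), FailedResources=dcount(ResourceDisplayName) by UserDisplayName"""
    per_user = defaultdict(lambda: {"FailureCount": 0, "Resources": set()})
    for r in rows:
        if r["ResultType"] == 50074:
            per_user[r["UserDisplayName"]]["FailureCount"] += 1
            per_user[r["UserDisplayName"]]["Resources"].add(r["ResourceDisplayName"])
    return {u: {"FailureCount": v["FailureCount"], "FailedResources": len(v["Resources"])} for u, v in per_user.items()}


PWSH_PREFIX = r"[^/\\]*powershell(.exe)+"  # the regex the KQL hands to trim()


def pwsh_param(command_line):
    """KQL trim(regex, s) removes leading and trailing matches of regex; this version also strips whitespace.
    Note the regex only matches when no path separator precedes 'powershell', so a full path is left intact."""
    s = re.sub(r"^(?:" + PWSH_PREFIX + ")", "", command_line)
    s = re.sub(r"(?:" + PWSH_PREFIX + ")$", "", s)
    return s.strip()


def powershell_launches(rows, now=NOW, lookback=timedelta(days=2)):
    """SecurityEvent | where EventID == 4688 and Process =~ "powershell.exe"
    | summarize min(TimeGenerated), count() by Computer, SubjectUserName, PwshParam | order by count_ desc"""
    groups = {}
    for r in rows:
        if r["TimeGenerated"] < now - lookback or r["EventID"] != 4688 or r["Process"].lower() != "powershell.exe":
            continue
        key = (r["Computer"], r["SubjectUserName"], pwsh_param(r["CommandLine"]))
        first, n = groups.get(key, (r["TimeGenerated"], 0))
        groups[key] = (min(first, r["TimeGenerated"]), n + 1)
    # rows are (Computer, SubjectUserName, PwshParam, min_TimeGenerated, count_)
    return sorted(((*k, first, n) for k, (first, n) in groups.items()), key=lambda t: -t[4])


def noisy_av_devices(rows, now=NOW, threshold=5):
    """DeviceEvents | where ActionType == "AntivirusDetection"
    | summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId | where count_ > 5
    Timestamp stands in for ingestion_time() here; the 1d window is the same."""
    per_device = defaultdict(list)
    for r in rows:
        if r["ActionType"] == "AntivirusDetection" and r["Timestamp"] > now - timedelta(days=1):
            per_device[r["DeviceId"]].append(r)
    result = {}
    for device, events in per_device.items():
        if len(events) > threshold:
            latest = max(events, key=lambda e: e["Timestamp"])
            result[device] = {"Timestamp": latest["Timestamp"], "ReportId": latest["ReportId"], "count_": len(events)}
    return result


if __name__ == "__main__":
    for query, table in [(failed_signin_reasons, SIGNIN_LOGS), (failed_mfa_by_user, SIGNIN_LOGS),
                         (powershell_launches, SECURITY_EVENTS), (noisy_av_devices, DEVICE_EVENTS)]:
        print(query.__name__, query(table))
```

Note that the 4688 regex leaves a fully qualified powershell.exe path untouched, so the same command launched via its full path lands in a separate group from one launched by bare name.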
New blog post | Seeking Dead and Dying Servers with the MDEASM APIs

This post follows the Seeking Dead and Dying Servers blog and introduces the https://learn.microsoft.com/en-us/rest/api/defenderforeasm/. You should start with the previous post if you haven't already done so or are brand new to Defender EASM. Defender EASM APIs provide much more capability than the UI (user interface) alone, enabling users to work with large numbers of assets in one action or piece of code. The pro of APIs is they provide an unencumbered interface between the application and the code or app interacting with it to enable exciting capabilities. However, leveraging an API usually involves significant coding work, even for experienced users. Luckily, I've written sample Jupyter Notebooks in Python and PowerShell you can download and use regardless of your experience level. Seeking Dead and Dying Servers with the MDEASM APIs - Microsoft Community Hub

For enterprise APIs, is Zero-Copy Integration the David to big data’s Goliath?
In Rodgers and Hammerstein’s “The King and I,” the King explains to “I” that the bee always flies from flower to flower; the flower never flies from bee to bee. That justification for philandering didn’t fly with Mrs. Anna, but it does make sense when applied to the relationship between applications and data: Should data fly from application to application, or should the data stay put like a flower and let applications approach it on its terms? A new framework, formulated as an open standard that has just received the imprimatur of the Canadian government, is keeping data firmly rooted.

What is Zero-Copy Integration?

Zero-Copy Integration is an initiative championed by the Canadian collaborative data company Cinchy. It aims to overturn the enterprise software https://technologyadvice.com/blog/information-technology/how-to-use-an-api/ paradigm with a totally new model — the company calls it dataware — that keeps data effectively rooted while removing complexity and data redundancy from the enterprise software integration process.

Benefits of Zero-Data Integration

Proponents of zero-copy integration and dataware say the framework will lower data storage costs, improve performance of IT teams, improve privacy and security of data, and drive innovation in systems for public health, social research, open banking and sustainability through innovations in:

Application development and enrichment.
Predictive analytics.
Digital twins.
Customer 360 technology.
Artificial intelligence and machine learning.
Workflow automation.
Legacy system modernization.

On Tuesday, Canada’s Digital Governance Council and the not-for-profit Data Collaboration Alliance, created by Cinchy, announced CAN/CIOSC 100-9, Data governance – Part 9: Zero-Copy Integration, a national standard approved by the Standards Council of Canada, to be published as an open standard.
Zero-Copy Integration seeks to eliminate API-driven data silos

The basic idea, according to Dan DeMers, Cinchy’s CEO, is that the framework aims to remove application data silos by using access-based data collaboration versus standard API-based data integration that involves copying data and branding it with complex app-specific coding. This would be done by access controls set in the data layer. It would also involve:

Data governance via data products and https://www.techrepublic.com/article/data-stewardship-vs-data-governance/, not centralized teams.
Prioritization of “data-centricity” and active metadata over complex code.
Prioritization of solution modularity over monolithic design.

The initiative said viable projects for Zero-Copy Integration include the development of new applications, predictive analytics, https://www.techrepublic.com/article/digital-twins-are-moving-into-the-mainstream/, customer 360 views, AI/ML operationalization and workflow automations as well as legacy system modernization and SaaS application enrichment. DeMers, who is also a technical committee member for the standard, promises a revolution in data. “At some point in a world of increasing complexity, you fall off a cliff, so we believe we’re at the beginning of the simplification revolution,” he said. “The fact is that data is becoming increasingly central, and the way that we share it is with APIs and https://www.techrepublic.com/article/what-is-etl/, which involves creating copies and vastly increases complexity and cost. It amounts to half the IT capacity of every complex organization on the planet, and every year it gets more expensive.” He said even more concerning is that every time a copy is generated, a degree of control is lost. “If I run a bank, and I have a thousand applications, and they all need to interact with some representation of my customer, and by doing that are copying that representation, I now have a thousand copies of that customer,” DeMers said.
“How do I protect that?”

Security through Zero-Copy frameworks

Laws describing ownership of data limit how organizations or governments can use that data — but they are laws, not systematic controls, noted DeMers. A key point of the Zero-Data Integration argument, and Canada’s adoption of a framework in principle, is that it makes data security easier by limiting access and control. “Zero Copy is a paradigm shift because it allows you to embed controls in the data itself,” DeMers said. “Because it’s access based, not copy based, access can be granted and it can be revoked, whereas copies are forever and you can quickly lose control over who has them, and any attempt to limit what organizations do when they obtain a copy is hard.” Cinchy is aiming for a “data fabric architecture” to transform data warehouses, lakes and/or https://www.techrepublic.com/article/top-5-things-to-know-about-data-lakehouses/ into repositories that can actualize both analytics and operational software. This is so apps can come to it, not carry copies of data back to the application walled garden. DeMers argued that the creation and storage of copies costs money, both because of storage and data pipelines and the time IT has to spend managing the iterations of data generated by hundreds or thousands of apps an enterprise may host. “Copies of data require storage; the creation of the copy and synchronizing it not only uses storage, but also uses computation,” he said. “If you imagine most of the processes running on servers in the bank right now, they’re moving and reconciling copies of data, which constitutes energy use.” He added that copying and moving data creates opportunities to introduce errors. If two systems connected by a data pipeline desync, then data can be lost or corrupted, reducing data quality. With one copy of the data used collectively by all systems, there’s no chance of records appearing differently in different contexts.

Is Zero-Copy Integration an L.A. subway dream?
Matt McLarty, chief technology officer of Salesforce’s MuleSoft, agrees that data replication is a perennial issue. “Not even data replication, but the existence of semantically equivalent data in different places,” he said. He sees it as a bit like Los Angeles and subways: A great idea in principle, but nobody is going to tear Los Angeles down and rebuild it around mass transit. “It’s both a huge issue but also an unavoidable reality,” he said. “From a problem statement, yes, but I would say there are multiple categories of software in the space, including Salesforce Genie, all about how you harness all of the customer data widely dispersed across the ecosystem.”

Operational elephants and analytical zebras drinking from the same data lake

Most enterprises, explained McLarty, have two massive areas of data that, while not at cross purposes, need to live separately: operational data and https://www.techrepublic.com/article/data-analytics-growth-in-down-market/. Operational data is employed by such user-facing applications as mobile banking; analytical data takes data out of the flow of operational activities and uses it for business analytics and intelligence. “They have historically lived separately because of the processing differences,” he said. “Operationally, there’s high speed, high-scale processing and analytically, small internal groups crunching big numbers.” DeMers explained that what dataware does, among other things, is to incorporate “operational data fabric.” This, he said, makes “last time” integration from external data sources to an architecture based on a “network of datasets” that’s capable of powering unlimited business models. “Once created, these models can be readily operationalized as metadata-based experiences or exposed as APIs to power low code and pro code UX designs,” he said, adding that it eliminates the need to stand up new databases, perform point-to-point data integration or set app-specific data protections.
“Another core concept associated with dataware technology is ‘collaborative intelligence,’ which is created as a result of users and connected systems, simultaneously enriching the information within the dataset network,” he said. DeMers said users granted access to a dataset by its owners get an interface called a “data browser” offering a “self-serve experience.” “In principle, this works a bit like Google Docs, where multiple colleagues collaborate on a white paper or business proposal while the software automatically offers grammatical suggestions and manages roles, permissions, versioning and backup,” he said. DeMers added that the end result is super-enriched and auto-protected data that can be instantly queried by teams to power unlimited dashboards, 360 views and other analytics projects.

Will companies simplify or “embrace the chaos?”

By some estimates, companies are taking the “embrace the chaos” route to find new approaches that concede that the enterprise data frameworks will remain complex and L.A.-like. These include https://www.eweek.com/enterprise-apps/data-mesh/ frameworks and automation and machine learning systems creating models that integrate different kinds of data. “I think the biggest shift right now in the world of data is that the two worlds — analytical and operational — are colliding,” McLarty said. “What’s happening now, because of the big data movement and machine learning, is data-derived coding — writing code with data, ingesting data and producing machine learning models based on the data that I can put into my applications.” DeMers said that the dataware paradigm enables data mesh concepts. “Requiring a single team to manage every dataset in the organization is a sure path to failed https://www.techrepublic.com/article/data-governance-framework/,” he said. He also argued that in a data-centric organization, data stewards should reflect the granularity of your organization chart.
“This approach to federated data governance organized around data domains and data products is the data mesh, and it’s a big part of establishing a more agile enterprise,” DeMers said. Data silos make this difficult because of the unrestricted point-to-point data integration that it involves.

Liberating data from the application

Sylvie Veilleux, former chief information officer of Dropbox, said data silos are a fundamental part of the ecosystem, but that is a problem dataware can solve. “Every app solves a specific and unique purpose, and they are tending toward more and more specialization,” she said. “The more SaaS adoption continues, which is very healthy in terms of how the business gets access to tools, the more it’s continuously creating a hundred, thousand or more data silos in larger corporations. This number will continue to grow without us taking a whole new approach to how we think about data applications.” She said dataware and Zero-Data Integration allow enterprises to eliminate extra data integrations by having the app connect to a network data source. “It changes how we work by pivoting the process from data being the captive of an application to keeping it on a network, thereby letting users collaborate, and giving businesses real-time access to it,” Veilleux said. With data repositories moving to the cloud, a boon to collaboration, companies have more flexibility and reduced costs, but at what cost to security and threats? which includes guidelines that will help you achieve secure cloud data management for integrity and privacy of company-owned information.

New Blog | Introducing Automatic File and URL (Detonation) Analysis
The Microsoft Defender Threat Intelligence (MDTI) team continuously adds new threat intelligence capabilities to MDTI and Defender XDR, giving customers new ways to hunt, research, and contextualize threats. Read up on a new feature that enhances our file and URL analysis (detonation) capabilities in the threat intelligence blade within the Defender XDR user interface. If MDTI cannot return any results when a customer searches for a file or URL, MDTI now automatically detonates it to improve search coverage and add to our corpus of knowledge of the global threat landscape. See the blog post here: Introducing Automatic File and URL (Detonation) Analysis - Microsoft Community Hub

Python Update Recommendation Not Disappearing from Microsoft Vulnerability Management list
Hello, Microsoft Defender Vulnerability Management is recommending that I update Python on my Azure VMs since version 3.9 has some critical vulnerabilities. We did the update to version 3.12, but only the Windows 2019 Datacenter machine no longer appears as an Exposed Device. The procedure to update Python on all machines was the same, but the Windows 2016 Datacenter VMs remain in the Exposed Device list. Because Python relies on Anaconda, it is not possible to remove the older version completely. The strange thing is why the same procedure to update the software is apparently seen as different by Microsoft Defender Vulnerability Management. Any advice is highly appreciated. Thanks in advance, Mirella

New blog post | What's New: Hash and URL Search Intelligence
Microsoft Defender Threat Intelligence (Defender TI) now includes File Hash and URL Search capabilities, enabling researchers, analysts, hunters, and security responders to search for high-quality threat intelligence, including verdicts and associated metadata. This feature empowers security professionals to effectively utilize threat intelligence in their threat-hunting and investigation activities. What's New: Hash and URL Search Intelligence - Microsoft Community Hub

New Blog Post | Defender for Cloud and Defender for Threat Intelligence are Better Together
Full blog post: Microsoft Defender for Cloud and Defender for Threat Intelligence are Better Together

Organizations today face the continually changing and complicated task of protecting their ever-expanding attack surface from cyber-attacks. The move to the Cloud and remote workspaces has pushed the boundary of their digital ecosystem well beyond their traditional physical network. Data, users, and systems are in multiple locations, creating significant challenges for security operations teams tasked with defending their organizational assets. Information Security personnel need to be equipped with solutions to identify new adversaries and threats like ransomware. It's now crucial for defenders to have unique visibility across both their organization's attack surface and the threat infrastructure used to target it. In this blog, I will highlight key capabilities in Microsoft Defender for Cloud (MDC) and Microsoft Defender Threat Intelligence (MDTI) that, when used together, enable analysts to quickly understand exposures and equip them with crucial context about threat actors likely to target them. Original Post: New Blog Post | Defender for Cloud and Defender for Threat Intelligence are Better Together - Microsoft Community Hub

Survey Opportunity: Understanding your use of Microsoft Defender Threat Intelligence content
At Microsoft Security, our goal is for Microsoft Defender Threat Intelligence (MDTI) to be a platform that streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence. We would like to:

Learn how our customers are operationalizing Microsoft threat intelligence
Understand the value that existing content adds to your workflows
Learn about your experience as a user
Gather your feedback for areas we need to focus on

To help us, simply complete this survey before 06/16/2023: https://forms.microsoft.com/r/wa3er3Ftk4

New blog post | What’s New: MDTI Interoperability with Microsoft 365 Defender
Microsoft Defender Threat Intelligence (Defender TI) helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows, aggregating and enriching critical threat information in an easy-to-use interface. At Microsoft Secure, we announced new features, including that Defender TI is now available to licensed customers within the Microsoft 365 Defender (M365 Defender) portal, placing its powerful threat intelligence side-by-side with the advanced XDR functionality of M365 Defender. What’s New: MDTI Interoperability with Microsoft 365 Defender - Microsoft Community Hub

New Blog | A Copilot for Security Customer’s Guide to MDTI
By Michael Browning

With just one Security Compute Unit (SCU), Copilot for Security customers have unlimited access to the powerful operational, tactical, and strategic threat intelligence in Microsoft Defender Threat Intelligence (MDTI), a $50k per seat value, at no extra cost. This compendium of high-fidelity intelligence developed by Microsoft's team of more than 10,000 multidisciplinary security experts and informed by over 78 trillion security signals enables teams to unmask and neutralize adversaries quickly and efficiently. In this blog, we will review what MDTI is, what you get as a Copilot for Security customer, and how you can immediately tap into this powerful intelligence.

What is MDTI?

MDTI is a threat intelligence product that enables security professionals to directly access, ingest, and act upon trillions of daily security signals in Microsoft's telemetry. MDTI's finished intelligence, including threat articles and intel profiles, provides the latest on cyber threat actors and their tools, tactics, and procedures. Its unique security data sets enable advanced investigations that uncover malicious infrastructure connections across the global cyberthreat landscape to highlight where an organization is vulnerable and address the tools and systems used in cyberattacks. MDTI is a powerful complement to Microsoft's SIEM, XDR, and AI solutions. Copilot for Security customers can use the incredible depth and breadth of Microsoft threat intelligence in MDTI with Generative AI to quickly understand the full scope of attacks, anticipate the next steps of an ongoing campaign, and drive an optimal security plan for their organizations. They can immediately begin using MDTI in the Copilot for Security standalone experience or embedded experience in Defender XDR. They can also use MDTI directly via the MDTI 'analyst workbench' experience in the Threat Intelligence blade in Defender XDR.
Copilot for Security customers can tap into MDTI’s powerful threat intelligence in a variety of ways. Read the full post here: A Copilot for Security Customer’s Guide to MDTI

Blog | Using Microsoft Defender Threat Intelligence with the Diamond Model for Threat Intelligence
Cybersecurity incidents can be complex and challenging to investigate, requiring advanced tools and techniques to identify the scope of the attack, determine the adversary's tactics and procedures, and develop an effective response strategy. Microsoft Defender Threat Intelligence (MDTI) provides robust tools and features that enable security analysts to quickly investigate incidents and respond to cyber threats by applying the Diamond Model for Intrusion Analysis Framework to threat intelligence. Read the full update here: Using Microsoft Defender Threat Intelligence with the Diamond Model for Threat Intelligence - Microsoft Community Hub

New Blog | Unleash the Power of Threat Intel: Introducing the MDTI GitHub
We are excited to announce that the Microsoft Defender Threat Intelligence (Defender TI) team has launched our official GitHub Community. There, we share technical solutions with customers to help the SOC maximize Microsoft Threat Intelligence in Defender TI for a wide range of common incident response and threat hunting scenarios. In this blog post, we'll explore how to access GitHub and run several custom scenarios that can easily enhance your security processes through powerful enrichment and automation that boost efficiency and understanding of threats. Read the full blog post: Unleash the Power of Threat Intel: Introducing the MDTI GitHub - Microsoft Community Hub

New blog post | What's New: Defender TI Intel Reporting Dashboard and Workbook
Strategic threat intelligence involves gathering and analyzing information to identify potential threats to an organization's security. This proactive approach helps companies anticipate and mitigate potential security risks. Reporting plays a crucial role in strategic threat intelligence by providing insights and data-driven recommendations to decision-makers. Threat intelligence reports are designed to deliver accurate and actionable information, enabling organizations to take appropriate measures to protect against potential threats. What's New: Defender TI Intel Reporting Dashboard and Workbook - Microsoft Community Hub

New Blog | Introducing MDTI Free Experience for Microsoft Defender XDR
Today, we are thrilled to announce that we are unleashing the power of threat intelligence to all Microsoft Defender XDR tenants. Starting at Microsoft Ignite, all Defender XDR users will see Microsoft Defender Threat Intelligence (MDTI) in the threat intelligence blade of Defender XDR. This free experience, which is a limited version of MDTI, enables security professionals of all levels to review recent threat research from Microsoft security experts and open-source (OSINT) feeds, search for and pivot between Indicators of Compromise (IoCs) to augment your investigations, and gain actionable threat context by reviewing Microsoft-curated profiles on known threat actors and tools – all within the Microsoft Defender XDR portal. Read the full blog here: Introducing MDTI Free Experience for Microsoft Defender XDR

New Blog Post | What's New at Microsoft Secure 2024
At Microsoft Secure, we are excited to announce several new innovations from the Microsoft Defender Threat Intelligence (MDTI) team. These updates enable our customers to access valuable, high-fidelity threat intelligence where, when, and how they need it: To optimize MDTI content for customers, we have enhanced the look and feel of vulnerability profiles and are releasing the full corpus of Microsoft’s intel profiles to the MDTI standard version. We are keeping pace with Copilot for Security as it evolves, launching a new side card experience in the threat intelligence blade of Defender XDR. We have also introduced new MDTI skills and promptbooks for Copilot that deliver more of Microsoft's world-class threat intelligence to the SOC at machine speed. Finally, as we continue to build a more comprehensive threat intelligence experience across Microsoft Defender XDR, we’re proud to announce that MDTI content is now available via the global search function. Read more about what's rolling out at Microsoft Secure 2024 below:

New MDTI skills and workbooks for Copilot for Security

MDTI is making more threat intelligence available via new Copilot for Security skills and workbooks to help customers understand the full scope of attacks, anticipate the next steps of an ongoing campaign, and drive an optimal security plan for their organizations at machine speed and scale. These include:

Correlate MDTI data with Defender XDR information: These out-of-the-box prompt books correlate MDTI data with other critical security information from Defender XDR such as incidents and hunting activities to help a user understand the broader scope of an attack.

Correlate MDTI Content with Threat Analytics (TA) content: When prompted, this skill reasons over threat intelligence content from MDTI and Threat Analytics, and provides a summary of the two, e.g., "Tell me everything Microsoft knows about [this threat actor]."
Obtain current reputation TI for file hashes, URLs, Domains, and IPs: This skill shows the full information for hashes and URLs, including MDTI and SONAR data.

See https://aka.ms/SecurityCommunity to learn more about how MDTI enables Copilot to deliver threat intelligence at machine speed. Read the full post here: What's New at Microsoft Secure 2024 - Tech Community

New Blog | How MDTI Helps Power Security Copilot
Today's cybersecurity challenges mandate that security teams invest more in high-quality threat intelligence to understand the mechanics of sophisticated attacks led by cybercriminals, nation-state actors, and others. With the introduction of Microsoft Security Copilot, security professionals can use Generative AI to quickly understand the full scope of attacks, anticipate the next steps of an ongoing campaign, and drive an optimal security plan for their organizations - all amid the intense, challenging time during an attack. This blog post will delve into Security Copilot, focusing on the strategic utilization of Microsoft Defender Threat Intelligence (MDTI), a comprehensive threat intelligence product designed to enhance triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows. It will explore how this integral part of Copilot can be effectively harnessed to facilitate comprehensive understanding, investigation, and maneuvering through threat intelligence. Read the full blog here: How MDTI Helps Power Security Copilot - Microsoft Community Hub

New Blog | Unified MDTI APIs in Microsoft Graph Now GA
We’re thrilled to share that the unified APIs that are part of the Microsoft Graph are now generally available! These APIs come with a single endpoint, permissions, auth model, and access token. The Microsoft Defender Threat Intelligence (Defender TI) API for Incidents, Alerts, and Hunting allows organizations to query Defender TI data to operationalize intelligence gleaned from threat actors, tools, and vulnerabilities. Security teams can enrich their understanding of entities inside security incidents, automate triage efforts, and integrate with a broad ecosystem of security tools, including Microsoft Sentinel. Read the full blog post here: Unified MDTI APIs in Microsoft Graph Now GA - Microsoft Community Hub

New Blog Post | MDTI Ninja Training has been updated!
We recently updated our Microsoft Defender Threat Intelligence (MDTI) Ninja Training series! Come check out our new modules, which include information on MDTI's Intel Profiles, Hash and URL Search Intelligence, Microsoft Graph API, GitHub Repository, Intel Reporting Dashboard/Workbook, Microsoft Sentinel Playbooks, MDTI's integration with M365D, integrated use cases with MDC, and information on MDTI's self-guided PoC! MDTI Ninja Training: https://aka.ms/BecomeAnMDTINinja Our Ninja Certificate Knowledge Check has also been updated to incorporate questions associated with our new content! Find links to our MDTI Ninja Certificate Knowledge Check and Attestation in the MDTI Ninja Training link above.

New Blog | What's New at Microsoft Ignite 2023
The Microsoft Defender Threat Intelligence team (MDTI) continuously introduces innovations that make its strategic, tactical, and operational threat intelligence - built from 65 trillion signals and over 10,000 multidisciplinary experts - easier to access, ingest, and act upon. Today, we are excited to announce several new features that enhance Microsoft's comprehensive security offering and AI-powered security with crucial context around threat actors, vulnerabilities, and the tools and systems they use to attack and exploit organizations. Read the full update here: What's New at Microsoft Ignite 2023 - Microsoft Community Hub
Recent Blogs
- In today’s rapidly evolving threat landscape, organizations need threat intelligence (TI) that is woven seamlessly into every step of their security operations, delivered exactly when and where it ma... (Jul 22, 2025)
- As cyber threats rapidly evolve, security teams are overwhelmed by the sheer volume of threat intelligence, making it challenging to deliver timely, targeted briefings. That’s why we’re introducing t... (Mar 24, 2025)