Welcome to Microsoft Ninja training! This blog post will walk you through Microsoft Defender Threat Intelligence (MDTI) level 400 training and help you become an MDTI master.
This program is comprised of fourteen training modules that will enable users to get to know and get the most out of their MDTI instance. Throughout this training, you'll get familiar with MDTI, how it collects and analyzes threat intelligence, and how to use it to unmask adversaries and their tools and infrastructure. Once complete, you'll be ready to leverage the advanced intelligence in MDTI to up-level your threat hunting and incident response.
The modules listed below are split into five groups:
Part 1: Overview
Part 2: Data Collection, Threat Analysis, and MDTI's Feature Overview
Part 3: Capitalizing on MDTI's Microsoft Graph API, Github Repository & Solutions
Part 4: Integrated Use Cases
Part 5: Using MDTI for Cyber Threat Investigations
Module 14: Understanding & Utilizing Finished Threat Intelligence
The Ninja training is a level 400 training. If you don't want to go as deep or have a great feature request to share, other resources might be more suitable:
Take the knowledge check and find out. If you pass the knowledge check with a score of over 80%, you can request a certificate to prove your ninja skills!
Disclaimer: This is not an official Microsoft certification and only acts as a way of recognizing your participation in this training content.
MDTI is an analyst workbench aggregating many intelligence data sources in a way that is searchable and pivotable. Data sources include both raw data ingested via a worldwide collection engine as well as finished intelligence in the form of articles. The workbench allows for correlating data and aggregating identified attributes or entities by grouping them into projects or assigning tags, which can be shared within an organization. The intent of the platform is to enable organizations to derive insights, which will be utilized to defend themselves against threat actors in cyberspace (read more).
MDTI aids the following target user functions:
Common tactical use cases include:
For more information regarding MDTI's target user functions and use cases, see "Microsoft Defender Threat Intelligence's Target User Functions and Use Cases."
If you want to get an initial overview of threat intelligence and why it's so critical to prevent and respond to threats, check out John Lambert's Microsoft Tech Talk, "Demystifying Threat Intelligence." If you already have a foundational understanding of threat intelligence and would like to learn about our MDTI product's technical capabilities, the Microsoft Security Public Community webinars, "Microsoft Defender Threat Intelligence Overview" and "What's New in Microsoft Defender Threat Intelligence" are good starting points. You might also find the "What is Microsoft Defender Threat Intelligence (MDTI)?" article useful.
Lastly, want to try it yourself? Please work with your Microsoft Commercial Executive or select "Contact Sales" on this page to inquire about starting your MDTI Premium trial. Follow this PoC guide to effectively measure the value of our MDTI product. If your organization is not ready to trial the MDTI Premium experience, you can also register for Microsoft Standard (formerly known as Community) edition access with your Microsoft authentication when accessing our MDTI portal. Microsoft Standard access presents users with limited datasets and data history as well as limited access to articles (read more).
While the previous section provides an overview of our MDTI platform, the use cases it supports, and how to get started, this section provides thorough information regarding MDTI's data collection processes, threat analysis, and features. It also provides dataset investigative examples to provide more information regarding the value MDTI's datasets can bring to analysts.
It is oftentimes difficult to make a determination as to whether a security alert identified truly malicious activity without the ability to conduct additional research into the entities associated with the alert. Entities could include IP addresses, domain names, host names, URLs, file names or hashes, and more. Analysts will have to turn to outside sources in order to gather needed context on these entities to properly triage the activity that has been identified.
MDTI is built on top of well over a decade's worth of collection against Internet datasets. The technologies in place enable the collection, processing, and storage of data at a scale unmatched by most in the industry. Improvements to the ability to search across and pivot through datasets occur on an ongoing basis, in conjunction with improving the ability for analysts to collaborate across research and investigations. This module will provide an overview of the primary methods by which Internet data is collected.
MDTI collects internet telemetry data via its' Passive DNS sensor network, web crawling with virtual users, global proxy network, internet scanning, and select 3rd parties. As a result, the following datasets are available in the MDTI platform:
For more information, see "How Does Microsoft Defender Threat Intelligence Collect Internet Telemetry Data?". Note: As mentioned previously in Module 1, MDTI Standard users will have access to limited datasets and the history of those datasets (read more).
By collecting these internet datasets, MDTI leverages an ML algorithm to produce real-time reputation scores for IP addresses, domains, and hosts. In addition, analysts can gain more context into these IP addresses, domains, and hosts by leveraging MDTI's Analyst Insights feature (read more).
Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying adversaries' infrastructure associated with actor groups targeting their organization. We learned how MDTI provides raw and finished threat intelligence in Module 2. The focus of this module is to dive into the raw intelligence, in the form of internet datasets, MDTI includes.
MDTI's internet data is categorized into two distinct groups: core and derived. Core datasets include Resolutions, Whois, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services. Derived datasets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies datasets are collected by observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details. To learn more and practice working with MDTI's datasets, see "Microsoft Defender Threat Intelligence's Datasets and How to Use Them During Investigations."
The Microsoft Defender Threat Intelligence (MDTI) platform allows users to develop private personal or team project types for organizing indicators of interest and indicators of compromise from an investigation (read more).
The MDTI and M365D Portal utilize Intel Profiles to classify threat actors based on location, targeted industries, and operational methods. These profiles encompass all known Indicators of Compromise (IoCs) related to their infrastructure and tactics, techniques, and procedures (TTPs), which are updated daily. In addition, Intel Profiles track the tools utilized in attacks, such as CobaltStrike. Organizations can proactively prevent potential threats from interacting with their resources by identifying the source of the malicious infrastructure, including domains and IP addresses.
Intel Profiles are divided into two categories: Threat actors and Tools. These categories provide organizations with a comprehensive understanding of threat actors on the internet, including their targets, attack methods, infrastructure, tooling, and backdoors. Unlike static lists or feeds produced by other Threat Intel firms, Intel Profiles are continually updated with the latest threat intelligence to ensure that organizations have the most current and accurate information to inform their security decisions.
MDTI enables organizations to detect adversary-threat infrastructures on any scale, from a single threat actor to thousands, allowing them to respond quickly and effectively to potential threats. Intel within MDTI provides detailed information about threat actor groups, including their aliases, targets, CVEs they typically exploit, their TTPs, and IoCs (read more).
Microsoft has expanded the capabilities of its Defender Threat Intelligence (MDTI) by including File Hash and URL Search features. These capabilities allow security professionals such as researchers, analysts, hunters, and responders to search for high-quality threat intelligence, including verdicts and associated metadata. With this new feature, security professionals can effectively utilize threat intelligence in their threat-hunting and investigation activities.
MDTI harnesses the power of Microsoft's threat intelligence through static and dynamic analysis of files and URLs, both within and outside its ecosystem. This comprehensive approach provides a wide range of coverage to identify potential threats. Static analysis examines the file's code without executing it, while dynamic analysis involves executing it in a controlled environment to observe its behavior. This dual approach enables MDTI to categorize potential threats using static analysis techniques and analyze their behavior using dynamic analysis techniques.
By incorporating File Hash and URL Search capabilities into MDTI, security professionals can quickly and efficiently search for high-quality threat intelligence related to files and URLs. This information can be used to identify and prioritize potential threats and help inform security decisions. With Microsoft's powerful threat intelligence capabilities and comprehensive approach to analyzing potential threats, security professionals can have confidence in the accuracy and relevance of the threat intelligence provided by MDTI (read more).
While the previous modules highlight the value MDTI can offer within its user interface, this module can empower analysts to address more unique use cases or develop solutions to automate or speed up their workflows leveraging the MDTI API or solutions provided in the MDTI-Solutions Github repository.
The Microsoft Defender Threat Intelligence (MDTI) API for Incidents, Alerts, and Hunting is a valuable tool that enables organizations to access MDTI data and utilize the intelligence gathered from threat actors, tools, and vulnerabilities. With the ability to query MDTI data, security teams can better understand entities within security incidents and improve their ability to identify and respond to potential threats.
By utilizing the MDTI API, security teams can enrich their understanding of entities inside security incidents, such as devices, IPs, URLs, and files, by cross-referencing them with threat intelligence. This helps teams quickly identify and prioritize incidents that may pose a risk to their organization. Additionally, automation of the triage process allows teams to focus their efforts on high-priority tasks, saving time and resources.
MDTI API integrates with a broad ecosystem of security tools, including Microsoft Sentinel, allowing security teams to maximize the effectiveness of their security stack. By connecting with these tools, teams can streamline their security operations and enhance their ability to detect and respond to potential threats.
In summary, the Microsoft Defender Threat Intelligence (MDTI) API for Incidents, Alerts, and Hunting is an essential tool that helps organizations to operationalize the intelligence gleaned from MDTI data. It provides a comprehensive understanding of entities within security incidents, automates triage efforts, and integrates with various security tools, ultimately improving an organization's overall security posture (read more).
The Microsoft Defender Threat Intelligence GitHub repository provides technical solutions for common scenarios, including advanced hunting queries, brand intelligence, and analyzing the latest threat trends. Access the MDTI-Solutions repository and run custom scenarios to unleash the power of threat intelligence and strengthen your security posture to protect against potential threats (read more).
Microsoft has launched a new dashboard that enhances its threat intelligence reporting capabilities, providing a user-friendly interface to access and analyze data. This dashboard enables organizations to make informed decisions to strengthen their security posture and protect against potential threats. It includes features such as Sentinel Incident View, Hostname Information, IP Information, MDTI Articles, Vulnerabilities Information, and Intel Profiles, allowing users to gain insight into the threat ecosystem and take proactive measures to mitigate risks (read more).
Now that we have a foundational understanding of MDTI's use cases, features, and raw and finished intelligence, let's learn how MDTI's threat intelligence and internet data can be used to drive more use cases with Microsoft Sentinel, Microsoft 365 Defender, and Microsoft Defender for Cloud.
As MDTI evolves, more integrated use cases will come to speed up security operations, incident response, threat hunting, and threat intelligence workflows. Be on the lookout for new content in this section as new integrated use cases present themselves natively across the Microsoft Security ecosystem or through configuration. In addition, if you have ideas for new integrated use cases, feel free to email firstname.lastname@example.org, add a comment in this blog, or join our Cloud Security Private Community and start a discussion in the MS Defender Threat Intelligence channel.
MDTI provides free threat intelligence indicators to Microsoft Sentinel customers. These indicators come from MDTI's malware and phishing indicator feeds as well as indicators from MDTI's articles. While users cannot export the indicators and ingest them into their TIP or SIEM, they can enable the "Microsoft Threat Intelligence Analytics" Analytic rule in Sentinel. This rule runs every hour and correlates these indicators against event logs stored in their Log Analytics workspace to generate more high-confidence detections. Once a detection happens, they will be able to view the associated entities (threat intelligence indicators from MDTI) in their Microsoft Sentinel Threat Intelligence blade (read more).
MDTI now offers new ways to boost interoperability and help the SOC respond to threats at scale with the introduction of its own Graph API and Microsoft Sentinel Playbooks. These playbooks enable defenders to tap into MDTI's raw and finished intelligence at scale to quickly boost their understanding of threats and automatically triage incidents to reduce their investigation time. The playbooks focus on automated triage, entity enrichment via MDTI’s component endpoint, and entity enrichment via MDTI’s reputation score endpoint. Installation and configuration of the playbooks requires an Azure AD client app with permissions to the MDTI API. Once deployed, they can be used within Microsoft Sentinel by creating an automation rule. Conversely, entity enrichment can be performed manually within Microsoft Sentinel by running these playbooks against specific incidents leveraging the ‘Run playbook on incident’ feature (read more).
For an overview of all MDTI integrated solutions with Microsoft Sentinel, please check out "Microsoft Defender Threat Intelligence and Sentinel integration - Microsoft Secure Tech Accelerator" and "Microsoft Defender for Threat intelligence integrations | Microsoft Sentinel in the Field #15".
MDTI helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows by aggregating and enriching critical threat information in an easy-to-use interface. Licensed customers can now access MDTI within the Microsoft 365 Defender (M365 Defender) portal, which includes features such as Threat Intelligence Navigation blade, Intel Profiles, Intel Explorer, and Detonation Intelligence for Hashes and URL Search. These features enable users to launch advanced investigations into external threat infrastructure, search for high-quality threat intelligence, and map M365 Defender raw events with Microsoft Sentinel’s Threat intelligence indicator table (read more).
Microsoft Defender for Cloud (MDC) and Microsoft Defender Threat Intelligence (MDTI) can be used together to provide organizations with the visibility and context needed to identify and mitigate modern threats, accelerate detection, incident response, and investigations, and enhance security tools and workflows. MDC provides proactive exploration capabilities with the Cloud Security Graph, while MDTI provides actionable content and critical indicators of compromise to help security professionals act quickly against threats. Together, these tools can help organizations protect their attack surface and reduce the risk of a breach (read more).
At this point, you've learned a great deal about how MDTI can be used within its user interface and how it can integrate with Microsoft Sentinel to generate more detections. These next modules will focus on how you can apply what you've learned from the previous modules by putting those teachings into practice.
Note: For those of you with MDTI Standard (formerly known as Community) access, your dataset, dataset history, and feature access will be limited compared to our MDTI Premium experience. As such, many of the exercises below in Module 14 may be difficult to execute without a MDTI Premium license. Module 1 covers how you can work with your team and Microsoft Commercial Executive to start a MDTI Premium Trial if you'd like to practice the following exercises and evaluate full access to our MDTI Premium solution. For a lightweight guide on how to effectively measure the value of our MDTI product, please reference our "Performing a Successful Proof of Concept (PoC)" MDTI blog.
Threat intelligence is the data that organizations need in order to map threats to the enterprise and enable the best possible decision-making related to risk. MDTI serves as a valuable source of attack surface threat intelligence on global, industry, and local threats, with content from hundreds of OSINT sources complementing original research shared from Microsoft's own Defender, MSTIC, and Section52 research groups. As an analyst working with threat intelligence, it's easy to become overwhelmed by the volume of data out there, but within the MDTI portal, the ability to quickly find data relevant to your needs is kept top of mind. For more information regarding MDTI's articles, vulnerability articles, and exercises to practice gathering raw intelligence, see "Understanding and Utilizing Finished Threat Intelligence with Microsoft Defender Threat Intelligence."
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.