On June 30th, 2024, the Microsoft Defender Threat Intelligence (MDTI) standalone portal will reach end-of-life and the Microsoft Defender XDR portal will become MDTI’s exclusive home for both standard and premium users. In this blog, we’ll guide customers using the standalone portal that wish to continue using MDTI in Defender XDR through the simple migration process. We’ll also help customers, and their teams, prepare to take advantage of the benefits MDTI brings to Microsoft’s XDR, SIEM, and AI solutions.
What is happening to the MDTI standalone portal?
On June 30th, 2024, the MDTI standalone portal at ti.defender.microsoft.com will be decommissioned. However, all existing MDTI licenses will carry over to its permanent home in the Microsoft Defender XDR portal, where customers can seamlessly use the same features and content in in both premium and free capacities. Customers can also access MDTI content and data via natural language prompts by purchasing Copilot for Security.
How do I use MDTI within the Defender XDR portal?
Within Microsoft Defender XDR, users will see the familiar MDTI homepage under the “Threat Intelligence” blade in the left-hand navigation menu (pictured below).
- On the “Intel explorer” tab within Defender XDR (pictured above), you will find the same features and content from the standalone portal home page. This includes threat intelligence search, featured articles, and recent threat article streams.
- The content from the 'Profiles' page on the standalone portal is available on the “Intel Profiles” tab in Defender XDR.
- Users can create or access their team and individual projects from the “Intel Projects” tab and continue working on the same projects they created in the standalone portal simply by logging into Defender XDR with the same account.
Customers with an MDTI license may begin using the premium experience within Defender XDR immediately. Those without a license can continue using the standard version at no cost or explore MDTI licensing options to receive unlimited access to Microsoft’s award-winning threat intelligence.
If you do not have Defender XDR but want to continue using MDTI, explore licensing options or set up a trial environment.
Note: Please contact your tenant administrator if you believe you should have access to Defender XDR within your organization, but do not. The Microsoft Entra roles which grant access to Defender XDR can be found here.
What else can I do with MDTI within Defender XDR?
Since launching MDTI into the XDR portal early last year and opening the standard version to all Defender XDR customers at Microsoft Ignite in November, thousands of MDTI and Defender XDR customers have experienced the benefits of aligning the high-fidelity threat intelligence in MDTI with their investigation and response tools under a single pane of glass. MDTI complements other products and features in Defender XDR in a number of ways:
- Use Threat Analytics to prioritize threats and content related to ongoing campaigns and your organization’s top exposures.
- Find MDTI results from anywhere in the Defender portal using Defender XDR global search functionality (search bar at the top of the page in Defender XDR). MDTI results will appear under the “Intel Explorer” tab, alongside results from Microsoft Defender for Endpoint, Office, Identity, Cloud Apps, Vulnerability Management, and more, on other tabs.
- Enrich discovered artifacts (IP addresses, domains, hosts, URLs and more) from Microsoft Defender incidents and alerts with more information by searching in MDTI.
- In Advanced Hunting, use IOCs sourced from MDTI to hunt across logs and events in your environment (see “Use Cases” section in this blog).
MDTI also enhances Microsoft Defender for Cloud and Microsoft Sentinel to help deliver a unified threat intelligence experience for customers:
- In Microsoft Defender for Cloud, proactively discover vulnerable assets in Cloud Security Explorer using knowledge from MDTI content.
- In Microsoft Sentinel, improve your mean time to detect (MTTD) by:
- Enabling the MDTI data connector to ingest, monitor, alert and hunt based on MDTI’s IOCs.
- Configuring MDTI analytics rules to create alerts and incidents when your logs match our domain, IP and URL indicators.
- And installing our pre-built Microsoft Sentinel Playbooks to enrich incidents with reputation scores and other data from MDTI (users with MDTI API license only).
- Parlayed with Sentinel’s analytic or automation rules, incidents can be automatically enriched against these MDTI playbooks, which facilitate incident triage and provide context to those observed IP and host entities. This greatly improves your SOC’s mean time to respond (MTTR).
How do I use MDTI through Copilot for Security?
Microsoft Copilot for Security enables customers to access, operate on, and integrate Microsoft’s raw and finished threat intelligence via natural language. With Copilot for Security, users can leverage MDTI’s data sets and content anytime, anywhere within Defender XDR to provide additional context and aid in investigations:
MDTI powers Copilot for Security via a wide range of Threat Intelligence skills, enabling customers to quickly retrieve information on indicators including IP addresses and domains, and contextualize artifacts with content such as threat articles and intel profiles. Additionally, out-of-the-box promptbooks correlate MDTI content and data with other security information from Defender XDR, such as incidents and hunting activities, to help customers quickly understand the broader scope of an attack. These capabilities will be available within both the standalone and embedded Copilot for Security experiences.
Learn more about the MDTI skills available in Copilot here, and check back to this blog following Microsoft Secure next week to learn more about MDTI’s role in Copilot for Security.
New to MDTI? Here's where to start
If you are interested in learning more about MDTI and how it can help you unmask and neutralize modern adversaries and cyberthreats such as ransomware, and to explore the features and benefits of MDTI please visit the MDTI product web page. Also, be sure to contact our sales team to request a demo or a quote.
