Microsoft Defender Threat Intelligence Overview, Concepts, and Vocabulary
Published Oct 25 2022 12:06 PM

Overview

If you are wondering what Microsoft Defender Threat Intelligence (Defender TI) is and who should use it, you've come to the right place! Defender TI is an analyst workbench that aggregates many intelligence data sources in a way that is searchable and pivotable. Pivotable means that any attribute of one artifact (an IP address a domain resolved to, a name server, a WHOIS contact, a certificate) can be used as the starting point of a new search, and this ability to step from one piece of infrastructure to the next is what underpins Defender TI's Infrastructure Chaining concept. You'll learn about Infrastructure Chaining in the use cases section of this module. Data sources include both raw data ingested by a worldwide collection engine and finished intelligence in the form of articles. The workbench lets you correlate data and aggregate the attributes or entities you identify by grouping them into projects or assigning tags, which can be shared within an organization. The intent of the platform is to give organizations insights they can use to defend themselves against threat actors in cyberspace.

Microsoft Defender Threat Intelligence's technology comes from Microsoft's acquisition of RiskIQ, so former users of RiskIQ's PassiveTotal should feel right at home with Defender TI. Prior PassiveTotal experience is not a prerequisite for using the platform, however. Microsoft's resources, combined with feedback from the community (that means you!), are meant to deliver the best possible analyst experience. The following modules are a good place to start understanding how to incorporate Internet-derived data into your security operations workflows.

Figure 1 – Defender TI Home Page

Figure 2 – Why threat intelligence?

Figure 3 – Where does Microsoft's threat intelligence fit in your organization?

Figure 4 – Where does Microsoft's threat intelligence fit in your organization?

Concepts and Vocabulary

The following terms are used throughout this training and the platform. Take some time to familiarize yourself with them.

Community

A lightweight version of Defender TI that is free and available to all Microsoft users.

Premium

A subscription level that is accessible via a paid and licensed account. Includes access to all features and historical datasets.

Artifact/Entity

A unique data entity that represents identifiable Internet infrastructure, such as an IP address, domain, host, certificate, or file hash.

Dataset

Data collections curated by the Defender TI Research and Intelligence Teams, for example Resolutions (passive DNS), WHOIS, Certificates, Subdomains, Trackers, Components, and Host Pairs.

Article

Curated intelligence gathered from around the web (OSINT) or published by a Microsoft intelligence research team.

Indicator of Compromise (IOC)

An artifact (for example a malicious IP address, domain, or file hash) that points to a potential security threat if it is identified within your computing environment.

Project

An organized collection of artifacts that can be shared within an organization; some artifact types in a project will have monitoring and alerting capabilities.

Reputation

A score calculated by Defender TI to indicate the likelihood that the entity is associated with an elevated level of risk.

Analyst Insights

A feature that provides quick insights about an artifact that may help determine the next step in an investigation.
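The Overview describes Defender TI as pivotable and introduces Infrastructure Chaining, and the vocabulary above defines artifacts, projects, and tags. The following Python program, added here as an illustration and not taken from Defender TI or its API, models those ideas over a small constructed dataset: a seed artifact is pivoted through resolutions and WHOIS registrant data, every artifact reached is collected into a project with tags recording how it was reached, and artifacts shared by too many domains (a CDN address, a hosting provider's contact) are flagged rather than pivoted through, since chaining across shared infrastructure pulls in unrelated hosts. The domain names, the RFC 5737 documentation addresses, and the fan-out threshold are all hypothetical.

```python
"""Added example: toy artifact pivoting ("infrastructure chaining") over
constructed data. Not Defender TI code; it calls no Defender TI API, and the
datasets, indicators and fan-out threshold below are all hypothetical."""
from collections import defaultdict, deque

# Constructed sample data standing in for the Resolutions and WHOIS datasets.
RESOLUTIONS = {          # domain -> IPs it has resolved to
    "login-update.example": {"203.0.113.10"},
    "secure-mail.example":  {"203.0.113.10", "192.0.2.1"},
    "fresh-lure.example":   {"198.51.100.7"},
    "popular-site.example": {"192.0.2.1"},
    "another-site.example": {"192.0.2.1"},
    "yet-another.example":  {"192.0.2.1"},
}
WHOIS_EMAIL = {          # domain -> registrant e-mail
    "login-update.example": "actor@mail.example",
    "secure-mail.example":  "actor@mail.example",
    "fresh-lure.example":   "actor@mail.example",
    "popular-site.example": "host@big.example",
    "another-site.example": "host@big.example",
    "yet-another.example":  "host@big.example",
}
# An IP or e-mail shared by more than this many domains (shared hosting, a
# CDN, a registrar privacy contact) is a dead end for chaining: pivoting
# through it would drag in unrelated infrastructure. Threshold is assumed.
MAX_FANOUT = 3


def _invert(mapping):
    """Build ip -> {domains} or email -> {domains} from a forward dataset."""
    rev = defaultdict(set)
    for domain, values in mapping.items():
        for v in (values if isinstance(values, set) else {values}):
            rev[v].add(domain)
    return rev


IP_TO_DOMAINS = _invert(RESOLUTIONS)
EMAIL_TO_DOMAINS = _invert(WHOIS_EMAIL)


def pivots(artifact):
    """Return (neighbour, relation) pairs one pivot away from an artifact.
    Artifacts are (type, value) tuples such as ("domain", "x.example")."""
    kind, value = artifact
    if kind == "domain":
        out = [(("ip", ip), "resolves_to") for ip in sorted(RESOLUTIONS.get(value, ()))]
        if value in WHOIS_EMAIL:
            out.append((("email", WHOIS_EMAIL[value]), "registrant"))
        return out
    table = IP_TO_DOMAINS if kind == "ip" else EMAIL_TO_DOMAINS
    relation = "hosts" if kind == "ip" else "registered"
    return [(("domain", d), relation) for d in sorted(table.get(value, ()))]


def chain(seed, max_depth=2):
    """Breadth-first infrastructure chaining from a seed artifact.
    Returns a 'project': {artifact: set(tags)}. Tags record the depth at which
    an artifact was first reached, every relation that led to it, and whether
    it was flagged as shared infrastructure and therefore not pivoted through."""
    project = {seed: {"seed", "depth:0"}}
    queue = deque([(seed, 0)])
    while queue:
        artifact, depth = queue.popleft()
        if depth >= max_depth:
            continue
        neighbours = pivots(artifact)
        if artifact[0] != "domain" and len(neighbours) > MAX_FANOUT:
            project[artifact].add("shared-infrastructure")   # flag, do not pivot
            continue
        for neighbour, relation in neighbours:
            if neighbour not in project:
                project[neighbour] = {f"depth:{depth + 1}"}
                queue.append((neighbour, depth + 1))
            project[neighbour].add(relation)   # an artifact may be reached twice
    return project


def candidate_iocs(project):
    """Domains and IPs in the project that are reasonable to treat as IOCs:
    everything chained except artifacts flagged as shared infrastructure."""
    return sorted(value for (kind, value), tags in project.items()
                  if kind in ("domain", "ip") and "shared-infrastructure" not in tags)


if __name__ == "__main__":
    proj = chain(("domain", "secure-mail.example"))
    for art, tags in proj.items():
        print(f"{art[0]:6} {art[1]:24} {sorted(tags)}")
    print("candidate IOCs:", candidate_iocs(proj))
```

Starting from `secure-mail.example`, the chain reaches `login-update.example` through both the shared IP 203.0.113.10 and the common registrant address, and reaches `fresh-lure.example` through the registrant alone, while 192.0.2.1 is kept in the project but tagged `shared-infrastructure` so that the unrelated sites behind it are never pulled in. In the real product the same judgement is made by the analyst when deciding which pivot to follow; the point of the threshold here is that a pivot is only as good as the exclusivity of the attribute it rests on.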
