New at Secure: MDTI in Defender XDR Global Search
Published Mar 13 2024 09:01 AM
Microsoft

On the heels of introducing Microsoft Defender Threat Intelligence (MDTI) premium and standard editions into the Microsoft Defender XDR portal, we are thrilled to introduce an even greater integrated threat intelligence experience by making results for MDTI content available within Defender XDR’s global search bar.

 

Users will notice that they can now use the top-level Defender XDR search to discover results from MDTI on indicators of compromise (IOCs), common vulnerabilities and exposures (CVEs), articles, threat actors and more. From anywhere in the portal, customers can now readily find MDTI raw intelligence (IPs, domains, hashes, and URLs) as well as finished intelligence in the form of articles, intel profiles, and CVEs, alongside their other Defender XDR content, when conducting searches, helping to accelerate investigations with critical threat intelligence context.

 

Results from MDTI and Threat Analytics will appear within the “Intel Explorer” list in the results page:

 

MDTI results are now available under the “Intel Explorer” tab when searching via Defender XDR’s global search bar. You may search and see results for indicators such as IP addresses or file hashes, intel profiles, CVEs, threat articles and more.

 

Searching for indicators of compromise (IoCs)

 

Search for any IOC, including IP addresses, domains, URLs, and file hashes within the global search bar to see all associated information from MDTI. This includes the indicator's reputation score (under “Description”), last active date (under “Created/last seen time”), tags from Analyst Insights, related articles, and related intel profiles. Click into the indicator to visit the IoC’s page in the MDTI interface (under the Threat Intelligence tab) to discover more information and pivot to related artifacts.

 

Searching for indicators of compromise quickly returns critical context such as the reputation score, the last active date, and Analyst Insights, as well as related articles and intel profiles.

 

Searching for files

 

Customers can search for file names or file hashes of interest, taken from Defender incidents or elsewhere, to discover whether they are mentioned in MDTI intel profiles or articles. This information can quickly help SOC analysts determine the severity of an incident and provide critical context about their adversaries, informing the next steps: combating and protecting against the threat, hunting for threat actor exposure, and addressing adversarial persistence within their environment. Conversely, search for file names or file hashes of interest from MDTI to discover their prevalence in your organization via the “Files” tab. You can also do this with more parameters via Advanced Hunting.
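The Advanced Hunting route mentioned above, as an added example that is not code from the original post: a KQL query that takes file hashes and network indicators copied from an MDTI article or intel profile and reports how many devices in the organization have seen them over the last 30 days. The indicator values are constructed placeholders (RFC 5737 documentation addresses and a reserved example domain), and the query assumes the standard `DeviceFileEvents` and `DeviceNetworkEvents` Advanced Hunting tables.

```kql
// Added example (not from the original post): check the prevalence of file hashes
// and network indicators taken from an MDTI article or intel profile across the
// organization with Advanced Hunting. The indicator values below are constructed
// placeholders; replace them with the indicators from the MDTI result.
let SuspectSha256 = dynamic([
    "REPLACE_WITH_SHA256_FROM_MDTI_ARTICLE_1",
    "REPLACE_WITH_SHA256_FROM_MDTI_ARTICLE_2"
]);
let SuspectRemoteIPs = dynamic(["192.0.2.10", "198.51.100.25"]);   // RFC 5737 documentation addresses, constructed
let SuspectDomains = dynamic(["malicious.example"]);              // constructed placeholder domain
let Lookback = 30d;
// File prevalence: which devices have seen the hashes, how often, and under which names
let FileHits = DeviceFileEvents
    | where Timestamp > ago(Lookback)
    | where SHA256 in~ (SuspectSha256)
    | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
                DeviceCount = dcount(DeviceId), Devices = make_set(DeviceName, 20),
                FileNames = make_set(FileName, 20), EventCount = count()
      by Indicator = SHA256
    | extend IndicatorType = "SHA256";
// Network prevalence: outbound connections to the listed IPs or domains,
// with the initiating process name kept for triage
let NetworkHits = DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where RemoteIP in (SuspectRemoteIPs)
        or RemoteUrl has_any (SuspectDomains)
    | extend Indicator = iff(RemoteIP in (SuspectRemoteIPs), RemoteIP, RemoteUrl)
    | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
                DeviceCount = dcount(DeviceId), Devices = make_set(DeviceName, 20),
                FileNames = make_set(InitiatingProcessFileName, 20), EventCount = count()
      by Indicator
    | extend IndicatorType = iff(Indicator in (SuspectRemoteIPs), "IP", "Domain");
// One table for the whole indicator set, most widespread indicators first
union FileHits, NetworkHits
| project IndicatorType, Indicator, DeviceCount, EventCount, FirstSeen, LastSeen, Devices, FileNames
| order by DeviceCount desc
```

An empty result means none of the indicators were observed in the lookback window; a single indicator on many devices usually points at a legitimate shared file or service rather than an intrusion, so compare `FileNames` and `Devices` against the context in the MDTI article before escalating.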

 

Searching for CVEs

 

Search directly for a CVE-ID to see all MDTI results which include the given vulnerability. This includes any Vulnerability Profiles pertaining to the CVE; our open-source information on the CVE; threat actor profiles for groups who are actively exploiting the CVE; and any other intel profiles or articles containing a mention of the vulnerability. Visit the “Vulnerabilities” tab to see results from Microsoft Defender Vulnerability Management (MDVM) and evaluate the impact of the CVE on your organization. 
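The impact evaluation described above can also be scripted in Advanced Hunting. The following KQL query is an added example and not code from the original post; it assumes the Microsoft Defender Vulnerability Management tables `DeviceTvmSoftwareVulnerabilities` and `DeviceTvmSoftwareVulnerabilitiesKB`, and the CVE identifier is a constructed placeholder to be replaced with the one found in MDTI.

```kql
// Added example (not from the original post): after finding a CVE in MDTI,
// measure the organization's exposure to it with Advanced Hunting over the
// Microsoft Defender Vulnerability Management tables. The CVE identifier is
// a constructed placeholder; substitute the one returned by the search.
let TargetCve = "CVE-0000-00000";   // placeholder, not a real CVE
// Knowledge-base context for the CVE: CVSS score and whether public exploit code is known
let KbInfo = DeviceTvmSoftwareVulnerabilitiesKB
    | where CveId =~ TargetCve
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate;
// Exposed devices grouped by the affected product and version, so that the
// remediation can be planned per software build rather than per machine
DeviceTvmSoftwareVulnerabilities
| where CveId =~ TargetCve
| summarize ExposedDevices = dcount(DeviceId),
            SampleDevices = make_set(DeviceName, 10),
            Severity = take_any(VulnerabilitySeverityLevel),
            Fix = take_any(RecommendedSecurityUpdate)
  by CveId, SoftwareVendor, SoftwareName, SoftwareVersion, OSPlatform
| join kind=leftouter KbInfo on CveId
| project CveId, CvssScore, IsExploitAvailable, PublishedDate,
          SoftwareVendor, SoftwareName, SoftwareVersion, OSPlatform,
          ExposedDevices, SampleDevices, Severity, Fix
| order by ExposedDevices desc
```

Rows with `IsExploitAvailable == true` and a high `ExposedDevices` count are the ones to prioritise; the `Fix` column carries the security update MDVM recommends for that product version.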

 

Learn more about our recent efforts to improve discovery of information on CVEs within MDTI.

 

Searching for detections from other Microsoft Defender products

 

Search for Microsoft Defender Antivirus detection names (behavioral, threat, or otherwise) such as “Backdoor:Win32/CobaltStrike”; malware families such as “WhisperGate”; or Microsoft Defender for Endpoint alerts such as “Suspicious WMI process creation” to find articles or intel profiles that mention the detections. This can help Threat Intelligence analysts perform threat actor attribution and identify appropriate next steps to stifle a threat, such as building detection or analytic rules for the threat actor’s TTPs and proactively blocking that adversary’s infrastructure from their network.

 

Searching for articles, intel profiles, keywords, and more

 

Search for article titles; threat actor and tool names or aliases from other security providers; MITRE ATT&CK techniques; keywords such as “DLL sideloading”, “universities”, or “Iran”; command names and more via global search to discover the breadth of content available in MDTI on any topic of interest.

 

We want to hear from you!

 

Learn more about what else is rolling out at Microsoft Secure 2024, and be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about MDTI and learn how to access the MDTI standard version at no cost. 

Version history
Last update:
‎Mar 13 2024 09:25 AM