So, you are ready to use Defender Threat Intelligence to uncover threat actors at scale and enhance your security operations. Defender Threat Intelligence can help identify and eliminate modern threats and their infrastructure with dynamic threat intelligence by applying the following capabilities:
- Identify attackers and their tools.
- Accelerate detection, incident response, investigations, and remediation.
- Enhance your security tools and workflows.
To effectively determine the benefits of adopting Defender Threat Intelligence, you should perform a Proof of Concept (PoC). Before enabling Defender Threat Intelligence, you and your team should go through a planning process to determine a series of tasks that must be accomplished in this PoC.
Below, I’ll highlight the planning phases you and your team should undertake.
Planning for the POC
Persona identification
- Security Operations Teams
- Incident Response Teams
- Threat Hunting Teams
- Cyber Threat Intelligence Teams
- Cybersecurity Research Teams
Requirements
Based on the scope, you can start determining the requirements for this PoC:
- Determining the quality of Internet telemetry
- Fidelity of indicators found in MDTI articles.
- Integrated use cases (SIEM ~ Microsoft Sentinel)
- Ability to collaborate on investigations using Microsoft Defender Threat Intelligence (MDTI)
- Tracking threat actors and their tooling
Prerequisites
- An Entra or personal Microsoft account. Login or create an account.
- Note: If you have a personal Microsoft account (e.g. email address with hotmail.com domain), you will want to create an Entra tenant to begin an MDTI Premium trial.
- If you login to MDTI using your Microsoft personal account, you will login with Microsoft Standard edition access, limiting your experience throughout the PoC to measure the value of our platform.
- A Microsoft Defender Threat Intelligence Premium license.
Set up a free MDTI Premium Trial
- Please reference our “Getting Started with MDTI” blog for details regarding setting up your MDTI Premium trial.
Accessing the MDTI Platform
- Standalone experience:
- Login to MDTI: https://aka.ms/DefenderTI
- M365D MDTI Features:
- Navigate to the "Threat Intelligence" blade in your M365 tenant and access "Intel profiles" or "Intel explorer": https://aka.ms/MDTINowInM365DBlog
Measuring Success
How to measure success is important to establish before starting your PoC because this will help you set the right expectations to gauge whether your PoC was a success or not.
Preparation
The next “Implementation and Technical Validation” section closely follows our Microsoft Defender Threat Intelligence (MDTI) Ninja Training series. If you aren’t familiar with Defender Threat Intelligence or our legacy RiskIQ PassiveTotal or Illuminate solutions, it is highly encouraged to take the Defender Threat Intelligence Ninja Training and perform the exercises laid out in modules 3 and 6. At the end, if you receive an 80% or higher, you can take the and request a certificate. This is not an official Microsoft certificate. However, it will recognize your efforts in completing the MDTI Ninja Training.
Implementation and Technical Validation
Scenario 1: Identification of existing Threat Intelligence and Data Enrichment
Identify if an artifact (IP, domain, or host) exists in any threat intelligence articles, what the reputation score for the artifact is and why, what information analyst insights are present, and detailed internet telemetry data about this artifact when referencing the Data tab.
- Actions
- View articles: on the homepage to access our research on the latest threats and their known indicators.
- Search for an artifact: Easily search and pivot across our variety of internet datasets to quickly fuel your investigation. Spend more time investigating and less time gathering internet telemetry data to begin your investigation.
- Resources:
- How Internet Telemetry Data Becomes Threat Intelligence
- Using Reputation and Analyst Insights Features For Quick Indicator Assessments
- Microsoft Defender Threat Intelligence (MDTI) Reputation Scoring | Microsoft Learn
- Microsoft Defender Threat Intelligence (MDTI) Analyst Insights | Microsoft Learn
- Microsoft Defender Threat Intelligence (MDTI) Data Sets | Microsoft Learn
- Searching & pivoting with Microsoft Defender Threat Intelligence (MDTI) | Microsoft Learn
- Sorting, filtering, and downloading data using Microsoft Defender Threat Intelligence (MDTI) | Micro...
- Using Tags in Microsoft Defender Threat Intelligence (MDTI) | Microsoft Learn
- Get to Know the Datasets and How to Use Them During Investigations (microsoft.com)
- Understanding and Using Finished Threat Intelligence
- Tutorial: Gathering vulnerability intelligence | Microsoft Learn
- Tutorial: Gathering Threat Intelligence and Infrastructure Chaining using Microsoft Defender Threat ...
Scenario 2: Infrastructure Chaining
Infrastructure chaining is a method by which previously unknown relationships between indicators are brought to the surface. The illustration below shows how starting with one artifact—in this case, a malware sample—leads to identifying more entities that could serve as investigative leads for incident response or threat hunting.
Figure: Infrastructure chaining concept
- Actions
- Search an indicator (IP address, domain, or host) in MDTI and use the Data tab to identify related indicators of compromise related to the investigation.
- Note:
- Please reference the resources above to familiarize yourself with how our internet datasets can be used, the questions they can answer during investigations, and sample investigations you can perform before searching your own IoC.
- Resources
- How Microsoft Defender Threat Intelligence Enables Threat Hunting Success
- Exploring Target User Functions and Use Cases
- Microsoft Defender Threat Intelligence Infrastructure Chaining Introductory Video
- Infrastructure Chaining with Microsoft Defender Threat Intelligence - Microsoft Community Hub
- Defender Threat Intelligence | Defender for Cloud in the Field #23 - YouTube
- Note:
- Search an indicator (IP address, domain, or host) in MDTI and use the Data tab to identify related indicators of compromise related to the investigation.
Scenario 3: Collaborate on an investigation using a Project.
Since analysts usually work in collaboration, sharing work is paramount to ensuring people are not duplicating efforts and that there is a record of actions taken for a given case. Defender Threat Intelligence Projects are a lightweight case-management feature that enables analysts to work together when collecting indicators of compromise related to an investigation. This could be in response to an incident or proactively fingerprinting an actor’s infrastructure targeting their industry or organization.
- Actions
- Create a project.
- Add artifacts and collaborators to a project.
- Modify artifacts in a project.
- Note: You will only be able to add collaborators to a project if they are also Premium TI users in the same tenant you are assigned.
- Resources
Figure: Creating a Project in MDTI and adding an artifact to the project
Scenario 4: Integrated Use Case Scenarios (Detections with Microsoft Sentinel)
Microsoft Sentinel users can use Defender Threat Intelligence indicators to generate detections within Microsoft Sentinel. You can see how to integrate with Microsoft Sentinel and identify detections here: MDTI Detections in Microsoft Sentinel. The key element to ensure this scenario for a PoC is ideal is to have enabled a Sentinel Log Analytics workspace with existing log types (CEF, DNS & Syslog) and the Microsoft Threat Intelligence analytics rule.
- Actions
- Create Microsoft Sentinel resource and Log Analytics workspace (if not already enabled)
- Ingest CEF, DNS, and/or Sys logs in Log Analytics workspace (if these log sources and logs are not already enabled/present)
- Enable Microsoft Threat Intelligence Analytics rule.
- Review ‘Threat Intelligence’ blade with Source: “Microsoft Threat Intelligence Analytics” filter applied. Identify new MDTI TI detected against your logs as new detections arise.
- Review ‘Incidents’ blade for new “Microsoft Threat Intelligence Analytics” incidents.
- Review the incident’s entities and how the incident was triggered. For example, did the indicator exist in an MDTI intel article? What information and related indicators of compromise can you identify by opening the article in MDTI? What additional context can you gather from searching the IP or host entity in MDTI? Review the summary and data tabs for these entities and artifacts you pivot on to unpack related indicators of compromise.
Figure: actions for Microsoft Sentinel and MDTI (IOC and Incident View)
Scenarios to evaluate when integrating with Sentinel.
- Automated enhanced detections in Microsoft Sentinel from a Defender Threat Intelligence article
- Analytic rules: use the inbuilt analytic rule and TI Mapping rules.
- Researching an article from enhanced detection in Microsoft Sentinel
- Importing your own threat intelligence into the Threat intelligence blade on Microsoft Sentinel using the Microsoft Sentinel Data connector
- Threat Hunting example based on Identified Intelligence
- Using the MDTI Sentinel Playbooks : What's New: MDTI Microsoft Sentinel Playbooks - Microsoft Community Hub
Resources
- MDTI Detections in Microsoft Sentinel
- If you're setting up a Microsoft Sentinel trial for this PoC and need existing Logs, you can leverage the following ingestion sample data as a service solution New ingestion-SampleData-as-a-service solution, for a great Demos and simulation - Microsoft Communi.... You can create sample data mirroring IOC found within Defender Threat Intelligence (articles etc.)
Scenario 5: Detonation Intelligence (File Hash and URL Search)
File Hash and URL Search in MDTI will enable researchers, analysts, hunters, and security responders to search for high-quality threat intelligence (verdict and associated metadata) for and use this TI in their threat hunting and investigation activities. This capability will leverage the threat intelligence that Microsoft produces through static and dynamic analysis of and URLs in and outside its ecosystem. This capability has been missing in MDTI, and it’s one of the top customers requested features.
Common Use-Cases & Scenarios:
1. As an MDTI user, when I encounter a suspicious file I want to search the file hash to MDTI to obtain meaningful TI about this file, so that I can use it in my research analysis and hunting activities.
2. As an MDTI user, when I encounter a suspicious URL I want to search the URL to MDTI to obtain meaningful TI about this URL, so that I can use it in my research analysis and hunting activities.
Actions
1. Detonation TI on URL search
As an MDTI user, I can search by the full associated URL of a suspicious URL/domain, in order to obtain relevant Threat Intelligence (TI) that can be used in my research analysis and hunting activities.
- Identify the Full URL you want to investigate, take the URL and place it on the Search bar on the MDTI Workbench
figure URL added on the Search bar for the MDTI Workbench
- Click search icon , and the URL should detonate providing the results in relation to the URL
Figure: detonation analysis results (Detonation screen shots, Reputation scoring, original URL, Last Seen)
2. Detonation TI on File Hash search
As an MDTI user, I can search by the file hash of a suspicious file, in order to obtain relevant Threat Intelligence (TI) that can be used in my research analysis and hunting activities.
- Identify the File Hash you want to investigate, take the Hash and place it on the Search bar on the MDTI Workbench
figure File Hash added on the Search bar for the MDTI Workbench
- Click search icon , and the File Hash should detonate providing the results in relation to the URL
Figure: detonation analysis results (File hash, Reputation, Score, Last Seen, Detonation analysis, Detonation screenshot, File name)
Resources
What's New: Hash and URL Search Intelligence - Microsoft Community Hub
Scenario 6: Leveraging MDTI Intel Profiles
Intel Profiles are active finished intelligence on threats facing you and your organization. Profiles are updated daily when new information has been discovered. Intel Profiles are broken into two different sections, Threat actors and Tools. These specialties allow organization understanding of the threat actors on the internet, their observed targets, methods of attack, along with the infrastructure and tooling they have been observed to be utilizing.
Common Use-Cases & Scenarios for Intel Profiles
| MDTI users: | Security Operations Center (SOC): | Cyber threat intelligence (CTI) analysts: | Threat hunters: |
| - Identify intel profiles by searching an artifact or keyword |
- Triage events raised within their security tooling - Enriching these events with TI context, including the threat actor - Saves SOC analyst's time - Helps them evaluate the response(s) and increase their understanding of the threat(s) |
- Allows for synthesize adversary intelligence which can bypass it along to their hunting counterparts |
- Search for threat activity within their ecosystems using behaviors and IoCs to guide their analyses - Have a catalog of threat actors allows threat hunters to better understand the threat landscape - Allow for prioritize which actors their team should focus on most. - Detailed information of threat actor gives threat hunters starting points to conduct a proactive investigation. |
Action
- Listing the Threat actors within the Intel profiles
- Narrowing down to a specific Threat actor
- Narrowing down to specific tooling
Resources
Self-Reflection
Identify how the MDTI offering provided value to your organization’s overall business during the PoC.
- Has your organization been able to better prioritize incidents and alerts to focus on the most severe threats?
- Have you identified related indicators of compromise or finished threat intelligence when proactively approaching an investigation or responding to an incident?
- Have you been able to use these related indicators of compromise or finished threat intelligence to build new detection rules to better equip your organization’s defenses moving forward?
- Have you been able to hunt for these indicators in your SIEM logs or EDR? Did you find that these indicators were found elsewhere in your network?
- After the new detection rules were enabled, did any new alerts or incidents emerge because of building out those detection rules?
- How did building stronger defenses and being able to respond to threats have an impact more readily on your organization’s bottom line or reputation by better protecting your employees, suppliers, and/or customers? Were you able to:
- Detect an active threat (such as ransomware or cyber espionage) that would have previously gone unnoticed without using Defender Threat Intelligence?
- Identify a threat against your own infrastructure that would have resulted in a client-side attack against your suppliers or customers?
- Better prioritize incidents and spend less time collecting data before beginning an investigation?
Questions?
We hope you found this blog helpful in understanding the value Defender Threat Intelligence (MDTI) can provide. If you have inquiries regarding threat intelligence use cases mentioned or not mentioned in this blog and are not currently working with a Defender Threat Intelligence Technical Specialist or Global Black Belt, please email mdti-pm@microsoft.com.
Feedback?
We would love to hear any ideas you may have to improve our MDTI platform or where our threat intelligence could be used elsewhere across the Microsoft Security ecosystem or other security 3rd party applications. Feel free to email mdti-pm@microsoft.com to share that feedback as well. If you are currently working with an MDTI Technical Specialist or Global Black Belt through this PoC, please communicate your requested use cases and/or product feedback to him/her directly.
Interested in learning about new MDTI features?
Please join our Cloud Security Private Community if you’re not a member and follow our MDTI Private & Public Preview events in our MS Defender Threat Intelligence channel. You will not have access to this Teams channel until you are a Cloud Security Private Community member. Users that would like to help influence the direction/strategy of our MDTI product are encouraged to sign-up for our Private Preview events. Those participating will earn credit towards respective Microsoft product badges delivered by Credly.
Want to work with our Sales team?
If you are interested in working with an MDTI Technical Specialist or Global Black Belt, please contact our Sales team by filling out this form.