What's New: Hash and URL Search Intelligence
Published Apr 17 2023 12:27 PM
Microsoft

Microsoft Defender Threat Intelligence (Defender TI) now includes File Hash and URL Search capabilities, enabling researchers, analysts, hunters, and security responders to search for high-quality threat intelligence, including verdicts and associated metadata. This feature empowers security professionals to effectively utilize threat intelligence in their threat-hunting and investigation activities.

 

Defender TI leverages Microsoft's threat intelligence through static and dynamic analysis of files and URLs within and outside its ecosystem, providing comprehensive coverage of potential threats. Static analysis examines a file's code without executing it, while dynamic analysis executes it in a controlled environment to observe its behavior. This dual approach lets Defender TI identify and categorize potential threats through static analysis and detect and analyze actual behavior through dynamic analysis. Users can search any hash or URL using the search bar circled below:

 

[Screenshot: the Defender TI search bar]

 

In the case of a Hash search, the Hash value would be entered into the search bar:

 

[Screenshot: a hash value entered in the search bar]

 

If there is any Intelligence on that Hash value, the information returned should look something like this:

 

[Screenshot: search results for the hash]

 

In the case of a URL search, the URL would be entered into the search bar:

 

[Screenshot: a URL entered in the search bar]

 

If there is any Intelligence on that URL, the information returned should look like this:

 

[Screenshot: search results for the URL]

 

 

Take note of the intelligence retrieved from the search. The Summary tab displays the reputation score and basic information for the file hash or URL entities, while the Data tab provides detailed insights directly from MDTI. For instance, the returned result may show that the hash has a malicious reputation score, with a list of triggered rules contributing to the score.

 

This provides a straightforward way to obtain insights about the file hash or URL and any associated links to intelligence articles where the file hash or URL has been listed as an Indicator of Compromise. With this information, security professionals can better understand potential threats and take appropriate action to protect their organization.

 

In summary, Hash and URL Intelligence in Defender TI, built on static and dynamic analysis, has been a top customer-requested feature. It enables SOC analysts, threat hunters, and other information security professionals to obtain detailed intelligence on specific hashes or URLs identified within their network. This capability empowers security teams to improve their operations and processes effectively.

 

By leveraging Defender TI's extensive threat intelligence capabilities, organizations can better comprehend potential threats and respond promptly to mitigate risks, enhancing their overall security posture. Microsoft's continued commitment to providing customers with the necessary tools and resources to protect against cyber threats is exemplified through this valuable addition to Defender TI. 

 

Questions?

 

We hope you found this blog helpful in understanding the value Defender TI can provide. If you have inquiries regarding threat intelligence use cases mentioned or not mentioned in this blog and are not currently working with a Defender TI Technical Specialist or Global Black Belt, please email discussMDTI@microsoft.com.

 

Feedback?

 

We would love to hear your ideas to improve our Defender TI platform or where our threat intelligence could be used elsewhere across the Microsoft Security ecosystem or other security third-party applications. Feel free to email discussMDTI@microsoft.com to share that feedback as well. If you are currently working with a Defender TI Technical Specialist or Global Black Belt through this PoC, please communicate your requested use cases and product feedback to them directly.

 

Learn About New Defender TI Features

 

Please join our Cloud Security Private Community if you're not a member and follow our Defender TI Private & Public Preview events in our MS Defender TI channel. You will not have access to this Teams channel until you are a Cloud Security Private Community member. Users who would like to help influence the direction and strategy of our Defender TI product are encouraged to sign up for our Private Preview events. Those participating will earn credit for respective Microsoft product badges delivered by Credly.

 

Work With Our Sales Team

 

If you want to work with an MDTI Technical Specialist or Global Black Belt, please get in touch with our Sales team by filling out this form.

 

We want to hear from you! 

 

Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how Defender TI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about Defender TI and try it today.

 

Resources

 

What is Microsoft Defender Threat Intelligence (Defender TI)? | Microsoft Learn

Microsoft Defender Threat Intelligence Blog - Microsoft Community Hub

Become a Microsoft Defender Threat Intelligence Ninja: The complete level 400 training

 

 

Last update: Nov 06 2023 01:48 PM