Microsoft Defender Threat Intelligence (MDTI) is a complete threat intelligence platform that enables security professionals to ingest, analyze and act upon massive signal collected from across the internet, processed by security experts and machine learning. It allows users to uncover and understand their organization's external attack surface, including context around vulnerabilities and the tools and systems adversaries use to attack and exploit them.
Microsoft Defender Threat Intelligence Standard Edition (formerly known as Community) is a free, lightweight version of MDTI, offering the same industry-leading threat-hunting experience with limited access to MDTI's data sets. Users can expedite investigations by connecting internal activity, events, and incident indicators of compromise (IOCs) artifacts to external threats, attackers, and threat tooling.
Below is an overview of the Standard and Premium user experience. Organizations interested in purchasing Premium licenses may do so by getting in touch with their Microsoft Commercial Executive (read more). Any user with a Microsoft account (e.g., hotmail.com, onmicrosoft.com) can sign up for an MDTI Standard account. Users that sign into the MDTI platform, ti.defender.microsoft.com, will go through Microsoft's standard authentication process to log in.
| Feature Category |
Feature |
MDTI Standard (Free) |
* Comment |
MDTI Premium |
* Comment |
| Finished Intelligence |
Articles |
Yes - Limited |
Limited amount of articles are available. |
Yes |
|
| Public Indicators |
Yes |
|
Yes |
|
| Defender TI Indicators |
No |
|
Yes |
|
| Intel Profiles (Actors & Tools) |
Yes - Limited |
Limited amount of intel profiles are available. |
Yes |
|
| Ability to filter intel profiles by industry / vertical |
No |
|
Yes |
|
| Open-source CVEs database |
Yes |
|
Yes |
|
| CVE Priority Score |
Yes |
|
Yes |
|
| Vulnerability (CVE) Profiles |
No* |
Additional content on CVEs added by Microsoft's Cybersecurity Research & Intelligence team is only available with MDTI Premium. |
Yes |
|
| Raw Intelligence (Reputation, Analyst Insights, and Datasets) |
Reputation against IPs, hosts (domains, subdomains, etc.), URLs, and hashes |
No |
|
Yes |
|
| Analyst Insights |
Yes |
|
Yes |
|
| Resolutions (pDNS A records) |
Yes - 14 day history |
|
Yes |
|
| WHOIS |
Yes |
|
Yes |
|
| WHOIS History |
No |
|
Yes |
|
| Certificates |
Yes - 14 day history |
|
Yes |
|
| Subdomains |
Yes |
|
Yes |
|
| Trackers |
Yes - 14 day history |
|
Yes |
|
| Components |
Yes - 14 day history |
|
Yes |
|
| Host Pairs |
No |
|
Yes |
|
| Cookies |
No |
|
Yes* |
|
| |
|
|
|
|
| DNS |
Yes - 14 day history |
|
Yes |
|
| Reverse DNS |
Yes - 14 day history |
|
Yes |
|
| Detonation Intelligence |
Malware sample detonation (snapshot & analysis insights) |
No |
|
Yes |
|
| URL sample detonation (snapshot & analysis insights) |
No |
|
Yes |
|
| Projects (Investigative Case Management) |
Unlimited projects |
Yes* |
Private projects only |
Yes |
|
| Third-Party Integrations |
Silobreaker |
No* |
MDTI Standard does not offer MDTI API access. Therefore, third-party integrations will not be supported. |
Yes |
|
| First-Party Integrations |
Microsoft Defender for Endpoint / M365 |
Yes |
|
Yes |
|
| Microsoft Sentinel |
Yes* |
MDTI Standard users can enable the "Microsoft Defender Threat Intelligence data connector + TI map rules" or the "Microsoft Defender Threat Intelligence" analytic rule to generate more detections to their Microsoft Sentinel Threat Intelligence blade. |
Yes* |
MDTI Premium users can enable the "Microsoft Defender Threat Intelligence data connector + TI map rules" or the "Microsoft Defender Threat Intelligence" analytic rule to generate more detections to their Microsoft Sentinel Threat Intelligence blade. Microsoft Sentinel + MDTI Premium users can also take advantage of MDTI's playbooks for incident triage and enrichment and MDTI's workbook for visualizing and addressing threat intelligence related inquiries. Notebooks may also be deployed in Microsoft Sentinel for advanced threat hunting (searching against various TI sources / automated network hunting investigations). |
| Microsoft Security Copilot |
No |
|
Yes* |
Account will require a Security Copilot subscription to leverage the MDTI integration within Security Copilot. |
| API |
RESTful API associated with product features |
No |
|
Yes* |
MDTI Premium users can access the MDTI API as long as their organization procured that MDTI API SKU. |
MDTI Standard edition puts advanced Microsoft threat intelligence and investigation capabilities in the hands of defenders across the globe, free of charge. By registering, threat hunters and incident responders have instant access to actionable, integrated, and relevant intelligence derived from the trillions of signals collected by Microsoft to become active contributors to defending the internet for all.
Register for MDTI Standard for free today.
