Microsoft Defender Threat Intelligence (MDTI) helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows, aggregating and enriching critical threat information in an easy-to-use interface. At Microsoft Secure, we announced new features, including that MDTI is now available to licensed customers within the Microsoft 365 Defender (M365 Defender) portal, placing its powerful threat intelligence side-by-side with the advanced XDR functionality of M365 Defender.
For Defender users, MDTI will now be quickly accessible and easy to reference for swift context about threat actors and their tools and to launch advanced investigations into external threat infrastructure. Licensed users will see the following:
Figure: Microsoft Defender Threat Intelligence is now available to licensed customers within the Microsoft 365 Defender portal
Users will note that the experience in the MDTI standalone portal differs slightly from what they see in M365 Defender. Namely, they will not see the ability to apply custom tags or the project capabilities. Below, I will outline the main features that MDTI users will see in M365 Defender.
In the new navigation menu of the Defender portal, users will see a Threat intelligence blade. Once selected, it presents three key options: Threat analytics, Intel profiles, and Intel Explorer (the MDTI homepage).
Figure: New Threat Intelligence Navigation
This section contains a list of approved Threat Actors and Tools identified and tracked by Microsoft. Security professionals can use Microsoft's Intel Profiles, indicators, and other associated markers to automate the defense of their organizations and track potentially malicious activity targeting their organization or industry. Intel profiles consist of two subgroups, Threat Profiles (including tracked dev-groups) and Tool profiles.
Figure: Intel profiles on M365 Defender
Defenders can use the new Intel Explorer tab to read articles on new security topics or to research open-source intelligence:
Figure: The New Intel explorer Tab for MDTI on M365 Defender
Microsoft Defender Threat Intelligence (MDTI) now includes File Hash and URL Search capabilities, enabling researchers, analysts, hunters, and security responders to search for high-quality threat intelligence, including verdicts and associated metadata. This feature empowers security professionals to effectively utilize threat intelligence in their threat-hunting and investigation activities.
MDTI leverages Microsoft's threat intelligence through static and dynamic analysis of files and URLs within and outside its ecosystem, providing comprehensive coverage of potential threats. Static analysis examines the file's code without executing it, while dynamic analysis executes it in a controlled environment to observe its behavior. This dual approach enables MDTI to identify and categorize potential threats using static analysis techniques and to detect and analyze actual behavior using dynamic analysis techniques. Users can search any hash or URL using the search bar on the Intel Explorer tab in M365 Defender.
Figure: Detonation intelligence for Full URL and result
Figure: Detonation intelligence for File Hash and result
Note: "Please be aware that the current search capability is limited to public TI and does not include threats that are custom to specific tenants only. However, we have a roadmap in progress to address this by implementing correlations and providing detailed results on threats custom to specific tenants when a searched entity (file hash or a full URL) is only associated with that tenant"
The following are practical threat-hunting and investigation use cases for defenders using MDTI within M365D.
Use Case: Advanced hunting with MDTI IOCs against the logs and Events within Microsoft 365 Defender
To demonstrate this scenario, we will compare identified IOCs from MDTI, specifically the Host Pairs data set related to the widely recognized Phish kit named "Franken-phish" (Franken-phish: TodayZoo built from other phishing kits), and map this information to an advanced hunting query within M365 Defender. This approach can be replicated using IOCs from articles or Intel Profiles of threat actors and their associated tools. We have provided sample queries to aid in your hunting process, which can be found here:
In regard to the following use case, we shall proceed with 3 phases of action:
1. Identify the Dancevida Phish kit Host Pairs and Resolution information and download the IOC.
Proceed to the Intel Explorer blade and search for 'Dancevida.com'. After the results appear, navigate to the Host Pairs tab and download the Host Pair information, which will generate a CSV file.
Figure: Downloading Dancevida.com host pair information
2. Upload the IOC to a storage account or a public GitHub repository
The exported MDTI CSV file must be uploaded to an Azure storage container for which a SAS URL token has been generated. The SAS token grants access only for a specific time period, so the advanced hunting queries must be run within that window. Once the SAS URL is available, the exported MDTI data can be referenced from the advanced hunting feature within M365 Defender.
Figure: Uploaded Dancevida.com Host pairs Csv to Azure storage to generate SAS token
3. Using KQL Externaldata operator as correlation source and proactive hunting and enabling custom detection on M365 Defender (The following Query can be found in the MDTI GitHub here)
We have four Kusto queries created for you to use as examples.
Kusto queries link: MDTI-Solutions/M365 Advance hunting queries at master · Azure/MDTI-Solutions (github.com)
DTI email based events: E-mails with URL embedded.
DTI device based events: Search for device click events (BrowserLaunchedToOpenUrl, SmartScreenUrlWarning, ExploitGuardNetworkProtectionBlocked, Mark of the Web, Mark of the Web Referrer) and DNS queries.
DTI DNS queries from domain controller: DNS queries.
DTI device based events for resolutions: Search for device click events (BrowserLaunchedToOpenUrl, SmartScreenUrlWarning, ExploitGuardNetworkProtectionBlocked, Mark of the Web, Mark of the Web Referrer) and DNS queries.
Users will need to modify these queries with the columns in the exported CSV file. Host Pairs was exported, but if you export any other data set, the column header will be different.
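To show how the three phases fit together, here is an added advanced hunting query for the correlation described above. It is an illustration written for this post and is not one of the queries in the MDTI-Solutions repository. It assumes the Host Pairs CSV was uploaded to Azure Blob Storage with a read-only SAS URL (the storage account, container and token below are placeholders), and it assumes the CSV header columns are named ParentHostname, ChildHostname, FirstSeen, LastSeen and Cause; as noted above, these names must be changed to match the exported file.

```kusto
// Added example for this post (not from the MDTI-Solutions repository).
// Assumption: the Host Pairs CSV exported from Intel Explorer is reachable via a
// read-only SAS URL; the storage account, container and token are placeholders.
// Assumption: the CSV header columns are ParentHostname, ChildHostname,
// FirstSeen, LastSeen and Cause. Rename them to match the exported file.
let HostPairs = externaldata(ParentHostname:string, ChildHostname:string,
                             FirstSeen:datetime, LastSeen:datetime, Cause:string)
    [ h@"https://<STORAGE_ACCOUNT>.blob.core.windows.net/<CONTAINER>/dancevida-hostpairs.csv?<SAS_TOKEN>" ]
    with (format="csv", ignoreFirstRecord=true);
// Both sides of a host pair are indicators: normalise them to lower-case hostnames.
let IocDomains = union
    (HostPairs | project Domain = tolower(trim(@"\s", ChildHostname))),
    (HostPairs | project Domain = tolower(trim(@"\s", ParentHostname)))
    | where isnotempty(Domain)
    | distinct Domain;
// Hostname extractor that copes with both full URLs and bare "host:port" values.
let hostOf = (u:string) {
    tolower(iff(u contains "://",
                tostring(parse_url(u).Host),
                tostring(split(tostring(split(u, "/")[0]), ":")[0])))
};
let Lookback = 30d;
// Device-side click and block events; the hostname is parsed out of RemoteUrl.
let DeviceHits = DeviceEvents
    | where Timestamp > ago(Lookback)
    | where ActionType in ("BrowserLaunchedToOpenUrl", "SmartScreenUrlWarning",
                           "ExploitGuardNetworkProtectionBlocked")
    | where isnotempty(RemoteUrl)
    | extend Domain = hostOf(RemoteUrl)
    | join kind=inner (IocDomains) on Domain
    | project Timestamp, ReportId, DeviceId, DeviceName, ActionType,
              Url = RemoteUrl, Domain, Source = "DeviceEvents";
// Mail-side: URLs embedded in delivered messages, enriched with sender/recipient.
let MailHits = EmailUrlInfo
    | where Timestamp > ago(Lookback)
    | extend Domain = tolower(UrlDomain)
    | join kind=inner (IocDomains) on Domain
    | join kind=inner (EmailEvents
                       | project NetworkMessageId, SenderFromAddress,
                                 RecipientEmailAddress, Subject) on NetworkMessageId
    | project Timestamp, ReportId, NetworkMessageId, SenderFromAddress,
              RecipientEmailAddress, Subject, Url, Domain, Source = "EmailUrlInfo";
union DeviceHits, MailHits
| order by Timestamp desc
```

The query keeps the Timestamp and ReportId columns together with DeviceId or RecipientEmailAddress on every row, which is what M365 Defender requires when the same query is saved as a custom detection rule. Because the SAS token expires, a custom detection built on this query will stop returning results once the token is no longer valid, so regenerate the token or host the CSV somewhere with a longer-lived URL before scheduling the rule.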
Figure: Advanced Hunting against M365 Defender events and alerts with DanceVida Host Pair information
Once we executed the hunting query on M365 Defender, we noticed a correlation between the events data sourced from a device managed by M365 Defender and the exported Dancevida host pair information.
Use Case: M365 Defender Raw Event Detection
To demonstrate this use case, it is necessary to ingest M365 Defender raw events into Microsoft Sentinel through the M365 Defender Data connector. Furthermore, the user must also import Threat indicators from MDTI by utilizing the new MDTI Sentinel Data Connector. Following this, the user needs to execute TI correlation rules, which will compare the raw event tables of M365 Defender. Upon detecting a correlation, an incident will be generated in Microsoft Sentinel, which will incorporate the M365 Defender events and alerts. Let us go through these steps one by one:
1. M365D Raw events flow into Sentinel with the M365 Defender Data connector:
2. MDTI Feeds flow into Sentinel with MDTI Data connector:
3. Manual TI correlation rule
On the Analytics page in Microsoft Sentinel, use the rule "TI map entity to a network session event" to map the M365 Defender raw events to the threat intelligence indicator table. Create and enable the rule:
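For readers who prefer to see the shape of such a correlation rule rather than only the built-in template, the following is an added example written for this post; it is not the text of the built-in "TI map" rule and not code from the MDTI connector. It assumes the MDTI connector populates the Sentinel ThreatIntelligenceIndicator table and the M365 Defender connector populates DeviceNetworkEvents, and that entity mapping (host and URL) is configured in the rule wizard rather than in the query.

```kusto
// Added example for this post: a scheduled analytics rule query that maps MDTI
// domain indicators onto M365 Defender network events ingested into Sentinel.
// Assumptions: ThreatIntelligenceIndicator is fed by the MDTI data connector and
// DeviceNetworkEvents by the M365 Defender data connector.
let dt_lookBack = 1h;    // window of raw events examined on each run of the rule
let ioc_lookBack = 14d;  // how far back to read indicator records
// Latest version of each active, unexpired domain indicator.
let Indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where ExpirationDateTime > now() and Active == true
    | where isnotempty(DomainName)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | extend Domain = tolower(DomainName);
// RemoteUrl may be a full URL or a bare "host:port" value; normalise to a hostname.
let hostOf = (u:string) {
    tolower(iff(u contains "://",
                tostring(parse_url(u).Host),
                tostring(split(tostring(split(u, "/")[0]), ":")[0])))
};
DeviceNetworkEvents
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(RemoteUrl)
| extend Domain = hostOf(RemoteUrl)
| join kind=inner (Indicators) on Domain
| project TimeGenerated, DeviceName, DeviceId, RemoteUrl, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessAccountName,
          IndicatorId, Description, ThreatType, ConfidenceScore, Domain
// Columns used for entity mapping in the rule wizard (Host -> DeviceName, URL -> RemoteUrl).
| extend HostCustomEntity = DeviceName, URLCustomEntity = RemoteUrl
```

Taking the latest record per IndicatorId matters because the connector writes a new row every time an indicator is updated; without the arg_max step an indicator that was later deactivated could still produce incidents. Schedule the rule to run at the same interval as dt_lookBack so that no event window is skipped or double-counted.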
Figure: TI mapping rule for M365 Events and Incident created in sentinel.
For any support-related issues regarding Microsoft Defender for Intelligence, please access this portal and select Security -> Microsoft Defender for Intelligence.
Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about MDTI.