Microsoft Defender Threat Intelligence (MDTI) helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows, aggregating and enriching critical threat information in an easy-to-use interface. At Microsoft Secure, we announced new features, including that MDTI is now available to licensed customers within the Microsoft 365 Defender (M365 Defender) portal, placing its powerful threat intelligence side-by-side with the advanced XDR functionality of M365 Defender.
For Defender users, MDTI will now be quickly accessible and easy to reference for swift context about threat actors and their tools and to launch advanced investigations into external threat infrastructure. Licensed users will see the following:
- Threat intelligence navigation blade tab: This new tab, along with threat analytics, has moved under threat intelligence navigation.
- Intel Profiles: These showcase everything Microsoft knows about threat actors. These include Indicators of Compromise (IOCs) and their tools, tactics, and procedures (TTPs).
- Intel Explorer tab: This new tab enables pivots on Internet data to launch advanced investigations across Microsoft's continuously updated map of the entire Internet.
- Detonation Intelligence for Hashes and URL Search: This provides a straightforward way to obtain insights about the file hash or URL and any associated links to intelligence articles where the file hash or URL has been listed as an Indicator of Compromise.
Figure: Microsoft Defender Threat intelligence is now available to license customers within the Microsoft Defender 365 portal
Users will note that the experience between the MDTI standalone portal will differ slightly from what they see in M365 Defender. Namely, they will not see the ability to apply custom tags or project capabilities. Below, I will outline the main features that MDTI users will see in M365 Defender.
New Threat Intelligence Navigation
Within the new Navigation Menu, users will get visibility of the Defender portal on the Threat intelligence blade. Once selected, they will be presented with the three key options: Threat analytics, Intel Profiles, and Intel Explorer (MDTI Homepage).
Figure: New Threat Intelligence Navigation
Intel profiles
This section contains a list of approved Threat Actors and Tools identified and tracked by Microsoft. Security professionals can use Microsoft's Intel Profiles, indicators, and other associated markers to automate the defense of their organizations and track potentially malicious activity targeting their organization or industry. Intel profiles consist of two subgroups, Threat Profiles (including tracked dev-groups) and Tool profiles.
Figure Intel profiles on M365 Defender
Intel Explorer tab
Defenders can use the new Intel Explorer tab to learn about new security topics in the form of articles or research open-source intelligence:
- Homepage: This is the beginning; think of it as your home base.
- Search: This is the gateway to the vast amount of Microsoft security data available, which you can turn into intelligence.
- Featured Articles: These are key research publications that we find relevant based on our intelligence expertise. They're often shown with an image.
- Articles: These ensure every customer has data to hunt across all verticals and topics.
Figure: The New Intel explorer Tab for MDTI on M365 Defender
Detonation Intelligence for Hashes and URL Search
Microsoft Defender Threat Intelligence (MDTI) now includes File Hash and URL Search capabilities, enabling researchers, analysts, hunters, and security responders to search for high-quality threat intelligence, including verdicts and associated metadata. This feature empowers security professionals to effectively utilize threat intelligence in their threat-hunting and investigation activities.
MDTI leverages Microsoft's threat intelligence through static and dynamic analysis of files and URLs within and outside its ecosystem, providing comprehensive coverage of potential threats. The static study examines the file's code without executing it, while dynamic analysis involves executing it in a controlled environment to observe its behavior. This dual approach enables MDTI to identify and categorize potential threats using static analysis techniques and detect and analyze actual behavior using dynamic analysis techniques. Users can search any hash or URL using the Search bar on the Intel Explorer on M365 Defender
Figure: Detonation intelligence for Full URL and result
Figure: Detonation intelligence for File Hash and result
Note: "Please be aware that the current search capability is limited to public TI and does not include threats that are custom to specific tenants only. However, we have a roadmap in progress to address this by implementing correlations and providing detailed results on threats custom to specific tenants when a searched entity (file hash or a full URL) is only associated with that tenant"
Use Cases
The following are practical threat-hunting and investigation use cases for defenders using MDTI within M365D.
Use Case: Advanced hunting with MDTI IOCs against the logs and Events within Microsoft 365 Defender
To demonstrate this scenario, we will compare identified IOCs from MDTI, specifically the Host Pairs data set related to the widely recognized Phish kit named "Franken-phish" (Franken-phish: TodayZoo built from other phishing kits), and map this information to an advanced hunting query within M365 Defender. This approach can be replicated using IOCs from articles or Intel Profiles of threat actors and their associated tools. We have provided sample queries to aid in your hunting process, which can be found here:
In regard to the following use case, we shall proceed with 3 phases of action:
1. Identify the Dancevida Phish kit Host Pairs and Resolution information and download the IOC.
Proceed to the Intel Explorer blade and type in, and search 'Dancevida.com.' After the results appear, navigate to the Host Pairs tab and download the Host Pair information, which will generate a CSV file.
Figure: Downloading Dancevida.com host pair information
2. Upload IOC to a storage account\public GitHub
The MDTI CSV file that has been exported must be uploaded to an Azure storage container that has a SAS URL token enabled. The SAS-generated access is only valid for a specific time period, which should be utilized for the advanced hunting process. After obtaining the URL access, the exported MDTI data can be utilized in the advanced hunting feature within M365 Defender.
Figure: Uploaded Dancevida.com Host pairs Csv to Azure storage to generate SAS token
3. Using KQL Externaldata operator as correlation source and proactive hunting and enabling custom detection on M365 Defender (The following Query can be found in the MDTI GitHub here)
We have four Kusto queries created for you to use as examples.
Kusto queries link: MDTI-Solutions/M365 Advance hunting queries at master · Azure/MDTI-Solutions (github.com)
|
DTI email based events: |
DTI device based events: |
DTI DNS queries from domain controller: |
DTI device based events for resolutions |
|
E-mails with URL embedded.
|
Search for device click events BrowserLaunchedToOpenUrl SmartScreenUrlWarning ExploitGuardNetworkProtectionBlocked Mark of the Web Referrer Mark of the Web DNS queries |
DNS queries
|
Search for device click events BrowserLaunchedToOpenUrl SmartScreenUrlWarning ExploitGuardNetworkProtectionBlocked Mark of the Web Referrer Mark of the Web DNS queries |
Users will need to modify these queries with the columns in the exported CSV file. Host Pairs was exported, but if you export any other data set, the column header will be different.
Figure: Advanced Hunting against M365 Defender events and alerts with DanceVida Host Pair information
Once we executed the hunting query on M365 Defender, we noticed a correlation between the events data sourced from a device managed by M365 Defender and the exported Dancevida host pair information.
Use Case: M365 Defender Raw Event Detection
To demonstrate this use case, it is necessary to ingest M365 Defender raw events into Microsoft Sentinel through the M365 Defender Data connector. Furthermore, the user must also import Threat indicators from MDTI by utilizing the new MDTI Sentinel Data Connector. Following this, the user needs to execute TI correlation rules, which will compare the raw event tables of M365 Defender. Upon detecting a correlation, an incident will be generated in Microsoft Sentinel, which will incorporate the M365 Defender events and alerts. Let us go through these steps one by one:
1. M365D Raw events flow into Sentinel with the M365 Defender Data connector:
2. MDTI Feeds flow into Sentinel with MDTI Data connector:
3. Manual TI correlation rule
On the Analytics page on Microsoft Sentinel, use the following rule "TI map entity to a network session event "to map the M365 Defender raw events with the Threat intelligence indicator table. Create and enable the rule:
Figure: TI mapping rule for M365 Events and Incident created in sentinel.
Sign Up for a Trial
- Please reference our “Getting Started with MDTI” blog for details regarding setting up your MDTI Premium trial.
MDTI Support
For any support-related issues regarding Microsoft Defender for Intelligence, please access this portal and select Security -> Microsoft Defender for Intelligence.
We Want to Hear from You!
Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about MDTI.