30 Nov Microsoft Defender Threat Intelligence (MDTI)
Microsoft Defender Threat Intelligence (MDTI) is a threat hunting and investigation solution that provides context on cyber threats, IOCs, threat actors, and related infrastructure through raw data sets and finished threat intelligence (TI), helping to accelerate investigations. It delivers finished intelligence with actionable IOCs authored by Microsoft researchers, along with the ability to query hosts, domains, and IPs to identify adversary infrastructure and enrich alerts. MDTI also integrates with Microsoft Sentinel to correlate malicious IOCs with internal telemetry from logs. For context, MDTI is built on RiskIQ, which Microsoft acquired in 2021.
You can also start with the landing page, which offers an overview of the key features and links to the documentation: Microsoft Defender Threat Intelligence | Microsoft Security.
If you have been working with Microsoft Security products in the last few years, you will have noticed that Microsoft has been investing heavily in the security space, including threat intelligence. I have been writing a series of blog posts explaining how you can integrate some TIPs (Threat Intelligence Platforms) into your Azure/Microsoft environment; you can access the series here.
With the inclusion of RiskIQ in Microsoft's security portfolio, Microsoft adds an "outside-in" perspective: a view beyond the firewall. With this outside-in context, we can build a broader and more complete picture of a cyber-attack.
How does MDTI work?
MDTI uses a proprietary network of crawlers (virtual users) that simulate human web interactions and capture the full composition of internet assets, without requiring an agent, together with sensors that scan the entire Internet daily looking for adversaries and their infrastructure. It collects, analyzes, and indexes internet data to help security teams detect and respond to threats, prioritize incidents, and proactively identify adversary infrastructure associated with actor groups that could target your organization. Microsoft performs 2 billion HTTP requests per day to crawl web and mobile pages across the Internet. Check this link to learn more about the web crawl process.
It also leverages infrastructure chaining: analyzing the relationships between highly connected datasets to build out an investigation. This means it can correlate an indicator with other interconnected assets through a mapped connection, such as an IP, domain, certificate, and more. For example, a host pair can reveal shared connections between websites and enable you to see where your resources are being used, and vice versa.
As a result, you will have the following datasets available in the platform:
- Host pairs
- Reverse DNS
You can find more information, and the accompanying images, at this link: How Internet Telemetry Data Becomes Threat Intelligence (microsoft.com).
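To make the infrastructure-chaining idea concrete, here is an added example (not MDTI's own code or API) that pivots breadth-first from a seed indicator across constructed host-pair, passive DNS, reverse DNS and certificate datasets, with a hop limit so the pivot does not sprawl. All dataset contents, hostnames, IPs and the certificate hash are constructed placeholders.

```python
# Added illustration of infrastructure chaining, not MDTI's own code.
# All datasets and indicators below are constructed placeholders.
from collections import deque
RESOLUTIONS = {  # passive DNS: host -> IPs it resolved to
    "login-example.test": {"203.0.113.10"},
    "cdn-example.test": {"203.0.113.10"},
    "shop-example.test": {"198.51.100.7"},
}
REVERSE_DNS = {  # IP -> hostnames seen resolving to it
    "203.0.113.10": {"login-example.test", "cdn-example.test"},
    "198.51.100.7": {"shop-example.test"},
}
HOST_PAIRS = [  # (parent, child, cause) observed by the crawler
    ("login-example.test", "tracker-example.test", "script.src"),
    ("news-example.test", "tracker-example.test", "iframe.src"),
]
CERTIFICATES = {  # TLS cert SHA-1 (placeholder) -> hosts serving it
    "aa" * 20: {"cdn-example.test", "other-example.test"},
}

def neighbours(node):
    """Yield (related_indicator, dataset) for every dataset linking to node."""
    for ip in RESOLUTIONS.get(node, ()):
        yield ip, "resolutions"
    for host in REVERSE_DNS.get(node, ()):
        yield host, "reverse_dns"
    for parent, child, cause in HOST_PAIRS:
        if node in (parent, child):
            yield (child if node == parent else parent), f"host_pair:{cause}"
    for sha1, hosts in CERTIFICATES.items():
        if node == sha1:
            yield from ((h, "certificate") for h in hosts)
        elif node in hosts:
            yield sha1, "certificate"

def chain(seed, max_hops=2):
    """Breadth-first pivot from seed. Returns {indicator: (hops, datasets_used)}."""
    seen = {seed: (0, ())}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        hops, path = seen[node]
        if hops == max_hops:  # depth cap keeps the pivot from sprawling
            continue
        for nxt, dataset in neighbours(node):
            if nxt not in seen:
                seen[nxt] = (hops + 1, path + (dataset,))
                queue.append(nxt)
    return seen
```

Each result records how many hops away an indicator is and which datasets were traversed to reach it, which is the audit trail an analyst needs before treating a chained asset as related.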
Who can benefit from MDTI?
Typical users are:
- Security Operations
- Incident Response
- Threat Hunting
- Cyber Threat Intelligence Analysis
- Cybersecurity Research
MDTI Use Cases
Below are some of the use cases you can implement with MDTI:
- Identify Existing Threat Intelligence
- Data Enrichment
- Infrastructure Chaining
- Monitoring Internet Infrastructure Changes
- Collaborating on Investigations using Projects
- Integration with Microsoft Sentinel
MDTI Portal and trial
First, if you want to try MDTI, you need an Azure Active Directory or personal Microsoft account, and you can spin up a 30-day trial.
To learn how to do this, follow the instructions in the following link:
After the trial is created, you can access the portal using the address – https://ti.defender.microsoft.com.
Below, you can see the home page:
The good news is that MDTI has its own L400 Ninja Training, which is the best resource to learn more about the product.