Today, we are thrilled to announce that we are unleashing the power of threat intelligence to all Microsoft Defender XDR tenants. Starting at Microsoft Ignite, all Defender XDR users will see Microsoft Defender Threat Intelligence (MDTI) in the threat intelligence blade of Defender XDR. This free experience, which is a limited version of MDTI, enables security professionals of all levels to review recent threat research from Microsoft security experts and open-source (OSINT) feeds, search for and pivot between Indicators of Compromise (IoCs) to augment investigations, and gain actionable threat context by reviewing Microsoft-curated profiles on known threat actors and tools – all within the Microsoft Defender XDR portal.
Augment your Defender and Sentinel investigations using IoC search
Incidents and alerts turn up many potential IoCs, including IP addresses, domains, file hashes, and more - often without context. Incident responders can use the Intel Explorer search within the MDTI free version to surface critical information related to these IoCs, helping to quickly isolate the most important investigations and correlate seemingly unrelated infrastructure.
MDTI’s data sets, built off daily scans and analysis of the entire internet, offer the context incident responders need to determine who is attacking them, how severe the threat might be, and what infrastructure is related to an IoC. Free users receive access to current WHOIS data for all IP addresses and domains as well as Services data for all IPs, helping responders to evaluate the maliciousness of an IoC based on values such as the WHOIS organization and registrar or evidence of a self-signed certificate. We also provide all Subdomains data as well as the last 14 days of Resolutions, Certificates, Trackers, Components, DNS, and Reverse DNS data to provide an up-to-date picture of what infrastructure currently is, and recently was, related to an IoC.
For more information on how to effectively search in MDTI as well as a complete list of what artifact types are supported, review our “Searching and Pivoting” Microsoft Learn documentation. Learn more about the raw data sets we provide for these artifacts in this blog.
Remain informed and optimally focused with daily threat research
We compile trusted vulnerabilities and threat research from a variety of sources into one feed so your team can stay informed on the latest potential threats to your organization. Our Intel Explorer “Recent articles” feed contains open-source intelligence from government organizations, nonprofit research institutions, and leading security providers, providing a critical stream from which cyber threat intelligence analysts and CISOs can discover the latest threat intelligence research, providing insights into new adversaries, tactics, techniques, and procedures (TTPs), CVEs, and heuristics to implement into their security controls. Many of these articles also contain public indicators of compromise, which cyber threat intelligence analysts and threat hunters can use to determine whether these IoCs or any related infrastructure are present within their network.
We also display select Microsoft threat research articles in the Intel Explorer “Featured” section, providing detailed information on the activities of tracked threat actors as well as detection or remediation techniques.
Understand your organization’s threat landscape with intel profiles
As the defender of four of the world’s largest public clouds, Microsoft’s team of more than 10,000 dedicated security researchers and engineers is responsible for making sense of more than 65 trillion security signals per day. These experts convert many of our most valuable findings into Intel Profiles, which offer a near-real-time view of what Microsoft knows about various threat actors and their TTPs.
For the first time, we are releasing over a dozen intel profiles to all Microsoft Defender users, accessible through the Intel Profiles tab, to harden your organization’s network to proactively defend against some of the world’s most advanced and persistent adversaries. Review these profiles to better understand the threat landscape and uncover the TTPs of the threat actor groups which may be targeting your industry or geolocation.
Proactively protect your brand and assets using MDTI
Security teams can remain ahead of vulnerabilities in their infrastructure and thwart phishing and typosquatting attacks by proactively searching for your web assets in the MDTI free version. On the Intel Explorer page, search for your domains to find unwanted resolutions on the “Resolutions” tab, or use the “Services” tab while investigating your organization’s IP addresses to discover unwanted open ports and vulnerable components. You also can pivot off Certificates, Trackers, or Components while searching your domains to find similar domains which scraped your web assets, perhaps with the intent to deceive and harm your customers. Each of these functions can provide critical intelligence to protect your brand and customers, alike.
Additional features
- Search for any CVE-ID within “Intel Explorer” to see a description of the vulnerability, links to known exploits, and a list of affected components
- Save indicators to Projects during searches or within the “Intel Projects” tab to organize and monitor adversary infrastructure
Upgrade to do even more
Fully licensed MDTI users can access the entirety of the data, intelligence, and other content that help them understand the full extent of a threat, take proactive defensive actions, and inoculate their organization from malicious infrastructure. Users can create unique, organization-specific intel via the same internet data sets that today's leading threat researchers use to track and uncover external threats. They can also develop a robust intel-led defense strategy with a rich content library of activity snapshots, Intel Profiles, threat research articles, and more - all continuously enriched with IOCs and updated with new findings.
With the MDTI API, customers can tap into powerful integrations, such as Microsoft Sentinel, to provide outside-the-firewall context to internal security incidents and help the SOC punch above its weight by responding to threats at scale.
For access to these Premium features and more, contact sales to request a free trial or explore licensing options.
Next steps
Whether you are just kick-starting a threat intelligence program or looking to augment your existing threat intelligence toolset, the MDTI free version can add critical context to your existing security investigations, keep your organization informed on current threats through leading research and intel profiles, provide crucial brand intelligence, and help you to collect powerful threat intelligence associated with your organization or others in your industry. To learn more about how you and your organization can leverage MDTI, watch our overview video and follow our “Become an MDTI Ninja” training path today.
Also, find out about other MDTI innovations launching at Microsoft Ignite.
