Microsoft Defender Threat Intelligence (MDTI), previously known as RiskIQ, brings threat intelligence data together from multiple sources. With Microsoft Defender Threat Intelligence (MDTI), customers have direct access to data and signals to hunt for threats across their environments. Defender TI relies heavily on AI and machine learning capabilities and is available in a free and a paid version.
Recently I published the blog: How works Microsoft Defender Threat Intelligence / Defender TI – and what is the difference between free and paid
If you are new to Microsoft Defender Threat Intelligence, it is recommended to read that blog first. This blog is focused on the integration with Microsoft Sentinel.
Blog information: Blog published: June 1, 2023. Blog updated: August 25, 2023.
Recap: What is Microsoft Defender Threat Intelligence?
Microsoft Defender Threat Intelligence can be used in multiple ways. It can act as a standalone product and offers the option of ingesting TI data into Microsoft Sentinel or Microsoft 365 Defender. Microsoft Defender Threat Intelligence is a threat intelligence (TI) solution that provides additional insights, context, and strategies about threat actors and adversary infrastructure. Data is based on open-source intelligence (OSINT) combined with threat research articles, threat indicators, and vulnerability intelligence found in the wild.
Microsoft Defender Threat Intelligence collects intelligence/ IOC data from various sources. Input is based on:
- RiskIQ
- Microsoft Threat Intelligence Center (MSTIC)
- Microsoft 365 Defender Security Research
- Other sources
Defender Threat Intelligence is built on the RiskIQ technology. Microsoft integrated the RiskIQ technologies into Defender as two new solutions:
- Microsoft Defender Threat Intelligence
- Microsoft Defender External Attack Surface Management
Microsoft Defender Threat Intelligence collects data from the internet every day and provides security teams with information to understand adversaries and used attack techniques. Customers can access a library of threat intelligence data.
Currently, Microsoft Defender Threat Intelligence is available in two different plans (end-user plans):
- Defender TI Premium
- Defender TI Free community offering (limited)
Without any Defender TI Premium license, it is possible to use the Defender Threat Intelligence Portal and access the context part of the free offering with limited data.
Defender TI Portal
The portal is available via: ti.defender.microsoft.com. The free limited/ community version can be used without any additional pricing or trial activation.
For more information see: How works Microsoft Defender Threat Intelligence / Defender TI – and what is the difference between free and paid
Available integrations with Microsoft Sentinel
It is possible to use the data of Defender TI and integrate it with other solutions. The integration with Microsoft Sentinel is available and enables multiple use cases based on the ingested TI data. Let’s explore the available options based on the complete MDTI dataset.
In Microsoft Sentinel, there are multiple options for using MDTI data. Defender TI data can be used via the following methods in Sentinel:
- MDTI data connector
- MDTI Sentinel analytics rules
- MDTI API
- MDTI enrichment playbooks
MDTI data connector
Part of Microsoft Sentinel is the MDTI data connector; with the data connector it is possible to ingest TI data into Sentinel from the MDTI feed.
MDTI Sentinel analytics rules
With the analytics rule, Sentinel automatically matches newly ingested data against the MDTI indicators. The analytics rule supports multiple data source types and checks them automatically against known indicators.
MDTI API
With the MDTI API, enrichment is possible in Sentinel. The playbooks for automated enrichment only work when the MDTI API is correctly configured and registered in the tenant. Without the MDTI API, there is no additional enrichment data in Sentinel.
MDTI enrichment playbooks
Enrichment playbooks are available for "automated" enrichment of data based on the MDTI data feed. Examples are enrichment with the insights score or reputation score of a known domain/ indicator.
Difference Analytics rule/ data connector
There is a difference between the MDTI data connector and the MDTI Sentinel analytics rule. The analytics rule is one of the built-in Microsoft Sentinel rules and matches the MDTI indicators against connected logs. With the Threat Intelligence analytics rule, an IOC is only written to Sentinel when there is a match against newly ingested events (no historic data). IOC data is only visible in the ThreatIntelligenceIndicator table when there is a match.
With the Threat Intelligence data connector, TI data is added to the Threat Intelligence blade and can be matched against both historic and newly ingested logs. IOC data is added based on the configured time frame; all indicators are visible in the ThreatIntelligenceIndicator table and include basic information, the confidence score and general indicator metadata.
The following TI data is available:
Threat Intelligence Analytics rule:
- MSTIC Nation State IOCs
- Sonar IOCs
Defender TI data connector:
- MDTI OSINT IOCs
- MSTIC Honeypot indicators
- Other IOCs (not specified further)
Difference table between the TI MAP data connector and the Threat Intelligence analytics rule:

| | TI MAP data connector | Threat Intelligence analytics rule |
|---|---|---|
| Data sources | 50 out-of-the-box TI map rules; customers can create their own rules and match against any data source | Limited to a pre-defined set of data sources: DNS, Syslog, CEF, OfficeActivity, AzureActivity |
| Onboarding | The data connector and the individual rules need to be enabled | Only one rule needs to be enabled |
| Data source | OSINT IOCs, MDTI IOCs, MSTIC honeypots, any other IOC feed | MSTIC nation state IOCs, MDTI IOCs, Sonar IOCs |
| IOC raw access | IOCs appear as raw TI in the Sentinel TI table and page | Only if there is a match |
| Use cases | Detection, threat hunting | Detection |
| Lookback correlation | Detection: up to 14 days; Hunting: depending on the custom retention policy | Detection: live correlation; Hunting: not possible |
| Cost | Threat feed is free; the customer pays the Sentinel ingestion price | Free |
Pricing
Some features leverage the MDTI Premium instance and the MDTI API (the enrichment playbooks and direct API calls). The following Microsoft Sentinel features work without MDTI Premium or the MDTI API:
Free without the usage of MDTI Premium/ API
- MDTI Sentinel analytics rules
- MDTI data connector
Both features only carry the small cost of the data ingested into Log Analytics/ Sentinel, i.e. the indicators written to the ThreatIntelligenceIndicator table. A license for MDTI Premium is not needed for the MDTI Sentinel analytics rule or the MDTI data connector.
Sentinel data connector
With the data connector source for MDTI it is possible to ingest indicators generated by Microsoft Defender Threat Intelligence into the Log Analytics workspace. For enabling the MDTI data connector go to Sentinel and perform the following steps:
- In Sentinel select Data connectors
- Search for the Microsoft Defender Threat Intelligence data connector and open the connector page
- Configure the import configuration
For the import of indicators – it is possible to define the import time range of the indicators. The following options are available for ingesting indicators via the data connector:
- At most one day old
- At most one week old
- At most one month old
- All available
Click Connect to enable the data connector.
When correctly ingested, the indicators are visible in the ThreatIntelligenceIndicator table. The analytics rules whose names start with TI map can then be enabled against the connected data sources.
Open the Threat Intelligence blade and filter the source Microsoft Defender Threat Intelligence. The Defender TI source contains all indicators synced as part of the data connector.
Use the KQL query below to show the ThreatIntelligenceIndicator rows with the status active. You can also just run ThreatIntelligenceIndicator to return all rows in the table.
ThreatIntelligenceIndicator
| where Active == true
To better understand the schema of the ThreatIntelligenceIndicator table, use the following KQL query:
ThreatIntelligenceIndicator
| getschema
The other way to view the ingested indicator is via the Threat Intelligence workbook in Microsoft Sentinel. In the Threat Intelligence view open the Threat Intelligence workbook.
The workbook is based on the Log Analytics dataset and contains a more visual view of the ingested indicators. With the workbook, it is possible to see the ingested indicators and view the active indicators/ source of the indicators. The workbook is based on the same KQL language; which makes customization in custom workbooks possible.
The indicators are short-lived and carry a valid-from and valid-until date. Every EDR/ AV/ security product ingests indicators via threat intelligence, so indicators that are only valid for a couple of days are completely fine in the most common situation.
Sentinel Defender TI Analytics rule
Defender TI data can be used for free with the Sentinel analytics rule. With the Threat Intelligence analytics rule, an IOC is only populated when there is a known match against newly ingested events (no historic data). IOC data is only visible in the ThreatIntelligenceIndicator table when there is a match.
For Defender TI the following analytics rule is available in the Analytics library and is completely standalone from the Defender TI data connector. (no requirement of any Defender TI data connector)
- (Preview) Microsoft Defender Threat Intelligence Analytics
Currently, the following tables are supported for the Defender TI analytics rule:
- Common Event Format (CEF)
- DNS (Preview)
- Syslog
- Office activity logs
- Azure activity logs
Microsoft Defender Threat Intelligence (MDTI) Analytics matches logs based on the domain, IP, and URL indicators.
According to the Microsoft docs, the following logic is behind the analytics rule matching:
- CEF logs ingested into the Log Analytics CommonSecurityLog table match URL and domain indicators if populated in the RequestURL field, and IPv4 indicators in the DestinationIP field.
- Windows DNS logs where event SubType == "LookupQuery" ingested into the DnsEvents table match domain indicators populated in the Name field, and IPv4 indicators in the IPAddresses field.
- Syslog events where Facility == "cron" ingested into the Syslog table match domain and IPv4 indicators directly from the SyslogMessage field.
- Office activity logs ingested into the OfficeActivity table match IPv4 indicators directly from the ClientIP field.
- Azure activity logs ingested into the AzureActivity table match IPv4 indicators directly from the CallerIpAddress field.
Source: Microsoft
Good to know: only when a match is found is the indicator published to the Log Analytics ThreatIntelligenceIndicator table and displayed in the Threat Intelligence view. Indicators are published under the source Microsoft Defender Threat Intelligence Analytics.
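To make the matching logic above concrete, the following is an added example (my own code, not Microsoft's rule logic and not from the original post) that applies the same per-table field rules in Python: CommonSecurityLog RequestURL/DestinationIP, DnsEvents with SubType LookupQuery, Syslog with Facility cron, OfficeActivity ClientIP and AzureActivity CallerIpAddress. It also applies the Active/ExpirationDateTime filter the TI map rules use against the ThreatIntelligenceIndicator table, so an expired indicator never fires. The indicators and log events are constructed sample data; the column names follow the Sentinel tables named in the post.

```python
"""Indicator matching in the style of the Sentinel MDTI analytics rule and TI map rules.
Added example, not Microsoft's rule logic. Indicators and events are constructed samples;
column names follow ThreatIntelligenceIndicator and the five log tables named in the post.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

NOW = datetime(2023, 8, 25, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

# Constructed indicators shaped like rows of ThreatIntelligenceIndicator (ioc-4 is expired).
INDICATORS = [
    {"IndicatorId": "ioc-1", "NetworkIP": "203.0.113.10", "Active": True,
     "ExpirationDateTime": "2023-09-01T00:00:00Z", "ConfidenceScore": 80},
    {"IndicatorId": "ioc-2", "DomainName": "evil.example", "Active": True,
     "ExpirationDateTime": "2023-09-01T00:00:00Z", "ConfidenceScore": 70},
    {"IndicatorId": "ioc-3", "Url": "http://bad.example/login", "Active": True,
     "ExpirationDateTime": "2023-09-01T00:00:00Z", "ConfidenceScore": 90},
    {"IndicatorId": "ioc-4", "NetworkIP": "198.51.100.5", "Active": True,
     "ExpirationDateTime": "2023-08-01T00:00:00Z", "ConfidenceScore": 60},
]

# Constructed events, one per table the rule covers, plus two that must NOT match.
SAMPLE_EVENTS = [
    ("CommonSecurityLog", {"RequestURL": "http://bad.example/login", "DestinationIP": "203.0.113.10"}),
    ("DnsEvents", {"SubType": "LookupQuery", "Name": "evil.example", "IPAddresses": "192.0.2.7"}),
    ("DnsEvents", {"SubType": "ServerStart", "Name": "evil.example"}),        # wrong SubType
    ("Syslog", {"Facility": "cron", "SyslogMessage": "curl http://evil.example/x 198.51.100.5"}),
    ("OfficeActivity", {"ClientIP": "203.0.113.10:443"}),                     # ClientIP carries a port
    ("AzureActivity", {"CallerIpAddress": "198.51.100.5"}),                   # only an expired IOC
]


def active_indicators(indicators, now=NOW):
    """Same filter the TI map rules apply: Active == true and ExpirationDateTime > now()."""
    keep = []
    for ind in indicators:
        expires = datetime.fromisoformat(ind["ExpirationDateTime"].replace("Z", "+00:00"))
        if ind["Active"] and expires > now:
            keep.append(ind)
    return keep


def build_index(indicators):
    """Index indicators by observable type so each log field becomes a dictionary lookup."""
    idx = {"ip": {}, "domain": {}, "url": {}}
    for ind in indicators:
        for kind, col in (("ip", "NetworkIP"), ("domain", "DomainName"), ("url", "Url")):
            if ind.get(col):
                idx[kind][ind[col].lower()] = ind
    return idx


def match_event(table, event, idx):
    """Apply the per-table field logic Microsoft documents for the MDTI analytics rule."""
    hits = []

    def hit(kind, value):
        ind = idx[kind].get(value)
        if ind:
            hits.append({"table": table, "type": kind, "value": value,
                         "IndicatorId": ind["IndicatorId"], "ConfidenceScore": ind["ConfidenceScore"]})

    if table == "CommonSecurityLog":
        url = (event.get("RequestURL") or "").lower()
        if url:
            hit("url", url)
            host = urlparse(url).hostname
            if host:
                hit("domain", host)
        if event.get("DestinationIP"):
            hit("ip", event["DestinationIP"])
    elif table == "DnsEvents" and event.get("SubType") == "LookupQuery":
        if event.get("Name"):
            hit("domain", event["Name"].lower())
        for ip in IPV4_RE.findall(event.get("IPAddresses") or ""):
            hit("ip", ip)
    elif table == "Syslog" and event.get("Facility") == "cron":
        msg = event.get("SyslogMessage") or ""
        for ip in IPV4_RE.findall(msg):
            hit("ip", ip)
        for dom in DOMAIN_RE.findall(msg):
            hit("domain", dom.lower())
    elif table == "OfficeActivity":
        ip = (event.get("ClientIP") or "").split(":")[0]  # strip ":port" before matching
        if ip:
            hit("ip", ip)
    elif table == "AzureActivity":
        if event.get("CallerIpAddress"):
            hit("ip", event["CallerIpAddress"])
    return hits


def run(events=SAMPLE_EVENTS, indicators=INDICATORS, now=NOW):
    """Match every event against the active indicators; returns the TI hits an analyst would see."""
    idx = build_index(active_indicators(indicators, now))
    return [h for table, ev in events for h in match_event(table, ev, idx)]


if __name__ == "__main__":
    print(*run(), sep="\n")
```

Running it yields five hits (two from the CEF event, one each from the DNS lookup, the cron syslog line and the Office activity record); the DNS event with the wrong SubType and the Azure activity record whose only matching indicator has expired produce nothing, which is exactly the behaviour to check when a TI map rule seems "silent" on data you expected to alert.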
Analytics rule for MDTI data connector
After connecting the MDTI data connector, the TI map analytics rules can be used in Sentinel against the ingested TI data. All of these analytics rules are part of the analytics blade and their names start with TI map.
There is overlap in some of the events. When Microsoft 365 Defender is connected, the TI map IP entity to Network Session Events (ASIM Network Session schema) analytics rule can be used against the ingested Microsoft 365 Defender logs.
Tip: Don’t enable all of the available TI MAP analytics rules directly after enabling the connector; some rules are based on the same dataset; which will result in duplicate alerts for each TI hit.
When the indicator is matched with ingested data the Sentinel incident is visible and contains all information from the ingested TI feed.
Example alert title: A network session Source address 107.170.238.18 matched an IoC.
Available IOC data is limited and contains the IoC description/ IndicatorID/ ThreatType/ ConfidenceScore/ IoCIPDirection and additional event data. With the use of the PlayBooks/ MDTI API the IP can be enriched using the Defender TI data.
For viewing all TI-related alerts it is possible to open the TI Alerts view in the Threat Intelligence section. Click on the number of TI alerts, to open the complete view including all historic alerts part of the Threat intelligence generation:
The count redirects to a Log Analytics query including all alerts and matched indicators.
Enrichment using Logic App Playbooks/ MDTI API
When using the MDTI API, incident/ IP enrichment is possible based on the available dataset. The MDTI API is part of Microsoft Graph and is currently in general availability. With the MDTI API, it is possible to enrich incidents or hunt using notebooks.
Currently, the MDTI API license is available as a trial. Sign up here for a 90-day trial. Actual pricing is not yet announced; the expectation is a separate product for MDTI API usage.
MDTI API is part of the Microsoft Graph. For connecting using Logic Apps it is needed to configure a managed identity or app registration for getting permissions to the MDTI API dataset.
On the App registration page, it is needed to add Microsoft Graph API permissions for the type of application.
In the page displayed, select Application permissions, start typing “ThreatIntelligence” in the search box, and select ThreatIntelligence.Read.All permission for allowing read-only access to the Defender TI data.
The complete API documentation is available in MS Graph documentation. Tip: Download the MDTI Postman collection for pre-generated examples using the MDTI API. Available here (GitHub).
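To show what an enrichment call looks like behind the playbooks, here is an added example (my own code, not Microsoft's playbook code and not from the original post) that obtains a client-credentials token for an app registration holding the ThreatIntelligence.Read.All application permission and queries the MDTI reputation endpoint in Microsoft Graph. It assumes the endpoint path `/security/threatIntelligence/hosts/{hostId}/reputation` and the hostReputation field names `classification`, `score` and `rules` (verify both against the Graph documentation linked above); the payload it answers with offline is a constructed sample so the block runs without a tenant.

```python
"""Enrich an IP or hostname with MDTI reputation data from the Microsoft Graph API.
Added example, not Microsoft's playbook code. Assumes an app registration with the
ThreatIntelligence.Read.All application permission; the offline payload is constructed.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Constructed sample of what GET .../hosts/{hostId}/reputation returns (field names assumed).
SAMPLE_REPUTATION = {
    "classification": "malicious",
    "score": 85,
    "rules": [
        {"name": "Known C2 infrastructure", "severity": "high"},
        {"name": "Recently registered domain", "severity": "medium"},
    ],
}


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials request; scope .default asks for the permissions granted to the app."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body, method="POST")


def reputation_request(host, token):
    """GET /security/threatIntelligence/hosts/{hostId}/reputation; hostId is a hostname or IP."""
    url = f"{GRAPH}/security/threatIntelligence/hosts/{urllib.parse.quote(host, safe='')}/reputation"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def send(req, opener=None):
    """Send a request and decode the JSON body; an opener can be injected to run offline."""
    opener = opener or urllib.request.build_opener()
    with opener.open(req) as resp:
        return json.loads(resp.read().decode())


def get_token(tenant_id, client_id, client_secret, opener=None):
    """Exchange the app credentials for a Graph access token."""
    return send(token_request(tenant_id, client_id, client_secret), opener)["access_token"]


def classify(reputation):
    """Reduce a reputation payload to the verdict an analyst wants in the incident comment."""
    classification = reputation.get("classification", "unknown")
    score = int(reputation.get("score", 0))
    rules = [r.get("name") for r in reputation.get("rules", [])]
    return {"verdict": classification, "score": score, "rules": rules,
            "escalate": classification == "malicious" or score >= 75}


def enrich(host, token, opener=None):
    """Full enrichment step: call the API for one indicator and classify the answer."""
    return classify(send(reputation_request(host, token), opener))


class OfflineOpener:
    """Stand-in for urllib's opener that answers with a canned payload (no network needed)."""

    def __init__(self, payload):
        self.body = json.dumps(payload).encode()

    def open(self, req):
        body = self.body

        class _Resp:
            def read(self):
                return body

            def __enter__(self):
                return self

            def __exit__(self, *exc):
                return False
        return _Resp()


def demo():
    """Enrich a constructed IP against the constructed payload; returns the verdict dict."""
    return enrich("203.0.113.10", "<token>", OfflineOpener(SAMPLE_REPUTATION))


if __name__ == "__main__":
    print(demo())
```

For a live run, replace the OfflineOpener with `get_token(tenant_id, client_id, client_secret)` followed by `enrich(host, token)`; the secret belongs in a Key Vault reference or a managed identity, never in the playbook definition, and the `escalate` threshold is a local choice, not something the API returns.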
PlayBooks
When access to the MDTI API is configured, it is possible to use the Defender TI Sentinel playbooks. Recently Microsoft published a couple of playbooks for incident enrichment using the Defender TI API. Announcement + technical instructions are available here: What’s New: MDTI Microsoft Sentinel Playbooks
All available Playbooks are published in the content hub of Sentinel. Install the Microsoft Defender Threat Intelligence solution in Sentinel. The solution pack includes the following Playbooks:
- MDTI-Automated-Triage
- MDTI-Intel-Reputation
- MDTI-Base (needed for the initial API connection with the Microsoft Graph)
- MDTI-Data-WebComponents
MDTI-Automated-Triage:
This playbook uses the Defender TI Reputation data to automatically enrich incidents with the reputation data of MDTI. The result is the following dataset:
MDTI-Data-WebComponents:
This playbook uses the Defender TI components data to automatically enrich incidents. The result is the following dataset:
MDTI-Intel-Reputation:
This playbook uses the Defender TI reputation data to automatically enrich incidents. Reputation information lets an analyst decide whether an indicator is benign, suspicious, or malicious. The result is the following dataset:
Each Playbook is available via Sentinel incident actions. Via the button Run Playbook, it is possible to run the MDTI PlayBooks for each incident and automatically enrich the incident with MDTI API data.
All data is automatically added and visible in the incident activity log of the incident.
Workbooks
The Azure workbook is built on top of the MDTI API and the Sentinel data and works via an Azure Function App. Using the workbook, it is possible to pull data from the API directly into Sentinel and make it visible through a workbook experience.
More information: MDTI-Solutions/Workbooks/MDTI-Workbook-Solution at master · Azure/MDTI-Solutions · GitHub
The workbook summarizes the MDTI indicators ingested into Sentinel via the data connector:
The workbook is able to collect information when searching for hostname information/ IP address information/ MDTI articles/ Intel Profiles and more.
The example below when searching for a specific IP in the MDTI workbook:
Community Github sources
The Microsoft Defender Threat Intelligence team has launched a new GitHub community. The repository includes sample use cases/ templates/solutions and automation for the Defender TI product.
Azure MDTI Solutions Repository
Conclusion
Microsoft Defender Threat Intelligence/ Defender TI is a great product and includes a good set of data, which is useful during investigations/ enrichment of incidents.
With the use of a couple of features in Microsoft Sentinel, the data can be used for little cost without any license. All the real Defender TI power is available when the license and MDTI API license are activated and available. With the use of the API, data can be easily enriched in Sentinel using the TI dataset.
Sources
Microsoft: What’s New: APIs in Microsoft Graph
Microsoft Postman collection on Github: MDTI-Solutions/Postman Collection at master · Azure/MDTI-Solutions (github.com)
Could you explain the benefits and functionalities of this integration in terms of enhancing threat detection and response capabilities within an organization’s security operations?
Thanks, noted for the next blog.
I know this is probably a bit late for a suggestion on this topic, but I have been hoping to get more info on how to get the Graph API working within Sentinel so that you can send Indicators back to Defender. There are pre-made playbooks (“Restrict MDE Domain” for example is one of them), but when I try to set up the permissions for the app, the script breaks, as I believe it needs to be updated. I would love to be able to automate these indicators to just add based on certain Sentinel incidents and even just make a 30 day expiration.