Microsoft Defender Threat Intelligence (MDTI), previously known as RiskIQ, brings threat intelligence data together from multiple sources. With MDTI, customers get direct access to data and signals to hunt for threats across their environments. Defender TI relies heavily on AI and machine learning capabilities and is available in a free and a paid version.

A previously published blog covers the product itself: How works Microsoft Defender Threat Intelligence / Defender TI – and what is the difference between free and paid

If you are new to Microsoft Defender Threat Intelligence, it is recommended to read that blog first. This blog focuses on the integration with Microsoft Sentinel.

Blog information:

Blog Published: June 1, 2023
Blog updated: August 25, 2023

Recap: What is Microsoft Defender Threat Intelligence?

Microsoft Defender Threat Intelligence can be used in multiple ways. It works as a standalone product and can also feed TI data into Microsoft Sentinel or Microsoft 365 Defender. Microsoft Defender Threat Intelligence is a threat intelligence (TI) solution that provides additional insights, context, and strategies about threat actors and adversary infrastructure. The data is based on open-source intelligence (OSINT) combined with threat research articles, threat indicators, and vulnerability intelligence found in the wild.

Microsoft Defender Threat Intelligence collects intelligence/ IOC data from various sources. The input comes from:

  • RiskIQ
  • Microsoft Threat Intelligence Center (MSTIC)
  • Microsoft 365 Defender Security Research
  • Other sources

Defender Threat Intelligence is built on the RiskIQ technology. Microsoft integrated the RiskIQ technologies into Defender as two new solutions:

  • Microsoft Defender Threat Intelligence
  • Microsoft Defender External Attack Surface Management

Microsoft Defender Threat Intelligence collects data from the internet every day and gives security teams the information to understand adversaries and the attack techniques they use. Customers get access to a library of threat intelligence data.

Currently, Microsoft Defender Threat Intelligence is available in two different plans (end-user plans):

  • Defender TI Premium
  • Defender TI Free community offering (limited)

Without a Defender TI Premium license it is still possible to use the Defender Threat Intelligence portal and access the context part of the free offering, with limited data.

Defender TI Portal

The portal is available via: ti.defender.microsoft.com. The free/ community version can be used without any additional pricing or trial activation.

For more information see: How works Microsoft Defender Threat Intelligence / Defender TI – and what is the difference between free and paid


Available integrations with Microsoft Sentinel

It is possible to use the Defender TI data in other solutions. The integration with Microsoft Sentinel is available and enables multiple use cases based on the ingested TI data. Let’s explore the available options based on the complete MDTI dataset.

In Microsoft Sentinel there are multiple options for integrating MDTI data. Defender TI data can be used via the following methods in Sentinel:

  • MDTI data connector
  • MDTI Sentinel analytics rules
  • MDTI API
  • MDTI enrichment playbooks

MDTI data connector

The MDTI data connector is part of Microsoft Sentinel; with the data connector, TI data from the MDTI feed can be ingested into Sentinel.

MDTI Sentinel analytics rules

With the analytics rule, newly ingested log data is matched automatically against the known MDTI indicators. The analytics rule supports multiple data source types and checks every new event automatically against the known indicators.

MDTI API

With the MDTI API, enrichment is possible in Sentinel. The enrichment playbooks for automated enrichment only work when the MDTI API is correctly configured and registered in the tenant. Without the MDTI API, no additional enrichment data is available in Sentinel.

MDTI enrichment playbooks

Enrichment playbooks are available for automated enrichment of incidents based on the MDTI data feed. Examples are enrichment with the insights score or the reputation score of a known domain/ indicator.

Difference Analytics rule/ data connector

There is a difference between the MDTI data connector and the MDTI Sentinel analytics rule. The analytics rule is one of the built-in Microsoft Sentinel rules and matches the MDTI indicators against the connected logs. With the Threat Intelligence analytics rule, an IOC is only populated when there is a known match against newly ingested events (no historic data). IOC data is only visible in the ThreatIntelligenceIndicator table when there is a match.

With the Threat Intelligence data connector, TI data is added to the Threat Intelligence blade and can be matched against both historic and newly ingested logs. IOC data is added based on the configured time frame; all indicators are visible in the ThreatIntelligenceIndicator table and include basic information, the confidence score and general information.

The following TI data is available:

Threat Intelligence Analytics rule:

  • MSTIC Nation State IOCs
  • Sonar IOCs

Defender TI data connector:

  • MDTI OSINT IOCs
  • MSTIC Honeypot indicators
  • Other IOCs (not defined exactly)

Difference table between the TI MAP data connector and the Threat Intelligence analytics rule:

| Scenario | TI MAP data connector | Threat Intelligence analytics rule |
| Data sources | 50 out-of-the-box rules; customers can create rules and match them with any data source | Limited to a pre-defined set of data sources (DNS, Syslog, CEF, OfficeActivity, AzureActivity) |
| Onboarding | The rules need to be enabled, as well as the data connector itself | Only one rule needs to be enabled |
| Data source | OSINT IOCs, MDTI IOCs, MSTIC Honeypots, any other IOC feed | MSTIC nation state, MDTI IOCs, Sonar IOCs |
| IOC raw access | IOCs appear as raw TI in the Sentinel TI table and page | Only if there is a match |
| Use cases | Detection, threat hunting | Detection |
| Lookback correlation | Detection: up to 14 days; Hunting: depending on the custom retention policy | Detection: live correlation; Hunting: not possible |
| Cost | Threat feed is free; the customer pays the Sentinel ingestion price | Free |

Pricing

Some features leverage the MDTI Premium instance and the MDTI API and require additional MDTI licensing. In Microsoft Sentinel the following features can be used without it:

Free without the usage of MDTI Premium/ API

  • MDTI Sentinel analytics rules
  • MDTI data connector

Both features have a small cost based on the data ingested into Log Analytics/ Sentinel. A license for MDTI Premium is not needed for the MDTI Sentinel analytics rule and the MDTI data connector. The cost is based on the data ingested into the ThreatIntelligenceIndicator table.
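Because the only cost of the free features is the ingestion of the ThreatIntelligenceIndicator table, it is worth checking how much billable volume the connector actually produces. The KQL below is an added example and is not part of the original blog or of Microsoft's content; it assumes the standard Usage table that every Log Analytics workspace has, where Quantity is reported in MB, and relates the daily billable volume to the number of indicator rows written that day.

```kusto
// Added example (not from the original blog): estimate the billable volume
// generated by the MDTI data connector in the ThreatIntelligenceIndicator table.
// Assumes the standard Usage table (Quantity is in MB, IsBillable marks paid data).
Usage
| where TimeGenerated > ago(30d)
| where DataType == "ThreatIntelligenceIndicator" and IsBillable == true
| summarize BillableMB = sum(Quantity) by bin(StartTime, 1d)
| join kind=leftouter (
    // number of indicator rows written per day, to put the volume in context
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d)
    | summarize IndicatorRows = count() by StartTime = bin(TimeGenerated, 1d)
  ) on StartTime
| project StartTime, BillableMB, IndicatorRows
| order by StartTime asc
```

Run the query right after enabling the connector with the "All available" import option and again a week later: the first day carries the backfill, the following days show the steady-state cost of the feed.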


Sentinel data connector

With the MDTI data connector it is possible to ingest indicators generated by Microsoft Defender Threat Intelligence into the Log Analytics workspace. To enable the MDTI data connector, go to Sentinel and perform the following steps:

  • In Sentinel select Data connectors
  • Search for the Microsoft Defender Threat Intelligence data connector and open the connector page
  • Configure the import configuration

For the import of indicators it is possible to define the import time range. The following options are available for ingesting indicators via the data connector:

  • At most one day old
  • At most one week old
  • At most one month old
  • All available

Click Connect to enable the data connector.

When correctly ingested, the indicators are visible in the ThreatIntelligenceIndicator table. The analytics rules with the name TI map can then be enabled against this data source.

Open the Threat Intelligence blade and filter the source Microsoft Defender Threat Intelligence. The Defender TI source contains all indicators synced as part of the data connector.

Use the KQL query below to show the ThreatIntelligenceIndicator records with the status active. Typing only ThreatIntelligenceIndicator returns all rows in the table.

ThreatIntelligenceIndicator
| where Active == true

To better understand the schema of the ThreatIntelligenceIndicator table, use the following KQL query:

ThreatIntelligenceIndicator
| getschema

Another way to view the ingested indicators is via the Threat Intelligence workbook in Microsoft Sentinel. In the Threat Intelligence view, open the Threat Intelligence workbook.

The workbook is based on the Log Analytics dataset and gives a more visual view of the ingested indicators: the active indicators and the sources of the indicators. The workbook uses the same KQL language, which makes customization in custom workbooks possible.

The indicators are short-lived and contain a valid-from and valid-until date. Every EDR/ AV/ security product ingests indicators via threat intelligence; indicators that are only valid for a couple of days are the common situation and completely fine.
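The two queries above return every row, including older versions of an indicator that was updated later and indicators whose validity has already ended. The KQL below is an added example, not part of the original blog or of Microsoft's content, that keeps only the latest version of each IndicatorId, drops inactive and expired indicators, and summarizes what the feed currently contains per threat type. It assumes the indicators from the MDTI connector carry the source name shown in the Threat Intelligence blade filter ("Microsoft Defender Threat Intelligence") in the SourceSystem column; adjust the filter if your workspace shows a different source name.

```kusto
// Added example (not from the original blog): the connector writes a new row
// every time an indicator is updated, so the table holds several versions of
// the same IndicatorId. Keep only the latest version, drop expired and
// inactive ones, and summarize what the MDTI feed currently contains.
let lookback = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated > ago(lookback)
// assumption: source name as shown in the Threat Intelligence blade filter
| where SourceSystem == "Microsoft Defender Threat Intelligence"
| summarize arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
// one human-readable value per indicator, whatever its type
| extend IndicatorValue = coalesce(NetworkIP, DomainName, Url, FileHashValue)
| summarize Indicators = count(),
            AvgConfidence = avg(ConfidenceScore),
            Sample = take_any(IndicatorValue)
    by ThreatType
| order by Indicators desc
```

The arg_max step is the important one: without it, a domain that was re-published three times in the lookback window is counted three times, and a later "Active == false" update does not hide the earlier active version.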


Sentinel Defender TI Analytics rule

Defender TI data can be used for free via the Sentinel analytics rule. With the Threat Intelligence analytics rule, an IOC is only populated when there is a known match against newly ingested events (no historic data). IOC data is only visible in the ThreatIntelligenceIndicator table when there is a match.

For Defender TI the following analytics rule is available in the Analytics library. It is completely standalone from the Defender TI data connector (no Defender TI data connector is required):

  • (Preview) Microsoft Defender Threat Intelligence Analytics

Currently, the following tables are supported by the Defender TI analytics rule:

  • Common Event Format (CEF)
  • DNS (Preview)
  • Syslog
  • Office activity logs
  • Azure activity logs

Microsoft Defender Threat Intelligence (MDTI) Analytics matches logs based on the domain, IP, and URL indicators.

According to the Microsoft docs, the following logic is behind the analytics rule matching:

  • CEF logs ingested into the Log Analytics CommonSecurityLog table match URL and domain indicators if populated in the RequestURL field, and IPv4 indicators in the DestinationIP field.
  • Windows DNS logs where event SubType == "LookupQuery" ingested into the DnsEvents table match domain indicators populated in the Name field, and IPv4 indicators in the IPAddresses field.
  • Syslog events where Facility == "cron" ingested into the Syslog table match domain and IPv4 indicators directly from the SyslogMessage field.
  • Office activity logs ingested into the OfficeActivity table match IPv4 indicators directly from the ClientIP field.
  • Azure activity logs ingested into the AzureActivity table match IPv4 indicators directly from the CallerIpAddress field.

Source: Microsoft

Good to know: only when a match is found is the indicator published to the Log Analytics ThreatIntelligenceIndicator table and displayed in the Threat Intelligence view. Indicators are published under the source Microsoft Defender Threat Intelligence Analytics.
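The matching logic listed above only runs against new events. When the MDTI data connector is enabled as well, the same checks can be reproduced by hand as a hunting query over historic data. The KQL below is an added example, not part of the original blog or of Microsoft's analytics rule; it reproduces two of the five rules (CEF DestinationIP against IPv4 indicators, Windows DNS LookupQuery names against domain indicators) using the indicators the connector wrote to ThreatIntelligenceIndicator. The 14-day lookback mirrors the detection window quoted in the comparison table; the rule's extra matches (RequestURL, the DNS IPAddresses field, Syslog, OfficeActivity, AzureActivity) are left out here and can be added the same way.

```kusto
// Added example (not from the original blog): reproduce the analytics-rule
// matching logic by hand for two of the supported tables, so the same check
// can be run as a hunting query over historic data (the rule itself only
// inspects new events). Indicators come from the MDTI data connector.
let lookback = 14d;
// latest, active, unexpired IPv4 indicators
let ti_ip = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | project IndicatorId, NetworkIP, ThreatType, ConfidenceScore, Description;
// latest, active, unexpired domain indicators (lower-cased for a case-insensitive match)
let ti_domain = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(DomainName)
    | project IndicatorId, DomainName = tolower(DomainName), ThreatType, ConfidenceScore, Description;
// CEF: IPv4 indicators against DestinationIP
let cef_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where isnotempty(DestinationIP)
    | join kind=inner ti_ip on $left.DestinationIP == $right.NetworkIP
    | project TimeGenerated, Table = "CommonSecurityLog", Matched = DestinationIP,
              Source = SourceIP, IndicatorId, ThreatType, ConfidenceScore, Description;
// DNS: domain indicators against the queried name of lookup events
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where SubType == "LookupQuery" and isnotempty(Name)
    | extend Name = tolower(Name)
    | join kind=inner ti_domain on $left.Name == $right.DomainName
    | project TimeGenerated, Table = "DnsEvents", Matched = Name,
              Source = ClientIP, IndicatorId, ThreatType, ConfidenceScore, Description;
union cef_hits, dns_hits
| order by TimeGenerated desc
```

Note the difference with the built-in analytics rule: the rule writes a matched indicator into the table only at match time, while this query needs the connector's indicators to be present already. A hit here carries the IndicatorId, so the same row can be looked up in the Threat Intelligence blade or passed to the enrichment playbooks described later.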


Analytics rule for MDTI data connector

After connecting the MDTI data connector, the TI map analytics rules can be used in Sentinel against the ingested TI data. All these analytics rules are in the Analytics blade and their names start with TI map.

There is overlap in some of the events. When Microsoft 365 Defender is connected, the TI map IP entity to Network Session Events (ASIM Network Session schema) analytics rule can be used against the ingested Microsoft 365 Defender logs.

Tip: don’t enable all of the available TI map analytics rules directly after enabling the connector; some rules are based on the same dataset, which results in duplicate alerts for each TI hit.

When an indicator matches ingested data, a Sentinel incident is created that contains the information from the ingested TI feed.

Example alert title: A network session Source address 107.170.238.18 matched an IoC.

The available IOC data is limited and contains the IoC description/ IndicatorId/ ThreatType/ ConfidenceScore/ IoCIPDirection and additional event data. With the playbooks/ MDTI API the IP can be enriched using the Defender TI data.

To view all TI-related alerts, open the TI Alerts view in the Threat Intelligence section. Click on the number of TI alerts to open the complete view, including all historic alerts generated by threat intelligence:

The count redirects to a Log Analytics query that includes all alerts and matched indicators.


Enrichment using Logic App Playbooks/ MDTI API

With the MDTI API, incident/ IP enrichment is possible based on the available dataset. The MDTI API is part of Microsoft Graph and is currently generally available. With the MDTI API it is possible to enrich incidents or to hunt using Azure notebooks.

Currently, the MDTI API license is available as a trial. Sign up here for a 90-day trial. Actual pricing is not yet announced; the expectation is a separate product for MDTI API usage.

The MDTI API is part of Microsoft Graph. To connect from Logic Apps, a managed identity or app registration is needed to get permissions to the MDTI API dataset.

On the app registration page, add Microsoft Graph API permissions for the type of application.

In the page displayed, select Application permissions, start typing “ThreatIntelligence” in the search box, and select the ThreatIntelligence.Read.All permission, which allows read-only access to the Defender TI data. Application permissions on Microsoft Graph require admin consent in the tenant before the Logic App can use them, so grant consent after adding the permission.

The complete API documentation is available in the Microsoft Graph documentation. Tip: download the MDTI Postman collection for pre-generated examples of the MDTI API, available here (GitHub).

PlayBooks

When the MDTI API is available, the Defender TI Sentinel playbooks can be used. Microsoft recently published a couple of playbooks for incident enrichment using the Defender TI API. The announcement and technical instructions are available here: What’s New: MDTI Microsoft Sentinel Playbooks

All available playbooks are published in the Sentinel content hub. Install the Microsoft Defender Threat Intelligence solution in Sentinel. The solution pack includes the following playbooks:

  • MDTI-Automated-Triage
  • MDTI-Intel-Reputation
  • MDTI-Base (needed for the initial API connection with the Microsoft Graph)
  • MDTI-Data-WebComponents

MDTI-Automated-Triage:

This playbook uses the Defender TI reputation data to automatically enrich incidents with the MDTI reputation data. The result is the following dataset:

MDTI-Data-WebComponents:

This playbook uses the Defender TI components data to automatically enrich incidents. The result is the following dataset:

MDTI-Intel-Reputation:

This playbook uses the Defender TI reputation data to automatically enrich incidents. Reputation information lets an analyst decide whether an indicator is benign, suspicious, or malicious. The result is the following dataset:

Each playbook is available via the Sentinel incident actions. Via the Run playbook button, it is possible to run the MDTI playbooks for an incident and automatically enrich it with MDTI API data.

All data is added automatically and is visible in the activity log of the incident.


Workbooks

The Azure workbook is built on top of the MDTI API/ Sentinel data and works via an Azure Function App. Using the workbook, data from the API can be pulled directly into Sentinel and shown in a workbook experience.

More information: MDTI-Solutions/Workbooks/MDTI-Workbook-Solution at master · Azure/MDTI-Solutions · GitHub

The workbook can summarize the MDTI indicators that are part of Sentinel via the data connector:

The workbook can also collect information when searching for hostname information/ IP address information/ MDTI articles/ Intel Profiles and more.

The example below shows a search for a specific IP in the MDTI workbook:


Community Github sources

The Microsoft Defender Threat Intelligence team has launched a new GitHub community. The repository includes sample use cases/ templates/ solutions and automation for the Defender TI product.

Azure MDTI Solutions Repository

Link: GitHub – Azure/MDTI-Solutions: Repository to publish sample use cases, templates, solutions, automations for Microsoft Defender Threat Intelligence (MDTI) product


Conclusion

Microsoft Defender Threat Intelligence/ Defender TI is a great product and includes a good set of data, which is useful during investigations and incident enrichment.

With a couple of features in Microsoft Sentinel, the data can be used at little cost without any license. The real Defender TI power becomes available when the MDTI Premium license and the MDTI API license are activated. With the API, data can easily be enriched in Sentinel using the TI dataset.

Blog tip: How works Microsoft Defender Threat Intelligence / Defender TI – and what is the difference between free and paid


Sources

Microsoft: What’s New: APIs in Microsoft Graph

Microsoft Postman collection on Github: MDTI-Solutions/Postman Collection at master · Azure/MDTI-Solutions (github.com) 

Microsoft: What’s New: MDTI Microsoft Sentinel Playbooks