Microsoft Defender Threat Intelligence (MDTI), previously known as RiskIQ, brings threat intelligence data together from multiple sources.

With Microsoft Defender Threat Intelligence (MDTI), customers have direct access to real-time data and signals to hunt for threats across their environments. It is built with AI and machine learning capabilities. Defender TI is available in a free and a paid version.

Blog updated 18 August 2022

What is Microsoft Defender Threat Intelligence?

Microsoft Defender Threat Intelligence can be used in multiple ways. It can act as a standalone product and allows the option of ingesting TI data into Microsoft Sentinel or Microsoft 365 Defender. Microsoft Defender Threat Intelligence is a threat intelligence (TI) solution that helps with additional insights, context, and strategies about threat actors and adversary threat infrastructure. Data is based on open-source intelligence (OSINT) combined with threat research articles, threat indicators, and vulnerability intelligence found in the wild.

Microsoft Defender Threat Intelligence collects intelligence/IOC data from various sources. Input is based on:

  • RiskIQ
  • Microsoft Threat Intelligence Center (MSTIC)
  • Microsoft 365 Defender Security Research

Defender Threat Intelligence is built on the RiskIQ technology. Microsoft integrated the RiskIQ technologies into Defender in two new solutions:

  • Microsoft Defender Threat Intelligence
  • Microsoft Defender External Attack Surface Management

Microsoft Defender Threat Intelligence collects data from the internet every day and provides security teams with information to understand adversaries and the attack techniques they use. Customers can access a library of threat intelligence data.

Currently, Microsoft Defender Threat Intelligence is available in two different plans:

  • Defender TI Premium
  • Defender TI Free community offering

Without a Defender TI Premium license, it is possible to use the Defender Threat Intelligence portal and access the context part of the free offering.

Price and trial

For the Defender TI Premium solution, the license is currently available for €3513 per license per month or €42.165 per license per year. The trial can be activated via admin.microsoft.com. The license is assigned per user. The trial enables 5 licenses.

Defender TI Portal

The portal is available via: ti.defender.microsoft.com. The free limited version can be used without any additional pricing or trial activation.

Data sets

Microsoft centralized several different data sets in the Defender TI platform. Microsoft provides as much data as possible, which gives useful insights from an analyst's/security point of view. Microsoft collects internet data via its PDNS sensor network, a global proxy network of virtual users, and port scans, and leverages third-party sources for malware and additional Domain Name System (DNS) data.

The following data sets are available:

  • Resolutions
  • Whois
  • Certificates
  • Subdomains
  • Trackers
  • Components
  • Host pairs
  • Hashes
  • Cookies
  • Services
  • DNS
  • Reverse DNS

Microsoft explains all the features in more depth for each data set: Defender TI Data sets | Microsoft Docs


Defender TI Premium vs Defender TI Free

Defender TI Premium contains more features than the Defender TI Free solution. Without a premium license, only free content is available. Of course, there is a difference between the two offerings.

Note: currently there is no official comparison available. Let’s compare the portals.

Free version: Shows 1796 articles

Paid version: Shows 1831 articles

Compare indicator

Logincyberdemo(.)com is used as a test site for the Evilginx/AiTM blog post. Interesting is the difference between the free and premium plans for this newly discovered domain name.

  • Light theme = free
  • Dark theme = premium

In Defender TI Premium there is more data based on reputation and insights. Defender TI Premium shows a reputation-based score and analyst insights. The domain is newly registered and shows the label “New subdomain 6 days ago”. Microsoft gives the domain a reputation score of 65, calculated based on the Registrar/Resolving IP Address rule (0–100; higher is more suspicious).

Interesting is the data section. Part of the data is additional raw data discovered based on the domain. Here is a difference: the free version shows loading errors for Whois, Host Pairs, and Cookies (they do not load when copying the same URL).

For Defender TI Premium it is interesting to see the additional cookie information. For the AiTM phishing site, Defender TI detected the cookies used and shows, for example, the Microsoft cookies involved: MicrosoftApplications and other Microsoft cookies.

When clicking on a cookie it is possible to see the additional relations and view other detected websites where the cookie is used.

Defender TI Premium shows more historic data. Where the free version shows only 8 resolutions for the domain Microsoft.com, Defender TI Premium shows 39 resolutions.

Based on more data, it seems the free version only shows data for a couple of days (15 days of data). The premium version shows more historic data.

Compare articles

Defender TI Premium shows more articles. Newer articles are only available in the premium plan and are released in the free plan after some weeks. Of the available indicator types (Public indicators / Defender TI indicators), only the premium plan shows the Defender TI indicators. Article descriptions contain more information about the attack or attacker profile. Longer descriptions may contain images, links, and prevention advice.

The Defender TI indicators section covers the indicators that Defender TI’s research team has found and added to the articles.

All articles are listed under the Microsoft Defender TI Threat Intelligence Home Page articles section, ordered by creation date (descending). The featured article section of the Defender TI Home Page shows the featured Microsoft content.

Differences Free vs Paid

Compare Malicious domains

Based on SEABORGIUM’s ongoing phishing activity there are some interesting differences. In free and premium the description of the article is the same and contains intelligence brief information/references. The same holds for the public indicators. Interesting is when opening one of the indicators: in premium there is a nice addition based on the reputation calculation and analyst insights.

Free version: Shows only basic information and attached articles

Paid version: Shows additional reputation and analyst insights.

Based on the reputation score there is directly more visibility: you can see that the indicator is part of the RiskIQ Intel article, with more information.

Compare WHOIS data

WHOIS information is only available in Defender TI Premium. In Defender TI Free there is no additional WHOIS data available.

Defender TI shows the current Whois lookup and historical Whois lookups. Defender TI’s Whois History repository provides all known historical domain associations to Whois attributes based on the system’s observations. 


Reputation scoring

Part of Defender TI Premium is the reputation scoring. Reputation scores are determined by a series of factors. Microsoft explains the scoring as follows:

Reputation Scores are displayed as a numerical score with a range from 0 to 100. An entity with a score of “0” has no known associations to suspicious activity or known indicators of compromise; a score of “100” indicates that the entity is malicious.

Score | Category | Description
75+ | Malicious | The entity has confirmed associations to known malicious infrastructure that appears on our blocklist and matches machine learning rules that detect suspicious activity.
50–74 | Suspicious | The entity is likely associated with suspicious infrastructure based on matches to three or more machine learning rules.
25–49 | Neutral | The entity matches at least two machine learning rules.
0–24 | Unknown (Green) | If the score is “Unknown” and green, the entity has returned at least one matched rule.
0–24 | Unknown (Grey) | If the score is “Unknown” and grey, the entity has not returned any rule matches.

More information can be found here: Defender TI Reputation scoring | Microsoft Docs
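The score bands above can be turned into a small triage helper for indicators exported from the portal. This is an added example, not Microsoft's code; the record layout (score plus number of matched rules) and all sample values except the 65 reported for the test domain are constructed assumptions, since the portal itself only shows the score and its colour.

```python
"""Map Defender TI reputation scores to the documented categories and rank
indicators for review. Added example; not Microsoft's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str
    score: int          # 0-100 reputation score as shown by Defender TI
    matched_rules: int  # number of ML rules that matched (constructed field)


def reputation_category(score: int, matched_rules: int) -> str:
    """Return the category for a score, using the bands from the docs table.

    The 0-24 band cannot be resolved from the score alone: the portal shows it
    green when at least one rule matched and grey when none did, so the rule
    count is needed to tell the two apart.
    """
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if matched_rules < 0:
        raise ValueError("matched_rules cannot be negative")
    if score >= 75:
        return "Malicious"
    if score >= 50:
        return "Suspicious"
    if score >= 25:
        return "Neutral"
    return "Unknown (Green)" if matched_rules >= 1 else "Unknown (Grey)"


# Review order: worst category first, then higher score first within a band.
PRIORITY = {"Malicious": 0, "Suspicious": 1, "Neutral": 2,
            "Unknown (Green)": 3, "Unknown (Grey)": 4}


def triage(indicators: list) -> list:
    """Return (value, category, score) tuples sorted for analyst review."""
    rows = [(i.value, reputation_category(i.score, i.matched_rules), i.score)
            for i in indicators]
    return sorted(rows, key=lambda r: (PRIORITY[r[1]], -r[2]))


# Constructed sample: score 65 is the value the post reports for the test
# domain; its rule count and the other rows are made up for illustration.
SAMPLE = [
    Indicator("logincyberdemo(.)com", 65, 3),
    Indicator("example-a(.)invalid", 10, 1),
    Indicator("example-b(.)invalid", 10, 0),
    Indicator("example-c(.)invalid", 80, 5),
]

if __name__ == "__main__":
    for value, category, score in triage(SAMPLE):
        print(f"{score:3d}  {category:16s} {value}")
```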


Analyst insights

Analyst Insights give quick insights about the artifacts to help during an investigation. Currently the following analyst insight types are available in Defender TI:

Analyst insight type | Questions they can address
Blocklisted | Is/when was the domain, host, or IP address blocklisted? How many times has Defender TI blocklisted the domain, host, or IP?
Registered & Updated | How many days, months, or years ago was the domain registered? When was the domain WHOIS record updated?
Subdomain IP count | How many different IPs are associated with the subdomains of the domain?
New subdomain observations | When was the last time Microsoft observed a new subdomain for the domain in question?
Registered & Resolving | Does the queried domain exist? Does the domain resolve to an IP address?
Number of Domains sharing the WHOIS record | What other domains share the same WHOIS record?
Number of domains sharing the Name Server | What other domains share the same name server record?
Crawled by RiskIQ | When was this host or domain last crawled by Microsoft?
International Domain | Is the queried domain an international domain name (IDN)?
Blocklisted by Third Party | Is this indicator blocklisted by a third party?
Tor Exit Node Status | Is the IP address in question associated with The Onion Router network (Tor)?
Open Ports Detected | When did Microsoft last port scan this IP address?
Proxy Status | What is the proxy status of this indicator?
Host Last Observed | Is the IP address in question internet accessible?
Hosts a Web Server | Does the IP address have a DNS server that uses its resources to resolve the name into it for the appropriate web server?

More information can be found here: Defender TI Analyst Insights | Microsoft Docs


Comparison table (Free vs Paid)

Notice: there is currently no official comparison table between the free and paid service. Based on a comparison between Free and Premium, the differences appear to be as follows:

Feature | Defender TI Free | Defender TI Premium
Articles | ✅ New articles first in Premium | ✅ Directly available
Articles description
Articles Public indicators
Articles Defender TI indicators
Reputation
Analytics insights
Data: Historic data
Data: Whois information
Data: Whois historic information
Data: Resolutions
Data: Certificates
Data: Subdomains
Data: Trackers
Data: Components
Data: Host pairs
Data: Hashes
Data: Cookies
Data: DNS
Data: Reverse DNS

Conclusion

Defender Threat Intelligence combines multiple sources in one platform and correlates data in articles and additional sources. Microsoft Defender Threat Intelligence (Defender TI) makes the platform interactive and combines multiple sources in one single view which saves time and security resources.

Hopefully, more features are coming for more in-depth integration with other products. Next blog: more information scoped on the Microsoft Sentinel, Microsoft 365 Defender, and Defender for Cloud integrations based on Microsoft Defender Threat Intelligence.

Stay tuned for more content around Microsoft Defender Threat Intelligence.


Sources

Microsoft: What is Defender Threat Intelligence (Defender TI)

Microsoft Sentinel: New Threat Intelligence features in Microsoft Sentinel