How Microsoft Defender Threat Intelligence (Defender TI) works, and what the difference is between free and paid
Microsoft Defender Threat Intelligence (MDTI), previously known as RiskIQ, brings threat intelligence data together from multiple sources.
With Microsoft Defender Threat Intelligence (MDTI), customers have direct access to real-time data and signals to hunt for threats across their environments. It is built with AI and machine learning capabilities. Defender TI is available in a free and a paid version.
Blog updated 18 August 2022
What is Microsoft Defender Threat Intelligence?
Microsoft Defender Threat Intelligence can be used in multiple ways. It can act as a standalone product, and it offers the option of ingesting TI data into Microsoft Sentinel or Microsoft 365 Defender. Microsoft Defender Threat Intelligence is a threat intelligence (TI) solution that provides additional insights, context, and strategies about threat actors and adversary threat infrastructure. The data is based on open-source intelligence (OSINT) combined with threat research articles, threat indicators, and vulnerability intelligence found in the wild.
Microsoft Defender Threat Intelligence collects intelligence and IOC data from various sources. Input is based on:
- Microsoft Threat Intelligence Center (MSTIC)
- Microsoft 365 Defender Security Research
Defender Threat Intelligence is built on RiskIQ technology. Microsoft integrated the RiskIQ technologies into Defender through two new solutions:
- Microsoft Defender Threat Intelligence
- Microsoft Defender External Attack Surface Management
Microsoft Defender Threat Intelligence collects data from the internet every day and provides security teams with information to understand adversaries and the attack techniques they use. Customers can access a library of threat intelligence data.
Currently, Microsoft Defender Threat Intelligence is available in two different plans:
- Defender TI Premium
- Defender TI Free community offering
Without a Defender TI Premium license, it is still possible to use the Defender Threat Intelligence portal and access the context that is part of the free offering.
Price and trial
For the Defender TI Premium solution, the license is currently available for €3513 per license/month or €42.165 per license/year. The trial can be activated via admin.microsoft.com. The license is assigned per user. The trial enables 5 licenses.
Defender TI Portal
The portal is available via ti.defender.microsoft.com. The free, limited version can be used without any additional pricing or trial activation.
Microsoft centralized a couple of different data sets into the Defender TI platform. Microsoft provides as much data as possible, which gives useful insights from an analyst's or security point of view. Microsoft collects internet data via its PDNS sensor network, a global proxy network of virtual users, and port scans, and leverages third-party sources for malware and additional Domain Name System (DNS) data.
The following data sets are available:
- Host pairs
- Reverse DNS
Microsoft explains all the features of each data set in more depth: Defender TI Data sets | Microsoft Docs
Defender TI Premium vs Defender TI Free
Defender TI Premium contains more features than the Defender TI Free solution. Without a premium license, only free content is available. Of course, there is a difference between the two offerings.
Note: Currently there is no official comparison available, so let's compare the portals.
Free version: Shows 1796 articles
Paid version: Shows 1831 articles
Logincyberdemo(.)com is used as a test site for the Evilginx / AiTM blog post. The difference between the free and premium plans for this newly discovered domain name is interesting.
- Light theme = free
- Dark theme = premium
In Defender TI Premium there is more data based on reputation and insights. Defender TI Premium shows a reputation-based score and analyst insights. The domain is newly registered and shows the label "New subdomain 6 days ago". Microsoft gives the domain a reputation score of 65, calculated based on the Registrar / Resolving IP Address rule (range 0-100; a higher score is more suspicious).
The data section is interesting. Part of the data is additional raw data discovered based on the domain. Here is a difference: the free version shows loading errors for Whois, Host Pairs, and Cookies (they do not load when copying the same URL).
For Defender TI Premium it is interesting to see the additional Cookies information. For the AiTM phishing site, Defender TI detected the cookies in use and shows, for example, the Microsoft cookies such as MicrosoftApplications and other Microsoft cookies.
When clicking on the cookie it is possible to see the additional relations and view other detected websites where the cookie is used.
Defender TI Premium shows more historic data. Where the free version shows only 8 resolutions for the domain Microsoft.com, Defender TI Premium shows 39 resolutions.
Based on further comparison, it seems the free version only shows data for a limited period (15 days of data). The premium version shows more historic data.
Defender TI Premium shows more articles. Newer articles are only available in the premium plan and are released in the free plan after some weeks. Of the available indicator types (Public indicators / Defender TI indicators), only the premium plan shows the Defender TI indicators. Article descriptions contain more information about the attack or the attacker profile. Longer descriptions may contain images, links, and prevention guidance.
The Defender TI indicators section covers the indicators that Defender TI’s research team has found and added to the articles.
All articles are listed under the Microsoft Defender TI Threat Intelligence Home Page articles section, ordered by creation date (descending). The featured article section of the Defender TI Home Page shows the featured Microsoft content.
Differences Free vs Paid
Compare Malicious domains
Based on SEABORGIUM's ongoing phishing activity there are some interesting differences. In free and premium the description of the article is the same and contains the intelligence brief information and references. The same applies to the public indicators. It gets interesting when opening one of the indicators: in premium there is a nice addition based on the reputation calculation and analyst insights.
Free version: Shows only basic information and attached articles
Paid version: Shows additional reputation and analyst insights.
Based on the reputation score there is directly more visibility, where you can see that the indicator is part of the RiskIQ Intel article, along with more information.
Compare WHOIS data
WHOIS information is only available in Defender TI Premium. In Defender TI Free there is no additional WHOIS data available.
Defender TI shows the current Whois lookup and historical Whois lookups. Defender TI’s Whois History repository provides all known historical domain associations to Whois attributes based on the system’s observations.
Part of Defender TI Premium is the reputation scoring. Reputation scores are determined by a series of factors. Microsoft explains the scoring as follows:
Reputation Scores are displayed as a numerical score with a range from 0 to 100. An entity with a score of “0” has no known associations to suspicious activity or known indicators of compromise; a score of “100” indicates that the entity is malicious.
| Score | Rating | Description |
| --- | --- | --- |
| 75+ | Malicious | The entity has confirmed associations to known malicious infrastructure that appears on our blocklist and matches machine learning rules that detect suspicious activity. |
| 50 - 74 | Suspicious | The entity is likely associated to suspicious infrastructure based on matches to three or more machine learning rules. |
| 25 - 49 | Neutral | The entity matches at least two machine learning rules. |
| 0 - 24 | Unknown (Green) | If the score is "Unknown" and green, the entity has returned at least one matched rule. |
| 0 - 24 | Unknown (Grey) | If the score is "Unknown" and grey, the entity has not returned any rule matches. |
More information can be found here: Defender TI Reputation scoring | Microsoft Docs
Analyst Insights give quick insights about the artifacts to help during the investigation. Currently the following analyst insight types are available in Defender TI:
| Analyst insight types | Questions they can address |
| --- | --- |
| Blocklisted | Is/when was the domain, host, or IP address blocklisted? How many times has Defender TI blocklisted the domain, host, or IP? |
| Registered & Updated | How many days, months, years ago was the domain registered? When was the domain WHOIS record updated? |
| Subdomain IP count | How many different IPs are associated with the subdomains of the domain? |
| New subdomain observations | When was the last time Microsoft observed a new subdomain for the domain in question? |
| Registered & Resolving | Does the domain queried exist? Does the domain resolve to an IP address? |
| Number of Domains sharing the WHOIS record | What other domains share the same WHOIS record? |
| Number of domains sharing the Name Server | What other domains share the same name server record? |
| Crawled by RiskIQ | When was this host or domain last crawled by Microsoft? |
| International Domain | Is the domain queried an international domain name (IDN)? |
| Blocklisted by Third Party | Is this indicator blocklisted by a third party? |
| Tor Exit Node Status | Is the IP address in question associated with The Onion Router network (Tor)? |
| Open Ports Detected | When did Microsoft last port scan this IP address? |
| Proxy Status | What is the proxy status of this indicator? |
| Host Last Observed | Is the IP address in question internet accessible? |
| Hosts a Web Server | Does the IP address have a DNS server that uses its resources to resolve the name into it for the appropriate web server? |
Comparison table (Free vs Paid)
Notice: There is currently no official comparison table between the free and paid service. Based on a comparison between Free and Premium, the differences appear to be the following:
| Feature | Defender TI Free | Defender TI Premium |
| --- | --- | --- |
| Articles | ✅ New articles appear first in Premium | ✅ Directly available |
| Articles: Public indicators | ✅ | ✅ |
| Articles: Defender TI indicators | ❌ | ✅ |
| Data: Historic data | ❌ | ✅ |
| Data: Whois information | ❌ | ✅ |
| Data: Whois historic information | ❌ | ✅ |
| Data: Host pairs | ❌ | ✅ |
| Data: Reverse DNS | ✅ | ✅ |
Defender Threat Intelligence combines multiple sources in one platform and correlates data in articles and additional sources. Microsoft Defender Threat Intelligence (Defender TI) makes the platform interactive and combines multiple sources in a single view, which saves time and security resources.
Hopefully, more features are coming for more in-depth integration with other products. The next blog will give more information on the Microsoft Sentinel, Microsoft 365 Defender, and Defender for Cloud integrations based on Microsoft Defender Threat Intelligence.
Stay tuned for more content around Microsoft Defender Threat Intelligence.
Microsoft Sentinel: New Threat Intelligence features in Microsoft Sentinel