MDTIThreat Intelligence

Microsoft Defender Threat Intelligence (MDTI) overview

What is MDTI?

Microsoft Defender Threat Intelligence (MDTI) is a threat hunting and investigation solution that provides context on cyber threats, IoCs, threat actors, and related infrastructure via raw data sets and finished TI (Threat Intelligence) necessary to accelerate investigations. It can provide finished intelligence with actionable IOCs authored by Microsoft researchers with the ability to query hosts, domains, and IPs to identify adversarial infrastructure and enrich alerts. MDTI can also integrate with Sentinel for correlating malicious IOCs with internal telemetry from logs. Also, to add more context, MDTI is based on the RiskIQ acquisition by Microsoft in 2021.

I’ve added MDTI to my Mind Map to help you understand the big picture in a visual form and links you can access to know more about the solution.

Also, you can start with the Landing page. It will offer you an overview of the key features and links to the documentation – Microsoft Defender Threat Intelligence | Microsoft Security.

Why MDTI?

If you have been working with Microsoft Security products in the last few years, you have noticed that Microsoft has been hugely investing in the security space, including threat intelligence. I’ve been writing a series of blog posts explaining how you can integrate some TIP (Threat Intelligence Platforms) into your Azure/Microsoft environment – you can access the series here.

With the inclusion of RiskIQ into Microsoft’s security portfolio, Microsoft is adding an “outside-in” perspective, a view beyond the firewall. With this outside-in context, we can have a broader and complete picture of a cyber-attack.

How does MDTI work?

MDTI uses a proprietary network of crawlers (virtual users) that simulate human-web interactions and the full composition of internet assets without an agent requirement and sensors to scan the entire Internet daily to look for adversaries and their infrastructure. It collects, analyzes, and indexes internet data to help security teams detect and respond to threats, prioritize incidents, and proactively identify adversaries’ infrastructure associated with actor groups that can potentially target your organization. In addition, Microsoft performs 2 billion HTTP requests per day to crawl the web and mobile pages across the Internet. Check this link to learn more about the web crawl process.

It also leverages infrastructure chaining, analyzing the relationships between highly connected datasets to build out an investigation. This means it can correlate with other interconnected assets from a mapped connection, such as an IP, domain, certificate, and more. For example, a host pair can reveal important shared connections between websites and enables you to see where your resources are being used and vice versa.

As a result, you will have the following datasets available in the platform:

  • Resolutions
  • Whois
  • Certificates
  • Subdomains
  • Trackers
  • Host pairs
  • Components
  • Cookies
  • Reverse DNS
  • DNS
  • Services

You can access more information and the images above in this link: How Internet Telemetry Data Becomes Threat Intelligence (microsoft.com).

Who can benefit from MDTI?

Typical users are:

  • Security Operations
  • Incident Response
  • Threat Hunting
  • Cyber Threat Intelligence Analysis
  • Cybersecurity Research

Ref.: Exploring Target User Functions and Use Cases

MDTI Use Cases

Below, you can see some of the use cases you can implement with MDTI:

MDTI Portal and trial

First, if you want to try MDTI, you will need to have an Azure Active Directory or personal Microsoft account and you can spin up a trial for 30-days. 

To know how to do this, follow the instructions in the following link:

https://aka.ms/MDTIGettingStarted

After the trial is created, you can access the portal using the address – https://ti.defender.microsoft.com

Below, you can see the home page:

Now, I suggest you follow the instructions in the article “Quickstart: Learn how to access Microsoft Defender Threat Intelligence and make customizations in your portal” to start using the portal.

MDTI Mind Map

I’ve built this mind map to help you to visually understand some important concepts around MDTI. I hope it helps.

You can also download the file HERE.

How can I learn more?

The good news is, MDTI has its own L400 Ninja Training. It is the best resource to learn more about the product.

Become a Microsoft Defender Threat Intelligence Ninja: The complete level 400 training

Microsoft docs – What is Microsoft Defender Threat Intelligence (Defender TI)? | Microsoft Learn

Tiago Souza

Tiago Souza

Security Technical Specialist
Cyber Security Technical Specialist at Microsoft | Cloud Security & Threat Protection | Blog content creator at CyberGeeks.Cloud - https://linktr.ee/tiagovf