Performing a Successful Proof of Concept (PoC)

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .

So, you are ready to use Defender Threat Intelligence to uncover threat actors at scale and enhance your security operations. Defender Threat Intelligence can help identify and eliminate modern threats and their infrastructure with dynamic threat intelligence by applying the following capabilities:

  • Identify attackers and their tools.
  • Accelerate detection, incident response, investigations, and remediation.
  • Enhance your security tools and workflows.

To effectively determine the benefits of adopting Defender Threat Intelligence, you should perform a Proof of Concept (PoC). Before enabling Defender Threat Intelligence, you and your team should go through a planning process to determine the series of tasks that must be accomplished in this PoC.

Below, I’ll highlight the planning phases you and your team should undertake.

Planning for the PoC

Persona identification

  • Security Operations Teams
  • Incident Response Teams
  • Threat Hunting Teams
  • Cyber Threat Intelligence Teams
  • Cybersecurity Research Teams

Requirements

Based on the scope, you can start determining the requirements for this PoC:

  • Determining the quality of Internet telemetry
  • Fidelity of indicators found in MDTI articles
  • Integrated use cases (SIEM, e.g. Microsoft Sentinel)
  • Ability to collaborate on investigations using Microsoft Defender Threat Intelligence (Defender TI)
  • Tracking threat actors and their tooling

Prerequisites

  • An Azure Active Directory or personal Microsoft account. Log in or create an account.
    • Note:
      • If you have a personal Microsoft account, you will want to perform steps 1-4 in the MDTI Getting Started Tech Community blog, so you can create an Azure tenant to begin an MDTI Premium trial.
      • If you log in to MDTI using your personal Microsoft account, you will log in with Community (free) access, which limits how well you can measure the true value of the platform during the PoC.
  • A Microsoft Defender Threat Intelligence Premium license.

Set up a Free 30-day MDTI Premium Trial

Follow this guide to set up your Defender Threat Intelligence Premium trial: Getting Started with Microsoft Defender Threat Intelligence.

Accessing the MDTI Platform

Log in to MDTI: https://aka.ms/DefenderTI

Measuring Success

Establish how you will measure success before starting your PoC; this sets the right expectations for gauging whether the PoC succeeded.

Preparation

The next “Implementation and Technical Validation” section closely follows our Microsoft Defender Threat Intelligence (MDTI) Ninja Training series. If you aren’t familiar with Defender Threat Intelligence or our legacy RiskIQ PassiveTotal or Illuminate solutions, we highly encourage you to take the Defender Threat Intelligence Ninja Training and perform the exercises laid out in modules 3 and 6. At the end, if you receive an 80% or higher, you can take the and request a certificate. This is not an official Microsoft certificate, but it recognizes your efforts in completing the MDTI Ninja Training.

Implementation and Technical Validation

Scenario 1: Identification of existing Threat Intelligence and Data Enrichment

Check whether an artifact (IP, domain, or host) appears in any threat intelligence articles, what its reputation score is and why, which analyst insights are present, and what detailed internet telemetry exists for it on the Data tab.

Scenario 2: Infrastructure Chaining

Infrastructure chaining is a method by which previously unknown relationships between indicators are brought to the surface. The illustration below shows how starting with one artifact, in this case a malware sample, leads to identifying more entities that could serve as investigative leads for incident response or threat hunting.

Figure: Infrastructure chaining concept

Scenario 3: Collaborate on an investigation using a Project

Since analysts usually work in collaboration, sharing work is paramount to ensuring people are not duplicating efforts and that there is a record of actions taken for a given case. Defender Threat Intelligence Projects are a lightweight case-management feature that enables analysts to work together when collecting indicators of compromise related to an investigation. This could be in response to an incident or proactively fingerprinting the infrastructure of an actor targeting their industry or organization.

Figure: Creating a Project in MDTI and adding an artifact to the project

Scenario 4: Integrated Use Case Scenarios (Detections with Microsoft Sentinel)

Microsoft Sentinel users can use Defender Threat Intelligence indicators to generate detections within Microsoft Sentinel. You can see how to integrate with Microsoft Sentinel and identify detections here: Defender TI Detections in Microsoft Sentinel. For this scenario to work well in a PoC, the key element is a Sentinel Log Analytics workspace with existing log types (CEF, DNS, and Syslog) and the Microsoft Threat Intelligence Analytics rule enabled.

  • Actions
    • Create a Microsoft Sentinel resource and Log Analytics workspace (if not already enabled)
    • Ingest CEF, DNS, and/or Syslog data into the Log Analytics workspace (if these log sources are not already enabled/present)
    • Enable the Microsoft Threat Intelligence Analytics rule.
    • Review the ‘Threat Intelligence’ blade with the Source: “Microsoft Threat Intelligence Analytics” filter applied. Identify new MDTI indicators detected against your logs as new detections arise.
    • Review the ‘Incidents’ blade for new “Microsoft Threat Intelligence Analytics” incidents.
    • Review the incident’s entities and how the incident was triggered. For example, did the indicator exist in an MDTI intel article? What information and related indicators of compromise can you identify by opening the article in MDTI? What additional context can you gather from searching the IP or host entity in MDTI? Review the Summary and Data tabs for these entities and for the artifacts you pivot on to unpack related indicators of compromise.

Figure: actions for Microsoft Sentinel and MDTI (IOC and Incident View)

Scenarios to evaluate when integrating with Sentinel

  • Automated enhanced detections in Microsoft Sentinel from a Defender Threat Intelligence article
  • Researching an article from an enhanced detection in Microsoft Sentinel
  • Importing your own threat intelligence into the Threat intelligence blade in Microsoft Sentinel
  • Threat hunting example based on identified intelligence
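The following KQL query is an added example and is not part of the original post, nor is it the logic of Microsoft's built-in Threat Intelligence Analytics rule. It serves both the "Review the ‘Threat Intelligence’ blade" action in Scenario 4 and the threat-hunting scenario in the list above: during a PoC it lets the team independently confirm which MDTI indicators matched their DNS and CEF logs, instead of relying only on the incidents the rule raised. It uses the standard Microsoft Sentinel tables ThreatIntelligenceIndicator, DnsEvents and CommonSecurityLog; the SourceSystem value is assumed to correspond to the Source filter named in the post, and the 14-day lookback is an arbitrary choice.

```kql
// Added example (not from the original post or from Microsoft's built-in rule).
// Hunts DNS lookups and CEF connections that match active MDTI indicators.
let lookback = 14d;
// Active, unexpired indicators, deduplicated to the latest version of each one.
// Assumption: SourceSystem carries the same value the post's Source filter uses.
let ti = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    | where SourceSystem == "Microsoft Threat Intelligence Analytics"
    | where Active == true and ExpirationDateTime > now()
    | summarize arg_max(TimeGenerated, *) by IndicatorId;
// Domain indicators matched against DNS query names (case-insensitive).
let domain_hits = ti
    | where isnotempty(DomainName)
    | extend DomainName = tolower(DomainName)
    | join kind=inner (
        DnsEvents
        | where TimeGenerated > ago(lookback) and SubType == "LookupQuery"
        | extend DomainName = tolower(Name)
      ) on DomainName
    | project TimeGenerated = TimeGenerated1, Indicator = DomainName,
              IndicatorType = "domain", Asset = ClientIP,
              IndicatorId, ConfidenceScore, ThreatType, Description;
// IP indicators matched against destination IPs in CEF (CommonSecurityLog).
let ip_hits = ti
    | where isnotempty(NetworkIP)
    | join kind=inner (
        CommonSecurityLog
        | where TimeGenerated > ago(lookback)
        | where isnotempty(DestinationIP)
      ) on $left.NetworkIP == $right.DestinationIP
    | project TimeGenerated = TimeGenerated1, Indicator = NetworkIP,
              IndicatorType = "ip", Asset = SourceIP,
              IndicatorId, ConfidenceScore, ThreatType, Description;
// One row per indicator: when it was first and last seen, how often, and which
// internal assets (up to 20) touched it. High-confidence, recent hits sort first.
union domain_hits, ip_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Assets = make_set(Asset, 20)
    by Indicator, IndicatorType, IndicatorId, ConfidenceScore, ThreatType, Description
| order by ConfidenceScore desc, LastSeen desc
```

Run it in the Logs blade of the Sentinel workspace. Each resulting Indicator can then be searched in MDTI to pull the article, reputation and Data-tab telemetry that Scenario 1 describes, and the Assets column gives the hosts to check in your SIEM or EDR for the self-reflection questions below.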

 

Resources

Self-Reflection

Identify how the MDTI offering provided value to your organization’s overall business during the PoC.

  1. Has your organization been able to better prioritize incidents and alerts to focus on the most severe threats?
  2. Have you identified related indicators of compromise or finished threat intelligence when proactively approaching an investigation or responding to an incident?
    • Have you been able to use these related indicators of compromise or finished threat intelligence to build new detection rules that better equip your organization’s defenses going forward?
    • Have you been able to hunt for these indicators in your SIEM logs or EDR? Were these indicators found elsewhere in your network?
    • After the new detection rules were enabled, did any new alerts or incidents emerge as a result?
  3. How did building stronger defenses and responding to threats more readily affect your organization’s bottom line or reputation by better protecting your employees, suppliers, and/or customers? Were you able to:
    • Detect an active threat (such as ransomware or cyber espionage) that would previously have gone unnoticed without Defender Threat Intelligence?
    • Identify a threat against your own infrastructure that would have resulted in a client-side attack against your suppliers or customers?
    • Better prioritize incidents and spend less time collecting data before beginning an investigation?
 

Questions?

We hope you found this blog helpful in understanding the value Defender Threat Intelligence (MDTI) can provide. If you have inquiries regarding threat intelligence use cases mentioned or not mentioned in this blog and are not currently working with a Defender Threat Intelligence Technical Specialist or Global Black Belt, please email mdti-pm@microsoft.com.

Feedback?

We would love to hear any ideas you may have to improve our MDTI platform or where our threat intelligence could be used elsewhere across the Microsoft Security ecosystem or other third-party security applications. Feel free to email mdti-pm@microsoft.com to share that feedback as well. If you are currently working with an MDTI Technical Specialist or Global Black Belt through this PoC, please communicate your requested use cases and/or product feedback to them directly.

Interested in learning about new MDTI features?

Please join our Cloud Security Private Community if you’re not a member and follow our MDTI Private & Public Preview events in our MS Defender Threat Intelligence channel. You will not have access to this Teams channel until you are a Cloud Security Private Community member. Users who would like to help influence the direction and strategy of our MDTI product are encouraged to sign up for our Private Preview events. Those participating will earn credit towards the respective Microsoft product badges delivered by Credly.

Want to work with our Sales team?

If you are interested in working with an MDTI Technical Specialist or Global Black Belt, please contact our Sales team by filling out this form.
