Introducing MDTI Free Experience for Microsoft Defender XDR

Today, we are thrilled to announce that we are unleashing the power of threat intelligence to all Microsoft XDR tenants. Starting at Microsoft Ignite, all XDR users will see Microsoft Threat Intelligence (MDTI) in the threat intelligence blade of Defender XDR. This free experience, which is a limited version of MDTI, enables security professionals of all levels to review recent threat research from Microsoft security experts and open-source (OSINT) feeds, search for and pivot between Indicators of Compromise (IoCs) to augment your investigations, and gain actionable threat context by reviewing Microsoft-curated profiles on known threat actors and tools – all within the Microsoft Defender XDR portal.

The MDTI free version is available to all Defender tenants on the “Intel profiles”, “Intel explorer”, and “Intel projects” tabs in the “Threat intelligence” blade.The MDTI free version is available to all Defender tenants on the “Intel profiles”, “Intel explorer”, and “Intel projects” tabs in the “Threat intelligence” blade.

Augment your Defender and Sentinel investigations using IoC search

Incidents and alerts turn up many potential IoCs, including IP addresses, domains, file hashes, and more – often without context. Incident responders can use the Intel Explorer search within the MDTI free version to surface critical information related to these IoCs, helping to quickly isolate the most important investigations and correlate seemingly unrelated infrastructure.

MDTI's data sets, built off daily scans and analysis of the entire internet, offer the context incident responders need to determine who is attacking them, how severe the threat might be, and what infrastructure is related to an IoC. Free users receive access to current WHOIS data for all IP addresses and domains as well as Services data for all IPs, helping responders to evaluate the maliciousness of an IoC based on values such as the WHOIS organization and registrar or evidence of a self-signed . We also provide all Subdomains data as well as the last 14 days of Resolutions, Certificates, Trackers, Components, DNS, and Reverse data to provide an up-to-date picture of what infrastructure currently is, and recently was, related to an IoC.

For more information on effectively search in MDTI as well as a complete list of what artifact types are supported, review our “Searching and Pivoting” Microsoft Learn documentation. Learn more about the raw data sets we provide for these artifacts in this blog.

Search for indicators of compromise and pivot off related artifacts to augment your security investigations.Search for indicators of compromise and pivot off related artifacts to augment your security investigations.

Remain informed and optimally focused with daily threat research

We compile trusted vulnerabilities and threat research from a variety of sources into one feed so your team can stay informed on the latest potential threats to your organization. Our Intel Explorer “Recent articles” feed contains open-source intelligence from government organizations, nonprofit research institutions, and leading security providers, providing a critical stream from which cyber threat intelligence analysts and CISOs can discover the latest threat intelligence research, providing insights into new adversaries, tactics, techniques, and procedures (TTPs), CVEs, and heuristics to implement into their security controls. Many of these articles also contain public indicators of compromise, which cyber threat intelligence analysts and threat hunters can use to determine whether these IoCs or any related infrastructure are present within their .

We also display select Microsoft threat research articles in the Intel Explorer “Featured” section, providing detailed information on the activities of tracked threat actors as well as detection or remediation techniques.

The intel explorer tab contains a stream of open-source intelligence articles (“Recent articles”) as well as Microsoft-curated threat research (“Featured”) to keep your team informed.The intel explorer tab contains a stream of open-source intelligence articles (“Recent articles”) as well as Microsoft-curated threat research (“Featured”) to keep your team informed.

Understand your organization's threat landscape with intel profiles

As the defender of four of the world's largest public clouds, Microsoft's team of more than 10,000 dedicated security researchers and engineers is responsible for making sense of more than 65 trillion security signals per day. These experts convert many of our most valuable findings into Intel Profiles, which offer a near-real-time view of what Microsoft knows about various threat actors and their TTPs.

For the first time, we are releasing over a dozen intel profiles to all Microsoft Defender users, accessible through the Intel Profiles tab, to harden your organization's to proactively defend against some of the world's most advanced and persistent adversaries. Review these profiles to better understand the threat landscape and uncover the TTPs of the threat actor groups which may be targeting your industry or geolocation.

Visit the “Intel Profiles” page to learn detailed information on over a dozen threat actors, including their TTPs.Visit the “Intel Profiles” page to learn detailed information on over a dozen threat actors, including their TTPs.

Proactively protect your brand and assets using MDTI

Security teams can remain ahead of vulnerabilities in their infrastructure and thwart phishing and typosquatting attacks by proactively searching for your web assets in the MDTI free version. On the Intel Explorer page, search for your domains to find unwanted resolutions on the “Resolutions” tab, or use the “Services” tab while investigating your organization's IP addresses to discover unwanted open ports and vulnerable components. You also can pivot off Certificates, Trackers, or Components while searching your domains to find similar domains which scraped your web assets, perhaps with the intent to deceive and harm your customers. Each of these functions can provide critical intelligence to protect your brand and customers, alike.

Discover suspicious infrastructure on or associated with your web assets to protect your brand and customers.Discover suspicious infrastructure on or associated with your web assets to protect your brand and customers.

Additional features

  • Search for any CVE-ID within “Intel Explorer” to see a description of the vulnerability, links to known exploits, and a list of affected components
  • Save indicators to Projects during searches or within the “Intel Projects” tab to organize and monitor adversary infrastructure

Upgrade to do even more

Fully licensed MDTI users can access the entirety of the data, intelligence, and other content that help them understand the full extent of a threat, take proactive defensive actions, and inoculate their organization from malicious infrastructure. Users can create unique, organization-specific intel via the same internet data sets that today's leading threat researchers use to track and uncover external threats. They can also develop a robust intel-led defense strategy with a rich content library of activity snapshots, Intel Profiles, threat research articles, and more – all continuously enriched with IOCs and updated with new findings.

With the MDTI API, customers can tap into powerful integrations, such as Microsoft Sentinel, to provide outside-the-firewall context to internal security incidents and help the SOC punch above its weight by responding to threats at scale.

For access to these Premium features and more, contact sales to request a free trial or explore licensing options.

Next steps

Whether you are just kick-starting a threat intelligence program or looking to augment your existing threat intelligence toolset, the MDTI free version can add critical context to your existing security investigations, keep your organization informed on current threats through leading research and intel profiles, provide crucial brand intelligence, and help you to collect powerful threat intelligence associated with your organization or others in your industry. To learn more about how you and your organization can leverage MDTI, watch our overview video and follow our “Become an MDTI Ninja” training path today.

Also, find out about other MDTI innovations launching at Microsoft Ignite

 

This article was originally published by Microsoft's Defender Threat Intelligence Blog. You can find the original article here.