Unleash the Power of Threat Intel: Introducing the MDTI GitHub

We are excited to announce that the Microsoft Defender (MDTI) team has launched our official GitHub Community. There, we share technical solutions with customers to help the SOC maximize Microsoft in MDTI for a wide range of common incident response and threat hunting scenarios. In this blog post, we'll explore access GitHub and run several custom scenarios that can easily enhance your security processes through powerful enrichment and that boost efficiency and understanding of threats.

Sean_Wasonga_0-1690373271270.jpeg

Access to the GitHub repository

To access our GitHub repository, customers can go to: aka.ms/MDTIGitHub

Users will be presented with a range of technical solutions that can enhance their ability to manage security processes and situations with an emphasis on the following areas:

Folder on GitHub repository Technical Solution and information
M365 Advance hunting queries This provides a series of M365 Defender queries that support advanced hunting through querying Indicators of Compromise (IoCs) identified in MDTI articles and Intel Profiles. You can see an in-depth overview of how this can be done here: aka.ms/MDTINowInM365DBlog
MDTI playbooks These provide a view of different playbooks that can be leveraged in the following areas:

·       Enrichment use cases with Microsoft Sentinel

·       Brand intelligence scenarios

·       Third-party enrichment

Notebooks This provides a view of different Jupyter notebooks that address the need for advanced use cases, enabling advanced hunting for customers: In this folder, customers

·       Introductory notebooks that provide guidance on running Threat intelligence calls with the MDTI API

·       The MDTI Heatmap generates a visualization to display the first and last seen dates of various DNS record types (NS, SOA, and AAAA) associated with the specified domain.

Postman Collection A collection that provides guidance on how customers can use the MDTI API.

·       You can see more guidance on use the API in the blog post here: aka.ms/MDTIAPIBlog

·       Visit the MDTI Video Tutorial here: aka.ms/MDTIAPIPracticalGuideVideo

Workbooks This dashboard provides a user-friendly interface that enables organizations to easily access and analyze threat intelligence data. With this new tool, decision-makers can make informed decisions to strengthen their security posture and protect against potential threats. Visit the blog post for more: aka.ms/MDTIIntelReportingBlog

MDTI GitHub 

Sean_Wasonga_0-1690373468996.png

Figure: The MDTI GitHub repository

Custom Scenarios for Microsoft TI

Use Case Scenario 1: Brand Intelligence

This use case involves monitoring and analyzing online activity related to a particular brand or organization to detect potential risks or threats. Brand Intelligence can include monitoring social media, online forums, and other sources for negative comments or mentions of the brand, as well as tracking attempts to impersonate the brand or steal sensitive information.

To help with brand protection, the MDTI team developed the Typosquat playbook,. This playbook enables security teams to quickly prioritize their domain takedown activities based on the level of risk posed by each domain with a systematic approach for detecting and taking down typo squat domains. It leverages an open-source tool called openSquat to identify new domains that are created with slight variations of legitimate domain names in relation to a keyword selected by the user. Once these domains are identified, the Typosquat playbook automatically runs them against the MDTI Reputation endpoint. This platform provides real-time reputation scoring for domains (malicious or suspicious), and the results are provided in an email, showcasing the domains against the reputation endpoint.

To use this playbook, you will need to go to the playbook on our GitHub Page, ensure you have your MDTI API credentials, and click the “Deploy to Azure” button. This action will proceed to deploy a playbook based on your specifications of keywords and generate a result based on the response.

Sean_Wasonga_1-1690373524215.png

Figure: Deploy Typosquat playbook

Sean_Wasonga_2-1690373561374.png

Figure: add credentials to run the playbook

In this case, we'll use the keyword “Microsoft” to determine if any domains that have been created and are potential typo squats. After adding all the details, we proceed to create the playbook and run it. Once the playbook has run, users will see the following:

Sean_Wasonga_3-1690373657529.png

Figure: Consolidated table for typosquat domains enriched with reputation endpoint from MDTI. In this example, if we narrow down to one of these domains that have been identified as malicious directly, we can understand what we need to prioritize for a domain takedown activity.

Sean_Wasonga_4-1690373693559.png

Figure: Email result for Typosquat playbook

Use Case Scenario 2: Latest Threat Trends

Threat intelligence is a critical component of any effective strategy, and organizations that prioritize it are better positioned to protect their systems and data from potential threats. Therefore, it's crucial for organizations to get visibility of the latest threat trends because it helps them stay ahead of new threats. By collecting and analyzing data from various sources, organizations can identify the latest threat trends and intel, prioritize the threats based on their severity and relevance and take appropriate action to mitigate the risks.

In this use case, we have the MDTI Articles Newsletter playbook. This playbook uses the MDTI article data to provide the latest articles generated by Microsoft Threat Intelligence and sends the user an email summary. To use this playbook, customers will need to ensure they have their MDTI API credentials, and click the “deploy to Azure” button.

Sean_Wasonga_5-1690373777199.png

Figure: The MDTI Article newsletter playbook

After deploying the playbook and adding the defined API connection credentials, please proceed to run the playbook. The following is the defined result (email summary).

Sean_Wasonga_6-1690373845299.png

Figure : New MDTI Articles from the last 7 Days, result of MDTI playbook  

Get Started

Get access to our GitHub repository and work with our technical solutions team, provide feedback, areas of improvement, etc. We are also keen on people looking to contribute to our GitHub repository. If you have a solution leveraging MDTI that you would like to see on our GitHub repository, please kindly send an email here: mdti-pm@microsoft.com

Sign Up for a Trial

  • Please reference our “Getting Started with MDTI” blog for details regarding setting up your MDTI Premium trial.

Questions 

We hope this blog helps you understand the value MDTI can provide. If you have inquiries regarding threat intelligence use cases mentioned or not mentioned in this blog and are not currently working with a MDTI Technical Specialist or Global Black Belt, please comment below or email mdti-pm@microsoft.com

Feedback 

We would love to hear your ideas to improve our MDTI platform or where our threat intelligence could be used elsewhere across the Microsoft Security ecosystem or other security third-party applications. Feel free to comment below or email mdti-pm@microsoft.com to share that feedback. If you are currently working with a MDTI Technical Specialist or Global Black Belt through this PoC, please communicate your requested use cases and product feedback to them directly. 

Learn About New MDTI Features 

Please join our Cloud Security Private Community. Users that would like to help influence the direction and strategy of our MDTI product are encouraged to sign-up for our Private Preview events. Those participating will earn credit for respective Microsoft product badges delivered by Credly.

 

This article was originally published by Microsoft's Defender Threat Intelligence Blog. You can find the original article here.