Since we introduced Microsoft Defender Threat Intelligence (Defender TI) in August, customers have used its array of raw intelligence to address threats proactively and its extensive library of finished intelligence to gain insight into the threat ecosystem. Today we are announcing several new features and capabilities that put more threat actor insights at customers' fingertips and extend SIEM and XDR capabilities in their existing tools and workflows, including the integration of Defender TI into Microsoft 365 Defender.
M365 Defender Integration
Threat Intelligence is a foundational component of any security operations platform. Defender TI is now available to licensed customers directly within the Microsoft 365 Defender portal to deliver powerful intelligence that helps analysts correlate information and provides immediate context about threats during their investigations, all within a unified experience. Licensed users will see the following:
- A new Threat Intelligence navigation tab in the portal.
- Threat Analytics merged with Defender TI articles, Intel Profiles, and IOCs written and compiled by Microsoft's threat researchers.
- An Intel Explorer tab that enables pivots on internet data to launch advanced investigations across Microsoft's continuously updated map of the internet.
Intel Profiles are a form of finished intelligence that puts the wealth of information the Microsoft Threat Intelligence team has collected about threat actors and their tools in one place. Each profile is updated whenever new information is discovered and contains analyses of threat actor tools, tactics, and procedures (TTPs) mapped to the MITRE ATT&CK framework, industry-specific guidance, target profile information, and indicators of compromise (IOCs) related to the threat group or tooling. Microsoft 365 Defender and Microsoft Sentinel customers can quickly access this information to analyze, investigate, and hunt threats.
Intel Profiles focus on three key areas:
- Actors: Threat actors Microsoft has previously publicly disclosed.
- Tools: Analysis of the capabilities of specific tools leveraged by actor groups.
- Activity: Original research around actors, campaigns, and vulnerabilities.
Defender TI now has an API to improve interoperability and help the SOC respond to threats at scale. The Defender TI API lets organizations query Defender TI data to operationalize intelligence about threat actors, tools, and vulnerabilities: security teams can enrich their understanding of entities inside security incidents, automate triage, and integrate with a broad ecosystem of security tools, including Microsoft Sentinel.
New Microsoft Sentinel playbooks use the API to query Defender TI's raw and finished intelligence at scale so defenders can quickly build their understanding of a threat. These playbooks evaluate the indicators in an incident against Defender TI's reputation data (everything Microsoft knows about a piece of online infrastructure) to assign a severity and triage the incident automatically.
Playbooks will also automatically enrich incidents with Defender TI's web component data, using Microsoft's map of the internet to show the makeup of a webpage or the technologies and services behind a specific piece of infrastructure. This data reveals the extent of an actor's infrastructure and additional sites that may have been compromised, so teams can understand the full scope of a threat.
IOCs from Defender TI finished intelligence are already natively integrated with Microsoft Sentinel, and there are now new ways to use them. Through a Microsoft Sentinel data connector and the Microsoft Defender Threat Intelligence analytics rule, customers can apply the IOCs surfaced by Microsoft Threat Intelligence to protect their organizations from the latest threats.
Microsoft Sentinel Data Connector: Microsoft researchers continually add all publicly available IOCs from Defender TI finished intelligence to the Microsoft Sentinel Threat Intelligence blade. Microsoft Sentinel users can access these IOCs for free to drive analytics, hunting, and investigations.
Microsoft Defender Threat Intelligence Analytics Rule: When enabled in Microsoft Sentinel, this built-in rule takes the URLs, domains, and IP addresses observed in a customer's log data and checks them against a continuously updated list of known-malicious IOCs from Defender TI. When a match occurs, an incident is created automatically and the matching indicator is written to the Microsoft Sentinel TI blade. With this rule enabled, Microsoft Sentinel users know they have detections in place for threats known to Microsoft.
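The two mechanisms described above, matching observables from log data against an IOC list (the analytics rule) and scoring a match by reputation to set a severity (the playbooks), share one practical detail the text does not show: log values rarely arrive in the same form as feed indicators. DNS logs carry mixed case and trailing dots, firewall logs append ports, endpoint logs carry full URLs with query strings, and published reports defang indicators. The following Python is an added example of that matching and triage logic, not Microsoft's analytics rule, playbook or API code. The IOC feed, the reputation scores, the severity thresholds and the log rows are all constructed for the example, and only IPv4 and unbracketed IPv6 addresses are handled.

```python
"""Added example: match log observables against a TI IOC list and assign a
severity from a reputation score. Illustrative only; feed, scores, thresholds
and log rows are constructed and do not come from Defender TI."""
import ipaddress
from urllib.parse import urlsplit

# Constructed IOC feed. 'score' is a made-up 0-100 reputation value and
# 'article' a made-up finished-intelligence title. Note the defanged forms.
IOC_FEED = [
    {"indicator": "203.0.113[.]45", "score": 95, "article": "Example C2 infrastructure"},
    {"indicator": "malicious-update.example", "score": 80, "article": "Example loader campaign"},
    {"indicator": "hxxps://cdn.example.org/stage2.bin", "score": 65, "article": "Example staging host"},
]

# Constructed log rows standing in for DNS, firewall and endpoint telemetry.
SAMPLE_LOGS = [
    {"table": "DnsEvents", "host": "ws01", "value": "Malicious-Update.EXAMPLE."},
    {"table": "CommonSecurityLog", "host": "fw01", "value": "203.0.113.45:443"},
    {"table": "DeviceNetworkEvents", "host": "ws02", "value": "https://cdn.example.org/stage2.bin?id=7"},
    {"table": "DeviceNetworkEvents", "host": "ws02", "value": "http://malicious-update.example/beacon"},
    {"table": "DnsEvents", "host": "ws03", "value": "update.example.com"},
    {"table": "CommonSecurityLog", "host": "fw01", "value": "198.51.100.7:80"},
]


def refang(raw: str) -> str:
    """Lowercase and undo the defanging conventions common in published reports."""
    return (raw.strip().lower()
            .replace("hxxp://", "http://").replace("hxxps://", "https://")
            .replace("[.]", ".").replace("(.)", "."))


def normalize(raw: str):
    """Return (type, canonical value) for an observable or feed indicator.
    url    -> host + path, without scheme, port or query
    ip     -> address with a trailing ':port' removed (IPv4 / bare IPv6 only)
    domain -> lowercase, trailing dot removed"""
    s = refang(raw)
    if "://" in s:
        parts = urlsplit(s)
        return "url", (parts.hostname or "").rstrip(".") + (parts.path or "/")
    candidate = s.split(":", 1)[0] if s.count(":") == 1 else s  # strip host:port
    try:
        return "ip", str(ipaddress.ip_address(candidate))
    except ValueError:
        return "domain", candidate.rstrip(".")


def build_index(feed):
    """Index the feed by normalized (type, value) so lookups are exact-match."""
    return {normalize(e["indicator"]): e for e in feed}


def candidate_keys(kind, value):
    """A URL observable is also checked against domain/IP indicators for its
    host, so a feed entry for a domain still fires on a full URL to it."""
    keys = [(kind, value)]
    if kind == "url":
        keys.append(normalize(value.split("/", 1)[0]))
    return keys


def severity(score: int) -> str:
    """Constructed thresholds mapping a reputation score to incident severity."""
    if score >= 90:
        return "High"
    if score >= 70:
        return "Medium"
    return "Low"


def run_detection(logs, feed=IOC_FEED):
    """Emit one incident per log row whose observable matches the feed."""
    index = build_index(feed)
    incidents = []
    for row in logs:
        kind, value = normalize(row["value"])
        for key in candidate_keys(kind, value):  # most specific key first
            hit = index.get(key)
            if hit:
                incidents.append({
                    "host": row["host"], "table": row["table"], "observed": row["value"],
                    "indicator_type": key[0], "indicator": key[1],
                    "severity": severity(hit["score"]), "article": hit["article"],
                })
                break
    return incidents


if __name__ == "__main__":
    for inc in run_detection(SAMPLE_LOGS):
        print(f'{inc["severity"]:6} {inc["host"]} {inc["table"]}: '
              f'{inc["observed"]} -> {inc["indicator_type"]} {inc["indicator"]} ({inc["article"]})')
```

Two design points carry over to any rule you write on top of a feed like this: normalize both sides with the same function so that case, ports, trailing dots and defanging cannot cause silent misses, and check a URL against domain and IP indicators for its host as well as against URL indicators, since a feed usually names the infrastructure rather than every path on it.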
We want to hear from you!
Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how Defender TI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about Defender TI and try it today.