Welcome to this first video in this series on empowering security analysts with Microsoft Defender Threat Intelligence (MDTI). My name is Terry Clancy. In this MDTI overview and demo video, we'll briefly discuss how MDTI fits into Microsoft's security portfolio, and then we'll overview MDTI's main benefits and functions and demonstrate its use. Following that, we'll look into the use of Security Copilot with MDTI and Threat Analytics, which are both included in Security Copilot. In later videos in this sub-series, we'll go into more detail about Threat Hunting, integration with Sentinel, Defender XDR, and Threat Analytics, and making the most from the use of Security Copilot with MDTI and Threat Analytics.
I'm also producing a video going into technical detail about the application and use of the Microsoft Defender Threat Intelligence APIs. Today, organisations are faced with the incredibly difficult task of trying to protect their expanding digital estate from increasing cyber threats. The move to the cloud and a mobile workforce have pushed the border of your digital estate beyond the boundary of your physical network. Your data and users and systems are everywhere.
Meanwhile, the frequency and sophistication of attacks are ever growing. In such an era, it is crucial to have a strong security posture. Microsoft delivers this with a robust and comprehensive security portfolio which we can segment into three main areas: Compliance and Privacy with Microsoft Purview and Priva, Identity and Management with Microsoft Entra and Intune, and finally Security. In the area of security, Microsoft Defender is a comprehensive solution designed to provide end-to-end threat protection across various platforms and devices. Microsoft Defender products focus on endpoints, collecting and analysing data from sources such as Windows, Linux, Office 365, cloud deployments and external attacks.
These products are then integrated with Microsoft Defender XDR and Sentinel, which can enrich the collected data with intelligence from Microsoft Defender Threat Intelligence, enabling more effective threat hunting and incident response. Sentinel is a scalable, cloud-native security information and event management, or SIEM, solution. As such, it collects, analyses, correlates and reports on security feeds, including log data from across an organization's IT infrastructure, and provides real-time monitoring and historical analysis of security events. It also incorporates security orchestration, automation and response, or SOAR, capabilities, meaning that it provides automation and orchestration of security operations, enabling faster and more efficient incident response. Defender XDR is an extended detection and response, or XDR, solution, and as such, it provides integrated threat detection and response across multiple security layers, including endpoints, like EDR systems do, but also networks and cloud environments.
With a deeper understanding of each of these layers, it combines data from multiple security tools into a single interface for comprehensive threat visibility. It also uses AI and analytics to detect sophisticated threats across various attack vectors and includes automation capabilities to quickly respond to threats. Microsoft has developed a unique solution that combines the strengths of SIEM and XDR into a single comprehensive, integrated platform with over 300 data sources. This platform acts as a central hub for importing and analysing event and log data from various endpoint products. It provides robust tools to prevent, detect, investigate, and respond to cyber threats across your enterprise.
In this presentation, we will focus on Defender Threat Intelligence or MDTI. It provides continuous threat intelligence and exposes adversaries. Together with Defender threat analytics, it helps prioritize, guide, and accelerate alert and incident response.
As highlighted in yellow here, MDTI is also integrated with Microsoft Sentinel and Defender XDR, which are essential components in the Defender incident response and threat hunting environment. This integration is crucial because, to enable the incident response and threat hunting capabilities, most Sentinel and Defender XDR connectors gather logs, incidents, and endpoint data from various sources like your external attack surface, Office 365 and numerous other endpoints. When connected to MDTI, Sentinel and Defender XDR can enrich that incident and log data with the wealth of external intelligence MDTI provides. So this connectivity significantly enhances the overall effectiveness and speed of your incident response and threat hunting. So in summary, Microsoft's security portfolio offers a comprehensive and integrated suite of solutions designed to protect your organization from a wide range of cyber threats and helps you maintain regulatory compliance and build trust with your customers. As cyber threats continue to evolve, these tools will help you stay ahead of potential risks and ensure the safety and integrity of your organization's digital assets.
OK, so now let's focus on Microsoft Defender Threat Intelligence or MDTI. So at a high level, MDTI is a product that enhances triage, incident response, threat hunting, vulnerability management, and threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence. When combined with Microsoft Sentinel, Defender XDR and other Defender endpoint products, this intelligence can be specifically focused on your particular IT assets. MDTI is integrated as a user interface or UI blade within the Microsoft Defender XDR Portal alongside other Defender products. This integration surfaces raw and finished intelligence, threat hunting tools and an in context UI helper via the Security Copilot sidecar. This unified interface streamlines security management across various domains.
Centralizing security operations into the Microsoft Defender XDR Portal reduces the complexity of managing multiple tools and interfaces. MDTI serves as a complement to these products by providing threat intelligence that enriches the data from the other products, providing more context and intelligence around incidents and queries. While Defender XDR consumes and presents data from the various Defender products already mentioned, the UI is arranged functionally, not by product, as you can see by the functional menu sections, or blades, on the left of this screen.
Let's look briefly at each of these blades. Exposure Management provides visibility into your organization's digital attack surface, helping security and IT teams identify unknowns, prioritize risks, and eliminate threats. The Investigation and Response Blade centralizes incident investigation and response activities, allowing security teams to analyse alerts, correlate incidents, and take action. The Threat Intelligence Blade is the subject of this video, but in summary, it surfaces raw and finished threat intelligence, including indicators of compromise or IOCs, threat actor profiles and attack techniques. This blade helps security teams stay informed about the latest threats and leverage intelligence for proactive defence. The Assets Blade provides an inventory of all assets within the organization, including devices, applications and users.
It helps in tracking and managing assets, ensuring they are secure and compliant with organizational policies. Microsoft Sentinel delivers a comprehensive SIEM and SOAR solution. It collects and analyses data from various sources to detect, investigate and respond to threats across the enterprise.
The Identity Blade focuses on identity protection by monitoring and analysing user activities and behaviours. The Endpoints Blade manages and protects endpoints by providing real time visibility, threat detection, and response capabilities. The E-mail and Collaboration Blade protects e-mail and collaboration tools from threats such as phishing, malware, and data breaches. The Cloud Apps Blade monitors and secures cloud applications by providing visibility into app usage, detecting risky behaviours, and enforcing policies. And finally, the Operational Technology Blade focuses on securing operational technology environments, including industrial control systems and IoT devices.
OK, let's dig a little deeper into the value that MDTI provides. The primary value it offers is providing you with a vast amount of up-to-date, relevant intelligence at your fingertips. This can be categorized into raw intelligence and finished intelligence. MDTI telemetry captures over 78 trillion security signals. That massive amount of data makes up MDTI's raw intelligence. Raw intelligence provides unique security data sets, which help in pinpointing relationships to known malicious infrastructure, tooling and backdoors at incredible scale. We provide customers with the same raw signals that Microsoft systems and researchers use.
Customers can query these threat infrastructure relationships directly or at scale via the API so that in most cases they can instantly know everything they need to know about a piece of threat tooling. Is it malicious? Is it tied to known threat groups, attackers or tooling? What other infrastructure in general is it tied to? Finished Intelligence, on the other hand, is created by our Microsoft Threat Intelligence Centre, or MSTIC, research team, who layer their research to create the Finished Intelligence. This includes articles, Intel profiles about actors and tooling, and activity snapshots from thousands of experts informed by tens of trillions of signals. That research also includes updated tactics, techniques and procedures, or TTPs, recommendations, targeting and associated indicators of compromise, or IOCs.
The Finished Intelligence in MDTI represents a significant advancement and added value that will be highly valued by customers transitioning from other solutions, including RiskIQ PassiveTotal. Our threat research teams comprise thousands of experts across more than 75 countries. Those experts span a massive range of specializations, which helps us understand all types of threats.
We are currently tracking over 300 threat actor groups, including 160 nation states. We also have a partner network of more than 15,000 partners, across which we are continuously sharing crucial information and intelligence. Now let's look at a demo of Microsoft Defender Threat Intelligence. After that, we'll look in more detail at Security Copilot. Microsoft Defender Threat Intelligence can be accessed at security.microsoft.com. To use it, you'll need a Microsoft Entra ID (previously Azure Active Directory) or personal Microsoft account to sign in, and an available Defender Threat Intelligence Premium license.
And finally, you'll need someone who is a Global Administrator or Identity Governance Administrator to assign the Defender Threat Intelligence license to you using the Microsoft Entra Admin Center at entra.microsoft.com. Note that the cost is per user license and is not influenced by how much that user uses the product. While all MDTI data can be accessed by API, in this demo we'll focus on using the portal to access both raw and finished intelligence.
I'll discuss the use of the API in a later video. MDTI comprises the following three sections in the Threat Intelligence Blade: Threat Analytics, Intel Profiles, Intel Explorer, and Intel Projects. Threat Analytics is purchased separately and is included with some of the Defender Endpoint products. I mention it here because it installs as a plugin for the Threat Intelligence Blade in Microsoft Defender XDR, so it may appear to be part of Threat Intelligence. Threat Analytics uses your asset data from products such as Defender for Endpoint and Defender for O365, and correlates that with Defender Threat Intelligence data to provide threat intelligence focused and prioritized based on your actual inventory of assets. The Intel Profiles Blade is a home for all shareable knowledge on tracked threat actors, malicious tools and vulnerabilities, curated and continuously updated by Microsoft threat intelligence experts to provide relevant and actionable threat information and context.
Whereas the Threat Analytics Blade combines different types of threats into one list combined with asset data, the Intel Profiles Blade provides a separate list for published intelligence for each of threat actors, tools and vulnerabilities. Having separate lists means the lists are more optimised for the content. As you can see for example here the Threat Actors list gives a summary country or region of origin and target industry summary.
The Vulnerability list is also optimised for that data type, with fields for priority and Common Vulnerability Scoring System, or CVSS, scores. And the Tools tab provides a searchable list of tools. You can open any of the listed items and drill in for more detail. For example, profiles provide sections providing a snapshot, targeting details, recommendations, detection and hunting queries, references, and, on a separate tab, Tactics, Techniques and Procedures, or TTPs. Reports on tools also provide detailed information, including a snapshot and detailed description, including source code, IOCs, MITRE ATT&CK techniques observed, recommendations, detections and hunting queries, advanced hunting guidance and references. Reports on Common Vulnerabilities and Exposures, or CVEs, are similarly detailed, with a snapshot and sections on impacted technologies, detailed description, recommendations, detections and hunting queries, and references.
If available, it also provides links for POC chatter observed, and info on active exploitations. This finished intelligence and the depth of detail in these reports really help set Defender Threat Intelligence apart in the market. Let's now move on and look at Intel Explorer. It allows you to search across the entire MDTI data set, including hosts, domains, IP addresses, reports, tags, components, trackers, WHOIS data, certificate data, and cookie data. Often this will be your starting point for investigations.
Defender Threat Intelligence is designed to let you search and pivot across various indicators from different data sources, making it easier than ever to discover relationships between disparate infrastructure. Let's look at an example scenario for MDTI. We'll usually start with Intel Explorer Search, which is both simple and powerful, designed to surface immediate insights while also letting you directly interact with the data sets that comprise these insights. You can manually constrain the search by specifying the search scope, or, where possible, Intel Explorer will recognize the type of data you are searching for and constrain its search accordingly. For example, when you search for an IP address, that automatically results in an IP address search, and when you search for fabrikam.com, for example, it results in a domain search, whereas if you search for canaryfabrikam.com it results in a host search. If you search for a CVE ID, it results in a CVE ID keyword search. This is useful, for example, if you're using EASM and find that one of your assets on your external attack surface has a CVE vulnerability. In EASM you can only see the freely available CVE data, which is quite limited.
But when you come into MDTI and enter the CVE info here, you can then drill into the much more detailed MDTI Premium data on that CVE. On the other hand, if you search for APT29, for example, it does not recognize a data type and it results in a keyword search across many data types. And so in this case, it returns threat actor articles, certificates, and components on both hosts and IP addresses. Often the results of one query will raise questions, leading you to run another query, and the results of that query will in turn raise more questions and lead you to another query. And so on it goes. The process is effectively guided infrastructure chaining.
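As an added illustration (not MDTI's own code), here is the search-scope inference just described, written as a small Python helper you could run over a batch of indicators before pivoting on them. It assumes a simplification: a name with exactly two labels is treated as a registrable domain and a longer name as a host, and the sample indicators at the bottom are constructed.

```python
"""Infer Intel Explorer's search scope from an indicator before querying.

Hypothetical re-implementation of the scoping rules from the video:
IP address -> IP search, registrable domain -> domain search, fully
qualified hostname -> host search, CVE ID -> CVE ID keyword search,
anything else -> general keyword search. Assumption: two DNS labels mean
a domain, three or more mean a host (this ignores multi-part public
suffixes such as co.uk, which a real implementation would look up).
"""
import ipaddress
import re
from collections import defaultdict

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
DNS_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.IGNORECASE)


def infer_scope(query: str) -> tuple[str, str]:
    """Return (scope, normalized_query) for one search string."""
    q = query.strip()
    if not q:
        return "keyword", q
    try:
        ip = ipaddress.ip_address(q)  # accepts IPv4 and IPv6
        return "ip", str(ip)
    except ValueError:
        pass
    if CVE_RE.fullmatch(q):
        return "cve", q.upper()
    labels = q.lower().rstrip(".").split(".")
    looks_like_name = (
        len(labels) >= 2
        and all(DNS_LABEL_RE.fullmatch(label) for label in labels)
        and not labels[-1].isdigit()  # reject malformed IPs such as 10.0.0.256
    )
    if looks_like_name:
        scope = "domain" if len(labels) == 2 else "host"
        return scope, ".".join(labels)
    return "keyword", q


def triage(indicators) -> dict[str, list[str]]:
    """Group a mixed list of indicators by the search scope they will hit,
    de-duplicating after normalization so one pivot is run per indicator."""
    buckets = defaultdict(list)
    for raw in indicators:
        scope, norm = infer_scope(raw)
        if norm not in buckets[scope]:
            buckets[scope].append(norm)
    return dict(buckets)


if __name__ == "__main__":
    # Constructed sample: the kinds of values an analyst pastes in from a case.
    sample = [
        "192.0.2.10", "fabrikam.com", "canary.fabrikam.com",
        "FABRIKAM.COM.", "cve-2024-99999", "APT29", "10.0.0.256",
    ]
    for scope, items in triage(sample).items():
        print(f"{scope:8} {items}")
```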
For example, you might be looking at the premium data on a CVE and look at the affected components and then jump across to look at the data on the threat actors that are known to be exploiting that vulnerability. Then jump to a related article. You might then look at the public and defender threat intelligence indicators for that attack. Let's now move on and look at Intel projects.
You can create multiple projects for organizing indicators of interest and indicators of compromise from an investigation. Projects contain a list of associated indicators and a detailed history that retains the names, descriptions, and collaborators. When you search for an IP address, domain, or host in MDTI, if that indicator is listed within a project you have access to, you can see the link to the project from the Intel Projects tab. From there, you can navigate to the details of the project for more context about the indicator before reviewing the other data sets for more information.
You can therefore avoid reinventing the wheel of an investigation that one of your Defender TI tenant users might have already started. If someone adds you as a collaborator to a project, you can also add on to that project by adding new IOCs. OK, let's move on and discuss Microsoft Security Copilot.
Security Copilot, when used with Microsoft Defender Threat Intelligence Premium, or MDTI, acts as an AI-powered assistant that enhances the capabilities of security analysts. It provides real-time, contextual threat intelligence, including information about threat actors, indicators of compromise, or IOCs, and vulnerabilities. By leveraging natural language processing, Copilot helps users rapidly investigate incidents, enrich threat hunting activities, and gain deeper insights into the threat landscape. This integration streamlines workflows, making it easier for security teams to respond to threats efficiently and effectively. When you are licensed for Security Copilot, you get access to both Microsoft Defender Threat Intelligence and Microsoft Threat Analytics, both included. Threat Analytics relates, or connects, the dots between MDTI's universal threat intelligence and your organization's actual inventory of IT assets as collected by Defender XDR, which collects from other Defender endpoint products.
This combination in turn allows Copilot to then customize its responses based on your installed IT infrastructure. When licensed for Security Copilot, you will then also have access to the Microsoft Defender Threat Intelligence Premium Copilot Sidecar, which constrains Copilot to only reason over the combination of Microsoft Defender Threat Intelligence and Threat Analytics data. This focuses Copilot, which can then relate and prioritise threat intelligence from MDTI based on the inventory of what you actually have in your environment from Threat Analytics. By contrast, when using the stand-alone Security Copilot, it also reasons over all other data based on what Microsoft and third-party plugins are active, giving it a broader awareness and scope. Copilot automatically uses available plugins, which will often include Defender XDR, which collects and presents data from most of the other Defender products, Defender External Attack Surface Management, Sentinel and many more, including third-party plugins, as you can see here. Let's now look at a demo of Security Copilot.
We'll start by looking at the Defender Threat Intelligence Copilot sidecar experience and then look at the stand-alone Security Copilot. If you're enabled for Security Copilot, then when using MDTI you will be able to use this Copilot button to open this Copilot sidecar, which you can now see on the right-hand side of the page. This includes some ready-to-use prompts that vary depending on what blade you are viewing. By clicking on the prepopulated Summarize prompt, "Give me an overview of the latest threats to my organization", Copilot returns the latest Intel profiles and activity snapshots that contain mentions of your vulnerabilities and TTPs (tactics, techniques, and procedures), that include reference to the infrastructure that your organization actually runs, and other relevant factors such as intelligence that mentions your industry and region.
If we then click the new chat button we can start over, and choose a Prioritise prompt which asks Copilot, "Which threat should I focus on based on their exposure scores?" Copilot then uses Threat Analytics and MDTI and looks across your organization's attack surface and delivers intelligence most relevant based on the exposures and vulnerabilities you have across your attack surface. Clicking the new chat button again, we can choose the Ask prompt, which asks the question, "Which threat actors are targeting infrastructure in my industry?" Copilot returns summaries of the top threat actors implicated in attacks involving your industry.
This information provides an excellent starting point for threat research and building out a robust defence strategy. Of course, you're also free to go ahead and ask different questions, but this gives you a flavour of the power of this tool. OK, let's move on and look at a demo of Security Copilot Standalone, which you can access at securitycopilot.microsoft.com. Let's take a moment to focus on the homepage. Here, you'll notice that the last three queries we made in the MDTI sidecar are displayed.
Each query is treated as a separate session, allowing you to easily return to any of them by clicking on the respective item. Additionally, you can click on the View All Sessions link to access your session history, and resume any previous session with a single click. At the bottom of the screen you can see the Security Copilot Prompt Books section with recently used Prompt Books shown and a link to the View Prompt Book library. Each is a collection of prebuilt prompts designed to accomplish specific security related tasks. They provide ready to use workflows that automate repetitive steps such as incident response or investigations.
In many cases, you need to insert a piece of information, such as a piece of script or a vulnerability ID, to customize it to your circumstance. Note that the appearance of the home page may change as new features are introduced. As you can see here, it is now showing prompts to try. Also, by using this button in the prompt bar, you can view, activate and deactivate plugins as needed. This feature also allows you to upload files such as internal policies, ensuring that your organizational knowledge informs Copilot's responses. When prompting, specify a file name or uploaded files to ensure that Copilot utilises them.
Only you will have access to your uploaded files. OK, moving on. Let's assume you want to know the threat with the biggest impact to your organization. You can simply ask, "Show me the threat with the highest impact to my organization."
Copilot identifies Golden SAML as the biggest threat and provides a count of related alerts and impacted users. So we could then ask Copilot to show me a list of impacted users. It provides a truncated list with a link to access a full list and more info. That link takes us to Defender Threat Intelligence, where we can see that the number of impacted users has been climbing over time. We can click on the Users link to see the full list of users. Back in Security Copilot, we may be interested to ask what threat actors are involved.
It identifies Midnight Blizzard, Octo Tempest, and Peach Sandstorm and provides details on each of them. We then ask is there a recommended remediation and Copilot lists the recommended mitigations, giving us an actionable way forward. OK, now let's look at another scenario. Let's assume we want to know more about an incident alert we got from Defender XDR.
We can ask Copilot to tell me more about Defender XDR Incident 3285. As you can see, it returns a lot of information. It looks like a fictitious user clicked a phishing link and a suspicious forwarding rule was set on a user's inbox. A malicious URL was involved, a risky sign in, and a suspicious credential dump. There is a short summary and a link to the incident in XDR. Following the link, we can see a lot more info, including the fact that automatic attack disruption has already been taken, a graph of the incident, a list of related alerts, assets, investigations, evidence and response, and recommended actions.
But, retaining our focus on Copilot, we might want to ask, "Share the entities associated with this incident." As you can see, it provides a comprehensive result listing the user involved, related IP addresses, 2 devices, related processes, URLs, cloud apps, mailboxes and Azure resources. As you can see, it has joined a lot of dots to determine the entities involved with this incident. So I might want to then ask, "Are there any related IP addresses or URLs known to be malicious?" And sure enough, one URL is indeed malicious, recently active and known to be involved in phishing campaigns; another is classified as suspicious.
And the most important thing you usually want to ask is, "What remediations are recommended?" It looks like in this case, the actions have already been taken and this fictitious user account has already been suspended. OK.
These two demo scenarios clearly illustrate the immense value that Security Copilot offers to security analysts. It enhances your ability to respond to incidents and hunt for threats effectively. In conclusion, Microsoft Defender Threat Intelligence plays a critical role in enhancing threat detection, incident response, and threat hunting with unique finished intelligence, which provides actionable insights and helps prioritize incident response effort.
By leveraging MDTI's continuous threat intelligence, particularly when used with Security Copilot, Threat Analytics and other Microsoft Defender products, organisations can effectively manage and respond to cyber threats, ensuring the safety and integrity of their digital assets. I hope that this presentation and these demos have provided some insights into the use and value of MDTI, particularly when used with Security Copilot, and so will help you maximise the benefits of these tools. This concludes our MDTI overview and demo video. Thanks very much for watching. I hope you found it helpful.
Future videos in this series will delve deeper into threat hunting, the MDTI APIs, maximizing the use of Copilot, and MDTI's integration with other products like Sentinel. I hope you'll join us for those videos as well. Thanks again and all the best.
2025-01-06 03:47