Microsoft Defender Threat Intelligence
Last updated
Last updated
This section goes over what is Microsoft Defender Threat Intelligence. This service offering includes both Premium and free tier offerings.
Microsoft Defender Threat Intelligence (Defender TI) is a platform developed by Microsoft to improve various cybersecurity workflows, such as triage, incident response, threat hunting, vulnerability management, and threat intelligence analysis. This platform is designed to help security organizations manage and act on large volumes of intelligence and alerts effectively.
Unified Data Access: Defender TI centralizes various data sets, including DNS data, WHOIS information, malware data, and SSL certificates. This aggregation allows analysts to access all relevant information from a single platform, making it easier to assess suspicious domains, hosts, or IP addresses.
Reputation Scoring: The platform provides reputation scores for hosts, domains, or IP addresses. The reputation score includes information such as the first and last seen timestamps, Autonomous System Number (ASN), country or region, associated infrastructure, and specific rules that impact the score. This context helps analysts quickly determine any detected ties to malicious or suspicious infrastructure.
Analyst Insights: Defender TI offers observations from Microsoft's data sets, simplifying investigations for analysts. These insights provide small facts or observations about a domain or IP address, helping analysts assess whether an indicator is malicious, suspicious, or benign.
Vulnerability Management: The platform supports CVE ID searches, resulting in detailed vulnerability articles. Each article includes a description of the CVE, a list of affected components, mitigation procedures and strategies, related intelligence articles, and references from deep and dark web chatter. Defender TI also provides a priority score and severity indicator for each CVE, helping organizations prioritize remediation efforts.
Collaborative Investigations: Defender TI enables analysts to collaborate with other licensed users within their organization. This feature allows sharing of insights and findings, enhancing collective threat intelligence efforts. Users can develop projects to organize indicators of interest and track the history of investigations, improving overall efficiency.
Articles and Narratives: The platform features articles that provide insights into threat actors, their tooling, attacks, and associated vulnerabilities. These articles link to actionable content and key indicators of compromise (IOCs), allowing users to track threats and take appropriate action. Articles are categorized into featured and recent, ensuring analysts have access to relevant and up-to-date information.
Data Aggregation and Enrichment: Defender TI collects, analyzes, and indexes data from various sources, including passive DNS sensors, port scanning, URL and file detonation, and other methods. This aggregated data helps users detect threats, prioritize incidents, and identify infrastructure associated with threat actors.
User-Friendly Interface: The Intel explorer page within the Microsoft Defender portal is designed for ease of use. Analysts can scan new featured articles, perform keyword, indicator, or CVE ID searches, and access relevant data sets for intelligence gathering, triage, incident response, and hunting efforts. This interface reduces the time analysts spend on data discovery and parsing, allowing them to focus on deriving actionable insights.
As of June 30, 2024, the standalone Defender TI portal () will be retired. Customers can continue accessing Defender TI through the Microsoft Defender portal or with Microsoft Copilot for Security. This transition ensures continuous support and access to the features provided by Defender TI, allowing organizations to maintain their security operations without disruption.