Microsoft has announced a change that matters to security analysts working incident response, threat hunting, vulnerability management and triage: Microsoft Defender Threat Intelligence (MDTI) is now integrated into Microsoft 365 Defender, pairing MDTI's threat intelligence data sets with the Extended Detection and Response (XDR) capabilities of M365D.

What’s New?

1. Defender TI Integration with Microsoft 365 Defender

  • For licensed customers, Defender TI is now available directly inside the Microsoft 365 Defender portal.
  • This gives analysts a single interface for threat intelligence and incident data, so response work no longer requires switching between portals.

2. Accessibility and Reference Made Easy

  • With Defender TI inside M365 Defender, analysts can look up and reference threat intelligence without leaving the investigation they are working.
  • This shortens the time needed to understand a threat actor and its tooling, and lets analysts pivot from an incident into an investigation of the external threat infrastructure behind it.

3. Features for Licensed Users

  • Threat Intelligence Navigation Blade Tab:
    • A new navigation tab consolidates the threat intelligence features alongside threat analytics.
  • Intel Profiles:
    • Profiles of threat actors that cover their Indicators of Compromise (IOCs) and their tools, tactics, techniques, and procedures (TTPs).
  • Intel Explorer Tab:
    • A new tab for pivoting across Internet data (hosts, domains, certificates and similar artefacts) drawn from Microsoft's continuously updated Internet-scale data sets, so an investigation can follow infrastructure beyond the organisation's own telemetry.

Practical Use Cases

1. Advanced Hunting with Defender TI IOCs in M365 Defender Logs and Events

  • Take IOCs identified in Defender TI, using the Host Pairs data set for the "Franken-phish" phishing kit as the worked example.
  • Map those IOCs into an advanced hunting (KQL) query in M365 Defender; the same approach works for IOCs taken from Defender TI articles or Intel Profiles.
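The shape of such a hunting query, as an added example that is not from the original article. The two IOC domains are constructed placeholders (they are not the real Franken-phish Host Pairs values); the analyst substitutes the domains taken from the Defender TI data set, and the query then checks endpoint network connections, Safe Links clicks and inbound email URLs against that list:

```kql
// Added example: hunt M365 Defender advanced hunting tables for a list of IOC domains.
// The domains below are CONSTRUCTED PLACEHOLDERS; replace them with the Host Pairs
// values copied from the Defender TI article or Intel Profile.
let iocDomains = dynamic([
    "phishkit-placeholder-1.example",
    "phishkit-placeholder-2.example"
]);
let lookback = 30d;
// RemoteUrl / Url may be a bare host or a full URL; normalise so parse_url works on both.
let hostOf = (u:string) {
    tolower(tostring(parse_url(iff(u startswith "http", u, strcat("http://", u))).Host))
};
// Endpoint connections (Defender for Endpoint telemetry).
let endpointHits =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(RemoteUrl)
    | extend Domain = hostOf(RemoteUrl)
    | where Domain in~ (iocDomains)
    | project Timestamp, Source = "DeviceNetworkEvents", Domain, Indicator = RemoteUrl,
              Identity = DeviceName, Detail = InitiatingProcessFileName;
// Safe Links clicks (Defender for Office 365).
let clickHits =
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | extend Domain = hostOf(Url)
    | where Domain in~ (iocDomains)
    | project Timestamp, Source = "UrlClickEvents", Domain, Indicator = Url,
              Identity = AccountUpn, Detail = ActionType;
// URLs seen in delivered mail, joined to the message metadata.
let emailHits =
    EmailUrlInfo
    | where Timestamp > ago(lookback)
    | where tolower(UrlDomain) in~ (iocDomains)
    | join kind=inner (
        EmailEvents
        | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject
      ) on NetworkMessageId
    | project Timestamp, Source = "EmailUrlInfo", Domain = tolower(UrlDomain), Indicator = Url,
              Identity = RecipientEmailAddress, Detail = strcat(SenderFromAddress, " | ", Subject);
// One row per matched domain, with who/what touched it and from which data source.
union endpointHits, clickHits, emailHits
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(),
            Identities = make_set(Identity, 20), Sources = make_set(Source) by Domain
| sort by LastSeen desc
```

The domain is extracted with parse_url rather than matched with a substring operator so that a placeholder like "phishkit-placeholder-1.example" does not also match "phishkit-placeholder-1.example.evil-tld" or a URL that merely carries the IOC in its path. Widen the lookback and add DeviceEvents or IdentityLogonEvents if the IOC set includes IP addresses or user agents rather than domains.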

2. M365 Defender Raw Event Detection

  • Ingest M365 Defender raw events (the advanced hunting tables) into Microsoft Sentinel through the Microsoft 365 Defender data connector.
  • Import threat indicators from Defender TI with the new Defender TI Sentinel data connector, then run TI correlation analytics rules against them.
  • Matches between the indicators and the raw M365 Defender event tables generate Sentinel incidents that carry both the M365 Defender events and the related alerts.
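As an added example of the third step (not from the original article), a scheduled Sentinel analytics rule that joins Defender TI domain indicators to the DeviceNetworkEvents table forwarded by the M365 Defender connector. It assumes the TI connector writes to the ThreatIntelligenceIndicator table, which is the table the Sentinel TI connectors populated at the time of the article; confirm the table name in your workspace before scheduling it:

```kql
// Added example: Sentinel analytics rule correlating Defender TI domain indicators
// with M365 Defender raw events. ASSUMPTION: indicators land in ThreatIntelligenceIndicator
// and endpoint telemetry in DeviceNetworkEvents (both via their Sentinel connectors).
let ioc_lookBack = 14d;   // how far back to collect indicators
let dt_lookBack  = 1h;    // event window; set this equal to the rule's run frequency
let hostOf = (u:string) {
    tolower(tostring(parse_url(iff(u startswith "http", u, strcat("http://", u))).Host))
};
// Keep only the latest version of each indicator, and only active, unexpired ones.
let activeDomainIocs =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(DomainName)
    | project IndicatorId, TI_Domain = tolower(DomainName), ConfidenceScore, ThreatType,
              Description, SourceSystem, ExpirationDateTime;
activeDomainIocs
| join kind=innerunique (
    DeviceNetworkEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(RemoteUrl)
    | extend MatchDomain = hostOf(RemoteUrl)
    | project EventTime = TimeGenerated, MatchDomain, DeviceName, DeviceId,
              InitiatingProcessAccountName, InitiatingProcessFileName,
              InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
  ) on $left.TI_Domain == $right.MatchDomain
// The indicator must still have been valid at the time of the connection.
| where EventTime < ExpirationDateTime
| project EventTime, TI_Domain, ConfidenceScore, ThreatType, Description, SourceSystem,
          DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
```

When saving this as a scheduled rule, set the query frequency and lookup period both to the value of dt_lookBack so events are neither missed nor double-counted, map DeviceName to the Host entity, InitiatingProcessAccountName to the Account entity and TI_Domain to the DNS entity so the resulting incident carries the M365 Defender context, and consider a ConfidenceScore threshold to keep low-confidence indicators from paging the on-call. Sentinel also ships built-in "TI map" analytics rule templates that do the same correlation for several tables; the hand-written version above is useful when you need to tune which columns reach the incident.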

This integration gives defenders who use Microsoft Defender Threat Intelligence a much shorter path from intelligence to detection inside Microsoft 365 Defender. Expect further updates as the integration develops and reshapes how threat management and response are done in the portal.

Read the full article on the Microsoft Tech Community here