We are excited to announce that the Microsoft Defender Threat Intelligence (MDTI) team has launched our official GitHub Community. There, we share technical solutions with customers to help the SOC maximize Microsoft Threat Intelligence in MDTI for a wide range of common incident response and threat hunting scenarios. In this blog post, we'll explore how to access GitHub and run several custom scenarios that can easily enhance your security processes through powerful enrichment and automation that boost efficiency and understanding of threats.
Access to the GitHub repository
To access our GitHub repository, customers can go to: aka.ms/MDTIGitHub
Users will be presented with a range of technical solutions that can enhance their ability to manage security processes and situations with an emphasis on the following areas:
|
Folder on GitHub repository |
Technical Solution and information |
|
M365 Advance hunting queries |
This provides a series of M365 Defender queries that support advanced hunting through querying Indicators of Compromise (IoCs) identified in MDTI articles and Intel Profiles. You can see an in-depth overview of how this can be done here: aka.ms/MDTINowInM365DBlog |
|
MDTI playbooks |
These provide a view of different playbooks that can be leveraged in the following areas: · Enrichment use cases with Microsoft Sentinel · Brand intelligence scenarios · Third-party enrichment |
|
Notebooks |
This provides a view of different Jupyter notebooks that address the need for advanced use cases, enabling advanced hunting for customers: In this folder, customers · Introductory notebooks that provide guidance on running Threat intelligence calls with the MDTI API · The MDTI Heatmap generates a visualization to display the first and last seen dates of various DNS record types (NS, SOA, and AAAA) associated with the specified domain. |
|
Postman Collection |
A collection that provides guidance on how customers can use the MDTI API. · You can see more guidance on how to use the API in the blog post here: aka.ms/MDTIAPIBlog · Visit the MDTI Video Tutorial here: aka.ms/MDTIAPIPracticalGuideVideo |
|
Workbooks |
This dashboard provides a user-friendly interface that enables organizations to easily access and analyze threat intelligence data. With this new tool, decision-makers can make informed decisions to strengthen their security posture and protect against potential threats. Visit the blog post for more: aka.ms/MDTIIntelReportingBlog |
MDTI GitHub
Figure: The MDTI GitHub repository
Custom Scenarios for Microsoft TI
Use Case Scenario 1: Brand Intelligence
This use case involves monitoring and analyzing online activity related to a particular brand or organization to detect potential risks or threats. Brand Intelligence can include monitoring social media, online forums, and other sources for negative comments or mentions of the brand, as well as tracking attempts to impersonate the brand or steal sensitive information.
To help with brand protection, the MDTI team developed the Typosquat playbook,. This playbook enables security teams to quickly prioritize their domain takedown activities based on the level of risk posed by each domain with a systematic approach for detecting and taking down typo squat domains. It leverages an open-source tool called openSquat to identify new domains that are created with slight variations of legitimate domain names in relation to a keyword selected by the user. Once these domains are identified, the Typosquat playbook automatically runs them against the MDTI Reputation endpoint. This platform provides real-time reputation scoring for domains (malicious or suspicious), and the results are provided in an email, showcasing the domains against the reputation endpoint.
To use this playbook, you will need to go to the playbook on our GitHub Page, ensure you have your MDTI API credentials, and click the “Deploy to Azure” button. This action will proceed to deploy a playbook based on your specifications of keywords and generate a result based on the response.
Figure: Deploy Typosquat playbook
Figure: add credentials to run the playbook
In this case, we’ll use the keyword "Microsoft" to determine if any domains that have been created and are potential typo squats. After adding all the details, we proceed to create the playbook and run it. Once the playbook has run, users will see the following:
Figure: Consolidated table for typosquat domains enriched with reputation endpoint from MDTI. In this example, if we narrow down to one of these domains that have been identified as malicious directly, we can understand what we need to prioritize for a domain takedown activity.
Figure: Email result for Typosquat playbook
Use Case Scenario 2: Latest Threat Trends
Threat intelligence is a critical component of any effective cybersecurity strategy, and organizations that prioritize it are better positioned to protect their systems and data from potential threats. Therefore, it’s crucial for organizations to get visibility of the latest threat trends because it helps them stay ahead of new threats. By collecting and analyzing data from various sources, organizations can identify the latest threat trends and intel, prioritize the threats based on their severity and relevance and take appropriate action to mitigate the risks.
In this use case, we have the MDTI Articles Newsletter playbook. This playbook uses the MDTI article data to provide the latest articles generated by Microsoft Threat Intelligence and sends the user an email summary. To use this playbook, customers will need to ensure they have their MDTI API credentials, and click the “deploy to Azure” button.
Figure: The MDTI Article newsletter playbook
After deploying the playbook and adding the defined API connection credentials, please proceed to run the playbook. The following is the defined result (email summary).
Figure : New MDTI Articles from the last 7 Days, result of MDTI playbook
Get Started
Get access to our GitHub repository and work with our technical solutions team, provide feedback, areas of improvement, etc. We are also keen on people looking to contribute to our GitHub repository. If you have a solution leveraging MDTI that you would like to see on our GitHub repository, please kindly send an email here: mdti-pm@microsoft.com
Sign Up for a Trial
- Please reference our “Getting Started with MDTI” blog for details regarding setting up your MDTI Premium trial.
Questions
We hope this blog helps you understand the value MDTI can provide. If you have inquiries regarding threat intelligence use cases mentioned or not mentioned in this blog and are not currently working with a MDTI Technical Specialist or Global Black Belt, please comment below or email mdti-pm@microsoft.com.
Feedback
We would love to hear your ideas to improve our MDTI platform or where our threat intelligence could be used elsewhere across the Microsoft Security ecosystem or other security third-party applications. Feel free to comment below or email mdti-pm@microsoft.com to share that feedback. If you are currently working with a MDTI Technical Specialist or Global Black Belt through this PoC, please communicate your requested use cases and product feedback to them directly.
Learn About New MDTI Features
Please join our Cloud Security Private Community. Users that would like to help influence the direction and strategy of our MDTI product are encouraged to sign-up for our Private Preview events. Those participating will earn credit for respective Microsoft product badges delivered by Credly.