
Utilizing Microsoft Defender Threat Intelligence IoCs in Sentinel

09/03/2023

It has been a few years since Microsoft acquired RiskIQ, and the result of that acquisition was recently released as Microsoft Defender Threat Intelligence (MDTI).

What is MDTI?

I have already written a few times about IoCs (indicators of compromise) and how they can be integrated into Sentinel, as in the case of VirusTotal ( Marcelo Sincic | Enriching Sentinel with data from Virus Total ).

In this post we will look at the MDTI solution, how to integrate its indicator base with Sentinel, and how to use it for hunting and for the analysis of incidents and alerts in your environment.

First, it is important to know that the MDTI service itself is licensed per user under a contract licensing model, but its indicator base can be imported into Sentinel through a data connector.

Connecting Sentinel to MDTI Base

For this you need to install the Microsoft Defender Threat Intelligence solution in Sentinel from the Content Hub and then configure its Data Connector as shown below:

Once configured, MDTI indicators are ingested daily into Sentinel's Threat Intelligence base (the ThreatIntelligenceIndicator table):

Keep in mind that the IoCs ingested from MDTI are stored alongside your custom IoCs and those imported from any other feeds you have configured; they all share the same table, and the SourceSystem column tells them apart.

Configuring Log integrations with TIs

After installing the solution and configuring the data connector, the next step is to enable the correlation rules in Sentinel Analytics that match your logs against the imported indicators.

Several rule templates for this are already available out of the box:

These rules are KQL queries that match log events (and the alerts and incidents built from them) against the base of imported IoCs. When a known malicious IP or URL was accessed from, or tried to access, your environment, the resulting alert is enriched with the indicator's details.

Of course, this can also be done manually: it is enough to run a custom KQL query from Sentinel's hunting queries to match IPs and URLs against the different logs Sentinel already holds. One example of this came up with a recent client, where we discussed matching Umbrella DNS logs against MDTI indicators to detect malicious websites accessed by users.
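The Umbrella DNS case mentioned above, written out as a hunting query. This is an added example and not a query from the original post or from Microsoft's rule templates; it assumes the Cisco Umbrella connector stores DNS events in Cisco_Umbrella_dns_CL with the columns Domain_s, InternalIp_s, Identities_s and Action_s (verify these against your own schema), and it reads the domain indicators from the ThreatIntelligenceIndicator table that the MDTI connector populates.

```kql
// Added hunting query (not from the original post): match Cisco Umbrella DNS
// queries against domain indicators in Sentinel's ThreatIntelligenceIndicator table.
// ASSUMPTIONS: Umbrella logs live in Cisco_Umbrella_dns_CL with the columns
// Domain_s, InternalIp_s, Identities_s, Action_s. If your DNS source differs
// (e.g. DnsEvents with Name and ClientIP), swap the table and column names below.
let dt_lookBack  = 1h;    // how far back to scan the DNS logs
let ioc_lookBack = 14d;   // how far back to pull indicators
// 1. Indicator set: active, unexpired domain IoCs, newest version of each IndicatorId.
//    Lower-case and strip a trailing dot so the join key matches the DNS side.
let ti_domains =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(DomainName)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | extend TI_Domain = tolower(trim_end(@"\.$", DomainName))
    | project IndicatorId, TI_Domain, Description, ThreatType, ConfidenceScore,
              SourceSystem, IoC_LastUpdated = TimeGenerated, ExpirationDateTime;
// 2. DNS queries, normalised the same way.
Cisco_Umbrella_dns_CL
| where TimeGenerated >= ago(dt_lookBack)
| extend QueriedDomain = tolower(trim_end(@"\.$", Domain_s))
| where isnotempty(QueriedDomain)
// 3. Inner join (not innerunique: we want every DNS query, not one per domain).
//    A domain listed by several feeds yields one row per indicator.
| join kind=inner ti_domains on $left.QueriedDomain == $right.TI_Domain
// 4. One line per client/domain/indicator, keeping the TI context for the analyst.
| summarize FirstQuery = min(TimeGenerated), LastQuery = max(TimeGenerated),
            QueryCount = count(), Actions = make_set(Action_s)
    by InternalIp_s, Identities_s, QueriedDomain, IndicatorId, ThreatType,
       ConfidenceScore, Description, SourceSystem
| order by ConfidenceScore desc, QueryCount desc
```

Run it first from the Hunting blade to tune the lookback windows and check the volume of matches; once the results look right, the same query can be saved as a scheduled analytics rule with InternalIp_s mapped to the IP entity and QueriedDomain to the DNS entity, so matches show up as incidents like the ones from the built-in templates. Filtering on SourceSystem lets you restrict the match to MDTI indicators only, if you also import other feeds.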

Visualizing incidents with MDTI data

Now comes the practical part. Once configured, you will have new alerts and incidents in your environment:

Let’s open the details of the first one and see the IP that indicates a potential attack:

Since the incident already flags this IP as suspicious, we can look up the indicator details that were imported into the Threat Intelligence base:

And finally, I will use the MDTI portal to query the data on this IP. Note that an MDTI license is required to see these details:
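The indicator lookup described above can also be done in the Logs blade, which is useful when you want the TI verdict next to how often the IP actually touched your environment. This is an added example, not a query from the original post; the IP below is a placeholder from the TEST-NET-3 documentation range, to be replaced with the one from your incident, and the exposure part assumes your firewall logs arrive in CommonSecurityLog via CEF.

```kql
// Added investigation query (not from the original post): for the IP an incident
// flagged, pull every indicator Sentinel holds for it and count its appearances
// in firewall logs (CommonSecurityLog) over the last 7 days.
// ASSUMPTION: suspect_ip is a placeholder; paste the IP from your incident.
let suspect_ip = "203.0.113.45";   // TEST-NET-3 placeholder, replace with the incident IP
let lookback   = 7d;
// 1. Indicator context: latest version of every indicator carrying this IP in any IP field,
//    from any feed (MDTI, custom, other imports) so the SourceSystem column shows who reported it.
let ti_context =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(30d)
    | where NetworkIP == suspect_ip or NetworkSourceIP == suspect_ip
         or NetworkDestinationIP == suspect_ip or EmailSourceIpAddress == suspect_ip
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorId, SourceSystem, ThreatType, ConfidenceScore, Description,
              Tags, Active, ExpirationDateTime, IndicatorUpdated = TimeGenerated;
// 2. Exposure: direction, volume, devices and internal peers that talked to the IP.
let exposure =
    CommonSecurityLog
    | where TimeGenerated >= ago(lookback)
    | where DestinationIP == suspect_ip or SourceIP == suspect_ip
    | extend Direction = iff(DestinationIP == suspect_ip, "outbound", "inbound")
    | extend Peer = iff(Direction == "outbound", SourceIP, DestinationIP)
    | summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
                Devices = make_set(DeviceName, 20), Peers = make_set(Peer, 20)
        by Direction, DeviceAction;
// 3. Cross join on a dummy key: one row per indicator x traffic direction, so the
//    analyst sees the TI verdict beside the observed traffic. An indicator with no
//    matching traffic still appears, with empty exposure columns.
ti_context
| extend k = 1
| join kind=leftouter (exposure | extend k = 1) on k
| project-away k, k1
```

If the exposure columns come back empty while the TI rows are present, the IP was reported by the feed but never crossed your firewall in the window, which is a very different situation from a confirmed outbound connection with DeviceAction equal to allow; that distinction is what decides the priority of the incident.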

Let’s now do the same process with the second example incident I have on my list and open the details in MDTI:

Conclusion

The Microsoft Defender Threat Intelligence (MDTI) service helps you detect many forms of attack coming from known, previously identified actors and groups.

In addition, its indicator base is rich in details about the type of attack, the targets, and the groups associated with the specific IoC that was used against your environment.

One Comment
  1. Exceptional post! I’m so glad to have come across this site and read this blog post. It’s been a real help to me and I’m sure it will be for numerous others, too. Thanks for putting in the effort.
    Microsoft Defender for Threat Intel (MDTI) is a paid service that can be integrated with Microsoft Sentinel for hunting and analyzing incidents and alerts. MDTI data can be ingested into Sentinel’s Threat Intelligence base and used to enrich data by cross-checking with imported IoCs. The MDTI interface allows users to query IP data and view details of potential attacks. Overall, MDTI helps detect various forms of attacks and provides details about the type of attack and the groups involved.
    Wayne
