Become a Microsoft Defender Threat Intelligence Ninja: The complete level 400 training

AWS

Welcome to Microsoft Ninja training! This blog post will walk you through Microsoft Defender Threat Intelligence (Defender TI) level 400 training and help you become a Defender TI master.



Curriculum



This program is comprised of six training modules that will enable users to get to know and get the most out of their Defender TI instance. Throughout this training, you'll get familiar with Defender TI, how it collects and analyzes threat intelligence, and how to use it to unmask adversaries and their tools and infrastructure. Once complete, you'll be ready to leverage the advanced intelligence in Defender TI to up-level your threat hunting and incident response.



The modules listed below are split into four groups:



Part 1: Overview

  • Module 0: Other Learning and Support Options
  • Module 1: Use Cases, Users, and How to Get Started



Part 2: Data Collection, Threat Analysis, and Defender TI's Dataset Overview

  • Module 2: Data Collection and Threat Analysis
  • Module 3: Understanding Internet Datasets and their Investigative Use



Part 3: Integrated Use Cases

  • Module 4: Microsoft Defender Threat Intelligence Detections in Microsoft Sentinel



Part 4: Using Defender TI for Cyber Threat Investigations

  • Module 5: Making Use of Projects
  • Module 6: Understanding & Utilizing Finished Threat Intelligence



Part 1: Overview




Module 0: Other Learning and Support Options




The Ninja training is a level 400 training. If you don't want to go as deep or have a great feature request to share, other resources might be more suitable:




Think you're a true Microsoft Defender Threat Intelligence Ninja?


Take the knowledge check and find out. If you pass the knowledge check with a score of over 80%, you can request a certificate to prove your ninja skills!

Disclaimer: This is not an official Microsoft certification and only acts as a way of recognizing your participation in this training content.

  1. Take the knowledge check here.
  2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got wrong, study more, and take the assessment again.



Module 1: Use Cases, Users, and How to Get Started




Defender TI is an analyst workbench that aggregates many intelligence data sources in a way that is searchable and pivotable. Data sources include both raw data ingested via a world-wide collection engine and finished intelligence in the form of articles. The workbench lets analysts correlate data and aggregate identified attributes or entities by grouping them into projects or assigning tags, which can be shared within an organization. The intent of the platform is to enable organizations to derive insights that they can use to defend themselves against threat actors in cyberspace (read more).



Defender TI aids the following target user functions:

  • Security Operations
  • Incident Response
  • Threat Hunting
  • Cyber Threat Intelligence Analysis
  • Cybersecurity Research



Common tactical use cases include:

  • Identify Existing Threat Intelligence
  • Data Enrichment
  • Infrastructure Chaining
  • Monitoring Internet Infrastructure Changes
  • Collaborating on Investigations



For more information regarding Defender TI's target user functions and use cases, see "Microsoft Defender Threat Intelligence's Target User Functions and Use Cases".



If you want to get an initial overview of Microsoft Defender Threat Intelligence's technical capabilities, the Microsoft Security Public Community webinar, "Special Report: Ukraine | A Microsoft Overview of Russia's Cyberattack Activity in Ukraine", and our Microsoft Security Digital Event "Stop Ransomware with Microsoft Security" are good starting points. You might also find the article "What is Microsoft Defender Threat Intelligence (Defender TI)?" useful.



Lastly, want to try it yourself? Defender TI 30-day Premium trials are available to start in the M365 Admin Center (read more). If your organization is not ready to trial the Premium Defender TI experience, you can also register for Community Defender TI access with your standard Microsoft authentication when accessing the Defender TI standalone portal. Community access presents users with limited datasets and data history as well as limited access to articles (read more).



Part 2: Data Collection, Threat Analysis, and Defender TI's Dataset Overview




While the previous section gave an overview of the Defender TI platform, the use cases it supports, and how to get started, this section covers Defender TI's data collection processes, threat analysis, and datasets in depth. It also includes dataset investigation examples that show the value Defender TI's datasets can bring to analysts.



Module 2: Data Collection and Threat Analysis




It is often difficult to determine whether a security alert identified truly malicious activity without the ability to research the entities associated with the alert. Entities could include IP addresses, domain names, host names, URLs, file names or hashes, and more. Analysts have to turn to outside sources to gather the context needed on these entities to properly triage the activity that has been identified.



Defender TI is built on top of well over a decade's worth of collection against Internet datasets. The technologies in place enable the collection, processing, and storage of data at a scale unmatched by most in the industry. Improvements to the ability to search across and pivot through datasets occur on an ongoing basis, in conjunction with improving the ability for analysts to collaborate across research and investigations. This module will provide an overview of the primary methods by which Internet data is collected.




Defender TI collects internet telemetry data via its Passive DNS sensor network, web crawling with virtual users, a global proxy network, internet scanning, and select third parties. As a result, the following datasets are available in the Defender TI platform:

  • Resolutions
  • Whois
  • Certificates
  • Subdomains
  • Trackers
  • Host pairs
  • Components
  • Cookies
  • Reverse DNS
  • DNS
  • Services



For more information, see "How Does Microsoft Defender Threat Intelligence Collect Internet Telemetry Data?". Note: As mentioned previously in Module 1, Community users will have access to limited datasets and history of those datasets (read more).



Using these internet datasets, Defender TI applies a machine learning algorithm to produce real-time reputation scores for IP addresses, domains, and hosts. In addition, analysts can gain more context on these IP addresses, domains, and hosts through Defender TI's Analyst Insights feature (read more).



Module 3: Understanding Internet Datasets and their Investigative Use




Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying adversaries' infrastructure associated with actor groups targeting their organization. We learned how Defender TI provides raw and finished threat intelligence in Module 2. The focus of this module is the raw intelligence, in the form of internet datasets, that Defender TI includes.



Defender TI's internet data is categorized into two distinct groups: core and derived. Core datasets include Resolutions, Whois, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services. Derived datasets include Trackers, Components, Host Pairs, and Cookies. The Trackers, Components, Host Pairs, and Cookies datasets are collected by observing the Document Object Model (DOM) of crawled web pages. Components and Trackers are also observed from detection rules triggered by the banner responses from port scans or by SSL certificate details. To learn more and practice working with Defender TI's datasets, see "Microsoft Defender Threat Intelligence's Datasets and How to Use Them During Investigations."



Part 3: Integrated Use Cases




Now that we have a foundational understanding of Defender TI's use cases, features, and raw and finished intelligence, let's learn how Defender TI's threat intelligence can be used to drive more detections within Microsoft Sentinel.



As Defender TI evolves, more integrated use cases will come to speed up security operations, incident response, threat hunting, and threat intelligence workflows. Be on the lookout for new content in this section as new integrated use cases present themselves natively across the Microsoft Security ecosystem or through configuration. In addition, if you have ideas for new integrated use cases, feel free to email mdti-pm@microsoft.com, add a comment on the Module 4 blog post, or join our Cloud Security Private Community and start a discussion in the MS Defender Threat Intelligence channel.



Module 4: Defender TI Detections in Microsoft Sentinel




Defender TI provides free threat intelligence indicators to Microsoft Sentinel customers. These indicators come from Defender TI's malware and phishing indicator feeds as well as from indicators in Defender TI's articles. While users cannot export the indicators and ingest them into their TIP or SIEM, they can enable the "TI map*" analytic rules in Sentinel. These rules run every hour and correlate the indicators against logs stored in the Log Analytics workspace to generate more high-confidence detections. Once a detection fires, the associated entities (the threat intelligence indicators from Defender TI) can be viewed in the Microsoft Sentinel Threat Intelligence blade (read more).
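To make the correlation step concrete, here is an added example (not Microsoft's code and not how Sentinel implements its KQL-based "TI map*" rules) of the same idea in Python: a small set of indicators is indexed by type and normalized value, each log line is parsed into entities (domain, URL, IP), and a detection is emitted whenever an entity matches an indicator. Every indicator and log line below is constructed sample data using documentation-reserved addresses and example domains, and the `Indicator` class, the log format and the `min_confidence` filter are assumptions made for the example.

```python
"""Indicator-to-log correlation, the core of a 'TI map' style analytic rule.

Added example, not Microsoft's or Sentinel's code. All indicators and log
lines are constructed sample data; the log format (timestamp host action
target) is an assumption made for this illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlparse
import ipaddress


@dataclass(frozen=True)
class Indicator:
    type: str        # "ip", "domain" or "url"
    value: str
    source: str      # which feed or article the indicator came from
    confidence: int  # 0-100, assumed scale for this example


# Constructed indicators (placeholders, not real IoCs).
INDICATORS = [
    Indicator("ip", "203.0.113.45", "malware feed (sample)", 90),
    Indicator("domain", "Login-Update.example.", "phishing feed (sample)", 80),
    Indicator("url", "http://cdn.example/payload.bin", "article (sample)", 70),
]

# Constructed log lines: "<timestamp> <host> <action> <target>".
SAMPLE_LOGS = [
    "2024-01-10T10:00:01Z ws01 dns_query login-update.example",
    "2024-01-10T10:00:05Z ws01 http_get http://cdn.example/payload.bin",
    "2024-01-10T10:01:00Z ws02 net_connect 203.0.113.45:443",
    "2024-01-10T10:02:00Z ws03 dns_query www.example.org",
    "2024-01-10T10:03:00Z ws02 net_connect 198.51.100.7:80",
]


def normalize(itype, value):
    """Canonical form so feed and log spellings compare equal.

    Raises ValueError for a malformed IP, which callers treat as 'no match'.
    """
    if itype == "domain":
        return value.lower().rstrip(".")   # case-fold, drop trailing root dot
    if itype == "url":
        return value.lower()
    if itype == "ip":
        return str(ipaddress.ip_address(value))
    return value


def build_index(indicators):
    """Map (type, normalized value) -> Indicator for O(1) lookups."""
    index = {}
    for ind in indicators:
        index.setdefault((ind.type, normalize(ind.type, ind.value)), ind)
    return index


def extract_entities(line):
    """Return (type, value) pairs found in one constructed log line."""
    parts = line.split()
    if len(parts) != 4:
        return []  # malformed line: skip rather than crash the whole run
    _ts, _host, action, target = parts
    if action == "dns_query":
        return [("domain", target)]
    if action == "http_get":
        entities = [("url", target)]
        host = urlparse(target).hostname
        if host:
            entities.append(("domain", host))  # a URL also yields its host
        return entities
    if action == "net_connect":
        ip, _sep, _port = target.rpartition(":")
        return [("ip", ip)]
    return []


def correlate(log_lines, indicators, min_confidence=0):
    """Emit one detection per (log line, matching indicator) pair."""
    index = build_index(indicators)
    detections = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host = parts[0], parts[1]
        for itype, value in extract_entities(line):
            try:
                key = (itype, normalize(itype, value))
            except ValueError:
                continue  # e.g. empty string where an IP was expected
            ind = index.get(key)
            if ind is not None and ind.confidence >= min_confidence:
                detections.append(
                    {"timestamp": ts, "host": host, "entity": value, "indicator": ind}
                )
    return detections


if __name__ == "__main__":
    for det in correlate(SAMPLE_LOGS, INDICATORS):
        print(det["timestamp"], det["host"], det["entity"], "<-", det["indicator"].source)
```

Two points carry over to the real rules: normalization matters (the feed's `Login-Update.example.` still matches the log's lower-case query), and a confidence threshold is the simplest way to tune how many of the free indicators are allowed to raise alerts.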



Part 4: Using Defender TI for Cyber Threat Investigations




At this point, you've learned a great deal about how Defender TI can be used within its user interface and how it integrates with Microsoft Sentinel to generate more detections. The next modules focus on putting what you've learned in the previous modules into practice.



Note: For those of you with Defender TI Community access, your dataset, dataset history, and feature access will be limited compared to our Defender TI Premium experience. As such, many of the exercises below in Module 6 may be difficult to execute without a Defender TI Premium license. Module 1 covers how you can work with your team to start a Defender TI Premium Trial if you'd like to practice the following exercises and evaluate full access to our Defender TI solution.



Module 5: Making Use of Projects




The Microsoft Defender Threat Intelligence (Defender TI) platform allows users to create private personal or team projects for organizing indicators of interest and indicators of compromise from an investigation (read more).



Module 6: Understanding and Utilizing Finished Threat Intelligence




Threat intelligence is the data that organizations need in order to map threats to the enterprise and enable the best possible decision making related to risk. Defender TI serves as a valuable source of attack surface threat intelligence on global, industry, and local threats, with content from hundreds of OSINT sources complementing original research shared from Microsoft's own Defender, MSTIC, and Section52 research groups. As an analyst working with threat intelligence, it's easy to become overwhelmed by the volume of data out there, but within the Defender TI portal, the ability to quickly find data relevant to your needs is kept top of mind. For more information regarding Defender TI's articles, vulnerability articles, and exercises to practice gathering raw intelligence, see "Understanding and Utilizing Finished Threat Intelligence with Microsoft Defender Threat Intelligence".
