Cyware Threat Intelligence eXchange

Microsoft Defender Threat Intelligence (MDTI)

Connector Category: API Feed Source

About Integration

Microsoft Defender Threat Intelligence (MDTI) enables security professionals to directly access, ingest, and act on a powerful repository of threat intelligence. Using MDTI, you can streamline triage, threat hunting, and cyber threat intelligence analyst workflows.

Intel Exchange integrates with MDTI to retrieve threat intel feeds about the following threat objects:

  • Report

  • Indicator

  • Attack Pattern

  • Identity

Benefits 

  • Stay informed with up-to-date alerts on evolving adversary tactics, techniques, and procedures (TTPs) to enhance defense strategies.

  • Keep pace with the latest analysis derived from over 78 trillion daily threat signals, ensuring you’re equipped with current threat intelligence.

  • Achieve comprehensive threat detection and remediation by ingesting MDTI threat intelligence into Intel Exchange.

Configure MDTI as Feed Source

Configure MDTI as an API feed source to receive threat data feeds.

Before you Start 

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.

  • You must have the base URL, tenant ID, client ID, and client secret of your MDTI account.

  • The Microsoft Graph API for MDTI requires an active Defender Threat Intelligence Portal license and API add-on license for the tenant.

Steps 

To configure MDTI as an API feed source in Intel Exchange, follow these steps:

  1. Go to Administration > Integration Management. In Feed Sources, click APIs.

  2. Click Add API Source.

  3. Search and select Microsoft Defender Threat Intelligence.

  4. Click Add Instance.

    • Instance Name: Enter a unique name to identify the instance. For example, MDTI-Prod.

    • Base Url: Enter the base URL of your MDTI instance. The default base URL is https://graph.microsoft.com/v1.0/.

    • Client ID: Enter the client ID to authenticate with the server. For example, c2xxxx94-149e-4xx2-bxxd-5f29ef878b97.

    • Client Secret: Enter the client secret.

    • Tenant ID: Enter the tenant ID. For example, 0xxxxbc1-4xxe-4xx1-9xx9-9e7a8xxxxf9c.

    • Select Verify SSL to verify the SSL certificate and secure the connection between the Intel Exchange and MDTI servers. By default, the verification is enabled.

      Note

      Enabling SSL verification is recommended. If you disable this option, the connection may be established even when the MDTI server presents an expired or otherwise invalid SSL certificate, so a broken or improper connection can go unnoticed and you will not be notified of it.

The MDTI instance is configured and you can view the feed channels. You can configure multiple instances by clicking Manage > Add More.

Configure MDTI Feed Channels

Configure the feed channel to retrieve threat data feeds from MDTI and store the feeds in a collection.

Steps 

To configure the feed channels, follow these steps:

  1. Go to Administration > Integration Management. In Feed Sources, click APIs.

  2. Search and select the Microsoft Defender Threat Intelligence app.

  3. Click the vertical ellipsis, and select Manage.

  4. Click Manage Feed Channels.

  5. Select the Fetch Article Feeds channel and turn on the toggle. Use the following information while configuring the channel:

    • Start Date and Time: Enter the date and time to start polling feeds. Select a date within 15 days from the current date.

    • Collection Name: Enter the name of the collection to group the feed data. For example, MDTI Feeds. Intel Exchange creates the collection and stores all the feeds from the feed channel.

    • Polling Cron Schedule: Select from one of the following Polling Cron Schedule types to define when to poll the data:

      • Manual: Allows you to manually poll from the source collection.

      • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto.

        Enter a frequency in minutes between 60 and 10080 in Polling Time. The default polling time is 240 minutes.

    • TLP: Set the TLP for the feeds that do not have a TLP already assigned. The default TLP is Amber. Alternatively, you can select None to ensure that no TLP is assigned to the feeds.

    • Default Source Confidence: Enter the confidence score for the feeds that do not have a confidence score already assigned. The default confidence score is 100.

    • Custom Scores: Select the Relevance and Severity Score for the channel.

    • Default Tags: Select any tags to identify and categorize the feeds.

  6. Click Save.

The feed channel is configured and you can poll feeds from the channel. You can also enable the other feed channels, poll them, and view the retrieved feeds.

Note

The Fetch Article Feeds channel retrieves all available feeds. However, only feeds updated on or after the configured polling start date and time are ingested.

Test Feed Channel Connectivity

Test the connectivity of the Microsoft Defender Threat Intelligence API feed channels to ensure that the connection with the correct API endpoint is established and that you have permission to poll feeds.

Before you Start 

  • Ensure that the Microsoft Defender Threat Intelligence API integration is enabled.

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps 

To test the connectivity of a feed channel, follow these steps:

  1. Go to Administration > Integration Management. In Feed Sources, click APIs.

  2. Search and select the Microsoft Defender Threat Intelligence app.

  3. On a feed channel, click the vertical ellipsis and select View Details.

  4. In the Working Status section, click Test Connectivity.

If the connection is established, then the working status shows Running. If the connectivity is broken, then the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When a feed channel loses connectivity, it is automatically disabled, and the system attempts to restore connectivity three times per hour. If the connectivity is successfully restored, the feed channel is automatically re-enabled.

To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.

Microsoft Defender Threat Intelligence Feed Channels

The following table lists the feed channel and the API endpoint used to retrieve feeds from Microsoft Defender Threat Intelligence:

  Feed Channel            API Endpoint
  Fetch Article Feeds     {{base_url}}security/threatIntelligence/articles
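As an added example (not Cyware's or Microsoft's code), the following Python script performs the same sequence that the instance and channel settings above describe: it exchanges the tenant ID, client ID and client secret for a Microsoft Graph token, calls the article endpoint from the table with SSL verification enabled, follows Graph paging, and keeps only articles updated on or after a polling start date that must lie within 15 days of the current date. The ThreatIntelligence.Read.All application permission and the OData $filter on lastUpdatedDateTime are assumptions.

```python
import json, ssl, urllib.parse, urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://graph.microsoft.com/.default"     # app-only Graph scope (client credentials)
ARTICLES = "security/threatIntelligence/articles"  # endpoint from the feed channel table

SAMPLE_ARTICLES = [  # constructed sample; real Graph article objects carry more fields
    {"id": "a1", "lastUpdatedDateTime": "2024-04-20T08:00:00Z"},
    {"id": "a2", "lastUpdatedDateTime": "2024-05-01T00:00:00Z"},
    {"id": "a3", "lastUpdatedDateTime": "2024-05-03T15:30:00.1234567Z"},
]

def parse_utc(ts):
    # Graph timestamps are UTC ISO-8601; fractional seconds are dropped before parsing.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def articles_url(base_url, start_ts, now_ts=None):
    # Channel rule: Start Date and Time must lie within 15 days of the current date.
    start = parse_utc(start_ts)
    now = parse_utc(now_ts) if now_ts else datetime.now(timezone.utc)
    if start > now or now - start > timedelta(days=15):
        raise ValueError("Start Date and Time must be within 15 days of the current date")
    # Server-side filtering on lastUpdatedDateTime is an assumption (OData $filter support).
    query = urllib.parse.urlencode({"$filter": f"lastUpdatedDateTime ge {start_ts}"})
    return f"{base_url.rstrip('/')}/{ARTICLES}?{query}"

def get_token(tenant_id, client_id, client_secret):
    # OAuth2 client-credentials flow using the instance's tenant ID, client ID and secret.
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": SCOPE}).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)["access_token"]

def ingestable(articles, start_ts):
    # Client-side guard matching the note above: keep articles updated on/after the start.
    cutoff = parse_utc(start_ts)
    return [a["id"] for a in articles if parse_utc(a["lastUpdatedDateTime"]) >= cutoff]

def fetch_article_ids(token, base_url, start_ts):
    ctx = ssl.create_default_context()  # Verify SSL on: expired or untrusted certs are rejected
    url, found = articles_url(base_url, start_ts), []
    while url:  # Graph pages results; follow @odata.nextLink until it is absent
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            page = json.load(resp)
        found.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return ingestable(found, start_ts)
```

Running `fetch_article_ids(get_token(tenant, client, secret), "https://graph.microsoft.com/v1.0/", "2024-05-01T00:00:00Z")` against a licensed tenant returns the IDs of the articles the channel would ingest for that start date.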