Cyware Threat Intelligence eXchange

Microsoft Defender Threat Intelligence

Notice

This integration is available in Intel Exchange v3.6.3.3 and later.

Connector Category: Enrichment Tool

About Integration

Intel Exchange integrates with Microsoft Defender Threat Intelligence to enhance threat data by delivering critical insights into IPs, domains, and vulnerabilities. This enrichment helps you gain a deeper context about cyber threats, enabling more informed decision-making and improved response to potential security incidents.

Configuring MDTI as an enrichment tool has two parts: register an app in Azure, then add that app's credentials as an account in Intel Exchange.

Create an App in Azure

To enable Intel Exchange to access Microsoft Defender Threat Intelligence (MDTI), you must register an app in Azure Active Directory (now Microsoft Entra ID). This app provides the credentials and permissions required to authenticate API requests.

Before you Start

You must have one of the following roles to register an app in Azure:

  • The Application Administrator role in Azure Active Directory (Microsoft Entra ID).

  • Any other role that allows you to register an application and add API permissions to it.

Granting tenant-wide admin consent for a Microsoft Graph application permission, which step 6 below requires, is not included in the Application Administrator role. A Privileged Role Administrator or Global Administrator must grant that consent.

Steps

To create an app in Azure, follow these steps:

  1. Sign in to the Azure portal.

  2. Search and select App registrations.

  3. To register a new app, click New Registration.

  4. In Name, enter a name for the app. For example, Intel Exchange MDTI Integration.

  5. Click Register to create the application. After registration, go to the Overview section to view and copy the following:

    • Application (client) ID

    • Directory (tenant) ID

  6. To create a client secret and assign API permissions, use the following information:

    • To create a client secret, go to Manage > Certificates & secrets. Click New client secret and use the following information:

      1. Enter a description and select an expiration period. By default, the expiration is set to 180 days. Record the expiration date: when the secret expires, token requests fail and enrichments stop until you create a new secret and update the account in Intel Exchange.

      2. Click Add. Copy and store the Value of the client secret securely. You will not be able to view it again after you leave the page.

    • To assign permissions to the application, go to Manage > API permissions. Use the following information:

      1. Click Add a permission, and select Microsoft Graph under Microsoft APIs.

      2. Select Application permissions and select the ThreatIntelligence.Read.All permission.

      3. Click Grant admin consent for your tenant to apply the permission. The Status column shows Granted once consent has taken effect.

  7. After you create the app and configure its credentials and permissions, use the generated details to configure Microsoft Defender Threat Intelligence in Intel Exchange.

Configure MDTI in Intel Exchange

Configure MDTI in Intel Exchange to enrich IP addresses, domains, and vulnerabilities.

Before you Start

  • Ensure that you have the Application (client) ID, client secret, and Directory (tenant) ID from the Azure app registration, and the base URL of the MDTI API.

  • Ensure that your user group has Create, Update, and View permissions for enrichment tools and their associated policies in Intel Exchange.

    Note

    Ensure that the app registration has been granted the ThreatIntelligence.Read.All permission with admin consent; without it, the token is issued but MDTI rejects the enrichment requests.

Steps

To configure MDTI as an enrichment tool in Intel Exchange, follow these steps:

  1. Sign in to Intel Exchange and go to Administration > Enrichment Management > Enrichment Tools.

  2. Search for and select the Microsoft Defender Threat Intelligence enrichment tool.

  3. Click Add Account and enter the following details:

    • Account Name: Enter a unique account name to identify the instance. For example, Microsoft Defender Threat Intelligence Prod.

    • Base URL: Enter the base URL of your Microsoft Defender Threat Intelligence instance. The default base URL is https://graph.microsoft.com/v1.0/security/threatIntelligence.

    • Client ID: Enter the client ID to authenticate your application on the server.

    • Client Secret: Enter the client secret to authenticate your client APIs.

    • Tenant ID: Enter the tenant ID associated with your Microsoft Defender Threat Intelligence account to establish the connection.

    • Verify SSL: Enable this option to validate the TLS certificate presented by the MDTI endpoint and secure the connection between Intel Exchange and MDTI servers. This option is enabled by default.

      Note

      Cyware recommends that you keep Verify SSL enabled. If you disable it, Intel Exchange accepts any certificate, including an expired or untrusted one, so the account may be saved against a misconfigured or intercepted endpoint and Intel Exchange cannot notify you that the connection is broken or improper.

  4. Click Save.

After you save the account, you can use Microsoft Defender Threat Intelligence to enrich IPs, domains and vulnerabilities.

After successfully adding an account, you can view and enable the MDTI feed enrichment type.

Configure Enrichment Quota

You can also configure a quota to limit the number of enrichment requests Intel Exchange makes to MDTI. After the quota is exhausted, you cannot make enrichment requests until it resets for the next quota duration. For more information, see Define Quota in Configure Enrichment Tools.

The following table shows the number of API calls and quota units consumed by the MDTI enrichment tool for each enrichment:

  Enrichment Tool   Feed Enrichment Type   Number of API Calls   Quota Consumed
  MDTI              Domain                 3                     3
  MDTI              IP                     3                     3
  MDTI              Vulnerability          1                     1

You can configure an enrichment policy to automatically enrich threat data objects using the MDTI enrichment tool. For more information, see Enrichment Policy.

Enrich Threat Data Objects

You can use MDTI to enrich IPs, domains, and vulnerabilities with verdicts and contextual threat intelligence to support faster and more accurate investigation.

To enrich a threat data object using MDTI, follow these steps:

  1. Go to Main Menu > Collection > Threat Data and filter threat data objects by Indicator object type.

  2. Select the object you want to enrich.

  3. In the Enrichment tab, select Microsoft Defender Threat Intelligence under Enrichment Details, then click Enrich.

You can view the enrichment details in Enrichment Payload. You can also click Re-Enrich to enrich the threat data object again.

Enrich Using the Threat Investigation Canvas

Enhance threat data in the Threat Investigation Canvas by interacting directly with nodes. This lets you gain deeper insight into observables or threat objects and visualize the enriched data for more informed analysis.

Before you Start

Ensure that you have Create, View, and Update permissions for Threat Investigations.

Steps

To enrich a threat data object using the threat investigation canvas, follow these steps:

  1. Go to Main Menu > Analysis > Threat Investigations.

  2. Enter a unique title for the canvas. For example, MDTI Analysis.

  3. Click the Add Node icon on the left. You can view the Indicator, Domain Objects, and Observables.

  4. Select the object type required for your investigation or drag it to the canvas. For MDTI, select IP or Domain from the Indicator object type. For example, IPv4.

  5. Enter the value of the object. For example, 192.168.1.10. Note that a private (RFC 1918) address such as this has no Internet-facing footprint, so MDTI returns little or no context for it; use the public IP you are investigating.

  6. To enrich the object, right-click the node, expand Enrich, select MDTI, and click Enrich.

After a successful enrichment, double-click the node and go to the Enrichments tab to view the enrichment details.