Defender Threat Intelligence
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Defender Threat Intelligence: Mapping the Adversary Infrastructure
In the modern security landscape, knowing your own network is only half the battle. To effectively defend an organization, you must also understand the world outside your perimeter—the infrastructure, tools, and tactics used by those who intend to do harm. Microsoft Defender Threat Intelligence (Defender TI) is the bridge between internal telemetry and the global internet ecosystem. It provides security professionals with a massive, curated library of raw and finished intelligence that reveals how threat actors operate, where they host their malicious sites, and how their infrastructure evolves over time.
Think of Defender TI as a massive historical archive of the internet. It doesn't just tell you that a domain is "bad" today; it tells you who owned it three years ago, what SSL certificates were associated with it last month, and which other malicious domains share the same unique tracking code. This depth of visibility is what transforms a reactive security team into a proactive hunting force. By understanding the adversary's "digital footprint," you can anticipate their next move and block their infrastructure before they even launch an attack against your specific environment.
Understanding the Core of Defender Threat Intelligence
Defender Threat Intelligence is built upon the foundation of what was formerly known as RiskIQ. Microsoft integrated this technology to provide a comprehensive view of the global threat landscape. At its heart, Defender TI is a platform that continuously scans the entire internet, mapping relationships between domain names, IP addresses, web technologies, and the entities that control them.
Most security tools focus on what is happening inside your network—which user clicked a link or which server has a missing patch. Defender TI focuses on the outside. It answers questions like: "Is this IP address part of a known command-and-control (C2) network?" or "Has this specific SSL certificate been used in phishing campaigns targeting other industries?"
The Difference Between Internal and External Intelligence
It is important to distinguish between the telemetry generated by your own devices and the intelligence provided by Defender TI.
- Internal Telemetry: This is the data generated by your endpoints, identity providers, and cloud apps. It tells you that
workstation-01connected tobad-domain.com. - External Intelligence (Defender TI): This tells you that
bad-domain.comwas registered 48 hours ago using a specific email address that has been linked to 500 other phishing domains, and it is currently hosted on a server in a region known for hosting "bulletproof" infrastructure.
By combining these two perspectives within the Microsoft Defender XDR ecosystem, security analysts gain a 360-degree view of an incident. You aren't just cleaning up a single infected machine; you are uncovering the entire campaign.
Callout: Finished Intel vs. Raw Data
Finished Intelligence consists of curated reports and "Intel Profiles" created by Microsoft's threat researchers. These provide context about threat actors (like APT29 or LACE-08) and their known behaviors.
Raw Data consists of the actual building blocks of the internet: DNS records, WHOIS data, SSL certificates, and web components. While finished intel tells you the "who" and "why," raw data allows you to perform your own investigations to find the "what else."
The Building Blocks: Defender TI Data Sets
To use Defender TI effectively, you must understand the types of data it collects. Each data set acts as a different lens through which you can view an adversary's infrastructure.
Passive DNS (PDNS)
Standard DNS tells you what an IP address is right now. Passive DNS is a historical record of all name-to-IP mappings observed over time. This is critical because threat actors frequently change their IP addresses to evade detection. By looking at PDNS, an analyst can see that a domain used to point to a legitimate hosting provider but suddenly shifted to a suspicious IP range right before an attack began.
WHOIS Data
WHOIS information provides registration details for domains, including the registrar, the registration date, and (sometimes) the contact information of the owner. While many threat actors use privacy protection services to hide their identity, they often make mistakes. They might reuse the same phone number or physical address across multiple "burner" domains. Defender TI allows you to pivot on these details to find related infrastructure.
SSL Certificates
SSL certificates are a goldmine for threat hunters. Certificates often contain unique information in the Subject Alternative Name (SAN) or the organization field. If a threat actor generates a self-signed certificate for their C2 server, that certificate has a unique "fingerprint" (SHA-1 hash). If you find that same hash on five other IP addresses across the internet, you have just discovered five more pieces of the attacker's infrastructure.
Trackers and Cookies
When you visit a website, it often uses small pieces of code for analytics or tracking (like Google Analytics IDs or Facebook Pixel IDs). Threat actors often copy-paste their website code from one phishing site to another, inadvertently including the same tracking IDs. Defender TI indexes these IDs, allowing analysts to search for every website on the internet that uses a specific, malicious tracking code.
Practical Application: Investigating a Suspicious Domain
Let’s look at how a SOC analyst would use Defender TI in a real-world scenario. Imagine your automated systems flag an outbound connection to a domain called updates-microsoft-security.top.
Step 1: Initial Reputation Check
The first step is to enter the domain into the Defender TI search bar. The platform immediately provides a Reputation Score. This score is calculated based on factors like the age of the domain, its hosting provider, and whether it has appeared in known blocklists. A score of "Malicious" or "Suspicious" gives you immediate justification to isolate the affected endpoint.
Step 2: Analyzing Infrastructure Transitions
Next, you look at the Resolutions tab (Passive DNS). You notice that for the last year, the domain didn't resolve to anything. Then, three days ago, it suddenly pointed to an IP address in a non-standard hosting environment. This "parked to active" transition is a classic indicator of a staged attack.
Step 3: Pivoting on SSL Certificates
You click on the SSL Certificates tab and find a certificate associated with the domain. You notice the certificate's Common Name is c2.internal.attacker.com. By clicking on that certificate's SHA-1 hash, Defender TI shows you three other IP addresses that are currently using that exact same certificate. You have now identified the broader C2 network, not just the one domain your user visited.
Step 4: Creating a Project
To keep your findings organized, you create a Project within Defender TI. You add the original domain, the new IP addresses you found, and the SSL certificate hash to this project. You can now share this project with your colleagues, allowing the entire team to collaborate on the investigation and add their own notes.
Note: Projects are essential for team-based investigations. They act as a shared workspace where you can save indicators (IoCs) and build a timeline of the threat actor's activity without losing your data when you close your browser.
Advanced Hunting with KQL and Defender TI
While the Defender TI portal is excellent for manual investigations, the real power comes from integrating this data into your automated hunting workflows. Microsoft provides ways to access threat intelligence data through the Microsoft Graph API and via specific tables in Advanced Hunting (KQL).
Example: Hunting for Malicious Certificates
If you have identified a malicious SSL certificate thumbprint through Defender TI, you can use KQL in Microsoft Defender XDR to see if any device in your organization has encountered it.
// Search for connections to IPs associated with a specific malicious SSL thumbprint
let MaliciousThumbprint = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0";
DeviceNetworkEvents
| where RemoteIP in (
// This subquery simulates pulling IP addresses associated with a thumbprint
// In a real scenario, you would use the Defender TI API to populate this list
"192.168.10.5", "10.0.0.50", "172.16.5.11"
)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
| order by Timestamp desc
Example: Identifying DGA (Domain Generation Algorithm) Patterns
Threat actors often use DGAs to create hundreds of random-looking domains. Defender TI's raw data can help you identify these patterns. While the following is a simplified logic, it demonstrates how you might filter for suspicious domains in your environment:
// Look for DNS queries to domains with suspicious TLDs often used in phishing
let SuspiciousTLDs = dynamic(['.top', '.xyz', '.pw', '.cc', '.club']);
DeviceNetworkEvents
| where RemoteUrl has_any (SuspiciousTLDs)
| extend DomainLength = strlen(RemoteUrl)
| where DomainLength > 20 // DGAs often result in long, complex strings
| summarize Count = count() by RemoteUrl, DeviceName
| where Count > 1
| order by Count desc
Best Practices for Using Threat Intelligence
Using threat intelligence effectively requires a disciplined approach. It is easy to get overwhelmed by the sheer volume of data available. Follow these best practices to stay focused:
1. Start with an Internal Lead
Don't just browse Defender TI looking for "bad things." Start with an alert or a suspicious event from your own environment. Use Defender TI to enrich that specific lead. This ensures your time is spent on threats that are actually relevant to your organization.
2. Verify Before Acting
A "Suspicious" reputation score is a warning, not a conviction. Always look at the underlying data. Is the domain suspicious because it's new, or because it's hosted on a known malware distribution server? Understanding the why helps you determine the appropriate response (e.g., blocking the domain vs. just monitoring it).
3. Use the "Pivot" Technique
The most successful threat hunters are "pivoteers." When you find a piece of information (like an email address in WHOIS), don't stop there. Click on it to see what else is connected. This lateral movement through the data is how you uncover the full scope of an attacker's infrastructure.
4. Automate the Routine
If you find yourself manually checking the reputation of every IP address in your firewall logs, you are doing it wrong. Use the Defender TI API to automate reputation checks for high-volume logs. Save your manual investigation time for complex, high-severity incidents.
Tip: You can integrate Defender TI with Microsoft Sentinel. This allows you to automatically correlate your log data with Defender TI indicators, creating "TI Map" alerts that trigger whenever a known malicious entity interacts with your network.
Common Pitfalls and How to Avoid Them
Even experienced analysts can make mistakes when working with threat intelligence. Being aware of these pitfalls will help you maintain the integrity of your investigations.
Over-Reliance on Reputation Scores
A reputation score is a snapshot in time. A domain that is "Clean" today could be used for a phishing campaign tomorrow. Conversely, a "Malicious" domain might have been cleaned up and re-assigned to a legitimate user. Always look at the Last Observed dates in the PDNS and SSL records to ensure the data is current.
Ignoring the Context of "Shared" Infrastructure
Many malicious sites are hosted on shared platforms like Content Delivery Networks (CDNs) or popular cloud providers (AWS, Azure, GCP). If you see a malicious domain pointing to an IP address owned by Cloudflare, do not block that IP address. Doing so could inadvertently block thousands of legitimate websites. Instead, focus on the domain name or the specific URL.
Confirmation Bias
It is easy to fall into the trap of looking for evidence that confirms your initial theory while ignoring evidence that contradicts it. If you believe a domain is part of a specific APT group's campaign, you might only focus on the data points that link them. Always play "devil's advocate" and look for reasons why the domain might not be related to that group.
Integrating Defender TI into the Incident Response Lifecycle
To get the most value out of Defender TI, it should be woven into every stage of your Incident Response (IR) process.
Preparation
In the preparation phase, use Intel Profiles to understand the threat actors most likely to target your industry. If you work in finance, study the profiles of groups known for banking trojans. Learn their common infrastructure patterns so you know what to look for before an incident occurs.
Detection and Analysis
When an alert triggers in Defender XDR, use the "Threat Intelligence" tab within the alert to get immediate context. This tab often provides a summary of what Defender TI knows about the entities involved. This helps you quickly triage the alert—is this a commodity malware infection or a targeted attack by a sophisticated actor?
Containment and Eradication
During containment, use Defender TI to find "sibling" infrastructure. If you find one malicious domain, use PDNS and SSL pivots to find the other five domains the attacker is using. Block all of them simultaneously. If you only block the one you found in your logs, the attacker will simply switch to one of their backup domains, and the infection will persist.
Post-Incident Activity
After the threat is neutralized, use the data you gathered to improve your defenses. Update your internal blocklists and share your findings (the projects you created) with the broader security community or through Information Sharing and Analysis Centers (ISACs).
Comparison: Defender TI vs. Standard Threat Feeds
Many organizations subscribe to third-party threat feeds that provide lists of IoCs. While these are useful, Defender TI offers several advantages over traditional feeds.
| Feature | Standard Threat Feeds | Microsoft Defender TI |
|---|---|---|
| Data Type | Mostly static lists of IPs/Domains. | Dynamic, historical mapping of the internet. |
| Context | Often provides "what" but not "how" or "who." | Provides deep context via Intel Profiles and infrastructure relationships. |
| Searchability | Limited to searching for specific IoCs. | Ability to pivot on trackers, components, and SSL fingerprints. |
| Integration | Requires manual ingestion or SIEM integration. | Natively integrated into the Defender XDR and Sentinel experience. |
| Update Frequency | Varies by provider (can be delayed). | Real-time scanning and continuous updates from Microsoft's global signal. |
Step-by-Step: Setting Up Your First Investigation
If you are new to the platform, follow these steps to conduct a basic investigation.
- Access the Portal: Navigate to the Microsoft Defender portal and look for the "Threat Intelligence" section in the left-hand navigation menu.
- Perform a Search: In the search bar, type a domain or IP address you want to investigate.
- Review the Summary: Look at the Reputation Score and the "First Seen" / "Last Seen" dates.
- Explore Data Sets: Click through the tabs:
- Resolutions: Look for IP changes over time.
- WHOIS: Check for registrant consistency.
- Certificates: Look for unique fingerprints.
- Trackers: See if the site shares IDs with other domains.
- Check Intel Profiles: See if the indicator is already associated with a known threat actor or campaign by looking at the "Related Intel Profiles" section.
- Create a Project: Click the "Add to Project" button to save your findings for later analysis.
Callout: The Power of Trackers
Scenario: You find a phishing page that looks exactly like a Microsoft 365 login. The domain is
login-microsoft-secure.com.Investigation: You check the Trackers tab in Defender TI and find a JARM hash (a fingerprint of the server's TLS handshake).
The Pivot: You click the JARM hash and discover 45 other IP addresses across three different countries all using the same TLS configuration. Even though the domains are different, the underlying server setup is identical. You have just uncovered the attacker's entire phishing hosting cluster.
Using API and Automation for Enrichment
For organizations with high-maturity SOCs, manual searching is not enough. You can use the Microsoft Graph API to pull Defender TI data into your own tools or scripts.
Python Example: Fetching Domain Reputation
This conceptual script shows how you might use the API to check the reputation of a list of domains automatically.
import requests
# Note: This requires proper Azure AD authentication/token acquisition
def get_domain_reputation(domain, access_token):
url = f"https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{domain}"
headers = {
'Authorization': f'Bearer {access_token}',
'Content-Type': 'application/json'
}
response = requests.get(url, headers=headers)
if response.status_status == 200:
data = response.json()
reputation = data.get('reputation', {}).get('score', 'Unknown')
print(f"Domain: {domain} | Reputation Score: {reputation}")
else:
print(f"Error fetching data for {domain}")
# Example usage
# domains_to_check = ['example-malicious.com', 'safe-site.net']
# for d in domains_to_check:
# get_domain_reputation(d, my_token)
By automating this process, you can enrich every alert that enters your SIEM with Defender TI data before an analyst even looks at it. This "pre-triage" saves valuable minutes during a critical incident.
Vulnerability Intelligence
Defender TI isn't just about domains and IPs; it also provides deep insights into vulnerabilities (CVEs). When a new high-profile vulnerability is discovered (like Log4j or PrintNightmare), the Defender TI team publishes a Vulnerability Profile.
These profiles go beyond the basic CVSS score. They provide:
- Adversary Activity: Which threat actors are currently exploiting this vulnerability?
- Exploitability: Is there public exploit code available?
- Remediation Guidance: Specific steps to mitigate the risk beyond just "install the patch."
- Hunting Queries: KQL queries you can run in your environment to find evidence of exploitation.
This allows vulnerability management teams to prioritize patching based on real-world threat intelligence rather than just the theoretical severity of the bug.
Summary and Key Takeaways
Microsoft Defender Threat Intelligence is a sophisticated platform that provides a "god's eye view" of the internet's infrastructure. By leveraging historical DNS, WHOIS, SSL, and web component data, it allows security teams to move beyond simple IoC blocking and begin true adversary infrastructure mapping.
The integration of this external intelligence with the internal telemetry of Microsoft Defender XDR creates a powerful ecosystem for detection, investigation, and response. Whether you are a SOC analyst triaging a daily alert or a threat hunter proactively searching for the next big campaign, Defender TI provides the context needed to stay ahead of the adversary.
Key Takeaways:
- Visibility Beyond the Perimeter: Defender TI maps the global internet, providing historical context that internal logs cannot see.
- Infrastructure Pivoting: Use unique data points like SSL fingerprints, JARM hashes, and tracking IDs to uncover an attacker's entire network from a single lead.
- Reputation is Just the Start: Don't rely solely on a "Malicious" or "Clean" score; look at the underlying data (PDNS, WHOIS) to understand the context and timing of the threat.
- Collaborative Investigation: Use Projects to organize indicators, build timelines, and share findings across the security team.
- Proactive Vulnerability Management: Use Vulnerability Profiles to prioritize patching based on which CVEs are actually being exploited by threat actors in the wild.
- Automation is Essential: Use the Microsoft Graph API and KQL to integrate threat intelligence into your automated workflows, reducing the manual burden on analysts.
- Context is King: Always verify if a suspicious IP is part of a shared infrastructure (like a CDN) before taking disruptive actions like blocking.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons