1 Intelligence Lifecycle

The threat intelligence lifecycle provides a structured framework for producing actionable intelligence. Each phase builds on the previous one, creating a continuous feedback loop that improves intelligence quality over time.

Phase 1: Planning & Direction

  • Define Priority Intelligence Requirements (PIRs) based on organizational risk profile
  • Identify key stakeholders and their intelligence needs (SOC, IR, Management, IT Ops)
  • Establish collection priorities aligned with MITRE ATT&CK threat landscape
  • Review and update PIRs quarterly

PIR ID | Requirement | Priority | Consumer | Review Cycle
PIR-001 | Track ransomware groups targeting our industry sector | Critical | SOC, IR | Monthly
PIR-002 | Monitor for exploits targeting our exposed software stack | High | Vuln Mgmt, IT Ops | Weekly
PIR-003 | Identify credential harvesting campaigns targeting our domain | High | SOC, Identity Team | Weekly
PIR-004 | Track nation-state actors relevant to our geography/sector | Medium | CISO, IR | Monthly
PIR-005 | Monitor dark web for leaked organizational data | Medium | IR, Legal | Monthly

Phase 2: Collection

Maintain a comprehensive inventory of intelligence sources. Prioritize sources that align with PIRs and validate source reliability regularly.

Source Type | Source Name | Data Type | Collection Frequency | Integration Method
Open Source | AlienVault OTX | IoCs, Threat Reports | Real-time | API Feed
Open Source | Abuse.ch (URLhaus, MalwareBazaar) | Malicious URLs, Malware Samples | Real-time | API Feed
Commercial | Microsoft Threat Intelligence | IoCs, Threat Analytics | Real-time | Native MDE Integration
Commercial | VirusTotal Enterprise | File/URL Analysis, Hunting | On-demand | API
Internal | MDE Alert Data | Detections, IoCs | Real-time | Advanced Hunting (KQL)
Internal | Incident Reports | TTPs, IoCs, Lessons Learned | Per Incident | Manual
Industry | ISACs/ISAOs | Sector-specific Threat Reports | Daily/Weekly | Email, Portal
Government | CISA Advisories | Vulnerability, Threat Advisories | As published | RSS, Email

Phase 3: Processing

Transform raw intelligence data into a standardized, enriched format ready for analysis. Follow these steps for every incoming intelligence feed.

1. Normalize incoming IoC data to standard formats (STIX 2.1 preferred)
2. Deduplicate against existing IoC database
3. Validate IoC freshness — discard indicators older than 90 days without recent activity
4. Enrich with context: source confidence, first/last seen, associated TTPs
5. Categorize by type: File Hash, IP, Domain, URL, Email Address
6. Tag with MITRE ATT&CK techniques where applicable
7. Assign confidence score: High (confirmed malicious), Medium (likely malicious), Low (suspicious)

Phase 4: Analysis

Apply confidence scoring to all intelligence products. Use the following definitions consistently across the team to ensure standardized assessment.

Level | Score | Criteria | Action
High | 80–100 | Multiple independent sources confirm, observed in active attacks, correlated with known threat actor | Block immediately, alert on detection
Medium | 40–79 | Single reliable source, associated with suspicious activity, matches known TTP patterns | Alert and investigate, consider blocking
Low | 1–39 | Single unverified source, aged intelligence, weak correlation | Monitor only, do not block
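
The seven Processing steps (normalize, deduplicate, age out, enrich, categorize, tag, score) and the score bands in the table above are mechanical enough to automate. The Python below is an added example written for this page, not tooling from the playbook: it runs the steps over a constructed feed and emits STIX 2.1-style indicator objects carrying the confidence level and handling action from the table. The raw record field names (value, source, last_seen, confidence, ttp), the x_-prefixed custom STIX properties and the sample values are assumptions made for the example; the 90-day freshness window and the score bands are the page's.

```python
# Added example, not the playbook's own tooling: Processing steps 1-7 over constructed
# feed records, with the Analysis score bands applied. Raw field names and the x_ custom
# STIX properties are assumptions.
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 4, tzinfo=timezone.utc)  # constructed "current" time

# Constructed feed records, in the shape two different sources might deliver them.
RAW_FEED = [
    {"value": "hxxp://malicious-domain[.]com/payload.exe", "source": "otx",
     "last_seen": "2024-05-01", "confidence": 85, "ttp": "T1105"},
    {"value": "MALICIOUS-DOMAIN.COM", "source": "urlhaus",
     "last_seen": "2024-05-02", "confidence": 60},
    {"value": "malicious-domain.com", "source": "otx",          # duplicate of the above
     "last_seen": "2024-04-28", "confidence": 70, "ttp": "T1071.001"},
    {"value": "203.0.113.50", "source": "isac",                 # stale: older than 90 days
     "last_seen": "2023-11-01", "confidence": 90},
    {"value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "source": "incident", "last_seen": "2024-05-03", "confidence": 95, "ttp": "T1204.002"},
    {"value": "phish@example.net", "source": "isac",
     "last_seen": "2024-05-03", "confidence": 30},
]

# Step 5: type patterns, most specific first (a URL would otherwise match the domain rule).
TYPE_PATTERNS = [
    ("URL", re.compile(r"^https?://", re.I)),
    ("Email Address", re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)),
    ("File Hash", re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)),
    ("IP", re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")),
    ("Domain", re.compile(r"^(?!-)[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)),
]
STIX_OBJECT = {"URL": "url:value", "Email Address": "email-addr:value",
               "IP": "ipv4-addr:value", "Domain": "domain-name:value"}
HASH_ALGO = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def normalize(value):
    """Step 1: undo defanging and fold case, except for URL paths, which are case-sensitive."""
    v = value.strip().replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")
    if "://" in v:
        scheme, rest = v.split("://", 1)
        host, sep, path = rest.partition("/")
        return f"{scheme.lower()}://{host.lower()}{sep}{path}"
    return v.lower()


def categorize(value):
    return next((name for name, pat in TYPE_PATTERNS if pat.match(value)), "Unknown")


def score_to_level(score):
    """Analysis table: numeric score band -> (level, handling action)."""
    if score >= 80:
        return "High", "Block immediately, alert on detection"
    if score >= 40:
        return "Medium", "Alert and investigate, consider blocking"
    return "Low", "Monitor only, do not block"


def stix_pattern(ioc_type, value):
    if ioc_type == "File Hash":
        return f"[file:hashes.'{HASH_ALGO[len(value)]}' = '{value}']"
    return f"[{STIX_OBJECT[ioc_type]} = '{value}']"


def process_feed(records, now=NOW, max_age_days=90):
    merged = {}
    for rec in records:
        value = normalize(rec["value"])
        seen = datetime.strptime(rec["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if now - seen > timedelta(days=max_age_days):
            continue                                   # Step 3: freshness
        e = merged.setdefault(value, {                 # Step 2: normalized value is the dedup key
            "value": value, "type": categorize(value), "sources": [],
            "first_seen": seen, "last_seen": seen, "score": 0, "techniques": set()})
        e["sources"].append(rec["source"])             # Step 4: merge sources, window, best score
        e["first_seen"], e["last_seen"] = min(e["first_seen"], seen), max(e["last_seen"], seen)
        e["score"] = max(e["score"], rec.get("confidence", 0))
        if rec.get("ttp"):
            e["techniques"].add(rec["ttp"])            # Step 6: ATT&CK tag
    out = []
    for e in merged.values():
        level, action = score_to_level(e["score"])     # Step 7
        out.append({"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
                    "pattern": stix_pattern(e["type"], e["value"]),
                    "valid_from": e["first_seen"].isoformat(), "confidence": e["score"],
                    "x_ioc_type": e["type"], "x_sources": e["sources"],
                    "x_attack_techniques": sorted(e["techniques"]),
                    "x_confidence_level": level, "x_recommended_action": action})
    return out
```

Running process_feed(RAW_FEED) yields four indicators: the URL and the domain are kept as separate IoCs (a URL match does not imply the whole domain is malicious), the two spellings of the domain collapse into one record with both sources and the higher score, and the IP aged out of the window is dropped before it can be enriched.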
Phase 5: Dissemination

Deliver intelligence products to the right consumers at the right time using the appropriate classification level. Follow TLP markings strictly.

Report Type | Audience | Frequency | Classification | Format
Tactical Alert | SOC Analysts | As needed | TLP:GREEN | 1-page brief
Daily Threat Brief | SOC Team | Daily | TLP:GREEN | Email/Dashboard
Weekly Intelligence Summary | Security Leadership | Weekly | TLP:AMBER | PDF Report
Strategic Intelligence Brief | CISO, CTO | Monthly | TLP:AMBER | Executive presentation
Threat Actor Profile | IR Team, SOC | As needed | TLP:AMBER | Detailed dossier
Campaign Tracking Report | SOC, IR, Management | As needed | TLP:RED | Restricted report

Phase 6: Feedback

Continuously improve the intelligence program by collecting structured feedback from consumers. Complete this checklist as part of each quarterly review cycle.

2 MDE Threat Analytics Integration

Microsoft Defender for Endpoint Threat Analytics provides curated intelligence reports with direct visibility into your tenant's exposure. Use this procedure to operationalize threat analytics data.

Threat Analytics Review Procedure

1. Navigate to Microsoft 365 Defender portal → Threat Analytics
2. Review "Latest Threats" for new threat analytics reports
3. For each relevant report, review: Analyst Report (detailed write-up), Impacted Assets (affected devices), Mitigations (recommended actions)
4. Check "Exposed Devices" count and identify specific devices at risk
5. Review and implement recommended mitigations
6. Create custom detection rules from threat analytics IoCs if not already covered
7. Update internal threat tracking with new intelligence

Threat Analytics Review Checklist

3 IoC Management via MDE APIs

Programmatically manage indicators of compromise in Microsoft Defender for Endpoint using the Threat Intelligence API. Automate IoC submission, lifecycle management, and hygiene.

API Reference

Action | Method | Endpoint | Required Permission | Notes
Submit Indicator | POST | /api/indicators | Ti.ReadWrite | Supports batch submission
List All Indicators | GET | /api/indicators | Ti.ReadWrite | Paginated, filter by type
Get Indicator by ID | GET | /api/indicators/{id} | Ti.ReadWrite | Returns full indicator detail
Update Indicator | PATCH | /api/indicators/{id} | Ti.ReadWrite | Update action, severity, etc.
Delete Indicator | DELETE | /api/indicators/{id} | Ti.ReadWrite | Soft delete, can be restored

IoC Types and Actions

IoC Type | Supported Actions | Example Value | Recommended TTL
FileSha1 | Alert, AlertAndBlock, Allowed, Audit, Block, Warn | a1b2c3d4... | 90 days
FileSha256 | Alert, AlertAndBlock, Allowed, Audit, Block, Warn | a1b2c3d4e5f6... | 90 days
IpAddress | Alert, AlertAndBlock, Allowed, Audit, Block, Warn | 203.0.113.50 | 30 days
DomainName | Alert, AlertAndBlock, Allowed, Audit, Block, Warn | malicious-domain.com | 60 days
Url | Alert, AlertAndBlock, Allowed, Audit, Block, Warn | https://evil.com/payload | 30 days
CertificateThumbprint | Alert, AlertAndBlock, Allowed, Block | AB:CD:EF:12... | 180 days

IoC Hygiene

Review and expire stale indicators monthly. Excessive indicators degrade endpoint performance. Target maximum 15,000 active indicators. Remove IoCs that have not triggered any detections in 60 days.
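
To put the TTL and hygiene rules into practice, here is an added Python example; it is not the playbook's or Microsoft's code. It builds a submission body for POST /api/indicators with expirationTime derived from the recommended TTL for the indicator type, so nothing is submitted without an expiry, and it runs the monthly hygiene pass over a listed indicator set: indicators already past their expiry, and indicators older than 60 days whose value never appears in the IndicatorDetected hunting results, are returned for deletion, along with a check against the 15,000 active-indicator target. The request and response field names are those of the public MDE Indicators API (indicatorValue, indicatorType, action, expirationTime, creationTimeDateTimeUtc); the sample indicator list, the detection set, the helper names and the placeholder SHA-1 value are constructed for the example.

```python
# Added example, not the playbook's or Microsoft's own code: Indicator API request bodies
# with the recommended TTLs, plus the monthly hygiene pass. Sample data is constructed.
import json
import urllib.request
from datetime import datetime, timedelta, timezone

API_BASE = "https://api.securitycenter.microsoft.com"
RECOMMENDED_TTL_DAYS = {"FileSha1": 90, "FileSha256": 90, "IpAddress": 30,
                        "DomainName": 60, "Url": 30, "CertificateThumbprint": 180}
MAX_ACTIVE_INDICATORS = 15_000   # target ceiling from the IoC Hygiene paragraph
STALE_AFTER_DAYS = 60            # remove if no detections in this window


def build_indicator(indicator_type, value, action, title, description,
                    now, severity="High", ttl_days=None):
    """Request body for POST /api/indicators. expirationTime follows the recommended TTL
    for the type unless the caller overrides it."""
    if indicator_type not in RECOMMENDED_TTL_DAYS:
        raise ValueError(f"unsupported indicator type: {indicator_type}")
    ttl = RECOMMENDED_TTL_DAYS[indicator_type] if ttl_days is None else ttl_days
    return {
        "indicatorValue": value,
        "indicatorType": indicator_type,
        "action": action,
        "title": title,
        "description": description,
        "severity": severity,
        "expirationTime": (now + timedelta(days=ttl)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "generateAlert": action != "Allowed",   # allow-list entries should stay silent
    }


def submit_indicator(token, body):
    """Live call (not exercised offline): token is an OAuth bearer token for an app
    registration holding the Ti.ReadWrite permission from the API reference above."""
    req = urllib.request.Request(
        f"{API_BASE}/api/indicators", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def parse_api_time(text):
    # The API returns ISO-8601 UTC, sometimes with fractional seconds; keep whole seconds.
    return datetime.strptime(text[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def hygiene_review(indicators, detected_values, now):
    """Monthly hygiene pass. `indicators` is the value array from GET /api/indicators;
    `detected_values` is the set of IndicatorValue strings returned by the IoC detections
    hunting query run over the last STALE_AFTER_DAYS days."""
    cutoff = now - timedelta(days=STALE_AFTER_DAYS)
    to_delete, expired = [], []
    for ind in indicators:
        if parse_api_time(ind["expirationTime"]) <= now:
            expired.append(ind["id"])                 # past its TTL but still listed
        elif (parse_api_time(ind["creationTimeDateTimeUtc"]) <= cutoff
              and ind["indicatorValue"] not in detected_values):
            to_delete.append(ind["id"])               # old enough to judge, never fired
    active = len(indicators) - len(expired)
    return {"delete": to_delete, "expired": expired, "active": active,
            "over_cap": active > MAX_ACTIVE_INDICATORS}


# Constructed sample: a trimmed GET /api/indicators response and a detection set.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INDICATORS = [
    {"id": "101", "indicatorValue": "203.0.113.50", "indicatorType": "IpAddress",
     "creationTimeDateTimeUtc": "2024-03-01T10:00:00.1234567Z",
     "expirationTime": "2024-12-01T00:00:00Z"},
    {"id": "102", "indicatorValue": "malicious-domain.com", "indicatorType": "DomainName",
     "creationTimeDateTimeUtc": "2024-03-15T09:30:00Z", "expirationTime": "2024-12-01T00:00:00Z"},
    {"id": "103", "indicatorValue": "https://evil.com/payload", "indicatorType": "Url",
     "creationTimeDateTimeUtc": "2024-05-20T12:00:00Z", "expirationTime": "2024-12-01T00:00:00Z"},
    {"id": "104", "indicatorValue": "SHA1-PLACEHOLDER", "indicatorType": "FileSha1",
     "creationTimeDateTimeUtc": "2024-01-01T00:00:00Z", "expirationTime": "2024-04-01T00:00:00Z"},
]
SAMPLE_DETECTIONS = {"malicious-domain.com"}   # constructed IndicatorDetected results
```

In the sample, indicator 101 is old and never fired, so it is proposed for deletion; 102 is equally old but has a detection and stays; 103 is too new to judge; 104 has already expired and is only counted out of the active total.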

4 Threat Hunting KQL Queries

Use these KQL queries in MDE Advanced Hunting to proactively hunt for threats based on CTI feeds, IoC matches, and behavioral indicators.

Hunt for Known Malicious File Hashes

Tags: Threat Hunting, IoC Matching

Search for files matching known malicious SHA256 hashes received from CTI feeds. Uses an inline datatable for quick IoC lookups without external data sources.

let maliciousHashes = datatable(SHA256:string, ThreatName:string) [
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "EmptyFile",
    "abc123def456...", "Cobalt Strike Beacon",
    "789xyz...", "Mimikatz Variant"
];
DeviceFileEvents
| where Timestamp > ago(30d)
| join kind=inner maliciousHashes on SHA256
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ThreatName,
         InitiatingProcessFileName, AccountName
| sort by Timestamp desc

Expected Output

Devices with files matching known malicious hashes, enriched with threat name, file location, and the process that created the file.

When to Use

When new IoC hashes are received from CTI feeds. Update the datatable with current indicators before running.

Hunt for C2 Domain Communication

Tags: Critical, Threat Hunting

Identify devices communicating with known command-and-control domains. Cross-references network events against a list of threat-actor-attributed C2 infrastructure.

let c2Domains = datatable(Domain:string, ThreatActor:string) [
    "evil-c2-server.com", "APT-Example",
    "malware-callback.net", "Ransomware-Group-X"
];
DeviceNetworkEvents
| where Timestamp > ago(14d)
| where isnotempty(RemoteUrl)
| where RemoteUrl has_any (c2Domains | project Domain)
// Attach the attributed actor from the list; the has_any filter above keeps this join small
| extend JoinKey = 1
| join kind=inner (c2Domains | extend JoinKey = 1) on JoinKey
| where RemoteUrl has Domain
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, ThreatActor,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

Expected Output

Devices communicating with known C2 domains, with the attributed threat actor, full network connection details and initiating process information.

When to Use

Proactive hunting against C2 infrastructure. Update domain list with current intelligence before running.

Hunt for Suspicious IP Connections

Tags: Investigation, Threat Hunting

Detect connections to suspicious IP addresses flagged by intelligence sources. Enriches results with context from the intelligence feed including traffic volume.

let suspiciousIPs = datatable(IP:string, Context:string) [
    "203.0.113.50", "Known C2 Infrastructure",
    "198.51.100.25", "Phishing Campaign Server"
];
DeviceNetworkEvents
| where Timestamp > ago(14d)
| where RemoteIP in (suspiciousIPs | project IP)
// Every remaining row has a list entry, so an inner join is enough to attach Context
| join kind=inner suspiciousIPs on $left.RemoteIP == $right.IP
| project Timestamp, DeviceName, RemoteIP, Context, RemotePort,
         InitiatingProcessFileName, SentBytes = tolong(SentBytes),
         ReceivedBytes = tolong(ReceivedBytes)
| sort by Timestamp desc

Expected Output

Connections to flagged IPs enriched with intelligence context, data transfer volumes, and responsible process details.

When to Use

When suspicious IPs are received from threat intelligence feeds or ISAC advisories.

Hunt for ATT&CK T1059 — Command & Scripting Interpreter

Tags: Critical, MITRE ATT&CK

Detect suspicious use of scripting interpreters with obfuscation or download indicators. Targets encoded commands, execution policy bypasses, and common living-off-the-land techniques.

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in ("powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "bash.exe")
| where ProcessCommandLine has_any (
    "-enc", "-EncodedCommand", "bypass", "hidden",
    "Invoke-Expression", "IEX", "downloadstring",
    "Net.WebClient", "Start-BitsTransfer",
    "certutil", "bitsadmin"
)
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
         AccountName, InitiatingProcessFileName
| sort by Timestamp desc

Expected Output

Suspicious use of scripting interpreters with command lines containing obfuscation, download cradles, or execution policy bypasses.

When to Use

Regular threat hunting for living-off-the-land techniques. Run weekly or when CTI indicates active campaigns using script-based payloads.

Correlate Threat Analytics with Device Activity

Tags: Investigation, Threat Analytics

Correlate MDE alerts tagged with specific ATT&CK techniques against device activity. Identifies devices with the highest concentration of technique-specific alerts.

AlertInfo
| where Timestamp > ago(7d)
| where AttackTechniques has_any ("T1059", "T1547", "T1003")
| join kind=inner AlertEvidence on AlertId
| where EntityType == "Machine"
| summarize AlertCount = count(),
            Titles = make_set(Title),
            Techniques = make_set(AttackTechniques)
    by DeviceName, Severity
| sort by AlertCount desc

Expected Output

Devices ranked by alert count for specified ATT&CK techniques, with alert titles and severity for prioritization.

When to Use

After reviewing Threat Analytics reports to identify which devices in your tenant are most affected by specific threats.

IoC Indicator Detections (Last 24h)

Tags: Critical, IoC Matching

Review all IoC indicator detections from the past 24 hours. Shows which submitted indicators triggered on endpoints, including the action taken and initiating process.

DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "IndicatorDetected"
| project Timestamp, DeviceName,
         IndicatorValue = tostring(AdditionalFields.IndicatorValue),
         IndicatorType = tostring(AdditionalFields.IndicatorType),
         IndicatorAction = tostring(AdditionalFields.IndicatorAction),
         InitiatingProcessFileName
| sort by Timestamp desc

Expected Output

All IoC detections with indicator value, type (hash, IP, domain, URL), action taken (alert, block), and the process that triggered the detection.

When to Use

Daily monitoring to validate IoC effectiveness and identify active threats matching submitted indicators.

Detect New Potential C2 Beaconing Patterns

Tags: Critical, Threat Hunting

Identify potential C2 beaconing by detecting regular-interval connections to public IPs. Looks for patterns consistent with ~60-second beacon intervals commonly used by implants.

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
// prev() is a window function: it needs serialized (sorted) input and cannot be used
// inside summarize, and a gap only means something within one device/destination/process
// series, so sort by the series key first and null out gaps that cross series boundaries
| sort by DeviceName asc, RemoteIP asc, InitiatingProcessFileName asc, Timestamp asc
| extend SeriesKey = strcat(DeviceName, "|", RemoteIP, "|", InitiatingProcessFileName)
| extend Interval = iff(SeriesKey == prev(SeriesKey),
                        datetime_diff('second', Timestamp, prev(Timestamp)), long(null))
| summarize ConnectionCount = count(),
            AvgInterval = avg(Interval)
    by DeviceName, RemoteIP, InitiatingProcessFileName, bin(Timestamp, 1h)
| where ConnectionCount > 20
| where AvgInterval between (50 .. 70) // Regular 60-second beaconing
| sort by ConnectionCount desc

Expected Output

Devices exhibiting regular-interval connections to public IPs that match beaconing patterns, with connection counts and average intervals.

When to Use

Proactive threat hunting for undiscovered C2 channels. Adjust the interval range based on known implant beacon configurations.
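
As an added example that is not part of the playbook, the following Python applies the same test to exported connection events offline and adds one refinement the query does not have: a jitter check using the coefficient of variation of the intervals, so a process that connects in bursts with the same 60-second mean is not reported as a beacon. The events, device names and process names are constructed; the minimum count, interval band and jitter ceiling are parameters so they can be tuned to known implant configurations as the note above suggests.

```python
# Added example, not the playbook's own code: beacon-interval detection over constructed
# connection events, with a jitter (coefficient of variation) test on top of the mean.
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

START = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)   # constructed start time


def make_series(device, ip, process, gaps_seconds):
    """Construct (Timestamp, DeviceName, RemoteIP, InitiatingProcessFileName) events
    separated by the given gaps, in the order given."""
    events, t = [], START
    for gap in gaps_seconds:
        t += timedelta(seconds=gap)
        events.append((t, device, ip, process))
    return events


SAMPLE_EVENTS = (
    # 25 connections at 60 s with +/-2 s jitter: the pattern we want flagged
    make_series("WS-001", "203.0.113.50", "svchost.exe", [58, 60, 62, 60] * 6 + [60])
    # 25 connections whose mean gap is also 60 s but alternate 5 s / 115 s: bursty, not a beacon
    + make_series("WS-002", "198.51.100.25", "chrome.exe", [5, 115] * 12 + [5])
    # 5 perfectly regular connections: too few to judge
    + make_series("WS-003", "203.0.113.50", "outlook.exe", [60] * 5)
)


def find_beacons(events, min_count=20, interval_range=(50, 70), max_cv=0.2):
    """Group events by (device, remote IP, process), compute the gaps between consecutive
    events in each series, and report series that are frequent enough, whose mean gap is
    inside the band, and whose gaps are regular (low coefficient of variation)."""
    series = defaultdict(list)
    for ts, device, ip, process in events:
        series[(device, ip, process)].append(ts)
    hits = []
    for key, stamps in series.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if interval_range[0] <= mean <= interval_range[1] and cv <= max_cv:
            hits.append({"device": key[0], "remote_ip": key[1], "process": key[2],
                         "connections": len(stamps), "avg_interval": round(mean, 1),
                         "jitter_cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["connections"], reverse=True)
```

With the defaults only WS-001 is reported; relaxing max_cv to 1.0 lets the bursty WS-002 series through, which is exactly the false positive the mean-only check in the query would produce.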

5 MITRE ATT&CK Mapping

Map observed threat behaviors and MDE alert categories to the MITRE ATT&CK framework for standardized threat documentation, detection gap analysis, and threat actor attribution.

Mapping Procedure

1. Identify observed behaviors from MDE alerts and investigation
2. Map each behavior to ATT&CK technique(s) using the Enterprise Matrix
3. Document the specific sub-technique where applicable (e.g., T1059.001 for PowerShell)
4. Record evidence supporting the mapping (alert ID, KQL query results, artifacts)
5. Update the organization's ATT&CK Navigator heat map
6. Cross-reference with known threat actor profiles for attribution support
7. Identify gaps in detection coverage for observed tactics

MDE Alert Category to ATT&CK Mapping

MDE Alert Category | ATT&CK Tactic | Common Techniques | Detection Source
Initial Access | Initial Access (TA0001) | T1566 Phishing, T1190 Exploit Public-Facing App | Email events, Network events
Execution | Execution (TA0002) | T1059 Command & Scripting, T1204 User Execution | Process events
Persistence | Persistence (TA0003) | T1547 Boot/Logon Autostart, T1053 Scheduled Task | Registry, File events
Privilege Escalation | Privilege Escalation (TA0004) | T1068 Exploitation, T1134 Access Token Manipulation | Process events
Defense Evasion | Defense Evasion (TA0005) | T1055 Process Injection, T1036 Masquerading | Image load, Process events
Credential Access | Credential Access (TA0006) | T1003 OS Credential Dumping, T1558 Kerberos | Process, Device events
Discovery | Discovery (TA0007) | T1087 Account Discovery, T1082 System Info | Process events
Lateral Movement | Lateral Movement (TA0008) | T1021 Remote Services, T1570 Lateral Tool Transfer | Logon, Network events
Collection | Collection (TA0009) | T1560 Archive Data, T1005 Data from Local System | File, Process events
Command and Control | C2 (TA0011) | T1071 Application Layer Protocol, T1095 Non-App Layer | Network events
Exfiltration | Exfiltration (TA0010) | T1041 Exfil Over C2, T1567 Exfil Over Web Service | Network events
Impact | Impact (TA0040) | T1486 Data Encrypted for Impact, T1489 Service Stop | File, Process events

6 Report Templates

Standardized templates for threat intelligence products. Use these templates to ensure consistency across all intelligence outputs and facilitate rapid dissemination.

Tactical Alert Template

Tactical Alert
TLP CLASSIFICATION: [TLP:GREEN / TLP:AMBER / TLP:RED]
DATE: [YYYY-MM-DD]
TITLE: [Brief descriptive title]
SUMMARY: [2-3 sentence overview of the threat]
THREAT ACTOR: [Name or "Unknown" with cluster designation]
TARGET SECTORS: [Industries/sectors targeted]
TTPs (MITRE ATT&CK): [Technique IDs and names]
INDICATORS OF COMPROMISE: [Table: Type | Value | Context]
RECOMMENDED ACTIONS: [Numbered list of actions]
REFERENCES: [Source links]
ANALYST | CONFIDENCE: [Name] | [High/Medium/Low]

Strategic Intelligence Brief

Strategic Intelligence Brief
CLASSIFICATION: [TLP level]
PERIOD: [Reporting period]
EXECUTIVE SUMMARY: [3-5 sentence landscape overview]
KEY TRENDS: [Bulleted trend analysis]
THREAT ACTOR UPDATES: [New/changed actor activity]
EMERGING THREATS: [New TTPs, vulnerabilities, campaigns]
INDUSTRY IMPACT: [Relevance to organization's sector]
RISK ASSESSMENT: [Current risk posture evaluation]
RECOMMENDED STRATEGIC ACTIONS: [Long-term recommendations]
OUTLOOK: [Prediction for next reporting period]

Threat Actor Profile

Threat Actor Profile
ACTOR NAME: [Primary name and aliases]
ALSO KNOWN AS: [Alternative designations]
ORIGIN: [Assessed country/region of origin]
MOTIVATION: [Financial, Espionage, Hacktivism, Destruction]
TARGET SECTORS: [Industries targeted]
TARGET REGIONS: [Geographies targeted]
ACTIVE SINCE: [First observed date]
LAST ACTIVITY: [Most recent observed activity]
TTPs SUMMARY: [Key MITRE ATT&CK techniques]
KNOWN TOOLS: [Malware, frameworks, utilities used]
IoCs: [Table of key indicators]
ASSESSMENT: [Analyst assessment of threat level to org]

Campaign Tracking

Campaign Tracking Report
CAMPAIGN ID: [Internal tracking ID]
CAMPAIGN NAME: [Descriptive name]
ATTRIBUTED TO: [Threat actor or "Unattributed"]
STATUS: [Active / Concluded / Monitoring]
FIRST OBSERVED: [Date]
LAST OBSERVED: [Date]
TARGET: [Who is being targeted]
ATTACK VECTOR: [Initial access method]
OBJECTIVE: [Assessed goal of campaign]
IoCs: [Table of campaign-specific indicators]
TIMELINE: [Key events in chronological order]
ORGANIZATIONAL EXPOSURE: [Are we affected? How?]
ACTIONS TAKEN: [What we've done in response]

7 Microsoft Threat Intelligence Integration

Leverage Microsoft's native threat intelligence capabilities within Defender for Endpoint to enhance detection, investigation, and response. This section covers integration procedures for maximizing the value of Microsoft TI data.

Integration Procedure

1. Ensure Microsoft Threat Intelligence data connector is enabled in Defender XDR
2. Navigate to Threat Intelligence → Intel Profiles to review Microsoft's threat actor tracking
3. Check Threat Analytics for reports matching organizational risk profile
4. Leverage Microsoft TI enrichment in Advanced Hunting by joining with ThreatIntelligenceIndicator table
5. Configure automated actions for high-confidence Microsoft TI indicators
6. Review Microsoft Security Blog and MSRC for emerging threat intelligence
7. Correlate Microsoft TI with internal observations for higher confidence assessments

Microsoft Threat Intelligence

Microsoft Threat Intelligence provides enriched context on threat actors, campaigns, and tools. This data is automatically integrated into MDE alerts and can be queried via Advanced Hunting for proactive threat hunting.