
Microsoft opens up Defender threat intel library with file hash, URL search

Surprised there's no ChatGPT angle and that it's not called MalwareTotal

Security researchers and analysts can now search Microsoft's Defender Threat Intelligence database by file hash and URL when pulling together information for network intrusion investigations and similar work.

The capabilities, unveiled on Monday, are the latest for a platform designed to aggregate information about malware and other malicious stuff from multiple and disparate streams to give researchers a single place to analyze reams of threat intelligence.

You know, kinda like Google-owned VirusTotal.

"Often, analysts must go to multiple repositories to obtain the critical data sets they need to assess a suspicious domain, host, or IP address," Redmond wrote earlier about Defender Threat Intelligence, aka Defender TI.

"DNS data, WHOIS information, malware, and SSL certificates provide important context to indicators of compromise (IOCs), but these repositories are widely distributed and don't always share a common data structure, making it difficult to ensure analysts have all relevant data needed to make a proper and timely assessment of suspicious infrastructure."

Defender Threat Intelligence, we note, runs both static analysis (examining a file's code without executing it) and dynamic analysis (executing it in a controlled environment) against files and URLs, whether those originate inside Microsoft's environment or outside it.

"This dual approach enables Defender TI to identify and categorize potential threats using static analysis techniques and detect and analyze actual behavior using dynamic analysis techniques," Dennis Mercer, senior program manager at Microsoft, said this week about the service.

With the added search capability, researchers can enter a file hash or a URL into the search bar and Microsoft's system will return whatever threat intelligence it already holds, or can derive through analysis, about that indicator, displaying it under the Summary tab, which includes the indicator's reputation score and basic information.

The Data tab gives more details from Defender Threat Intelligence, such as what rules were triggered to contribute to the malicious reputation score.
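Before an analyst can use a search bar like the one described above, the indicator has to be in the form the platform indexes: a lower-case hex digest of the right length, or a URL with the usual defanging (hxxp, [.]) undone. The helper below is an added example, not Microsoft's code, and it does not call any Defender TI API; it only prepares constructed sample indicators for a manual lookup. The sample bytes and URLs are made up for illustration.

```python
"""Prepare file-hash and URL indicators for lookup in a threat-intelligence
portal such as Defender TI.  Added example, not Microsoft's code; it does not
call any Defender TI API, it only normalises what you would paste into the
search bar.  All sample data below is constructed."""
import hashlib
import re

# Hex-digest lengths of the hash types TI platforms commonly index.
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def file_hashes(data: bytes) -> dict:
    """Return the md5/sha1/sha256 hex digests of a file's bytes, all lower-case."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_type(value: str):
    """Classify a hex string as md5/sha1/sha256 by length; None if it is not a hex digest."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return _HASH_LENGTHS.get(len(v))


def refang_url(url: str) -> str:
    """Undo common defanging (hxxp, [.], (.), {.}, [:]) so the URL matches what the platform stores."""
    u = url.strip()
    # hxxp:// -> http://, hxxps:// -> https:// (case-insensitive prefix only)
    u = re.sub(r"^hxxp", "http", u, flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        u = u.replace(defanged, real)
    return u


def classify_indicator(value: str) -> tuple:
    """Return (kind, normalised_value): kind is 'hash', 'url', or None if unrecognised."""
    if hash_type(value):
        return ("hash", value.strip().lower())
    u = refang_url(value)
    if re.match(r"^https?://", u, re.IGNORECASE):
        return ("url", u)
    return (None, value)


if __name__ == "__main__":
    # Constructed sample: a fake PE-like blob, not real malware.
    sample = b"MZ\x90\x00" + b"constructed sample bytes for illustration" * 4
    for algo, digest in file_hashes(sample).items():
        print(f"{algo}: {digest}  ({hash_type(digest)})")
    # Constructed, defanged indicators as they might arrive in a report.
    for ioc in ("hxxps://evil[.]example[.]net/a.exe", "D41D8CD98F00B204E9800998ECF8427E", "not-an-ioc"):
        print(ioc, "->", classify_indicator(ioc))
```

Run it on the real file or report text you are triaging; the lower-case digest or refanged URL it prints is what goes into the search bar. Hash-length classification is a sanity check only: a 64-hex-character string could be something other than a SHA-256, so treat an empty result on the platform as "unknown", not "clean".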

"This provides a straightforward way to obtain insights about the file hash or URL and any associated links to intelligence articles where the file hash or URL has been listed as an Indicator of Compromise," Mercer described, adding that the new capability has been a "top customer-requested feature."

"With this information, security professionals can better understand potential threats and take appropriate action to protect their organization."

Microsoft launched Defender Threat Intelligence, along with Defender External Attack Surface Management, in August 2022, with both platforms including technology from cybersecurity firm RiskIQ, which Redmond bought a year earlier for $500 million.

The software behemoth, through its security tools and operating system base, gathers massive amounts of signal and threat intelligence. Redmond is increasingly using its products and cloud security features in Azure to process that intelligence and make it more easily available to threat hunters and security operations centers (SOCs). ®
