Using tags

Microsoft Defender Threat Intelligence (Defender TI) tags are used to provide quick insight about an artifact, whether derived by the system or generated by other users. Tags aid analysts in connecting the dots between current incidents and investigations and their historical context for improved analysis.

The Defender TI platform offers two types of tags: system and custom tags.


Prerequisites

  • A Microsoft Entra ID or personal Microsoft account. Sign in or create an account.
  • A Microsoft Defender Threat Intelligence (Defender TI) Premium license.

    Note

    Users without a Defender TI Premium license will still be able to log into the Defender Threat Intelligence Portal and access our free Defender TI offering.

System tags

These tags are automatically generated by the platform for users to guide their analysis and require no input or effort on the user's part.

System tags can include:

  • Routable: indicates that the artifact is accessible.
  • ASN: pulls an abbreviated portion of the IP address's ASN description into a tag, giving analysts context on which organization the IP address belongs to.
  • Dynamic: indicates that the domain is hosted by a dynamic DNS service such as No-IP or Change IP.
  • Sinkhole: indicates that the IP address is a research sinkhole operated by a security organization to study attack campaigns. Domains resolving to a sinkhole share that IP only because they were sinkholed, so they are not directly connected to each other and should not be pivoted on as related infrastructure.


Custom tags

Custom tags in Defender TI bring context to indicators of compromise (IOCs) and simplify analysis by identifying domains that are known bad from public reporting or that have been categorized by your company's analysts. These tags are created manually by users based on their own investigations, and they let users share key insights about an artifact with other Defender TI Premium license users within their tenant.


Adding, Modifying, and Removing Tags

Users can add their own custom tags to the tag cluster by entering them into the tag bar. These tags are visible to the individual user and, if the organization is a Defender TI customer, to the user's team members. Tags entered into the system are private to the tenant and are not shared with the larger community.

Just as users can add tags, they can also modify or remove them. Once a tag is added by a user, it can be modified or removed by that same user or by any other licensed user within their enterprise organization, which allows easy collaboration across the security team.

  1. Access the Defender Threat Intelligence Portal.

  2. Complete Microsoft authentication to access the portal.

  3. Search for the indicator you want to tag in the Threat Intelligence search bar.

  4. Select the ‘Edit Tags’ drop-down in the upper left-hand corner of the Defender TI portal.


  5. Add any tags you would like to associate with this indicator.

    Note

    Press the Tab key after each tag to start entering the next one.

  6. Once all your tags have been added, save your changes by selecting the Save button.


  7. To edit tags later, repeat steps 3 and 4 to reopen the indicator's tag editor. Remove a tag by selecting the ‘X’ at the end of the tag name, or add new tags as in step 5.

  8. Save your changes.

Viewing and Searching Tags

Users can view tags that were added by themselves or others within their tenant after searching an IP, domain, or host artifact.


  1. Access the Defender Threat Intelligence Portal.

  2. Complete Microsoft authentication to access the portal.

  3. Search against custom tags by selecting the Tag search type in the Threat Intelligence search bar drop-down and entering the tag value. The results list every indicator in your tenant that carries that same tag value.

Common Tag Use Case Workflow

Let’s say a triage analyst investigates an incident and finds that it is related to phishing. That analyst can add “phish” as a tag to the indicators of compromise related to that incident. Later, the incident response and threat hunting team can analyze those indicators further and work with their cyber threat intelligence counterparts to identify which actor group was responsible for the phishing incident. They can then add an “[actor name]” tag to those indicators, or tag the infrastructure that links them to other related indicators, for example with a “[SHA-1 hash]” custom tag. Because tags are searchable, a later investigator who finds one of these indicators can pivot on the “phish” or “[actor name]” tag to recover the full set of related indicators and the context the earlier teams recorded.

Next steps

For more information, see: