Listen to this Post

Introduction:
Open-source intelligence (OSINT) has long been a cornerstone of proactive cyber defense, but manually sifting through disparate threat reports wastes critical time. Microsoft Defender for Endpoint now integrates curated OSINT articles directly alongside its native Threat Analytics reports, merging external intelligence with Microsoft’s own activity profiles and tracked actor data. This unified view empowers security teams to correlate real-time alerts with community-sourced insights, accelerating threat validation and incident response.
Learning Objectives:
- Navigate and consume OSINT articles within Microsoft Defender’s Threat Analytics preview.
- Leverage PowerShell, KQL, and CLI tools to automate OSINT feed extraction and enrichment.
- Build custom detection rules by fusing Microsoft-authored threat intelligence with external indicators.
You Should Know:
- Accessing the New OSINT Hub in Microsoft Defender
The post highlights three critical URLs that form the backbone of Defender’s integrated threat intelligence. The direct portal for OSINT articles (https://lnkd.in/dr_fVyac) is now in preview, allowing you to read curated, actionable intelligence from open sources alongside Microsoft’s own research. Microsoft-authored articles and activity profiles (https://lnkd.in/drRuBiQk) provide vetted adversary behavior patterns, while the tracked actors repository (https://lnkd.in/d8cQw6Qc) lists active threat groups with TTPs.
Step‑by‑step guide to enable and use:
- Log into Microsoft 365 Defender portal (security.microsoft.com) with Global Reader or Security Admin rights.
- Navigate to Threat analytics > OSINT articles (preview) – if not visible, ensure your tenant has opted into preview features under Settings > Microsoft 365 Defender > Preview features.
- Click any OSINT article to view summary, IOCs, and related Microsoft-authored reports. Use the “Compare with tracked actors” side panel to correlate open‑source findings with Microsoft’s attribution.
- To automate access, generate an API token via Azure AD App Registration with permissions for
ThreatIntelligence.Read.All. Use PowerShell to pull article metadata:
PowerShell script to list OSINT articles via Defender API
$tenantId = "your-tenant-id"
$clientId = "your-app-id"
$clientSecret = "your-secret" | ConvertTo-SecureString -AsPlainText -Force
$token = Get-MsalToken -ClientId $clientId -TenantId $tenantId -ClientSecret $clientSecret -Scopes "https://api.security.microsoft.com/.default"
$headers = @{Authorization = "Bearer $($token.AccessToken)"}
$uri = "https://api.security.microsoft.com/api/threatanalytics/osintarticles"
Invoke-RestMethod -Uri $uri -Headers $headers | ConvertTo-Json -Depth 10
On Linux, use `curl` with the same Bearer token after obtaining it via `msal-cli` or `jq` for parsing.
2. Extracting IOCs from OSINT Articles Using KQL
Once you have OSINT articles in Defender, you can directly hunt for indicators of compromise across your endpoints using Kusto Query Language (KQL). Microsoft automatically maps many OSINT-derived IOCs (IPs, domains, hashes) to the `IdentityInfo` and `DeviceNetworkEvents` tables.
Step‑by‑step hunting guide:
- From any OSINT article, click “Hunt with KQL” – this opens a custom query template.
- Example query to find connections to a malicious IP listed in an OSINT article:
// Replace <malicious_ip> with IOC from OSINT article let MaliciousIP = "185.130.5.253"; DeviceNetworkEvents | where RemoteIP == MaliciousIP | project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName | order by Timestamp desc
- For hash-based hunting (e.g., SHA256 from OSINT), use:
let MaliciousHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"; DeviceProcessEvents | where SHA256 == MaliciousHash | project Timestamp, DeviceName, FileName, ProcessCommandLine
- Save custom detection rules by navigating to Investigation & response > Custom detection and creating an alert based on the KQL query. Set frequency to daily and response actions to isolate infected devices.
-
Automating OSINT Feed Enrichment with Microsoft Graph API
To scale OSINT consumption, integrate the Defender OSINT API into your SOAR playbooks. Microsoft Graph API (beta endpoint) now supports security/threatIntelligence/osintArticles. This allows you to pull fresh articles every hour and cross‑correlate with your SIEM.
Step‑by‑step automation (Windows/Linux):
- Register an Azure AD app and grant `ThreatIntelligence.Read.All` (application permission).
- Use Python to fetch articles and parse IOCs:
import requests
import json
tenant = "your_tenant_id"
client_id = "your_client_id"
client_secret = "your_secret"
Obtain token
url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
data = {
"client_id": client_id,
"client_secret": client_secret,
"scope": "https://api.security.microsoft.com/.default",
"grant_type": "client_credentials"
}
token_resp = requests.post(url, data=data).json()
access_token = token_resp["access_token"]
Fetch OSINT articles
headers = {"Authorization": f"Bearer {access_token}"}
api_url = "https://api.security.microsoft.com/api/threatanalytics/osintarticles"
articles = requests.get(api_url, headers=headers).json()
Extract domains and IPs
iocs = []
for article in articles.get("value", []):
for indicator in article.get("indicators", []):
if indicator["type"] in ["ip", "domain"]:
iocs.append(indicator["value"])
print(f"Found {len(iocs)} IOCs")
- Schedule this script as a Windows Task Scheduler task or Linux cron job (
crontab -e;0 /usr/bin/python3 /opt/osint_fetcher.py). - Forward extracted IOCs to your firewall or EDR via API (e.g., using `Invoke-RestMethod` for Defender for Endpoint indicators).
4. Hardening Cloud Defenses with OSINT-Derived Indicators
OSINT articles often reveal infrastructure used in active campaigns – cloud IP ranges, malicious OAuth apps, or phishing domains. Use these to harden Azure AD and conditional access policies.
Step‑by‑step cloud hardening:
- From an OSINT article, note any IP addresses associated with adversary C2. Create a named location in Azure AD: Azure AD > Security > Conditional Access > Named locations > New IP ranges location.
- Add the malicious IP block as a “blocked” location. Then create a Conditional Access policy:
– Assign to all users.
– Under Conditions > Locations > Include “Any location” and exclude trusted corporate IPs, then add the malicious named location.
– Set Access controls > Block access.
3. For OAuth app threats (e.g., consent phishing articles), use Microsoft Graph PowerShell to audit and block apps:
Connect-MgGraph -Scopes "Application.Read.All", "Policy.ReadWrite.Authorization"
Get-MgServicePrincipal | Where-Object { $_.DisplayName -match "suspicious" } | Remove-MgServicePrincipal
- Enable App consent policies in Azure AD to restrict user consent to verified publishers only – a common mitigation highlighted in OSINT reports.
5. Exploitation & Mitigation: Simulating OSINT-Based TTPs
To validate your defenses, emulate techniques described in OSINT articles. For instance, if an article details a new phishing delivery method (e.g., HTML smuggling), use Atomic Red Team or Caldera to test detection.
Step‑by‑step simulation (Linux attacker VM, Windows target):
- Download Atomic Red Team: `git clone https://github.com/redcanaryco/atomic-red-team.git`
- Navigate to the technique matching the OSINT article (e.g., T1566.001 – Phishing). Run on Windows:
PowerShell as Admin cd C:\atomic-red-team\atomics\T1566.001 Import-Module .\Invoke-AtomicRedTeam.psd1 Invoke-AtomicTest T1566.001 -TestNumbers 1
- Monitor Defender for Endpoint alerts: The simulation should generate an alert that includes the OSINT article reference if detection rules are up to date.
- Mitigation: If detection fails, create a custom indicator in Defender via PowerShell:
$indicator = New-Object -TypeName Microsoft.OpenAPIGraph.IntelligentSecurity.Models.Indicator $indicator.Value = "example-malicious-domain.com" $indicator.Action = "Block" New-MpThreatIndicator -Indicator $indicator
6. Correlating OSINT with Tracked Actors
The post’s third URL (https://lnkd.in/d8cQw6Qc) lists tracked actors. Use this to map OSINT articles to specific threat groups (e.g., APT28, Lazarus). This enriches incident response with known TTPs.
Step‑by‑step correlation:
- Open the tracked actors portal and search for an actor mentioned in an OSINT article.
- Export actor TTPs as JSON: Use browser DevTools to capture the API response or manually document MITRE ATT&CK techniques.
- Write a KQL query to hunt for those techniques across your environment:
// Hunt for registry persistence (T1547) used by actor
DeviceRegistryEvents
| where RegistryKey contains "Run" or RegistryKey contains "RunOnce"
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe")
| project Timestamp, DeviceName, RegistryKey, RegistryValueData
- Create an alert rule that triggers when an OSINT article mentions a tracked actor and that actor’s TTPs are observed on a high-value asset. Use Logic Apps to send a critical Slack alert.
-
Training Course Integration: Build Your Own OSINT-to-Defender Pipeline
For blue teams seeking deeper skills, design a training module around these APIs. Recommended self‑study path:
– Microsoft Learn: “Threat intelligence in Microsoft 365 Defender” module.
– Practice with the “MS-500” security administration labs.
– Build a real‑time dashboard using Power BI that queries the OSINT API and Defender advanced hunting.
Linux/Windows command example to test connectivity:
Linux: Test API endpoint with curl curl -X GET "https://api.security.microsoft.com/api/threatanalytics/osintarticles" -H "Authorization: Bearer $TOKEN" | jq '.value[].title'
:: Windows: Use PowerShell to count articles
powershell -Command "(Invoke-RestMethod -Uri 'https://api.security.microsoft.com/api/threatanalytics/osintarticles' -Headers @{Authorization=('Bearer '+$env:TOKEN)}).value.Count"
What Undercode Say:
- Key Takeaway 1: Microsoft Defender’s OSINT integration eliminates tool sprawl by embedding community intelligence directly into native analytics, reducing mean time to detection (MTTD) by hours.
- Key Takeaway 2: Automating OSINT feed retrieval via Graph API and KQL hunting transforms reactive alert triage into proactive threat hunting – but requires strict API credential management and conditional access policies to avoid leaking sensitive telemetry.
The convergence of open-source intelligence with first‑party threat analytics marks a paradigm shift: defenders no longer choose between speed and depth. By consuming OSINT articles alongside Microsoft’s vetted activity profiles, teams can spot emerging campaigns before signature updates land. However, the real power lies in automation – scheduled scripts that pull IOCs and push them into custom detection rules create a living, breathing defense layer. As adversaries increasingly use ephemeral infrastructure, this OSINT-to-action pipeline becomes non‑negotiable. The featured URLs are not just bookmarks; they are your new threat intelligence API endpoints. Start by exploring the OSINT preview today, then build the hunting queries that turn raw articles into incident response wins.
Prediction:
Within 12 months, Microsoft will expand this OSINT integration to include real‑time feeds from commercial threat intel providers (e.g., Recorded Future, CrowdStrike) and enable bidirectional sharing – allowing Defender users to submit their own anonymized detections back into the OSINT repository. This will create a community‑driven threat intelligence loop, but will also demand robust validation layers to prevent false indicator poisoning. Organizations that master the API and KQL workflows now will gain a decisive advantage in the coming wave of AI‑generated, polymorphic threats.
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Markolauren Osint – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


