Microsoft Defender Threat Intelligence Blog

New at Ignite: Unified Threat Intelligence Experience in Security Copilot

Mike_Browning
Nov 19, 2024

The Security Copilot team is continuously enhancing the threat intelligence (TI) capabilities in Copilot. At Microsoft Ignite 2024, we are announcing several innovations that provide a more comprehensive and integrated TI experience for customers; some are generally available and some are in public preview, as noted in each section below. Security Copilot customers can now build a "360-degree" view of threats by tapping into a wider range of TI sources, gaining more insight into attacker tooling and methodology and into how those threats may impact their organization. 

Below, we’ll cover these innovations in more detail.  

Now Public Preview: MDTI Indicator Data 

Ten new indicator skills can now draw on the full corpus of raw and finished threat intelligence in MDTI to link any indicator of compromise (IoC) to all related data and content. This gives analysts critical context on an attack and enables advanced research and preemptive hunting that give defenders a head start on adversaries. The underlying technique, automated infrastructure chaining, lets an analyst or threat hunter follow the relationships between connected data sets, which is how an investigation into an event or incident on the network is started and then expanded.

These skills call upon two main categories of threat intelligence: 

In-depth Indicators data: Security Copilot can now automatically link any IoC to all the threat intelligence associated with it in MDTI, including intel profiles, articles, and summary data such as detonation and reputation information from Microsoft's file and URL analysis. This context is critical when responding to an incident, because it gives instant information on the attacker and the nature of the attack. It also helps level up analysts by surfacing the next steps MDTI recommends, so they can handle the incident quickly and efficiently.  

Indicators metadata: Security Copilot can link any IoC to associated infrastructure across the internet via MDTI's internet data sets. These data sets are built by collecting and analyzing internet data at global scale and comprise core and derived data sets. Core data sets include Resolutions, WHOIS information, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services. Derived data sets include Trackers, Components, Host Pairs, and Cookies. By linking an IoC to related infrastructure, analysts can connect related threat activity and uncover new threat tooling before it is used against the organization. 


In this example, you can see an indicator has been linked to several IP addresses, two articles, and three intel profiles. Copilot has also pulled up its reputation, WHOIS, and passive DNS data.
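The infrastructure chaining described above is easiest to understand as a graph walk: each data set (Resolutions, WHOIS, SSL Certificates, and so on) is a pivot that turns one indicator into its neighbours, and the analyst expands outward from a seed IoC. The following is an added example, not Microsoft code and not the MDTI or Security Copilot API; it models three of the pivots the post names (passive DNS resolutions, WHOIS registrant contact, SSL certificate reuse) over constructed sample data (RFC 5737 documentation IP ranges and .example names) and adds the check a practitioner needs in practice: an IP with hundreds of reverse resolutions is shared hosting and must not be pivoted through, or the chain fills with unrelated tenants.

```python
"""Infrastructure chaining over threat-intelligence data sets (added example).

Not Microsoft code and not the MDTI or Security Copilot API. Models a few of
the pivots the post names (Resolutions, WHOIS, SSL Certificates) as graph
edges and expands a seed indicator breadth-first. All data is constructed.
"""
from collections import deque

# Constructed sample data. Resolutions: domain -> IPs seen in passive DNS.
RESOLUTIONS = {
    "login-portal.example":    ["203.0.113.10"],
    "secure-update.example":   ["203.0.113.10", "198.51.100.7"],
    "cdn-static.example":      ["198.51.100.7", "192.0.2.1"],
    "unrelated-shop.example":  ["192.0.2.50"],
    "mass-hosted-bad.example": ["192.0.2.1"],
}
# 192.0.2.1 is a shared host with hundreds of unrelated tenants.
RESOLUTIONS.update({f"tenant{i}.shared.example": ["192.0.2.1"] for i in range(400)})

# WHOIS: domain -> registrant contact (constructed).
WHOIS = {
    "login-portal.example":   "ops@regmail.example",
    "secure-update.example":  "ops@regmail.example",
    "unrelated-shop.example": "shop@regmail.example",
}

# SSL certificates: IP -> SHA-1 of the certificate it served (constructed).
CERTS = {
    "203.0.113.10": "3f8c0b5e9c6a2d1f4b7e8a9c0d1e2f3a4b5c6d7e",
    "198.51.100.7": "3f8c0b5e9c6a2d1f4b7e8a9c0d1e2f3a4b5c6d7e",  # same cert reused
    "192.0.2.50":   "9a1b2c3d4e5f60718293a4b5c6d7e8f901234567",
}

def _invert(mapping):
    """Build the reverse index so every pivot can be walked in both directions."""
    out = {}
    for key, vals in mapping.items():
        for v in (vals if isinstance(vals, list) else [vals]):
            out.setdefault(v, []).append(key)
    return out

IP_TO_DOMAINS = _invert(RESOLUTIONS)
EMAIL_TO_DOMAINS = _invert(WHOIS)
CERT_TO_IPS = _invert(CERTS)

def pivots(node, max_fanout):
    """Yield (neighbor, pivot_name) for a (kind, value) node.

    An IP whose reverse resolution exceeds max_fanout is treated as shared
    hosting: it is kept as a finding but not expanded to its domains.
    """
    kind, value = node
    if kind == "domain":
        for ip in RESOLUTIONS.get(value, []):
            yield ("ip", ip), "resolution"
        if value in WHOIS:
            yield ("email", WHOIS[value]), "whois"
    elif kind == "ip":
        domains = IP_TO_DOMAINS.get(value, [])
        if len(domains) <= max_fanout:
            for d in domains:
                yield ("domain", d), "reverse-resolution"
        if value in CERTS:
            yield ("cert", CERTS[value]), "ssl-cert"
    elif kind == "email":
        for d in EMAIL_TO_DOMAINS.get(value, []):
            yield ("domain", d), "whois"
    elif kind == "cert":
        for ip in CERT_TO_IPS.get(value, []):
            yield ("ip", ip), "ssl-cert"

def chain(seed_domain, max_depth=6, max_fanout=25):
    """Breadth-first expansion from a seed domain; each hop is one pivot.

    Returns {node: (depth, via_node, pivot)} so every chained indicator
    carries the path that justified it before anyone acts on it.
    """
    seed = ("domain", seed_domain)
    found = {seed: (0, None, "seed")}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        depth = found[node][0]
        if depth >= max_depth:
            continue
        for nxt, how in pivots(node, max_fanout):
            if nxt not in found:
                found[nxt] = (depth + 1, node, how)
                queue.append(nxt)
    return found

def related(seed_domain, kind, **kw):
    """Sorted values of one kind reached from the seed, excluding the seed."""
    return sorted(v for (k, v), _ in chain(seed_domain, **kw).items()
                  if k == kind and v != seed_domain)

if __name__ == "__main__":
    for node, (depth, via, how) in sorted(chain("login-portal.example").items(),
                                          key=lambda item: item[1][0]):
        src = f" from {via[1]}" if via else ""
        print(f"{depth}  {node[0]:6} {node[1]:42} via {how}{src}")
```

Run from the seed `login-portal.example`, the walk reaches `secure-update.example` (shared IP and registrant), the reused certificate, `198.51.100.7`, `cdn-static.example`, and finally the shared host `192.0.2.1`, which is recorded but not expanded because 401 domains resolve to it. Raising `max_fanout` to 1000 pulls all 400 tenants plus `mass-hosted-bad.example` into the result, which is exactly the false-positive flood the fan-out guard exists to prevent; the same reasoning applies to pivots on popular certificate hashes or registrar-privacy WHOIS contacts, which are also shared by unrelated parties.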

Now GA: Expanded Unified Vulnerability Intelligence 

Recently, we announced the expansion of the Threat Intelligence plugin in Security Copilot. Now generally available, Security Copilot can also reason over vulnerability and asset intelligence from Microsoft Defender External Attack Surface Management (MDEASM), Defender Vulnerability Management (MDVM), and Threat Analytics, giving a more complete view of vulnerabilities and a better understanding of how the known threats covered in Microsoft threat intelligence impact the organization. 


Above, the threat intelligence sidecar in Defender XDR shows the key details for CVE-2023-6119, including its severity, its impact on the organization as a count of exposed devices, and other important information such as affected versions.

In a single view, customers can understand the impact of a vulnerability or exposure, including exposed and unmanaged assets, risk-based prioritization, and steps for remediation. Customers can also see all threat intelligence related to the vulnerability to better understand the threat actors leveraging it so they can take preemptive steps to secure their organization.

With the integration of threat intelligence sources in Security Copilot that are otherwise separate, customers get a much more holistic view of threats, sharper clarity on how they impact the organization, and have more recommendations and guidance to respond faster and more effectively. 

Conclusion 

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape, made possible by protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing 78 trillion security signals daily, Microsoft can deliver threat intelligence in Security Copilot that provides a broad view of attack vectors across platforms, supporting comprehensive threat detection and remediation.  

If you are interested in learning more about MDTI, how it can help you unmask and neutralize modern adversaries and cyberthreats such as ransomware, and its features and benefits, please visit the MDTI product web page. To learn more about Security Copilot, visit the Tech Community page here.

Learn more about other threat intelligence innovations being announced at Ignite here.

Learn more about Microsoft Security Copilot in Microsoft Defender Threat Intelligence here. 

Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Security Copilot SCU here. 

Updated Nov 22, 2024
Version 2.0