Latest Threat Intelligence (15 December, 2020) - FireEye and SolarWinds Events



Microsoft has been monitoring a sophisticated attack involving compromised third-party software, including an intrusion through malicious code in the SolarWinds Orion product. This gives the attacker a foothold in the network, which the attacker can use to obtain elevated credentials. For further details, please refer to the SolarWinds advisory and the FireEye advisory.


Additionally, FireEye Red Team tools were recently stolen from the company. For further details, please refer to the FireEye blog post. 


To help Azure Defender for IoT detect these latest threats, we strongly recommend deploying the attached threat intelligence (TI) package (dated 2020-12-15) as soon as possible.


To deploy the TI package, please follow the instructions below.

Please note that your sensor version must be 2.8.10 or later:
  1. Download the TI file from the Azure Defender for IoT:
  2. If you have a stand-alone sensor, open the System Settings screen and locate the "Intelligence Data Update" tile.
    • Upload the file. Once the upload finishes successfully, that's it!

  3. If you have a Central Manager that controls several appliances, go to the "System Settings" screen:
    • Upload the file in the "Intelligence Data" tile.
    • Once the upload is completed, mark the appliances that you want to update and click "Save Changes".


If you need support deploying the TI package, please contact your customer success manager, or visit the Microsoft support site:


  1. Visit the Defender for IoT by Microsoft "help and support" page (URL).
  2. To log in, customers will be prompted to enter any valid Microsoft Account (MSA) or Office 365 account. (An MSA is an Outlook/Hotmail account, or any email linked to a Microsoft account. Customers can create or configure an MSA from
  3. During the first login, customers will be prompted to verify details to be registered in the Microsoft Services Hub portal.
  4. Select the category and problem, enter additional information, and submit your ticket. Upload any attachments (optional).


Microsoft has also published updates to Microsoft Defender to help block related attacks, and to Azure Sentinel to provide additional signals for the post-compromise techniques observed in these intrusions. For more details, please see the Microsoft blog post titled “Customer Guidance on Recent Nation-State Cyber Attacks.”


It is our goal to continue to provide world-class support to our customers as part of the broader security ecosystem. This situation is evolving, so we will provide updates as they become available. 

For further information:

