rss.livelink.threads-in-node

What’s New at Ignite: Powerful Enhancements in Unified Threat Intelligence

PrateekTaneja — Tue, 18 Nov 2025 16:18:26 GMT

At Microsoft Ignite 2025, we’re unveiling transformative upgrades in threat intelligence designed to empower security teams. With the Threat Intelligence Briefing Agent now fully integrated into the Defender portal, defenders can shift from reactive to proactive security strategies, using Microsoft’s global intelligence combined with insights tailored to their organization. Additionally, the latest phase of the integration of Microsoft Defender Threat Intelligence (MDTI) with Defender XDR and Sentinel brings together unified, real-time threat intelligence and advanced analytics, streamlining the SecOps experience and equipping organizations with powerful tools to anticipate and address emerging threats more effectively.

Threat Intelligence Briefing Agent in Defender

Launched in March, the Threat Intelligence Briefing Agent has already enabled security teams to shift from reactive defense to proactive threat anticipation. At Ignite, we’re excited to announce that this agent is now fully integrated into the Microsoft Defender portal, currently available in Public Preview. It delivers daily, customized briefings, combining Microsoft’s global threat intelligence with insights specific to each organization, in just minutes. Instead of spending hours piecing together information from multiple sources, analysts now receive automated, up-to-date intelligence summaries. These briefings help analysts quickly prioritize actions by providing risk assessments, clear recommendations, and direct links to vulnerable assets, empowering organizations to address exposures proactively.

MDTI Convergence into the Defender Portal

In July, we announced the integration of Microsoft Defender Threat Intelligence (MDTI) directly into Defender XDR and Microsoft Sentinel. This integration delivers world-class, real-time threat intelligence within a unified SecOps experience, all at no additional cost. We are pleased to share that the first phase of this convergence is now available in Public Preview. It features Microsoft’s comprehensive threat intelligence library within Threat Analytics, and new enhancements making it easier than ever for users to access, understand, and act on this critical information.

Threat Intelligence Library in the Defender Portal

Defender XDR customers will have access to Microsoft’s comprehensive threat intelligence library via threat reports within threat analytics (TA). This includes exclusive analyses of threat activity and the detailed content focused on threat actors, threat tooling, and vulnerabilities found in i ntel profiles. Threat reports are automatically correlated with related incidents and affected assets, revealing endpoint vulnerabilities and recommended actions.

Threat analytics in Defender enables and empowers customers to get threat insights around emerging threats on a global scale . Threat analytics provides contextual and operational information about the relevance of each threat for an organization, which allows security teams to organize and prioritize their operations and triage processes based on impact, available as in-product reports.

Threat reports published in Threat analytics include threat activity such as:

Active threat actors and their campaigns
Popular and new attack techniques
Critical vulnerabilities
Common attack surfaces
Prevalent malware

Threat reports provide analysts with insights into the methods and attack patterns employed by threat actors, along with details on vulnerabilities, zero-day exploits, and potentially harmful tools. These findings are correlated with relevant contextual information from the customer's environment to assess the specific impact each threat may have on their organization.

Threat Analytics library now also available to Sentinel-only customers

Sentinel-only customers now have access to Microsoft’s threat intelligence library through reports in Threat Analytics (TA), currently in Public Preview. This upgrade, now in Public Preview, brings Microsoft’s world-class threat intelligence and actionable indicators to Sentinel without a Defender XDR license. While incident correlation and automated response remain exclusive to Defender XDR, standalone Sentinel deployments gain improved threat visibility and integrated security options.

What’s new in Threat Analytics

Threat reports within Threat Analytics have been upgraded with enhanced insights—previously accessible exclusively through an MDTI license—to provide Defender customers with improved context regarding finished intelligence on prevalent threats. The following contextual insights for each report are now available within Threat Analytics:

Indicators of Compromise: Each threat report now includes a comprehensive list of indicators attributed to the specific threat. This feature allows customers to review all relevant indicators and access detailed entity information within Defender directly from the report, streamlining navigation to support efficient investigation and triage.
MITRE ATT&CK Mapping: By mapping threats’ tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework, customers can proactively identify, detect, and mitigate persistent techniques, ultimately enhancing overall security posture.
Targeted Industries & Actor Origin: Reports provide insight into targeted industries and threat actor origins, enabling analysts to prioritize intelligence and contextualize motivations and observed TTPs.
Related Intelligence & Aliases: Threat Analytics offers links to related intelligence and presents actor or tool aliases, allowing customers to cross-reference reports and understand the alignment between Microsoft Threat Intelligence and broader industry developments.

All these additional insights are available in the overview of a threat report

Furthermore, finding threat reports is now easier. The reports are systematically organized and can be filtered by Actor, Tool, Technique, Vulnerability, Activity, or Core threat, making it quicker to locate specific reports.

Read more about threat analytics report and the information available here.

Access to Indicators of Compromise

Indicators of Compromise linked to specific threats provide SOC Analysts with valuable insight into the most common risks faced by their organization. For Defender customers, threat analytics now makes it easier to filter this data according to particular threats. Because information about indicators is vital, unauthorized access poses a risk of data theft or exploitation by malicious actors. Recognising its sensitivity, access to Indicators is restricted to verified customers only.

Customers who do not have access to indicators will see the following when attempting to access it:

In scenarios where access is restricted, customers will have the option to verify themselves by submitting business information to get access on successful verification. Read more about access to indicators.

Customers with access to indicators (with or without the need to submit additional verification) will be able to see the entire list.

The improvements to Threat analytics described above are designed to deliver a unified threat intelligence experience. By integrating MDTI features into Microsoft Defender and Sentinel, customers will progressively have access to more valuable insights that were previously available only with paid MDTI licenses. Read more about MDTI convergence here.

Link Cases to IOCs for Complete Threat Context

You can now link a case directly to relevant Indicators of Compromise (IOCs), ensuring investigations and response workflows stay connected. This feature improves visibility and collaboration, enabling faster, more informed decisions during threat investigations.

Conclusion

The integration of the Threat Intelligence Briefing agent into the Defender Portal and the convergence of MDTI into Microsoft Defender and Sentinel represents a major leap forward for security teams, delivering unified threat intelligence and streamlined workflows. With enhanced access to threat reports, indicators of compromise, and contextual insights, organizations are better equipped to proactively defend against emerging threats and respond with greater speed and confidence. These advancements ensure that valuable intelligence is accessible to all, strengthening security operations and empowering defenders to stay ahead in an ever-evolving threat landscape.

My companies app incorrectly detected as a trojan

bffan44 — Sat, 18 Oct 2025 00:46:56 GMT

Hi Team.

I am the developer of a gaming geo fence and your system had falsely detected my app as Trojan:Script/Wacatac.C!ml

I need help to remove it as it seems like analysts are no longer checking false detections anymore? ( at least to me it seems automatic now )?

My app is a geo fence which creates firewall rules and use npcaap for packet capture to display server locations and the exe is encrypted to help fight against software pirates.

Here is an example submission of my exe for my application https://www.microsoft.com/en-us/wdsi/submission/5ab00c91-ea84-4fbb-a739-613316b32dfe

Please get an analyst to manually inspect the file and whitelist it as its a pain telling my customers to turn off their anti virus and also its not advice i should have to give to be honest.

My company is called sbmmoff ltd

https://papagal.bg/eik/207176266/58b9

Website is bflocker.com

I really would appreciate a speedy response to resolve the situation and thank you for your time.

Microsoft Defender doesn't, Spy hunter shows a Hijacker

JKFISH — Thu, 18 Sep 2025 19:46:42 GMT

Spy Hunter indicates a "Elex Hijacker" and three other problems were as Defender and McAfee do not show any problem.

Is Spy Hunter legitimate?

I did have a Search engine redirect problem that has a name "ext.ladispatcher.com" and "search-load.com" while using Chrome browser with Chrome search engine. But no problem with Microsoft Edge and Bing.

My monitor screen occasionally momentary collapses and reverts back to normal in a split second. Could there be a connection to malware.?

Please let me know if i am posting on the wrong site.

Need information on generating sample events for Threat Intelligence

aslin — Thu, 04 Sep 2025 13:35:29 GMT

Hi community,

I am working on exploring MS Threat Intelligence and its features. But I am not able to generate sample data for this product, nor able to view the Threat Intelligence logs using Microsoft Management API following the schema - https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype

I tried sending some mails from external email account to my organisation's test user containing EICAR files, and also tried with some safe but malicious test URLs. But still unable to get data inside Threat Intelligence.

Can someone please help me here for generating events and viewing the content using Management APIs?

Need information on generating sample events for Threat Intelligence

swaradajalukar — Thu, 28 Aug 2025 04:04:42 GMT

Hi community,

Can someone please help me here for generating events and viewing the content using Management APIs?

MDTI is Converging into Microsoft Sentinel and Defender XDR

Mike_Browning — Wed, 30 Jul 2025 14:58:58 GMT

In today’s rapidly evolving threat landscape, organizations need threat intelligence (TI) that is woven seamlessly into every step of their security operations, delivered exactly when and where it matters most. That’s why Microsoft is converging Microsoft Defender Threat Intelligence (MDTI) directly into Defender XDR and Microsoft Sentinel, which will provide world-class, real-time TI within a unified SecOps experience at no additional cost. This convergence will grant customers access to Microsoft’s extensive repository of both raw and finished threat intelligence, developed from 84 trillion daily signals and backed by over 10,000 security professionals, eliminating the need for additional licensing and costly third-party solutions.

With comprehensive threat actor-focused TI at every layer of the SecOps workflow, teams gain enhanced visibility, faster detection, and accelerated incident response to outpace threats.

Key Features Arriving Soon

The convergence of MDTI value into Microsoft Sentinel and Defender XDR will take place over the course of several months and be completed by the first half of next year. Features in the first phase of this convergence, which will be available by October, include:

Finished Threat Intelligence: Defender XDR customers will have access to Microsoft’s comprehensive threat intelligence library via threat reports within threat analytics (TA). This includes exclusive analyses of threat activity and the detailed content focused on threat actors, threat tooling, and vulnerabilities found in i ntel profiles. Customers can connect this intelligence to related incidents and affected assets, revealing endpoint vulnerabilities and recommended actions.

The convergence of MDTI’s finished intelligence into threat analytics also introduces threat actor-linked indicators of compromise (IOCs). Security operations and threat intelligence teams can use these IOCs—updated in real time as new evidence emerges from Microsoft researchers—to investigate specific attacker infrastructure and behavior, which supports more effective threat hunting and remediation. Even after their expiration, these IOCs will remain available for historical investigations, enabling analysis of past threats and their organizational impact. This helps security teams proactively uncover new, previously unseen attacker infrastructure beyond the known environment.

Additionally, the convergence brings MITRE TTPs (tactics, techniques, and procedures) into threat analytics. Understanding TTPs equips organizations to design detections that specifically target the more persistent methods attackers use. By proactively focusing on TTPs, organizations move beyond simply blocking or alerting on IOCs, which helps achieve stronger, more resilient defenses and a proactive security posture.

Sentinel customers will also get access to threat analytics in the Defender portal, granting them the same finished TI with many of the same capabilities. This experience will be available for Sentinel customers soon after Defender XDR customers. Stay tuned to the MDTI Tech Community blog for updates on availability.

IoCs in Case Management: Sentinel customers will be able to share threat actor IoCs via Sentinel case management to collaborate and share threat research across teams within their organization. This streamlined sharing not only enhances cross-team collaboration but also accelerates the identification and containment of threats as new intelligence is discovered. By leveraging this workflow within Sentinel, security teams can ensure that actionable threat indicators are promptly distributed and integrated into ongoing investigations, driving smarter and faster responses across the enterprise.

What to Expect from the Fully Unified Threat Intelligence Experience

Once MDTI is fully converged into Defender XDR and Sentinel, customers' alerts, incidents, and investigations will be automatically enriched with relevant threat context, enabling faster, more precise detection and response to emerging threats. Customers will benefit from the entirety of MDTI’s finished and raw intelligence through the threat analytics blade in the Defender portal—including open-source intelligence (OSINT), in-depth threat articles, and advanced internet data sets.

Defender XDR customers will be able to directly link this compendium of intelligence to Defender alerts, endpoints, and vulnerabilities. Sentinel customers will gain unique enhancements of their own, such as automated detection triggers based on the latest IoCs, real-time incident enrichment with current threat actor TTPs, advanced automation features like incident triage, and the ability to enhance third-party intelligence through the Sentinel Threat Intelligence Platform (TIP). For some capabilities, such as alerting on IoCs against log data, Sentinel customers will have to pay a small cost for ingestion of TI (there is no minimum ingestion cost).

The first phase of the convergence will be complete by October 2025, with the rest of the features rolling out over time. Reference the table below to see the features and capabilities that will be available after MDTI is fully converged with Defender XDR and Sentinel.

This chart shows how MDTI features will converge into Defender XDR and Sentinel

For ongoing updates about new MDTI features coming online in Sentinel and Defender XDR, customers should check back-in on the MDTI Tech Community blog.

Actions for Existing MDTI Customers

Existing MDTI customers will continue to have full access to their current MDTI experience until the product is retired on August 1, 2026. They will be contacted by their account team or partner with guidance on next steps and how to reduce their current license and transition to this new unified threat intelligence experience in Defender XDR or Sentinel at no additional cost. Please do not hesitate to reach out to your account team with any questions.

Additional Information

Discover how this unified experience simplifies operations, eliminates silos, and helps you see and stop threats faster. Explore the following resources:

Read our blog announcing the expanded Sentinel data lake offering

Disable Defender TI access to end user

DarioMWS — Tue, 27 May 2025 16:44:08 GMT

Hi,

When our users access Defender quarantine (or access Defender Admin Center directly), they also get access to Microsoft Defender Threat Intelligence.

Is it possible to disable it and allow access only to the Quarantine?

Thanks,

Dario Woitasen

Can the Microsoft Defender portal show the server details as per security group?

jr-rout — Mon, 12 May 2025 04:38:25 GMT

I'm using Microsoft Defender to monitor the servers.

I have multiple groups of people working from various other vendors. I would like create multiple security groups and add people based on their company and configure the defender such a manner that only people from Company "A" can see their own servers and people working from Campany "B" can see their respective servers. Also, I as admin can see both "A's" and "B's" servers.

Can this be achieved using Microsoft Defender? If yes, how to achieve this? Any step-by-step approach would help. Or if there are any other ways, please suggest. Thanks

Introducing the Threat Intelligence Briefing Agent

Mike_Browning — Thu, 07 Aug 2025 17:58:46 GMT

As cyber threats rapidly evolve, security teams are overwhelmed by the sheer volume of threat intelligence, making it challenging to deliver timely, targeted briefings. That’s why we’re introducing the Security Copilot Threat Intelligence Briefing Agent—a powerful new tool that slashes the time to produce actionable threat reports from hours or days to just minutes. Now in Public Preview, the agent delivers prioritized insights, mapping the latest adversary activity to your unique attack surface so you know exactly which vulnerabilities demand attention now.

Looking ahead, we’re planning even deeper integrations, such as automated remediation, exposure trend analysis, and more, to empower security teams to stay one step ahead of attackers.

Analysis at Machine Speed

This next evolution in Security Copilot threat intelligence capabilities builds on its powerful ability to correlate Microsoft threat data, real-time signals, and customer telemetry to add critical context to threats. The agent dynamically builds briefings based on the latest threat actor activity from Microsoft security research and both internal and external vulnerability data sourced from Microsoft Defender Vulnerability Management (MDVM) and Microsoft Defender External Attack Surface Management (EASM). It automates the collection, analysis, and summarization of this powerful threat information, delivering continuous, tailored briefings based on factors such your organization’s evolving attack surface, your industry, and geographic location.

These briefings, which can be scheduled or run ad-hoc, offer regular executive summaries and technical analysis accessible via the UI or directly to a CISO's inbox. They determine whether a vulnerability is being actively exploited and its potential organizational impact. Instead of sifting through threat feeds and vulnerability reports, security teams receive clear insights aligned with the organization's needs, allowing for effective resource allocation. As a result, cyberthreat intelligence (CTI) analysts gain important data for further research, while CISOs and security leaders get the situational awareness needed to fine-tune their defense strategies.

How the Agent Works

Setting up the Agent

The Threat Intelligence Briefing agent is in the Security Copilot standalone experience. A new area of the product is devoted to agents, where both Microsoft and third parties offer a variety of agents that perform critical tasks to make cybersecurity teams more effective and efficient. CTI analysts can quickly set up the Threat Intelligence Briefing agent to run once for a one-time report or set it to run automatically at an interval of their choosing. Setting up the agent is simple. Customers can choose an identity for the agent using Microsoft’s robust role-based access controls (RBAC):

Customers can choose an existing identity or create an agent-specific identity.

They can then ensure the required plugins are enabled for the agent to run. At the core of this agent is its integration with Microsoft’s extensive threat intelligence ecosystem. It leverages Microsoft Defender Threat Intelligence (MDTI) profiles, articles, and intelligence on threat actors, tools, and techniques, automatically prioritizing content based on the organization's unique profile.

Currently, the Threat Intelligence Briefing Agent is best suited for MDEASM and Microsoft Defender for Endpoint (MDE), as it relies on telemetry and insights from these first-party integrations to deliver accurate and context-rich reports.

For organizations with E5 licenses, the agent can also incorporate insights from MDVM to highlight potential weaknesses in your internal IT infrastructure. If the organization utilizes MDEASM, the agent further tailors its briefings using external data such as vulnerabilities associated with unmanaged assets (e.g., CVE information):

Customers can choose up to three plugins to provide the agent with threat intelligence to build briefings.

Once set up, the agent is ready to run in the background to generate the briefing:

Once the agent is set up, it's ready to run!

Agent in Action

A key benefit of the agent for CISOs and security managers is simplification. The agent runs at regularly scheduled intervals or on-demand:

Customers can look into any run the agent has made to read past briefings.

Here, we can see the briefing highlighted potentially significant threats facing the organization, focusing on recent campaigns by the riskiest threat actors. These campaigns involve tactics such as exploiting vulnerabilities in network devices, phishing, and ransomware attacks:

Briefings show the latest threats that are most relevant to an organization with a summary of recent campaigns and recommended actions.

The briefings also include the most critical CVEs contextualized with threat intelligence. It also includes links to vulnerable assets for further action:

The briefing also shows the most critical vulnerabilities identified by the agent, mitigation steps, and the affected assets across the organization's IT setup and external attack surface.

The briefing provides concrete recommendations to enhance defenses, including patching vulnerabilities, strengthening endpoint protection, and implementing attack surface reduction rules. Customers can then review the path the agent took to see how it gathered this real-time intelligence:

Here, we can see the path the agent has taken to generate the briefing. At each step of the way, it is making dynamic decisions about the best threat intelligence to include based on its inherent threat intelligence expertise. This path can change each day based on changes in the threat landscape and on the organization’s attack surface. For example, if a CVE gets remediated, threat intelligence associated with that vulnerability will become less of a priority:

The agent shows the path it took to build each briefing. It makes dynamic decision based on its threat intelligence expertise every step of the way.

What’s Next

The Threat Intelligence Briefing Agent marks a major step toward AI-driven automation for improving security outcomes, but this is just the beginning. We are continuously listening to our customers and rolling out new updates regularly. This powerful agent will soon be available alongside the rich, continuously updated threat intelligence in the Threat Analytics blade of Defender XDR to enable Defender customers to create these briefings with the click of a button.

Learn More

Threat Intelligence Briefing Agent offers a strategic way to reduce complexity, optimize security decision-making, and expedite the identification of the most relevant vulnerabilities and threats impacting your organization. By automating and prioritizing threat intelligence—the same intelligence that previously took hours or days to assemble—this agent provides clear, actionable insights that enhance overall security readiness.

To learn more about this agent and the rest of the first and third-party agents now available, watch our Microsoft Secure digital event. For a closer look at this agent, watch our deep dive in the Microsoft Security Copilot Content Hub. Read this blog to learn more about Security Copilot agents at RSA.

New at Ignite: TI Guided Experience in Security Copilot

Mike_Browning — Fri, 22 Nov 2024 17:27:22 GMT

The Security Copilot team is consistently improving the threat intelligence (TI) experience for customers. At Microsoft Ignite 2024, we're thrilled to unveil two out-of-the-box promptbooks that create guided experiences for cyberthreat intelligence and SOC analysts for investigating and responding to threats affecting their organization, simplifying complex workflows and making difficult, repetitive tasks easier to do for all experience levels.

Below, we’ll cover each of these promptbooks in more detail:

Threat 'Intelligence 360' report on MDTI article

With Security Copilot able to tap into powerful threat intelligence from more sources, customers get a much more holistic view of threats, better understand how they impact the organization, have more recommendations and guidance to respond faster and more effectively. This promptbook shows customers the full impact a threat covered in a Microsoft Defender Threat Intelligence article has on their organization to streamline and accelerate response.

These prompts help map content from the article back to CVE and vulnerability data related to their organization’s attacks surface, surface related incidents, and provide recommendations for remediation. Below, we’ll examine what an analyst sees when they run the 'Threat Intelligence 360 Report' promptbook for the MDTI article “Attack Abuses Victim Resources to Reap Rewards from Titan Network.”

The first step of the promptbook pulls up all indicators of compromise (IoCs) added to the article by Microsoft researchers. Below, you can see the prompt return a list of IoCs that includes two IP addresses and several URLs:

Copilot extracts the IoCs from the MDTI article.

The next step of the promptbook asks Security Copilot to create a KQL query to hunt across the organization’s network for activity related to the indicators from the article. In the example below, Security Copilot created a query for IPV4 indicators in the article returned by Security Copilot. The promptbook will create KQL queries for every indicator type and return all relevant intelligence.

KQL query to hunt for malicious domains referenced in the article on the network.

The promptbook will then search for Defender incidents related to the article. In this example, it returns four incidents that contain indicators or tactics, techniques, and procedures (TTPs) that are covered in the article. Grouping the incidents by activity make them easy to reference for incident responders and provide important context and a clear path forward for cyberthreat intel analysts' investigation.

Related incidents involving the IoCs and TTPs covered in the MDTI article

Finally, the promptbook shows the analyst details of the CVEs listed in the articles and its impact to the organization by listing their organization's vulnerable assets and resources to help them understand how their attack surface is exposed and the steps they need to take to address and remediate the vulnerabilities:

List of impacted assets from Threat Analytics.

Overall, this information rapidly summarizes a threat analyzed in a threat intelligence article so analysts can quickly and efficiently understand the nuances of the threat and its impact to the organization.

Impact of external article

This promptbook shows analysts the impact of an external threat intelligence article from a third-party source (not found in Microsoft products) on their organization. This promptbook extracts indicators from the article to check against all Microsoft’s intelligence to show all relevant information and the impact on the organization.

Below, the analyst deploys this promptbook to better understand a threat intelligence article from a third-party source about the latest campaigns leveraging the 'Silent Skimmer':

IoCs extracted from third-party article

Next, the promptbook takes the indicators extracted from the article and queries Microsoft's compendium of threat intelligence to show all related content and data to give analysts a broader understanding of the threat activity. Below, the promptbook checks each IoC's reputation against Microsoft Threat Intelligence. The analyst can see that several of the indicators from the article are known to be malicious to Microsoft and are associated with several Microsoft threat intelligence articles in MDTI:

Microsoft reputation scoring for each third-party IoC

After uncovering related intelligence, the promptbook asks Security Copilot to create KQL queries to automatically hunt across the network for the malicious indicators from the article, as well as the ones newly surfaced in Microsoft threat intelligence. In the example below, it’s searching for the file hashes listed in the article:

KQL query automatically generated by the promptbook to hunt across the network for threat activity covered in the article

Finally, the promptbook asks Security Copilot to create a table showing any reference in Microsoft threat intelligence to the indicators mentioned in the article, as well as any devices in the customer organization that are affected by CVEs listed in the article based on Threat Analytics data:

Query automatically generated to show the impact of this third-party article to the organization from data in Threat Analytics and MDVM.

These powerful new promptbooks will create guided experiences for a variety of personas, simplifying complex workflows and making difficult, repetitive tasks easier to do.

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape made possible protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in Copilot for Security providing an all-encompassing view of attack vectors across various platforms, ensuring customers have comprehensive threat detection and remediation.

If you are interested in learning more about MDTI and how it can help you unmask and neutralize modern adversaries and cyberthreats such as ransomware, and to explore the features and benefits of MDTI please visit the MDTI product web page. To learn more about Security Copilot, visit the Tech Community page here.

Learn more about Microsoft Security Copilot in Microsoft Defender Threat Intelligence here.

Learn more about other Microsoft threat intelligence innovations launching at Ignite here.

Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Security Copilot SCU here.

New at Ignite: Unified Threat Intelligence Experience in Security Copilot

Mike_Browning — Fri, 22 Nov 2024 17:26:48 GMT

The Security Copilot team is continuously enhancing threat intelligence (TI) capabilities in Copilot. At Microsoft Ignite 2024, we’re excited to announce several powerful innovations that provide a more comprehensive and integrated TI experience for customers. Now generally available, Security Copilot customers can build a '360-degree' view of threats by tapping into a wider range of TI sources for more insight into attacker tooling and methodology and how they may impact the organization.

Below, we’ll cover these innovations in more detail.

Now Public Preview: MDTI Indicator Data

Ten new indicators skills can now leverage the full corpus of raw and finished threat intelligence in MDTI to link any indicator of compromise (IoC) to all related data and content, providing critical context to attacks and enabling advanced research and preemptive hunting capabilities that give defenders a head start on adversaries. This automated infrastructure chaining is a crucial function for a security analyst or threat hunter to investigate the relationships between connected data sets, which allows them to kick off and expand their investigations into events or incidents on their network.

These skills call upon two main categories of threat intelligence:

In-depth Indicators data: Security Copilot can now automatically link any IoC with all threat intelligence linked to it in MDTI, including intel profiles, articles, and summary data, which includes detonation and reputation information from Microsoft’s file and URL analysis. This context is critical when responding to an incident, providing instant information on the attacker and nature of the attack. This data can also level-up analysts by providing the necessary next steps outlined in MDTI to help them deal with the incident quickly and efficiently.

Indicators metadata: Security Copilot can link any IoC to associated infrastructure across the internet via MDTI’s advanced internet data sets. These data sets are developed by collecting and analyzing internet data at a global scale and are comprised of core and derived data sets. Core data sets include Resolutions, WHOIS information, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services. Derived data sets including Trackers, Components, Host Pairs, and Cookies. When linked to related infrastructure, analysts can make connections between related threat activity and preemptively uncover new threat tooling before it can be used against the organization.

In this example, you can see an indicator has been linked to several IP addresses, two articles, and three intel profiles. Copilot has also pulled up its reputation, WHOIS, and passive DNS data.

Now GA: Expanded Unified Vulnerability Intelligence

Recently, we announced the expansion of the Threat Intelligence plugin in Security Copilot. Now generally available, Security Copilot can also reason over vulnerability and asset intelligence from Microsoft Defender External Attack Surface Management (MDEASM), Defender Vulnerability Mangement (MDVM), and Threat Analytics for a more complete view of vulnerabilities and a better understanding of how known threats covered in Microsoft threat intelligence impact the organization. Through this holistic experience, customers get a deeper view of threats, better understand how they impact the organization, and have more recommendations and guidance to respond faster and more effectively.

Above, we can see the threat intelligence sidecar in Defender XDR showing the key details around CVE – 2023-6119, including its severity, impact on the organization in number of exposed devices, and other important information, such as affected versions.

In a single view, customers can understand the impact of a vulnerability or exposure, including exposed and unmanaged assets, risk-based prioritization, and steps for remediation. Customers can also see all threat intelligence related to the vulnerability to better understand the threat actors leveraging it so they can take preemptive steps to secure their organization.

With the integration of threat intelligence sources in Security Copilot that are otherwise separate, customers get a much more holistic view of threats, sharper clarity on how they impact the organization, and have more recommendations and guidance to respond faster and more effectively.

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape made possible protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in Security Copilot providing an all-encompassing view of attack vectors across various platforms, ensuring customers have comprehensive threat detection and remediation.

Learn more about other threat intelligence innovations being announced at Ignite here.

Learn more about Microsoft Security Copilot in Microsoft Defender Threat Intelligence here.

Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Security Copilot SCU here.

New Blog | New Copilot for Security Plugin Name Reflects Broader Capabilities

DavidFernandes — Wed, 02 Oct 2024 16:48:40 GMT

By Michael Browning

The Copilot for Security team is continuously enhancing threat intelligence (TI) capabilities in Copilot for Security to provide a more comprehensive and integrated TI experience for customers. We're excited to share that the Copilot for Security threat Intelligence plugin has broadened beyond just MDTI to now encapsulate data from other TI sources, including Microsoft Threat Analytics (TA) and SONAR, with even more sources becoming available soon.

To reflect this evolution of the plugin, customers may notice a change in its name from "Microsoft Defender Threat Intelligence (MDTI) to "Microsoft Threat Intelligence," reflecting its broader scope and enhanced capabilities.

Since launch in April, Copilot for Security customers have been able to access, operate on, and integrate the raw and finished threat intelligence from MDTI developed from trillions of daily security signals and the expertise of over 10 thousand multidisciplinary analysts through simple natural language prompts. Now, with the ability for Copilot for Security's powerful generative AI to reason over more threat intelligence, customers have a more holistic, contextualized view of the threat landscape and its impact on their organization.

Read the full post here: New Copilot for Security Plugin Name Reflects Broader Capabilities

New Security Copilot Plugin Name Reflects Broader Capabilities

Mike_Browning — Mon, 14 Apr 2025 19:42:41 GMT

The Security Copilot team is continuously enhancing threat intelligence (TI) capabilities in Security Copilot to provide a more comprehensive and integrated TI experience for customers. We're excited to share that the Security Copilot threat Intelligence plugin has broadened beyond just MDTI to now encapsulate data from other TI sources, including Microsoft Threat Analytics (TA) and Microsoft file and URL intelligence, with even more sources becoming available soon.

Since launch in April, Security Copilot customers have been able to access, operate on, and integrate the raw and finished threat intelligence from MDTI developed from trillions of daily security signals and the expertise of over 10 thousand multidisciplinary analysts through simple natural language prompts. Now, with the ability for Security Copilot's powerful generative AI to reason over more threat intelligence, customers have a more holistic, contextualized view of the threat landscape and its impact on their organization.

New plugin name in Security Copilot reflects broader range of capabilities

This broader range of information, delivered instantly and in-context, adds to the ability to enable different security personas to defend at machine speed and scale. For example, a customer may ask "Tell me more about the Threat actor Silk Typhoon" for the latest threat intelligence information from MDTI, including IoCs, data from mass collection and analysis, intelligence articles, Intel Profiles (vulnerabilities, threat actors, threat tooling], and guidance. Security Copilot now also shows customers the impact of threat to their organization and which assets may be vulnerable though threat analytics and reputation information from Microsoft file and URL (detonation) intelligence. for indicators associated with incidents and other threat activity.

In this example, impacted asset data from Threat Analytics is available alongside MDTI intelligence for complete context about a threat and its impact on the organization.

It's important to note that customers will only see threat intelligence associated with the products they are provisioned for. For example, a Security Copilot customer that isn't provisioned for Defender XDR will not see any threat intelligence from Threat Analytics.

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape made possible protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in Security Copilot providing an all-encompassing view of attack vectors across various platforms, ensuring customers have comprehensive threat detection and remediation.

Learn more about Microsoft Security Copilot in Microsoft Defender Threat Intelligence here.

Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Security Copilot SCU here.

MDTI for Government Now Available

Mike_Browning — Mon, 30 Sep 2024 17:08:06 GMT

We are thrilled to introduce Microsoft Defender Threat Intelligence (MDTI) with FedRAMP High (DOD IL2) attestation are now available for government sectors. Customers across U.S. state, local, and tribal governments utilizing GCC services can now purchase MDTI and the MDTI API SKUs to unmask adversaries and understand their organization’s security posture against threats.

MDTI serves as the ultimate resource for Microsoft Threat Intelligence, empowering security teams to access, ingest, and act upon a comprehensive repository of operational, strategic, and tactical threat intelligence. With MDTI, organizations can swiftly assess their exposure to threats, including over 300 threat actors monitored by Microsoft, and determine the best course of action. Licensed per seat, MDTI grants access to a premium 'analyst workbench' in the Threat Intelligence tab of the Defender XDR portal. This workbench features extensive finished threat intelligence on actors, tools, and techniques, complemented by advanced internet data sets to help analysts delve deeper and identify threat infrastructures.

For API access, customers must purchase an MDTI seat license. The API facilitates integration with other security tools, providing critical context around threat actors, vulnerabilities, and attack tools. When combined with Microsoft Sentinel, the API provides powerful context and enhances alert enrichment and triage capabilities.

Learn more about MDTI by taking the MDTI Ninja Training here.

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape made possible protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in MDTI providing an all-encompassing view of attack vectors across various platforms, ensuring Sentinel customers have comprehensive threat detection and remediation.

Introducing the MDTI Home Page Widget and Article Digest

Mike_Browning — Fri, 06 Sep 2024 20:49:54 GMT

The MDTI team is excited to announce the Threat Intelligence Widget in the Microsoft Defender home page and the MDTI Article Digest, two handy new features that make Microsoft threat intelligence more accessible, digestible, and relevant. When customers login to the Unified SecOps platform, they will now see a widget that displays featured threat intelligence articles containing the most impactful content on the threat landscape. Via the digest, they can stay up to speed with a summary of the latest threat intelligence published since their last login.

MDTI Article Digest

The MDTI article digest is a brand new way for customers to stay up to speed with the latest analysis of threat activity observed across more than 78 trillion daily threat signals from Microsoft's interdisciplinary teams of experts worldwide. The digest, seamlessly integrated into the MDTI user interface in the threat intelligence blade of Defender XDR, shows users everything published since their last login:

Customers will see that not only does the digest notify users of the latest content but also encourages exploration through a user-friendly sidebar that lists the articles:

With the added convenience of pagination, users can now easily navigate through a wealth of information, ensuring they never miss valuable insights. The digest is also flexible, allowing users to clear notifications, thus tailoring the experience to their preferences.

The digest is a significant step forward in our commitment to delivering exceptional user experiences, and we're excited to see how it will positively impact the MDTI community. If you're a licensed MDTI user, login to Defender XDR today to see the digest located on the right-hand side of the UI, to the left of the TI Copilot embedded experience sidebar.

MDTI Home Page Widget

The MDTI Home Page Widget provides features the most impactful and relevant content recently publishes to MDTI surfaced alongside a summary of the most crucial information across your cybersecurity program. The articles surfaced serves as a 'front page' for the latest threat intelligence and news about the threat landscape, and serves as a great entry point for additional research.

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape made possible protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in MDTI providing an all-encompassing view of attack vectors across various platforms, ensuring Sentinel customers have comprehensive threat detection and remediation.

Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Copilot for Security SCU here.

New Blog | Introducing the MDTI Premium Data Connector for Sentinel

DavidFernandes — Mon, 19 Aug 2024 16:25:37 GMT

By Michael Browning

The MDTI and Unified Security Operations Platform teams are excited to introduce an MDTI data connector available in the Unified Security Operations Platform and standalone Sentinel experiences. The connector enables customers to apply the powerful raw and finished threat intelligence in MDTI, including high-fidelity indicators of compromise (IoCs), across their security operations to detect and respond to the latest threats.

Microsoft researchers, with the backing of interdisciplinary teams of thousands of experts spread across 77 countries, continually add new analysis of threat activity observed across more than 78 trillion threat signals to MDTI, including powerful indicators drawn directly from threat infrastructure. In Sentinel, this intelligence enables enhanced threat detection, enrichment of incidents for rapid triage, and the ability to launch investigations that proactively surface external threat infrastructure before it can be used in campaigns.

This blog will highlight the exciting use cases for the MDTI premium data connector, including enhanced enrichment, threat detection, and hunting to ensure customer organizations are protected against the most critical threats. It will also cover how you can easily get started with this out-of-the-box connector.

Read the full post here: Introducing the MDTI Premium Data Connector for Sentinel

Introducing the MDTI Premium Data Connector for Sentinel

Mike_Browning — Tue, 24 Sep 2024 22:04:50 GMT

Getting started

The MDTI premium data connector provides more IoCs than the standard (free) MDTI data connector, including high-fidelity IoCs added by the Microsoft Threat Intelligence Center (MSTIC) and those tied to the over 300 threat actor groups Microsoft tracks. Combined, the free and premium data connectors give you full coverage of available threat intelligence. Please note that an MDTI premium license and API license are required to begin using the MDTI premium data connector.

To get started with the free and premium data connectors, follow the instructions here.

Use Cases

Dynamic Incident Enrichment

The MDTI premium data connector can help analysts respond to threats at scale by automatically enriching incidents with MDTI premium threat intelligence, evaluating indicators in an incident with dynamic reputation data (everything Microsoft knows about a piece of online infrastructure) to mark its severity and automatically triage it accordingly. Comments are added to the incident outlining the reputation details with links to further information about associated threat actors, tools, and vulnerabilities.

Threat Detection

With a flip of the switch, the MDTI premium data connector immediately enables detections for threats, including activity from the more than 300 named threat actor groups tracked by Microsoft. When enabled in Microsoft Sentinel, this connector takes URLs, domains, and IPs from a customer environment via log data and checks them against a dynamic list of known bad IOCs from MDTI. When a match occurs, an incident is automatically created, and the data is written to the Microsoft Sentinel TI tab. By enabling this rule, Microsoft Sentinel users know they have detections in place for threats known to Microsoft.

External Threat Hunting

Customers can pivot off the IoCs to investigate further and boost their understanding of the threat with MDTI's repository of raw and finished intelligence. Finished intelligence, or written intelligence and analysis, includes articles, activity snapshots, and Intel Profiles about actors tooling and vulnerabilities. It provides crucial context and vital information such as targeting information, TTPs (tactics, techniques, and procedures), and additional IoCs.

Customers can also explore advanced internet data sets created by amass collection network that maps threat infrastructure across the internet every day to locate relationships between entities on the web to malicious infrastructure, tooling, and backdoors outside the network at incredible scale. Below is an example of how to effectively detect and hunt for Indicators of Compromise (IoCs) associated with threat actors using Sentinel with MDTI connector enabled.

Begin by following these steps:

Filter IoCs by MDTI Source - Set the source filter to "Premium Microsoft Defender Threat Intelligence" within Sentinel TI tab
By using tags, you can filter IoCs by specific threat actors, for example, `ActivityGroup:AQUA BLIZZARD`

Leverage the enriched data from the MDTI feed in your Log Analytics workspace using KQL queries to hunt and create custom analytic rules.

To create an analytics rule, fill out the fields under the 'general tab' as shown below:

For the sake of this demo, our detection rule is very simple. However, you can enhance it with your own detection logic:

Customers can extend their investigation even further and gather more intelligence on the threat actor by using the Unified Security Operations platform premium MDTI experience. Simply take an indicator value and perform a search in the global search feature:

Clicking into an Intel Profile for Aqua Blizzard provides the full corpus of intelligence, data, and analysis related to the threat actor, including TTPs and IoCS, continuously updated by Microsoft threat researchers:

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape made possible protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in MDTI providing an all-encompassing view of attack vectors across various platforms, ensuring Sentinel customers have comprehensive threat detection and remediation.

Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Copilot for Security SCU here.

Incorrect Detected as Malware

anguslii — Mon, 29 Jul 2024 07:36:09 GMT

Dear team,

Our apps have been detected incorrectly as malware and we've submitted for screening somehow still flagged as malware.

We tried to appeal and looking for someone to help us how can we remove this flag from defender.

New Blog | More Threat Intelligence Content in MDTI, TA Enables Better Security Outcomes

DavidFernandes — Fri, 28 Jun 2024 21:26:32 GMT

By Michael Browning

Microsoft threat intelligence empowers our customers to keep up with the global threat landscape and understand the threats and vulnerabilities most relevant to their organization. We are excited to announce that we have recently accelerated the speed and scale at which we publish threat intelligence, giving our customers more critical security insights, data, and guidance than ever before.

This blog will show how our 10,000 interdisciplinary experts and applied scientists reason over more than 78 trillion daily threat signals to continuously add to our understanding of threat actors and activity. It will also show how this increased publishing cadence in Microsoft Defender Threat Intelligence (MDTI), Threat Analytics, and Copilot for Security helps enrich and contextualize hundreds of thousands of security alerts while enhancing customers' overall cybersecurity programs.

Increased Intel Profiles

Microsoft has published 270 new Intel profiles over the past year to help customers maintain situational awareness around the threat activity, techniques, vulnerabilities, and the more than 300 named actors Microsoft tracks. These digital compendiums of intelligence help organizations stay informed about potential threats, including Indicators of Compromise (IOCs), historical data, mitigation strategies, and advanced hunting queries. Intel profiles are continuously maintained and updated by Microsoft's threat intelligence team, which added 24 new Intel profiles in May alone, including 10 Activity Profiles, 4 Actor Profiles, 5 Technique Profiles, and 5 Vulnerability Profiles.

Intel profiles are published to both MDTI and Threat Analytics, which can be found under the "Threat Intelligence" blade in the left-hand navigation menu in the Defender XDR Portal. In Threat Analytics, customers can understand how the content in Intel profiles relates to devices and vulnerabilities in their environment. In MDTI, Intel Profiles enhance security analyst triage, incident response, threat hunting, and vulnerability management workflows.

In Copilot for Security, customers can quickly retrieve information from intel profiles to contextualize artifacts and correlate MDTI and Threat Analytics content and data with other security information from Defender XDR, such as incidents and hunting activities, to help customers assess their vulnerabilities and quickly understand the broader scope of an attack. For example, Copilot can reason over vulnerability intelligence in MDTI and Threat Analytics to deliver a customized, prioritized list based on a customer organization’s unique security posture.

Read the full post here: More Threat Intelligence Content in MDTI, TA Enables Better Security Outcomes

rss.livelink.threads-in-node

What’s New at Ignite: Powerful Enhancements in Unified Threat Intelligence

Threat Intelligence Briefing Agent in Defender

MDTI Convergence into the Defender Portal

Threat Intelligence Library in the Defender Portal

Threat Analytics library now also available to Sentinel-only customers

What’s new in Threat Analytics

Access to Indicators of Compromise

Link Cases to IOCs for Complete Threat Context

Conclusion

My companies app incorrectly detected as a trojan

Microsoft Defender doesn't, Spy hunter shows a Hijacker

Need information on generating sample events for Threat Intelligence

Need information on generating sample events for Threat Intelligence

MDTI is Converging into Microsoft Sentinel and Defender XDR

Key Features Arriving Soon

What to Expect from the Fully Unified Threat Intelligence Experience

Actions for Existing MDTI Customers

Additional Information

Disable Defender TI access to end user

Can the Microsoft Defender portal show the server details as per security group?

Introducing the Threat Intelligence Briefing Agent

Analysis at Machine Speed

How the Agent Works

Agent in Action

What’s Next

Learn More

New at Ignite: TI Guided Experience in Security Copilot

Threat 'Intelligence 360' report on MDTI article

Impact of external article

Conclusion

New at Ignite: Unified Threat Intelligence Experience in Security Copilot

Now Public Preview: MDTI Indicator Data

Now GA: Expanded Unified Vulnerability Intelligence

Conclusion

New Blog | New Copilot for Security Plugin Name Reflects Broader Capabilities

New Security Copilot Plugin Name Reflects Broader Capabilities

Conclusion

MDTI for Government Now Available

Conclusion

Introducing the MDTI Home Page Widget and Article Digest

Conclusion

New Blog | Introducing the MDTI Premium Data Connector for Sentinel

Introducing the MDTI Premium Data Connector for Sentinel

Getting started

Use Cases

Conclusion

Incorrect Detected as Malware

New Blog | More Threat Intelligence Content in MDTI, TA Enables Better Security Outcomes

Increased Intel Profiles

More Threat Intelligence Content In MDTI, TA Enables Better Security Outcomes

Increased Intel Profiles

Enhanced OSINT

Microsoft Defender XDR Threat Analytics

New to MDTI? Here’s where to start