Microsoft Defender Threat Intelligence Blog articles

What’s New at Ignite: Powerful Enhancements in Unified Threat Intelligence

PrateekTaneja — Tue, 18 Nov 2025 16:18:26 GMT

At Microsoft Ignite 2025, we’re unveiling transformative upgrades in threat intelligence designed to empower security teams. With the Threat Intelligence Briefing Agent now fully integrated into the Defender portal, defenders can shift from reactive to proactive security strategies, using Microsoft’s global intelligence combined with insights tailored to their organization. Additionally, the latest phase of the integration of Microsoft Defender Threat Intelligence (MDTI) with Defender XDR and Sentinel brings together unified, real-time threat intelligence and advanced analytics, streamlining the SecOps experience and equipping organizations with powerful tools to anticipate and address emerging threats more effectively.

Threat Intelligence Briefing Agent in Defender

Launched in March, the Threat Intelligence Briefing Agent has already enabled security teams to shift from reactive defense to proactive threat anticipation. At Ignite, we’re excited to announce that this agent is now fully integrated into the Microsoft Defender portal, currently available in Public Preview. It delivers daily, customized briefings, combining Microsoft’s global threat intelligence with insights specific to each organization, in just minutes. Instead of spending hours piecing together information from multiple sources, analysts now receive automated, up-to-date intelligence summaries. These briefings help analysts quickly prioritize actions by providing risk assessments, clear recommendations, and direct links to vulnerable assets, empowering organizations to address exposures proactively.

MDTI Convergence into the Defender Portal

In July, we announced the integration of Microsoft Defender Threat Intelligence (MDTI) directly into Defender XDR and Microsoft Sentinel. This integration delivers world-class, real-time threat intelligence within a unified SecOps experience, all at no additional cost. We are pleased to share that the first phase of this convergence is now available in Public Preview. It features Microsoft’s comprehensive threat intelligence library within Threat Analytics, and new enhancements making it easier than ever for users to access, understand, and act on this critical information.

Threat Intelligence Library in the Defender Portal

Defender XDR customers will have access to Microsoft’s comprehensive threat intelligence library via threat reports within threat analytics (TA). This includes exclusive analyses of threat activity and the detailed content focused on threat actors, threat tooling, and vulnerabilities found in i ntel profiles. Threat reports are automatically correlated with related incidents and affected assets, revealing endpoint vulnerabilities and recommended actions.

Threat analytics in Defender enables and empowers customers to get threat insights around emerging threats on a global scale . Threat analytics provides contextual and operational information about the relevance of each threat for an organization, which allows security teams to organize and prioritize their operations and triage processes based on impact, available as in-product reports.

Threat reports published in Threat analytics include threat activity such as:

Active threat actors and their campaigns
Popular and new attack techniques
Critical vulnerabilities
Common attack surfaces
Prevalent malware

Threat reports provide analysts with insights into the methods and attack patterns employed by threat actors, along with details on vulnerabilities, zero-day exploits, and potentially harmful tools. These findings are correlated with relevant contextual information from the customer's environment to assess the specific impact each threat may have on their organization.

Threat Analytics library now also available to Sentinel-only customers

Sentinel-only customers now have access to Microsoft’s threat intelligence library through reports in Threat Analytics (TA), currently in Public Preview. This upgrade, now in Public Preview, brings Microsoft’s world-class threat intelligence and actionable indicators to Sentinel without a Defender XDR license. While incident correlation and automated response remain exclusive to Defender XDR, standalone Sentinel deployments gain improved threat visibility and integrated security options.

What’s new in Threat Analytics

Threat reports within Threat Analytics have been upgraded with enhanced insights—previously accessible exclusively through an MDTI license—to provide Defender customers with improved context regarding finished intelligence on prevalent threats. The following contextual insights for each report are now available within Threat Analytics:

Indicators of Compromise: Each threat report now includes a comprehensive list of indicators attributed to the specific threat. This feature allows customers to review all relevant indicators and access detailed entity information within Defender directly from the report, streamlining navigation to support efficient investigation and triage.
MITRE ATT&CK Mapping: By mapping threats’ tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework, customers can proactively identify, detect, and mitigate persistent techniques, ultimately enhancing overall security posture.
Targeted Industries & Actor Origin: Reports provide insight into targeted industries and threat actor origins, enabling analysts to prioritize intelligence and contextualize motivations and observed TTPs.
Related Intelligence & Aliases: Threat Analytics offers links to related intelligence and presents actor or tool aliases, allowing customers to cross-reference reports and understand the alignment between Microsoft Threat Intelligence and broader industry developments.

All these additional insights are available in the overview of a threat report

Furthermore, finding threat reports is now easier. The reports are systematically organized and can be filtered by Actor, Tool, Technique, Vulnerability, Activity, or Core threat, making it quicker to locate specific reports.

Read more about threat analytics report and the information available here.

Access to Indicators of Compromise

Indicators of Compromise linked to specific threats provide SOC Analysts with valuable insight into the most common risks faced by their organization. For Defender customers, threat analytics now makes it easier to filter this data according to particular threats. Because information about indicators is vital, unauthorized access poses a risk of data theft or exploitation by malicious actors. Recognising its sensitivity, access to Indicators is restricted to verified customers only.

Customers who do not have access to indicators will see the following when attempting to access it:

In scenarios where access is restricted, customers will have the option to verify themselves by submitting business information to get access on successful verification. Read more about access to indicators.

Customers with access to indicators (with or without the need to submit additional verification) will be able to see the entire list.

The improvements to Threat analytics described above are designed to deliver a unified threat intelligence experience. By integrating MDTI features into Microsoft Defender and Sentinel, customers will progressively have access to more valuable insights that were previously available only with paid MDTI licenses. Read more about MDTI convergence here.

Link Cases to IOCs for Complete Threat Context

You can now link a case directly to relevant Indicators of Compromise (IOCs), ensuring investigations and response workflows stay connected. This feature improves visibility and collaboration, enabling faster, more informed decisions during threat investigations.

Conclusion

The integration of the Threat Intelligence Briefing agent into the Defender Portal and the convergence of MDTI into Microsoft Defender and Sentinel represents a major leap forward for security teams, delivering unified threat intelligence and streamlined workflows. With enhanced access to threat reports, indicators of compromise, and contextual insights, organizations are better equipped to proactively defend against emerging threats and respond with greater speed and confidence. These advancements ensure that valuable intelligence is accessible to all, strengthening security operations and empowering defenders to stay ahead in an ever-evolving threat landscape.

MDTI is Converging into Microsoft Sentinel and Defender XDR

Mike_Browning — Wed, 30 Jul 2025 14:58:58 GMT

In today’s rapidly evolving threat landscape, organizations need threat intelligence (TI) that is woven seamlessly into every step of their security operations, delivered exactly when and where it matters most. That’s why Microsoft is converging Microsoft Defender Threat Intelligence (MDTI) directly into Defender XDR and Microsoft Sentinel, which will provide world-class, real-time TI within a unified SecOps experience at no additional cost. This convergence will grant customers access to Microsoft’s extensive repository of both raw and finished threat intelligence, developed from 84 trillion daily signals and backed by over 10,000 security professionals, eliminating the need for additional licensing and costly third-party solutions.

With comprehensive threat actor-focused TI at every layer of the SecOps workflow, teams gain enhanced visibility, faster detection, and accelerated incident response to outpace threats.

Key Features Arriving Soon

The convergence of MDTI value into Microsoft Sentinel and Defender XDR will take place over the course of several months and be completed by the first half of next year. Features in the first phase of this convergence, which will be available by October, include:

Finished Threat Intelligence: Defender XDR customers will have access to Microsoft’s comprehensive threat intelligence library via threat reports within threat analytics (TA). This includes exclusive analyses of threat activity and the detailed content focused on threat actors, threat tooling, and vulnerabilities found in i ntel profiles. Customers can connect this intelligence to related incidents and affected assets, revealing endpoint vulnerabilities and recommended actions.

The convergence of MDTI’s finished intelligence into threat analytics also introduces threat actor-linked indicators of compromise (IOCs). Security operations and threat intelligence teams can use these IOCs—updated in real time as new evidence emerges from Microsoft researchers—to investigate specific attacker infrastructure and behavior, which supports more effective threat hunting and remediation. Even after their expiration, these IOCs will remain available for historical investigations, enabling analysis of past threats and their organizational impact. This helps security teams proactively uncover new, previously unseen attacker infrastructure beyond the known environment.

Additionally, the convergence brings MITRE TTPs (tactics, techniques, and procedures) into threat analytics. Understanding TTPs equips organizations to design detections that specifically target the more persistent methods attackers use. By proactively focusing on TTPs, organizations move beyond simply blocking or alerting on IOCs, which helps achieve stronger, more resilient defenses and a proactive security posture.

Sentinel customers will also get access to threat analytics in the Defender portal, granting them the same finished TI with many of the same capabilities. This experience will be available for Sentinel customers soon after Defender XDR customers. Stay tuned to the MDTI Tech Community blog for updates on availability.

IoCs in Case Management: Sentinel customers will be able to share threat actor IoCs via Sentinel case management to collaborate and share threat research across teams within their organization. This streamlined sharing not only enhances cross-team collaboration but also accelerates the identification and containment of threats as new intelligence is discovered. By leveraging this workflow within Sentinel, security teams can ensure that actionable threat indicators are promptly distributed and integrated into ongoing investigations, driving smarter and faster responses across the enterprise.

What to Expect from the Fully Unified Threat Intelligence Experience

Once MDTI is fully converged into Defender XDR and Sentinel, customers' alerts, incidents, and investigations will be automatically enriched with relevant threat context, enabling faster, more precise detection and response to emerging threats. Customers will benefit from the entirety of MDTI’s finished and raw intelligence through the threat analytics blade in the Defender portal—including open-source intelligence (OSINT), in-depth threat articles, and advanced internet data sets.

Defender XDR customers will be able to directly link this compendium of intelligence to Defender alerts, endpoints, and vulnerabilities. Sentinel customers will gain unique enhancements of their own, such as automated detection triggers based on the latest IoCs, real-time incident enrichment with current threat actor TTPs, advanced automation features like incident triage, and the ability to enhance third-party intelligence through the Sentinel Threat Intelligence Platform (TIP). For some capabilities, such as alerting on IoCs against log data, Sentinel customers will have to pay a small cost for ingestion of TI (there is no minimum ingestion cost).

The first phase of the convergence will be complete by October 2025, with the rest of the features rolling out over time. Reference the table below to see the features and capabilities that will be available after MDTI is fully converged with Defender XDR and Sentinel.

This chart shows how MDTI features will converge into Defender XDR and Sentinel

For ongoing updates about new MDTI features coming online in Sentinel and Defender XDR, customers should check back-in on the MDTI Tech Community blog.

Actions for Existing MDTI Customers

Existing MDTI customers will continue to have full access to their current MDTI experience until the product is retired on August 1, 2026. They will be contacted by their account team or partner with guidance on next steps and how to reduce their current license and transition to this new unified threat intelligence experience in Defender XDR or Sentinel at no additional cost. Please do not hesitate to reach out to your account team with any questions.

Additional Information

Discover how this unified experience simplifies operations, eliminates silos, and helps you see and stop threats faster. Explore the following resources:

Read our blog announcing the expanded Sentinel data lake offering

Introducing the Threat Intelligence Briefing Agent

Mike_Browning — Thu, 07 Aug 2025 17:58:46 GMT

As cyber threats rapidly evolve, security teams are overwhelmed by the sheer volume of threat intelligence, making it challenging to deliver timely, targeted briefings. That’s why we’re introducing the Security Copilot Threat Intelligence Briefing Agent—a powerful new tool that slashes the time to produce actionable threat reports from hours or days to just minutes. Now in Public Preview, the agent delivers prioritized insights, mapping the latest adversary activity to your unique attack surface so you know exactly which vulnerabilities demand attention now.

Looking ahead, we’re planning even deeper integrations, such as automated remediation, exposure trend analysis, and more, to empower security teams to stay one step ahead of attackers.

Analysis at Machine Speed

This next evolution in Security Copilot threat intelligence capabilities builds on its powerful ability to correlate Microsoft threat data, real-time signals, and customer telemetry to add critical context to threats. The agent dynamically builds briefings based on the latest threat actor activity from Microsoft security research and both internal and external vulnerability data sourced from Microsoft Defender Vulnerability Management (MDVM) and Microsoft Defender External Attack Surface Management (EASM). It automates the collection, analysis, and summarization of this powerful threat information, delivering continuous, tailored briefings based on factors such your organization’s evolving attack surface, your industry, and geographic location.

These briefings, which can be scheduled or run ad-hoc, offer regular executive summaries and technical analysis accessible via the UI or directly to a CISO's inbox. They determine whether a vulnerability is being actively exploited and its potential organizational impact. Instead of sifting through threat feeds and vulnerability reports, security teams receive clear insights aligned with the organization's needs, allowing for effective resource allocation. As a result, cyberthreat intelligence (CTI) analysts gain important data for further research, while CISOs and security leaders get the situational awareness needed to fine-tune their defense strategies.

How the Agent Works

Setting up the Agent

The Threat Intelligence Briefing agent is in the Security Copilot standalone experience. A new area of the product is devoted to agents, where both Microsoft and third parties offer a variety of agents that perform critical tasks to make cybersecurity teams more effective and efficient. CTI analysts can quickly set up the Threat Intelligence Briefing agent to run once for a one-time report or set it to run automatically at an interval of their choosing. Setting up the agent is simple. Customers can choose an identity for the agent using Microsoft’s robust role-based access controls (RBAC):

Customers can choose an existing identity or create an agent-specific identity.

They can then ensure the required plugins are enabled for the agent to run. At the core of this agent is its integration with Microsoft’s extensive threat intelligence ecosystem. It leverages Microsoft Defender Threat Intelligence (MDTI) profiles, articles, and intelligence on threat actors, tools, and techniques, automatically prioritizing content based on the organization's unique profile.

Currently, the Threat Intelligence Briefing Agent is best suited for MDEASM and Microsoft Defender for Endpoint (MDE), as it relies on telemetry and insights from these first-party integrations to deliver accurate and context-rich reports.

For organizations with E5 licenses, the agent can also incorporate insights from MDVM to highlight potential weaknesses in your internal IT infrastructure. If the organization utilizes MDEASM, the agent further tailors its briefings using external data such as vulnerabilities associated with unmanaged assets (e.g., CVE information):

Customers can choose up to three plugins to provide the agent with threat intelligence to build briefings.

Once set up, the agent is ready to run in the background to generate the briefing:

Once the agent is set up, it's ready to run!

Agent in Action

A key benefit of the agent for CISOs and security managers is simplification. The agent runs at regularly scheduled intervals or on-demand:

Customers can look into any run the agent has made to read past briefings.

Here, we can see the briefing highlighted potentially significant threats facing the organization, focusing on recent campaigns by the riskiest threat actors. These campaigns involve tactics such as exploiting vulnerabilities in network devices, phishing, and ransomware attacks:

Briefings show the latest threats that are most relevant to an organization with a summary of recent campaigns and recommended actions.

The briefings also include the most critical CVEs contextualized with threat intelligence. It also includes links to vulnerable assets for further action:

The briefing also shows the most critical vulnerabilities identified by the agent, mitigation steps, and the affected assets across the organization's IT setup and external attack surface.

The briefing provides concrete recommendations to enhance defenses, including patching vulnerabilities, strengthening endpoint protection, and implementing attack surface reduction rules. Customers can then review the path the agent took to see how it gathered this real-time intelligence:

Here, we can see the path the agent has taken to generate the briefing. At each step of the way, it is making dynamic decisions about the best threat intelligence to include based on its inherent threat intelligence expertise. This path can change each day based on changes in the threat landscape and on the organization’s attack surface. For example, if a CVE gets remediated, threat intelligence associated with that vulnerability will become less of a priority:

The agent shows the path it took to build each briefing. It makes dynamic decision based on its threat intelligence expertise every step of the way.

What’s Next

The Threat Intelligence Briefing Agent marks a major step toward AI-driven automation for improving security outcomes, but this is just the beginning. We are continuously listening to our customers and rolling out new updates regularly. This powerful agent will soon be available alongside the rich, continuously updated threat intelligence in the Threat Analytics blade of Defender XDR to enable Defender customers to create these briefings with the click of a button.

Learn More

Threat Intelligence Briefing Agent offers a strategic way to reduce complexity, optimize security decision-making, and expedite the identification of the most relevant vulnerabilities and threats impacting your organization. By automating and prioritizing threat intelligence—the same intelligence that previously took hours or days to assemble—this agent provides clear, actionable insights that enhance overall security readiness.

To learn more about this agent and the rest of the first and third-party agents now available, watch our Microsoft Secure digital event. For a closer look at this agent, watch our deep dive in the Microsoft Security Copilot Content Hub. Read this blog to learn more about Security Copilot agents at RSA.

New at Ignite: TI Guided Experience in Security Copilot

Mike_Browning — Fri, 22 Nov 2024 17:27:22 GMT

The Security Copilot team is consistently improving the threat intelligence (TI) experience for customers. At Microsoft Ignite 2024, we're thrilled to unveil two out-of-the-box promptbooks that create guided experiences for cyberthreat intelligence and SOC analysts for investigating and responding to threats affecting their organization, simplifying complex workflows and making difficult, repetitive tasks easier to do for all experience levels.

Below, we’ll cover each of these promptbooks in more detail:

Threat 'Intelligence 360' report on MDTI article

With Security Copilot able to tap into powerful threat intelligence from more sources, customers get a much more holistic view of threats, better understand how they impact the organization, have more recommendations and guidance to respond faster and more effectively. This promptbook shows customers the full impact a threat covered in a Microsoft Defender Threat Intelligence article has on their organization to streamline and accelerate response.

These prompts help map content from the article back to CVE and vulnerability data related to their organization’s attacks surface, surface related incidents, and provide recommendations for remediation. Below, we’ll examine what an analyst sees when they run the 'Threat Intelligence 360 Report' promptbook for the MDTI article “Attack Abuses Victim Resources to Reap Rewards from Titan Network.”

The first step of the promptbook pulls up all indicators of compromise (IoCs) added to the article by Microsoft researchers. Below, you can see the prompt return a list of IoCs that includes two IP addresses and several URLs:

Copilot extracts the IoCs from the MDTI article.

The next step of the promptbook asks Security Copilot to create a KQL query to hunt across the organization’s network for activity related to the indicators from the article. In the example below, Security Copilot created a query for IPV4 indicators in the article returned by Security Copilot. The promptbook will create KQL queries for every indicator type and return all relevant intelligence.

KQL query to hunt for malicious domains referenced in the article on the network.

The promptbook will then search for Defender incidents related to the article. In this example, it returns four incidents that contain indicators or tactics, techniques, and procedures (TTPs) that are covered in the article. Grouping the incidents by activity make them easy to reference for incident responders and provide important context and a clear path forward for cyberthreat intel analysts' investigation.

Related incidents involving the IoCs and TTPs covered in the MDTI article

Finally, the promptbook shows the analyst details of the CVEs listed in the articles and its impact to the organization by listing their organization's vulnerable assets and resources to help them understand how their attack surface is exposed and the steps they need to take to address and remediate the vulnerabilities:

List of impacted assets from Threat Analytics.

Overall, this information rapidly summarizes a threat analyzed in a threat intelligence article so analysts can quickly and efficiently understand the nuances of the threat and its impact to the organization.

Impact of external article

This promptbook shows analysts the impact of an external threat intelligence article from a third-party source (not found in Microsoft products) on their organization. This promptbook extracts indicators from the article to check against all Microsoft’s intelligence to show all relevant information and the impact on the organization.

Below, the analyst deploys this promptbook to better understand a threat intelligence article from a third-party source about the latest campaigns leveraging the 'Silent Skimmer':

IoCs extracted from third-party article

Next, the promptbook takes the indicators extracted from the article and queries Microsoft's compendium of threat intelligence to show all related content and data to give analysts a broader understanding of the threat activity. Below, the promptbook checks each IoC's reputation against Microsoft Threat Intelligence. The analyst can see that several of the indicators from the article are known to be malicious to Microsoft and are associated with several Microsoft threat intelligence articles in MDTI:

Microsoft reputation scoring for each third-party IoC

After uncovering related intelligence, the promptbook asks Security Copilot to create KQL queries to automatically hunt across the network for the malicious indicators from the article, as well as the ones newly surfaced in Microsoft threat intelligence. In the example below, it’s searching for the file hashes listed in the article:

KQL query automatically generated by the promptbook to hunt across the network for threat activity covered in the article

Finally, the promptbook asks Security Copilot to create a table showing any reference in Microsoft threat intelligence to the indicators mentioned in the article, as well as any devices in the customer organization that are affected by CVEs listed in the article based on Threat Analytics data:

Query automatically generated to show the impact of this third-party article to the organization from data in Threat Analytics and MDVM.

These powerful new promptbooks will create guided experiences for a variety of personas, simplifying complex workflows and making difficult, repetitive tasks easier to do.

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape made possible protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in Copilot for Security providing an all-encompassing view of attack vectors across various platforms, ensuring customers have comprehensive threat detection and remediation.

If you are interested in learning more about MDTI and how it can help you unmask and neutralize modern adversaries and cyberthreats such as ransomware, and to explore the features and benefits of MDTI please visit the MDTI product web page. To learn more about Security Copilot, visit the Tech Community page here.

Learn more about Microsoft Security Copilot in Microsoft Defender Threat Intelligence here.

Learn more about other Microsoft threat intelligence innovations launching at Ignite here.

Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Security Copilot SCU here.

New at Ignite: Unified Threat Intelligence Experience in Security Copilot

Mike_Browning — Fri, 22 Nov 2024 17:26:48 GMT

The Security Copilot team is continuously enhancing threat intelligence (TI) capabilities in Copilot. At Microsoft Ignite 2024, we’re excited to announce several powerful innovations that provide a more comprehensive and integrated TI experience for customers. Now generally available, Security Copilot customers can build a '360-degree' view of threats by tapping into a wider range of TI sources for more insight into attacker tooling and methodology and how they may impact the organization.

Below, we’ll cover these innovations in more detail.

Now Public Preview: MDTI Indicator Data

Ten new indicators skills can now leverage the full corpus of raw and finished threat intelligence in MDTI to link any indicator of compromise (IoC) to all related data and content, providing critical context to attacks and enabling advanced research and preemptive hunting capabilities that give defenders a head start on adversaries. This automated infrastructure chaining is a crucial function for a security analyst or threat hunter to investigate the relationships between connected data sets, which allows them to kick off and expand their investigations into events or incidents on their network.

These skills call upon two main categories of threat intelligence:

In-depth Indicators data: Security Copilot can now automatically link any IoC with all threat intelligence linked to it in MDTI, including intel profiles, articles, and summary data, which includes detonation and reputation information from Microsoft’s file and URL analysis. This context is critical when responding to an incident, providing instant information on the attacker and nature of the attack. This data can also level-up analysts by providing the necessary next steps outlined in MDTI to help them deal with the incident quickly and efficiently.

Indicators metadata: Security Copilot can link any IoC to associated infrastructure across the internet via MDTI’s advanced internet data sets. These data sets are developed by collecting and analyzing internet data at a global scale and are comprised of core and derived data sets. Core data sets include Resolutions, WHOIS information, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services. Derived data sets including Trackers, Components, Host Pairs, and Cookies. When linked to related infrastructure, analysts can make connections between related threat activity and preemptively uncover new threat tooling before it can be used against the organization.

In this example, you can see an indicator has been linked to several IP addresses, two articles, and three intel profiles. Copilot has also pulled up its reputation, WHOIS, and passive DNS data.

Now GA: Expanded Unified Vulnerability Intelligence

Recently, we announced the expansion of the Threat Intelligence plugin in Security Copilot. Now generally available, Security Copilot can also reason over vulnerability and asset intelligence from Microsoft Defender External Attack Surface Management (MDEASM), Defender Vulnerability Mangement (MDVM), and Threat Analytics for a more complete view of vulnerabilities and a better understanding of how known threats covered in Microsoft threat intelligence impact the organization. Through this holistic experience, customers get a deeper view of threats, better understand how they impact the organization, and have more recommendations and guidance to respond faster and more effectively.

Above, we can see the threat intelligence sidecar in Defender XDR showing the key details around CVE – 2023-6119, including its severity, impact on the organization in number of exposed devices, and other important information, such as affected versions.

In a single view, customers can understand the impact of a vulnerability or exposure, including exposed and unmanaged assets, risk-based prioritization, and steps for remediation. Customers can also see all threat intelligence related to the vulnerability to better understand the threat actors leveraging it so they can take preemptive steps to secure their organization.

With the integration of threat intelligence sources in Security Copilot that are otherwise separate, customers get a much more holistic view of threats, sharper clarity on how they impact the organization, and have more recommendations and guidance to respond faster and more effectively.

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape made possible protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in Security Copilot providing an all-encompassing view of attack vectors across various platforms, ensuring customers have comprehensive threat detection and remediation.

Learn more about other threat intelligence innovations being announced at Ignite here.

Learn more about Microsoft Security Copilot in Microsoft Defender Threat Intelligence here.

Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Security Copilot SCU here.

New Security Copilot Plugin Name Reflects Broader Capabilities

Mike_Browning — Mon, 14 Apr 2025 19:42:41 GMT

The Security Copilot team is continuously enhancing threat intelligence (TI) capabilities in Security Copilot to provide a more comprehensive and integrated TI experience for customers. We're excited to share that the Security Copilot threat Intelligence plugin has broadened beyond just MDTI to now encapsulate data from other TI sources, including Microsoft Threat Analytics (TA) and Microsoft file and URL intelligence, with even more sources becoming available soon.

To reflect this evolution of the plugin, customers may notice a change in its name from "Microsoft Defender Threat Intelligence (MDTI) to "Microsoft Threat Intelligence," reflecting its broader scope and enhanced capabilities.

Since launch in April, Security Copilot customers have been able to access, operate on, and integrate the raw and finished threat intelligence from MDTI developed from trillions of daily security signals and the expertise of over 10 thousand multidisciplinary analysts through simple natural language prompts. Now, with the ability for Security Copilot's powerful generative AI to reason over more threat intelligence, customers have a more holistic, contextualized view of the threat landscape and its impact on their organization.

New plugin name in Security Copilot reflects broader range of capabilities

This broader range of information, delivered instantly and in-context, adds to the ability to enable different security personas to defend at machine speed and scale. For example, a customer may ask "Tell me more about the Threat actor Silk Typhoon" for the latest threat intelligence information from MDTI, including IoCs, data from mass collection and analysis, intelligence articles, Intel Profiles (vulnerabilities, threat actors, threat tooling], and guidance. Security Copilot now also shows customers the impact of threat to their organization and which assets may be vulnerable though threat analytics and reputation information from Microsoft file and URL (detonation) intelligence. for indicators associated with incidents and other threat activity.

In this example, impacted asset data from Threat Analytics is available alongside MDTI intelligence for complete context about a threat and its impact on the organization.

It's important to note that customers will only see threat intelligence associated with the products they are provisioned for. For example, a Security Copilot customer that isn't provisioned for Defender XDR will not see any threat intelligence from Threat Analytics.

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape made possible protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in Security Copilot providing an all-encompassing view of attack vectors across various platforms, ensuring customers have comprehensive threat detection and remediation.

Learn more about Microsoft Security Copilot in Microsoft Defender Threat Intelligence here.

Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Security Copilot SCU here.

MDTI for Government Now Available

Mike_Browning — Mon, 30 Sep 2024 17:08:06 GMT

We are thrilled to introduce Microsoft Defender Threat Intelligence (MDTI) with FedRAMP High (DOD IL2) attestation are now available for government sectors. Customers across U.S. state, local, and tribal governments utilizing GCC services can now purchase MDTI and the MDTI API SKUs to unmask adversaries and understand their organization’s security posture against threats.

MDTI serves as the ultimate resource for Microsoft Threat Intelligence, empowering security teams to access, ingest, and act upon a comprehensive repository of operational, strategic, and tactical threat intelligence. With MDTI, organizations can swiftly assess their exposure to threats, including over 300 threat actors monitored by Microsoft, and determine the best course of action. Licensed per seat, MDTI grants access to a premium 'analyst workbench' in the Threat Intelligence tab of the Defender XDR portal. This workbench features extensive finished threat intelligence on actors, tools, and techniques, complemented by advanced internet data sets to help analysts delve deeper and identify threat infrastructures.

For API access, customers must purchase an MDTI seat license. The API facilitates integration with other security tools, providing critical context around threat actors, vulnerabilities, and attack tools. When combined with Microsoft Sentinel, the API provides powerful context and enhances alert enrichment and triage capabilities.

Learn more about MDTI by taking the MDTI Ninja Training here.

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape made possible protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in MDTI providing an all-encompassing view of attack vectors across various platforms, ensuring Sentinel customers have comprehensive threat detection and remediation.

Introducing the MDTI Home Page Widget and Article Digest

Mike_Browning — Fri, 06 Sep 2024 20:49:54 GMT

The MDTI team is excited to announce the Threat Intelligence Widget in the Microsoft Defender home page and the MDTI Article Digest, two handy new features that make Microsoft threat intelligence more accessible, digestible, and relevant. When customers login to the Unified SecOps platform, they will now see a widget that displays featured threat intelligence articles containing the most impactful content on the threat landscape. Via the digest, they can stay up to speed with a summary of the latest threat intelligence published since their last login.

MDTI Article Digest

The MDTI article digest is a brand new way for customers to stay up to speed with the latest analysis of threat activity observed across more than 78 trillion daily threat signals from Microsoft's interdisciplinary teams of experts worldwide. The digest, seamlessly integrated into the MDTI user interface in the threat intelligence blade of Defender XDR, shows users everything published since their last login:

Customers will see that not only does the digest notify users of the latest content but also encourages exploration through a user-friendly sidebar that lists the articles:

With the added convenience of pagination, users can now easily navigate through a wealth of information, ensuring they never miss valuable insights. The digest is also flexible, allowing users to clear notifications, thus tailoring the experience to their preferences.

The digest is a significant step forward in our commitment to delivering exceptional user experiences, and we're excited to see how it will positively impact the MDTI community. If you're a licensed MDTI user, login to Defender XDR today to see the digest located on the right-hand side of the UI, to the left of the TI Copilot embedded experience sidebar.

MDTI Home Page Widget

The MDTI Home Page Widget provides features the most impactful and relevant content recently publishes to MDTI surfaced alongside a summary of the most crucial information across your cybersecurity program. The articles surfaced serves as a 'front page' for the latest threat intelligence and news about the threat landscape, and serves as a great entry point for additional research.

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape made possible protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in MDTI providing an all-encompassing view of attack vectors across various platforms, ensuring Sentinel customers have comprehensive threat detection and remediation.

Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Copilot for Security SCU here.

Introducing the MDTI Premium Data Connector for Sentinel

Mike_Browning — Tue, 24 Sep 2024 22:04:50 GMT

The MDTI and Unified Security Operations Platform teams are excited to introduce an MDTI data connector available in the Unified Security Operations Platform and standalone Sentinel experiences. The connector enables customers to apply the powerful raw and finished threat intelligence in MDTI, including high-fidelity indicators of compromise (IoCs), across their security operations to detect and respond to the latest threats.

Microsoft researchers, with the backing of interdisciplinary teams of thousands of experts spread across 77 countries, continually add new analysis of threat activity observed across more than 78 trillion threat signals to MDTI, including powerful indicators drawn directly from threat infrastructure. In Sentinel, this intelligence enables enhanced threat detection, enrichment of incidents for rapid triage, and the ability to launch investigations that proactively surface external threat infrastructure before it can be used in campaigns.

This blog will highlight the exciting use cases for the MDTI premium data connector, including enhanced enrichment, threat detection, and hunting to ensure customer organizations are protected against the most critical threats. It will also cover how you can easily get started with this out-of-the-box connector.

Getting started

The MDTI premium data connector provides more IoCs than the standard (free) MDTI data connector, including high-fidelity IoCs added by the Microsoft Threat Intelligence Center (MSTIC) and those tied to the over 300 threat actor groups Microsoft tracks. Combined, the free and premium data connectors give you full coverage of available threat intelligence. Please note that an MDTI premium license and API license are required to begin using the MDTI premium data connector.

To get started with the free and premium data connectors, follow the instructions here.

Use Cases

Dynamic Incident Enrichment

The MDTI premium data connector can help analysts respond to threats at scale by automatically enriching incidents with MDTI premium threat intelligence, evaluating indicators in an incident with dynamic reputation data (everything Microsoft knows about a piece of online infrastructure) to mark its severity and automatically triage it accordingly. Comments are added to the incident outlining the reputation details with links to further information about associated threat actors, tools, and vulnerabilities.

Threat Detection

With a flip of the switch, the MDTI premium data connector immediately enables detections for threats, including activity from the more than 300 named threat actor groups tracked by Microsoft. When enabled in Microsoft Sentinel, this connector takes URLs, domains, and IPs from a customer environment via log data and checks them against a dynamic list of known bad IOCs from MDTI. When a match occurs, an incident is automatically created, and the data is written to the Microsoft Sentinel TI tab. By enabling this rule, Microsoft Sentinel users know they have detections in place for threats known to Microsoft.

External Threat Hunting

Customers can pivot off the IoCs to investigate further and boost their understanding of the threat with MDTI's repository of raw and finished intelligence. Finished intelligence, or written intelligence and analysis, includes articles, activity snapshots, and Intel Profiles about actors tooling and vulnerabilities. It provides crucial context and vital information such as targeting information, TTPs (tactics, techniques, and procedures), and additional IoCs.

Customers can also explore advanced internet data sets created by amass collection network that maps threat infrastructure across the internet every day to locate relationships between entities on the web to malicious infrastructure, tooling, and backdoors outside the network at incredible scale. Below is an example of how to effectively detect and hunt for Indicators of Compromise (IoCs) associated with threat actors using Sentinel with MDTI connector enabled.

Begin by following these steps:

Filter IoCs by MDTI Source - Set the source filter to "Premium Microsoft Defender Threat Intelligence" within Sentinel TI tab
By using tags, you can filter IoCs by specific threat actors, for example, `ActivityGroup:AQUA BLIZZARD`

Leverage the enriched data from the MDTI feed in your Log Analytics workspace using KQL queries to hunt and create custom analytic rules.

To create an analytics rule, fill out the fields under the 'general tab' as shown below:

For the sake of this demo, our detection rule is very simple. However, you can enhance it with your own detection logic:

Customers can extend their investigation even further and gather more intelligence on the threat actor by using the Unified Security Operations platform premium MDTI experience. Simply take an indicator value and perform a search in the global search feature:

Clicking into an Intel Profile for Aqua Blizzard provides the full corpus of intelligence, data, and analysis related to the threat actor, including TTPs and IoCS, continuously updated by Microsoft threat researchers:

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape made possible protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in MDTI providing an all-encompassing view of attack vectors across various platforms, ensuring Sentinel customers have comprehensive threat detection and remediation.

Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Copilot for Security SCU here.

Copilot for Security TI Embedded Experience in Defender XDR is now GA

Mike_Browning — Mon, 24 Jun 2024 21:36:45 GMT

The Microsoft Defender Threat Intelligence (MDTI) and Defender XDR teams are pleased to announce that the Copilot for Security threat intelligence embedded experience in the Defender XDR portal is now generally available. As of today, Defender XDR customers will see a handy AI-powered sidecar in the Threat Analytics, intel profiles, intel explorer, and intel projects tabs in the threat intelligence blade (in brackets below), which returns, contextualizes, and summarizes intelligence from across MDTI and Threat Analytics about threat actors, threat tooling, and indicators of compromise (IoCs) related to their vulnerabilities and security incidents.

How Copilot Enhances Microsoft Threat Intelligence

Microsoft Copilot for Security enables customers to access, operate on, and integrate Microsoft's raw and finished threat intelligence via natural language with simple requests known as prompts, which ask important questions about MDTI's data and content, such as "Tell me more about the threat actor Silk Typhoon." The answers returned from prompts are always up to date with the latest threat intelligence information, including IoCs, data from mass collection and analysis, intelligence articles, intel profiles (vulnerabilities, threat actors, threat tooling, techniques), and guidance. This critical information delivered instantly and in-context, up-levels and enables different security personas to defend at machine speed and scale.

Key Capabilities of the Threat Intelligence Embedded Experience

Think of the Copilot threat intelligence embedded experience in Defender XDR as a helpful research assistant that can pull, contextualize, and summarize relevant intelligence at machine speed to drive an optimal security plan for your organization. Customers can evaluate artifacts and correlate MDTI and Threat Analytics content and data with other security information from Defender XDR, such as incidents and hunting activities, to help them assess their vulnerabilities and quickly understand the broader scope of an attack. With helpful pre-populated prompts or through typing your own, the Copilot sidecar helps you quickly understand threats and assess vulnerabilities faster and more efficiently than before in several exciting ways:

Summarize threat intelligence: By clicking on the pre-populated prompt ‘Give me an overview of the latest threats to my organization,’ Copilot returns the latest Intel Profiles and Activity Snapshots that contain mentions of your vulnerabilities, TTPs (tactics, techniques, and procedures) that include the infrastructure your organization runs, and other relevant factors such as intelligence that mentions your industry and region:

Customers can also ask Copilot to summarize other relevant intelligence via open prompts, such as “Tell me about the threat actor Mango Sandstorm” or “Summarize the latest threat activity involving Cobalt Strike.”

Prioritize threats: By clicking the pre-populated prompt “Which threats should I focus on based on their exposure score,” Copilot queries Threat Analytics and MDTI to deliver the intelligence most relevant to an organization based on the exposures and vulnerabilities they have across their attack surface. Customers can also quickly retrieve information on indicators, including IP addresses and domains, to enrich artifacts with content such as threat articles and intel profiles to understand the risk they pose to their organization’s unique attack surface.

Understand your risk: Copilot can reason over vulnerability intelligence in MDTI and Threat Analytics to deliver a customized, prioritized list based on a customer organization’s unique security posture. By clicking on the pre-populated prompt “Which threat actors are targeting infrastructure in my industry?” Copilot returns summaries of the top threat actors implicated in attacks involving your industry. This information provides an excellent starting point for threat research and building out a robust defense strategy.

New to MDTI? Here's where to start

Learn more about getting started with MDTI here, and read everything you need to know about MDTI as a Copilot for Security customer here. Also, be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats.

MDTI Achieves PCI DSS Certification: Elevating Security Standards

Aashis_Luitel — Tue, 30 Apr 2024 16:48:00 GMT

We are excited to announce that MDTI has successfully obtained the Payment Card Industry Data Security Standard (PCI DSS) certification, representing a significant milestone in our continuous pursuit of security excellence. This accomplishment follows closely after our ISO certification, highlighting our unwavering commitment to upholding the highest standards of data protection and our dedication to safeguarding information and proactively combating fraud.

This certification not only strengthens our security measures but also reaffirms the trust our customers have in us to handle their most sensitive data with the utmost care and diligence.

Why the PCI DSS certification matters

PCI DSS is a renowned global standard for securing credit card data and preventing fraud. For organizations that handle sensitive payment information, compliance with PCI DSS is not just a requirement - it's a cornerstone of our promise to safeguard customer data.

Advantages for our customers

Our customers are central to our operations, and our PCI DSS certification offers numerous benefits, including:

Enhanced Security: The rigorous security measures of PCI DSS significantly reduce the risk of data breaches and credit card fraud, ensuring that our customers' sensitive payment card data is well-protected.

Compliance Ease: With MDTI's PCI DSS certification, our customers can save on the effort and costs of obtaining their own PCI DSS validation, as they can confidently build or host their services on our validated platform.

Trust and Confidence: This certification reinforces the trust our customers place in us, enhancing their confidence in our ability to handle their most sensitive data with the utmost care and diligence.

Shared Responsibility: The Azure PCI DSS Responsibility Matrix we provide clarifies the areas of responsibility for each PCI DSS requirement, ensuring a clear partnership in maintaining security standards.

Guidance and Support: Our Azure Security and Compliance PCI DSS Blueprint offers a roadmap for deploying a PCI DSS-compliant environment, enabling our customers to manage payment card data with confidence.

Our commitment to continuous improvement

Achieving PCI DSS certification is more than just meeting a standard; it's a reflection of our commitment to continuous improvement and excellence in security. It's about providing our customers with the assurance they need to operate confidently in today's digital landscape.

Join us on this journey

We invite you to join us in celebrating this achievement and to learn more about how MDTI's PCI DSS certification can benefit your organization by engaging us via our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats.

Also, be sure to explore our services, engage with our experts, and discover the peace of mind that comes with partnering with a leader in security by contacting our sales team.

A Security Copilot Customer’s Guide to MDTI

Mike_Browning — Tue, 29 Apr 2025 04:27:19 GMT

With just one Security Compute Unit (SCU), Security Copilot customers have unlimited access to the powerful operational, tactical, and strategic threat intelligence in Microsoft Defender Threat Intelligence (MDTI), a $50k per seat value, at no extra cost. This compendium of high-fidelity intelligence developed by Microsoft's team of more than 10,000 multidisciplinary security experts and informed by over 78 trillion security signals enables teams to unmask and neutralize adversaries quickly and efficiently.

In this blog, we will review what MDTI is, what you get as a Security Copilot customer, and how you can immediately tap into this intelligence to protect your organization.

What is MDTI?

MDTI is a threat intelligence product that enables security professionals to directly access, ingest, and act upon trillions of daily security signals in Microsoft's telemetry. MDTI's finished intelligence, including threat articles and intel profiles, provides the latest on cyber threat actors and their tools, tactics, and procedures. Its unique security data sets enable advanced investigations that uncover malicious infrastructure connections across the global cyberthreat landscape to highlight where an organization is vulnerable and address the tools and systems used in cyberattacks.

MDTI is a powerful complement to Microsoft's SIEM, XDR, and AI solutions. Security Copilot customers can use the incredible depth and breadth of Microsoft threat intelligence in MDTI with Generative AI to quickly understand the full scope of attacks, anticipate the next steps of an ongoing campaign, and drive an optimal security plan for their organizations. They can immediately begin using MDTI in the Security Copilot standalone experience or embedded experience in Defender XDR. They can also use MDTI directly via the MDTI' analyst workbench' experience in the Threat Intelligence blade in Defender XDR.

Security Copilot customers can tap into MDTI’s powerful threat intelligence in a variety of ways

Learn more about MDTI by taking the MDTI Ninja Training here>

MDTI In Security Copilot

Microsoft Security Copilot enables customers to access, operate on, and integrate Microsoft's raw and finished threat intelligence via natural language. They can make simple requests known as prompts to learn about threat actors, tools, indicators of compromise (IoCs), and threat intelligence related to their organization's security incidents and alerts.

Prompts can ask important questions of MDTI's data and content, such as "Tell me more about the Threat actor Silk Typhoon." Users can also write a tailored prompt book (a predefined set of typical follow-up questions) about [security incident] and how to respond to it. The answers returned from prompts are always up to date with the latest threat intelligence information from MDTI, including IoCs, data from mass collection and analysis, intelligence articles, Intel Profiles (vulnerabilities, threat actors, threat tooling], and guidance. This critical information, delivered instantly and in-context, adds to the ability to enable different security personas to defend at machine speed and scale.

Example of MDTI skills and prompts in Security Copilot

MDTI powers Security Copilot via a wide range of threat intelligence skills, enabling customers to quickly retrieve information on indicators, including IP addresses and domains, and contextualize artifacts with content such as threat articles and intel profiles. Additionally, out-of-the-box promptbooks correlate MDTI content and data with other security information from Defender XDR, such as incidents and hunting activities, to help customers quickly understand the broader scope of an attack. These capabilities will be available within the standalone and embedded Security Copilot experiences.

MDTI is integral to the Security Copilot experience. To begin using MDTI in Copilot, simply go to "manage plugins" (bottom left in the Copilot standalone interface) and enable "Microsoft Defender Threat Intelligence."

Learn more about MDTI in Security Copilot here>

MDTI In Defender XDR

In Defender XDR, MDTI helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows, aggregating and enriching critical threat information in an easy-to-use interface. Copilot customers can leverage MDTI's data sets and content anytime, anywhere within Defender XDR to provide additional context and aid in investigations. In the Microsoft Defender XDR portal, users can access MDTI under the "Threat Intelligence" blade in the left-hand navigation menu.

Intel Explorer: In this tab, customers can search across all intelligence in MDTI, browse, featured articles, and peruse recent threat article pages.
Intel Profiles: This tab contains more than 300 continuously maintained profiles on threat actors, tooling, and vulnerabilities.
Intel Projects: In this tab, users can create or access team and individual projects to save personal investigations and collaborate with teammates across the organization.
Detonation Intelligence for Hashes and URL Search: Customers can obtain insights about the file hash or URL and any associated links to intelligence articles where the file hash or URL has been listed as an Indicator of Compromise.

The MDTI user interface in the Intelligence blade within Defender XDR

The MDTI API is not included with Security Copilot

If users wish to leverage MDTI's API endpoints to support automated enrichment against their incidents or create sophisticated scripts to address use cases our MDTI Copilot skills cannot natively support today, customers are encouraged to work with their Commercial Executive to learn more about purchasing our MDTI API license.

Learn more about the MDTI API here and here>

New to MDTI? Here's where to start

Learn more about getting started with Security Copilot, including pricing and getting started here>

Also, be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats.

New at Secure: Corpus of Intel Profiles Available in Defender XDR

SpencerBerg — Wed, 13 Mar 2024 16:26:13 GMT

The Microsoft Defender Threat Intelligence (MDTI) team is excited to announce that we are revealing previews for each of our 350+ intel profiles to all Defender XDR customers for the first time. This represents Microsoft’s broadest expansion of threat intelligence content to non-MDTI premium customers yet, adding nearly 340 intel profiles to Defender XDR customers' view, including over 200 tracked threat actors, tools, and vulnerabilities that Microsoft has not named anywhere else.

We are also revealing the full content for an additional 31 profiles, building on our initial set of 17 profiles released to standard (free) users at Microsoft Ignite. Defender XDR customers now can access 27 full threat actor profiles, including new profiles like Periwinkle Tempest and Purple Typhoon; 13 full tool profiles, such as Qakbot and Cobalt Strike; and eight full vulnerability profiles, including CVE-2021-40444 and CVE-2023-45319.

Note: Profiles in the standard edition will not contain indicators of compromise (IOCs), which are reserved for MDTI premium customers.

Intel Profiles standard edition experience

You can visit our more than 350 intel profiles on the “Intel profiles” tab under the “Threat intelligence” blade in the left navigation menu:

Currently, our corpus of shareable finished threat intelligence contains 205+ named threat actors, 70+ malicious tools, and 75+ vulnerabilities, with more to be released on a continual basis. To view our full catalog for each of the three profile types – Threat Actors, Tools, and Vulnerabilities – click their respective tab near the top of the page.

In the intel profiles page list view, profiles containing limited information are marked with an icon. However, don’t let this symbol stop you – each of these profiles contain the same detailed summary (“Snapshot”) written at the start of the content for premium customers. For threat actor profiles, this section often includes a valuable description of the actor’s origins, activities, techniques, and motivations. On tool and vulnerability profiles, these summaries describe the malicious tool or exploit and illustrate its significance, with details from real-world activity by threat actor groups when available. This information enables leaders of threat intelligence and security programs to take an intel-led approach, starting with the threat actors, tools, and vulnerabilities that matter most to their organization and building a robust strategy outward.

Our intel profiles containing full content can be distinguished from the limited profiles in the list view as they do not contain the icon. Full profiles can contain much additional detail beyond a Snapshot, including:

Real details from past threat actor activity, tool usage, and vulnerability exploits, including phishing templates, malicious attachments, code excerpts and more from actual threat investigations
Detailed TTPs (tactics, techniques, and procedures) and attack path analyses, based on both past and potential future exploitation attempts, and their corresponding MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) techniques
Detections and Hunting Queries, which list alerts and detections that may indicate the presence of the above threats
Advanced Hunting queries to identify adversary presence within a customer’s network
Microsoft Analytic Rules, which result in alerts and incidents to signal detections associated with adversarial activity
Recommendations to protect your organization against the threat
And References for more information.

To see the full content and IOCs for all intel profiles, start a free trial or upgrade to premium.

Discovering relevant profiles

On the intel profiles page, each of the tabs for the three profile types contains a local search box, enabling you to quickly discover profiles of interest by matching keywords. Additionally, the Threat actors tab enables you to filter for the Country/Region of Origin and Targets (representing Targeted Industries) of actor groups, helping to narrow the list down to the profiles that are most important to your organization:

With the inclusion of MDTI results in Defender XDR’s global search bar, you also may use this top-level search to discover intel profiles from anywhere in the portal based on keywords. Refer to the linked blog for inspiration on what you can search for and what other MDTI results you can expect.

About intel profiles

Intel profiles are Microsoft’s definitive source of shareable knowledge on tracked threat actors, malicious tools, and vulnerabilities. Written and continuously updated by our dedicated security researchers and threat intelligence experts, intel profiles contain detailed analysis of the biggest threats facing organizations, along with recommendations on how to protect against these threats and IOCs to hunt for these threats within your environment.

As the defender of four of the world’s largest public clouds, Microsoft has unique visibility into the global threat landscape, including the tools, techniques, and vulnerabilities that threat actors are actively using and exploiting to inflict harm. Our team of more than 10,000 dedicated security researchers and engineers is responsible for making sense of more than 65 trillion security signals per day to protect our customers. We then build our findings into highly digestible intel profiles, so high-quality threat intelligence is available where you need it, when you need it, and how you need it.

Just one year after launching intel profiles at Microsoft Secure last year, Microsoft’s repository of shareable threat intelligence knowledge has expanded to over 205 named threat actors, 70 tools, and 75 vulnerabilities, with more added every month.

Next steps

Learn more about what you can do with the standard edition of MDTI in Defender XDR.

We want to hear from you!

Learn more about what else is rolling out at Microsoft Secure 2024, and be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about MDTI and learn how to access the MDTI standard version at no cost.

New at Secure: Enhanced Vulnerability Profiles and CVE Search within MDTI

SpencerBerg — Wed, 13 Mar 2024 16:03:32 GMT

The Microsoft Defender Threat Intelligence (MDTI) team revamped vulnerability profiles to improve customers’ ability to access world-class intelligence on vulnerabilities and exposures within the Defender XDR portal.

These exciting updates include:

A new layout that mirrors the design of our Threat Actor and Tool intel profiles for a more consistent experience
Vulnerability profiles sorted by published date by default in list view to display a steady feed of new, high importance CVEs
The decoupling of Vulnerability Profiles from open-source Common Vulnerabilities and Exposures (CVEs) so customers can access all available information on vulnerabilities
An enhanced CVE search experience: searches will return all content related to a vulnerability instead of directing a user to a CVE information page.

These enhancements will provide a more intuitive experience for surfacing content related to CVEs, offering critical context on threats and information within alerts and incidents.

What are Vulnerability Profiles?

Vulnerability Profiles are MDTI’s newest intel profile type, launched at Microsoft Ignite in November. Building off our work to introduce intel profiles to MDTI, which has become the definitive source of Microsoft’s shareable knowledge on over 200 threat actors and 70 tools, MDTI now also contains over 75 extensive profiles of the CVEs deemed most critical and relevant by our dedicated security researchers.

Amid the many vulnerabilities teams must keep track of — old and new, with varying degrees of prominence and impact as threat actors adjust their techniques, tactics, and procedures (TTPs) — Vulnerability Profiles tilt the advantage back in favor of defenders by delivering focused, actionable insights and recommendations on how to protect against the most critical CVEs, based on information garnered from Microsoft’s 65 trillion threat signals per day.

By routinely visiting the “Vulnerabilities” tab on the Intel Profiles page in Defender XDR, customers will see a steady stream of new profiles, sorted by published date, indicating CVEs that are considered pressing by Microsoft’s security researchers. This enables CISOs, Vulnerability Managers, SOC Analysts and Cyber Threat Intelligence Analysts alike to remain informed on these CVEs to prioritize detections and implement patching on endpoints and other recommendations in their environment for the vulnerabilities which are most relevant to their organization.

Vulnerability Profiles are accessible from the “Intel profiles” page within the “Threat intelligence” blade in the left navigation. See these profiles by clicking on the “Vulnerabilities” tab:

On the Vulnerability Profiles list view, the “Profile” column displays the CVE number, title, and summary of the profile, whereas the right-most column displays the published date, indicating how recently Microsoft wrote about the vulnerability. Under the “Intelligence” column in the Vulnerability Profiles list view, customers will see priority and CVSS scores as well as indications of active exploitation (“Active exploitation observed”), dark web chatter (“Chatter Observed”), and available public proof of concept exploits (“POC Available”, "1 Published POC") for these vulnerabilities.

Vulnerability Profiles are decorated with proprietary information from Microsoft’s own research and telemetry that can only be found in our intel profiles. This includes original research such as observations of active exploitation in the wild; detailed analysis of the methods used to exploit these CVEs by malicious actors; detections and Advanced Hunting queries that will indicate or alert on related activity in an organization’s network; and recommendations to protect against the threat.

MDTI Premium customers can experience this feature today from the Intel Profiles page within Defender XDR. Unlicensed users can view free previews of all Vulnerability Profiles from the same page, as well as the full details for select profiles.

Improved Layout and Decoupling from Open-Source CVEs

Users familiar with our Vulnerability Profiles will notice a sleek new look which resembles our other intel profiles:

On the new Vulnerability Profile page, you will still see the same context about the CVE as before, including Priority and CVSS (Common Vulnerability Scoring System) scores, published POCs, related articles, indicators and more. Yet our Vulnerability Profiles now exist on a separate page from our open-source CVEs from the National Vulnerability Database (NVD), giving you multiple options to find high-quality information on these CVEs within MDTI.

To support this decoupling and alert you of additional information elsewhere in MDTI, you will now see a pop-up box informing you of a linked Vulnerability Profile when viewing the open-source information for the same CVE:

Enhanced CVE search

MDTI users have long enjoyed the ability to search for any CVE within MDTI to view details from NVD. Now, to accommodate the rapid expansion of content across the platform, CVE searches executed from both the Defender XDR global search and Intel Explorer search will also return results for matching Intel Profiles and Articles.

With this new approach, upon searching for an exact CVE-ID users will not be sent directly to the NVD information page for the CVE, but rather see a search results page containing this open-source CVE link and more:

As an example, a search for CVE-2023-47246 on the Intel Explorer page (as shown above) surfaces both a Vulnerability Profile and the open-source CVE containing information from NVD, which is the page users previously were sent directly to. Additionally, the search results show that this vulnerability is also referenced on the Lace Tempest intel profile and within an article pertaining to this threat actor’s exploitation of the vulnerability. This represents a more comprehensive approach to CVE searches, enabling you to easily discover and traverse through the breadth of content related to your CVEs of interest within MDTI.

We want to hear from you!

New at Secure: MDTI in Defender XDR Global Search

SpencerBerg — Wed, 13 Mar 2024 16:25:41 GMT

On the heels of introducing Microsoft Defender Threat Intelligence (MDTI) premium and standard editions into the Microsoft Defender XDR portal, we are thrilled to introduce an even greater integrated threat intelligence experience by making results for MDTI content available within Defender XDR’s global search bar.

Users will notice that they can now use the top-level Defender XDR search to discover results from MDTI on indicators of compromise (IOCs), common vulnerabilities and exposures (CVEs), articles, threat actors and more. From anywhere in the portal, customers now can readily find MDTI raw intelligence including IPs, domains, hashes, and URLs as well as finished intelligence in the form of articles, intel profiles, and CVEs alongside their other content from Defender XDR when conducting searches, helping to accelerate investigations with critical threat intelligence context.

Results from MDTI and Threat Analytics will appear within the “Intel Explorer” list in the results page:

Searching for indicators of compromise (IoCs)

Search for any IOC, including IP addresses, domains, URLs, and file hashes within the global search bar to see all associated information from MDTI. This includes the indicator's reputation score (under “Description”), last active date (under “Created/last seen time”), tags from Analyst Insights, related articles, and related intel profiles. Click into the indicator to visit the IoC’s page in the MDTI interface (under the Threat Intelligence tab) to discover more information and pivot to related artifacts.

Searching for files

Customers can search for file names or file hashes of interest from Defender incidents or elsewhere to discover whether they are mentioned in intel profiles or articles from MDTI. This information can quickly help SOC analysts determine the severity of an incident and provide critical context about their adversaries to determine the next steps to combat, protect against, and hunt for threat actor exposure and address adversarial persistence within their environment. Conversely, search for file names or file hashes of interest from MDTI to discover prevalence in your organization via the “Files” tab. You can also do this with more parameters via Advanced Hunting.

Searching for CVEs

Search directly for a CVE-ID to see all MDTI results which include the given vulnerability. This includes any Vulnerability Profiles pertaining to the CVE; our open-source information on the CVE; threat actor profiles for groups who are actively exploiting the CVE; and any other intel profiles or articles containing a mention of the vulnerability. Visit the “Vulnerabilities” tab to see results from Microsoft Defender Vulnerability Management (MDVM) and evaluate the impact of the CVE on your organization.

Learn more about our recent efforts to improve discovery of information on CVEs within MDTI.

Searching for detections from other Microsoft Defender products

Search for behavioral, threat, or other components from Microsoft Defender Antivirus such as “Backdoor:Win32/CobaltStrike”; malware families such as “WhisperGate”; or Microsoft Defender for Endpoint alerts such as “Suspicious WMI process creation” to find articles or intel profiles containing mention of the detections. This can help Threat Intelligence analysts perform threat actor attribution and identify appropriate next steps to stifle a threat, such as building detection or analytic rules to detect threat actor TTPs as well as proactively blocking that adversary’s infrastructure from their network.

Searching for articles, intel profiles, keywords, and more

Search for article titles; threat actor and tool names or aliases from other security providers; MITRE ATT&CK techniques; keywords such as “DLL sideloading”, “universities”, or “Iran”; command names and more via global search to discover the breadth of content available in MDTI on any topic of interest.

We want to hear from you!

What's New at Microsoft Secure 2024

Mike_Browning — Thu, 14 Nov 2024 20:43:03 GMT

At Microsoft Secure, we are excited to announce several new innovations from the Microsoft Defender Threat Intelligence (MDTI) team. These updates enable our customers to access valuable, high-fidelity threat intelligence where, when, and how they need it:

To optimize MDTI content for customers, we have enhanced the look and feel of vulnerability profiles and are releasing the full corpus of Microsoft’s intel profiles to the MDTI standard version.
We are keeping pace with Copilot for Security as it evolves, launching a new sidecar experience in the threat intelligence blade of Defender XDR. We have also introduced new MDTI skills and promptbooks for Copilot that deliver more of Microsoft's world-class threat intelligence to the SOC at machine speed.
Finally, as we continue to build a more comprehensive threat intelligence experience across Microsoft Defender XDR, we’re proud to announce that MDTI content is now available via the global search function.

Read more about what's rolling out at Microsoft Secure 2024 below:

New MDTI skills and workbooks for Copilot for Security

MDTI is making more threat intelligence available via new Copilot for Security skills and workbooks to help customers understand the full scope of attacks, anticipate the next steps of an ongoing campaign, and drive an optimal security plan for their organizations at machine speed and scale.

These include:

Correlate MDTI data with Defender XDR information: These out-of-the-box prompt books correlate MDTI data with other critical security information from Defender XDR such as incidents and hunting activities to help a user understand the broader scope of an attack.
Correlate MDTI Content with Threat Analytics (TA) content: When prompted, this skill reasons over threat intelligence content from MDTI and Threat Analytics, and provides a summary of the two, e.g., "Tell me everything Microsoft knows about [this threat actor]."
Obtain current reputation TI for file hashes, URLs, Domains, and IPs: This skill shows the full information for hashes and URLs, including MDTI and SONAR data.

Register for our Tech Community Webinar in April 11 to learn more about how MDTI enables Copilot to deliver threat intelligence at machine speed.

MDTI sidecar experience

A brand-new Copilot for Security sidecar experience in the threat intelligence blade of Microsoft Defender XDR enables users to quickly query and summarize the powerful threat intelligence, security data, and other content available within the Intel Profile, Intel Explorer, and Threat Analytics tabs to add crucial context to incidents and investigations.

The MDTI Copilot for Security sidecar in Defender XDR

Unified Threat Intelligence Experience via Global Search

Microsoft Defender Threat Intelligence (MDTI) is now integrated across Microsoft Defender XDR to provide a comprehensive threat intelligence experience. Customers can return in-context information related to incidents, assets, and threats with a single search. Searches will return all relevant information from Microsoft products relating to incidents, assets, threat intelligence in MDTI, and Threat Analytics (TA).

MDTI content alongside other results in Defender XDR

Learn more>

Enhanced Vulnerability Profiles:

The Microsoft Defender Threat Intelligence (MDTI) team launched new updates to our vulnerability profiles that help provide world-class intelligence on vulnerabilities and exposures within the Defender XDR portal. These exciting enhancements, which create a more intuitive experience for surfacing content around CVEs that offer critical context threats and information within alerts and incidents, include:

Enhanced layout and design to match threat actor and tooling intel profiles
Adjusted CVE search behavior that returns all content related to a vulnerability
Vulnerability profiles sorted by published date by default in list view, displaying a consistent feed of new, highly relevant CVEs

New-look vulnerability profiles have the same user experience as other Intel Profiles

Learn more>

Intel Profiles available in the MDTI standard (free) edition

In November 2023, the Microsoft Defender Threat Intelligence (MDTI) team launched a standard edition of MDTI, a free version of the product that became available to all Defender XDR customers at Microsoft Ignite. At Microsoft Secure, we’re releasing Microsoft’s full set of Intel Profiles into the standard edition, expanding its library from 17 to more than 340.

These newly added profiles will not have the same depth of information that licensed MDTI users have via the premium experience, namely all content outside of the Snapshot (summary) section. However, they will materially expand the breadth of threat intelligence available to free users and showcase the substantial and always-expanding scope of threat activity that Microsoft tracks.

MDTI standard users can now peruse the full corpus of MDTI Intel Profiles

Learn more>

We want to hear from you!

Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about MDTI and learn how to access the MDTI standard version at no cost.

MDTI Standalone Portal Retirement and Transition to Defender XDR

SpencerBerg — Wed, 20 Mar 2024 17:05:14 GMT

On June 30th, 2024, the Microsoft Defender Threat Intelligence (MDTI) standalone portal will reach end-of-life and the Microsoft Defender XDR portal will become MDTI’s exclusive home for both standard and premium users. In this blog, we’ll guide customers using the standalone portal that wish to continue using MDTI in Defender XDR through the simple migration process. We’ll also help customers, and their teams, prepare to take advantage of the benefits MDTI brings to Microsoft’s XDR, SIEM, and AI solutions.

What is happening to the MDTI standalone portal?

On June 30th, 2024, the MDTI standalone portal at ti.defender.microsoft.com will be decommissioned. However, all existing MDTI licenses will carry over to its permanent home in the Microsoft Defender XDR portal, where customers can seamlessly use the same features and content in in both premium and free capacities. Customers can also access MDTI content and data via natural language prompts by purchasing Copilot for Security.

How do I use MDTI within the Defender XDR portal?

Within Microsoft Defender XDR, users will see the familiar MDTI homepage under the “Threat Intelligence” blade in the left-hand navigation menu (pictured below).

On the “Intel explorer” tab within Defender XDR (pictured above), you will find the same features and content from the standalone portal home page. This includes threat intelligence search, featured articles, and recent threat article streams.
The content from the 'Profiles' page on the standalone portal is available on the “Intel Profiles” tab in Defender XDR.
Users can create or access their team and individual projects from the “Intel Projects” tab and continue working on the same projects they created in the standalone portal simply by logging into Defender XDR with the same account.

Customers with an MDTI license may begin using the premium experience within Defender XDR immediately. Those without a license can continue using the standard version at no cost or explore MDTI licensing options to receive unlimited access to Microsoft’s award-winning threat intelligence.

If you do not have Defender XDR but want to continue using MDTI, explore licensing options or set up a trial environment.

Note: Please contact your tenant administrator if you believe you should have access to Defender XDR within your organization, but do not. The Microsoft Entra roles which grant access to Defender XDR can be found here.

What else can I do with MDTI within Defender XDR?

Since launching MDTI into the XDR portal early last year and opening the standard version to all Defender XDR customers at Microsoft Ignite in November, thousands of MDTI and Defender XDR customers have experienced the benefits of aligning the high-fidelity threat intelligence in MDTI with their investigation and response tools under a single pane of glass. MDTI complements other products and features in Defender XDR in a number of ways:

Use Threat Analytics to prioritize threats and content related to ongoing campaigns and your organization’s top exposures.
Find MDTI results from anywhere in the Defender portal using Defender XDR global search functionality (search bar at the top of the page in Defender XDR). MDTI results will appear under the “Intel Explorer” tab, alongside results from Microsoft Defender for Endpoint, Office, Identity, Cloud Apps, Vulnerability Management, and more, on other tabs.
Enrich discovered artifacts (IP addresses, domains, hosts, URLs and more) from Microsoft Defender incidents and alerts with more information by searching in MDTI.
In Advanced Hunting, use IOCs sourced from MDTI to hunt across logs and events in your environment (see “Use Cases” section in this blog).

MDTI also enhances Microsoft Defender for Cloud and Microsoft Sentinel to help deliver a unified threat intelligence experience for customers:

In Microsoft Defender for Cloud, proactively discover vulnerable assets in Cloud Security Explorer using knowledge from MDTI content.
In Microsoft Sentinel, improve your mean time to detect (MTTD) by:
- Enabling the MDTI data connector to ingest, monitor, alert and hunt based on MDTI’s IOCs.
- Configuring MDTI analytics rules to create alerts and incidents when your logs match our domain, IP and URL indicators.
- And installing our pre-built Microsoft Sentinel Playbooks to enrich incidents with reputation scores and other data from MDTI (users with MDTI API license only).
Parlayed with Sentinel’s analytic or automation rules, incidents can be automatically enriched against these MDTI playbooks, which facilitate incident triage and provide context to those observed IP and host entities. This greatly improves your SOC’s mean time to respond (MTTR).

How do I use MDTI through Copilot for Security?

Microsoft Copilot for Security enables customers to access, operate on, and integrate Microsoft’s raw and finished threat intelligence via natural language. With Copilot for Security, users can leverage MDTI’s data sets and content anytime, anywhere within Defender XDR to provide additional context and aid in investigations:

MDTI powers Copilot for Security via a wide range of Threat Intelligence skills, enabling customers to quickly retrieve information on indicators including IP addresses and domains, and contextualize artifacts with content such as threat articles and intel profiles. Additionally, out-of-the-box promptbooks correlate MDTI content and data with other security information from Defender XDR, such as incidents and hunting activities, to help customers quickly understand the broader scope of an attack. These capabilities will be available within both the standalone and embedded Copilot for Security experiences.

Learn more about the MDTI skills available in Copilot here, and check back to this blog following Microsoft Secure next week to learn more about MDTI’s role in Copilot for Security.

New to MDTI? Here's where to start

If you are interested in learning more about MDTI and how it can help you unmask and neutralize modern adversaries and cyberthreats such as ransomware, and to explore the features and benefits of MDTI please visit the MDTI product web page. Also, be sure to contact our sales team to request a demo or a quote.

MDTI Earns Impactful Trio of ISO Certificates

Aashis_Luitel — Mon, 26 Feb 2024 17:48:18 GMT

We are excited to announce that Microsoft Defender Threat Intelligence (MDTI) has achieved ISO 27001, ISO 27017 and ISO 27018 certifications. The ISO, the International Organization for Standardization, develops market relevant international standards that support innovation and provide solutions to global challenges, including information security requirements around establishing, implementing, and improving an Information Security Management System (ISM).

These certificates emphasize the MDTI team’s continuous commitment to protecting customer information and following the strictest standards of security and privacy standards.

Certificate meaning and importance

ISO 27001: This certification demonstrates compliance of MDTI’s ISMS with best practices of industry, thereby providing a structured approach towards risk management pertaining to information security.

ISO 27017: This certificate is a worldwide standard that provides guidance on securing information in the cloud. It demonstrates that we have put in place strong controls and countermeasures to ensure our customers’ data is safe when stored in the cloud.

ISO 27018: This certificate sets out common objectives, controls and guidelines for protecting personally identifiable information (PII) processed in public clouds consistent with the privacy principles outlined in ISO 29100. This is confirmed by our ISO 27018 certification, which shows that we are committed to respecting our customers’ privacy rights and protecting their personal data through cloud computing.

What are the advantages of these certifications for our customers?

Enhanced Safety and Privacy Assurance: Our customers can be confident that the most sophisticated and exhaustive security and privacy standards offered in the market are in place to protect their data. We have ensured we exceed these certifications; therefore, their information is secure from emerging threats.
Reduced Risk and Liability Exposure: Through our certified ISMs and Privacy Information Management System (PIMS), consumers can significantly reduce liability for potential data breaches, legal actions, regulatory fines, or reputational risks. They use our efficient structures to boost resistance against cybercrime to reduce the risk of lawsuits.
Streamlined Compliance and Competitive Edge: The clients’ industry or market-specific rigorous regulatory and contractual requirements are usually facilitated by our certification programs. Global accreditation of international standards signifies that organizations are serious when it comes to data security. Their job reputation improves plus they get options for teaming up with other businesses that value safeguarding privacy.

What are the steps to begin with MDTI?

Also, be sure to contact our sales team to request a demo or a quote.

Managing MDTI Premium licenses in Microsoft Entra Admin Center

Alexandra_Roland — Wed, 14 Feb 2024 23:47:20 GMT

This blog details how to assign and manage Defender Threat Intelligence (MDTI) licenses and contains links to helpful content and resources. It is intended for customers who recently purchased the MDTI Premium SKU or a SKU that enables MDTI Premium access for its user base, such as Copilot for Security. Global administrators or identity governance administrators responsible for assigning MDTI user seat assignments will find it particularly useful.

Prerequisites to assigning MDTI premium licenses

Your Microsoft account team should have notified you that your MDTI procurement processing has been complete and requested that you view the available licenses within your respective tenant. If your agreement has not been fully processed, you will not be able to view the “Defender Threat Intelligence” licenses.

Instructions to assign MDTI Premium Licenses

As mentioned above, global administrators or identity governance administrators are responsible for assigning MDTI premium licenses to users, and should review the following Microsoft Learn resources for best practices for assigning licenses to users within Microsoft Entra Admin Center:

Figure 1 – This is how your “Defender Threat Intelligence” MDTI Premium SKU licenses appear in Microsoft Entra Admin Center.

Troubleshooting MDTI Premium Seat Assignments

Ensure that you have the permissions to assign “Defender Threat Intelligence” licenses. Only global administrators or identity governance administrators have the appropriate permissions to assign user licenses.
Check with your Microsoft Account team that your MDTI Premium SKU agreement has been processed.

If you have completed the troubleshooting steps above and still cannot locate your “Defender Threat Intelligence” licenses in Microsoft Entra Admin Center, please work with your Microsoft account team to engage a CSA or another technical resource for further support.

We Want to Hear from You!

Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions. Let us know how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Also, learn more about how to use MDTI to unmask adversaries and address threats here.

Microsoft Defender Threat Intelligence Blog articles

What’s New at Ignite: Powerful Enhancements in Unified Threat Intelligence

Threat Intelligence Briefing Agent in Defender

MDTI Convergence into the Defender Portal

Threat Intelligence Library in the Defender Portal

Threat Analytics library now also available to Sentinel-only customers

What’s new in Threat Analytics

Access to Indicators of Compromise

Link Cases to IOCs for Complete Threat Context

Conclusion

MDTI is Converging into Microsoft Sentinel and Defender XDR

Key Features Arriving Soon

What to Expect from the Fully Unified Threat Intelligence Experience

Actions for Existing MDTI Customers

Additional Information

Introducing the Threat Intelligence Briefing Agent

Analysis at Machine Speed

How the Agent Works

Agent in Action

What’s Next

Learn More

New at Ignite: TI Guided Experience in Security Copilot

Threat 'Intelligence 360' report on MDTI article

Impact of external article

Conclusion

New at Ignite: Unified Threat Intelligence Experience in Security Copilot

Now Public Preview: MDTI Indicator Data

Now GA: Expanded Unified Vulnerability Intelligence

Conclusion

New Security Copilot Plugin Name Reflects Broader Capabilities

Conclusion

MDTI for Government Now Available

Conclusion

Introducing the MDTI Home Page Widget and Article Digest

Conclusion

Introducing the MDTI Premium Data Connector for Sentinel

Getting started

Use Cases

Conclusion

More Threat Intelligence Content In MDTI, TA Enables Better Security Outcomes

Increased Intel Profiles

Enhanced OSINT

Microsoft Defender XDR Threat Analytics

New to MDTI? Here’s where to start

Copilot for Security TI Embedded Experience in Defender XDR is now GA

How Copilot Enhances Microsoft Threat Intelligence

Key Capabilities of the Threat Intelligence Embedded Experience

New to MDTI? Here's where to start

MDTI Achieves PCI DSS Certification: Elevating Security Standards

Why the PCI DSS certification matters

Advantages for our customers

Our commitment to continuous improvement

Join us on this journey

A Security Copilot Customer’s Guide to MDTI

What is MDTI?

MDTI In Security Copilot

MDTI In Defender XDR

The MDTI API is not included with Security Copilot

New to MDTI? Here's where to start

New at Secure: Corpus of Intel Profiles Available in Defender XDR

Intel Profiles standard edition experience

Discovering relevant profiles

About intel profiles

Next steps

We want to hear from you!

New at Secure: Enhanced Vulnerability Profiles and CVE Search within MDTI

What are Vulnerability Profiles?

Improved Layout and Decoupling from Open-Source CVEs

Enhanced CVE search

We want to hear from you!

New at Secure: MDTI in Defender XDR Global Search

Searching for indicators of compromise (IoCs)

Searching for files

Searching for CVEs

Searching for detections from other Microsoft Defender products

Searching for articles, intel profiles, keywords, and more

We want to hear from you!

What's New at Microsoft Secure 2024

Unified Threat Intelligence Experience via Global Search

Enhanced Vulnerability Profiles: