Better Together
21 Topics

Become a Microsoft Defender External Attack Surface Management Ninja: Level 400 training
Learn to become a Microsoft Defender External Attack Surface (Defender EASM) Ninja! This blog will walk you through the resources you'll need to master and derive maximum value from Microsoft's Defender EASM product.

MDTI Standalone Portal Retirement and Transition to Defender XDR
On June 30th, 2024, the Microsoft Defender Threat Intelligence (MDTI) standalone portal will reach end-of-life and the Microsoft Defender XDR portal will become MDTI’s exclusive home for both standard and premium users. In this blog, we’ll guide customers using the standalone portal that wish to continue using MDTI in Defender XDR through the simple migration process. We’ll also help customers, and their teams, prepare to take advantage of the benefits MDTI brings to Microsoft’s XDR, SIEM, and AI solutions.

MDTI is Converging into Microsoft Sentinel and Defender XDR
In today’s rapidly evolving threat landscape, organizations need threat intelligence (TI) that is woven seamlessly into every step of their security operations, delivered exactly when and where it matters most. That’s why Microsoft is converging Microsoft Defender Threat Intelligence (MDTI) directly into Defender XDR and Microsoft Sentinel, which will provide world-class, real-time TI within a unified SecOps experience at no additional cost. This convergence will grant customers access to Microsoft’s extensive repository of both raw and finished threat intelligence, developed from 84 trillion daily signals and backed by over 10,000 security professionals, eliminating the need for additional licensing and costly third-party solutions. With comprehensive threat actor-focused TI at every layer of the SecOps workflow, teams gain enhanced visibility, faster detection, and accelerated incident response to outpace threats.

Key Features Arriving Soon
The convergence of MDTI value into Microsoft Sentinel and Defender XDR will take place over the course of several months and be completed by the first half of next year. Features in the first phase of this convergence, which will be available by October, include:

Finished Threat Intelligence: Defender XDR customers will have access to Microsoft’s comprehensive threat intelligence library via threat reports within threat analytics (TA). This includes exclusive analyses of threat activity and the detailed content focused on threat actors, threat tooling, and vulnerabilities found in intel profiles. Customers can connect this intelligence to related incidents and affected assets, revealing endpoint vulnerabilities and recommended actions. The convergence of MDTI’s finished intelligence into threat analytics also introduces threat actor-linked indicators of compromise (IOCs). Security operations and threat intelligence teams can use these IOCs, updated in real time as new evidence emerges from Microsoft researchers, to investigate specific attacker infrastructure and behavior, which supports more effective threat hunting and remediation. Even after their expiration, these IOCs will remain available for historical investigations, enabling analysis of past threats and their organizational impact. This helps security teams proactively uncover new, previously unseen attacker infrastructure beyond the known environment. Additionally, the convergence brings MITRE TTPs (tactics, techniques, and procedures) into threat analytics. Understanding TTPs equips organizations to design detections that specifically target the more persistent methods attackers use. By proactively focusing on TTPs, organizations move beyond simply blocking or alerting on IOCs, which helps achieve stronger, more resilient defenses and a proactive security posture. Sentinel customers will also get access to threat analytics in the Defender portal, granting them the same finished TI with many of the same capabilities. This experience will be available for Sentinel customers soon after Defender XDR customers. Stay tuned to the MDTI Tech Community blog for updates on availability.

IoCs in Case Management: Sentinel customers will be able to share threat actor IoCs via Sentinel case management to collaborate and share threat research across teams within their organization. This streamlined sharing not only enhances cross-team collaboration but also accelerates the identification and containment of threats as new intelligence is discovered. By leveraging this workflow within Sentinel, security teams can ensure that actionable threat indicators are promptly distributed and integrated into ongoing investigations, driving smarter and faster responses across the enterprise.

What to Expect from the Fully Unified Threat Intelligence Experience
Once MDTI is fully converged into Defender XDR and Sentinel, customers' alerts, incidents, and investigations will be automatically enriched with relevant threat context, enabling faster, more precise detection and response to emerging threats. Customers will benefit from the entirety of MDTI’s finished and raw intelligence through the threat analytics blade in the Defender portal, including open-source intelligence (OSINT), in-depth threat articles, and advanced internet data sets. Defender XDR customers will be able to directly link this compendium of intelligence to Defender alerts, endpoints, and vulnerabilities. Sentinel customers will gain unique enhancements of their own, such as automated detection triggers based on the latest IoCs, real-time incident enrichment with current threat actor TTPs, advanced automation features like incident triage, and the ability to enhance third-party intelligence through the Sentinel Threat Intelligence Platform (TIP). For some capabilities, such as alerting on IoCs against log data, Sentinel customers will have to pay a small cost for ingestion of TI (there is no minimum ingestion cost). The first phase of the convergence will be complete by October 2025, with the rest of the features rolling out over time. Reference the table below to see the features and capabilities that will be available after MDTI is fully converged with Defender XDR and Sentinel. For ongoing updates about new MDTI features coming online in Sentinel and Defender XDR, customers should check back in on the MDTI Tech Community blog.

Actions for Existing MDTI Customers
Existing MDTI customers will continue to have full access to their current MDTI experience until the product is retired on August 1, 2026. They will be contacted by their account team or partner with guidance on next steps and how to reduce their current license and transition to this new unified threat intelligence experience in Defender XDR or Sentinel at no additional cost. Please do not hesitate to reach out to your account team with any questions.

Additional Information
Discover how this unified experience simplifies operations, eliminates silos, and helps you see and stop threats faster. Explore the following resources:
Read our blog announcing the expanded Sentinel data lake offering
Register to join us in September for our next wave of innovation around threat intelligence and Microsoft Sentinel

Performing a Successful Proof of Concept (PoC)
To effectively determine the benefits of adopting Defender Threat Intelligence, you should perform a Proof of Concept (PoC). Before enabling Defender Threat Intelligence, you and your team should go through a planning process to determine a series of tasks that must be accomplished in this PoC.

What’s New: MDTI Interoperability with Microsoft 365 Defender
Microsoft Defender Threat Intelligence (MDTI) helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows, aggregating and enriching critical threat information in an easy-to-use interface. At Microsoft Secure, we announced new features, including that MDTI is now available to licensed customers within the Microsoft 365 Defender (M365 Defender) portal, placing its powerful threat intelligence side-by-side with the advanced XDR functionality of M365 Defender.

What's New: MDTI Intel Reporting Dashboard and Workbook
We are excited to announce the launch of a new dashboard that we have created to enhance our threat intelligence reporting capabilities. This dashboard provides a user-friendly interface that enables organizations to easily access and analyze threat intelligence data.

A Security Copilot Customer’s Guide to MDTI
With just one Security Compute Unit (SCU), Copilot for Security customers have unlimited access to the powerful operational, tactical, and strategic threat intelligence in Microsoft Defender Threat Intelligence (MDTI), a $50k per seat value, at no extra cost. Here's what you need to know.

Unleash the Power of Threat Intel: Introducing the MDTI GitHub
Are you looking to enhance your organization's security processes? The Microsoft Defender Threat Intelligence (MDTI) GitHub offers technical solutions for common scenarios, including advanced hunting queries, brand intelligence, and the latest threat trends. Learn how to access the repository and run custom scenarios to unleash the power of threat intelligence. Take advantage of this opportunity to strengthen your security posture and protect against potential threats.