Better Together
MDTI is Converging into Microsoft Sentinel and Defender XDR

In today’s rapidly evolving threat landscape, organizations need threat intelligence (TI) that is woven into every step of their security operations and delivered exactly when and where it matters most. That is why Microsoft is converging Microsoft Defender Threat Intelligence (MDTI) directly into Defender XDR and Microsoft Sentinel, providing real-time TI within a unified SecOps experience at no additional cost. This convergence gives customers access to Microsoft’s repository of both raw and finished threat intelligence, developed from 84 trillion daily signals and backed by over 10,000 security professionals, without the need for additional licensing or costly third-party solutions. With threat actor-focused TI at every layer of the SecOps workflow, teams gain better visibility, faster detection, and accelerated incident response.

Key Features Arriving Soon

The convergence of MDTI value into Microsoft Sentinel and Defender XDR will take place over the course of several months and be completed by the first half of next year. Features in the first phase of this convergence, which will be available by October 2025, include:

Finished Threat Intelligence: Defender XDR customers will have access to Microsoft’s threat intelligence library via threat reports within threat analytics (TA). This includes exclusive analyses of threat activity and the detailed content on threat actors, threat tooling, and vulnerabilities found in intel profiles. Customers can connect this intelligence to related incidents and affected assets, revealing endpoint vulnerabilities and recommended actions. The convergence of MDTI’s finished intelligence into threat analytics also introduces threat actor-linked indicators of compromise (IoCs). Security operations and threat intelligence teams can use these IoCs, which are updated in real time as new evidence emerges from Microsoft researchers, to investigate specific attacker infrastructure and behavior, supporting more effective threat hunting and remediation. Even after their expiration, these IoCs remain available for historical investigations, enabling analysis of past threats and their organizational impact. This helps security teams uncover new, previously unseen attacker infrastructure beyond the known environment. Additionally, the convergence brings MITRE ATT&CK tactics, techniques, and procedures (TTPs) into threat analytics. Understanding TTPs equips organizations to design detections that target the more persistent methods attackers use. By focusing on TTPs, organizations move beyond simply blocking or alerting on IoCs, which yields stronger, more resilient defenses and a more proactive security posture. Sentinel customers will also get access to threat analytics in the Defender portal, with the same finished TI and many of the same capabilities; this experience will be available for Sentinel customers soon after Defender XDR customers. Stay tuned to the MDTI Tech Community blog for updates on availability.

IoCs in Case Management: Sentinel customers will be able to share threat actor IoCs via Sentinel case management to collaborate on threat research across teams within their organization. This sharing improves cross-team collaboration and accelerates the identification and containment of threats as new intelligence is discovered. By using this workflow within Sentinel, security teams can ensure that actionable threat indicators are promptly distributed and integrated into ongoing investigations, driving smarter and faster responses across the enterprise.
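The threat actor-linked IoCs described above are meant to drive alerts while they are active and to remain usable for historical investigation after they expire. The following KQL query is an added example, not code from the blog post or from Microsoft's built-in analytics rule templates, showing both uses against DNS telemetry in Microsoft Sentinel. It assumes the indicators land in the classic ThreatIntelligenceIndicator table (columns IndicatorId, DomainName, Active, ExpirationDateTime, ThreatType, ConfidenceScore, Description) and that DNS logs are in DnsEvents (Name, ClientIP, Computer); those table and column names and the alertMode switch are assumptions and may differ in your workspace.

```kql
// Added example (not from the blog post): match threat-intelligence indicators
// against DNS logs in Microsoft Sentinel.
// Assumed tables/columns: ThreatIntelligenceIndicator (classic schema: IndicatorId,
// DomainName, Active, ExpirationDateTime, ThreatType, ConfidenceScore, Description)
// and DnsEvents (Name, ClientIP, Computer). Adjust to your workspace.
let alertMode = true;     // true: analytics rule, only active and unexpired IoCs
                          // false: historical hunt, expired IoCs match as well
let dt_lookBack = 1h;     // window of log data to scan per run (widen for hunting)
let ioc_lookBack = 14d;   // how far back to load indicator records
let indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    // Indicators are re-emitted when updated; keep the latest record per IndicatorId
    // so that a later deactivation or expiry change overrides older copies.
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where isnotempty(DomainName)
    // In alert mode, drop anything deactivated or past its expiry to avoid stale,
    // noisy detections; in hunt mode keep everything for historical context.
    | where not(alertMode) or (Active == true and ExpirationDateTime > now())
    | extend DomainName = tolower(DomainName);
DnsEvents
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(Name)
| extend Name = tolower(Name)
| join kind=inner (indicators) on $left.Name == $right.DomainName
| project TimeGenerated, Computer, ClientIP, QueriedDomain = Name,
          IndicatorId, ThreatType, ConfidenceScore, Description,
          Active, ExpirationDateTime,
          // Flag hits on expired indicators (only possible when alertMode is false)
          IndicatorExpired = ExpirationDateTime <= now()
| order by TimeGenerated desc
```

Run it with alertMode set to true as a scheduled analytics rule, which is the kind of IoC alerting against log data that the post says carries a small TI ingestion cost for Sentinel customers. Flip alertMode to false and widen dt_lookBack for a historical hunt: a hit on an expired indicator no longer justifies an alert, but it still tells you that a host resolved retired attacker infrastructure at that time, which is exactly the post-expiry use the post describes.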
What to Expect from the Fully Unified Threat Intelligence Experience

Once MDTI is fully converged into Defender XDR and Sentinel, customers' alerts, incidents, and investigations will be automatically enriched with relevant threat context, enabling faster, more precise detection and response to emerging threats. Customers will benefit from the entirety of MDTI’s finished and raw intelligence through the threat analytics blade in the Defender portal, including open-source intelligence (OSINT), in-depth threat articles, and advanced internet data sets. Defender XDR customers will be able to link this intelligence directly to Defender alerts, endpoints, and vulnerabilities. Sentinel customers will gain enhancements of their own, such as automated detection triggers based on the latest IoCs, real-time incident enrichment with current threat actor TTPs, advanced automation features like incident triage, and the ability to enrich third-party intelligence through the Sentinel Threat Intelligence Platform (TIP). For some capabilities, such as alerting on IoCs against log data, Sentinel customers will pay a small cost for ingestion of TI (there is no minimum ingestion cost). The first phase of the convergence will be complete by October 2025, with the remaining features rolling out over time. Reference the table below to see the features and capabilities that will be available after MDTI is fully converged with Defender XDR and Sentinel. For ongoing updates about new MDTI features coming online in Sentinel and Defender XDR, check back on the MDTI Tech Community blog.

Actions for Existing MDTI Customers

Existing MDTI customers will continue to have full access to their current MDTI experience until the product is retired on August 1, 2026. They will be contacted by their account team or partner with guidance on next steps, including how to reduce their current license and transition to the new unified threat intelligence experience in Defender XDR or Sentinel at no additional cost. Please reach out to your account team with any questions.

Additional Information

Discover how this unified experience simplifies operations, eliminates silos, and helps you see and stop threats faster. Explore the following resources:
- Read our blog announcing the expanded Sentinel data lake offering
- Register to join us in September for our next wave of innovation around threat intelligence and Microsoft Sentinel

Become a Microsoft Defender External Attack Surface Management Ninja: Level 400 training
Learn to become a Microsoft Defender External Attack Surface Management (Defender EASM) Ninja! This blog walks you through the resources you need to master and derive maximum value from Microsoft's Defender EASM product.

A Security Copilot Customer’s Guide to MDTI
With just one Security Compute Unit (SCU), Copilot for Security customers have unlimited access to the operational, tactical, and strategic threat intelligence in Microsoft Defender Threat Intelligence (MDTI), a $50k per seat value, at no extra cost. Here's what you need to know.

New Security Copilot Plugin Name Reflects Broader Capabilities
The Copilot for Security team is continuously enhancing the threat intelligence (TI) capabilities in Copilot for Security to provide a more comprehensive and integrated TI experience for customers. We're excited to share that the Copilot for Security Threat Intelligence plugin has broadened beyond MDTI to include data from other TI sources, including Microsoft Threat Analytics (TA) and Microsoft file and URL intelligence, with more sources becoming available soon.

How MDTI Helps Power Copilot for Security
This blog post delves into Copilot for Security, focusing on the strategic use of Microsoft Defender Threat Intelligence (MDTI), a threat intelligence product designed to enhance triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows. It explores how this integral part of Copilot can be harnessed to understand, investigate, and navigate threat intelligence.

Introducing the MDTI Premium Data Connector for Sentinel
The MDTI and Unified Security Operations Platform teams are excited to introduce an MDTI Premium data connector available in the Unified Security Operations Platform and standalone Sentinel experiences. This connector enables customers to apply the raw and finished threat intelligence in MDTI, including high-fidelity indicators of compromise (IoCs), across their security operations to detect and respond to the latest threats.

MDTI Standalone Portal Retirement and Transition to Defender XDR
On June 30, 2024, the Microsoft Defender Threat Intelligence (MDTI) standalone portal will reach end-of-life, and the Microsoft Defender XDR portal will become MDTI’s exclusive home for both standard and premium users. In this blog, we guide customers using the standalone portal who wish to continue using MDTI in Defender XDR through the simple migration process. We also help customers and their teams prepare to take advantage of the benefits MDTI brings to Microsoft’s XDR, SIEM, and AI solutions.