DTI Data
22 Topics

New Security Copilot Plugin Name Reflects Broader Capabilities
The Copilot for Security team is continuously enhancing threat intelligence (TI) capabilities in Copilot for Security to provide a more comprehensive and integrated TI experience for customers. We're excited to share that the Copilot for Security Threat Intelligence plugin has broadened beyond just MDTI to now encapsulate data from other TI sources, including Microsoft Threat Analytics (TA) and Microsoft file and URL intelligence, with even more sources becoming available soon.

Introducing the Threat Intelligence Briefing Agent
As cyber threats evolve, security teams face the challenge of sifting through vast amounts of security data and threat intelligence to develop briefings that are relevant to their organization. This is a lengthy, resource-intensive process that takes analysts away from important work that keeps the organization safe. To help security teams focus on business-critical work while keeping pace with threat actors, we’re excited to introduce the Security Copilot Threat Intelligence Briefing Agent—a force-multiplying innovation that reduces the time for CTI analysts to produce timely, hyper-relevant threat intelligence reports from hours or days to just minutes.

Analysis at Machine Speed

This next evolution in Security Copilot threat intelligence capabilities builds on its powerful ability to correlate Microsoft threat data, real-time signals, and customer telemetry to add critical context to threats. In real time, the agent dynamically builds briefings based on the latest threat actor activity and both internal and external vulnerability data sourced from Microsoft security research. It automates the collection, analysis, and summarization of this powerful threat information, delivering continuous, tailored briefings based on factors such as industry, geographic location, and your organization’s evolving attack surface.

These scheduled briefings offer executive daily summaries and detailed technical analysis accessible via the Security Copilot UI or directly to a CISO's inbox. They determine in real time whether a vulnerability is being actively exploited and its potential organizational impact. Instead of sifting through threat feeds and vulnerability reports, security teams receive clear insights aligned with the organization's needs, allowing for effective resource allocation. As a result, CTI analysts gain important data for further research, while CISOs and security leaders get the situational awareness needed to fine-tune their defense strategies.

How the Agent Works

Setting up the Agent

The Threat Intelligence Briefing agent is in the Security Copilot standalone experience. A new area of the product is devoted to agents, where both Microsoft and partners offer a variety of agents that perform critical tasks to make cybersecurity teams more effective and efficient. CTI analysts can quickly set up the Threat Intelligence Briefing agent to run once for a one-time report or set it to run automatically every 24 hours.

Setting up the agent is simple. Customers can choose an identity for the agent using Microsoft’s robust role-based access controls. They can then ensure the required plugins are enabled for the agent to run.

At the core of this agent is its integration with Microsoft’s extensive threat intelligence ecosystem. It leverages Microsoft Defender Threat Intelligence (MDTI) profiles, articles, and intelligence on threat actors, tools, and techniques, automatically prioritizing content based on the organization's unique profile. For organizations with E5 licenses, the agent can also incorporate insights from Microsoft Defender Vulnerability Management (MDVM) to highlight potential weaknesses in your internal IT infrastructure. If the organization utilizes Microsoft Defender External Attack Surface Management (MDEASM), the agent further tailors its briefings using external data such as vulnerabilities associated with unmanaged assets (e.g., CVE information).

Once set up, the agent is ready to run in the background to generate the briefing.

Agent in Action

A key benefit of the agent for CISOs and security managers is simplification. The agent runs at regularly scheduled intervals or on-demand.

Here, we can see the briefing for this organization highlighted potentially significant threats facing the organization, focusing on recent campaigns by the riskiest threat actors. These campaigns involve tactics such as exploiting vulnerabilities in network devices, phishing, and ransomware attacks.

The briefings also include the most critical CVEs contextualized with threat intelligence. It also includes links to vulnerable assets for further action. The briefing provides concrete recommendations to enhance defenses, including patching vulnerabilities, strengthening endpoint protection, and implementing attack surface reduction rules.

Customers can then review the path the agent took to see how it gathered this real-time intelligence. Here, we can see the path the agent has taken to generate the briefing. At each step of the way, it is making dynamic decisions about the best threat intelligence to include based on its inherent threat intelligence expertise. This path can change each day based on changes in the threat landscape and on the organization’s attack surface. For example, if a CVE gets remediated, threat intelligence associated with that vulnerability will become less of a priority.

What’s Next

Threat Intelligence Briefing Agent offers a strategic way to reduce complexity, optimize security decision-making, and expedite the identification of the most relevant vulnerabilities and threats impacting your organization. By automating and prioritizing threat intelligence—the same intelligence that previously took hours or days to assemble—this agent provides clear, actionable insights that enhance overall security readiness.

The Threat Intelligence Briefing Agent marks a major step toward AI-driven automation for improving security outcomes, but this is just the beginning. To learn more about this agent, join us at the Microsoft Secure digital event on April 9, 2025 and read our latest blog.

MDTI for Government Now Available
We are thrilled to announce that Microsoft Defender Threat Intelligence (MDTI) with FedRAMP High (DOD IL2) attestation is now available for government sectors. Customers across U.S. state, local, and tribal governments utilizing GCC services can now purchase MDTI and the MDTI API SKUs to unmask adversaries and understand their organization’s security posture against threats.

Introducing the MDTI Premium Data Connector for Sentinel
The MDTI and Unified Security Operations Platform teams are excited to introduce an MDTI Premium data connector available in the Unified Security Operations Platform and standalone Sentinel experiences. This connector enables customers to apply the powerful raw and finished threat intelligence in MDTI, including high-fidelity indicators of compromise (IoCs), across their security operations to detect and respond to the latest threats.

More Threat Intelligence Content In MDTI, TA Enables Better Security Outcomes
Microsoft threat intelligence empowers our customers to keep up with the global threat landscape and understand the threats and vulnerabilities most relevant to their organization. We are excited to announce that we have recently accelerated the speed and scale at which we publish threat intelligence, giving our customers more critical security insights, data, and guidance than ever before.

Defender TI Detections in Microsoft Sentinel
Did you know that you can benefit from Microsoft Defender Threat Intelligence if you're a Microsoft Sentinel customer? Come and learn how Microsoft Defender Threat Intelligence can help you generate more high-confidence detections by taking advantage of its free threat intelligence article indicators as well as indicators from its malware and phishing feeds.

What's in an MDTI Web Crawl?
Want to learn how data found from the DOM of web pages is so powerful when it comes to investigating threats? Check out this blog to learn more about Microsoft Defender Threat Intelligence's web crawling process and how its internet-derived datasets can bolster your cyber threat investigations.

What’s New: MDTI Interoperability with Microsoft 365 Defender
Microsoft Defender Threat Intelligence (MDTI) helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows, aggregating and enriching critical threat information in an easy-to-use interface. At Microsoft Secure, we announced new features, including that MDTI is now available to licensed customers within the Microsoft 365 Defender (M365 Defender) portal, placing its powerful threat intelligence side-by-side with the advanced XDR functionality of M365 Defender.

New at Secure: Corpus of Intel Profiles Available in Defender XDR
The Microsoft Defender Threat Intelligence (MDTI) team is excited to announce that we are revealing previews for each of our 350+ intel profiles to all Defender XDR customers for the first time. This represents Microsoft’s broadest expansion of threat intelligence content to non-MDTI customers yet, adding nearly 340 intel profiles to Defender XDR customers' view, including over 200 tracked threat actors, tools, and vulnerabilities that Microsoft has not named anywhere else.