Massive reduction in Threat Intelligence IP data since Monday 10th June
Hi, Anyone else see a massive reduction in Threat Intelligence IP data since Monday 10th June into Sentinel platforms? I operate two Sentinel environments and they both seen the same change. The screenshot below is the past 30 days. The past 48 hours still reports some IP information being sent but at a very reduced rate. What's changed with the feed?
Need information on generating sample events for Threat Intelligence
Hi community, I am working on exploring MS Threat Intelligence and its features. But I am not able to generate sample data for this product, nor able to view the Threat Intelligence logs using Microsoft Management API following the schema - https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype I tried sending some mails from external email account to my organisation's test user containing EICAR files, and also tried with some safe but malicious test URLs. But still unable to get data inside Threat Intelligence. Can someone please help me here for generating events and viewing the content using Management APIs?
Need information on generating sample events for Threat Intelligence
Hi community, I am working on exploring MS Threat Intelligence and its features. But I am not able to generate sample data for this product, nor able to view the Threat Intelligence logs using Microsoft Management API following the schema - https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype I tried sending some mails from external email account to my organisation's test user containing EICAR files, and also tried with some safe but malicious test URLs. But still unable to get data inside Threat Intelligence. Can someone please help me here for generating events and viewing the content using Management APIs?
Python Update Recommendation Not Desapearing from Microsoft Vulnerability Management list
Hello, Microsoft Defender Vulnerability Management is recommending to update Python in my Azure VM Machines since version 3.9 has some critical vulnerabilities. We did the update to version 3.12 but only the Windows 2019 Datacenter machine is not appearing as Exposed Device anymore. The procedure to update Python in all machines was the same but the Windows 2016 Datacenter VM´s remains in the Exposed Device list. Because Python relies on Anaconda, it is not possible to remove the older version completely. The strange thing is why the same proceduro to update the software is seen as diferent by Microsoft Defender Vulnerability Management apparently. Any advice is highly appreciated. Thanks in advance Mirella
Can the Microsoft Defender portal show the server details as per security group?
I'm using Microsoft Defender to monitor the servers. I have multiple groups of people working from various other vendors. I would like create multiple security groups and add people based on their company and configure the defender such a manner that only people from Company "A" can see their own servers and people working from Campany "B" can see their respective servers. Also, I as admin can see both "A's" and "B's" servers. Can this be achieved using Microsoft Defender? If yes, how to achieve this? Any step-by-step approach would help. Or if there are any other ways, please suggest. Thanks
New Blog | New Copilot for Security Plugin Name Reflects Broader Capabilities
By Michael Browning The Copilot for Security team is continuously enhancing threat intelligence (TI) capabilities in Copilot for Security to provide a more comprehensive and integrated TI experience for customers. We're excited to share that the Copilot for Security threat Intelligence plugin has broadened beyond just MDTI to now encapsulate data from other TI sources, including Microsoft Threat Analytics (TA) and SONAR, with even more sources becoming available soon. To reflect this evolution of the plugin, customers may notice a change in its name from "Microsoft Defender Threat Intelligence (MDTI) to "Microsoft Threat Intelligence," reflecting its broader scope and enhanced capabilities. Since launch in April, Copilot for Security customers have been able to access, operate on, and integrate the raw and finished threat intelligence from MDTI developed from trillions of daily security signals and the expertise of over 10 thousand multidisciplinary analysts through simple natural language prompts. Now, with the ability for Copilot for Security's powerful generative AI to reason over more threat intelligence, customers have a more holistic, contextualized view of the threat landscape and its impact on their organization. Read the full post here: New Copilot for Security Plugin Name Reflects Broader CapabilitiesNew Blog | Introducing the MDTI Premium Data Connector for Sentinel
By Michael Browning The MDTI and Unified Security Operations Platform teams are excited to introduce an MDTI data connector available in the Unified Security Operations Platform and standalone Sentinel experiences. The connector enables customers to apply the powerful raw and finished threat intelligence in MDTI, including high-fidelity indicators of compromise (IoCs), across their security operations to detect and respond to the latest threats. Microsoft researchers, with the backing of interdisciplinary teams of thousands of experts spread across 77 countries, continually add new analysis of threat activity observed across more than 78 trillion threat signals to MDTI, including powerful indicators drawn directly from threat infrastructure. In Sentinel, this intelligence enables enhanced threat detection, enrichment of incidents for rapid triage, and the ability to launch investigations that proactively surface external threat infrastructure before it can be used in campaigns. This blog will highlight the exciting use cases for the MDTI premium data connector, including enhanced enrichment, threat detection, and hunting to ensure customer organizations are protected against the most critical threats. It will also cover how you can easily get started with this out-of-the-box connector. Read the full post here: Introducing the MDTI Premium Data Connector for SentinelNew Blog | More Threat Intelligence Content in MDTI, TA Enables Better Security Outcomes
By Michael Browning Microsoft threat intelligence empowers our customers to keep up with the global threat landscape and understand the threats and vulnerabilities most relevant to their organization. We are excited to announce that we have recently accelerated the speed and scale at which we publish threat intelligence, giving our customers more critical security insights, data, and guidance than ever before. This blog will show how our 10,000 interdisciplinary experts and applied scientists reason over more than 78 trillion daily threat signals to continuously add to our understanding of threat actors and activity. It will also show how this increased publishing cadence in Microsoft Defender Threat Intelligence (MDTI), Threat Analytics, and Copilot for Security helps enrich and contextualize hundreds of thousands of security alerts while enhancing customers' overall cybersecurity programs. Increased Intel Profiles Microsoft has published 270 new Intel profiles over the past year to help customers maintain situational awareness around the threat activity, techniques, vulnerabilities, and the more than 300 named actors Microsoft tracks. These digital compendiums of intelligence help organizations stay informed about potential threats, including Indicators of Compromise (IOCs), historical data, mitigation strategies, and advanced hunting queries. Intel profiles are continuously maintained and updated by Microsoft's threat intelligence team, which added 24 new Intel profiles in May alone, including 10 Activity Profiles, 4 Actor Profiles, 5 Technique Profiles, and 5 Vulnerability Profiles. Intel profiles are published to both MDTI and Threat Analytics, which can be found under the "Threat Intelligence" blade in the left-hand navigation menu in the Defender XDR Portal. In Threat Analytics, customers can understand how the content in Intel profiles relates to devices and vulnerabilities in their environment. In MDTI, Intel Profiles enhance security analyst triage, incident response, threat hunting, and vulnerability management workflows. In Copilot for Security, customers can quickly retrieve information from intel profiles to contextualize artifacts and correlate MDTI and Threat Analytics content and data with other security information from Defender XDR, such as incidents and hunting activities, to help customers assess their vulnerabilities and quickly understand the broader scope of an attack. For example, Copilot can reason over vulnerability intelligence in MDTI and Threat Analytics to deliver a customized, prioritized list based on a customer organization’s unique security posture. Read the full post here: More Threat Intelligence Content in MDTI, TA Enables Better Security Outcomes
