dti data
23 Topics

What’s New at Ignite: Powerful Enhancements in Unified Threat Intelligence
At Microsoft Ignite 2025, we’re unveiling transformative upgrades in threat intelligence designed to empower security teams. With the Threat Intelligence Briefing Agent now fully integrated into the Defender portal, defenders can shift from reactive to proactive security strategies, using Microsoft’s global intelligence combined with insights tailored to their organization. Additionally, the latest phase of the integration of Microsoft Defender Threat Intelligence (MDTI) with Defender XDR and Sentinel brings together unified, real-time threat intelligence and advanced analytics, streamlining the SecOps experience and equipping organizations with powerful tools to anticipate and address emerging threats more effectively.

Threat Intelligence Briefing Agent in Defender
Launched in March, the Threat Intelligence Briefing Agent has already enabled security teams to shift from reactive defense to proactive threat anticipation. At Ignite, we’re excited to announce that this agent is now fully integrated into the Microsoft Defender portal, currently available in Public Preview. It delivers daily, customized briefings, combining Microsoft’s global threat intelligence with insights specific to each organization, in just minutes. Instead of spending hours piecing together information from multiple sources, analysts now receive automated, up-to-date intelligence summaries. These briefings help analysts quickly prioritize actions by providing risk assessments, clear recommendations, and direct links to vulnerable assets, empowering organizations to address exposures proactively.

MDTI Convergence into the Defender Portal
In July, we announced the integration of Microsoft Defender Threat Intelligence (MDTI) directly into Defender XDR and Microsoft Sentinel. This integration delivers world-class, real-time threat intelligence within a unified SecOps experience, all at no additional cost.
We are pleased to share that the first phase of this convergence is now available in Public Preview. It features Microsoft’s comprehensive threat intelligence library within Threat Analytics, and new enhancements making it easier than ever for users to access, understand, and act on this critical information.

Threat Intelligence Library in the Defender Portal
Defender XDR customers will have access to Microsoft’s comprehensive threat intelligence library via threat reports within threat analytics (TA). This includes exclusive analyses of threat activity and the detailed content focused on threat actors, threat tooling, and vulnerabilities found in intel profiles. Threat reports are automatically correlated with related incidents and affected assets, revealing endpoint vulnerabilities and recommended actions. Threat analytics in Defender enables and empowers customers to get threat insights around emerging threats on a global scale. Threat analytics provides contextual and operational information about the relevance of each threat for an organization, which allows security teams to organize and prioritize their operations and triage processes based on impact, available as in-product reports. Threat reports published in Threat analytics include threat activity such as:

- Active threat actors and their campaigns
- Popular and new attack techniques
- Critical vulnerabilities
- Common attack surfaces
- Prevalent malware

Threat reports provide analysts with insights into the methods and attack patterns employed by threat actors, along with details on vulnerabilities, zero-day exploits, and potentially harmful tools. These findings are correlated with relevant contextual information from the customer's environment to assess the specific impact each threat may have on their organization.

Threat Analytics library now also available to Sentinel-only customers
Sentinel-only customers now have access to Microsoft’s threat intelligence library through reports in Threat Analytics (TA), currently in Public Preview. This upgrade brings Microsoft’s world-class threat intelligence and actionable indicators to Sentinel without a Defender XDR license. While incident correlation and automated response remain exclusive to Defender XDR, standalone Sentinel deployments gain improved threat visibility and integrated security options.

What’s new in Threat Analytics
Threat reports within Threat Analytics have been upgraded with enhanced insights—previously accessible exclusively through an MDTI license—to provide Defender customers with improved context regarding finished intelligence on prevalent threats. The following contextual insights for each report are now available within Threat Analytics:

- Indicators of Compromise: Each threat report now includes a comprehensive list of indicators attributed to the specific threat. This feature allows customers to review all relevant indicators and access detailed entity information within Defender directly from the report, streamlining navigation to support efficient investigation and triage.
- MITRE ATT&CK Mapping: By mapping threats’ tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework, customers can proactively identify, detect, and mitigate persistent techniques, ultimately enhancing overall security posture.
- Targeted Industries & Actor Origin: Reports provide insight into targeted industries and threat actor origins, enabling analysts to prioritize intelligence and contextualize motivations and observed TTPs.
- Related Intelligence & Aliases: Threat Analytics offers links to related intelligence and presents actor or tool aliases, allowing customers to cross-reference reports and understand the alignment between Microsoft Threat Intelligence and broader industry developments.

All these additional insights are available in the overview of a threat report.

Furthermore, finding threat reports is now easier. The reports are systematically organized and can be filtered by Actor, Tool, Technique, Vulnerability, Activity, or Core threat, making it quicker to locate specific reports. Read more about threat analytics report and the information available here.

Access to Indicators of Compromise
Indicators of Compromise linked to specific threats provide SOC Analysts with valuable insight into the most common risks faced by their organization. For Defender customers, threat analytics now makes it easier to filter this data according to particular threats. Because information about indicators is vital, unauthorized access poses a risk of data theft or exploitation by malicious actors. Recognising its sensitivity, access to Indicators is restricted to verified customers only. Customers who do not have access to indicators will see the following when attempting to access it:

In scenarios where access is restricted, customers will have the option to verify themselves by submitting business information to get access on successful verification. Read more about access to indicators. Customers with access to indicators (with or without the need to submit additional verification) will be able to see the entire list.

The improvements to Threat analytics described above are designed to deliver a unified threat intelligence experience. By integrating MDTI features into Microsoft Defender and Sentinel, customers will progressively have access to more valuable insights that were previously available only with paid MDTI licenses. Read more about MDTI convergence here.

Link Cases to IOCs for Complete Threat Context
You can now link a case directly to relevant Indicators of Compromise (IOCs), ensuring investigations and response workflows stay connected.
This feature improves visibility and collaboration, enabling faster, more informed decisions during threat investigations.

Conclusion
The integration of the Threat Intelligence Briefing agent into the Defender Portal and the convergence of MDTI into Microsoft Defender and Sentinel represent a major leap forward for security teams, delivering unified threat intelligence and streamlined workflows. With enhanced access to threat reports, indicators of compromise, and contextual insights, organizations are better equipped to proactively defend against emerging threats and respond with greater speed and confidence. These advancements ensure that valuable intelligence is accessible to all, strengthening security operations and empowering defenders to stay ahead in an ever-evolving threat landscape.

Introducing the Threat Intelligence Briefing Agent
As cyber threats rapidly evolve, security teams are overwhelmed by the sheer volume of threat intelligence, making it challenging to deliver timely, targeted briefings. That’s why we’re introducing the Security Copilot Threat Intelligence Briefing Agent—a powerful new tool that slashes the time to produce actionable threat reports from hours or days to just minutes. Now in Public Preview, the agent delivers prioritized insights, mapping the latest adversary activity to your unique attack surface so you know exactly which vulnerabilities demand attention now. Looking ahead, we’re planning even deeper integrations, such as automated remediation, exposure trend analysis, and more, to empower security teams to stay one step ahead of attackers.

Analysis at Machine Speed
This next evolution in Security Copilot threat intelligence capabilities builds on its powerful ability to correlate Microsoft threat data, real-time signals, and customer telemetry to add critical context to threats. The agent dynamically builds briefings based on the latest threat actor activity from Microsoft security research and both internal and external vulnerability data sourced from Microsoft Defender Vulnerability Management (MDVM) and Microsoft Defender External Attack Surface Management (EASM). It automates the collection, analysis, and summarization of this powerful threat information, delivering continuous, tailored briefings based on factors such as your organization’s evolving attack surface, your industry, and geographic location. These briefings, which can be scheduled or run ad-hoc, offer regular executive summaries and technical analysis accessible via the UI or directly to a CISO's inbox. They determine whether a vulnerability is being actively exploited and its potential organizational impact. Instead of sifting through threat feeds and vulnerability reports, security teams receive clear insights aligned with the organization's needs, allowing for effective resource allocation.
As a result, cyberthreat intelligence (CTI) analysts gain important data for further research, while CISOs and security leaders get the situational awareness needed to fine-tune their defense strategies.

How the Agent Works

Setting up the Agent
The Threat Intelligence Briefing agent is in the Security Copilot standalone experience. A new area of the product is devoted to agents, where both Microsoft and third parties offer a variety of agents that perform critical tasks to make cybersecurity teams more effective and efficient. CTI analysts can quickly set up the Threat Intelligence Briefing agent to run once for a one-time report or set it to run automatically at an interval of their choosing. Setting up the agent is simple. Customers can choose an identity for the agent using Microsoft’s robust role-based access controls (RBAC):

They can then ensure the required plugins are enabled for the agent to run. At the core of this agent is its integration with Microsoft’s extensive threat intelligence ecosystem. It leverages Microsoft Defender Threat Intelligence (MDTI) profiles, articles, and intelligence on threat actors, tools, and techniques, automatically prioritizing content based on the organization's unique profile. Currently, the Threat Intelligence Briefing Agent is best suited for MDEASM and Microsoft Defender for Endpoint (MDE), as it relies on telemetry and insights from these first-party integrations to deliver accurate and context-rich reports. For organizations with E5 licenses, the agent can also incorporate insights from MDVM to highlight potential weaknesses in your internal IT infrastructure. If the organization utilizes MDEASM, the agent further tailors its briefings using external data such as vulnerabilities associated with unmanaged assets (e.g., CVE information):

Once set up, the agent is ready to run in the background to generate the briefing:

Agent in Action
A key benefit of the agent for CISOs and security managers is simplification.
The agent runs at regularly scheduled intervals or on-demand:

Here, we can see the briefing highlighted potentially significant threats facing the organization, focusing on recent campaigns by the riskiest threat actors. These campaigns involve tactics such as exploiting vulnerabilities in network devices, phishing, and ransomware attacks:

The briefings also include the most critical CVEs contextualized with threat intelligence. It also includes links to vulnerable assets for further action:

The briefing provides concrete recommendations to enhance defenses, including patching vulnerabilities, strengthening endpoint protection, and implementing attack surface reduction rules. Customers can then review the path the agent took to see how it gathered this real-time intelligence:

Here, we can see the path the agent has taken to generate the briefing. At each step of the way, it is making dynamic decisions about the best threat intelligence to include based on its inherent threat intelligence expertise. This path can change each day based on changes in the threat landscape and on the organization’s attack surface. For example, if a CVE gets remediated, threat intelligence associated with that vulnerability will become less of a priority:

What’s Next
The Threat Intelligence Briefing Agent marks a major step toward AI-driven automation for improving security outcomes, but this is just the beginning. We are continuously listening to our customers and rolling out new updates regularly. This powerful agent will soon be available alongside the rich, continuously updated threat intelligence in the Threat Analytics blade of Defender XDR to enable Defender customers to create these briefings with the click of a button.

Learn More
Threat Intelligence Briefing Agent offers a strategic way to reduce complexity, optimize security decision-making, and expedite the identification of the most relevant vulnerabilities and threats impacting your organization.
By automating and prioritizing threat intelligence—the same intelligence that previously took hours or days to assemble—this agent provides clear, actionable insights that enhance overall security readiness. To learn more about this agent and the rest of the first and third-party agents now available, watch our Microsoft Secure digital event. For a closer look at this agent, watch our deep dive in the Microsoft Security Copilot Content Hub. Read this blog to learn more about Security Copilot agents at RSA.

New Security Copilot Plugin Name Reflects Broader Capabilities
The Copilot for Security team is continuously enhancing threat intelligence (TI) capabilities in Copilot for Security to provide a more comprehensive and integrated TI experience for customers. We're excited to share that the Copilot for Security Threat Intelligence plugin has broadened beyond just MDTI to now encapsulate data from other TI sources, including Microsoft Threat Analytics (TA) and Microsoft file and URL intelligence, with even more sources becoming available soon.

MDTI for Government Now Available
We are thrilled to announce that Microsoft Defender Threat Intelligence (MDTI) with FedRAMP High (DOD IL2) attestation is now available for government sectors. Customers across U.S. state, local, and tribal governments utilizing GCC services can now purchase MDTI and the MDTI API SKUs to unmask adversaries and understand their organization’s security posture against threats.

Introducing the MDTI Premium Data Connector for Sentinel
The MDTI and Unified Security Operations Platform teams are excited to introduce an MDTI Premium data connector available in the Unified Security Operations Platform and standalone Sentinel experiences. This connector enables customers to apply the powerful raw and finished threat intelligence in MDTI, including high-fidelity indicators of compromise (IoCs), across their security operations to detect and respond to the latest threats.

More Threat Intelligence Content In MDTI, TA Enables Better Security Outcomes
Microsoft threat intelligence empowers our customers to keep up with the global threat landscape and understand the threats and vulnerabilities most relevant to their organization. We are excited to announce that we have recently accelerated the speed and scale at which we publish threat intelligence, giving our customers more critical security insights, data, and guidance than ever before.

Defender TI Detections in Microsoft Sentinel
Did you know that you can benefit from Microsoft Defender Threat Intelligence if you're a Microsoft Sentinel customer? Come and learn how Microsoft Defender Threat Intelligence can help you generate more high-confidence detections by taking advantage of its free threat intelligence article indicators as well as indicators from its malware and phishing feeds.

What's in an MDTI Web Crawl?
Want to learn how data found from the DOM of web pages is so powerful when it comes to investigating threats? Check out this blog to learn more about Microsoft Defender Threat Intelligence's web crawling process and how its internet-derived datasets can bolster your cyber threat investigations.

What’s New: MDTI Interoperability with Microsoft 365 Defender
Microsoft Defender Threat Intelligence (MDTI) helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows, aggregating and enriching critical threat information in an easy-to-use interface. At Microsoft Secure, we announced new features, including that MDTI is now available to licensed customers within the Microsoft 365 Defender (M365 Defender) portal, placing its powerful threat intelligence side-by-side with the advanced XDR functionality of M365 Defender.