Microsoft Defender Threat Intelligence and Sentinel integration deep dive
See how quick detection and response are vital to navigating today's fast-moving cyberattacks. We'll break down a cyberattack and show how Microsoft Defender Threat Intelligence, combined with Microsoft's SIEM and XDR solutions, constructs a multi-stage incident giving visibility into the attack timeline and all related events. We'll then investigate the attacker and automate mitigations to contain the damage. This session is part of the Microsoft Secure Tech Accelerator. RSVP for event reminders, add it to your calendar, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
Need information on generating sample events for Threat Intelligence
Hi community, I am working on exploring MS Threat Intelligence and its features. But I am not able to generate sample data for this product, nor able to view the Threat Intelligence logs using Microsoft Management API following the schema - https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype I tried sending some mails from external email account to my organisation's test user containing EICAR files, and also tried with some safe but malicious test URLs. But still unable to get data inside Threat Intelligence. Can someone please help me here for generating events and viewing the content using Management APIs?
New Blog | New Copilot for Security Plugin Name Reflects Broader Capabilities
By Michael Browning The Copilot for Security team is continuously enhancing threat intelligence (TI) capabilities in Copilot for Security to provide a more comprehensive and integrated TI experience for customers. We're excited to share that the Copilot for Security threat Intelligence plugin has broadened beyond just MDTI to now encapsulate data from other TI sources, including Microsoft Threat Analytics (TA) and SONAR, with even more sources becoming available soon. To reflect this evolution of the plugin, customers may notice a change in its name from "Microsoft Defender Threat Intelligence (MDTI) to "Microsoft Threat Intelligence," reflecting its broader scope and enhanced capabilities. Since launch in April, Copilot for Security customers have been able to access, operate on, and integrate the raw and finished threat intelligence from MDTI developed from trillions of daily security signals and the expertise of over 10 thousand multidisciplinary analysts through simple natural language prompts. Now, with the ability for Copilot for Security's powerful generative AI to reason over more threat intelligence, customers have a more holistic, contextualized view of the threat landscape and its impact on their organization. Read the full post here: New Copilot for Security Plugin Name Reflects Broader CapabilitiesNew Blog | More Threat Intelligence Content in MDTI, TA Enables Better Security Outcomes
By Michael Browning Microsoft threat intelligence empowers our customers to keep up with the global threat landscape and understand the threats and vulnerabilities most relevant to their organization. We are excited to announce that we have recently accelerated the speed and scale at which we publish threat intelligence, giving our customers more critical security insights, data, and guidance than ever before. This blog will show how our 10,000 interdisciplinary experts and applied scientists reason over more than 78 trillion daily threat signals to continuously add to our understanding of threat actors and activity. It will also show how this increased publishing cadence in Microsoft Defender Threat Intelligence (MDTI), Threat Analytics, and Copilot for Security helps enrich and contextualize hundreds of thousands of security alerts while enhancing customers' overall cybersecurity programs. Increased Intel Profiles Microsoft has published 270 new Intel profiles over the past year to help customers maintain situational awareness around the threat activity, techniques, vulnerabilities, and the more than 300 named actors Microsoft tracks. These digital compendiums of intelligence help organizations stay informed about potential threats, including Indicators of Compromise (IOCs), historical data, mitigation strategies, and advanced hunting queries. Intel profiles are continuously maintained and updated by Microsoft's threat intelligence team, which added 24 new Intel profiles in May alone, including 10 Activity Profiles, 4 Actor Profiles, 5 Technique Profiles, and 5 Vulnerability Profiles. Intel profiles are published to both MDTI and Threat Analytics, which can be found under the "Threat Intelligence" blade in the left-hand navigation menu in the Defender XDR Portal. In Threat Analytics, customers can understand how the content in Intel profiles relates to devices and vulnerabilities in their environment. In MDTI, Intel Profiles enhance security analyst triage, incident response, threat hunting, and vulnerability management workflows. In Copilot for Security, customers can quickly retrieve information from intel profiles to contextualize artifacts and correlate MDTI and Threat Analytics content and data with other security information from Defender XDR, such as incidents and hunting activities, to help customers assess their vulnerabilities and quickly understand the broader scope of an attack. For example, Copilot can reason over vulnerability intelligence in MDTI and Threat Analytics to deliver a customized, prioritized list based on a customer organization’s unique security posture. Read the full post here: More Threat Intelligence Content in MDTI, TA Enables Better Security Outcomes
Massive reduction in Threat Intelligence IP data since Monday 10th June
Hi, Anyone else see a massive reduction in Threat Intelligence IP data since Monday 10th June into Sentinel platforms? I operate two Sentinel environments and they both seen the same change. The screenshot below is the past 30 days. The past 48 hours still reports some IP information being sent but at a very reduced rate. What's changed with the feed?
Python Update Recommendation Not Desapearing from Microsoft Vulnerability Management list
Hello, Microsoft Defender Vulnerability Management is recommending to update Python in my Azure VM Machines since version 3.9 has some critical vulnerabilities. We did the update to version 3.12 but only the Windows 2019 Datacenter machine is not appearing as Exposed Device anymore. The procedure to update Python in all machines was the same but the Windows 2016 Datacenter VM´s remains in the Exposed Device list. Because Python relies on Anaconda, it is not possible to remove the older version completely. The strange thing is why the same proceduro to update the software is seen as diferent by Microsoft Defender Vulnerability Management apparently. Any advice is highly appreciated. Thanks in advance Mirella
New Blog | MDTI Earns Impactful Trio of ISO Certificates
Microsoft Defender Threat Intelligence (MDTI) has achieved ISO 27001, ISO 27017 and ISO 27018 certifications. The ISO, the International Organization for Standardization, develops market relevant international standards that support innovation and provide solutions to global challenges, including information security requirements around establishing, implementing, and improving an Information Security Management System (ISM). These certificates emphasize the MDTI team’s continuous commitment to protecting customer information and following the strictest standards of security and privacy standards. Read the full blog here: MDTI Earns Impactful Trio of ISO Certificates - Microsoft Community Hub
New blog post | What's New: Hash and URL Search Intelligence
Microsoft Defender Threat Intelligence (Defender TI) now includes File Hash and URL Search capabilities, enabling researchers, analysts, hunters, and security responders to search for high-quality threat intelligence, including verdicts and associated metadata. This feature empowers security professionals to effectively utilize threat intelligence in their threat-hunting and investigation activities. What's New: Hash and URL Search Intelligence - Microsoft Community HubNew Blog Post | The New Microsoft Security Customer Connection Program (CCP)
Read the full blog post: The New Microsoft Security Customer Connection Program (CCP) - Microsoft Community Hub The security community is constantly growing, changing, and learning from each other in order to better position the world against cyber security threats. For years, Microsoft has driven a customer-obsessed development process by hosting two private communities for end-users of Microsoft security products: the Microsoft Cloud Security Private Community and the Microsoft 365 Defender Customer Connection Program. Under a strict confidentiality framework, our engineering teams get direct community feedback and insights for our roadmap plans, new user experience designs, private preview features, and more. Today, we are happy to announce that these two communities have now come together under one team – The Microsoft Security Customer Connection Program.New Blog Post | Microsoft Defender Weekly Wrap – Issue #50
Microsoft Defender Weekly Wrap – Issue #50 - Azure Cloud & AI Domain Blog (azurecloudai.blog) Happy Friday all! This newsletter is 50! I just want to make it a quick point to thank you all for tuning in and continuing to tune in. This newsletter - and this community - continues to grow by leaps and bounds. Who knew 50 weeks ago that a simple idea like this could swell into something so far reaching and valuable to many of you. I receive commentary frequently from folks that count on this newsletter weekly and participate heavily in the associated LinkedIn group. Your community patronage is amazing and always appreciated. Remember, if you see something you like in the newsletter content don’t keep it to yourself. Share it with someone that needs it. That’s how we continue to grow. … GitLab Survey - Defender for DevOps GitLab Integration The Defender for DevOps team is looking to broaden the Microsoft Defender for Cloud ecosystem by offering customers the ability to onboard their GitLab resources into Defender for DevOps. If your DevOps team uses GitLab in any capacity, we request your feedback to better understand how you interact with the GitLab platform. Survey link: https://rodtrent.com/o9o … The Must Learn KQL Christmas edition has been relaunched for the holidays! Know someone (or yourself) that lives KQL? Could be better than a Christmas Hallmark movie. https://must-learn-kql.creator-spring.com/listing/get-kql-for-christmas All proceeds go to St. Jude. … Even with the purposeful effort to consolidate security portals I think you’ll agree with me that Microsoft still has portal glut. I found the Microsoft Cloud command line this past week and thought I’d share with all of you. If you’ve not seen this already, you’ll thank me for the link: https://cmd.ms/ … That’s it from me for this week. Have a wonderful weekend and week ahead! Talk soon. -Rod
