product highlight

Introducing the Threat Intelligence Briefing Agent

As cyber threats rapidly evolve, security teams are overwhelmed by the sheer volume of threat intelligence, making it challenging to deliver timely, targeted briefings. That’s why we’re introducing the Security Copilot Threat Intelligence Briefing Agent, a powerful new tool that slashes the time to produce actionable threat reports from hours or days to just minutes. Now in Public Preview, the agent delivers prioritized insights, mapping the latest adversary activity to your unique attack surface so you know exactly which vulnerabilities demand attention now. Looking ahead, we’re planning even deeper integrations, such as automated remediation, exposure trend analysis, and more, to empower security teams to stay one step ahead of attackers.

Analysis at Machine Speed

This next evolution in Security Copilot threat intelligence capabilities builds on its powerful ability to correlate Microsoft threat data, real-time signals, and customer telemetry to add critical context to threats. The agent dynamically builds briefings based on the latest threat actor activity from Microsoft security research and both internal and external vulnerability data sourced from Microsoft Defender Vulnerability Management (MDVM) and Microsoft Defender External Attack Surface Management (EASM). It automates the collection, analysis, and summarization of this threat information, delivering continuous, tailored briefings based on factors such as your organization’s evolving attack surface, your industry, and your geographic location. These briefings, which can be scheduled or run ad hoc, offer regular executive summaries and technical analysis accessible via the UI or delivered directly to a CISO's inbox. They determine whether a vulnerability is being actively exploited and what its potential organizational impact is. Instead of sifting through threat feeds and vulnerability reports, security teams receive clear insights aligned with the organization's needs, allowing for effective resource allocation.

As a result, cyberthreat intelligence (CTI) analysts gain important data for further research, while CISOs and security leaders get the situational awareness needed to fine-tune their defense strategies.

How the Agent Works

Setting up the Agent

The Threat Intelligence Briefing agent lives in the Security Copilot standalone experience. A new area of the product is devoted to agents, where both Microsoft and third parties offer a variety of agents that perform critical tasks to make cybersecurity teams more effective and efficient. CTI analysts can quickly set up the Threat Intelligence Briefing agent to run once for a one-time report or set it to run automatically at an interval of their choosing.

Setting up the agent is simple. Customers choose an identity for the agent using Microsoft’s role-based access controls (RBAC), then ensure the required plugins are enabled for the agent to run.

At the core of this agent is its integration with Microsoft’s extensive threat intelligence ecosystem. It leverages Microsoft Defender Threat Intelligence (MDTI) profiles, articles, and intelligence on threat actors, tools, and techniques, automatically prioritizing content based on the organization's unique profile. Currently, the Threat Intelligence Briefing Agent is best suited for MDEASM and Microsoft Defender for Endpoint (MDE) customers, as it relies on telemetry and insights from these first-party integrations to deliver accurate and context-rich reports. For organizations with E5 licenses, the agent can also incorporate insights from MDVM to highlight potential weaknesses in your internal IT infrastructure. If the organization utilizes MDEASM, the agent further tailors its briefings using external data such as vulnerabilities associated with unmanaged assets (e.g., CVE information). Once set up, the agent runs in the background to generate the briefing.

Agent in Action

A key benefit of the agent for CISOs and security managers is simplification. The agent runs at regularly scheduled intervals or on demand. In the example briefing, the agent highlighted potentially significant threats facing the organization, focusing on recent campaigns by the riskiest threat actors. These campaigns involve tactics such as exploiting vulnerabilities in network devices, phishing, and ransomware attacks. The briefings also include the most critical CVEs contextualized with threat intelligence, along with links to vulnerable assets for further action. The briefing provides concrete recommendations to enhance defenses, including patching vulnerabilities, strengthening endpoint protection, and implementing attack surface reduction rules.

Customers can then review the path the agent took to see how it gathered this real-time intelligence. At each step of the way, the agent makes dynamic decisions about the best threat intelligence to include, based on its built-in threat intelligence expertise. This path can change each day based on changes in the threat landscape and in the organization’s attack surface. For example, if a CVE gets remediated, threat intelligence associated with that vulnerability becomes less of a priority.

What’s Next

The Threat Intelligence Briefing Agent marks a major step toward AI-driven automation for improving security outcomes, but this is just the beginning. We are continuously listening to our customers and rolling out new updates regularly. This agent will soon be available alongside the rich, continuously updated threat intelligence in the Threat Analytics blade of Defender XDR, enabling Defender customers to create these briefings with the click of a button.

Learn More

The Threat Intelligence Briefing Agent offers a strategic way to reduce complexity, optimize security decision-making, and expedite the identification of the most relevant vulnerabilities and threats impacting your organization. By automating and prioritizing threat intelligence that previously took hours or days to assemble, this agent provides clear, actionable insights that enhance overall security readiness. To learn more about this agent and the rest of the first- and third-party agents now available, watch our Microsoft Secure digital event. For a closer look at this agent, watch our deep dive in the Microsoft Security Copilot Content Hub. Read this blog to learn more about Security Copilot agents at RSA.

MDTI is Converging into Microsoft Sentinel and Defender XDR
In today’s rapidly evolving threat landscape, organizations need threat intelligence (TI) that is woven seamlessly into every step of their security operations, delivered exactly when and where it matters most. That’s why Microsoft is converging Microsoft Defender Threat Intelligence (MDTI) directly into Defender XDR and Microsoft Sentinel, which will provide world-class, real-time TI within a unified SecOps experience at no additional cost. This convergence will grant customers access to Microsoft’s extensive repository of both raw and finished threat intelligence, developed from 84 trillion daily signals and backed by over 10,000 security professionals, eliminating the need for additional licensing and costly third-party solutions. With comprehensive threat actor-focused TI at every layer of the SecOps workflow, teams gain enhanced visibility, faster detection, and accelerated incident response to outpace threats.

Key Features Arriving Soon

The convergence of MDTI value into Microsoft Sentinel and Defender XDR will take place over the course of several months and be completed by the first half of next year. Features in the first phase of this convergence, which will be available by October, include:

Finished Threat Intelligence: Defender XDR customers will have access to Microsoft’s comprehensive threat intelligence library via threat reports within threat analytics (TA). This includes exclusive analyses of threat activity and the detailed content focused on threat actors, threat tooling, and vulnerabilities found in intel profiles. Customers can connect this intelligence to related incidents and affected assets, revealing endpoint vulnerabilities and recommended actions. The convergence of MDTI’s finished intelligence into threat analytics also introduces threat actor-linked indicators of compromise (IOCs). Security operations and threat intelligence teams can use these IOCs, updated in real time as new evidence emerges from Microsoft researchers, to investigate specific attacker infrastructure and behavior, which supports more effective threat hunting and remediation. Even after their expiration, these IOCs will remain available for historical investigations, enabling analysis of past threats and their organizational impact. This helps security teams proactively uncover new, previously unseen attacker infrastructure beyond the known environment. Additionally, the convergence brings MITRE TTPs (tactics, techniques, and procedures) into threat analytics. Understanding TTPs equips organizations to design detections that specifically target the more persistent methods attackers use. By proactively focusing on TTPs, organizations move beyond simply blocking or alerting on IOCs, which helps achieve stronger, more resilient defenses and a proactive security posture. Sentinel customers will also get access to threat analytics in the Defender portal, granting them the same finished TI with many of the same capabilities. This experience will be available for Sentinel customers soon after Defender XDR customers. Stay tuned to the MDTI Tech Community blog for updates on availability.

IoCs in Case Management: Sentinel customers will be able to share threat actor IoCs via Sentinel case management to collaborate and share threat research across teams within their organization. This streamlined sharing not only enhances cross-team collaboration but also accelerates the identification and containment of threats as new intelligence is discovered. By leveraging this workflow within Sentinel, security teams can ensure that actionable threat indicators are promptly distributed and integrated into ongoing investigations, driving smarter and faster responses across the enterprise.

What to Expect from the Fully Unified Threat Intelligence Experience

Once MDTI is fully converged into Defender XDR and Sentinel, customers' alerts, incidents, and investigations will be automatically enriched with relevant threat context, enabling faster, more precise detection and response to emerging threats. Customers will benefit from the entirety of MDTI’s finished and raw intelligence through the threat analytics blade in the Defender portal, including open-source intelligence (OSINT), in-depth threat articles, and advanced internet data sets. Defender XDR customers will be able to directly link this compendium of intelligence to Defender alerts, endpoints, and vulnerabilities. Sentinel customers will gain unique enhancements of their own, such as automated detection triggers based on the latest IoCs, real-time incident enrichment with current threat actor TTPs, advanced automation features like incident triage, and the ability to enhance third-party intelligence through the Sentinel Threat Intelligence Platform (TIP). For some capabilities, such as alerting on IoCs against log data, Sentinel customers will have to pay a small cost for ingestion of TI (there is no minimum ingestion cost).

The first phase of the convergence will be complete by October 2025, with the rest of the features rolling out over time. Reference the table below to see the features and capabilities that will be available after MDTI is fully converged with Defender XDR and Sentinel. For ongoing updates about new MDTI features coming online in Sentinel and Defender XDR, customers should check back on the MDTI Tech Community blog.

Actions for Existing MDTI Customers

Existing MDTI customers will continue to have full access to their current MDTI experience until the product is retired on August 1, 2026. They will be contacted by their account team or partner with guidance on next steps and on how to reduce their current license and transition to this new unified threat intelligence experience in Defender XDR or Sentinel at no additional cost. Please do not hesitate to reach out to your account team with any questions.

Additional Information

Discover how this unified experience simplifies operations, eliminates silos, and helps you see and stop threats faster. Explore the following resources:

Read our blog announcing the expanded Sentinel data lake offering

Register to join us in September for our next wave of innovation around threat intelligence and Microsoft Sentinel

A Security Copilot Customer’s Guide to MDTI
With just one Security Compute Unit (SCU), Copilot for Security customers have unlimited access to the powerful operational, tactical, and strategic threat intelligence in Microsoft Defender Threat Intelligence (MDTI), a $50k per seat value, at no extra cost. Here's what you need to know.

New Security Copilot Plugin Name Reflects Broader Capabilities

The Copilot for Security team is continuously enhancing threat intelligence (TI) capabilities in Copilot for Security to provide a more comprehensive and integrated TI experience for customers. We're excited to share that the Copilot for Security Threat Intelligence plugin has broadened beyond just MDTI to now encapsulate data from other TI sources, including Microsoft Threat Analytics (TA) and Microsoft file and URL intelligence, with even more sources becoming available soon.

New at Ignite: TI Guided Experience in Security Copilot
The Security Copilot team is consistently improving the threat intelligence (TI) experience for customers. At Microsoft Ignite 2024, we're thrilled to unveil two out-of-the-box promptbooks that create guided experiences for cyberthreat intelligence and SOC analysts investigating and responding to threats affecting their organization, simplifying complex workflows and making difficult, repetitive tasks easier to do for all experience levels. Below, we’ll cover each of these promptbooks in more detail.

Threat 'Intelligence 360' report on MDTI article

With Security Copilot able to tap into powerful threat intelligence from more sources, customers get a much more holistic view of threats, better understand how those threats impact the organization, and have more recommendations and guidance to respond faster and more effectively. This promptbook shows customers the full impact a threat covered in a Microsoft Defender Threat Intelligence article has on their organization, to streamline and accelerate response. These prompts map content from the article back to CVE and vulnerability data related to the organization’s attack surface, surface related incidents, and provide recommendations for remediation.

Below, we’ll examine what an analyst sees when they run the 'Threat Intelligence 360 Report' promptbook for the MDTI article “Attack Abuses Victim Resources to Reap Rewards from Titan Network.” The first step of the promptbook pulls up all indicators of compromise (IoCs) added to the article by Microsoft researchers. In the example, the prompt returns a list of IoCs that includes two IP addresses and several URLs. The next step of the promptbook asks Security Copilot to create a KQL query to hunt across the organization’s network for activity related to the indicators from the article. In the example, Security Copilot created a query for the IPv4 indicators returned from the article. The promptbook creates KQL queries for every indicator type and returns all relevant intelligence.

The promptbook then searches for Defender incidents related to the article. In this example, it returns four incidents that contain indicators or tactics, techniques, and procedures (TTPs) covered in the article. Grouping the incidents by activity makes them easy to reference for incident responders and provides important context and a clear path forward for cyberthreat intel analysts' investigations. Finally, the promptbook shows the analyst details of the CVEs listed in the article and their impact on the organization by listing the organization's vulnerable assets and resources, helping the analyst understand how the attack surface is exposed and the steps needed to address and remediate the vulnerabilities. Overall, this information rapidly summarizes a threat analyzed in a threat intelligence article so analysts can quickly and efficiently understand the nuances of the threat and its impact on the organization.

Impact of external article

This promptbook shows analysts the impact of an external threat intelligence article from a third-party source (not found in Microsoft products) on their organization. The promptbook extracts indicators from the article and checks them against all of Microsoft’s intelligence to show all relevant information and the impact on the organization. In the example, the analyst runs this promptbook to better understand a third-party threat intelligence article about the latest campaigns leveraging the 'Silent Skimmer'. Next, the promptbook takes the indicators extracted from the article and queries Microsoft's compendium of threat intelligence to show all related content and data, giving analysts a broader understanding of the threat activity. The promptbook checks each IoC's reputation against Microsoft Threat Intelligence; the analyst can see that several of the indicators from the article are known to Microsoft as malicious and are associated with several Microsoft threat intelligence articles in MDTI.

After uncovering related intelligence, the promptbook asks Security Copilot to create KQL queries to automatically hunt across the network for the malicious indicators from the article, as well as the ones newly surfaced in Microsoft threat intelligence. In the example, it searches for the file hashes listed in the article. Finally, the promptbook asks Security Copilot to create a table showing any reference in Microsoft threat intelligence to the indicators mentioned in the article, as well as any devices in the customer organization that are affected by CVEs listed in the article, based on Threat Analytics data.

These new promptbooks create guided experiences for a variety of personas, simplifying complex workflows and making difficult, repetitive tasks easier to do.

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape, made possible by protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in Copilot for Security that provides an all-encompassing view of attack vectors across various platforms, ensuring customers have comprehensive threat detection and remediation.

If you are interested in learning more about MDTI and how it can help you unmask and neutralize modern adversaries and cyberthreats such as ransomware, and to explore the features and benefits of MDTI, please visit the MDTI product web page. To learn more about Security Copilot, visit the Tech Community page here. Learn more about Microsoft Security Copilot in Microsoft Defender Threat Intelligence here. Learn more about other Microsoft threat intelligence innovations launching at Ignite here. Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Security Copilot SCU here.

New at Ignite: Unified Threat Intelligence Experience in Security Copilot
The Security Copilot team is continuously enhancing threat intelligence (TI) capabilities in Copilot. At Microsoft Ignite 2024, we’re excited to announce several powerful innovations that provide a more comprehensive and integrated TI experience for customers. Now generally available, Security Copilot customers can build a '360-degree' view of threats by tapping into a wider range of TI sources for more insight into attacker tooling and methodology and how they may impact the organization. Below, we’ll cover these innovations in more detail.

Now Public Preview: MDTI Indicator Data

Ten new indicator skills can now leverage the full corpus of raw and finished threat intelligence in MDTI to link any indicator of compromise (IoC) to all related data and content, providing critical context to attacks and enabling advanced research and preemptive hunting capabilities that give defenders a head start on adversaries. This automated infrastructure chaining is a crucial function for a security analyst or threat hunter investigating the relationships between connected data sets, which allows them to kick off and expand their investigations into events or incidents on their network. These skills call upon two main categories of threat intelligence:

In-depth Indicators data: Security Copilot can now automatically link any IoC with all threat intelligence linked to it in MDTI, including intel profiles, articles, and summary data, which includes detonation and reputation information from Microsoft’s file and URL analysis. This context is critical when responding to an incident, providing instant information on the attacker and the nature of the attack. This data can also level up analysts by providing the necessary next steps outlined in MDTI to help them deal with the incident quickly and efficiently.

Indicators metadata: Security Copilot can link any IoC to associated infrastructure across the internet via MDTI’s advanced internet data sets. These data sets are developed by collecting and analyzing internet data at a global scale and are comprised of core and derived data sets. Core data sets include Resolutions, WHOIS information, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services. Derived data sets include Trackers, Components, Host Pairs, and Cookies. When linked to related infrastructure, analysts can make connections between related threat activity and preemptively uncover new threat tooling before it can be used against the organization. In this example, an indicator has been linked to several IP addresses, two articles, and three intel profiles. Copilot has also pulled up its reputation, WHOIS, and passive DNS data.

Now GA: Expanded Unified Vulnerability Intelligence

Recently, we announced the expansion of the Threat Intelligence plugin in Security Copilot. Now generally available, Security Copilot can also reason over vulnerability and asset intelligence from Microsoft Defender External Attack Surface Management (MDEASM), Defender Vulnerability Management (MDVM), and Threat Analytics for a more complete view of vulnerabilities and a better understanding of how known threats covered in Microsoft threat intelligence impact the organization. Through this holistic experience, customers get a deeper view of threats, better understand how they impact the organization, and have more recommendations and guidance to respond faster and more effectively. In a single view, customers can understand the impact of a vulnerability or exposure, including exposed and unmanaged assets, risk-based prioritization, and steps for remediation. Customers can also see all threat intelligence related to the vulnerability to better understand the threat actors leveraging it, so they can take preemptive steps to secure their organization.

With the integration of threat intelligence sources in Security Copilot that are otherwise separate, customers get a much more holistic view of threats, sharper clarity on how they impact the organization, and more recommendations and guidance to respond faster and more effectively.

Conclusion

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape, made possible by protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in Security Copilot that provides an all-encompassing view of attack vectors across various platforms, ensuring customers have comprehensive threat detection and remediation.

If you are interested in learning more about MDTI and how it can help you unmask and neutralize modern adversaries and cyberthreats such as ransomware, and to explore the features and benefits of MDTI, please visit the MDTI product web page. To learn more about Security Copilot, visit the Tech Community page here. Learn more about other threat intelligence innovations being announced at Ignite here. Learn more about Microsoft Security Copilot in Microsoft Defender Threat Intelligence here. Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Security Copilot SCU here.

How MDTI Helps Power Copilot for Security
This blog post will delve into Copilot for Security, focusing on the strategic utilization of Microsoft Defender Threat Intelligence (MDTI), a comprehensive threat intelligence product designed to enhance triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows. It will explore how this integral part of Copilot can be effectively harnessed to facilitate comprehensive understanding, investigation, and navigation of threat intelligence.

MDTI for Government Now Available

We are thrilled to announce that Microsoft Defender Threat Intelligence (MDTI) with FedRAMP High (DOD IL2) attestation is now available for government sectors. Customers across U.S. state, local, and tribal governments utilizing GCC services can now purchase MDTI and the MDTI API SKUs to unmask adversaries and understand their organization’s security posture against threats.

Introducing the MDTI Premium Data Connector for Sentinel
The MDTI and Unified Security Operations Platform teams are excited to introduce an MDTI Premium data connector available in the Unified Security Operations Platform and standalone Sentinel experiences. This connector enables customers to apply the powerful raw and finished threat intelligence in MDTI, including high-fidelity indicators of compromise (IoCs), across their security operations to detect and respond to the latest threats.