A Copilot for Security Customer’s Guide to MDTI
Published Apr 02 2024 08:53 AM
Microsoft

With just one Security Compute Unit (SCU), Copilot for Security customers have unlimited access to the powerful operational, tactical, and strategic threat intelligence in Microsoft Defender Threat Intelligence (MDTI), a $50k per seat value, at no extra cost. This compendium of high-fidelity intelligence developed by Microsoft's team of more than 10,000 multidisciplinary security experts and informed by over 78 trillion security signals enables teams to unmask and neutralize adversaries quickly and efficiently.  

 

In this blog, we will review what MDTI is, what you get as a Copilot for Security customer, and how you can immediately tap into this powerful intelligence.

 

What is MDTI?  

 

MDTI is a threat intelligence product that enables security professionals to directly access, ingest, and act upon trillions of daily security signals in Microsoft's telemetry. MDTI's finished intelligence, including threat articles and intel profiles, provides the latest on cyber threat actors and their tools, tactics, and procedures. Its unique security data sets enable advanced investigations that uncover malicious infrastructure connections across the global cyberthreat landscape to highlight where an organization is vulnerable and address the tools and systems used in cyberattacks.  

 

MDTI is a powerful complement to Microsoft's SIEM, XDR, and AI solutions. Copilot for Security customers can use the incredible depth and breadth of Microsoft threat intelligence in MDTI with Generative AI to quickly understand the full scope of attacks, anticipate the next steps of an ongoing campaign, and drive an optimal security plan for their organizations. They can immediately begin using MDTI in the Copilot for Security standalone experience or embedded experience in Defender XDR. They can also use MDTI directly via the MDTI "analyst workbench" experience in the Threat Intelligence blade in Defender XDR.

 

Copilot for Security customers can tap into MDTI’s powerful threat intelligence in a variety of ways

 

Learn more about MDTI by taking the MDTI Ninja Training here> 

 

MDTI In Copilot for Security 

 

Microsoft Copilot for Security enables customers to access, operate on, and integrate Microsoft's raw and finished threat intelligence via natural language. They can make simple requests known as prompts to learn about threat actors, tools, indicators of compromise (IoCs), and threat intelligence related to their organization's security incidents and alerts.

 

Prompts can ask important questions of MDTI's data and content, such as "Tell me more about the Threat actor Silk Typhoon." Users can also write a tailored prompt book (a predefined set of typical follow-up questions) about [security incident] and how to respond to it. The answers returned from prompts are always up to date with the latest threat intelligence information from MDTI, including IoCs, data from mass collection and analysis, intelligence articles, Intel Profiles (vulnerabilities, threat actors, threat tooling), and guidance. This critical information, delivered instantly and in context, helps different security personas defend at machine speed and scale.

 

Example of MDTI skills and prompts in Copilot for Security

 

MDTI powers Copilot for Security via a wide range of threat intelligence skills, enabling customers to quickly retrieve information on indicators, including IP addresses and domains, and contextualize artifacts with content such as threat articles and intel profiles. Additionally, out-of-the-box promptbooks correlate MDTI content and data with other security information from Defender XDR, such as incidents and hunting activities, to help customers quickly understand the broader scope of an attack. These capabilities will be available within the standalone and embedded Copilot for Security experiences. 

 

MDTI is integral to the Copilot for Security experience. To begin using MDTI in Copilot, simply go to "manage plugins" (bottom left in the Copilot standalone interface) and enable "Microsoft Defender Threat Intelligence." 

 

Learn more about MDTI in Copilot for Security here> 

 

MDTI In Defender XDR 

 

In Defender XDR, MDTI helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows, aggregating and enriching critical threat information in an easy-to-use interface. Copilot customers can leverage MDTI's data sets and content anytime, anywhere within Defender XDR to provide additional context and aid in investigations. In the Microsoft Defender XDR portal, users can access MDTI under the "Threat Intelligence" blade in the left-hand navigation menu. 

 

  • Intel Explorer: In this tab, customers can search across all intelligence in MDTI, browse featured articles, and peruse recent threat article pages.
  • Intel Profiles: This tab contains more than 300 continuously maintained profiles on threat actors, tooling, and vulnerabilities. 
  • Intel Projects: In this tab, users can create or access team and individual projects to save personal investigations and collaborate with teammates across the organization. 
  • Detonation Intelligence for Hashes and URL Search: Customers can obtain insights about the file hash or URL and any associated links to intelligence articles where the file hash or URL has been listed as an Indicator of Compromise. 

 

The MDTI user interface in the Intelligence blade within Defender XDR

 

The MDTI API is not included with Copilot for Security 

 

If users wish to leverage MDTI's API endpoints to support automated enrichment against their incidents or create sophisticated scripts to address use cases our MDTI Copilot skills cannot natively support today, customers are encouraged to work with their Commercial Executive to learn more about purchasing our MDTI API license. 

 

Learn more about the MDTI API here and here> 

 

New to MDTI? Here's where to start 

 

Learn more about getting started with Copilot for Security, including pricing, here> 

 

Also, be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats.

Last update: Apr 09 2024 11:09 AM