Prevent repeat attacks with threat-informed security posture recommendations
Published Jun 06 2023 09:53 AM 27K Views

As organizations continue to face an ever-evolving threat landscape, it is essential to have an effective posture management strategy in place. To do this effectively, security analysts not only need to consider industry standards and vendor best practices, but also take recent attacks into consideration. Investigating incidents that affected the organization helps understanding how the adversary got in and what misconfigurations were leveraged during the attack. These learnings enable security analysts to identify which settings should be addressed to close those gaps and prevent the organization from being affected by the same attack again.


Microsoft 365 Defender now makes it easy for security operations (SOC) teams to identify and prioritize the right controls with the general availability of threat-informed security posture recommendations.


This embedded experience maps techniques that were used during an attack on your organization to the relevant available security controls in Microsoft Secure Score and presents posture recommendations to prevent similar attacks from being successful again. The new experience delivers:

  • Microsoft 365 Defender maps techniques used during an attack to available Microsoft Secure Score controls
  • Prioritized security posture recommendations are shown in the new “Exposures and mitigations” tab on the relevant incident, as well as the threat analytics page of the associated threat
  • Prevent similar attacks in the future by addressing the root cause and apply the recommended controls


Prevent repeat attacks
When investigating an incident or a new threat campaign, security analysts investigate, contain, respond, and remediate an attack. However, it’s also critical to continuously evaluate and fine tune an organization’s security settings after an attack is remediated to prevent the same attack from reoccurring.


Bringing posture recommendations available via Microsoft Secure Score into the threat analytics and incident views, Microsoft 365 Defender now maps the techniques used by the attacker to the vulnerabilities or misconfigurations that led to the breach. This gives security analysts the information within the context of an incident and helps implement a prioritized and threat-driven security posture plan.


This new capability analyzes incidents in your environment and recommends specific Microsoft Secure Score controls that can block the techniques used in previous incidents, enabling you to prioritize posture recommendations based on relevant, repetitive techniques, and reduce the risks of similar attacks.


Start using the new threat-informed posture recommendations

When investigating emerging threats, Microsoft 365 Defender researches and analyzes the techniques used by threat actors and maps them to security posture in Microsoft 365 Defender. These actions and their status are available in the threat analytics report, allowing you to focus on improving your organization’s resilience in the context of a specific emerging threat.

Figure 1: Example of a threat-informed posture recommendations within Threat AnalyticsFigure 1: Example of a threat-informed posture recommendations within Threat Analytics


Understand your resilience against threats – In the Microsoft 365 Defender portal, navigate to Threat analytics from the left-hand navigation. For each threat, you’ll be able to view a score that reflects the severity of misconfigurations the attacker exploited and the number of affected assets as shown in Figure 2.

Figure 2: View a graph of your organization's score over time in the threat overview tab.Figure 2: View a graph of your organization's score over time in the threat overview tab.


View and act on recommended actions from an incident or a threat analytics report
View the list of recommended posture controls directly from the recommended actions tab within the incident or threat analytics page in Microsoft 365 Defender.

Figure 3: Posture recommendation actions within Incident.Figure 3: Posture recommendation actions within Incident.


The new threat-informed security posture recommendations in Microsoft 365 Defender make it easy for defenders to identify the highest priority security controls that will help them protect their organization from being affected by the same threats and attack techniques repeatedly. It’s a new, automated approach to better understand the direct impact that misconfiguration can have on the environment – and how to fix it.


Learn more







Version history
Last update:
‎Jun 06 2023 09:53 AM
Updated by: