|
1 | | -Threat analytics is a threat intelligence solution from expert Microsoft security researchers. It's designed to assist security teams to be as efficient as possible while facing emerging threats, such as: |
| 1 | +Threat intelligence analysts often need to gather data from multiple feeds and tools before they can create a useful briefing. The (embedded) Security Copilot Threat Intelligence Briefing Agent in Microsoft Defender helps reduce that effort by generating a briefing in minutes based on recent threat actor activity and your organization's vulnerability context. |
2 | 2 |
|
3 | | -- Active threat actors and their campaigns |
4 | | -- Popular and new attack techniques |
5 | | -- Critical vulnerabilities |
6 | | -- Common attack surfaces |
7 | | -- Prevalent malware |
| 3 | +The briefing is designed to support CISOs, security managers, and analysts with prioritized, actionable intelligence. As the agent builds the briefing, it dynamically decides what to analyze next based on previous results. |
8 | 4 |
|
9 | | -You can access threat analytics either from the upper left-hand side of Microsoft Defender security portal's navigation menu by expanding *Threat intelligence*, or from a dedicated *Threat analytics* dashboard card that shows the threats to your org, both in terms of impact, and in terms of exposure. |
| 5 | +Watch this video to see the Threat Intelligence Briefing Agent in action. |
10 | 6 |
|
11 | | -:::image type="content" source="../media/ta-dashboard-mtp.png" alt-text="Screenshot of the Threat analytics dashboard."::: |
| 7 | +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=07ffea67-4ebf-4f13-9a7e-dcc49bcaac93] |
12 | 8 |
|
13 | | -High impact threats have the greatest potential to cause harm, while high exposure threats are the ones that your assets are most vulnerable to. Getting visibility on active or ongoing campaigns and knowing what to do through threat analytics can help equip your security operations team with informed decisions. |
| 9 | +### Find the Threat Intelligence Briefing Agent in Threat analytics |
| 10 | +In Microsoft Defender, open **Threat intelligence** > **Threat analytics**. The Threat Intelligence Briefing Agent appears as a banner at the top of the *Threat Analytics* dashboard page. |
14 | 11 |
|
15 | | -With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly: |
| 12 | +:::image type="content" source="../media/agent.png" alt-text="Screenshot of the Threat Intelligence Briefing Agent banner on top of the Threat Analytics dashboard page." lightbox="../media/agent.png"::: |
16 | 13 |
|
17 | | -- Identify and react to emerging threats |
18 | | -- Learn if you're currently under attack |
19 | | -- Assess the impact of the threat to your assets |
20 | | -- Review your resilience against or exposure to the threats |
21 | | -- Identify the mitigation, recovery, or prevention actions you can take to stop or contain the threats |
| 14 | +### Prerequisites for using the agent |
| 15 | +Before you use the agent, make sure these requirements are in place: |
22 | 16 |
|
23 | | -Each report provides an analysis of a tracked threat and extensive guidance on how to defend against that threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable protections in place. |
| 17 | +- Microsoft Security Copilot is available in your environment. |
| 18 | +- Required Security Copilot plugins: |
| 19 | + - Microsoft Threat Intelligence |
| 20 | + - Microsoft Threat Intelligence agents |
| 21 | +- Optional plugin: |
| 22 | + - Microsoft Defender External Attack Surface Management |
| 23 | +- The connected user account or agent identity has appropriate permissions, including: |
| 24 | + - Access to Defender Vulnerability Management data |
| 25 | + - Security Reader access to Threat analytics and results |
| 26 | + - Security Admin access for onboarding and configuration |
24 | 27 |
|
25 | | -### View the threat analytics dashboard |
26 | | -The threat analytics dashboard highlights the reports that are most relevant to your organization. It summarizes the threats in the following sections: |
| 28 | +### Run and review briefings |
| 29 | +After prerequisites are complete, use the agent banner to run an up-to-date briefing or open the full briefing panel. |
27 | 30 |
|
28 | | -- Latest threats—lists the most recently published or updated threat reports, along with the number of active and resolved alerts. |
29 | | -- High-impact threats—lists the threats that have the highest impact to your organization. This section lists threats with the highest number of active and resolved alerts first. |
30 | | -- Highest exposure—lists threats with the highest exposure levels first. the exposure level of a threat is calculated using two pieces of information: how severe the vulnerabilities associated with the threat are, and how many devices in your organization could be exploited by those vulnerabilities. |
| 31 | +:::image type="content" source="../media/run-agent.png" alt-text="Screenshot of the Threat Intelligence Briefing Agent banner with the View full brief and Run agent buttons highlighted." lightbox="../media/run-agent.png"::: |
31 | 32 |
|
| 33 | +The full briefing panel summarizes threats, vulnerable exposures, and potential business impact. You can copy the briefing or download it as markdown for sharing. |
32 | 34 |
|
33 | | -Selecting a threat from the dashboard views the report for that threat. |
| 35 | +:::image type="content" source="../media/full-brief.png" alt-text="Screenshot of the Threat Intelligence Briefing Agent side panel in Threat analytics with download and copy controls." lightbox="../media/full-brief.png"::: |
34 | 36 |
|
35 | | -View a threat analytics report. Each threat analytics report provides information in several sections: |
| 37 | +### Manage agent settings |
| 38 | +Select **Manage agent** to review or update agent settings, such as schedule behavior and briefing preferences. |
36 | 39 |
|
37 | | -- Overview |
38 | | -- Analyst report |
39 | | -- Related incidents |
40 | | -- Impacted assets |
41 | | -- Prevented email attempts |
42 | | -- Exposure & mitigations |
| 40 | +:::image type="content" source="../media/manage-agent.png" alt-text="Screenshot of the Threat Intelligence Briefing Agent side panel with the Manage agent button highlighted." lightbox="../media/manage-agent.png"::: |
43 | 41 |
|
| 42 | +You can also open settings from **System** > **Settings** > **Microsoft Defender XDR** > **Threat Intelligence Briefing Agent**. |
44 | 43 |
|
45 | | -### Overview: Quickly understand the threat, assess its impact, and review defenses |
46 | | -The Overview section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization, and your exposure through misconfigured and unpatched devices. |
| 44 | +:::image type="content" source="../media/settings.png" alt-text="Screenshot of the Threat Intelligence Briefing Agent settings page in the Defender portal." lightbox="../media/settings.png"::: |
47 | 45 |
|
| 46 | +### Assess output and provide feedback |
| 47 | +Generated briefings are saved in Security Copilot under **Activity**, where you can inspect run status and review previous reports. |
48 | 48 |
|
| 49 | +:::image type="content" source="../media/agent-activity.png" alt-text="Screenshot of the Threat Intelligence Briefing Agent activity page in the Security Copilot standalone portal." lightbox="../media/agent-activity.png"::: |
49 | 50 |
|
50 | | -### Assess impact on your organization |
51 | | -Each report includes charts designed to provide information about the organizational impact of a threat: |
| 51 | +To evaluate agent reasoning and workflow transparency, open a generated report and select **View activity**. |
52 | 52 |
|
53 | | -- Related incidents—provides an overview of the impact of the tracked threat to your organization with the number of active alerts and the number of active incidents they're associated with and severity of active incidents |
54 | | -- Alerts over time—shows the number of related Active and Resolved alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days. |
55 | | -- Impacted assets—shows the number of distinct devices and email accounts (mailboxes) that currently have at least one active alert associated with the tracked threat. Alerts are triggered for mailboxes that received threat emails. Review both org- and user-level policies for overrides that cause the delivery of threat emails. |
56 | | -- Prevented email attempts—shows the number of emails from the past seven days that were either blocked before delivery or delivered to the junk mail folder. |
| 53 | +:::image type="content" source="../media/view-agent-activity.png" alt-text="Screenshot of a Threat Intelligence Briefing Agent report with View activity highlighted." lightbox="../media/view-agent-activity.png"::: |
57 | 54 |
|
58 | | -### Review security resilience and posture |
59 | | -Each report includes charts that provide an overview of how resilient your organization is against a given threat: |
60 | | - |
61 | | -- Secure configuration status—shows the number of devices with misconfigured security settings. Apply the recommended security settings to help mitigate the threat. Devices are considered Secure if they've applied all the tracked settings. |
62 | | -- Vulnerability patching status—shows the number of vulnerable devices. Apply security updates or patches to address vulnerabilities exploited by the threat. |
63 | | - |
64 | | - |
65 | | -### View reports per threat tags |
66 | | -You can filter the threat report list and view the most relevant reports according to a specific threat tag (category) or a report type. |
67 | | - |
68 | | -- Threat tags—assist you in viewing the most relevant reports according to a specific threat category. For example, all reports related to ransomware. |
69 | | -- Report types—assist you in viewing the most relevant reports according to a specific report type. For example, all reports that cover tools and techniques. |
70 | | -- Filters—assist you in efficiently reviewing the threat report list and filtering the view based on a specific threat tag or report type. For example, review all threat reports related to ransomware category, or threat reports that cover vulnerabilities. |
71 | | - |
72 | | - |
73 | | -### How does it work? |
74 | | -The Microsoft Threat Intelligence team has added threat tags to each threat report: |
75 | | - |
76 | | -Four threat tags are now available: |
77 | | - |
78 | | -- Ransomware |
79 | | -- Phishing |
80 | | -- Vulnerability |
81 | | -- Activity group |
82 | | - |
83 | | -Threat tags are presented at the top of the threat analytics page. There are counters for the number of available reports under each tag. |
84 | | - |
85 | | - |
86 | | -### Analyst report: Get expert insight from Microsoft security researchers |
87 | | -In the Analyst report section, read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful threat hunting guidance. |
88 | | - |
89 | | - |
90 | | -### Related incidents: View and manage related incidents |
91 | | -The Related incidents tab provides the list of all incidents related to the tracked threat. You can assign incidents or manage alerts linked to each incident. |
92 | | - |
93 | | -### Impacted assets: Get list of impacted devices and mailboxes |
94 | | -An asset is considered impacted if it's affected by an active, unresolved alert. The Impacted assets tab lists the following types of impacted assets: |
95 | | - |
96 | | -- Impacted devices—endpoints that have unresolved Microsoft Defender for Endpoint alerts. These alerts typically fire on sightings of known threat indicators and activities. |
97 | | - |
98 | | -- Impacted mailboxes—mailboxes that have received email messages that have triggered Microsoft Defender for Office 365 alerts. While most messages that trigger alerts are typically blocked, user- or org-level policies can override filters. |
99 | | - |
100 | | - |
101 | | -### Prevented email attempts: View blocked or junked threat emails |
102 | | -Microsoft Defender for Office 365 typically blocks emails with known threat indicators, including malicious links or attachments. In some cases, proactive filtering mechanisms that check for suspicious content will instead send threat emails to the junk mail folder. In either case, the chances of the threat launching malware code on the device is reduced. |
103 | | - |
104 | | -The Prevented email attempts tab lists all the emails that have either been blocked before delivery or sent to the junk mail folder by Microsoft Defender for Office. |
105 | | - |
106 | | -### Exposure and mitigations: Review list of mitigations and the status of your devices |
107 | | -In the Exposure & mitigations section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes: |
108 | | - |
109 | | -- Security updates—deployment of supported software security updates for vulnerabilities found on onboarded devices |
110 | | -- Supported security configurations |
111 | | - - Cloud-delivered protection |
112 | | - - Potentially unwanted application (PUA) protection |
113 | | - - Real-time protection |
114 | | - |
115 | | -Mitigation information in this section incorporates data from threat and vulnerability management, which also provides detailed drill-down information from various links in the report. |
116 | | - |
117 | | -### Set up email notifications for report updates |
118 | | -You can set up email notifications that send you updates on threat analytics reports. |
119 | | - |
120 | | -To set up email notifications for threat analytics reports, perform the following steps: |
121 | | - |
122 | | -1. Select Settings in the Microsoft Defender XDR sidebar. Select Microsoft Defender XDR from the list of settings. |
123 | | - |
124 | | -2. Choose Email notifications > Threat analytics, and select the button, + Create a notification rule. A flyout appears. |
125 | | - |
126 | | -3. Follow the steps listed in the flyout. First, give your new rule a name. The description field is optional, but a name is required. You can toggle the rule on or off using the checkbox under the description field. |
127 | | - |
128 | | - > [!NOTE] |
129 | | - > The name and description fields for a new notification rule only accept English letters and numbers. They don't accept spaces, dashes, underscores, or any other punctuation. |
130 | | -
|
131 | | - |
132 | | -4. Choose which kind of reports you want to be notified about. You can choose between being updated about all newly published or updated reports, or only those reports that have a certain tag or type. |
133 | | - |
134 | | -5. Add at least one recipient to receive the notification emails. You can also use this screen to check how the notifications will be received, by sending a test email. |
135 | | -<!-- missing Screenshot of the recipients screen. There are three recipients listed, and a test email has been sent, as indicated by a green checkmark --> |
136 | | - |
137 | | -6. Review your new rule. If there's anything you would like to change, select the Edit button at the end of each subsection. Once your review is complete, select the Create rule button. |
138 | | - |
139 | | -Your new rule has been successfully created. Select the Done button to complete the process and close the flyout. Your new rule will now appear in the list of Threat analytics email notifications. |
| 55 | +Use **thumbs up** or **thumbs down** in the briefing panel to provide feedback and help improve future agent output. |
140 | 56 |
|
0 commit comments