Microsoft Announces New Threat Intelligence Solutions


Microsoft today announced two new security products – Microsoft Defender Threat Intelligence and Microsoft Defender External Attack Surface Management – to provide organizations with a deeper context into threat actor activity and help them lock down their infrastructure and reduce their overall attack surface.

Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity, and Management at Microsoft, said: “Today, any device connected to the internet is susceptible to vulnerabilities. For organizations, the key to building resilience is understanding the gaps that can lead to these vulnerabilities. We recognize the importance of working together as a security community to help protect the planet from threats. These new threat intelligence offerings expand our growing security portfolio, offer deeper insights into threat actors and their behaviors, and help security teams accelerate identification and prioritization of risks.”

The threat landscape is more sophisticated than ever, and damages have soared. The Federal Bureau of Investigation’s 2021 IC3 report found that the cost of cybercrime now totals more USD6.9 billion. To counter these threats, Microsoft is continuously aggregating signal and threat intelligence across the digital estate to track threat actors much more closely and to better understand their behavior over time. Microsoft currently tracks 35 ransomware families, and more than 250 unique nation-states, cybercriminals, and other threat actors. Its cloud also processes and analyzes more than 43 trillion security signals every single day.

This massive amount of intelligence that Microsoft derives from its platform and products, as well as its acquisition of RiskIQ in 2021, have allowed it to provide customers with unique visibility into threat actor activity, behavior patterns, and targeting. Customers can also map their digital environment and infrastructure to view their organization as an attacker would, and this outside-in view delivers even deeper insights to help organizations predict malicious activity and secure unmanaged resources.


Microsoft Defender Threat Intelligence maps the internet every day, providing security teams with the necessary information to understand adversaries and their attack techniques. Customers can now access a library of raw threat intelligence detailing adversaries by name, correlating their tools, tactics, and procedures, and can see active updates within the portal as new information is distilled from Microsoft’s security signals and experts. This allows organizations to lift the veil on attackers and threat family behavior, helping security teams find, remove, and block hidden adversary tools within their organization.

This depth of threat intelligence is created from the security research teams formerly at RiskIQ with Microsoft’s nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender security research teams. The volume, scale and depth of intelligence is designed to empower security operations centers to understand the specific threats their organization faces and to harden their security posture accordingly. This intelligence also enhances the detection capabilities of Microsoft Sentinel and the family of Microsoft Defender products.

Fig 1: Microsoft Defender Threat Intelligence home screen featuring adversary articles for users to read.


Many businesses have internet-facing assets—often created by shadow IT, mergers and acquisitions, incomplete cataloguing, business partners’ exposure, or rapid business growth—that they may not be aware of or have forgotten about. For organizations to eliminate gaps and strengthen their security posture to help reduce the potential for an attack, they need to see their business the way an attacker can.

Microsoft Defender External Attack Surface Management scans the internet and its connections every day, and this builds a complete catalogue of an organization’s environment, discovering internet-facing resources that includes even the agentless and unmanaged assets. Continuous monitoring, without the need for agents or credentials, prioritizes new vulnerabilities. This complete view of the organization allows businesses to take recommended steps to mitigate risk and bring these unknown resources, endpoints, and 3

Fig 2: Microsoft Defender External Attack Surface Management summary page featuring Attack Surface Summary and Attack Surface Priorities.

Microsoft has also announced a new Microsoft Sentinel solution for SAP, which allows security teams to monitor, detect, and respond to SAP alerts, such as privilege escalation and suspicious downloads, all from its cloud-native SIEM.

Given how business-specific risks can be unique and complicated, this new innovative solution will allow organizations to build custom detections for the threats they face to reduce the risk of catastrophic interruption.