Defender for Cloud and Defender for Threat Intelligence are Better Together (2023)

Organizations today face the continually changing and complicated task of protecting their ever-expanding attack surface from cyber-attacks. The move to the Cloud and remote workspaces has pushed the boundary of their digital ecosystem well beyond their traditional physical network. Data, users, and systems are in multiple locations, creating significant challenges for security operations teams tasked with defending their organizational assets. Information Security personnel need to be equipped with solutions to identify new adversaries and threats like ransomware.

It's now crucial for defenders to have unique visibility across both their organization's attack surface and the threat infrastructure used to target it. In this blog, I will highlight key capabilities in Microsoft Defender for Cloud (MDC) and Microsoft Defender Threat Intelligence (MDTI) that, when used together, enable analysts to quickly understand exposures and equip them with crucial context about threat actors likely to target them.

Microsoft Defender Threat Intelligence can help identify and mitigate modern threats and their infrastructure with dynamic threat intelligence by applying three key capabilities:

  • Identify attackers and their tools.
  • Accelerate detection, incident response, investigations, and remediation.
  • Enhance security tools and workflows.

To watch an overview of MDTI, please review the episode here.

MDC is a cloud-native application protection platform that helps strengthen security posture, enabling protection against modern threats and helping reduce risk throughout the cloud application lifecycle across multi-cloud and hybrid environments. MDC works with security teams to efficiently reduce the risk of an impactful breach to their environment.

During Microsoft Ignite, MDC introduced new capabilities, including the cloud security graph and attack path analysis capabilities that enable analysts to assess the risk behind each security issue and identify and prioritize the highest-risk issues.

What is Cloud Security Explorer?

Cloud Security Explorer provides defenders with the ability to perform proactive exploration. With it, analysts can search for security risks within their organization by running graph-based path-finding queries on top of the contextual security data Defender for Cloud already provides, including cloud misconfigurations, vulnerabilities, resource context, lateral movement possibilities between resources, and more.

Figure: Cloud Security Graph

Threat Intelligence Articles and the Cloud Security Graph

One of the critical features of MDTI is Articles. Articles are written by Microsoft research teams or curated open-source intelligence enriched by Microsoft's unique insight into threat actors, tooling, attacks, and vulnerabilities. MDTI intelligence includes actionable content and critical indicators of compromise to help security professionals act quickly against threats and continuously track threat actors, tooling, attacks, and vulnerabilities as they evolve.

The following image shows an overview of the different Articles created in MDTI with a Tag, which provides insight into an artifact and quickly links incidents and investigations with historical context for improved analysis.

Figure: Article view in Microsoft Defender Threat Intelligence

In this case, we are interested in the Article "DEV-0882 exploits web-facing assets to deploy ransomware" due to aligned Tags for ransomware and CVEs.

After clicking on the article, the analyst can obtain a deeper understanding of the threat actor identified and tap into crucial explanatory information ranging from a summary of the threat, an analysis of the infrastructure it targets, and information for post-compromise and mitigation tactics. In this situation, we can track the threat actor DEV-0882, which is consistent with ransomware campaigns.

Figure: identified related CVEs within Article "DEV-0882 exploits web-facing assets to deploy ransomware"

The article can also contain a detailed analysis of the threat actor and its underlying infrastructure. In this case, we get information on the infrastructure targeted by the threat actor and their post-compromise tactics.

Figure: Analysis information for article "DEV-0882 exploits web-facing assets to deploy ransomware"

Some of the articles will also contain information detailing mitigation tactics that customers can apply to their environment:

Figure: Mitigation procedures described in the Article "DEV-0882 exploits web-facing assets to deploy ransomware"

In this case, we have identified the CVEs related to the article "DEV-0882 exploits web-facing assets to deploy Play ransomware." They are CVE-2022-41080, CVE-2021-34473, CVE-2021-31207, CVE-2021-34523, and CVE-2022-41040. Proactively, a SOC analyst can proceed to the Cloud Security Explorer blade in MDC and run a query searching for virtual machines that each vulnerability could affect. This can be seen in the following approach:

Figure: Using cloud security explorer to search for Vulnerabilities based on CVEs identified in MDTI
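The same proactive hunt can be scripted once the findings are exported. The following is an added example, not code from Microsoft or from the original blog: it pulls CVE IDs out of pasted article text, rejects IDs with an implausible year, and ranks virtual machines by exposure. The finding fields (`vm`, `cve`, `internet_exposed`), the VM names, and the sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Matches CVE identifiers in free text, case-insensitively.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cves(text, max_year=None):
    """Return (valid, rejected) CVE IDs found in text.

    IDs are upper-cased and de-duplicated in order of appearance. An ID whose
    year is before 1999 or after max_year is rejected, which catches
    copy/paste and typing errors before they silently match nothing.
    """
    max_year = max_year or date.today().year
    valid, rejected = [], []
    for match in CVE_RE.finditer(text):
        cve = match.group(0).upper()
        bucket = valid if 1999 <= int(match.group(1)) <= max_year else rejected
        if cve not in bucket:
            bucket.append(cve)
    return valid, rejected


def rank_affected_vms(findings, cves):
    """Return [(vm, internet_exposed, [matching CVEs])] for VMs hit by cves.

    Internet-exposed VMs sort first (the article concerns web-facing assets),
    then VMs with more matching CVEs, then by name for a stable order.
    """
    wanted = set(cves)
    hits = defaultdict(lambda: {"cves": set(), "exposed": False})
    for finding in findings:
        cve = finding["cve"].upper()
        if cve in wanted:
            hit = hits[finding["vm"]]
            hit["cves"].add(cve)
            hit["exposed"] = hit["exposed"] or finding["internet_exposed"]
    ranked = sorted(
        hits.items(),
        key=lambda kv: (not kv[1]["exposed"], -len(kv[1]["cves"]), kv[0]),
    )
    return [(vm, h["exposed"], sorted(h["cves"])) for vm, h in ranked]


# Constructed sample: text as an analyst might paste it from an article,
# with a duplicate, a lower-case ID and one ID whose year is a typo.
ARTICLE_TEXT = (
    "Exploited vulnerabilities: CVE-2022-41080, cve-2021-31207, "
    "CVE-2021-34523, CVE-2022-41040, CVE-2022-41040 and CVE-3031-00001."
)

# Constructed sample: exported vulnerability findings (hypothetical schema).
FINDINGS = [
    {"vm": "vm-exch-01", "cve": "CVE-2022-41040", "internet_exposed": True},
    {"vm": "vm-exch-01", "cve": "CVE-2022-41080", "internet_exposed": True},
    {"vm": "vm-exch-02", "cve": "CVE-2021-34523", "internet_exposed": False},
    {"vm": "vm-exch-02", "cve": "CVE-2021-31207", "internet_exposed": False},
    {"vm": "vm-exch-02", "cve": "cve-2022-41080", "internet_exposed": False},
    {"vm": "vm-db-03", "cve": "CVE-2021-31207", "internet_exposed": True},
    # Placeholder ID standing in for an unrelated finding.
    {"vm": "vm-web-07", "cve": "CVE-0000-0000", "internet_exposed": True},
]

if __name__ == "__main__":
    valid, rejected = extract_cves(ARTICLE_TEXT)
    if rejected:
        print("Check these IDs against the article:", ", ".join(rejected))
    for vm, exposed, cves in rank_affected_vms(FINDINGS, valid):
        label = "internet-exposed" if exposed else "internal"
        print(f"{vm:12} {label:17} {', '.join(cves)}")
```
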

MDTI Enriches Alerts in MDC

As analysts triage alerts generated within MDC (paid plans will need to be enabled for this to occur), they can use MDTI to quickly investigate entities' information to promptly identify the following:

  • If an artifact (IP, domain, or host) exists in any threat intelligence articles.
  • The artifact's reputation: MDTI generates proprietary reputation scores for any Host, Domain, or IP address to help provide quick information about the activity of these entities, such as First and Last-Seen timespans, ASN, country, associated infrastructure, and a list of rules that impact the reputation score (when applicable).
  • Analyst Insights: These insights distill Microsoft's vast data set into a handful of observations that simplify the investigation and make it more approachable to analysts of all levels. Insights are small facts or observations about a domain or IP address and enable Defender TI users to assess the artifact queried and improve a user's ability to determine if an indicator being investigated is malicious, suspicious, or benign.

To get started with the investigation in this scenario, we will begin with the security alerts blade on MDC to identify the alert of interest and the alert's full details.

Figure: Alert generated by Microsoft Defender for Cloud "Suspected brute force attack attempt using a valid user"

Clicking on the 'View full details' option of the alert, an analyst gets more information and can see the severity information, description, and affected resources. They get crucial visibility of the related entities identified and can pivot to MDTI for further investigation.

Figure: Alert view on Microsoft Defender for Cloud, highlighting the entities involved in the alert.

On the MDTI workbench, the analyst can search for the IP address identified in the alert.

Figure: Heading over to MDTI and searching the artifact (IP~

On searching the artifact, MDTI provides information an analyst can use to determine the entity's validity. In this case, we see data that confirms the IP is potentially used for malicious activity. The reputation score indicates suspicious activity.

Figure: Artifacts results capturing reputation scoring, analyst insights, and Articles View

The MDTI workbench also provides the user with the ability to pivot to the data blade, where they can identify a series of datasets categorized into two groups: Traditional (Resolutions, Whois, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services) and Advanced (Trackers, Components, Host Pairs, and Cookies). The primary focus is to collect data about the internet infrastructure to support the investigation process.

Figure: Proceed to the Data tab: Whois information for Suspicious Artifact

In this case, the analyst can determine if the IP used in the suspected brute force attack is synonymous with malicious activity and use it to identify other entities that could serve as investigative leads for incident response and threat hunting.

In summary, there are a variety of scenarios where Microsoft Defender for Threat Intelligence can work hand in hand with MDC. The scenarios above offer proactive and reactive methods for SOC analysts, Threat hunters, and Vulnerability managers to leverage both tools to improve their operations and processes.


We hope you found this blog helpful in understanding the value MDTI can provide. If you have inquiries regarding threat intelligence use cases mentioned or not mentioned in this blog and are not currently working with an MDTI Technical Specialist or Global Black Belt, please email


We would love to hear any ideas you may have to improve our MDTI platform or where our threat intelligence could be used elsewhere across the Microsoft Security ecosystem or other security third-party applications. Feel free to email to share that feedback as well. If you are currently working with an MDTI Technical Specialist or Global Black Belt through this PoC, please communicate your requested use cases and product feedback to them directly.

Learn About New MDTI Features

Please join our Cloud Security Private Community if you're not a member and follow our MDTI Private & Public Preview events in our MS MDTI channel. You will not have access to this Teams channel until you are a Cloud Security Private Community member. Users that would like to help influence the direction/strategy of our MDTI product are encouraged to sign-up for our Private Preview events. Those participating will earn credit towards respective Microsoft product badges delivered by Credly.

Work With Our Sales Team

If you are interested in working with an MDTI Technical Specialist or Global Black Belt, please get in touch with our Sales team by filling out this form.


What is Microsoft Defender Threat Intelligence (Defender TI)? | Microsoft Learn

Microsoft Defender Threat Intelligence Blog - Microsoft Community Hub

Become a Microsoft Defender Threat Intelligence Ninja: The complete level 400 training


Which of the following Microsoft products powers threat intelligence in Microsoft 365? ›

Microsoft 365 Defender

Prevent and detect attacks across your Microsoft 365 workloads with built-in XDR capabilities.

What is Microsoft threat intelligence? ›

Microsoft Defender Threat Intelligence (Defender TI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence.

How many signals does Microsoft analyze everyday to identify emerging threats and protect customers? ›

Our cloud also processes and analyzes more than 43 trillion security signals every single day. This massive amount of intelligence derived from our platform and products gives us unique insights to help protect customers from the inside out.

What is vulnerability intelligence? ›

Like most other types of threat intelligence, vulnerability intelligence can be used to combat security threats by providing key recommendations to security teams on a risk-based approach. This intelligence can be given on a case-by-case basis, or can be part of a broader threat intelligence feed.

What are the 3 types of threat intelligence data? ›

Cyber Threat Intelligence is categorized into three types: Tactical, Operational, and Strategic. CTI uses a third category, tactical, to describe the technical indicators and behaviors used to inform network level action and remediation.

What are three uses of Microsoft Defender for cloud apps? ›

Explore our top use cases
  • Detect and manage suspicious activities.
  • Investigate risky users.
  • Investigate risky OAuth apps.
  • Protect any app in your organization in real time.
  • Block download of sensitive information.
  • Manage cloud platform security.
  • Protect files with admin quarantine.

Can Windows Defender remove threats? ›

The Windows Defender Offline scan will automatically detect and remove or quarantine malware.

What are four types of cyber threat intelligence? ›

There are three kinds of cyber threat intelligence: strategic, tactical and operational. Strategic threat intelligence: This is a high-level assessment of potential threats, identifying who might be interested in attacking the organization or companies in its industry and their motivations.

What are the three key elements of threat intelligence? ›

Three Key Elements that a modern CTI program includes:

Security Orchestration, Automation, and Response (SOAR) ensure security teams detect and respond faster to emerging threats.

What are 4 methods of threat detection? ›

Generally, all threat detection falls into four major categories: Configuration, Modeling, Indicator, and Threat Behavior. There is no best type of threat detection. Each category can support different requirements and approaches depending on the business requirement.

What are 3 examples of threat detection technology how do they work? ›

These include, but are not limited to:
  • Cloud access and security brokers (CASB)
  • Endpoint detection and response.
  • Intrusion detection prevention systems (IDS/IPS)
  • Perimeter and application firewalls.
  • Threat intelligence platforms.

Which type of alert can you manage from the Microsoft 365 Defender? ›

This article describes security alerts in Microsoft 365 Defender. However, you can use activity alerts to send email notifications to yourself or other admins when users perform specific activities in Microsoft 365. For more information, see Create activity alerts - Microsoft Purview | Microsoft Docs.

What is the 4 types of vulnerability? ›

The different types of vulnerability

According to the different types of losses, the vulnerability can be defined as physical vulnerability, economic vulnerability, social vulnerability and environmental vulnerability.

What are the 4 main types of security vulnerability? ›

Security Vulnerability Types
  • Network Vulnerabilities. These are issues with a network's hardware or software that expose it to possible intrusion by an outside party. ...
  • Operating System Vulnerabilities. ...
  • Human Vulnerabilities. ...
  • Process Vulnerabilities.

What is threat intelligence in simple words? ›

Threat Intelligence is evidence-based information about cyber attacks that cyber security experts organize and analyze. This information may include: Mechanisms of an attack.

What is the best threat model? ›

Top threat modeling frameworks: STRIDE, OWASP Top 10, MITRE ATT&CK framework and more
  • STRIDE is a high-level threat model focused on identifying overall categories of attacks. ...
  • The tools described here are only a subset of the threat modeling frameworks available. ...
  • No “one size fits all” threat modeling framework exists.

What are the top 5 internal data security threats? ›

Common methods include ransomware, phishing attacks, and hacking. Internal threats originate within the organization itself and usually are carried out by a current and former employee, a contractor, a business associate, etc. Insider attacks can be malicious or inadvertent.

What are two methods that detect threats? ›

Here are four popular threat detection methods and how they work.
  • Threat intelligence. ...
  • User and attacker behavior analytics. ...
  • Intruder traps. ...
  • Threat hunting. ...
  • Security event detection technology. ...
  • Network threat technology. ...
  • Endpoint threat technology. ...
  • Security data lake implementation.

What is the difference between Defender for Cloud and Defender for endpoint? ›

Microsoft Defender for Endpoint and Microsoft Defender for Cloud are two entirely different products: the former is dedicated to endpoint protection and the latter is for Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) scenarios; however, by integrating Security Center with ...

Why would you use Microsoft Defender for Cloud? ›

Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection solution that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and helps protect workloads across multicloud and hybrid environments from evolving ...

Does Defender for Cloud include Defender for endpoint? ›

Defender for Cloud contains two plans which enable both Defender for Endpoint Plan 2. In Defender for Cloud there is a Defender for Servers Plan 1 and Plan 2 available. Plan 2 enables more benefits and additional enhanced security features.

Can Windows Defender detect all malware? ›

Microsoft Defender Antivirus is a built-in malware scanner for Microsoft Windows 10. As part of the Windows Security suite, it will search for any files or programs on your computer that can cause harm to it. Defender looks for software threats like viruses and other malware across email, apps, the cloud, and the web.

Can Windows Defender stop hackers? ›

Windows Defender has shown some vulnerabilities with malware. No antivirus software can guarantee you 100% security protection, but you can get affordable products that help keep your device safe. Solid antivirus software is an investment in your data privacy.

Can malware hide from Windows Defender? ›

It is called Windows Defender. But sometimes, malware can outsmart Windows Defender by hiding within Windows while the operating system is running. To remove the more clever and devious malware, like rootkits, out in the wild you may have to run Windows Defender in offline mode.

What are the 5 best methods used for cyber security? ›

10 steps to an effective approach to cyber security
  • Risk management regime. ...
  • Secure configuration. ...
  • Network security. ...
  • Managing user privileges. ...
  • User education and awareness. ...
  • Incident management. ...
  • Malware prevention. ...
  • Monitoring.

What are the three 3 categories of threats to security? ›

In particular, these three common network security threats are perhaps the most dangerous to enterprises:
  • malware.
  • advanced persistent threats.
  • distributed denial-of-service attacks.

What are the 3 cyber security domains? ›

The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security.

How many types of threat intelligence are there? ›

Based on how threat intelligence is consumed, it is divided into four types: strategic threat intelligence, tactical threat intelligence, operational threat intelligence, and technical threat intelligence.

What are the levels of threat intelligence? ›

Threat intelligence falls into 4 categories within the framework of applicable information: Strategic, Tactical, Operational, and Technical. For these 4 types of intelligence, data collection, analysis, and consumption of intelligence differ.

What is the threat intelligence cycle? ›

The threat intelligence lifecycle is the entire process of gaining evidence-based intelligence about potential cyber threats, using that information to build defenses against them, responding proactively, and investigating successful attacks to learn from the outcome and improve intelligence.

What are the three main detection types? ›

The 3 Intrusion Detection Systems (IDS) Types (+ 2 Intrusion Detection Methods)
  • Network Intrusion Detection System (NIDS)
  • Network Node Intrusion Detection System (NNIDS)
  • Host Intrusion Detection System (HIDS)

What are the 3 strategies for security management? ›

Three common types of security management strategies include information, network, and cyber security management.
  • #1. Information Security Management. ...
  • #2. Network Security Management. ...
  • #3. Cybersecurity Management.

What are the 6 steps of threat modeling? ›

The steps of a PASTA threat model are:
  • Define business objectives.
  • Define the technical scope of assets and components.
  • Application decomposition and identify application controls.
  • Threat analysis based on threat intelligence.
  • Vulnerability detection.
  • Attack enumeration and modeling.

What are the 3 main security tools are used to protect your computer from threats? ›

Antivirus software, antispyware software, and firewalls are also important tools to thwart attacks on your device.

What is threat detection in cloud computing? ›

Threat detection is the practice of analyzing the entirety of a security ecosystem to identify any malicious activity that could compromise the network.

What are the two versions of Microsoft Defender for Office 365 called? ›

Microsoft Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium. Microsoft Defender for Office 365 Plan 1 and Defender for Office 365 Plan 2 are each available as an add-on for certain subscriptions.

What are two capabilities of Microsoft Defender for Endpoint? ›

Defender for Endpoint capabilities
  • Eliminate the blind spots in your environment.
  • Discover vulnerabilities and misconfigurations in real time.
  • Quickly go from alert to remediation at scale with automation.
  • Block sophisticated threats and malware.

Is Microsoft 365 Defender an EDR? ›

Microsoft Defender for Endpoint is more than just an EDR; it's a complete solution. Microsoft Defender for Endpoint (MDE) includes EDR and AV in the same product, which improves threat detection effectiveness for human-operated attacks and insider threats as well.

Which is the top most common vulnerability? ›

OWASP Top 10 Vulnerabilities
  1. Injection. Injection occurs when an attacker exploits insecure code to insert (or inject) their own code into a program. ...
  2. Broken Authentication. ...
  3. Sensitive Data Exposure. ...
  4. XML External Entities. ...
  5. Broken Access Control. ...
  6. Security Misconfiguration. ...
  7. Cross-Site Scripting. ...
  8. Insecure Deserialization.

What are the 6 types of vulnerability? ›

In a list that is intended to be exhaustively applicable to research subjects, six discrete types of vulnerability will be distinguished—cognitive, juridic, deferential, medical, allocational, and infrastructural.

What are the 5 types of security? ›

Cybersecurity can be categorized into five distinct types:
  • Critical infrastructure security.
  • Application security.
  • Network security.
  • Cloud security.
  • Internet of Things (IoT) security.

Who can benefit from threat intelligence? ›

Threat intelligence benefits organizations of all shapes and sizes by helping process threat data to better understand their attackers, respond faster to incidents, and proactively get ahead of a threat actor's next move. For SMBs, this data helps them achieve a level of protection that would otherwise be out of reach.

What is the primary benefit of using threat intelligence? ›

The information is analyzed, refined and organized and then used to minimize and mitigate cybersecurity risks. The main purpose of threat intelligence is to show organizations the various risks they face from external threats, such as zero-day threats and advanced persistent threats (APTs).

What is CrowdStrike threat intelligence? ›

Cyber threat intelligence

CrowdStrike Falcon® Intelligence Premium enables security teams to become intelligence-led by exposing the adversaries and evolving tradecraft targeting your business.

Which of the following is a Microsoft 365 threat protection tool? ›

Microsoft Defender for Office 365.

Which three of the following products are supported by Office 365 advanced threat protection? ›

Compatible plans that support ATP include Exchange Online Plan 1, Exchange Online Plan 2, Exchange Online Kiosk, Exchange Online Protection, Office 365 Business Essentials, Office 365 Business Premium, Office 365 Enterprise E1, Office 365 Enterprise E3, Office 365 Enterprise E4, Office 365 Enterprise K1, Office 365 ...

What is Microsoft 365 Advanced Threat protection? ›

Microsoft Defender for Office 365 is a cloud-based email filtering service that helps protect your organization against advanced threats to email and collaboration tools, like phishing, business email compromise, and malware attacks.

What are the 4 pillars of Microsoft 365 integrated security? ›

Our security philosophy is built on four pillars: identity and access management, threat protection, information protection, and security management.

What is difference between XDR and EDR? ›

Some of the primary differences between EDR and XDR include: Focus: EDR is focused on protecting the endpoint, providing in-depth visibility and threat prevention for a particular device. XDR takes a wider view, integrating security across endpoints, cloud computing, email, and other solutions.

What does Microsoft Defender for cloud do? ›

Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection solution that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and helps protect workloads across multicloud and hybrid environments from evolving ...

What are three main solutions areas for advanced threat? ›

The three main solutions for advanced threats are Network Analytics, Intrusion Analytics, and Threat Analytics.

What is the new name for advanced threat protection? ›

Microsoft Defender Advanced Threat Protection is now Microsoft Defender for Endpoint. Office 365 Advanced Threat Protection is now Microsoft Defender for Office 365.

Is Advanced threat protection the same as defender? ›

Windows Defender Advanced Threat Protection (ATP) is a Microsoft security product that is designed to help enterprise-class organizations detect and respond to security threats. ATP is a preventative and post-detection, investigative response feature to Windows Defender.

What are the 7 layers of IT security? ›

The Seven Layers Of Cybersecurity
  • Mission-Critical Assets. This is data that is absolutely critical to protect. ...
  • Data Security. ...
  • Endpoint Security. ...
  • Application Security. ...
  • Network Security. ...
  • Perimeter Security. ...
  • The Human Layer.

What are the 5 layers of security? ›

The 5 Layers Of Cyber Security
  • Firewalls.
  • Secure Configuration.
  • User Access Control.
  • Malware Protection.
  • Patch Management.

What are the 5 basic security principles? ›

The U.S. Department of Defense has promulgated the Five Pillars of Information Assurance model that includes the protection of confidentiality, integrity, availability, authenticity, and non-repudiation of user data.


Article information

Author: Stevie Stamm

Last Updated: 03/18/2023
