Track and respond to emerging threats through threat analytics

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly:

  • Assess the impact of new threats
  • Review your resilience against or exposure to the threats
  • Identify the actions you can take to stop or contain the threats

Threat analytics is a set of reports from expert Microsoft security researchers covering the most relevant threats, including:

  • Active threat actors and their campaigns
  • Popular and new attack techniques
  • Critical vulnerabilities
  • Common attack surfaces
  • Prevalent malware

Each report provides a detailed analysis of a threat and extensive guidance on how to defend against that threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable protections in place.

Watch this short video to learn more about how threat analytics can help you track the latest threats and stop them.

Required roles and permissions

The following table outlines the roles and permissions required to access Threat Analytics. Roles defined in the table below refer to custom roles in individual portals and are not connected to global roles in Microsoft Entra ID, even if similarly named.

One of the following roles are required for Microsoft Defender XDR One of the following roles are required for Defender for Endpoint One of the following roles are required for Defender for Office 365 One of the following roles are required for Defender for Cloud Apps
Threat Analytics Alerts and incidents data:
  • View data- security operations
Defender Vulnerability Management mitigations:
  • View data - Threat and vulnerability management
Alerts and incidents data:
  • View-only manage alerts
  • Manage alerts
  • Organization configuration
  • Audit logs
  • View-only audit logs
  • Security reader
  • Security admin
  • View-only recipients
Prevented email attempts:
  • Security reader
  • Security admin
  • View-only recipients
Not available for Defender for Cloud Apps or MDI users

View the threat analytics dashboard

The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It summarizes the threats in the following sections:

  • Latest threats: Lists the most recently published threat reports, along with the number of devices with active and resolved alerts.
  • High-impact threats: Lists the threats that have had the highest impact to the organization. This section ranks threats by the number of devices that have active alerts.
  • Threat summary: Shows the overall impact of tracked threats by showing the number of threats with active and resolved alerts.

Select a threat from the dashboard to view the report for that threat.

The threat analytics dashboard

View a threat analytics report

Each threat analytics report provides information in three sections: Overview, Analyst report, and Mitigations.

Overview: Quickly understand the threat, assess its impact, and review defenses

The Overview section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices.

The Overview section of a threat analytics report Overview section of a threat analytics report

Assess the impact to your organization

Each report includes charts designed to provide information about the organizational impact of a threat:

  • Devices with alerts: Shows the current number of distinct devices that have been impacted by the threat. A device is categorized as Active if there is at least one alert associated with that threat and Resolved if all alerts associated with the threat on the device have been resolved.
  • Devices with alerts over time: Shows the number of distinct devices with Active and Resolved alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.

Review security resilience and posture

Each report includes charts that provide an overview of how resilient your organization is against a given threat:

  • Security configuration status: Shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered Secure if they have applied all the tracked settings.
  • Vulnerability patching status: Shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat.

Analyst report: Get expert insight from Microsoft security researchers

Go to the Analyst report section to read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful threat hunting guidance.

Learn more about the analyst report

Mitigations: Review list of mitigations and the status of your devices

In the Mitigations section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes:

  • Security updates: Deployment of security updates or patches for vulnerabilities
  • Microsoft Defender Antivirus settings
    • Security intelligence version
    • Cloud-delivered protection
    • Potentially unwanted application (PUA) protection
    • Real-time protection

Mitigation information in this section incorporates data from Microsoft Defender Vulnerability Management, which also provides detailed drill-down information from various links in the report.

The Mitigations section of a threat analytics report

Mitigations section of a threat analytics report

Additional report details and limitations

When using the reports, keep the following in mind:

  • Data is scoped based on your role-based access control (RBAC) scope. You will see the status of devices in groups that you can access.
  • Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not shown in the charts.
  • Mitigations don't guarantee complete resilience. The provided mitigations reflect the best possible actions needed to improve resiliency.
  • Devices are counted as "unavailable" if they have not transmitted data to the service.
  • Antivirus-related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed".


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.