Introduction

Cybersecurity breaches are a huge expenditure in today's internet-based world. As such, it's important that organizations invest in prevention rather than just recovery from a security breach. It's often expensive for organizations to recover from a typical cybersecurity breach. The reason is that most organizations rarely spend much money on preparing for attacks. Rather, they spend the bulk of their money on remediation costs after the attack has occurred. These costs typically stem from litigation, brand damage, and even loss of business.

One of the defining aspects of today's cyberthreat landscape is its scale. The reach of cyberthreat tentacles is widespread throughout most organizations. This reach makes it hard to absorb the extensive and incessant pool of information. It also makes it difficult to understand which information is most relevant among the noise.

Microsoft 365 hosts one of the largest networks in the world. It also manages content created on millions of devices. In doing so, Microsoft built a vast repository of threat intelligence data. It also built the systems needed to spot patterns that correspond to attack behaviors and suspicious activity.

Microsoft 365 Threat Intelligence is a collection of these insights, which can help you proactively find and eliminate threats.

Note

Microsoft 365 Threat Intelligence is available with Microsoft 365 Enterprise E5. If an organization uses another Microsoft 365 Enterprise subscription, it can purchase Threat Intelligence as an add-on.

So, what exactly is threat intelligence? Gartner's definition reads as follows: "Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can inform decisions about the subject's response to that menace or hazard."

In this module, you learn about the Microsoft Intelligent Security Graph. This feature powers threat intelligence in Microsoft 365. It does so by consuming trillions of signals daily across the Microsoft 365 network. These signals come from sources such as user activity, authentication, email, compromised PCs, and security incidents.

Next, you examine how Microsoft Defender XDR uses alerts. Alerts indicate the occurrence of malicious or suspicious events in your environment. They're typically part of a broader attack and provide clues about an incident.

The module then examines how alerts are the trigger mechanism for Automated investigation and response (AIR) capabilities in Microsoft Defender XDR. AIR enables organizations to run automated investigation processes in response to well-known threats that exist today. AIR can help an organization's security operations team operate more efficiently and effectively.

The module concludes with an introduction to threat hunting. It examines Microsoft Threat Protection and advanced hunting in Microsoft Defender XDR. Threat hunting enables security operators to identify cybersecurity threats. Advanced hunting in Microsoft Defender XDR proactively inspects events in your network using Kusto-based queries to locate threat indicators and entities.
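As an added illustration (not part of this module), the following Kusto query pivots from recent Defender XDR alerts to the devices they reference and then looks for script hosts launched by Office applications on those devices. The table and column names are from the Defender XDR advanced hunting schema; the process names are an assumed hunting hypothesis and the 7-day window is an arbitrary choice.

```kql
// Added example, not from the module: pivot from alerts to the devices they
// involve, then hunt those devices for Office apps spawning script hosts.
let lookback = 7d;                       // assumed hunting window
let flaggedDevices = AlertInfo
    | where Timestamp > ago(lookback)
    | where Severity in ("High", "Medium")
    | join kind=inner (
        AlertEvidence
        | where EntityType == "Machine"  // keep only device entities
        | project AlertId, DeviceId, DeviceName
      ) on AlertId
    | distinct AlertId, Title, Severity, DeviceId, DeviceName;
flaggedDevices
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    // Hypothesis: Office parent launching a script/shell host is suspicious
    | where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe")
    | where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe")
    | project Timestamp, DeviceId, FileName, ProcessCommandLine,
              InitiatingProcessFileName, AccountName
  ) on DeviceId
| summarize Events = count(),
            LastSeen = max(Timestamp),
            SampleCommandLine = take_any(ProcessCommandLine)
            by AlertId, Title, Severity, DeviceName, FileName, InitiatingProcessFileName
| order by Severity asc, Events desc
```

Run it in the Defender portal's Advanced hunting page; each row ties an existing alert to a device on which the hypothesized parent/child pattern occurred, so an analyst can decide whether the alert is part of a broader incident.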