You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-xdr/threat-analytics.md
+10-8Lines changed: 10 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -20,7 +20,7 @@ ms.custom:
20
20
- cx-ta
21
21
- seo-marvel-apr2020
22
22
search.appverid: met150
23
-
ms.date: 11/03/2025
23
+
ms.date: 11/24/2025
24
24
---
25
25
26
26
# Threat analytics in Microsoft Defender
@@ -62,6 +62,8 @@ To access Threat analytics in the Defender portal, you need a license for at lea
62
62
63
63
>[!NOTE]
64
64
> The Microsoft Defender for Endpoint P1 license is an exception to this prerequisite and doesn't grant Threat analytics access.
65
+
>
66
+
> Microsoft Sentinel SIEM customers have access to certain Threat analytics sections or tabs only. [Learn more](/azure/sentinel/threat-analytics-sentinel)
65
67
66
68
The following roles and permissions are also required to access Threat analytics:
67
69
-**Security data basics (read)**—to view threat analytics report, related incidents and alerts, and impacted assets
@@ -137,7 +139,7 @@ The **Overview** section provides a preview of the detailed analyst report. It a
137
139
Each report includes the following details about a threat, whenever applicable or available, providing you a quick glance of what the threat is and how it might impact your organization:
138
140
-**Aliases**—lists the publicly disclosed names given by other security vendors to the threat
139
141
-**Origin**—shows the country or region the threat originated from
140
-
-**Related intelligence**—lists other threat analytics reports that relevant or are related to the threat
142
+
-**Related intelligence**—lists other threat analytics reports that are relevant or related to the threat
141
143
-**Targets**—lists the countries or regions and industries targeted by the threat
142
144
-**MITRE attack techniques**—lists the threat’s observed tactics, techniques, and procedures (TTPs) according to the [MITRE ATT&CK framework](https://attack.mitre.org/)
143
145
@@ -148,8 +150,8 @@ Each report includes charts designed to provide information about the organizati
148
150
-**Related incidents**—provides an overview of the impact of the tracked threat to your organization with the following data:
149
151
- Number of active alerts and the number of active incidents they're associated with
150
152
- Severity of active incidents
151
-
-**Alerts over time**—shows the number of related **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
152
-
-**Impacted assets**—shows the number of distinct assets that currently have at least one active alert associated with the tracked threat. Alerts are triggered for mailboxes that received threat emails. Review both org- and user-level policies for overrides that cause the delivery of threat emails.
153
+
-**Alerts over time**—shows the number of related **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should show alerts resolved within a few days.
154
+
-**Impacted assets**—shows the number of distinct assets that currently have at least one active alert associated with the tracked threat. Alerts are triggered for mailboxes that receive threat emails. Review both org- and user-level policies for overrides that cause the delivery of threat emails.
153
155
154
156
#### Review security resilience and posture
155
157
@@ -221,7 +223,7 @@ Threat analytics leverages and integrates various Microsoft Defender and [Micros
221
223
222
224
### Set up the Threat Intelligence Briefing Agent (preview)
223
225
224
-
You can set up the Threat Intelligence Briefing Agent to get timely, relevant threat intelligence reports with detailed technical analysis based on the latest threat actor activity and both internal and external vulnerability exposure. The agent correlates Microsoft threat data and customer signals to add critical context to threat information in a matter of minutes, saving analyst teams hours or even days spent on intelligence gathering and correlation.
226
+
Set up the Threat Intelligence Briefing Agent to get timely, relevant threat intelligence reports with detailed technical analysis based on the latest threat actor activity and both internal and external vulnerability exposure. The agent correlates Microsoft threat data and customer signals to add critical context to threat information in a matter of minutes, saving analyst teams hours or even days spent on intelligence gathering and correlation.
225
227
226
228
Once deployed, the Threat Intelligence Briefing Agent appears as a banner at the top of the Threat analytics page.
227
229
@@ -231,19 +233,19 @@ Once deployed, the Threat Intelligence Briefing Agent appears as a banner at the
231
233
232
234
### Set up custom detections and link them to Threat analytics reports
233
235
234
-
You can set up [custom detection rules](custom-detection-rules.md#2-create-new-rule-and-provide-alert-details) and link them to Threat analytics reports. If these rules get triggered and an alert generates an incident, the report shows up in that incident and the incident appears under the **Related incidents** tab, just like any other Microsoft-defined detection.
236
+
Set up [custom detection rules](custom-detection-rules.md#2-create-new-rule-and-provide-alert-details) and link them to Threat analytics reports. If these rules get triggered and an alert generates an incident, the report shows up in that incident and the incident appears under the **Related incidents** tab, just like any other Microsoft-defined detection.
235
237
236
238
:::image type="content" source="/defender/media/threat-analytics/ta-custom-detection.png" alt-text="Screenshot of custom detection setup page with Threat analytics option highlighted." lightbox="/defender/media/threat-analytics/ta-custom-detection.png":::
237
239
238
240
[Learn more about creating and managing custom detections rules](custom-detection-rules.md)
239
241
240
242
### Set up email notifications for report updates
241
243
242
-
You can set up email notifications that send you updates on Threat analytics reports. To create email notifications, follow the steps in [get email notifications for Threat analytics updates in Microsoft Defender XDR](m365d-threat-analytics-notifications.md).
244
+
Set up email notifications that send you updates on Threat analytics reports. To create email notifications, follow the steps in [get email notifications for Threat analytics updates in Microsoft Defender XDR](m365d-threat-analytics-notifications.md).
243
245
244
246
## Other report details and limitations
245
247
246
-
When you look at the threat analytics data, remember the following factors:
248
+
When you review the threat analytics data, consider the following factors:
247
249
248
250
- The checklist in the **Recommended actions** tab only displays recommendations tracked in [Microsoft Secure Score](microsoft-secure-score.md). Check the **Analyst report** tab for more recommended actions that aren't tracked in Secure Score.
249
251
- The recommended actions don't guarantee complete resilience and only reflect the best possible actions needed to improve it.
0 commit comments