Defender Threat Intelligence
How Microsoft Defender XDR integrates threat intelligence — built-in feeds, custom IoCs, and Defender TI as a separate product.
Threat intelligence (TI) is the knowledge about ongoing attacks, threat actors, and indicators of compromise that informs detection and hunting. Microsoft Defender XDR consumes substantial threat intelligence — from Microsoft's own research, from partner feeds, and from customer-provided indicators. Understanding how it works helps you use Defender effectively.
Built-in Microsoft threat intelligence
Microsoft operates one of the largest threat-intelligence operations in the security industry:
- Microsoft 365 Defender Research Team tracks active campaigns.
- Microsoft Threat Intelligence Center (MSTIC) does state-actor and APT research.
- Microsoft Digital Crimes Unit (DCU) disrupts criminal operations.
Their intelligence feeds Defender automatically:
- File hashes of known malware.
- IP addresses and domains associated with C2 infrastructure.
- URL patterns of phishing campaigns.
- TTP signatures matching known threat actor behaviour.
- CVE intelligence for the vulnerability-management module.
You don't configure this — it's the platform's underlying capability.
Threat analytics
The Threat Analytics dashboard in Defender XDR shows:
- Currently active campaigns Microsoft is tracking.
- Your tenant's exposure to each — based on observed signals.
- Recommended actions — patches to apply, configurations to harden.
- Mitigation status — which recommendations you've implemented.
This is an excellent surface for proactive defensive planning: know what attackers are doing and harden against it before being targeted.
Custom indicators
Beyond Microsoft's intelligence, organisations have their own indicators:
- File hashes of known-bad files from past incidents.
- IP addresses associated with attackers targeting you.
- Domains observed in phishing campaigns against your users.
- URLs to block at click time.
Custom indicators are configured in Defender for Endpoint → Settings → Indicators:
- Add specific hash / IP / URL / domain.
- Action: alert only, block, or audit.
- Title and severity, for the organisation's own tracking.
These complement Microsoft's intelligence with organisation-specific signal.
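As an added illustration (not code from the page or from Microsoft), the Python below turns an incident's IoC list into payloads for the Defender for Endpoint indicators API, inferring the indicator type from the value and attaching the source and an expiry to each one. The API field names and enumerations are assumptions taken from the public POST /api/indicators schema, not from the page; the IoCs and the pinned clock are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Assumption: field values of the public Defender for Endpoint POST /api/indicators schema.
ACTIONS = {"Alert", "Block", "Audit"}   # the page's three actions; the API accepts more
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")

def classify(value):
    """Infer indicatorType from a raw IoC string; raise on anything unrecognised."""
    v = value.strip().lower()
    if SHA256_RE.match(v):
        return "FileSha256"
    try:
        ipaddress.ip_address(v)
        return "IpAddress"
    except ValueError:
        pass
    if urlparse(v).scheme in ("http", "https"):
        return "Url"
    if DOMAIN_RE.match(v):
        return "DomainName"
    raise ValueError(f"unrecognised indicator: {value!r}")

def build_indicator(value, action, title, source, severity="Medium", ttl_days=90, now=None):
    """Payload for one custom indicator: the source is recorded in the description
    for accountability, and expirationTime is always set so stale IoCs age out."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action: {action}")
    itype = classify(value)
    now = now or datetime.now(timezone.utc)
    return {
        "indicatorValue": value.strip() if itype == "Url" else value.strip().lower(),
        "indicatorType": itype,
        "action": action,
        "title": title,
        "description": f"source={source}",
        "severity": severity,
        "expirationTime": (now + timedelta(days=ttl_days)).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }

# Constructed IoCs from a past incident, plus a pinned clock for reproducible output.
INCIDENT_IOCS = [("EVIL.EXAMPLE", "Block"), ("203.0.113.7", "Alert"), ("https://evil.example/login", "Block")]
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

def demo():
    return [build_indicator(v, a, f"IR-2025-001 {v}", "IR-2025-001", now=FIXED_NOW)
            for v, a in INCIDENT_IOCS]
```

Each payload from demo() is what would be sent, one per request, with a bearer token for the Defender for Endpoint API.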
Microsoft Defender Threat Intelligence (standalone)
Microsoft Defender Threat Intelligence (Defender TI) is a standalone product providing access to Microsoft's broader threat-intelligence dataset:
- Threat actor profiles with detailed analysis of major adversaries.
- Indicator searching — research a specific hash, IP, domain.
- Infrastructure analysis — see how attacker infrastructure interconnects.
- Threat hunting datasets — historical observations to enrich investigations.
- External Attack Surface Management (EASM) integration.
Used by SOC analysts, threat hunters, and security researchers for deep investigation. Licensed separately from base Defender XDR.
STIX/TAXII feeds
For organisations consuming third-party threat intelligence feeds:
- STIX/TAXII standards for threat-intelligence exchange.
- Microsoft Sentinel TAXII connector ingests external feeds — government feeds, commercial vendors (Mandiant, CrowdStrike, etc.).
- Indicators ingested into Sentinel are matched against the same telemetry as Microsoft's own indicators.
For mature SOC operations, blending multiple TI sources covers Microsoft's blind spots.
Threat hunting with TI
Analysts can use TI to drive hunts:
// Hunt for connections to known C2 IPs from a TI feed.
// ThreatIntelligenceIndicator is the Sentinel TI table; its active flag is the
// column Active, and expired indicators are filtered on ExpirationDateTime.
let MaliciousIPs = ThreatIntelligenceIndicator
| where Action == "block"
| where Active == true
| where ExpirationDateTime > now()
| where isnotempty(NetworkIP)   // only IP-type indicators; other types leave NetworkIP empty
| distinct NetworkIP;
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in (MaliciousIPs)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
This returns every device that connected to a known-bad IP in the last week.
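To show what the TAXII ingestion described under STIX/TAXII feeds and the hunt above amount to end to end, here is an added Python example (not code from the page): it flattens a constructed STIX 2.1 bundle into rows shaped like Sentinel's ThreatIntelligenceIndicator table, marking expired indicators inactive, then applies the same active-IP join as the KQL to constructed DeviceNetworkEvents rows. The bundle, the event rows, the pinned clock and the STIX-type-to-column mapping are all constructed assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle standing in for one page of a TAXII collection. The
# second indicator has expired; the third is a domain, so the IP hunt ignores it.
STIX_BUNDLE = json.loads("""{"type": "bundle", "id": "bundle--demo", "objects": [
 {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
  "pattern": "[ipv4-addr:value = '203.0.113.7']", "valid_until": "2099-01-01T00:00:00Z"},
 {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
  "pattern": "[ipv4-addr:value = '198.51.100.20']", "valid_until": "2025-02-01T00:00:00Z"},
 {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
  "pattern": "[domain-name:value = 'evil.example']"}]}""")

# Single-comparison STIX patterns only; compound (AND/OR) patterns are skipped.
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):[\w.'-]+\s*=\s*'([^']+)'\]$")
# STIX object type -> the column Sentinel's ThreatIntelligenceIndicator table uses
COLUMN_FOR = {"ipv4-addr": "NetworkIP", "domain-name": "DomainName",
              "url": "Url", "file": "FileHashValue"}
NOW = datetime(2025, 3, 2, tzinfo=timezone.utc)   # pinned clock for the demo

def parse_indicators(bundle, now):
    """Flatten STIX indicators into rows shaped like ThreatIntelligenceIndicator."""
    rows = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if not m or m.group(1) not in COLUMN_FOR:
            continue
        until = obj.get("valid_until")
        active = until is None or datetime.fromisoformat(until.replace("Z", "+00:00")) > now
        rows.append({"IndicatorId": obj["id"], "Active": active, COLUMN_FOR[m.group(1)]: m.group(2)})
    return rows

# Constructed DeviceNetworkEvents rows carrying the columns the hunt reads.
DEVICE_NETWORK_EVENTS = [
    {"Timestamp": "2025-03-01T10:00:00Z", "DeviceName": "ws-042", "RemoteIP": "203.0.113.7", "InitiatingProcessFileName": "rundll32.exe"},
    {"Timestamp": "2025-03-01T10:05:00Z", "DeviceName": "ws-017", "RemoteIP": "198.51.100.20", "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2025-03-01T10:09:00Z", "DeviceName": "ws-042", "RemoteIP": "192.0.2.9", "InitiatingProcessFileName": "teams.exe"},
]

def hunt_c2_connections(events, indicators):
    """Same logic as the KQL hunt: only active IP indicators are joined to events."""
    bad_ips = {r["NetworkIP"] for r in indicators if r["Active"] and "NetworkIP" in r}
    return [e for e in events if e["RemoteIP"] in bad_ips]

if __name__ == "__main__":
    for hit in hunt_c2_connections(DEVICE_NETWORK_EVENTS, parse_indicators(STIX_BUNDLE, NOW)):
        print(hit["Timestamp"], hit["DeviceName"], hit["RemoteIP"], hit["InitiatingProcessFileName"])
```

Only ws-042's connection to 203.0.113.7 is reported; the expired indicator and the domain indicator contribute nothing to the IP hunt, which is the same outcome the Active and NetworkIP filters produce in KQL.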
Operational discipline
For TI to provide real value:
- Subscribe to relevant feeds — not all indicators are relevant; focus on what targets your industry / geography.
- Tune for false positives — some TI feeds are noisy.
- Document the source of each indicator for retention / accountability.
- Periodically refresh — old indicators lose relevance.
- Integrate with hunting practice — TI shapes what to hunt for.
When standalone Defender TI is worth it
Standalone Defender TI is most valuable for:
- Mature SOC doing threat hunting, not just alert triage.
- Organisations targeted by specific threat actors (regulated industries, high-value targets).
- Threat researchers investigating the broader threat landscape.
- Incident-response scenarios needing deep enrichment of indicators.
For typical Microsoft 365 customers, the built-in TI in Defender XDR provides a solid baseline; standalone Defender TI is a step-up investment for organisations needing more depth.
What threat intelligence isn't
- A replacement for detection rules — TI is supplementary, not a substitute.
- Magic — TI doesn't catch novel attacks Microsoft hasn't seen yet.
- Automatic improvement — using TI well requires analyst skill and discipline.
For Microsoft 365 customers running SOC operations, threat intelligence is one of those capabilities that's easy to consume in shallow form and rewards deeper investment. Built-in is the start; deliberate integration is what produces real value.