Saturday, February 14, 2026

Microsoft Introduces Integrated Threat Intelligence Briefing Agent In Defender Portal

Microsoft has launched a significant update at Ignite 2025, integrating the Threat Intelligence Briefing Agent directly into the Microsoft Defender portal to enhance proactive cybersecurity defenses.

This AI-powered tool, now in Public Preview, delivers daily customized briefings that merge global threat data with organization-specific insights, helping security teams anticipate risks rather than react to them.

Previously available as a standalone feature since March 2025, the agent now operates natively within the Defender interface, reducing manual analysis time from hours to minutes.

Security analysts can access automated summaries, including risk assessments, remediation recommendations, and links to vulnerable assets, streamlining workflows in environments like endpoints, cloud services, and networks.

The integration aligns with Microsoft’s broader strategy to unify threat intelligence across its security ecosystem, making advanced tools accessible without extra licensing costs.

For instance, the agent correlates threats with real-time data from Microsoft Defender XDR and Sentinel, enabling faster incident triage for malware campaigns and zero-day exploits.

Technical details reveal how the agent uses machine learning to parse vast datasets, identifying tactics, techniques, and procedures (TTPs) mapped to the MITRE ATT&CK framework for precise threat modeling.

This allows teams to prioritize high-impact vulnerabilities, such as remote code execution (RCE) or server-side request forgery (SSRF) flaws on widely exposed attack surfaces, by assessing their relevance to the organization’s infrastructure.

Unified Threat Intelligence Enhancements

Building on the Briefing Agent, Microsoft is converging Microsoft Defender Threat Intelligence (MDTI) into Defender XDR and Sentinel, with the first phase now in Public Preview.

This brings a comprehensive threat library into Threat Analytics, featuring reports on active threat actors, emerging attack techniques, critical vulnerabilities, and prevalent malware like ransomware variants.

For Defender XDR users, reports automatically link to related incidents and assets, revealing endpoint exposures and suggesting actions such as patching or policy updates.

Defender Gets Threat Intelligence

Sentinel-only customers also gain access to this library, including indicators of compromise (IOCs) such as SHA-256 hashes, IP addresses, and domains, though advanced correlation remains XDR-exclusive.

New features in Threat Analytics include detailed IOC lists per threat, enabling direct entity lookups within Defender for efficient investigations.

Reports now offer MITRE ATT&CK mappings to track persistent TTPs, alongside insights into targeted industries and actor origins, such as nation-state groups focusing on finance or healthcare sectors.

Analysts can filter reports by actor, tool, technique, vulnerability, activity, or core threat, speeding up searches for specific risks, such as supply chain compromises.

Additionally, a case-linking capability connects investigations to relevant IOCs, maintaining context across workflows and supporting collaborative responses in security operations centers (SOCs).

Access to sensitive IOCs requires customer verification to prevent misuse, ensuring only authorized users can view full details such as file hashes or malicious URLs.

These enhancements democratize high-value intelligence that was previously locked behind paid MDTI licenses, fostering a proactive SecOps posture.

Overall, the updates equip organizations to counter evolving threats, from advanced persistent threats (APTs) to AI-driven attacks, by embedding actionable intel into daily operations.

With the Defender portal serving as a central hub, security teams can now focus on strategic defense rather than data aggregation, marking a shift toward intelligence-led cybersecurity.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
