A Copilot for Security Customer’s Guide to MDTI

With just one Security Compute Unit (SCU), Copilot for Security customers have unlimited access to the powerful operational, tactical, and strategic in Microsoft Defender (MDTI), a $50k per seat value, at no extra cost. This compendium of high-fidelity intelligence developed by Microsoft's team of more than 10,000 multidisciplinary security experts and informed by over 78 trillion security signals enables teams to unmask and neutralize adversaries quickly and efficiently.  

 In this blog, we will review what MDTI is, what you get as a Copilot for Security customer, and how you can immediately tap into this powerful intelligence.

What is MDTI?

MDTI is a product that enables security professionals to directly access, ingest, and act upon trillions of daily security signals in Microsoft's telemetry. MDTI's finished intelligence, including threat articles and intel profiles, provides the latest on cyber threat actors and their tools, tactics, and procedures. Its unique security data sets enable advanced investigations that uncover malicious infrastructure connections across the global cyberthreat landscape to highlight where an organization is vulnerable and address the tools and systems used in cyberattacks.  

 MDTI is a powerful complement to Microsoft's SIEM, XDR, and solutions. Copilot for Security customers can use the incredible depth and breadth of Microsoft threat intelligence in MDTI with Generative to quickly understand the full scope of attacks, anticipate the next steps of an ongoing campaign, and drive an optimal security plan for their organizations. They can immediately begin using MDTI in the Copilot for Security standalone experience or embedded experience in Defender XDR. They can also use MDTI directly via the MDTI' analyst workbench' experience in the Threat Intelligence blade in Defender XDR.

Copilot for Security customers can tap into MDTI's powerful threat intelligence in a variety of waysCopilot for Security customers can tap into MDTI's powerful threat intelligence in a variety of ways

Learn more about MDTI by taking the MDTI Ninja Training here

MDTI In Copilot for Security

Microsoft Copilot for Security  enables customers to access, operate on, and integrate Microsoft's raw and finished threat intelligence via natural language. They can make simple requests known as prompts to learn about threat actors, tools, indicators of compromise (IoCs), and threat intelligence related to their organization's security incidents and alerts

Prompts can ask important questions of MDTI's data and content, such as “Tell me more about the Threat actor Silk Typhoon. Users can also write a tailored prompt book (a predefined set of typical follow-up questions) about [security incident] and respond to it. The answers returned from prompts are always up to date with the latest threat intelligence information from MDTI, including IoCs, data from mass collection and analysis, intelligence articles, Intel Profiles (vulnerabilities, threat actors, threat tooling], and guidance. This critical information, delivered instantly and in context, adds to the ability to enable different security personas to defend at machine speed and scale.  

Example of MDTI skills and prompts in Copilot for SecurityExample of MDTI skills and prompts in Copilot for Security

MDTI powers Copilot for Security via a wide range of threat intelligence skills, enabling customers to quickly retrieve information on indicators, including IP addresses and domains, and contextualize artifacts with content such as threat articles and intel profiles. Additionally, out-of-the-box promptbooks correlate MDTI content and data with other security information from Defender XDR, such as incidents and hunting activities, to help customers quickly understand the broader scope of an attack. These capabilities will be available within the standalone and embedded Copilot for Security experiences.  

MDTI is integral to the Copilot for Security experience. To begin using MDTI in Copilot, simply go to “manage plugins” (bottom left in the Copilot standalone interface) and enable “Microsoft Defender Threat Intelligence.” 

Learn more about MDTI in Copilot for Security here 

MDTI In Defender XDR

In Defender XDR, MDTI helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows, aggregating and enriching critical threat information in an easy-to-use interface. Copilot customers can leverage MDTI's data sets and content anytime, anywhere within Defender XDR to provide additional context and aid in investigations. In the Microsoft Defender XDR portal, users can access MDTI under the “Threat Intelligence” blade in the left-hand navigation menu. 

  • Intel Explorer: In this tab, customers can search across all intelligence in MDTI, browse, featured articles, and peruse recent threat article pages.  
  • Intel Profiles: This tab contains more than 300 continuously maintained profiles on threat actors, tooling, and vulnerabilities. 
  • Intel Projects: In this tab, users can create or access team and individual projects to save personal investigations and collaborate with teammates across the organization. 
  • Detonation Intelligence for Hashes and URL Search: Customers can obtain insights about the file hash or URL and any associated links to intelligence articles where the file hash or URL has been listed as an Indicator of Compromise. 

The MDTI user interface in the Intelligence blade within Defender XDRThe MDTI user interface in the Intelligence blade within Defender XDR

The MDTI API is not included with Copilot for Security

If users wish to leverage MDTI's API endpoints to support automated enrichment against their incidents or create sophisticated to address use cases our MDTI Copilot skills cannot natively support today, customers are encouraged to work with their Commercial Executive to learn more about purchasing our MDTI API license. 

Learn more about the MDTI API here and here

New to MDTI? Here's where to start

Learn more about getting started with Copilot for Security, including pricing and getting started here>  

Also, be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats.


This article was originally published by Microsoft's Defender Threat Intelligence Blog. You can find the original article here.