Microsoft Defender Threat Intelligence Overview, Concepts, and Vocabulary


If you are wondering what Microsoft Defender Threat Intelligence (Defender TI) is and who should use it, you've come to the right place! Defender TI is an analyst workbench aggregating many intelligence data sources in a way that is searchable and pivotable. Pivotable is the adjective form of pivot. Merriam-Webster defines pivot as turning on or as if on a pivot. This term ties in nicely with Defender TI's Infrastructure Chaining concept. You'll learn about Infrastructure Chaining in the use cases section of this module. Data sources include both raw data ingested via a worldwide collection engine and finished intelligence in the form of articles. The workbench allows for correlating data and aggregating identified attributes or entities by grouping them into projects or assigning tags, which can be shared within an organization. The intent of the platform is to enable organizations to derive insights that will be utilized to defend themselves against threat actors in cyberspace.

Microsoft Defender 's technology is based on Microsoft's acquisition of RiskIQ. Former users of RiskIQ's PassiveTotal should feel right at home with Defender TI. However, this is not a prerequisite for using the platform. The power of Microsoft resources promises to bring forward the ultimate analyst experience driven by feedback from the community – you! The following modules are a great place to start understanding incorporate Internet-derived data into your security operations workflows.


Figure 1 – Defender TI Home Page



Figure 2 – Why ?


Figure 3 – Where does Microsoft's fit in your organization?


Figure 4 – Where does Microsoft's threat intelligence fit in your organization?

Concepts and Vocabulary

The following terms have been and will continue to be used throughout this training and the platform. Take some time to familiarize yourself with the below list.


A lightweight version of Defender TI that is free and available to all Microsoft users.


A subscription level that is accessible via a paid and licensed account. Includes access to all features and historical datasets.


A unique data entity that represents identifiable Internet infrastructure.


Data collections curated by the Defender TI Research and Intelligence Teams.​


Curated intelligence gathered from around the web (OSINT) or published by a Microsoft intelligence research team.

Indicator of Compromise (IOC)

An artifact that points to a potential security threat if identified within your computing environment.


An organized collection of artifacts, some of which will have monitoring and alerting capabilities.


A score calculated by Defender TI to indicate the likelihood that the entity is associated with an elevated level of risk.

Analyst Insights

A feature that provides quick insights about an artifact that may help determine the next step in an investigation.


This article was originally published by Microsoft's Defender Threat Intelligence Blog. You can find the original article here.