{"id":10707,"date":"2018-09-27T16:12:11","date_gmt":"2018-09-27T23:12:11","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=10707"},"modified":"2023-06-15T15:17:29","modified_gmt":"2023-06-15T22:17:29","slug":"microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/","title":{"rendered":"Microsoft uses threat intelligence to protect, detect, and respond to threats"},"content":{"rendered":"<div class=\"m-alert f-error\" role=\"alert\">\n<div>\n<div class=\"c-glyph glyph-incident-triangle\" aria-label=\"Error message\"><\/div>\n<p class=\"c-paragraph\">This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft.<\/p>\n<\/div>\n<\/div>\n<p>To combat cyber attacks and protect against urgent threats, Microsoft amasses billions of signals for a holistic view of the security ecosystem\u2014giving our company and customers relevant, contextual threat intelligence that\u2019s built into products like Office 365, Windows, and Azure. To more quickly detect, investigate, and respond to email threats, Microsoft uses Threat Explorer in Office 365 Threat Intelligence for broad threat visibility, along with Office 365 Advanced Threat Protection and Exchange Online Protection.<\/p>\n<p>From a global perspective, the amount of data in organizations is ballooning at 50 percent year over year. The number of threats to this data from cyberattacks and data breaches is mushrooming. Cyberincidents cause organizations to lose money, data, productivity, and consumer trust. In 2016 alone, cybercrime resulted in:<\/p>\n<ul class=\"c-list\">\n<li>Companies losing a\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/www.inc.com\/will-yakowicz\/cyberattacks-cost-companies-400-billion-each-year.html\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about total of $400 billion\">total of $400 billion<\/a>\u00a0from damages from hacking<\/li>\n<li>Companies losing\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/www.ibm.com\/account\/reg\/us-en\/signup?formid=urx-33316&amp;ce=ISM0484&amp;ct=SWG&amp;cmp=IBMSocial&amp;cm=h&amp;cr=Security&amp;ccy=US&amp;cm_mc_uid=94848149741015354079514&amp;cm_mc_sid_50200000=38525251535407951495\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about $3.86 million, on average, per breach\">$3.86 million, on average, per breach<\/a><\/li>\n<\/ul>\n<p>When it comes to malware alone,\u00a0<a class=\"c-hyperlink\" href=\"http:\/\/money.cnn.com\/2015\/04\/14\/technology\/security\/cyber-attack-hacks-security\/index.html\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about 1 million new pieces of malware\">1 million new pieces of malware<\/a>\u00a0are created each day. According to the\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/www.verizonenterprise.com\/resources\/reports\/2017_dbir_en_xg.pdf\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about 2017 Verizon Data Breach Investigations Report\">2017 Verizon Data Breach Investigations Report<\/a>, malware accounts for 51 percent of breaches.<\/p>\n<p>It\u2019s clear that organizations worldwide need rapid-fire protection, detection, and response to threats. Yet, on average, more than 99 days pass between infiltration and detection, which is like leaving the front door wide open for over four months. This is why we need threat intelligence.<\/p>\n<p>At Microsoft, we continue to improve our ability to identify, prioritize, and respond to the biggest threats that target our company and customers. Every six months since 2006, we publish the\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/intelligence-report\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Microsoft Security Intelligence Report\">Microsoft Security Intelligence Report<\/a>. This report has extensive Microsoft research on software vulnerabilities, vulnerability exploits, and threats like malware\u2014along with guidance to help assess risk and protect against threats.<\/p>\n<h2>At Microsoft, security is front and center<\/h2>\n<p>Part of what enables this defense is threat intelligence. Threat intelligence gathers indicators\u2014or signals\u2014from a breadth and depth of sources to understand the threat landscape. As a security leader, we build on our vast experience as a global enterprise,\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/intelligence\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about ongoing study of the threat landscape\">ongoing study of the threat landscape<\/a>, broad scale, strength of signal, and visionary thinking to help understand and mitigate the effects of increasingly sophisticated attacks. These include zero-day attacks, targeted phishing campaigns, and other novel attack methods.<\/p>\n<p>We employ threat researchers and analytics systems across our global network to give a timely, actionable view of the threat landscape. We are in a unique position, with billions of data points that shed light on security issues. For example, each month, we gather intelligence by:<\/p>\n<ul class=\"c-list\">\n<li>Processing more than 450 billion authentications.<\/li>\n<li>Scanning and analyzing 400 billion emails for malware and phishing.<\/li>\n<li>Updating more than one billion Windows devices.<\/li>\n<li>Building a rich resource from more than 200 cloud and commercial services worldwide.<\/li>\n<\/ul>\n<p>This intelligence and signal richness is built into products and services like Office 365, Windows, and Azure to let you know that attacks are happening. Many organizations don\u2019t have threat managers, threat analysts, or a threat intelligence framework. To help organizations worldwide use the framework that we have built, we look at questions like:<\/p>\n<ul class=\"c-list\">\n<li>What does threat intelligence mean to Microsoft, and why is it vital for the company and for customers?<\/li>\n<li>How does Microsoft deliver threat intelligence in services like Windows Defender ATP, Exchange Online Protection, and the newly released Office 365 Threat Intelligence?<\/li>\n<li>How do security analysts in Core Services Engineering and Operations (CSEO) use threat intelligence capabilities in various Microsoft products and services to investigate threats and take action? How does this lead to faster detection and response time, efficient incident analysis, more relevant indicators of compromise, fewer false positives, and other benefits?<\/li>\n<\/ul>\n<p>Because Microsoft has infused threat intelligence into its technologies, other companies reap the benefits along with their purchase or subscription, even if they don\u2019t have a formal threat program in place.<\/p>\n<h2>Why does threat intelligence matter?<\/h2>\n<p>Let\u2019s take a closer look at what the concept of threat intelligence means to us and why having this intelligence is important. Given the number of signals, it\u2019s easy to get lost in a sea of noise. It\u2019s crucial to have context to understand which signals are highest priority, why, and what actions to take.<\/p>\n<p>Threat intelligence at Microsoft includes signals inside and outside the company, related to areas shown in Figure 1, like denial of service, malware, or unauthorized data access. With the right context, this intelligence leads to targeted actions\u2014for example, releasing system updates, enforcing security policies like multi-factor authentication, or applying other security measures.<\/p>\n<figure id=\"attachment_10717\" aria-describedby=\"caption-attachment-10717\" style=\"width: 425px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-10717 size-full\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img001.png\" alt=\"This figure gives examples of the types of intelligence that Microsoft gets about phishing, malware, and other attacks from analyzing things like device sign-ins, user sign-ins, and system updates.\" width=\"425\" height=\"221\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img001.png 425w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img001-300x156.png 300w\" sizes=\"(max-width: 425px) 100vw, 425px\" \/><figcaption id=\"caption-attachment-10717\" class=\"wp-caption-text\">Figure 1. Examples of the threat intelligence we get<\/figcaption><\/figure>\n<h3>Threat intelligence gives context, relevance, and priority<\/h3>\n<p>More than just a buzzword, at Microsoft, true threat intelligence goes beyond lists of bad domains or bad hashes. Instead, it provides the necessary context, relevance, and priority\u2014sometimes called enrichment\u2014for people to make faster, better, and more proactive cybersecurity decisions. For example:<\/p>\n<ul class=\"c-list\">\n<li>A security analyst who uses threat intelligence to analyze the highest-priority signals, and takes action.<\/li>\n<li>An information worker who knows to watch for emails with links that appear suspicious and could be a phishing campaign targeting the company. This awareness could, for example, influence the email recipient to be vigilant, avoid opening files or clicking questionable links, and report the email as suspicious.<\/li>\n<li>An organization that uses threat intelligence to alert employees that a particular email attachment is associated with ransomware that has affected other companies in the same sector.<\/li>\n<\/ul>\n<p>Enriched intelligence is built into our technologies that are used worldwide. Where does this enrichment come from? Some of it is from threat intelligence producers. Other enrichment is from intelligence about ourselves and the threats we face. Enrichment gives context on threat detections\u2014for example, whether a threat is related to a group that\u2019s involved in corporate espionage, or whether it involves criminals who are trying to steal credit card numbers.<\/p>\n<p>Having this enrichment and context helps us and our customers who are defending against threats know the priority for mitigating threats and identifying next steps. Threat intelligence producers at Microsoft provide relevance and tell why something\u2019s bad, which is just the type of information that security analysts want.<\/p>\n<h3>Threat intelligence helps organizations share knowledge<\/h3>\n<p>Security concerns aren\u2019t limited to any sector. All organizations need to defend themselves against cyberthreats, making it a core part of their strategies and operations. Visibility and intelligence into threats are crucial for preparedness\u2014for example, knowing the type of attack, who\u2019s being targeted, how often, and the source of attacks.<\/p>\n<p>Through threat intelligence, we give organizations and customers visibility, context, and relevance of security events. Having access to\u2014and sharing this knowledge\u2014helps decision makers both inside and outside security teams prioritize actions and reduce risk.<\/p>\n<h2>Threat intelligence is built into Microsoft products and services<\/h2>\n<p>How do we at Microsoft enable enterprises to take advantage of shared threat intelligence through products and services like Office\u00a0365 and Windows Defender ATP\u2014and offer context, relevance, and priority to help people take action?<\/p>\n<p>We gather, produce, and consume threat intelligence in our security ecosystem through:<\/p>\n<ul class=\"c-list\">\n<li>The Microsoft Intelligent Security Graph<\/li>\n<li>The Microsoft Threat Intelligence Center<\/li>\n<li>Our large customer base<\/li>\n<li>Intelligence feeds that we generate, as well as from third parties<\/li>\n<\/ul>\n<p>We integrate the threat intelligence we gather into products and services like:<\/p>\n<ul class=\"c-list\">\n<li>Office\u00a0365\u00a0Threat\u00a0Intelligence and Office\u00a0365\u00a0Advanced\u00a0Threat\u00a0Protection<\/li>\n<li>Exchange Online Protection<\/li>\n<li>Windows\u00a0Defender\u00a0Advanced\u00a0Threat\u00a0Protection<\/li>\n<li>Azure\u00a0Security\u00a0Center<\/li>\n<\/ul>\n<h3>The Microsoft Intelligent Security Graph<\/h3>\n<p>The Microsoft Intelligent Security Graph is foundational for embedding security protection in Office 365, Azure, Windows, and other products. The graph will gather signals from the entire ecosystem of Microsoft and industry-leading commercial and consumer services, security monitoring and operations services and products, Windows devices, Azure, and Office Security and Compliance services. It enriches those signals with threat, customer, industry, and operational context. Signals in the graph generate insights and context that are infused into Office 365, Azure, Windows, and other products and services.<\/p>\n<p>By stitching together and correlating these enriched signals, the Intelligent Security Graph can generate a holistic picture of the threat landscape. This, in turn, helps Microsoft and graph-enabled customers detect threats and share real-time intelligence\u2014and drive rapid and systematic response and remediation action.<\/p>\n<p>In fact, the security analysts in our Cyber Defense Operations Center (CDOC)\u2014a facility that unites security response experts from across the company to protect, detect, and respond to threats\u2014use the Intelligent Security Graph. Faster detection is essential. The Intelligent Security Graph enables faster, more comprehensive threat discovery and response.<\/p>\n<h3>Microsoft Threat Intelligence Center<\/h3>\n<p>The Microsoft Threat Intelligence Center (MSTIC) team\u2014one of the main producers of threat intelligence at Microsoft\u2014collects the threat intelligence that\u2019s infused into products and services. MSTIC aggregates data from sources such as:<\/p>\n<ul class=\"c-list\">\n<li>First-party threat intelligence feeds (honeypots, malicious IP addresses, botnets, malware detonation feeds)<\/li>\n<li>Third-party sources (threat intelligence feeds, reference\/lookup data)<\/li>\n<li>Analysts\/human-based observation and intelligence collection<\/li>\n<\/ul>\n<h3>Microsoft and third-party intelligence feeds<\/h3>\n<p>Microsoft gets additional visibility into the security landscape by collecting intelligence feeds. These combined feeds supply data about threats and can be matched against the signals provided in Microsoft products and services.<\/p>\n<h3>Integration across Windows 10, Azure, Office 365, and other products<\/h3>\n<p>Certain cybersecurity threat intelligence data that\u2019s gathered from different sources is processed and enriched by MSTIC, so that there\u2019s ample context and actionable insight for security analysts. Some of this threat intelligence data is then fed into products and services.<\/p>\n<p>Figure 2 shows examples of built-in security protection and threat intelligence across our products and services bundled into Microsoft 365 Enterprise.<\/p>\n<div><\/div>\n<div class=\"m-image float-right\">\n<figure id=\"attachment_10718\" aria-describedby=\"caption-attachment-10718\" style=\"width: 624px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-10718 size-full\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img002.png\" alt=\"This figure gives examples of Microsoft products and services that have built-in security, such as Windows Server 2016, SQL Server 2016, Windows Hello, Azure Active Directory, and Office 365 Data Loss Prevention.\" width=\"624\" height=\"157\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img002.png 624w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img002-300x75.png 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><figcaption id=\"caption-attachment-10718\" class=\"wp-caption-text\">Figure 2. Examples of built-in security protection<\/figcaption><\/figure>\n<\/div>\n<p>To list just a few examples, Microsoft builds threat intelligence into products and services like:<\/p>\n<ul class=\"c-list\">\n<li><a class=\"c-hyperlink\" href=\"https:\/\/www.microsoft.com\/en-us\/cloud-platform\/advanced-threat-analytics\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Advanced Threat Analytics\">Advanced Threat Analytics<\/a>\u00a0for identifying and analyzing normal and suspicious user or device behavior.<\/li>\n<li><a class=\"c-hyperlink\" href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Windows Defender ATP\">Windows Defender ATP<\/a>\u00a0for zero-day protection against malware in attachments and links.<\/li>\n<li><a class=\"c-hyperlink\" href=\"https:\/\/azure.microsoft.com\/en-us\/services\/security-center\/\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Azure Security Center\">Azure Security Center<\/a>\u00a0for preventing, detecting, and responding to threats related to Azure resources.<\/li>\n<li><a class=\"c-hyperlink\" href=\"https:\/\/products.office.com\/en-us\/exchange\/exchange-email-security-spam-protection\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Exchange Online Protection\">Exchange Online Protection<\/a>\u00a0in Office 365 for blocking email malware and spam.<\/li>\n<li>The\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/support.office.com\/en-us\/article\/Office-365-Security-Compliance-Center-7e696a40-b86b-4a20-afcc-559218b7b1b8?ui=en-US&amp;rs=en-US&amp;ad=US\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Office 365 Security and Compliance Center\">Office 365 Security and Compliance Center<\/a>\u00a0for helping to protecting data and managing compliance.<\/li>\n<li><a class=\"c-hyperlink\" href=\"https:\/\/support.office.com\/en-us\/article\/Overview-of-Advanced-Security-Management-in-Office-365-81f0ee9a-9645-45ab-ba56-de9cbccab475\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Advanced Security Management\">Advanced Security Management<\/a>\u00a0in Office 365 Enterprise E5 or as an add-on subscription.<\/li>\n<li><a class=\"c-hyperlink\" href=\"https:\/\/support.office.com\/en-us\/article\/Overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Data Loss Prevention in Office 365\">Data Loss Prevention in Office 365<\/a>\u00a0for data protection, risk management, and compliance.<\/li>\n<li><a class=\"c-hyperlink\" href=\"https:\/\/products.office.com\/en-us\/exchange\/online-email-threat-protection\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Office 365 Advanced Threat Protection\">Office 365 Advanced Threat Protection<\/a>, an email filtering service for protecting against advanced threats and for integrating and sharing threat data.<\/li>\n<\/ul>\n<h2>Office 365 Threat Intelligence<\/h2>\n<p>With\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/support.office.com\/en-us\/article\/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512?ui=en-US&amp;rs=en-US&amp;ad=US\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Office 365 Threat Intelligence\">Office 365 Threat Intelligence<\/a>, we\u2019ve empowered our customers to have their own threat intelligence on the cyberthreat landscape. Office 365 Threat Intelligence integrates with other Office 365 security features like Exchange\u00a0Online Protection and Advanced Threat Protection. Office 365 Threat Intelligence takes advantage of rich signals from the Microsoft Intelligent Security Graph, giving our customers access to many of the powerful threat intelligence feeds that Microsoft itself uses.<\/p>\n<p>Office 365 Threat Intelligence consists of the threat dashboard, Threat explorer, incidents, and alerts. The threat dashboard, shown in Figure 3, and Threat explorer are available in the Office 365 Security and Compliance Center.<\/p>\n<figure id=\"attachment_10719\" aria-describedby=\"caption-attachment-10719\" style=\"width: 521px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-10719 size-full\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img003.png\" alt=\"This screenshot shows what the Office 365 Security and Compliance Center looks like. The Office 365 Security and Compliance Center contains the Threat dashboard and Threat Explorer.\" width=\"521\" height=\"347\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img003.png 521w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img003-300x200.png 300w\" sizes=\"(max-width: 521px) 100vw, 521px\" \/><figcaption id=\"caption-attachment-10719\" class=\"wp-caption-text\">Figure 3. Office 365 Security and Compliance\u2014managing threats<\/figcaption><\/figure>\n<h3>What Office 365 Threat Intelligence does<\/h3>\n<p>Available to Office 365 Enterprise E5 subscribers, this service:<\/p>\n<ul class=\"c-list\">\n<li>Gives insights on advanced threats, malware, phishing, and other attacks for proactive defense.<\/li>\n<li>Reports on attacks that are happening in the Office 365 ecosystem. It creates insights on what Office 365 blocks, or stops, for instance\u2014based on signals from the broader Microsoft ecosystem\u2014which includes Office, Windows, Azure, and other sources.<\/li>\n<li>Shows how many threats were detected on a given day, how many messages were scanned, and how many threats were stopped, blocked, or removed.<\/li>\n<li>Integrates data from 3,500 Microsoft security specialists, who search data to detect advanced threats.<\/li>\n<\/ul>\n<h3>How Office 365 Threat Intelligence helps organizations<\/h3>\n<p>By using Office 365 Threat Intelligence to protect, detect, and respond to threats, any size organization can:<\/p>\n<ul class=\"c-list\">\n<li>Track and respond to today\u2019s most serious threats, in real-time, in one place.<\/li>\n<li>Retain high-value data, ensure business continuity, and reduce risk.<\/li>\n<li>Proactively detect advanced attacks before they reach the organization.<\/li>\n<li>Gain insights from our broad global presence.<\/li>\n<li>Systematically help protect the organization with dynamic policy recommendations.<\/li>\n<li>Take action on malware threats in real time.<\/li>\n<li>Gain visibility into top targeted users.<\/li>\n<li>Use dashboard components that range from global trends to investigation starting points.<\/li>\n<\/ul>\n<h3>Office 365 Threat Intelligence has unique features<\/h3>\n<p>Office 365 is one of the biggest enterprise email services and productivity suites in the world. To help protect information and spot patterns in Office 365, Microsoft has built a vast repository of threat intelligence data. Let\u2019s look at some of the capabilities and features in Office 365 Threat Intelligence:<\/p>\n<ul class=\"c-list\">\n<li>Threat dashboard\u2014overall view of threats that were detected and handled; can be used to report to business decision makers and other stakeholders.<\/li>\n<li>Threat explorer\u2014details about threat families, global threats, and links to security analyst reports on malware families that summarize the threat.<\/li>\n<\/ul>\n<p>With Threat explorer, organizations can see threat families over time, top threats, and top targeted users. Figure 4 gives a sample view of threat families, top threats, and top targeted users in an organization.<\/p>\n<h3>Scenario: Office 365 Threat explorer to investigate a malware threat<\/h3>\n<figure id=\"attachment_10720\" aria-describedby=\"caption-attachment-10720\" style=\"width: 555px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-10720 size-full\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img004.png\" alt=\"This screenshot gives a sample view of Threat Explorer, with threat families, top threats, and top targeted users.\" width=\"555\" height=\"371\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img004.png 555w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img004-300x201.png 300w\" sizes=\"(max-width: 555px) 100vw, 555px\" \/><figcaption id=\"caption-attachment-10720\" class=\"wp-caption-text\">Figure 4. Threat explorer\u2014sample view of threat families, top threats, top targeted users<\/figcaption><\/figure>\n<p>Suppose you want to investigate a malware threat. Here are some examples of how you can use Threat explorer:<\/p>\n<ul class=\"c-list\">\n<li>Drill down into the history of a threat. You can filter on options like sender email, recipient email, sender IP address, and the detection technology used to stop a threat\u2014for example, whether an email was blocked by Office 365 ATP or through an Exchange Online Protection filter.<\/li>\n<li>Get information about malware family behavior, a definition of the threat, technical details (with a link to an associated analyst report), global details (to see how a threat has affected the global Office 365 network, specific nations and industries, and your own organization), and advanced analysis (with more details on how the threat is affecting your organization).<\/li>\n<li>See each instance where a user in an organization got an attachment with a specific malware threat.<\/li>\n<li>See if an email was caught and blocked before it reached the user or if it was delivered as spam.<\/li>\n<\/ul>\n<p>Figure 5 shows an example.<\/p>\n<div><\/div>\n<div class=\"m-image float-right\">\n<figure id=\"attachment_10721\" aria-describedby=\"caption-attachment-10721\" style=\"width: 561px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-10721 size-full\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img005.png\" alt=\"This screenshot gives a sample view of Threat Explorer, with email recipients, subject, sender, sender IP, and status.\" width=\"561\" height=\"319\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img005.png 561w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-img005-300x171.png 300w\" sizes=\"(max-width: 561px) 100vw, 561px\" \/><figcaption id=\"caption-attachment-10721\" class=\"wp-caption-text\">Figure 5. Threat explorer\u2014sample view of recipients, subject, sender, sender IP, and status<\/figcaption><\/figure>\n<\/div>\n<ul class=\"c-list\">\n<li>Also, in Office 365 Security and Compliance Center, you can remediate emails in real time. Use filters to find the email you want to investigate and then create an incident.<\/li>\n<li>Once you create the incident, there are options to delete the incident, move it to junk, move it to the user inbox, or keep it but delete any attachment.<\/li>\n<\/ul>\n<p>In addition to the threat dashboard and Threat explorer, Office 365 Threat Intelligence offers real-time alerts, and through its\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/msdn.microsoft.com\/en-us\/office-365\/office-365-management-activity-api-schema#threat-intelligence-schema\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about threat intelligence schema\">threat intelligence schema<\/a>, threat intelligence feeds are made available to the Office 365 Management Activity API. This API gives visibility into user, admin, system, and policy actions and events from Office 365 and Azure\u00a0Active Directory activity logs. The Management Activity API also connects to a wide variety of security information and event management providers so that you have access to most of the data in Office 365 Threat Intelligence. You can use this information in your investigations to help understand and remediate a suspected breach.<\/p>\n<h3>Scenario: Office 365 threat protection to help prevent a malware attack<\/h3>\n<p>This Microsoft\u00a0<a class=\"c-hyperlink\" href=\"https:\/\/techcommunity.microsoft.com\/t5\/Security-Privacy-and-Compliance\/How-to-use-Office-365-threat-protection-services-to-help-prevent\/ba-p\/74571\" target=\"_blank\" rel=\"noopener\" aria-label=\"Read more about Security, Privacy and Compliance blog post\">Security, Privacy and Compliance blog post<\/a>\u00a0has an example of using threat intelligence and threat protection capabilities in Office 365 to help prevent a specific malware attack from occurring\u2014by using the end-to-end Office 365 Threat Protection stack. Features include:<\/p>\n<ul class=\"c-list\">\n<li><strong>Office 365 Exchange Online Protection.<\/strong>\u00a0Anti-virus signatures are updated to block the malware attack, based on known file hashes for this malware.<\/li>\n<li><strong>Office 365 Advanced Threat Protection.<\/strong>\u00a0ATP can catch new variants of a malware attack if email is the vehicle of attack. If new variants are detected in ATP, the anti-virus signatures are updated in Exchange Online Protection.\u00a0Also, Office 365\u00a0ATP works with Windows Defender ATP to help protect users and systems from attacks.<\/li>\n<li><strong>Office 365 Threat Intelligence.<\/strong>\u00a0Office 365 Threat Intelligence shows emails that were part of a malware campaign. Search for the malware family, if any emails related to the campaign targeted a tenant:\n<ol class=\"c-list\">\n<li>In the Office 365 Security and Compliance Center, under\u00a0<strong>Threat Management<\/strong>, click\u00a0<strong>Threat explorer<\/strong>.<\/li>\n<li>In Threat explorer, search for the malware family.<\/li>\n<li>If an instance of this family entered a tenant through Office 365, a graph will display it.<\/li>\n<\/ol>\n<\/li>\n<li><strong>Office 365 Advanced Security Management.<\/strong>\u00a0Create an activity policy to detect if a user renames, syncs, or uploads multiple files with a suspicious file extension to Office 365. Automatically suspend the user\u2019s account to help stop other encrypted files from being transferred.<\/li>\n<\/ul>\n<p>Together, the threat intelligence capabilities in Office 365 Threat Intelligence provide insights to help organizations proactively defend against advanced threats, malware, phishing, zero-day attacks, and other attacks.<\/p>\n<p>Now let\u2019s look specifically at how the CSEO organization uses threat intelligence to protect, detect, and respond to threats.<\/p>\n<h2>How Microsoft uses threat intelligence in Office 365<\/h2>\n<p>There are both producers and consumers of threat intelligence. As stated earlier, MSTIC is one of the main producers at Microsoft. They work with groups in Microsoft to help build threat intelligence data into solutions like Office 365 and Windows Defender.<\/p>\n<p>Within CSEO, we\u2019re primarily threat intelligence consumers. We analyze signals that we get and do operational response based on analysis. We process more than 15 billion security events on a given day and manage:<\/p>\n<ul class=\"c-list\">\n<li>More than 600,000 devices for more than 150,000 users.<\/li>\n<li>Devices and users in more than 100 countries and regions.<\/li>\n<\/ul>\n<p>Within Microsoft, the Digital Security and Risk Engineering (DSRE) team was developed to help ensure that all the company\u2019s information and services are protected, secured, and available for appropriate use through innovation and a robust risk prevention framework. Across CSEO and throughout the company, DSRE is continually evolving the security strategy and taking actions to protect our assets and the data of our customers.<\/p>\n<p>The Office 365 security stack provides insights to help organizations\u2014including CSEO and DSRE\u2014proactively defend against advanced threats, malware, phishing, zero-day attacks, and other attacks. For example, CSEO uses technologies in the Office 365 security stack such as:<\/p>\n<ul class=\"c-list\">\n<li>Office 365 Advanced Threat Protection<\/li>\n<li>Exchange Online Protection in Office 365<\/li>\n<li>Office 365 Threat Intelligence<\/li>\n<\/ul>\n<p>All of these technologies have threat intelligence built in.<\/p>\n<p>Let\u2019s look at how the CSEO organization uses Office 365 threat protection capabilities to detect, investigate, and remediate threats.<\/p>\n<h3>How Microsoft uses threat intelligence technologies<\/h3>\n<p>We use a combination of threat intelligence technologies and related processes in Office 365 such as:<\/p>\n<ul class=\"c-list\">\n<li>Office 365 Advanced Threat Protection for preventing exposure to unknown threats, together with Exchange Online Protection in Office 365 for preventing signature-based malware. Exchange Online Protection handles the large volume of attacks, and Advanced Threat Protection has extra capabilities built on top of Exchange Online Protection to handle the sophistication of certain types of attacks. Both are tightly integrated with Office 365 Threat Intelligence.<\/li>\n<li>Office 365 Threat Intelligence and Threat explorer in Office 365 Threat Intelligence for gaining better visibility into the cybersecurity landscape and for context and prioritization, which help us investigate and quickly respond to threats.<\/li>\n<\/ul>\n<h4>How Office 365 Advanced Threat Protection and Exchange Online Protection help us<\/h4>\n<p>Ninety-nine percent of our mailboxes are in Exchange Online. We use the entire Office 365 email protection suite including Office 365 Advanced Threat Protection and Exchange Online Protection.<\/p>\n<p>Email that contains unsafe attachments and links can carry many advanced threats like zero-day attacks and advanced phishing campaigns. We need to get ahead of these threats for our employees. To proactively defend against the sophistication and volume of attacks, we use Office 365 Advanced Threat Protection and Exchange Online Protection. Based on the visibility we get, we apply security policies in organizations across Microsoft. We use ATP and EOP to:<\/p>\n<ul class=\"c-list\">\n<li>Enable the Safe Links policy, which gives time-of-click protection against malicious URLs. ATP\u2019s Safe Links feature protects anyone who clicks. Malicious links are dynamically blocked while good links can be accessed.<\/li>\n<li>Enable the Safe Attachments policy. With ATP\u2019s Safe Attachments, potentially malicious files are opened in an isolated environment to see if they\u2019re malicious. Messages and attachments without a known virus\/malware signature are routed to the isolated environment, where behavior analysis and machine learning help detect malicious intent. If no suspicious activity is detected, the message is released for mailbox delivery.<\/li>\n<li>Reporting and tracing. With reporting and message tracing, we investigate messages that have been blocked because of an unknown virus or malware. The URL trace capability helps us track individual malicious links that have been clicked.<\/li>\n<\/ul>\n<h4>How Threat explorer in Office 365 Threat Intelligence is a game-changer for Microsoft<\/h4>\n<p>The recently released Threat explorer in Office 365 Threat Intelligence has transformed how CSEO detects, investigates, and responds to email threats. It gives us insights into top threat families, top sender domains, protection status, and top targeted users.<\/p>\n<h5>Core part of our security investigation<\/h5>\n<p>Threat explorer has become critical to our security investigations. As we identify related emails, our security team can quickly group them into an incident and take action.<\/p>\n<h5>Easier searches for better visibility of issues that are happening and how to tackle them<\/h5>\n<p>Before Threat explorer, two teams were engaged to respond to email threats: the Security Operations Center Team and the Email Service Delivery team. The SOC provided the Email Service Delivery team criteria to search across all mailboxes. After going through the search results, malicious emails were identified and asked to be deleted. If only malicious emails were returned, a blocking rule was added to protect against the same threat in the future. If legitimate emails were also returned, the search criteria had to be modified, a new search had to be performed, and the cycle would continue.<\/p>\n<p>This was time consuming because Microsoft has more than 300,000 mailboxes in Exchange Online. Each email had to be searched to see if there was a match.<\/p>\n<p>Threat explorer drastically simplified this process. The SOC can do targeted searches itself and get results back in a fraction of the time. This dramatically reduces the time to investigate an email and take action.<\/p>\n<h5>Self-service response for quicker, more efficient actions without having to rely on other teams<\/h5>\n<p>Taking action based on the results of an email search is an important step in our email investigations. Malicious emails left in user mailboxes are like ticking time bombs\u2014at any moment, people can open them and fall victim. The faster those emails can be removed or purged, the better.<\/p>\n<p>Before Threat explorer, response actions against email were limited to high-level user roles on the Email Service Delivery team. Now, the ability to take action is integrated directly into the incident pane. Because of Threat explorer, our security analysts can take direct action against emails to rapidly contain threats.<\/p>\n<h5>Integrated products, services, and information for quicker investigation and broader visibility<\/h5>\n<p>One example of integration is between Windows Defender ATP and Office 365. Let\u2019s look at a scenario. A security analyst investigates a behavioral alert. Windows Defender ATP identifies a malicious file that has come from email. Integration behind the scenes pulls email information from Office 365, including the date of the email, the sender address, the recipient address, and the email subject. For security analysts in large enterprises like ours, having this information available inside the Windows Defender ATP portal is invaluable and saves minutes or even hours trying to gather it in other ways. Windows Defender ATP charts the activity in the sequence it happened, making it quick to comprehend an action.<\/p>\n<p>Another example of this deep integration appears on the file metadata page in the Windows Defender ATP portal. If any email across the entire enterprise had that file as an attachment, an indicator and a link appears, which allows the analyst to continue investigating in Threat explorer. From there, the analyst can keep investigating to see if other systems are also compromised\u2014using the email as a link between the two systems. This is one of the big integration points between Windows Defender ATP and Threat explorer.<\/p>\n<h3>Benefits summary<\/h3>\n<p>The threat protection capabilities in Office 365, Office 365 Threat Intelligence, Exchange Online Protection, and Advanced Threat Protection have allowed CSEO to identify, investigate, and respond to attacks better than ever before. We can:<\/p>\n<ul class=\"c-list\">\n<li>Get greater visibility into indicators of compromise and the cyberthreat landscape.<\/li>\n<li>Rapidly identify email threats using Threat explorer and integration with Windows Defender ATP.<\/li>\n<li>Perform detailed investigations to precisely target the emails, users, and machines that were affected.<\/li>\n<li>More quickly detect and investigate threats, and respond with greater speed and efficiency to contain threats\u2014in minutes instead of hours or days.<\/li>\n<li>Respond more precisely to threats because of the increased visibility into indicators of compromise.<\/li>\n<\/ul>\n<h3>What we\u2019ve learned<\/h3>\n<p>Here\u2019s a quick summary of some of the lessons we\u2019ve learned about applying threat intelligence:<\/p>\n<ul class=\"c-list\">\n<li><strong>Give analysts as much context as possible around signals to save time and money<\/strong>. This helps us make sure we give an operator, analyst, or CISO the most context and prioritization that we can. They want to know what to address first and how, with as few resources and impact as possible.<\/li>\n<li><strong>Know what your own capabilities are to thwart attacks.<\/strong>\u00a0Sometimes people think threat intelligence is only about understanding an attacker. It\u2019s also important to collect information from internal systems and assets in your own organization and to prioritize security events that affect your key services.<\/li>\n<li><strong>Know your trade-offs with each security provider you use.<\/strong>\u00a0There are many companies that do threat intelligence and provide a feed of indicators that can be matched against email, network traffic, or indicators on the host. The challenges we\u2019ve found are that:\n<ul class=\"c-list\">\n<li>They often use automation that doesn\u2019t provide the context needed to understand the priority and relevance to your organization. We don\u2019t know why an indicator is bad because there\u2019s no context.<\/li>\n<li>There usually isn\u2019t a confidence-level rating. People report threats, but today\u2019s threats might not be relevant tomorrow. Or there might not be context, which can affect the quality and accuracy of the results. All these factors affect the confidence level and trustworthiness of the threat indicators.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>What\u2019s next for Office 365 Threat Intelligence?<\/h2>\n<p>Microsoft is constantly enhancing the ability to identify, prioritize, and respond to the biggest threats to the company and to our customers. For Office 365 Threat Intelligence our roadmap includes new capabilities such as:<\/p>\n<ul class=\"c-list\">\n<li>Expand threat intelligence across the Office 365 productivity suite, beyond email.<\/li>\n<li>Give a more proactive understanding of the threat landscape to drive policy recommendations before an incident happens. These recommendations help organizations adjust and update their policies to align with the evolving threat landscape.<\/li>\n<li>Create alerts from identified patterns for the security team, threat hunters, and high-level analysts to investigate.<\/li>\n<li>Detect low-prevalence, new, and targeted campaigns; detect anomalies in account usage.<\/li>\n<li>Create add to block-list capabilities.<\/li>\n<li>Understand the most vulnerable points or targets within a tenant to enable better and stronger protection.<\/li>\n<li>Provide further insight into the attacker origin and location.<\/li>\n<\/ul>\n<h2>Summary<\/h2>\n<p>Cyberthreats are ongoing, and protection is paramount. Microsoft has built a security and threat intelligence framework based on billions of signals that it gathers. Threat intelligence is infused into products and services like Office 365, Windows, and Exchange Online Protection\u2014with the context, relevance, and prioritization that help people make proactive decisions. Even organizations without threat managers, threat analysts, or a formal threat intelligence program can use the threat intelligence that\u2019s available in many Microsoft products and services to help protect, detect, and respond to cyberincidents that affect software, people, and organizations worldwide.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft. To combat cyber attacks and protect against urgent threats, Microsoft amasses billions of signals for a holistic view of the security ecosystem\u2014giving our company and customers relevant, contextual [&hellip;]<\/p>\n","protected":false},"author":146,"featured_media":10716,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"_hide_featured_on_single":false,"_show_featured_caption_on_single":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[1],"tags":[],"coauthors":[674],"class_list":["post-10707","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","m-blog-post"],"jetpack_publicize_connections":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Microsoft uses threat intelligence to protect, detect, and respond to threats - Inside Track Blog<\/title>\n<meta name=\"description\" content=\"To combat cyber attacks and protect against urgent threats, Microsoft amasses billions of signals for a holistic view of the security ecosystem\u2014giving our company and customers relevant, contextual threat intelligence that\u2019s built into products like Office 365, Windows, and Azure. To more quickly detect, investigate, and respond to email threats, Microsoft uses Threat Explorer in Office 365 Threat Intelligence for broad threat visibility, along with Office 365 Advanced Threat Protection and Exchange Online Protection.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft uses threat intelligence to protect, detect, and respond to threats - Inside Track Blog\" \/>\n<meta property=\"og:description\" content=\"To combat cyber attacks and protect against urgent threats, Microsoft amasses billions of signals for a holistic view of the security ecosystem\u2014giving our company and customers relevant, contextual threat intelligence that\u2019s built into products like Office 365, Windows, and Azure. To more quickly detect, investigate, and respond to email threats, Microsoft uses Threat Explorer in Office 365 Threat Intelligence for broad threat visibility, along with Office 365 Advanced Threat Protection and Exchange Online Protection.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/\" \/>\n<meta property=\"og:site_name\" content=\"Inside Track Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-09-27T23:12:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-06-15T22:17:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-hero.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1040\" \/>\n\t<meta property=\"og:image:height\" content=\"585\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Inside Track \u2013 retired stories\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Inside Track \u2013 retired stories\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"22 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/\",\"name\":\"Microsoft uses threat intelligence to protect, detect, and respond to threats - Inside Track Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-hero.jpg\",\"datePublished\":\"2018-09-27T23:12:11+00:00\",\"dateModified\":\"2023-06-15T22:17:29+00:00\",\"author\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/59e5f7b07dae629412c990cc1a63b575\"},\"description\":\"To combat cyber attacks and protect against urgent threats, Microsoft amasses billions of signals for a holistic view of the security ecosystem\u2014giving our company and customers relevant, contextual threat intelligence that\u2019s built into products like Office 365, Windows, and Azure. To more quickly detect, investigate, and respond to email threats, Microsoft uses Threat Explorer in Office 365 Threat Intelligence for broad threat visibility, along with Office 365 Advanced Threat Protection and Exchange Online Protection.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-hero.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-hero.jpg\",\"width\":1040,\"height\":585,\"caption\":\"Microsoft Cyber Defense Operations Center.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft uses threat intelligence to protect, detect, and respond to threats\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/\",\"name\":\"Inside Track Blog\",\"description\":\"How Microsoft does IT\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/59e5f7b07dae629412c990cc1a63b575\",\"name\":\"Inside Track \u2013 retired stories\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/image\/ee0de87c339052d5d84852473bd7f213\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/24a8c329ab32afd1bc23fd1658d1acc2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/24a8c329ab32afd1bc23fd1658d1acc2?s=96&d=mm&r=g\",\"caption\":\"Inside Track \u2013 retired stories\"},\"description\":\"The content on this page was crafted to highlight a specific moment in time or the solutions that have led us to where we are today. It offers valuable insights into our journey and the progress made over the years. Check out the Inside Track blog page for our up-to-date stories around Microsoft.\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/insidetrackarchive\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft uses threat intelligence to protect, detect, and respond to threats - Inside Track Blog","description":"To combat cyber attacks and protect against urgent threats, Microsoft amasses billions of signals for a holistic view of the security ecosystem\u2014giving our company and customers relevant, contextual threat intelligence that\u2019s built into products like Office 365, Windows, and Azure. To more quickly detect, investigate, and respond to email threats, Microsoft uses Threat Explorer in Office 365 Threat Intelligence for broad threat visibility, along with Office 365 Advanced Threat Protection and Exchange Online Protection.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft uses threat intelligence to protect, detect, and respond to threats - Inside Track Blog","og_description":"To combat cyber attacks and protect against urgent threats, Microsoft amasses billions of signals for a holistic view of the security ecosystem\u2014giving our company and customers relevant, contextual threat intelligence that\u2019s built into products like Office 365, Windows, and Azure. To more quickly detect, investigate, and respond to email threats, Microsoft uses Threat Explorer in Office 365 Threat Intelligence for broad threat visibility, along with Office 365 Advanced Threat Protection and Exchange Online Protection.","og_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/","og_site_name":"Inside Track Blog","article_published_time":"2018-09-27T23:12:11+00:00","article_modified_time":"2023-06-15T22:17:29+00:00","og_image":[{"width":1040,"height":585,"url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-hero.jpg","type":"image\/jpeg"}],"author":"Inside Track \u2013 retired stories","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Inside Track \u2013 retired stories","Est. reading time":"22 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/","name":"Microsoft uses threat intelligence to protect, detect, and respond to threats - Inside Track Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-hero.jpg","datePublished":"2018-09-27T23:12:11+00:00","dateModified":"2023-06-15T22:17:29+00:00","author":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/59e5f7b07dae629412c990cc1a63b575"},"description":"To combat cyber attacks and protect against urgent threats, Microsoft amasses billions of signals for a holistic view of the security ecosystem\u2014giving our company and customers relevant, contextual threat intelligence that\u2019s built into products like Office 365, Windows, and Azure. To more quickly detect, investigate, and respond to email threats, Microsoft uses Threat Explorer in Office 365 Threat Intelligence for broad threat visibility, along with Office 365 Advanced Threat Protection and Exchange Online Protection.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/#primaryimage","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-hero.jpg","contentUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-hero.jpg","width":1040,"height":585,"caption":"Microsoft Cyber Defense Operations Center."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/insidetrack\/blog\/"},{"@type":"ListItem","position":2,"name":"Microsoft uses threat intelligence to protect, detect, and respond to threats"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/","name":"Inside Track Blog","description":"How Microsoft does IT","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/59e5f7b07dae629412c990cc1a63b575","name":"Inside Track \u2013 retired stories","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/image\/ee0de87c339052d5d84852473bd7f213","url":"https:\/\/secure.gravatar.com\/avatar\/24a8c329ab32afd1bc23fd1658d1acc2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/24a8c329ab32afd1bc23fd1658d1acc2?s=96&d=mm&r=g","caption":"Inside Track \u2013 retired stories"},"description":"The content on this page was crafted to highlight a specific moment in time or the solutions that have led us to where we are today. It offers valuable insights into our journey and the progress made over the years. Check out the Inside Track blog page for our up-to-date stories around Microsoft.","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/insidetrackarchive\/"}]}},"jetpack_featured_media_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/7596-hero.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9hcZA-2MH","_links":{"self":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/10707"}],"collection":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/users\/146"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/comments?post=10707"}],"version-history":[{"count":4,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/10707\/revisions"}],"predecessor-version":[{"id":10889,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/10707\/revisions\/10889"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media\/10716"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media?parent=10707"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/categories?post=10707"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/tags?post=10707"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/coauthors?post=10707"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}