Threat Analytics
Stay informed about emerging threats and active attack campaigns with Microsoft threat intelligence. Threat analytics provides expert analysis of current threats, your organization’s exposure, and recommended mitigations.
Note: Threat analytics reports are authored by Microsoft security researchers who track nation-state actors, cybercrime groups, and emerging attack techniques worldwide.
Report Categories
Threat Actors
Profiles of known threat groups, including nation-state APTs, financially motivated criminals, and hacktivists. Each profile covers the group's TTPs, targets, and historical campaigns.
Attack Campaigns
Active or recent attack campaigns being tracked globally. Each campaign entry covers IOCs, targeted industries, and geographic distribution.
Vulnerabilities
Analysis of critical CVEs, exploitation trends, and which vulnerabilities are actively weaponized in the wild.
Tool Analysis
Deep dives into malware families, attack frameworks, and tools commonly used by adversaries.
Report Structure
Overview
- Executive summary of the threat
- Severity and urgency assessment
- Industries and regions most affected
- Timeline of activity
Analyst Report
- Detailed technical analysis
- Attack chain and techniques (MITRE ATT&CK mapping)
- Code snippets and behavior descriptions
- Attribution and actor connections
Organizational Impact
- Devices in your environment that match threat indicators
- Users who may have been exposed
- Emails containing threat artifacts
- Vulnerable assets count
Mitigations
- Specific configuration recommendations
- Links to relevant security policies
- Hunting queries to detect activity
- Remediation steps for affected assets
Exposure Assessment
- Impacted Assets — Devices or users showing signs of threat activity
- At Risk — Assets vulnerable to the threat but not yet impacted
- Protected — Assets with mitigations already in place
Exposure Breakdown
Each threat report shows your specific exposure based on:
- Missing security updates or patches
- Security configurations not meeting recommendations
- Detection of threat IOCs in your environment
- Vulnerable software versions installed
Mitigation Tracking
Track your progress implementing recommended mitigations:
- Security Updates — Device patches (75% complete)
- Configuration Changes — Policy settings (45% complete)
- Detection Coverage — Sensors deployed (90% complete)
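A worked example of how the Exposure Breakdown tiers and the mitigation-tracking percentages above can be computed from an inventory. This is an added example, not the product's own code: the report requirements (placeholder update identifiers, configuration keys, the affected version range, the file IOC) and the four-device inventory are all constructed assumptions, and the ranking rule (an observed IOC makes a device Impacted, any unmet requirement makes it At Risk, otherwise Protected) is the interpretation of the Exposure Assessment section used here.

```python
"""Classify devices into Impacted / At Risk / Protected and compute mitigation
progress. Added example; REPORT and DEVICES are constructed data."""
from dataclasses import dataclass

# Constructed threat report requirements (placeholder identifiers, not real KBs or IOCs).
REPORT = {
    "required_updates": {"KB-PLACEHOLDER-001", "KB-PLACEHOLDER-002"},
    "required_config": {"asr_block_office_child_processes": True, "lsa_protection": True},
    "vulnerable_software": {"examplesuite": ("3.0.0", "3.4.1")},  # inclusive affected range
    "file_iocs": {"a" * 64},  # placeholder SHA256
}


@dataclass
class Device:
    name: str
    installed_updates: set
    config: dict
    software: dict        # product -> installed version
    observed_hashes: set  # SHA256 values reported by the endpoint sensor
    has_sensor: bool


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def exposure_reasons(device, report):
    """Return the Exposure Breakdown reasons (patches, config, software) that apply."""
    reasons = []
    missing = report["required_updates"] - device.installed_updates
    if missing:
        reasons.append(f"missing updates: {sorted(missing)}")
    for key, wanted in report["required_config"].items():
        if device.config.get(key) != wanted:
            reasons.append(f"config {key} should be {wanted}")
    for product, (low, high) in report["vulnerable_software"].items():
        ver = device.software.get(product)
        if ver and parse_version(low) <= parse_version(ver) <= parse_version(high):
            reasons.append(f"vulnerable {product} {ver}")
    return reasons


def classify(device, report):
    """Impacted outranks At Risk, which outranks Protected."""
    if device.observed_hashes & report["file_iocs"]:
        return "impacted", ["threat IOC observed on device"]
    reasons = exposure_reasons(device, report)
    return ("at_risk", reasons) if reasons else ("protected", [])


def exposure_summary(devices, report):
    summary = {"impacted": [], "at_risk": [], "protected": []}
    for d in devices:
        summary[classify(d, report)[0]].append(d.name)
    return summary


def mitigation_progress(devices, report):
    """Percent of devices satisfying each mitigation category (the tracking dashboard)."""
    total = len(devices)
    cfg = report["required_config"].items()
    patched = sum(report["required_updates"] <= d.installed_updates for d in devices)
    configured = sum(all(d.config.get(k) == v for k, v in cfg) for d in devices)
    sensors = sum(d.has_sensor for d in devices)
    return {
        "security_updates": round(100 * patched / total),
        "configuration_changes": round(100 * configured / total),
        "detection_coverage": round(100 * sensors / total),
    }


ALL_UPDATES = {"KB-PLACEHOLDER-001", "KB-PLACEHOLDER-002"}
GOOD_CFG = {"asr_block_office_child_processes": True, "lsa_protection": True}
DEVICES = [  # constructed inventory
    Device("ws01", set(ALL_UPDATES), dict(GOOD_CFG), {"examplesuite": "3.5.0"}, set(), True),
    Device("ws02", {"KB-PLACEHOLDER-001"}, {"lsa_protection": False}, {"examplesuite": "3.2.0"}, set(), True),
    Device("srv01", set(ALL_UPDATES), dict(GOOD_CFG), {}, {"a" * 64}, True),
    Device("srv02", set(), dict(GOOD_CFG), {"examplesuite": "2.9.0"}, set(), False),
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.name, *classify(d, REPORT))
    print(exposure_summary(DEVICES, REPORT))
    print(mitigation_progress(DEVICES, REPORT))
```

The version check compares numeric tuples rather than strings so that 3.10.0 sorts after 3.9.9; a string comparison would misclassify such builds. The percentages are computed per device, matching how the dashboard reports "75% complete" for a category.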
MITRE ATT&CK Mapping
Each threat is mapped to the MITRE ATT&CK framework showing techniques used:
| Tactic | Techniques |
|---|---|
| Initial Access | Phishing, Exploit Public Apps |
| Execution | PowerShell, Scripting |
| Persistence | Registry Run Keys, Services |
| Privilege Escalation | Token Manipulation |
| Defense Evasion | Obfuscation, Disabling Tools |
| Credential Access | Credential Dumping |
| Lateral Movement | Pass-the-Hash, RDP |
| Exfiltration | C2 Channel, Web Service |
Indicators of Compromise
File Indicators
SHA256 hashes of malicious files. Auto-blocked by Defender.
Network Indicators
Domains, URLs, and IP addresses associated with threat infrastructure.
Email Indicators
Sender addresses, subject lines, and attachment characteristics.
Behavioral Indicators
Process behaviors, registry modifications, and network patterns.
Actions
Run Hunting Query
Execute provided hunting queries to search for threat activity in your environment. Results show potentially affected assets.
View Affected Assets
Drill into the list of impacted devices, users, or mailboxes to prioritize investigation and remediation.
Apply Mitigations
Direct links to deploy recommended security configurations, patches, or policies to reduce exposure.
Create Alert Rule
Convert threat indicators into custom detection rules for ongoing monitoring after the campaign ends.
Best Practices
- Review reports regularly — Check threat analytics weekly to stay informed about relevant threats.
- Prioritize by exposure — Focus first on threats where you have impacted or at-risk assets.
- Track mitigation progress — Use the mitigation dashboard to ensure recommendations are implemented.
- Share relevant reports — Distribute threat information to stakeholders for awareness.
API Reference
- GET /api/security/threat-analytics/reports — List all threat analytics reports
- GET /api/security/threat-analytics/reports/:id — Get detailed threat report
- GET /api/security/threat-analytics/exposure — Get organization exposure summary
- GET /api/security/threat-analytics/mitigations — Get mitigation status and recommendations
- GET /api/security/threat-analytics/iocs/:reportId — Get IOCs for a specific threat
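The IOC matching behind the Indicators of Compromise categories and the Run Hunting Query, View Affected Assets and Create Alert Rule actions, as an added example that is not the product's own code. The JSON body is a constructed stand-in for what GET /api/security/threat-analytics/iocs/:reportId might return (its shape, the placeholder hash and the example addresses are assumptions), the key=value log lines are constructed, and the table and column names in the generated queries assume the Defender advanced hunting schema.

```python
"""Match a threat report's IOCs against local telemetry and render them as
hunting queries. Added example; the IOC response shape and log lines are constructed."""
import json
import re

# Constructed stand-in for a response from /api/security/threat-analytics/iocs/:reportId
# (the real response shape is an assumption; the hash is a placeholder).
IOC_RESPONSE = json.dumps({
    "reportId": "EXAMPLE-REPORT-001",
    "file": ["c" * 64],
    "network": {"domains": ["update-check.example"], "ips": ["203.0.113.45"]},
    "email": {"senders": ["invoice@mail.example"], "subjects": ["Overdue invoice"]},
})

# Constructed key=value telemetry lines (the format is assumed, not the product's).
LOG_LINES = [
    f"ProcessCreate host=ws02 sha256={'c' * 64} image=inv.exe",
    "NetworkConnect host=ws02 dst=203.0.113.45:443 proto=tcp",
    "DnsQuery host=srv01 name=update-check.example",
    'EmailReceived mailbox=a.user@corp.example sender=invoice@mail.example subject="Overdue invoice"',
    "NetworkConnect host=ws01 dst=198.51.100.7:443 proto=tcp",
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    event, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["event"] = event
    return fields


def load_iocs(body):
    """Normalise the report's IOCs into per-category sets (hashes lower-cased)."""
    doc = json.loads(body)
    return {
        "file": {h.lower() for h in doc["file"]},
        "domain": set(doc["network"]["domains"]),
        "ip": set(doc["network"]["ips"]),
        "sender": set(doc["email"]["senders"]),
        "subject": set(doc["email"]["subjects"]),
    }


def match_iocs(lines, iocs):
    """One hit per (line, indicator); the asset is the host or mailbox on the line."""
    hits = []
    for i, line in enumerate(lines):
        f = parse_line(line)
        asset = f.get("host") or f.get("mailbox")
        candidates = [
            ("file", f.get("sha256", "").lower()),
            ("ip", f.get("dst", "").rsplit(":", 1)[0]),  # strip the port
            ("domain", f.get("name", "")),
            ("sender", f.get("sender", "")),
            ("subject", f.get("subject", "")),
        ]
        for category, value in candidates:
            if value and value in iocs[category]:
                hits.append({"line": i, "category": category, "indicator": value, "asset": asset})
    return hits


def affected_assets(hits):
    """Distinct devices and mailboxes to drill into (View Affected Assets)."""
    return {h["asset"] for h in hits}


def build_hunting_queries(iocs):
    """Render the IOC set as advanced-hunting style queries for a custom detection
    rule (Create Alert Rule); table and column names are assumed."""
    def lst(values):
        return ", ".join(f'"{v}"' for v in sorted(values))
    return [
        f"DeviceFileEvents | where SHA256 in~ ({lst(iocs['file'])})",
        f"DeviceNetworkEvents | where RemoteIP in ({lst(iocs['ip'])}) "
        f"or RemoteUrl has_any ({lst(iocs['domain'])})",
        f"EmailEvents | where SenderFromAddress in~ ({lst(iocs['sender'])}) "
        f"or Subject in~ ({lst(iocs['subject'])})",
    ]


if __name__ == "__main__":
    iocs = load_iocs(IOC_RESPONSE)
    hits = match_iocs(LOG_LINES, iocs)
    for h in hits:
        print(h)
    print("affected:", sorted(affected_assets(hits)))
    print("\n".join(build_hunting_queries(iocs)))
```

Hashes are lower-cased on both sides before comparison because sensors and reports do not agree on case, and the destination port is stripped before the IP lookup; both are common reasons an IOC sweep silently misses. Keeping one hit per indicator rather than per line preserves which indicator fired, which is what an analyst wants when triaging the affected-asset list.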