3.6 Threat Analytics

50 minutes · Module 3 · Free

Threat Analytics

Threat Analytics is the intelligence layer of the Defender portal. It shows active threat campaigns affecting organisations globally, maps them to your environment, and tells you whether you are exposed.

Unlike the incident queue (which is reactive — something already happened), Threat Analytics is proactive. It answers: “Is this new ransomware campaign that is hitting other organisations going to hit us? Are we protected?”

What you see

Each threat report contains:

Overview — a summary of the campaign, the threat actor (if attributed), the attack techniques used, and the geographic distribution. Written by Microsoft’s threat intelligence team.

Analyst report — the full technical analysis with indicators of compromise (IOCs), MITRE ATT&CK mapping, and a detailed attack chain.

Exposure and mitigations — the critical section. This tells you how many of your devices, users, and mailboxes are exposed to this specific threat, and which of the recommended mitigations you have deployed versus which you are still missing.

[Illustration: THREAT ANALYTICS — EXPOSURE ASSESSMENT. Active campaign: AiTM phishing via Tycoon kit. Your exposure: 247 users lack phishing-resistant MFA. Recommended mitigations: deploy FIDO2, block legacy auth.]

Threat Analytics connects global threat intelligence to your specific environment. Review weekly. Prioritise mitigations for active campaigns targeting your industry.

How to use Threat Analytics operationally

Weekly review: Check the latest threat reports. Filter by relevance to your industry and geography. For each active campaign, check your exposure score and action the missing mitigations.

During incidents: When you are investigating an attack, check Threat Analytics to see if it matches a known campaign. Matching a known campaign gives you the full playbook — IOCs, TTPs, and expected next steps — without starting from scratch.

Reporting to leadership: The exposure metrics from Threat Analytics translate directly into executive-level risk communication. “We are exposed to the current AiTM campaign affecting financial services — 247 users lack phishing-resistant MFA” is actionable. “We need better security” is not.

Connect Threat Analytics to your hardening roadmap

If Threat Analytics shows you are exposed to a specific campaign, the recommended mitigations are your immediate hardening priorities. This is a data-driven alternative to generic hardening checklists — you are fixing the gaps that matter for the threats that are active right now.
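The weekly review, the leadership statement and the hardening roadmap above amount to one triage rule: filter to active campaigns that target your industry, then rank the missing mitigations by how much exposure each one closes. The script below is an added example written for this course page, not Microsoft code and not the Threat Analytics data schema; the report records are constructed, and the campaign names, industries and exposure counts are illustrative.

```python
from dataclasses import dataclass

# Constructed sample reports shaped after the report sections described above
# (overview, exposure counts, mitigations deployed vs missing). This is not the
# real Threat Analytics schema; campaign names and numbers are illustrative.
@dataclass
class ThreatReport:
    name: str
    active: bool
    industries: set            # industries the campaign is known to target
    exposed_users: int
    exposed_devices: int
    exposed_mailboxes: int
    mitigations_missing: list  # recommended mitigations we have not deployed
    mitigations_deployed: list

    def total_exposed(self):
        # Simple ranking weight: every exposed asset counts once.
        return self.exposed_users + self.exposed_devices + self.exposed_mailboxes

REPORTS = [
    ThreatReport("AiTM phishing via Tycoon kit", True, {"financial services"}, 247, 0, 247,
                 ["Phishing-resistant MFA (FIDO2)", "Block legacy auth"], ["Safe Links"]),
    ThreatReport("Credential phishing via QR codes", True, {"financial services", "retail"},
                 40, 0, 40, ["Phishing-resistant MFA (FIDO2)"], ["Block legacy auth"]),
    ThreatReport("Ransomware via exposed RDP", True, {"manufacturing", "healthcare"}, 12, 12, 0,
                 ["Block inbound RDP", "Attack surface reduction rules"], ["Tamper protection"]),
    ThreatReport("Retired macro campaign", False, {"financial services"}, 0, 3, 0,
                 ["Block Office macros from the internet"], []),
]

def relevant_reports(reports, industry):
    """Weekly review filter: active campaigns targeting our industry with non-zero exposure."""
    return [r for r in reports
            if r.active and industry in r.industries and r.total_exposed() > 0]

def prioritise_mitigations(reports, industry):
    """Rank missing mitigations by the exposure they would close. A mitigation missing
    for several active campaigns accumulates the exposure of each, so it rises to the top."""
    weight = {}
    for r in relevant_reports(reports, industry):
        for m in r.mitigations_missing:
            weight[m] = weight.get(m, 0) + r.total_exposed()
    return sorted(weight.items(), key=lambda kv: (-kv[1], kv[0]))

def executive_line(report, industry):
    """Exposure statement in the concrete form the page recommends for leadership."""
    return (f"We are exposed to the active '{report.name}' campaign affecting {industry}: "
            f"{report.exposed_users} users, {report.exposed_devices} devices and "
            f"{report.exposed_mailboxes} mailboxes exposed; missing: "
            + ", ".join(report.mitigations_missing) + ".")
```

Running `prioritise_mitigations(REPORTS, "financial services")` puts phishing-resistant MFA first because it is missing for two active campaigns, which is the roadmap ordering the section describes.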

Check your understanding

1. What does the "Exposure and mitigations" section of a Threat Analytics report tell you?

How many organisations globally are affected
How many of your specific devices, users, and mailboxes are exposed to this threat, and which mitigations you are missing
The MITRE ATT&CK techniques used

2. When should you check Threat Analytics during an investigation?

Only after the investigation is complete
Never — it is only for proactive review
When the attack matches a known pattern — Threat Analytics may provide IOCs, TTPs, and expected next steps from the same campaign