News

Office 365 Threat Intelligence Service Now Has Threat Tracker Capability

• By Kurt Mackie
• 05/31/2018

Microsoft on Wednesday announced the general availability of Threat Tracker for the Office 365 Threat Intelligence service.

The Office 365 Threat Intelligence service is used for security tracking and compliance purposes, providing insights into malware and phishing attempts in e-mail, as well as end user behavior. It works with the Exchange Online and SharePoint Online services.

Threat Tracker is a new component in the Office 365 Threat Intelligence service, which gets accessed using the Office 365 Security and Compliance Center Web portal. Threat Tracker was one of the developments announced during Microsoft's September Ignite event last year, according to this list compiled by Office 365 and Azure consulting firm MessageOps.

The Office 365 Threat Intelligence service has four Threat Tracker views with their own graphical displays. The four views are called "Noteworthy Campaigns," "Trending Campaigns," "Saved Query" and "Tracked Query."

The Noteworthy Campaigns view is an automated monitoring process with remediation capabilities that shows big attacks, such as the Petya and WannaCry malware. The Trending Campaigns view is a tenant-level view of trends classified by malware families, showing "new and targeted threats that are observed in your organization." Organizations can be assured they are being targeted if the "targeting percentage is more than 10 percent," according to the announcement. There's also a Saved Query view for the research that IT pros conduct, as well as a Tracked Query view for selected threats, such as malware and phishing attempts.

Tracked queries will continue to run, in contrast to saved queries, according to a demo explanation by John Engels, a senior program manager at Microsoft, who helped create the Threat Tracker feature. Engels showed off Threat Tracker in this May 30 on-demand Microsoft video (requires sign-up). The demo of Threat Tracker happens about midway through the video.

Microsoft commercially released the Office 365 Threat Intelligence service last year. It's offered via Office 365 Enterprise E5 subscription plans, or the licensing can be purchased as an add-on subscription, according to this Microsoft document. Office 365 Threat Intelligence has other tools besides Threat Tracker, notably its Threat Explorer and Attack Simulator components. The Attack Simulator tool adds a little fun by letting IT pros simulate three different kinds of attack scenarios (phish, brute force and cracking) on end users to discover any potential weaknesses.

During the video, Debraj Ghosh, senior product marketing manager at Microsoft, said that Microsoft is planning to add more attack scenarios to the Attack Simulator tool in "the next few months."

Microsoft's various security products are typically interrelated, making it difficult to figure out which does what. The Office 365 Threat Intelligence service, for instance, works with the Exchange Online Protection service and the Office 365 Advanced Threat Protection service, both of which handle different aspects of security. The underlying technology behind them is the Microsoft Security Graph. This slide from the video outlines that relationship:

The "graph" term was recently defined by Microsoft as a "cloud-backed data store" that gets assessed using artificial intelligence. The Microsoft Security Graph also gets supplemented by security analysis from the team at the Microsoft Threat Intelligence Center. 

Microsoft uses Office 365 Advanced Threat Protection to find unknown threats, while Office 365 Threat Intelligence is used to get "better visibility into the cybersecurity landscape," according to a description in this Microsoft "IT Showcase" publication.