News

Microsoft Rolls Out New 'Threat Experts' Service

- By Kurt Mackie
- May 02, 2019
Microsoft's new threat-hunting service for organizations, dubbed Microsoft Threat Experts, is now generally available -- without the "experts" part.
The service has two elements: "targeted attack notifications" and "experts on demand." The targeted attack notifications part is ready for use in production environments, Microsoft announced this week. Targeted attack notifications are alerts that are sent by Microsoft about critical threats found in an organization's network. The notifications deliver information about a critical threat's "timeline, scope of breach and methods."
However, the experts-on-demand component of Microsoft Threat Experts is still at the limited preview stage. This component would give organizations the ability to ask knowledgeable personnel about critical threats. Here's how this Microsoft document explained it:
  The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved.
Organizations wanting the Microsoft Threat Experts service apparently get it via a subscription to the Windows Defender Advanced Threat Protection (ATP) service. Windows Defender ATP is a "post-breach detection, automated investigation and response" service that went GA back in 2016 for Windows 10, although Microsoft recently extended it to support Windows 7 and Windows 8.1 clients.
Windows Defender ATP is available via the top-tier Microsoft 365 E5 subscription plan. Back in March, Microsoft changed the name of Windows Defender ATP to "Microsoft Defender ATP" because it added support for Mac clients (at the preview stage), alongside Windows clients. However, Microsoft's documentation still generally uses the older Windows Defender ATP descriptor.
Even though Microsoft Threat Experts was declared as being at the GA stage (or half of it, at least), licensing details seem murky. Possibly, a Microsoft Premier technical support contract needs to be established -- at least to use the experts-on-demand aspect of the service. That idea is suggested in this Microsoft document as follows:
  To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview.
The Microsoft Premier contract requirement wasn't described. However, the experts-on-demand aspect of the service does allow organizations to connect with a Microsoft response team in certain cases, apparently at Microsoft's discretion, according to the document:
  Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that require an incident response.
Microsoft had originally unveiled Microsoft Threat Experts back in February, prior to the 2019 RSA Conference. The service is aimed at the security operations centers of organizations, offering a combination of machine learning and artificial intelligence to deliver threat detection alerts, as well as access to security personnel for interpretation of the threat data.
"Experts provide the insights our customers need to get additional clarification on alerts," explained Ann Johnson, corporate vice president for cybersecurity solutions at Microsoft, speaking at the time about the experts-on-demand element of the service.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.