In the ever-evolving landscape of cyberthreats, security teams grapple with a persistent challenge: turning unstructured threat knowledge into effective defensive action. Incident reports, red team breach write-ups, public threat intelligence feeds, and actor profiles all contain invaluable information — but the sheer volume and complexity of these documents often slow down analysis and delay defensive responses.
Traditionally, analysts would spend days manually parsing dense reports, extracting adversary tactics, techniques, and procedures (TTPs), aligning them with known frameworks like MITRE ATT&CK, and determining how existing detection tools map to those behaviors. This effort — while crucial — is time-consuming and prone to oversight.
To address this, the Microsoft Defender Security Research Team has introduced an AI-assisted workflow designed to accelerate and enhance detection engineering by automatically converting descriptive threat reports into structured detection insights.
The Core Challenge: From Narrative to Detection
Security reports vary wildly in format — mixing prose, tables, screenshots, and code snippets. Analysts must not only read and understand these reports but also interpret what telemetry is needed to detect each adversary behavior described. This often involves:
- Identifying and extracting TTPs from raw text.
- Mapping those behaviors to a standard taxonomy (such as MITRE ATT&CK).
- Comparing them with an organization’s existing detection catalog to identify gaps or overlaps.
It’s an important but labor-intensive workflow — and it’s here that AI can make a meaningful impact.
How the AI-Assisted Workflow Works
At a high level, the workflow follows three major stages:
- TTP and Metadata Extraction
The system ingests documents of various formats and breaks them into machine-readable segments, preserving structure and context. Using specialized Large Language Model (LLM) prompts, it identifies candidate TTPs — such as specific adversary behaviors — and important metadata like required telemetry and relevant cloud stack layers.
- Normalization and MITRE ATT&CK Mapping
Extracted candidate behaviors are then validated and mapped to precise MITRE ATT&CK technique identifiers. This standardization makes it easier for security teams to compare and analyze behaviors consistently across reports. A focused approach is used — often one behavior per LLM call — to maintain mapping accuracy.
- Detection Coverage Analysis
Once TTPs are mapped, the workflow checks whether existing detections cover them. It uses a two-step approach:
  - A vector similarity search to find candidate matches in the current detection catalog.
  - An LLM-based validation step to refine those matches and separate likely covered behaviors from detection gaps.
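The two-step coverage check described above, written out as an added example (not Microsoft's code): a bag-of-words cosine similarity stands in for the embedding-based vector search, and a deterministic rule (same ATT&CK technique ID plus a similarity threshold) stands in for the LLM validation step. The detection catalog and the extracted behaviors are constructed sample data; the ATT&CK IDs are real technique identifiers chosen for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample detection catalog (not a real product's); ATT&CK IDs are real technique IDs.
DETECTION_CATALOG = [
    {"id": "DET-001", "technique": "T1059.001",
     "text": "PowerShell launched with encoded command and hidden window"},
    {"id": "DET-002", "technique": "T1053.005",
     "text": "Scheduled task created to run a script from a user-writable directory"},
    {"id": "DET-003", "technique": "T1078.004",
     "text": "Cloud account sign-in from an anomalous location followed by role assignment"},
]

# Constructed behaviours as the extraction + mapping stages might emit them.
EXTRACTED_TTPS = [
    {"technique": "T1059.001",
     "text": "The actor ran an encoded PowerShell command with the window hidden"},
    {"technique": "T1003.001",
     "text": "Credential dumping from LSASS process memory using a renamed utility"},
    {"technique": "T1053.005",
     "text": "Persistence via a scheduled task running a script in the user's temp directory"},
]

def vectorize(text):
    """Term-frequency bag-of-words vector; a stand-in for an embedding model."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))

def cosine(a, b):
    """Cosine similarity between two sparse term-frequency vectors (0.0 if either is empty)."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def coverage_report(ttps, catalog, threshold=0.3):
    """Step 1: nearest-neighbour search over the catalog for each extracted behaviour.
    Step 2: validate the candidate. Here validation is a deterministic rule (matching
    ATT&CK technique ID and similarity >= threshold) in place of the LLM validation step."""
    results = []
    for ttp in ttps:
        query = vectorize(ttp["text"])
        best = max(catalog, key=lambda d: cosine(query, vectorize(d["text"])))
        score = cosine(query, vectorize(best["text"]))
        covered = best["technique"] == ttp["technique"] and score >= threshold
        results.append({"technique": ttp["technique"], "candidate": best["id"],
                        "similarity": round(score, 2), "status": "covered" if covered else "gap"})
    return results

if __name__ == "__main__":
    for row in coverage_report(EXTRACTED_TTPS, DETECTION_CATALOG):
        print(row)  # the LSASS behaviour lands as a gap: nearest detection is for a different technique
```

Rows marked "gap" are the starting point for a human analyst; rows marked "covered" still need confirming against real telemetry, as the post stresses.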
The goal isn’t to replace human analysts but to give them a structured, high-quality starting point so they can focus on what only expert defenders can do: validate findings against real telemetry, confirm detection logic, and tune rules for operational environments.
What This Means for Security Teams
By automating the early stages of analysis, AI helps reduce the turnaround time from receiving a threat report to generating meaningful defensive actions. Teams can:
- Rapidly uncover and interpret relevant TTPs from complex content.
- Understand where existing protections are already effective.
- Spot gaps where new detections or tunings are needed.
Importantly, this workflow also emphasizes human-in-the-loop validation. While AI accelerates the heavy lifting, final confirmation still requires human expertise and real-world validation against telemetry. This ensures accuracy — especially for high-impact detection decisions.
Real-World Impact
In a world where threat actors continuously innovate and adapt, defenders must keep pace. Automated analysis powered by AI enables security teams to transform yesterday’s narrative reports into tomorrow’s protective rules — not just faster, but with more context and clarity.
By combining LLM speed with expert validation, organizations can scale their detection engineering workflows and stay ahead of adversaries without overwhelming their analysts. In an age where every minute counts, accelerating detection insights from reports isn’t just helpful — it’s essential.
