Microsoft Threat Experts

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Threat Experts is a managed threat hunting service that provides your Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in your unique environments don't get missed.

This managed threat hunting service provides expert-driven insights and data through these two capabilities: endpoint attack notification and access to experts on demand.

Watch this video to learn how Microsoft Threat Experts provides Security Operation Centers (SOCs) with expert-level monitoring and analysis and ensures that no critical threat is missed.

Before you begin


Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service. Threat Experts is not currently available in the Microsoft 365 for U.S. Government clouds.

If you're a Microsoft Defender for Endpoint customer, you need to apply for Endpoint Attack Notifications to get special insights and analysis that help identify the most critical threats in your environment so you can respond to them quickly.

To enroll to Endpoint Attack Notifications benefits, go to Settings > Endpoints > General > Advanced features > Endpoint Attack Notifications to apply. Once accepted, you'll get the benefits of Endpoint Attack Notifications.

Contact your account team or Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand to consult with our threat experts on relevant detections and adversaries that your organization is facing.

See Configure Microsoft Threat Experts capabilities for details.

Endpoint attack notification

Endpoint Attack Notifications (previously referred to as Microsoft Threat Experts - Targeted Attack Notification) provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyber-espionage. These notifications show up as a new alert. The managed hunting service includes:

  • Threat monitoring and analysis, reducing dwell time and risk to the business
  • Hunter-trained artificial intelligence to discover and prioritize both known and unknown attacks
  • Identifying the most important risks, helping SOCs maximize time and energy
  • Scope of compromise and as much context as can be quickly delivered to enable fast SOC response.

Microsoft Threat Experts - Experts on Demand

Customers can engage our security experts directly from within Microsoft 365 Defender portal to get their response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to more threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can:

  • Get more clarification on alerts including root cause or scope of the incident
  • Gain clarity into suspicious device behavior and next steps if faced with an advanced attacker
  • Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques

The option to Ask Defender Experts is available in several places in the portal so you can engage with experts in the context of your investigation:

  • Help and support menu
  • Device page actions menu
  • Alerts page actions menu
  • File page actions menu


If you would like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Customer Success Account Manager.

Watch this video for a quick overview of the Microsoft Services Hub.

See also