Security teams routinely need to transform unstructured threat knowledge into concrete defensive action, and this post from the Microsoft Defender Security Research Team describes an AI-assisted workflow designed to accelerate detection analysis. It outlines how AI can generate a structured initial analysis from incident reports and threat writeups, extract candidate TTPs, and normalise them to a MITRE ATT&CK alignment.
The workflow combines vector similarity search with LLM-based validation to map extracted TTPs to detections and perform coverage and gap analysis against an existing detection catalog. It uses a three-stage process: TTP extraction, MITRE ATT&CK mapping, and detection mapping and gap analysis, with human-in-the-loop validation emphasised as essential.
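The third stage above, mapping normalised TTPs to a detection catalog by vector similarity and reporting the gaps, as an added illustration that is not code from the original post or from Microsoft. The catalog, the extracted technique texts and the similarity threshold are constructed for this example, and a bag-of-words cosine stands in for a real embedding model; hits are candidates for the LLM and human validation the post describes, not confirmed coverage.

```python
"""Map extracted ATT&CK techniques to a detection catalog by vector
similarity and report coverage gaps (constructed example)."""
import math
import re
from collections import Counter

# Constructed sample catalog: rule name -> text a real system would embed
# (description plus ATT&CK tags).
DETECTIONS = {
    "Suspicious PowerShell encoded command": "T1059.001 powershell encoded command execution script block",
    "LSASS memory access by non-system process": "T1003.001 lsass credential dumping memory read",
    "New scheduled task created from temp": "T1053.005 scheduled task persistence schtasks",
}
# Constructed sample: techniques extracted from an incident report and
# already normalised to ATT&CK IDs by the earlier stages.
EXTRACTED = {
    "T1059.001": "Adversary ran an encoded PowerShell command to fetch payload",
    "T1003.001": "Credential dumping of LSASS process memory",
    "T1021.002": "Lateral movement using SMB admin shares",
}
THRESHOLD = 0.25  # assumed cut-off below which a hit is not a candidate

def embed(text: str) -> Counter:
    """Toy embedding: lowercase token counts (stand-in for a model vector)."""
    return Counter(re.findall(r"[a-z0-9.]+", text.lower()))

def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def map_ttps(extracted, catalog, threshold=THRESHOLD):
    """Return {technique_id: [(rule, score), ...]} with hits above the
    threshold sorted by score; an empty list marks a coverage gap."""
    vectors = {name: embed(text) for name, text in catalog.items()}
    result = {}
    for tid, desc in extracted.items():
        query = embed(f"{tid} {desc}")  # the ID itself is a strong signal
        hits = sorted(((n, round(cosine(query, v), 3)) for n, v in vectors.items()), key=lambda h: -h[1])
        result[tid] = [h for h in hits if h[1] >= threshold]
    return result

def coverage_report(mapping):
    """Summarise which techniques have candidate detections and which do not."""
    covered = sorted(t for t, hits in mapping.items() if hits)
    gaps = sorted(t for t, hits in mapping.items() if not hits)
    ratio = round(len(covered) / len(mapping), 2) if mapping else 0.0
    return {"covered": covered, "gaps": gaps, "coverage": ratio}

if __name__ == "__main__":
    print(coverage_report(map_ttps(EXTRACTED, DETECTIONS)))
```

The report lists T1021.002 as a gap because nothing in the constructed catalog resembles it; in practice each gap and each candidate hit would be checked against real telemetry before a detection is written or tuned.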
The authors note that this approach reduces time to initial analysis and helps defenders prioritise validation and tuning of detections, while cautioning that mappings are recommendations and should be confirmed with real telemetry and testing. According to the Microsoft Defender Security Research Team, the AI-assisted results were comparable to those produced by security experts when paired with expert review.