Enhanced Reporting
Implementation Effort: Medium – Setting up and using enhanced reporting requires configuration by security teams and integration with incident response workflows.
User Impact: Low – This is a backend monitoring and analysis activity; end users are not directly affected.
Overview
Enhanced reporting in Microsoft Defender for Cloud provides deep visibility into threats, vulnerabilities, and remediation progress across cloud environments. One of the key features is the Threat Intelligence Report, which is automatically generated when a security alert is triggered. These reports include detailed insights such as:
- Attacker identity and associations
- Tactics, techniques, and procedures (TTPs)
- Indicators of compromise (IoCs)
- Campaign and activity group context
- Mitigation and remediation guidance
There are three types of reports:
- Activity Group Report – Focuses on attacker profiles and objectives.
- Campaign Report – Details specific attack campaigns.
- Threat Summary Report – Combines both attacker and campaign insights.
These reports are accessible directly from the Security Alerts page in Defender for Cloud and can be downloaded as PDFs for sharing or archiving. Enhanced reporting supports the Zero Trust principle of "Assume Breach" by enabling faster, more informed incident response and continuous threat awareness 1.