Using Microsoft Security Copilot for threat intelligence
Applies to:
Important
On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com
) was retired and is no longer accessible. Customers can continue using Defender TI in the Microsoft Defender portal or with Microsoft Security Copilot. Learn more
Microsoft Copilot in Defender applies the capabilities of Microsoft Security Copilot to deliver Microsoft Defender Threat Intelligence (Defender TI) information about threat actors and tools, as well as contextual threat intelligence, directly into the Microsoft Defender portal. Based on threat analytics reports, intel profiles, and other available Defender TI content, you can use Copilot in Defender to summarize the latest threats affecting your organization, know which threats to prioritize based on your exposure level, or gain more knowledge about your organization's or the global threat landscape.
Note
Defender TI capabilities are also available in Security Copilot standalone experience through the Microsoft Threat Intelligence plugin. Learn more about Defender TI integration with Security Copilot
Technical requirements
Security Copilot customers gain for each of their authenticated Copilot users access to Defender TI within the Defender portal. Learn how you can get started with Security Copilot
Accessing Copilot in Defender for threat intelligence content
You can experience Security Copilot's capability to look up threat intelligence in the following pages of the Defender portal:
- Threat analytics
- Intel profiles
- Intel explorer
- Intel projects
Try your first request
Open any of the pages mentioned previously from the Defender portal navigation bar. The Copilot side pane appears on the right hand side.
You can also reopen Copilot by selecting the Copilot icon at the top of the page.
In the Copilot prompt bar, ask about a threat actor, attack campaign, or any other threat intelligence that you want to know more about, then select the Send message icon or press Enter. See sample prompts for Defender TI.
Copilot generates a response from your text instruction or question. While Copilot is generating, you can cancel the response by selecting Stop generating.
Review the generated response. Copilot typically generates responses that include summaries and links to related Defender TI intel profiles and articles.
You can provide feedback about the generated response by selecting the Provide feedback icon and choosing Looks right, Needs improvement, or Inappropriate. Learn more
To start a new chat session with Copilot, select the New chat icon .
Note
Copilot saves your sessions from the Defender portal in the Security Copilot standalone portal. To see the previous sessions, from the Copilot Home menu, go to My sessions. Learn more about navigating Microsoft Security Copilot
Important
Copilot in Defender starts a new chat session every time you navigate to a different Threat intelligence page (for example, when you go from Threat analytics to Intel profiles) in the Defender portal. If you wish to go back or continue a previous session, go to the Security Copilot standalone portal.
Use the built-in Defender TI prompts
Copilot in Defender also has the following built-in prompts when accessing the Threat intelligence pages to get you started:
Summarize the latest threats related to your organization
Gathering and digesting threat intelligence data and trends can be a daunting task, especially when they come from multiple data sets and sources. Choose the Summarize prompt if you want Copilot to give you an overview of the latest threats in your environment. Copilot lists and summarizes relevant campaigns, activities, and threat actors, and includes links to related threat analytics reports or intel profiles for more information.
Prioritize which threats to focus on
Copilot provides insights on which threats you should prioritize and focus on based on your environment's highest exposure level to these threats. Choose the Prioritize prompt if you want to find out which threats are likely to significantly impact your organization. This prompt gives you a starting point and could thus make triaging, investigating, and mitigating incidents less complex.
Ask about the threat actors targeting the communications infrastructure industry
An important aspect of threat intelligence is keeping up to date with the global threat landscape. Choose the Ask prompt if you want Copilot to summarize the latest threat articles about threat actors that target the communications infrastructure industry so you can gather information on their latest TTPs or campaigns, and promptly assess and apply mitigation or prevention strategies.