Microsoft Copilot in Microsoft Defender
Note
Microsoft Defender XDR provides a unified XDR experience for Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Vulnerability Management. Learn more about this pre- and post-breach defense suite in What is Microsoft Defender XDR?
This article provides an overview for users of Microsoft Copilot in Microsoft Defender, including steps to access, key capabilities, and links to the details of these capabilities.
Know before you begin
If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles:
- What is Security Copilot?
- Security Copilot experiences
- Get started with Security Copilot
- Understand authentication in Security Copilot
- Prompting in Security Copilot
Microsoft Copilot integration in Microsoft Defender
Microsoft Security Copilot brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Security Copilot is embedded in the Microsoft Defender portal to help provide security teams with enhanced capabilities to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence. Copilot in Defender is available to users who have provisioned access to Security Copilot.
Key features
Investigate and respond to incidents like an expert
Enable security teams to tackle attack investigations in a timely manner with ease and precision. Copilot helps teams to understand attacks immediately, quickly analyze suspicious files and scripts, and promptly assess and apply appropriate mitigation to stop and contain attacks.
Summarize incidents quickly
Investigating incidents with multiple alerts can be a daunting task. To immediately understand an incident, you can tap Copilot to summarize an incident for you. Copilot creates an overview of the attack. The overview contains essential information for you to understand what transpired in the attack, what assets are involved, and the timeline of the attack. Copilot automatically creates a summary when you navigate to an incident's page.
Take action on incidents through guided responses
Resolving incidents require analysts to have an understanding of an attack to know what solutions are appropriate. Copilot recommends solutions through guided responses that are specific to each incident.
Run script analysis with ease
Most attackers rely on sophisticated malware when launching attacks to avoid detection and analysis. These malware are usually obfuscated, and might be in the form of scripts or command lines in PowerShell. Copilot can quickly analyze scripts, reducing the time for investigation.
Generate device summaries
Investigating devices involved in incidents can be a tasking job. To quickly assess a device, Copilot can summarize a device's information, including the device's security posture, any unusual behaviors, a list of vulnerable software, and relevant Microsoft Intune information.
Analyze files promptly
Copilot helps security teams quickly assess and understand suspicious files with file analysis. Copilot provides a file's summary, including detection information, related file certificates, a list of API calls, and strings found in the file.
Investigate identities immediately
Quickly assess a user’s risk by generating an identity summary with Copilot. Identify when an identity is at risk or suspicious with contextualized information about a user’s role and role changes, sign in behaviors, devices signed in to, and relevant contact information.
Write incident reports efficiently
Security operations teams usually write reports to record important information, including what response actions were taken and the corresponding results, the team members involved, and other information to aid future security decisions and learning. Oftentimes, documenting incidents can be time-consuming. For an incident report to be effective, it must contain an incident's summary along with the actions taken, including what actions were taken by whom and when. Copilot generates an incident report by quickly consolidating these pieces of information.
Hunt like a pro
Copilot in Defender helps security teams proactively hunt for threats in their network by quickly building appropriate KQL queries.
Generate KQL queries from natural-language input
Security teams who use advanced hunting to proactively hunt for threats in their network can now use a query assistant that converts any natural-language question, in the context of threat hunting, into a ready-to-run KQL query. The query assistant saves security teams time by generating a KQL query that can then be automatically run or further tweaked according to the analyst needs. Read more about the query assistant in Security Copilot in advanced hunting.
Protect your organization with relevant threat intelligence
Empower your security organization to make informed decisions with the latest threat intelligence. Copilot consolidates and summarizes threat intelligence to help security teams prioritize and respond to threats effectively.
Monitor threat intelligence
Ask Copilot to summarize the relevant threats impacting your environment, to prioritize resolving threats based on your exposure levels, or to find threat actors that might be targeting your industry. Read more about Security Copilot in threat intelligence.
Access Copilot in Defender
To ensure that you have access to Copilot in Defender, see the Security Copilot purchase and licensing information. Once you have access to Security Copilot, the key features become available in the Microsoft Defender portal.
Sample prompts in Copilot
In the Microsoft Defender portal, you can find sample prompts to help you navigate and use some Copilot capabilities. The prompts are designed to help you understand these capabilities and how to use them effectively. Here are some examples of prompts you might see in the portal:
Advanced hunting prompts:
Threat intelligence prompts:
You can extend your investigation in the Security Copilot standalone portal using natural language prompts. The following are sample prompts that you can type in the prompt bar to help you summarize an incident with recommendations:
- Type Summarize incident {incident number} and conclude with a set of recommendations to generate the incident summary and recommendations.
- Type What can you tell me about the reputation of the indicators in the script? Are they malicious? If so, why? to analyze the script and generate details about the script.
Prompting in Copilot helps you navigate and use the capabilities effectively. You can also use the prompt bar to generate KQL queries, summarize incidents, and analyze files. See tips to create effective prompts in effective prompting. You can also use prebuilt promptbooks to help you get started with Copilot. To learn more about promptbooks, see promptbooks in Copilot.
Provide feedback
All Copilot in Defender capabilities have an option for providing feedback. To provide feedback, perform the following steps:
- Select the feedback icon located at the bottom of any results card in the Copilot side panel.
- Select Looks right if you deem the results accurate. You can provide more information in the next dialog box.
- Select Needs improvement if you assessed the result as lacking or incomplete. You can provide more information about your assessment in the next dialog box and submit this assessment to Microsoft.
- You can also report the results if it contains questionable or ambiguous information by selecting Inappropriate. Provide more information about the results in the next dialog box and select Submit.
Privacy and data security
Copilot continuously evolves using data that is stored, processed, and shared depending on the settings defined by your administrator. Microsoft ensures that your data is always protected and secure when using Copilot. To learn more about data security and privacy in Copilot, see Privacy and data security in Copilot.
Because of its continuing evolution, Copilot might miss some things. Reviewing and providing feedback about the results helps improve Copilot's future responses.
Plugins in Security Copilot
Copilot uses preinstalled Microsoft plugins like Microsoft Defender XDR, Defender Threat Intelligence, and Natural Language to KQL for Microsoft Sentinel and Defender XDR plugins to generate relevant information, provide more context to incidents, and generate more accurate results. Ensure that plugins are turned on in Copilot to allow access to relevant data and to generate requested content from other Microsoft services in your organization.
Next steps
- Learn how to summarize incidents
- Use guided responses when responding to incidents
- Run script analysis
- Analyze files
- Generate device summaries
- Generate identity summaries
- Generate KQL queries
- Create incident reports
- Use threat intelligence
See also
- Get started with Security Copilot
- Privacy and data security in Copilot
- Responsible AI FAQs
- Other Security Copilot embedded experiences
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.