Microsoft Security Copilot and Chat in Microsoft Defender

This article provides an overview of Microsoft Security Copilot in Microsoft Defender, including key capabilities, access steps, and links to detailed guidance.

Note

Microsoft Defender XDR provides a unified XDR experience for Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Vulnerability Management. Learn more about this pre- and post-breach defense suite in What is Microsoft Defender XDR?

Security Copilot prerequisites

If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles:

• What is Security Copilot?
• Security Copilot experiences
• Get started with Security Copilot
• Understand authentication in Security Copilot
• Prompting in Security Copilot
• Application card for Microsoft Copilot in Microsoft Defender

Microsoft Security Copilot integration in Microsoft Defender

Microsoft Security Copilot brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Copilot in Defender is available to users who have provisioned access to Security Copilot. You can access Copilot in two ways:

• Security Copilot is embedded in the Microsoft Defender portal to help provide security teams with enhanced capabilities to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
• Defender Chat experience (preview) is an open prompt chat assistant built into Microsoft Defender. It helps SOC analysts investigate threats, explore incidents, and answer security questions in plain language, without needing to navigate multiple screens or write complex queries. This preview isn't yet available in Australia or New Zealand.

Copilot in Defender operates using Microsoft's AI principles. For more information, see the Application card for Microsoft Copilot in Microsoft Defender.

Defender Chat experience (preview)

Get started

To open the Defender chat experience from anywhere in the Defender portal, select the Copilot button in the top navigation bar. The chat panel slides open on the right side of the screen and stays in context while you continue working. A welcome screen appears with a greeting and an input field ready for your first question.

To close the panel, select Close in the header or select the Copilot button again. Your conversation is preserved and you can reopen the panel and pick up where you left off.

Page context awareness

Defender Chat responds based on the page you're currently viewing in the Defender portal and can answer questions based on that context.

If you ask a question such as "Which users are involved in this incident?", the chat understands which incident, alert, device, or entity you're referring to based on your current page without needing to provide IDs or names.

Chat conversation capabilities

Interactive conversations

The chat remembers the full context of your conversation, so you can ask follow-up questions naturally. For example, you can start with Show me high-severity incidents from the past week, then follow up with Tell me more about the first one, and the chat understands what you mean.

Step-by-step plans

For complex or multi-step requests, the chat might first present a proposed plan outlining the steps it intends to take. You can Approve or Reject the plan before any actions are taken. This keeps you in control, especially for investigations that require multiple data lookups.

For example: If you ask Investigate incident 12345 and summarize the key findings, the chat might propose the following plan:

1. Retrieve incident details
2. Fetch associated alerts
3. Collect evidence and impacted entities
4. Summarize findings

After you approve the plan, the chat executes each step and shows its progress in real time.

Clarifying questions

If your request is ambiguous, the chat might ask a clarifying question and offer quick-select options (up to four suggestions) to help you get to the right answer faster. Select an option or type your own response.

Conversation history

Your conversations are saved automatically. Use the Conversations panel on the left side of the chat to:

• Resume a previous conversation
• Start a new session
• Delete a conversation
• Clear all conversations

Note

• Conversations aren't synced across devices or shared with other users. The last ten conversations are stored locally in your browser.

Working with responses

Responses are formatted with structured tables, bullet points, and section headers for readability. You can:

• Copy a response: Select the copy icon on any message to copy it to your clipboard
• Export tables: Select Export on any table to export it to Excel for further analysis
• Stop generation: Select Stop to interrupt a response that's taking too long or heading in the wrong direction
• Retry: If something goes wrong, select Retry to attempt the response again

Copilot in Defender embedded skills

Key features

• Embedded chat capability enabling conversation and steering
• Context-aware answers across incidents, alerts, identities, devices, IPs, and evidence
• Follow-up questions for clarification

Investigate and respond to incidents like an expert

These AI tools enable security teams to tackle attack investigations in a timely manner with ease and precision. They can understand attacks immediately, quickly analyze suspicious files and scripts, and promptly assess and apply appropriate mitigation to stop and contain attacks.

Summarize incidents quickly

Investigating incidents with multiple alerts can be a daunting task. To immediately understand an incident, you can ask Copilot to summarize an incident for you. Copilot creates an overview of the attack. The overview contains essential information for you to understand what transpired in the attack, what assets are involved, and the timeline of the attack. Copilot automatically creates a summary when you open an incident page. It also helps you understand the assets involved and how to act by suggesting prompts about related identities, devices, IPs, and so on.

Take action on incidents through guided responses

Resolving incidents requires analysts to understand an attack to know what solutions are appropriate. Copilot recommends solutions through guided responses that are specific to each incident.

Run script analysis with ease

Most attackers rely on sophisticated malware when launching attacks to avoid detection and analysis. This malware is usually obfuscated and might be in the form of scripts or command lines in PowerShell. Copilot can quickly analyze scripts, reducing the time for investigation.

Generate device summaries

Investigating devices involved in incidents can be complicated. To quickly assess a device, Copilot can summarize a device's information, including the device's security posture, any unusual behaviors, a list of vulnerable software, and relevant Microsoft Intune information.

Analyze files promptly

Copilot helps security teams quickly assess and understand suspicious files with file analysis. Copilot provides a file's summary, including detection information, related file certificates, a list of API calls, and strings found in the file.

Investigate identities immediately

Quickly assess a user's risk by generating an identity summary with Copilot. Identify when an identity is at risk or suspicious with contextualized information about a user's role and role changes, sign in behaviors, devices signed in to, and relevant contact information.

Write incident reports efficiently

Security operations teams usually write reports to record important information. These reports include response actions taken, their results, the team members involved, and other information to aid future security decisions. Documenting incidents can be time-consuming because an effective incident report must contain the incident summary, actions taken, and who took what actions and when. Copilot generates an incident report by consolidating the incident summary, response actions, and team involvement.

Hunt like a pro

Copilot in Defender helps security teams proactively hunt for threats in their network by quickly building appropriate KQL queries.

Security teams who use advanced hunting can now use a query assistant that converts natural-language questions into ready-to-run KQL queries. The query assistant saves time by generating a KQL query that can be run immediately or tweaked to the analyst's needs. Read more about Query assistant.

Protect your organization with relevant threat intelligence

Empower your security organization to make informed decisions with the latest threat intelligence. Copilot consolidates and summarizes threat intelligence to help security teams prioritize and respond to threats effectively.

Monitor threat intelligence

Ask Copilot to summarize the relevant threats impacting your environment, to prioritize resolving threats based on your exposure levels, or to find threat actors that might be targeting your industry. Read more about Security Copilot in threat intelligence.

Access Copilot in Defender

To ensure that you have access to Copilot in Defender, see the Security Copilot purchase and licensing information. After you have access to Security Copilot, the key features become available in the Microsoft Defender portal.

Sample prompts in Copilot

In the Microsoft Defender portal, you can find sample prompts to help you navigate and use some Copilot capabilities. The prompts are designed to help you understand these capabilities and how to use them effectively. Here are some examples of prompts you might see in the portal:

Advanced hunting prompts:

Threat intelligence prompts:

You can extend your investigation in the Security Copilot standalone portal using natural language prompts. The following are sample prompts that you can type in the prompt bar to help you summarize an incident with recommendations:

• Type Summarize incident {incident number} and conclude with a set of recommendations to generate the incident summary and recommendations.
• Type What can you tell me about the reputation of the indicators in the script? Are they malicious? If so, why? to analyze the script and generate details about the script.

Prompting in Copilot helps you navigate and use the capabilities effectively. You can also use the prompt bar to generate KQL queries, summarize incidents, and analyze files. See tips for effective prompting. You can also use prebuilt promptbooks to get started with Copilot. To learn more, see use prebuilt promptbooks in Copilot.

Provide feedback

All Copilot in Defender capabilities have an option for providing feedback. Reviewing and providing feedback helps improve future responses. To provide feedback, use the 👍 / 👎 buttons on any response.

Privacy and data security

Copilot continuously evolves using data that's stored, processed, and shared depending on the settings defined by your administrator. Microsoft ensures that your data is always protected and secure when using Copilot. To learn more about data security and privacy in Copilot, see Privacy and data security in Copilot.

Plugins in Security Copilot

Copilot uses preinstalled Microsoft plugins like Microsoft Defender, Defender Threat Intelligence, and Natural Language to KQL for Microsoft Sentinel and Defender plugins to generate relevant information, provide more context to incidents, and generate more accurate results. Ensure that plugins are turned on in Copilot to allow access to relevant data and to generate requested content from other Microsoft services in your organization.

Related content

• Learn how to summarize incidents
• Use guided responses when responding to incidents
• Run script analysis
• Analyze files
• Generate device summaries
• Generate identity summaries
• Generate KQL queries
• Create incident reports
• Use threat intelligence
• Get started with Security Copilot
• Privacy and data security in Copilot
• Security Copilot Responsible AI FAQs
• Security Copilot embedded experiences

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.