Edit

Microsoft Copilot in Microsoft Defender

  • Article

Applies to:

  • Microsoft Defender XDR
  • Microsoft Defender unified security operations center (SOC) platform

Microsoft Copilot for Security brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Copilot for Security is embedded in the Microsoft Defender portal to enable security teams to efficiently summarize incidents, analyze scripts and codes, analyze files, summarize device information, use guided responses to resolve incidents, generate KQL queries, create incident reports.

This article provides an overview for users of the Copilot in Defender, including steps to access, key capabilities, and links to the details of these capabilities.

Access Copilot in Defender

To ensure that you have access to Copilot in Defender, see the Copilot for Security purchase and licensing information. Once you have access to Copilot for Security, the key capabilities discussed below become accessible in the Microsoft Defender portal.

Investigate and respond to incidents like an expert

Enable security teams to tackle attack investigations in a timely manner with ease and precision. Copilot helps teams to understand attacks immediately, quickly analyze suspicious files and scripts, and promptly assess and apply appropriate mitigation to stop and contain attacks.

Summarize incidents quickly

Investigating incidents with multiple alerts can be a daunting task. To immediately understand an incident, you can tap Copilot to summarize an incident for you. Copilot creates an overview of the attack containing essential information for you to understand what transpired in the attack, what assets are involved, and the timeline of the attack. Copilot automatically creates a summary when you navigate to an incident's page.

Screenshot of the incident summary card on the Copilot pane as seen in the Microsoft Defender incident page.

Take action on incidents through guided responses

Resolving incidents require analysts to have an understanding of an attack to know what solutions are appropriate. Copilot recommends solutions through guided responses that are specific to each incident.

Screenshot highlighting the Copilot pane with the guided responses in the Microsoft Defender incident page.

Run script analysis with ease

Most attackers rely on sophisticated malware when launching attacks to avoid detection and analysis. These malware are usually obfuscated, and might be in the form of scripts or command lines in PowerShell. Copilot can quickly analyze scripts, reducing the time for investigation.

Screenshot highlighting the script analysis button in the attack story view in the incident page.

Generate device summaries

Investigating devices involved in incidents can be a tasking job. To quickly assess a device, Copilot can summarize a device's information, including the device's security posture, any unusual behaviors, a list of vulnerable software, and relevant Microsoft Intune information.

Screenshot of the device summary results in Copilot in Defender.

Analyze files promptly

Copilot helps security teams quickly assess and understand suspicious files with file analysis. Copilot provides a file's summary, including detection information, related file certificates, a list of API calls, and strings found in the file.

Screenshot of the file analysis results in Copilot in Defender with the Hide details option highlighted.

Write incident reports efficiently

Security operations teams usually write reports to record important information, including what response actions were taken and the corresponding results, the team members involved, and other information to aid future security decisions and learning. Oftentimes, documenting incidents can be time-consuming. For incident reports to be effective, it must contain an incident's summary along with the actions taken, including what actions were taken by whom and when. Copilot generates an incident report by quickly consolidating these pieces of information.

Screenshot of the incident report card in the incident page showing the top half of the card.

Hunt like a pro

Copilot in Defender helps security teams proactively hunt for threats in their network by quickly building appropriate KQL queries.

Generate KQL queries from natural-language input

Security teams who use advanced hunting to proactively hunt for threats in their network can now use a query assistant that converts any natural-language question in the context of threat hunting, into a ready-to-run KQL query. The query assistant saves security teams time by generating a KQL query that can then be automatically run or further tweaked according to the analyst needs. Read more about the query assistant in Copilot for Security in advanced hunting.

Screenshot of the Copilot pane in advanced hunting.

Protect your organization with relevant threat intelligence

Empower your security organization to make informed decisions with the latest threat intelligence. Copilot consolidates and summarizes threat intelligence to help security teams prioritize and respond to threats effectively.

Monitor threat intelligence

Ask Copilot to summarize the relevant threats impacting your environment, to prioritize resolving threats based on your exposure levels, or to find threat actors that might be targeting your industry. Read more about Copilot for Security in threat intelligence.

Screenshot of the Copilot pane in threat intelligence in Defender XDR.

Data security and feedback in Copilot

Copilot continuously evolves using data that is stored, processed, and shared depending on the settings defined by your administrator. Microsoft ensures that your data is always protected and secure when using Copilot. To learn more about data security and privacy in Copilot, see Privacy and data security in Copilot.

Because of its continuing evolution, Copilot might miss some things. Reviewing and providing feedback about the results helps improve Copilot's future responses.

All Copilot in Defender capabilities have an option for providing feedback. To provide feedback, perform the following steps:

  1. Select the feedback icon Screenshot of the feedback icon for Copilot in Defender cards located at the bottom of any results card in the Copilot side panel.
  2. Select Confirmed, it looks great if the results are accurate based on your assessment. You can provide more information in the next dialog box.
  3. Select Off-target, inaccurate if any detail is incorrect or incomplete based on your assessment. You can provide more information about your assessment in the next dialog box and submit this assessment to Microsoft.
  4. You can also report the results if it contains questionable or ambiguous information by selecting Potentially harmful, inappropriate. Provide more information about the results in the next dialog box and select Submit.

Plugins in Copilot for Security

Copilot uses preinstalled Microsoft plugins like Microsoft Defender XDR, Defender Threat Intelligence, and Natural Language to KQL for Microsoft Sentinel and Defender XDR plugins to generate relevant information, provide more context to incidents, and generate more accurate results. Ensure that plugins are turned on in Copilot to allow access to relevant data and to generate requested content from other Microsoft services in your organization.

Next steps

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.