Incident with Copilot
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 70%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECG%3C/text%3E%3C/svg%3E)
Carlos Gormaz
0
Reputation points
Am I looking for the best way to submit an incident report with Copilot?
Microsoft Copilot | Other
1 answer
Sort by: Most helpful
-
AI answer
2026-05-17T22:59:17.3+00:00 For incidents related to Microsoft Defender XDR and Microsoft Sentinel, the best way to create and share an incident report with Copilot is to use the built-in “Generate incident report” capability in Microsoft Defender, or to prompt Security Copilot directly.
Recommended options:
- Use Copilot in the Microsoft Defender portal
- Open the incident page in Microsoft Defender XDR.
- Select the More actions ellipsis (...) and choose Generate incident report, or select the report icon in the Copilot side panel.
- Copilot generates the incident report based on data from Microsoft Defender XDR and Microsoft Sentinel, including:
- Incident creation/closure timestamps and key logs
- Analysts involved
- Incident classification and reasons
- Investigation and remediation actions
- Follow-up actions and recommendations
- When the report card appears in the Copilot pane, use Copy to clipboard, Post to activity log, or Export incident as PDF to share it with stakeholders.
- Optionally select Regenerate if an error occurs or if more actions have been taken on the incident.
- Use the Security Copilot standalone portal
- In Security Copilot, use a natural language prompt such as:
- “Generate the incident report for Defender incident {incident ID}.”
- Include the word Defender in the prompt so Security Copilot uses the Defender XDR plugin and pulls the correct incident data.
- In Security Copilot, use a natural language prompt such as:
Preparation and best practices
To get the most complete incident report when submitting or sharing it:
- Resolve and classify the incident before generating the report so all actions and outcomes are captured.
- Add clear, detailed comments to the incident:
- In Microsoft Defender XDR, use the incident activity log to record analyst notes and decisions.
- In Microsoft Sentinel, ensure comments are saved in the incident activity log.
- Use comprehensive language in comments so Copilot can summarize context, reasoning, and next steps accurately.
- If using ServiceNow with Sentinel, enable the Microsoft Sentinel–ServiceNow bi-directional sync so more robust incident data flows into the report.
- After generation, copy the incident report back into the incident’s activity log so it is preserved with the incident record.
If additional investigation is needed (for example, suspicious scripts or indicators), start from the incident in Microsoft Defender XDR, use the Copilot button to summarize and analyze artifacts, and then extend the investigation in the Security Copilot standalone experience. Those findings can then be summarized into the incident report.
References:
- Create an incident report with Microsoft Copilot in Microsoft Defender
- Use case: Investigate an incident and associated suspicious entities
- ServiceNow plugin for Microsoft Security Copilot
- Copilot in Teams Chats
AI-generated content may be incorrect. Read our transparency notes for more information. - Use Copilot in the Microsoft Defender portal