Microsoft Sentinel uses Security Copilot in the Azure portal to create enriched incident summaries that consolidate information from multiple alerts into a comprehensive overview of a security incident. This feature improves incident response efficiency by offering a clear summary that helps your security operations teams quickly understand the scope and impact of an incident. It provides a structured overview, including timelines, assets involved, and indicators of compromise, along with enrichments such as user risk, device risk, and watchlist matches. These summaries also suggest an investigation path that your analysts can follow to assess the scope and impact of an attack. For more information, see Navigate, triage, and manage Microsoft Sentinel incidents in the Azure portal.
If you onboarded Microsoft Sentinel to the Defender portal, you can move directly to the same incident in the Defender portal and follow the guided investigation procedures there. For more information, see Triage and investigate incidents with guided responses from Security Copilot in Microsoft Defender.
This guide outlines what to expect and how to access the summarizing capability of Copilot in Microsoft Sentinel, including information on providing feedback.
Important
The Copilot incident summary feature for Microsoft Sentinel is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Know before you begin
If you're new to Security Copilot, you should familiarize yourself with it by reading these articles:
- What is Microsoft Security Copilot?
- Microsoft Security Copilot experiences
- Get started with Microsoft Security Copilot
- Understand authentication in Microsoft Security Copilot
- Prompting in Microsoft Security Copilot
Security Copilot integration with Microsoft Sentinel
The incident summary capability is available in Microsoft Sentinel in the Azure portal for customers who have provisioned access to Security Copilot.
This capability is also available in the Defender portal, and in the Security Copilot standalone experience through the Microsoft Sentinel plugins. Learn more about preinstalled plugins in Security Copilot.
Key features
Incidents containing up to 100 alerts can be summarized into one incident summary. An incident summary, depending on the availability of the data, includes the following:
- The time and date when an attack started.
- The entity or asset where the attack started.
- A summary of timelines of how the attack unfolded.
- The assets involved in the attack.
- Indicators of compromise (IoCs).
- Names of threat actors involved.
- User risk and criticality.
- Device risk and criticality.
- Watchlist matches.
Copilot automatically generates an incident summary when you open the incident's page. The incident summary appears at the top of the details pane of the incident page, before the description.
Select Show more to expand the summary to see its complete content.
Tip
You can navigate to a file, IP, or URL page from the Copilot results pane by clicking on the evidence in the results.
Review the summary and use the information to guide your investigation and response to the incident.