Summarize device information with Microsoft Copilot in Microsoft Defender

Applies to:

  • Microsoft Defender XDR
  • Microsoft Defender unified security operations center (SOC) platform

Microsoft Copilot for Security in the Microsoft Defender portal helps security teams speed up device inspection through AI-powered investigation capabilities.

Security operations teams are tasked with sifting through device data to find suspicious activities or entities and prevent malicious attacks. These teams need to summarize large amounts of data and simplify complex information to quickly assess, triage, and connect a device's status and activities to potentially malicious attacks.

The device summary capability of Copilot in Defender enables security teams to get a device's security posture, vulnerable software information, and any unusual behaviors. Security analysts can use a device's summary to speed up their investigation of incidents and alerts.

The device summary capability is available in the Microsoft Defender portal through the Copilot for Security license. This capability is also available in the Copilot for Security standalone portal through the Microsoft Defender XDR plugin.

Summarize device information

The device summary generated by Copilot contains noteworthy information about the device, including:

  • The status of important Defender XDR protection capabilities, like attack surface reduction and tamper protection
  • Any significant user activity observed, like unusual login attempts
  • A list of vulnerable software installed on the device
  • The status of other security features, like firewall settings, that contribute to the device's risk
  • Other notable insights that signify the device's status, like when the device was last seen active
  • Device insights delivered by Microsoft Intune, like information on the device's primary user, device group, or discovered apps

You can access the device summary capability in the following ways:

  1. From the main menu, open the Device inventory page by selecting Devices under Assets. Choose a device to investigate from the list. Upon opening the device page, Copilot automatically summarizes the device information of the chosen device and displays the summary in the Copilot pane.

    Screenshot of the device summary results in Copilot in Defender.

  2. From an incident page, you can choose a device on the incident graph and then select Device details (1). On the device pane, select Summarize (2) to generate the device summary. The summary is displayed in the Copilot pane.

    Screenshot highlighting the steps to access the device summary in an incident page in Copilot in Defender.

    You can also access the device summary capability by choosing a device listed in the Assets tab of an incident. Select Copilot in the device pane to generate the device summary.

    Screenshot highlighting the device summary option in the assets tab of an incident page in Copilot in Defender.

Review the results. You can copy the results to the clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the device summary card.

You can provide feedback about the results by navigating to the bottom of the Copilot pane and selecting the feedback icon.
