File analysis with Microsoft Copilot in Microsoft Defender

Applies to:

  • Microsoft Defender XDR
  • Microsoft Defender unified security operations center (SOC) platform

Microsoft Copilot for Security in the Microsoft Defender portal enables security teams to quickly identify malicious and suspicious files through AI-powered file analysis capabilities.

Security operations teams tracking and resolving attacks need tools and techniques to quickly analyze potentially malicious files. Sophisticated attacks often use files that mimic legitimate or system files to avoid detection. In addition, analysts who are new to the field might need time and significant experience before they can use the available analysis tools and techniques effectively.

The file analysis capability of Copilot in Defender lowers the barrier to learning file analysis by immediately delivering reliable and complete file investigation results. This capability lets security analysts at all levels complete their investigation with a shorter turnaround time. The report includes an overview of the file, details of the file's contents, and a summary of the file's assessment.

The file analysis capability is available in Microsoft Defender through the Copilot for Security license. Copilot for Security standalone portal users also have the file analysis capability and other Defender XDR capabilities through the Microsoft Defender XDR plugin.

Analyze a file

The file analysis results generated by Copilot usually contain the following information:

  • Overview - contains an assessment of the file, including a detection name when the file is malicious or potentially unwanted, important file information such as certificates and signer, and a summary of the file contents that contribute to the assessment.
  • Details - highlights strings found in the file, lists API calls that the file uses, and lists information about the file's relevant certificates.

Note

The analysis results vary depending on the contents of the file.

You can access the file analysis capability through the following ways:

  1. Open a file page. Copilot automatically generates an analysis when you open a file page. The results, which show the overview information by default, are then displayed in the Copilot pane.
    [Screenshot: file analysis results in Copilot in Defender with the Show details option highlighted.]
    Select Show details (shown above) to display the full results, or Hide details (highlighted below) to minimize the results.
    [Screenshot: file analysis results in Copilot in Defender with the Hide details option highlighted.]
  2. From an incident page, choose a file to investigate in the attack story graph. You can also choose a file to investigate from an alert page.
    [Screenshot: attack story graph with the file entities highlighted.]
    Select a file to investigate, then select Analyze on the side pane to begin analysis. The results are then displayed in the Copilot pane.
    [Screenshot: incident page with the file analysis button highlighted.]

You can copy the results to the clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) at the top of the file analysis card.

Always review the results generated by Copilot in Defender. Select the feedback icon at the bottom of the Copilot pane to provide feedback.
