Summarize an incident with Microsoft Security Copilot in Microsoft Defender XDR


Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.

Applies to:

  • Microsoft Defender XDR


The information in this article only applies to the Microsoft Security Copilot Early Access Program, an invite-only paid preview program for commercial customers. Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Microsoft Defender XDR applies the capabilities of Microsoft Security Copilot to summarize incidents, delivering impactful information and insights to simplify investigation tasks. Attack investigation is a crucial step for incident response teams to successfully defend an organization against further damage from a cyber threat. Investigations can oftentimes be time-consuming since it involves numerous steps. Incident response teams need to understand how the attack happened: sort through numerous alerts, identify which assets and entities are involved, and assess the scope and impact of an attack.

Incident responders can easily gain the right context to investigate and remediate incidents through Microsoft Defender XDR's correlation capabilities and Security Copilot's AI-powered data processing and contextualization. With an incident summary, responders can quickly get important information to help in their investigation.

This guide outlines what to expect and how to access the summarizing capability of Security Copilot within Microsoft Defender XDR, including information on providing feedback.


The incident summary capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about preinstalled plugins in Microsoft Security Copilot.

Technical requirements

Learn how you can get started with Security Copilot.

Summarize an incident

Incidents containing up to 100 alerts can be summarized into one incident summary. An incident summary, depending on the availability of the data, includes the following:

  • The time and date when an attack started.
  • The entity or asset where the attack started.
  • A summary of timelines of how the attack unfolded.
  • The assets involved in the attack.
  • Indicators of compromise (IOCs).
  • Names of threat actors involved.

To summarize an incident, perform the following steps:

  1. Open an incident page. Security Copilot automatically creates an incident summary upon opening the page. You can stop the summary creation by selecting Cancel or restart creation by selecting Regenerate. Screenshot highlighting the automatic incident summary generation by Security Copilot pane in the Microsoft Defender XDR incident page.
  2. The incident summary card loads on the Security Copilot pane in the incident page. Review the generated summary on the card. Screenshot of the incident summary card on the Security Copilot pane as seen in the Microsoft Defender XDR incident page.
  3. Select the three dots at the top of the incident summary card to copy or regenerate the summary, or view the summary in Security Copilot. Selecting Open in Security Copilot opens a new tab to the Security Copilot standalone portal where you can input prompts and access other plugins. Screenshot highlighting the actions available on the incident summary card.

Managing feedback

You can validate or report the results of the incident summary provided by Security Copilot. Validating and reporting results enable Security Copilot to continuously improve delivery of more accurate responses in the future.

Follow these steps to provide your feedback about the results.

Next steps

See also


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.