Edit

Share via

Microsoft Copilot in Microsoft Defender

  • Article
  • Applies to:
    Microsoft Defender XDR, Microsoft Sentinel in the Microsoft Defender portal

Note

Microsoft Defender XDR provides a unified XDR experience for Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Vulnerability Management. Learn more about this pre- and post-breach defense suite in What is Microsoft Defender XDR?

This article provides an overview for users of Microsoft Copilot in Microsoft Defender, including steps to access, key capabilities, and links to the details of these capabilities.

Know before you begin

If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles:

Microsoft Copilot integration in Microsoft Defender

Microsoft Copilot for Security brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Copilot for Security is embedded in the Microsoft Defender portal to help provide security teams with enhanced capabilities to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence. Copilot in Defender is available to users who have provisioned access to Copilot for Security.

Key features

Investigate and respond to incidents like an expert

Enable security teams to tackle attack investigations in a timely manner with ease and precision. Copilot helps teams to understand attacks immediately, quickly analyze suspicious files and scripts, and promptly assess and apply appropriate mitigation to stop and contain attacks.

Summarize incidents quickly

Investigating incidents with multiple alerts can be a daunting task. To immediately understand an incident, you can tap Copilot to summarize an incident for you. Copilot creates an overview of the attack. The overview contains essential information for you to understand what transpired in the attack, what assets are involved, and the timeline of the attack. Copilot automatically creates a summary when you navigate to an incident's page.

Screenshot of the incident summary card on the Copilot pane as seen in the Microsoft Defender incident page.

Take action on incidents through guided responses

Resolving incidents require analysts to have an understanding of an attack to know what solutions are appropriate. Copilot recommends solutions through guided responses that are specific to each incident.

Screenshot highlighting the Copilot pane with the guided responses in the Microsoft Defender incident page.

Run script analysis with ease

Most attackers rely on sophisticated malware when launching attacks to avoid detection and analysis. These malware are usually obfuscated, and might be in the form of scripts or command lines in PowerShell. Copilot can quickly analyze scripts, reducing the time for investigation.

Screenshot highlighting the script analysis button in the attack story view in the incident page.

Generate device summaries

Investigating devices involved in incidents can be a tasking job. To quickly assess a device, Copilot can summarize a device's information, including the device's security posture, any unusual behaviors, a list of vulnerable software, and relevant Microsoft Intune information.

Screenshot of the device summary results in Copilot in Defender.

Analyze files promptly

Copilot helps security teams quickly assess and understand suspicious files with file analysis. Copilot provides a file's summary, including detection information, related file certificates, a list of API calls, and strings found in the file.

Screenshot of the file analysis results in Copilot in Defender with the Hide details option highlighted.

Investigate identities immediately

Quickly assess a user’s risk by generating an identity summary with Copilot. Identify when an identity is at risk or suspicious with contextualized information about a user’s role and role changes, sign in behaviors, devices signed in to, and relevant contact information.

Screenshot showing the Summarize option in the user details pane.

Write incident reports efficiently

Security operations teams usually write reports to record important information, including what response actions were taken and the corresponding results, the team members involved, and other information to aid future security decisions and learning. Oftentimes, documenting incidents can be time-consuming. For an incident report to be effective, it must contain an incident's summary along with the actions taken, including what actions were taken by whom and when. Copilot generates an incident report by quickly consolidating these pieces of information.

Screenshot of the incident report card in the incident page showing the top half of the card.

Hunt like a pro

Copilot in Defender helps security teams proactively hunt for threats in their network by quickly building appropriate KQL queries.

Generate KQL queries from natural-language input

Security teams who use advanced hunting to proactively hunt for threats in their network can now use a query assistant that converts any natural-language question, in the context of threat hunting, into a ready-to-run KQL query. The query assistant saves security teams time by generating a KQL query that can then be automatically run or further tweaked according to the analyst needs. Read more about the query assistant in Copilot for Security in advanced hunting.

Screenshot of the Copilot pane in advanced hunting.

Protect your organization with relevant threat intelligence

Empower your security organization to make informed decisions with the latest threat intelligence. Copilot consolidates and summarizes threat intelligence to help security teams prioritize and respond to threats effectively.

Monitor threat intelligence

Ask Copilot to summarize the relevant threats impacting your environment, to prioritize resolving threats based on your exposure levels, or to find threat actors that might be targeting your industry. Read more about Copilot for Security in threat intelligence.

Screenshot of the Copilot pane in threat intelligence in Defender XDR.

Access Copilot in Defender

To ensure that you have access to Copilot in Defender, see the Copilot for Security purchase and licensing information. Once you have access to Copilot for Security, the key features become available in the Microsoft Defender portal.

Sample prompts in Copilot

In the Microsoft Defender portal, you can find sample prompts to help you navigate and use some Copilot capabilities. The prompts are designed to help you understand these capabilities and how to use them effectively. Here are some examples of prompts you might see in the portal:

Advanced hunting prompts:

Screenshot highlighting the Copilot prompts in the advanced hunting page.

Threat intelligence prompts:

Screenshot highlighting the Copilot prompts in the threat intelligence page.

You can extend your investigation in the Copilot for Security standalone portal using natural language prompts. The following are sample prompts that you can type in the prompt bar to help you summarize an incident with recommendations:

  • Type Summarize incident {incident number} and conclude with a set of recommendations to generate the incident summary and recommendations.
  • Type What can you tell me about the reputation of the indicators in the script? Are they malicious? If so, why? to analyze the script and generate details about the script.

Prompting in Copilot helps you navigate and use the capabilities effectively. You can also use the prompt bar to generate KQL queries, summarize incidents, and analyze files. See tips to create effective prompts in effective prompting. You can also use prebuilt promptbooks to help you get started with Copilot. To learn more about promptbooks, see promptbooks in Copilot.

Provide feedback

All Copilot in Defender capabilities have an option for providing feedback. To provide feedback, perform the following steps:

  1. Select the feedback icon Screenshot of the feedback icon for Copilot in Defender cards. located at the bottom of any results card in the Copilot side panel.
  2. Select Looks right if you deem the results accurate. You can provide more information in the next dialog box.
  3. Select Needs improvement if you assessed the result as lacking or incomplete. You can provide more information about your assessment in the next dialog box and submit this assessment to Microsoft.
  4. You can also report the results if it contains questionable or ambiguous information by selecting Inappropriate. Provide more information about the results in the next dialog box and select Submit.

Privacy and data security

Copilot continuously evolves using data that is stored, processed, and shared depending on the settings defined by your administrator. Microsoft ensures that your data is always protected and secure when using Copilot. To learn more about data security and privacy in Copilot, see Privacy and data security in Copilot.

Because of its continuing evolution, Copilot might miss some things. Reviewing and providing feedback about the results helps improve Copilot's future responses.

Plugins in Copilot for Security

Copilot uses preinstalled Microsoft plugins like Microsoft Defender XDR, Defender Threat Intelligence, and Natural Language to KQL for Microsoft Sentinel and Defender XDR plugins to generate relevant information, provide more context to incidents, and generate more accurate results. Ensure that plugins are turned on in Copilot to allow access to relevant data and to generate requested content from other Microsoft services in your organization.

Next steps

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.