File analysis with Microsoft Copilot in Microsoft Defender
Microsoft Copilot for Security in the Microsoft Defender portal enables security teams to quickly identify malicious and suspicious files through AI-powered file analysis capabilities.
Know before you begin
If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles:
- What is Copilot for Security?
- Copilot for Security experiences
- Get started with Copilot for Security
- Understand authentication in Copilot for Security
- Prompting in Copilot for Security
Security operations teams tracking and resolving attacks need tools and techniques to quickly analyze potentially malicious files. Sophisticated attacks often use files that mimic legitimate or system files to avoid detection. In addition, new-to-the-field security analysts might require time and gain significant experience to use available analysis tools and techniques.
The file analysis capability of Copilot in Defender reduces the barrier to learning file analysis by immediately delivering reliable and complete file investigation results. This capability empowers security analysts from all levels to complete their investigation with a shorter turnaround time. The report includes an overview of the file, details of the file's contents, and a summary of the file's assessment.
Copilot for Security integration in Microsoft Defender
The file analysis capability is available in Microsoft Defender for customers who have provisioned access to Copilot for Security.
Copilot for Security standalone portal users also have the file analysis capability and other Defender XDR capabilities through the Microsoft Defender XDR plugin. Know more about preinstalled plugins in Copilot for Security.
Key features
The file analysis results generated by Copilot usually contains the following information:
- Overview - contains an assessment of the file, including a detection name when the file is malicious/potentially unwanted, important file information like certificates and signer, and a summary of the contents of the file that contributes to the assessment.
- Details - highlights Strings found in the file, lists API calls that the file uses, and lists information of the file's relevant Certificates.
Note
The analysis results vary depending on the contents of the file.
You can access the file analysis capability through the following ways:
- Open a file page. Copilot automatically generates an analysis upon opening a file page. The results, which show the overview information by default, are then displayed on the Copilot pane.
Select Show details (shown above) to display the full results or Hide details (highlighted below) to minimize the results.
- From an incident page, choose a file to investigate in the attack story graph. You can also choose a file to investigate in an alert page.
Select a file to investigate, then select Analyze on the side pane to begin analysis. The results are then displayed on the Copilot pane.
You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the file analysis card.
Sample file analysis prompt
In the Copilot for Security standalone portal, you can use the following prompt to generate a device summary:
- Tell me about the files in Defender incident {incident number). Which files are malicious?
Tip
When investigating files in the Copilot for Security portal, Microsoft recommends including the word Defender in your prompts to ensure that the file analysis capability delivers the results.
Provide feedback
Always review the results generated by Copilot in Defender. Your feedback helps improve the quality of the results generated by Copilot. Select the feedback icon 
at the bottom of the Copilot pane to provide feedback.
See also
- Learn about other Copilot for Security embedded experiences
- Privacy and data security in Copilot for Security
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.