+ Title: Microsoft Copilot for Security and Microsoft Defender Threat Intelligence

+description: Learn about Microsoft Defender Threat Intelligence capabilities embedded in Copilot for Security.

+keywords: security copilot, threat intelligence, defender threat intelligence, defender ti, copilot for security, embedded experience, vulnerability impact assessment, threat actor profile, plugins, Microsoft plugins

+# Microsoft Copilot for Security and Microsoft Defender Threat Intelligence

+Microsoft Copilot for Security is a cloud-based AI platform that provides natural language copilot experience. It can help support security professionals in different scenarios, like incident response, threat hunting, and intelligence gathering. For more information about what it can do, read [What is Microsoft Copilot for Security?](/security-copilot/microsoft-security-copilot).

+**Copilot for Security integrates with Microsoft Defender Threat Intelligence**

+Copilot for Security delivers information about threat actors, indicators of compromise (IOCs), tools, and vulnerabilities, as well as contextual threat intelligence from Microsoft Defender Threat Intelligence (Defender TI). You can use the prompts and promptbooks to investigate incidents, enrich your hunting flows with threat intelligence information, or gain more knowledge about your organization's or the global threat landscape.

+This article introduces you to Copilot and includes sample prompts that can help Defender TI users.

+- You can use Copilot capabilities to surface threat intelligence in either the [Copilot for Security portal](#using-copilot-for-security-standalone-portal-to-get-threat-intelligence) or the [Microsoft Defender portal](#using-microsoft-copilot-in-defender-to-get-threat-intelligence). [Learn more about Copilot for Security experiences](/security-copilot/experiences-security-copilot)

+- Be specific when referencing an incident (for example, "incident ID 15324").

+- Copilot for Security saves your prompt sessions. To see the previous sessions, from the Copilot [Home menu](/security-copilot/navigating-security-copilot#home-menu), go to **My sessions**.

+

+ 

+ > For a walkthrough on Copilot, including the pin and share feature, read [Navigate Microsoft Copilot for Security](/security-copilot/navigating-security-copilot).

+## Using Copilot for Security standalone portal to get threat intelligence

+1. Go to [Microsoft Copilot for Security](https://go.microsoft.com/fwlink/?linkid=2247989) and sign in with your credentials.

+2. Make sure that the Defender TI plugin is turned on. In the prompt bar, select the **Sources** icon .

+ 

+

+

+ > Some roles can turn the toggle on or off for plugins like Defender TI. For more information, read [Manage plugins in Microsoft Copilot for Security](/security-copilot/manage-plugins).

+### Built-in system features

+Copilot for Security has built-in system features that can get data from the different plugins that are turned on.

+1. In the prompt bar, select the **Prompts** icon .

+ 

+2. Select **See all system capabilities**. The *Microsoft Defender Threat Intelligence* section lists all the available capabilities for Defender TI that you can use.

+Copilot also has the following promptbooks that also deliver information from Defender TI:

+- **Threat actor profile** ΓÇô Generates a report profiling a known threat actor, including suggestions to defend against their common tools and tactics.

+- **Vulnerability impact assessment** ΓÇô Generates a report summarizing the intelligence for a known vulnerability, including steps on how to address it.

+To view these promptbooks, in the prompt bar, select the **Prompts** icon then select **See all promptbooks**.

+### Sample prompts for Defender TI

+#### General information about threat intelligence trends

+- Get threat articles related to ransomware in the last six months.

+#### IP address and host contextual information in relation to threat intelligence

+- Show me the reputation of the host _\<host name\>_.

+- Get resolutions for IP address _\<IP address\>_.

+#### Threat actor mapping and infrastructure

+#### Vulnerability data by CVE

+### Provide feedback

+Your feedback on the Defender TI integration with Copilot for Security helps with development. To provide feedback, in Copilot, select **HowΓÇÖs this response?** At the bottom of each completed prompt and choose any of the following options:

+- **Looks right** - Select this button if the results are accurate, based on your assessment.

+- **Needs improvement** - Select this button if any detail in the results is incorrect or incomplete, based on your assessment.

+## Using Microsoft Copilot in Defender to get threat intelligence

+Copilot for Security customers gain for each of their authenticated Copilot users access to Defender TI within the Microsoft Defender portal. To ensure that you have access to Copilot, see the [Copilot for Security purchase and licensing information](/security-copilot/faq-security-copilot).

+Once you have access to Copilot for Security, the key features discussed in the next section become accessible in the following *Threat intelligence* sections of the Defender portal:

+- Threat analytics

+- Intel profiles

+- Intel explorer

+- Intel projects

+### Key features

+Copilot in Defender brings Copilot for SecurityΓÇÖs capability to look up threat intelligence into the portal, letting security teams understand, prioritize, and take action on threat intelligence information immediately.

+You can ask about a threat actor, attack campaign, or any other threat intelligence that you want to know more about, and Copilot generates responses based on threat analytics reports, intel profiles and articles, and other Defender TI content. You can also select any of the available built-in prompts that let you do the following actions:

+- [Summarize](using-copilot-threat-intelligence-defender-xdr.md#summarize-the-latest-threats-related-to-your-organization) the latest threats related to your organization

+- [Prioritize](using-copilot-threat-intelligence-defender-xdr.md#prioritize-which-threats-to-focus-on) which threats to focus on based on your environment's highest exposure level to these threats

+- [Ask](using-copilot-threat-intelligence-defender-xdr.md#ask-about-the-threat-actors-targeting-the-communications-infrastructure) about the threat actors targeting the communications infrastructure

+[Learn more about using Copilot in Defender for threat intelligence](using-copilot-threat-intelligence-defender-xdr.md)

+When you interact with Copilot for Security to get Defender TI data, Copilot pulls that data from Defender TI. The prompts, the data retrieved, and the output shown in the prompt results are processed and stored within the Copilot service. [Learn more about privacy and data security in Microsoft Copilot for Security](/security-copilot/privacy-data-security)

+- [What is Microsoft Copilot for Security?](/security-copilot/microsoft-security-copilot)

+- [Privacy and data security in Microsoft Copilot for Security](/security-copilot/privacy-data-security)

+- [Using Microsoft Copilot for Security for threat intelligence](using-copilot-threat-intelligence-defender-xdr.md)

+ Title: Use Microsoft Copilot for Security for threat intelligence

+description: Learn about Copilot for Security embedded experience in Microsoft Defender for Microsoft Defender Threat Intelligence.

+keywords: security copilot, threat intelligence, defender threat intelligence, defender ti, copilot for security, embedded experience, vulnerability impact assessment, threat actor profile, plugins, Microsoft plugins

+ms.localizationpriority: medium

+audience: ITPro

+ - Tier1

+# Using Microsoft Copilot for Security for threat intelligence

+**Applies to:**

+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)

+Microsoft Copilot in Defender applies the capabilities of [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) to deliver Microsoft Defender Threat Intelligence (Defender TI) information about threat actors and tools, as well as contextual threat intelligence, directly into the Microsoft Defender portal. Based on threat analytics reports, intel profiles, and other available Defender TI content, you can use Copilot in Defender to summarize the latest threats affecting your organization, know which threats to prioritize based on your exposure level, or gain more knowledge about your organization's or the global threat landscape.

+> [!NOTE]

+> Defender TI capabilities are also available in Copilot for Security standalone experience through the Microsoft Defender Threat Intelligence plugin. [Learn more about Defender TI integration with Copilot for Security](security-copilot-and-defender-threat-intelligence.md)

+## Technical requirements

+Copilot for Security customers gain for each of their authenticated Copilot users access to Defender TI within the Defender portal. [Learn how you can get started with Copilot for Security](/security-copilot/get-started-security-copilot)

+## Accessing Copilot in Defender for threat intelligence content

+You can experience Copilot for SecurityΓÇÖs capability to look up threat intelligence in the following pages of the Defender portal:

+- Threat analytics

+- Intel profiles

+- Intel explorer

+- Intel projects

+## Try your first request

+1. Open any of the pages mentioned previously from the Defender portal navigation bar. The Copilot side pane appears on the right hand side.

+ :::image type="content" source="/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-side-pane.png" alt-text="Screenshot of the Microsoft Defender portal Threat analytics page with the open Microsoft Copilot in Defender side pane highlighted." lightbox="/defender/threat-intelligence/media/defender-ti-and-copilot/copilot-defender-side-pane.png":::

+ You can also reopen Copilot by selecting the **Copilot icon**  at the top of the page.

+2. In the Copilot prompt bar, ask about a threat actor, attack campaign, or any other threat intelligence that you want to know more about, then select the **Send message** icon 

+3. Copilot generates a response from your text instruction or question. While Copilot is generating, you can cancel the response by selecting **Stop generating**.

+

+ 

+4. Review the generated response. Copilot typically generates responses that include summaries and links to related Defender TI intel profiles and articles.

+ 

+5. You can provide feedback about the generated response by selecting the **Provide feedback** icon  and choosing **Confirmed, it looks great**; **Off-target, inaccurate**; or **Potentially harmful, inappropriate**. [Learn more](/microsoft-365/security/defender/security-copilot-in-microsoft-365-defender#data-security-and-feedback-in-copilot)

+6. To start a new chat session with Copilot, select the **New chat** icon .

+> [!NOTE]

+> Copilot saves your sessions from the Defender portal in the [Copilot for Security standalone portal](https://go.microsoft.com/fwlink/?linkid=2247989). To see the previous sessions, from the Copilot [Home menu](/security-copilot/navigating-security-copilot#home-menu), go to **My sessions**. [Learn more about navigating Microsoft Copilot for Security](/security-copilot/navigating-security-copilot)

+> [!IMPORTANT]

+> Copilot in Defender starts a new chat session every time you navigate to a different *Threat intelligence* page (for example, when you go from *Threat analytics* to *Intel profiles*) in the Defender portal. If you wish to go back or continue a previous session, go to the Copilot for Security standalone site.

+## Use the built-in Defender TI prompts

+Copilot in Defender also has the following built-in prompts when accessing the *Threat intelligence* pages to get you started:

+- [Summarize](#summarize-the-latest-threats-related-to-your-organization)

+- [Prioritize](#prioritize-which-threats-to-focus-on)

+- [Ask](#ask-about-the-threat-actors-targeting-the-communications-infrastructure)

+### Summarize the latest threats related to your organization

+Gathering and digesting threat intelligence data and trends can be a daunting task, especially when they come from multiple data sets and sources. Choose the **Summarize** prompt if you want Copilot to give you an overview of the latest threats in your environment. Copilot lists and summarizes relevant campaigns, activities, and threat actors, and includes links to related threat analytics reports or intel profiles for more information.

+### Prioritize which threats to focus on

+Copilot provides insights on which threats you should prioritize and focus on based on your environment's highest exposure level to these threats. Choose the **Prioritize** prompt if you want to find out which threats are likely to significantly impact your organization. This prompt gives you a starting point and could thus make triaging, investigating, and mitigating incidents less complex.

+### Ask about the threat actors targeting the communications infrastructure

+An important aspect of threat intelligence is keeping up to date with the global threat landscape. Choose the **Ask** prompt if you want Copilot to summarize the latest threat articles about threat actors that target the communications infrastructure so you can gather information on their latest TTPs or campaigns, and promptly assess and apply mitigation or prevention strategies.

+### See also

+- [What is Microsoft Copilot for Security?](/security-copilot/microsoft-security-copilot)

+- [Microsoft Copilot for Security and Microsoft Defender Threat Intelligence](security-copilot-and-defender-threat-intelligence.md)

+**Last updated:** 03/29/2024 -  [Change Log subscription](https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)

+|**Last updated:** 03/29/2024 - |

+|Canada |CAN |- eDiscovery (Premium): Canada datacenters <br> - eDiscovery (Standard): US datacenters|

+ > All Windows Defender services (`wdboot`, `wdfilter`, `wdnisdrv`, `wdnissvc`, and `windefend`) should be in their default state. Changing the startup of these services is unsupported and may force you to reimage your system. Example default configurations for `WdBoot` and `WdFilter`:

+ >

+ > If Microsoft Defender Antivirus is in passive mode, these drivers are set to manual (`0`).

+> The following troubleshooting guidance is only applicable for Windows Server 2016 and earlier versions of Windows Server.

+ Title: Microsoft Copilot for Security in advanced hunting

+description: Learn how Microsoft Copilot for Security advanced hunting (NL2KQL) plugin can generate a KQL query for you.

+keywords: advanced hunting, threat hunting, cyber threat hunting, Security Copilot, AI, Microsoft Defender XDR, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill-down, copilot for security advanced hunting, Microsoft Copilot for Security

+# Microsoft Copilot for Security in advanced hunting

+- Microsoft Defender

+## Copilot for Security in advanced hunting

+[Microsoft Copilot for Security in Microsoft Defender](security-copilot-in-microsoft-365-defender.md) comes with a query assistant capability in advanced hunting.

+Threat hunters or security analysts who are not yet familiar with or have yet to learn KQL can make a request or ask a question in natural language (for instance, *Get all alerts involving user admin123*). Copilot for Security then generates a KQL query that corresponds to the request using the advanced hunting data schema.

+Users with access to Copilot for Security have access to this capability in advanced hunting.

+> The advanced hunting capability is also available in the Copilot for Security standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins).

+1. Open the **advanced hunting** page from the navigation bar in Microsoft Defender XDR. The Copilot for Security side pane for advanced hunting appears at the right hand side.

+ :::image type="content" source="../../media/advanced-hunting-security-copilot-pane.png" alt-text="Screenshot of the Copilot pane in advanced hunting." lightbox="../../media/advanced-hunting-security-copilot-pane-big.png":::

+ You can also reopen Copilot by selecting **Copilot** at the top of the query editor.

+1. In the Copilot prompt bar, ask any threat hunting query that you want to run and press  or **Enter** .

+ :::image type="content" source="../../media/advanced-hunting-security-copilot-query.png" alt-text="Screenshot that shows prompt bar in the Copilot for Security for advanced hunting." lightbox="../../media/advanced-hunting-security-copilot-query-big.png":::

+1. Copilot generates a KQL query from your text instruction or question. While Copilot is generating, you can cancel the query generation by selecting **Stop generating**.

+ 

+ 

+ 

+1. You can provide feedback about the generated response by selecting the feedback icon  and choosing **Confirm**, **Off-target**, or **Potentially harmful**.

+> Providing feedback is an important way to let the Copilot for Security team know how well the query assistant was able to help in generating a useful KQL query. Feel free to articulate what could have made the query better, what adjustments you had to make before running the generated KQL query, or share the KQL query that you eventually used.

+You can start your first session anytime by asking a question in the Copilot side pane in advanced hunting. Your session contains the requests you made using your user account. Closing the side pane or refreshing the advanced hunting page does not discard the session. You can still access the generated queries should you need them.

+Select the chat bubble icon (**New chat**) to discard the current session.

+ 

+Select the ellipses in the Copilot side pane to choose whether or not to automatically add and run the generated query in advanced hunting.

+ 

+ Title: Summarize device information with Microsoft Copilot in Microsoft Defender

+description: Generate a summary for devices with Microsoft Copilot in Microsoft Defender.

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ - m365-security

+ - tier1

+search.appverid:

+ - MOE150

+ - MET150

+# Summarize device information with Microsoft Copilot in Microsoft Defender

+**Applies to:**

+- Microsoft Defender XDR

+- Microsoft Defender unified security operations center (SOC) platform

+[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal helps security teams in speeding up device inspection through AI-powered investigation capabilities.

+Security operations teams are tasked to sift through device data to find suspicious activities or entities to prevent malicious attacks. These teams need to summarize large amounts of data and simplify complex information to quickly assess, triage, and connect a device's status and activities to potentially malicious attacks.

+The device summary capability of Copilot in Defender enables security teams to get a device's security posture, vulnerable software information, and any unusual behaviors. Security analysts can use a device's summary to speed up their investigation of incidents and alerts.

+The device summary capability is available in the Microsoft Defender portal through the [Copilot for Security license](/security-copilot/faq-security-copilot). This capability is also available in the Copilot for Security standalone portal through the Microsoft Defender XDR plugin.

+## Summarize device information

+The device summary generated by Copilot contains noteworthy information about the device, including:

+- The status of important Defender XDR protection capabilities, like attack surface reduction and tamper protection

+- Any significant user activity observed, like unusual log in attempts

+- A list of vulnerable software installed in the device

+- The status of other security features, like firewall settings, that contribute to the device's risk

+- Other notable insights that signify the device's status, like when the device was last seen active

+- Device insights delivered by Microsoft Intune, like information on the device's primary user, device group, or discovered apps

+You can access the device summary capability through the following ways:

+1. From the main menu, open the Device inventory page by selecting **Devices** under Assets. Choose a device to investigate from the list. Upon opening the device page, Copilot automatically summarizes the device information of the chosen device and displays the summary in the Copilot pane.

+ :::image type="content" source="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-device-page-small.png" alt-text="Screenshot of the device summary results in Copilot in Defender." lightbox="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-device-page.png":::

+2. From an incident page, you can choose a device on the incident graph and then select **Device details** (1). On the device pane, select **Summarize** (2) to generate the device summary. The summary is displayed in the Copilot pane.

+ :::image type="content" source="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-ΓÇîincident-small.png" alt-text="Screenshot highlighting the steps to access the device summary in an incident page in Copilot in Defender." lightbox="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-ΓÇîincident.png":::

+ You can also access the device summary capability by choosing a device listed in the **Assets** tab of an incident. Select **Copilot** in the device pane to generate the device summary.

+ :::image type="content" source="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets-small.png" alt-text="Screenshot highlighting the device summary option in the assets tab of an incident page in Copilot in Defender." lightbox="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets.png":::

+Review the results. You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the device summary card.

+You can provide feedback about the results by navigating to the bottom of the Copilot pane and selecting the feedback icon .

+## See also

+- [Run script analysis](security-copilot-m365d-script-analysis.md)

+- [Analyze files](copilot-in-defender-file-analysis.md)

+- [Summarize an incident](security-copilot-m365d-incident-summary.md)

+- [Resolve incidents with guided responses](security-copilot-m365d-guided-response.md)

+- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot)

+- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot)

+- [Know more about preinstalled plugins in Microsoft Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins)

+ Title: Analyze files with Microsoft Copilot in Microsoft Defender

+description: Analyze files with Microsoft Copilot in Microsoft Defender.

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ - m365-security

+ - tier1

+search.appverid:

+ - MOE150

+ - MET150

+# File analysis with Microsoft Copilot in Microsoft Defender

+**Applies to:**

+- Microsoft Defender XDR

+- Microsoft Defender unified security operations center (SOC) platform

+[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal enables security teams to quickly identify malicious and suspicious files through AI-powered file analysis capabilities.

+Security operations teams tracking and resolving attacks need tools and techniques to quickly analyze potentially malicious files. Sophisticated attacks often use files that mimic legitimate or system files to avoid detection. In addition, new-to-the-field security analysts might require time and gain significant experience to use available analysis tools and techniques.

+The file analysis capability of Copilot in Defender reduces the barrier to learning file analysis by immediately delivering reliable and complete file investigation results. This capability empowers security analysts from all levels to complete their investigation with a shorter turnaround time. The report includes an overview of the file, details of the file's contents, and a summary of the file's assessment.

+The file analysis capability is available in Microsoft Defender through the [Copilot for Security license](/security-copilot/faq-security-copilot). Copilot for Security standalone portal users also have the file analysis capability and other Defender XDR capabilities through the Microsoft Defender XDR plugin.

+## Analyze a file

+The file analysis results generated by Copilot usually contains the following information:

+- **Overview** - contains an assessment of the file, including a detection name when the file is malicious/potentially unwanted, important file information like certificates and signer, and a summary of the contents of the file that contributes to the assessment.

+- **Details** - highlights *Strings* found in the file, lists *API calls* that the file uses, and lists information of the file's relevant *Certificates*.

+> [!NOTE]

+> The analysis results vary depending on the contents of the file.

+You can access the file analysis capability through the following ways:

+1. Open a file page. Copilot automatically generates an analysis upon opening a file page. The results, which shows the overview information by default, are then displayed on the Copilot pane.

+ :::image type="content" source="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-small.png" alt-text="Screenshot of the file analysis results in Copilot in Defender with the Show details option highlighted." lightbox="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis.png":::

+ Select **Show details** (shown above) to display the full results or **Hide details** (highlighted below) to minimize the results.

+ :::image type="content" source="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-hide-small.png" alt-text="Screenshot of the file analysis results in Copilot in Defender with the Hide details option highlighted." lightbox="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-hide.png":::

+2. From an incident page, choose a file to investigate in the [attack story](investigate-incidents.md#attack-story) graph. You can also choose a file to investigate in an alert page.

+ :::image type="content" source="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-attack-story-small.png" alt-text="Screenshot of the attack story graph with the file entities highlighted." lightbox="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-attack-story.png":::

+ Select a file to investigate then select **Analyze** on the side pane to begin analysis. The results are then displayed on the Copilot pane.

+ :::image type="content" source="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-file-pane-small.png" alt-text="Screenshot of the incident page with the file analysis button highlighted." lightbox="../../media/copilot-in-defender/file-analysis/copilot-defender-file-analysis-file-pane.png":::

+You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the file analysis card.

+Always review the results generated by Copilot in Defender. Select the feedback icon  at the bottom of the Copilot pane to provide feedback.

+## See also

+- [Run script analysis](security-copilot-m365d-script-analysis.md)

+- [Summarize an incident](security-copilot-m365d-incident-summary.md)

+- [Generate device summary](copilot-in-defender-device-summary.md)

+- [Resolve incidents with guided responses](security-copilot-m365d-guided-response.md)

+- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot)

+- [Know more about preinstalled plugins in Microsoft Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins)

+- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot)

+This approach is based on a strong foundation of protections and includes key areas such as identity, endpoints (devices), data, apps, infrastructure, and networking. The Readiness Assessment team determines the areas where a foundational requirement for enabling Microsoft Defender XDR hasn't yet been met and what needs remediation.

+The following list provides some examples of things that must be remediated in order for the SOC to fully optimize processes in the SOC:

+- **Data and apps:** Lack of data governance standards, or no inventory of custom apps that won't integrate.

+Use the guidance in [turning on Microsoft Defender XDR](m365d-enable.md) to capture the baseline set of configuration requirements. These steps will in turn determine remediation activities the SOC teams have to carry out to effectively develop use cases.

+ Title: Manage incidents in Microsoft Defender

+# Manage incidents in Microsoft Defender

+- Microsoft Defender unified security operations center (SOC) platform

+- [Export incident data to PDF](#export-incident-data-to-pdf)

+Microsoft Defender automatically assigns a name based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. The incident name allows you to quickly understand the scope of the incident. For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*

+## Export incident data to PDF

+> [!IMPORTANT]

+> Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

+>

+> The export incident data feature is currently available to Microsoft Defender XDR and Microsoft Defender unified security operations center (SOC) platform customers with the Microsoft Copilot for security license.

+You can export an incidentΓÇÖs data to PDF through the **Export incident as PDF** function and save it into PDF format. This function allows security teams to review an incidentΓÇÖs details offline at any given time.

+The incident data exported includes the following information:

+- An overview containing the incident details

+- The [attack story](investigate-incidents.md#attack-story) graph and threat categories

+- The impacted [assets](investigate-incidents.md#assets), covering up to 10 assets for each asset type

+- The [evidence list](investigate-incidents.md#evidence-and-response) covering up to 100 items

+- Supporting data, including all [related alerts](investigate-incidents.md#alerts) and activities recorded in the [activity log](#activity-log)

+Here's an example of the exported PDF:

+If you have the [Copilot for Security](/security-copilot/microsoft-security-copilot) license, the exported PDF contains the following additional incident data:

+- [Incident summary](security-copilot-m365d-incident-summary.md)

+- [Incident report](security-copilot-m365d-create-incident-report.md)

+The export to PDF function is also available in the Copilot side panel of a generated incident report.

+

+To generate the PDF, perform the following steps:

+1. Open an incident page. Select the **More actions** ellipsis (...) on the upper right corner and choose **Export incident as PDF**. The function becomes grayed out while the PDF is being generated.

+ :::image type="content" source="../../media/incidents-queue/export-incident-main-small.png" alt-text="Screenshot highlighting the export incident to PDF option." lightbox="../../media/incidents-queue/export-incident-main.png":::

+1. A dialog box appears, indicating that the PDF is being generated. Select **Got it** to close the dialog box. Additionally, a status message indicating the current state of the download appears below the incident title. The export process may take a few minutes depending on the incident's complexity and the amount of data to be exported.

+ :::image type="content" source="../../media/incidents-queue/export-incident-predownload-small.png" alt-text="Screenshot highlighting export message and status before download." lightbox="../../media/incidents-queue/export-incident-predownload.png":::

+1. Once the PDF is ready, the status message indicates that the PDF is ready and another dialog box appears. Select **Download** from the dialog box to save the PDF to your device.

+ :::image type="content" source="../../media/incidents-queue/export-incident-download-small.png" alt-text="Screenshot highlighting export message and status when download is available." lightbox="../../media/incidents-queue/export-incident-download.png":::

+The report is cached for a couple of minutes. The system provides the previously generated PDF if you try to export the same incident again within a short time frame. To generate a newer version of the PDF, wait for the cache to expire.

+ Title: Microsoft Copilot in Microsoft Defender

+description: Learn about Microsoft Copilot for Security capabilities embedded in Microsoft Defender.

+keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response automated, automatic incident response, summarize incidents, summarize incident report, plugins, Microsoft plugins, preinstalled plugins, Microsoft Copilot for Security, Copilot for Security, file analysis, file analyzer, summarize device, device summary, summarize device information, device report, file information report, Microsoft Defender, Copilot in Defender

+# Microsoft Copilot in Microsoft Defender

+- Microsoft Defender unified security operations center (SOC) platform

+[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Copilot for Security is embedded in the Microsoft Defender portal to enable security teams to efficiently summarize incidents, analyze scripts and codes, analyze files, summarize device information, use guided responses to resolve incidents, generate KQL queries, create incident reports.

+This article provides an overview for users of the Copilot in Defender, including steps to access, key capabilities, and links to the details of these capabilities.

+## Access Copilot in Defender

+To ensure that you have access to Copilot in Defender, see the [Copilot for Security purchase and licensing information](/security-copilot/faq-security-copilot). Once you have access to Copilot for Security, the key capabilities discussed below become accessible in the Microsoft Defender portal.

+## Investigate and respond to incidents like an expert

+Enable security teams to tackle attack investigations in a timely manner with ease and precision. Copilot helps teams to understand attacks immediately, quickly analyze suspicious files and scripts, and promptly assess and apply appropriate mitigation to stop and contain attacks.

+Investigating incidents with multiple alerts can be a daunting task. To immediately understand an incident, you can tap Copilot to [summarize an incident](security-copilot-m365d-incident-summary.md) for you. Copilot creates an overview of the attack containing essential information for you to understand what transpired in the attack, what assets are involved, and the timeline of the attack. Copilot automatically creates a summary when you navigate to an incident's page.

+Resolving incidents require analysts to have an understanding of an attack to know what solutions are appropriate. Copilot recommends solutions through [guided responses](security-copilot-m365d-guided-response.md) that are specific to each incident.

+### Run script analysis with ease

+Most attackers rely on sophisticated malware when launching attacks to avoid detection and analysis. These malware are usually obfuscated, and might be in the form of scripts or command lines in PowerShell. Copilot can quickly [analyze scripts](security-copilot-m365d-script-analysis.md), reducing the time for investigation.

+### Generate device summaries

+Investigating devices involved in incidents can be a tasking job. To quickly assess a device, Copilot can [summarize a device's information](copilot-in-defender-device-summary.md), including the device's security posture, any unusual behaviors, a list of vulnerable software, and relevant Microsoft Intune information.

+### Analyze files promptly

+Copilot helps security teams quickly assess and understand suspicious files with [file analysis](copilot-in-defender-file-analysis.md). Copilot provides a file's summary, including detection information, related file certificates, a list of API calls, and strings found in the file.

+Security operations teams usually write reports to record important information, including what response actions were taken and the corresponding results, the team members involved, and other information to aid future security decisions and learning. Oftentimes, documenting incidents can be time-consuming. For incident reports to be effective, it must contain an incident's summary along with the actions taken, including what actions were taken by whom and when. Copilot [generates an incident report](security-copilot-m365d-create-incident-report.md) by quickly consolidating these pieces of information.

+## Hunt like a pro

+Copilot in Defender helps security teams proactively hunt for threats in their network by quickly building appropriate KQL queries.

+### Generate KQL queries from natural-language input

+Security teams who use advanced hunting to proactively hunt for threats in their network can now use a query assistant that converts any natural-language question in the context of threat hunting, into a ready-to-run KQL query. The query assistant saves security teams time by generating a KQL query that can then be automatically run or further tweaked according to the analyst needs. Read more about the query assistant in [Copilot for Security in advanced hunting](advanced-hunting-security-copilot.md).

+## Protect your organization with relevant threat intelligence

+Empower your security organization to make informed decisions with the latest threat intelligence. Copilot consolidates and summarizes threat intelligence to help security teams prioritize and respond to threats effectively.

+### Monitor threat intelligence

+Ask Copilot to summarize the relevant threats impacting your environment, to prioritize resolving threats based on your exposure levels, or to find threat actors that might be targeting your industry. Read more about [Copilot for Security in threat intelligence](/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence).

+## Data security and feedback in Copilot

+Copilot continuously evolves using [data](/security-copilot/privacy-data-security#customer-data-and-system-generated-logs) that is [stored](/security-copilot/privacy-data-security#customer-data-storage-location), [processed](/security-copilot/privacy-data-security#location-for-prompt-evaluation), and [shared](/security-copilot/privacy-data-security#customer-data-sharing-preferences) depending on the settings defined by your administrator. Microsoft ensures that your data is always protected and secure when using Copilot. To learn more about data security and privacy in Copilot, see [Privacy and data security in Copilot](/security-copilot/privacy-data-security).

+Because of its continuing evolution, Copilot might miss some things. Reviewing and [providing feedback](/security-copilot/rai-faqs-security-copilot#what-are-the-limitations-of-security-copilot-how-can-users-minimize-the-impact-of-security-copilots-limitations-when-using-the-system) about the results helps improve Copilot's future responses.

+All Copilot in Defender capabilities have an option for providing feedback. To provide feedback, perform the following steps:

+1. Select the feedback icon  located at the bottom of any results card in the Copilot side panel.

+2. Select **Confirmed, it looks great** if the results are accurate based on your assessment. You can provide more information in the next dialog box.

+## Plugins in Copilot for Security

+Copilot uses [preinstalled Microsoft plugins](/security-copilot/manage-plugins#preinstalled-plugins) like Microsoft Defender XDR, Defender Threat Intelligence, and Natural Language to KQL for Microsoft Sentinel and Defender XDR plugins to generate relevant information, provide more context to incidents, and generate more accurate results. Ensure that [plugins are turned on in Copilot](/security-copilot/manage-plugins#managing-preinstalled-plugins) to allow access to relevant data and to generate requested content from other Microsoft services in your organization.

+- [Run script analysis](security-copilot-m365d-script-analysis.md)

+- [Analyze files](copilot-in-defender-file-analysis.md)

+- [Generate device summary](copilot-in-defender-device-summary.md)

+- [Use threat intelligence](/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence)

+- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot)

+- [Privacy and data security in Copilot](/security-copilot/privacy-data-security)

+- Other [Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot)

+ Title: Create incident reports with Microsoft Copilot in Microsoft Defender

+description: Write incident reports with Microsoft Copilot in Microsoft Defender.

+keywords: security copilot, Microsoft Defender XDR, embedded experience, incident report, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, incident report creation, create report, create incident report, write incident report, write report, Microsoft Copilot for Security, Microsoft Defender, Copilot in Defender

+# Create an incident report with Microsoft Copilot in Microsoft Defender

+- Microsoft Defender unified security operations center (SOC) platform

+[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal assists security operations teams with writing incident reports efficiently. Utilizing Copilot for Security's AI-powered data processing, security teams can immediately create incident reports with a click of a button in the Microsoft Defender portal.

+A comprehensive and clear incident report is an essential reference for security teams and security operations management. However, writing a comprehensive report with the important details present can be a time-consuming task for security operations teams. Collecting, organizing, and summarizing incident information from multiple sources requires focus and detailed analysis to create an information-rich report. With Copilot in Defender, security teams can now instantly create an extensive incident report within the portal.

+While an [incident summary](security-copilot-m365d-incident-summary.md) provides an overview of an incident and how it happened, an incident report consolidates incident information from various data sources available in Microsoft Sentinel and Defender XDR. The Copilot-generated incident report also includes all analyst-driven steps and automated actions, the analysts involved in incident response, and the comments from the analysts. Whether security teams are using Microsoft Sentinel, Defender XDR, or both, all relevant incident data are added into the generated incident report.

+Copilot generates the incident report based on the automatic and manual actions implemented, and the analysts' comments and notes posted in the incident. You can review and follow [recommendations](security-copilot-m365d-create-incident-report.md#recommendations-for-incident-report-creation) to ensure that Copilot creates a comprehensive incident report.

+The incident report generation capability in Microsoft Defender is available through the [Copilot for Security license](/security-copilot/faq-security-copilot). This capability is also available in the Copilot for Security standalone portal through the Microsoft Defender XDR plugin.

+This guide lists the data in incident reports and contains steps on how to access the incident report creation capability within the Microsoft Defender portal. It also includes information on how to provide feedback about the generated report.

+## Incident report content

+Copilot in Defender creates an incident report containing the following information:

+- The analysts involved in incident response

+- [Incident classification](manage-incidents.md#specify-the-classification), including the analyst's reason for classification that Copilot summarizes

+- Investigation and remediation actions

+- Follow up actions like recommendations, open issues, or next steps noted by the analysts in the incident logs

+Actions like device isolation, disabling a user, and soft delete of emails are included in the incident report. For a full list of actions included in the incident report, see the [Action center](m365d-action-center.md). The incident report also includes [Microsoft Sentinel playbooks ran](/azure/sentinel/automate-responses-with-playbooks). [Live response commands](/microsoft-365/security/defender-endpoint/live-response) and response actions coming from public API sources or from custom detections are not yet supported.

+We recommend resolving the incident to view all actions that have been taken. Incidents that are not resolved will partially reflect the actions in the incident report.

+## Create an incident report

+To create an incident report with Copilot in Defender, perform the following steps:

+1. Open an incident page. In the incident page, navigate to the **More actions** ellipsis (...) and then select **Generate incident report**. Alternately, you can select the report icon found in the Copilot side panel.

+ :::image type="content" source="../../media/copilot-in-defender/create-report/incident-report-create-small.png" alt-text="Screenshot highlighting the generated incident report and report icon buttons in the incident page." lightbox="../../media/copilot-in-defender/create-report/incident-report-create.png":::

+2. Copilot creates the incident report. You can stop the report creation by selecting **Cancel** and restart report creation by selecting **Regenerate**. Additionally, you can restart report creation if you encounter an error.

+3. The incident report card appears on the Copilot pane. The generated report depends on the incident information available from Microsoft Defender XDR and Microsoft Sentinel. Refer to the [recommendations](security-copilot-m365d-create-incident-report.md#recommendations-for-incident-report-creation) to ensure a comprehensive incident report.

+ :::image type="content" source="../../media/copilot-in-defender/create-report/incident-report-main1-small.png" alt-text="Screenshot of the incident report card in the incident page showing the top half of the card." lightbox="../../media/copilot-in-defender/create-report/incident-report-main1.png":::

+ :::image type="content" source="../../media/copilot-in-defender/create-report/incident-report-main2-small.png" alt-text="Screenshot of the incident report card in the incident page showing the lower bottom of the card." lightbox="../../media/copilot-in-defender/create-report/incident-report-main2.png":::

+4. Select the More actions ellipsis (...) located on the upper right of the incident report card. To copy the report, select **Copy to clipboard** and paste the report to your preferred system, **Post to activity log** to add the report to the activity log in the Microsoft Defender portal, or **Export incident as PDF** to [export the incident data to PDF](manage-incidents.md#export-incident-data-to-pdf). Select **Regenerate** to restart report creation. You can also **Open in Copilot for Security** to view the results and continue accessing other plugins available in the Copilot for Security standalone portal.

+ 

+5. Review the generated incident report. You can provide feedback on the report by selecting the feedback icon found on the bottom of the results .

+## Export incident to PDF

+You can export the incident data to PDF to create a report that you can easily share with stakeholders. The exported incident data contains relevant information like the attack story, impacted assets, relevant alerts, and AI-generated content from Copilot, like the incident summary and incident report. With this capability, security teams can quickly export more incident information for post-incident discussions within team members or with other stakeholders.

+You can follow the steps in [export incident data to PDF](manage-incidents.md#export-incident-data-to-pdf) to generate the PDF.

+Here are some recommendations to consider to ensure that Copilot generates a comprehensive and complete incident report:

+- Ensure that you write and save comments in the Microsoft Sentinel activity log or in the [Microsoft Defender XDR incident activity log](manage-incidents.md#activity-log) to include the comments in the incident report.

+ - [Add comments to incidents in the Microsoft Defender portal](manage-incidents.md#add-comments)

+ - Add comments to incidents in Microsoft Sentinel

+- Copy the generated incident report and post it to the activity log in the Microsoft Defender portal to ensure that the incident report is saved in the incident page.

+- [Get started with Microsoft Copilot for Security](/security-copilot/get-started-security-copilot)

+- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot)

+- Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins)

+ Title: Resolve incidents with guided responses with Microsoft Copilot in Microsoft Defender

+description: Resolve incidents using guided responses delivered by Microsoft Copilot in Microsoft Defender.

+keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, incident response playbooks, remediate incident, remediation actions, incident solution, resolve incidents, guided responses, security copilot guided response, copilot in security guided response, security copilot guided response in Microsoft Defender XDR, Microsoft Copilot for Security, Microsoft Defender, Copilot in Defender

+# Resolve incidents with guided responses from Microsoft Copilot in Microsoft Defender

+- Microsoft Defender unified security operations center (SOC) platform

+[Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal supports incident response teams in immediately resolving incidents with guided responses. Copilot in Defender uses AI and machine learning capabilities to contextualize an incident and learn from previous investigations to generate appropriate response actions.

+Responding to incidents in the Microsoft Defender portal often requires familiarity with the portal's available actions to stop attacks. In addition, new incident responders might have different ideas of where and how to start responding to incidents. The guided response capability of Copilot in Defender allows incident response teams at all levels to confidently and quickly apply response actions to resolve incidents with ease.

+Guided responses are available in the Microsoft Defender portal through the [Copilot for Security license](/security-copilot/faq-security-copilot). Guided responses are also available in the Copilot for Security standalone experience through the Defender XDR plugin.

+This guide outlines how to access the guided response capability, including information on providing feedback about the responses.

+## Apply guided responses to resolve incidents

+Each card contains information about the recommended action, including the entity where the action needs to be applied and why the action is recommended. The cards also emphasize when a recommended action was done by automated investigation like [attack disruption](automatic-attack-disruption.md) or [automated investigation response](m365d-autoir.md).

+The guided response cards can be sorted based on the available status for each card. You can select a specific status when viewing the guided responses by clicking on **Status** and selecting the appropriate status you want to view. All guided response cards regardless of status are shown by default.

+1. Open an incident page. Copilot automatically generates guided responses upon opening an incident page. The Copilot pane appears on the right side of the incident page, showing the guided response cards.

+ :::image type="content" source="../../media/copilot-in-defender/guided-response/copilot-defender-guided-response-small.png" alt-text="Screenshot highlighting the Copilot pane with the guided responses in the Microsoft Defender incident page." lightbox="../../media/copilot-in-defender/guided-response/copilot-defender-guided-response.png":::

+2. Review each card before applying the recommendations. Select the More actions ellipsis (...) on top of a response card to view the options available for each recommendation. Here are some examples.

+ 

+ 

+3. To apply an action, select the desired action found on each card. The guided response action on each card is tailored to the type of incident and the specific entity involved.

+ :::image type="content" source="../../media/copilot-in-defender/guided-response/copilot-defender-guided-response-actions-small.png" alt-text="Screenshot of the guided response cards in the Copilot pane in Microsoft Defender." lightbox="../../media/copilot-in-defender/guided-response/copilot-defender-guided-response-actions.png":::

+4. You can provide feedback to each response card to continuously enhance future responses from Copilot. To provide feedback, select the feedback icon  found on the bottom right of each card.

+> [!NOTE]

+> Grayed out action buttons mean these actions are limited by your permission. [Refer to the unified role-based access (RBAC) permissions](manage-rbac.md) page for more information.

+Copilot in Defender supports incident response teams by enabling analysts to gain more context about response actions with additional insights. For remediation responses, incident response teams can view additional information with options like **View similar incidents** or **View similar emails**.

+The **View similar incidents** action becomes available when there are other incidents within the organization that are similar to the current incident. The Similar incidents tab lists similar incidents that you can review. Microsoft Defender automatically identifies similar incidents within the organization through machine learning. Incident response teams can use the information from these similar incidents to classify incidents and further review the actions done in those similar incidents.

+The **View similar emails** action, which is specific to phishing incidents, takes you to the [advanced hunting](advanced-hunting-overview.md) page, where a KQL query to list similar emails within the organization is automatically generated. This automatic query generation related to an incident helps incident response teams further investigate other emails that might be related to the incident. You can review the query and modify it as needed.

+- [Summarize an incident](security-copilot-m365d-incident-summary.md)

+- [Analyze files](copilot-in-defender-file-analysis.md)

+- [Run script analysis](security-copilot-m365d-script-analysis.md)

+- [Create an incident report](security-copilot-m365d-create-incident-report.md)

+- [Generate KQL queries](advanced-hunting-security-copilot.md)

+- [Get started with Microsoft Copilot for Security](/security-copilot/get-started-security-copilot)

+- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot)

+- Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins)

+ Title: Summarize incidents with Microsoft Copilot in Microsoft Defender

+description: Generate incident summaries with Microsoft Copilot embedded in Microsoft Defender.

+keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, guided response, incident response playbooks, incident response, summary, summarize incident, summarize incidents, incident overview, write incident summary, Microsoft Copilot for Security, Copilot in Defender, Microsoft Defender

+# Summarize an incident with Microsoft Copilot in Microsoft Defender

+- Microsoft Defender unified security operations center (SOC) platform

+Microsoft Defender XDR applies the capabilities of [Copilot for Security](/security-copilot/microsoft-security-copilot) to summarize incidents, delivering impactful information and insights to simplify investigation tasks. Attack investigation is a crucial step for incident response teams to successfully defend an organization against further damage from a cyber threat. Investigations can oftentimes be time-consuming as it involves numerous steps. Incident response teams need to understand how the attack happened: sort through numerous alerts, identify which assets and entities are involved, and assess the scope and impact of an attack.

+Incident responders can easily gain the right context to investigate and remediate incidents through Defender XDR's correlation capabilities and Copilot for Security's AI-powered data processing and contextualization. With an incident summary, responders can quickly get important information to help in their investigation.

+The incident summary capability is available in the Microsoft Defender portal through the [Copilot for Security license](/security-copilot/faq-security-copilot). This capability is also available in the Copilot for Security standalone experience through the Microsoft Defender XDR plugin.

+This guide outlines what to expect and how to access the summarizing capability of Copilot in Defender, including information on providing feedback.

+- Indicators of compromise (IoCs).

+1. Open an incident page. Copilot automatically creates an incident summary upon opening the page. You can stop the summary creation by selecting **Cancel** or restart creation by selecting **Regenerate**.

+2. The incident summary card loads on the Copilot pane. Review the generated summary on the card.

+ :::image type="content" source="../../media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-small.png" alt-text="Screenshot of the incident summary card on the Copilot pane as seen in the Microsoft Defender incident page." lightbox="../../media/copilot-in-defender/incident-summary/copilot-defender-incident-summary.png":::

+ > [!TIP]

+ > You can navigate to a file, IP, or URL page from the Copilot results pane by clicking on the evidence in the results.

+3. Select the **More actions** ellipsis (...) at the top of the incident summary card to copy or regenerate the summary, or view the summary in the Copilot for Security portal. Selecting **Open in Copilot for Security** opens a new tab to the Copilot for Security standalone portal where you can input prompts and access other plugins.

+ :::image type="content" source="../../media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-more-actions.png" alt-text="Screenshot highlighting the actions available on the incident summary card." lightbox="../../media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-more-actions.png":::

+4. Review the summary and use the information to guide your investigation and response to the incident. You can provide feedback on the summary by selecting the feedback icon  found on the bottom of the Copilot pane.

+## See also

+- [Run script analysis](security-copilot-m365d-script-analysis.md)

+- [Analyze files](copilot-in-defender-file-analysis.md)

+- [Generate device summary](copilot-in-defender-device-summary.md)

+- [Get started with Microsoft Copilot for Security](/security-copilot/get-started-security-copilot)

+- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot)

+- Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins)

+ Title: Script analysis with Microsoft Copilot in Microsoft Defender

+description: Use Microsoft Copilot script analysis in Microsoft Defender to investigate scripts and command lines.

+keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, powershell, powershell analysis, bash, batch, bash analysis, batch analysis, code analysis, code analyzer, security copilot script analysis, copilot in security script analysis, security copilot script analysis in Microsoft Defender XDR, Microsoft Copilot for Security, Microsoft Defender, Copilot in Defender

+# Script analysis with Microsoft Copilot in Microsoft Defender

+- Microsoft Defender unified security operations center (SOC) platform

+Through AI-powered investigation capabilities from [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal, security teams can speed up their analysis of malicious or suspicious scripts and command lines.

+Most complex and sophisticated attacks like [ransomware](/security/ransomware) evade detection through numerous ways, including the use of scripts and PowerShell command lines. Moreover, these scripts are often obfuscated, which adds to the complexity of detection and analysis. Security operations teams need to quickly analyze scripts to understand capabilities and apply appropriate mitigation, immediately stopping attacks from progressing further within a network.

+The script analysis capability provides security teams added capacity to inspect scripts without using external tools. This capability also reduces complexity of analysis, minimizing challenges and allowing security teams to quickly assess and identify a script as malicious or benign. Script analysis is also available in the Copilot for Security standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins).

+## Analyze a script

+You can access the script analysis capability within the attack story below the incident graph on an incident page and in the [device timeline](/microsoft-365/security/defender-endpoint/device-timeline-event-flag).

+To begin analysis, perform the following steps:

+1. Open an incident page then select an item on the left pane to open the attack story below the incident graph. Within the attack story, select an event with a script or command line that you want to analyze. Click **Analyze** to start the analysis.

+ :::image type="content" source="../../media/copilot-in-defender/script-analyzer/copilot-defender-script-analysis-incident-small.png" alt-text="Screenshot highlighting the script analysis button in the attack story view." lightbox="../../media/copilot-in-defender/script-analyzer/copilot-defender-script-analysis-incident.png":::

+ Alternately, you can select an event to inspect in the device timeline view. On the file details pane, select **Analyze** to run the script analysis capability.

+ :::image type="content" source="../../media/copilot-in-defender/script-analyzer/copilot-defender-script-device-timeline-small.png" alt-text="Screenshot highlighting the Analyze button in the device timeline." lightbox="../../media/copilot-in-defender/script-analyzer/copilot-defender-script-device-timeline.png":::

+

+2. Copilot runs script analysis and displays the results in the Copilot pane. Select **Show code** to expand the script, or **Hide code** to close the expansion.

+ :::image type="content" source="../../media/copilot-in-defender/script-analyzer/copilot-defender-script-analysis-results-small.png" alt-text="Screenshot of the Copilot pane with script analysis results in the Microsoft Defender XDR incident page." lightbox="../../media/copilot-in-defender/script-analyzer/copilot-defender-script-analysis-results.png":::

+3. Select the **More actions** ellipsis (...) on the upper right of the script analysis card to copy or regenerate the results, or view the results in the Copilot for Security standalone experience. Selecting **Open in Copilot for Security** opens a new tab to the Copilot standalone portal where you can input prompts and access other plugins.

+

+ 

+4. Review the results. You can provide feedback on the results by selecting the feedback icon  found at the end of the script analysis card.

+## See also

+- [Analyze files](copilot-in-defender-file-analysis.md)

+- [Generate device summary](copilot-in-defender-device-summary.md)

+- [Get started with Microsoft Copilot for Security](/security-copilot/get-started-security-copilot)

+- [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot)

+## April 2024

+- (GA) **[Microsoft Copilot in Microsoft Defender](security-copilot-in-microsoft-365-defender.md)** is now generally available. Copilot in Defender helps you investigate and respond to incidents faster and more effectively. Copilot provides guided responses, incident summaries and reports, helps you build KQL queries to hunt for threats, provide file and script analyses, and enable you to summarize relevant and actionable threat intelligence.

+ms.localizationpriority: medium

+To search the Microsoft 365 Roadmap for Defender for Office 365 features, use [this link](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=Microsoft%2CDefender%2Cfor%2COffice%2C365).

+## How to avoid email authentication failures when sending mail to Microsoft 365

+search.appverid:

+adobe-target: true

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+Microsoft Defender for Office 365 is a seamless integration into Microsoft 365 subscriptions that protects against threats in email, links (URLS), file attachments, and collaboration tools. This article explains the _protection ladder_ in Microsoft 365 organizations. The protection ladder starts with Exchange Online Protection (EOP) and continues through to Defender for Office 365, which includes Defender for Office 365 Plan 1 and Defender for Office 365 Plan 2.

+This article is intended for Security Operations (SecOps) personnel, admins in Microsoft 365, or decisions makers who want to learn more about Defender for Office 365.

+> [!TIP]

+> If you're using **Outlook.com**, **Microsoft 365 Family**, or **Microsoft 365 Personal**, and need information about _Safelinks_ or _advanced attachment scanning_, see [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2).

+>

+> If you're new to your Microsoft 365 subscription and would like to know your licenses before you begin, go the **Your products** page in the Microsoft 365 admin center at <https://admin.microsoft.com/Adminportal/Home#/subscriptions>.

+All Microsoft 365 subscriptions include built-in security and protection features. The goals and available actions of these features vary. In Microsoft 365, there are three main security services (or products):

+1. **Exchange Online Protection (EOP)**: Included in any subscription that includes Exchange Online mailboxes. Also available as a [standalone subscription](/exchange/standalone-eop/standalone-eop) to protect on-premises email environments.

+2. **Defender for Office 365 365 Plan 1**: Included in some Microsoft 365 subscriptions with Exchange Online mailboxes that cater to small to medium-sized businesses (for example, Microsoft 365 Business Premium).

+3. **Defender for Office 365 365 Plan 2**: Included in some Microsoft 365 subscriptions with Exchange Online mailboxes that cater to enterprise organizations (for example, Microsoft 365 E5, Microsoft 365 A5, and Microsoft 365 GCC G5).

+Defender for Office 365 always includes EOP. Defender for Office 365 is also available as an add-in subscription to many Microsoft 365 subscriptions with Exchange Online mailboxes.

+Defender for Office 365 Plan 1 contains a subset of the features that are available in Plan 2. Defender for Office 365 Plan 2 contains many features that aren't available in Plan 1.

+> For information about subscriptions that contain Defender for Office 365, see the [Microsoft 365 business plan comparison](https://aka.ms/M365BusinessPlans) and the [Microsoft 365 Enterprise plan comparison](https://aka.ms/M365EnterprisePlans).

+> Use the following exhaustive reference to determine if Defender for Office 365 Plan 1 or Plan 2 licenses are included in a Microsoft 365 subscription: [Product names and service plan identifiers for licensing](/entra/identity/users/licensing-service-plan-reference).

+> Use the following interactive guide to see how Defender for Office 365 is able to protect your organization: [Safeguard your organization with Microsoft Defender for Office 365](https://aka.ms/MSDO-IG).

+>

+> Use [this page](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-office-365#pmg-allup-content) to compare plans and purchase Defender for Office 365.

+EOP and Defender for Office 365 can be summarized with the following descriptions:

+- **EOP** prevents broad, volume-based, known email attacks.

+- **Defender for Office 365 Plan 1** protects email and collaboration features from zero-day malware, phishing, and business email compromise (BEC).

+- **Defender for Office 365 Plan 2** adds phishing simulations, post-breach investigation, hunting, and response, and automation.

+However, you can also think about the _architecture_ of EOP and Defender for Office 365 as _cumulative layers of security_, where each layer has a different _security emphasis_. This architecture is shown in the following diagram:

+EOP and Defender for Office 365 are capable of protecting, detecting, investigating, and responding to threats. But as you move up the protection ladder, the _available features_ and _automation_ increase.

+Whether you're using the onmicrosoft.com domain only or custom domains for email in Microsoft 365, it's important to configure email authentication for your used and unused domains. SPF, DKIM, and DMARC records in DNS allow Microsoft 365 to more accurately protect against spoofing attacks. For more information, see [Email authentication in Microsoft 365](email-authentication-about.md).

+## The Microsoft 365 security ladder from EOP to Defender for Office 365

+It can be difficult to identity the advantages of Defender for Office 365 over EOP. The following subsections describe the capabilities of each product using the following security emphases:

+- Preventing and detecting threats.

+- Investigating threats.

+- Responding to threats.

+### EOP capabilities

+The capabilities of **EOP** are summarized in the following table:

+|Prevent/Detect|Investigate|Respond|

+||||

+|<ul><li>[Anti-malware protection](anti-malware-protection-about.md)^\*</li><li>[Anti-spam protection](anti-spam-protection-about.md)^\*, including [bulk email protection](anti-spam-spam-vs-bulk-about.md)</li><li>[Anti-phishing (spoofing) protection](anti-phishing-protection-spoofing-about.md)^\*, including the [Spoof intelligence insight](anti-spoofing-spoof-intelligence.md)</li><li>[Outbound spam filtering](outbound-spam-protection-about.md)</li><li>[Connection filtering](connection-filter-policies-configure.md)</li><li>[Quarantine](quarantine-about.md) and [quarantine policies](quarantine-policies.md)</li><li>False positives and false negative reporting by [admin submissions to Microsoft](submissions-admin.md) and [user reported messages](submissions-user-reported-messages-custom-mailbox.md)</li><li>[Allow and block entries in the Tenant Allow/Block List](tenant-allow-block-list-about.md) for: <ul><li>Domains and email addresses</li><li>Spoof</li><li>URLs</li><li>Files</li></ul></li></ul>|<ul><li>[Audit log search](audit-log-search-defender-portal.md)</li><li>[Message Trace](message-trace-defender-portal.md)</li><li>[Email security reports](reports-email-security.md)</li></ul>|<ul><li>[Zero-hour auto purge (ZAP) for email](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-for-email-messages)</li><li>Refine and test entries in the [Tenant Allow/Block List](tenant-allow-block-list-about.md)</li></ul>|

+^\* The associated protection polices are available in default policies, custom policies, and [the Standard and Strict preset security policies](preset-security-policies.md). For help with deciding which method to use, see [Determine your protection policy strategy](mdo-deployment-guide.md#determine-your-protection-policy-strategy).

+For more information about EOP, see [Exchange Online Protection overview](eop-about.md).

+### Defender for Office 365 Plan 1 capabilities

+Defender for Office 365 Plan 1 expands on the _prevention_ and _detection_ capabilities of EOP.

+The additional features that you get in **Defender for Office 365 Plan 1** on top of EOP are described in the following table:

+|Prevent/Detect|Investigate|Respond|

+||||

+|<ul><li>The following [additional features in anti-phishing policies](anti-phishing-protection-about.md#additional-anti-phishing-protection-in-microsoft-defender-for-office-365): <ul><li>User and domain impersonation protection</li><li>Mailbox intelligence impersonation protection (contact graph)</li><li>Advanced phishing thresholds</li></ul></li><li>[Safe Attachments in email](safe-attachments-about.md)</li><li>[Safe Attachments for files in SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li><li>[Safe Links in email, Office clients, and Teams](safe-links-about.md)</li><li>Email & collaboration alerts at <https://security.microsoft.com/viewalertsv2><li>SIEM integration API for **alerts**</li></ul>|<ul><li>[Real-time detections](threat-explorer-real-time-detections-about.md)^\*</li><li>[The Email entity page](mdo-email-entity-page.md)</li><li>SIEM integration API for **detections**</li><li>[URL trace](../defender-endpoint/investigate-domain.md)</li><li>[Defender for Office 365 reports](reports-defender-for-office-365.md)</li></ul>|<ul><li>Same</li></ul>|

+^\* The presence of **Email & collaboration** \> **Real-time detections** in the Microsoft Defender portal is a quick way to differentiate between Defender for Office 365 Plan 1 and Plan 2.

+### Defender for Office 365 Plan 2 capabilities

+Defender for Office 365 Plan 2 expands on the _investigation_ and _response_ capabilities of Plan 1 and EOP, including the addition of _automation_.

+The additional features that you get in **Defender for Office 365 Plan 2** on top of Defender for Office 365 Plan 1 and EOP are described in the following table:

+|Prevent/Detect|Investigate|Respond|

+||||

+|<ul><li>[Attack simulation training](attack-simulation-training-get-started.md)</li>|<li>[Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md) instead of Real-time detections.^\*</li><li>[Threat Trackers](threat-trackers.md)</li><li>[Campaigns](campaigns.md)</li></ul>|<ul><li>[Automated Investigation and Response (AIR)](air-about.md): <ul><li>AIR from Threat Explorer</li><li>AIR for compromised users</li></ul></li><li>SIEM Integration API for **Automated Investigations**</li></ul>|

+^\* The presence of **Email & collaboration** \> **Explorer** in the Microsoft Defender portal is a quick way to differentiate between Defender for Office 365 Plan 2 and Plan 1.

+## Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet

+This quick-reference section summarizes the different capabilities between Defender for Office 365 Plan 1 and Plan 2 that aren't included in EOP.

+|Defender for Office 365 Plan 1|Defender for Office 365 Plan 2|

+|Prevent and detect capabilities: <ul><li>[Anti-phishing policies with impersonation protection and Advanced phishing thresholds](anti-phishing-policies-about.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Safe Attachments](safe-attachments-about.md), including [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li><li>[Safe Links](safe-links-about.md)</li></ul> <br/> Investigate and respond capabilities: <ul><li>[Real-time detections](threat-explorer-real-time-detections-about.md)</li><li>[The Email entity page](mdo-email-entity-page.md)</li></ul>|Everything in Defender for Office 365 Plan 1 capabilities <br/><br/> plus <br/><br/> Prevent and detect capabilities: <ul><li>[Attack simulation training](attack-simulation-training-simulations.md)</li></ul> <br/> Investigate and respond capabilities: <ul><li>[Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md)</li><li>[Threat Trackers](threat-trackers.md)</li><li>[AIR](air-about.md)</li><li>[Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](../defender/advanced-hunting-overview.md)</li><li>[Investigate incidents in Microsoft Defender XDR](../defender/investigate-incidents.md)</li><li>[Investigate alerts in Microsoft Defender XDR](../defender/investigate-alerts.md)</li></ul>|

+- For more information, see [Feature availability across Defender for Office 365 plans](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#feature-availability).

+- [Safe Documents](safe-documents-in-e5-plus-security-about.md) is available to users with the Microsoft 365 A5 or Microsoft 365 E5 Security licenses (not included in Defender for Office 365 plans).

+- If your current subscription doesn't include Defender for Office 365 Plan 2, you can [try Defender for Office 365](try-microsoft-defender-for-office-365.md) free for 90 days. Or, [contact sales to start a trial](https://info.microsoft.com/ww-landing-M365SMB-web-contact.html).

+- Defender for Office 365 P2 customers have access to **Microsoft Defender XDR integration** to efficiently detect, review, and respond to incidents and alerts.

+## Where to go next

+[Get started with Microsoft Defender for Office 365](mdo-deployment-guide.md)

+[Microsoft Defender for Office 365 Security Operations Guide](mdo-sec-ops-guide.md)

+[Migrate from a third-party protection service or device to Microsoft Defender for Office 365](migrate-to-defender-for-office-365.md)

+[What's new in Microsoft Defender for Office 365](defender-for-office-365-whats-new.md)

+The [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=Microsoft%2CDefender%2Cfor%2COffice%2C365) describes new features that are being added to Defender for Office 365.

+|Microsoft Teams, Exchange Online, SharePoint Online and OneDrive, Microsoft 365 Apps, Microsoft Power Platform, and Viva Engage|Create, communicate, and collaborate.|Microsoft 365 E3 or E5 and Microsoft Teams Enterprise |

+|Microsoft Teams|Guest access, private teams, private channels, shared channels|Microsoft 365 E3 and E5 with a Microsoft Teams Enterprise license|