Describe Microsoft Security Copilot agents

Microsoft Security Copilot agents add autonomous, adaptive automation to security and IT operations. They integrate with Microsoft Security solutions and the third-party partner ecosystem to handle high-volume security tasks. Purpose-built for security, agents learn from feedback and adapt to your organization's workflows while your team stays in control, and they operate within Microsoft's Zero Trust framework. The result is faster response, better risk prioritization, and less manual effort.

Define agents in Microsoft Security Copilot

An agent is an AI-driven security assistant or workflow that can autonomously execute and orchestrate tasks on behalf of security teams. Each agent has a defined goal, such as triaging alerts, generating a threat intelligence briefing, or remediating vulnerabilities. Agents reduce manual workloads, enhance operational effectiveness, and strengthen your organization's overall security posture.

Agents can be:

  • Interactive – Respond to user input in real time through a conversational experience.
  • Automated – Triggered by events or schedules to run autonomously without requiring user interaction.

Agents consume security compute units (SCUs) when they run, just like other Security Copilot features, so an automated agent draws on the same SCU capacity each time its trigger fires. They integrate with Microsoft Security solutions and the supported partner ecosystem and fit into existing workflows.

Agent terminology in Microsoft Security Copilot

To effectively use Security Copilot agents, it's essential to understand the terminology used when working with agents.

  • Trigger: An event or condition that tells an agentic system to start an action or series of actions. You can set an agent to run automatically at specific intervals or run it manually when needed.
  • Permissions: The level of authorization an administrator grants an agent during configuration so that it can access specific information or carry out its tasks. Permissions might include the ability to read data from other solutions, such as Microsoft Defender External Attack Surface Management or Microsoft Threat Intelligence. Grant only what the agent's goal requires.
  • Identity: An agent needs an identity to authenticate and securely access resources when it runs. During agent setup you choose one of two identity types:
      • Create an agent identity: Creates a dedicated identity for the agent using the Microsoft Entra Agent ID capability. Agent IDs are identities created specifically for AI agents; using one keeps the agent's access scoped to its own permissions and easier to manage. Currently this option is only available for Microsoft-built agents.
      • Connect with an existing user account: Runs the agent with your credentials, so it inherits every permission that account holds while the agent is active. Whatever roles and access you have, the agent has too, so avoid binding agents to highly privileged accounts and prefer a dedicated agent identity where it is available.
  • Plugins: Components that extend what an agent can do by giving it access to capabilities in Microsoft and non-Microsoft services and public websites through APIs. Plugins add context to an agent's output. Some plugins are required to run an agent; others are optional and add data sources or tools.
  • Role-based access control (RBAC): Determines who can view and manage the outputs that agents generate in Microsoft Security Copilot, so that sensitive information is accessible only to authorized users.
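Before you choose "Connect with an existing user account", it helps to know exactly what the agent will inherit. The following PowerShell is an added example, not part of this module or of Security Copilot itself. It uses the Microsoft Graph PowerShell SDK to list the Microsoft Entra directory roles held by a given account (the UPN `agent-runner@contoso.com` is a placeholder) and flags any role that Entra classifies as privileged. It covers Entra directory roles only; Security Copilot's own role assignments for viewing agent output are a separate setting.

```powershell
# Added example: enumerate the Entra directory roles a user account holds,
# so you know what a Security Copilot agent bound to that account inherits.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# The UPN below is a placeholder; replace it with the account you intend to use.
$Upn = 'agent-runner@contoso.com'

# Read-only scopes are enough: the script only reads role assignments and definitions.
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName

# Active directory role assignments (permanent or currently activated) for this principal.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)'" -All

$report = foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $a.RoleDefinitionId
    [pscustomobject]@{
        Role       = $def.DisplayName
        Privileged = $def.IsPrivileged     # true for roles Entra classifies as privileged
        Scope      = $a.DirectoryScopeId   # '/' means tenant-wide
    }
}

# Roles the account is only eligible for (PIM) are not active, but they show
# the account's potential reach, so list them as well.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$($user.Id)'" -All |
    ForEach-Object {
        (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
    }

"Active directory roles held by $($user.UserPrincipalName):"
$report | Sort-Object -Property Privileged -Descending | Format-Table -AutoSize

if ($report | Where-Object Privileged) {
    Write-Warning "This account holds privileged roles; an agent connected to it inherits them. Prefer a dedicated agent identity."
}
if ($eligible) {
    "PIM-eligible roles (not active now): $($eligible -join ', ')"
}
```

Run it as an account that can read directory role assignments. If the report shows privileged roles such as Global Administrator, the agent would run with that same authority, which is the situation the dedicated agent identity option is designed to avoid.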

Discover agents in Microsoft Security Copilot

You can discover Microsoft Security Copilot agents from both the standalone and embedded experiences. Finding the right agent is the first step to automating your security workflows.

In the standalone experience (accessed through https://securitycopilot.microsoft.com):

  1. Open the home menu.
  2. Select Agents.
  3. The agent library opens, displaying the Microsoft and partner agents available to you.

In the embedded experiences, you see agents within the portal of the corresponding Microsoft security product and can explore their capabilities directly.

Depending on your role, you can either set up agents or access them to run.

Note

The list of Microsoft and Partner agents is continually growing. The agents covered in this module represent only a sample of the available agents.

Screen capture of the Agents page in Microsoft Security Copilot. The page displays tiles for all available agents from Microsoft and partners.

Microsoft agents

Security Copilot includes agents integrated with Microsoft security solutions. They're available across the integrated Microsoft security products, organized here by the experience in which you find them:

Agents in the standalone experience

  • Threat Intelligence Briefing Agent: Generates timely, relevant threat intelligence reports with detailed technical analysis based on the latest threat actor activity and vulnerability information.
  • Security Analyst Agent: Helps security analysts quickly identify, assess, and prioritize risks by providing flexible analysis, data integration, and actionable insights from Microsoft Defender XDR, Microsoft Sentinel Log Analytics, or Microsoft Sentinel Data Lake.

Agents embedded in Microsoft Entra

  • Conditional Access Optimization Agent: Evaluates your Conditional Access policies against Microsoft best practices and Zero Trust principles, identifies gaps and redundancies, and recommends improvements that identity teams can apply with one click.
  • Identity Risk Management Agent (Preview): Helps administrators investigate potential identity risks in Microsoft Entra ID Protection, understand their effects, and take decisive action to protect critical assets.

Agents embedded in Microsoft Defender

  • Security Alert Triage Agent: Helps security teams triage alerts at scale using AI-driven reasoning, identifying which alerts represent real attacks and which are false positives. This agent evolved from the Phishing Triage Agent and now supports email, identity, and cloud alerts.
  • Threat Intelligence Briefing Agent: Also available in the Defender portal, this agent gathers and synthesizes threat intelligence data to deliver concise and actionable insights to security operations teams.
  • Threat Hunting Agent: Enables threat hunting using natural language, generates KQL queries, interprets results, and guides analysts through full hunting sessions.
  • Dynamic Threat Detection Agent: An always-on adaptive service that uncovers hidden threats across Defender and Microsoft Sentinel environments by correlating alerts, events, and threat intelligence.
  • Security Analyst Agent: Accessible in the Advanced hunting experience in the Defender portal, this agent helps security analysts quickly identify, assess, and prioritize risks by analyzing data from Microsoft Defender XDR, Microsoft Sentinel Log Analytics, or Microsoft Sentinel Data Lake.

Agents embedded in Microsoft Purview

  • Alert Triage Agent in Data Loss Prevention: Evaluates DLP alerts based on sensitivity risk, exfiltration risk, and policy risk, then sorts them into prioritized categories.
  • Triage Agent in Insider Risk Management: Evaluates IRM alerts based on user risk, file risk, and activity risk, then sorts them into prioritized categories.
  • Data Security Posture Agent: Uses natural language search to find sensitive data across SharePoint, OneDrive, Teams, Exchange, and Copilot interactions, providing risk-level assessments and exportable insight reports for preinvestigation checks.

Agents embedded in Microsoft Intune

  • Vulnerability Remediation Agent: Uses Defender data to identify vulnerabilities on managed devices, prioritize remediation, and provide step-by-step guidance.
  • Change Review Agent: Evaluates the effect of Multi Admin Approval requests in Intune and makes recommendations for actions to take.
  • Device Offboarding Agent: Identifies stale or misaligned devices across Intune and Microsoft Entra ID, providing actionable insights before offboarding.
  • Policy Configuration Agent: Converts plain-language documents and industry baselines into recommended Intune settings and policies.

Partner agents

Organizations can extend their security operations by integrating partner-built agents into Security Copilot. These agents cover capabilities such as privacy breach response, network supervision, and alert triage, so you can address a wider range of security tasks with tools you already use.

Browse and add agents directly from the integrated Security Store within Security Copilot. The Security Store provides a growing ecosystem of Microsoft and partner-built agents, making it easy to find solutions that fit your security needs.

Screen capture of the Security Copilot home menu with the Security store menu option highlighted.