Describe the agents in the Security Copilot standalone experience

Microsoft Security Copilot includes agents available directly through the standalone experience at securitycopilot.microsoft.com. These agents are accessible from the Security Copilot agent library and provide capabilities that span threat intelligence reporting and advanced security data analysis. Some standalone agents are also accessible through embedded experiences in other Microsoft security portals, such as Microsoft Defender.

Note

The list of Security Copilot agents is continually growing. This unit is designed to provide a high-level overview of the Security Copilot agents available in the standalone experience.

Microsoft Security Copilot agents in the standalone experience

The following Microsoft Security Copilot agents are available in the standalone portal. Due to the fast pace at which these agents are released and updated, each agent might have features at various stages of availability.

Threat Intelligence Briefing Agent

The Threat Intelligence Briefing Agent generates threat intelligence briefings based on the latest threat actor activity and both internal and external vulnerability information. The agent uses dynamic automation and deep generative AI along with its wealth of threat intelligence knowledge and signals. When building the briefing, the agent dynamically chooses the next step based on the outcome of the previous step, allowing it to decide in real time what threat intelligence to include and prioritize. The agent then translates this technical information into a digestible report that various audiences can consume.

The Threat Intelligence Briefing Agent is best suited for customers who have turned on Microsoft Defender for Endpoint and Microsoft Defender External Attack Surface Management, as it relies on signals from these integrations for accurate, context-rich reports. This agent is also available as an embedded experience in the Microsoft Defender portal.

Key capabilities include:

  • Automated briefing generation: Produces customized threat intelligence reports within minutes, saving analysts hours of manual collection, filtering, and analysis.
  • Dynamic reasoning: Chooses the next step in real time based on the outcome of the previous step, allowing it to decide what threat intelligence to include and prioritize.
  • Organizational context: Uses signals from Defender for Endpoint and External Attack Surface Management to deliver context-rich, relevant reports.
  • Configurable parameters: Allows customization of the number of insights to research, look-back period, geographical region, and industry scope.

| Attribute | Description |
| --- | --- |
| Identity | Requires connection to an existing user account or creation of a new agent identity (recommended). |
| Permissions | Required: Microsoft Defender for Endpoint (Vulnerability Management read), Security Copilot Contributor. Optional: Exposure Management (read). |
| Plugins | Required: Microsoft Threat Intelligence. Optional: Microsoft Defender External Attack Surface Management. |
| Products | Security Copilot. |
| Role-based access | Owners and contributors can see the report generated by the agent within the Security Copilot agent library page. |
| Trigger | Runs at the time interval configured during setup, or manually. |

Screen capture of the Threat Intelligence Briefing agent report.

Security Analyst Agent

The Security Analyst Agent helps security analysts quickly identify, assess, and prioritize risks. The agent performs ready-to-use or custom analyses on security data, providing actionable and prioritized insights, recommendations, and reports to uncover hidden vulnerabilities and risks. This is a Python-powered advanced analysis experience delivered through a chat-first interface, without requiring you to write any code or queries.

The agent can perform single or multistep analysis on large volumes of data and iteratively reasons through findings, prioritizing risks with a detailed evidence trail and justification. The Security Analyst Agent is also accessible in the Advanced hunting experience in Microsoft Defender.

Key capabilities include:

  • Flexible analysis: Perform pattern analysis, anomaly detection, clustering, risk scoring, forecasting, and predictive modeling to uncover hidden risks.
  • Data integration: Analyze data from Microsoft Defender XDR, Microsoft Sentinel Log Analytics, or Microsoft Sentinel Data Lake based on your instructions. You can also upload CSV files for custom dataset analysis in the standalone experience.
  • Interactive exploration: Visualize data with charts and graphs to spot anomalies and risks faster.
  • Conversation assistance: Chat with the agent, ask follow-up questions, and perform related analyses to deepen understanding.

| Attribute | Description |
| --- | --- |
| Identity | Tied to the identity of the user who configures the agent. Each user configures their own instance. |
| Permissions | Read access to Microsoft Defender XDR, Microsoft Sentinel Log Analytics Workspace, or Microsoft Sentinel Data Lake, depending on the data source chosen. |
| Plugins | Security Copilot. |
| Products | Security Copilot and Microsoft Defender. |
| Role-based access | Agent configuration is per-user. Other users in the same tenant can configure the agent using their own identity. |
| Trigger | Interactive: runs when a user submits a natural language prompt. |

Screen capture of the Security Analyst agent setup page.