Security Copilot in Microsoft Defender: Autonomous AI for SOC Operations
The evolution of modern Security Operations Centers (SOC) demands detection and response capabilities operating at machine speed. Microsoft Security Copilot, natively integrated into the Microsoft Defender XDR portal, introduces a new generation of autonomous AI agents capable of triaging, investigating and contextualizing threats without systematic human intervention. This article deconstructs the architecture, technical prerequisites and operational use cases of the four agents deployed in Defender, for security engineers and SOC administrators.
Fundamental distinction: Assistive vs Autonomous AI
Assistive AI (like M365 Copilot) generates insights and summaries on analyst demand. Autonomous AI makes decisions and executes actions proactively, without manual triggering — reducing MTTR (Mean Time To Respond) from several hours to minutes.
General Architecture: The Four Security Copilot Agents in Defender
Security Copilot agents are deployed within the security.microsoft.com portal via the Security Copilot > Agents panel. Each agent has its own managed identity (Agent ID), specific plugins and dedicated RBAC permissions. The platform also supports third-party agents and custom agents (via REST API, KQL, Logic Apps or MCP servers).
| Agent | Type | Trigger | Status |
|---|---|---|---|
| Phishing Triage Agent | Autonomous | User-reported phish (right-click) | GA |
| Threat Intel Briefing Agent | Autonomous | Scheduled / On-demand | GA |
| Threat Hunting Agent | Advanced Assistive | NLP query in Advanced Hunting | GA |
| Dynamic Threat Detection Agent | Autonomous 24/7 | Zero configuration (background) | Public Preview |
Extended Agent Ecosystem
Beyond SOC agents, Microsoft deploys specialized agents in Microsoft Entra (identity & access), Microsoft Intune (endpoint management) and Microsoft Purview (data governance). The SIEM Migration Agent is also available to accelerate migrations from third-party SIEMs.
Agent 1: Phishing Triage Agent
Prerequisites and Configuration
The Phishing Triage Agent is the most mature autonomous agent in the Defender ecosystem. Its triggering relies exclusively on the User Reported Phish mechanism: when a user right-clicks an email and selects "Report as phishing", this automatically triggers the agent.
Enable User Reported Settings
Go to security.microsoft.com > Settings > Email & Collaboration > User Reported Settings. Enable the ability for users to report emails as phishing. Also configure the result feedback email (Phishing/Malware Response Results Email).
Deploy the agent from the Security Copilot panel
In the Defender portal, expand the Security Copilot panel and click Agents. Select the Phishing Triage Agent and click Go to Agent.
Configure Agent ID in Microsoft Entra
Copy the agent's Object ID from the details page. Go to the Entra ID portal (entra.microsoft.com > Applications > Agents > All Agents) and paste the Object ID to find the associated managed identity. This Agent ID is the identity under which all agent actions are executed.
Enable required plugins on the Security Copilot platform
Go to securitycopilot.microsoft.com and enable the three mandatory plugins:
- Microsoft Defender XDR
- Microsoft Threat Intelligence
- Phishing Triage Agent Plugin
Verify Defender Unified RBAC permissions
This agent requires Defender Unified RBAC (unified RBAC role). Minimum required permissions for the agent are:
Security Data Basics ReadEmail & Collaboration Content ReadSecurity Copilot ReadManage Alerts
Security Admins can configure, reset or suspend the agent. Any user with equivalent permissions can view agent results.
Agent ID: Agent Identity Security and Governance
The Agent ID is a fundamental architectural concept introduced with autonomous Security Copilot agents. It is a managed identity (Managed Identity) registered in Microsoft Entra ID, representing the agent as a security principal. This approach offers several critical advantages:
- Reduced blast radius: permissions are strictly limited to the agent's functional scope
- Workload-based permissions
- Conditional Access policies applied to agent identity
- Complete auditability of actions via Entra ID logs
AI Agent Governance: Required Reading
Microsoft strongly recommends reviewing official documentation on Agent ID and associated security controls, particularly Conditional Access application to agent identities. Misconfiguring an autonomous agent's permissions can be a significant risk vector. Reference: Security Copilot Agent Identity documentation
Custom and Third-Party Plugins
The Security Copilot platform supports three plugin categories:
- Microsoft first-party plugins: Defender XDR, Threat Intelligence, Entra, Intune, Purview
- Third-party plugins: available via the Security Store (
security.microsoft.com > Security Copilot > Browse more agents) - Custom plugins: developable from a REST API, KQL query, Logic App or MCP server (Model Context Protocol)
Operational Functioning and Workflow Analysis
When a user reports an email, the agent completes the following steps in less than 4 minutes:
- Auto-assignment of the alert and investigation start
- Memory consultation (historical analyst feedback)
- Raw email content parsing (headers, metadata)
- Authentication record analysis: SPF, DMARC, DKIM
- Source IP address investigation (reputation, geolocation)
- Email detonation in a sandboxed environment
- Phishing simulation verification (Attack Simulator — simulation emails do not trigger false positives)
- Sentiment and urgency analysis of the message
- Screenshot capture and visual content analysis
- Final verdict: True Positive (TP), False Positive (FP), or escalation to analyst
Critical Point: Deleted Email = Investigation Impossible
If the user deletes the email after reporting it, or if Zero-hour Auto Purge (ZAP) has deleted the message, the agent cannot perform triage. This error is among the most common causes of investigation failures in the performance dashboard. Ensure retention policies are compatible with the agent's processing timeline.
Performance Dashboard: Key Metrics
The agent's Performance panel exposes the following indicators:
- Total submissions over 30 and 90 days
- Incidents addressed vs total (TPs not resolved automatically remain open for analyst)
- Mean Time to Triage (MTTT): approximately 3 minutes 5 seconds on average
- Security Compute Units (SCU) consumption: approximately 0.12 to 0.15 SCU per execution
Security Compute Units (SCU)
SCU is the underlying Azure resource consumed by Security Copilot. Each Phishing Triage agent execution consumes on average 0.12 to 0.15 SCU. This metric is essential for capacity planning and cost management. Reference: Security Copilot pricing
Filtering Incidents Triaged by the Agent in Defender
To isolate incidents handled by the Phishing Triage Agent in the incidents view:
1Portal: security.microsoft.com > Investigations > Incidents & Alerts > Incidents2Filter by: Tags = "Agent"Triaged incidents automatically receive two tags:
agent(generic tag indicating autonomous processing)credential phishing(or corresponding classification)
Learning from Feedback and Custom Guidebooks
One of the most strategic features is the agent's ability to learn from analyst feedback. When an analyst changes a verdict classification (TP → FP or FP → TP), the agent analyzes the associated comment and updates its memory for future investigations.
Feedback Quality
The agent has feedback validation logic: incoherent or irrelevant feedback will be ignored. Train your analysts to provide precise and contextualized comments (e.g., "Email from our internal simulation campaign via Attack Simulator — source: training@contoso.com").
Custom Guidebooks allow customization of triage steps recommended by Security Copilot. To deploy them:
Access Copilot in Defender settings
Navigate to security.microsoft.com > Settings > Copilot in Defender.
Upload your custom SOP
Click Upload Custom Guidebook and import your SOP (Standard Operating Procedure) document. Security Copilot automatically analyzes the content and extracts structured steps (triage, containment, investigation, remediation, prevention).
Verify step extraction
After upload, the portal displays the number of identified steps, author and addition date. Steps then appear in the guided incident panel, clearly labeled Custom Guidebook.
Analyst Notes: Automated Incident Documentation
The Analyst Notes feature allows Security Copilot to automatically draft a structured investigation report while an analyst works on a parallel incident. The generated report contains:
- Executive summary of the incident
- Description of detected alerts
- Investigation steps performed (built-in + custom guidebook)
- Conclusion and recommendations
This facilitates handoffs between analysts (shift changes) and post-incident documentation without added writing burden.
Roadmap: Extension to Identity-Based Alerts
Announced at Microsoft Ignite, the next evolution of the Phishing Triage Agent will include support for identity-based alerts:
- Binary drift detections in Microsoft Defender for Cloud (Kubernetes alerts)
- Microsoft Entra ID risk detections (users synchronized from the cloud)
- Hybrid identity alerts
Agent 2: Threat Intelligence Briefing Agent
The Threat Intel Briefing Agent automatically generates a personalized threat intelligence report for your tenant, accessible directly from security.microsoft.com > Threat Intelligence > Threat Analytics.
What This Agent Produces
Unlike generic threat intelligence reports, this agent correlates Microsoft Threat Intelligence global data with:
- The industry configured when deploying the agent
- Active CVEs impacting equipment in your tenant
- EASM (External Attack Surface Management) data
- Indicators of Compromise (IoCs) relevant to your environment
The produced report contains an executive summary adapted for CISOs and leadership teams, as well as direct links to the Advanced Hunting portal with pre-generated KQL queries to investigate impacted devices.
Prerequisite: Exposure Report
If the "Exposure report not available" message appears in the report, missing permissions or EASM configurations are needed. Click the contextual link in the portal to access the resolution guide specific to your configuration.
Link Between Threat Intel and Threat Hunting
The Threat Intel Briefing Agent's report provides a natural bridge to active investigation: each CVE mentioned in the report can be directly clicked to view details, then forwarded to Advanced Hunting with a KQL query targeting vulnerable devices in your tenant.
Agent 3: Threat Hunting Agent
The Threat Hunting Agent is accessible from security.microsoft.com > Investigations > Hunting > Advanced Hunting. It appears as a Copilot panel integrated into the existing Advanced Hunting interface.
Natural Language KQL Generation
The agent translates natural language queries into optimized KQL (Kusto Query Language) queries. Example interaction:
1NLP Query: "List all active Windows 7 or Windows 10 devices in the environment"The agent automatically generates the corresponding KQL query, executes it and presents results with visualizations. It then suggests contextualized next investigation steps.
1// Example query generated by the Threat Hunting Agent2DeviceInfo3| where OSPlatform has_any ("Windows 7", "Windows 10")4| where Timestamp > ago(7d)5| summarize LastSeen = max(Timestamp), Count = count() by DeviceName, OSPlatform, OSVersion6| order by LastSeen descIdeal for Junior Analysts
The Threat Hunting Agent is particularly valuable for KQL-beginner analysts. It doesn't just generate the query — it explains the reasoning, interprets results and suggests next investigation questions, acting as a real-time technical mentor.
Interactive Investigation Workflow
The agent supports multi-turn conversational investigation sessions:
- Initial question → KQL generation + execution + results
- Refinement → "Now, list recent security alerts for these specific devices"
- Contextualization → agent generates new KQL query accounting for previous results
- Recommendations → list of remediation or supplementary investigation actions
Agent 4: Dynamic Threat Detection Agent
The Dynamic Threat Detection Agent is the most innovative of the quartet. It operates 24/7 in the background, without required configuration, and is currently in Public Preview.
Operation: Blind Spot Detection
This agent continuously analyzes all available signals in your Defender XDR environment:
- SIEM/SOAR data: Microsoft Sentinel (formerly Azure Sentinel)
- First-party XDR signals: Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps
- Third-party XDR signals: AWS, GCP and other connected integrations
Its goal is to identify malicious patterns that would not have triggered standard detection rules — filling blind spots in static analytical rules.
Examples of Identified Detections
- Unusual internal phishing campaigns
- Suspicious e-discovery searches
- Suspicious OAuth application modifications
- Authentications via anonymous proxies (Tor network, questionable VPNs)
- Sensitive data access by compromised accounts
Access to Alerts in Defender Portal
Incidents detected by this agent are accessible via:
1security.microsoft.com > Investigations > Incidents & Alerts > Incidents2Quick filter: "Incidents involving AI detections"Each generated alert includes:
- Description of the detected anomaly
- MITRE ATT&CK mapping (associated tactics and techniques)
- Evidence and indicators motivating the detection
- Recommended actions
Zero-touch Deployment
The Dynamic Threat Detection Agent requires no initial configuration. It is automatically enabled for all tenants eligible for Security Copilot. Additional configuration controls will be available upon General Availability (GA) release.
Public Demonstration and Official Resources
Microsoft provides a public demonstration of the Phishing Triage Agent accessible without authentication:
- Phishing Triage Agent Demo: aka.ms/ptademo
- Security Copilot Documentation: learn.microsoft.com/security-copilot
- Security Copilot Platform: securitycopilot.microsoft.com
- Defender Portal: security.microsoft.com
- Security Copilot Pricing (SCU): Azure Pricing - Copilot for Security
Building Your Own Security Copilot Agent
If native agents don't cover a use case specific to your organization, the Security Copilot platform allows developing custom agents. Two approaches are available:
| Approach | Tool | Required Profile | Use Case |
|---|---|---|---|
| Low-code | Microsoft Copilot Studio | Security Analyst / Power User | SOC workflow automation, internal knowledge base integration |
| Pro-code | VS Code + Security Copilot SDK | Cloud Engineer / Developer | Complex agents, custom API integrations, MCP plugins |
Summary: Evolution Toward Agentic AI in SOCs
The four Security Copilot agents in Microsoft Defender represent a major architectural evolution for modern SOCs, structured around four operational pillars:
- Anticipate and prevent: Threat Intel Briefing Agent (personalized reports, active CVEs, EASM)
- Detect and disrupt: Dynamic Threat Detection Agent (continuous 24/7 detection, blind spots)
- Triage and investigate: Phishing Triage Agent + Threat Hunting Agent (MTTT < 4 min, assisted KQL)
- Document and optimize: Analyst Notes + Custom Guidebooks (structured handoff, integrated SOPs)
Recommended Next Steps
- Enable User Reported Settings in Defender to allow Phishing Triage Agent deployment
- Configure a dedicated Agent ID in Entra ID with minimal permissions (least privilege)
- Deploy the Threat Intel Briefing Agent by configuring your industry
- Explore Custom Guidebooks to integrate your existing SOPs into the Copilot workflow
- Review the Microsoft Ignite session on Predictive Shielding to anticipate platform evolution



