Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
You can create custom agents quickly and intuitively with the new form-based experience. This article explains how to start building your custom agent from scratch using the agent builder in Security Copilot.
Start building your custom agent
From the Build page, create your custom agent from scratch as follows:
Select the card Create an agent.
Select Get started.
The Overview page is displayed.
On the top navigation bar, there are two tabs: Build and Test. You build your agent and configure the agent tools on the Build tab.
On the Agent overview page, you can configure the agent's details, tools, triggers, and permissions. These configuration sections are accessible from the left navigation pane under Agent overview.
Select the Copilot button to open the Chat interface, which appears on the right side of the screen. You can alternate between the Chat interface and the agent builder form, to iteratively define your agent and add tools. In the Chat interface, Copilot asks questions to guide you, and uses your responses to fill in the details, such as the name, description, instructions, and tools that define your agent.
Steps to create your custom agent
Use the Overview page to specify your agent’s purpose and scope, tools to execute tasks, triggers, and permissions.
Define agent details
Enter a descriptive Name for your agent.
You can add a customized icon for your agent. The accepted formats are:
.svg,.jpg,.png.Describe your agent in the Description and the end goal it must meet.
Publisher is the organization that develops and maintains the security agent.
Specify the Product(s) for which the agent is scoped to.
Note
The name must be a valid identifier, as it's used to uniquely identify your agent. After the agent is deployed to Security Copilot, you can use the name to search.
Configure agent tools
Tools represent a specific capability that your agent can use to perform its tasks. A tool is typically a modular component, a function, or even another specialized agent that is designed to execute a predefined task. These tasks often involve enabling agents to interact with external systems or data.
Add an existing tool from the extensive Security Copilot tools catalog or create a new tool that enables your agent to perform specific tasks and interact with external systems.
Add tools
You can add tools explicitly to your agent.
Select Add tools to open the Tools catalog modal.
In the Add a tool modal, you can select multiple tools from the catalog: Microsoft tools and the predefined tools that you create such as AGENT, GPT, KQL, API, and MCP.
Search: You can search for the tool in the Search bar (semantic search). The agent uses these specific skills or tools to accomplish a specific task. After selection, the tool appears on the Selected tools field. You can apply filters to improve discoverability for search.
Select Add selected to add the tools to your agent.
- Select Show Details to see the detailed information on the tool.
The selected tool is added to the Tools section. It is also displayed on the left navigation.
Select Remove to delete a tool.
Note
Semantic search enhances information retrieval by interpreting the context and intent behind the query. It uses advanced techniques such as Natural Language Processing (NLP) to deliver more relevant and meaningful results.
Create Tool
You can extend the capabilities of your custom agent by adding one or more tools.
For creating a tool from the tool types such as GPT, KQL, AGENT, API and MCP, see How to create tools.
Set up Triggers
Triggers activate the agent to run on a schedule. It uses Fetch tool to gather data before invoking the Process tool to analyze the data.
Select Add Trigger to configure a schedule for your agent. You can configure multiple triggers.
Provide a Trigger name, Frequency on how often the trigger runs.
Fetch tool(optional): Provide the tool details to retrieve data for the agent.
Process tool: Processes the retrieved data by the Fetch tool.
Fetch tool and Process tool function as entry points for the agent's workflow. You can add the following types of tools:
A newly created (AGENT, API, KQL, GPT, MCP) tool from Agent Tools.
Global tools created in Security Copilot.
Custom tools created for your organization.
The agent uses these specific tools to accomplish a specific task.
Manage Permissions
You can set whether the agent is allowed to run concurrently and view what plugins are required for it to run.
Select the desired Single tenant constraint for the agent from the dropdown.
Tenant: There can only be one instance per tenant.
Workspace: The agent instance is scoped to a specific collaborative environment within the tenant. Agent runs are visible only to workspace members unless explicitly shared. There can only be one instance per workspace.
None: No restriction. Create as many agent instances as you want.
For more information on workspaces, see Workspaces.
The Required plugins displays the Microsoft or other plugins added for your agent. This is automatically added based on the tools selected in your agent.
View code
You can toggle View code to see the code editor displaying the autogenerated agent code in a YAML format. You can make edits to the YAML to apply dynamic changes to the form view.
You can also copy the YAML directly or download the YAML to edit in your preferred code editor.
Add tools through chat
You can use the chat interface to also build your agent and it’s underlying custom tools. Select Apply changes to accept.
The child tool is added to the Tools section.
Note
You can create a Security Copilot tool or an agent in any order. The development process allows flexibility to fit your workflow.