Microsoft Security Copilot agent development overview

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Microsoft Security Copilot agents are AI-powered systems designed to act on behalf of an individual, a team, or a business or operational domain (such as Security Operations, Compliance, IT Administration, or Identity Governance) to execute and orchestrate security-related tasks. Agents interact with their environment and fulfill user-defined objectives by combining reasoning, planning, and executing actions.

Microsoft Security Copilot agents automate repetitive and time-consuming tasks, reducing manual workloads for security professionals with precision and efficiency. Agents help in responding to security threats, user requests, and system events, and in managing triage, investigation, and remediation of incidents. This enables organizations to operate more efficiently and focus human expertise on critical, high-impact issues.

Security Copilot personas

Security Copilot agents span three personas:

Developers - Create agents for use within an organization or agents intended to be available across organizations.

Administrators - Determine which agents to install in an organization, set up or initiate an agent, and review usage and success metrics of the agents.

End users (analysts, the data security team, or IT admins) - Interact with the agent by using the output of their workflows and providing feedback on their workflows.

Extend Security Copilot with custom agents

You can extend Security Copilot by building custom agents tailored to your organization's specific security and operational needs.

Security Copilot empowers developers to build, test, and publish agents to Security Copilot.

Custom agents use AI-driven automation to streamline tasks by combining the following components:

  • Tools (Skills) - Functions or actions the agent can perform.
  • Triggers - Conditions or events that initiate the agent.
  • Orchestrators - Logic that determines how tasks are executed.
  • Instructions - System-level directives that an agent must follow.
  • Feedback - Responses stored in memory to guide subsequent runs.

Custom agents integrate with various security workflows, helping your organization maintain a proactive and adaptive security posture. The solution supports workflow-driven automation that responds to events or schedules, executing a series of actions based on the agent structure and guidance from Large Language Models (LLMs).

Develop custom agents

Security Copilot is a comprehensive platform to easily create, manage, and deploy a variety of agents. Agents use AI to execute security processes in the organization, enabling you to achieve more. These agents can range from simple prompt-and-response agents to more advanced, fully autonomous agents, and they can be published across various channels.

The process of creating a Security Copilot agent involves a structured workflow that includes building an agent manifest, testing agent functionality, and publishing the validated agent.

The build, test, and publish process is as follows:

Image of the steps in agent creation in Security Copilot

Developers can choose from the following experiences to get started building agents.

Feature - Types

  • Standalone experience - The standalone experience supports three different ways of creating an agent:
      1. NL2Agent: Build agents simply by describing what you want in natural language.
      2. Create an agent from scratch using agent builder: Configure agents using the agent builder interface in the Security Copilot platform.
      3. Upload YAML: Build a YAML in your Integrated Development Environment (IDE) of choice and upload it to Security Copilot.
  • Model Context Protocol (MCP) - MCP tools: Create agents using natural language in an MCP compatible IDE using MCP tools.
  • Upload Plugins - YAML Manifest: Build and upload your agent manifest.

Whichever experience you choose to build your custom agent, natural language or the agent builder, the experience converges on a YAML manifest file that is deployed as an agent to Security Copilot or Secure Store for partners.

Role-Based Access Control in Security Copilot

Access to the Security Copilot platform requires assignment of specific Security Copilot roles, which are distinct from Microsoft Entra and Azure Role-Based Access Control (RBAC) roles. Your Security Copilot role controls which other activities you can access on the platform, such as configuring settings, assigning permissions, and performing tasks. Security Copilot roles are defined and managed within Copilot and only grant access to Security Copilot features. For more information on authentication to other Microsoft products, see Authentication in Security Copilot.

Agent development and publishing permissions

Security Copilot uses RBAC to manage agent lifecycle operations. The following rules apply:

Copilot contributor:

  • Build and test agents.

  • Publish agents at user scope.

Copilot owner:

  • Publish agents at workspace scope (a scoped, tenant-bound environment where users, automations, and agents operate). For more information on workspaces, see Workspace overview.

Note

When publishing agents, selecting Anyone in this workspace makes the agents visible in Active agents.

Active agents

The Active agents page in Security Copilot is the central location where you can manage and run your custom agents.

Once agents are deployed, authorized users such as an admin can access and install them from Active agents, and a security analyst can then run them.

Tip

Check out the Security Copilot agents overview to learn about discovering Microsoft and partner agents that are available in the standalone experience.

Agents can significantly enhance the efficiency of the security operations in your organization. Automating routine tasks and gathering insights through agents allows security teams to focus on high-priority investigations and strategic initiatives.

On the Active agents page:

  • Ready for setup: Displays all Microsoft and custom agents that are not yet configured. To set up an agent, see Set up an agent.
  • Agents in use: Indicates agents that have been configured and are ready to run.

Image of the active agents including custom agents in Security Copilot

Custom agents that you develop and publish in user scope or workspace scope appear under Build > My agents. For more information, see Edit agents.

Note

The Security Copilot custom agent development experience is targeted at developers. For Security Copilot users such as security and compliance professionals who use Security Copilot to identify, summarize, triage, and remediate issues, see Security Copilot Admin and user library.
