Microsoft Security Copilot in the Microsoft Defender portal supports incident response teams in immediately resolving incidents with guided responses. Copilot in Defender uses AI and machine learning capabilities to contextualize an incident and learn from previous investigations to generate appropriate response actions.
This guide outlines how to access the guided response capability, including information on providing feedback about the responses.
Know before you begin
If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles:
- What is Security Copilot?
- Security Copilot experiences
- Get started with Security Copilot
- Understand authentication in Security Copilot
- Prompting in Security Copilot
Responding to incidents in the Microsoft Defender portal often requires familiarity with the portal's available actions to stop attacks. In addition, new incident responders might have different ideas of where and how to start responding to incidents. The guided response capability of Copilot in Defender allows incident response teams at all levels to confidently and quickly apply response actions to resolve incidents with ease.
Security Copilot integration in Microsoft Defender
Guided responses are available in the Microsoft Defender portal for customers who have provisioned access to Security Copilot.
Guided responses are also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about preinstalled plugins in Security Copilot.
Key features
Guided responses recommend actions in the following categories:
- Triage - includes a recommendation to classify incidents as informational, true positive, or false positive
- Containment - includes recommended actions to contain an incident
- Investigation - includes recommended actions for further investigation
- Remediation - includes recommended response actions to apply to specific entities involved in an incident
Each card contains information about the recommended action, including the entity where the action needs to be applied and why the action is recommended. The cards also emphasize when a recommended action was done by automated investigation like attack disruption or automated investigation response.
The guided response cards can be sorted based on the available status for each card. You can select a specific status when viewing the guided responses by clicking on Status and selecting the appropriate status you want to view. All guided response cards regardless of status are shown by default.
To use guided responses, perform the following steps:
- Open an incident page. Copilot automatically generates guided responses when the incident page opens. The Copilot pane appears on the right side of the incident page and shows the guided response cards.
- Review each card before applying the recommendations. Select the More actions ellipsis (...) at the top of a response card to view the options available for that recommendation.
- To apply an action, select the desired action on the card. The guided response action on each card is tailored to the type of incident and the specific entity involved.
- You can provide feedback on each response card to continuously improve future responses from Copilot. To provide feedback, select the feedback icon at the bottom right of each card.
Note
Grayed out action buttons mean these actions are limited by your permission. Refer to the unified role-based access (RBAC) permissions page for more information.
Copilot helps speed up analysts' investigation tasks. When an incident requires further investigation on a user activity, Copilot suggests text that analysts can use to communicate with a user. The guided response card includes a Contact user in Teams or Copy to clipboard action that copies the suggested text to the clipboard. Analysts can then paste the text into an email or another communication tool. The analyst can also gain more context about the user through the View user action.
Copilot also supports incident response teams by enabling analysts to gain more context about response actions with additional insights. For remediation responses, incident response teams can view additional information with options like View similar incidents or View similar emails.
The View similar incidents action becomes available when there are other incidents within the organization that are similar to the current incident. The Similar incidents tab lists similar incidents that you can review. Microsoft Defender automatically identifies similar incidents within the organization through machine learning. Incident response teams can use the information from these similar incidents to classify incidents and further review the actions done in those similar incidents.
The View similar emails action, which is specific to phishing incidents, takes you to the advanced hunting page, where a KQL query to list similar emails within the organization is automatically generated. This automatic query generation related to an incident helps incident response teams further investigate other emails that might be related to the incident. You can review the query and modify it as needed.
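The query that the View similar emails action generates is specific to each incident and is not reproduced on this page. As an added illustration, not the page's own query and not what Copilot produces, the following hand-written advanced hunting query shows the kind of pivot an analyst can make over the EmailEvents table once the generated query is open: starting from one message's sender domain and subject, it lists other emails in the organization that share those attributes and summarizes how they were delivered. The sender domain, subject text and time window are constructed placeholder values.

```kql
// Added example, not the query generated by Copilot. Placeholder values below.
let suspectDomain = "example-sender.test";   // constructed: sender domain from the incident
let suspectSubject = "Invoice overdue";      // constructed: subject line from the incident
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromDomain =~ suspectDomain
    or Subject has suspectSubject
| summarize
    Messages   = count(),
    Recipients = dcount(RecipientEmailAddress),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp),
    Delivered  = countif(DeliveryAction == "Delivered")
  by SenderFromAddress, Subject, ThreatTypes
| order by Messages desc
```

Reviewing the Delivered count against Messages shows how many related emails reached mailboxes rather than being blocked or quarantined, which is the information a remediation decision (for example, a soft delete of delivered copies) depends on.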
Sample guided responses prompt
In the Security Copilot standalone portal, you can use the following prompt to generate guided responses:
- Generate guided responses and recommendations for Defender incident {incident ID}.
Tip
When generating guided responses in the Security Copilot portal, Microsoft recommends including the word Defender in your prompts to ensure that the guided responses capability delivers the expected results.
Provide feedback
Microsoft highly encourages you to provide feedback to Copilot, as it's crucial for a capability's continuous improvement. To provide feedback, navigate to the bottom of the Copilot side panel and select the feedback icon.
See also
- Learn about other Security Copilot embedded experiences
- Privacy and data security in Security Copilot
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.