Microsoft Copilot for Security in Microsoft Defender Threat Intelligence

Important

On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) was retired and is no longer accessible. Customers can continue using Defender TI in the Microsoft Defender portal or with Microsoft Copilot for Security. Learn more

Microsoft Copilot for Security is a cloud-based AI platform that provides natural language copilot experience. It can help support security professionals in different scenarios, like incident response, threat hunting, and intelligence gathering. For more information about what it can do, read What is Microsoft Copilot for Security?.

Copilot for Security customers gain for each of their authenticated Copilot users access to Microsoft Defender Threat Intelligence (Defender TI). To ensure that you have access to Copilot, see the Copilot for Security purchase and licensing information.

Once you have access to Copilot for Security, the key features discussed in this article become accessible in either the Copilot for Security portal or the Microsoft Defender portal.

Know before you begin

If you're new to Copilot for Security, you should familiarize yourself with it by reading these articles:

Copilot for Security integration in Defender TI

Copilot for Security delivers information about threat actors, indicators of compromise (IOCs), tools, and vulnerabilities, as well as contextual threat intelligence from Defender TI. You can use the prompts and promptbooks to investigate incidents, enrich your hunting flows with threat intelligence information, or gain more knowledge about your organization's or the global threat landscape.

  • Be clear and specific with your prompts. You might get better results if you include specific threat actor names or IOCs in your prompts. It might also help if you add threat intelligence to your prompt, like:

    • Show me threat intelligence data for Aqua Blizzard.
    • Summarize threat intelligence data for "malicious.com."
  • Be specific when referencing an incident (for example, "incident ID 15324").

  • Experiment with different prompts and variations to see what works best for your use case. Chat AI models vary, so iterate and refine your prompts based on the results you receive.

  • Copilot saves your prompt sessions. To see the previous sessions, from the Copilot for Security Home menu, go to My sessions.

    Screenshot that shows the Microsoft Copilot for Security Home menu with My sessions highlighted.

    Note

    For a walkthrough on Copilot, including the pin and share feature, read Navigate Microsoft Copilot for Security.

Learn more about creating effective prompts

Key features

Copilot for Security lets security teams understand, prioritize, and take action on threat intelligence information immediately.

You can ask about a threat actor, attack campaign, or any other threat intelligence that you want to know more about, and Copilot generates responses based on threat analytics reports, intel profiles and articles, and other Defender TI content.

You can also select any of the built-in prompts that are available in the Defender portal to do the following actions:

  • Summarize the latest threats related to your organization
  • Prioritize which threats to focus on based on your environment's highest exposure level to these threats
  • Ask about the threat actors targeting the communications infrastructure industry

Learn more about using Copilot in Defender for threat intelligence

Enable the Copilot for Security integration in Defender TI

  1. Go to Microsoft Copilot for Security and sign in with your credentials.

  2. Make sure that the Defender TI plugin is turned on. In the prompt bar, select the Sources icon Screenshot of the Sources icon..

    Screenshot of the prompt bar in Microsoft Copilot for Security with the Sources icon highlighted.

    In the Manage sources pop-up window that appears, under Plugins, confirm that the Microsoft Threat Intelligence toggle is turned on, then close the window.

    Screenshot of the Manage plugins pop-up window with the Microsoft Threat Intelligence plugin highlighted.

    Note

    Some roles can turn the toggle on or off for plugins like Defender TI. For more information, read Manage plugins in Microsoft Copilot for Security.

  3. Enter your prompt in the prompt bar.

Built-in system features

Copilot for Security has built-in system features that can get data from the different plugins that are turned on.

To view the list of built-in system capabilities for Defender TI:

  1. In the prompt bar, select the Prompts icon Screenshot of the prompts icon..

    Screenshot of the prompt bar in Microsoft Copilot for Security with the Prompts icon highlighted.

  2. Select See all system capabilities. The Microsoft Defender Threat Intelligence section lists all the available capabilities for Defender TI that you can use.

Copilot also has the following promptbooks that also deliver information from Defender TI:

  • Threat actor profile – Generates a report profiling a known threat actor, including suggestions to defend against their common tools and tactics.
  • Vulnerability impact assessment – Generates a report summarizing the intelligence for a known vulnerability, including steps on how to address it.

To view these promptbooks, in the prompt bar, select the Prompts icon then select See all promptbooks.

Sample Defender TI prompts

You can use many prompts to get information from Defender TI. This section lists some ideas and examples.

Get threat intelligence from threat articles and threat actors.

Sample prompts :

  • Summarize the recent threat intelligence.
  • Show me the latest threat articles.
  • Get threat articles related to ransomware in the last six months.

IP address and host contextual information in relation to threat intelligence

Get information on datasets associated with IP addresses and hosts, such as ports, reputation scores, components, certificates, cookies, services, and host pairs.

Sample prompts:

  • Show me the reputation of the host <host name>.
  • Get resolutions for IP address <IP address>.

Threat actor mapping and infrastructure

Get information on threat actors and the tactics, techniques, and procedures (TTPs), sponsored states, industries, and IOCs associated with them.

Sample prompts:

  • Tell me more about Silk Typhoon.
  • Share the IOCs associated with Silk Typhoon.
  • Share the TTPs associated with Silk Typhoon.
  • Share threat actors associated with Russia.

Vulnerability data by CVE

Get contextual information and threat intelligence on Common Vulnerabilities and Exposures (CVEs).

Sample prompts:

  • Share the technologies that are susceptible to the vulnerability CVE-2021-44228.
  • Summarize the vulnerability CVE-2021-44228.
  • Show me the latest CVEs.
  • Show me threat actors associated with CVE-2021-44228.
  • Show me the threat articles associated with CVE-2021-44228.

Provide feedback

Your feedback on the Defender TI integration in Copilot for Security helps with development. To provide feedback, in Copilot, select How's this response? At the bottom of each completed prompt and choose any of the following options:

  • Looks right - Select this button if the results are accurate, based on your assessment.
  • Needs improvement - Select this button if any detail in the results is incorrect or incomplete, based on your assessment.
  • Inappropriate - Select this button if the results contain questionable, ambiguous, or potentially harmful information.

For each feedback button, you can provide more information in the next dialog box that appears. Whenever possible, and when the result is Needs improvement, write a few words explaining what can be done to improve the outcome. If you entered prompts specific to Defender TI and the results aren't related, then include that information.

Privacy and data security in Copilot for Security

When you interact with Copilot for Security to get Defender TI data, Copilot pulls that data from Defender TI. The prompts, the data retrieved, and the output shown in the prompt results are processed and stored within the Copilot service. Learn more about privacy and data security in Microsoft Copilot for Security

See also