Note
This article discusses the Threat Intelligence Briefing Agent standalone experience in Security Copilot. To learn more about the embedded experience in the Microsoft Defender portal, read Microsoft Security Copilot Threat Intelligence Briefing Agent in Microsoft Defender (preview).
Threat intelligence analysts face several challenges in delivering insightful, actionable, contextualized intelligence. The task of developing threat intelligence briefings involves collecting information from various threat feeds, tools, and portals; filtering and correlating this information; and analyzing and mapping organizational risks. These activities happen before analysts can even start developing the report itself and generating insights for when they deliver the briefing. By then, as these processes can take anywhere from hours to days, the threats facing the organization have already evolved, which can render the briefing obsolete.
The Threat Intelligence Briefing Agent was developed in response to these pain points. The Threat Intelligence Briefing Agent in the Microsoft Security Copilot standalone portal generates threat intelligence briefings based on the latest threat actor activity and both internal and external vulnerability information—in a matter of minutes. The agent can help security teams save time by creating a customized, relevant report that provides CISOs, security managers, and analysts with key situational awareness and a solid foundation for defense work.
The agent leverages dynamic automation and deep generative AI along with its wealth of threat intelligence knowledge and signals. When building the briefing, the agent dynamically chooses the next step based on the outcome of the previous step, allowing it to decide in real-time what threat intelligence to include and prioritize. The agent then translates this technical information into a digestible report that can be consumed by various audiences.
The Threat Intelligence Briefing Agent is best suited for customers who have turned on Microsoft Defender External Attack Surface and Microsoft Defender for Endpoint, as the agent relies on signals and insights from these first-party integrations to deliver accurate and context-rich reports.
Prerequisites
Products
Microsoft Security Copilot is needed to run this agent.
Plugins
The following plugin is required to run this agent:
- Microsoft Threat Intelligence
The following plugin is optional but can add more context to the output:
- Microsoft Defender External Attack Surface Management
User account permissions configuration
Important
Identity and permissions requirement: This agent requires connection to an existing user account. The agent can read data from Defender External Attack Surface Management and Defender Vulnerability Management. You must configure the user account with the appropriate permissions outlined in the following section before setting up the agent.
Permission overview
The user account connected to the agent must have these permissions:
Required permissions:
- Microsoft Defender for Endpoint: Access to Defender Vulnerability Management data
- Security Copilot Contributor: Access to Security Copilot platform and agent management
Optional permissions:
- Exposure Management (read): Access to Microsoft Security Exposure Management insights, including External Attack Surface Management data
Role-based access:
- Owners and contributors can see the report generated by the Threat Intelligence Briefing Agent within the Microsoft Security Copilot agent library page
Configure permissions
Step 1: Create custom role in Microsoft Defender XDR
Sign in to the Microsoft Defender portal as Global Administrator or Security Administrator.
Navigate to Permissions > Microsoft Defender XDR > Roles.
Select Create custom role.
On the Basics tab:
- Role name: Threat Intel Agent - Read Only
- Description: Read-only access for Threat Intelligence Briefing Agent
- Select Next
On the Choose permissions page:
Select Security posture
Select custom permissions
Under Posture management, select Vulnerability management - Read
Select Apply > Next
On the Assign users and data sources page:
- Select Add assignment
- Assignment name: Threat Intel Agent Assignment
- Employees: Select the user account for the agent
- Data sources: Select Microsoft Defender for Endpoint
- Select Next > Submit
Step 2: Assign Security Copilot Contributor role
Sign in to Microsoft Security Copilot.
Select the home menu > Role assignment > Add members.
Search for and select the user account, then assign Security Copilot Contributor role.
Select Add.
Step 3 (Optional): Add External Attack Surface Management permissions
If your organization uses Microsoft Defender External Attack Surface Management:
In the Microsoft Defender portal, go to Permissions > Microsoft Defender XDR > Roles.
Find the Threat Intel Agent - Read Only role and select Edit.
Navigate to Choose permissions > Security posture > Select custom permissions.
Under Posture management, add Exposure Management - Read.
In Data sources, add Microsoft Security Exposure Management.
Save the changes.
Important
After setting up permissions, activate the Microsoft Defender XDR Unified role-based access control (RBAC) model for the role to take effect.
Tip
Consider using a dedicated service account for running agents to maintain separation of duties and enhance security monitoring.
Trigger
This agent runs at the set time interval when turned on, or manually when you want to run it.
Set up the agent
To run the Threat Intelligence Briefing Agent, go to the Agents page in the Microsoft Security Copilot standalone portal.
Choose the Threat Intelligence Briefing Agent and select Set up.
Select an identity for the agent. You have the option of choosing to create an agent identity or assign an existing user account. After this, wait for the agent to finish setting up.
Specify the input parameters to customize the output, then select Next. You can edit these parameters later by selecting the three dots in the upper right section of the agent overview page.
- Insights to research – the number of vulnerabilities the agent researches for active threats
- Look back days – how far back the agent researches threats against your vulnerabilities
- Email – email address of user or distribution group that the briefing is sent to
- Region – scope of geographical area the agent checks for threats
- Industry – sector or industry that the agent checks for threats
After the agent is created, select Return to agents to go back to the Agents page, or select Go to agent to go to the Threat Intelligence Briefing Agent overview page.
To run the agent, go to the upper right of the agent overview page and select Run. Select On the trigger to schedule the agent to run at the set time or select One time to run the report on demand.
Assess and provide feedback on the agent’s output
The generated reports appear in the Threat Intelligence Briefing Agent page under Activity. The page displays the name of the report, the start time, method of generation, and current status.
Select one of the reports to assess the agent's output.
The threat intelligence briefing contains a relevant summary of threat information and detailed technical analysis, including any actively exploited vulnerability and its possible organizational impact.
The Threat Intelligence Briefing Agent dynamically chooses the next step based on the outcome of the previous step as it builds the briefing. You can view the agent’s progress toward producing the threat briefing by selecting View activity.
You'll see details of the activity, providing you with transparency on the steps the agent takes to produce the output.
You can provide feedback about the briefing by selecting the thumbs up or thumbs down button. You can elaborate in the text box that appears after. Select Submit to give your feedback.