Summarize device information with Microsoft Copilot in Microsoft Defender
Microsoft Security Copilot in the Microsoft Defender portal helps security teams speed up device inspection through AI-powered investigation capabilities.
Know before you begin
If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles:
- What is Security Copilot?
- Security Copilot experiences
- Get started with Security Copilot
- Understand authentication in Security Copilot
- Prompting in Security Copilot
Security operations teams are tasked with sifting through device data to find suspicious activities or entities in order to prevent malicious attacks. These teams need to summarize large amounts of data and simplify complex information to quickly assess, triage, and connect a device's status and activities to potentially malicious attacks.
The device summary capability of Copilot in Defender enables security teams to get a device's security posture, vulnerable software information, and any unusual behaviors. Security analysts can use a device's summary to speed up their investigation of incidents and alerts.
Security Copilot integration in Microsoft Defender
The device summary capability is available in the Microsoft Defender portal for customers who have provisioned access to Security Copilot.
This capability is also available in the Security Copilot standalone portal through the Microsoft Defender XDR plugin. Learn more about preinstalled plugins in Security Copilot.
Key features
The device summary generated by Copilot contains noteworthy information about the device, including:
- The status of important Microsoft Defender XDR protection capabilities, like attack surface reduction and tamper protection
- Any significant user activity observed, like unusual sign-in attempts
- A list of vulnerable software installed on the device
- The status of other security features, like firewall settings, that contribute to the device's risk
- Other notable insights that signify the device's status, like when the device was last seen active
- Device insights delivered by Microsoft Intune, like information on the device's primary user, device group, or discovered apps
You can access the device summary capability in the following ways:
From the main menu, open the Device inventory page by selecting Devices under Assets. Choose a device to investigate from the list. Upon opening the device page, Copilot automatically summarizes the device information of the chosen device and displays the summary in the Copilot pane.
From an incident page, you can choose a device on the incident graph and then (1) select Device details. On the device pane, (2) select Summarize to generate the device summary. The summary is displayed in the Copilot pane.
You can also access the device summary capability by choosing a device listed in the Assets tab of an incident. Select Copilot in the device pane to generate the device summary.
Review the results of the device summary. You can copy the results to clipboard, regenerate the results, or open the Security Copilot portal by selecting the More actions ellipsis (...) on top of the device summary card.
Sample device summary prompt
In the Security Copilot standalone portal, you can use the following prompt to generate a device summary:
- Summarize device information in Defender incident {incident number}.
Tip
When investigating devices in the Security Copilot portal, Microsoft recommends including the word Defender in your prompts to ensure that the device summary capability delivers the results.
Provide feedback
Your feedback helps improve the quality of the results generated by Copilot. You can provide feedback about the results by navigating to the bottom of the Copilot pane and selecting the feedback icon.
See also
- Learn about other Security Copilot embedded experiences
- Privacy and data security in Security Copilot