File analysis with Microsoft Copilot in Microsoft Defender

Microsoft Security Copilot in the Microsoft Defender portal enables security teams to quickly identify malicious and suspicious files through AI-powered file analysis capabilities.

If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles:

• What is Security Copilot?
• Security Copilot experiences
• Get started with Security Copilot
• Understand authentication in Security Copilot
• Prompting in Security Copilot

Security operations teams tracking and resolving attacks need tools and techniques to quickly analyze potentially malicious files. Sophisticated attacks often use files that mimic legitimate or system files to avoid detection. In addition, new-to-the-field security analysts might require time and gain significant experience to use available analysis tools and techniques.

The file analysis capability of Copilot in Defender reduces the barrier to learning file analysis by immediately delivering reliable and complete file investigation results. This capability empowers security analysts from all levels to complete their investigation with a shorter turnaround time. The report includes an overview of the file, details of the file's contents, and a summary of the file's assessment.

The file analysis capability is available in Microsoft Defender for customers who have provisioned access to Security Copilot.

Security Copilot standalone portal users also have the file analysis capability and other Defender XDR capabilities through the Microsoft Defender XDR plugin. Know more about preinstalled plugins in Security Copilot.

The file analysis results generated by Copilot usually contains the following information:

• Overview - contains an assessment of the file, including a detection name when the file is malicious/potentially unwanted, important file information like certificates and signer, and a summary of the contents of the file that contributes to the assessment.
• Details - highlights Strings found in the file, lists API calls that the file uses, and lists information of the file's relevant Certificates.

You can access the file analysis capability through the following ways:

• Open a file page. Copilot automatically generates an analysis upon opening a file page. The results, which show the overview information by default, are then displayed on the Copilot pane.
  Select Show details (shown above) to display the full results or Hide details (highlighted below) to minimize the results.
• From an incident page, choose a file to investigate in the attack story graph. You can also choose a file to investigate in an alert page. Select a file to investigate, then select Analyze on the side pane to begin analysis. The results are then displayed on the Copilot pane.

You can copy the results to clipboard, regenerate the results, or open the Security Copilot portal by selecting the More actions ellipsis (...) on top of the file analysis card.

In the Security Copilot standalone portal, you can use the following prompt to generate a device summary:

• Tell me about the files in Defender incident {incident number). Which files are malicious?

Always review the results generated by Copilot in Defender. Your feedback helps improve the quality of the results generated by Copilot. Select the feedback icon at the bottom of the Copilot pane to provide feedback.

• Learn about other Security Copilot embedded experiences
• Privacy and data security in Security Copilot