File analysis with Microsoft Copilot in Microsoft Defender

Microsoft Security Copilot in the Microsoft Defender portal enables security teams to quickly identify malicious and suspicious files through AI-powered file analysis capabilities.

Know before you begin

If you're new to Security Copilot, you should familiarize yourself with it by reading the following articles:

Security operations teams tracking and resolving attacks need tools and techniques to quickly analyze potentially malicious files. Sophisticated attacks often use files that mimic legitimate or system files to avoid detection. In addition, new-to-the-field security analysts might require time and gain significant experience to use available analysis tools and techniques.

The file analysis capability of Copilot in Defender reduces the barrier to learning file analysis by immediately delivering reliable and complete file investigation results. This capability empowers security analysts from all levels to complete their investigation with a shorter turnaround time. The report includes an overview of the file, details of the file's contents, and a summary of the file's assessment.

Security Copilot integration in Microsoft Defender

The file analysis capability is available in Microsoft Defender for customers who have provisioned access to Security Copilot.

Security Copilot standalone portal users also have the file analysis capability and other Defender XDR capabilities through the Microsoft Defender XDR plugin. Know more about preinstalled plugins in Security Copilot.

Key features

The file analysis results generated by Copilot usually contains the following information:

  • Overview - contains an assessment of the file, including a detection name when the file is malicious/potentially unwanted, important file information like certificates and signer, and a summary of the contents of the file that contributes to the assessment.
  • Details - highlights Strings found in the file, lists API calls that the file uses, and lists information of the file's relevant Certificates.

Note

The analysis results vary depending on the contents of the file.

You can access the file analysis capability through the following ways:

  • Open a file page. Copilot automatically generates an analysis upon opening a file page. The results, which show the overview information by default, are then displayed on the Copilot pane.
    Screenshot of the file analysis results in Copilot in Defender with the Show details option highlighted. Select Show details (shown above) to display the full results or Hide details (highlighted below) to minimize the results. Screenshot of the file analysis results in Copilot in Defender with the Hide details option highlighted.
  • From an incident page, choose a file to investigate in the attack story graph. You can also choose a file to investigate in an alert page. Screenshot of the attack story graph with the file entities highlighted. Select a file to investigate, then select Analyze on the side pane to begin analysis. The results are then displayed on the Copilot pane. Screenshot of the incident page with the file analysis button highlighted.

You can copy the results to clipboard, regenerate the results, or open the Security Copilot portal by selecting the More actions ellipsis (...) on top of the file analysis card.

Sample file analysis prompt

In the Security Copilot standalone portal, you can use the following prompt to generate a device summary:

  • Tell me about the files in Defender incident {incident number). Which files are malicious?

Tip

When investigating files in the Security Copilot portal, Microsoft recommends including the word Defender in your prompts to ensure that the file analysis capability delivers the results.

Provide feedback

Always review the results generated by Copilot in Defender. Your feedback helps improve the quality of the results generated by Copilot. Select the feedback icon Screenshot of the feedback icon for Copilot in Defender cards at the bottom of the Copilot pane to provide feedback.

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.