Describe Microsoft Security Copilot agents

Microsoft Security Copilot provides a range of agents designed to enhance security workflows and streamline operations. These agents assist security engineers by automating tasks, providing insights, and integrating with other Microsoft security tools.

Define agents in Microsoft Security Copilot

Agents in Microsoft Security Copilot help automate repetitive tasks, reduce manual workloads, and optimize security operations. Agents consist of predefined workflows and capabilities tailored to address particular security challenges. They're designed to perform specific tasks, such as analyzing threats, triaging phishing incidents, or optimizing conditional access policies.

Agents use security compute units (SCUs) to operate, just like other features in Security Copilot. They integrate seamlessly with Microsoft Security solutions and the broader supported partner ecosystem, and fit naturally into existing workflows. Agents learn based on feedback and keep you in control of the actions they take.

Agent terminology in Microsoft Security Copilot

To effectively use Security Copilot agents, it's essential to understand the terminology used when working with agents.

| Term | Description |
| --- | --- |
| Trigger | An event or condition that tells an agentic system to initiate an action or series of actions. |
| Permissions | The level of authorization an AI agent is given by an admin during configuration that enables it to access specific information or carry out its tasks. |
| Identity | The credentials that the agent uses when it runs. |
| Plugins | A component that extends what an agent can do by giving it access to capabilities in Microsoft and non-Microsoft services and public websites through APIs. While some plugins may be required to run an agent, some agents may employ optional plugins that can enhance their functionality by providing access to more data sources or tools. |
| Role-based access control (RBAC) | Determines who can view and manage the outputs generated by agents in Microsoft Security Copilot, and ensures that sensitive information is accessible only to authorized users. |

Agents in Microsoft Security Copilot

You can discover Microsoft Security Copilot agents through the standalone and embedded experiences. Copilot agents are also available from partners.

To access the full list of available agents, select Agents from the home menu. Copilot displays the list of available Microsoft and partner agents.

Screen capture of the Agents page in Microsoft Security Copilot. The page displays tiles for all available agents from Microsoft and partners.

Microsoft Agents

Security Copilot includes agents that are seamlessly integrated with Microsoft security solutions. Microsoft agents include:

  • Threat Intelligence Briefing Agent: Curates relevant threat intelligence based on an organization's attributes and exposure.
  • Conditional Access Optimization Agent: Embedded in Microsoft Entra, the Conditional Access Optimization Agent ensures all users are protected by policy. It recommends policies and changes based on best practices aligned with Zero Trust and Microsoft's learnings. In preview, the agent evaluates policies requiring multifactor authentication (MFA), enforces device-based controls (device compliance, app protection policies, and domain-joined devices), and blocks legacy authentication and device code flow.
  • Phishing Triage Agent: Embedded in Microsoft Defender, the Phishing Triage Agent helps security operations analysts to triage and classify user-submitted phishing incidents. The agent operates autonomously, provides a transparent rationale for its classification verdicts in natural language, and continuously learns and improves its accuracy based on feedback provided by analysts.

This list is not all-inclusive.

Partner agents

Security Copilot offers integration with partner agents. Integrating partner agents provides you with the flexibility to use tools you're already familiar with. These agents offer unique capabilities, from privacy breach response to network supervision and alert triage, ensuring you can address diverse security challenges effectively.

Partner agents available in Security Copilot include:

  • Network Supervisor Agent by Aviatrix: Performs root cause analysis and summarizes issues related to VPN, gateway, or Site2Cloud connection outages and failures.
  • SecOps Tooling Agent by BlueVoyant: Assesses a security operations center (SOC) and state of controls to make recommendations that help optimize security operations and improve controls, efficacy, and compliance.
  • Task Optimizer Agent by Fletch: Helps organizations forecast and prioritize the most critical threat alerts to reduce alert fatigue and improve security.
  • Privacy Breach Response Agent by OneTrust: Analyzes data breaches to generate guidance for the privacy team on how to meet regulatory requirements.

This list is not all-inclusive.