Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This page provides information about agents available in the standalone experience of Security Copilot.
Agent terminology
All agents require the following controls configured.
Trigger
A trigger is an event or condition that tells an agentic system to initiate an action or series of actions. You can set the agent to run automatically at specific intervals or choose to run it manually when needed.
Permissions
In the context of agents, permissions are the level of authorization an AI agent is given by an admin during configuration that enables it to access specific information or carry out its tasks.
These permissions might include the ability to read data from other solutions, for example Microsoft Defender External Attack Surface Management or Microsoft Threat Intelligence. By giving the agent permissions to access data from these solutions, the agent can generate insights or provide recommendations based on the information it's able to gather.
Identity
An agent needs an identity to authenticate and securely access resources when it runs. During the agent setup process, you're given two types of identity to choose from:
Create an agent identity
Note
Currently, this option is only available for Microsoft-built agents.
This option creates a dedicated identity for the agent using the Microsoft Entra Agent ID capability. Microsoft Entra Agent IDs are identities created specifically for AI agents. The user setting up the agent grants the agent ID permissions needed for the agent to run successfully. Using Agent IDs keeps access scoped, secure, and easier to manage. For more information, see What are agent identities?.
Connect with an existing user account
This option lets the agent use your credentials to run. It inherits your access and permissions while it's active.
Plugins
Plugins extend the capabilities of Security Copilot. A plugin is a component that extends what an agent can do by giving it access to capabilities in Microsoft and non-Microsoft services and public websites through APIs. Having access to plugins adds more context to the output of an agent.
Available agents
Threat intelligence briefing agent
Generating a threat intelligence report can be a cumbersome and resource intensive task. It requires intelligence gathering and can take hours or days to complete.
The Threat Intelligence Briefing Agent generates timely, relevant threat intelligence reports with detailed technical analysis based on the latest threat actor activity and both internal and external vulnerability information. The agent correlates Microsoft threat data from Defender External Attack Surface Management (EASM) and real-time customer signals to add critical context to threat information in a matter of minutes, saving analyst teams hours or even days spent on intelligence gathering and correlation.
| Attribute | Description |
|---|---|
| Identity | Requires connection to an existing user account and creation of a new agent identity |
| License | Defender EASM Standard |
| Permissions | Read data from Agents, Microsoft Defender External Attack Surface Management, Microsoft Threat Intelligence, and Microsoft Threat Intelligence Agents |
| Products | Security Copilot |
| Plugins | Microsoft Defender External Attack Surface Management Microsoft Threat Intelligence Microsoft Threat Intelligence Agent |
| Role-based access | Security Copilot Owner and Security Copilot Contributor roles can see the report generated by the Threat intelligence briefing agent within the Microsoft Security Copilot Agents page |
| Trigger | Runs every 7 days or can be triggered manually |