Deploy AI agents in Microsoft Defender

Security Store in the Microsoft Defender portal offers various agents that help you perform your security tasks efficiently. These agents include Microsoft Security Copilot agents published by Microsoft and partners. These agents integrate with Microsoft Defender and carry out various security operations (SOC) tasks, such as incident triage, investigation, threat hunting, and threat intelligence.

This article explains how to discover and deploy AI agents in Microsoft Defender.

Note

To learn more about publishing agents to Security Store, see Publish agents to Microsoft Security Store.

Prerequisites

To purchase and deploy agents from Security Store, you need:

Discover and deploy agents in the Microsoft Defender portal

To discover and deploy agents in the Microsoft Defender portal:

  1. Select Security Copilot > Security Store.

  2. Browse or search for the agent you want to deploy.

  3. Select the agent to view its details, including its capabilities, requirements, and setup instructions.

  4. To purchase and deploy the agent:

    • Select Get agent to begin the deployment process if you have sufficient permissions. For more information, see Prerequisites.

    • If you don't have permissions to deploy agents, select Copy link to copy the agent's details page URL and share it with a security administrator.

      Screenshot showing Security Store page in Microsoft Defender portal.

    • For partner-published agents, complete the purchase and deploy on the Security Store website, as described in the Microsoft Security Store documentation.

      You can manage centralized purchases for partner-published agents through public offers, or through private offers, as described in How to Purchase SaaS Solutions (Private Offers).

  5. After purchasing the agent, select Security Copilot > Agents, find your agent in the Ready for setup section, and then select Set up to begin agent setup.

    For more information on setting up, managing, and running partner-published agents, see Manage Security Copilot agents.

    For more information on Microsoft Security Copilot agents, see Microsoft Security Copilot agents in Microsoft Defender.

    After setup, the agent appears in the Agents in use section.

Microsoft Security Copilot agents in Microsoft Defender

This section details the Microsoft Security Copilot agents that are available in the Microsoft Defender portal.

Phishing Triage Agent

The Phishing Triage Agent helps security operations analysts triage and classify user-submitted phishing incidents. The agent operates autonomously, provides a transparent rationale for its classification verdicts in natural language, and continuously learns and improves its accuracy based on feedback from analysts.

Attribute | Description
Identity | Operates in the context of the user you connect to the agent
License | Microsoft Defender for Endpoint P2
Permissions | The agent requires these permissions to operate:
  • Read Security data basics (read)
  • Email & collaboration content (read)
  • Email & collaboration metadata (read)
  • Security Copilot (read)
  • Alerts (manage)
Plugins | The agent automatically activates these Security Copilot plugins:
Products |
Role-based access | Security Administrator Microsoft Entra role is required to set up and manage the agent
  Users with the same permissions as the Phishing Triage Agent can view the agent's activity and results, and provide feedback on the agent's classification verdict.
Trigger | Triggered when a user in your organization submits a phishing incident

Threat Intelligence Briefing Agent

The Threat Intelligence Briefing Agent provides security operations teams with regular, customized threat intelligence briefings. The agent autonomously gathers and synthesizes relevant threat intelligence data from various sources, delivering concise and actionable insights to help analysts stay informed about emerging threats and trends.

Attribute | Description
Identity | Requires connection to an existing user account or creation of a new agent identity
License | Defender EASM Standard
Permissions | Required permissions:
  • Microsoft Defender for Endpoint
  • Security Reader
  Optional permissions:
  • Exposure Management (read)
Products | Security Copilot
Plugins | The following plugins are required to run this agent:
  • Microsoft Threat Intelligence
  • Microsoft Threat Intelligence agents
  The following plugin is optional but can add more context to the output:
  • Microsoft Defender External Attack Surface Management
Role-based access | The Security Administrator role is required to set up and manage the agent.
  Users with the same permissions as the Threat Intelligence Briefing Agent can view the agent's activity and results.
Trigger | Runs at the set time interval that you configured during setup, or manually when you want to run it