
Summarize an incident with Microsoft Copilot in Microsoft Defender

Microsoft Defender XDR applies the capabilities of Security Copilot to summarize incidents. Incident investigations are often time-consuming and involve numerous steps; an incident summary surfaces the key information and insights up front to simplify those tasks.

This guide outlines how to access the summarizing capability of Copilot in Defender, what information a summary includes, how to control when summaries are generated, and how to provide feedback.

Prerequisites

If you're new to Security Copilot, familiarize yourself with it by reading the following articles:

Incident responders can access the right context to investigate and remediate incidents through Defender XDR's correlation capabilities and Security Copilot's AI-powered data processing and contextualization. With an incident summary, responders get important information quickly to help in their investigation.

Security Copilot integration in Microsoft Defender

The incident summary capability is available in the Microsoft Defender portal for customers with provisioned access to Security Copilot.

This capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Learn more about preinstalled plugins in Security Copilot.

Incident summary content

Incidents containing up to 100 alerts can be summarized into one incident summary. An incident summary, depending on the availability of the data, includes the following information:

  • The time and date when an attack started.
  • The entity or asset where the attack started.
  • A summary of timelines of how the attack unfolded.
  • The assets involved in the attack.
  • Indicators of compromise (IoCs).
  • Names of threat actors involved.
  • Suggested Security Copilot prompts, which guide you to focus on the most relevant next steps, gain deeper insights, and simplify investigations.

Summarize an incident

  1. Open an incident page. Copilot automatically creates an incident summary in the Copilot pane. You can stop the summary creation by selecting Cancel, or restart it by selecting Regenerate.

  2. The incident summary card loads in the Copilot pane. Review the generated summary on the card and use the information to guide your investigation and response to the incident.

    Screenshot that shows the incident summary card on the Copilot pane as seen in the Microsoft Defender incident page.

    Tip

    You can navigate to a file, IP, or URL page from the Copilot results pane by selecting that piece of evidence in the results.

  3. Select See prompts to view suggested prompts. Suggested prompts surface relevant follow-up questions based on the most crucial information in the given incident.

    Select a suggested prompt to get more insights about the specific assets involved in the incident, such as device summaries, identity summaries, and related threat intelligence.

    Screenshot that shows the Copilot suggested prompts on the incident summary card.

  4. Select the More actions ellipsis (...) at the top of the incident summary card to copy or regenerate the summary, or view the summary in the Security Copilot portal. Selecting Open in Security Copilot opens a new tab to the Security Copilot standalone portal where you can input prompts and access other plugins.

    Screenshot that shows the actions available on the incident summary card.

Manage Copilot incident summaries settings (preview)

By default, Copilot generates a summary for each incident the user opens, but you can change this setting so that summaries are generated only in specific cases. You can choose to have summaries generated:

  • Always (for every incident opened)
  • Based on the severity level of the incident
  • On demand only

To change the settings for Copilot incident summaries in Microsoft Sentinel, follow these steps:

  1. Go to System > Settings > Copilot in Defender in the Microsoft Sentinel navigation pane.

    Screenshot that shows the Copilot settings page in Microsoft Sentinel.

  2. Under Preferences, select Incident Summary generation.

  3. Select either Auto-generate or Generate on demand, depending on your preference.

  4. If you select Auto-generate, choose between Always or Incident severity. If you select Incident severity, choose the minimum severity level for which you want Copilot to generate incident summaries automatically.

    Screenshot that shows the Copilot settings preferences page in Microsoft Sentinel.

  5. Select Save.

  • When you select Incident severity, an estimate of the number of incidents at each severity level reviewed per day is displayed, along with the estimated security compute unit (SCU) consumption.

    Screenshot that shows the approximate number of incidents of each severity level.

  • Copilot caches generated incident summaries for a week. If the incident you open already has a cached summary and the incident hasn't changed significantly, the cached summary is displayed again at no cost, regardless of the setting.

  • To generate a summary on demand for an incident that doesn't get one automatically, select the Generate button on the incident page.

    Screenshot that shows the Generate summary button on the incident page.

Sample incident summary prompt

In the Security Copilot standalone portal, you can use the following prompt to generate incident summaries:

  • Provide a summary for Defender incident {incident ID}.

Tip

When you generate an incident summary in the Security Copilot portal, include the word Defender in your prompt so that the request is routed to the incident summary capability and returns the summary.

Provide feedback

Microsoft highly encourages you to provide feedback to Copilot, as it's crucial for a capability's continuous improvement. You can provide feedback on the summary by selecting the feedback icon at the bottom of the Copilot pane.

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.