Note
This article discusses the Threat Intelligence Briefing Agent embedded experience in the Microsoft Defender portal. To learn more about the standalone experience in Security Copilot, read Threat Intelligence Briefing Agent (standalone experience).
Threat intelligence analysts face several challenges in delivering insightful, actionable, contextualized intelligence. The task of developing threat intelligence briefings involves collecting information from various threat feeds, tools, and portals. Analysts must filter and correlate this information, and analyze and map organizational risks. These activities happen before analysts can even start developing the report itself and generating insights for when they deliver the briefing. Because these processes can take anywhere from hours to days, by then the threats facing the organization have already evolved, which can render the briefing obsolete.
The Microsoft Security Copilot Threat Intelligence Briefing Agent in Microsoft Defender addresses these pain points. It generates threat intelligence briefings based on the latest threat actor activity and both internal and external vulnerability information in a matter of minutes. It can help security teams save time by creating a customized, relevant report that provides CISOs, security managers, and analysts with key situational awareness and a solid foundation for defense work.
The agent leverages dynamic automation and deep generative AI along with its wealth of threat intelligence knowledge and signals. When building the briefing, the agent dynamically chooses the next step based on the outcome of the previous step. This approach allows it to decide in real time what threat intelligence to include and prioritize. The agent then translates this technical information into a digestible report that various audiences can consume.
The Threat Intelligence Briefing Agent is best suited for customers who turn on Microsoft Defender for Endpoint and Microsoft Defender External Attack Surface, as the agent relies on signals and insights from these first-party integrations to deliver accurate and context-rich reports.
Watch this video to see the Threat Intelligence Briefing Agent in action, from setup to generating your first briefing.
Where to find the Threat Intelligence Briefing Agent
The Threat Intelligence Briefing Agent appears as a banner at the top of the Threat analytics page in the Microsoft Defender portal.
To access Threat analytics, from the navigation menu, select Threat intelligence > Threat analytics.
Prerequisites
Products
You need Microsoft Security Copilot to run this agent.
Security Copilot plugins
To run this agent, you need the following plugins:
- Microsoft Threat Intelligence
- Microsoft Threat Intelligence agents
The following plugin is optional but can add more context to the output:
- Microsoft Defender External Attack Surface Management
User account permissions
Important
Identity and permissions requirement: This agent requires connection to an existing user account or creation of a new agent identity (recommended). The agent can read data from Defender External Attack Surface Management and Defender Vulnerability Management. You must configure the user account or agent identity with the appropriate permissions before setting up the agent.
The user account connected to the agent or the created agent identity must have these permissions:
Required permissions:
- Microsoft Defender for Endpoint: Access to Defender Vulnerability Management data
- Security Reader: Access to Threat Analytics and agent results
- Security Admin: Access to agent onboarding and configuration
Optional permissions:
- Exposure Management (read): Access to Microsoft Security Exposure Management insights, including External Attack Surface Management data
Role-based access:
- Owners and contributors can see the report generated by the Threat Intelligence Briefing Agent within the Microsoft Security Copilot agent library page
Important
After setting up permissions, activate the Microsoft Defender XDR Unified role-based access control (RBAC) model for the role to take effect.
Tip
Consider using a dedicated service account for running agents to maintain separation of duties and enhance security monitoring.
Trigger
This agent runs at the set time interval that you configured during setup, or manually when you want to run it.
Set up an agent identity for the agent
The Threat Intelligence Briefing Agent can run under a dedicated agent identity (service principal) with only the minimal read permissions required in Microsoft Defender. This section describes how you can create or reuse a least-privileged role, register the agent's service principal, and assign the role.
Before setting up an agent identity for the Threat Intelligence Briefing Agent, make sure that you have the agent in your environment. You must also have the following prerequisites:
- Tenant-level admin rights to register a service principal and assign roles.
- Azure CLI installed and authenticated (az login). For more information, see Get started with Azure CLI.
- Access to Defender XDR Unified RBAC or equivalent permissions management.
To set up an agent identity:
1. Create or reuse a least-privileged role
Create a role or reuse an existing role that includes the following minimum permissions:
- Security operations > Security data > Security data basics (read)
- Security posture > Posture management > Vulnerability management (read)
You can reuse other roles that provide at least these levels of read access. Apply least privilege and scope assignments narrowly.
2. Register the agent's service principal (agent identity)
Run the following Azure CLI commands as a tenant admin to create the service principal in your tenant:

```bash
# Get a Microsoft Graph access token for the tenant
TOKEN=$(az account get-access-token \
  --tenant "<your tenant ID>" \
  --resource-type ms-graph \
  --query accessToken -o tsv)

# Create the service principal for the agent's application ID
curl -X POST https://graph.microsoft.com/v1.0/servicePrincipals \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "appId": "43d7b169-1d9e-4d32-8cd8-06c5974ed90c" }'
```

Optional: Validate that the service principal was created:

```bash
# -G sends the URL-encoded filter as the query string;
# \$ keeps the shell from expanding $filter inside double quotes
curl -G https://graph.microsoft.com/v1.0/servicePrincipals \
  --data-urlencode "\$filter=appId eq '43d7b169-1d9e-4d32-8cd8-06c5974ed90c'" \
  -H "Authorization: Bearer $TOKEN"
```

3. Assign the least-privileged role to the service principal
- In the Defender portal, go to Settings > Roles and permissions (Unified RBAC) > Assignments > Add assignment.
- Specify the following parameters:
  - Principal: Select the service principal created in step 2.
  - Role: Choose the custom role with the two read permissions mentioned in step 1.
  - Scope: Select the minimal scope required (specific assets or subscriptions).
- Save the assignment.
4. Set up the Threat Intelligence Briefing Agent and connect the created agent identity
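For the optional validation in the service principal registration step, the following added example (not Microsoft's code) builds the lookup URL with the OData filter percent-encoded and interprets the Graph response before you assign the role. The function names and sample responses are constructed for illustration; `appId`, `id`, and `accountEnabled` are properties of the Graph servicePrincipal resource.

```python
import json
import uuid
from urllib.parse import quote, urlencode

GRAPH_SP_URL = "https://graph.microsoft.com/v1.0/servicePrincipals"
AGENT_APP_ID = "43d7b169-1d9e-4d32-8cd8-06c5974ed90c"  # appId from the registration step


def build_lookup_url(app_id: str) -> str:
    """Return the validation URL with the OData filter percent-encoded."""
    # Accept only a GUID so nothing else can be spliced into the filter expression.
    app_id = str(uuid.UUID(app_id))
    # Percent-encode spaces and quotes so the filter survives transport intact.
    query = urlencode({"$filter": f"appId eq '{app_id}'"}, quote_via=quote, safe="$")
    return f"{GRAPH_SP_URL}?{query}"


def check_registration(response_body: str, app_id: str) -> tuple[bool, str]:
    """Interpret the Graph list response for the agent's service principal."""
    matches = [sp for sp in json.loads(response_body).get("value", [])
               if sp.get("appId", "").lower() == app_id.lower()]
    if not matches:
        return False, "service principal not found; registration did not take effect"
    if len(matches) > 1:
        return False, "more than one match returned; investigate before assigning roles"
    sp = matches[0]
    if sp.get("accountEnabled") is not True:
        return False, f"service principal {sp.get('id')} is disabled"
    return True, f"service principal {sp.get('id')} is registered; assign the role to it"


# Constructed sample responses (not captured from a real tenant).
SAMPLE_FOUND = json.dumps({"value": [{
    "id": "00000000-0000-0000-0000-0000000000aa",  # placeholder object ID
    "appId": AGENT_APP_ID,
    "accountEnabled": True,
}]})
SAMPLE_EMPTY = json.dumps({"value": []})

if __name__ == "__main__":
    print(build_lookup_url(AGENT_APP_ID))
    for body in (SAMPLE_FOUND, SAMPLE_EMPTY):
        print(check_registration(body, AGENT_APP_ID))
```
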
Set up the agent
To run the Threat Intelligence Briefing Agent for the first time, follow these steps:
1. On the Threat Intelligence Briefing Agent banner at the top of the Threat analytics page, select Set up agent.
2. On the pop-up window that appears, review the agent details, and then select Next.
3. Connect a user account or agent identity, and then select Continue to open a new window where you can perform this step.
4. Wait for the agent to finish connecting to the identity or account, and then select Continue.
5. Specify the following parameters to customize the agent output:
   - Insights: The number of vulnerabilities the agent researches for active threats.
   - Look back days: The number of days the agent goes back to research threats against your vulnerabilities.
   - Region: The geographical area that the agent checks for relevant threats.
   - Industry: The sector or industry vertical that the agent checks for relevant threats.
   - Scheduled runs settings: Choose whether you want to run the agent manually or have it send briefings at regular intervals automatically. By default, the agent runs every seven days.
   - Generated brief recipient: The email address of the user or distribution group that the agent sends the briefing to.
6. Select Deploy agent. When the agent activates, you can go back to the Threat analytics page or select Manage agent to update your agent parameters.
View briefing and manage the agent
Select Run agent to generate an ad-hoc or the most up-to-date briefing. Select View full brief to view the full report.
When you select View full brief, a side panel appears containing a relevant summary of threat information and detailed technical analysis, including any actively exploited vulnerability and its possible organizational impact. You can download the report as a markdown file or copy its contents by selecting their respective icons at the top of the panel.
Select Manage agent to view and manage the agent's settings.
You can also access the agent settings by:
- Selecting the three dots in the agent banner and then selecting Manage agent.
- Going to System > Settings > Microsoft Defender XDR > Threat Intelligence Briefing Agent in the Defender portal navigation menu.
Assess and provide feedback on the agent’s output
The Threat Intelligence Briefing Agent saves the reports it generates in the Security Copilot standalone portal, under Activity. You can access this Activity page from the Defender portal by selecting View agent activity from the Threat Intelligence Briefing Agent settings page.
The Activity page displays the times the Threat Intelligence Briefing Agent ran to generate a report, the method of generation, and status. To assess the agent's output, select one of the reports.
To view the agent’s progress toward producing a threat briefing, select View activity. This selection opens an activity map where you can see the details of the activity, providing you with transparency on the steps taken by the agent to produce the output. The Threat Intelligence Briefing Agent dynamically chooses the next step based on the outcome of the previous one as it builds the briefing.
To provide feedback about the briefing, select the thumbs up or thumbs down icon. In the pop-up window that appears, elaborate on your feedback in the text box provided and then select Submit. You can choose to provide your feedback to the agent, so you can teach it what you like and how it can get even better, or to Microsoft, to tell us what you think about the results the agent generates and what we can do to improve them.