Documented the provisioning process for Security Copilot Units (SCUs), including implementation effort, user impact, and configuration details.
Added information about Microsoft Entra ID RBAC for Security Copilot.
Added a new document detailing the management and monitoring of Security Compute Units (SCUs) for Microsoft Security Copilot, including implementation effort, user impact, and configuration guidance.
Document the management of plugins in Microsoft Security Copilot, including implementation effort and user impact.
Added documentation for the Threat Hunting Agent in Microsoft Defender, detailing implementation effort, user impact, overview, and configuration instructions.
Added documentation for the Defender Threat Intelligence Agent, detailing its implementation effort, user impact, and overview of its capabilities.
Document the use of Security Copilot for incident summaries and remediation.
Added documentation for analyzing potentially malicious files and scripts using Microsoft Security Copilot, including implementation effort, user impact, and overview of capabilities.
This document outlines the capabilities of Microsoft Security Copilot in providing AI-generated summaries of identities and devices, aiding security analysts in investigations and governance tasks.
Added documentation for Microsoft Defender Experts for XDR, detailing implementation effort, user impact, overview, configuration steps, and references.
Pull request overview
Adds new Security Operations workshop-guidance Markdown pages covering Microsoft Security Copilot capabilities and Microsoft Defender Experts for XDR, expanding the documentation set in src/react/docs/workshop-guidance/securityoperations.
Changes:
- Added 8 new Security Copilot-focused SVA guidance pages (SCU provisioning/monitoring, plugins, agents, incident/file/identity summaries).
- Added a new Microsoft Defender Experts for XDR guidance page (Sentinel025).
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/react/docs/workshop-guidance/securityoperations/SVA_Sentinel025.md | New guidance page for Microsoft Defender Experts for XDR onboarding/value. |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI001.md | New guidance page on provisioning Security Compute Units (SCUs). |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI002.md | New guidance page on monitoring/managing SCU usage. |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI003.md | New guidance page on managing Security Copilot plugins. |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI004.md | New guidance page for the Threat Hunting Agent in Defender (formatting noted in comments). |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI005.md | New guidance page for the Threat Intelligence Briefing Agent / Defender Threat Intelligence Agent. |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI006.md | New guidance page for incident summaries and guided response in Defender XDR. |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI007.md | New guidance page for file/script analysis using Security Copilot. |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI008.md | New guidance page for identity/device summaries using Security Copilot. |
| **Implementation Effort: Medium** – This requires IT and Security Operations teams to configure access and incorporate the Threat Hunting Agent into existing Defender XDR hunting workflows, which is a project rather than a long‑term operational program. | ||
| **User Impact: Low** – Only administrators and security analysts interact with this capability; standard users do not need to take action. |
| ## Overview | ||
| The Defender Threat Intelligence Agent (referred to in Microsoft Learn as the *Threat Intelligence Briefing Agent*) is an AI‑driven capability in Microsoft Security Copilot that generates tailored threat intelligence summaries based on signals from Microsoft Defender for Endpoint and Microsoft Defender External Attack Surface Management. It provides analysts with context-rich information on adversary activity, threat infrastructure, and relevant indicators, helping teams speed up investigations and identify active risks. | ||
| If this capability is not leveraged, security teams may miss correlations across Defender signals or spend more time manually gathering intelligence, increasing the risk of delayed detection and slower response. | ||
| This capability aligns to the Zero Trust principle of **Assume breach** by enhancing visibility, exposing attacker infrastructure, and improving threat detection quality. |
|
|
||
|
|
| If this capability is not deployed, analysts must rely on manual reverse-engineering and static/dynamic analysis processes, which take more time and increase the risk that threats remain undetected, spread laterally, or exfiltrate data. | ||
|
|
||
| **Zero Trust Connection — Assume Breach:** | ||
| This aligns with the “assume breach” principle by continuously validating potentially harmful code and enhancing threat detection visibility through AI-powered analysis. |
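Review bot: The Implementation Effort / User Impact lines at the top of this hunk put the value inside the bold span (`**Implementation Effort: Medium** –`, `**User Impact: Low** –`), while the incident-summary page added in the same pull request bolds only the label (`**User Impact:** Low –`); choose one form for all eight SVA_AI pages so the rendered headers line up. The Zero Trust line is inconsistent in the same way: the Threat Intelligence Agent overview states the principle inline (`aligns to the Zero Trust principle of **Assume breach**`), whereas the file-analysis page introduces it with a separate bold lead (`**Zero Trust Connection — Assume Breach:**`). Finally, the overview names the agent two ways (Defender Threat Intelligence Agent and Threat Intelligence Briefing Agent); stating once which name appears in the portal would help readers locate it.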
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Pull request overview
Adds new Security Operations workshop-guidance markdown pages covering Microsoft Security Copilot capabilities and Microsoft Defender Experts for XDR, following the existing “Implementation Effort / User Impact / Overview / Reference” structure used across SVA content.
Changes:
- Introduces 8 new “SVA_AI00x” guidance pages for Microsoft Security Copilot features (SCU management, plugins, agents, investigation summaries).
- Adds a new “SVA_Sentinel025” guidance page describing Microsoft Defender Experts for XDR onboarding and references.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/react/docs/workshop-guidance/securityoperations/SVA_Sentinel025.md | New guidance page for considering Defender Experts for XDR, with onboarding path and reference links. |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI008.md | New guidance page on using Security Copilot to summarize identity/device details. |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI007.md | New guidance page on Security Copilot-assisted file/script analysis. |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI006.md | New guidance page on incident summaries and guided remediation in Defender XDR. |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI005.md | New guidance page describing the Threat Intelligence Briefing Agent/Defender Threat Intelligence Agent. |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI004.md | New guidance page for the Threat Hunting Agent in Defender, including where to access it. |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI003.md | New guidance page on managing Security Copilot plugins (including MCP). |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI002.md | New guidance page on monitoring/managing Security Compute Unit (SCU) usage. |
| src/react/docs/workshop-guidance/securityoperations/SVA_AI001.md | New guidance page on provisioning SCUs and related RBAC considerations. |
| **Implementation Effort: Medium** – This requires IT and Security Operations teams to configure access and incorporate the Threat Hunting Agent into existing Defender XDR hunting workflows, which is a project rather than a long‑term operational program. | ||
| **User Impact: Low** – Only administrators and security analysts interact with this capability; standard users do not need to take action. |
| @@ -0,0 +1,24 @@ | |||
| # View Incident Summaries and Use Guided Response to Remediate | |||
| **User Impact:** Low – All actions occur within admin/SOC workflows; non‑privileged users do not need to take action. | ||
|
|
||
| ## Overview | ||
| Microsoft Defender Experts for XDR is a managed extended detection and response service that combines Microsoft’s automation and human security expertise to help SOC teams triage incidents, investigate threats, and accelerate response. It works across Microsoft Defender for Endpoint, Office 365, Identity, Cloud Apps, and Microsoft Entra ID. It reduces alert fatigue, improves prioritization, and ensures high‑severity threats are investigated with expert support [1](https://learn.microsoft.com/en-us/defender-xdr/dex-xdr-overview). |
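Review bot: The `**User Impact:** Low –` line in this hunk uses a different bold pattern from the other pages in the pull request (`**User Impact: Low** –`); align it with the shared Implementation Effort / User Impact / Overview / Reference structure the review summary says all SVA pages follow. In the Overview sentence, the product list (`Microsoft Defender for Endpoint, Office 365, Identity, Cloud Apps, and Microsoft Entra ID`) abbreviates the Defender products after the first while giving Microsoft Entra ID in full; either spell out each Microsoft Defender product name or apply the shared prefix form consistently so readers do not mistake "Identity" or "Cloud Apps" for Entra features.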
Added Security Copilot for Defender and some additional docs