Note
This article discusses the Threat Intelligence Briefing Agent embedded experience in Microsoft Defender portal. To learn more about the standalone experience in Security Copilot, read Threat Intelligence Briefing Agent (standalone experience).
Threat intelligence analysts face many challenges when they create useful, actionable briefings. Building a briefing requires collecting data from multiple threat feeds, tools, and portals. Analysts must then filter, correlate, and analyze this data to map risks to their organization. All of this work happens before they can even start writing the report. Because these steps can take hours or even days, threats often change before the briefing is ready, which can make it outdated.
The Microsoft Security Copilot Threat Intelligence Briefing Agent in Microsoft Defender addresses these pain points. It generates threat intelligence briefings based on the latest threat actor activity and both internal and external vulnerability information in a matter of minutes. It can help security teams save time by creating a customized, relevant report that provides CISOs, security managers, and analysts with key situational awareness and a solid foundation for defense work.
The agent uses automation and generative AI along with broad threat intelligence data. As it builds the briefing, it picks each next step based on the result of the previous one. This lets it decide in real time which threats to include and rank. The agent then turns the collected threat intelligence and vulnerability findings into a clear report that different audiences can read and act on.
The Threat Intelligence Briefing Agent is best suited for customers who turn on Microsoft Defender for Endpoint and Microsoft Defender External Attack Surface, as the agent relies on signals and insights from these first-party integrations to deliver accurate and context-rich reports.
Watch this video to see the Threat Intelligence Briefing Agent in action, from setup to generating your first briefing.
Where to find the Threat Intelligence Briefing Agent
You can find the Threat Intelligence Briefing Agent as a banner at the top of the Threat analytics page in the Defender portal.
To open Threat analytics, go to Threat intelligence > Threat analytics in the navigation menu.
Prerequisites
Before you set up the Threat Intelligence Briefing Agent, make sure you have the following products, plugins, and permissions in place.
Products
You need Microsoft Security Copilot to run this agent.
Security Copilot plugins
To run this agent, you need the following plugins:
- Microsoft Threat Intelligence
- Microsoft Threat Intelligence agents
The following plugin is optional but can add more context to the output:
- Microsoft Defender External Attack Surface Management
User account permissions
Important
Identity and permissions requirement: This agent must connect to a user account or a new agent identity (recommended). The agent can read data from Defender External Attack Surface Management and Defender Vulnerability Management. Set up the right permissions on the account or identity before you configure the agent.
The user account connected to the agent or the created agent identity must have these permissions:
Required permissions:
- Microsoft Defender for Endpoint: Access to Defender Vulnerability Management data
- Security Reader: Access to Threat Analytics and agent results
- Security Admin: Access to agent onboarding and configuration
Optional permissions:
- Exposure Management (read): Access to Microsoft Security Exposure Management insights, including External Attack Surface Management data
Role-based access:
- Owners and contributors can see the report generated by the Threat Intelligence Briefing Agent within the Microsoft Security Copilot agent library page
Important
After setting up permissions, activate the Microsoft Defender unified role-based access control (RBAC) model for the role to take effect.
Tip
Consider using a dedicated service account for running agents to maintain separation of duties and enhance security monitoring.
Trigger
This agent runs at the set time interval that you configured during setup, or manually when you want to run it.
Set up an agent identity for the agent
A service principal is an application identity in Microsoft Entra ID that lets an app access resources on its own behalf. The Threat Intelligence Briefing Agent can run under a dedicated agent identity (service principal) with only the minimal read permissions required in Microsoft Defender. This section describes how you can create or reuse a least-privileged role, register the agent's service principal, and assign the role.
Before setting up an agent identity for the Threat Intelligence Briefing Agent, make sure that you have the agent in your environment. You must also have the following prerequisites:
- Tenant-level admin rights to register a service principal and assign roles.
- Azure CLI installed and authenticated (az login). For more information, see Get started with Azure CLI.
- Access to Defender unified RBAC or equivalent permissions management.
To set up an agent identity:
Create or reuse a least-privileged role
Create a role or reuse an existing role that includes the following minimum permissions:
- Security operations > Security data > Security data basics (read)
- Security posture > Posture management > Vulnerability management (read)
You can reuse other roles that provide at least these levels of read access. Apply least privilege and scope assignments narrowly.
Register the agent's service principal (agent identity)
First, get a Microsoft Graph access token. You use this token to authenticate the API calls in the following steps. Run the following commands as a tenant admin:
    TOKEN=$(az account get-access-token \
      --tenant "<your tenant ID>" \
      --resource-type ms-graph \
      --query accessToken -o tsv)
Next, create the service principal for the agent identity in your tenant:
    curl -X POST https://graph.microsoft.com/v1.0/servicePrincipals \
      -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type: application/json" \
      -d '{ "appId": "43d7b169-1d9e-4d32-8cd8-06c5974ed90c" }'
Optional: Run the following request to look up the service principal by app ID and confirm it was created:
    # -G sends the URL-encoded data as the query string; \$ stops the shell from expanding $filter
    curl -G "https://graph.microsoft.com/v1.0/servicePrincipals" \
      --data-urlencode "\$filter=appId eq '43d7b169-1d9e-4d32-8cd8-06c5974ed90c'" \
      -H "Authorization: Bearer $TOKEN"
Assign the least-privileged role to the service principal
- In the Defender portal, go to Settings > Roles and permissions (Unified RBAC) > Assignments > Add assignment.
- Specify the following parameters:
  - Principal: Select the service principal created in step 2.
  - Role: Choose the custom role with the two read permissions mentioned in step 1.
  - Scope: Select the minimal scope required (specific assets or subscriptions).
- Save the assignment.
Configure Defender for Endpoint role permissions
In addition to the Unified RBAC role assignment, the agent identity must have the required Defender for Endpoint permissions to access vulnerability and device data:
- Sign in to the Microsoft Defender portal.
- Navigate to Settings > Endpoints > Permissions > Roles.
- Locate the custom role assigned to the Threat Intelligence Briefing Agent (for example, "Threat Intelligence Briefing Agent").
- Edit the role and confirm that the following permissions are enabled:
  - Advanced Hunting – Read
  - Vulnerability Management – Read
  - Machine Configuration – Read
  - Device Inventory – Read
- Save any changes if updates are made.
Grant Device Group access to the agent identity
The agent identity must also have access to the Device Groups that contain your endpoints. Without this access, the agent can't query device vulnerability data, and the Exposure Report section of the briefing may show as "not available" or return zero results.
- In the Microsoft Defender portal, go to Settings > Endpoints > Device Groups.
- For each Device Group that contains production endpoints:
  - Open the Device Group.
  - Select the User Access section.
  - Add the Threat Intelligence Briefing Agent identity.
  - Assign Read access.
- Save the changes.
Wait for permissions to synchronize, then set up the agent
Important
Allow time for permission updates to synchronize across Microsoft Defender services before running the agent.
After permissions synchronize, set up the Threat Intelligence Briefing Agent and connect the created agent identity.
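The service principal registration step above, written so that it can be rerun safely: it looks up the principal by app ID first and creates it only when none exists. This is an added example, not Microsoft's code; `lookup_url`, `graph_call`, `ensure_agent_identity` and `fake_graph` are hypothetical names, and the Graph responses returned by `fake_graph` are constructed so the block runs offline.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/servicePrincipals"
AGENT_APP_ID = "43d7b169-1d9e-4d32-8cd8-06c5974ed90c"  # app ID from the steps above

def lookup_url(app_id):
    """Percent-encode the filter value; '$filter' itself stays literal."""
    return f"{GRAPH}?$filter=" + urllib.parse.quote(f"appId eq '{app_id}'", safe="")

def graph_call(method, url, token, body=None):
    """Real transport: one authenticated Graph request, parsed JSON back."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def ensure_agent_identity(token, app_id=AGENT_APP_ID, call=graph_call):
    """Return (object_id, created); look up first so a rerun never POSTs again."""
    found = call("GET", lookup_url(app_id), token).get("value", [])
    matches = [sp for sp in found if sp.get("appId") == app_id]
    if len(matches) > 1:
        raise RuntimeError(f"{len(matches)} service principals share appId {app_id}")
    if matches:
        return matches[0]["id"], False
    return call("POST", GRAPH, token, {"appId": app_id})["id"], True

def fake_graph(existing):
    """Constructed offline stand-in for Graph (assumption); records each call."""
    log = []
    def call(method, url, token, body=None):
        log.append(method)
        if method == "GET":
            return {"value": list(existing)}
        return {"id": "00000000-0000-0000-0000-0000000000aa", "appId": body["appId"]}
    return call, log

if __name__ == "__main__":
    call, log = fake_graph([])  # constructed empty tenant: GET, then POST
    print(ensure_agent_identity("constructed-token", call=call), log)
    call, log = fake_graph([{"id": "constructed-object-id", "appId": AGENT_APP_ID}])
    print(ensure_agent_identity("constructed-token", call=call), log)  # GET only
```

Called without the `call` argument, `ensure_agent_identity` uses `graph_call` against Microsoft Graph with the token obtained in the registration step.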
Set up the agent
To run the Threat Intelligence Briefing Agent for the first time, follow these steps:
On the Threat Intelligence Briefing Agent banner at the top of the Threat analytics page, select Set up agent.
On the pop-up window that appears, review the agent details, and then select Next.
Connect a user account or agent identity, and then select Continue. A new window opens where you complete this step.
Wait for the agent to finish connecting to the identity or account, and then select Continue.
Specify the following parameters to customize the agent output:
- Insights: The number of vulnerabilities the agent researches for active threats.
- Look back days: The number of days the agent goes back to research threats against your vulnerabilities.
- Region: The geographical area that the agent checks for relevant threats.
- Industry: The sector or industry vertical that the agent checks for relevant threats.
- Scheduled runs settings: Choose whether to run the agent manually or send briefings at regular intervals. By default, the agent runs every seven days.
- Generated brief recipient: The email address of the user or distribution group that the agent sends the briefing to.
Select Deploy agent. When the agent activates, you can go back to the Threat analytics page or select Manage agent to update your agent parameters.
View briefing and manage the agent
Select Run agent to generate an ad hoc briefing or the most up-to-date briefing. Select View full brief to view the full report.
When you select View full brief, a side panel opens with a threat summary and detailed technical analysis. The panel covers actively exploited vulnerabilities and their possible impact on your organization. To download the report as a markdown file or copy its contents, select the matching icons at the top of the panel.
Select Manage agent to view and manage the agent's settings.
You can also access the agent settings in either of these ways:
- Select the three dots in the agent banner, then select Manage agent.
- Go to System > Settings > Microsoft Defender XDR > Threat Intelligence Briefing Agent in the Defender portal.
Assess and provide feedback on the agent’s output
The Threat Intelligence Briefing Agent saves the reports it generates in the Security Copilot standalone portal, under Activity. You can access this Activity page from the Defender portal by selecting View agent activity from the Threat Intelligence Briefing Agent settings page.
The Activity page displays the times the Threat Intelligence Briefing Agent ran to generate a report, the method of generation, and status. To assess the agent's output, select one of the reports.
To view the agent’s progress toward producing a threat briefing, select View activity. This selection opens an activity map where you can see the details of the activity, providing you with transparency on the steps taken by the agent to produce the output. The Threat Intelligence Briefing Agent dynamically chooses the next step based on the outcome of the previous one as it builds the briefing.
To share feedback about the briefing, select the thumbs up or thumbs down icon. In the window that appears, type your feedback in the text box and select Submit. You can send feedback to the agent to help it learn what you prefer, or to Microsoft to help us improve the results.