Merge pull request #3436 from MicrosoftDocs/diannegali-phishingtriage

Phishing triage agent

Author: diannegali

defender-xdr/TOC.yml

@@ -416,6 +416,12 @@
           href: advanced-hunting-security-copilot.md
         - name: Create incident reports
           href: security-copilot-m365d-create-incident-report.md
+        - name: Security Copilot agents in Microsoft Defender
+          items:
+          - name: Overview
+            href: security-copilot-agents-defender.md          
+          - name: Phishing Triage Agent
+            href: phishing-triage-agent.md
     - name: Enhance security operations
       items:
       - name: Security operations guide

defender-xdr/phishing-triage-agent.md

@@ -0,0 +1,66 @@
+---
+title: Security Copilot Phishing Triage Agent in Microsoft Defender
+description: Learn about the Security Copilot Phishing Triage Agent, including requirements for setup and providing feedback to the agent.
+ms.service: defender-xdr
+f1.keywords:
+- NOCSH
+ms.author: diannegali
+author: diannegali
+ms.localizationpriority: medium
+manager: deniseb
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier1
+- security-copilot
+- magic-ai-copilot 
+ms.topic: concept-article
+search.appverid:
+- MOE150
+- MET150
+ms.date: 04/28/2025
+appliesto:
+- Microsoft Defender XDR
+- Microsoft Defender for Office 365 Plan 2
+#customer intent: As a security analyst, I want to learn about the Phishing Triage Agent in Microsoft Defender so that I can triage and classify user-submitted phishing incidents efficiently.
+---
+
+# Microsoft Security Copilot Phishing Triage Agent in Microsoft Defender
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> Some information in this article relates to a prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here.
+
+Phishing remains one of the most common ways attackers gain initial access. It also represents one of the highest-volume challenges security operations center (SOC) teams face, due to the large number of user-reported suspicious emails that must be investigated daily.
+
+To help security teams address phishing efficiently, Microsoft Security Copilot is introducing the Phishing Triage Agent in Microsoft Defender. This AI-powered virtual agent is designed to scale security teams' response in triaging and classifying user-submitted phishing incidents, allowing organizations to improve their efficiency by reducing manual effort and streamlining their phishing response.
+
+The Phishing Triage Agent uses advanced large language model (LLM)-based analysis to understand the content of reported emails and autonomously determine whether a submission is a genuine phishing attempt or a false alarm. Unlike rule-based systems, it doesn't rely on predefined input or code to operate. Instead, it applies dynamic reasoning to analyze and act on incoming reports at scale.
+
+By removing false alarms from the queue, the agent significantly reduces the team's manual workload and allows them to focus on higher-priority tasks. With this automation, security teams can more efficiently process hundreds or thousands of phishing submissions, accelerating detection and response for incidents that require immediate attention.
+
+## Overview
+
+Security Copilot brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Security Copilot is embedded in the Microsoft Defender portal to help provide security teams with enhanced capabilities to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
+
+The Phishing Triage Agent is a [Security Copilot agent](/copilot/security/agents-overview) in Microsoft Defender designed to scale your security operations teams' processes in classifying and triaging user-submitted phishing incidents. Some of the agent’s highlights include:
+
+- It operates autonomously. The Phishing Triage Agent leverages advanced AI tools to perform sophisticated assessments and determine whether a phishing submission is a real threat or a false alarm, without requiring step-by-step human input or code.
+- It provides a transparent rationale for its classification verdicts in natural language, including the reasoning behind its decisions and the evidence it used to arrive at those conclusions. It also shows a visual representation of its reasoning process for every decision.
+- It continuously learns and improves its accuracy based on feedback provided by analysts. Over time, this feedback loop fine-tunes the agent’s behavior, aligning it more closely with organizational nuances and reducing the need for manual verification.
+
+## Prerequisites
+
+The following are organizational requirements to run Phishing Triage Agent in your environment:
+
+|Components|Details|
+|:---|:---|
+|Products|- An active subscription to Security Copilot and provisioned capacity in Security Compute Units (SCU) to power Security Copilot workload. See [Get started with Security Copilot](/copilot/security/get-started-security-copilot) for more information </br> - Microsoft Defender for Office 365 Plan 2 deployed|
+|Microsoft Defender required features|- Unified role-based access control (URBAC) must be enabled in your organization. See [Unified role-based access control (URBAC)](manage-rbac.md) for more information </br> - *Monitor reported messages in Outlook* is configured. See [User reported settings](/defender-office-365/submissions-user-reported-messages-custom-mailbox) for more information </br> - The alert policy **Email reported by user as malware or phish** must be turned on. See [Alert policies in the Microsoft Defender portal](alert-policies.md) for more information|
+|Security Copilot plugins required|The following [Microsoft plugins](/copilot/security/plugin-overview#microsoft-plugins) must be enabled in Security Copilot: </br> - Microsoft Defender XDR </br> - Microsoft Threat Intelligence </br> - Phishing Triage Agent|
+
+## Related content
+
+- [Microsoft Security Copilot agents](/copilot/security/agents-overview)
+- [Responsible AI FAQs for Security Copilot](/copilot/security/rai-faqs-security-copilot)

defender-xdr/security-copilot-agents-defender.md

@@ -0,0 +1,57 @@
+---
+title: Microsoft Security Copilot Agents in Microsoft Defender
+description: Learn about Security Copilot agents in Microsoft Defender that can help you perform your security tasks easily.
+ms.service: defender-xdr
+f1.keywords:
+- NOCSH
+ms.author: diannegali
+author: diannegali
+ms.localizationpriority: medium
+manager: deniseb
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier1
+- security-copilot
+- magic-ai-copilot 
+ms.topic: concept-article
+search.appverid:
+- MOE150
+- MET150
+ms.date: 04/28/2025
+appliesto:
+- Microsoft Defender XDR
+- Microsoft Sentinel in the Microsoft Defender portal
+#customer intent: As a security analyst, I want to know about the Security Copilot agents available in Microsoft Defender so that I can use them to perform my security tasks efficiently.
+---
+
+# Microsoft Security Copilot Agents in Microsoft Defender
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+Microsoft Security Copilot agents are available in Microsoft Defender to help you perform your security tasks efficiently. Security Copilot agents are AI-powered assistants that can help you with various tasks by working seamlessly with Microsoft security products.
+
+## Agents in Microsoft Defender
+
+### Phishing Triage Agent
+
+The [Phishing Triage Agent](phishing-triage-agent.md) helps security operations analysts to triage and classify user-submitted phishing incidents. The agent operates autonomously, provides a transparent rationale for its classification verdicts in natural language, and continuously learns and improves its accuracy based on feedback provided by analysts.
+
+#### Trigger
+
+The agent is triggered when a user in your organization submits a phishing incident. The agent autonomously analyzes the submitted email to classify them as either phishing or not phishing based on its training and the context of the organization.
+
+#### Products
+
+Tenants must have the following products enabled to use the agent:
+
+- An active subscription to Security Copilot and provisioned capacity in Security Compute Units (SCU) to power Security Copilot workload. See [Get started with Security Copilot](/copilot/security/get-started-security-copilot) for more information.
+- Microsoft Defender for Office 365 Plan 2 deployed
+
+#### Plugins
+
+The following plugins must be enabled in Security Copilot:
+
+- Microsoft Defender XDR
+- Microsoft Threat Intelligence
+- Phishing Triage Agent

defender-xdr/security-copilot-in-microsoft-365-defender.md

@@ -14,14 +14,16 @@ ms.collection:
 - tier1
 - security-copilot
 - magic-ai-copilot 
-ms.topic: conceptual
+ms.topic: concept-article
 search.appverid:
 - MOE150
 - MET150
-ms.date: 03/10/2025
+ms.date: 04/28/2025
 appliesto:
 - Microsoft Defender XDR
 - Microsoft Sentinel in the Microsoft Defender portal
+#customer intent: As an IT admin, I want to learn about Microsoft Security Copilot capabilities embedded in Microsoft Defender so that I can use them to perform my security tasks efficiently.
+#customer intent: As a security analyst, I want to learn about Microsoft Security Copilot capabilities embedded in Microsoft Defender so that I can use them to perform my security tasks efficiently.
 ---
 
 # Microsoft Copilot in Microsoft Defender
@@ -49,7 +51,7 @@ If you're new to Security Copilot, you should familiarize yourself with it by re
 
 [Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) brings together the power of AI and human expertise to help security teams respond to attacks faster and more effectively. Security Copilot is embedded in the Microsoft Defender portal to help provide security teams with enhanced capabilities to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence. Copilot in Defender is available to users who have provisioned access to Security Copilot.
 
-Furthermore, Security Copilot operates using [Microsoft's AI principles](https://www.microsoft.com/ai/responsible-ai). To know more, see the [Security Copilot Responsible AI FAQs](/copilot/security/rai-faqs-security-copilot).
+Security Copilot operates using [Microsoft's AI principles](https://www.microsoft.com/ai/responsible-ai). To know more, see the [Security Copilot Responsible AI FAQs](/copilot/security/rai-faqs-security-copilot).
 
 ## Key features