MicrosoftDocs
diff --git a/‎defender-xdr/copilot-in-defender-device-summary.md‎
Lines changed: 31 additions & 11 deletions b/‎defender-xdr/copilot-in-defender-device-summary.md‎
Lines changed: 31 additions & 11 deletions
diff --git a/‎defender-xdr/copilot-in-defender-file-analysis.md‎
Lines changed: 30 additions & 10 deletions b/‎defender-xdr/copilot-in-defender-file-analysis.md‎
Lines changed: 30 additions & 10 deletions
diff --git a/‎defender-xdr/investigate-users.md‎
Lines changed: 4 additions & 3 deletions b/‎defender-xdr/investigate-users.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎defender-xdr/security-copilot-defender-identity-summary.md‎
Lines changed: 31 additions & 9 deletions b/‎defender-xdr/security-copilot-defender-identity-summary.md‎
Lines changed: 31 additions & 9 deletions
@@ -18,7 +18,7 @@ ms.topic: conceptual
 search.appverid:
   - MOE150
   - MET150
-ms.date: 04/01/2024
+ms.date: 10/04/2024
 appliesto:
 - Microsoft Defender XDR
 - Microsoft Sentinel in the Microsoft Defender portal
@@ -30,13 +30,27 @@ appliesto:
 
 [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal helps security teams in speeding up device inspection through AI-powered investigation capabilities.
 
+## Know before you begin
+
+If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles:
+
+- [What is Copilot for Security?](/security-copilot/microsoft-security-copilot)
+- [Copilot for Security experiences](/security-copilot/experiences-security-copilot)
+- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot)
+- [Understand authentication in Copilot for Security](/security-copilot/authentication)
+- [Prompting in Copilot for Security](/security-copilot/prompting-security-copilot)
+
 Security operations teams are tasked to sift through device data to find suspicious activities or entities to prevent malicious attacks. These teams need to summarize large amounts of data and simplify complex information to quickly assess, triage, and connect a device's status and activities to potentially malicious attacks.
 
 The device summary capability of Copilot in Defender enables security teams to get a device's security posture, vulnerable software information, and any unusual behaviors. Security analysts can use a device's summary to speed up their investigation of incidents and alerts.
 
-The device summary capability is available in the Microsoft Defender portal through the [Copilot for Security license](/security-copilot/faq-security-copilot). This capability is also available in the Copilot for Security standalone portal through the Microsoft Defender XDR plugin.
+## Copilot for Security integration in Microsoft Defender
+
+The device summary capability is available in the Microsoft Defender portal for customers who have provisioned access to Copilot for Security. 
+
+This capability is also available in the Copilot for Security standalone portal through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins).
 
-## Summarize device information
+## Key features
 
 The device summary generated by Copilot contains noteworthy information about the device, including:
 
@@ -61,18 +75,24 @@ You can access the device summary capability through the following ways:
 
    :::image type="content" source="/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets-small.png" alt-text="Screenshot highlighting the device summary option in the assets tab of an incident page in Copilot in Defender." lightbox="/defender/media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets.png":::
 
-Review the results. You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the device summary card.
+Review the results of the device summary. You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the device summary card.
 
-You can provide feedback about the results by navigating to the bottom of the Copilot pane and selecting the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/copilot-defender-feedback.png).
+## Sample device summary prompt
+
+In the Copilot for Security standalone portal, you can use the following prompt to generate a device summary:
+
+- *Summarize device information in Defender incident {incident number.*
+
+> [!TIP]
+> When investigating devices in the Copilot for Security portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the device summary capability delivers the results.
+
+## Provide feedback
+
+Your feedback helps improve the quality of the results generated by Copilot. You can provide feedback about the results by navigating to the bottom of the Copilot pane and selecting the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/copilot-defender-feedback.png).
 
 ## See also
 
-- [Run script analysis](security-copilot-m365d-script-analysis.md)
-- [Analyze files](copilot-in-defender-file-analysis.md)
-- [Summarize an incident](security-copilot-m365d-incident-summary.md)
-- [Resolve incidents with guided responses](security-copilot-m365d-guided-response.md)
-- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot)
 - [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot)
-- [Know more about preinstalled plugins in Microsoft Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins)
+- [Privacy and data security in Copilot for Security](/copilot/security/privacy-data-security)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
@@ -18,7 +18,7 @@ ms.topic: conceptual
 search.appverid:
   - MOE150
   - MET150
-ms.date: 04/01/2024
+ms.date: 10/04/2024
 appliesto:
 - Microsoft Defender XDR
 - Microsoft Sentinel in the Microsoft Defender portal
@@ -30,13 +30,27 @@ appliesto:
 
 [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in the Microsoft Defender portal enables security teams to quickly identify malicious and suspicious files through AI-powered file analysis capabilities.
 
+## Know before you begin
+
+If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles:
+
+- [What is Copilot for Security?](/security-copilot/microsoft-security-copilot)
+- [Copilot for Security experiences](/security-copilot/experiences-security-copilot)
+- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot)
+- [Understand authentication in Copilot for Security](/security-copilot/authentication)
+- [Prompting in Copilot for Security](/security-copilot/prompting-security-copilot)
+
 Security operations teams tracking and resolving attacks need tools and techniques to quickly analyze potentially malicious files. Sophisticated attacks often use files that mimic legitimate or system files to avoid detection. In addition, new-to-the-field security analysts might require time and gain significant experience to use available analysis tools and techniques.
 
 The file analysis capability of Copilot in Defender reduces the barrier to learning file analysis by immediately delivering reliable and complete file investigation results. This capability empowers security analysts from all levels to complete their investigation with a shorter turnaround time. The report includes an overview of the file, details of the file's contents, and a summary of the file's assessment.
 
-The file analysis capability is available in Microsoft Defender through the [Copilot for Security license](/security-copilot/faq-security-copilot). Copilot for Security standalone portal users also have the file analysis capability and other Defender XDR capabilities through the Microsoft Defender XDR plugin.
+## Copilot for Security integration in Microsoft Defender
+
+The file analysis capability is available in Microsoft Defender for customers who have provisioned access to Copilot for Security. 
+
+Copilot for Security standalone portal users also have the file analysis capability and other Defender XDR capabilities through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins).
 
-## Analyze a file
+## Key features
 
 The file analysis results generated by Copilot usually contains the following information:
 
@@ -59,16 +73,22 @@ You can access the file analysis capability through the following ways:
 
 You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) on top of the file analysis card.
 
-Always review the results generated by Copilot in Defender. Select the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/copilot-defender-feedback.png) at the bottom of the Copilot pane to provide feedback.
+## Sample file analysis prompt
+
+In the Copilot for Security standalone portal, you can use the following prompt to generate a device summary:
+
+- *Tell me about the files in Defender incident {incident number). Which files are malicious?*
+
+> [!TIP]
+> When investigating files in the Copilot for Security portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the file analysis capability delivers the results.
+
+## Provide feedback
+
+Always review the results generated by Copilot in Defender. Your feedback helps improve the quality of the results generated by Copilot. Select the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/copilot-defender-feedback.png) at the bottom of the Copilot pane to provide feedback.
 
 ## See also
 
-- [Run script analysis](security-copilot-m365d-script-analysis.md)
-- [Summarize an incident](security-copilot-m365d-incident-summary.md)
-- [Generate device summary](copilot-in-defender-device-summary.md)
-- [Resolve incidents with guided responses](security-copilot-m365d-guided-response.md)
-- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot)
-- [Know more about preinstalled plugins in Microsoft Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins)
 - [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot)
+- [Privacy and data security in Copilot for Security](/copilot/security/privacy-data-security)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
@@ -141,13 +141,14 @@ The lateral movement path report, which can be viewed by date, is always availab
 
 ## Timeline
 
-The timeline displays user activities and alerts observed from a user's identity in the last 30 days. It unifies the user's identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint workloads. By using the timeline, you can focus on activities a user performed or were performed on them in specific timeframes.
+The timeline displays user activities and alerts observed from a user's identity in the last 180 days. It unifies the user's identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint workloads. By using the timeline, you can focus on activities a user performed or were performed on them in specific timeframes.
 
 For users of the unified SOC platform to see alerts from Microsoft Sentinel based on data sources other than the ones in the previous paragraph, they can find these alerts and other information in the **Sentinel events** tab, [described below](#sentinel-events).
 
-- **Custom time range picker:** You can choose a timeframe to focus your investigation on the last 24 hours, the last 3 days and so on. Or you can choose a specific timeframe by clicking on **Custom range**. For example:
+- **Custom time range picker:** You can choose a timeframe to focus your investigation on the last 24 hours, the last 3 days and so on. Or you can choose a specific timeframe by clicking on **Custom range**. Filtered data older than 30 days is displayed in seven-day intervals.  
+For example:
 
-  :::image type="content" source="/defender/media/image.png" alt-text="Screenshot that shows how to choose time frame." lightbox="/defender/media/image.png":::
+    :::image type="content" source="/defender/media/image.png" alt-text="Screenshot that shows how to choose time frame." lightbox="/defender/media/image.png":::
 
 - **Timeline filters:** In order to improve your investigation experience, you can use the timeline filters: Type (Alerts and/or user's related activities), Alert severity, Activity type, App, Location, Protocol. Each filter depends on the others, and the options in each filter (drop-down) only contains the data that is relevant for the specific user.
 
 
@@ -18,7 +18,7 @@ ms.topic: conceptual
 search.appverid:
   - MOE150
   - MET150
-ms.date: 09/23/2024
+ms.date: 10/14/2024
 appliesto:
 - Microsoft Defender XDR
 - Microsoft Sentinel in the Microsoft Defender portal
@@ -30,8 +30,28 @@ appliesto:
 
 Security operations teams investigating users can easily understand identity information with the identity summary capability in [Microsoft Copilot for Security](/security-copilot/microsoft-security-copilot) in Microsoft Defender. Through generative AI and harnessing the power of Microsoft Defender for Identity, Copilot creates contextual insights about an identity in an organization, helping analysts quickly understand important data to speed up their investigation.
 
+This guide describes what the identity summary capability is and how it works, including how you can provide feedback on the results generated.
+
+## Know before you begin
+
+If you're new to Copilot for Security, you should familiarize yourself with it by reading the following articles:
+
+- [What is Copilot for Security?](/security-copilot/microsoft-security-copilot)
+- [Copilot for Security experiences](/security-copilot/experiences-security-copilot)
+- [Get started with Copilot for Security](/security-copilot/get-started-security-copilot)
+- [Understand authentication in Copilot for Security](/security-copilot/authentication)
+- [Prompting in Copilot for Security](/security-copilot/prompting-security-copilot)
+
 With the identity summary capability, analysts can immediately identify suspicious or risky identity-related changes and actions that can negatively impact an organization. The summary also includes potential misconfigurations that affects an identity. Using natural language, Copilot delivers clear and actionable user information that analysts can use in their incident investigation activities. The capability currently focuses on users and will include service accounts in its next iteration.
 
+## Copilot for Security integration in Microsoft Defender
+
+The identity summary capability is available in the Microsoft Defender portal for customers who have provisioned access to Copilot for Security. 
+
+Users who access the Copilot for Security standalone portal can use this capability through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins).
+
+## Key features
+
 The identity summary contains essential information about an identity, including:
 
 - The date when a user account is created, and whether the user account is of high, medium, or low criticality
@@ -42,12 +62,6 @@ The identity summary contains essential information about an identity, including
 - Risks associated with a user based on Microsoft Entra ID
 - General information like a user’s professional title and contact information, department, and their manager’s contact information
 
-The identity summary capability is available in the Microsoft Defender portal for customers who have provisioned access to Copilot for Security. Users who access the Copilot for Security standalone portal can use this capability through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Copilot for Security](/security-copilot/manage-plugins#preinstalled-plugins).
-
-This guide describes what the script analysis capability is and how it works, including how you can provide feedback on the results generated.
-
-## Summarize identity information
-
 You can access the identity summary capability in the following ways:
 
 - From an incident page, choose an identity on the incident graph and then (1) select **User details**. In the user details pane, (2) select **Summarize**. The results are displayed in the Copilot side panel.
@@ -72,8 +86,16 @@ You can access the identity summary capability in the following ways:
 
 Review the identity summary results. You can copy the results to clipboard, regenerate the results, or open Security Copilot by selecting the More actions ellipsis (...) on top of the identity summary card. You can extend your investigation of identity using prompts and other plugins in the Copilot for Security portal.
 
+## Sample identity summary prompt
+
+In the Copilot for Security standalone portal, you can use the following prompt to generate an identity summary:
+
+- *Show the Defender summary of this user in the last {time frame}.*
+
 > [!TIP]
-> When investigating users in the Copilot for Security portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the identity summary capability delivers the results. For example, you can use the prompt *Show the Defender summary of this user in the last {time frame}* to generate the identity summary of a user account within the time frame indicated. You can specify up to 120 days on the time frame, with the default being 30 days when you don’t indicate one.
+> When investigating users in the Copilot for Security portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the identity summary capability delivers the results. You can specify up to 120 days on the investigation time frame, with the default being 30 days when you don’t indicate one.
+
+## Provide feedback
 
 Microsoft highly encourages you to provide feedback to Copilot, as it’s crucial for a capability’s continuous improvement. To provide feedback, navigate to the bottom of the Copilot side panel and select the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/create-report/copilot-defender-feedback.png).
 
@@ -83,7 +105,7 @@ Fill in the dedicated text box to share your thoughts, experiences, and requests
 
 ## See also
 
-- [Get started with Microsoft Copilot for Security](/security-copilot/get-started-security-copilot)
 - [Learn about other Copilot for Security embedded experiences](/security-copilot/experiences-security-copilot)
+- [Privacy and data security in Copilot for Security](/copilot/security/privacy-data-security)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]