Merge pull request #50418 from MicrosoftDocs/NEW-CEPEREZB-security-copilot-describe-agents

New ceperezb security copilot describe agents

Author: v-ccolin

learn-pr/wwl-sci/security-copilot-describe-agents/1-introduction.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.security-copilot-describe-agents.introduction
+title: Introduction
+metadata:
+  title: Introduction
+  description: Describe Microsoft Security Copilot agents.
+  author: wwlpublish
+  ms.author: ceperezb
+  ms.date: 05/08/2025
+  ms.topic: unit
+  ms.collection:
+    - wwl-ai-copilot
+durationInMinutes: 1
+content: |
+  [!include[](includes/1-introduction.md)]

learn-pr/wwl-sci/security-copilot-describe-agents/2-describe-agents.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.security-copilot-describe-agents.describe-agents
+title: Describe Microsoft Security Copilot agents
+metadata:
+  title: Describe Microsoft Security Copilot agents
+  description: Describe Microsoft Security Copilot agents.
+  author: wwlpublish
+  ms.author: ceperezb
+  ms.date: 05/08/2025
+  ms.topic: unit
+  ms.collection:
+    - wwl-ai-copilot
+durationInMinutes: 1
+content: |
+  [!include[](includes/2-describe-agents.md)]

learn-pr/wwl-sci/security-copilot-describe-agents/3-describe-threat-intelligence-briefing-agent.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.security-copilot-describe-agents.describe-threat-intelligence-briefing-agent
+title: Describe the Threat Intelligence Briefing Agent
+metadata:
+  title: Describe the Threat Intelligence Briefing Agent
+  description: Describe the Threat Intelligence Briefing Agent.
+  author: wwlpublish
+  ms.author: ceperezb
+  ms.date: 05/08/2025
+  ms.topic: unit
+  ms.collection:
+    - wwl-ai-copilot
+durationInMinutes: 4
+content: |
+  [!include[](includes/3-describe-threat-intelligence-briefing-agent.md)]

learn-pr/wwl-sci/security-copilot-describe-agents/4-describe-conditional-access-optimization-agent.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.security-copilot-describe-agents.describe-conditional-access-optimization-agent
+title: Describe the Conditional Access Optimization Agent
+metadata:
+  title: Describe the Conditional Access Optimization Agent
+  description: Describe the Conditional Access Optimization Agent.
+  author: wwlpublish
+  ms.author: ceperezb
+  ms.date: 05/08/2025
+  ms.topic: unit
+  ms.collection:
+    - wwl-ai-copilot
+durationInMinutes: 6
+content: |
+  [!include[](includes/4-describe-conditional-access-optimization-agent.md)]

learn-pr/wwl-sci/security-copilot-describe-agents/5-describe-phishing-triage-agent.yml

@@ -0,0 +1,18 @@
+### YamlMime:ModuleUnit
+uid: learn.security-copilot-describe-agents.describe-phishing-triage-agent
+title: Describe the Phishing Triage Agent
+metadata:
+  title: Describe the Phishing Triage Agent
+  description: Describe the Phishing Triage Agent.
+  author: wwlpublish
+  ms.author: ceperezb
+  ms.date: 05/08/2025
+  ms.topic: unit
+  ms.collection:
+    - wwl-ai-copilot
+durationInMinutes: 4
+content: |
+  [!include[](includes/5-describe-phishing-triage-agent.md)]
+
+
+

learn-pr/wwl-sci/security-copilot-describe-agents/6-module-assessment.yml

@@ -0,0 +1,82 @@
+### YamlMime:ModuleUnit
+uid: learn.security-copilot-describe-agents.module-assessment
+title: Module assessment
+metadata:
+  title: Module assessment
+  description: Describe Microsoft Security Copilot agents.
+  author: wwlpublish
+  ms.author: ceperezb
+  ms.date: 05/08/2025
+  ms.topic: unit
+  ms.collection:
+    - wwl-ai-copilot
+  ai_generated_module_assessment: false
+durationInMinutes: 2
+
+content: |
+  [!include[](includes/6-module-assessment.md)]
+
+quiz:
+  title: Check your knowledge
+  questions:
+
+  - content: What is the primary purpose of agents in Microsoft Security Copilot?
+    choices:
+      - content: To replace Microsoft Defender and Microsoft Entra.
+        isCorrect: false
+        explanation: "Incorrect. Agents integrate with Microsoft Defender and Microsoft Entra to enhance their functionality, not replace them."
+      - content: To automate and optimize security operations.
+        isCorrect: true
+        explanation: "Correct. Agents are specialized tools designed to streamline security workflows by automating tasks and providing insights."
+      - content: To manage organizational permissions for all users.
+        isCorrect: false
+        explanation: "Incorrect. While permissions are important for agent functionality, managing organizational permissions is not their primary purpose."
+
+  - content: Which of the following describes how plugins extend the capabilities of agents in Microsoft Security Copilot?
+    choices:
+      - content: Plugins replace agents to perform specialized tasks.
+        isCorrect: false
+        explanation: "Incorrect. Plugins do not replace agents; they complement them by extending their capabilities."
+      - content: Plugins are used exclusively for managing permissions within the environment.
+        isCorrect: false
+        explanation: "Incorrect. While permissions are important, plugins are primarily used to expand agent functionality rather than manage permissions."
+      - content: Plugins allow agents to connect with external systems and analyze additional data sources.
+        isCorrect: true
+        explanation: "Correct. Plugins enhance agent functionality by enabling integration with external services and expanding their analytical capabilities."
+
+  - content: Which component of a Security Copilot agent determines when an action should be initiated?
+    choices:
+      - content: Plugins
+        isCorrect: false
+        explanation: "Incorrect. Plugins extend the agent's capabilities but do not determine when actions are initiated."
+      - content: Triggers
+        isCorrect: true
+        explanation: "Correct. Triggers are events or conditions that initiate an agent's actions, such as a scheduled interval or manual activation."
+      - content: Permissions
+        isCorrect: false
+        explanation: "Incorrect. Permissions define what the agent is authorized to access or perform, not when actions are initiated."
+
+  - content: A security engineer wants to classify and triage user-reported phishing emails. Which Microsoft Defender agent should they use?
+    choices:
+      - content: Microsoft Defender XDR
+        isCorrect: false
+        explanation: "Incorrect. Microsoft Defender XDR is a broader tool for extended detection and response, not specifically for phishing email triage."
+      - content: Threat Intelligence Briefing Agent
+        isCorrect: false
+        explanation: "Incorrect. The Threat Intelligence Briefing Agent focuses on gathering and analyzing threat intelligence, not phishing email classification."
+      - content: Phishing Triage Agent
+        isCorrect: true
+        explanation: "Correct. The Phishing Triage Agent is specifically designed to classify and triage user-reported phishing incidents, helping reduce false positives and prioritize threats."
+
+  - content: What is the primary function of the intelligence briefing agent in Microsoft Security Copilot?
+    choices:
+      - content: To monitor network traffic for suspicious activity.
+        isCorrect: false
+        explanation: "Incorrect. While monitoring network traffic is a security task, it is not the specific role of the intelligence briefing agent."
+      - content: To automate threat intelligence gathering and reporting.
+        isCorrect: true
+        explanation: "Correct. The intelligence briefing agent automates the process of collecting, analyzing, and correlating threat data to streamline threat intelligence reporting."
+      - content: To manage user permissions within Microsoft Defender.
+        isCorrect: false
+        explanation: "Incorrect. Managing user permissions is not the primary function of the intelligence briefing agent; its focus is on threat intelligence gathering and reporting."
+

learn-pr/wwl-sci/security-copilot-describe-agents/7-summary.yml

@@ -0,0 +1,18 @@
+### YamlMime:ModuleUnit
+uid: learn.security-copilot-describe-agents.summary
+title: Summary and resources
+metadata:
+  title: Summary and resources
+  description: Summary and resources for the module titled, Describe Microsoft Security Copilot agents.
+  author: wwlpublish
+  ms.author: ceperezb
+  ms.date: 05/08/2025
+  ms.topic: unit
+  ms.collection:
+    - wwl-ai-copilot
+durationInMinutes: 1
+content: |
+  [!include[](includes/7-summary.md)]
+
+
+

learn-pr/wwl-sci/security-copilot-describe-agents/includes/1-introduction.md

@@ -0,0 +1,15 @@
+Microsoft Security Copilot is a cutting-edge AI-driven platform designed to enhance security workflows by automating tasks and providing actionable insights, making it an essential tool for security engineers.
+
+Imagine you're a security engineer at a mid-sized financial institution. Your team is overwhelmed with the sheer volume of security alerts, phishing attempts, and identity access requests that need to be analyzed daily. Recently, a phishing attack slipped through the cracks, leading to a data breach that could have been prevented with better tools and processes. You’re tasked with finding a solution that not only streamlines your team’s workload but also improves the accuracy and speed of threat detection and response. This is where Microsoft Security Copilot comes in. By using specialized agents like the Phishing Triage Agent and Conditional Access Optimization Agent, you can automate repetitive tasks, generate detailed threat intelligence reports, and optimize access policies—all while integrating seamlessly with tools like Microsoft Defender and Microsoft Entra. These capabilities allow your team to focus on high-priority issues, reduce false positives, and strengthen your organization’s overall security posture.
+
+In this module, you get an introduction to some of the Microsoft Security Copilot agents, including the Threat Intelligence briefing agent, the Conditional Access Optimization agent, and the Phishing Triage agent.
+
+> [!NOTE]
+>This module is intended to give you a flavor of just a few of the Microsoft agents available in Security Coplot, through both the standalone and embedded experience. Agents that are available through the embedded Copilot experience, are described in training that relates to the specific security solution in which it's embedded. For example, agents that are embedded in Microsoft Purview solutions are described in the training that relates to that Microsoft Purview solution. 
+
+After completing this module, you’ll be able to:
+
+- Describe the role and functionality of Microsoft Security Copilot agents in automating security workflows.
+- Describe the Threat Intelligence Briefing Agent.
+- Describe the Conditional Access Optimization Agent.
+- Describe the Phishing Triage agent.

learn-pr/wwl-sci/security-copilot-describe-agents/includes/2-describe-agents.md

@@ -0,0 +1,54 @@
+Microsoft Security Copilot provides a range of agents designed to enhance security workflows and streamline operations. These agents assist security engineers by automating tasks, providing insights, and integrating with other Microsoft security tools.
+
+### Define agents in Microsoft Security Copilot
+
+Agents in Microsoft Security Copilot help automate repetitive tasks, reduce manual workloads, and optimize security operations. Agents consist of predefined workflows and capabilities tailored to address particular security challenges. They're designed to perform specific tasks, such as analyzing threats, triaging phishing incidents, or optimizing conditional access policies.
+
+Agents utilize security compute units (SCUs) to operate just like other features in Security Copilot. They integrate seamlessly with Microsoft Security solutions and the broader supported partner ecosystem and fit naturally into existing workflows. Agents learn based on feedback and keep you in control on the actions it takes.
+
+### Agent terminology in Microsoft Security Copilot
+
+To effectively use Security Copilot agents, it's essential to understand the terminology used when working with agents.
+
+| Term         | Description |
+|--------------|-------------|
+| **Trigger**  | An event or condition that tells an agentic system to initiate an action or series of actions. |
+| **Permissions** | The level of authorization an AI agent is given by an admin during configuration that enables it to access specific information or carry out its tasks. |
+| **Identity** | The credentials that the agent uses when it runs. |
+| **Plugins**  | A component that extends what an agent can do by giving it access to capabilities in Microsoft and non-Microsoft services and public websites through APIs. While some plugins may be required to run an agent, some agents may employ optional plugins that can enhance its functionality by providing access to more data sources or tools.|
+| **Role-based access control (RBAC)** | Determines who can view and manage the outputs generated by agents in Microsoft Security Copilot, and ensures that sensitive information is accessible only to authorized users. |
+
+### Agents in Microsoft Security Copilot
+
+You can discover Microsoft Security Copilot agents through the standalone and embedded experiences. Copilot agents are also available from partners.
+
+To access the full list of available agents, select Agents from the home menu. Copilot displays the list of available Microsoft and partner agents.
+
+:::image type="content" source="../media/agents-copilot-v2.png" lightbox="../media/agents-copilot-v2.png"  alt-text="Screen capture of the Agents page in Microsoft Security Copilot. The page displays tiles for all available agents from Microsoft and partners.":::
+
+### Microsoft Agents
+
+Security Copilot includes agents that are seamlessly integrated with Microsoft security solutions. Microsoft agents include:
+
+- **Threat Intelligence Briefing Agent**: Curates relevant threat intelligence based on an organization's attributes and exposure.
+- **Conditional Access Optimization Agent**: Embedded in Microsoft Entra, the  Conditional Access optimization agent ensures all users are protected by policy. It recommends policies and changes based on best practices aligned with Zero Trust and Microsoft's learnings. In preview, the agent evaluates policies requiring multifactor authentication (MFA), enforces device based controls (device compliance, app protection policies, and Domain Joined Devices), and blocks legacy authentication and device code flow.
+- **Phishing Triage Agent**: Embedded in Microsoft Defender, the Phishing Triage Agent helps security operations analysts to triage and classify user-submitted phishing incidents. The agent operates autonomously, provides a transparent rationale for its classification verdicts in natural language, and continuously learns and improves its accuracy based on feedback provided by analysts.
+
+This list is not all-inclusive.
+
+### Partner agents
+
+Security Copilot offers integration with Partner agents. Integrating partner agents provides you with the flexibility to use tools you're already familiar with. These agents offer unique capabilities, from privacy breach response to network supervision and alert triage, ensuring you can address diverse security challenges effectively.
+
+Partner agents available in Security Copilot include:
+
+- Network Supervisor Agent by Aviatrix
+Performs root cause analysis and summarizes issues related to VPN, gateway, or Site2Cloud connection outages and failures.
+- SecOps Tooling Agent by BlueVoyant
+Assesses a security operations center (SOC) and state of controls to make recommendations that help optimize security operations and improve controls, efficacy, and compliance.
+- Task Optimizer Agent by Fletch
+Helps organizations forecast and prioritize the most critical threat alerts to reduce alert fatigue and improve security.
+- Privacy Breach Response Agent by OneTrust
+Analyzes data breaches to generate guidance for the privacy team on how to meet regulatory requirements.
+
+This list is not all-inclusive.