Script analysis with Microsoft Copilot in Microsoft Defender
Applies to:
- Microsoft Defender XDR
- Microsoft Defender unified security operations center (SOC) platform
Through AI-powered investigation capabilities from Microsoft Copilot for Security in the Microsoft Defender portal, security teams can speed up their analysis of malicious or suspicious scripts and command lines.
Most complex and sophisticated attacks like ransomware evade detection through numerous ways, including the use of scripts and PowerShell command lines. Moreover, these scripts are often obfuscated, which adds to the complexity of detection and analysis. Security operations teams need to quickly analyze scripts to understand capabilities and apply appropriate mitigation, immediately stopping attacks from progressing further within a network.
The script analysis capability provides security teams added capacity to inspect scripts without using external tools. This capability also reduces complexity of analysis, minimizing challenges and allowing security teams to quickly assess and identify a script as malicious or benign. Script analysis is also available in the Copilot for Security standalone experience through the Microsoft Defender XDR plugin. Know more about preinstalled plugins in Copilot for Security.
This guide describes what the script analysis capability is and how it works, including how you can provide feedback on the results generated.
Analyze a script
You can access the script analysis capability within the attack story below the incident graph on an incident page and in the device timeline.
To begin analysis, perform the following steps:
Open an incident page then select an item on the left pane to open the attack story below the incident graph. Within the attack story, select an event with a script or command line that you want to analyze. Click Analyze to start the analysis.
Alternately, you can select an event to inspect in the device timeline view. On the file details pane, select Analyze to run the script analysis capability.
Copilot runs script analysis and displays the results in the Copilot pane. Select Show code to expand the script, or Hide code to close the expansion.
Select the More actions ellipsis (...) on the upper right of the script analysis card to copy or regenerate the results, or view the results in the Copilot for Security standalone experience. Selecting Open in Copilot for Security opens a new tab to the Copilot standalone portal where you can input prompts and access other plugins.
Review the results. You can provide feedback on the results by selecting the feedback icon
found at the end of the script analysis card.
See also
- Analyze files
- Generate device summary
- Respond to incidents using guided responses
- Generate KQL queries
- Create an incident report
- Get started with Microsoft Copilot for Security
- Learn about other Copilot for Security embedded experiences
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for