title Microsoft Security Copilot Dynamic Threat Detection Agent
description Investigate incidents and alerts using the Microsoft Security Copilot Dynamic Threat Detection Agent in the Microsoft Defender portal.
ms.service defender-xdr
f1.keywords
NOCSH
ms.author pauloliveria
author poliveria
ms.localizationpriority medium
manager orspodek
audience ITPro
ms.collection
m365-security
tier1
ms.topic article
search.appverid
MOE150
MET150
ms.date 12/22/2025
appliesto
Microsoft Defender XDR
Microsoft Sentinel in the Microsoft Defender portal

Microsoft Security Copilot Dynamic Threat Detection Agent (preview)

Important

Microsoft Security Copilot Dynamic Threat Detection Agent is currently in preview. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Microsoft Security Copilot in Microsoft Defender includes the Dynamic Threat Detection Agent, an always-on, adaptive backend service that uncovers hidden threats across Defender and Microsoft Sentinel environments. This article provides an overview of the agent, including steps to use it when investigating incidents and alerts.

Overview

Security teams often face the risk of false negatives—threats that go undetected by traditional, rule-based detection systems. The Dynamic Threat Detection Agent uses AI to identify gaps and uncover false negatives by correlating alerts, events, anomalies, and threat intelligence. When the agent identifies a gap, it generates a dynamic alert with the full context in the alert details, including natural language explanations, mapped MITRE ATT&CK techniques, and tailored remediation steps.

The Dynamic Threat Detection Agent is always on, operates seamlessly in the Defender backend, and requires no setup or onboarding. These features and capabilities empower organizations to detect and respond to threats with greater speed, accuracy, and confidence.

Key benefits

  • Find what traditional detection rules miss - The agent's adaptive AI-driven detection continuously investigates across Defender and Microsoft Sentinel signals to uncover false negatives and blind spots.
  • Reduce noise and increase confidence - The agent minimizes security operations center (SOC) noise and boosts analyst confidence through its customer-validated precision and the clear risk context and concrete next steps it provides in the alert details.
  • Always on and zero-touch - Because the agent runs in the Defender backend, it automatically generates alerts into your existing Defender workflows with no tuning or onboarding required.
  • Deep integration across the Microsoft security ecosystem - The agent works with Security Copilot, Defender, and Microsoft Sentinel, correlating native and third-party signals to surface missed behaviors and deliver richer context across your SOC workflows.

Get access

Users with access to Security Copilot can use the Dynamic Threat Detection Agent.

Start using the Dynamic Threat Detection Agent

Like the other tools and methods available in the Defender portal for investigation and response, the Dynamic Threat Detection Agent helps with triage, investigation, and resolution of incidents.

The Dynamic Threat Detection Agent runs automatically in the background. When it generates an alert, the alert shows up in your incidents and alerts queues with Security Copilot as the Detection source.

:::image type="content" source="/defender-xdr/media/dynamic-threat-detection-agent/threat-detection-agent-source.png" alt-text="Screenshot of an alert generated by the dynamic threat detection agent in the Defender portal." lightbox="/defender-xdr/media/dynamic-threat-detection-agent/threat-detection-agent-source.png":::

To view more details about the alert, select the alert title. The Dynamic Threat Detection Agent provides a summary and recommended actions on the alert page.

:::image type="content" source="/defender-xdr/media/dynamic-threat-detection-agent/threat-detection-agent-details.png" alt-text="Screenshot of the alert details generated by the dynamic threat detection agent." lightbox="/defender-xdr/media/dynamic-threat-detection-agent/threat-detection-agent-details.png":::

Important

  • The Dynamic Threat Detection Agent is free to use during public preview. It starts to consume Security Compute Units (SCUs) when it becomes generally available.
  • The summary and recommended actions are AI-generated, so review and verify them for accuracy.

Next steps

As needed for in-process incidents, continue your investigation.