
Threat Hunting Agent (Microsoft Defender)

Implementation Effort: Medium – This requires IT and Security Operations teams to configure access and incorporate the Threat Hunting Agent into existing Defender XDR hunting workflows, which is a project rather than a long‑term operational program.
User Impact: Low – Only administrators and security analysts interact with this capability; standard users do not need to take action.

Overview

The Microsoft Security Copilot Threat Hunting Agent extends advanced hunting in Defender XDR: analysts describe what they are looking for in natural language, and the agent generates the corresponding hunting queries, interprets the results, and guides the analyst through the hunting session end to end. This raises analyst efficiency by surfacing insights that would otherwise require hand-built queries. Without it, hunts depend on analysts constructing complex advanced hunting queries manually, which slows detection, produces uneven query quality, and increases the chance that attacker activity is missed.
This capability supports the Assume Breach principle by improving visibility, accelerating threat detection, and helping analysts quickly investigate suspicious activity.
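To make concrete what "manually constructing a complex query" means in this context, the following is a hand-written advanced hunting query of the kind an analyst would otherwise have to build without the agent. It is an added illustration, not output from the Threat Hunting Agent and not part of the original page. It assumes the standard Defender XDR advanced hunting schema (the DeviceProcessEvents and DeviceNetworkEvents tables and their documented columns); the time window, process-name list and command-line keywords are illustrative choices:

```kusto
// Added example (not agent output): answer the natural-language question
// "Which devices ran encoded PowerShell that then made an outbound
// connection to a public address within ten minutes, in the last 7 days?"
let lookback = 7d;            // assumed hunting window
let followup = 10m;           // assumed max gap between launch and connection
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// has_any is term-based and case-insensitive; "-enc" also matches the longer
// "-EncodedCommand" switch. Tune the list for your environment.
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "-ec")
| project ProcTimestamp = Timestamp, DeviceId, DeviceName, AccountName,
          ProcessId, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIPType == "Public"
    | project NetTimestamp = Timestamp, DeviceId, InitiatingProcessId,
              RemoteIP, RemotePort, RemoteUrl
  ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
// Process IDs are reused over time, so bound the join to a short window
// after the process launch to avoid pairing unrelated events.
| where NetTimestamp between (ProcTimestamp .. (ProcTimestamp + followup))
| summarize Connections = count(),
            RemoteIPs = make_set(RemoteIP, 20),
            FirstSeen = min(ProcTimestamp)
    by DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Connections desc
```

The query joins process and network telemetry on device and process ID, constrains the pairing to a short window because process IDs are recycled, and aggregates per device and command line so one noisy host does not flood the result set. Each of those steps is the sort of detail an analyst must get right by hand, and is where query quality diverges between analysts when no assistant is in the loop.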

Where to configure/use it in the product

You can access the Threat Hunting Agent in the Microsoft Defender portal:
Microsoft Defender portal → Advanced hunting → Security Copilot Threat Hunting Agent

Reference