# Permissions

### Overview

This page describes the permissions and access model for this agent.\
The agent uses **read-only access** to security incident, alert, device, and identity risk data through **Security Copilot Plugins**.\
It is designed to assist with forensic and threat investigations in Microsoft Defender XDR by analyzing incidents, correlating context, and enriching results with external intelligence sources.

***

### How It Works

The agent connects securely to your Microsoft Defender XDR environment through Security Copilot Plugins to collect incident details, alerts, advanced hunting results, and related entity data.\
It then enriches these findings with external threat intelligence to generate a unified investigation view.

All interactions follow these principles:

* **Read-only access:** The agent does not modify, resolve, or delete incidents or alerts.
* **Least privilege:** Only the roles necessary to read incident and threat data are required.
* **Transparency:** All data access is auditable in Microsoft Entra and follows standard security and compliance controls.

***

### Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

| Role                | Description                                                                                     |
| ------------------- | ----------------------------------------------------------------------------------------------- |
| **Security Reader** | Provides read-only access to Defender XDR incidents, alerts, and investigation data.            |
| **Global Reader**   | Grants read-only access across Microsoft 365 services for correlation and cross-domain context. |

#### Optional Roles for Enhanced Analysis

| Role                       | Description                                                                                   |
| -------------------------- | --------------------------------------------------------------------------------------------- |
| **Security Administrator** | Allows execution of advanced hunting queries and deeper data correlation within Defender XDR. |

{% hint style="info" %}
Assigning **Security Administrator** enables advanced hunting capabilities but is not required for standard analysis.
{% endhint %}

***

### Data Access Transparency

The following table outlines what data the agent can access and for what purpose.

| Data Type                                   | Access Level | Purpose                                                                              |
| ------------------------------------------- | ------------ | ------------------------------------------------------------------------------------ |
| **Security incidents and alerts**           | Read-only    | To investigate and correlate alerts, identify root causes, and assess impact.        |
| **Advanced hunting data**                   | Read-only    | To perform pattern and behavior analysis across entities and telemetry.              |
| **Device and endpoint data**                | Read-only    | To link alerts to devices, processes, and network activity.                          |
| **Identity risk data**                      | Read-only    | To analyze user behavior and correlate incidents with potential identity compromise. |
| **External threat intelligence indicators** | Read-only    | To enrich alerts and entities with contextual risk information.                      |

**Data handling:**

* The agent does **not** modify or export customer data outside the tenant boundary.
* All access is limited to **Security Copilot Plugins** using delegated or application-level permissions.
* Access activity is logged in **Microsoft Entra audit logs** for compliance and traceability.

***

### Agent Usage

When running the agent, provide the required input to analyze incidents or generate investigation summaries.

| Input Type   | Description                       | Example                                            |
| ------------ | --------------------------------- | -------------------------------------------------- |
| **Required** | Incident ID                       | `"Analyze incident 12345"`                         |
| **Optional** | Additional parameters for context | `"Generate forensic report for incident ID 67890"` |
| **Optional** | Deep-dive or summary mode         | `"Deep dive into incident 45678"`                  |

Incident IDs can be found in the **Microsoft 365 Defender portal** under:\
**Incidents & alerts → Incidents.**

***

### External Threat Intelligence Services

The agent automatically enriches indicators using the following external services — no configuration or API keys are required:

| Service                           | Purpose                                                         |
| --------------------------------- | --------------------------------------------------------------- |
| **Shodan**                        | Port scanning, service detection, and vulnerability discovery.  |
| **SSL/TLS Analysis**              | Certificate metadata inspection and validation.                 |
| **WHOIS Services**                | Domain registration and ownership lookup.                       |
| **CIRCL**                         | Malware hash lookups and file reputation checks.                |
| **IP/Domain Reputation Services** | Scoring and contextual risk evaluation for external indicators. |

These services are queried automatically as part of each analysis to enhance detection context and improve investigative accuracy.

***

### Security and Compliance Considerations

* All communication through Security Copilot Plugins is encrypted using HTTPS and authenticated via Microsoft identity services.
* The agent adheres to Microsoft’s **zero trust** and **least privilege** principles.
* Access can be reviewed or revoked at any time through **Entra ID role assignments** or **application consent management**.

***

### Next Steps

* Verify that the administrator account has the required roles assigned.
* Ensure Defender XDR and related telemetry sources are active and contain recent incident data.
* Review the investigation results within Security Copilot for contextual recommendations.
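As an added example (not part of the agent or of this documentation), the following Microsoft Graph PowerShell check confirms that the account which installs and runs the agent holds the roles listed under Required Entra ID Roles and flags anything beyond that set. The UPN is a placeholder, and the Microsoft.Graph modules are assumed to be installed.

```powershell
# Added example: verify the agent's administrator account against the roles this page documents.
# Assumes the Microsoft.Graph PowerShell modules are installed and you can consent to the read scopes below.
param(
    # UPN of the administrator account that installs and runs the agent (placeholder value)
    [string]$UserPrincipalName = "agent-admin@contoso.example"
)

# Read-only scopes are enough to inspect users and role assignments
Connect-MgGraph -Scopes "User.Read.All", "RoleManagement.Read.Directory" -NoWelcome

$required = @("Security Reader", "Global Reader")
$optional = @("Security Administrator")   # only needed for advanced hunting

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

# Active directory role assignments for this principal (PIM-eligible roles are not included)
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All
$defs        = Get-MgRoleManagementDirectoryRoleDefinition -All

# Resolve each assignment's role definition id to its display name
$held = foreach ($a in $assignments) {
    ($defs | Where-Object Id -eq $a.RoleDefinitionId).DisplayName
}

foreach ($role in $required) {
    if ($held -contains $role) { Write-Host "[OK]      $role" }
    else { Write-Warning "[MISSING] $role is required by the agent" }
}

foreach ($role in $optional) {
    if ($held -contains $role) { Write-Host "[OK]      $role (optional, enables advanced hunting)" }
    else { Write-Host "[INFO]    $role not assigned; standard analysis still works" }
}

# Roles beyond the documented set exceed least privilege and deserve a review
$extra = $held | Where-Object { $_ -notin ($required + $optional) }
if ($extra) { Write-Warning "Roles beyond the documented set: $($extra -join ', ')" }
```

Only active assignments are returned, so a role granted through a PIM-eligible assignment is reported as missing until it is activated.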


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```http
GET https://agents.glueckkanja.com/agents/forensic-agent-core/permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
