Go to glueckkanja Website

Permissions

Overview

This page describes the permissions and access model for this agent. The agent uses read-only access to security incident, alert, device, and identity risk data through Security Copilot Plugins. It is designed to assist with forensic and threat investigations in Microsoft Defender XDR by analyzing incidents, correlating context, and enriching results with external intelligence sources.

How It Works

The agent connects securely to your Microsoft Defender XDR environment through Security Copilot Plugins to collect incident details, alerts, advanced hunting results, and related entity data. It then enriches these findings with external threat intelligence to generate a unified investigation view.

All interactions follow these principles:

  • Read-only access: The agent does not modify, resolve, or delete incidents or alerts.

  • Least privilege: Only the roles necessary to read incident and threat data are required.

  • Transparency: All data access is auditable in Microsoft Entra and follows standard security and compliance controls.

Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

Role
Description

Security Reader

Provides read-only access to Defender XDR incidents, alerts, and investigation data.

Global Reader

Grants read-only access across Microsoft 365 services for correlation and cross-domain context.

Optional Roles for Enhanced Analysis

Role
Description

Security Administrator

Allows execution of advanced hunting queries and deeper data correlation within Defender XDR.

Assigning Security Administrator enables advanced hunting capabilities but is not required for standard analysis.

Data Access Transparency

The following table outlines what data the agent can access and for what purpose.

Data Type
Access Level
Purpose

Security incidents and alerts

Read-only

To investigate and correlate alerts, identify root causes, and assess impact.

Advanced hunting data

Read-only

To perform pattern and behavior analysis across entities and telemetry.

Device and endpoint data

Read-only

To link alerts to devices, processes, and network activity.

Identity risk data

Read-only

To analyze user behavior and correlate incidents with potential identity compromise.

External threat intelligence indicators

Read-only

To enrich alerts and entities with contextual risk information.

Data handling:

  • The agent does not modify or export customer data outside the tenant boundary.

  • All access is limited to Security Copilot Plugins using delegated or application-level permissions.

  • Access activity is logged in Microsoft Entra audit logs for compliance and traceability.

Agent Usage

When running the agent, provide the required input to analyze incidents or generate investigation summaries.

Input Type
Description
Example

Required

Incident ID

"Analyze incident 12345"

Optional

Additional parameters for context

"Generate forensic report for incident ID 67890"

Optional

Deep-dive or summary mode

"Deep dive into incident 45678"

Incident IDs can be found in the Microsoft 365 Defender portal under: Incidents & alerts → Incidents.

External Threat Intelligence Services

The agent automatically enriches indicators using the following external services — no configuration or API keys are required:

Service
Purpose

Shodan

Port scanning, service detection, and vulnerability discovery.

SSL/TLS Analysis

Certificate metadata inspection and validation.

WHOIS Services

Domain registration and ownership lookup.

CIRCL

Malware hash lookups and file reputation checks.

IP/Domain Reputation Services

Scoring and contextual risk evaluation for external indicators.

These services are queried automatically as part of each analysis to enhance detection context and improve investigative accuracy.

Security and Compliance Considerations

  • All communication through Security Copilot Plugins is encrypted using HTTPS and authenticated via Microsoft identity services.

  • The agent adheres to Microsoft’s zero trust and least privilege principles.

  • Access can be reviewed or revoked at any time through Entra ID role assignments or application consent management.

Next Steps

  • Verify that the administrator account has the required roles assigned.

  • Ensure Defender XDR and related telemetry sources are active and contain recent incident data.

  • Review the investigation results within Security Copilot for contextual recommendations.

PreviousOverviewNextChangelog

Last updated

Was this helpful?