Defending against today's increasingly sophisticated cyberattacks requires security analysts to continuously translate evolving attacker tradecraft into detection logic. This places defenders in a reactive posture, requiring constantly updated expertise across an increasingly fragmented security landscape. We introduce the Dynamic Threat Detection Agent (DTDA), an always-on adaptive agent that continuously investigates security incidents across Microsoft Defender to uncover hidden threats and generate explainable detections when attack-story gaps are found. DTDA combines: (1) a unified activity timeline spanning alerts, events, user and entity behavior analytics, and threat intelligence; (2) versioned LLM prompt contracts with schema validation, grounding requirements, bounded retries, and fail-closed suppression; (3) a planner-executor investigation loop that generates attack-specific hypotheses and gathers supporting and refuting evidence; and (4) dynamic alert generation with a context-relevant title, severity, MITRE mappings, remediation guidance, implicated entities, and natural-language attack description. Integrated into Microsoft Security Copilot and deployed across tens of thousands of Defender customers, DTDA operates continuously at industry scale. In a 120-day online evaluation, DTDA achieves 80.1% precision from customer feedback while generating novel alerts for approximately 15% of investigated incidents. In offline evaluation, DTDA recovers hidden malicious activity with 0.78 F1 using GPT-5.4, improving over GPT-4.1 by 0.12 F1 and outperforming the baseline by 0.26 F1 points. Operationally, DTDA processes single-incident investigations end-to-end in a median of 28 minutes at a median token cost of USD 2.04, with a 0.38% job-level failure rate. These results demonstrate that autonomous agents can identify missed malicious activity at a production scale.

翻译：为应对日益复杂的网络攻击，安全分析师需持续将不断演变的攻击战术转化为检测逻辑。这使得防御者始终处于被动响应状态，需在日益碎片化的安全环境中不断更新专业知识。我们提出动态威胁检测代理（DTDA）——一种始终在线的自适应代理，可持续调查Microsoft Defender中的安全事件，在发现攻击故事断链时揭示隐藏威胁并生成可解释的检测结果。DTDA融合以下核心技术：(1) 统一活动时间线，涵盖告警、事件、用户与实体行为分析及威胁情报；(2) 带版本控制的LLM提示合约，包含模式验证、锚定要求、有限重试及故障封闭抑制机制；(3) 规划器-执行器调查循环，可生成攻击特定假设并收集支持/反驳证据；(4) 动态告警生成，提供上下文相关的标题、严重等级、MITRE映射、修复指导、关联实体及自然语言攻击描述。该代理已集成至Microsoft Security Copilot并部署于数万Defender客户环境中，以行业规模持续运行。在120天在线评估中，DTDA基于客户反馈实现80.1%精确率，为约15%被调查事件生成新型告警。离线评估显示，使用GPT-5.4的DTDA在恢复隐藏恶意活动时F1值达0.78，较GPT-4.1提升0.12个F1点，超出基线0.26个F1点。运营层面，DTDA处理单事件调查的中位完成时间为28分钟，中位令牌成本为2.04美元，作业级故障率仅0.38%。这些结果表明自主代理可在生产规模下有效识别被遗漏的恶意活动。