Automate the triage of potential data and user risks to prioritize alerts posing the greatest risk to your organization
In today's digital landscape, securing data has become a critical concern across all industries. Organizations face an average of 66 alerts per day, up from 52 in 2023, with teams able to review only 63% of these alerts. Given the sheer volume of data security alerts, it is no surprise that most organizations struggle to keep up[1]. The challenge of addressing the most important risks, combined with a staggering shortage of 4 million security professionals[2], has made it increasingly difficult for organizations to stay ahead of potential dangers such as data breaches and unauthorized access to sensitive information. This can overwhelm data security teams and allow potentially serious data risks to slip through the cracks.
To help customers increase the efficacy of their data security programs, address key alerts, and focus on the most critical data risks, we’re thrilled to announce Alert Triage Agents in Microsoft Purview Data Loss Prevention (DLP) and Insider Risk Management (IRM).
These autonomous Security Copilot capabilities integrated into Microsoft Purview offer an agent-managed alert queue that identifies the DLP and IRM alerts that pose the greatest risk to your organization and should be prioritized first. Alert Triage Agents analyze the content and potential intent involved in an alert, based on the organization’s chosen parameters and risk tolerance. Additionally, they provide a comprehensive explanation for the logic behind that categorization.
(Figure 1: Alert Triage Agent in DLP queue)
Today, most teams still rely on manual triage, static rule-based filtering, and siloed security tools[3], which are often ineffective, create blind spots, and can slow down risk mitigation. These new agents empower data security teams to focus on the most important alerts and concentrate on the critical threats, with a dynamic process that takes inputs from data security admins and can also calibrate triage results to better match the organization’s priorities.
(Figure 2: Alert Triage Agent in IRM queue, with prioritization rationale window option)
Alert Triage Agents in DLP and IRM will leverage the power of Generative AI to provide organizations with the following core benefits:
- Enhanced alert management: Significantly improve alert prioritization, ensuring that critical risks are addressed first. This leads to faster response times, as teams can focus on the most pressing issues without being distracted by less urgent alerts. Evaluating sometimes complex DLP and IRM alerts can be time-consuming, and speeding up the triage process lets teams spend more time on the most critical cases.
- Increased team efficiency: Increase the efficacy of your team, regardless of experience level, by triaging alerts and surfacing relevant information about the top risks. The agents complement your team’s skills and let it handle more incidents efficiently, since the most crucial alerts are already identified, improving key metrics such as overall response time and the percentage of alerts addressed.
- Dynamic responses: The agent will learn from the data security team’s feedback, which can be given as parameters in natural language, and fine-tune its logic accordingly. This feedback loop will autonomously adjust how the agents categorize alerts.
(Figure 3: Feedback loop for fine-tuning alert prioritization)
A data security admin will be able to select the relevant policies that the agent will evaluate and set the restrictions for the categorization. For example, the admin can select the IRM policies ‘Data Leaks’ and ‘Data Theft’, then ask the agent to ‘prioritize alerts including intellectual property related to Project Obsidian’. The agent then identifies alerts as ‘Needs attention’ or ‘Less urgent’ and provides the rationale behind the logic applied. Additionally, the admin can tailor the agent's responses by changing the alert categorization as needed and offering feedback on the changes in natural language, to which the agent will adapt in a few hours. For example, an admin can move an alert from the ‘Needs attention’ to the ‘Less urgent’ category, and teach the agent to better evaluate alerts by naming properties the agent should focus less on, such as sensitivity labels, or by indicating that an action is a regular business activity for that group.
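The workflow above (scope the agent to selected policies, give it a prioritization prompt, get back a ‘Needs attention’ / ‘Less urgent’ verdict with a rationale, then recalibrate it with feedback) can be sketched as a small rule-based queue. The following is an added illustration, not Microsoft’s code: the alert fields, the scoring weights, the threshold and the structured form of the feedback are all assumptions, and the real agent reasons over alert content with Security Copilot rather than with fixed rules. The sample alerts are constructed.

```python
from dataclasses import dataclass, field

# Constructed example (not product code): a rule-based sketch of the triage
# queue workflow from the post. Fields, weights and the feedback representation
# are assumptions chosen for illustration.


@dataclass(frozen=True)
class Alert:
    alert_id: str
    policy: str       # IRM policy that fired, e.g. "Data Leaks" (name from the post)
    group: str        # business group of the user involved
    labels: tuple     # sensitivity labels on the content
    terms: tuple      # notable terms detected in the content
    action: str       # the observed activity


@dataclass
class TriageConfig:
    policies: set                                          # policies the admin put in scope
    priority_terms: set                                    # terms from the admin's prompt
    ignored_properties: set = field(default_factory=set)   # feedback: "focus less on X"
    routine_actions: dict = field(default_factory=dict)    # feedback: group -> {actions}
    threshold: int = 3                                     # assumed cut-off for 'Needs attention'


def score_alert(alert, cfg):
    """Return (score, rationale lines); score is None when the alert is out of scope."""
    if alert.policy not in cfg.policies:
        return None, [f"policy '{alert.policy}' is not selected for triage"]
    score, why = 0, []
    hits = cfg.priority_terms & {t.lower() for t in alert.terms}
    if hits:
        score += 3
        why.append(f"content matches priority terms {sorted(hits)}")
    if "labels" not in cfg.ignored_properties and alert.labels:
        score += 1
        why.append(f"content carries sensitivity labels {list(alert.labels)}")
    if alert.action in cfg.routine_actions.get(alert.group, set()):
        score -= 2
        why.append(f"'{alert.action}' is routine business activity for {alert.group}")
    return score, why


def triage(alerts, cfg):
    """Map each in-scope alert id to (category, rationale), using the post's two categories."""
    results = {}
    for alert in alerts:
        score, why = score_alert(alert, cfg)
        if score is None:
            continue  # not in the agent-managed queue at all
        category = "Needs attention" if score >= cfg.threshold else "Less urgent"
        results[alert.alert_id] = (category, why)
    return results


def apply_feedback(cfg, ignore_property=None, routine=None):
    """Admin feedback, modelled here as structured values instead of natural language."""
    if ignore_property:
        cfg.ignored_properties.add(ignore_property)
    if routine:
        group, action = routine
        cfg.routine_actions.setdefault(group, set()).add(action)
    return cfg


# Constructed sample alerts (hypothetical ids, groups and activities).
SAMPLE_ALERTS = (
    Alert("A1", "Data Theft", "Engineering", ("Confidential",),
          ("Project Obsidian", "roadmap"), "copy to USB"),
    Alert("A2", "Data Leaks", "Finance", ("Confidential",),
          ("quarterly report",), "upload to sharepoint"),
    Alert("A3", "Security Violations", "Finance", (), ("password",), "email to self"),
    Alert("A4", "Data Leaks", "Finance", ("Highly Confidential",),
          ("Project Obsidian",), "upload to sharepoint"),
)


def demo():
    """Triage once, apply the two kinds of feedback named in the post, triage again."""
    cfg = TriageConfig(policies={"Data Leaks", "Data Theft"},
                       priority_terms={"project obsidian"})
    before = triage(SAMPLE_ALERTS, cfg)
    apply_feedback(cfg, ignore_property="labels",
                   routine=("Finance", "upload to sharepoint"))
    after = triage(SAMPLE_ALERTS, cfg)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before feedback", "after feedback"), demo()):
        print(label)
        for alert_id, (category, why) in result.items():
            print(f"  {alert_id}: {category} ({'; '.join(why)})")
```

Two things carry over from the post even in this toy form: alerts from policies the admin did not select never enter the queue, and every verdict is accompanied by the reasons that produced it, so a reviewer can see why an alert moved after feedback (here, A4 drops to ‘Less urgent’ once labels are de-emphasised and the Finance upload is marked routine, while A1 stays at ‘Needs attention’ on the strength of the priority-term match alone).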
Alert Triage Agents are seamlessly integrated within Purview, allowing customers to easily improve the efficiency of their current trusted workflows. These agents empower data security admins by leveraging the power of Security Copilot, a trusted and reliable platform that adheres to global compliance and privacy standards, and that dynamically learns and adapts to emerging threats with a proven track record[4].
Alert Triage Agents in Purview public preview starts rolling out on April 27. To get started, visit the Security Copilot product page for more information. Already using Security Copilot? Make sure you’re signed up for the Security Copilot Customer Connection Program (CCP) to receive the latest updates and try the new features — join today at aka.ms/JoinCCP.
Strengthening data security, compliance and governance with Generative AI
In addition to Alert Triage Agents, we are announcing the general availability of several Security Copilot embedded capabilities within Microsoft Purview that help customers accelerate and scale investigations and upskill their teams.
Most organizations struggle with understanding the impact of DLP alerts on data and users and assessing the overall efficacy of their DLP policies. Enhanced hunting prompts allow teams to go deeper into alert summaries, providing a detailed exploration of the data and users involved in an incident. Security Copilot also guides admins through activity explorer insights, offering a bird’s-eye view of the top activities detected over the past week, and admins can use natural language to apply the correct investigation filters to pinpoint specific activities or data. Moreover, the DLP policy insights skill summarizes the intent, scope, and impact of all or selected DLP policies to give a consolidated view of your DLP policies’ coverage. This skill provides insights such as the DLP policies deployed for each workload, the sensitive information types they aim to detect, and the number of rule matches associated with those policies. With this information, security admins can swiftly identify and address any protection gaps in their DLP program.
(Figure 3: DLP policy insights)
Data security, compliance, and governance teams can also leverage the Knowledge Base Hub in Microsoft Purview to guide their work across Microsoft Purview. This skill provides instant answers to questions about the Purview platform using public Microsoft documentation, offering direct answers that reduce the need for multiple tabs and searches. Accessible through the Purview portal, Knowledge Base Copilot addresses queries related to all Purview solutions.
Stay tuned for more information about the innovative integration of Security Copilot and Microsoft Purview and leverage the power of generative AI to take your organization’s data security to the next level.
Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9.
Get started
- Learn more about Copilot for Security in Purview with Microsoft Documentation.
- If you are a security partner interested in using Microsoft Security Copilot with your solutions, sign up to join the Security Copilot Partner Ecosystem.
- Stay up to date on Microsoft Purview features through the Microsoft 365 Roadmap for Microsoft Purview.
- Learn more about these solutions in the Microsoft Purview compliance portal. Visit your Microsoft Purview compliance portal to activate your free trial and begin using our new features. An active Microsoft 365 E3 subscription is required as a prerequisite to activate the free trial.
- Join the community - https://aka.ms/JoinCCP
- Get started with Microsoft Copilot for Security - Training | Microsoft Learn
- Copilot for Security Ninja - How to Become a Microsoft Copilot for Security Ninja: The Complete Level 400 Training
[1] Microsoft Data Security Index annual report highlights evolving generative AI security needs | Microsoft Security Blog
[2] Cybersecurity Awareness Month: Microsoft resources for security teams | Microsoft Security Blog
Updated Mar 24, 2025, Version 2.0
Nathalia_Borges
Microsoft
Microsoft Security Blog