<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>Microsoft Security Copilot Blog articles</title>
    <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/bg-p/SecurityCopilotBlog</link>
    <description>Microsoft Security Copilot Blog articles</description>
    <pubDate>Wed, 22 Apr 2026 04:34:35 GMT</pubDate>
    <dc:creator>SecurityCopilotBlog</dc:creator>
    <dc:date>2026-04-22T04:34:35Z</dc:date>
    <item>
      <title>From alert overload to decisive action: How Security Copilot agents are transforming security and IT</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/from-alert-overload-to-decisive-action-how-security-copilot/ba-p/4504213</link>
      <description>&lt;P&gt;Security and IT teams operate in a constant stream of alerts, incidents, and investigations. As environments expand across identities, endpoints, cloud, and data, the challenge becomes clear: identifying real risk quickly enough to act.&lt;/P&gt;
&lt;P&gt;Security Copilot agents bring AI directly into the flow of work, helping teams understand risk with greater context, investigate threats more efficiently, and take action sooner. Security Copilot is &lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/security/security-copilot-in-microsoft-365-e5" target="_blank" rel="noopener"&gt;now included&lt;/A&gt; with Microsoft 365 E5 and E7 licenses at no additional cost, so teams can start using agents right away.&lt;/P&gt;
&lt;P&gt;Over the past year, organizations have used Security Copilot to triage alerts, surface real threats earlier, and move faster from investigation to action. At RSA Conference 2026, we are announcing new capabilities that reflect a continuous wave of innovation, evolving from built-in AI assistance and automated summaries to new agents that can analyze signals, investigate incidents, and execute security workflows.&lt;/P&gt;
&lt;H3&gt;Real-world impact: measurable results&lt;/H3&gt;
&lt;P&gt;Security Copilot agents help security and IT teams identify and respond to risk more effectively. Customers are seeing that impact in their day-to-day operations.&lt;/P&gt;
&lt;P&gt;At &lt;A class="lia-external-url" href="https://www.microsoft.com/en/customers/story/25330-st-lukes-university-health-network-microsoft-security-copilot?msockid=2586e2ca99f2614b3ae0f44798366037" target="_blank" rel="noopener"&gt;St. Luke’s University Health Network&lt;/A&gt;, the Security Alert Triage Agent &lt;EM&gt;(previously named Phishing Triage Agent)&lt;/EM&gt; in Microsoft Defender saves security analysts more than 200 hours every month, automatically triaging phishing alerts and surfacing those that actually matter.&lt;/P&gt;
&lt;P&gt;Independent randomized controlled studies reinforce the results. Security professionals using the Security Alert Triage Agent triaged alerts up to &lt;A class="lia-external-url" href="https://aka.ms/phishing-triage-agent-study" target="_blank" rel="noopener"&gt;78% faster, delivered 77% more accurate verdicts, and identified 6.5 times more malicious emails&lt;/A&gt;.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Note:&lt;/STRONG&gt; The Phishing Triage Agent has since been expanded and is now called the Security Alert Triage Agent. Learn more at &lt;A class="lia-external-url" href="http://aka.ms/SATA" target="_blank"&gt;aka.ms/SATA&lt;/A&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;That same impact extends beyond the SOC into other critical areas of security and IT.&lt;/P&gt;
&lt;P&gt;A data security team at a large telecommunications organization used the Data Security Triage Agent in Microsoft Purview to triage more than 40,000 Data Loss Prevention (DLP) alerts in 90 days, surfacing the 10% most critical alerts that required investigation.&lt;/P&gt;
&lt;P&gt;Identity teams are also seeing huge improvements with the Conditional Access Optimization Agent in Microsoft Entra, which continuously analyzes access policies against Zero Trust baselines and recommends actions. In controlled productivity studies, identity admins completed policy-related tasks &lt;A class="lia-external-url" href="https://aka.ms/cao-agent-study" target="_blank" rel="noopener"&gt;43% faster and 48% more accurately&lt;/A&gt; when identifying configuration weaknesses.&lt;/P&gt;
&lt;P&gt;IT teams are also seeing impact using the Vulnerability Remediation Agent in Microsoft Intune, which continuously detects new vulnerabilities as threats emerge. As one CTO at a renewable energy and technology company shared, the agent is “dramatically changing the way we approach working with vulnerabilities in our environment. A two‑week process is now a two‑minute process, really huge number for us.”&lt;/P&gt;
&lt;P&gt;Across these scenarios, teams begin investigations with clearer context and a better understanding of what actually matters. Instead of piecing together signals across dozens of tools, they can focus on the highest-risk issues and move from investigation to action with confidence.&lt;/P&gt;
&lt;P&gt;As environments continue expanding across identities, endpoints, applications, and data, quickly connecting signals and understanding risk becomes essential.&lt;/P&gt;
&lt;H3&gt;New Security Copilot agents and capabilities announced at RSA Conference&lt;/H3&gt;
&lt;P&gt;Our innovation continues. Microsoft is introducing new Security Copilot agents and expanded capabilities designed to help organizations analyze complex security data, triage alerts more effectively, and strengthen security posture across identity, endpoint, cloud, and data environments.&lt;/P&gt;
&lt;H5&gt;New and updated Security Copilot agents built by Microsoft&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Security Analyst Agent in Microsoft Defender&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Security teams are often sitting on enormous volumes of security data, but turning that data into answers takes time. The Security Analyst Agent helps teams move from raw telemetry to real understanding much faster. By performing deep, multi-step investigations across Microsoft Defender and Sentinel telemetry, the agent can analyze up to ~100MB of security data to uncover anomalies, hidden risks, and high-impact threats that might otherwise stay buried. Analysts can chat directly with the agent to ask questions, explore hypotheses, and dig deeper into findings. The results include transparent reasoning and supporting evidence, helping teams quickly understand what matters and move forward with confidence.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Security Alert Triage Agent in Microsoft Defender&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;One of the biggest challenges for SOC teams is deciding which alerts actually deserve attention. The Security Alert Triage Agent helps cut through that noise so analysts can focus on the threats that truly matter. Building on its existing phishing triage capabilities, the agent now extends autonomous triage to identity and cloud alerts. Each verdict includes clear, transparent reasoning so analysts can quickly understand the outcome and prioritize the alerts that matter most.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;New capabilities for Conditional Access Optimization Agent in Microsoft Entra&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Identity environments are constantly evolving as organizations add new apps, users, and authentication methods. New capabilities in the Conditional Access Optimization Agent help identity teams identify and close critical policy gaps faster, with recommendations tailored to their organization’s needs. The agent now delivers business-context-aware recommendations, supports phased rollout of new policies, enables automated least-privilege enforcement for supported third-party agent identities, and helps drive passkey adoption. Together, these capabilities help organizations continuously strengthen identity security while maintaining productivity.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;New capabilities for Data Security Posture Agent in Microsoft Purview&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Sensitive data often moves through documents, emails, chats, and collaboration tools, which makes it easy for credentials or secrets to end up where they shouldn’t be. A new credential scanning capability in the Data Security Posture Agent helps data security teams proactively identify exposed credentials within their data environment. By analyzing data signals and access patterns, the agent surfaces potential credential exposure risks and helps teams quickly investigate and remediate them. This gives organizations better visibility into hidden data risks and strengthens overall protection of critical systems.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;New capabilities for Data Security Triage Agent in Microsoft Purview Insider Risk Management&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Investigating insider risk alerts often requires piecing together signals from many different sources to understand what is really happening. The Data Security Triage Agent now introduces an advanced AI reasoning layer that helps security teams evaluate those signals more holistically. By performing deeper, multi-step analysis across behavioral signals from users, devices, and data activity, the agent can surface the incidents that truly require investigation while filtering out noise. The result is faster, more accurate investigations and better confidence when responding to potential insider risks.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;New capabilities for Data Security Triage Agent in Microsoft Purview Data Loss Prevention&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Custom Sensitive Information Types (SITs) are often difficult for analysts to interpret quickly because the underlying definitions and patterns lack clear context at triage time. This latest enhancement makes custom Sensitive Information Types (SITs) easier for both the agent and analysts to understand in Data Loss Prevention alerts. Purview interprets custom SIT definitions, generates semantic descriptions of the data, and surfaces that context directly within the agent. This allows the agent to classify and prioritize alerts involving custom data more accurately, helping analysts quickly recognize real risk and respond appropriately.&lt;/P&gt;
&lt;H5&gt;New Security Copilot agents built by partners&lt;/H5&gt;
&lt;P&gt;To meet customers where they are across their existing security stack, the Security Copilot ecosystem continues to grow with &lt;STRONG&gt;more than 70 partner-built agents available today in the Security Store&lt;/STRONG&gt;, bringing additional signals and investigation capabilities into the platform. Some of these agents include the following:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://securitystore.microsoft.com/solutions/commvault.commvault-security-investigation-agent" target="_blank" rel="noopener"&gt;Security Investigation Agent by Commvault&lt;/A&gt; – Correlates backup anomalies with identity and security signals across platforms such as Entra, CrowdStrike, Netskope, and Darktrace.&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://securitystore.microsoft.com/solutions?tab=All&amp;amp;query=inspira" target="_blank" rel="noopener"&gt;MITRE Attack Coverage Insight Agent by Inspira&lt;/A&gt;&lt;STRONG&gt; &lt;/STRONG&gt;– Evaluates analytic rule coverage, calculates ATT&amp;amp;CK coverage, identifies detection gaps, generates detection recommendations, and provides SOC detection maturity scoring.&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://securitystore.microsoft.com/solutions/avanade_usa.endpointriskinsights_agent" target="_blank" rel="noopener"&gt;Endpoint Risk Insights Agent by Avanade&lt;/A&gt; – Provides endpoint risk insights by correlating signals across security telemetry.&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://securitystore.microsoft.com/solutions/invoke_llc.scp_agent_entra_role_mining_core" target="_blank" rel="noopener"&gt;Identity Role Mining Agent by Invoke&lt;/A&gt; – Allows user to discover and analyze administrator roles in Microsoft Entra ID with ease and precision.&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://securitystore.microsoft.com/solutions/silverfort.silverfort-scp-agent" target="_blank" rel="noopener"&gt;Identity Threat Triage Agent by Silverfort&lt;/A&gt;&lt;STRONG&gt; &lt;/STRONG&gt;- Correlates Silverfort's identity risk signals with Entra ID and Defender for Endpoint data in the Sentinel data lake to surface risky sign‑ins, MFA abuse, suspicious processes, and anomalies.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Together, these partner agents extend Security Copilot’s ability to connect signals across Microsoft and third-party security platforms, giving organizations broader visibility and stronger investigation capabilities across their security environment. To explore all new Security Copilot agents, visit the &lt;A class="lia-external-url" href="https://securitystore.microsoft.com/agents" target="_blank" rel="noopener"&gt;Microsoft Security Store&lt;/A&gt;.&lt;/P&gt;
&lt;H3&gt;New Security Copilot innovations that turn insight into action&lt;/H3&gt;
&lt;P&gt;Security Copilot continues to integrate more deeply into the tools security and IT teams already use every day. These capabilities bring AI directly into the environments where investigations happen, helping teams explore threats, understand context, and take action without switching between tools.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Security Copilot interactive chat experience in Microsoft Defender&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Analysts can ask questions, explore investigative hypotheses, and follow threat activity across incidents, alerts, identities, devices, and IPs without leaving their investigation. Copilot understands the context of the page analysts are working on and grounds responses in the relevant signals already available in Defender. As analysts ask questions, Copilot can run investigative steps, gather additional evidence, and surface new insights. This allows teams to iterate quickly, validate assumptions, and dig deeper into threats while staying in the same workflow.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Secret Finder skill in Security Copilot is now generally available&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Available in the Security Copilot standalone portal, the Secret Finder skill can be invoked to analyze unstructured content such as emails, chats, documents, and investigation notes to identify exposed credentials hidden in real-world workflows. Using agentic capabilities such as multi-step reasoning rather than simple pattern matching, it detects real, usable secrets and the systems they unlock, helping security teams quickly understand potential exposure and respond with confidence. Additional integrations and use cases are planned to expand how this capability can be used across security workflows.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Security Copilot trigger in Logic Apps&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Building on how many organizations already use Logic Apps to automate security workflows, a new connector action for Security Copilot in Logic Apps flows allows teams to easily invoke partner-built agents and custom agents they create as part of repeatable workflows. This brings deeper AI-driven investigation, context, and decision support into tasks such as incident triage, threat intelligence analysis, and policy validation.&lt;/P&gt;
&lt;H3&gt;See Security Copilot in action at RSA Conference&lt;/H3&gt;
&lt;P&gt;Join us at RSA Conference to see the latest Security Copilot agents and capabilities in action. Stop by the Microsoft booth to connect with the team, explore new innovations, and experience how agents are helping security and IT teams investigate threats, understand risk, and strengthen security posture.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Hear from Microsoft Security product leaders in these booth sessions&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;March 23 | 5:15 PM&lt;/STRONG&gt;&lt;BR /&gt;Empowering the SOC with assistive and autonomous AI, Yuval Derman&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;March 24 | 3:00 PM&lt;/STRONG&gt;&lt;BR /&gt;Security Copilot agents: Insight. Action. Impact., Lizzie Heinze and Donna Lee&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;March 25 | 10:30 AM&lt;/STRONG&gt;&lt;BR /&gt;Turning Data Risk into Action with Security Copilot Agents, Paige Johnson and Tanay Baldua&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;March 26 | 12:00 PM&lt;/STRONG&gt;&lt;BR /&gt;Defend identity autonomously with agentic AI in Microsoft Entra, Mitch Muro, Rahul Prakash, Nikhil Reddy&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Join our deep dive session&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;March 24 | 8:30 AM | The Palace Hotel&lt;/STRONG&gt;&lt;BR /&gt;Security Copilot in action: An agentic approach to modern security&lt;BR /&gt;Register here: &lt;A class="lia-external-url" href="https://microsoftsecurityevents.eventbuilder.com/RSACMicrosoftEvents26?ref=social_speaker" target="_blank" rel="noopener"&gt;Microsoft Security RSAC Events | Microsoft Corporate&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Stop by the Microsoft booth for a hands-on experience&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Test out the latest Security Copilot agents at the demo station and connect with our experts.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Agentic AI Arena&lt;/STRONG&gt;: Try a fun, gamified experience that shows how Security Copilot agents investigate threats, surface risk, and help security teams respond faster.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;Start using Security Copilot in your daily workflows&lt;/H5&gt;
&lt;P&gt;If you have received access to Security Copilot as part of your Microsoft 365 E5 plan, we recommend the following steps to get started quickly:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Sign up for the &lt;A class="lia-external-url" href="https://aka.ms/sc/workshops" target="_blank" rel="noopener"&gt;Security Copilot skilling series&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Review new agentic scenarios and developer capabilities in the &lt;A class="lia-external-url" href="https://adoption.microsoft.com/en-us/security-copilot/" target="_blank" rel="noopener"&gt;Security Copilot Adoption Hub&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Learn what’s included with your Microsoft 365 E5 plan in &lt;A class="lia-external-url" href="https://aka.ms/scpinclusioninfo" target="_blank" rel="noopener"&gt;documentation&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="http://aka.ms/Microsoft365RFA" target="_blank" rel="noopener"&gt;Request assistance&lt;/A&gt; from a Microsoft 365 FastTrack specialist to unlock the full value of Security Copilot&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Tue, 21 Apr 2026 22:55:44 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/from-alert-overload-to-decisive-action-how-security-copilot/ba-p/4504213</guid>
      <dc:creator>Lizzie_Heinze</dc:creator>
      <dc:date>2026-04-21T22:55:44Z</dc:date>
    </item>
    <item>
      <title>Introducing Secret Finder: Finding Real Credentials Where Traditional Tools Fail</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/introducing-secret-finder-finding-real-credentials-where/ba-p/4500983</link>
      <description>&lt;P&gt;Secret Finder is an AI-powered capability in Microsoft Security Copilot that detects leaked credentials in unstructured content, such as emails, chat logs, documents, and screenshots, where traditional pattern-matching tools struggle. It relies on a multi‑step, multi‑agent reasoning workflow rather than a single-pass detector. Detection, verification, and contextual analysis are handled by distinct reasoning stages, allowing Secret Finder to find real credentials without flooding users with false positives. Unlike regex-based scanners, Secret Finder uses reasoning to identify not just credentials, but the systems they unlock, helping security teams understand exposure and respond faster. In benchmark testing on synthetic datasets, Secret Finder achieved 98.33% true credential detection with zero false alarms on realistic emails, chats, notes, and documents—while traditional regex scanners detected only about 40% of the same credentials. Secret Finder is now generally available in Security Copilot, supporting 20+ credential types with high precision and actionable context.&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;The Problem: Credentials Hide Where Traditional Tools Can't See&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;When security incidents happen, leaked credentials don't always appear in clean, predictable formats. They show up buried in email threads, pasted into Teams messages, embedded in Word documents, or captured in screenshots of logs and terminals. These are exactly the places where security teams spend the most time and where traditional secret scanning tools fail.&lt;/P&gt;
&lt;P&gt;Most existing tools rely on regular expressions or simple pattern matching. This works reasonably well for structured environments like source code repositories, where credentials follow predictable formats. But in real-world incidents, secrets look different. A storage key might be split across multiple messages in an email thread. A credential could be reformatted, partially redacted, or embedded alongside explanatory text.&lt;/P&gt;
&lt;P&gt;In these situations, pattern matching produces two painful outcomes: it misses real credentials because the format doesn’t match a known rule, or it floods analysts with false positives that waste time. Security teams are left manually reviewing content, guessing which findings are real, and piecing together what systems might actually be at risk. In practice, this failure mode has a real human cost: security analysts end up reviewing thousands of alerts, manually inspecting email threads and chat logs, and trying to determine whether a suspicious string actually unlocks a storage account, API, or production service. Teams can spend days reconstructing context across messages and documents just to understand what a credential grants access to, slowing containment and increasing risk during active incidents.&lt;/P&gt;
&lt;P&gt;This is the gap Secret Finder was built to close.&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;The Solution: Secret Finder Brings Reasoning to Secret Detection&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;Secret Finder approaches secret detection as a reasoning problem, not a string-matching exercise. Instead of asking "does this text match a pattern?" it asks human-like questions: Is this text describing a credential or access mechanism? Does the value look real and usable? What system or resource could this access?&lt;/P&gt;
&lt;P&gt;This shift is subtle but powerful. Secret Finder doesn't just detect credentials, it connects them to doors: the specific targets those credentials unlock, such as API endpoints, storage accounts, applications, or services. This is critical for triage. Instead of stopping at “this looks like a credential,” Secret Finder tells analysts what that credential actually opens. Without context, a credential triggers manual follow‑up. When it’s linked to a specific target, analysts can immediately assess impact and act.&lt;/P&gt;
&lt;P&gt;By understanding messy, real-world content the way a human investigator would, Secret Finder delivers findings that security teams can trust and act on immediately. It's designed specifically for the unstructured, noisy environments where incidents actually unfold.&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;Why Secret Finder Outperforms Traditional Pattern Matching&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;Traditional secret scanners are built for clean data. Secret Finder is built for reality.&lt;/P&gt;
&lt;P&gt;Traditional tools struggle when:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Credentials appear in natural language descriptions rather than code&lt;/LI&gt;
&lt;LI&gt;Context determines whether a string is sensitive or benign&lt;/LI&gt;
&lt;LI&gt;Credentials are incomplete, malformed, or partially redacted&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Secret Finder excels because it:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Reasons through context, understanding surrounding text to identify what's truly sensitive&lt;/LI&gt;
&lt;LI&gt;Detects credentials and their associated resources together, providing the "what" and the "where" in a single pass&lt;/LI&gt;
&lt;LI&gt;Handles noisy, unstructured inputs like emails, chat logs, and documents&lt;/LI&gt;
&lt;LI&gt;Assigns confidence scores to help teams prioritize findings and reduce alert fatigue&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;&lt;STRONG&gt;What Secret Finder Can Do Today&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;Secret Finder is now generally available in Microsoft Security Copilot, with capabilities shaped directly by real security workflows across incident response, red teaming, and SOC operations.&lt;/P&gt;
&lt;P&gt;It detects over 20 major credential categories, spanning cloud provider credentials like Azure Storage Keys and AWS Access Keys, authentication credentials including Microsoft Entra passwords and OAuth tokens, database connection strings, SSH private keys, API keys, and generic secrets that don't fit predefined patterns. This broad coverage means analysts can scan investigation artifacts without worrying whether the secret type is supported.&lt;/P&gt;
&lt;P&gt;What makes Secret Finder particularly effective is where it works. Email threads where credentials are discussed across multiple messages. Teams chats where credentials are pasted quickly during troubleshooting. Word documents and internal wikis where credentials are documented for operational handoffs. Incident reports and post-mortem notes written under pressure. These are the environments where traditional pattern-matching tools fail, and where Secret Finder delivers the most value.&lt;/P&gt;
&lt;P&gt;In benchmark evaluations, Secret Finder achieved 100% recall with 0% false positives on synthetic datasets containing embedded Azure Storage credentials, compared to 40% recall from traditional regex‑based tools such as CredScan. In more complex scenarios involving multiple credential types and noisy email content, Secret Finder maintained 98.33% recall with 0% false positives. These results were observed on synthetically generated evaluation datasets spanning emails, chats, notes, and documents, designed to reflect how engineers communicate and how credentials may be inadvertently shared in real‑world workflows.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Scenario&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Precision&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Recall&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Single credential type&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;100%&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;100%&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Complex, multiple credential types&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;100%&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;98.33%&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;Secret Finder is currently integrated into Security Copilot, actively supporting incident response workflows, and working toward deeper integrations with developer platforms such as GitHub to bring contextual secret detection to source code analysis at scale.&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;Using Secret Finder in Security Copilot&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;Secret Finder is available as a skill in Microsoft Security Copilot, making credential detection a seamless part of analyst workflows.&lt;/P&gt;
&lt;P&gt;How to use Secret Finder:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Enable the Secret Finder skill in Security Copilot via "Manage Sources" → "Manage Plugins" (Figure 1)&lt;/LI&gt;
&lt;LI&gt;Select "FindSecretInText" from Promptbook (Figure 2)&lt;/LI&gt;
&lt;LI&gt;Submit unstructured content directly in the Copilot prompt: paste the text blob that might contain credentials&lt;/LI&gt;
&lt;LI&gt;Secret Finder analyzes the content using its multi-agent workflow, detecting credentials and associated doors&lt;/LI&gt;
&lt;LI&gt;Review actionable findings with contextual details&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;EM&gt;Figure 1. Enabling the Secret Finder skill in Microsoft Security Copilot (Due to recent naming changes, users might see "Agentic secret finder" in Security Copilot. Naming changes will be reflected in a few weeks)&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;EM&gt;Figure 2. Selecting the FindSecretInText prompt, which invokes Secret Finder’s multi‑step credential detection and verification workflow&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;EM&gt;Figure 3. Submitting a text blob containing embedded credentials for analysis (example is synthetic)&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;EM&gt;Figure 4. Secret Finder output with detected credentials and associated doors (example credentials and associated doors are synthetic)&lt;/EM&gt;&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;What's Next for Secret Finder&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;Secret Finder is a living capability. Over the next six months, we are working towards coverage and deepening integrations:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Exploring integrations with GitHub to reduce false positives in secret scanning for code repositories&lt;/LI&gt;
&lt;LI&gt;Optimizing for large-scale analysis to handle enterprise-wide scans efficiently with reduced latency&lt;/LI&gt;
&lt;LI&gt;Exploring graph-based risk modeling to map relationships between credentials, services, and attack paths&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Our long-term vision goes beyond detection: we want to help security teams understand how credentials are used, what risks exist if they're exposed, and what the impact of rotation or revocation would be. By moving from "what's leaked" to "what does it mean," Secret Finder will enable smarter prioritization, faster response, and more confident decision-making.&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;Acknowledgments&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;Secret Finder has been a cross-team effort over the past year, evolving from early research and prototyping through private preview, public preview, and now general availability.&lt;/P&gt;
&lt;P&gt;This milestone reflects contributions across many phases, from initial system design and technical direction to evaluation, product integration, and deployment at scale.&lt;/P&gt;
&lt;P&gt;Contributors include Mariko Wakabayashi, who led the early research through production, and the team, including Zixiao Chen and Avy Challa, who contributed GA improvements and brought Secret Finder to production readiness.&lt;/P&gt;
&lt;P&gt;We also appreciate Tony Twum-Barimah, Malachi Jones, and the Security Copilot team, including Austin Trapp and Vinod Jagannathan for their technical and product support throughout the process, as well as Christian Rudnick and Helen Chang for guiding us through the responsible AI reviews before launch.&lt;/P&gt;
&lt;P&gt;Finally, a huge thanks to the incident responders and security researchers who shared valuable insights along the way. Secret Finder wouldn’t have been possible without their work and feedback.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 18 Mar 2026 20:27:24 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/introducing-secret-finder-finding-real-credentials-where/ba-p/4500983</guid>
      <dc:creator>Zixiao_Chen</dc:creator>
      <dc:date>2026-03-18T20:27:24Z</dc:date>
    </item>
    <item>
      <title>Where Partners Build and Scale: Partner-Built Security Copilot Agents in Security Store</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/where-partners-build-and-scale-partner-built-security-copilot/ba-p/4488589</link>
      <description>&lt;P&gt;At Microsoft, we believe that security is a team sport. That’s why we are committed to meeting customers where they are, integrating with the solutions they already use to ensure that everyone can take advantage of the agentic capabilities of Security Copilot.&lt;/P&gt;
&lt;P&gt;And it’s not just an idea—it’s a reality. We’re excited to share why partners such as BlueVoyant, OneTrust, and Tanium chose to build agents with Security Copilot—and the value this brings to their customers.&lt;/P&gt;
&lt;P&gt;By watching the videos featuring BlueVoyant, OneTrust, and Tanium, you’ll see firsthand how collaboration drives innovation and empowers security teams to tackle today’s threats with agility and confidence. Together, these partner-built agents show how organizations and partners can transform Security Copilot into an integrated force multiplier—proving that security is a team sport.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Partner-built agents power smarter protection&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;STRONG&gt;BlueVoyant&lt;/STRONG&gt; – Specializing in comprehensive cyber risk management, BlueVoyant provides a suite of services to protect organizations from cyberattacks. In this video, we learn about BlueVoyant Watchtower and how their agents help customers get the most out of their Sentinel and Defender products by using an agent to always review the environment and recommend updated rules, configurations, and policies that catch bad actors. “Security Copilot gives us the advantage of moving more quickly.” – &lt;EM&gt;Micah Heaton, Executive Director, Microsoft Product &amp;amp; Innovation Strategy at BlueVoyant&lt;/EM&gt;&lt;/P&gt;
&lt;div data-video-id="https://youtu.be/9STL2lk4mSY?si=-0gHtyu2ir6EBDN_/1769114592577" data-video-remote-vid="https://youtu.be/9STL2lk4mSY?si=-0gHtyu2ir6EBDN_/1769114592577" class="lia-video-container lia-media-is-center lia-media-size-large"&gt;&lt;iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2F9STL2lk4mSY%3Ffeature%3Doembed&amp;amp;display_name=YouTube&amp;amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D9STL2lk4mSY&amp;amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2F9STL2lk4mSY%2Fhqdefault.jpg&amp;amp;type=text%2Fhtml&amp;amp;schema=youtube" allowfullscreen="" style="max-width: 100%"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;P&gt;&lt;STRONG&gt;OneTrust&lt;/STRONG&gt; – OneTrust, a privacy and consent management platform, specializes in helping customers responsibly use data and AI. By partnering with Microsoft, specifically Microsoft’s Sentinel platform, OneTrust is able to provide their customers with a full view of their data estate. The Privacy Breach Response Agent by OneTrust combines the deep privacy and regulatory expertise of OneTrust with the robust generative AI capabilities of Microsoft Security Copilot, automating privacy risk assessments and improving their accuracy.&lt;/P&gt;
&lt;div data-video-id="https://youtu.be/MuzKotpgeoE?si=Eo91IOJFvxn84deQ]/1769114608767" data-video-remote-vid="https://youtu.be/MuzKotpgeoE?si=Eo91IOJFvxn84deQ]/1769114608767" class="lia-video-container lia-media-is-center lia-media-size-large"&gt;&lt;iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FMuzKotpgeoE%3Ffeature%3Doembed&amp;amp;display_name=YouTube&amp;amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DMuzKotpgeoE&amp;amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FMuzKotpgeoE%2Fhqdefault.jpg&amp;amp;type=text%2Fhtml&amp;amp;schema=youtube" allowfullscreen="" style="max-width: 100%"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;P&gt;&lt;STRONG&gt;Tanium&lt;/STRONG&gt; – Specializing in endpoint management and security, Tanium gives IT teams visibility and control over every device in their environment. Tanium’s partnership with Microsoft provides Tanium with seamless integration into Microsoft’s Security products via Copilot, which, combined with Tanium’s real-time environment insights, powers end-to-end workflows across Defender, Entra, Tanium, and Intune. The Security Triage Agent by Tanium accelerates alert triage, providing security teams with the context they need to make informed decisions on Tanium Threat Response alerts swiftly.&lt;/P&gt;
&lt;div data-video-id="https://youtu.be/qctxOAqKbF4?si=br3t38aqDmurMn0T/1769114626266" data-video-remote-vid="https://youtu.be/qctxOAqKbF4?si=br3t38aqDmurMn0T/1769114626266" class="lia-video-container lia-media-is-center lia-media-size-large"&gt;&lt;iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FqctxOAqKbF4%3Ffeature%3Doembed&amp;amp;display_name=YouTube&amp;amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DqctxOAqKbF4&amp;amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FqctxOAqKbF4%2Fhqdefault.jpg&amp;amp;type=text%2Fhtml&amp;amp;schema=youtube" allowfullscreen="" style="max-width: 100%"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;P&gt;The work of partners like BlueVoyant, OneTrust, and Tanium is shaping a new security ecosystem—one where the &lt;A href="https://securitymarketplace.microsoft.com" target="_blank" rel="noopener"&gt;Microsoft Security Store&lt;/A&gt; is a launchpad for partner innovation to drive real-world customer impact. The Store turns partner-built agents into enterprise-ready solutions by providing Microsoft-validated certification, high‑quality metadata, consistent deployment flows, secure authentication and transactions, and in‑product visibility inside Defender, Entra, and Security Copilot. These deployed agents run securely in your Security Copilot zero-trust environment.&lt;/P&gt;
&lt;P&gt;The power of the Security Store is that it doesn’t just distribute agents; it amplifies them. It gives partners a unified, trusted surface where their solutions are discoverable directly within Microsoft Security products; where customers can compare capabilities through standardized metadata; where installation is guided and repeatable; and where Microsoft’s AI foundation elevates the value of every partner-built capability. For customers, this means direct access to the best of partner-driven security innovation. Partner-built agents deliver value at every stage of the security journey: proactively monitoring sensor health, surfacing actionable insights, accelerating investigations, and automating incident response. These capabilities help organizations strengthen their security posture, respond faster to threats, and stay ahead of attackers.&lt;/P&gt;
&lt;P&gt;For partners, success begins with identifying the unique value their agent brings to customers and designing real security outcomes, such as improved detection, automated investigations, and measurable risk reduction. As more partners publish agents, the ecosystem expands, unlocking advanced scenarios like phishing and identity alert triage, incident enrichment, policy optimization, and automated remediation. By combining Microsoft’s AI foundation with specialized partner expertise, Security Copilot agents deliver differentiated solutions that address a wide range of security challenges, from privacy and compliance workflows to vulnerability management and forensics, helping customers strengthen their security posture and respond faster to threats.&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;Explore resources and documentation&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;Explore all the partner-built agents in Security Copilot and partner SaaS offerings at the &lt;A href="https://securitystore.microsoft.com/" target="_blank" rel="noopener"&gt;Microsoft Security Store&lt;/A&gt;, and see the &lt;A href="https://learn.microsoft.com/en-us/security/store/" target="_blank" rel="noopener"&gt;Security Store documentation on Microsoft Learn&lt;/A&gt;. Or &lt;A href="https://learn.microsoft.com/copilot/security/agents-overview" target="_blank" rel="noopener"&gt;read more documentation on Security Copilot agents&lt;/A&gt; to learn:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;What agents are and how they work in Security Copilot&lt;/LI&gt;
&lt;LI&gt;How partners build and integrate agents&lt;/LI&gt;
&lt;LI&gt;Links to related resources for development and deployment&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 26 Jan 2026 16:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/where-partners-build-and-scale-partner-built-security-copilot/ba-p/4488589</guid>
      <dc:creator>Vikram_2026</dc:creator>
      <dc:date>2026-01-26T16:00:00Z</dc:date>
    </item>
    <item>
      <title>What's new in Microsoft Security Copilot</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/what-s-new-in-microsoft-security-copilot/ba-p/4460703</link>
      <description>&lt;P&gt;A major wave of updates has landed: integration with the new Sentinel data lake and graph, new ready-made and custom agents, and the debut of the Microsoft Security Store.&lt;/P&gt;
&lt;P&gt;Let’s take a look at what’s new.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Microsoft Sentinel and Security Copilot integration delivers deeper context and smarter AI&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Sentinel data lake is now generally available, and new capabilities like Sentinel graph and the Model Context Protocol (MCP) server are in public preview, bringing in a new level of integration with Security Copilot. Agents can now access richer, more connected data from across Sentinel, combining graph, structured, and semantic context to reason and act with greater precision. This enhanced foundation transforms AI-driven detection and response, helping teams resolve incidents faster and uncover deeper insights across their environments.&lt;/P&gt;
&lt;P&gt;Read more in the Sentinel announcement blog: &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/introducing-microsoft-sentinel-graph-public-preview/4456368" data-lia-auto-title="Introducing Microsoft Sentinel graph " data-lia-auto-title-active="0" target="_blank"&gt;Introducing Microsoft Sentinel graph &lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Build your own Security Copilot agents, no coding required&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Now anyone on your team can create custom Security Copilot agents. Use a no-code portal or developer tools to design, test, and deploy agents that automate the workflows you need most. Your team controls how they work and what they do.&lt;/P&gt;
&lt;P&gt;Learn more: &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/securitycopilotblog/from-idea-to-security-copilot-agent-create-customize-and-deploy/4458516" data-lia-auto-title="Build your own Security Copilot agent" data-lia-auto-title-active="0" target="_blank"&gt;Build your own Security Copilot agent&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;New Microsoft and partner ready-made agents for real challenges&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;These new agents help teams address common security and IT challenges faster and smarter:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Access Review Agent in Microsoft Entra: Streamline access reviews, flag unusual patterns, and reduce fatigue for security and compliance teams. It helps maintain governance and compliance by automatically analyzing ongoing access reviews and highlighting potential risks.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Learn more: &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/the-microsoft-entra-agent-for-smarter-access-governance-access-review-agent/4279689" data-lia-auto-title="The Microsoft Entra agent for smarter access governance: Access Review Agent" data-lia-auto-title-active="0" target="_blank"&gt;The Microsoft Entra agent for smarter access governance: Access Review Agent&lt;/A&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Phishing Triage Agent in Microsoft Defender saves nearly 200 hours a month&lt;/STRONG&gt;: In this new customer spotlight, &lt;A class="lia-external-url" href="https://www.microsoft.com/en/customers/story/25330-st-lukes-university-health-network-microsoft-security-copilot" target="_blank"&gt;St. Luke’s is seeing the impact&lt;/A&gt; of integrating Security Copilot agents into their daily workflows. ACISO Krista Arndt says, “The Phishing Triage Agent is a game changer. It’s saving us nearly 200 hours monthly by autonomously handling and closing thousands of false positive alerts.” With routine triage automated, security teams can shift from reactive response to proactive threat hunting, freeing up time for higher-value work and faster threat mitigation.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This release also brings &lt;STRONG&gt;30 new partner-built agents&lt;/STRONG&gt;, available on the &lt;A class="lia-external-url" href="https://securitystore.microsoft.com/" target="_blank"&gt;Microsoft Security Store&lt;/A&gt;, with solutions like:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Forensic Agent by glueckkanja AG&lt;/STRONG&gt;: Delivers deep-dive analysis of Defender XDR incidents to accelerate investigations and uncover root causes faster.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Privileged Admin Watchdog Agent by glueckkanja AG&lt;/STRONG&gt;: Helps enforce zero standing privilege principles by removing persistent admin identities, reducing risk, and strengthening administrative security.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Ransomware Kill Chain Investigator Agent by adaQuest&lt;/STRONG&gt;: Automates ransomware triage to quickly detect and respond to threats, enabling security teams to focus on high-priority incidents.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Entity Guard Investigator Agent by adaQuest&lt;/STRONG&gt;: Investigates Defender incidents and provides actionable insights to accelerate incident resolution and strengthen security posture.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Admin Guard Insight Agent by adaQuest&lt;/STRONG&gt;: Analyzes administrative activity, detects anomalies, evaluates risk exposure and compliance, and delivers actionable guidance to improve administrative security.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Identity Workload ID Agent by Invoke&lt;/STRONG&gt;: Empowers identity administrators and security teams to manage and secure Workload Identities in Microsoft Entra, reducing risk, strengthening compliance, and controlling identity sprawl.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Find these agents and more in the &lt;/STRONG&gt;&lt;A class="lia-external-url" href="https://securitystore.microsoft.com/" target="_blank"&gt;Microsoft Security Store&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Microsoft Security Store – one, centralized place to find agents and SaaS solutions&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The &lt;A class="lia-external-url" href="https://securitystore.microsoft.com/" target="_blank"&gt;Microsoft Security Store&lt;/A&gt; makes it simple to discover, deploy, and buy Security Copilot agents and partner solutions. Start using any of the 30 new agents or 50 SaaS solutions to power your SOC, IT, privacy, and compliance workflows.&lt;/P&gt;
&lt;P&gt;Read more in the announcement blog: &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/introducing-microsoft-security-store/4456417" data-lia-auto-title="Introducing Microsoft Security Store" data-lia-auto-title-active="0" target="_blank"&gt;Introducing Microsoft Security Store&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Stay tuned and explore more!&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot is transforming how security and IT teams operate – bringing AI-powered insights, automation, and decision support into everyday workflows. With new capabilities landing every month, the pace of innovation is accelerating.&lt;/P&gt;
&lt;P&gt;We’ll be back in November with more updates. Until then, explore these resources to get hands-on, deepen your understanding, and see what’s possible:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://adoption.microsoft.com/en-us/security-copilot/video-hub/" target="_blank"&gt;Security Copilot Video Hub&lt;/A&gt; – Watch demos and walkthroughs to see Security Copilot in action&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/security/business/ai-machine-learning/microsoft-security-copilot?msockid=3078bb0cbe6e63980b2caeb9bf2262a5" target="_blank"&gt;Microsoft Security Copilot Website&lt;/A&gt; – Learn about capabilities, use cases, and product details&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://adoption.microsoft.com/en-us/security-copilot/" target="_blank"&gt;Security Copilot Adoption Hub&lt;/A&gt; – Access rollout guides, templates, and best practices&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Don’t miss&amp;nbsp;&lt;A class="lia-external-url" href="https://ignite.microsoft.com/en-US/home?wt.mc_ID=Ignite2025_marx_corp_bl_oo_bl_Security_2_1" target="_blank"&gt;Microsoft Ignite&lt;/A&gt; - we’ll be announcing exciting new capabilities for Security Copilot and sharing what’s next in AI-powered security.&lt;/P&gt;</description>
      <pubDate>Fri, 10 Oct 2025 16:24:10 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/what-s-new-in-microsoft-security-copilot/ba-p/4460703</guid>
      <dc:creator>Lizzie_Heinze</dc:creator>
      <dc:date>2025-10-10T16:24:10Z</dc:date>
    </item>
    <item>
      <title>Redefining Cyber Defence with Microsoft Security Exposure Management (MSEM) and Security Copilot</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/redefining-cyber-defence-with-microsoft-security-exposure/ba-p/4459280</link>
      <description>&lt;H4&gt;&lt;STRONG&gt;Introduction&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Microsoft Security Exposure Management (MSEM) gives the Cyber Defense team a unified, continuously updated awareness of asset exposure and relevant attack paths, and classifies these findings. While MSEM continuously creates and updates these findings, the Security Operations Center (SOC) Engineering team needs to reach this data and interact with it as part of their proactive discovery exercises.&lt;/P&gt;
&lt;P&gt;Microsoft Security Copilot (SCP), on the other hand, acts as an always-ready, AI-powered copilot to the SOC Engineering team. Combined, the situational awareness from MSEM and the quick, consistent retrieval capabilities of SCP give SOC Engineers a natural-language front door into exposure insights and attack paths. The combination also makes it possible to include MSEM content, and reasoning over that content, in Security Copilot prompts and prompt books, and to use this content in automation scenarios that leverage Security Copilot.&lt;/P&gt;
&lt;P&gt;Traditionally, a SOC team member needs to navigate to Microsoft Security Advanced Hunting, retrieve data related to assets with a certain level of exposure, and then start building a plan for each asset to reduce its exposure. Each plan needs to take into consideration the nature of the exposure, where the asset is hosted, and the characteristics of the asset, and requires working knowledge of each impacted system. This approach:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Is a time-consuming process, especially given the learning curve involved in understanding each exposure before deciding on the best course of exposure reduction; and&lt;/LI&gt;
&lt;LI&gt;Can result in some undesired habits, like adopting a reactive approach rather than a proactive approach; prioritizing assets with a certain exposure risk level; or attending to exposures that are already familiar to the person reviewing the list of exposures and attack paths.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;&lt;STRONG&gt;Overview of Exposure Management&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Microsoft Security Exposure Management is a security solution that provides a unified view of security posture across company assets and workloads. Security Exposure Management enriches asset information with security context that helps you to proactively manage attack surfaces, protect critical assets, and explore and mitigate exposure risk.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Who uses Security Exposure Management?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Exposure Management is aimed at:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Security and compliance admins responsible for maintaining and improving organizational security posture.&lt;/LI&gt;
&lt;LI&gt;Security operations (SecOps) and partner teams who need visibility into data and workloads across organizational silos to effectively detect, investigate, and mitigate security threats.&lt;/LI&gt;
&lt;LI&gt;Security architects responsible for solving systematic issues in overall security posture.&lt;/LI&gt;
&lt;LI&gt;Chief Information Security Officers (CISOs) and security decision makers who need insights into organizational attack surfaces and exposure in order to understand security risk within organizational risk frameworks.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;What can I do with Security Exposure Management?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;With Security Exposure Management, you can:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Get a unified view across the organization&lt;/LI&gt;
&lt;LI&gt;Manage and investigate attack surfaces&lt;/LI&gt;
&lt;LI&gt;Discover and safeguard critical assets&lt;/LI&gt;
&lt;LI&gt;Manage exposure&lt;/LI&gt;
&lt;LI&gt;Connect your data&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Reference links:&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 95.9259%; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Overview&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/microsoft-security-exposure-management" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;What is Microsoft Security Exposure Management&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;(MSEM)&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;?&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/whats-new" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;What's ne&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;w in M&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;SEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Get started&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/get-started-exposure-management" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Start using M&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;SEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/prerequisites" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;MSEM&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;prerequisites&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/overview-data-connectors" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;How to i&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;mport data from external data connector&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;s in&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;M&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;SEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Concept&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="6" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/critical-asset-management" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Learn about critical asset management&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;in MSEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="7" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/cross-workload-attack-surfaces" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Learn about attack surface managemen&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;t in MSEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="8" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/exposure-insights-overview" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Learn about exposure insight&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;s in MSEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="9" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/work-attack-paths-overview" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Learn about attack path&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;s in MSEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;How-To Guide&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="10" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/classify-critical-assets" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Review and classify critical asset&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;s in MSEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="11" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/initiatives" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Review security initiative&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;s in MSEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="12" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/security-metrics" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Investigate security metric&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;s in MSEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="13" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/security-recommendations" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Review security recommendation&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;s in MSEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="14" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/query-enterprise-exposure-graph" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Query the enterprise exposure grap&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;h in MSEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="15" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/enterprise-exposure-map" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Explore with the attack surface ma&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;p in MSEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="16" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/review-attack-paths" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Review potential attack path&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;s in MSEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="17" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/integration-licensing" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Integration and licensing for M&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;SEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335551500&amp;quot;:0,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="18" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/security-exposure-management/compare-secure-score-security-exposure-management" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Compare M&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;SEM&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;with&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;S&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;ecure&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;S&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;core&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H4&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Overview of Security Copilot plugins and skills&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Microsoft Security Copilot is a generative AI-powered assistant designed to augment security operations by accelerating detection, investigation, and response. Its extensibility through plugins and skills enables organizations to tailor the platform to their unique environments, integrate diverse data sources, and automate complex workflows.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Plugin Architecture and Categories:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Security Copilot supports a growing ecosystem of plugins categorized into:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="24" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;First-party&amp;nbsp;plugins&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;:&lt;/SPAN&gt; &lt;SPAN data-contrast="auto"&gt;Native integrations with Microsoft services such as Microsoft Sentinel, Defender XDR, Intune, Entra, Purview, and Defender for Cloud.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6,&amp;quot;335559685&amp;quot;:2880,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559991&amp;quot;:2520,&amp;quot;469777462&amp;quot;:[2880],&amp;quot;469777927&amp;quot;:[0],&amp;quot;469777928&amp;quot;:[1]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="24" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Third-party&amp;nbsp;plugins&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;:&lt;/SPAN&gt; &lt;SPAN data-contrast="auto"&gt;Integrations with external security platforms and ISVs, enabling broader telemetry and contextual enrichment.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6,&amp;quot;335559685&amp;quot;:2880,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559991&amp;quot;:2520,&amp;quot;469777462&amp;quot;:[2880],&amp;quot;469777927&amp;quot;:[0],&amp;quot;469777928&amp;quot;:[1]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="24" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Custom&amp;nbsp;plugins&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;:&lt;/SPAN&gt; &lt;SPAN data-contrast="auto"&gt;User-developed extensions using KQL, GPT, or API-based logic to address specific use cases or data&amp;nbsp;sources.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Plugins act as grounding sources—providing context, verifying responses, and enabling Copilot to&amp;nbsp;operate&amp;nbsp;across embedded experiences or standalone sessions. Users can toggle plugins on/off, prioritize sources, and personalize settings (e.g., default Sentinel workspace) to streamline investigations.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Skills and Promptbooks&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Skills in Security Copilot are modular capabilities that guide the AI in executing tasks such as incident triage, threat hunting, or policy analysis. These are often bundled into promptbooks, which are reusable, scenario-driven workflows that combine plugins, prompts, and logic to automate investigations or compliance checks.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Security analysts can create, manage, and share promptbooks across tenants, enabling consistent execution of best practices. Promptbooks can be customized to include plugin-specific logic, such as querying Microsoft Graph API or running KQL-based detections.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Role-Based Access and Governance&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Security Copilot enforces role-based access through Entra ID security groups:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="25" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Copilot&amp;nbsp;Owners:&lt;/SPAN&gt; &lt;SPAN data-contrast="auto"&gt;Full access to manage plugins, promptbooks, and tenant-wide settings.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:80,&amp;quot;469777462&amp;quot;:[2880],&amp;quot;469777927&amp;quot;:[0],&amp;quot;469777928&amp;quot;:[1]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="25" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Copilot&amp;nbsp;Contributors:&lt;/SPAN&gt; &lt;SPAN data-contrast="auto"&gt;Can create sessions and use promptbooks but have limited plugin publishing rights.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;469777462&amp;quot;:[2880],&amp;quot;469777927&amp;quot;:[0],&amp;quot;469777928&amp;quot;:[1]}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Each embedded experience may require&amp;nbsp;additional&amp;nbsp;service-specific roles (e.g., Sentinel Reader, Endpoint Security Manager) to access relevant data. Governance files and onboarding templates help teams align plugin usage with organizational policies.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Connecting Exposure Management with Security Copilot&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;There are multiple benefits of connecting MSEM with Security Copilot (as explained in section 1&amp;nbsp;[Introduction]&amp;nbsp;of this paper). We wrote a plugin with&amp;nbsp;two skills to harness the Exposure Management insights within Security Copilot and to eventually understand the&amp;nbsp;exposure of assets&amp;nbsp;hosted in&amp;nbsp;a particular&amp;nbsp;cloud platform&amp;nbsp;by&amp;nbsp;your organization and of assets belonging to&amp;nbsp;a&amp;nbsp;specific&amp;nbsp;user.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&lt;SPAN data-contrast="auto"&gt;A high-level architecture of the connectivity looks like this:&lt;/SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The two skills of the plugin correspond to the following two use cases:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Obtain exposure of&amp;nbsp;an asset&amp;nbsp;hosted on&amp;nbsp;a particular cloud platform&amp;nbsp;by&amp;nbsp;your organization&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:false,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN data-contrast="auto"&gt;Obtain exposure of an asset belonging to&amp;nbsp;a&amp;nbsp;specific user&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:720}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In each of these use cases, you can also specify the exposure level for which you want to extract the data.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Plugin&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Code (YAML)&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://github.com/Azure/Security-Copilot/tree/main/Plugins/Community%20Based%20Plugins/Microsoft%20Security%20Exposure%20Management" target="_blank"&gt;GitHub - Microsoft Security Exposure Management plugin for Security Copilot - YAML&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;&lt;SPAN data-ccp-props="{}"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Proof of Concept (screen video)&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233279&amp;quot;:true,&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;img /&gt;
&lt;H4&gt;&lt;STRONG&gt;Conclusion&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Here, we proposed an alternative approach that improves the SOC’s efficiency and helps the organization reduce the time from exposure discovery to exposure reduction. This approach lets the SOC person retrieve assets that fit a certain profile, for example by prompting Security Copilot to &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;“List all&amp;nbsp;assets hosted on Azure with Low Exposure Level”&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;. After all affected assets are retrieved, the user can prompt Security Copilot to&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;“For each asset, help me&amp;nbsp;create a 7-day plan to reduce these exposures”&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;and can finally conclude with the prompt&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;“Create an Executive Report, start by explaining to non-technical audience the risks associated with the identified exposures, then&amp;nbsp;list all affected assets, along with a summary of the steps needed&amp;nbsp;to reduce&amp;nbsp;the exposures identified”&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;. These prompts can also be organized in a promptbook, further reducing the burden on the SOC person, and can be run by automation at regular intervals; the automation can then email the report to the intended audience or be extended to create relevant tickets in the IT Service Management system.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;An additional approach to risk management is to keep an eye on highly targeted personas within the organization. With the proposed integration, a SOC person can prompt Security Copilot with “&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;What are the exposure risks associated with the devices&amp;nbsp;owned&amp;nbsp;by the&amp;nbsp;Contoso person&amp;nbsp;&lt;/SPAN&gt;&lt;A href="mailto:john.doe@contoso.com" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;john.doe@contoso.com&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;”. This helps the SOC person identify and remediate attack paths targeting devices used by highly targeted persons. Within the same session, the SOC person can dig deeper to find any potential exploitation of these exposures, get recommendations on how to reduce them, and draft an action plan.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 07 Oct 2025 18:19:39 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/redefining-cyber-defence-with-microsoft-security-exposure/ba-p/4459280</guid>
      <dc:creator>shrutiailani</dc:creator>
      <dc:date>2025-10-07T18:19:39Z</dc:date>
    </item>
    <item>
      <title>From idea to Security Copilot agent: Create, customize, and deploy</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/from-idea-to-security-copilot-agent-create-customize-and-deploy/ba-p/4458516</link>
      <description>&lt;P&gt;This week at &lt;A class="lia-external-url" href="https://secure.event.microsoft.com/" target="_blank" rel="noopener"&gt;Microsoft Secure&lt;/A&gt;, we &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/securitycopilotblog/agentic-security-your-way-build-your-own-security-copilot-agents/4454555" target="_blank" rel="noopener" data-lia-auto-title="announced the next big step forward in agentic security" data-lia-auto-title-active="0"&gt;announced the next big step forward in agentic security&lt;/A&gt;. In addition to Microsoft and partner-built agents, you can now &lt;A class="lia-external-url" href="https://www.youtube.com/watch?v=f-IosS4FYws" target="_blank" rel="noopener"&gt;create your own Security Copilot agents&lt;/A&gt;, extending the growing ecosystem of agents that help teams automate workflows, close gaps, and drive stronger security and IT outcomes.&lt;/P&gt;
&lt;P&gt;Why it matters: no two environments are the same. Out-of-the-box agents give you powerful starting points, but your workflows are unique. With custom agents, you get the flexibility to design and deploy solutions that fit your organization.&lt;/P&gt;
&lt;H5&gt;Two ways to build: Your choice, your workflow&lt;/H5&gt;
&lt;P&gt;Security Copilot gives you options. Analysts can easily build with a no-code interface. Developers can stay in their preferred coding environment. Either way, you end up with a fully functional, testable, and deployable agent.&lt;/P&gt;
&lt;P&gt;For full documentation and detailed guidance on building agents, check out the &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/developer/" target="_blank" rel="noopener"&gt;Microsoft Security Copilot documentation&lt;/A&gt;. But now, let’s walk through the key steps so you can get started building your own agent today.&lt;/P&gt;
&lt;H5&gt;Option 1: Build in Security Copilot, no coding required&lt;/H5&gt;
&lt;P&gt;&lt;SPAN class="lia-text-color-21"&gt;Step 1: &lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN class="lia-text-color-21"&gt;Create in natural language&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Click ‘Build’ in the left nav, describe what you want your agent to do in plain language, and submit. Security Copilot will engage in a back-and-forth conversation to clarify and capture your intent so you start with precision.&lt;/P&gt;
&lt;P&gt;Step 2: &lt;STRONG&gt;Auto-generate the configuration&lt;/STRONG&gt;&lt;BR /&gt;Security Copilot instantly creates a starter setup, giving you:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;An agent name and description&lt;/LI&gt;
&lt;LI&gt;Clear instructions and input parameters&lt;/LI&gt;
&lt;LI&gt;Recommended tools pulled from the catalog, including Microsoft, partner, and Sentinel MCP tools&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This saves time and generates a strong foundation you can build on.&lt;/P&gt;
&lt;P&gt;Step 3: &lt;STRONG&gt;Customize to fit your needs&lt;/STRONG&gt;&lt;BR /&gt;Tailor the configuration to your needs; you can edit any part. Update instructions, swap tools, or add new ones from the tool catalog. If the right tool isn’t available, you can create one in natural language or a form-based experience. You’re in full control of how your agent works.&lt;/P&gt;
&lt;P&gt;Step 4:&lt;STRONG&gt; Keep YAML and no-code views aligned&lt;/STRONG&gt;&lt;BR /&gt;Every change you make is automatically reflected in the underlying YAML code. This ensures consistency between the no-code visual and code views, so both analysts and developers can work with confidence. Toggle on ‘view code’ to see it live.&lt;/P&gt;
&lt;P&gt;Step 5:&lt;STRONG&gt; Test and elevate with autotune instruction optimization&lt;/STRONG&gt;&lt;BR /&gt;Run full end-to-end tests or test individual components to see how your agent performs. Security Copilot shows detailed outputs and a step-by-step activity map of the agent’s dynamic plan, including the tools, inputs, and outputs.&lt;/P&gt;
&lt;P&gt;While you can test without it, turning on autotune instruction optimization delivers major advantages:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Refined instruction recommendations you can copy directly into your config&lt;/LI&gt;
&lt;LI&gt;AI quality scoring on clarity, grounding, and detail to ensure your agent is effective before publishing&lt;/LI&gt;
&lt;LI&gt;Faster iteration with confidence your agent is tuned for real-world use&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Explore the activity graph tab to view a visual node map of the run, and click any node to see details of what happened at each step.&lt;/P&gt;
&lt;P&gt;Step 6: &lt;STRONG&gt;Publish and share&lt;/STRONG&gt;&lt;BR /&gt;When you’re ready, publish the agent into your Security Copilot instance at either a user or workspace scope (depending on admin permissions). If you’re a partner, you can also download the agent code, publish to the Microsoft Partner Center and contribute it to the Microsoft Security Store for broader visibility and adoption by customers.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Benefit:&lt;/STRONG&gt;&lt;STRONG&gt; &lt;/STRONG&gt;Build production-ready agents in minutes without writing a single line of code.&lt;/P&gt;
&lt;P&gt;It’s that easy to build an agent tailored to your unique workflows, and you are not limited to the Security Copilot portal. If you prefer a developer-friendly environment, you can build entirely in VS Code using GitHub Copilot and Microsoft Sentinel MCP tools. You still get AI-powered guidance, YAML scaffolding, and testing support, along with rich context from Sentinel data and the full platform toolset, all while staying in the environment that works best for you.&lt;/P&gt;
&lt;H5&gt;Option 2: Build in VS Code using GitHub Copilot + Microsoft Sentinel MCP Tools&lt;/H5&gt;
&lt;P&gt;Step 1: &lt;STRONG&gt;Set up your development environment&lt;/STRONG&gt;&lt;BR /&gt;Enable the Microsoft Sentinel MCP server in VS Code. This gives you direct access to the collection of Security Copilot agent creation MCP tools and integrates with GitHub Copilot for code generation – all while staying in your preferred workspace.&lt;/P&gt;
&lt;P&gt;Step 2: &lt;STRONG&gt;Define agent behavior from natural language with platform context&lt;/STRONG&gt;&lt;BR /&gt;Describe the agent you want to build in natural language. GitHub Copilot interprets your intent, selects the relevant MCP tools, finds relevant skills and tools in Security Copilot for your agent, and crafts the agent instructions. The agent YAML is generated and returned to you. Because your agent is built on Microsoft Security Copilot and Sentinel, it automatically leverages rich data and tooling across the platform for context-aware, more effective results.&lt;/P&gt;
&lt;P&gt;Step 3:&lt;STRONG&gt; Iterate, customize and extend your agent&lt;/STRONG&gt;&lt;BR /&gt;Modify instructions, add tools, or create new tools as needed. Use prompts to vibe code your edits or copy the YAML into the code editor and directly modify the agent YAML there. GitHub Copilot keeps the chat and code in sync.&lt;/P&gt;
&lt;P&gt;Step 4: &lt;STRONG&gt;Deploy to Security Copilot for testing&lt;/STRONG&gt;&lt;BR /&gt;Once you’re ready to test your agent YAML, prompt GitHub Copilot to deploy the agent to your user scope. Then head to the Security Copilot portal to test and optimize your agent with autotune instruction optimization. Take advantage of detailed outputs, activity maps, and AI scoring to refine instructions and ensure your agent performs effectively in real-world scenarios.&lt;/P&gt;
&lt;P&gt;Step 5:&lt;STRONG&gt; Publish and share your agent&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Once validated, publish the agent into your Security Copilot instance at either user or workspace scope (depending on admin permissions). Partners can also download the agent code, &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/security/store/publish-a-security-copilot-agent-or-analytics-solution-in-security-store" target="_blank" rel="noopener"&gt;publish to the Microsoft Partner Center&lt;/A&gt;, and contribute it to the Microsoft Security Store for broader discoverability and adoption.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What you get:&lt;/STRONG&gt; Full code-level control and the same AI-powered agent development experience while staying in your preferred workspace.&lt;/P&gt;
&lt;P&gt;Whichever approach you choose, you can build, test, and deploy agents that fit your workflows and environment. Microsoft Security Copilot and Microsoft Sentinel give you the tools and advanced AI guidance to create agents that work for your organization.&lt;/P&gt;
&lt;H5&gt;Explore the Microsoft Security Store&lt;/H5&gt;
&lt;P&gt;Automate your workflows with pre-built solutions. The &lt;A class="lia-external-url" href="https://securitystore.microsoft.com/" target="_blank" rel="noopener"&gt;Microsoft Security Store&lt;/A&gt; gives you a central place to discover and deploy agents and SaaS solutions created by Microsoft and partners. Browse ready-to-use solutions, learn from proven approaches, and adapt them with your own customizations. It’s the quickest way to expand your ecosystem of agents and accelerate impact. More resources about the Security Store: &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/security/store/what-is-security-store" target="_blank" rel="noopener"&gt;What is Security Store? Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;H5&gt;Build, deploy, defend&lt;/H5&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/security/business/ai-machine-learning/microsoft-security-copilot?msockid=3078bb0cbe6e63980b2caeb9bf2262a5" target="_blank" rel="noopener"&gt;Security Copilot &lt;/A&gt;puts the power of agentic AI directly in your hands. Start with ready-to-use agents from Microsoft and partners, or create custom agents designed specifically for your environment and workflows. These agents streamline decision-making, surface critical insights, and free your team to focus on strategic security initiatives - making operations faster, smarter, and more responsive.&lt;/P&gt;
&lt;P&gt;Join us at &lt;A class="lia-external-url" href="https://ignite.microsoft.com/en-US/home" target="_blank" rel="noopener"&gt;Microsoft Ignite&lt;/A&gt;, online or in-person, for hands-on demos and insights on how Security Copilot agents empower teams to act faster and protect better.&lt;/P&gt;
&lt;H5&gt;More resources on building Security Copilot agents:&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;Watch the Mechanics video to see agents in action:&amp;nbsp;&lt;A class="lia-external-url" href="https://www.bing.com/videos/riverview/relatedvideo?pglt=171&amp;amp;q=building+security+copilot+agents+mechanics+video&amp;amp;cvid=9de8188d7af5419687fcf36b508066be&amp;amp;gs_lcrp=EgRlZGdlKgYIABBFGDkyBggAEEUYOTIICAEQ6QcY_FXSAQg2NzkxajBqMagCALACAA&amp;amp;PC=LCTS&amp;amp;ru=%2fsearch%3fpglt%3d171%26q%3dbuilding%2bsecurity%2bcopilot%2bagents%2bmechanics%2bvideo%26cvid%3d9de8188d7af5419687fcf36b508066be%26gs_lcrp%3dEgRlZGdlKgYIABBFGDkyBggAEEUYOTIICAEQ6QcY_FXSAQg2NzkxajBqMagCALACAA%26FORM%3dANNAB1%26PC%3dLCTS&amp;amp;mmscn=vwrc&amp;amp;mid=528B1F8794976C2CCE8E528B1F8794976C2CCE8E&amp;amp;FORM=WRVORC&amp;amp;ntb=1&amp;amp;msockid=3bd69f619fd211f0941d62e87f440f9b" target="_blank" rel="noopener"&gt;Security Copilot agents Mechanics video&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;For more detailed guidance on building agents, check out the&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/copilot/security/developer/" target="_blank" rel="noopener"&gt;Microsoft Security Copilot documentation&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Special thanks to my co-authors, Namrata Puri (Principal PM, Security Copilot) and Sherie Pan (PM, Security Copilot), for their insights and contributions.&lt;/P&gt;</description>
      <pubDate>Fri, 03 Oct 2025 01:05:23 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/from-idea-to-security-copilot-agent-create-customize-and-deploy/ba-p/4458516</guid>
      <dc:creator>Lizzie_Heinze</dc:creator>
      <dc:date>2025-10-03T01:05:23Z</dc:date>
    </item>
    <item>
      <title>Agentic security your way: Build your own Security Copilot agents</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/agentic-security-your-way-build-your-own-security-copilot-agents/ba-p/4454555</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Microsoft Security Copilot is redefining how security and IT teams operate. Today at Microsoft Secure, we’re unveiling powerful updates that put genAI and agent-driven automation at the center of modern defense. In a world where threats move faster than ever, alerts pile up, and resources stay tight, Security Copilot delivers the competitive edge: contextual intelligence, a growing network of agents, and the flexibility to build your own.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The announcements focus on three key areas:&amp;nbsp;building&amp;nbsp;your own Security Copilot agents&amp;nbsp;for&amp;nbsp;tailored&amp;nbsp;workflows,&amp;nbsp;expanding the agent ecosystem with new Microsoft and partner solutions, and&amp;nbsp;improving agent quality and performance.&amp;nbsp;These updates build on the agents first introduced in March while giving&amp;nbsp;security and IT&amp;nbsp;teams more flexibility and control.&amp;nbsp;This is the blueprint for the next era of agentic defense, and it starts now.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1&gt;&lt;SPAN data-ccp-props="{}"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Build your own Security Copilot a&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;gents&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;, your way&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;While we already offer a growing catalog of ready-to-use agents built by Microsoft and partners, we&amp;nbsp;know that no two environments are alike.&amp;nbsp;That’s&amp;nbsp;why Security Copilot empowers you to &lt;STRONG&gt;create&amp;nbsp;custom&amp;nbsp;agents&lt;/STRONG&gt; your way&amp;nbsp;for&amp;nbsp;tailored workflows&amp;nbsp;– whether&amp;nbsp;you're&amp;nbsp;an analyst with limited coding experience or a developer using your favorite&amp;nbsp;platform&amp;nbsp;–&amp;nbsp;you can build agents that fit your needs.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Build agents&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;&amp;nbsp;in&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;&amp;nbsp;the Security Copilot&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;portal&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Users can now build agents with a simplified, no-code interface in the standalone Security Copilot experience. Simply describe the task or workflow in natural language, and Copilot automatically generates the agent code. You can edit components, add any additional tools, including Sentinel&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://aka.ms/sentinel/tools" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;MCP tools&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;from our rich tool catalog,&amp;nbsp;test the agent,&amp;nbsp;optimize&amp;nbsp;its instructions, and publish directly to your tenant. Create&amp;nbsp;dynamic, ready-to-use agents in minutes&amp;nbsp;–&amp;nbsp;without&amp;nbsp;writing any code.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Build agents&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;&amp;nbsp;in&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;a preferred MCP server-enabled development environment&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;For teams with experienced developers, you can also use natural language and vibe-coding to build agents in a preferred MCP server-enabled coding platform, such as VS Code using GitHub Copilot. By enabling the Sentinel MCP server, developers can access MCP tools to build, refine, and deploy custom agents directly within their workspace. This approach gives full control over code, tools, and deployment while keeping the process within familiar development platforms.&amp;nbsp;&lt;/P&gt;
&lt;div data-video-id="https://www.youtube.com/watch?v=f-IosS4FYws&amp;amp;feature=youtu.be/1759237383508" data-video-remote-vid="https://www.youtube.com/watch?v=f-IosS4FYws&amp;amp;feature=youtu.be/1759237383508" class="lia-video-container lia-media-is-center lia-media-size-large"&gt;&lt;iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2Ff-IosS4FYws&amp;amp;display_name=YouTube&amp;amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Df-IosS4FYws&amp;amp;image=http%3A%2F%2Fi.ytimg.com%2Fvi%2Ff-IosS4FYws%2Fhqdefault.jpg&amp;amp;type=text%2Fhtml&amp;amp;schema=youtube" allowfullscreen="" style="max-width: 100%"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;These options empower both technical and non-technical teams to rapidly create, test, and deploy custom Security Copilot agents. Organizations can automate workflows faster,&amp;nbsp;design&amp;nbsp;agents to their unique needs, and improve security and IT operations across the board.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Discover&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;new Security Copilot agents&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Since&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://techcommunity.microsoft.com/blog/securitycopilotblog/automate-cybersecurity-at-scale-with-microsoft-security-copilot-agents/4394675" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Security Copilot agents were first introduced in March&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, we have delivered more than a dozen Microsoft and partner-developed agents that help organizations tackle&amp;nbsp;real challenges&amp;nbsp;in security and IT operations. Analysts using the Conditional Access Optimization Agent in&amp;nbsp;Microsoft Entra have been able to quickly uncover policy gaps, closing an average of 26 gaps per customer in just one month, with 73% of early adopters acting on at least one recommendation. The Phishing Triage Agent in Microsoft Defender has allowed analysts to shift from reactive&amp;nbsp;sifting&amp;nbsp;to proactive resolution, reducing triage time by up to 78%.&amp;nbsp;Read how&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/en/customers/story/25330-st-lukes-university-health-network-microsoft-security-copilot" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;St. Luke’s University saves nearly&amp;nbsp;200 hours&amp;nbsp;monthly&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;in phishing alert triage and creates incident reports in minutes instead of hours.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;&lt;EM class="lia-align-center"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Quote Char"&gt;The Phishing Triage Agent is a game changer. &lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Quote Char"&gt;It’s&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Quote Char"&gt;&amp;nbsp;saving us&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Quote Char"&gt;nearly&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Quote Char"&gt;200&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Quote Char"&gt;&amp;nbsp;hours&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Quote Char"&gt;&amp;nbsp;monthly by autonomously handling and closing thousands of false positive alerts.&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:2,&amp;quot;335551620&amp;quot;:2}"&gt;&amp;nbsp;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/EM&gt;&lt;EM class="lia-align-center"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="Quote"&gt;- Krista Arndt, ACISO, St. Luke’s University Health Network&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:2,&amp;quot;335551620&amp;quot;:2,&amp;quot;335559738&amp;quot;:160}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/EM&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;We’re continuing to build on this momentum with new agents designed to address additional security and IT scenarios. &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The new&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Access Review Agent&amp;nbsp;in Microsoft Entra&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;tackles a common challenge: reducing access review fatigue and the approval of access without review.&amp;nbsp;It&amp;nbsp;analyzes ongoing reviews, flags anomalies or unusual access patterns, and delivers actionable guidance in a conversational interface. Reviewers can approve, revoke, or request more details&amp;nbsp;right in&amp;nbsp;Microsoft&amp;nbsp;Teams,&amp;nbsp;helping them focus on the riskiest access, make faster&amp;nbsp;decisions, and&amp;nbsp;strengthen&amp;nbsp;compliance.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;With innovations like this, we’re not just reducing fatigue—we’re redefining how access governance is done, setting the standard for security agents that adapt to the way people work. Learn more about the Access Review Agent &lt;/SPAN&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/the-microsoft-entra-agent-for-smarter-access-governance-access-review-agent/4279689" target="_blank" rel="noopener"&gt;here&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&lt;SPAN data-contrast="auto"&gt;And, with the growing range of agentic use cases, the new &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Microsoft&amp;nbsp;Security Store&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;is your one-stop shop to&amp;nbsp;discover,&amp;nbsp;purchase, and deploy Security Copilot agents built by Microsoft and trusted partners.&amp;nbsp;Find solutions&amp;nbsp;aligned&amp;nbsp;for SOC, IT, privacy, compliance, and governance teams, all in one place. By uniting discovery,&amp;nbsp;deployment, and publishing in a single experience, Security Store powers a thriving ecosystem&amp;nbsp;that gives your team&amp;nbsp;a unique advantage: access to an ever-expanding range of agent capabilities that evolve as fast as the challenges they face.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In addition to helping customers find the right solutions, Security Store also enables partners to bring their innovations to market. Partners can build and publish Security Copilot agents and SaaS solutions to grow their business and reach new customers.&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;Today, we are announcing&amp;nbsp;30&amp;nbsp;new partner-built agents&amp;nbsp;as well as 50 partner SaaS solutions in the Security Store.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;The launch of&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;30 new partner-built agents&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;brings forward solutions like:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;A&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Forensic Agent&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;by&amp;nbsp;glueckkanja&amp;nbsp;AG&amp;nbsp;delivers&amp;nbsp;deep-dive analysis of Defender XDR incidents&amp;nbsp;to accelerate investigations,&amp;nbsp;while their&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Privileged&amp;nbsp;Admin Watchdog&amp;nbsp;Agent&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;helps enforce zero standing privilege principles by getting rid of persistent admin&amp;nbsp;identities.&amp;nbsp;These innovations, along with their other 6 agents in the Security Store today,&amp;nbsp;demonstrate&amp;nbsp;how&amp;nbsp;glueckkanja&amp;nbsp;AG is empowering organizations to tackle a wide range of security and IT challenges.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;3 agents from&amp;nbsp;adaQuest&amp;nbsp;focused on automating investigation&amp;nbsp;and response to focus security teams on what matters.&amp;nbsp;A&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;Ransomware Kill Chain Investigator Agent&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;by&amp;nbsp;adaQuest&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;automates ransomware triage, an&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Entity Guard Investigator Agent&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;by&amp;nbsp;adaQuest&amp;nbsp;investigates Defender incidents, and an&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;&lt;STRONG&gt;Admin Guard Insight Agent&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;analyzes administrative activity, detects&amp;nbsp;anomalies, evaluates risk exposure&amp;nbsp;and compliance, offering actionable insights to improve administrative security posture.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;An&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;&amp;nbsp;Identity Workload ID Agent&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;by Invoke&amp;nbsp;empowers identity administrators and security&amp;nbsp;teams to manage and secure Workload Identities in Microsoft Entra,&amp;nbsp;helping to&amp;nbsp;reduce&amp;nbsp;risk,&amp;nbsp;strengthen&amp;nbsp;compliance,&amp;nbsp;and provide more&amp;nbsp;control over identity sprawl.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;To learn more about all&amp;nbsp;new&amp;nbsp;partner-built agents&amp;nbsp;as well as partner SaaS offerings,&amp;nbsp;read the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://aka.ms/securitystore/techblog" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;blog&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt; or head to the &lt;A href="https://securitystore.microsoft.com/" target="_blank" rel="noopener"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Security Store.&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Smarter, faster Security Copilot agents&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;High-quality LLM instructions are critical to agent performance, yet manually fine-tuning them is time-consuming and error-prone. We’re excited to introduce tools that help improve custom-built agent quality and performance, starting with &lt;STRONG&gt;autotune instruction optimization.&lt;/STRONG&gt; Autotune eliminates the need for manual tuning by automatically analyzing and refining agent instructions for optimal performance. Simply enable autotune during testing and submit, then receive a detailed results report with suggested prompt changes to boost your agent’s AI quality score quickly and effortlessly. This optimization not only delivers better outcomes faster, but it also ensures that every agent in our ecosystem is always evolving - making them smarter, sharper, and more effective over time.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;But instructions are only part of the picture.&amp;nbsp;To&amp;nbsp;truly empower&amp;nbsp;agents,&amp;nbsp;context&amp;nbsp;and data are key.&amp;nbsp;By combining rich security signals from Microsoft Sentinel with advanced AI reasoning, Microsoft is setting a new standard for what agents can achieve—resolving incidents faster,&amp;nbsp;optimizing&amp;nbsp;workflows, and delivering deeper, more actionable insight. Security Copilot&amp;nbsp;leverages&amp;nbsp;a &lt;STRONG&gt;unified foundation of structured, graph, and semantic data from Sentinel &lt;/STRONG&gt;to give agents the context they need to connect the dots across your environment. This deep integration transforms what AI can do, enabling agents to reason, adapt, and act with precision at machine speed.&amp;nbsp;Read the Sentinel&amp;nbsp;graph&amp;nbsp;announcement&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://aka.ms/sentinel/graph/techblog" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;here&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 2 Char"&gt;Get Started Today&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;With Security Copilot, the power of AI is now in your hands. Deploy ready-to-use agents from Microsoft and partners, or design custom agents built for your environment and workflows. These agents accelerate decision-making, surface critical insights, and let teams focus on strategic security work - turning complexity into clarity and speed. Explore Security Store today to experience how agentic automation is reshaping security operations and unlocking the full potential of your team.&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/copilot/security/developer/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Learn&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;more&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;about&amp;nbsp;how to create your own agents.&lt;/SPAN&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Deep dive into these innovations at &lt;/SPAN&gt;&lt;A href="https://register.secure.microsoft.com/?ocid=cmme8nzzcuz" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Secure&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;on Sept. 30, Oct. 1 or on demand. Then, join us at&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://ignite.microsoft.com/en-US/home?wt.mc_ID=Ignite2025_marx_corp_bl_oo_bl_Security_2_1" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Ignite&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;,&amp;nbsp;Nov,&amp;nbsp;17–21 in San Francisco, CA or online—for more innovations, hands-on labs, and expert connections.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 30 Sep 2025 13:31:50 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/agentic-security-your-way-build-your-own-security-copilot-agents/ba-p/4454555</guid>
      <dc:creator>Dorothy_Li</dc:creator>
      <dc:date>2025-09-30T13:31:50Z</dc:date>
    </item>
    <item>
      <title>Supercharging Security Copilot with Logic Apps: Best practices and pro tips</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/supercharging-security-copilot-with-logic-apps-best-practices/ba-p/4456379</link>
      <description>&lt;P&gt;Integrating Microsoft Security Copilot with Azure Logic Apps enables security teams to automate investigations, orchestrate fast incident response, and unify workflows across the modern enterprise. By leveraging the unique strengths of both platforms, organizations can achieve scalable, efficient, and actionable security automation.&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Why Integrate Security Copilot with Logic Apps?&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Security Copilot brings AI-powered reasoning, automation, and natural language-to-action workflow capabilities. When paired with Logic Apps, it enables:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Seamless orchestration:&lt;/STRONG&gt; Launch incident investigations or automated email analysis with a single trigger.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Advanced automation:&lt;/STRONG&gt; Integrate across Microsoft and third-party security tools without heavy coding.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Consistent, repeatable outcomes:&lt;/STRONG&gt; Use Security Copilot's prompts and promptbooks for security-centric routines and reduce the potential for error.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Common scenarios include incident response initiation, scheduled security reports, and automated threat intelligence gathering.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Best Practices for designing robust workflows: &lt;/STRONG&gt;&lt;/H4&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt; &lt;/STRONG&gt;&lt;STRONG&gt;Identify your use case&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Not all scenarios require automation. Likewise, not all use cases benefit equally from combining automation with AI enrichment. The first step in unlocking value from Azure Logic Apps and Security Copilot is selecting the right use cases—those that align with both operational needs and the capabilities of these tools.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&lt;STRONG&gt;To identify a suitable use case, we suggest the following guidelines:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI style="list-style-type: none;"&gt;
&lt;UL&gt;
&lt;LI style="list-style-type: none;"&gt;
&lt;UL&gt;
&lt;LI&gt;Start with repetitive tasks: Look for tasks that are performed frequently and follow a predictable pattern, such as alert enrichment, ticket creation, or user access reviews. These are ideal candidates for automation via Logic Apps.&lt;/LI&gt;
&lt;LI&gt;Assess the complexity of decision-making: If a task involves nuanced decision-making or contextual analysis—like investigating suspicious sign-ins or correlating threat indicators—Security Copilot’s AI capabilities can add significant value.&lt;/LI&gt;
&lt;LI&gt;Evaluate data availability and integration points: Ensure the use case involves systems and data sources that Logic Apps can connect to easily (e.g., Microsoft Sentinel, Entra ID, Office 365 E-mail). While it is possible to build your own custom connectors, the availability of built-in connectors is a key consideration for the success of the integration.&lt;/LI&gt;
&lt;LI&gt;Consider the impact on security operations: Prioritize use cases that reduce manual effort, accelerate response times, or improve accuracy in threat detection and remediation.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Check for existing playbooks or templates: Use cases that align with existing Logic Apps templates or Security Copilot skills are easier to implement and test. Microsoft’s GitHub repository for Copilot for Security or the Sentinel GitHub repos are great places to start.&lt;/LI&gt;
&lt;LI&gt;Validate with stakeholders: Collaborate with SOC managers, incident responders, and IT admins to confirm that the selected use case addresses a real pain point and fits within current workflows.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL start="2"&gt;
&lt;LI&gt;&lt;STRONG&gt; &lt;/STRONG&gt;&lt;STRONG&gt;Optimize for performance, cost, and scale &lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI style="list-style-type: none;"&gt;
&lt;UL&gt;
&lt;LI style="list-style-type: none;"&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Leverage direct skill invocation&lt;/STRONG&gt;: This has the effect of cost reduction and faster execution as the planning process that natural language prompts must go through is bypassed.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Optimize Security Copilot calls:&lt;/STRONG&gt; Limit Copilot calls within workflows to actions that benefit from AI-value addition, such as reducing cognitive load on the Security Analyst or providing reasoning over disparate sets of facts, while taking advantage of the investigation context powered by the wide range of Security Copilot skills that are native to the product.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Logic App tuning:&lt;/STRONG&gt;&amp;nbsp;Fine-tune trigger frequency and the need for AI-value addition. For example, you may only need to attach a Logic App that submits Security Copilot prompts as part of its flow to detection rules whose expected incidents are complex, rather than to all detection rules and resulting incidents.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;&lt;STRONG&gt;Pro Tips &lt;/STRONG&gt;&lt;/H4&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;i. Prototype cost-effective, complex workflows&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-90px"&gt;Prototype complex workflows with test data before deploying to production environments. You can do this by simulating Security Copilot prompts with a variable instead of making actual calls to Security Copilot during the testing phase. Follow these steps:&lt;/P&gt;
&lt;P class="lia-indent-padding-left-210px"&gt;a. Run the prompt or promptbook within Security Copilot to obtain the desired payload&lt;/P&gt;
&lt;P class="lia-indent-padding-left-210px"&gt;b. In this example we need to execute the following promptbook as part of a workflow that involves extraction of firewall device names and their owners so that we can send them an e-mail, alerting them to block public IPs exhibiting suspicious behaviors:&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Fig. 1 : Sample Promptbook for demo&lt;/EM&gt;&lt;/img&gt;
&lt;P class="lia-indent-padding-left-210px"&gt;c. Execute the promptbook&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Fig 2. Sample promptbook run&lt;/EM&gt;&lt;/img&gt;
&lt;P class="lia-indent-padding-left-210px"&gt;d. Next, we prompt Security Copilot to generate an output that can be used to generate a JSON formatted payload which we will eventually use to create a schema for our Logic App ParseJSON step.&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Fig 3. Output from promptbook run&lt;/EM&gt;&lt;/img&gt;
&lt;P class="lia-indent-padding-left-210px"&gt;e. Next, use an LLM, preferably an enterprise-grade one such as Microsoft 365 or Security Copilot, to generate the JSON payload&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Fig. 4: Generated sample payload&lt;/EM&gt;&lt;/img&gt;
&lt;P class="lia-indent-padding-left-210px"&gt;f. Next, use the sample payload to create the input schema for the ParseJSON step in the Logic App&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Fig. 5: Generate the schema using the sample payload&lt;/EM&gt;&lt;/img&gt;
&lt;P class="lia-indent-padding-left-210px"&gt;g. Initialize a variable and save the sample JSON in it. This will act as simulated output parsed from the &lt;STRONG&gt;EvaluationResult&lt;/STRONG&gt; of the promptbook from Security Copilot, effectively avoiding any costs involved with submitting the promptbook multiple times while you test and refine your Logic App&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Fig. 6 Image showing initialization and saving of variable&lt;/EM&gt;&lt;/img&gt;
&lt;P class="lia-indent-padding-left-210px"&gt;h. You can now run the Logic App several times without submitting any prompts to Security Copilot. If you must test with payloads that vary considerably, you can still do that by not saving the payload in the variable, selecting the “Run with payload” option, and then pasting your payload in the resulting box&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;&lt;BR /&gt;Fig. 7 Logic App snippet showing manual execution of Logic App&lt;/EM&gt;&lt;/img&gt;
&lt;P class="lia-indent-padding-left-30px lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-210px"&gt;i. Once you are happy with the Logic App flow and output, you can replace the variable with the actual Security Copilot connection for your prompt or promptbook&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Fig. 8 Partial snapshot of sample Logic App&lt;/EM&gt;&lt;/img&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;ii. Session management:&lt;/STRONG&gt; Use the Session Id field to maintain investigative context, enabling multiple prompts within a workflow to share data without re-authentication. You can also spawn new sessions, which allows for parallel execution of tasks without dependency on current session content.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;iii. Provide descriptive connector names:&lt;/STRONG&gt; Rename default connector names as you build out your Logic App. This helps with troubleshooting or maintaining the Logic App, especially if that is done by someone other than the person who built it. The example below shows names that describe exactly what each step does, in contrast to the default connector names:&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Fig. 9. Partial snapshot of Logic App showing descriptive names for Logic App connectors&lt;/EM&gt;&lt;/img&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;iv. Use custom code:&lt;/STRONG&gt; Enhance workflows with inline Python or Function App steps for specialized operations, such as complex text transformations or data extractions. In the example below, a function app is used to apply a regex operation to extract the e-mail GUID. This comes in handy when you do not have a built-in connector for specific requirements or existing ones are not as efficient or flexible as a function app would be.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Fig. 9 Logic App snippet showing use of the Function connector&lt;/EM&gt;&lt;/img&gt;
&lt;P class="lia-indent-padding-left-30px lia-clear-both"&gt;&amp;nbsp;&lt;STRONG&gt;v. Secure your Logic App workflows&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL class="lia-indent-padding-left-30px"&gt;
&lt;LI class="lia-indent-padding-left-30px" style="list-style-type: none;"&gt;
&lt;UL class="lia-indent-padding-left-30px"&gt;
&lt;LI class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;Managed identities:&lt;/STRONG&gt; Leverage managed identities across all connectors that support this authentication method whenever you use them in your flows.&lt;/LI&gt;
&lt;LI class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;Obfuscate secrets in run histories:&lt;/STRONG&gt; Actions that handle passwords, secrets, keys, or other sensitive information are visible by default from the run history of the Logic App. For example, if your logic app gets a secret from&amp;nbsp;Azure Key Vault&amp;nbsp;to use when authenticating an HTTP action, you may want to hide that secret from view by enabling the toggle button for supported actions. See below:&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Fig. 10 showing toggle set to "on" to enable securing of outputs&lt;/EM&gt;&lt;/img&gt;
&lt;P class="lia-indent-padding-left-30px lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-150px"&gt;You may also use source IP addresses to perform access restrictions to this data. See details in this &lt;A href="https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal" target="_blank" rel="noopener"&gt;document&lt;/A&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-150px"&gt;&lt;STRONG&gt;Log and monitor activities&lt;/STRONG&gt;: Enable logging for actions taken by Logic Apps in your environment for greater visibility and control. If using Microsoft Sentinel, you can send Logic App activities to your Log Analytics workspace and benefit from queries such as the one below:&lt;/P&gt;
&lt;P class="lia-indent-padding-left-150px"&gt;&lt;EM&gt;SentinelHealth&lt;/EM&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-150px"&gt;&lt;EM&gt;| where TimeGenerated &amp;gt; ago(30d)&lt;/EM&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-150px"&gt;&lt;EM&gt;| where SentinelResourceType == "Playbook"&lt;/EM&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-150px"&gt;&lt;EM&gt;| extend triggeredBy = ExtendedProperties.TriggeredByName.UserDisplayName&lt;/EM&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;vi. Use parameters&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-90px"&gt;Parameters allow workflows to be dynamic and reusable by enabling the injection of context-specific data—such as usernames, incident IDs, or IP addresses—at runtime. This flexibility means a single Logic App can serve multiple scenarios without hardcoding values, improving maintainability and scalability. Additionally, parameters help enforce security best practices by supporting secure input/output handling, which protects sensitive information during execution.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Conclusion&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P class=""&gt;Security Copilot and Logic Apps together unlock a flexible, AI-powered automation platform for any security operations team. By following these best practices—efficient prompt design, session context management, robust security controls, and scheduled automation—organizations can level up their security response and proactivity. To go even further, explore Microsoft’s official documentation, the Security Copilot Adoption Hub, &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/category/security-copilot/blog/securitycopilotblog" target="_blank" rel="noopener" data-lia-auto-title="Techcommunity blog portal" data-lia-auto-title-active="0"&gt;Techcommunity blog portal&lt;/A&gt; and our GitHub repo. If you have any feedback or ideas on how you think we can further improve the value delivered by these solutions working together, please reach out. Always happy to hear back from you.&lt;/P&gt;
&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class=""&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class=""&gt;&lt;A class="lia-external-url" href="https://github.com/Azure/Security-Copilot/tree/main/Logic%20Apps" target="_blank" rel="noopener"&gt;Security-Copilot/Logic Apps &lt;/A&gt;&lt;/P&gt;
&lt;P class=""&gt;&lt;A class="lia-external-url" href="https://adoption.microsoft.com/en-us/security-copilot/" target="_blank" rel="noopener"&gt;Microsoft Security Copilot – Microsoft Adoption&lt;/A&gt;&lt;/P&gt;
&lt;P class=""&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-category" href="https://techcommunity.microsoft.com/category/security-copilot" target="_blank" rel="noopener" data-lia-auto-title="Category: Security Copilot | Microsoft Community Hub" data-lia-auto-title-active="0"&gt;Category: Security Copilot | Microsoft Community Hub&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 24 Sep 2025 15:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/supercharging-security-copilot-with-logic-apps-best-practices/ba-p/4456379</guid>
      <dc:creator>Inwafula</dc:creator>
      <dc:date>2025-09-24T15:00:00Z</dc:date>
    </item>
    <item>
      <title>What’s new in Microsoft Security Copilot</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/what-s-new-in-microsoft-security-copilot/ba-p/4442220</link>
      <description>&lt;P&gt;Security and IT teams move fast - and so does Security Copilot. This month, we’re delivering powerful new capabilities that help security and IT professionals investigate threats, manage identities, and automate protection with greater speed and precision. From AI-powered triage and policy optimization to smarter data exploration and expanded language support, these updates are designed to help you stay ahead of threats, reduce manual effort, and unlock new levels of efficiency.&lt;/P&gt;
&lt;P&gt;Let’s dive into what’s new.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Improve IT efficiency with Copilot in Microsoft Intune – now generally available&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;IT admins can now use Security Copilot in Intune which includes a dedicated data exploration experience, allowing them to ask questions, extract insights, and take action - all from within the Intune admin center. Whether it’s identifying non-compliant devices, managing updates, or automating remediation, Copilot simplifies complex workflows and brings data and actions together in one place.&lt;BR /&gt;Learn more: &lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/security/blog/2025/07/14/improving-it-efficiency-with-microsoft-security-copilot-in-microsoft-intune-and-microsoft-entra/?msockid=3078bb0cbe6e63980b2caeb9bf2262a5" target="_blank"&gt;Copilot in Microsoft Intune announcement&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Streamline identity security with Copilot in Microsoft Entra – now generally available&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot in Microsoft Entra now brings AI-assisted investigation and identity management directly into the Entra admin center. Admins can ask natural language questions to troubleshoot sign-ins, review access, monitor tenant health, and analyze role assignments - without writing queries or switching tools. With expanded coverage and improved performance, Copilot helps teams move faster, close gaps, and stay ahead of threats.&lt;BR /&gt;Learn more: &lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/security/blog/2025/07/14/improving-it-efficiency-with-microsoft-security-copilot-in-microsoft-intune-and-microsoft-entra/?msockid=3078bb0cbe6e63980b2caeb9bf2262a5" target="_blank"&gt;Copilot in Microsoft Entra announcement&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Close gaps quickly with the Conditional Access Optimization Agent – now generally available&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The Conditional Access Optimization Agent in Microsoft Entra brings AI-powered automation to identity workflows. The agent runs autonomously to detect gaps, overlaps, and outdated policy assignments - then recommends precise, one-click remediations to close them fast.&lt;/P&gt;
&lt;P&gt;Key benefits include:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Autonomous protection: Automatically identifies users and apps not covered by policies&lt;/LI&gt;
&lt;LI&gt;Explainable decisions: Plain-language summaries and visual activity maps&lt;/LI&gt;
&lt;LI&gt;Custom adaptability: Learns from natural-language feedback and supports business rules&lt;/LI&gt;
&lt;LI&gt;Full auditability: All actions logged for compliance and transparency&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;As one security leader put it:&lt;/P&gt;
&lt;P&gt;“The Conditional Access Optimization Agent is like having a security analyst on call 24/7. It proactively identifies gaps in our Conditional Access policies and ensures every user is protected from day one... It’s a secure path to innovation that every chief information security officer can trust.”&lt;BR /&gt;—&lt;EM&gt;Julian Rasmussen, Senior Consultant and Partner, Point Taken, Microsoft MVP&lt;/EM&gt;&lt;BR /&gt;Learn more: &lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/security/blog/2025/07/14/improving-it-efficiency-with-microsoft-security-copilot-in-microsoft-intune-and-microsoft-entra/?msockid=3078bb0cbe6e63980b2caeb9bf2262a5" target="_blank"&gt;Conditional Access Optimization Agent in Microsoft Entra GA announcement&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Investigate phishing alerts faster with the new Phishing Triage Agent in Microsoft Defender&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The Phishing Triage Agent in Microsoft Defender is now in public preview, bringing autonomous, AI-powered threat detection to your SOC workflows. Powered by large language models, the agent performs deep semantic analysis of emails, URLs, and files to determine whether a submission is a phishing threat or a false alarm - without relying on static rules.&lt;/P&gt;
&lt;P&gt;It learns from analyst feedback, adapts to your organization’s patterns, and provides clear, natural language explanations for every verdict. A visual decision map shows exactly how the agent reached its conclusion, making the process fully transparent and reviewable.&lt;/P&gt;
&lt;P&gt;Learn more: &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/announcing-public-preview-phishing-triage-agent-in-microsoft-defender/4438301" data-lia-auto-title="Announcing public preview Phishing Triage Agent in Microsoft Defender" data-lia-auto-title-active="0" target="_blank"&gt;Announcing public preview Phishing Triage Agent in Microsoft Defender&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;The Threat Intelligence Briefing Agent is now in Public Preview: Build organization-specific briefings in just minutes&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The Threat Intelligence Briefing Agent has entered public preview in the Security Copilot standalone experience, transforming how security teams stay ahead of emerging threats. With this powerful agent, creating highly relevant, organization-specific threat intelligence briefings now takes minutes rather than hours or days, empowering teams to act with speed and confidence. Through real-time dynamic reasoning, the agent surfaces the most relevant threat intelligence based on attributes such as the organization's industry, geographic location, and unique attack surface to deliver critical context and invaluable situational awareness.&lt;/P&gt;
&lt;P&gt;Learn more: &lt;A class="lia-external-url" href="https://aka.ms/ti-briefing-agent" target="_blank"&gt;aka.ms/ti-briefing-agent&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Streamline operations with workspace-level management &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot now supports workspaces, giving organizations a flexible way to segment environments by team, region, or business unit. With workspaces now in public preview, admins can align access, data boundaries, and SCU capacity with operational and compliance needs. Each workspace supports role-based access control, localized prompt history, and independent capacity planning – making it easier to manage complex, distributed security and IT operations.&lt;/P&gt;
&lt;P&gt;As part of this model, workspace-level plugin management is now generally available, allowing admins to configure plugin settings at the workspace or organization level. This eliminates the need for per-user setup and improves efficiency across large environments.&lt;/P&gt;
&lt;P&gt;Learn more: &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/securitycopilotblog/new-tools-for-security-copilot-management-and-capacity-planning/4432723" data-lia-auto-title="New tools for Security Copilot management and capacity planning " data-lia-auto-title-active="0" target="_blank"&gt;New tools for Security Copilot management and capacity planning &lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Plan smarter with the new Security Copilot Capacity Calculator&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The Security Copilot Capacity Calculator is now available in the standalone experience (Azure account required), helping teams estimate how many SCUs they may need.&lt;BR /&gt;Security Copilot supports:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Provisioned SCUs for predictable workloads&lt;/LI&gt;
&lt;LI&gt;Overage SCUs to scale with variable workloads&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Teams can estimate initial capacity using the capacity calculator, monitor usage in the in-product usage dashboard, and adjust their SCU allocation as needed. Learn more about &lt;A class="lia-external-url" href="https://azure.microsoft.com/en-us/pricing/details/microsoft-security-copilot/" target="_blank"&gt;Security Copilot pricing here&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;Learn more: &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/securitycopilotblog/new-tools-for-security-copilot-management-and-capacity-planning/4432723" data-lia-auto-title="New tools for Security Copilot management and capacity planning" data-lia-auto-title-active="0" target="_blank"&gt;New tools for Security Copilot management and capacity planning&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Automate Entra workflows with embedded NL2API skill&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot can now reason over Microsoft Graph APIs to answer complex, multi-stage questions across Entra resources. This embedded experience in Entra, powered by the NL2API skill, is now generally available - bringing advanced automation and intelligence directly into your Entra workflows.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Get faster suggestions with dynamic suggested prompts for Entra skills&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Dynamic suggested prompts are now generally available for Entra skills, offering faster and more deterministic follow-up suggestions using direct skill invocation - bypassing the orchestrator for improved performance.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Meet compliance needs with FedRAMP High authorization for Security Copilot&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot is now included within the &lt;A class="lia-external-url" href="https://www.fedramp.gov/" target="_blank"&gt;Federal Risk and Authorization Management Program (FedRAMP)&lt;/A&gt; High Authorization for &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/security/fundamentals/feature-availability#microsoft-365-integration" target="_blank"&gt;Azure Commercial&lt;/A&gt;. This Provisional Authorization to Operate (P-ATO) within the existing FedRAMP High Azure Commercial environment was approved by the FedRAMP Joint Authorization Board (JAB). This milestone marks a significant step forward in our mission to bring Microsoft Security Copilot’s cutting-edge AI-powered security capabilities to our &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc" target="_blank"&gt;Government Community Cloud (GCC)&lt;/A&gt; customers. Stay tuned for updates on when Security Copilot will be fully available for GCC customers.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Expand global reach with Korean language and Swiss data residency&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot now supports Korean in both standalone and embedded experiences. For a full list of supported languages, visit &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/supported-languages" target="_blank"&gt;Supported languages in Microsoft Security Copilot&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;Additionally, customers in Switzerland can now benefit from Swiss region data residency, ensuring Security Copilot data is stored within Swiss boundaries to meet local compliance requirements.&lt;/P&gt;
&lt;P&gt;Learn more: &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/copilot-security-availability-recovery" target="_blank"&gt;Availability and recovery of Security Copilot&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Improve accuracy and scale with GPT-4.1 and large output support&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;We’ve upgraded Security Copilot to support GPT-4.1 across all experiences at the evaluation level, offering larger context windows, improved interactions, and up to 50% accuracy improvements in some scenarios.&lt;/P&gt;
&lt;P&gt;Also now generally available is large output support, which removes the previous 2MB limit for data used in LLMs – giving teams more flexibility when working with large datasets.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Audit agent changes with Purview UAL integration&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Agent administration auditing is now generally available in Microsoft Purview Unified Audit Log, allowing teams to trace agent creation, updates, and deletions with detailed metadata for improved visibility and compliance.&lt;/P&gt;
&lt;P&gt;Learn more: &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/audit-log" target="_blank"&gt;Access the Security Copilot audit log &lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Stay tuned and explore more!&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Security Copilot is transforming how security and IT teams operate – bringing AI-powered insights, automation, and decision support into everyday workflows. With new capabilities landing every month, the pace of innovation is accelerating.&lt;/P&gt;
&lt;P&gt;We’ll be back in September with more updates. Until then, explore these resources to get hands-on, deepen your understanding, and see what’s possible:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://adoption.microsoft.com/en-us/security-copilot/video-hub/" target="_blank"&gt;Security Copilot Video Hub&lt;/A&gt; – Watch demos and walkthroughs to see Security Copilot in action&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/security/business/ai-machine-learning/microsoft-security-copilot?msockid=3078bb0cbe6e63980b2caeb9bf2262a5" target="_blank"&gt;Microsoft Security Copilot Website&lt;/A&gt; – Learn about capabilities, use cases, and product details&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://adoption.microsoft.com/en-us/security-copilot/" target="_blank"&gt;Security Copilot Adoption Hub&lt;/A&gt; – Access rollout guides, templates, and best practices&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Don’t miss the&amp;nbsp;&lt;STRONG&gt;Microsoft Secure digital event on September 30&lt;SUP&gt;th&lt;/SUP&gt;&lt;/STRONG&gt; - we’ll be announcing exciting new capabilities for Security Copilot and sharing what’s next in AI-powered security. &lt;A class="lia-external-url" href="https://info.microsoft.com/FY26-Microsoft-Security-Sentinel-Innovation_Interest-Form.html" target="_blank"&gt;Register now&lt;/A&gt; to be the first to hear the announcements and see what’s coming.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Aug 2025 17:47:10 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/what-s-new-in-microsoft-security-copilot/ba-p/4442220</guid>
      <dc:creator>Lizzie_Heinze</dc:creator>
      <dc:date>2025-08-11T17:47:10Z</dc:date>
    </item>
    <item>
      <title>Smarter Prompts for Smarter Investigations: Dynamic Prompt Suggestions in Security Copilot</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/smarter-prompts-for-smarter-investigations-dynamic-prompt/ba-p/4432135</link>
      <description>&lt;P&gt;When a security analyst turns to an AI system for help—whether to hunt threats, investigate alerts, or triage incidents—the first step is usually a natural language prompt. But if that prompt is too vague, too general, or not aligned with the system’s capabilities, the response won’t be helpful. In high-stakes environments like cybersecurity, that’s not just a missed opportunity, it’s a risk.&lt;/P&gt;
&lt;P&gt;That’s exactly the problem we tackled in our recent paper, &lt;EM&gt;Dynamic Context-Aware Prompt Recommendations for Domain-Specific Applications&lt;/EM&gt;, now published and deployed as a new skill in Security Copilot.&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;Why Prompting Is a Bigger Problem in Security Than It Seems&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;LLMs have made impressive progress in general-purpose settings—helping users write emails, summarize documents, or answer trivia. These systems often include smart prompt recommendations based on the flow of conversation. But when you shift into domain-specific systems like &lt;EM&gt;Microsoft Security Copilot&lt;/EM&gt;, the game changes.&lt;/P&gt;
&lt;P&gt;Security analysts don’t ask open-ended questions. They ask task-specific ones:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;“List devices that ran a malicious file in the last 24 hours.”&lt;/LI&gt;
&lt;LI&gt;“Correlate failed login attempts across services.”&lt;/LI&gt;
&lt;LI&gt;“Visualize outbound traffic from compromised machines.”&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;These questions map directly to skills—domain-specific functions that query data, connect APIs, or launch workflows. And that means prompt recommendations need to be tightly aligned with the available skills, underlying datasets, and current investigation context. General-purpose prompt systems don’t know how to do that.&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;What Makes Domain-Specific Prompting Hard&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;Designing prompt recommendations for systems like Security Copilot comes with unique constraints:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Constrained Skill Set:&lt;/STRONG&gt; The AI can only take actions it’s configured to support. Prompts must align with those skills—no hallucinations allowed.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Evolving Context:&lt;/STRONG&gt; A single investigation might involve multiple rounds of prompts, results, follow-ups, and pivots. Prompt suggestions must adapt dynamically.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Deep Domain Knowledge:&lt;/STRONG&gt; It’s not enough to suggest “Check network logs.” A useful prompt needs to reflect how real analysts work—across Defender, Sentinel, and more.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Scalability:&lt;/STRONG&gt; As new skills are added, prompt systems must scale without requiring constant manual curation or rewriting.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H5&gt;&lt;STRONG&gt;Our Approach: Dynamic, Context-Aware, and Skill-Constrained&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;We introduce a dynamic prompt recommendation system for Security Copilot. The key innovations include:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Contextual understanding of the session:&lt;/STRONG&gt; We track the user’s investigation path and surface prompts that are relevant to what they’re doing &lt;EM&gt;now&lt;/EM&gt;, not just generic starters.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Skill-awareness:&lt;/STRONG&gt; The system knows what internal capabilities exist (e.g., “list devices,” “query login events”) and only recommends prompts that can be executed via those skills.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Domain knowledge injection:&lt;/STRONG&gt; By encoding metadata about products, datasets, and typical workflows (e.g., MITRE attack stages), the system produces prompts that make sense in security analyst workflows.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Scalable prompt generation:&lt;/STRONG&gt; Rather than relying on hardcoded lists, our system dynamically generates and ranks prompt suggestions.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;&lt;STRONG&gt;What It Looks Like in Action&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;The dynamic prompt suggestion system is now live in Microsoft Entra, available in both Embedded and Immersive experiences. When a user enters a natural language prompt, the system automatically suggests several context-aware follow-up prompts, based on the user's prior interactions and the system’s understanding of the current task.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;These suggestions are generated in real time—users can simply click on a suggestion, and it’s executed immediately, allowing for quick and seamless follow-up queries without needing to rephrase or retype.&lt;/P&gt;
&lt;P&gt;Let’s walk through two examples:&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Embedded Experience&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;We begin with the prompt: &lt;STRONG&gt;"How does Microsoft determine Risky Users?"&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The system returns the response and generates 3 follow-up suggestions, such as: &lt;STRONG&gt;"List dismissed risky detections."&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;We click on that suggestion, which executes the query and shows the results.&lt;/P&gt;
&lt;P&gt;New suggestions continue to appear after each prompt execution, making it easy to explore related insights.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Immersive Experience&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;We start with a prompt: &lt;STRONG&gt;"Who am I?"&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Among the 5 suggested prompts, we select: &lt;STRONG&gt;"List the groups user nase74@woodgrove.ms is a member of."&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The user clicks, the query runs, and more follow-up suggestions appear, enabling a natural, guided flow throughout the session.&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;Why This Matters for the Future of Security AI&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;Prompting isn’t just an interface detail—it’s the entry point to intelligence. And in cybersecurity, where time, accuracy, and reliability matter, we need AI systems that are not just capable, but &lt;EM&gt;cooperative&lt;/EM&gt;. Our research contributes to a future where security analysts don’t have to be prompt engineers to get the most out of AI.&lt;/P&gt;
&lt;P&gt;By making prompt recommendations dynamic, contextual, and grounded in real domain knowledge, we help close the gap between LLM potential and security reality.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Interested in learning more?&lt;/STRONG&gt;&lt;BR /&gt;Check out the full paper: &lt;A href="https://arxiv.org/abs/2506.20815" target="_blank" rel="noopener"&gt;&lt;EM&gt;Dynamic Context-Aware Prompt Recommendations for Domain-Specific Applications&lt;/EM&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;If you're using or building upon this work in your own research, we’d appreciate you citing our paper:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;@article{tang2025dynamic,
  title={Dynamic Context-Aware Prompt Recommendation for Domain-Specific AI Applications},
  author={Tang, Xinye and Zhai, Haijun and Belwal, Chaitanya and Thayanithi, Vineeth and Baumann, Philip and Roy, Yogesh K},
  journal={arXiv preprint arXiv:2506.20815},
  year={2025}
}
&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Jul 2025 16:18:28 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/smarter-prompts-for-smarter-investigations-dynamic-prompt/ba-p/4432135</guid>
      <dc:creator>xinye-tang</dc:creator>
      <dc:date>2025-07-14T16:18:28Z</dc:date>
    </item>
    <item>
      <title>New tools for Security Copilot management and capacity planning</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/new-tools-for-security-copilot-management-and-capacity-planning/ba-p/4432723</link>
      <description>&lt;P&gt;Last year, we launched &lt;A href="https://www.microsoft.com/en-us/security/business/ai-machine-learning/microsoft-security-copilot" target="_blank" rel="noopener"&gt;Microsoft Security Copilot&lt;/A&gt; with a bold goal: to help organizations protect at the speed of AI. Since then, Security Copilot has been transforming how IT and security operations teams respond to threats and manage their environments. In fact, research from live operations indicates that Security Copilot users have seen impact like a &lt;A href="https://aka.ms/SecurityCopilotMTTRResearch" target="_blank" rel="noopener"&gt;30% reduction in mean time to resolution&lt;/A&gt; for SOC teams, and a &lt;A href="https://aka.ms/SecurityCopilot-productivitygains" target="_blank" rel="noopener"&gt;54% decrease in time to resolve a device policy conflict&lt;/A&gt; for IT teams.&lt;/P&gt;
&lt;P&gt;As adoption has grown, so has the complexity of customer needs. In many organizations, different teams, business units, and regions require distinct approaches to data access, capacity planning, and tooling. At the same time, customers want the flexibility to start small, test scenarios, and scale usage over time, without committing to long-term contracts.&lt;/P&gt;
&lt;P&gt;To meet these needs, Security Copilot is offered as a consumptive solution, allowing organizations to provision Security Compute Units (SCUs) as needed. This flexible model lowers the barrier to entry and encourages experimentation. And now, with workspaces and the Security Copilot capacity calculator to help manage capacity, customers can adopt Security Copilot with even more confidence and control.&lt;/P&gt;
&lt;H1 aria-level="2"&gt;Workspaces&lt;/H1&gt;
&lt;P&gt;Security operations don’t happen in a vacuum – different teams, business units, and regions have unique operational needs. This is why we’re excited to launch workspaces in public preview – a major enhancement to how teams can manage access, resources, and collaboration within Security Copilot. Workspaces provide a flexible way to segment environments, making it easier to align access and capacity with organizational needs, legal structures, or compliance requirements.&lt;/P&gt;
&lt;P&gt;Let’s take the example of a multinational organization with separate security and IT teams in North America, Europe, and Asia. With workspaces, this company can realize benefits in:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Data boundaries:&lt;/STRONG&gt; Each regional team operates within its own dedicated workspace, keeping data like prompt history local and accessible only to that team. This isolation ensures information stays relevant to the team and supports compliance with regional data residency requirements and internal policies.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Role-based access control:&lt;/STRONG&gt; Only authorized users specified by the admin have access to each workspace, and workspace management is restricted to users with administrator roles.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Capacity planning:&lt;/STRONG&gt; SCUs can be provisioned per workspace, giving admins the ability to right-size capacity based on each team’s workload. APAC can scale up during a surge while the US conserves usage during a quiet period.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;EM&gt;Note: multi-workspace support is now available in Security Copilot, enabling users to manage prompt sessions across multiple workspaces. However, available agents that run autonomously are currently limited to a single workspace, and embedded experiences continue to route traffic exclusively through the tenant-level default workspace. Please refer to the &lt;A href="https://learn.microsoft.com/en-us/copilot/security/workspaces-overview" target="_blank" rel="noopener"&gt;documentation&lt;/A&gt; for full details.&lt;/EM&gt;&lt;/P&gt;
&lt;H1 aria-level="2"&gt;Security Copilot capacity calculator&lt;/H1&gt;
&lt;P&gt;One of the most common questions we hear from customers is: “How many SCUs do I need to get started with Security Copilot?” Given the dynamic nature of AI-powered security workflows, forecasting compute needs can be a challenge, especially for teams just starting their journey. To make planning easier, we’re excited to announce the launch of the &lt;A href="https://securitycopilot.microsoft.com/calculator" target="_blank" rel="noopener"&gt;Security Copilot capacity calculator&lt;/A&gt;, now available in the Security Copilot standalone experience (Azure account required).&lt;/P&gt;
&lt;P&gt;This tool offers a practical starting point to help estimate how many SCUs your organization may require. With a few clicks, customers can get an idea of estimated SCU usage based on inputs like number of users in an embedded Security Copilot experience. While actual consumption may vary as it depends on real-time prompt activity, the calculator serves as a helpful guide for initial provisioning and budget planning.&lt;/P&gt;
&lt;P&gt;Once you’ve estimated your baseline needs, you can &lt;A href="https://learn.microsoft.com/en-us/copilot/security/get-started-security-copilot" target="_blank" rel="noopener"&gt;get started&lt;/A&gt; in Security Copilot or in the Azure portal. Security Copilot offers two flexible models to support both predictable workloads and unplanned spikes in usage:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Provisioned SCUs:&lt;/STRONG&gt; Ideal for predictable, ongoing operations. A minimum of one provisioned SCU is required.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Overage SCUs:&lt;/STRONG&gt; Designed for variable demand. Overage SCUs allow usage to scale seamlessly, and customers only pay for what they use, up to their chosen optional overage limit.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;With the capacity calculator, organizations can confidently begin their Security Copilot journey and better manage usage to align with their business needs. After getting started, teams can monitor consumption through the in-product usage dashboard and adjust capacity as demand fluctuates. Learn more about &lt;/SPAN&gt;&lt;A href="https://azure.microsoft.com/en-us/pricing/details/microsoft-security-copilot/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Security Copilot pricing here&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Get Started with Security Copilot today&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Together, workspaces and the capacity calculator provide organizations with deeper insight, flexibility, and control over their Security Copilot usage. These features address the real-world challenges of managing diverse teams, complex environments, and evolving workloads. Whether you’re just starting your Security Copilot journey or looking to optimize your existing usage, these tools help you right-size capacity, maintain compliance, and deliver actionable AI assistance for your security and IT teams.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Discover Security Copilot use cases, best practices, and customer success stories in the &lt;/SPAN&gt;&lt;A href="https://adoption.microsoft.com/en-us/security-copilot/video-hub/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Security Copilot adoption hub&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;Learn more about our most recent Security Copilot innovations for IT teams &lt;/SPAN&gt;&lt;A href="https://aka.ms/CopilotIntuneandEntraGA" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;her&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;e&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;. If you have questions or need support, don’t hesitate to &lt;/SPAN&gt;&lt;A href="https://info.microsoft.com/ww-landing-security-generic-contact-me.html?culture=en-us&amp;amp;country=us" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;contact us&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; or reach out to your account manager.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 16 Jul 2025 18:21:36 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/new-tools-for-security-copilot-management-and-capacity-planning/ba-p/4432723</guid>
      <dc:creator>donnalee</dc:creator>
      <dc:date>2025-07-16T18:21:36Z</dc:date>
    </item>
    <item>
      <title>Using parameterized functions with KQL-based custom plugins in Microsoft Security Copilot</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/using-parameterized-functions-with-kql-based-custom-plugins-in/ba-p/4419286</link>
      <description>
&lt;P&gt;In this blog, I will walk through how you can build functions based on a Microsoft Sentinel Log Analytics workspace for use in custom KQL-based plugins for Security Copilot. The same approach can be used for Azure Data Explorer and Defender XDR, so long as you follow the specific guidance for either platform. A link to those steps is provided in the &lt;STRONG&gt;Additional Resources&lt;/STRONG&gt; section at the end of this blog.&lt;/P&gt;
&lt;P&gt;But first, it’s helpful to clarify what parameterized functions are and why they are important in the context of Security Copilot KQL-based plugins. Parameterized functions accept input details (variables) such as lookback periods or entities, allowing you to dynamically alter parts of a query without rewriting the entire logic.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Parameterized functions are important in the context of Security Copilot plugins because of:&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Dynamic prompt completion:&lt;/STRONG&gt;&lt;BR /&gt;Security Copilot plugins often accept user input (e.g., usernames, time ranges, IPs). Parameterized functions allow these inputs to be consistently injected into KQL queries without rebuilding query logic.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Plugin reusability:&lt;/STRONG&gt;&lt;BR /&gt;By using parameters, a single function can serve multiple investigation scenarios (e.g., checking sign-ins, data access, or alerts for any user or timeframe) instead of hardcoding different versions.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Maintainability and modularity:&lt;/STRONG&gt;&lt;BR /&gt;Parameterized functions centralize query logic, making it easier to update or enhance without modifying every instance across the plugin spec. To modify the logic, just edit the function in Log Analytics, test it, then save it, without needing to change the plugin at all or re-upload it into Security Copilot. It also significantly reduces the need to ensure that the query part of the YAML is perfectly indented and tabbed, as required by the OpenAPI specification: you only need to worry about formatting a single line instead of several, potentially hundreds.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Validation:&lt;/STRONG&gt;&lt;BR /&gt;Separating query logic from input parameters improves query reliability by avoiding the possibility of malformed queries. No matter what the input is, it's treated &lt;STRONG&gt;as a value&lt;/STRONG&gt;, not as part of the query logic.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Plugin Spec mapping:&lt;/STRONG&gt;&lt;BR /&gt;OpenAPI-based Security Copilot plugins can map user-provided inputs directly to function parameters, making the interaction between user intent and query execution seamless.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H5&gt;&lt;STRONG&gt;Practical example&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;In this case, we have a 139-line KQL query that we will reduce to exactly one line that goes into the KQL plugin. In other cases, this number could be even higher. Without using functions, this entire query would have to form part of the plugin.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Note&lt;/STRONG&gt;: &lt;EM&gt;The rest of this blog assumes you are familiar with KQL custom plugins: how they work and how to upload them into Security Copilot.&lt;/EM&gt;&lt;/P&gt;
&lt;LI-CODE lang="kusto"&gt;CloudAppEvents | where RawEventData.TargetDomain has_any ( 'grok.com', 'x.ai', 'mistral.ai', 'cohere.ai', 'perplexity.ai', 'huggingface.co', 'adventureai.gg', 'ai.google/discover/palm2', 'ai.meta.com/llama', 'ai2006.io', 'aibuddy.chat', 'aidungeon.io', 'aigcdeep.com', 'ai-ghostwriter.com', 'aiisajoke.com', 'ailessonplan.com', 'aipoemgenerator.org', 'aissistify.com', 'ai-writer.com', 'aiwritingpal.com', 'akeeva.co', 'aleph-alpha.com/luminous', 'alphacode.deepmind.com', 'analogenie.com', 'anthropic.com/index/claude-2', 'anthropic.com/index/introducing-claude', 'anyword.com', 'app.getmerlin.in', 'app.inferkit.com', 'app.longshot.ai', 'app.neuro-flash.com', 'applaime.com', 'articlefiesta.com', 'articleforge.com', 'askbrian.ai', 'aws.amazon.com/bedrock/titan', 'azure.microsoft.com/en-us/products/ai-services/openai-service', 'bard.google.com', 'beacons.ai/linea_builds', 'bearly.ai', 'beatoven.ai', 'beautiful.ai', 'beewriter.com', 'bettersynonyms.com', 'blenderbot.ai', 'bomml.ai', 'bots.miku.gg', 'browsegpt.ai', 'bulkgpt.ai', 'buster.ai', 'censusgpt.com', 'chai-research.com', 'character.ai', 'charley.ai', 'charshift.com', 'chat.lmsys.org', 'chat.mymap.ai', 'chatbase.co', 'chatbotgen.com', 'chatgpt.com', 'chatgptdemo.net', 'chatgptduo.com', 'chatgptspanish.org', 'chatpdf.com', 'chattab.app', 'claid.ai', 'claralabs.com', 'claude.ai/login', 'clipdrop.co/stable-diffusion', 'cmdj.app', 'codesnippets.ai', 'cohere.com', 'cohesive.so', 'compose.ai', 'contentbot.ai', 'contentvillain.com', 'copy.ai', 'copymatic.ai', 'copymonkey.ai', 'copysmith.ai', 'copyter.com', 'coursebox.ai', 'coverler.com', 'craftly.ai', 'crammer.app', 'creaitor.ai', 'dante-ai.com', 'databricks.com', 'deepai.org', 'deep-image.ai', 'deepreview.eu', 'descrii.tech', 'designs.ai', 'docgpt.ai', 'dreamily.ai', 'editgpt.app', 'edwardbot.com', 'eilla.ai', 'elai.io', 'elephas.app', 'eleuther.ai', 'essayailab.com', 'essay-builder.ai', 'essaygrader.ai', 'essaypal.ai', 'falconllm.tii.ae', 
'finechat.ai', 'finito.ai', 'fireflies.ai', 'firefly.adobe.com', 'firetexts.co', 'flowgpt.com', 'flowrite.com', 'forethought.ai', 'formwise.ai', 'frase.io', 'freedomgpt.com', 'gajix.com', 'gemini.google.com', 'genei.io', 'generatorxyz.com', 'getchunky.io', 'getgptapi.com', 'getliner.com', 'getsmartgpt.com', 'getvoila.ai', 'gista.co', 'github.com/features/copilot', 'giti.ai', 'gizzmo.ai', 'glasp.co', 'gliglish.com', 'godinabox.co', 'gozen.io', 'gpt.h2o.ai', 'gpt3demo.com', 'gpt4all.io', 'gpt-4chan+)', 'gpt6.ai', 'gptassistant.app', 'gptfy.co', 'gptgame.app', 'gptgo.ai', 'gptkit.ai', 'gpt-persona.com', 'gpt-ppt.neftup.app', 'gptzero.me', 'grammarly.com', 'hal9.com', 'headlime.com', 'heimdallapp.org', 'helperai.info', 'heygen.com', 'heygpt.chat', 'hippocraticai.com', 'huggingface.co/spaces/tiiuae/falcon-180b-demo', 'humanpal.io', 'hypotenuse.ai', 'ichatwithgpt.com', 'ideasai.com', 'ingestai.io', 'inkforall.com', 'inputai.com/chat/gpt-4', 'instantanswers.xyz', 'instatext.io', 'iris.ai', 'jasper.ai', 'jigso.io', 'kafkai.com', 'kibo.vercel.app', 'kloud.chat', 'koala.sh', 'krater.ai', 'lamini.ai', 'langchain.com', 'laragpt.com', 'learn.xyz', 'learnitive.com', 'learnt.ai', 'letsenhance.io', 'letsrevive.app', 'lexalytics.com', 'lgresearch.ai', 'linke.ai', 'localbot.ai', 'luis.ai', 'lumen5.com', 'machinetranslation.com', 'magicstudio.com', 'magisto.com', 'mailshake.com/ai-email-writer', 'markcopy.ai', 'meetmaya.world', 'merlin.foyer.work', 'mieux.ai', 'mightygpt.com', 'mosaicml.com', 'murf.ai', 'myaiteam.com', 'mygptwizard.com', 'narakeet.com', 'nat.dev', 'nbox.ai', 'netus.ai', 'neural.love', 'neuraltext.com', 'newswriter.ai', 'nextbrain.ai', 'noluai.com', 'notion.so', 'novelai.net', 'numind.ai', 'ocoya.com', 'ollama.ai', 'openai.com', 'ora.ai', 'otterwriter.com', 'outwrite.com', 'pagelines.com', 'parallelgpt.ai', 'peppercontent.io', 'perplexity.ai', 'personal.ai', 'phind.com', 'phrasee.co', 'play.ht', 'poe.com', 'predis.ai', 'premai.io', 'preppally.com', 
'presentationgpt.com', 'privatellm.app', 'projectdecember.net', 'promptclub.ai', 'promptfolder.com', 'promptitude.io', 'qopywriter.ai', 'quickchat.ai/emerson', 'quillbot.com', 'rawshorts.com', 'read.ai', 'rebecc.ai', 'refraction.dev', 'regem.in/ai-writer', 'regie.ai', 'regisai.com', 'relevanceai.com', 'replika.com', 'replit.com', 'resemble.ai', 'resumerevival.xyz', 'riku.ai', 'rizzai.com', 'roamaround.app', 'rovioai.com', 'rytr.me', 'saga.so', 'sapling.ai', 'scribbyo.com', 'seowriting.ai', 'shakespearetoolbar.com', 'shortlyai.com', 'simpleshow.com', 'sitegpt.ai', 'smartwriter.ai', 'sonantic.io', 'soofy.io', 'soundful.com', 'speechify.com', 'splice.com', 'stability.ai', 'stableaudio.com', 'starryai.com', 'stealthgpt.ai', 'steve.ai', 'stork.ai', 'storyd.ai', 'storyscapeai.app', 'storytailor.ai', 'streamlit.io/generative-ai', 'summari.com', 'synesthesia.io', 'tabnine.com', 'talkai.info', 'talkpal.ai', 'talktowalle.com', 'team-gpt.com', 'tethered.dev', 'texta.ai', 'textcortex.com', 'textsynth.com', 'thirdai.com/pocketllm', 'threadcreator.com', 'thundercontent.com', 'tldrthis.com', 'tome.app', 'toolsaday.com/writing/text-genie', 'to-teach.ai', 'tutorai.me', 'tweetyai.com', 'twoslash.ai', 'typeright.com', 'typli.ai', 'uminal.com', 'unbounce.com/product/smart-copy', 'uniglobalcareers.com/cv-generator', 'usechat.ai', 'usemano.com', 'videomuse.app', 'vidext.app', 'virtualghostwriter.com', 'voicemod.net', 'warmer.ai', 'webllm.mlc.ai', 'wellsaidlabs.com', 'wepik.com', 'we-spots.com', 'wordplay.ai', 'wordtune.com', 'workflos.ai', 'woxo.tech', 'wpaibot.com', 'writecream.com', 'writefull.com', 'writegpt.ai', 'writeholo.com', 'writeme.ai', 'writer.com', 'writersbrew.app', 'writerx.co', 'writesonic.com', 'writesparkle.ai', 'writier.io', 'yarnit.app', 'zevbot.com', 'zomani.ai' ) | extend sit = parse_json(tostring(RawEventData.SensitiveInfoTypeData)) | mv-expand sit | summarize Event_Count = count() by tostring(sit.SensitiveInfoTypeName), CountryCode, City, UserId = 
tostring(RawEventData.UserId), TargetDomain = tostring(RawEventData.TargetDomain), ActionType = tostring(RawEventData.ActionType), IPAddress = tostring(RawEventData.IPAddress), DeviceType = tostring(RawEventData.DeviceType), FileName = tostring(RawEventData.FileName), TimeBin = bin(TimeGenerated, 1h)
| extend SensitivityScore = case(
    tostring(sit_SensitiveInfoTypeName) in~ ("U.S. Social Security Number (SSN)", "Credit Card Number", "EU Tax Identification Number (TIN)","Amazon S3 Client Secret Access Key","All Credential Types"), 90,
    tostring(sit_SensitiveInfoTypeName) in~ ("All Full names"), 40,
    tostring(sit_SensitiveInfoTypeName) in~ ("Project Obsidian", "Phone Number"), 70,
    tostring(sit_SensitiveInfoTypeName) in~ ("IP"), 50,
    10
  )
| join kind=leftouter (
    IdentityInfo
    | where TimeGenerated &amp;gt; ago(lookback)
    | extend AccountUpn = tolower(AccountUPN)
  ) on $left.UserId == $right.AccountUpn
| join kind=leftouter (
    BehaviorAnalytics
    | where TimeGenerated &amp;gt; ago(lookback)
    | extend AccountUpn = tolower(UserPrincipalName)
  ) on $left.UserId == $right.AccountUpn
//| where BlastRadius == "High"
//| where RiskLevel == "High"
| where Department == User_Dept
| summarize arg_max(TimeGenerated, *) by sit_SensitiveInfoTypeName, CountryCode, City, UserId, TargetDomain, ActionType, IPAddress, DeviceType, FileName, TimeBin, Department, SensitivityScore
| summarize sum(Event_Count) by sit_SensitiveInfoTypeName, CountryCode, City, UserId, Department, TargetDomain, ActionType, IPAddress, DeviceType, FileName, TimeBin, BlastRadius, RiskLevel, SourceDevice, SourceIPAddress, SensitivityScore&lt;/LI-CODE&gt;
&lt;P&gt;With parameterized functions, follow these steps to simplify the plugin that will be built based on the query above:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Define the variables/parameters upfront in the query (BEFORE creating the parameters in the UI). This will put the query in a “temporary” unusable state because the parameters will cause syntax problems in this state. However, since the plan is to run the query as a function, this is OK.&lt;/LI&gt;
&lt;/OL&gt;
&lt;img&gt;Fig. 1: Image showing partial query with the parameters to be defined highlighted in red, i.e. lookback and User_Dept&lt;/img&gt;
&lt;OL start="2"&gt;
&lt;LI&gt;Create the parameters in the Log Analytics UI&lt;/LI&gt;
&lt;/OL&gt;
&lt;img&gt;Fig. 2: Screenshot showing the function menu in the Log Analytics UI&lt;/img&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Give the function a name and define the parameters exactly as they show up in the query in step 1 above. In this example, we are defining two parameters: &lt;STRONG&gt;lookback&lt;/STRONG&gt;, to store the lookback period to be passed to the time filter, and &lt;STRONG&gt;User_Dept&lt;/STRONG&gt;, to store the user’s department.&lt;/P&gt;
&lt;img&gt;Fig. 3. Function menu showing the two parameters defined in the function creation menu of Log Analytics&lt;/img&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;3. Test the query. Note the order in which the parameters are defined in the UI, i.e. first &lt;STRONG&gt;User_Dept&lt;/STRONG&gt;, then the &lt;STRONG&gt;lookback&lt;/STRONG&gt; period. You can interchange them if you like, but the order determines how you submit the query using the function: if the &lt;STRONG&gt;User_Dept&lt;/STRONG&gt; parameter was defined first, it needs to come first when executing the function. See the screenshot below. Switching them will result in the wrong parameter being passed to the query and consequently 0 results will be returned.&lt;/P&gt;
&lt;img&gt;Fig. 4: Sample run of the function with the parameters specified in the correct order&lt;/img&gt;
&lt;P class=""&gt;Effect of switched parameters:&lt;/P&gt;
&lt;img&gt;Fig. 5: Sample function run with the parameters switched to show the effect of this situation&lt;/img&gt;
&lt;P&gt;To edit the function, follow the steps below:&lt;/P&gt;
&lt;P&gt;Navigate to the Logs menu for your Log Analytics workspace, then select the function icon.&lt;/P&gt;
&lt;img&gt;Fig. 6: Partial view of the function being edited within the Log Analytics UI&lt;BR /&gt;&lt;BR /&gt;&lt;/img&gt;&lt;img&gt;Fig. 7: Image showing how to select the code button in the function menu to edit the function code&lt;/img&gt;
&lt;P&gt;Once satisfied with the query and function, build your spec file for the Security Copilot plugin. Note the parameter definition and usage in the sections highlighted in red below.&lt;/P&gt;
&lt;img&gt;Fig. 8: Partial view of the YAML plugin showing the encapsulation of the 139 lines of KQL into a single one&lt;/img&gt;
&lt;P&gt;And that’s it, from 139 unwieldy KQL lines to one very manageable one! You are welcome 😊&lt;/P&gt;
&lt;P&gt;Let’s now put it through its paces once uploaded into Security Copilot.&amp;nbsp;We start by executing the plugin using its default settings via the direct skill invocation method. We see indeed that the prompt returns results based on the default values passed as parameters to the function:&lt;/P&gt;
&lt;img&gt;Fig. 9: View of Security Copilot landing page showing an example of direct skill execution of the created plugin&lt;/img&gt;&lt;img&gt;Fig. 10: Sample output showing records of users from the Sales department&lt;/img&gt;
&lt;P&gt;Next, we still use direct skill invocation, but this time specify our own parameters:&lt;/P&gt;
&lt;img&gt;Fig. 11: Direct skill invocation example but with specified parameters-Department, and lookback period&lt;/img&gt;&lt;img&gt;Fig 12: Prompt run showing the output corresponding to the selections of the previous direct skill invocation prompt&lt;/img&gt;
&lt;P&gt;Lastly, we test it out with a natural language prompt:&lt;/P&gt;
&lt;img&gt;Fig 13: Security Copilot prompt bar showing example of natural language prompt seeking events related to users in the Human Resources department&lt;/img&gt;&lt;img&gt;Fig 14: Output from previous natural language prompt focused on users from the HR department&lt;/img&gt;
&lt;P&gt;&lt;STRONG&gt;Tip: &lt;/STRONG&gt;&lt;EM&gt;The function does not execute successfully if the default summarize function is used without creating a variable, i.e. if the &lt;STRONG&gt;summarize count()&lt;/STRONG&gt; command is used in your query, it results in a system-defined output variable named &lt;STRONG&gt;count_&lt;/STRONG&gt;. To bypass this issue, be sure to use a user-defined variable such as &lt;STRONG&gt;Event_Count&lt;/STRONG&gt;, as shown in line 77 below:&lt;/EM&gt;&lt;/P&gt;
&lt;img&gt;Fig. 15: Highlighting the creation of a variable to store results from the summarize count() command&lt;/img&gt;
&lt;H5&gt;&lt;STRONG&gt;Conclusion&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;In conclusion, leveraging parameterized functions within KQL-based custom plugins in Microsoft Security Copilot can significantly streamline your data querying and analysis capabilities. By encapsulating reusable logic, improving query efficiency, and ensuring maintainability, these functions provide an efficient approach for tapping into data stored across Microsoft Sentinel, Defender XDR and Azure Data Explorer clusters. Start integrating parameterized functions into your KQL-based Security Copilot plugins today and let us have your feedback.&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;Additional Resources&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-custom-functions" target="_blank" rel="noopener"&gt;Using parameterized functions in Microsoft Defender XDR&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/kusto/management/create-function?view=microsoft-fabric" target="_blank" rel="noopener"&gt;Using parameterized functions with Azure Data Explorer&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/azure-monitor/logs/functions?tabs=portal" target="_blank" rel="noopener"&gt;Functions in Azure Monitor log queries - Azure Monitor | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/copilot/security/plugin-kql" target="_blank" rel="noopener"&gt;Kusto Query Language (KQL) plugins in Microsoft Security Copilot | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/blog/securitycopilotblog/harnessing-the-power-of-kql-plugins-for-enhanced-security-insights-with-copilot-/4221891" target="_blank" rel="noopener"&gt;Harnessing the power of KQL Plugins for enhanced security insights with Copilot for Security | Microsoft Community Hub&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 02 Jun 2025 17:17:26 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/using-parameterized-functions-with-kql-based-custom-plugins-in/ba-p/4419286</guid>
      <dc:creator>Inwafula</dc:creator>
      <dc:date>2025-06-02T17:17:26Z</dc:date>
    </item>
    <item>
      <title>Automating Phishing Email Triage with Microsoft Security Copilot</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/automating-phishing-email-triage-with-microsoft-security-copilot/ba-p/4416559</link>
      <description>&lt;P&gt;This blog details automating phishing email triage using Azure Logic Apps, Azure Function Apps, and Microsoft Security Copilot. Deployable in under 10 minutes, this solution primarily analyzes email intent without relying on traditional indicators of compromise, accurately classifying benign/junk, suspicious, and phishing emails. Benefits include reduced manual workload, improved threat detection, and (optional) seamless integration with Microsoft Sentinel – enabling analysts to see Security Copilot analysis within the incident itself.&lt;/P&gt;
&lt;P&gt;Designed for flexibility and control, this Logic App is a customizable solution that can be self-deployed from GitHub. It helps automate phishing response at scale without requiring deep coding expertise, making it ideal for teams that prefer a more configurable approach and want to tailor workflows to their environment. The solution streamlines response and significantly reduces manual effort.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Access the full solution on the Security Copilot GitHub:&lt;/STRONG&gt;&lt;BR /&gt;&lt;A href="https://github.com/Azure/Security-Copilot/tree/main/Logic%20Apps/SecCopilot-UserReportedPhishing-FuncApp_parsingV2" target="_blank" rel="noopener"&gt;GitHub - UserReportedPhishing Solution&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;For teams looking for a more sophisticated, fully integrated experience, the Security Copilot &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/phishing-triage-agent" target="_blank" rel="noopener"&gt;Phishing Triage Agent&lt;/A&gt; represents the next generation of phishing response. Natively embedded in Microsoft Defender, the agent autonomously triages phishing incidents with minimal setup. It uses advanced LLM-based reasoning to resolve false alarms, enabling analysts to stay focused on real threats. The agent offers step-by-step decision transparency and continuously learns from user feedback. Read the official announcement &lt;A href="https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/what%E2%80%99s-new-in-microsoft-defender-xdr-at-secure-2025/4390817" target="_blank" rel="noopener"&gt;here&lt;/A&gt;.&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;Introduction: Phishing Challenges Continue to Evolve&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;Phishing continues to evolve in both scale and sophistication, but a growing challenge for defenders isn't just stopping phishing, it’s scaling response. Thanks to tools like Outlook’s "Report Phishing" button and increased user awareness, organizations are now flooded with user-reported emails, many of which are ambiguous or benign. This has created a paradox: better detection by users has overwhelmed SOC teams, turning email triage into a manual, rotational task dreaded for its repetitiveness and time cost, often taking over 25 minutes per email to review.&lt;/P&gt;
&lt;P&gt;Our solution addresses that problem by automating the triage of user-reported phishing through AI-driven intent analysis. It's not built to replace your secure email gateways or Microsoft Defender for Office 365; those tools have already done their job. This system assumes the email:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Slipped past existing filters,&lt;/LI&gt;
&lt;LI&gt;Was suspicious enough for a user to escalate,&lt;/LI&gt;
&lt;LI&gt;Lacks typical IOCs like malicious domains or attachments.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;As a former attacker, I spent years crafting high-quality phishing emails to penetrate the defenses of major banks. Effective phishing doesn't rely on obvious IOCs like malicious domains, URLs, or attachments… the infrastructure often appears clean. The danger lies in the intent. This is where Security Copilot’s LLM-based reasoning is critical, analyzing structure, context, tone, and seasonal pretexts to determine whether an email is phishing, suspicious, spam, or legitimate.&lt;/P&gt;
&lt;P&gt;What makes this novel is that it's the first solution built specifically for the “last mile” of phishing defense, where human suspicion meets automation, and intent is the only signal left to analyze. It transforms noisy inboxes into structured intelligence and empowers analysts to focus only on what truly matters.&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;Solution Overview: How the Logic App Solution Works (and Why It's Different)&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;STRONG&gt;Core Components:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Azure Logic Apps:&lt;/STRONG&gt; Orchestrates the entire workflow, from ingestion to analysis, and 100% customizable.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Azure Function Apps:&lt;/STRONG&gt; Parses and normalizes email data for efficient AI consumption.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft Security Copilot:&lt;/STRONG&gt; Performs sophisticated AI-based phishing analysis by understanding email intent and tactics, rather than relying exclusively on predefined malicious indicators.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Key Benefits:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Rapid Analysis:&lt;/STRONG&gt; Processes phishing alerts and, in minutes, delivers comprehensive reports that empower analysts to make faster, more informed triage decisions – compared to manual reviews that can take up to 30 minutes. And, unlike analysts, Security Copilot requires zero sleep!&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;AI-driven Insights:&lt;/STRONG&gt; LLM-based analysis is leveraged to generate clear explanations of classifications by assessing behavioral and contextual signals like urgency, seasonal threats, Business Email Compromise (BEC), subtle language clues, and otherwise sophisticated techniques. Most importantly, it identifies benign emails, which are often the bulk of reported emails.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Detailed, Actionable Reports:&lt;/STRONG&gt; Generates clear, human-readable HTML reports summarizing threats and recommendations for analyst review.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Robust Attachment Parsing:&lt;/STRONG&gt; Automatically examines attachments like PDFs and Excel documents for malicious content or contextual inconsistencies.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Integrated with Microsoft Sentinel:&lt;/STRONG&gt; Optional integration with Sentinel ensures central incident tracking and comprehensive threat management. Analysis is attached directly to the incident, saving analysts more time.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Customization:&lt;/STRONG&gt; Add, move, or replace any element of the Logic App or prompt to fit your specific workflows.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;&lt;STRONG&gt;Deployment Guide: Quick, Secure, and Reliable Setup&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;The solution provides Azure Resource Manager (ARM) templates for rapid deployment:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Prerequisites:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Azure Subscription with Contributor access to a resource group.&lt;/LI&gt;
&lt;LI&gt;Microsoft Security Copilot enabled.&lt;/LI&gt;
&lt;LI&gt;Dedicated Office 365 shared mailbox (e.g., phishing@yourdomain.com) with Mailbox.Read.Shared permissions.&lt;/LI&gt;
&lt;LI&gt;(Optional) Microsoft Sentinel workspace.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Refer to the up-to-date deployment instructions on the Security Copilot GitHub &lt;A href="https://github.com/Azure/Security-Copilot/blob/main/Logic%20Apps/SecCopilot-UserReportedPhishing-FuncApp_parsingV2/README.md" target="_blank" rel="noopener"&gt;page&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Technical Architecture &amp;amp; Workflow:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The automated workflow operates as follows:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Email Ingestion:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Monitors the shared mailbox via Office 365 connector.&lt;/LI&gt;
&lt;LI&gt;Triggers on new email arrivals every 3 minutes.&lt;/LI&gt;
&lt;LI&gt;Assumes that the reported email has arrived as an attachment to a "carrier" email.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Determine if the Email Came from Defender/Sentinel:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;If the email came from Defender, it would have a prepended subject of “Phishing”; if not, the flow takes the “False” branch. Change as necessary.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Initial Email Processing:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Exports raw email content from the shared mailbox.&lt;/LI&gt;
&lt;LI&gt;Determines if .msg or .eml attachments are in binary format and converts if necessary.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Email Parsing via Azure Function App:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Extracts data from email content and attachments (URLs, sender info, email body, etc.) and returns a JSON structure.&lt;/LI&gt;
&lt;LI&gt;Prepares clean JSON data for AI analysis.&lt;/LI&gt;
&lt;LI&gt;This step is required to "prep" the data for LLM analysis due to token limits.&lt;/LI&gt;
&lt;LI&gt;Click on the “Parse Email” block to see the output of the Function App for any troubleshooting. You'll also notice a number of JSON keys that are not used but provided for flexibility.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Security Copilot Advanced AI Reasoning:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Analyzes email content using a comprehensive prompt that evaluates behavioral and seasonal patterns, BEC indicators, attachment context, and social engineering signals.&lt;/LI&gt;
&lt;LI&gt;Scores cumulative risk based on structured heuristics without relying solely on known malicious indicators.&lt;/LI&gt;
&lt;LI&gt;Returns validated JSON output (some customers are parsing this JSON and performing other actions).&lt;/LI&gt;
&lt;LI&gt;This is where you would customize the prompt if the Logic App needs to be tuned, for example to add some of your own organizational situations:&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;JSON Normalization &amp;amp; Error Handling:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A “normalization” Azure Function ensures output matches the expected JSON schema.&lt;/LI&gt;
&lt;LI&gt;LLMs sometimes stray from a strict output structure; this step aims to solve that problem.&lt;/LI&gt;
&lt;LI&gt;If you add or remove anything from the Parse Email code that alters the structure of the JSON, this and the next block will need to be updated to match your new structure.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Detailed HTML Reporting:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Generates a detailed HTML report summarizing AI findings, indicators, and recommended actions.&lt;/LI&gt;
&lt;LI&gt;Reports are emailed directly to SOC team distribution lists or ticketing systems.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Optional Sentinel Integration:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Adds the reasoning &amp;amp; output from Security Copilot directly to the incident comments. This is the ideal location for output since the analyst is already in the security.microsoft.com portal. It waits up to 15 minutes for logs to appear, in situations where the user reports before an incident is created.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;The solution works pretty well out of the box but may require some tuning; give it a test. Here are some examples of the type of reasoning Security Copilot produces.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Benign email detection:&lt;/STRONG&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Example of phishing email detection:&lt;/STRONG&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;More sophisticated phishing with subtle clues:&lt;/STRONG&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;img /&gt;
&lt;img /&gt;
&lt;H5&gt;&lt;STRONG&gt;Enhanced Technical Details &amp;amp; Clarifications&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;STRONG&gt;Attachment Processing:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;When multiple email attachments are detected, the Logic App processes each binary-format email sequentially.&lt;/LI&gt;
&lt;LI&gt;If PDF or Excel attachments are detected, they are parsed and evaluated for content and intent.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Security Copilot Reliability:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The Security Copilot Logic App API call uses an extensive retry policy (10 retries at 10-minute intervals) to ensure reliable AI analysis despite intermittent service latency.&lt;/LI&gt;
&lt;LI&gt;If you run out of SCUs in an hour, it will pause until they are refreshed and then continue.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Sentinel Integration Reliability:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Acknowledges inherent Sentinel logging delays (up to 15 minutes).&lt;/LI&gt;
&lt;LI&gt;Implements retry logic and explicit manual alerting for unmatched incidents, if the analysis runs before the incident is created.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Security Best Practices:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Compare the Function &amp;amp; Logic App to your company security policies to ensure compliance.&lt;/LI&gt;
&lt;LI&gt;Credentials, API keys, and sensitive details utilize Azure Managed Identities or secure API connections. No secrets are stored in plaintext.&lt;/LI&gt;
&lt;LI&gt;Azure Function Apps perform only safe parsing operations; attachments and content are never executed or opened insecurely.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Be sure to check out how the Microsoft Defender for Office team is improving detection capabilities as well: &lt;A href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/microsoft-defender-for-office-365s-language-ai-for-phish-enhancing-email-securit/4410446" target="_blank" rel="noopener"&gt;Microsoft Defender for Office 365's Language AI for Phish: Enhancing Email Security | Microsoft Community Hub&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Thu, 05 Jun 2025 16:44:41 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/automating-phishing-email-triage-with-microsoft-security-copilot/ba-p/4416559</guid>
      <dc:creator>craigfreyman-msft</dc:creator>
      <dc:date>2025-06-05T16:44:41Z</dc:date>
    </item>
    <item>
      <title>Busting myths on Microsoft Security Copilot</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/busting-myths-on-microsoft-security-copilot/ba-p/4414844</link>
      <description>&lt;P&gt;Microsoft’s Security Copilot is a new AI-powered security assistant (launched in April 2024) that integrates with Microsoft Defender, Sentinel, Intune, Entra and Purview to help analysts protect and defend at the speed and scale of AI. As a cutting-edge generative AI tool, Security Copilot has naturally sparked interest and close attention from users and experts. This has resulted in various articles and blogs sharing experiences, perspectives, and feedback about the product. As a Microsoft Certified Trainer and a Microsoft ‘Consultant’, I happen to both teach and implement Security Copilot for professionals and organizations respectively. Lucky me! But one thing that I encounter frequently in both my roles is a list of common myths (or concerns) that people have about Security Copilot, especially given that it is a relatively new product.&lt;/P&gt;
&lt;P&gt;Today we are going to talk about such myths (or concerns) and try to see how they are either completely hokum or do have another aspect which you may or may not know about. In other words, we will try to dot all the i’s and cross all the t’s. I’ll do it in respective sections, each of which may include one or more myths, so let’s get started.&lt;/P&gt;
&lt;LI-SPOILER label="⚠️ Disclaimer"&gt;
&lt;P&gt;I sincerely appreciate the efforts of all authors and publishers who have shared their insights on Security Copilot. This article is intended to address common concerns and encourage professionals to explore the product with confidence, rather than to challenge or dismiss any shared opinions.&lt;/P&gt;
&lt;/LI-SPOILER&gt;
&lt;H3 class="lia-linked-item"&gt;&lt;STRONG&gt;Cost and Licensing&lt;/STRONG&gt;&lt;/H3&gt;
&lt;H4&gt;&lt;EM&gt;Myth #1: High Consumption Cost:&lt;/EM&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Validity&lt;/STRONG&gt;: The perception of high cost is relative and often lacks full context. While the consumption-based pricing of Security Copilot may appear higher when compared to certain other tools, it delivers significantly greater value through its advanced capabilities, seamless integration with the Microsoft Security ecosystem, and ability to accelerate threat detection and response. When evaluated alongside comparable AI-driven security solutions—both Microsoft and non-Microsoft—Security Copilot stands out for its category-defining use cases and operational efficiency, helping security teams do more with less.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reasoning:&lt;/STRONG&gt; While cost considerations are valid, they should be viewed through the lens of operational impact rather than raw consumption. Security Copilot functions as an intelligent assistant operating around the clock—enhancing threat detection, accelerating incident response, and enabling deeper, more proactive threat hunting. Many organizations have reported significant improvements in reducing mean time to respond (MTTR), increasing automation in routine investigations such as phishing, and expanding their overall security coverage without scaling headcount. By augmenting human expertise with AI, Security Copilot empowers teams to focus on high value tasks and strengthens organizational resilience against evolving threats.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;&lt;EM&gt;Myth #2: Unpredictable billing:&lt;/EM&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Validity&lt;/STRONG&gt;: This is a complete myth not only with Security Copilot but with any other Microsoft solution.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reasoning&lt;/STRONG&gt;: You get a dedicated usage dashboard in the Security Copilot portal and a link to the billing view that takes you to Microsoft Azure, where you can not only see the incurred costs but also get a reliable forecast of future costs. Whether you are a large organization with multiple instances of Security Copilot or an SMB with limited usage, these dashboards and views will help you equally to ensure you are not underspending or overspending on Security Copilot.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;&lt;EM&gt;Myth #3: It's free or covered by an existing license:&lt;/EM&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Validity&lt;/STRONG&gt;: This misconception likely arises from confusion with other Copilot offerings and becomes a myth!&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reasoning&lt;/STRONG&gt;: The overall pricing model of Security Copilot is completely different from other Microsoft Security solutions. While other solutions operate on a licensing model, Security Copilot works on a consumption-based model, meaning there are no per-user or per-device charges here! Hence, no existing license, whether Entra or Office 365 based, can give you access to ‘Security Copilot’. Also, please note that Microsoft 365 Copilot (available in Teams, Word, PowerPoint or Azure portal) is not the same as Security Copilot.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;&lt;STRONG&gt;Performance and Reliability&lt;/STRONG&gt;&lt;/H3&gt;
&lt;H4&gt;&lt;EM&gt;Myth #4: Slow responses and high latency:&lt;/EM&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Validity&lt;/STRONG&gt;: This is completely anecdotal and definitely a myth. A variety of factors affect the response latency of Security Copilot.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reasoning&lt;/STRONG&gt;: You need to consider some important factors, such as the number of SCUs provisioned, the number of concurrent Security Copilot users, the number of plugins and/or skills being invoked, and the length and complexity of the prompt, in order to understand why you may have gotten a slower response than usual. Moreover, Security Copilot can show its response in streaming mode. This approach significantly improves perceived latency for users, enabling them to begin reading responses as they are generated, as in the image below. Reference: &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/copilot/security/whats-new-copilot-security#july-2024" target="_blank" rel="noopener" data-lia-auto-title-active="0" data-lia-auto-title="What's new in Microsoft Security Copilot?"&gt;What's new in Microsoft Security Copilot?&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;img&gt;Source: Security Copilot Portal&lt;/img&gt;
&lt;H4&gt;&lt;EM&gt;Myth #5: Poor Quality or Unreliable responses:&lt;/EM&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Validity&lt;/STRONG&gt;: All I am going to say here is ‘Your Copilot is as good as the quality of your prompts’!&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reasoning&lt;/STRONG&gt;: AI is here to augment our intelligence, but it can only do that when it gets sufficient, clear and well-thought-out prompts. There is a reason to call it a ‘Co’-‘Pilot’ because you are driving/flying/learning along with it. BTW, I prefer flying almost any time! Point is, we need to understand that the quality of AI output is heavily influenced by the tone, context and specificity of prompts. There have been numerous users who agree that refined prompts can yield better results if not the best! I am not suggesting going for in-depth prompt engineering classes here, but just including the following elements when writing a prompt should give you a considerable improvement in the quality of responses. More information on effective prompting practices here: &lt;A href="https://learn.microsoft.com/en-us/copilot/security/prompting-security-copilot" target="_blank" rel="noopener" data-lia-auto-title-active="0" data-lia-auto-title="Prompting in Microsoft Security Copilot"&gt;Prompting in Microsoft Security Copilot&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;OL&gt;
&lt;LI style="list-style-type: none;"&gt;
&lt;OL&gt;
&lt;LI class="lia-align-justify"&gt;&lt;STRONG class="lia-align-justify"&gt;Goal&lt;/STRONG&gt;&amp;nbsp;- specific, security-related information that you need&lt;/LI&gt;
&lt;LI class="lia-align-justify"&gt;&lt;STRONG&gt;Context&lt;/STRONG&gt;&amp;nbsp;- why you need this information or how you plan to use it&lt;/LI&gt;
&lt;LI class="lia-align-justify"&gt;&lt;STRONG&gt;Expectations&lt;/STRONG&gt;&amp;nbsp;- format or target audience you want the response tailored to&lt;/LI&gt;
&lt;LI class="lia-align-justify"&gt;&lt;STRONG&gt;Source&lt;/STRONG&gt;&amp;nbsp;- known information, data sources, or plugins Security Copilot should use&lt;/LI&gt;
&lt;/OL&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;Moreover, I also suggest leveraging the OOTB (Out-Of-The-Box) prompts and promptbooks to understand how you should structure your prompts. Security Copilot has a dedicated ‘Promptbook Library’ where you can see all the custom and OOTB prompts. You have the option of duplicating an OOTB promptbook and creating a custom promptbook of your own from it. This way you can ensure you are leveraging the available resources to make your own use case work more efficiently.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;&lt;EM&gt;Myth #6: Service Interruptions:&lt;/EM&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Validity&lt;/STRONG&gt;: This is a fact portrayed as a myth. If provisioned Security Copilot Units (SCUs) are fully consumed without additional configuration, service may pause until capacity is restored. This behaviour aligns with standard consumption-based service models.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reasoning&lt;/STRONG&gt;&lt;STRONG&gt;:&amp;nbsp;&lt;/STRONG&gt;To maintain continuous service, Security Copilot now supports &lt;STRONG&gt;Overage Units&lt;/STRONG&gt;, which automatically activate when the initially provisioned SCUs are exhausted. This helps ensure uninterrupted functionality without requiring manual intervention. Additionally, the platform provides clear usage notifications and warnings in advance, allowing teams to proactively monitor and manage consumption. Combined with its role as a 24/7 AI-powered assistant, Security Copilot continues to deliver high availability and operational efficiency—even under dynamic workloads. For details on how to configure and manage overage units, refer to this blog: &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/securitycopilotblog/introducing-more-consumption-flexibility-with-security-copilot-enhancements/4399222" target="_blank" rel="noopener" data-lia-auto-title="Overage Units in Security Copilot" data-lia-auto-title-active="0"&gt;Overage Units in Security Copilot&lt;/A&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img&gt;Near Limit notification in Security Copilot standalone portal&lt;/img&gt;&lt;img&gt;Above Limit notification in Security Copilot standalone portal&lt;/img&gt;
&lt;H3&gt;&lt;STRONG&gt;Privacy and Data Security&lt;/STRONG&gt;&lt;/H3&gt;
&lt;H4&gt;&lt;EM&gt;Myth #7: Data sharing with Microsoft:&lt;/EM&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Validity&lt;/STRONG&gt;: This is one of the most common myths that still exists amongst users and makes them hesitant to adopt the product.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reasoning&lt;/STRONG&gt;: Microsoft has been very transparent and vocal in stating that ‘customer data’ is never used to train the underlying LLM, nor is it accessible by any human, including any non-relevant Microsoft employees. All Security Copilot data is handled according to Microsoft's commitments to privacy, security, compliance, and responsible AI practices. Access to the systems that house your data is governed by Microsoft's certified processes. Even with the data sharing option enabled by default, your data is:&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI style="list-style-type: none;"&gt;
&lt;UL&gt;
&lt;LI&gt;Not shared with OpenAI&lt;/LI&gt;
&lt;LI&gt;Not used for sales&lt;/LI&gt;
&lt;LI&gt;Not shared with third parties&lt;/LI&gt;
&lt;LI&gt;Not used to train Azure OpenAI foundational model&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;img&gt;Security Copilot provides options to enable/disable user data collection&lt;/img&gt;
&lt;H4&gt;&lt;EM&gt;Myth #8: Data Privacy Compromises:&lt;/EM&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Validity&lt;/STRONG&gt;: Concerns about data privacy are common with AI tools, but this is another completely ironic myth for a security product.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reasoning&lt;/STRONG&gt;: One important thing to know when using Microsoft products and solutions is that Microsoft provides you with contractual commitments on giving you control over your own data! Microsoft takes data security so seriously that even if a law enforcement agency or the government requests your data, you will be notified and provided with a copy of the request! And hence Microsoft defends your data through clearly defined and well-established response policies and processes like:
&lt;UL&gt;
&lt;LI&gt;Microsoft uses and enables the use of industry-standard encrypted transport protocols, such as Transport Layer Security (TLS) and Internet Protocol Security (IPsec) for any customer data in transit.&lt;/LI&gt;
&lt;LI&gt;The Microsoft Cloud employs a wide range of encryption capabilities up to AES-256 for data at rest.&lt;/LI&gt;
&lt;LI&gt;Your control over your data is reinforced by Microsoft compliance with broadly applicable privacy laws, such as GDPR and privacy standards. These include the world’s first international code of practice for cloud privacy, ISO/IEC 27018.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;&lt;STRONG&gt;Uncategorized Myths&lt;/STRONG&gt;&lt;/H3&gt;
&lt;H4&gt;&lt;EM&gt;“Security Copilot will replace our SOC team”:&lt;/EM&gt;&lt;/H4&gt;
&lt;P&gt;No! It’s a fact that Security Copilot is an assistant, not an infallible sensor. It is created to “assist security professionals” and acknowledges it may make mistakes (false positives/negatives). The very conception of Security Copilot is essentially taking over the manual and tiresome analysis of raw logs and events while giving time to security professionals to do what they do best: discovering vulnerabilities and securing organizations! Have you ever wondered why there is not a single capability in Security Copilot to take an action on its own or without your approval? What? You didn’t know that?! This is by design to ensure that you and I are always in the driving seat while our “Co”-pilot augments our capabilities, automates repetitive tasks and provides actionable insights. But users must always validate its advice.&lt;/P&gt;
&lt;H4&gt;&lt;EM&gt;“Copilot only works well with Microsoft products”:&lt;/EM&gt;&lt;/H4&gt;
&lt;P&gt;Another anecdotal myth. While Security Copilot is deeply integrated with Microsoft's own security tools, it is also designed to work effectively with a variety of third-party solutions. In fact, Microsoft provides you with more than 35 non-Microsoft plugins out-of-the-box, including some popular tools like Splunk, ServiceNow, Cyware, Shodan etc. And that’s not all: you can create your own custom plugin using one of the three methods: API, GPT or KQL.&lt;/P&gt;
&lt;H4&gt;&lt;EM&gt;“You cannot track Copilot’s activities”:&lt;/EM&gt;&lt;/H4&gt;
&lt;P&gt;The notion that “you cannot track Copilot’s activities” is definitively a myth. Security Copilot’s integration with Microsoft Purview and the Office 365 Management API provides full visibility into every interaction—prompt inputs, AI responses, plugin calls, and admin configurations. Administrators can enable, search, export, and retain these logs for compliance, forensics, or integration into broader SIEM and SOAR workflows, ensuring that Copilot becomes a transparent, auditable extension of your security operations rather than an untraceable “black box.”&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Conclusion&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;As with any transformative technology, Microsoft Security Copilot has naturally invited speculation. However, many of the concerns—ranging from cost and licensing, to performance, reliability, and data privacy—are either based on misconceptions or lack full context. Through this article, we’ve examined these myths objectively and highlighted how Security Copilot’s design, operational model, and deep integration with Microsoft’s security ecosystem work together to empower, not replace, human defenders. It is built to scale security operations with intelligence and agility, not disrupt them with unpredictability. For organizations navigating increasingly complex threat landscapes, Security Copilot offers a way to enhance response, reduce fatigue, and operationalize AI securely and responsibly. The key is not to view it as just another product, but as a strategic co-pilot—working alongside your team to defend at the speed and scale that modern security demands.&lt;/P&gt;
&lt;P&gt;Want to have a much deeper understanding of Security Copilot? Check out these awesome resources:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="http://aka.ms/SecurityCopilotAdoptionHub" target="_blank" rel="noopener" data-lia-auto-title-active="0" data-lia-auto-title="Microsoft Security Copilot - Microsoft Adoption"&gt;Microsoft Security Copilot - Microsoft Adoption&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="http://aka.ms/SecurityCopilotVideoHub" target="_blank" rel="noopener" data-lia-auto-title-active="0" data-lia-auto-title="Microsoft Security Copilot video hub - Microsoft Adoption"&gt;Microsoft Security Copilot video hub - Microsoft Adoption&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/category/security-copilot/blog/securitycopilotblog" target="_blank" rel="noopener" data-lia-auto-title="Security Copilot – Tech Community Blog Hub" data-lia-auto-title-active="0"&gt;Security Copilot – Tech Community Blog Hub&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/training/paths/sc-200-mitigate-threats-using-microsoft-copilot-for-security/" target="_blank" rel="noopener" data-lia-auto-title-active="0" data-lia-auto-title="SC-200: Mitigate threats using Microsoft Security Copilot - Training"&gt;SC-200: Mitigate threats using Microsoft Security Copilot - Training&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" style="font-style: normal; font-weight: 400; background-color: rgb(255, 255, 255);" href="https://techcommunity.microsoft.com/blog/securitycopilotblog/how-to-become-a-microsoft-security-copilot-ninja-the-complete-level-400-training/4106928" target="_blank" rel="noopener" data-lia-auto-title="Become a Microsoft Security Copilot Ninja" data-lia-auto-title-active="0"&gt;Become a Microsoft Security Copilot Ninja&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Tue, 20 May 2025 16:19:56 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/busting-myths-on-microsoft-security-copilot/ba-p/4414844</guid>
      <dc:creator>YashMudaliar</dc:creator>
      <dc:date>2025-05-20T16:19:56Z</dc:date>
    </item>
    <item>
      <title>RSA Conference 2025: Security Copilot Agents now in preview</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/rsa-conference-2025-security-copilot-agents-now-in-preview/ba-p/4406797</link>
      <description>
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In a time of escalating cyber threats, security teams face relentless pressure to do more with less – more threats, more data, more tools, fewer resources. Microsoft Security Copilot was built to bridge that gap, delivering an AI-driven assistant that enhances detection, investigation, and response across the entire Microsoft Security stack. Since it was launched in April 2024, Copilot has been integrated into customer environments to assist security professionals at every level – amplifying human expertise, streamlining complex workflows, and helping teams stay ahead of evolving threats.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/SecurityCopilot-productivitygains" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;New research from Microsoft live operation&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;s&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; highlights Security Copilot’s tangible impact, showing productivity gains across security and IT. Organizations using Security Copilot have seen:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;At this year’s RSA Conference, we are excited to share updates that make Security Copilot even more powerful, flexible, and accessible to customers and partners.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Security Copilot a&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;gents are now in preview&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Last month at Microsoft Secure, we &lt;/SPAN&gt;&lt;A href="https://techcommunity.microsoft.com/blog/SecurityCopilotBlog/automate-cybersecurity-at-scale-with-microsoft-security-copilot-agents/4394675/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;introduced Security Copilot agents&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; - autonomous AI designed to tackle high-volume security tasks. Built on Security Copilot and seamlessly integrated with Microsoft Security solutions and partner ecosystem, these agents are tailored to security-specific use cases, adapt to your workflows, and learn from feedback, all while keeping your team fully in control. Every agent launched is built on the Security Copilot platform, ensuring a consistent, secure, and unified experience across capabilities.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;div data-video-id="https://www.youtube.com/watch?v=7pI7DyiG-u4/1745830866793" data-video-remote-vid="https://www.youtube.com/watch?v=7pI7DyiG-u4/1745830866793" class="lia-video-container lia-media-is-center lia-media-size-large"&gt;&lt;iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2F7pI7DyiG-u4%3Ffeature%3Doembed&amp;amp;display_name=YouTube&amp;amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D7pI7DyiG-u4&amp;amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2F7pI7DyiG-u4%2Fhqdefault.jpg&amp;amp;type=text%2Fhtml&amp;amp;schema=youtube" allowfullscreen="" style="max-width: 100%"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Starting today, we’re beginning a phased public preview rollout which will gradually expand to more customers to ensure a smooth and scalable experience.&amp;nbsp; The following agents are now available in preview to select customers:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="9" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"&gt;&lt;A href="http://aka.ms/Secure2025/MicrosoftEntraNews" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Conditio&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;nal Access Optimization Agent in Microsoft &lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&lt;STRONG&gt;Entra&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; monitors for new users or apps not covered by existing policies, identifies necessary updates to close security gaps, and recommends quick fixes for identity teams to apply with a single click.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="9" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"&gt;&lt;A href="https://aka.ms/Secure25/IntuneAgents" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&lt;STRONG&gt;Vulnerability Remediation Agent in Microsoft Intune&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt; &lt;SPAN data-contrast="auto"&gt;monitors and prioritizes vulnerabilities and remediation tasks to address app and policy configuration issues and expedites Windows OS patches with admin approval.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="9" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"&gt;&lt;A href="https://techcommunity.microsoft.com/blog/defenderthreatintelligence/introducing-the-threat-intelligence-briefing-agent/4390821" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&lt;STRONG&gt;Threat Intelligence Briefing Agent in Security Copilot&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; automatically curates relevant and timely threat intelligence based on an organization’s unique attributes and cyberthreat exposure.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;And there’s more to come. Over the next few weeks, additional agents will become available to customers:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="8" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"&gt;&lt;A href="http://aka.ms/XDR-Secure25" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&lt;STRONG&gt;Phishing Triage Agent in Microsoft Defender&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt; &lt;SPAN data-contrast="none"&gt;triages phishing alerts with accuracy to identify real cyberthreats and false alarms. It provides easy-to-understand explanations for its decisions and improve&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;s detection based on admin feedback.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="http://aka.ms/CopilotinPurviewBlog" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&lt;STRONG&gt;Alert Triage Agents in Microsoft Purview&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; triage data loss prevention and insider risk alerts, prioritize critical incidents, and continuously improve accuracy based on admin feedback.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Partner agents&lt;/STRONG&gt; from &lt;/SPAN&gt;&lt;A href="https://www.onetrust.com/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;OneTrust&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, &lt;/SPAN&gt;&lt;A href="https://www.tanium.com/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Tanium&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, &lt;/SPAN&gt;&lt;A href="https://www.bluevoyant.com/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;BlueVoyant&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, &lt;/SPAN&gt;&lt;A href="https://fletch.ai/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Fletch&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, and &lt;/SPAN&gt;&lt;A href="https://aviatrix.com/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Aviatrix&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; that automate tasks like privacy breach response, SOC assessment, alert triage, task optimization, and root cause analysis.&amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;We’re also thrilled to announce two new partner agents that have joined our growing ecosystem since our Secure event last month, now in private preview:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Email Threat Analyst Agent&lt;/STRONG&gt; by &lt;/SPAN&gt;&lt;A href="https://www.performanta.com/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Performanta&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; conducts investigations into email-based threats and compromised user activity and provides an impact and recommended mitigation assessment.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;IAM Supervisor Agent &lt;/STRONG&gt;by &lt;/SPAN&gt;&lt;A href="https://www.performanta.com/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Performanta&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt; &lt;SPAN data-contrast="auto"&gt;uncovers and triages identity and access threats and provides an impact and recommended mitigation assessment.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;With these additions, our growing ecosystem of Security Copilot agents – now in preview – offers broader insights and powerful automation to help security teams respond faster and more effectively. We are excited to continue advancing agentic capabilities both at Microsoft and through collaboration with our third-party partners.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt; &lt;SPAN data-contrast="auto"&gt;Please visit the new &lt;/SPAN&gt;&lt;A href="https://adoption.microsoft.com/en-us/security-copilot/video-hub/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Security Copilot video hub&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; for demos or deep dives of Security Copilot agents.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 2 Char"&gt;Partner&lt;/SPAN&gt; e&lt;SPAN data-ccp-charstyle="Heading 2 Char"&gt;cosystem updates&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;H2 aria-level="3"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;Azure Lighthouse support for Sentinel use ca&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;ses&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;Security Copilot support for Azure Lighthouse Sentinel use cases &lt;/STRONG&gt;for managed security service provider (MSSP) tenants is now generally available. With this support, MSSPs can purchase SCUs and attach them to the managing tenant in Azure Lighthouse and use those SCUs to run Security Copilot skills related to Microsoft Sentinel on their customer tenants via Azure Lighthouse. All the Sentinel skills available in Security Copilot will be invokable from the Azure Lighthouse tenant without the customer needing to have Security Copilot, thereby making Security Copilot available to MSSPs who manage multiple customers.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Supported scenarios include querying the customer Sentinel incident, incident entities/ details, querying Sentinel workspaces, and fetching Sentinel incident query. These skills can be invoked on per customer Sentinel workspace. Managing tenants using Azure Lighthouse now can do the following, without their customers needing to provision SCUs:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335557856&amp;quot;:16777215,&amp;quot;335559739&amp;quot;:150}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Use the same natural language-based prompts using Sentinel skills on customer data&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335557856&amp;quot;:16777215,&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Create custom promptbooks using Sentinel skills to automate their investigations&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335557856&amp;quot;:16777215,&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Use Logic Apps to trigger these promptbooks&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335557856&amp;quot;:16777215,&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Learn more about how to get started with &lt;/SPAN&gt;&lt;A href="https://aka.ms/AZLHSentinelSupport" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;A&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;zure Lighthouse Support for Sentinel use cases &lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;here&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2 aria-level="3"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;New Security Copilot plugins&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;As part of our effort to provide customers with truly end-to-end security protection, we continue to prioritize expanding our Security Copilot partner ecosystem. We have worked with partners to develop plugins to enhance and extend the information and data brought into Security Copilot.&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The following plugins are now in preview: &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="8" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;Censys plugin&lt;/STRONG&gt; &lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;enables users to enrich investigations using threat intelligence from the Censys platform to scan a URL or domain and scan an IP address.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="8" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;HP Workforce Experience Platform (WXP)&lt;/SPAN&gt; &lt;SPAN data-contrast="auto"&gt;plugin&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt; for Security Copilot &lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;allows users to gain insight into warranty of devices, application crashes, data about their fleet, and more.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="8" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/copilot/security/plugin-splunk" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&lt;STRONG&gt;Splunk plugin&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; allows Security Copilot users to make calls to Splunk to perform queries to create, retrieve, and dispatch saved Splunk searches, and retrieve and view information about fired alerts.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="8" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="5" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/copilot/security/plugin-quest-security-guardian" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&lt;STRONG&gt;Quest Security Guardian plugin&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt; &lt;SPAN data-contrast="none"&gt;reduces alert fatigue by prioritizing your most exploitable vulnerabilities and Active Directory configurations that demand attention.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The following plugins are now in GA:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="8" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="7" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/copilot/security/plugin-checkphish" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;CheckPhish plugi&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&lt;STRONG&gt;n&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt; a&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;llows users to utilize the CheckPhish AI to analyze URLs for potential phishing threats, tech support scams, cryptojacking, and other security risks.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 aria-level="3"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;Integration spotlight: ServiceNow SIR plugin&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The&lt;STRONG&gt; integration of &lt;/STRONG&gt;&lt;A href="https://www.servicenow.com/ai.html" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;ServiceNow &lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&lt;STRONG&gt;AI&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt; &lt;STRONG&gt;and&lt;/STRONG&gt; &lt;STRONG&gt;Microsoft Security Copilot capabilities&lt;/STRONG&gt; brings joint capabilities to empower our customers and enhance their security posture. The integration optimizes incident insights within SIR and enhances Microsoft Security product’s security incident resolution status and threat prioritization capabilities, driving continuous security posture and awareness. As a result, security teams benefit from faster, more accurate incident resolution - reinforcing our commitment to delivering cutting&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;-&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; edge, AI-driven solutions that elevate the entire security ecosystem.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;F&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;lexibility, scalability, and security&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt; for AI&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;H2&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Microsoft Purview for Security Copilot&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;As organizations adopt AI, implementing data controls and a  &lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/en-us/security/business/zero-trust" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Zero Trust&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt; approach is crucial to mitigate risks like data oversharing and leakage, and potential non-compliant usage in AI. We are excited to announce&lt;STRONG&gt; Microsoft Purview capabilities in preview for Security Copilot.&lt;/STRONG&gt; By combining Microsoft Purview and Security Copilot, users can:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Discover data risks&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt; such as sensitive data in user prompts and responses and receive recommended actions in their Microsoft Purview Data Security Posture Management (DSPM) for AI dashboard to reduce these risks.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Identify risky AI usage&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt; with &lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/security/business/risk-management/microsoft-purview-insider-risk-management" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Purview Insider Risk Management&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt; to investigate risky AI usage, such as an inadvertent user who has neglected security best practices and shared sensitive data in AI or a departing employee using AI to find sensitive data and exfiltrating the data through a USB device.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Govern AI usage&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt; with Microsoft Purview Audit, Microsoft Purview eDiscovery, retention policies, and non-compliant usage detection.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Learn more about &lt;/SPAN&gt;&lt;A href="https://aka.ms/SecurityforAISecurenews" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;P&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;urview for Security Copilot here&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Copilot in &lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Microsoft &lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Heading 3 Char"&gt;Defender for Cloud&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Copilot in Defender for Cloud &lt;/STRONG&gt;helps security teams accelerate risk remediation, making it faster and easier for security admins to remediate cloud risks by providing AI-generated summaries, remediation actions, and delegation emails, guiding users in each step of the risk reduction process. Security admins can use AI to quickly summarize a specific recommendation, generate remediation scripts, and delegate tasks via email to resource owners. The capabilities help reduce investigation time, enabling security teams to understand the risk in context and identify resources to quickly remediate. The capabilities are now generally available. Learn more about &lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/copilot-security-in-defender-for-cloud" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Copilot in Defender for Cloud here&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2 aria-level="3"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;Enriched Incident Summaries in the Microsoft Sentinel Azure portal&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;We’re excited to announce&lt;STRONG&gt; &lt;/STRONG&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Security Copilot Incident Summaries&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt; in the Microsoft Sentinel Azure portal &lt;/STRONG&gt;are now in public preview. This capability provides enriched, easy-to-digest insights into security incidents - streamlining triage and helping analysts quickly understand scope, impact, and next steps. &lt;/SPAN&gt;&lt;A href="https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/new-capabilities-coming-to-microsoft-sentinel-this-spring/4390357" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Read the blog post her&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;e&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2 aria-level="3"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;Enhanced Consumption Flexibility for Security Copilot&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This month we introduced enhancements to Security Copilot to enhance customer flexibility and scalability, by supplementing the existing provisioned pricing structure for Security Copilot with the addition of an &lt;STRONG&gt;overage Security Compute Unit (SCU)&lt;/STRONG&gt;. This capability ensures that users can scale their Copilot workloads beyond their provisioned capacity, for uninterrupted protection. &lt;/SPAN&gt;&lt;A href="https://aka.ms/OverageSCU-blog" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Read the blog &lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;post &lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;here&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Learn more about Security Copilot at RSA&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt; Conference 2025&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;To learn more about Security Copilot and explore how it can elevate your organization’s security strategy, we invite you to connect with us at&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;booth #5744&lt;/STRONG&gt;. &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;This is a great opportunity to engage with Microsoft security experts, dive deeper into the latest innovations, and experience how Security Copilot can simplify and strengthen your security operations. Join us for our Security Copilot sessions below, stop by our booth for a live demo, or schedule a one-on-one meeting with our team.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
</description>
      <pubDate>Mon, 28 Apr 2025 15:56:45 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/rsa-conference-2025-security-copilot-agents-now-in-preview/ba-p/4406797</guid>
      <dc:creator>Dilip_Radhakrishnan</dc:creator>
      <dc:date>2025-04-28T15:56:45Z</dc:date>
    </item>
    <item>
      <title>Using Security Copilot to Proactively Identify and Prioritize Vulnerabilities</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/using-security-copilot-to-proactively-identify-and-prioritize/ba-p/4404560</link>
      <description>
&lt;H4 aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Introduction&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;There are many different approaches to prioritizing the vulnerabilities that need to be addressed urgently. Any information or guidance that helps you make better-informed decisions can be critical, but how can you stay informed? Leveraging all the information sources available to you can make the difference and allow you to be proactive when trying to protect your organization.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;One useful feed is offered by CISA (Cybersecurity &amp;amp; Infrastructure Security Agency), which works with partners to defend against today’s threats and collaborates to build a more secure and resilient infrastructure for the future. &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;The Known Exploited Vulnerabilities (KEV) Catalog is a curated list maintained by CISA. It identifies vulnerabilities that have been actively exploited in the wild, posing significant risks to organizations and individuals. The catalog aims to enhance cybersecurity by providing timely information on these vulnerabilities, enabling proactive mitigation efforts.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335557856&amp;quot;:16448250,&amp;quot;335559738&amp;quot;:90,&amp;quot;335559739&amp;quot;:150}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Key features of the KEV Catalog include:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335557856&amp;quot;:16448250,&amp;quot;335559738&amp;quot;:90,&amp;quot;335559739&amp;quot;:150}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Identification: Lists vulnerabilities that are confirmed to be exploited.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335557856&amp;quot;:16448250,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Details: Provides technical details, including affected products and versions.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335557856&amp;quot;:16448250,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Mitigation: Offers guidance on how to address and remediate the vulnerabilities.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335557856&amp;quot;:16448250,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Updates: Regularly updated to reflect new threats and exploited vulnerabilities.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;335557856&amp;quot;:16448250,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The KEV Catalog serves as a critical resource for cybersecurity professionals, helping them prioritize patching and defense strategies to protect against known threats.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The feed is designed to help organizations stay informed about vulnerabilities that have been exploited in the wild. It is part of CISA's efforts to defend against current threats and build a more secure and resilient infrastructure for the future.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Workflow overview&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The automated CISA feed solution addresses prioritization challenges by streamlining the process of vulnerability management. This solution checks the latest CISA feed every 24 hours and queries the CVE findings against devices within Microsoft Defender for Endpoint. Security Copilot then checks for remediation actions and enriches the description, providing a comprehensive overview of the vulnerability.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Figure 1: Example of the email output from the Logic App&lt;/img&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Key benefits of the Logic App include:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Automated Updates: &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;The Logic App automatically retrieves the latest CISA feed, ensuring that analysts have up-to-date information without manual intervention. This eliminates the need for manual checks and reduces the risk of missing critical updates.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Device Vulnerability Assessment:&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; It queries the CVE findings against devices within the organization, identifying which devices are vulnerable to the reported CVEs. This targeted approach allows analysts to focus on the most critical vulnerabilities affecting their specific environment, enhancing the efficiency of the remediation process.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Remediation Insights:&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; Security Copilot provides detailed remediation actions, helping analysts understand the steps needed to mitigate the vulnerabilities. By enriching the description with actionable insights, it simplifies the decision-making process and accelerates the implementation of security measures.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Email Notifications:&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; An email with the findings is sent to a designated mailbox, allowing for easy review and follow-up. This ensures that all relevant stakeholders are informed promptly, facilitating coordinated responses and continuous monitoring of the organization's security posture.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;img&gt;Figure 2: Screenshot of the CISA Logic App&lt;/img&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Click &lt;/SPAN&gt;&lt;A class="lia-external-url" href="https://github.com/Azure/Security-Copilot/blob/main/Logic%20Apps/LatestCISAVulnerabilities/Readme.md" target="_blank" rel="noopener"&gt;here&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; to get started and install the Logic App today.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;201341983&amp;quot;:0,&amp;quot;335551550&amp;quot;:1,&amp;quot;335551620&amp;quot;:1,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559737&amp;quot;:0,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4 aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Conclusion&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;To prioritize effectively, gather all necessary information for informed decisions. While the Logic App CISA workflow is one approach, other methods may better suit your organization. &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/securitycopilotblog/extending-microsoft-copilot-for-security-capabilities-with-azure-function-apps/4220267" target="_blank" rel="noopener" data-lia-auto-title="Function Apps" data-lia-auto-title-active="0"&gt;Function Apps&lt;/A&gt; can enhance decision making by automating and streamlining security operations with integrated tools and processes. The &lt;A class="lia-external-url" href="https://github.com/Azure/Security-Copilot/tree/main" target="_blank" rel="noopener"&gt;Security Copilot GitHub repository&lt;/A&gt; offers AI-powered solutions using machine learning and natural language processing to improve security. These tools help identify vulnerabilities, predict risks, and implement protective measures. Check it out!&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 16 Apr 2025 17:04:19 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/using-security-copilot-to-proactively-identify-and-prioritize/ba-p/4404560</guid>
      <dc:creator>jamilmirza</dc:creator>
      <dc:date>2025-04-16T17:04:19Z</dc:date>
    </item>
    <item>
      <title>Securely integrate On-Prem and Self-Hosted VM instances of Splunk with Microsoft Security Copilot</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/securely-integrate-on-prem-and-self-hosted-vm-instances-of/ba-p/4402551</link>
      <description>&lt;P&gt;Microsoft Security Copilot is a SaaS-based, AI-powered cybersecurity solution that uses generative AI to empower defenders to protect at the speed and scale of AI. Integrating Security Copilot with other SaaS platforms is generally straightforward thanks to native cloud-to-cloud connectivity. This includes native cloud-to-cloud integration with Splunk Cloud, now part of Cisco.&lt;/P&gt;
&lt;P&gt;The &lt;STRONG&gt;Security Copilot plugin for Splunk&lt;/STRONG&gt; also supports &lt;STRONG&gt;on-premises&lt;/STRONG&gt; and &lt;STRONG&gt;self-hosted VM deployments&lt;/STRONG&gt; of Splunk; however, additional steps are required to enable secure and reliable communication in these scenarios.&lt;/P&gt;
&lt;P&gt;This blog walks you through how to integrate Security Copilot with non-SaaS editions of Splunk using &lt;STRONG&gt;Microsoft Entra ID Application Proxy&lt;/STRONG&gt; and &lt;STRONG&gt;Azure Application Gateway with Web Application Firewall (WAF)&lt;/STRONG&gt;. This setup ensures that your Splunk instance remains protected behind enterprise-grade security controls while still being accessible to Security Copilot for log analysis and threat investigation.&lt;/P&gt;
&lt;P&gt;While this guidance is specifically for Splunk, the same general principles can be applied to integrate other on-prem solutions with Security Copilot.&lt;/P&gt;
&lt;H3&gt;Solution overview&lt;/H3&gt;
&lt;P&gt;In this blog post, we illustrate how to securely integrate Microsoft Security Copilot with Splunk in two common scenarios:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;When your Splunk instance is already running within an Azure Virtual Network (VNet).&lt;/LI&gt;
&lt;LI&gt;When your Splunk instance is deployed on-premises but you already have network connectivity to an Azure VNet through VPN or ExpressRoute.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;If these conditions are not met—for example, if your Splunk deployment is fully isolated on-premises without connectivity to Azure—it is still possible to securely expose your instance to Security Copilot by using a reverse proxy hosted on-premises instead of Azure Application Gateway. However, that approach is outside the scope of this blog.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The solution presented here relies on a combination of Microsoft Entra ID Application Proxy and Azure Application Gateway with Web Application Firewall (WAF) to create a secure, controlled communication channel between Security Copilot and your Splunk instance.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Entra ID Application Proxy&lt;/STRONG&gt; is used to publish the Splunk REST endpoint in a secure manner. This ensures that the Splunk instance is not directly exposed to the Internet and that no inbound ports need to be opened on your firewall.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Azure Application Gateway&lt;/STRONG&gt;, equipped with &lt;STRONG&gt;WAF&lt;/STRONG&gt;, acts as a reverse proxy that enforces access controls based on source IP addresses. It ensures that only traffic originating from the known &lt;A href="https://learn.microsoft.com/en-us/copilot/security/plugin-ip-address" target="_blank" rel="noopener"&gt;Security Copilot egress IPs&lt;/A&gt; is allowed to reach the published Splunk endpoint. Additionally, WAF allows you to enforce protections such as the OWASP Top 10, Bot Protection, and custom rules, adding another layer of defense.&lt;/P&gt;
&lt;P&gt;This approach is applicable not only for Splunk instances hosted in Azure, but also for self-hosted VM deployments running on other public clouds such as AWS or GCP, as long as they are reachable via a secure VNet-integrated path.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Below is a high-level view of the architecture:&lt;/STRONG&gt;&lt;/P&gt;
&lt;img&gt;Splunk hosted on Azure&lt;/img&gt;&lt;img&gt;Splunk instance deployed on-premises with network connectivity to an Azure VNet through VPN or ExpressRoute&lt;/img&gt;
&lt;H3&gt;Step by step deployment guide&lt;/H3&gt;
&lt;P&gt;The following sections describe the procedures for configuring Microsoft Entra ID Application Proxy and Azure Application Gateway to enable secure integration between Security Copilot and your Splunk instance.&lt;/P&gt;
&lt;P&gt;⚠️&lt;EM&gt; &lt;STRONG&gt;Important&lt;/STRONG&gt;: While the guidance provided outlines a reference architecture, please make sure to adapt all configuration steps to reflect your actual network topology and IP address space. Specific settings such as subnet ranges, routing paths, and firewall rules should align with your organization’s infrastructure design and security policies.&lt;/EM&gt;&lt;/P&gt;
&lt;H3&gt;Entra ID Application Proxy setup and configuration&lt;/H3&gt;
&lt;H4&gt;Download and Configure the Connector Service&lt;/H4&gt;
&lt;P&gt;To enable secure connectivity between Security Copilot and your on-premises or self-hosted Splunk instance, begin by setting up the Entra ID Application Proxy connector:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Download the connector from the Azure Portal: go to https://portal.azure.com → Entra ID → Application Proxy.&lt;/LI&gt;
&lt;/OL&gt;
&lt;img&gt;App Proxy Connector download&lt;/img&gt;
&lt;OL start="2"&gt;
&lt;LI&gt;Ensure your network environment is properly configured for outbound connectivity. Refer to &lt;A href="https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-prerequisites" target="_blank" rel="noopener"&gt;Microsoft's documentation&lt;/A&gt; for detailed prerequisites and firewall rules.&lt;/LI&gt;
&lt;LI&gt;The connector must be installed on Windows Server 2012 R2 or later.&lt;/LI&gt;
&lt;LI&gt;Once installed successfully, the connector establishes a secure outbound communication channel with Azure. You can verify its status under the Health Status section in the portal.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Connector health status&lt;/img&gt;
&lt;H4&gt;Configure an Entra ID Application for Splunk&lt;/H4&gt;
&lt;P&gt;The next step is to publish your Splunk instance as an app via Application Proxy. This allows Security Copilot to securely invoke Splunk’s APIs, which are exposed on the default management port &lt;STRONG&gt;8089&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Note:&lt;/STRONG&gt; Ensure that the splunkd service is configured with a valid SSL certificate. The connector requires HTTPS for communication.&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;In the Application Proxy section, click on &lt;STRONG&gt;“Configure an app”&lt;/STRONG&gt;.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Configure an app&lt;/img&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL start="2"&gt;
&lt;LI&gt;Fill in the relevant fields. Under the Pre-authentication section, select "&lt;STRONG&gt;Passthrough&lt;/STRONG&gt;".&lt;BR /&gt;Since the Security Copilot plugin supports either API Key Authentication or Basic Authentication, it cannot perform Microsoft Entra ID authentication. Therefore, authentication must be handled directly by Splunk.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Configure an app&lt;/img&gt;
&lt;P&gt;&lt;STRONG&gt;Important:&lt;/STRONG&gt; To add an additional security layer and restrict access only to Security Copilot’s egress IP addresses, a custom WAF Policy will be configured on the Application Gateway, as described in the following section.&lt;/P&gt;
&lt;OL start="3"&gt;
&lt;LI&gt;Once configured, the app will be visible under &lt;STRONG&gt;Entra ID → App registrations&lt;/STRONG&gt;.&lt;/LI&gt;
&lt;/OL&gt;
&lt;img&gt;Splunk App registration&lt;/img&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL start="4"&gt;
&lt;LI&gt;You can test the application by navigating to the external URL defined during setup.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;STRONG&gt;Note:&lt;/STRONG&gt; Although Splunk listens on port 8089, Application Proxy exposes the service externally over port 443 (HTTPS).&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Licensing Requirement:&lt;/STRONG&gt; Entra ID P1 licenses or higher are required to use Application Proxy.&lt;/P&gt;
&lt;H3&gt;Application Gateway and WAF Configuration&lt;/H3&gt;
&lt;P&gt;You can use the Azure Portal wizard to create and configure the Application Gateway with the following steps:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Tip&lt;/STRONG&gt;: &lt;EM&gt;If you already have Azure DDoS deployed and can use the same Virtual Network, there will be no additional charges for the WAF, as detailed here: &lt;/EM&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-faq" target="_blank" rel="noopener"&gt;&lt;EM&gt;Azure DDoS Protection frequently asked questions | Microsoft Learn&lt;/EM&gt;&lt;/A&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Create the Application Gateway&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;Navigate to&amp;nbsp;Create a resource &amp;gt; Networking &amp;gt; Application Gateway.&lt;/LI&gt;
&lt;LI&gt;Select the appropriate&amp;nbsp;Resource Group and Azure region.&lt;/LI&gt;
&lt;LI&gt;For&amp;nbsp;Tier, choose WAF V2.&lt;/LI&gt;
&lt;LI&gt;If you already have a&amp;nbsp;WAF Policy, select it. Otherwise, you can create one later using the configuration guidance provided in the next section.&lt;/LI&gt;
&lt;LI&gt;Choose the&amp;nbsp;dedicated subnet (e.g., subnet-appgw) for the Application Gateway instance.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Create Application Gateway&lt;/img&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL start="2"&gt;
&lt;LI&gt;&lt;STRONG&gt;Configure the Frontend IP&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;Select&amp;nbsp;Private as the frontend IP type.&lt;/LI&gt;
&lt;LI&gt;Assign a static private IP address from the selected subnet. This IP will serve as the entry point for requests coming from Entra ID Application Proxy.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img&gt;Frontend configuration&lt;/img&gt;
&lt;OL start="3"&gt;
&lt;LI&gt;&lt;STRONG&gt;Add the Backend Pool&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;Add your&amp;nbsp;Splunk Search Head as a backend target.&lt;/LI&gt;
&lt;LI&gt;This can be either:
&lt;UL&gt;
&lt;LI&gt;A VM running in the same VNet as AppGW, or&lt;/LI&gt;
&lt;LI&gt;A Splunk instance hosted on-premises, reachable via VPN or ExpressRoute.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;img&gt;Add backend pool&lt;/img&gt;
&lt;OL start="4"&gt;
&lt;LI&gt;&lt;STRONG&gt;Configure Routing Rules&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;Under the&amp;nbsp;Configuration tab, add a Routing Rule:
&lt;UL&gt;
&lt;LI&gt;Create a Listener and bind it to the private frontend IP you configured in step 2.&lt;/LI&gt;
&lt;LI&gt;Upload your Splunk instance’s TLS certificate in PFX format to enable HTTPS.&lt;/LI&gt;
&lt;LI&gt;Set the backend protocol to HTTPS and the port to 8089, which is the default for Splunk’s management and search APIs.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;img&gt;Add routing rule - listener&lt;/img&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Add routing rule - backend&lt;/img&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL start="5"&gt;
&lt;LI&gt;&lt;STRONG&gt;Tags (optional)&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;Add tags as needed for resource classification, billing, or automation purposes.&lt;/LI&gt;
&lt;/UL&gt;
&lt;OL start="6"&gt;
&lt;LI&gt;&lt;STRONG&gt;Review and Create&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;Review your configuration and create the Application Gateway.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;review and create&lt;/img&gt;
&lt;P&gt;Once deployed, the Application Gateway will serve as a secure intermediary, ensuring that only requests from the known Security Copilot egress IPs reach your Splunk instance, and that all communication is encrypted and inspected by WAF.&lt;/P&gt;
&lt;H3&gt;WAF Policy configuration&lt;/H3&gt;
&lt;P&gt;Create a WAF Policy, associate it with the Application Gateway, and configure a &lt;STRONG&gt;custom rule&lt;/STRONG&gt; as follows to allow traffic &lt;STRONG&gt;only from the Security Copilot egress IPs&lt;/STRONG&gt;.&lt;BR /&gt;&lt;STRONG&gt;Note&lt;/STRONG&gt;: Since the traffic is proxied through &lt;STRONG&gt;Entra ID Application Proxy&lt;/STRONG&gt;, the source IP check must be performed on the &lt;STRONG&gt;X-Forwarded-For header&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;WAF policy&lt;/img&gt;
&lt;H3&gt;Configuring your Splunk plugin in Security Copilot&lt;/H3&gt;
&lt;OL&gt;
&lt;LI&gt;Navigate to the Splunk plugin and select Setup.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Plugin set up&lt;/img&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL start="2"&gt;
&lt;LI&gt;Choose your preferred authentication method (API Key recommended).&lt;/LI&gt;
&lt;/OL&gt;
&lt;img&gt;Plugin authentication&lt;/img&gt;
&lt;OL start="3"&gt;
&lt;LI&gt;Enter the external URL generated by Entra ID Application Proxy and click Save.&lt;/LI&gt;
&lt;/OL&gt;
&lt;img&gt;Plugin settings&lt;/img&gt;
&lt;H3&gt;Conclusion&lt;/H3&gt;
&lt;P&gt;By leveraging Microsoft Entra ID Application Proxy and Azure Application Gateway with Web Application Firewall (WAF), you can securely connect on-premises or self-hosted Splunk instances to Microsoft Security Copilot - enabling seamless log analysis and threat investigation without exposing Splunk to the internet. This approach extends Security Copilot’s reach beyond SaaS applications, broadening the context needed for effective investigations across hybrid environments.&lt;/P&gt;
&lt;H3&gt;Additional resources&lt;/H3&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/copilot/security/plugin-splunk" target="_blank" rel="noopener"&gt;Splunk and Microsoft Security Copilot | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/domain-services/deploy-azure-app-proxy" target="_blank" rel="noopener"&gt;Deploy Microsoft Entra application proxy for Microsoft Entra Domain Services - Microsoft Entra ID | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/app-proxy/conceptual-deployment-plan" target="_blank" rel="noopener"&gt;Plan a Microsoft Entra application proxy Deployment - Microsoft Entra ID | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-application-gateway-waf" target="_blank" rel="noopener"&gt;Using Application Gateway WAF to protect your application - Microsoft Entra ID | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal" target="_blank" rel="noopener"&gt;Web application firewall exclusion lists in Azure Application Gateway - Azure portal | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-network-topology" target="_blank" rel="noopener"&gt;Network topology considerations for Microsoft Entra application proxy - Microsoft Entra ID | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal" target="_blank" rel="noopener"&gt;Tutorial - Create S2S VPN connection between on-premises network and Azure virtual network: Azure portal - Azure VPN Gateway | Microsoft Learn&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 10 Apr 2025 15:30:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/securely-integrate-on-prem-and-self-hosted-vm-instances-of/ba-p/4402551</guid>
      <dc:creator>AntonioFormato</dc:creator>
      <dc:date>2025-04-10T15:30:00Z</dc:date>
    </item>
    <item>
      <title>Introducing more consumption flexibility with Security Copilot enhancements</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/introducing-more-consumption-flexibility-with-security-copilot/ba-p/4399222</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="none"&gt;In today’s rapidly evolving cybersecurity landscape, efficiently managing security and IT operations is more critical than ever. Organizations need scalable and flexible solutions that offer robust protection. Last year, we launched Microsoft Security Copilot, a generative AI-powered assistant designed to help security and IT teams operate at the speed and scale of AI. Since then, organizations have used Copilot to enhance their security and IT workflows, with companies like &lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/en/customers/story/1797704796946869974-qnet-microsoft-copilot-for-security-retailers-en-hong-kong-sar" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;QNET&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt; reporting a 60% increase in efficiency&lt;/SPAN&gt; &lt;SPAN data-contrast="none"&gt;post-adoption&lt;/SPAN&gt; &lt;SPAN data-contrast="none"&gt;—enabling teams to detect and respond to threats faster than ever before.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;To further enhance customer flexibility and scalability, we are now supplementing the existing provisioned pricing structure for Security Copilot with the addition of an overage Security Compute Unit (SCU). This update ensures that organizations can confidently scale their Security Copilot workloads dynamically beyond their provisioned capacity, while maintaining cost predictability and control.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;E&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;nsur&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;e&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt; uninterrupted &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Security Copilot&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt; assistance&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Security is a mission-critical necessity, and unexpected threats or workload spikes can arise at any time, demanding a pricing model that is both flexible and scalable to ensure uninterrupted protection. Previously, precise usage estimation was required to av&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;oid throttled workloads. Now, enabling overage SCUs ensures organizations can handle unforeseen security demands without disruption.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;201341983&amp;quot;:0,&amp;quot;335551550&amp;quot;:1,&amp;quot;335551620&amp;quot;:1,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559737&amp;quot;:0,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Security Copilot us&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;ers can continue using their provisioned SCUs for regular workloads, while overage SCUs provide &lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;additional&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt; capacity&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt; when &lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;needed. This&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt; hybrid approach allows customers to &lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;establish&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt; a base fixed SCU provisioned &lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;capacity&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt; and set a &lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;maximum&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt; overage limit.&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt; Customers only pay for overage SCUs used when they consume beyond their provisioned SCU allocation, ensuring scalability and support during unexpected demand spikes without incurring unnecessary costs. Additionally, they have the option to set an upper limit on overage SCUs, which provides better budget predictability. &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;G&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;et granular insights&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt; with the usage dashboard&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;The in-product usage dashboard has also been updated to help organizations track and manage SCU consumption effectively. The dashboard offers detailed insights into SCU usage, allowing admins to monitor consumption against provisioned SCUs, track overage SCU usage, and review granular details such as session initiators, IDs, categories, and experience. The dashboard ensures organizations have the visibility needed to optimize usage while maintaining budget control.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;The combination of provisioned and overage SCU provides organizations with peace of mind, knowing that critical security operations always have the necessary resources when they’re needed most.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Get Started with Overage SCUs &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;t&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;oday&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;As cyber risks continue to grow, having the right tools to manage security efficiently, cost-effectively, and at scale is crucial. With this latest enhancement, Microsoft Security Copilot is equipping organizations with the scalability and flexibility needed to secure their environment with confidence.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Overage SCUs are generally available today. Existing customers can immediately enable overage SCUs or set a limit on maximum usage in Security Copilot. Learn more about Security Copilot pricing &lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/copilot/security/get-started-security-copilot" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;here&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt;, and calculate your estimated maximum spend per month using the &lt;/SPAN&gt;&lt;A href="https://azure.microsoft.com/en-us/pricing/calculator/?service=microsoft-security-copilot" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;pricing calculator&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt;. &amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account?icid=azurefreeaccount" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Sign up&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt; for a free Azure subscription to get started with Security Copilot today.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 02 Apr 2025 18:48:11 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/introducing-more-consumption-flexibility-with-security-copilot/ba-p/4399222</guid>
      <dc:creator>Dilip_Radhakrishnan</dc:creator>
      <dc:date>2025-04-02T18:48:11Z</dc:date>
    </item>
    <item>
      <title>Automate cybersecurity at scale with Microsoft Security Copilot agents</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/automate-cybersecurity-at-scale-with-microsoft-security-copilot/ba-p/4394675</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;When we introduced &lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/security/business/ai-machine-learning/microsoft-security-copilot" target="_blank" rel="noopener"&gt;Microsoft Security Copilot&lt;/A&gt; last year, we set out to transform the way defenders approach cybersecurity. As one of the industry's first generative AI solutions for security and IT teams, Security Copilot is empowering teams to catch what others miss, respond faster, and strengthen team expertise in an evolving threat landscape.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Customers like &lt;/SPAN&gt;&lt;A class="lia-external-url" href="https://www.microsoft.com/en/customers/story/1802842951607118817-eastman-microsoft-defender-other-en-united-states" target="_blank" rel="noopener"&gt;Eastman&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; are already seeing the impact. “I’m finding that I can ask [Security Copilot] about attack factors that I’ve never seen before and get answers much faster”, said David Yates, Senior Cybersecurity Analyst at Eastman. “That helps me to make a better decision and respond faster to an attacker.” A &lt;/SPAN&gt;&lt;A href="https://aka.ms/SecurityCopilotMTTRResearch" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;recent study&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; of Copilot users showed that using Security Copilot reduced mean time to resolution by 30%, helping accelerate response times and minimizing the impact of security incidents.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;But as defenders evolve, so have attackers.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Adversaries are now leveraging AI to launch more sophisticated attacks with unprecedented speed and scale. Security and IT teams – already overwhelmed by a huge volume of alerts, data, and threats – are struggling to keep up. Traditional automation, while useful, lacks the flexibility and adaptability to keep up.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Today, we’re taking the next leap forward in generative AI-powered cybersecurity. I am thrilled to introduce&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; &lt;STRONG&gt;agents in Microsoft Security Copilot.&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;div data-video-id="https://youtu.be/7pI7DyiG-u4/1742831924757" data-video-remote-vid="https://youtu.be/7pI7DyiG-u4/1742831924757" class="lia-video-container lia-media-is-center lia-media-size-large"&gt;&lt;iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2F7pI7DyiG-u4%3Ffeature%3Doembed&amp;amp;display_name=YouTube&amp;amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D7pI7DyiG-u4&amp;amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2F7pI7DyiG-u4%2Fhqdefault.jpg&amp;amp;type=text%2Fhtml&amp;amp;schema=youtube" allowfullscreen="" style="max-width: 100%"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;AI-powered agents represent the natural evolution of Security Copilot, going beyond AI assistant capabilities. They autonomously manage high-volume security and IT tasks, seamlessly integrated with Microsoft Security solutions and partner solutions. Purpose-built for security, these agents learn from feedback, adapt to organizational workflows with your team fully in control, and operate securely within Microsoft’s Zero-Trust framework.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Delivering powerful automation across threat protection, identity management, data security, and IT operations, these agents empower teams to accelerate responses, prioritize risks, and drive efficiency at scale. By reducing manual workloads, they enhance operational effectiveness and strengthen overall security posture – allowing defenders to stay ahead. To bring this automation to life, we’re introducing six security agents from Microsoft and five security agents from partners which will be available for preview&lt;/SPAN&gt; &lt;SPAN data-contrast="auto"&gt;in April.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Empowering security and IT &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;teams with &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Security Copilot &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;agents&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Our goal is to provide generative AI-powered security for everyone. Integrating Copilot with Microsoft Security products helps IT and security teams benefit from increased speed and accuracy. Now, you can use embedded Security Copilot agents with capabilities specific to use cases for your role in the products you know and love:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN data-ccp-props="{}"&gt;Security Alert Triage Agent&lt;EM&gt; (previously named Phishing Triage Agent)&lt;/EM&gt;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;SOC analysts often face the challenge of managing hundreds of user-submitted phishing alerts each week, with each alert taking up to 30 minutes for manual triage. This process requires meticulous sifting through submissions to find the needle in the haystack – the genuine threat amidst all the noise.&amp;nbsp; Security Copilot solves this challenge with an AI-powered agent embedded in Microsoft Defender, that works in the background to autonomously triage user-submitted phishing incidents. Powered by advanced multi-modal AI tools, it determines whether an alert is a genuine phishing attempt or a false alarm with exceptional precision. The agent not only delivers natural language explanations for its decisions but also dynamically refines its detection capabilities based on analyst feedback. By alleviating the burden of reactive work, it empowers SOC analysts to focus on proactive security measures, ultimately strengthening the organization's overall security posture.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Note: &lt;/STRONG&gt;The Phishing Triage Agent has since been expanded and is now called the Security Alert Triage Agent. Learn more at &lt;A class="lia-external-url" href="http://aka.ms/SATA" target="_blank"&gt;aka.ms/SATA&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H2&gt;&lt;SPAN data-contrast="auto"&gt;Alert Triage Agents for Data Loss Prevention and Insider Risk Management&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Data security admins regularly struggle to manage the volume of alerts they receive daily, addressing only about 60% of them due to time and resource constraints&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;SPAN data-fontsize="10"&gt;1&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;. The Alert Triage Agents in Microsoft Purview Data Loss Prevention (DLP) and Insider Risk Management (IRM) identify the alerts that pose the greatest risk to your organization and should be prioritized first. These agents analyze the content and potential intent involved in an alert, based on the organization’s chosen parameters and selected policies, to categorize alerts based on the impact they have on sensitive data. Additionally, they provide a comprehensive explanation on the logic behind that categorization, allowing admins to analyze a risk in just a few minutes. These agents empower data security teams to focus on the most important alerts and concentrate on the critical threats, with a dynamic process that takes inputs from data security admins in natural language and fine-tunes the triage results to better match the organizations’ priorities. The agent learns from this feedback, using that rationale to calibrate the prioritization of future alerts in DLP and IRM. Learn more about the &lt;A class="lia-external-url" href="http://aka.ms/CopilotinPurviewBlog" target="_blank" rel="noopener"&gt;Alert Triage Agents for DLP and IRM here.&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN data-contrast="auto"&gt;Conditional Access Optimization Agent&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;As organizations grow, identity and IT admins must continuously ensure that access policies adapt to new employees, contractors, SaaS apps, and more – keeping security intact without adding complexity. But as their environments evolve, keeping Conditional Access (CA) policies up to date becomes increasingly difficult. New users and apps can slip through, and exclusions can go unaddressed, creating security risks. Even with routine reviews, manually auditing policies and adjusting coverage can take days or weeks – yet gaps can still go unnoticed.&amp;nbsp; The CA Optimization Agent in Microsoft Entra changes that for admins, automating the detection and resolution of policy drift. This agent continuously monitors for newly created users and applications, analyzing their alignment with existing CA policies, and proactively detects security gaps in real time. Unlike static automation, it recommends optimizations and provides one-click fixes, helping admins refine policy coverage effortlessly while ensuring a strong, adaptive security posture.&amp;nbsp; Learn more about the &lt;A class="lia-external-url" href="http://aka.ms/Secure2025/MicrosoftEntraNews" target="_blank" rel="noopener"&gt;CA Optimization Agent here.&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN data-contrast="auto"&gt;Vulnerability Remediation Agent&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Managing security vulnerabilities is a growing challenge for organizations, as the volume of CVEs and limited resources make it difficult to prioritize and implement critical fixes effectively.&amp;nbsp; Microsoft Intune is designed for organizations that need a modern, cloud-powered approach to endpoint management, one that not only simplifies IT operations but strengthens security in an evolving threat landscape. IT admins require more than just visibility into vulnerabilities; they need a proactive, risk-based security strategy that continuously assesses risk and automates remediation to minimize exposure. That’s why Intune is introducing the Vulnerability Remediation Agent—a solution built to help organizations stay ahead of emerging threats.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;By leveraging Microsoft Defender Vulnerability Management, the agent automatically identifies, evaluates, and prioritizes vulnerabilities. It continuously monitors newly published threats, assesses their risk levels, and offers clear, actionable recommendations for remediation. With continuous vulnerability detection, risk-based prioritization and guided remediation, the agent reduces exposure time while freeing up IT teams to focus on strategic initiatives. This is the first step toward designing vulnerability remediation at scale. A future, comprehensive approach will work across device platforms, address vulnerabilities in third-party applications, and remediate using configuration changes. Learn more about the&amp;nbsp;&lt;A class="lia-external-url" href="https://aka.ms/Secure25/IntuneAgents" target="_blank" rel="noopener"&gt;Vulnerability Remediation Agent here.&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN data-contrast="auto"&gt;Threat Intelligence Briefing Agent&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Cyber Threat Intelligence analysts often face data overload and resource constraints when sourcing the threat intelligence needed to help their organizations understand, prioritize, and respond to critical threats. Crafting a threat intelligence briefing for security teams and executives can take hours—or even days—due to the constant evolution of both the threat landscape and an organization’s attack surface.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;The Threat Intelligence Briefing Agent in Security Copilot dramatically expedites this process. It automatically curates up-to-date, context-specific intelligence tailored to your organization’s unique profile and attack surface. Operating autonomously in the background, it taps into Microsoft’s extensive threat intelligence resources (including Microsoft Defender Threat Intelligence and Microsoft Defender External Surface Management) to deliver prioritized reports in just 4-5 minutes. This tool not only cuts down on manual effort but also highlights the most pressing threats and provides actionable recommendations, ensuring your team stays well-informed and ready to respond. Learn more about the&lt;A class="lia-external-url" href="https://aka.ms/Secure-2025" target="_blank" rel="noopener"&gt; Threat Intelligence Briefing Agent here.&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;E&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;xtending agent&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;ic &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;capabilities &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;with partner solutions&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;We are grateful to our partners who continue to play a vital role in empowering everyone to confidently adopt&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt; safe and responsible AI&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;.&amp;nbsp; &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Our growing partner ecosystem seamlessly integrates Security Copilot with established to&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;ols across various applications. Today, I am pleased to &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;share&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt; five new&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt; upcoming&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt; agents in partner solutions, with&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt; many&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt; more to come.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Privacy Breach Response Agent by &lt;A class="lia-external-url" href="https://www.onetrust.com/" target="_blank" rel="noopener"&gt;OneTrust&lt;/A&gt;&lt;/STRONG&gt; &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;analyzes a data breach based on type of data, geographic jurisdiction, and regulatory requirements to generate guidance for the privacy team on how to meet those requirements.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:120,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Network Supervisor Agent by&amp;nbsp;&lt;A class="lia-external-url" href="https://aviatrix.com/" target="_blank" rel="noopener"&gt;Aviatrix&lt;/A&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt; &lt;/STRONG&gt;determines why a VPN, Gateway, or Site2Cloud connection is down and provides information about the failure.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:120,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;SecOps Tooling Agent by &lt;A class="lia-external-url" href="https://www.bluevoyant.com/" target="_blank" rel="noopener"&gt;BlueVoyant&lt;/A&gt;&lt;/STRONG&gt; &lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;assesses your security operations center (SOC) and state of controls to make recommendations to optimize security operations to improve controls, efficacy, and compliance.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:120,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Alert Triage Agent by &lt;A class="lia-external-url" href="https://www.tanium.com/" target="_blank" rel="noopener"&gt;Tanium&lt;/A&gt;&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;provides analysts with necessary context to quickly and confidently make a decision on each alert.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:120,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" aria-setsize="-1" data-aria-posinset="5" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Task Optimizer Agent by &lt;A class="lia-external-url" href="https://fletch.ai/" target="_blank" rel="noopener"&gt;Fletch&lt;/A&gt;&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;helps organizations forecast and prioritize the most critical threat alerts to reduce alert fatigue and improve security.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:120,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Learn more about our partner integrations at &lt;A class="lia-external-url" href="http://aka.ms/partnerintegrations" target="_blank" rel="noopener"&gt;aka.ms/partnerintegrations.&lt;/A&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H1 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Get Started with Security Copilot Agents&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Microsoft Security Copilot agents will be available in preview starting April 2025. To get started&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; with Security Copilot&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;, check out the &lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/security/business/ai-machine-learning/microsoft-security-copilot" target="_blank" rel="noopener"&gt;website&lt;/A&gt; for more information. Already using Security Copilot? Make sure you’re signed up for the Security Copilot Customer Connection Program (CCP) to receive the latest updates and features—join today at&amp;nbsp;&lt;A class="lia-external-url" href="http://aka.ms/JoinCCP" target="_blank" rel="noopener"&gt;aka.ms/JoinCCP&lt;/A&gt;.&amp;nbsp; Learn more about the latest innovations at the Microsoft Secure digital event on April 9, 2025. &lt;/SPAN&gt;&lt;A href="https://register.secure.microsoft.com/?ocid=cmm54b6jcm9" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Register now&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;With agents, Security Copilot continues to lead the way in AI-powered cybersecurity, helping organizations defend against threats faster, smarter, and with greater confidence.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 21 Apr 2026 22:29:17 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/automate-cybersecurity-at-scale-with-microsoft-security-copilot/ba-p/4394675</guid>
      <dc:creator>Dorothy_Li</dc:creator>
      <dc:date>2026-04-21T22:29:17Z</dc:date>
    </item>
    <item>
      <title>Take Flight with Microsoft Security Copilot Flight School</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/take-flight-with-microsoft-security-copilot-flight-school/ba-p/4391712</link>
      <description>&lt;P&gt;Greetings pilots, and welcome to another pioneering year of AI innovation with Security Copilot. Find out how your organization can reach new heights with &lt;A href="https://adoption.microsoft.com/en-us/security-copilot/" target="_blank" rel="noopener"&gt;Security Copilot&lt;/A&gt; through the many exciting announcements on the way at both &lt;A href="https://www.microsoft.com/en-us/security/blog/2025/02/03/hear-from-microsoft-security-experts-at-these-top-cybersecurity-events-in-2025/?msockid=2a719d258556689d07c98f0584c56974" target="_blank" rel="noopener"&gt;Microsoft Secure&lt;/A&gt; and &lt;A href="https://www.microsoft.com/en-us/security/blog/2025/02/18/join-us-for-the-end-to-end-microsoft-rsac-2025-conference-experience/" target="_blank" rel="noopener"&gt;RSA 2025&lt;/A&gt;. This is why now is the time to familiarize yourself and get airborne with Security Copilot.&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;Go to School&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;Microsoft Security Copilot Flight School is a comprehensive series charted to take students through fundamental concepts of AI definitions and architectures, take flight with prompting and automation, and hit &lt;A href="https://www.youtube.com/watch?v=Ti1bFMBd6V4" target="_blank" rel="noopener"&gt;supersonic speeds&lt;/A&gt; with Logic Apps and custom plugins. By the end of the course, students should be equipped with the requisite knowledge for how to successfully operate Security Copilot to best meet their organizational needs. The series contains 11 episodes with each having a flight time of around 10 minutes. &amp;nbsp;&lt;/P&gt;
&lt;P&gt;Security Copilot is something I really, really enjoy, whether I’m actively contributing to its improvement or advocating for the platform’s use across security and IT workflows. Ever since I was granted access two years ago – which feels like a millennium in the age of AI – it’s been a passion of mine, and it’s why just recently I officially joined the Security Copilot product team. This series in many ways reflects not only my passion but similar passion found in my marketing colleagues Kathleen Lavallee (Senior Product Marketing Manager, Security Copilot), Shirleyse Haley (Senior Security Skilling Manager), and Shateva Long (Product Manager, Security Copilot). I hope that you enjoy it just as much as we did making it.&lt;/P&gt;
&lt;P&gt;Go ahead and put on your favorite noise-cancelling headphones; it’s time, pilots, to take flight.&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;Log Flight Hours&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;There are two options for watching Security Copilot Flight School: either on &lt;A href="https://learn.microsoft.com/en-us/shows/microsoft-security-copilot-flight-school/" target="_blank" rel="noopener"&gt;Microsoft Learn&lt;/A&gt; or via the &lt;A href="https://youtube.com/playlist?list=PL3ZTgFEc7LyvZxL0VTp7Yl3uULz20VPER&amp;amp;si=kZVLfjfJZlIyPQl0" target="_blank" rel="noopener"&gt;YouTube Playlist&lt;/A&gt; found on the &lt;A href="https://www.youtube.com/@MicrosoftSecurity" target="_blank" rel="noopener"&gt;Microsoft Security YouTube Channel&lt;/A&gt;. The first two episodes focus on establishing core fundamentals of Security Copilot platform design and architecture – or perhaps attaining your instrument rating. The episodes thereafter are plotted differently, around a standard operating procedure. To follow the ideal flight path, Security Copilot should be configured and ready to go – head over to MS Learn and the Adoption Hub to get airborne. It’s also recommended that pilots watch the series sequentially, and be prepared to follow along with resources found on &lt;A href="https://github.com/Azure/Security-Copilot" target="_blank" rel="noopener"&gt;GitHub&lt;/A&gt;, to maximize learning and best align with the material. This will mean that you’ll need to coordinate with a pilot with owner permissions for your instance to create and manipulate the necessary resources.&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Episode 1 - What is Microsoft Security Copilot?&lt;/STRONG&gt;&lt;/H3&gt;
&lt;img&gt;Not all AI is the same. Different data sciences have different uses in security, which is why we built Copilot.&lt;/img&gt;
&lt;P&gt;Security is complex and requires highly specialized skills to face the challenges of today. Because of this, many of the people working to protect an organization work in silos that can be isolated from other business functions. Further, enterprises are highly fragmented environments with esoteric systems, data, and processes. All of which takes a tremendous amount of time, energy, and effort just to do the day-to-day.&lt;/P&gt;
&lt;P&gt;Security Copilot is a cloud-based, AI-powered security platform that is designed to address the challenges presented by complex and fragmented enterprise environments by redefining what security is and how security gets done.&lt;/P&gt;
&lt;P&gt;What is AI, and why exactly should it be used in a cybersecurity context?&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Episode 2 - AI Orchestration with Microsoft Security Copilot&lt;/STRONG&gt;&lt;/H3&gt;
&lt;img&gt;The perfect butter burger cooked to perfection and free of any peanut contamination.&lt;/img&gt;
&lt;P&gt;Why is The Paper Clip Pantry a 5-star restaurant renowned the world over for its Wisconsin Butter Burgers?&amp;nbsp; Perhaps it’s how a chef uses a staff with unique skills and orchestrates the sourcing of resources in real time, against specific contexts to complete an order. After watching this episode you’ll understand how AI Orchestration works, why nobody eats a burger with only ketchup, and how the Paper Clip Pantry operates just like the Security Copilot Orchestrator.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Episode 3 – Standalone and Embedded Experiences&lt;/STRONG&gt;&lt;/H3&gt;
&lt;img&gt;Security Copilot has many operators of its platform such as SOC Analysts, IT Admins, and CISOs.&lt;/img&gt;
&lt;P&gt;Do you have a friend who eats pizza in an inconceivable way? Maybe they eat a slice crust-first, or dip it into a sauce you never thought compatible with pizza? They work with pizza differently, just like any one security workflow could be different from one task, team, or individual to the next. This philosophy is why Security Copilot has two experiences – solutions embedded within products, and a standalone portal – to augment workflows no matter their current state. This episode will begin covering those experiences.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Episode 4 – Other Embedded Experiences&lt;/STRONG&gt;&lt;/H3&gt;
&lt;img&gt;The different Entra embedded experiences for Security Copilot.&lt;/img&gt;
&lt;P&gt;Turns out you can also insist upon putting cheese inside of pizza crust, or bake it thick enough as to require a fork and knife. I imagine it’s probably something &lt;A href="https://youtu.be/Tf1NS1vEhSg?si=dsJ-BoCHlYHBn8pX" target="_blank"&gt;Windows 95 Man&lt;/A&gt; would do.&lt;/P&gt;
&lt;P&gt;In this episode, the Microsoft Entra, Purview, Intune, and Microsoft Threat Intelligence products showcase how Security Copilot advances their workflows within their portals.&amp;nbsp; Beyond baking in the concepts of many workflows, many operators, the takeaway from this episode is that Security Copilot works with security-adjacent workflows – IT, Identity, and DLP.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Episode 5 – Manage Your Plugins&lt;/STRONG&gt;&lt;/H3&gt;
&lt;img&gt;Plugins allow you to extend functionality and source different insights across your environment.&lt;/img&gt;
&lt;P&gt;Like our chef in The Paper Clip Pantry, we should probably define what we want to cook, what chefs to use, and set permissions for those that can interact within any input or output from the kitchen.&amp;nbsp; Find out what plugins add to Security Copilot and how you can set plugin controls for your team and organization.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Episode 6 – Prompting&lt;/STRONG&gt;&lt;/H3&gt;
&lt;img&gt;The orchestrator in Security Copilot leverages context to properly select available plugins to provide the most relevant response.&lt;/img&gt;
&lt;P&gt;Is this an improv lesson, or a baking show? Or maybe if you watch this episode, you’ll learn how Security Copilot handles natural language inputs to provide you meaningful answers known as responses.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Episode 7 – Prompt Engineering&lt;/STRONG&gt;&lt;/H3&gt;
&lt;img&gt;Effective prompt design improves the quality of a response, consider your goal, the context needed, sources available, and the final presentation of the information to achieve the best result.&lt;/img&gt;
&lt;P&gt;With the fundamentals of prompting in your flight log, it’s time to soar a bit higher with prompt engineering.&amp;nbsp; In this episode you will learn how to structure prompts in a way to maximize the benefits of Security Copilot and begin building workflows.&amp;nbsp; Congrats, pilot, your burgers will no longer come with just ketchup.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Episode 8 – Using Promptbooks&lt;/STRONG&gt;&lt;/H3&gt;
&lt;img&gt;Promptbooks are at the core of automation in Security Copilot.&lt;/img&gt;
&lt;P&gt;What would it look like to find a series of prompts and run them, in the same sequence with the same output every time? You guessed it, a promptbook, a repeatable workflow in the age of AI.&amp;nbsp; See where to access promptbooks within the platform, and claw back some of your day to perfect your next butter burger.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Episode 9 – Custom Promptbooks&lt;/STRONG&gt;&lt;/H3&gt;
&lt;img&gt;The design scope of a promptbook defines its utility, which is what custom promptbooks help optimize.&lt;/img&gt;
&lt;P&gt;You’ve been tweaking your butter burger recipe for months now.&amp;nbsp; You’ve finally landed at the perfect version by incorporating a secret nacho cheese recipe. The steps are defined, the recipe perfect. How do you repeat it?&lt;/P&gt;
&lt;P&gt;Just like your butter burger creation, you might discover or design workflows with Security Copilot. With custom promptbooks you can repeat and share them across your organization.&amp;nbsp; In this episode you’ll learn about the different ways Security Copilot helps you develop your own custom AI workflows.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Episode 10 – Logic Apps&lt;/STRONG&gt;&lt;/H3&gt;
&lt;img&gt;Clippy mustache you some questions about your use of Logic Apps and Security Copilot.&lt;/img&gt;
&lt;P&gt;System automation, robot chefs? Actions?&amp;nbsp; What if customers could order butter burgers with the click of a button, and the kitchen staff would automatically make one? Or perhaps every Friday at 2pm a butter burger was just delivered to you?&amp;nbsp; &lt;BR /&gt;&lt;BR /&gt;Chances are there are different conditions across your organization that, when present, require a workflow to begin. With Logic Apps, Security Copilot can be used to automatically aid workflows across any system a Logic App can connect to.&amp;nbsp; More automation, less mouse clicking, that’s a flight plan everyone can agree on.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Episode 11 – Extending to Your Ecosystem&lt;/STRONG&gt;&lt;/H3&gt;
&lt;img&gt;Custom Plugins, Logic Apps, and Custom Plugins represent different ways to extend Security Copilot to best support your organization's workflows.&lt;/img&gt;
&lt;P&gt;A famed restaurant critic stopped into The Paper Clip Pantry, ordered a butter burger, and it’s now the burger everyone is talking about. Business is booming and it's time to expand the menu – maybe a butter burger pizza, perhaps a doughnut butter burger? But you’ll need some new recipes and sources of knowledge to achieve this. &amp;nbsp;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Like a food menu, the possibilities of expanding Security Copilot’s capabilities are endless.&amp;nbsp; In this episode learn how this can be achieved with custom plugins and knowledge bases. Once you have that in your log, you will be a certified Ace, and ready to take flight with Security Copilot.&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;Take Flight&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;I really hope that you not only learn something new but have fun taking flight with the Security Copilot Flight School. As with any new and innovative technology, the learning never stops, and there will be opportunities to log more flight hours from our expert flight crews.&amp;nbsp; Stay tuned at the &lt;A href="https://adoption.microsoft.com/en-us/security-copilot/video-hub/" target="_blank" rel="noopener"&gt;Microsoft Security Copilot video hub&lt;/A&gt;, &lt;A href="https://www.microsoft.com/en-us/security/blog/2025/02/03/hear-from-microsoft-security-experts-at-these-top-cybersecurity-events-in-2025/?msockid=2a719d258556689d07c98f0584c56974" target="_blank" rel="noopener"&gt;Microsoft Secure&lt;/A&gt;, and &lt;A href="https://www.microsoft.com/en-us/security/blog/2025/02/18/join-us-for-the-end-to-end-microsoft-rsac-2025-conference-experience/" target="_blank" rel="noopener"&gt;RSA 2025&lt;/A&gt; for more content in the next few months.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you think it’s time to get the rest of your team and/or organization airborne, check out the Security Copilot adoption hub to get started:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/SecurityCopilotAdoptionHub" target="_blank" rel="noopener"&gt;aka.ms/&lt;/A&gt;&lt;A href="https://aka.ms/SecurityCopilotAdoptionHub" target="_blank" rel="noopener"&gt;SecurityCopilotAdoptionHub&lt;/A&gt;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Carry-on Resources&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Our teams have been hard at work building solutions to extend Security Copilot; you can find them on our community GitHub page at:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/SecurityCopilotGitHubRepo" target="_blank" rel="noopener"&gt;aka.ms/&lt;/A&gt;&lt;A href="https://aka.ms/SecurityCopilotGitHubRepo" target="_blank" rel="noopener"&gt;SecurityCopilotGitHubRepo&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;To stay close to the latest in product news, development, and to interact with our engineering teams, please join the Security Copilot CCP to get the latest information:&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/JoinCCP" target="_blank" rel="noopener"&gt;aka.ms/&lt;/A&gt;&lt;A href="https://aka.ms/JoinCCP" target="_blank" rel="noopener"&gt;JoinCCP&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 14 Mar 2025 01:20:14 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/take-flight-with-microsoft-security-copilot-flight-school/ba-p/4391712</guid>
      <dc:creator>ryanmunsch</dc:creator>
      <dc:date>2025-03-14T01:20:14Z</dc:date>
    </item>
  </channel>
</rss>

