Busting myths on Microsoft Security Copilot
This blog aims to dispel common misconceptions surrounding Microsoft Security Copilot, a cutting-edge tool designed to enhance cybersecurity measures. By addressing these myths, we hope to provide clarity on how this innovative solution can be leveraged to strengthen your organization's security.Automate cybersecurity at scale with Microsoft Security Copilot agents
When we introduced Microsoft Security Copilot last year, we set out to transform the way defenders approach cybersecurity. As one of the industry's first generative AI solutions for security and IT teams, Security Copilot is empowering teams to catch what others miss, respond faster, and strengthen team expertise in an evolving threat landscape. Customers like Eastman are already seeing the impact. “I’m finding that I can ask [Security Copilot] about attack factors that I’ve never seen before and get answers much faster”, said David Yates, Senior Cybersecurity Analyst at Eastman. “That helps me to make a better decision and respond faster to an attacker.” A recent study of Copilot users showed that using Security Copilot reduced mean time to resolution by 30%, helping accelerate response times and minimizing the impact of security incidents. But as defenders evolve, so have attackers. Adversaries are now leveraging AI to launch more sophisticated attacks with unprecedented speed and scale. Security and IT teams – already overwhelmed by a huge volume of alerts, data, and threats – are struggling to keep up. Traditional automation, while useful, lacks the flexibility and adaptability to keep up. Today, we’re taking the next leap forward in generative AI-powered cybersecurity. I am thrilled to introduce agents in Microsoft Security Copilot. AI-powered agents represent the natural evolution of Security Copilot, going beyond AI assistant capabilities. They autonomously manage high-volume security and IT tasks, seamlessly integrated with Microsoft Security solutions and partner solutions. Purpose-built for security, these agents learn from feedback, adapt to organizational workflows with your team fully in-control, and operate securely within Microsoft’s Zero-Trust framework. Delivering powerful automation across threat protection, identity management, data security, and IT operations, these agents empower teams to accelerate responses, prioritize risks, and drive efficiency at scale. By reducing manual workloads, they enhance operational effectiveness and strengthen overall security posture – allowing defenders to stay ahead. To bring this automation to life, we’re introducing six security agents from Microsoft and five security agents from partners which will be available for preview in April. Empowering security and IT teams with Security Copilot agents Our goal is to provide generative AI-powered security for everyone. Integrating Copilot with Microsoft Security products helps IT and security teams benefit from increased speed and accuracy. Now, you can use embedded Security Copilot agents with capabilities specific to use cases for your role in the products you know and love: Phishing Triage Agent SOC analysts often face the challenge of managing hundreds of user-submitted phishing alerts each week, with each alert taking up to 30 minutes for manual triage. This process requires meticulous sifting through submissions to find the needle in the haystack – the genuine threat amidst all the noise. Security Copilot solves this challenge with an AI-powered agent embedded in Microsoft Defender, that works in the background to autonomously triage user-submitted phishing incidents. Powered by advanced multi-modal AI tools, it determines whether an alert is a genuine phishing attempt or a false alarm with exceptional precision. The agent not only delivers natural language explanations for its decisions but also dynamically refines its detection capabilities based on analyst feedback. By alleviating the burden of reactive work, it empowers SOC analysts to focus on proactive security measures, ultimately strengthening the organization's overall security posture. Learn more about the Phishing Triage Agent here. Alert Triage Agents for Data Loss Prevention and Insider Risk Management Data security admins regularly struggle to manage the volume of alerts they receive daily, addressing only about 60% of them due to time and resource constraints1. The Alert Triage Agents in Microsoft Purview Data Loss Prevention (DLP) and Insider Risk Management (IRM) identify the alerts that pose the greatest risk to your organization and should be prioritized first. These agents analyze the content and potential intent involved in an alert, based on the organization’s chosen parameters and selected policies, to categorize alerts based on the impact they have on sensitive data. Additionally, they provide a comprehensive explanation on the logic behind that categorization, allowing admins to analyze a risk in just a few minutes. These agents empower data security teams to focus on the most important alerts and concentrate on the critical threats, with a dynamic process that takes inputs from data security admins in natural language and fine-tunes the triage results to better match the organizations’ priorities. The agent learns from this feedback, using that rationale to calibrate the prioritization of future alerts in DLP and IRM. Learn more about the Alert Triage Agents for DLP and IRM here. Conditional Access Optimization Agent As organizations grow, identity and IT admins must continuously ensure that access policies adapt to new employees, contractors, SaaS apps, and more – keeping security intact without adding complexity. But as their environments evolve, keeping Conditional Access (CA) policies up to date becomes increasingly difficult. New users and apps can slip through, and exclusions can go unaddressed, creating security risks. Even with routine reviews, manually auditing policies and adjusting coverage can take days or weeks –yet gaps can still go unnoticed. The CA Optimization Agent in Microsoft Entra changes that for admins, automating the detection and resolution of policy drift. This agent continuously monitors for newly created users and applications, analyzing their alignment with existing CA policies, and proactively detects security gaps in real time. Unlike static automation, it recommends optimizations and provides one-click fixes, helping admins refine policy coverage effortlessly while ensuring a strong, adaptive security posture. Learn more about the CA Optimization Agent here. Vulnerability Remediation Agent Managing security vulnerabilities is a growing challenge for organizations, as the volume of CVEs and limited resources make it difficult to prioritize and implement critical fixes effectively. Microsoft Intune is designed for organizations that need a modern, cloud-powered approach to endpoint management, one that not only simplifies IT operations but strengthens security in an evolving threat landscape. IT admins require more than just visibility into vulnerabilities; they need a proactive, risk-based security strategy that continuously assesses risk and automates remediation to minimize exposure. That’s why Intune is introducing the Vulnerability Remediation Agent—a solution built to help organizations stay ahead of emerging threats. By leveraging Microsoft Defender Vulnerability Management, the agent automatically identifies, evaluates, and prioritizes vulnerabilities. It continuously monitors newly published threats, assesses their risk levels, and offers clear, actionable recommendations for remediation. With continuous vulnerability detection, risk-based prioritization and guided remediation, the agent reduces exposure time while freeing up IT teams to focus on strategic initiatives. This is the first step toward designing vulnerability remediation at scale. A future, comprehensive approach will work across device platforms, address vulnerabilities in third-party applications, and remediate using configuration changes. Learn more about the Vulnerability Remediation Agent here. Threat Intelligence Briefing Agent Cyber Threat Intelligence analysts often face data overload and resource constraints when sourcing the threat intelligence needed to help their organizations understand, prioritize, and respond to critical threats. Crafting a threat intelligence briefing for security teams and executives can take hours—or even days—due to the constant evolution of both the threat landscape and an organization’s attack surface. The Threat Intelligence Briefing Agent in Security Copilot dramatically expedites this process. It automatically curates up-to-date, context-specific intelligence tailored to your organization’s unique profile and attack surface. Operating autonomously in the background, it taps into Microsoft’s extensive threat intelligence resources (including Microsoft Defender Threat Intelligence and Microsoft Defender External Surface Management) to deliver prioritized reports in just 4-5 minutes. This tool not only cuts down on manual effort but also highlights the most pressing threats and provides actionable recommendations, ensuring your team stays well-informed and ready to respond. Learn more about the Threat Intelligence Briefing Agent here. Extending agentic capabilities with partner solutions We are grateful to our partners who continue to play a vital role in empowering everyone to confidently adopt safe and responsible AI. Our growing partner ecosystem seamlessly integrates Security Copilot with established tools across various applications. Today, I am pleased to share five new upcoming agents in partner solutions, with many more to come. Privacy Breach Response Agent by OneTrust analyzes a data breach based on type of data, geographic jurisdiction, and regulatory requirements to generate guidance for the privacy team on how to meet those requirements. Network Supervisor Agent by Aviatrix determines why a VPN, Gateway, or Site2Cloud connection is down and provides information about the failure. SecOps Tooling Agent by BlueVoyant assesses your security operations center (SOC) and state of controls to make recommendations to optimize security operations to improve controls, efficacy, and compliance. Alert Triage Agent by Tanium provides analysts with necessary context to quickly and confidently make a decision on each alert. Task Optimizer Agent by Fletch helps organizations forecast and prioritize the most critical threat alerts to reduce alert fatigue and improve security. Learn more about our partner integrations at aka.ms/partnerintegrations. Get Started with Security Copilot Agents Microsoft Security Copilot agents will be available in preview starting April 2025. To get started with Security Copilot, check out the website for more information. Already using Security Copilot? Make sure you’re signed up for the Security Copilot Customer Connection Program (CCP) to receive the latest updates and features—join today at aka.ms/JoinCCP. Learn more about the latest innovations at the Microsoft Secure digital event on April 9, 2025. Register now. With agents, Security Copilot continues to lead the way in AI-powered cybersecurity, helping organizations defend against threats faster, smarter, and with greater confidence.The Dolphin and the Monkey – Using Human Intellect in the AI age
Our goal as operators, no matter our discipline, should be to find ways to establish trust in AI outputs but not as we did with previous computer systems. Instead, we should use and/or develop frameworks for conversational understanding and clarity to help trust what facilitates any workflow or job.Boost SOC automation with AI: Speed up incident triage with Security Copilot and Microsoft Sentinel
The Solution This solution leverages AI and automation to speed up incident triage by providing automated response to an incident while infusing AI reasoning into the triage process, allowing the analyst to gain quick context about the gravity of the incident, detailed information about each entity involved and any executed processes. It then goes on to recommend mitigation steps, leading to faster MTTR (Mean Time To Respond). Below are key highlights of the solution: Accelerated triage: One of the scenarios in which analysts could spend a considerable amount of time is when the incident includes, for example, a process name that they have never encountered before. This challenge is compounded when the process execution includes command line elements. In this situation Security Copilot steps in to provide a rapid analysis of the process and associated command line elements and presenting the output to the analyst in a much faster fashion than they would be able to do without AI’s contribution. Similarly, in the case of the device entity Copilot taps into Microsoft Intune to bring in a summary of OS information, compliance status and hardware information, etc., thereby accelerating triage. Additionally, the reality in the SOC is that incidents do not happen at convenient times, several incidents can be triggered at the same time, requiring analysts to triage them as quickly as possible. This is where AI and automation become a force multiplier. Having the logic app trigger automatically upon incident creating and performing the core triage tasks saves the analysts precious time that they would have spent having to manually triage several incidents that could trigger at the same time. Insight consolidation: The Logic App brings together context from multiple sources, spanning across both first and third-party. In this example we are tapping into AbuseIPDB as a third-party enrichment source. The logic app offers this flexibility, giving customers the option to being in enrichment data from third party or custom sources and have Security Copilot build a holistic narrative for the triage summary. In doing so it helps the analyst get as much context as possible without needing to pivot into multiple security tools. Streamlined incident management: Incident comments in Microsoft Sentinel are automatically updated, providing investigators with up-to-date information and reducing manual effort. These comments are also automatically synchronized to Defender XDR portal and are therefore also accessible from that interface. The automated incident investigation summary is structured with the following details: Incident overview – Details matching those used to define the analytics rule Incident description – A summary including the key highlights of the incident Analysis on incident entities – AI-powered analysis of the IP, Account, Host and Process details as extracted from the incident Possible mitigation steps – Depending on the nature of the incident, provide suggested mitigation steps for the incident Conclusion Below is a snapshot of the logic App steps: Sample output Once attached to the selected analytics rules and the associated incident is created, you can expect output the incident to be enriched in a manner similar to what is shown here below and then added as a comment to the triggered Microsoft Sentinel incident Security Copilot skills used Skill Description ProcessAnalyzer Scrutinizes process names and command lines, providing detailed insights into potentially malicious activities. GetEntraUserDetails Retrieves comprehensive user information GetIntineDevices Facilitates the extraction of device details from Intune, ensuring that all devices associated with an incident are thoroughly examined AbuseIPDB Preforms IP address reputation checks, helping to identify and mitigate threats from suspicious IP addresses Deployment prerequisites Before deploying the Logic App, ensure the following prerequisites are met: The user or service principal deploying this logic app should have the Contributor role on the Azure Resource Group that will host the logic App. Microsoft Security Copilot should be enabled in the Azure tenant. The user should have access to Microsoft Security Copilot to submit prompts by authenticating to the Microsoft Copilot for Security connector within the logic app. Microsoft Sentinel is configured and generates incidents. Obtain an AbuseIPDB API key to perform IP address reputation analysis. Follow below link to our Security Copilot GitHub repo to obtain the solution: SecurityCopilot-Sentinel-Incident-Investigation automation on GitHub Conclusion The integration of AI and automation in the Security Operations Center (SOC) through tools like Security Copilot and Logic Apps in Microsoft Sentinel significantly enhances incident triage and management. By leveraging these technologies, organizations can achieve faster, more consistent, and reliable incident handling, ultimately strengthening their overall security posture. Additional resources Overview - Azure Logic Apps | Microsoft Learn Logic Apps connectors in Microsoft Security Copilot | Microsoft Learn Microsoft Sentinel - Cloud-native SIEM Solution | Microsoft Azure Microsoft Security Copilot | Microsoft SecurityUse LogicApps and Copilot for Security to auto-process ISAC Emails
Information Sharing and Analysis Center (ISAC) is an organization that provides a central resource for gathering information on and related threats to critical infrastructure and plays a critical role in safeguarding industries from emerging threats. By bridging the gap between private and public sectors, ISACs provide timely and actionable intelligence on vulnerabilities that impact critical infrastructure. However, manually processing the ISAC threat bulletins can be overwhelming and slow, leaving security teams scrambling to respond in time. This document explores how leveraging automation through Logic Apps and Microsoft's Copilot for Security can streamline ISAC email processing, empowering organizations to respond to vulnerabilities faster and more effectively.Leveraging Generative AI for Efficient Security Investigation Summaries
Generative AI (GAI) has revolutionized how we interact with technology, especially in the realm of cybersecurity. By understanding natural language, GAI enables us to instruct complex operations in simple terms. This post explores how to utilize GAI for creating concise, accurate summaries of security investigations, using Security Copilot as a prime example.Introducing more consumption flexibility with Security Copilot enhancements
In today’s rapidly evolving cybersecurity landscape, efficiently managing security and IT operations is more critical than ever. Organizations need scalable and flexible solutions that offer robust protection. Last year, we launched Microsoft Security Copilot, a generative AI-powered assistant designed to help security and IT teams operate at the speed and scale of AI. Since then, organizations have used Copilot to enhance their security and IT workflows, with companies like QNET reporting a 60% increase in efficiency post-adoption —enabling teams to detect and respond to threats faster than ever before. To further enhance customer flexibility and scalability, we are now supplementing the existing provisioned pricing structure for Security Copilot with the addition of an overage Security Compute Unit (SCU). This update ensures that organizations can confidently scale their Security Copilot workloads dynamically beyond their provisioned capacity, while maintaining cost predictability and control. Ensure uninterrupted Security Copilot assistance Security is a mission-critical necessity, and unexpected threats or workload spikes can arise at any time, demanding a pricing model that is both flexible and scalable to ensure uninterrupted protection. Previously, precise usage estimation was required to avoid throttled workloads. Now, enabling overage SCUs ensures organizations can handle unforeseen security demands without disruption. Security Copilot users can continue using their provisioned SCUs for regular workloads, while overage SCUs provide additional capacity when needed. This hybrid approach allows customers to establish a base fixed SCU provisioned capacity and set a maximum overage limit. Customers only pay for overage SCUs used when they consume beyond their provisioned SCU allocation, ensuring scalability and support during unexpected demand spikes without incurring unnecessary costs. Additionally, they have the option to set an upper limit on overage SCUs, which provides better budget predictability. Get granular insights with the usage dashboard The in-product usage dashboard has also been updated to help organizations track and manage SCU consumption effectively. The dashboard offers detailed insights into SCU usage, allowing admins to monitor consumption against provisioned SCUs, track overage SCU usage, and review granular details such as session initiators, IDs, categories, and experience. The dashboard ensures organizations have the visibility needed to optimize usage while maintaining budget control. The combination of provisioned and overage SCU provides organizations with peace of mind, knowing that critical security operations always have the necessary resources when they’re needed most. Get Started with Overage SCUs today As cyber risks continue to grow, having the right tools to manage security efficiently, cost-effectively, and at-scale is crucial. With this latest enhancement, Microsoft Security Copilot is equipping organizations with the scalability and flexibility needed to secure their environment with confidence. Overage SCUs are generally available today. Existing customers can immediately enable overage SCUs or set a limit on maximum usage in Security Copilot. Learn more about Security Copilot pricing here, and calculate your estimated maximum spend per month using the pricing calculator. Sign up for a free Azure subscription to get started with Security Copilot today.
