Security Copilot in Defender: empowering the SOC with assistive and autonomous AI
Security operations centers are increasingly overwhelmed. Analysts must triage large volumes of alerts, investigate complex signals across multiple environments, and determine which threats require immediate action. Much of this work still involves manually gathering context, reconstructing timelines, and making decisions under time pressure.

At Microsoft Ignite 2025, we introduced how Security Copilot brings agentic AI directly into Microsoft Defender to transform how SOC teams detect, triage, and investigate threats. Building on that vision, Copilot continues to expand its capabilities with two complementary forms of AI: autonomous agents that reason dynamically to execute complex security tasks, and assistive experiences that help analysts complete their daily workflows faster and at greater scale. Together, these innovations are designed to reduce operational burden while enabling analysts to focus on the decisions that matter most.

Autonomous AI: agents that triage alerts and investigate risk

Our vision is to bring autonomous AI across the SOC lifecycle, moving from isolated AI-enabled tasks to outcome-driven agentic transformation that elevates SOC teams across all experience levels. By applying frontier LLM reasoning to security telemetry and threat intelligence, Security Copilot is positioned to embed specialized agents at every stage, from anticipating risk and preventing attacks to detecting, triaging, investigating, and responding. The result is a SOC that operates at machine speed while keeping humans firmly in control.

During RSA Conference 2026, we're expanding that vision within the triage and investigation stage of the SOC lifecycle with the launch of one expanded agent and one new agent. We've already demonstrated the impact of outcome-driven autonomous workflows with agentic phishing triage: our agent identifies 6.5 times more malicious alerts than human analysts working alone.
Today, that same capability is extending beyond phishing to identity and cloud alerts. The Security Alert Triage Agent helps analysts autonomously determine whether phishing, identity, and cloud alerts represent real threats or false alarms. The agent provides natural language verdicts and transparent, step-by-step reasoning that explains how it reached each decision. At Public Preview, for identity, it supports triage of alert types involving password spray attempts, suspicious inbox rules associated with business email compromise (BEC), and accounts potentially compromised following a password spray attack. For cloud, it supports more than 30 alert types related to cloud container activity.

This agent is designed to handle alerts that are both high risk and high noise. Identity and cloud alerts often require longer and more complex investigations, and missing them has serious consequences. For identity alerts, the challenge is scale: high-volume signals such as password spray generate noise, making it difficult to quickly isolate real compromise. The agent helps by rapidly triaging these alerts and filtering out false positives, allowing analysts to focus on identity activity that truly indicates risk. For cloud alerts, the challenge is different: alert volume may be lower, but investigations are inherently more complex and require deep expertise. In these cases, the agent applies analysis across multiple signals to investigate alerts that would otherwise be burdensome and difficult to analyze manually, helping ensure critical cloud threats are surfaced quickly and not overlooked.

By providing natural language verdicts and transparent decision logic, the agent walks teams step-by-step through investigations that would typically require senior-level expertise. Clear explanations and visual decision graphs show how each conclusion was reached, reducing investigation effort and increasing confidence in outcomes.
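As an added illustration of the kind of triage logic the paragraph above describes (this is not Microsoft's agent code; the event shape, the thresholds, and the sample sign-ins below are my own assumptions), the following Python separates a genuine password spray from an ordinary user failing their own password, and then checks whether any sprayed account later signed in successfully from the spraying address, which is the "compromised following a password spray" case the agent is said to handle:

```python
"""Password-spray triage over sign-in events.

Added example, not Microsoft's Security Alert Triage Agent. The event
shape, thresholds and sample data below are assumptions made for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    source_ip: str
    success: bool


T0 = datetime(2026, 3, 1, 9, 0)

# Constructed sample data. 203.0.113.7 tries one password against six
# accounts in quick succession and then logs in as carol (spray + hit).
# 198.51.100.4 is a single user mistyping a password three times before
# succeeding: noisy, but not a spray.
SAMPLE = [
    SignIn(T0 + timedelta(minutes=i), user, "203.0.113.7", False)
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [
    SignIn(T0 + timedelta(minutes=8), "carol", "203.0.113.7", True),
    SignIn(T0 + timedelta(minutes=1), "bob", "198.51.100.4", False),
    SignIn(T0 + timedelta(minutes=2), "bob", "198.51.100.4", False),
    SignIn(T0 + timedelta(minutes=3), "bob", "198.51.100.4", False),
    SignIn(T0 + timedelta(minutes=4), "bob", "198.51.100.4", True),
]


def find_sprays(events, min_distinct_users=5, window=timedelta(minutes=30)):
    """Return {source_ip: {users}} for every IP that failed against at least
    `min_distinct_users` distinct accounts inside any `window`-long period.
    One account failing many times from one IP is not a spray."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            failures[e.source_ip].append(e)

    sprays = {}
    for ip, evs in failures.items():
        in_window = defaultdict(int)  # user -> failures inside the sliding window
        start = 0
        for e in evs:
            in_window[e.user] += 1
            # Slide the window start forward past failures older than `window`.
            while evs[start].ts < e.ts - window:
                old = evs[start].user
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_distinct_users:
                sprays.setdefault(ip, set()).update(in_window)
    return sprays


def triage(events, **spray_kwargs):
    """Map each spraying IP to a verdict:
       ("compromised", [users])  a sprayed account succeeded from that IP
                                 after the spray started: escalate
       ("spray_no_success", [])  noise that can be closed, not escalated"""
    verdicts = {}
    for ip, sprayed in find_sprays(events, **spray_kwargs).items():
        first_failure = min(e.ts for e in events if e.source_ip == ip and not e.success)
        hits = sorted({
            e.user for e in events
            if e.success and e.source_ip == ip and e.user in sprayed and e.ts > first_failure
        })
        verdicts[ip] = ("compromised", hits) if hits else ("spray_no_success", [])
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, users) in triage(SAMPLE).items():
        print(f"{ip}: {verdict} {users}")
```

The distinct-user count inside a sliding window is what separates a spray from a locked-out user, and the "success from the same source after the first failure" check is what turns a noisy alert into one worth escalating; both thresholds are tunable and would be set from the tenant's own baseline.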
This transparency frees teams to focus on responding to real threats, while giving junior analysts visibility into the reasoning behind each verdict. The result is specialized expertise embedded directly into daily SOC workflows, raising the floor for the entire team.

At RSA Conference 2026, we're also announcing the Security Analyst Agent in Microsoft Defender. This agent performs deep, multi-step investigations across Microsoft Defender and Sentinel telemetry to surface high-impact risks and deliver prioritized insights in minutes. Each finding includes clear reasoning and supporting evidence, enabling analysts to quickly understand and act on the results.

Today, teams often rely on advanced hunting to investigate potential threats by writing queries, iteratively refining hypotheses, and correlating results across multiple datasets. While powerful, this process typically requires manually piecing together context across tools, reconstructing timelines, and sifting through large volumes of telemetry to determine whether suspicious activity represents real risk. Given the breadth and complexity of modern threats, these investigations can take days or even weeks.

The Security Analyst Agent builds on the power of advanced hunting by autonomously orchestrating parts of that investigative process. The agent retrieves and analyzes large volumes of security data (up to ~100 MB), correlates signals across telemetry sources, and iteratively explores hypotheses to surface patterns and threats that might otherwise go unnoticed. The results are synthesized into clear, risk-relevant findings with supporting evidence trails, helping analysts quickly understand what matters most. In doing so, the agent performs the kind of deep analytical work typically carried out by experienced security analysts.
Assistive AI: Chat experience in the analyst's flow of work

While autonomous agents help execute complex security tasks with dynamic reasoning, Security Copilot also brings assistive AI directly into analysts' daily workflows. These capabilities are designed to accelerate manual tasks, helping analysts gather context and make decisions faster.

Today, Copilot is already embedded across Microsoft Defender experiences. Analysts can generate natural language summaries of incidents, receive guided response recommendations, draft incident reports, generate KQL queries from natural language, and more. These capabilities accelerate specific tasks, but interactions with Copilot typically occur as individual actions within a side panel or embedded experience.

We're now taking the next step by introducing a chat experience for Security Copilot directly within Microsoft Defender, enabling teams to interact with AI through an ongoing, two-way conversation. Analysts can ask questions, explore hypotheses, and follow investigative threads across incidents, alerts, identities, devices, IPs, and other evidence without switching tools or manually piecing together context. Copilot understands the analyst's investigation context, grounding each response in the relevant signals and telemetry already available in Defender.

Throughout the interaction, Copilot does more than respond. It actively advances the investigation by initiating step-by-step analysis, such as examining a specific entity, while continuously incorporating new signals as they emerge. Analysts can follow up in real time, refining their line of inquiry and digging deeper as the conversation evolves. This creates a more fluid, iterative workflow that lowers the barrier to AI adoption and enables SOC teams to operate with the speed and scale needed to stay ahead of modern threats.

Alongside this new embedded chat experience for Security Copilot, we are also extending conversational capabilities to third-party agents.
From the Agents library in Defender, teams can start a chat with any eligible agent to validate findings, gather additional context, and accelerate response. For example, users can interact with XBOW's Pentest Analysis Agent to determine whether vulnerabilities flagged by Microsoft Defender for Cloud are truly exploitable. The agent can initiate a pentest, explain the results, and recommend next steps, such as improving detection coverage in Microsoft Sentinel, to strengthen defenses.

Learn more at RSA Conference 2026!

To learn more about Security Copilot in Microsoft Defender, visit us at booth #5744. Our team will be demonstrating how AI is helping SOC teams move faster through alert triage, investigation, and response. You can join our booth sessions:

Empowering the SOC with assistive and autonomous AI, with Yuval Derman | March 23rd at 5:15 PM
Security Copilot agents: Insight. Action. Impact., with Lizzie Heinze and Donna Lee | March 24th at 3:00 PM

You can also register for Security Copilot in action: An agentic approach to modern security on March 24th at 8:30 AM here.

Security Copilot for SOC: bringing agentic AI to every defender
Cybersecurity has entered an era of relentless complexity. As threat actors increasingly leverage artificial intelligence to automate attacks, evade detection, and scale their tactics, defenders are challenged to keep up. In this new era, security operations centers (SOCs) must transform to not just react, but to anticipate, disrupt, and outpace the next wave of cyberthreats.

Microsoft's goal is to empower every organization to meet this challenge head-on by transforming how security operates. We believe the future of the SOC is more than just agentic: it's predictive and proactive. This means moving beyond fragmented tools and manual processes, and instead embracing a unified, intelligent approach where AI-driven skills and agents work in concert with human expertise. To bring this vision to life, it's essential to look at the SOC through the lens of its lifecycle, a dynamic continuum that spans from anticipation and prevention through to recovery and optimization, and to recognize the unique challenges and opportunities within each stage. With Security Copilot's GenAI and agentic capabilities woven across this lifecycle, Microsoft is delivering an integrated defense platform that enables defenders to move faster, act smarter, and stay ahead of adversaries.

Introducing agentic innovation across the SOC lifecycle

At Ignite, our agentic innovations are concentrated in three of the five SOC lifecycle pillars, and each one represents a leap forward in how analysts anticipate, detect, triage, and investigate threats.

Predict and prevent

Threat Intelligence Briefing Agent: Introduced in March, this agent has already helped security teams move from reactive to anticipatory defense. At Ignite, we're announcing that the Threat Intelligence Briefing Agent is now fully embedded in the Microsoft Defender portal, delivering daily, tailored briefings that synthesize Microsoft's global intelligence with organization-specific context in just minutes.
Teams no longer need to spend hours gathering TI from disparate sources; the agent automates this process, offering the most current and relevant insights. Analysts can reference the summary to prioritize action, using the agent's risk assessments, clear recommendations, and links to vulnerable assets to proactively address exposures.

Detect and disrupt

Dynamic Threat Detection Agent: Detections have long been bottlenecked by the limitations of traditional alerting systems, which rely on predefined logic that can't scale fast enough to match the speed and variability of modern attacks, resulting in blind spots and missed threats. The Dynamic Threat Detection Agent addresses this challenge head-on. Instead of depending on static rules or isolated input, it continuously analyzes incidents and telemetry, searching for gaps in coverage and correlating signals across the entire security stack. For example, this is how it surfaced a recent AWS attack: a threat actor used an Entra ID account to federate into an AWS admin account to exfiltrate sensitive data. The Dynamic Threat Detection Agent generated an alert before the intruder even authenticated into the single sign-on flow, driven by a correlated signal from Sentinel. That alert didn't exist beforehand; the agent created it on the fly to stop the attack. The result is an adaptive system that extends Microsoft's research-based detections with context-aware alerts tailored to each organization, closing gaps and revealing threats that legacy systems miss.

Triage and investigate

Phishing Triage Agent: In March 2025, we introduced the Phishing Triage Agent, built to autonomously handle user-submitted phishing reports at scale. The agent classifies incoming alerts and resolves false positives, escalating only the malicious cases that require human expertise.
At Microsoft Ignite, we're announcing its general availability, backed by strong early results: the agent identifies 6.5 times more malicious alerts, improves verdict accuracy by 77%, and frees analysts to spend 53% more time investigating real threats. St. Luke's even said it's saving their team nearly 200 hours each month. Coming soon, we'll be extending these autonomous triage capabilities beyond phishing to identity and cloud alerts, bringing the same precision and scale to more SOC workflows.

Threat Hunting Agent: This agent reimagines the investigation process. Instead of requiring analysts to master complex query languages or sift through mountains of data, the Threat Hunting Agent enables natural language investigations with contextual insight. Analysts can work with the agent by asking questions in plain English, receive direct answers, and be guided through comprehensive hunting sessions. It builds on the existing Security Copilot NL2KQL capability by enabling teams to explore patterns, pivot intuitively, and uncover hidden signals in real time for a fluid, context-aware experience. This not only accelerates investigations but makes advanced threat hunting accessible to every member of the SOC, regardless of experience level.

Agents built into your workflows

To make the agents easily accessible and help security teams get started more quickly, we are excited to announce that Security Copilot will be available to all Microsoft 365 E5 customers. Rollout starts today for existing Security Copilot customers with Microsoft 365 E5 and will continue in the upcoming months for all Microsoft 365 E5 customers. Customers will receive 30 days' advance notice before activation. Learn more: https://aka.ms/SCP-Ignite25

Discover more: the Security Store

The Security Store, now generally available, is the central hub for discovering, deploying, and managing first-party and third-party security agents.
Today, it provides instant access to 20+ agents deployable directly in the Microsoft Defender portal, all within a broader ecosystem of 100+ trusted security solutions. Whether you're investigating incidents, hunting threats, or automating response, the Security Store extends Defender with vetted, scenario-aligned tools that can be set up in minutes. Learn more in this blog.

Introducing new GenAI embedded capabilities

Security Copilot isn't just growing through agents; it's also gaining new embedded capabilities: GenAI skills that help SOC teams work faster, operate at greater scale, and get upleveled directly inside Microsoft Defender. Today, we're excited to introduce new innovations:

Analyst Notes represent a meaningful shift in how investigation work is captured and shared. For organizations that choose to opt into this capability, Copilot automatically reconstructs an analyst's investigation session, from the moment they open an incident to the moment they close it, and turns that activity into clear, structured notes. The system can track multiple sessions in parallel and attribute actions to the right incident, and analysts can fully review and edit the generated notes before saving them. This saves teams valuable time and effort and preserves the actual investigation path with greater accuracy and consistency than manual documentation. The result is a living, cumulative record of how the SOC investigates threats: easier handoffs, stronger auditability, faster onboarding, and a deeper shared understanding of how incidents unfold across multiple SecOps members and phases.

Standard Operating Procedures (SOPs) for guided response allow organizations to upload their own internal procedures so Security Copilot can align its recommendations with established guidebooks and compliance requirements.
Guided response is one of the ways Copilot helps analysts navigate an incident: it offers one-click actions across triage, containment, investigation, and remediation that teams can take immediately. With SOPs uploaded, these recommendations draw directly from organizational workflows and policy standards, ensuring they are contextually relevant and trusted. For defenders, this translates into greater confidence and faster, more consistent decision-making.

We're also introducing auto-generated content configuration for Security Copilot's incident summaries. This new feature allows security admins to decide how and when summaries are produced, choosing between always auto-generating, manual trigger only, or auto-generating based on incident severity. The configuration is managed directly in the Microsoft Defender portal, giving organizations flexibility to fine-tune Copilot's outputs to their operational needs.

Join us at Ignite

We invite you to learn more and see these innovations in action at Microsoft Ignite. Don't miss our featured sessions:

Microsoft Defender: Building the agentic SOC with guest Allie Mellen on Wednesday, November 19th, with Allie Mellen, Corina Feuerstein, and Rob Lefferts. Learn more.
Empowering the SOC: Security Copilot and the rise of Agentic Defense on Friday, November 21st, with Corina Feuerstein and Cristina da Gama. Learn more.

Join us to discover how Microsoft is shaping the future of cybersecurity, making intelligent, agentic defense accessible to every organization.

Introducing TITAN-Powered Recommendations in Security Copilot Guided Response
In the ever-evolving landscape of cybersecurity, speed and accuracy are paramount. At Microsoft, we're continuously investing in ways to help analysts make informed decisions under pressure. One of the most powerful of these is Guided Response: a Security Copilot-powered capability in Microsoft Defender that walks analysts through step-by-step investigation and response flows. It provides context-aware recommendations tailored to each incident, enabling teams at all levels to respond with precision and scale.

Now, with the integration of Threat Intelligence Tracking via Adaptive Networks (TITAN) recommendations, Guided Response is taking a leap forward. By bringing in real-time threat intelligence (TI) to prioritize and explain suggested actions, it enables analysts to surface, prioritize, and act on the most relevant threats with clarity and efficiency.

What is TITAN?

TITAN represents a new wave of innovation built on Microsoft Defender Threat Intelligence capabilities, introducing a real-time, adaptive threat intelligence (TI) graph that integrates first- and third-party telemetry from the unified security operations platform, Microsoft Defender Threat Intelligence, Microsoft Defender Experts, and customer feedback. This graph employs guilt-by-association techniques to propagate known TI labels to unknown neighboring entities (for example, an IP, file, or email) at machine scale. By analyzing relationships between entities, TITAN can identify attacker infrastructure before it is used in attacks, giving defenders a window to proactively disrupt threats.

One of TITAN's greatest strengths is its ability to learn from indicators of compromise (IOCs) observed throughout the global threat landscape. Microsoft Defender analyzes over 24 trillion security signals every day, across identities, endpoints, apps, and beyond.
When a new IOC (such as an IP address, an IP range, or an email sender) is identified in one environment, Microsoft Defender rapidly leverages that intelligence to protect other environments. These live, TI-based Guided Response recommendations help identify, manage, and block threats before they impact your organization, turning every detection into a defense signal for the entire Microsoft ecosystem.

Why bring TITAN into Security Copilot Guided Response?

Security Copilot Guided Response already provides analysts with a curated set of recommendations. TITAN enhances this by introducing a new dimension: real-time, threat-intel-driven recommendations that are grounded in global telemetry and threat actor behavior. The integration improves Guided Response by:

Expanding coverage to incidents that previously lacked actionable context.
Prioritizing recommendations with higher confidence.
Surfacing targeted triage and remediation actions based on live threat infrastructure.

How it works

TITAN suggestions are now integrated into Guided Response as both triage and containment recommendations. When an incident involves an entity with known malicious threat intelligence flagged by TITAN, Security Copilot automatically generates a Guided Response recommendation. Analysts receive prioritized, natural language guidance on how to triage the incident and contain specific threat entities, including:

IP addresses
IP ranges
Internet Message-ID
Email senders

Real-world impact

In early testing, TITAN-powered triage recommendations have shown promising results:

Increased model accuracy: TITAN's integration has helped improve the precision of Guided Response triage recommendations.
Improved analyst trust: explainable, threat-intel-backed recommendations have helped analysts gain more confidence in their response actions.
Faster decision-making: TITAN's real-time scoring and threat attribution have accelerated incident investigation and response times.
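To make the "guilt-by-association" idea from the What is TITAN? section concrete, here is an added Python example of label propagation over a small entity graph. It is not TITAN's implementation and not Microsoft's code: the graph, the seed labels, the inverse-degree weighting and the verdict thresholds are all assumptions I made for the illustration, and the file hash is a placeholder value.

```python
"""Guilt-by-association label propagation over an entity graph.

Added example, not TITAN's implementation. The graph, seed labels and
scoring rule are assumptions that illustrate the idea the text describes:
known-malicious/benign labels spread to unlabelled neighbours.
"""
from collections import defaultdict

# Constructed relationships between entities (IPs, domains, one file hash).
# Edges are undirected: "resolves to", "was contacted by", "is hosted on".
EDGES = [
    ("203.0.113.50", "evil-update.example"),            # domain resolves to known-bad IP
    ("evil-update.example", "sha256:0f1e2d3c4b5a6978"),  # sample (placeholder hash) beaconed to domain
    ("203.0.113.50", "cdn-hosted.example"),             # domain seen on the bad IP ...
    ("198.51.100.9", "cdn-hosted.example"),             # ... and on a shared benign host
    ("198.51.100.9", "tenant-a.example"),               # other tenants of the shared host
    ("198.51.100.9", "tenant-b.example"),
    ("198.51.100.9", "tenant-c.example"),
]

# Seed labels: 1.0 = known malicious, 0.0 = known benign. Seeds never change.
SEEDS = {"203.0.113.50": 1.0, "198.51.100.9": 0.0}


def build_adjacency(edges):
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def propagate(edges, seeds, max_iter=500, tol=1e-9):
    """Iteratively set each unlabelled node's score to the weighted mean of
    its neighbours' scores (Jacobi-style, until the largest change < tol).
    A neighbour's vote is weighted by 1/degree, so a promiscuous node such
    as a shared-hosting IP with many tenants counts for less than a
    dedicated one when an entity has mixed neighbours."""
    adj = build_adjacency(edges)
    nodes = set(adj) | set(seeds)
    scores = {n: seeds.get(n, 0.5) for n in nodes}  # unknowns start neutral
    for _ in range(max_iter):
        new = {}
        for n in nodes:
            if n in seeds:
                new[n] = seeds[n]
                continue
            weights = {m: 1.0 / len(adj[m]) for m in adj[n]}
            new[n] = sum(w * scores[m] for m, w in weights.items()) / sum(weights.values())
        delta = max(abs(new[n] - scores[n]) for n in nodes)
        scores = new
        if delta < tol:
            break
    return scores


def classify(scores, malicious_at=0.7, benign_at=0.3):
    """Turn propagated scores into verdicts. The middle band is deliberately
    left as 'suspicious' for an analyst rather than auto-blocked."""
    verdicts = {}
    for n, s in scores.items():
        verdicts[n] = "malicious" if s >= malicious_at else "benign" if s <= benign_at else "suspicious"
    return verdicts


if __name__ == "__main__":
    scores = propagate(EDGES, SEEDS)
    for entity, verdict in sorted(classify(scores).items()):
        print(f"{entity:28s} {scores[entity]:.3f} {verdict}")
```

In this graph the hash and evil-update.example inherit the malicious label through their only path to a seed, the shared-host tenants stay benign, and cdn-hosted.example, which sits between a bad IP and a benign hub, lands in the middle band. That middle band is the practical caveat with any guilt-by-association scheme: shared infrastructure (CDNs, bulletproof hosters, mail relays) creates paths between unrelated entities, so propagated scores should drive prioritization and analyst review rather than unconditional blocking.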
Evolving Guided Response with threat intelligence

TITAN recommendations mark a significant step in our mission to empower defenders. By combining the scale of Microsoft Defender Threat Intelligence with the precision of Security Copilot's Guided Response, we're helping analysts move from reactive to proactive: responding faster, working smarter, and acting with greater confidence. Stay tuned for more updates as we continue to evolve this capability. And if you're already using TITAN recommendations in your environment, we'd love to hear your feedback. Join the Microsoft Customer Connection Program to share your insights and help shape future Microsoft Security products and features.

Learn more

Check out our resources to learn more about our new approach to AI-driven threat intelligence for Guided Response, and our recent security announcements:

See TITAN in action in the session delivered at Ignite
Read our blog and conference paper on the TITAN architecture, accepted to KDD 2025, the premier data-mining conference.
Read the Security Copilot Guided Response paper & blog

The Best of Microsoft Sentinel — Now in Microsoft Defender
Just over a year ago, we introduced the unified security operations (SecOps) experience within Microsoft Defender, bringing together the full stack of threat protection capabilities across Security Information and Event Management (SIEM), Extended Detection and Response (XDR), Extended Security Posture Management (XSPM), Cloud Security, Threat Intelligence (TI), and Security Copilot. Thousands of organizations have already embraced this unified SecOps experience to streamline analyst workflows, enhance operational efficiency, and accelerate incident response across their security environments.

Today, we are proud to share that the most advanced and integrated SIEM experience from Microsoft Sentinel is now fully available within the Microsoft Defender portal as one unified experience. This experience encompasses all SIEM features and is accessible to every customer, including large-scale enterprises and partners with complex security environments. With the general availability of multi-tenant and multi-workspace capabilities, security teams can now collaborate, investigate threats, and manage incidents across multiple Microsoft Sentinel tenants, all from a single, unified queue. This empowers analysts to operate more efficiently and effectively in today's dynamic threat landscape.

Why Customers Are Making the Move

Thousands of organizations have already made the move, and they're seeing real results.

Work smarter: Manage incidents, alerts, and investigations across tenants and workspaces in one unified view.
Detect faster: AI-driven insights reduce false positives by 85%* and boost alert correlation speed by 50%*.
Respond instantly: Security Copilot delivers guided investigations and automated summaries.
Hunt deeper: Investigate threats across Microsoft Sentinel and Defender XDR, with no switching and no silos.

"The Defender portal is a game-changer. Our team is faster, more focused, and finally working in one place." — Security Operations Lead, Global Financial Services

What's New—and Why it Matters

Advanced Hunting Enhancements
Unified queries across Microsoft Sentinel and Defender data, with Security Copilot-assisted KQL generation, allow threat hunting across all data sources from a single portal without context switching and delays. For more information, see Advanced hunting in the Microsoft Defender portal and Security Copilot in advanced hunting.

Case Management
Use native case workflows in Defender to manage complex investigations efficiently. Features include custom statuses, task assignments, due dates, and multi-incident linking, all while maintaining security context. For more information, see Manage cases natively in Microsoft Defender experience.

SOC Optimization Tools
Get actionable, tailored recommendations to reduce costs, close data gaps, improve coverage, strengthen your security posture, and maximize ROI. To learn more about the different types of recommendations, see SOC optimization reference.

Expanded Threat Intelligence
Import indicators in bulk, visualize data better, and map to MITRE ATT&CK. Enrich investigations with deeper context and better visibility into attacker behavior. For more information, see Threat detection features across the Microsoft unified security platform.

Embedded Security Copilot
The GenAI power of Security Copilot is built into the experience. Use AI-powered tools to summarize incidents, analyze scripts and files, and generate incident reports directly within the portal. Accelerate response times and reduce analyst fatigue with intelligent automation. For more information, see Security Copilot in Defender.

Seamless, Zero-Disruption Onboarding
Connecting your Microsoft Sentinel workspace to Defender is fast, simple, and non-disruptive. Your data stays intact, and you can continue using the classic Azure experience while unlocking the full power of Defender.
Going forward, all new features and innovations will be delivered exclusively through the Microsoft Defender portal, ensuring you always have access to the most advanced tools in the Microsoft Security ecosystem.

Take Action Now

Transform your SecOps with Microsoft Defender and take advantage of the latest innovations. Get started today: https://security.microsoft.com

Begin the process of onboarding your Microsoft Sentinel workspaces to the Defender portal
Transition Guide
Pre-recorded webinar
Register for upcoming webinars here.

*Source: Microsoft internal research

Security Copilot: A game changer for modern SOC
In today's rapidly evolving threat landscape, Security Operations Centers (SOCs) face relentless pressure to swiftly and accurately detect, investigate, and respond to security incidents. As frontline defenders of an organization's cybersecurity, security analysts need real-time, intelligent insights to speed up investigation and response. Microsoft Security Copilot empowers security teams with generative AI-powered capabilities that streamline workflows, automate tasks, and upskill teams, enhancing overall SOC efficiency. A recent study showed customers could achieve a 30% reduction in MTTR for security incidents.

We are committed to continuously improving our products based on customer feedback. By listening to our users and understanding their needs, we have enhanced numerous features and introduced new skills that improve the efficiency and effectiveness of SOC teams.

AI-powered insights to accelerate investigation and response

When SOC analysts investigate and respond to incidents, Security Copilot offers a comprehensive description of the attack, affected systems, and event timelines, paired with clear, actionable steps for swift remediation and mitigation. Some of our recent innovations include:

Enhancement! The Microsoft Sentinel Incident Summary, available in the Copilot standalone experience, has been enhanced and now aligns with the Defender incident summaries, offering detailed, step-by-step descriptions of the attack. The summary includes key information such as the attack's start time, timelines, involved assets, indicators of compromise (IOCs), kill chain steps, and a direct link to the incident page. These improvements enable you to request a summary of a Microsoft Sentinel incident from either the standalone or the unified security operations platform embedded experience.

Figure: Microsoft Sentinel incident summary in standalone experience

Enhancement!
Users can request Copilot to list incidents in Defender and/or Microsoft Sentinel through a prompt in the standalone portal, filtering by assignment, classification, creation time, determination, last update time, severity, and status.

Figure: List of incidents

In addition, users can also retrieve a list of entities for a specified incident.

Figure 3: List of entities for an incident

These enhancements allow analysts to efficiently retrieve incidents and entities on demand and apply additional filters for more targeted actions.

Enhancement! A recent enhancement to Guided Response enables security analysts to easily communicate with end users, a common activity in the SOC that is particularly helpful for incident triage. Copilot now dynamically generates text for analysts to use, describing the observed user activity under investigation. Analysts can contact the user directly via Teams using the readily available Guided Response recommendation button or copy the generated text to their preferred communication tool.

Figure: Dynamically generated text for analysts to use

This allows for quick and efficient communication with end users, accelerating the incident investigation process and saving the analyst the tedious task of crafting a message with all the necessary information about the incident.

New! During incident investigations, analysts commonly review details about participating assets and entities. In addition to the already available Device Summary, the new Identity Summary provides a comprehensive overview of user identities, highlighting behavioral anomalies and potential misconfigurations. This feature is crucial for SOC analysts as it offers clear, contextual insights into identity-related activities, enabling quicker identification and resolution of security issues.
By summarizing key information such as login locations, role changes, and authentication methods, the Identity Summary helps analysts understand the full scope of identity behaviors and risks.

Figure 5: Identity Summary

Enhancement! The script and file analysis features in Security Copilot simplify complex investigations by translating what a script does into natural language and streamlining the analysis of multiple executable files. With the new addition of relevant MITRE ATT&CK techniques to the analysis, SOC analysts can quickly understand the tactics and techniques used by adversaries and respond faster and better.

Figure 6: MITRE techniques used

Enhancement! The Security Copilot incident report compiles all response activities into a detailed report of the security incident. It includes what happened, the actions taken, by whom and when, and the reason for classification. Initially, the incident report gathered its data from Defender and Microsoft Sentinel, including incident management actions like status changes and assignments, comments from the activity log, actions and playbooks performed on entities within the incident, and more. To further streamline report sharing and provide a more holistic view, the incident report now also integrates with the third-party case management system ServiceNow to include incident investigation and remediation steps logged in ServiceNow tickets. This integration requires the bidirectional connector between Microsoft Sentinel and ServiceNow to be installed.

Strengthen your security with improved Threat Intelligence content

Copilot integrated with Threat Intelligence empowers security teams with comprehensive information about threat actors, threat tools, and indicators of compromise (IOCs) related to vulnerabilities and incidents, providing contextual threat intelligence directly from Microsoft Defender Threat Intelligence (Defender TI) to detect, analyze, and respond to threats more effectively.
At Ignite, customers will see exciting enhancements to this experience, including:

New! The ten new MDTI indicator skills can leverage the full corpus of raw and finished threat intelligence in MDTI to link any IoC (indicator of compromise) to all related data and content, providing critical context to attacks and enabling advanced research and preemptive hunting capabilities, including threat infrastructure chaining and analysis, offering defenders a head start on adversaries.

Gain critical context with MDTI

Enhancement! Copilot can now leverage vulnerability and asset intelligence from Microsoft Defender External Attack Surface Management (MDEASM), Defender Vulnerability Management (MDVM), and Threat Analytics for a more complete view of vulnerabilities and a better understanding of how known threats covered in Microsoft threat intelligence impact the organization. This capability helps customers prioritize vulnerabilities and gain an in-depth understanding of the impact of a given vulnerability on the organization.

Overview of vulnerability

Improved Copilot sidecar with better user control

The recent updates to the Copilot side panel in the embedded experience provide more flexibility, allowing you to open or close Copilot based on your preference. This helps optimize screen space while investigating incidents or entities, using Advanced Hunting, or navigating the Threat Intelligence pages. Once you close the Copilot side panel in any of these scenarios, it will remember your preference and stay closed.

Figure 9: Close Copilot based on preference

You can reopen the Copilot panel anytime for AI-powered insights to aid your SOC workflows. Microsoft recommends keeping the Copilot panel open to ensure you are receiving real-time insights to stay ahead of threats.
Reopen Copilot panel

Looking forward

Security Copilot is revolutionizing the way security teams operate by providing advanced AI-driven capabilities that not only enhance their efficiency and effectiveness but also empower them to stay ahead of threats and protect their organizations at the speed and scale of AI. Microsoft is committed to delivering industry-leading innovation with precise insights for faster and more effective threat detection and response. We are working closely with our customers to collect feedback and will continue to add more functionality. As always, we would love to hear your thoughts.

Resources

Microsoft Copilot in Microsoft Defender - Microsoft Defender XDR | Microsoft Learn
Microsoft Copilot for Security | Microsoft Security
Microsoft Copilot for Security - Pricing | Microsoft Azure
What’s new in Defender: How Copilot for Security can transform your SOC | Microsoft Community Hub
Operationalizing Microsoft Security Copilot to Reinvent SOC Productivity
What’s New at Ignite: Unified Threat Intelligence Experience in Copilot

Monthly news - May 2024
Microsoft Defender XDR Monthly news May 2024 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2024.