Welcome to the Microsoft Security Community!
Protect it all with Microsoft Security Eliminate gaps and get the simplified, comprehensive protection, expertise, and AI-powered solutions you need to innovate and grow in a changing world. The Microsoft Security Community is your gateway to connect, learn, and collaborate with peers, experts, and product teams. Gain access to technical discussions, webinars, and help shape Microsoft’s security products. Get there fast To stay up to date on upcoming opportunities and the latest Microsoft Security Community news, make sure to subscribe to our email list. Find the latest skilling content and on-demand videos – subscribe to the Microsoft Security Community YouTube channel. Catch the latest announcements and connect with us on LinkedIn – Microsoft Security Community and Microsoft Entra Community. Index Community Calls: December 2025 | January 2026 | February 2026 Upcoming Community Calls December 2025 Dec. 8 | 9:00am | Microsoft Security Store | Security, Simplified: A look inside the Security Store Welcome to Microsoft Security Store! During this session, you’ll learn all about this centralized destination where customers can discover, deploy, and manage trusted security solutions built to extend Microsoft’s security platforms like Defender, Sentinel, Entra, Purview, and Intune. Dec. 9 | 8:00am | Microsoft Defender XDR | A Deep Dive into Automated Attack Disruption Learn what’s new in Microsoft Sentinel! See deeper Defender integration, evolving data lake capabilities for scalable security, plus demos and real-world use cases to help you stay ahead. Dec. 9 | 9:00am | Microsoft Sentinel | Part 1: Stop Waiting, Start Onboarding: Get Sentinel Defender-Ready Today The Microsoft Sentinel portal retires July 2026—explore the Defender unified portal! Learn to manage incidents in a unified queue, enrich investigations with UEBA and Threat Intelligence, and leverage automation and dashboards for smarter SOC operations. Dec. 10 | 8:00am | Azure Network Security | Deep Dive into Azure DDoS Protection Explore Azure DDoS Protection! Learn to secure apps and infrastructure with end-to-end architecture, detection and mitigation flow, telemetry, analytics, and seamless integration for visibility and protection. Dec. 10 | 9:00am | Microsoft Defender for Cloud | Expose Less, Protect More with Microsoft Security Exposure Management Join us for an in-depth look at how Microsoft Security Exposure Management helps organizations reduce risk by identifying and prioritizing exposures before attackers can exploit them. Learn practical strategies to minimize your attack surface, strengthen defenses, and protect what matters most. Dec. 11 | 8:00am | Microsoft Defender for Cloud | Modernizing Cloud Security with Next Generation Microsoft Defender for Cloud Discover how Microsoft Defender for Cloud simplifies multi-cloud security. Learn to streamline posture management and threat protection across Azure, AWS, and GCP, improving efficiency, reducing risk, and enabling smarter prioritization. Dec. 11 | 9:00am | Microsoft Sentinel data lake | Transforming data collection for AI-ready security operations with Microsoft Sentinel See how Microsoft Sentinel transforms multi-cloud/multiplatform data collection. Learn a unified, cloud-native approach; ingest from on-prem, Microsoft workloads, and multicloud via codeless connectors (350+; App Assure), plus the roadmap for scaling to AI driven SecOps. Dec. 15 | 9:00am | Microsoft Entra | Diving into the New Microsoft Entra Agent ID Join our first session in the Microsoft Entra Agent ID series to learn why agent identity matters, explore core concepts, and see how it fits into Microsoft’s identity ecosystem. Perfect for developers and product owners building AI agents. Dec. 16 | 8:00am | Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks Engage in this interactive panel with Microsoft MVPs! Get answers to real-world Defender for Office 365 scenarios, best practices, and tips on migration, SOC optimization, Teams protection, and more. Bring your toughest questions for the live discussion. Dec. 16 | 9:00am | Microsoft Sentinel | Part 2: Don’t Get Left Behind: Complete Your Sentinel Move to Defender Prepare for the July 2026 transition! Unlock Microsoft Defender’s full potential with data onboarding, retention, governance, Content Hub, analytic rules, MTO for simplified management, and Security Copilot for AI-driven insights. Dec. 18 | 8:00am | Security Copilot Skilling Series | What's New in Security Copilot for Defender Discover the latest innovations in Microsoft Security Copilot embedded in Defender that are transforming how organizations detect, investigate, and respond to threats. This session will showcase powerful new capabilities like AI-driven incident response, contextual insights, and automated workflows that help security teams stop attacks faster and simplify operations. January 2026 Jan 14. | 8:00am | 425 Show | Microsoft MCP Server for Enterprise: Transforming User, Security & Identity Tasks with AI See Microsoft’s MCP Server in action! Discover how AI-powered workflows simplify tasks and strengthen security. Packed with demos, this session shows how to operationalize AI across your organization. Jan. 20 | 8:00am | Microsoft Defender for Cloud | What’s New in Microsoft Defender CSPM Cloud security posture management (CSPM) continues to evolve, and Microsoft Defender CSPM is leading the way with powerful enhancements introduced at Microsoft Ignite. This session will showcase the latest innovations designed to help security teams strengthen their posture and streamline operations. Jan. 22 | 8:00am | Azure Network Security | Advancing web application Protection with Azure WAF: Ruleset and Security Enhancements Explore the latest Azure WAF ruleset and security enhancements. Learn to fine-tune configurations, reduce false positives, gain threat visibility, and ensure consistent protection for web workloads—whether starting fresh or optimizing deployments. RESCHEDULED for Jan.27 | 9:00am | Microsoft Sentinel | AI-Powered Entity Analysis in Sentinel’s MCP Server Simplify entity risk assessment with Entity Analyzer. Eliminate complex playbooks; get unified, AI-driven analysis using Sentinel’s semantic understanding. Accelerate automation and enrich SOAR workflows with native Logic Apps integration. February 2026 Feb. 26 | 9:00am | Azure Network Security | Azure Firewall Integration with Microsoft Sentinel Learn how Azure Firewall integrates with Microsoft Sentinel to enhance threat visibility and streamline security investigations. This webinar will demonstrate how firewall logs and insights can be ingested into Sentinel to correlate network activity with broader security signals, enabling faster detection, deeper context, and more effective incident response. Looking for more? Join the Microsoft Customer Connection Program (MCCP)! As a MCCP member, you’ll gain early visibility into product roadmaps, participate in focus groups, and access private preview features before public release. You’ll have a direct channel to share feedback with engineering teams, influencing the direction of Microsoft Security products. The program also offers opportunities to collaborate and network with fellow security experts and Microsoft product teams. Join the MCCP that best fits your interests: www.aka.ms/joincommunity. Additional resources Microsoft Security Hub on Tech Community Virtual Ninja Training Courses Microsoft Security Documentation Azure Network Security GitHub Microsoft Defender for Cloud GitHub Microsoft Sentinel GitHub Microsoft Defender XDR GitHub Microsoft Defender for Cloud Apps GitHub Microsoft Defender for Identity GitHub Microsoft Purview GitHubSecurity Copilot Skilling Series
Starting this October, Security Copilot joins forces with your favorite Microsoft Security products in a skilling series miles above the rest. The Security Copilot Skilling Series is your opportunity to strengthen your security posture through threat detection, incident response, and leveraging AI for security automation. These technical skilling sessions are delivered live by experts from our product engineering teams. Come ready to learn, engage with your peers, ask questions, and provide feedback. Upcoming sessions are noted below and will be available on-demand on the Microsoft Security Community YouTube channel. Coming Up December 4 | Discussion of Ignite Announcements Join Us for a Microsoft Ignite 2025 Recap & Discussion of Security Copilot Ignite 2025 is all about driving impact in the era of AI—and security is at the center of it. In this session, we’ll unpack the biggest Security Copilot announcements from Ignite on agents and discuss how Copilot capabilities across Intune, Entra, Purview, and Defender deliver end-to-end protection. Why Attend? Get insights into incident response enhancements, Zero Trust integrations, and data security innovations announced at Ignite. Learn how AI-powered security tools help you stop attacks faster, protect identities and data, and simplify compliance. Engage with product experts and get your questions answered. Register now! Speakers: Copilot in Intune - Mike Danoski, Aasawari Navathe, Zineb Takafi, Rishita Sarin Copilot in Entra - Margaret Garcia Fani Copilot in Purview - Patrick David, Thao Phan, Alexandra Roland Copilot in Defender - Doug Helton, Joey Cruz ____ Please stand by for an updated flight list; many more sessions coming soon. Click "follow" in the upper right of this article to be notified of updates. December 8 | What's New in Security Copilot for Defender Speaker: Doug Helton Discover the latest innovations in Microsoft Security Copilot embedded in Defender that are transforming how organizations detect, investigate, and respond to threats. This session will showcase powerful new capabilities—like AI-driven incident response, contextual insights, and automated workflows—that help security teams stop attacks faster and simplify operations. Why Attend: Stay Ahead of Threats: Learn how cutting-edge AI features accelerate detection and remediation. Boost Efficiency: See how automation reduces manual effort and improves SOC productivity. Get Expert Insights: Hear directly from product leaders and explore real-world use cases. Don’t miss this opportunity to future-proof your security strategy and unlock the full potential of Security Copilot in Defender! Register now! Now On-Demand November 13 | Microsoft Entra AI: Unlocking Identity Intelligence with Security Copilot Skills and Agents Speakers: Mamta Kumar, Sr. Product Manager; Margaret Garcia Fani, Sr. Product Manager This session will demonstrate how Security Copilot in Microsoft Entra transforms identity security by introducing intelligent, autonomous capabilities that streamline operations and elevate protection. Customers will discover how to leverage AI-driven tools to optimize conditional access, automate access reviews, and proactively manage identity and application risks - empowering them into a more secure, and efficient digital future. October 30 | What's New in Copilot in Microsoft Intune Speaker: Amit Ghodke, Principal PM Architect, CxE CAT MEM Join us to learn about the latest Security Copilot capabilities in Microsoft Intune. We will discuss what's new and how you can supercharge your endpoint management experience with the new AI capabilities in Intune. October 16 | What’s New in Copilot in Microsoft Purview Speaker: Patrick David, Principal Product Manager, CxE CAT Compliance Join us for an insider’s look at the latest innovations in Microsoft Purview —where alert triage agents for DLP and IRM are transforming how we respond to sensitive data risks and improve investigation depth and speed. We’ll also dive into powerful new capabilities in Data Security Posture Management (DSPM) with Security Copilot, designed to supercharge your security insights and automation. Whether you're driving compliance or defending data, this session will give you the edge. October 9 | When to Use Logic Apps vs. Security Copilot Agents Speaker: Shiv Patel, Sr. Product Manager, Security Copilot Explore how to scale automation in security operations by comparing the use cases and capabilities of Logic Apps and Security Copilot Agents. This webinar highlights when to leverage Logic Apps for orchestrated workflows and when Security Copilot Agents offer more adaptive, AI-driven responses to complex security scenarios. All sessions will be published to the Microsoft Security Community YouTube channel - Security Copilot Skilling Series Playlist __________________________________________________________________________________________________________________________________________________________________ Looking for more? Keep up on the latest information on the Security Copilot Blog. Join the Microsoft Security Community mailing list to stay up to date on the latest product news and events. Engage with your peers one of our Microsoft Security discussion spaces.
Microsoft Sentinel MCP server - Generally Available With Exciting New Capabilities
Today, we’re excited to announce the General Availability of Microsoft Sentinel MCP (Model Context Protocol) server, a fully managed cloud service built on an open standard that empowers AI agents to seamlessly access your entire security context through natural language, eliminating the need for complex data engineering as you build agents. This unlocks new levels of AI agent performance and effectiveness, enabling them to do more for you. Since the public preview launch on September 30, hundreds of customers have explored MCP tools that provide semantic access to their entire security context. These tools allow security AI agents to operate with unprecedented precision by understanding your unique security context in natural language. Today, we’re introducing multiple innovations and new capabilities designed to help even more customers unlock more with AI-driven security. This post offers a high-level overview of what’s new. Stay tuned for deep-dive blogs that will unpack each feature in detail. Connect to Sentinel MCP server from Multiple AI Platforms By adopting the MCP open standard, we can progress on our mission to empower effective AI agents wherever you choose to run them. Beyond Security Copilot and VSCode Github Copilot, Sentinel MCP server is now natively integrated with Copilot Studio and Microsoft Foundry agent-building experiences. When creating an agent in any of these platforms, you can easily select Sentinel MCP tools, no pre-configuration required. It’s ready to use, so if you are using any of these platforms, dive in and give it a try. Click here for detailed guidance Additionally, you can now connect OpenAI ChatGPT to Sentinel MCP server through a secured OAuth authentication through a simple configuration in Entra. Learn how here assess threat impact on your organization Custom KQL Tools Many organizations rely on a curated library of KQL queries for incident triage, investigation, and threat hunting used in manual Standard Operating Procedures (SOP) or SOAR playbooks—often managed within Defender Advanced Hunting. Now, with Sentinel MCP server, you can instantly transform these saved KQL queries into custom tools with just a click. This new capability allows you to empower your AI agents with precise, actionable data tailored to your unique security workflows. Once a KQL query is saved as a tool, Sentinel MCP server automatically creates and maintains a corresponding MCP tool—ensuring it’s always in sync with the latest version of your saved query in Defender Advanced Hunting. Any connected agent can invoke this tool, confident it reflects your most current logic and requirements. Learn more here Entity Analyzer Assessing the risk of entities is a core task for SOC teams—whether triaging incidents, investigating threats, or automating response workflows. Traditionally, this has required building complex playbooks or custom logic to gather and analyze fragmented security data from multiple sources. With entity analyzer, this complexity is eliminated. The tool leverages your organization’s security data in Sentinel to deliver comprehensive, reasoned risk assessments for any entity your agents encounter – starting with users and urls. By providing a unified, out-of-the-box solution for entity analysis, entity analyzer enables your AI agents to make smarter decisions and automate more tasks—without the need to manually engineer risk evaluation logic for each entity type. This not only accelerates agent development, but also ensures your agents are always working with the most relevant and up-to-date context from across your security environment. Entity Analyzer is now available to any MCP client integrated with Sentinel MCP Server. And for those building SOAR workflows, entity analyzer is natively integrated with Logic Apps, making it easy to enrich entities and automate verdicts within your playbooks. Learn how to build a Logic Apps playbook with Entity Analyzer Graph Tools Microsoft Sentinel graph connects assets, identities, activities, and threat intelligence into a unified security graph, uncovering insights that structured data alone can’t provide such as relationships, blast radius, and attack paths. The graph is now generally available, and these advanced insights can be accessed by AI agents in natural language through a dedicated set of MCP tools. Graph MCP tools are offered in a sign-up preview. Triage Incidents and Alerts Sentinel MCP server extends to enable natural language access to a set of APIs that enable incident and alert triage. AI agents can use these tools to carry out autonomous triage and investigation of Defender XDR and Sentinel alerts and incidents. In the next couple of weeks, it will be available, out of the box, to all customers using Microsoft Defender XDR, Microsoft Sentinel or Microsoft Defender for Endpoint. Stay tuned. Smarter Security, Less Effort With the latest innovations in Sentinel MCP server, security teams can now harness the full power of AI-driven automation with unprecedented simplicity and impact. From seamless integration with leading AI platforms to instant creation of custom KQL tools and out-of-the-box entity analysis, Sentinel MCP server empowers your agents to deliver smarter, faster, and more effective security outcomes. These advancements eliminate manual complexity, accelerate agent development, and ensure your SOC is always equipped with the most relevant context. Currently, features like entity analysis are available at no additional charge; as we continue to evolve the platform, we’ll share updates on future pricing well in advance. Try out the new features today and stay tuned for deep-dive updates as we continue to push the boundaries of AI-powered security automation. Learn how to get startedUnlocking Developer Innovation with Microsoft Sentinel data lake
Introduction Microsoft Sentinel is evolving rapidly, transforming to be both an industry-leading SIEM and an AI-ready platform that empowers agentic defense across the security ecosystem. In our recent webinar: Introduction to Sentinel data lake for Developers, we explored how developers can leverage Sentinel’s unified data lake, extensible architecture, and integrated tools to build innovative security solutions. This post summarizes the key takeaways and actionable insights for developers looking to harness the full power of Sentinel. The Sentinel Platform: A Foundation for Agentic Security Unified Data and Context Sentinel centralizes security data cost-effectively, supporting massive volumes and diverse data types. This unified approach enables advanced analytics, graph-enabled context, and AI-ready data access—all essential for modern security operations. Developers can visualize relationships across assets, activities, and threats, mapping incidents and hunting scenarios with unprecedented clarity. Extensible and Open Platform Sentinel’s open architecture simplifies onboarding and data integration. Out-of-the-box connectors and codeless connector creation make it easy to bring in third-party data. Developers can quickly package and publish agents that leverage the centralized data lake and MCP server, distributing solutions through Microsoft Security Store for maximum reach. The Microsoft Security Store is a storefront for security professionals to discover, buy, and deploy vetted security SaaS solutions and AI agents from our ecosystem partners. These offerings integrate natively with Microsoft Security products—including the Sentinel platform, Defender, and Entra, to deliver end‑to‑end protection. By combining curated, deploy‑ready solutions with intelligent, AI‑assisted workflows, the Store reduces integration friction and speeds time‑to‑value for critical tasks like triage, threat hunting, and access management. Advanced Analytics and AI Integration With support for KQL, Spark, and ML tools, Sentinel separates storage and compute, enabling scalable analytics and semantic search. Jupyter Notebooks hosted in on-demand Spark environments allow for rich data engineering and machine learning directly on the data lake. Security Copilot agents, seamlessly integrated with Sentinel, deliver autonomous and adaptive automation, enhancing both security and IT operations. Developer Scenarios: Unlocking New Possibilities The webinar showcased several developer scenarios enabled by Sentinel’s platform components: Threat Investigations Over Extended Timelines: Query historical data to uncover slow-moving attacks and persistent threats. Behavioral Baselining: Model normal behavior using months of sign-in logs to detect anomalies. Alert Enrichment: Correlate alerts with firewall and NetFlow data to improve accuracy and reduce false positives. Retrospective Threat Hunting: React to new indicators of compromise by running historical queries across the data lake. ML-Powered Insights: Build machine learning models for anomaly detection, alert enrichment, and predictive analytics. These scenarios demonstrate how developers can leverage Sentinel’s data lake, graph capabilities, and integrated analytics to deliver powerful security solutions. End-to-End Developer Journey The following steps outline a potential workflow for developers to ingest and analyze their data within the Sentinel platform. Data Sources: Identify high-value data sources from your environment to integrate with Microsoft Security data. The journey begins with your unique view of the customer’s digital estate. This is data you have in your platform today. Bringing this data into Sentinel helps customers make sense of their entire security landscape at once. Data Ingestion: Import third-party data into the Sentinel data lake for secure, scalable analytics. As customer data flows from various platforms into Sentinel, it is centralized and normalized, providing a unified foundation for advanced analysis and threat detection across the customer’s digital environment. Sentinel data lake and Graph: Run Jupyter Notebook jobs for deep insights, combining contributed and first-party data. Once data resides in the Sentinel data lake, developers can leverage its graph capabilities to model relationships and uncover patterns, empowering customers with comprehensive insights into security events and trends. Agent Creation: Build Security Copilot agents that interact with Sentinel data using natural language prompts. These agents make the customer’s ingested data actionable, allowing users to ask questions or automate tasks, and helping teams quickly respond to threats or investigate incidents using their own enterprise data. Solution Packaging: Package and distribute solutions via the Microsoft Security Store, reaching customers at scale. By packaging these solutions, developers enable customers to seamlessly deploy advanced analytics and automation tools that harness their data journey— from ingestion to actionable insights—across their entire security estate. Conclusion Microsoft Sentinel’s data lake and platform capabilities open new horizons for developers. By centralizing data, enabling advanced analytics, and providing extensible tools, Sentinel empowers you to build solutions that address today’s security challenges and anticipate tomorrow’s threats. Explore the resources below, join the community, and start innovating with Sentinel today! App Assure: For assistance with developing a Sentinel Codeless Connector Framework (CCF) connector, you can contact AzureSentinelPartner@microsoft.com. Microsoft Security Community: aka.ms/communitychoice Next Steps: Resources and Links Ready to dive deeper? Explore these resources to get started: Get Educated! Sentinel data lake general availability announcement Sentinel data lake official documentation Connect Sentinel to Defender Portal Onboarding to Sentinel data lake Integration scenarios (e.g. hunt | jupyter) KQL queries Jupyter notebooks (link) as jobs (link) VS Code Extension Sentinel graph Sentinel MCP server Security Copilot agents Microsoft Security Store Take Action! Bring your data into Sentinel Build a composite solution Explore Security Copilot agents Publish to Microsoft Security Store List existing SaaS apps in Security StoreGenAI vs Cyber Threats: Why GenAI Powered Unified SecOps Wins
Cybersecurity is evolving faster than ever. Attackers are leveraging automation and AI to scale their operations, so how can defenders keep up? The answer lies in Microsoft Unified Security Operations powered by Generative AI (GenAI). This opens the Cybersecurity Paradox: Attackers only need one successful attempt, but defenders must always be vigilant, otherwise the impact can be huge. Traditional Security Operation Centers (SOCs) are hampered by siloed tools and fragmented data, which slows response and creates vulnerabilities. On average, attackers gain unauthorized access to organizational data in 72 minutes, while traditional defense tools often take on average 258 days to identify and remediate. This is over eight months to detect and resolve breaches, a significant and unsustainable gap. Notably, Microsoft Unified Security Operations, including GenAI-powered capabilities, is also available and supported in Microsoft Government Community Cloud (GCC) and GCC High/DoD environments, ensuring that organizations with the highest compliance and security requirements can benefit from these advanced protections. The Case for Unified Security Operations Unified security operations in Microsoft Defender XDR consolidates SIEM, XDR, Exposure management, and Enterprise Security Posture into a single, integrated experience. This approach allows the following: Breaks down silos by centralizing telemetry across identities, endpoints, SaaS apps, and multi-cloud environments. Infuses AI natively into workflows, enabling faster detection, investigation, and response. Microsoft Sentinel exemplifies this shift with its Data Lake architecture (see my previous post on Microsoft Sentinel’s New Data Lake: Cut Costs & Boost Threat Detection), offering schema-on-read flexibility for petabyte-scale analytics without costly data rehydration. This means defenders can query massive datasets in real time, accelerating threat hunting and forensic analysis. GenAI: A Force Multiplier for Cyber Defense Generative AI transforms security operations from reactive to proactive. Here’s how: Threat Hunting & Incident Response GenAI enables predictive analytics and anomaly detection across hybrid identities, endpoints, and workloads. It doesn’t just find threats—it anticipates them. Behavioral Analytics with UEBA Advanced User and Entity Behavior Analytics (UEBA) powered by AI correlates signals from multi-cloud environments and identity providers like Okta, delivering actionable insights for insider risk and compromised accounts. [13 -Micros...s new UEBA | Word] Automation at Scale AI-driven playbooks streamline repetitive tasks, reducing manual workload and accelerating remediation. This frees analysts to focus on strategic threat hunting. Microsoft Innovations Driving This Shift For SOC teams and cybersecurity practitioners, these innovations mean you spend less time on manual investigations and more time leveraging actionable insights, ultimately boosting productivity and allowing you to focus on higher-value security work that matters most to your organization. Plus, by making threat detection and response faster and more accurate, you can reduce stress, minimize risk, and demonstrate greater value to your stakeholders. Sentinel Data Lake: Unlocks real-time analytics at scale, enabling AI-driven threat detection without rehydration costs. Microsoft Sentinel data lake overview UEBA Enhancements: Multi-cloud and identity integrations for unified risk visibility. Sentinel UEBA’s Superpower: Actionable Insights You Can Use! Now with Okta and Multi-Cloud Logs! Security Copilot & Agentic AI: Harnesses AI and global threat intelligence to automate detection, response, and compliance across the security stack, enabling teams to scale operations and strengthen Zero Trust defenses defenders. Security Copilot Agents: The New Era of AI, Driven Cyber Defense Sector-Specific Impact All sectors are different, but I would like to focus a bit on the public sector at this time. This sector and critical infrastructure organizations face unique challenges: talent shortages, operational complexity, and nation-state threats. GenAI-centric platforms help these sectors shift from reactive defense to predictive resilience, ensuring mission-critical systems remain secure. By leveraging advanced AI-driven analytics and automation, public sector organizations can streamline incident detection, accelerate response times, and proactively uncover hidden risks before they escalate. With unified platforms that bridge data silos and integrate identity, endpoint, and cloud telemetry, these entities gain a holistic security posture that supports compliance and operational continuity. Ultimately, embracing generative AI not only helps defend against sophisticated cyber adversaries but also empowers public sector teams to confidently protect the services and infrastructure their communities rely on every day. Call to Action Artificial intelligence is driving unified cybersecurity. Solutions like Microsoft Defender XDR and Sentinel now integrate into a single dashboard, consolidating alerts, incidents, and data from multiple sources. AI swiftly correlates information, prioritizes threats, and automates investigations, helping security teams respond quickly with less manual work. This shift enables organizations to proactively manage cyber risks and strengthen their resilience against evolving challenges. Picture a single pane of glass where all your XDRs and Defenders converge, AI instantly shifts through the noise, highlighting what matters most so teams can act with clarity and speed. That may include: Assess your SOC maturity and identify silos. Use the Security Operations Self-Assessment Tool to determine your SOC’s maturity level and provide actionable recommendations for improving processes and tooling. Also see Security Maturity Model from the Well-Architected Framework Explore Microsoft Sentinel, Defender XDR, and Security Copilot for AI-powered security. Explains progressive security maturity levels and strategies for strengthening your security posture. What is Microsoft Defender XDR? - Microsoft Defender XDR and What is Microsoft Security Copilot? Design Security in Solutions from Day One! Drive embedding security from the start of solution design through secure-by-default configurations and proactive operations, aligning with Zero Trust and MCRA principles to build resilient, compliant, and scalable systems. Design Security in Solutions from Day One! Innovate boldly, Deploy Safely, and Never Regret it! Upskill your teams on GenAI tools and responsible AI practices. Guidance for securing AI apps and data, aligned with Zero Trust principles Build a strong security posture for AI About the Author: Hello Jacques "Jack” here! I am a Microsoft Technical Trainer focused on helping organizations use advanced security and AI solutions. I create and deliver training programs that combine technical expertise with practical use, enabling teams to adopt innovations like Microsoft Sentinel, Defender XDR, and Security Copilot for stronger cyber resilience. #SkilledByMTT #MicrosoftLearnSecurity Copilot Agents: The New Era of AI, Driven Cyber Defense
With increasing cyber threats, security teams require intelligent agents that adapt and operate throughout the security stack, not just automation. Key statistics from our Microsoft Digital Defense Report 2024 which highlights this concerning trend of Cybersecurity threats: Over 600 million cyberattacks per day targeting Microsoft customers 2.75x increase in ransomware attacks year-over-year 400% surge in tech scams since 2022 Growing collaboration between cybercriminals and nation-state actors In my previous blogs, I explored how AI agents are transforming security operations in Microsoft Defender XDR, Intune, and Entra: Phishing Triage Agent in Defender XDR: Say Goodbye to False Positives and Analyst Fatigue Intune AI Agent: Instant Threat Defense, Invisible Protection Conditional Access Optimization Agent in Microsoft Entra Security Copilot Today, I’ll discuss how Security Copilot, Copilot for Azure in Azure, Defender for Cloud, and Security Copilot Agents in Microsoft Purview use AI to transform security, compliance, and efficiency across the Microsoft ecosystem. What Are Security Copilot Agents? Security Copilot Agents are modular, AI-driven assistants embedded in Microsoft’s security platforms. They automate, high-volume repetitive tasks, deliver actionable insights, and streamline incident responses. By leveraging large language models (LLMs), Microsoft’s global threat intelligence, and your organization’s data, these agents empower security teams to work smarter and faster. Microsoft Security Copilot agents overview Agents are available in both standalone and embedded experiences and can be discovered and configured directly within product portals like Defender, Sentinel, Entra, Intune, and Purview. Why Security Copilot Agents Matter Security Copilot Agents represent a paradigm shift in cyber defense: Automation at Scale: They handle high-volume repetitive tasks, freeing up human expertise for strategic initiatives. Adaptive Intelligence: Agents learn from feedback, adapt to workflows, and operate securely within Microsoft’s Zero Trust framework. Operational Efficiency: By reducing manual workloads, agents accelerate response, prioritize risks, and strengthen security posture. Microsoft Security Copilot Frequently Asked Questions Security Copilot Agents in Azure and Defender for Cloud Azure and Defender for Cloud now feature embedded Security Copilot and Copilot for Azure that help security professionals analyze, summarize, remediate, and delegate recommendations using natural language prompts. This integration streamlines security management by: Risk Exploration: Agents help admins identify misconfigured resources and focus on those posing critical risks, using natural language queries. Accelerated Remediation: Agents generate remediation scripts and automate pull requests, enabling rapid fixes for vulnerabilities. Noise Reduction: By filtering through alerts and recommendations, agents help teams focus on the most impactful remediations. Unified Experience: Security Copilot and Copilot for Azure work together to provide context, explain recommendations, and guide implementation steps, all within the Defender for Cloud portal. Microsoft Security Copilot in Defender for Cloud Security Copilot Agents in Microsoft Purview Microsoft Purview leverages Security Copilot agents to automate and scale Data Loss Prevention (DLP) and Insider Risk Management workflows. Here are more details: Alert Triage Agent (DLP): Evaluates alerts based on sensitivity, exfiltration, and policy risk, sorting them into actionable categories. Alert Triage Agent (Insider Risk): Assesses user, file, and activity risk, prioritizing alerts for investigation. Managed Alert Queue: Agents sift out high-risk activities from lower-risk noise, improving response time and team efficiency. Comprehensive Explanations: Agents provide clear logic behind alert categorization, supporting transparency and compliance. Deployment: Enabling Security Copilot can be done in: Azure portal https://portal.azure.com Security Copilot portal https://securitycopilot.microsoft.com. Security Copilot requires per-seat licenses for human users, while all agent operations are billed by Security Compute Units (SCUs) on a pay-as-you-go basis. Agents do not need separate per-seat licenses; their costs depend solely on SCU consumption, and they typically run under a service or managed identity in the Copilot environment. Security Copilot Agent Responsible AI FAQ Security Copilot Agents: Unified Across the Microsoft Security Ecosystem Security Copilot Agents automate intelligence and security orchestration across Microsoft’s ecosystem, including Defender, Sentinel, Entra, Intune, Azure, Purview, Threat Intelligence, and Office. Their unified design enables consistent protection, swift responses, and scalable automation for security teams. Operating across multiple platforms, these agents provide comprehensive coverage and efficient threat response. End-to-End Visibility: Agents correlate signals across domains, providing context, rich insights and automating common workflows. Custom Agent Creation: Teams can build custom agents using no-code tools, tailoring automation to their unique environments. Marketplace Integration: The new Security Store allows organizations to browse, deploy, and manage agents alongside conventional security tools, streamlining procurement and governance. Intune AI Agents: Device and Endpoint Management Intune AI Agents automate device compliance and endpoint security. They monitor configuration drift, remediate vulnerabilities, and enforce security baselines across managed devices. By correlating device signals with threat intelligence, these agents proactively identify risks and recommend mitigation actions, reducing manual workload and accelerating incident response. Defender for Cloud AI Agents: Threat Detection and Response Defender for Cloud AI Agents continuously analyze cloud workloads, network traffic, and user behavior to detect threats and suspicious activities. They automate alert triage, escalate high-risk events, and coordinate remediation actions across hybrid environments. Integration with other Copilot Agents ensures unified protection and rapid containment of cloud-based threats. Conditional Access Optimization Agent: Policy Automation The Conditional Access Optimization Agent evaluates authentication patterns, risk signals, and user activity to recommend and enforce adaptive access policies. It automates policy updates based on real-time threat intelligence, ensuring that only authorized users access sensitive resources while minimizing friction for legitimate users. Azure AI Agents: Cloud Security and Automation Azure AI Agents provide automated monitoring, configuration validation, and vulnerability management across cloud resources. They integrate with Defender for Cloud and Sentinel, enabling cross-platform correlation of security events and orchestration of incident response workflows. These agents help maintain compliance, optimize resource usage, and enforce best practices. Purview AI Agents: Compliance and Data Protection Purview AI Agents automate data classification, information protection, and compliance management for AI-powered applications and Copilot experiences. They enforce retention policies, flag sensitive data handling, and ensure regulatory compliance across organizational data assets. Their integration supports transparent security controls and audit-ready reporting. Phishing Triage Defender for Office AI Agents: Email Threat Automation Defender for Office AI Agents specialize in identifying, categorizing, and responding to phishing attempts. They analyze email metadata, attachments, and user interactions to detect malicious campaigns, automate alerting, and initiate containment actions. By streamlining phishing triage, these agents reduce investigation times and enhance protection against targeted attacks. Threat Intelligence Briefing Agent: Contextual Security Insights The Threat Intelligence Briefing Agent aggregates global threat intelligence, correlates it with local signals, and delivers actionable briefings to security teams. It highlights emerging risks, prioritizes vulnerabilities, and recommends remediation based on organizational context. This agent empowers teams with timely, relevant insights to anticipate and counter evolving threats. Marketplace Integration and Custom Agent Creation Organizations can leverage the Security Store to discover, deploy, and manage agents tailored to their specific needs. No-code tools facilitate custom agent creation, enabling rapid automation of unique workflows and seamless integration with existing security infrastructure. Getting Started To deploy Security Copilot Agents across the enterprise, make sure to Check Licensing: Ensure you have the required subscriptions and SCUs provisioned. Enable Agents: Use product portals to activate agents and configure settings. Integrate Across Products: Link agents for enhanced threat detection, compliance, and automated response. Monitor and Optimize: Use dashboards and reports to track effectiveness and refine policies. About the Author: Hi! Jacques “Jack” here, Microsoft Technical Trainer. As a technical trainer, I’ve seen firsthand how Security Copilot Agents accelerate secure modernization and empower teams to stay ahead of threats. Whether you’re optimizing identity protection, automating phishing triage, or streamlining endpoint remediation, these agents are your AI, powered allies in building a resilient security posture. #MicrosoftLearn #SkilledByMTT #MTTBloggingGroupSecurity Copilot- Demystifying SCUs Deep Dive and AMA
Security Compute Units (SCUs) are the required resource units that power Microsoft Security Copilot, ensuring dependable and consistent performance across both standalone and embedded product experiences within Microsoft Security. In this session, we’ll demystify SCUs by unpacking: What SCUs are and how they function The billing models that govern their usage Optimization strategies to maximize value Best practices for SCU planning and deployment You’ll also have the opportunity to engage directly with Security Copilot experts to ask your SCU-related questions and gain practical insights. What is an AMA? An 'Ask Microsoft Anything' (AMA) session is an opportunity for you to engage directly with Microsoft employees! This AMA will consist of a short presentation followed by taking questions on-camera from the comment section down below! Ask your questions/give your feedback and we will have our awesome Microsoft Subject Matter Experts engaging and responding directly in the video feed. We know this timeslot might not work for everyone, so feel free to ask your questions at any time leading up to the event and the experts will do their best to answer during the live hour. This page will stay up so come back and use it as a resource anytime. We hope you enjoy!
