Extending Microsoft Copilot for Security Capabilities with Azure Function Apps
Azure Function Apps offer a convenient way to execute functions in a server-less environment. They allow users to write functions in C#, Java, JavaScript, PowerShell, Python and Typescript which can then be called using several trigger options. One of the most common triggers is the HTTP trigger allowing functions to be called like a REST API. This article shows how to build a Copilot for Security API plugin that calls an Azure Function App.How to build a Copilot for Security API Plugin – Part 1
In this article, we discuss the steps required to build a simple API plugin using a GET API request. Using a basic Python/Flask based webservice we also look under the hood to see how Copilot selects a plugin and the steps taken to make the REST API call.Leveraging Generative AI for Efficient Security Investigation Summaries
Generative AI (GAI) has revolutionized how we interact with technology, especially in the realm of cybersecurity. By understanding natural language, GAI enables us to instruct complex operations in simple terms. This post explores how to utilize GAI for creating concise, accurate summaries of security investigations, using Security Copilot as a prime example.Agentic security your way: Build your own Security Copilot agents
Microsoft Security Copilot is redefining how security and IT teams operate. Today at Microsoft Secure, we’re unveiling powerful updates that put genAI and agent-driven automation at the center of modern defense. In a world where threats move faster than ever, alerts pile up, and resources stay tight, Security Copilot delivers the competitive edge: contextual intelligence, a growing network of agents, and the flexibility to build your own. The announcements focus on three key areas: building your own Security Copilot agents for tailored workflows, expanding the agent ecosystem with new Microsoft and partner solutions, and improving agent quality and performance. These updates build on the agents first introduced in March while giving security and IT teams more flexibility and control. This is the blueprint for the next era of agentic defense, and it starts now. Build your own Security Copilot agents, your way While we already offer a growing catalog of ready-to-use agents built by Microsoft and partners, we know that no two environments are alike. That’s why Security Copilot empowers you to create custom agents your way for tailored workflows – whether you're an analyst with limited coding experience or a developer using your favorite platform – you can build agents that fit your needs. Build agents in the Security Copilot portal Users can now build agents with a simplified, no-code interface in the standalone Security Copilot experience. Simply describe the task or workflow in natural language, and Copilot automatically generates the agent code. You can edit components, add any additional tools, including Sentinel MCP tools from our rich tool catalog, test the agent, optimize its instructions, and publish directly to your tenant. Create dynamic, ready-to-use agents in minutes – without writing any code. Build agents in a preferred MCP server-enabled development environment For teams with experienced developers, you can also use natural language and vibe-coding to build agents in a preferred MCP server-enabled coding platform, such as VS Code using GitHub Copilot. By enabling the Sentinel MCP server, developers can access MCP tools to build, refine, and deploy custom agents directly within their workspace. This approach gives full control over code, tools, and deployment while keeping the process within familiar development platforms. These options empower both technical and non-technical teams to rapidly create, test, and deploy custom Security Copilot agents. Organizations can automate workflows faster, design agents to their unique needs, and improve security and IT operations across the board. Discover new Security Copilot agents Since Security Copilot agents were first introduced in March, we have delivered more than a dozen Microsoft and partner-developed agents that help organizations tackle real challenges in security and IT operations. Analysts using the Conditional Access Optimization Agent in Microsoft Entra have been able to quickly uncover policy gaps, closing an average of 26 gaps per customer in just one month, with 73% of early adopters acting on at least one recommendation. The Phishing Triage Agent in Microsoft Defender has allowed analysts to shift from reactive sifting to proactive resolution, reducing triage time by up to 78%. Read how St Lukes University saves nearly 200 hours monthly in phishing alert triage and creating incident reports in minutes instead of hours. The Phishing Triage Agent is a game changer. It’s saving us nearly 200 hours monthly by autonomously handling and closing thousands of false positive alerts. - Krista Arndt, ACISO, St. Luke’s University Health Network We’re continuing to build on this momentum with new agents designed to address additional security and IT scenarios. The new Access Review Agent in Microsoft Entra tackles a common challenge: reduce access review fatigue and approving access without review. It analyzes ongoing reviews, flags anomalies or unusual access patterns, and delivers actionable guidance in a conversational interface. Reviewers can approve, revoke, or request more details right in Microsoft Teams, helping them focus on the riskiest access, make faster decisions, and strengthen compliance. With innovations like this, we’re not just reducing fatigue—we’re redefining how access governance is done, setting the standard for security agents that adapt to the way people work. Learn more about the Access Review Agent here. And, with the growing range of agentic use cases, the new Microsoft Security Store is your one-stop shop to discover, purchase, and deploy Security Copilot agents built by Microsoft and trusted partners. Find solutions aligned for SOC, IT, privacy, compliance, and governance teams, all in one place. By uniting discovery, deployment, and publishing in a single experience, Security Store powers a thriving ecosystem that gives your team a unique advantage: access to an ever-expanding range of agent capabilities that evolve as fast as the challenges they face. In addition to helping customers find the right solutions, Security Store also enables partners to bring their innovations to market. Partners can build and publish Security Copilot agents and SaaS solutions to grow their business and reach new customers. Today, we are announcing 30 new partner-built agents as well as 50 partner SaaS solutions in the Security Store. The launch of 30 new partner-built agents brings forward solutions like: A Forensic Agent by glueckkanja AG delivers deep-dive analysis of Defender XDR incidents to accelerate investigations, while their Privileged Admin Watchdog Agent helps enforce zero standing privilege principles by getting rid of persistent admin identities. These innovations, along with their other 6 agents in the Security Store today, demonstrate how glueckkanja AG is empowering organizations to tackle a wide range of security and IT challenges. 3 agents from adaQuest focused on automating investigation and response to focus security teams on what matters. A Ransomware Kill Chain Investigator Agent by adaQuest automates ransomware triage, an Entity Guard Investigator Agent by adaQuest investigates Defender incidents, and an Admin Guard Insight Agent analyzes administrative activity, detects anomalies, evaluates risk exposure and compliance, offering actionable insights to improve administrative security posture. An Identity Workload ID Agent by Invoke empowers identity administrators and security teams to manage and secure Workload Identities in Microsoft Entra, helping to reduce risk, strengthen compliance, provide more control over identity sprawl. To learn more about all new partner-built agents as well as partner SaaS offerings, read the blog or head to the Microsoft Security Store. Smarter, faster Security Copilot agents High-quality LLM instructions are critical to agent performance, yet manually fine-tuning them is time-consuming and error-prone. We’re excited to introduce tools that help improve custom-built agent quality and performance, starting with autotune instruction optimization. Autotune eliminates the need for manual tuning by automatically analyzing and refining agent instructions for optimal performance. Simply enable autotune during testing and submit, then receive a detailed results report with suggested prompt changes boost your agent’s AI quality score quickly and effortlessly. This optimization not only delivers better outcomes faster, but it also ensures that every agent in our ecosystem is always evolving - making them smarter, sharper, and more effective over time. But instructions are only part of the picture. To truly empower agents, context and data is key. By combining rich security signals from Microsoft Sentinel with advanced AI reasoning, Microsoft is setting a new standard for what agents can achieve—resolving incidents faster, optimizing workflows, and delivering deeper, more actionable insight. Security Copilot leverages a unified foundation of structured, graph, and semantic data from Sentinel to give agents the context they need to connect the dots across your environment. This deep integration transforms what AI can do, enabling agents to reason, adapt, and act with precision at machine speed. Read the Sentinel graph announcement here. Get Started Today With Security Copilot, the power of AI is now in your hands. Deploy ready-to-use agents from Microsoft and partners, or design custom agents built for your environment and workflows. These agents accelerate decision-making, surface critical insights, and let teams focus on strategic security work - turning complexity into clarity and speed. Explore Security Store today to experience how agentic automation is reshaping security operations and unlocking the full potential of your team. Learn more about how to create your own agents. Deep dive into these innovations at Microsoft Secure on Sept. 30, Oct. 1 or on demand. Then, join us at Microsoft Ignite, Nov, 17–21 in San Francisco, CA or online—for more innovations, hands-on labs, and expert connections.Boost SOC automation with AI: Speed up incident triage with Security Copilot and Microsoft Sentinel
The Solution This solution leverages AI and automation to speed up incident triage by providing automated response to an incident while infusing AI reasoning into the triage process, allowing the analyst to gain quick context about the gravity of the incident, detailed information about each entity involved and any executed processes. It then goes on to recommend mitigation steps, leading to faster MTTR (Mean Time To Respond). Below are key highlights of the solution: Accelerated triage: One of the scenarios in which analysts could spend a considerable amount of time is when the incident includes, for example, a process name that they have never encountered before. This challenge is compounded when the process execution includes command line elements. In this situation Security Copilot steps in to provide a rapid analysis of the process and associated command line elements and presenting the output to the analyst in a much faster fashion than they would be able to do without AI’s contribution. Similarly, in the case of the device entity Copilot taps into Microsoft Intune to bring in a summary of OS information, compliance status and hardware information, etc., thereby accelerating triage. Additionally, the reality in the SOC is that incidents do not happen at convenient times, several incidents can be triggered at the same time, requiring analysts to triage them as quickly as possible. This is where AI and automation become a force multiplier. Having the logic app trigger automatically upon incident creating and performing the core triage tasks saves the analysts precious time that they would have spent having to manually triage several incidents that could trigger at the same time. Insight consolidation: The Logic App brings together context from multiple sources, spanning across both first and third-party. In this example we are tapping into AbuseIPDB as a third-party enrichment source. The logic app offers this flexibility, giving customers the option to being in enrichment data from third party or custom sources and have Security Copilot build a holistic narrative for the triage summary. In doing so it helps the analyst get as much context as possible without needing to pivot into multiple security tools. Streamlined incident management: Incident comments in Microsoft Sentinel are automatically updated, providing investigators with up-to-date information and reducing manual effort. These comments are also automatically synchronized to Defender XDR portal and are therefore also accessible from that interface. The automated incident investigation summary is structured with the following details: Incident overview – Details matching those used to define the analytics rule Incident description – A summary including the key highlights of the incident Analysis on incident entities – AI-powered analysis of the IP, Account, Host and Process details as extracted from the incident Possible mitigation steps – Depending on the nature of the incident, provide suggested mitigation steps for the incident Conclusion Below is a snapshot of the logic App steps: Sample output Once attached to the selected analytics rules and the associated incident is created, you can expect output the incident to be enriched in a manner similar to what is shown here below and then added as a comment to the triggered Microsoft Sentinel incident Security Copilot skills used Skill Description ProcessAnalyzer Scrutinizes process names and command lines, providing detailed insights into potentially malicious activities. GetEntraUserDetails Retrieves comprehensive user information GetIntineDevices Facilitates the extraction of device details from Intune, ensuring that all devices associated with an incident are thoroughly examined AbuseIPDB Preforms IP address reputation checks, helping to identify and mitigate threats from suspicious IP addresses Deployment prerequisites Before deploying the Logic App, ensure the following prerequisites are met: The user or service principal deploying this logic app should have the Contributor role on the Azure Resource Group that will host the logic App. Microsoft Security Copilot should be enabled in the Azure tenant. The user should have access to Microsoft Security Copilot to submit prompts by authenticating to the Microsoft Copilot for Security connector within the logic app. Microsoft Sentinel is configured and generates incidents. Obtain an AbuseIPDB API key to perform IP address reputation analysis. Follow below link to our Security Copilot GitHub repo to obtain the solution: SecurityCopilot-Sentinel-Incident-Investigation automation on GitHub Conclusion The integration of AI and automation in the Security Operations Center (SOC) through tools like Security Copilot and Logic Apps in Microsoft Sentinel significantly enhances incident triage and management. By leveraging these technologies, organizations can achieve faster, more consistent, and reliable incident handling, ultimately strengthening their overall security posture. Additional resources Overview - Azure Logic Apps | Microsoft Learn Logic Apps connectors in Microsoft Security Copilot | Microsoft Learn Microsoft Sentinel - Cloud-native SIEM Solution | Microsoft Azure Microsoft Security Copilot | Microsoft Security
