what's new
27 Topics

How to Become a Microsoft Security Copilot Ninja: The Complete Level 400 Training
Learn how to become a Microsoft Security Copilot (Copilot) Ninja! This blog will walk you through the resources you'll need to master and make best use of Microsoft's Security Copilot product!
167K Views, 27 likes, 20 Comments

Securing data in an AI-first world with Microsoft Purview
Announcing a set of capabilities in Microsoft Purview and Microsoft Defender to help you secure your data and apps as you leverage generative AI. At Microsoft, we are committed to helping you protect and govern your data – no matter where it lives or travels.
66K Views, 11 likes, 7 Comments

Microsoft Copilot for Security is now generally available
We are excited to share Copilot for Security is now available for purchase and customers can get started by provisioning capacity to run all Copilot workloads, both for standalone and for those embedded in our security products beginning with Microsoft Defender XDR.

Microsoft Copilot for Security Attains ISO 27001, 27017, and 27018 Certifications
We are thrilled to announce that Microsoft Copilot for Security, the first Generative Artificial Intelligence (GAI) security solution, has earned the prestigious ISO 27001, 27017, and 27018 certifications. Copilot for Security streamlines compliance endeavors by meeting rigorous regulatory standards.
8.9K Views, 6 likes, 0 Comments

Azure Lighthouse support for MSSP use of Security Copilot Sentinel scenarios in Public Preview
Security Copilot support for Azure Lighthouse Sentinel use cases for managed security service provider (MSSP) tenants is now in public preview. With this support, MSSPs can purchase SCUs and attach them to the managing tenant in Azure Lighthouse and use those SCUs to run Security Copilot skills related to Microsoft Sentinel on their customer tenants via Azure Lighthouse. All the Sentinel skills available in Security Copilot will be invokable from the Azure Lighthouse tenant without the customer needing to have Security Copilot, thereby making Security Copilot available to MSSPs who manage multiple customers. Supported scenarios include querying the customer Sentinel incident, incident entities/details, querying Sentinel workspaces, and fetching Sentinel incident query. These skills can be invoked per customer Sentinel workspace.

Managing tenants using Azure Lighthouse now can do the following, without their customers needing to provision SCUs:
- Use the same natural language based prompts using Sentinel skills on customer data
- Create custom promptbooks using Sentinel skills to automate their investigations
- Use Logic Apps to trigger these promptbooks

While this release doesn’t support all Security Copilot skills across customer tenants for MSSPs, it is an important development on the road to full support for Security Copilot for MSSPs using Azure Lighthouse. Read on to learn more about what this means for your practice, and how to get started.

What is Azure Lighthouse?
Azure Lighthouse is built into the Azure portal and allows IT partners to manage multiple tenants for Azure services. It provides a unified management experience, enabling partners to view and manage resources across all their customers' Azure environments from a single pane of glass. It supports multi-customer management, meaning partners can perform actions across multiple customer tenants simultaneously. This is particularly useful for Managed Service Providers (MSPs) who need to manage resources at scale.

What is changing?
We are introducing Azure Lighthouse support for MSSPs to use Security Copilot on their customer tenants without requiring customers to purchase Security Compute Units (SCUs). With Azure Lighthouse support, SCUs should be purchased by an MSSP admin for use on their customer’s tenant. To get started, MSSPs can go to Azure to onboard to Security Copilot and apply their purchased SCUs to their Azure Lighthouse subscription. In Azure Lighthouse, the MSSP needs to ensure that they have access set up to their customer’s Sentinel environment. Once the setup is completed, MSSPs can invoke Sentinel skills on the customer tenant via the Security Copilot Standalone portal and use the SCUs associated to the Azure Lighthouse subscription. MSSPs can further use custom promptbooks and logic apps to automate their workflows.

In the future, managed service support will continue to expand to include other skills and capabilities such as Entra, Intune and Purview skills. We will also add support to run the skills in parallel on multiple workspaces across customer tenants so that the same prompt can return the response from multiple tenants for better analysis.

What other access controls are supported?
As of December 2024, we now support M365 Partner Center GDAP (Granular Delegated Admin Privileges), which allows the managing tenant to operate directly in their customer’s environment using their customer’s Security Copilot tenant.

M365 Partner Center GDAP: GDAP is focused on Microsoft 365 services and is available through the Partner Center. It provides more granular and time-bound access to customer workloads, addressing security concerns by offering least-privileged access. Unlike Azure Lighthouse, GDAP relationships are more specific and time-bound, with a maximum duration of two years. Partners can request and manage these relationships through the Partner Center. GDAP is designed to help partners provide services to customers who have regulatory requirements or security concerns about high levels of partner access.

MSSPs can get access to customer tenants via GDAP and log into the Security Copilot standalone portal or the embedded experience to get their jobs done. The MSSP will be able to execute all the skills in Security Copilot (Entra, Defender, Purview, Intune, XDR, etc.), as GDAP supports all these services; a full list of skills is available here. In this configuration, the customer is the one purchasing Security Copilot SCUs and the MSSP uses these SCUs associated to the customer tenant, rather than SCUs associated to the MSSP’s tenant. Since Entra, Defender, Purview, and Intune are not supported in Azure Lighthouse, the only way for MSSPs to use Security Copilot on their customer tenant for these products is by directly logging into the customer tenant and utilizing the SCUs purchased by customers.

Additional Resources
- Understand authentication in Microsoft Security Copilot | Microsoft Learn
- Grant MSSPs access to Microsoft Security Copilot | Microsoft Learn
- Microsoft Security Copilot Frequently Asked Questions | Microsoft Learn
- Microsoft 365 Lighthouse frequently asked questions (FAQs)
- GDAP frequently asked questions - Partner Center | Microsoft Learn

3.9K Views, 3 likes, 0 Comments

Ignite 2024: Transforming Security with Microsoft Security Copilot
Today’s security and IT teams are working within increasingly complex and fragmented environments. They are constantly balancing a broad and varied tech landscape, a fast-changing regulatory environment, and increasingly sophisticated cyberthreats, while challenged with a global cybersecurity skills shortage, data overload, and the risk of missing critical vulnerabilities - slowing response times, and ultimately leading to security gaps. The evolving threat landscape has highlighted the critical role that AI can play in organizations’ security efforts.

To address these growing challenges, Microsoft introduced Microsoft Security Copilot (formerly known as Microsoft Copilot for Security) last April, enabling customers to use generative AI-powered assistance for daily operations in security and IT. Security Copilot is built to enhance every facet of an organization’s security operations across identities, devices, data, clouds, and apps. It turns global threat intelligence, industry best practices, and organizations’ own data into actionable insights to help teams catch what others miss, respond faster, and strengthen team expertise.

Since Security Copilot has been generally available, customers and partners have discovered powerful applications for the tool. Customers like Eastman, a specialty materials manufacturer, have experienced significant benefits, including cost savings, improved threat detection, and junior staff upskilling, with Security Copilot enabling faster KQL learning and reducing technical workloads.

“I’m finding that I can ask [Security Copilot] about attack factors that I’ve never seen before and get answers much faster. That helps me to make a better decision and respond faster to an attacker.” - David Yates, Senior Cybersecurity Analyst, Eastman

Supporting this impact, new research from Microsoft -- conducted between March and August 2024 -- showed a 30% reduction in mean time to resolution (MTTR) for security incidents three months post-adoption of Security Copilot. Given that recent estimates suggest analysts spend, on average, 2.7 hours per day resolving incidents costing $3.3 billion in the US alone, these results highlight the significant potential time and cost savings that Security Copilot can provide in security operations. Read the full research paper here.

What’s New at Ignite 2024
Just seven months after its general availability, Security Copilot continues to introduce new feature enhancements that strengthen its position as the leading gen-AI tool for security. The latest exciting advancements extend Security Copilot's capabilities beyond SOC teams, empowering data, identity, and IT teams to leverage powerful AI-driven insights and automation.

Security Copilot Beyond the SOC

Data Security: Copilot in Purview
Data security admins now have comprehensive, AI-powered visibility with new features, in public preview, for Copilot in Purview -- enabling faster, more accurate risk analysis across their data landscape. With Data Security Posture Management (DSPM), admins receive natural language insights on risks based on suggested or customizable prompts to prioritize and deepen their investigations. Copilot simplifies Data Loss Prevention (DLP) policy analysis by providing easy-to-read summaries and identifying DLP policy gaps, while eDiscovery case summaries streamline case management so users can quickly access natural language summaries of eDiscovery cases and searches. New DLP investigative prompts and the Copilot-powered Knowledge Hub further enhance data security team capabilities, providing actionable insights and guidance that assist admins to manage risks and upskill teams of all experience levels effectively.

Identity & Access: Copilot in Entra
With Security Copilot embedded in Microsoft Entra available in preview, identity admins can simplify their workflows, reduce administrative overload, and improve decision-making efficiency, from directly within the Entra portal. Copilot in Entra offers identity protection with AI-driven risk detection, insights, and mitigation capabilities, allowing identity and security teams to stay ahead of potential threats. With automated data gathering and correlation, admins can easily identify and respond to suspicious activity involving high-risk users, applications, and workload identities. It also allows admins to quickly troubleshoot access failures, offering automation and actionable insights around sign-in logs, user details, group details, audit logs, and diagnostic logs. Copilot transforms this complex data into natural language summaries, offering recommendations on how to quickly reduce risk and resolve access issues, even in highly sensitive situations.

Endpoint Management: Copilot in Intune
IT admins can now leverage expanded capabilities for Copilot in Intune, available in preview, to further reduce attack surface, improve IT efficiency, and streamline complex admin workflows. These new capabilities include support for investigating app elevation details and identifying potential signs of compromised apps before approving Endpoint Privilege Management requests. Copilot also assists with KQL query creation for single- and multi-device analysis, making it easier to retrieve device data—minimizing the need for admins to have deep KQL expertise. Additionally, Copilot in Intune expands to simplify update management with Windows Autopatch. This integration enables Copilot to support essential update tasks—from planning and troubleshooting to analyzing deployment outcomes—empowering IT teams to proactively address and resolve update issues.

Empower Security Teams and Automate Security Tasks

Innovations to enhance your SOC
The latest Security Copilot innovations for SOC, now generally available, empower security analysts to investigate incidents with more actionable user insights and greater user control. The new Identity Summary provides a comprehensive overview of the user identity information for quicker identification and resolution of potential security threats. The improved Copilot side panel experience remembers its open or closed state across tab changes, allowing users to maintain their preferred setting in the embedded experience.

Threat Intelligence
A Unified Threat Intelligence (TI) Experience, now in public preview, offers a complete view of threats by integrating a wider range of threat intelligence sources, including CVE data and advanced internet data sets, to help security teams quickly understand the impact of threats on the organization. New out-of-the-box promptbooks, now generally available, leverage this expanded breadth of intelligence through guided experiences that simplify complex workflows and empower SOC and threat intel analysts to investigate and respond to threats faster and more effectively.

Task Automation
Customer feedback has indicated significant value in using Copilot for task automation via Logic Apps and promptbooks. Users are able to do this by sequencing and automating common tasks enriched by gen AI insights to streamline security operations -- for example, a security analyst could create a Logic App that leverages Copilot promptbooks to automate the examination of user-reported phishing emails and determine the likelihood of a phishing event. Now generally available, the Security Copilot Logic Apps connector allows SOC teams to integrate promptbooks directly from Logic Apps to simplify the configuration of automation workflows.

Building on Enterprise Readiness
In addition to enhancing embedded capabilities for Security Copilot, we’re excited to announce several new platform features that help organizations to integrate, automate, monitor, and scale their security programs more efficiently. By connecting to existing tools via integrations, Security Copilot can extend and bring more value to users. We are also introducing features that help customers with monitoring, providing them with visibility and control over their audits, access, and usage.

Partner Ecosystem
As part of our effort to provide customers with truly end-to-end security protection, we have prioritized building out our Security Copilot partner ecosystem. We have worked with partners to develop plugins to enhance and extend the information and data brought into Security Copilot. At Ignite, we are announcing the general availability of over 15 plug-ins across different categories including threat intelligence and device, network, and endpoint management.

Third-party Threat Intelligence plugins enable security teams to bring rich information about threat actors, indicators of compromise, tools, and vulnerabilities into Copilot, enabling them to gain a holistic view of threats, understand their impact, and receive recommendations and guidance on how to respond. New GA Threat Intelligence plugins include CrowdSec, Cybersixgill, Whoisfreaks, Reversing Labs Spectra Analyze, Reversing Labs Spectra Intelligence, CywareRespond, Intel 471, Forescout Vedere Labs, GreyNoise’s Enterprise plugin, GreyNoise’s Community plugin, and Darktrace.

Third-party Device, Network, and Identity plugins provide additional insights into device health and compliance, network traffic patterns, and user authentication activities. These integrations allow for a holistic view of the security landscape, enabling more effective monitoring and management of potential threats. Additionally, these plugins can help organizations enforce security policies, detect anomalies, and respond to incidents in a timely manner. New GA Device, Network, and Identity plugins include Red Canary, Netskope, Tanium, Silverfort, CyberArk, and Jamf.

Additionally, new administrator controls for plugin management provide administrators with the ability to control which plugins can be enabled within their organizations. This feature provides more control and predictability of SCU consumption through plugins, helping organizations manage costs.

New Platform Features
We are also excited to introduce new platform features that help Security Copilot customers with visibility, guidance, and access control. An update to role-based access control (RBAC), now in preview, refines contributor role permissions by replacing the 'everyone' option with a 'recommended roles' bundle. This grants access to users with flagship roles in Entra, Intune, Purview, and the unified security operations platform, and will be the default setting for new tenants, preventing unintended access by users outside enabled groups. Additionally, the general availability of audit logs provides a comprehensive record of all security analyst and admin activities -- available through Purview Audit and UAL -- allowing organizations to detect and analyze interactions for compliance with regulatory requirements.

We are also announcing the preview of a new Prompt Library which provides prompts and promptbooks that may be used in Security Copilot. Customers who require more guidance in Copilot can leverage this library and filter by persona so they can easily find and use prompts and promptbooks that are most relevant to their role and tasks. Finally, the new Usage Dashboard, now generally available, offers detailed insights into your Security Compute Units (SCU) utilization with advanced filtering and a 90-day data timeframe, enabling data export into formatted Excel sheets for customizable analysis and better consumption management.

Learn more about how your organization can benefit from Copilot
Microsoft is dedicated to empowering customers with advanced security solutions that drive both robust protection and meaningful cost efficiencies across their security programs. This commitment is underscored by our adherence to industry leading standards like HITRUST, ISO 27001, ISO 27017, ISO 27018, and HIPAA, reflecting Microsoft's commitment to upholding the highest standards of security and data privacy for customers.

Further demonstrating Microsoft’s commitment to deliver meaningful cost efficiencies and enhanced productivity across security programs, a recent Total Economic Impact study by Forrester Consulting highlights the significant ROI that organizations can achieve with Security Copilot. In a study of over 300 decision-makers, the implementation of Security Copilot resulted in an average 23-46.7% productivity gain for SecOps tasks, reduced risk of security breaches with a projected value between $546,000 and $1 million, and enabled cost efficiencies worth $86,000 to $257,000 per 3 years. Read the full study.

To learn more about the exciting new features and explore how Security Copilot can enhance your organization’s security program, we invite you to connect with us at Microsoft Ignite. This is a great opportunity to engage with our experts, gain deeper insights, and see firsthand how Security Copilot can streamline your security operations. Join us at the Security Copilot sessions listed above, visit our Meet the Experts booth, or reach out for more information. Connect with us today to discover how Security Copilot can transform your security program and meet your evolving security needs.

Know Before You Go: Security Copilot at Microsoft Ignite 2024
We are just a few days away from Microsoft Ignite, happening from November 19–22, 2024, and the excitement is palpable! This year, we are thrilled to share Security Copilot with everyone, both in-person and virtual attendees alike.

In-Person Experience: For those joining us in person, you'll have the opportunity to interact directly with our experts, attend immersive sessions, and see live demos of Security Copilot. Our hands-on labs and breakout sessions will provide you with practical insights and experiences that you can take back to your organization.

Virtual Engagement: We haven’t forgotten about our virtual audience! You’ll have access to live-streamed sessions, interactive Q&As, and virtual demos. We’ve designed a rich and engaging online experience to ensure that you gain the same valuable insights and knowledge as those attending in person.

We are excited to announce a series of innovative technical breakout sessions, theater sessions, labs, community opportunities, and demos designed to showcase the cutting-edge capabilities of Security Copilot. These are tailored to provide in-depth insights and hands-on experiences, ensuring attendees gain a comprehensive understanding of how to leverage Security Copilot to its fullest potential.

Microsoft Security Copilot is your generative AI-powered assistant that helps teams improve security across organizations. Discover how Security Copilot enables you to protect at the speed and scale of AI by leveraging global threat intelligence, industry best practices, and organizational data from Microsoft and others to deliver tailored insights. Learn about the latest innovations, including AI-driven automation capabilities and new use cases that elevate security organization-wide.

Join us for these exciting opportunities, whether in-person at McCormick Place in Chicago or virtually online. Explore how Security Copilot can transform your security operations, optimize efficiency, and enhance your organization's overall security posture. Whether you're a security professional, IT expert, or simply interested in the future of cybersecurity, these sessions offer valuable knowledge and practical tips to help you stay ahead in the ever-evolving world of cybersecurity. We look forward to your participation and can't wait to see you there!

Breakout Sessions
We are excited to announce our series of innovative technical breakout sessions, designed to showcase the cutting-edge capabilities of Security Copilot. These sessions are tailored to provide in-depth insights and hands-on experiences, ensuring attendees gain a comprehensive understanding of how to leverage Security Copilot to its fullest potential.

BRK307: Transform your security with GenAI innovations in Security Copilot - Dorothy Li, Emily Longman, Dilip Radhakrishnan
In Chicago + Online - Will be recorded
Tuesday, November 19 - 11:30 AM - 12:15 PM Central Standard Time
Microsoft Security Copilot is your generative AI-powered assistant that helps teams improve security across organizations. Discover how Security Copilot enables you to protect at the speed and scale of AI by leveraging global threat intelligence, industry best practices and organizational data from Microsoft and others to deliver tailored insights. Learn about the latest innovations, including AI-driven automation capabilities and new use cases that elevate security organization-wide.

BRK308: Optimize with Security Copilot: Real-world insights and expert advice - Dennis Mercer, Heena Macwan
In Chicago + Online - Will be recorded
Thursday, November 21 - 3:45 PM - 4:30 PM Central Standard Time
Discover how to unlock Microsoft Security Copilot's full potential. This session offers deep dives into valuable case studies, the latest efficiency data, and practical tips from product experts. Learn best practices and insider tricks to maximize Copilot’s benefits, ensuring quick value realization and enhanced security and IT operations.

BRK316: One goal, many roles: Microsoft Security Copilot use cases for all - Nick Goodman, Ryan Munsch
In Chicago + Online - Will be recorded
Thursday, November 21 - 5:00 PM - 5:45 PM Central Standard Time
Experience how Microsoft Security Copilot supports multiple cybersecurity roles through practical, real-world incidents. This session highlights Copilot's seamless integration with Microsoft’s security suite—Entra, Defender, Purview, and Intune - and its ability to provide tailored solutions that address a broad range of security functions beyond traditional SOC roles.

BRK331: Security Partner Growth: Harness the Power of AI in Security Copilot - Vicki Beizer, Mona Ghadiri, James Key, Jose Lazaro
In Chicago Only - Will be recorded
Friday, November 22 - 10:15 AM - 11:00 PM Central Standard Time
Discover new Security Copilot product capabilities built to enable partners to run their managed services business and expand their ISV solutions. Find out how Partners can maximize the capabilities of your technical resources to support customers more effectively. You will receive a preview of the new partner benefits and product developments coming next year and learn how you can get ahead of the curve. Don't miss this chance to stay ahead in the ever-evolving security landscape.

Theater Sessions
We are thrilled to announce our series of innovative Theater Sessions, designed to spotlight the pioneering capabilities of Security Copilot. These sessions provide a dynamic platform for learning, engaging, and exploring the future of cybersecurity.

THR653: Mastering custom plugins in Microsoft Security Copilot - Rod Trent
In Chicago Only - Will NOT be Recorded
Tuesday, November 19 - 11:15 AM - 11:45 AM Central Standard Time
Dive into the technical intricacies of Microsoft Security Copilot in this hands-on session. Gain practical knowledge on building plugins to customize Copilot for your organization's unique requirements. The session provides detailed instructions on creating custom integrations and automations, with a focus on plugin development. This is tailored for security and IT professionals looking to elevate Copilot's capabilities through advanced customization and seamless integration with existing security tools.

THR555: Threat Intelligence at machine speed with Microsoft Security Copilot - Ryan Munsch
In Chicago Only - Will NOT be Recorded
Wednesday, November 20 - 9:00 AM - 9:15 AM Central Standard Time
Threat intelligence is crucial for protecting against evolving threats, but extracting actionable insights from vast data can be overwhelming. Join Microsoft expert Ryan Munsch to discover how Security Copilot's generative AI streamlines threat intelligence. He'll show how Copilot acts as a research assistant, analyst, and responder, using guided experiences and prompts to simplify threat management and reduce the time, resources, and stress involved in defending your organization.

Labs
We're excited to invite you to dive deep into the cutting-edge capabilities of Security Copilot through our hands-on labs. These instructor-led sessions are designed to provide a comprehensive, interactive experience, enabling you to fully understand and leverage the power of Security Copilot in your organization.

LAB462: Boost security and IT efficiency with Microsoft Security Copilot - Rod Trent
In Chicago Only - Will NOT be Recorded
Wednesday, November 20 - 3:00 PM - 4:15 PM Central Standard Time
Join us for an interactive lab to experience Microsoft Security Copilot in action. Through expert-led simulations, explore how generative AI streamlines incident response, expedites troubleshooting, and enhances decision-making across security and IT. Test-drive Security Copilot and see firsthand how it helps teams identify, respond to, and mitigate threats efficiently. Ideal for security professionals eager to experience the real-world impact of generative AI in security & IT.

LAB462-R1: Boost security and IT efficiency with Microsoft Security Copilot - Rod Trent
In Chicago Only - Will NOT be Recorded
Thursday, November 21 - 8:30 AM - 9:45 AM Central Standard Time
Join us for an interactive lab to experience Microsoft Security Copilot in action. Through expert-led simulations, explore how generative AI streamlines incident response, expedites troubleshooting, and enhances decision-making across security and IT. Test-drive Security Copilot and see firsthand how it helps teams identify, respond to, and mitigate threats efficiently. Ideal for security professionals eager to experience the real-world impact of generative AI in security & IT.

Community
We are excited to invite you to our series of Community Tabletops, designed to foster collaboration and innovation around Security Copilot. These sessions provide an interactive environment where you can engage with peers, share experiences, and explore the latest advancements in cybersecurity.

COM1028: Community Roundtable: Security Copilot for IT Pros – Bill Mccluskey
In Chicago Only - Will NOT be Recorded
Tuesday, November 19 - 1:00 PM - 2:00 PM Central Standard Time
This session will bring together experts and peers to explore real-world applications, share best practices, and discuss the latest features of Security Copilot. Attendees will gain invaluable insights into optimizing security measures, enhancing threat detection, and streamlining incident response. Join us to collaborate, network, and learn from the collective experience of your fellow IT pros in a dynamic and interactive environment.

COM1029: Community Roundtable: Security Copilot for the SOC - Michael Pinch
In Chicago Only - Will NOT be Recorded
Tuesday, November 19 - 4:00 PM - 5:00 PM Central Standard Time
Join us for an engaging roundtable discussion tailored specifically for Security Operations Center (SOC) professionals focused on optimizing the use of Security Copilot. This session will facilitate an interactive exchange of ideas, challenges, and best practices related to the deployment and management of Security Copilot within the SOC. Participants will gain insights into leveraging Security Copilot to enhance threat detection, streamline incident response, and improve overall SOC efficiency. This is a unique opportunity to network with peers, learn from industry experts, and collaboratively explore innovative solutions to common SOC challenges. Come prepared to share your experiences and take away actionable strategies to elevate your SOC's security posture.

COM1030: Community Roundtable: Developing Security Copilot Plugins - Rod Trent
In Chicago Only - Will NOT be Recorded
Wednesday, November 20 - 11:00 AM - 12:00 PM Central Standard Time
Join us for an engaging community roundtable focused on the development of plugins for Microsoft Security Copilot. This session provides a platform for developers, IT professionals, and cybersecurity enthusiasts to collaborate and exchange ideas on creating innovative plugins that enhance Security Copilot's capabilities. Attendees will gain insights into the plugin development process, explore successful case studies, and discuss best practices for integrating custom plugins into their security workflows. Whether you're a seasoned developer or new to plugin creation, this roundtable offers valuable takeaways and networking opportunities to help you expand Security Copilot's functionality and improve your organization's security posture.

Demos and Networking
Don't miss the opportunity to visit the Copilot demo station at the Expert meet-up. Our team will be showcasing the latest demos of Security Copilot, highlighting its powerful features and capabilities. Our experts will be on-hand to answer your questions and provide insights into how Security Copilot can enhance your security posture. Whether you're interested in learning about our innovative tools or need guidance on specific features, we're here to help. Be sure to stop by and experience firsthand how Security Copilot can help you stay ahead in the ever-evolving world of cybersecurity. We look forward to meeting you!

1.1K Views, 3 likes, 0 Comments

What's new in Microsoft Security Copilot
A major wave of updates has landed: integration with the new Sentinel data lake and graph, new ready-made and custom agents, and the debut of the Microsoft Security Store. Let’s take a look at what’s new.

Microsoft Sentinel and Security Copilot integration delivers deeper context and smarter AI

Sentinel data lake is now generally available, and new capabilities like Sentinel graph and the Model Context Protocol (MCP) server are in public preview, bringing in a new level of integration with Security Copilot. Agents can now access richer, more connected data from across Sentinel, combining graph, structured, and semantic context to reason and act with greater precision. This enhanced foundation transforms AI-driven detection and response, helping teams resolve incidents faster and uncover deeper insights across their environments.

Read more in the Sentinel announcement blog: Introducing Microsoft Sentinel graph

Build your own Security Copilot agents, no coding required

Now anyone on your team can create custom Security Copilot agents. Use a no-code portal or developer tools to design, test, and deploy agents that automate the workflows you need most. Your team controls how they work and what they do.

Learn more: Build your own Security Copilot agent

New Microsoft and partner ready-made agents for real challenges

These new agents help teams address common security and IT challenges faster and smarter:

- Access Review Agent in Microsoft Entra: Streamline access reviews, flag unusual patterns, and reduce fatigue for security and compliance teams. It helps maintain governance and compliance by automatically analyzing ongoing access reviews and highlighting potential risks.
  - Learn more: The Microsoft Entra agent for smarter access governance: Access Review Agent
- Phishing Triage Agent in Microsoft Defender saves nearly 200 hours a month: In this new customer spotlight, St. Luke’s is seeing the impact of integrating Security Copilot agents into their daily workflows.
ACISO Krista Arndt says, “The Phishing Triage Agent is a game changer. It’s saving us nearly 200 hours monthly by autonomously handling and closing thousands of false positive alerts.” With routine triage automated, security teams can shift from reactive response to proactive threat hunting, freeing up time for higher-value work and faster threat mitigation.

The launch of 30 new partner-built agents that can be found on the Microsoft Security Store with solutions like:

- Forensic Agent by glueckkanja AG: Delivers deep-dive analysis of Defender XDR incidents to accelerate investigations and uncover root causes faster.
- Privileged Admin Watchdog Agent by glueckkanja AG: Helps enforce zero standing privilege principles by removing persistent admin identities, reducing risk, and strengthening administrative security.
- Ransomware Kill Chain Investigator Agent by adaQuest: Automates ransomware triage to quickly detect and respond to threats, enabling security teams to focus on high-priority incidents.
- Entity Guard Investigator Agent by adaQuest: Investigates Defender incidents and provides actionable insights to accelerate incident resolution and strengthen security posture.
- Admin Guard Insight Agent by adaQuest: Analyzes administrative activity, detects anomalies, evaluates risk exposure and compliance, and delivers actionable guidance to improve administrative security.
- Identity Workload ID Agent by Invoke: Empowers identity administrators and security teams to manage and secure Workload Identities in Microsoft Entra, reducing risk, strengthening compliance, and controlling identity sprawl.
  - Find these agents and more in the Microsoft Security Store

Microsoft Security Store – one, centralized place to find agents and SaaS solutions

The Microsoft Security Store makes it simple to discover, deploy, and buy Security Copilot agents and partner solutions. Start using any of the 30 new agents or 50 SaaS solutions to power your SOC, IT, privacy, and compliance workflows.
Read more in the announcement blog: Introducing Microsoft Security Store

Stay tuned and explore more!

Security Copilot is transforming how security and IT teams operate – bringing AI-powered insights, automation, and decision support into everyday workflows. With new capabilities landing every month, the pace of innovation is accelerating. We’ll be back in November with more updates. Until then, explore these resources to get hands-on, deepen your understanding, and see what’s possible:

- Security Copilot Video Hub – Watch demos and walkthroughs to see Security Copilot in action
- Microsoft Security Copilot Website – Learn about capabilities, use cases, and product details
- Security Copilot Adoption Hub – Access rollout guides, templates, and best practices

Don’t miss Microsoft Ignite - we’ll be announcing exciting new capabilities for Security Copilot and sharing what’s next in AI-powered security.