what's new
How to Become a Microsoft Security Copilot Ninja: The Complete Level 400 Training
Learn how to become a Microsoft Security Copilot (Copilot) Ninja! This blog will walk you through the resources you'll need to master and make best use of Microsoft's Security Copilot product!

Securing data in an AI-first world with Microsoft Purview
Announcing a set of capabilities in Microsoft Purview and Microsoft Defender to help you secure your data and apps as you leverage generative AI. At Microsoft, we are committed to helping you protect and govern your data – no matter where it lives or travels.

Microsoft Copilot for Security is now generally available
We are excited to share that Copilot for Security is now available for purchase. Customers can get started by provisioning capacity to run all Copilot workloads, both standalone and embedded in our security products, beginning with Microsoft Defender XDR.

Microsoft Copilot for Security Attains ISO 27001, 27017, and 27018 Certifications
We are thrilled to announce that Microsoft Copilot for Security, the first Generative Artificial Intelligence (GAI) security solution, has earned the prestigious ISO 27001, 27017, and 27018 certifications. Copilot for Security streamlines compliance endeavors by meeting rigorous regulatory standards.

Azure Lighthouse support for MSSP use of Security Copilot Sentinel scenarios in Public Preview
Security Copilot support for Azure Lighthouse Sentinel use cases for managed security service provider (MSSP) tenants is now in public preview. With this support, MSSPs can purchase SCUs, attach them to the managing tenant in Azure Lighthouse, and use those SCUs to run Security Copilot skills related to Microsoft Sentinel on their customer tenants via Azure Lighthouse. All the Sentinel skills available in Security Copilot can be invoked from the Azure Lighthouse tenant without the customer needing to have Security Copilot, making Security Copilot available to MSSPs who manage multiple customers. Supported scenarios include querying a customer's Sentinel incidents, incident entities and details, querying Sentinel workspaces, and fetching a Sentinel incident query. These skills can be invoked per customer Sentinel workspace.

Managing tenants using Azure Lighthouse can now do the following without their customers needing to provision SCUs:
- Use the same natural language prompts with Sentinel skills on customer data
- Create custom promptbooks using Sentinel skills to automate their investigations
- Use Logic Apps to trigger these promptbooks

While this release doesn’t support all Security Copilot skills across customer tenants for MSSPs, it is an important development on the road to full support for Security Copilot for MSSPs using Azure Lighthouse. Read on to learn more about what this means for your practice and how to get started.

What is Azure Lighthouse?
Azure Lighthouse is built into the Azure portal and allows IT partners to manage multiple tenants for Azure services. It provides a unified management experience, enabling partners to view and manage resources across all their customers' Azure environments from a single pane of glass. It supports multi-customer management, meaning partners can perform actions across multiple customer tenants simultaneously. This is particularly useful for Managed Service Providers (MSPs) who need to manage resources at scale.

What is changing?
We are introducing Azure Lighthouse support for MSSPs to use Security Copilot on their customer tenants without requiring customers to purchase Security Compute Units (SCUs). With Azure Lighthouse support, SCUs should be purchased by an MSSP admin for use on their customer’s tenant. To get started, MSSPs go to Azure to onboard to Security Copilot and apply their purchased SCUs to their Azure Lighthouse subscription. In Azure Lighthouse, the MSSP needs to ensure that they have access set up to their customer’s Sentinel environment. Once the setup is completed, MSSPs can invoke Sentinel skills on the customer tenant via the Security Copilot standalone portal, consuming the SCUs associated with the Azure Lighthouse subscription. MSSPs can further use custom promptbooks and Logic Apps to automate their workflows.

In future, managed service support will continue to expand to include other skills and capabilities such as Entra, Intune and Purview skills. We will also add support to run the skills in parallel on multiple workspaces across customer tenants, so that the same prompt can return the response from multiple tenants for better analysis.

What other access controls are supported?
As of December 2024, we also support M365 Partner Center GDAP (Granular Delegated Admin Privileges), which allows the managing tenant to operate directly in their customer’s environment using their customer’s Security Copilot tenant.

M365 Partner Center GDAP: GDAP is focused on Microsoft 365 services and is available through the Partner Center. It provides more granular and time-bound access to customer workloads, addressing security concerns by offering least-privileged access. Unlike Azure Lighthouse, GDAP relationships are more specific and time-bound, with a maximum duration of two years. Partners can request and manage these relationships through the Partner Center. GDAP is designed to help partners provide services to customers who have regulatory requirements or security concerns about high levels of partner access.

MSSPs can get access to customer tenants via GDAP and log into the Security Copilot standalone portal or the embedded experience to get their jobs done. Because GDAP supports all of these services, the MSSP will be able to execute all the skills in Security Copilot (Entra, Defender, Purview, Intune, XDR, etc.); a full list of skills is available here. In this configuration, the customer is the one purchasing Security Copilot SCUs, and the MSSP uses the SCUs associated with the customer tenant rather than SCUs associated with the MSSP’s tenant. Since Entra, Defender, Purview and Intune are not supported in Azure Lighthouse, the only way for MSSPs to use Security Copilot on their customer tenant for these products is by directly logging into the customer tenant and utilizing the SCUs purchased by the customer.

Additional Resources
- Understand authentication in Microsoft Security Copilot | Microsoft Learn
- Grant MSSPs access to Microsoft Security Copilot | Microsoft Learn
- Microsoft Security Copilot Frequently Asked Questions | Microsoft Learn
- Microsoft 365 Lighthouse frequently asked questions (FAQs)
- GDAP frequently asked questions - Partner Center | Microsoft Learn

Ignite 2024: Transforming Security with Microsoft Security Copilot
Today’s security and IT teams are working within increasingly complex and fragmented environments. They are constantly balancing a broad and varied tech landscape, a fast-changing regulatory environment, and increasingly sophisticated cyberthreats, while challenged with a global cybersecurity skills shortage, data overload, and the risk of missing critical vulnerabilities, which slows response times and ultimately leads to security gaps. The evolving threat landscape has highlighted the critical role that AI can play in organizations’ security efforts.

To address these growing challenges, Microsoft introduced Microsoft Security Copilot (formerly known as Microsoft Copilot for Security) last April, enabling customers to use generative AI-powered assistance for daily operations in security and IT. Security Copilot is built to enhance every facet of an organization’s security operations across identities, devices, data, clouds, and apps. It turns global threat intelligence, industry best practices, and organizations’ own data into actionable insights to help teams catch what others miss, respond faster, and strengthen team expertise.

Since Security Copilot became generally available, customers and partners have discovered powerful applications for the tool. Customers like Eastman, a specialty materials manufacturer, have experienced significant benefits, including cost savings, improved threat detection, and junior staff upskilling, with Security Copilot enabling faster KQL learning and reducing technical workloads.

“I’m finding that I can ask [Security Copilot] about attack factors that I’ve never seen before and get answers much faster. That helps me to make a better decision and respond faster to an attacker.” - David Yates, Senior Cybersecurity Analyst, Eastman

Supporting this impact, new research from Microsoft, conducted between March and August 2024, showed a 30% reduction in security incident mean time to resolution (MTTR) three months post-adoption of Security Copilot. Given that recent estimates suggest analysts spend, on average, 2.7 hours per day resolving incidents, costing $3.3 billion in the US alone, these results highlight the significant potential time and cost savings that Security Copilot can provide in security operations. Read the full research paper here.

What’s New at Ignite 2024
Just seven months after its general availability, Security Copilot continues to introduce new feature enhancements that strengthen its position as the leading gen-AI tool for security. The latest advancements extend Security Copilot's capabilities beyond SOC teams, empowering data, identity, and IT teams to leverage powerful AI-driven insights and automation.

Security Copilot Beyond the SOC

Data Security: Copilot in Purview
Data security admins now have comprehensive, AI-powered visibility with new features, in public preview, for Copilot in Purview, enabling faster, more accurate risk analysis across their data landscape. With Data Security Posture Management (DSPM), admins receive natural language insights on risks based on suggested or customizable prompts to prioritize and deepen their investigations. Copilot simplifies Data Loss Prevention (DLP) policy analysis by providing easy-to-read summaries and identifying DLP policy gaps, while eDiscovery case summaries streamline case management so users can quickly access natural language summaries of eDiscovery cases and searches. New DLP investigative prompts and the Copilot-powered Knowledge Hub further enhance data security team capabilities, providing actionable insights and guidance that help admins manage risks and upskill teams of all experience levels effectively.

Identity & Access: Copilot in Entra
With Security Copilot embedded in Microsoft Entra, available in preview, identity admins can simplify their workflows, reduce administrative overload, and improve decision-making efficiency directly within the Entra portal. Copilot in Entra offers identity protection with AI-driven risk detection, insights, and mitigation capabilities, allowing identity and security teams to stay ahead of potential threats. With automated data gathering and correlation, admins can easily identify and respond to suspicious activity involving high-risk users, applications, and workload identities. It also allows admins to quickly troubleshoot access failures, offering automation and actionable insights around sign-in logs, user details, group details, audit logs, and diagnostic logs. Copilot transforms this complex data into natural language summaries, offering recommendations on how to quickly reduce risk and resolve access issues, even in highly sensitive situations.

Endpoint Management: Copilot in Intune
IT admins can now leverage expanded capabilities for Copilot in Intune, available in preview, to further reduce attack surface, improve IT efficiency, and streamline complex admin workflows. These new capabilities include support for investigating app elevation details and identifying potential signs of compromised apps before approving Endpoint Privilege Management requests. Copilot also assists with KQL query creation for single- and multi-device analysis, making it easier to retrieve device data and minimizing the need for admins to have deep KQL expertise. Additionally, Copilot in Intune expands to simplify update management with Windows Autopatch. This integration enables Copilot to support essential update tasks, from planning and troubleshooting to analyzing deployment outcomes, empowering IT teams to proactively address and resolve update issues.

Empower Security Teams and Automate Security Tasks

Innovations to enhance your SOC
The latest Security Copilot innovations for the SOC, now generally available, empower security analysts to investigate incidents with more actionable user insights and greater user control. The new Identity Summary provides a comprehensive overview of user identity information for quicker identification and resolution of potential security threats. The improved Copilot side panel remembers its open or closed state across tab changes, allowing users to maintain their preferred setting in the embedded experience.

Threat Intelligence
A Unified Threat Intelligence (TI) Experience, now in public preview, offers a complete view of threats by integrating a wider range of threat intelligence sources, including CVE data and advanced internet data sets, to help security teams quickly understand the impact of threats on the organization. New out-of-the-box promptbooks, now generally available, leverage this expanded breadth of intelligence through guided experiences that simplify complex workflows and empower SOC and threat intel analysts to investigate and respond to threats faster and more effectively.

Task Automation
Customer feedback has indicated significant value in using Copilot for task automation via Logic Apps and promptbooks. Users sequence and automate common tasks, enriched by gen AI insights, to streamline security operations. For example, a security analyst could create a Logic App that leverages Copilot promptbooks to automate the examination of user-reported phishing emails and determine the likelihood of a phishing event. Now generally available, the Security Copilot Logic Apps connector allows SOC teams to integrate promptbooks directly from Logic Apps to simplify the configuration of automation workflows.

Building on Enterprise Readiness
In addition to enhancing embedded capabilities for Security Copilot, we’re excited to announce several new platform features that help organizations integrate, automate, monitor, and scale their security programs more efficiently. By connecting to existing tools via integrations, Security Copilot can extend and bring more value to users. We are also introducing features that help customers with monitoring, providing them with visibility and control over their audits, access, and usage.

Partner Ecosystem
As part of our effort to provide customers with truly end-to-end security protection, we have prioritized building out our Security Copilot partner ecosystem. We have worked with partners to develop plugins that enhance and extend the information and data brought into Security Copilot. At Ignite, we are announcing the general availability of over 15 plug-ins across different categories, including threat intelligence and device, network, and endpoint management.

Third-party Threat Intelligence plugins enable security teams to bring rich information about threat actors, indicators of compromise, tools, and vulnerabilities into Copilot, enabling them to gain a holistic view of threats, understand their impact, and receive recommendations and guidance on how to respond. New GA Threat Intelligence plugins include CrowdSec, Cybersixgill, Whoisfreaks, Reversing Labs Spectra Analyze, Reversing Labs Spectra Intelligence, CywareRespond, Intel 471, Forescout Vedere Labs, GreyNoise’s Enterprise plugin, GreyNoise’s Community plugin, and Darktrace.

Third-party Device, Network, and Identity plugins provide additional insights into device health and compliance, network traffic patterns, and user authentication activities. These integrations allow for a holistic view of the security landscape, enabling more effective monitoring and management of potential threats. Additionally, these plugins can help organizations enforce security policies, detect anomalies, and respond to incidents in a timely manner. New GA Device, Network, and Identity plugins include Red Canary, Netskope, Tanium, Silverfort, CyberArk, and Jamf.

Additionally, new administrator controls for plugin management give administrators the ability to control which plugins can be enabled within their organizations. This feature provides more control and predictability of SCU consumption through plugins, helping organizations manage costs.

New Platform Features
We are also excited to introduce new platform features that help Security Copilot customers with visibility, guidance, and access control. An update to role-based access control (RBAC), now in preview, refines contributor role permissions by replacing the 'everyone' option with a 'recommended roles' bundle. This grants access to users with flagship roles in Entra, Intune, Purview, and the unified security operations platform, and will be the default setting for new tenants, preventing unintended access by users outside enabled groups. Additionally, the general availability of audit logs provides a comprehensive record of all security analyst and admin activities, available through Purview Audit and the UAL, allowing organizations to detect and analyze interactions for compliance with regulatory requirements. We are also announcing the preview of a new Prompt Library, which provides prompts and promptbooks that may be used in Security Copilot. Customers who require more guidance in Copilot can leverage this library and filter by persona so they can easily find and use the prompts and promptbooks most relevant to their role and tasks. Finally, the new Usage Dashboard, now generally available, offers detailed insights into your Security Compute Units (SCU) utilization with advanced filtering and a 90-day data timeframe, enabling data export into formatted Excel sheets for customizable analysis and better consumption management.

Learn more about how your organization can benefit from Copilot
Microsoft is dedicated to empowering customers with advanced security solutions that drive both robust protection and meaningful cost efficiencies across their security programs. This commitment is underscored by our adherence to industry-leading standards like HITRUST, ISO 27001, ISO 27017, ISO 27018, and HIPAA, reflecting Microsoft's commitment to upholding the highest standards of security and data privacy for customers.

Further demonstrating Microsoft’s commitment to deliver meaningful cost efficiencies and enhanced productivity across security programs, a recent Total Economic Impact study by Forrester Consulting highlights the significant ROI that organizations can achieve with Security Copilot. In a study of over 300 decision-makers, the implementation of Security Copilot resulted in an average 23-46.7% productivity gain for SecOps tasks, reduced risk of security breaches with a projected value between $546,000 and $1 million, and enabled cost efficiencies worth $86,000 to $257,000 per 3 years. Read the full study.

To learn more about the exciting new features and explore how Security Copilot can enhance your organization’s security program, we invite you to connect with us at Microsoft Ignite. This is a great opportunity to engage with our experts, gain deeper insights, and see firsthand how Security Copilot can streamline your security operations. Join us at the Security Copilot sessions listed above, visit our Meet the Experts booth, or reach out for more information. Connect with us today to discover how Security Copilot can transform your security program and meet your evolving security needs.

Know Before You Go: Security Copilot at Microsoft Ignite 2024
We are just a few days away from Microsoft Ignite, happening from November 19–22, 2024, and the excitement is palpable! This year, we are thrilled to share Security Copilot with everyone, in-person and virtual attendees alike.

In-Person Experience: For those joining us in person, you'll have the opportunity to interact directly with our experts, attend immersive sessions, and see live demos of Security Copilot. Our hands-on labs and breakout sessions will provide you with practical insights and experiences that you can take back to your organization.

Virtual Engagement: We haven’t forgotten about our virtual audience! You’ll have access to live-streamed sessions, interactive Q&As, and virtual demos. We’ve designed a rich and engaging online experience to ensure that you gain the same valuable insights and knowledge as those attending in person.

We are excited to announce a series of innovative technical breakout sessions, theater sessions, labs, community opportunities, and demos designed to showcase the cutting-edge capabilities of Security Copilot. These are tailored to provide in-depth insights and hands-on experiences, ensuring attendees gain a comprehensive understanding of how to leverage Security Copilot to its fullest potential.

Microsoft Security Copilot is your generative AI-powered assistant that helps teams improve security across organizations. Discover how Security Copilot enables you to protect at the speed and scale of AI by leveraging global threat intelligence, industry best practices, and organizational data from Microsoft and others to deliver tailored insights. Learn about the latest innovations, including AI-driven automation capabilities and new use cases that elevate security organization-wide.

Join us for these exciting opportunities, whether in person at McCormick Place in Chicago or virtually online. Explore how Security Copilot can transform your security operations, optimize efficiency, and enhance your organization's overall security posture. Whether you're a security professional, IT expert, or simply interested in the future of cybersecurity, these sessions offer valuable knowledge and practical tips to help you stay ahead in the ever-evolving world of cybersecurity. We look forward to your participation and can't wait to see you there!

Breakout Sessions
We are excited to announce our series of innovative technical breakout sessions, designed to showcase the cutting-edge capabilities of Security Copilot. These sessions are tailored to provide in-depth insights and hands-on experiences, ensuring attendees gain a comprehensive understanding of how to leverage Security Copilot to its fullest potential.

BRK307: Transform your security with GenAI innovations in Security Copilot - Dorothy Li, Emily Longman, Dilip Radhakrishnan
In Chicago + Online - Will be recorded
Tuesday, November 19 - 11:30 AM - 12:15 PM Central Standard Time
Microsoft Security Copilot is your generative AI-powered assistant that helps teams improve security across organizations. Discover how Security Copilot enables you to protect at the speed and scale of AI by leveraging global threat intelligence, industry best practices and organizational data from Microsoft and others to deliver tailored insights. Learn about the latest innovations, including AI-driven automation capabilities and new use cases that elevate security organization-wide.

BRK308: Optimize with Security Copilot: Real-world insights and expert advice - Dennis Mercer, Heena Macwan
In Chicago + Online - Will be recorded
Thursday, November 21 - 3:45 PM - 4:30 PM Central Standard Time
Discover how to unlock Microsoft Security Copilot's full potential. This session offers deep dives into valuable case studies, the latest efficiency data, and practical tips from product experts. Learn best practices and insider tricks to maximize Copilot’s benefits, ensuring quick value realization and enhanced security and IT operations.

BRK316: One goal, many roles: Microsoft Security Copilot use cases for all - Nick Goodman, Ryan Munsch
In Chicago + Online - Will be recorded
Thursday, November 21 - 5:00 PM - 5:45 PM Central Standard Time
Experience how Microsoft Security Copilot supports multiple cybersecurity roles through practical, real-world incidents. This session highlights Copilot's seamless integration with Microsoft’s security suite (Entra, Defender, Purview, and Intune) and its ability to provide tailored solutions that address a broad range of security functions beyond traditional SOC roles.

BRK331: Security Partner Growth: Harness the Power of AI in Security Copilot - Vicki Beizer, Mona Ghadiri, James Key, Jose Lazaro
In Chicago Only - Will be recorded
Friday, November 22 - 10:15 AM - 11:00 PM Central Standard Time
Discover new Security Copilot product capabilities built to enable partners to run their managed services business and expand their ISV solutions. Find out how partners can maximize the capabilities of their technical resources to support customers more effectively. You will receive a preview of the new partner benefits and product developments coming next year and learn how you can get ahead of the curve. Don't miss this chance to stay ahead in the ever-evolving security landscape.

Theater Sessions
We are thrilled to announce our series of innovative Theater Sessions, designed to spotlight the pioneering capabilities of Security Copilot. These sessions provide a dynamic platform for learning, engaging, and exploring the future of cybersecurity.

THR653: Mastering custom plugins in Microsoft Security Copilot - Rod Trent
In Chicago Only - Will NOT be Recorded
Tuesday, November 19 - 11:15 AM - 11:45 AM Central Standard Time
Dive into the technical intricacies of Microsoft Security Copilot in this hands-on session. Gain practical knowledge on building plugins to customize Copilot for your organization's unique requirements. The session provides detailed instructions on creating custom integrations and automations, with a focus on plugin development. This is tailored for security and IT professionals looking to elevate Copilot's capabilities through advanced customization and seamless integration with existing security tools.

THR555: Threat Intelligence at machine speed with Microsoft Security Copilot - Ryan Munsch
In Chicago Only - Will NOT be Recorded
Wednesday, November 20 - 9:00 AM - 9:15 AM Central Standard Time
Threat intelligence is crucial for protecting against evolving threats, but extracting actionable insights from vast data can be overwhelming. Join Microsoft expert Ryan Munsch to discover how Security Copilot's generative AI streamlines threat intelligence. He'll show how Copilot acts as a research assistant, analyst, and responder, using guided experiences and prompts to simplify threat management and reduce the time, resources, and stress involved in defending your organization.

Labs
We're excited to invite you to dive deep into the cutting-edge capabilities of Security Copilot through our hands-on labs. These instructor-led sessions are designed to provide a comprehensive, interactive experience, enabling you to fully understand and leverage the power of Security Copilot in your organization.

LAB462: Boost security and IT efficiency with Microsoft Security Copilot - Rod Trent
In Chicago Only - Will NOT be Recorded
Wednesday, November 20 - 3:00 PM - 4:15 PM Central Standard Time
Join us for an interactive lab to experience Microsoft Security Copilot in action. Through expert-led simulations, explore how generative AI streamlines incident response, expedites troubleshooting, and enhances decision-making across security and IT. Test-drive Security Copilot and see firsthand how it helps teams identify, respond to, and mitigate threats efficiently. Ideal for security professionals eager to experience the real-world impact of generative AI in security & IT.

LAB462-R1: Boost security and IT efficiency with Microsoft Security Copilot - Rod Trent
In Chicago Only - Will NOT be Recorded
Thursday, November 21 - 8:30 AM - 9:45 AM Central Standard Time
Join us for an interactive lab to experience Microsoft Security Copilot in action. Through expert-led simulations, explore how generative AI streamlines incident response, expedites troubleshooting, and enhances decision-making across security and IT. Test-drive Security Copilot and see firsthand how it helps teams identify, respond to, and mitigate threats efficiently. Ideal for security professionals eager to experience the real-world impact of generative AI in security & IT.

Community
We are excited to invite you to our series of Community Tabletops, designed to foster collaboration and innovation around Security Copilot. These sessions provide an interactive environment where you can engage with peers, share experiences, and explore the latest advancements in cybersecurity.

COM1028: Community Roundtable: Security Copilot for IT Pros – Bill Mccluskey
In Chicago Only - Will NOT be Recorded
Tuesday, November 19 - 1:00 PM - 2:00 PM Central Standard Time
This session will bring together experts and peers to explore real-world applications, share best practices, and discuss the latest features of Security Copilot. Attendees will gain invaluable insights into optimizing security measures, enhancing threat detection, and streamlining incident response. Join us to collaborate, network, and learn from the collective experience of your fellow IT pros in a dynamic and interactive environment.

COM1029: Community Roundtable: Security Copilot for the SOC - Michael Pinch
In Chicago Only - Will NOT be Recorded
Tuesday, November 19 - 4:00 PM - 5:00 PM Central Standard Time
Join us for an engaging roundtable discussion tailored specifically for Security Operations Center (SOC) professionals focused on optimizing the use of Security Copilot. This session will facilitate an interactive exchange of ideas, challenges, and best practices related to the deployment and management of Security Copilot within the SOC. Participants will gain insights into leveraging Security Copilot to enhance threat detection, streamline incident response, and improve overall SOC efficiency. This is a unique opportunity to network with peers, learn from industry experts, and collaboratively explore innovative solutions to common SOC challenges. Come prepared to share your experiences and take away actionable strategies to elevate your SOC's security posture.

COM1030: Community Roundtable: Developing Security Copilot Plugins - Rod Trent
In Chicago Only - Will NOT be Recorded
Wednesday, November 20 - 11:00 AM - 12:00 PM Central Standard Time
Join us for an engaging community roundtable focused on the development of plugins for Microsoft Security Copilot. This session provides a platform for developers, IT professionals, and cybersecurity enthusiasts to collaborate and exchange ideas on creating innovative plugins that enhance Security Copilot's capabilities. Attendees will gain insights into the plugin development process, explore successful case studies, and discuss best practices for integrating custom plugins into their security workflows. Whether you're a seasoned developer or new to plugin creation, this roundtable offers valuable takeaways and networking opportunities to help you expand Security Copilot's functionality and improve your organization's security posture.

Demos and Networking
Don't miss the opportunity to visit the Copilot demo station at the Expert meet-up. Our team will be showcasing the latest demos of Security Copilot, highlighting its powerful features and capabilities. Our experts will be on hand to answer your questions and provide insights into how Security Copilot can enhance your security posture. Whether you're interested in learning about our innovative tools or need guidance on specific features, we're here to help. Be sure to stop by and experience firsthand how Security Copilot can help you stay ahead in the ever-evolving world of cybersecurity. We look forward to meeting you!

From alert overload to decisive action: How Security Copilot agents are transforming security and IT
Security and IT teams operate in a constant stream of alerts, incidents, and investigations. As environments expand across identities, endpoints, cloud, and data, the challenge becomes clear: identifying real risk quickly enough to act. Security Copilot agents bring AI directly into the flow of work, helping teams understand risk with greater context, investigate threats more efficiently, and take action sooner.

Security Copilot is now included with Microsoft 365 E5 and E7 licenses at no additional cost, so teams can start using agents right away.

Over the past year, organizations have used Security Copilot to triage alerts, surface real threats earlier, and move faster from investigation to action. At this RSA 2026 conference, we are announcing new capabilities that reflect a continuous wave of innovation, evolving from built-in AI assistance and automated summaries to new agents that can analyze signals, investigate incidents, and execute security workflows.

Real-world impact: measurable results

Security Copilot agents help security and IT teams identify and respond to risk more effectively. Customers are seeing that impact in their day-to-day operations.

At St. Luke’s University Health Network, the Security Alert Triage Agent (previously named Phishing Triage Agent) in Microsoft Defender saves security analysts more than 200 hours every month, automatically triaging phishing alerts and surfacing those that actually matter.

Independent randomized controlled studies reinforce the results. Security professionals using the Security Alert Triage Agent triaged alerts up to 78% faster, delivered 77% more accurate verdicts, and identified 6.5 times more malicious emails.

Note: The Phishing Triage Agent has since been expanded and is now called the Security Alert Triage Agent. Learn more at aka.ms/SATA

That same impact extends beyond the SOC into other critical areas of security and IT.
A data security team at a large telecommunications organization used the Data Security Triage Agent in Microsoft Purview to triage more than 40,000 Data Loss Prevention (DLP) alerts in 90 days, surfacing the 10% most critical alerts that required investigation.

Identity teams are also seeing huge improvements with the Conditional Access Optimization Agent in Microsoft Entra, which continuously analyzes access policies against Zero Trust baselines and recommends actions. In controlled productivity studies, identity admins completed policy-related tasks 43% faster and 48% more accurately when identifying configuration weaknesses.

IT teams are also seeing impact using the Vulnerability Remediation Agent in Microsoft Intune, which continuously detects new vulnerabilities as threats emerge. As one CTO at a renewable energy and technology company shared, the agent is “dramatically changing the way we approach working with vulnerabilities in our environment. A two‑week process is now a two‑minute process, really huge number for us.”

Across these scenarios, teams begin investigations with clearer context and a better understanding of what actually matters. Instead of piecing together signals across dozens of tools, they can focus on the highest-risk issues and move from investigation to action with confidence. As environments continue expanding across identities, endpoints, applications, and data, quickly connecting signals and understanding risk becomes essential.

New Security Copilot agents and capabilities announced at RSA Conference

Our innovation continues. Microsoft is introducing new Security Copilot agents and expanded capabilities designed to help organizations analyze complex security data, triage alerts more effectively, and strengthen security posture across identity, endpoint, cloud, and data environments.
New and updated Security Copilot agents built by Microsoft

Security Analyst Agent in Microsoft Defender

Security teams are often sitting on enormous volumes of security data, but turning that data into answers takes time. The Security Analyst Agent helps teams move from raw telemetry to real understanding much faster. By performing deep, multi-step investigations across Microsoft Defender and Sentinel telemetry, the agent can analyze up to ~100MB of security data to uncover anomalies, hidden risks, and high-impact threats that might otherwise stay buried. Analysts can chat directly with the agent to ask questions, explore hypotheses, and dig deeper into findings. The results include transparent reasoning and supporting evidence, helping teams quickly understand what matters and move forward with confidence.

Security Alert Triage Agent in Microsoft Defender

One of the biggest challenges for SOC teams is deciding which alerts actually deserve attention. The Security Alert Triage Agent helps cut through that noise so analysts can focus on the threats that truly matter. Building on its existing phishing triage capabilities, the agent now extends autonomous triage to identity and cloud alerts. Each verdict includes clear, transparent reasoning so analysts can quickly understand the outcome and prioritize the alerts that matter most.

New capabilities for Conditional Access Optimization Agent in Microsoft Entra

Identity environments are constantly evolving as organizations add new apps, users, and authentication methods. New capabilities in the Conditional Access Optimization Agent help identity teams identify and close critical policy gaps faster, with recommendations tailored to their organization’s needs. The agent now delivers business-context-aware recommendations, supports phased rollout of new policies, enables automated least-privilege enforcement for supported third-party agent identities, and helps drive passkey adoption.
Together, these capabilities help organizations continuously strengthen identity security while maintaining productivity.

New capabilities for Data Security Posture Agent in Microsoft Purview

Sensitive data often moves through documents, emails, chats, and collaboration tools, which makes it easy for credentials or secrets to end up where they shouldn’t be. A new credential scanning capability in the Data Security Posture Agent helps data security teams proactively identify exposed credentials within their data environment. By analyzing data signals and access patterns, the agent surfaces potential credential exposure risks and helps teams quickly investigate and remediate them. This gives organizations better visibility into hidden data risks and strengthens overall protection of critical systems.

New capabilities for Data Security Triage Agent in Microsoft Purview Insider Risk Management

Investigating insider risk alerts often requires piecing together signals from many different sources to understand what is really happening. The Data Security Triage Agent now introduces an advanced AI reasoning layer that helps security teams evaluate those signals more holistically. By performing deeper, multi-step analysis across behavioral signals from users, devices, and data activity, the agent can surface the incidents that truly require investigation while filtering out noise. The result is faster, more accurate investigations and better confidence when responding to potential insider risks.

New capabilities for Data Security Triage Agent in Microsoft Purview Data Loss Prevention

Custom Sensitive Information Types (SITs) are often difficult for analysts to interpret quickly because the underlying definitions and patterns lack clear context at triage time. This latest enhancement makes custom SITs easier for both the agent and analysts to understand in Data Loss Prevention alerts.
Purview interprets custom SIT definitions, generates semantic descriptions of the data, and surfaces that context directly within the agent. This allows the agent to classify and prioritize alerts involving custom data more accurately, helping analysts quickly recognize real risk and respond appropriately.

New Security Copilot agents built by partners

To meet customers where they are across their existing security stack, the Security Copilot ecosystem continues to grow with more than 70 partner-built agents available today in the Security Store, bringing additional signals and investigation capabilities into the platform. Some of these agents include the following:

Security Investigation Agent by Commvault – Correlates backup anomalies with identity and security signals across platforms such as Entra, CrowdStrike, Netskope, and Darktrace.
MITRE Attack Coverage Insight Agent by Inspira – Evaluates analytic rule coverage, calculates ATT&CK coverage, identifies detection gaps, generates detection recommendations, and provides SOC detection maturity scoring.
Endpoint Risk Insights Agent by Avanade – Provides endpoint risk insights by correlating signals across security telemetry.
Identity Role Mining Agent by Invoke – Allows users to discover and analyze administrator roles in Microsoft Entra ID with ease and precision.
Identity Threat Triage Agent by Silverfort – Correlates Silverfort's identity risk signals with Entra ID and Defender for Endpoint data in the Sentinel data lake to surface risky sign‑ins, MFA abuse, suspicious processes, and anomalies.

Together, these partner agents extend Security Copilot’s ability to connect signals across Microsoft and third-party security platforms, giving organizations broader visibility and stronger investigation capabilities across their security environment. To explore all new Security Copilot agents, visit the Microsoft Security Store.
New Security Copilot innovations that turn insight into action

Security Copilot continues to integrate more deeply into the tools security and IT teams already use every day. These capabilities bring AI directly into the environments where investigations happen, helping teams explore threats, understand context, and take action without switching between tools.

Security Copilot interactive chat experience in Microsoft Defender

Analysts can ask questions, explore investigative hypotheses, and follow threat activity across incidents, alerts, identities, devices, and IPs without leaving their investigation. Copilot understands the context of the page analysts are working on and grounds responses in the relevant signals already available in Defender. As analysts ask questions, Copilot can run investigative steps, gather additional evidence, and surface new insights. This allows teams to iterate quickly, validate assumptions, and dig deeper into threats while staying in the same workflow.

Secret finder skill in Security Copilot is now generally available

Available in the Security Copilot standalone portal, the Secret Finder skill can be invoked to analyze unstructured content such as emails, chats, documents, and investigation notes to identify exposed credentials hidden in real-world workflows. Using agentic capabilities such as multi-step reasoning rather than simple pattern matching, it detects real, usable secrets and the systems they unlock, helping security teams quickly understand potential exposure and respond with confidence. Additional integrations and use cases are planned to expand how this capability can be used across security workflows.

Security Copilot trigger in Logic Apps

Building on how many organizations already use Logic Apps to automate security workflows, a new connector action for Security Copilot in Logic Apps flows allows teams to easily invoke partner-built agents and custom agents they create as part of repeatable workflows.
This brings deeper AI-driven investigation, context, and decision support into tasks such as incident triage, threat intelligence analysis, and policy validation.

See Security Copilot in action at RSA Conference

Join us at RSA Conference to see the latest Security Copilot agents and capabilities in action. Stop by the Microsoft booth to connect with the team, explore new innovations, and experience how agents are helping security and IT teams investigate threats, understand risk, and strengthen security posture.

Hear from Microsoft Security product leaders in these booth sessions

March 23 | 5:15 PM | Empowering the SOC with assistive and autonomous AI, Yuval Derman
March 24 | 3:00 PM | Security Copilot agents: Insight. Action. Impact., Lizzie Heinze and Donna Lee
March 25 | 10:30 AM | Turning Data Risk into Action with Security Copilot Agents, Paige Johnson and Tanay Baldua
March 26 | 12:00 PM | Defend identity autonomously with agentic AI in Microsoft Entra, Mitch Muro, Rahul Prakash, Nikhil Reddy

Join our deep dive session

March 24 | 8:30 AM | The Palace Hotel
Security Copilot in action: An agentic approach to modern security
Register here: Microsoft Security RSAC Events | Microsoft Corporate

Stop by the Microsoft booth for a hands-on experience

Test out the latest Security Copilot agents at the demo station and connect with our experts.

Agentic AI Arena: Try a fun, gamified experience that shows how Security Copilot agents investigate threats, surface risk, and help security teams respond faster.
Start using Security Copilot in your daily workflows

If you have received access to Security Copilot as part of your Microsoft 365 E5 plan, we recommend the following steps to get started quickly:

Sign up for the Security Copilot skilling series
Review new agentic scenarios and developer capabilities in the Security Copilot Adoption Hub
Learn what’s included with your Microsoft 365 E5 plan in documentation
Request assistance from a Microsoft 365 FastTrack specialist to unlock the full value of Security Copilot