what's new
27 Topics

How to Become a Microsoft Security Copilot Ninja: The Complete Level 400 Training
Learn how to become a Microsoft Security Copilot (Copilot) Ninja! This blog will walk you through the resources you'll need to master and make best use of Microsoft's Security Copilot product!

Securing data in an AI-first world with Microsoft Purview
Announcing a set of capabilities in Microsoft Purview and Microsoft Defender to help you secure your data and apps as you leverage generative AI. At Microsoft, we are committed to helping you protect and govern your data – no matter where it lives or travels.

Microsoft Copilot for Security is now generally available
We are excited to share Copilot for Security is now available for purchase and customers can get started by provisioning capacity to run all Copilot workloads, both for standalone and for those embedded in our security products beginning with Microsoft Defender XDR.

Microsoft Copilot for Security Attains ISO 27001, 27017, and 27018 Certifications
We are thrilled to announce that Microsoft Copilot for Security, the first Generative Artificial Intelligence (GAI) security solution, has earned the prestigious ISO 27001, 27017, and 27018 certifications. Copilot for Security streamlines compliance endeavors by meeting rigorous regulatory standards.

RSA Conference 2025: Security Copilot Agents now in preview
In a time of escalating cyber threats, security teams face relentless pressure to do more with less – more threats, more data, more tools, fewer resources. Microsoft Security Copilot was built to bridge that gap, delivering an AI-driven assistant that enhances detection, investigation, and response across the entire Microsoft Security stack. Since it was launched in April 2024, Copilot has been integrated into customer environments to assist security professionals at every level – amplifying human expertise, streamlining complex workflows, and helping teams stay ahead of evolving threats.

New research from Microsoft live operations highlights Security Copilot’s tangible impact, showing productivity gains across security and IT. Organizations using Security Copilot have seen:

At this year’s RSA Conference, we are excited to share updates that make Security Copilot even more powerful, flexible, and accessible to customers and partners.

Security Copilot agents are now in preview

Last month at Microsoft Secure, we introduced Security Copilot agents - autonomous AI designed to tackle high-volume security tasks. Built on Security Copilot and seamlessly integrated with Microsoft Security solutions and partner ecosystem, these agents are tailored to security-specific use cases, adapt to your workflows, and learn from feedback, all while keeping your team fully in control. Every agent launched is built on the Security Copilot platform, ensuring a consistent, secure, and unified experience across capabilities.

Starting today, we’re beginning a phased public preview rollout which will gradually expand to more customers to ensure a smooth and scalable experience.
The following agents are now available in preview to select customers:

Conditional Access Optimization Agent in Microsoft Entra monitors for new users or apps not covered by existing policies, identifies necessary updates to close security gaps, and recommends quick fixes for identity teams to apply with a single click.
Vulnerability Remediation Agent in Microsoft Intune monitors and prioritizes vulnerabilities and remediation tasks to address app and policy configuration issues and expedites Windows OS patches with admin approval.
Threat Intelligence Briefing Agent in Security Copilot automatically curates relevant and timely threat intelligence based on an organization’s unique attributes and cyberthreat exposure.

And there’s more to come. Over the next few weeks, additional agents will become available to customers:

Phishing Triage Agent in Microsoft Defender triages phishing alerts with accuracy to identify real cyberthreats and false alarms. It provides easy-to-understand explanations for its decisions and improves detection based on admin feedback.
Alert Triage Agents in Microsoft Purview triage data loss prevention and insider risk alerts, prioritize critical incidents, and continuously improve accuracy based on admin feedback.
Partner agents from OneTrust, Tanium, BlueVoyant, Fletch, and Aviatrix that automate tasks like privacy breach response, SOC assessment, alert triage, task optimization, and root cause analysis.

We’re also thrilled to announce two new partner agents that have joined our growing ecosystem since our Secure event last month, now in private preview:

Email Threat Analyst Agent by Performanta conducts investigations into email-based threats and compromised user activity and provides an impact and recommended mitigation assessment.
IAM Supervisor Agent by Performanta uncovers and triages identity and access threats and provides an impact and recommended mitigation assessment.
With these additions, our growing ecosystem of Security Copilot agents – now in preview – offers broader insights and powerful automation to help security teams respond faster and more effectively. We are excited to continue advancing agentic capabilities both at Microsoft and through collaboration with our third-party partners. Please visit the new Security Copilot video hub for demos or deep dives of Security Copilot agents.

Partner ecosystem updates

Azure Lighthouse support for Sentinel use cases

Security Copilot support for Azure Lighthouse Sentinel use cases for managed security service provider (MSSP) tenants is now generally available. With this support, MSSPs can purchase SCUs and attach them to the managing tenant in Azure Lighthouse and use those SCUs to run Security Copilot skills related to Microsoft Sentinel on their customer tenants via Azure Lighthouse. All the Sentinel skills available in Security Copilot will be invokable from the Azure Lighthouse tenant without the customer needing to have Security Copilot, thereby making Security Copilot available to MSSPs who manage multiple customers. Supported scenarios include querying the customer Sentinel incident, incident entities/details, querying Sentinel workspaces, and fetching Sentinel incident query. These skills can be invoked per customer Sentinel workspace.

Managing tenants using Azure Lighthouse now can do the following, without their customers needing to provision SCUs:

Use the same natural language-based prompts using Sentinel skills on customer data
Create custom promptbooks using Sentinel skills to automate their investigations
Use Logic Apps to trigger these promptbooks

Learn more about how to get started with Azure Lighthouse Support for Sentinel use cases here.

New Security Copilot plugins

As part of our effort to provide customers with truly end-to-end security protection, we continue to prioritize expanding our Security Copilot partner ecosystem.
We have worked with partners to develop plugins to enhance and extend the information and data brought into Security Copilot.

The following plugins are now in preview:

Censys plugin enables users to enrich investigations using threat intelligence from the Censys platform to scan a URL or domain and scan an IP address.
HP Workforce Experience Platform (WXP) plugin for Security Copilot allows users to gain insight into warranty of devices, application crashes, data about their fleet, and more.
Splunk plugin allows Security Copilot users to make calls to Splunk to perform queries to create, retrieve, and dispatch saved Splunk searches, and retrieve and view information about fired alerts.
Quest Security Guardian plugin reduces alert fatigue by prioritizing your most exploitable vulnerabilities and Active Directory configurations that demand attention.

The following plugins are now in GA:

CheckPhish plugin allows users to utilize the CheckPhish AI to analyze URLs for potential phishing threats, tech support scams, cryptojacking, and other security risks.

Integration spotlight: ServiceNow SIR plugin

The integration of ServiceNow AI and Microsoft Security Copilot capabilities brings joint capabilities to empower our customers and enhance their security posture. The integration optimizes incident insights within SIR and enhances Microsoft Security product’s security incident resolution status and threat prioritization capabilities, driving continuous security posture and awareness. As a result, security teams benefit from faster, more accurate incident resolution - reinforcing our commitment to delivering cutting-edge, AI-driven solutions that elevate the entire security ecosystem.

Flexibility, scalability, and security for AI

Microsoft Purview for Security Copilot

As organizations adopt AI, implementing data controls and a Zero Trust approach is crucial to mitigate risks like data oversharing and leakage, and potential non-compliant usage in AI.
We are excited to announce Microsoft Purview capabilities in preview for Security Copilot. By combining Microsoft Purview and Security Copilot, users can:

Discover data risks such as sensitive data in user prompts and responses and receive recommended actions in their Microsoft Purview Data Security Posture Management (DSPM) for AI dashboard to reduce these risks.
Identify risky AI usage with Microsoft Purview Insider Risk Management to investigate risky AI usage, such as an inadvertent user who has neglected security best practices and shared sensitive data in AI or a departing employee using AI to find sensitive data and exfiltrating the data through a USB device.
Govern AI usage with Microsoft Purview Audit, Microsoft Purview eDiscovery, retention policies, and non-compliant usage detection.

Learn more about Purview for Security Copilot here.

Copilot in Microsoft Defender for Cloud

Copilot in Defender for Cloud helps security teams accelerate risk remediation, making it faster and easier for security admins to remediate cloud risks by providing AI-generated summaries, remediation actions, and delegation emails, guiding users in each step of the risk reduction process. Security admins can use AI to quickly summarize a specific recommendation, generate remediation scripts, and delegate tasks via email to resource owners. The capabilities help reduce investigation time, enabling security teams to understand the risk in context and identify resources to quickly remediate. The capabilities are now generally available. Learn more about Copilot in Defender for Cloud here.

Enriched Incident Summaries in the Microsoft Sentinel Azure portal

We’re excited to announce Security Copilot Incident Summaries in the Microsoft Sentinel Azure portal are now in public preview. This capability provides enriched, easy-to-digest insights into security incidents - streamlining triage and helping analysts quickly understand scope, impact, and next steps. Read the blog post here.
Enhanced Consumption Flexibility for Security Copilot

This month we introduced enhancements to Security Copilot that increase customer flexibility and scalability by supplementing the existing provisioned pricing structure with the addition of an overage Security Compute Unit (SCU). This capability ensures that users can scale their Copilot workloads beyond their provisioned capacity, for uninterrupted protection. Read the blog post here.

Learn more about Security Copilot at RSA Conference 2025

To learn more about Security Copilot and explore how it can elevate your organization’s security strategy, we invite you to connect with us at booth #5744. This is a great opportunity to engage with Microsoft security experts, dive deeper into the latest innovations, and experience how Security Copilot can simplify and strengthen your security operations. Join us for our Security Copilot sessions below, stop by our booth for a live demo, or schedule a one-on-one meeting with our team.

Ignite 2024: Transforming Security with Microsoft Security Copilot
Today’s security and IT teams are working within increasingly complex and fragmented environments. They are constantly balancing a broad and varied tech landscape, a fast-changing regulatory environment, and increasingly sophisticated cyberthreats, while challenged with a global cybersecurity skills shortage, data overload, and the risk of missing critical vulnerabilities - slowing response times, and ultimately leading to security gaps. The evolving threat landscape has highlighted the critical role that AI can play in organizations’ security efforts.

To address these growing challenges, Microsoft introduced Microsoft Security Copilot (formerly known as Microsoft Copilot for Security) last April, enabling customers to use generative AI-powered assistance for daily operations in security and IT. Security Copilot is built to enhance every facet of an organization’s security operations across identities, devices, data, clouds, and apps. It turns global threat intelligence, industry best practices, and organizations’ own data into actionable insights to help teams catch what others miss, respond faster, and strengthen team expertise.

Since Security Copilot has been generally available, customers and partners have discovered powerful applications for the tool. Customers like Eastman, a specialty materials manufacturer, have experienced significant benefits, including cost savings, improved threat detection, and junior staff upskilling, with Security Copilot enabling faster KQL learning and reducing technical workloads.

“I’m finding that I can ask [Security Copilot] about attack factors that I’ve never seen before and get answers much faster. That helps me to make a better decision and respond faster to an attacker.” - David Yates, Senior Cybersecurity Analyst, Eastman

Supporting this impact, new research from Microsoft -- conducted between March and August 2024 -- showed a 30% reduction in mean time to resolution (MTTR) for security incidents three months post-adoption of Security Copilot. Given that recent estimates suggest analysts spend, on average, 2.7 hours per day resolving incidents costing $3.3 billion in the US alone, these results highlight the significant potential time and cost savings that Security Copilot can provide in security operations. Read the full research paper here.

What’s New at Ignite 2024

Just seven months after its general availability, Security Copilot continues to introduce new feature enhancements that strengthen its position as the leading gen-AI tool for security. The latest exciting advancements extend Security Copilot's capabilities beyond SOC teams, empowering data, identity, and IT teams to leverage powerful AI-driven insights and automation.

Security Copilot Beyond the SOC

Data Security: Copilot in Purview

Data security admins now have comprehensive, AI-powered visibility with new features, in public preview, for Copilot in Purview -- enabling faster, more accurate risk analysis across their data landscape. With Data Security Posture Management (DSPM), admins receive natural language insights on risks based on suggested or customizable prompts to prioritize and deepen their investigations. Copilot simplifies Data Loss Prevention (DLP) policy analysis by providing easy-to-read summaries and identifying DLP policy gaps, while eDiscovery case summaries streamline case management so users can quickly access natural language summaries of eDiscovery cases and searches.
New DLP investigative prompts and the Copilot-powered Knowledge Hub further enhance data security team capabilities, providing actionable insights and guidance that assist admins to manage risks and upskill teams of all experience levels effectively.

Identity & Access: Copilot in Entra

With Security Copilot embedded in Microsoft Entra available in preview, identity admins can simplify their workflows, reduce administrative overload, and improve decision-making efficiency, from directly within the Entra portal. Copilot in Entra offers identity protection with AI-driven risk detection, insights, and mitigation capabilities, allowing identity and security teams to stay ahead of potential threats. With automated data gathering and correlation, admins can easily identify and respond to suspicious activity involving high-risk users, applications, and workload identities. It also allows admins to quickly troubleshoot access failures, offering automation and actionable insights around sign-in logs, user details, group details, audit logs, and diagnostic logs. Copilot transforms this complex data into natural language summaries, offering recommendations on how to quickly reduce risk and resolve access issues, even in highly sensitive situations.

Endpoint Management: Copilot in Intune

IT admins can now leverage expanded capabilities for Copilot in Intune, available in preview, to further reduce attack surface, improve IT efficiency, and streamline complex admin workflows. These new capabilities include support for investigating app elevation details and identifying potential signs of compromised apps before approving Endpoint Privilege Management requests. Copilot also assists with KQL query creation for single- and multi-device analysis, making it easier to retrieve device data—minimizing the need for admins to have deep KQL expertise. Additionally, Copilot in Intune expands to simplify update management with Windows Autopatch.
This integration enables Copilot to support essential update tasks—from planning and troubleshooting to analyzing deployment outcomes—empowering IT teams to proactively address and resolve update issues.

Empower Security Teams and Automate Security Tasks

Innovations to enhance your SOC

The latest Security Copilot innovations for SOC, now generally available, empower security analysts to investigate incidents with more actionable user insights and greater user control. The new Identity Summary provides a comprehensive overview of the user identity information for quicker identification and resolution of potential security threats. The improved Copilot side panel experience remembers its open or closed state across tab changes, allowing users to maintain their preferred setting in the embedded experience.

Threat Intelligence

A Unified Threat Intelligence (TI) Experience, now in public preview, offers a complete view of threats by integrating a wider range of threat intelligence sources, including CVE data and advanced internet data sets, to help security teams quickly understand the impact of threats on the organization. New out-of-the-box promptbooks, now generally available, leverage this expanded breadth of intelligence through guided experiences that simplify complex workflows and empower SOC and threat intel analysts to investigate and respond to threats faster and more effectively.

Task Automation

Customer feedback has indicated significant value in using Copilot for task automation via Logic Apps and promptbooks. Users are able to do this by sequencing and automating common tasks enriched by gen AI insights to streamline security operations -- for example, a security analyst could create a Logic App that leverages Copilot promptbooks to automate the examination of user-reported phishing emails and determine the likelihood of a phishing event.
Now generally available, the Security Copilot Logic Apps connector allows SOC teams to integrate promptbooks directly from Logic Apps to simplify the configuration of automation workflows.

Building on Enterprise Readiness

In addition to enhancing embedded capabilities for Security Copilot, we’re excited to announce several new platform features that help organizations to integrate, automate, monitor, and scale their security programs more efficiently. By connecting to existing tools via integrations, Security Copilot can extend and bring more value to users. We are also introducing features that help customers with monitoring, providing them with visibility and control over their audits, access, and usage.

Partner Ecosystem

As part of our effort to provide customers with truly end-to-end security protection, we have prioritized building out our Security Copilot partner ecosystem. We have worked with partners to develop plugins to enhance and extend the information and data brought into Security Copilot. At Ignite, we are announcing the general availability of over 15 plug-ins across different categories including threat intelligence and device, network, and endpoint management.

Third-party Threat Intelligence plugins enable security teams to bring rich information about threat actors, indicators of compromise, tools, and vulnerabilities into Copilot, enabling them to gain a holistic view of threats, understand their impact, and receive recommendations and guidance on how to respond. New GA Threat Intelligence plugins include CrowdSec, Cybersixgill, Whoisfreaks, Reversing Labs Spectra Analyze, Reversing Labs Spectra Intelligence, CywareRespond, Intel 471, Forescout Vedere Labs, GreyNoise’s Enterprise plugin, GreyNoise’s Community plugin, and Darktrace.

Third-party Device, Network, and Identity plugins provide additional insights into device health and compliance, network traffic patterns, and user authentication activities.
These integrations allow for a holistic view of the security landscape, enabling more effective monitoring and management of potential threats. Additionally, these plugins can help organizations enforce security policies, detect anomalies, and respond to incidents in a timely manner. New GA Device, Network, and Identity plugins include Red Canary, Netskope, Tanium, Silverfort, CyberArk, and Jamf.

Additionally, new administrator controls for plugin management provide administrators with the ability to control which plugins can be enabled within their organizations. This feature provides more control and predictability of SCU consumption through plugins, helping organizations manage costs.

New Platform Features

We are also excited to introduce new platform features that help Security Copilot customers with visibility, guidance, and access control.

An update to role-based access control (RBAC), now in preview, refines contributor role permissions by replacing the 'everyone' option with a 'recommended roles' bundle. This grants access to users with flagship roles in Entra, Intune, Purview, and the unified security operations platform, and will be the default setting for new tenants, preventing unintended access by users outside enabled groups.

Additionally, the general availability of audit logs provides a comprehensive record of all security analyst and admin activities -- available through Purview Audit and UAL -- allowing organizations to detect and analyze interactions for compliance with regulatory requirements.

We are also announcing the preview of a new Prompt Library which provides prompts and promptbooks that may be used in Security Copilot. Customers who require more guidance in Copilot can leverage this library and filter by persona so they can easily find and use prompts and promptbooks that are most relevant to their role and tasks.
Finally, the new Usage Dashboard, now generally available, offers detailed insights into your Security Compute Units (SCU) utilization with advanced filtering and a 90-day data timeframe, enabling data export into formatted Excel sheets for customizable analysis and better consumption management.

Learn more about how your organization can benefit from Copilot

Microsoft is dedicated to empowering customers with advanced security solutions that drive both robust protection and meaningful cost efficiencies across their security programs. This commitment is underscored by our adherence to industry leading standards like HITRUST, ISO 27001, ISO 27017, ISO 27018, and HIPAA, reflecting Microsoft's commitment to upholding the highest standards of security and data privacy for customers.

Further demonstrating Microsoft’s commitment to deliver meaningful cost efficiencies and enhanced productivity across security programs, a recent Total Economic Impact study by Forrester Consulting highlights the significant ROI that organizations can achieve with Security Copilot. In a study of over 300 decision-makers, the implementation of Security Copilot resulted in an average 23-46.7% productivity gain for SecOps tasks, reduced risk of security breaches with a projected value between $546,000 and $1 million, and enabled cost efficiencies worth $86,000 to $257,000 per 3 years. Read the full study.

To learn more about the exciting new features and explore how Security Copilot can enhance your organization’s security program, we invite you to connect with us at Microsoft Ignite. This is a great opportunity to engage with our experts, gain deeper insights, and see firsthand how Security Copilot can streamline your security operations. Join us at the Security Copilot sessions listed above, visit our Meet the Experts booth, or reach out for more information. Connect with us today to discover how Security Copilot can transform your security program and meet your evolving security needs.