What is Microsoft Security Copilot?
Microsoft Security Copilot (Security Copilot) is a generative AI-powered security solution that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale.
Security Copilot provides a natural language, assistive copilot experience. Security Copilot helps support security professionals in various end-to-end scenarios such as incident response, threat hunting, intelligence gathering, posture management, and more. For more information, see Security Copilot primary use cases.
Designed with integration in mind, Security Copilot offers a standalone experience and also seamlessly integrates with products in the Microsoft Security portfolio. Security Copilot integrates with products such as Microsoft Defender XDR, Microsoft Sentinel, Microsoft Intune, Microsoft Entra, and other third-party services such as Red Canary and Jamf. For more information, see Security Copilot experiences.
Tip
Visit the Microsoft Security Copilot Adoption hub to access useful links to training, videos, GitHub repository for sample plugins, and other technical readiness information.
The solution uses OpenAI models to generate a response to a user prompt, drawing on security-specific plugins that supply organization-specific information, authoritative sources, and global threat intelligence. Because plugins act as data sources, security professionals gain wider visibility into threats and more context for each prompt. Incident responders can also extend the solution's functionality with their own plugins. For more information about plugins, read Manage plugins.
Note
Disclaimer: This documentation is only intended for customers using commercial clouds. Currently, Security Copilot is not designed for use by customers using US government clouds, including but not limited to GCC, GCC High, DoD, and Microsoft Azure Government. For more information, consult with your Microsoft representative.
Security Copilot primary use cases
Security Copilot focuses on making the following use cases easy to accomplish.
- Investigate and remediate security threats - gain context for incidents to quickly triage complex security alerts into actionable summaries and remediate quicker with step-by-step response guidance
- Build KQL queries or analyze suspicious scripts - eliminate the need to manually write query-language scripts or reverse engineer malware scripts with natural language translation to enable every team member to execute technical tasks
- Understand risks and manage security posture of the organization - get a broad picture of your environment with prioritized risks to uncover opportunities to improve posture more easily
- Troubleshoot IT issues faster - synthesize relevant information rapidly and receive actionable insights to identify and resolve IT issues quickly
- Define and manage security policies - define a new policy, cross-reference it with others for conflicts, and summarize existing policies to manage complex organizational context quickly and easily
- Configure secure lifecycle workflows - build groups and set access parameters with step-by-step guidance to ensure a seamless configuration to prevent security vulnerabilities
- Develop reports for stakeholders - get a clear and concise report that summarizes the context and environment, open issues, and protective measures prepared for the tone and language of the report’s audience
Read Use cases for Security Copilot to delve deeper into the different security team roles like CISOs, threat intelligence analysts, IT admins, and the like, who can benefit from each highlighted use case.
How does Security Copilot work?
Security Copilot capabilities can be accessed through an immersive standalone experience and through intuitive embedded experiences available in other Microsoft security products. The foundation language model and proprietary Microsoft technologies work together in an underlying system that helps increase the efficiency and capabilities of defenders.
Microsoft security solutions such as Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Intune integrate seamlessly with Security Copilot. Embedded experiences in these solutions give access to Security Copilot and its prompting capabilities in the context of the work being done within those solutions.
Plugins from Microsoft and third-party security products are a means to extend and integrate services with Security Copilot. Plugins bring more context from event logs, alerts, incidents, and policies from both Microsoft security products and supported third-party solutions such as ServiceNow.
Security Copilot also has access to threat intelligence and authoritative content through plugins. These plugins can search across Microsoft Defender Threat Intelligence articles and intel profiles, Microsoft Defender XDR threat analytics reports, and vulnerability disclosure publications, among others.
Here's an explanation of how Security Copilot works:
1. User prompts from security products are sent to Security Copilot.
2. Security Copilot preprocesses the input prompt through an approach called grounding, which improves the specificity of the prompt so that the answers you get are relevant and actionable. Security Copilot accesses plugins during preprocessing, then sends the modified prompt to the language model.
3. Security Copilot takes the response from the language model and post-processes it. This post-processing includes accessing plugins to gain contextualized information.
4. Security Copilot returns the response for the user to review and assess.
Security Copilot iteratively processes and orchestrates these sophisticated services to help produce results that are relevant to your organization because they're contextually based on your organizational data.
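The following Python script is an added illustration of the four-step loop described above (prompt in, grounding through plugins, model call, post-processing, response out). It is not Security Copilot's code and does not use any Security Copilot API: the plugin classes, the incident and threat-intelligence records, and the deterministic stand-in for the language model are all constructed for this example. It shows what grounding adds to a prompt, how a plugin's findings can feed a second plugin, and how post-processing attaches references and flags any indicator in the answer that no plugin record supports.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for plugin-backed data sources (illustrative, not real records).
INCIDENTS = {
    "INC-1042": {"title": "Suspicious PowerShell on FINANCE-WS07",
                 "severity": "High", "indicators": ["198.51.100.23"]},
}
THREAT_INTEL = {
    "198.51.100.23": {"verdict": "malicious", "family": "constructed-botnet"},
}


@dataclass
class Prompt:
    text: str
    grounding: list = field(default_factory=list)  # records gathered before the model call


class IncidentPlugin:
    """Hypothetical plugin exposing incident summaries keyed by incident ID."""
    name = "incidents"
    pattern = re.compile(r"\bINC-\d+\b")

    def lookup(self, key):
        inc = INCIDENTS.get(key)
        if inc is None:
            return None
        return {"plugin": self.name, "key": key,
                "summary": f"{inc['title']} (severity {inc['severity']})",
                "indicators": inc["indicators"]}


class ThreatIntelPlugin:
    """Hypothetical plugin exposing verdicts keyed by IPv4 address."""
    name = "threat_intel"
    pattern = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

    def lookup(self, key):
        ti = THREAT_INTEL.get(key)
        if ti is None:
            return None
        return {"plugin": self.name, "key": key,
                "summary": f"{key} verdict: {ti['verdict']} ({ti['family']})",
                "indicators": []}


PLUGINS = [IncidentPlugin(), ThreatIntelPlugin()]


def ground(prompt):
    """Step 2: enrich the prompt with plugin context. Indicators surfaced by one
    plugin are looked up in the other plugins for one extra hop."""
    seen = set()

    def add(plugin, key):
        if (plugin.name, key) in seen:
            return None
        seen.add((plugin.name, key))
        record = plugin.lookup(key)
        if record:
            prompt.grounding.append(record)
        return record

    for plugin in PLUGINS:
        for key in plugin.pattern.findall(prompt.text):
            record = add(plugin, key)
            for indicator in (record or {}).get("indicators", []):
                for other in PLUGINS:
                    if other is not plugin and other.pattern.fullmatch(indicator):
                        add(other, indicator)
    return prompt


def build_model_input(prompt):
    """Render the grounded prompt as the text the language model would receive."""
    context = "\n".join(f"- [{r['plugin']}:{r['key']}] {r['summary']}" for r in prompt.grounding)
    return f"Context:\n{context}\n\nQuestion: {prompt.text}"


def call_model(model_input):
    """Step 3 (stand-in): a deterministic substitute for the language model that
    restates each context line. The real model is outside this example."""
    lines = [l[2:] for l in model_input.splitlines() if l.startswith("- ")]
    return ("Summary: " + "; ".join(lines)) if lines else "No grounded context found."


def post_process(prompt, answer):
    """Step 3 continued: attach references taken from the grounding records and
    flag any indicator the answer mentions that no plugin record supports."""
    references = [f"{r['plugin']}:{r['key']}" for r in prompt.grounding]
    supported = {r["key"] for r in prompt.grounding}
    mentioned = set(ThreatIntelPlugin.pattern.findall(answer)) | set(IncidentPlugin.pattern.findall(answer))
    return {"answer": answer, "references": references,
            "unsupported_claims": sorted(mentioned - supported)}


def orchestrate(user_text):
    """Steps 1-4: prompt in, grounded model call, post-processed response out."""
    prompt = ground(Prompt(user_text))
    answer = call_model(build_model_input(prompt))
    return post_process(prompt, answer)


if __name__ == "__main__":
    print(orchestrate("Summarize INC-1042 and tell me whether it involves known-bad infrastructure."))
```

The `unsupported_claims` field is the part a defender cares about most: a response that names an indicator with no grounding record behind it should be reviewed before anyone acts on it, which is the point of step 4.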
Next steps
Security Copilot training
Get started with Microsoft Security Copilot
Learn about Microsoft Security Copilot, an AI-powered security analysis tool that enables analysts to process security signals and respond to threats at machine speed, and the AI concepts upon which it's built.
Security Copilot Customer Connection Program
Join the Security Copilot Customer Connection Program (CCP) to stay up to date with Security Copilot. CCP community members have access to:
- The latest technical product information and access to private previews
- Free weekly technical trainings and product skilling webinars
- A Teams community for discussions with Security Copilot product experts and engineers
Click here to opt in to join the community.