Plugins overview Microsoft Security Copilot
Security Copilot comes with many default plugins and supports several non-Microsoft plugins. You can also extend Security Copilot's capabilities by adding or creating your own plugin. The Security Copilot platform enables developers and users to write plugins that can be invoked to perform specialized tasks.
Note: Products that integrate with Security Copilot as plugins need to be purchased separately.
For more information on how to develop plugins that use the OpenAI schema, see Plugins for Microsoft Copilot documentation.
Preinstalled plugins
Get familiar with the plugins Security Copilot can use to source information or take action when it's responding to your prompts. Depending on which services your organization uses, any of the plugins in the following lists might be available to you.
To find out which plugins Security Copilot can use when you interact with it, select the plugin button. Check for plugins that are toggled on in the list that opens. Security Copilot automatically uses the available plugins without any extra setup from you.
Microsoft plugins
Security Copilot uses the on-behalf-of authentication flow to provide access to other Microsoft services that your organization already has access to. For more information, see Understand authentication.
- Azure AI Search (Preview)
- Azure Firewall (Preview)
- Azure Web Application Firewall (Preview)
- Microsoft Defender External Attack Surface Management
- Microsoft Defender Threat Intelligence
- Microsoft Defender XDR
- Microsoft Entra
- Microsoft Intune
- Microsoft Purview
- Microsoft Sentinel (Preview)
- Natural Language to KQL for Microsoft Defender XDR
- Natural Language to KQL for Microsoft Sentinel (Preview)
Non-Microsoft plugins
- AbuseIPDB (Preview) - Report and identify IP addresses that have been associated with malicious activity online.
- Aviatrix (Preview) - Allows customers to leverage Microsoft Defender Threat Intelligence with Aviatrix to gain insight into new threats and mitigate them through firewall policy enforcement.
- CheckPhish (Preview) - Analyze URLs for potential phishing threats, tech support scams, cryptojacking, and other security risks.
- CIRCL Hash Lookup (Preview) - Validate suspicious files in the form of hashes, either MD5, SHA-1, or SHA-256.
- CrowdSec CTI - Find information about IP addresses, and verify or identify potentially aggressive IP addresses.
- CyberArk Privilege Cloud - Get information about privileged identity accounts.
- Cybersixgill - Offers real-time threat intelligence solutions to help security teams detect and respond to imminent threats from the clear, deep, and dark web.
- Cyware Intel Exchange (Preview) - An automated Threat Intelligence Platform (TIP) for ingestion, enrichment, analysis, prioritization, actioning, and bidirectional sharing of threat data.
- Cyware Respond - Gain context and enrichments to analyze, prioritize and remediate.
- Darktrace - Proactively detect, investigate, and respond to threats across your digital ecosystem.
- Forescout Risk and Exposure Management (Preview) - Gives a single view of device risk and vulnerabilities, including a timeline to track events and changes to a device risk value.
- Forescout Vedere Labs - Provides a threat intelligence feed containing IP, URL, and file hash indicators for all activity seen and monitored by Forescout, including information on Known Exploited Vulnerabilities and Vedere Labs' own reported CVEs.
- GreyNoise Enterprise and GreyNoise Community - Get information about IP addresses, scanning activity, and attacker behaviors.
- Intel 471 Threat Intelligence - Delivers relevant and timely insights into the cyber underground.
- IPGeolocation (Preview) - Provides comprehensive geolocation data, time zone information, currency details, security insights (such as VPN, proxy, and bot detection), and hostname resolution based on IP addresses.
- IPinfo (Preview) - Allows users to get diverse metadata information on internet-connected devices, create robust threat intel models, and run effective security control measurements.
- Jamf - Gather MDM inventory insights and facilitate seamless collaboration between your IT and security teams.
- Netskope - Cloud-native platform that offers converged security and networking services to enable your Secure Access Service Edge (SASE) and Zero Trust transformation.
- Quest Security Guardian (Preview) - Reduces alert fatigue by prioritizing your most exploitable vulnerabilities and Active Directory configurations that demand attention.
- Red Canary - Enhance your security operations with intelligence from Red Canary.
- ReversingLabs - Summarize complex file reputation information and file analysis reports for quicker triage and response time.
- Saviynt (Preview) - Offers comprehensive insights into identity-related risks.
- SGNL (Preview) - Understand and identify fine-grained access decisions and trends across your organization.
- Shodan (Preview) - Find specific types of devices connected to the internet, where they're located, and who's using them.
- Silverfort - This plugin empowers security teams to enhance their threat detection and response capabilities through intuitive natural language queries and detailed insights.
- Tanium - Assess incidents with endpoint visibility and resolve with recommended remediation actions.
- UrlScan (Preview) - Helps users assess the safety and trustworthiness of a website or a specific web page.
- Valence Security (Preview) - Respond to SaaS threats with enriched context from posture, identity, threat detection alerts, data shares, and integration context.
- Whoisfreaks - Helps elevate your cyber-security strategy with domain and IP intelligence services.
For more information about how to set up other plugins as outlined in the above list, read Other plugins.
Websites
- Public web
Custom plugins
You can create new plugins to extend what Copilot can do by following the steps in Create new plugins.
To add custom plugins to Security Copilot and manage them, follow the steps in Manage custom plugins.