What’s new in Defender: How Copilot for Security can transform your SOC

What’s new in Defender: How Copilot for Security can transform your SOC

What’s new in Defender: How Copilot for Security can transform your SOC

Today at Secure, we announced that Microsoft Copilot for Security will be generally available on April 1.  Copilot equips security teams with purpose-built capabilities at every stage of the security lifecycle, embedded right into the unified security operations platform in the Defender portal. Early users of Copilot for Security have already seen significant measurable results when integrated in their SOC, transforming their operations and boosting their defense and posture against both ongoing and emerging threats. Read on to learn about the capabilities to GA on 4/1 embedded in the Defender portal for Defender XDR and Microsoft Sentinel data and how early access customers are already enjoying its value.


Prevent breaches with dynamic threat insight

Copilot for Security leverages the rich portfolio of Microsoft Security products to produce enriched insights for security analysts in the context of their workflow. At GA, you will be able to use Copilot for Security with Microsoft Defender Threat Intelligence and Threat Analytics in the Defender portal to tap into high-fidelity threat intelligence on threat actors, tooling and infrastructure and easily discover and summarize recommendations specific to your environment’s risk profile, all using natural language. These insights can help security teams improve their security posture by prioritizing threats and managing exposures proactively against adversaries, keeping their organizations protected from potential breaches.


Identify and prioritize with built-in context

“Copilot for Security is allowing us to re-envision security operations. It will be critical in helping us close the talent gap.” Greg Petersen Sr. Director - Security Technology & Operations, Avanade 

Automation of common manual tasks with Copilot frees up analyst time and allows them to focus on more complex and urgent demands. For example, analysts need to understand the attack story and impact to determine next steps, and this often requires time and effort to collect and understand all of the relevant details. To make this task faster and easier, Copilot’s incident summaries, with AI-powered data processing and contextualization, provides this content readily available, saving significant triage time. Complimenting Microsoft Defender XDR’s unique ability to correlate incidents from a variety of workloads, Copilot’s incident summary provides the attack story and potential impact directly in the incident page. At GA, asset summaries become available for use in investigation. The first of these is a device summary, where Copilot provides highlights about the device based on all cross-workload information available in Defender XDR, as well as other device data integrated in from Intune. This further improves efficiency during triage and enables analysts to more quickly assess and prioritize incidents, leading to faster response.

As part of incident investigation and response, analysts often reach out to employees to get more information about unusual activity on their devices or to communicate about an incident or a limitation in access. New at GA, Copilot now makes this faster by generating tailored messages with all the details an employee would need and enabling analysts to send those messages through Microsoft Teams or Outlook – directly from the portal. Copilot links directly to many tasks that would normally require going to another view or product – another example of added efficiency for security teams.

During Early access, 97%* of security professionals reported they would make consistent use of Copilot capabilities in their day-to-day workflows.


Accelerate full resolution for every incident

“Copilot for Security can democratize security to the end user. It is no longer just with the subject matter expert. The average analyst training time used to be a couple of months, and that can reduce drastically if you’re using Copilot.”  Chandan Pani, Chief Information Security Officer, LTIMindtree 


During an incident, every second counts. With additional Copilot capabilities, like guided response and automated incident reports, analysts of all levels can move an average of 22% faster* and accelerate time to resolution.

Guided response, provided by Copilot during incident investigation and report in the Defender portal, helps analysts determine what to do next, based on the specific incident at hand.

Example recommendations include:

  • Triaging an incident with a recommended classification and threat category
  • Steps to take to contain an incident, such as suspending a compromised account
  • Investigation actions, such as finding all emails that were part of a phishing campaign
  • How to remediate an incident, such as resetting a user’s password

Action recommendations are provided with links to the next steps, which can be taken directly in the Copilot window, reducing time spent switching views.

After successfully closing out an incident, analysts often spend time drafting reports for peers and leadership to provide a summary of the attack and remediation steps taken. Using Copilot, an incident report is easily generated with the click of a button, instantly delivering a high-quality summary ready to share or save for documentation. For GA, exporting the report to a detailed formatted PDF is now available, making for a great executive-shareable report.


Elevate analysts with intelligent assistance

“Copilot for Security allows us to quickly analyze Python and PowerShell scripts. This means that staff with less experience can quickly analyze scripts, saving valuable time in the cybersecurity area where time is so important.”  Mark Marshall, Assistant Chief Information Officer , Peel District School Board 


Security teams are made up of individuals with a variety of different skillsets and levels of experience, and as demands and requirements change, up-leveling becomes critical. It can take time and expertise to learn how to effectively manage hunting jobs or analyze malicious scripts, which many organizations simply don’t have. Copilot makes expert tasks significantly simpler, reducing the time spent onboarding new recruits and training analysts while driving faster results.

For example, Copilot assists less experienced analysts with hunting during an investigation in the Defender Portal. An analyst can now create KQL queries simply using natural language – for example just asking for “all devices that logged on in the last hour”.  The user can then choose to run the generated query or have Copilot execute them automatically. Copilot can also recommend the best filters to apply after results are surfaced or suggest common next steps. Security teams see significant benefits with this as more senior analysts are now able to delegate threat hunting projects to newer or less experienced employees.

Another task commonly reserved to more experienced analysts is reverse engineering PowerShell, Python or other scripts, often used in HumOR and other attacks, and not every team even has this  expertise. Copilot's script analysis feature gives security teams the ability to examine these scripts easily, without needing any prior knowledge of how to do so. This feature is also into the investigation process with a button prompting a user to "analyze with Copilot” anytime an alert contains a script. The resulting analysis is a line-by-line explanation of what the script is trying to do, with excerpts from the script for each explained section. Wit this, an analyst can quickly tell if a script is potentially harmful or not. New at GA, these capabilities extend to suspicious file analysis as well (executable or other), delivering details about the file’s internal characteristics and behavior and an easy way to assess maliciousness.


Interested in getting started with Copilot for Security?

The pace of innovation in AI is moving at lightning speed and we expect many more security teams to see significant benefits of the technology with the general availability of Copilot for Security. To learn more about Microsoft Copilot for Security, click here  or contact your Microsoft sales representative.

Learn more about Copilot skills for Defender XDR announced at early access : Operationalizing Microsoft Security Copilot to Reinvent SOC Productivity

*Microsoft Copilot for Security randomized controlled trial (RCT) with experienced security analysts conducted by Microsoft Office of the Chief Economist, January 2024.










Published on:

Learn more
Microsoft 365 Defender Blog articles
Microsoft 365 Defender Blog articles

Microsoft 365 Defender Blog articles

Share post:

Related posts

Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy