What is Microsoft Security Copilot and when should it be used?

Microsoft Security Copilot works as an assistant or copilot for security professionals, such as security operations center (SOC) analysts, IT admins and compliance analysts. It is based on OpenAI’s GPT-4 large language model (LLM), enhanced by a layer of security-specific knowledge derived from Microsoft vast amounts of security data, including trillion of daily signals, threat intelligence and real-world incident data. It integrates information from Microsoft security products like Microsoft Sentinel and Defender XDR, third-party solutions, and Microsoft’s vast threat intelligence feed.

There are two modes of operation: the standalone experience and embedded experiences.

Standalone experience

The standalone experience, accessed from https://securitycopilot.microsoft.com, proceeds as follows:

1. The user issues a prompt — a question or request in natural language. Examples include “Show high severity Defender XDR incidents” and “Which devices copied data to a USB drive in the last week?” Alternatively, the user can run a promptbook, a predefined series of prompts designed to accomplish a specific task, such as perform a vulnerability assessment for a particular CVE. Microsoft supplies a library of promptbooks, and users can easily create their own.
2. Security Copilot runs the prompt through a process called grounding, improving it to help ensure a relevant and actionable response, and sends the modified prompt to its large language model.
3. Security Copilot processes the response from the LLM, including enhancing it using contextualized information from plugins.
4. Security Copilot returns the response to the user, such as an analysis or explanation, recommended remediation actions, or code. The user can then issue follow-up prompts to continue the interaction, with the context preserved.

Embedded experiences

Intuitive embedded experiences bring the power of Security Copilot right into the dashboards of other Microsoft security solutions. Embedded experiences are available in Microsoft Defender tools, Microsoft Entra, Microsoft Intune and Microsoft Purview. For example, Microsoft Defender XDR can apply the capabilities of Copilot for Security to summarize incidents, analyze scripts and code, and create incident reports, while the embedded experience in Microsoft Entra ID helps IT admins and SOC analysts investigate identity risk and respond to identity-related threats.

Security Copilot can be used in a wide variety of ways to enhance an organization’s cybersecurity posture. The core use cases can be grouped into three categories: threat protection & cloud security; data security, compliance & privacy; and identity & management.

Threat protection & cloud security

Security Copilot integrates with Microsoft Sentinel, Microsoft Defender and solutions from select third-party vendors to deliver enhanced threat protection and cloud security.

Key use cases include:

• Vulnerability management — The solution pulls real-time security data from servers and endpoint devices and servers, including details about software versions, and uses threat intelligence feeds to check for known security vulnerabilities. Moreover, it will generate step-by-step guidance mitigate the issues it finds, or even update the vulnerable software automatically.
• Security monitoring — Microsoft Security Copilot has access to security events from a variety of sources, including Sentinel and Defender. Using AI, it analyzes this data to uncover trends and patterns, empowering security teams to stay ahead of potential threats.

Data security, compliance & privacy

Security Copilot also helps organizations enhance data security and data privacy as required by modern compliance requirements. Integrations with Microsoft Purview, Microsoft Priva and third-party plug-ins enable capabilities such as:

• Threat hunting — Security Copilot can uncover threats that might not be detected by less advanced security solutions. Using its insight into the tactics, techniques and procedures (TTPs) that threat actors are using, it will identify threat scenarios and search for emerging cyber threats across the IT ecosystem.
• Incident response — Security Copilot facilitates more in-depth responses to active threats within minutes, savings hours of time. It can perform assessment and triage and offer initial response actions, and then proceed to deeper forensic analysis and investigation that yields steps for broader incident containment and mitigation.
• Remediation and recovery — Security Copilot can help SOC teams develop an effective plan to restore affected systems after an incident. It will also suggest security controls and patches that can reduce the risk of a similar incident in the future, based on built-in Microsoft best practices.
• Compliance assessment and monitoring — Security Copilot streamlines the task of achieving and maintaining compliance with industry standards and regulatory mandates. It can assess the organization’s compliance with various requirements and provide steps for remediating any deficiencies it uncovers. It can generate reports, provide the underlying data to enable end-to-end compliance monitoring, and automatically deliver updates on changes to relevant requirements.

Identity & management

Security Copilot also works with Microsoft Entra, Microsoft Intune and solutions from key third-party vendors to improve identity security and device management.

Identity security

Security Copilot is embedded in Microsoft Entra, so security pros can access it capabilities right from the Microsoft Entra admin center. Key use cases include the following:

• Identity risk mitigation — Copilot can help security teams improve the organization’s identity security posture. In particular, it can assess the risk of Microsoft Entra users and find gaps in access policies, and then recommend steps for mitigating those vulnerabilities.
• Streamlined identity management — Using real-time machine learning, Security Copilot can generate Microsoft Entra identity workflows and help security pros troubleshoot issues more efficiently.
• Identity threat detection and response — Using information about Microsoft Entra users and groups and data from sign-in and audit logs, Copilot can spot identity-related threats, provide SOC teams with the context required to investigate, and offer recommendations for rapid incident mitigation.

Device management

Security Copilot works with Microsoft Intune and third-party solutions to enable a proactive, AI-driven approach to securing and managing enterprise devices. It empowers IT administrators to enforce robust device policies, quickly identify and remediate potential security threats, and streamline compliance with organizational standards, thereby enhancing overall security posture and operational efficiency. Key capabilities include the following:

• Device policy management — Security Copilot helps security pros understand the impact of a policy on the IT environment by summarizing what the policy does, its settings, and the users and groups assigned to the policy. When a setting is added to an Intune policy, Copilot offers to explain the impact of that setting, check for potential conflicts and recommend an appropriate value. As a result, admins can make informed decisions to enforce security standards and ensure that security policies are effectively implemented and adhered to across the organization.
• Device review and troubleshooting — Security Copilot streamlines device review and troubleshooting by offering a range of diagnostic tools. Administrators can analyze device configuration error codes to quickly identify and resolve issues. Additionally, they can determine the primary user of the device, review device group memberships and discover managed apps on devices, ensuring comprehensive oversight of device configurations. Copilot also facilitates comparing device configurations, making it easier to spot and rectify discrepancies between managed devices.
• Create KQL queries — Security Copilot’s integration with Intune enhances the creation and optimization of Kusto Query Language (KQL) queries. Administrators can leverage AI-driven suggestions to craft queries that extract key insights from the vast amounts of device management data. These queries enable detailed reporting on policy assignments, device configurations and app management, helping admins proactively identify and address potential security issues. For example, the solution can generate a KQL query to get the expired certificates for a device, or its most recent five app crash events.

In a nutshell, Microsoft Security Copilot helps security professionals do their jobs faster and better. Specific benefits include the following:

• Enhanced threat detection — Security Copilot helps defenders cut through the noise generated in today’s complex IT ecosystems to promptly and accurately identify threats, including those that might otherwise go unnoticed. Moreover, the solution helps them prioritize those threats in real time and even anticipate an adversary’s next move using Microsoft’s global threat intelligence feed and third-party intelligence feeds.
• Faster incident response — Microsoft Security Copilot accelerates incident response with AI-powered threat investigation, quick incident summaries, and step-by-step guidance for shutting down attacks and mitigating damage. In addition, reporting can be tuned to various audiences, enabling security teams to easily keep various stakeholders in the loop.
• Increased effectiveness of security teams — Security Copilot helps mitigate the impact of today’s global shortage of experienced security professionals. By streamlining and automating routine tasks, it frees up skilled personnel to focus on complex issues and strategic initiatives. At the same time, it empowers less experienced team members by providing detailed answers to their questions and guiding them through processes such as vulnerability mitigation and threat response, thus enhancing their effectiveness and professional growth.
• Comprehensive visibility — Security Copilot consolidates security data from multiple sources and delivers a unified view of the organization’s security posture. This holistic perspective enables security teams to make more informed decisions and develop effective strategies to strengthen the organization’s overall security.
• Integration capabilities — Microsoft Security Copilot offers seamless integration with multiple Microsoft security products, including Sentinel, Intune, Purview and Defender, while also attracting a growing number of third-party vendors, such as Shodan, CyberArk, CrowdSec, Quest and Darktrace. This robust integration positions Copilot as a key player in advancing cybersecurity mesh architecture (CSMA) to promote a decentralized, flexible security ecosystem. Through AI-driven orchestration, Copilot can enable these modular tools to work cohesively, laying the groundwork for enhanced threat response, scalability and resilience. As the industry evolves, Copilot could be instrumental in bringing the promise of CSMA to life.
• Cost savings — Microsoft Security Copilot can help organizations reduce costs in multiple ways. Of course, automating and streamlining security-related tasks enables IT teams to do more with less. But the biggest savings may come from preventing costly security breaches, minimizing business disruptions and compliance violations, thereby avoiding steep fines and lasting reputational damage.

The pros of deploying Security Copilot include the following:

• Actionable insight — The solution provides clear recommendations that empower security teams to act quickly and effectively.
• Automation — The tool automates routine tasks and streamlines more complex processes, reducing the burden on security professionals while improving speed and accuracy.
• Integration — Security Copilot offers seamless integration with multiple Microsoft security products, including Sentinel, Intune, Purview and Defender, and is attracting a growing number of third-party vendors. This integration capability supports a flexible and comprehensive security ecosystem that aligns with CSMA principles.
• Constant improvement — Security Copilot uses big data analysis and user feedback to generate more accurate responses in the future. For instance, over time in a given environment, it will generate fewer false positive alerts so security teams can focus on real threats.

The cons of Copilot for Security include the following:

• Complexity — Because Microsoft Security Copilot is an AI-powered security solution, it is evolving rapidly. Accordingly, using effectively can involve a significant learning curve and require constant attention.
• Privacy concerns — The solution aggregates and analyzes huge volumes of security data from multiple sources, which can raise concerns about the privacy of sensitive and regulated information.
• Dependence on AI — Microsoft readily acknowledges that Security Copilot makes mistakes, such as false positives and false negatives during threat detection. Organizations should anticipate speed bumps as the underlying technologies advance.
• Cost — Adopting Security Copilot can lead to cost savings in the long run by empowering security professionals to be more efficient and reducing the risk of breaches and downtime. However, the initial investment and ongoing costs may be significant for some organizations.

While many security solutions today are starting to utilize artificial intelligence and machine learning, only Security Copilot fully leverages Microsoft’s broad infrastructure, deep expertise, global threat intelligence and comprehensive set of security products.

Specific differences between Microsoft Security Copilot and other AI-powered security products include:

• Integration with Microsoft ecosystem — Security Copilot provides a more unified and comprehensive security experience than other AI security solutions, thanks to its deep integration with Microsoft’s broad portfolio of security solutions, including Defender XDR and Sentinel. Additionally, integrations with solutions from third-party vendors such as Shodan, CyberArk and CrowdSec extend its capabilities, positioning it as a key enabler of a cybersecurity mesh architecture which promotes a decentralized and flexible security ecosystem.
• Deep threat intelligence — Microsoft’s threat intelligence network is powered by trillions of daily signals collected from its global data centers and extensive infrastructure. This network provides Security Copilot with unparalleled visibility into emerging threats. With decades of experience in identity management and providing the tools and expertise to help secure billions of devices across global enterprises, Microsoft combines its extensive expertise with insights from third-party solutions. The result is a precise and effective threat detection and response capability that keeps organizations ahead of evolving security challenges.
• Advanced AI and ML — Microsoft Security Copilot is built on OpenAI’s GPT-4 large language model, enhanced with a robust layer of security-specific knowledge. This knowledge is derived from vast amounts of Microsoft’s security data, including trillions of daily signals, threat intelligence and real-world incident data, and it integrates information from Microsoft’s comprehensive suite of security products. Copilot’s AI leverages this deep integration to proactively identify and mitigate security risks with precision. The combination of advanced machine learning and Microsoft’s extensive security expertise ensures that Copilot remains highly adaptive, delivering effective responses in an ever-evolving threat landscape.
• Ease of use — Microsoft Security Copilot offers a user-friendly chat interface and prebuilt prompt playbooks that enable security pros at every level of experience to gain value quickly. Plus, intuitive embedded experiences make the power of Copilot available right from the dashboards of many other Microsoft security solutions.

Microsoft Security Copilot offers embedded experiences for both Defender XDR and Sentinel that enhance their effectiveness and ease of use. Key benefits include:

• Faster and better threat detection — Security Copilot uses AI to provide additional analysis and insight that enhance the accuracy of threat detection in Defender XDR and Sentinel.
• Deeper threat intelligence — Security Copilot enriches the threat intelligence provided by Sentinel with real-time insights and recommendations, helping organizations stay ahead of emerging threats.
• Easier code analysis and reverse-engineering — Security Copilot will analyze complex scripts and translate them into natural language. As a result, effective malware analysis is no longer limited to the most advanced security pros.
• Faster response — Security Copilot provides AI-assisted incident investigation and response in Defender XDR. In seconds, users can get a summary of an active threat, along with actionable recommendations for effective response. Moreover, Copilot for Security can even respond automatically to some threats.
• Streamlined workflows — Integrated experiences put the power of Microsoft Security Copilot right into the familiar UIs of other Microsoft security solutions, including Defender XDR and Sentinel. This integration enhances visibility across different security layers and streamlines workflows to improve the efficiency and effectiveness of IT teams.

ChatGPT from OpenAI is a versatile AI-powered LLM used for generating human-like text across various formats and applications. In contrast, Microsoft Security Copilot is a specialized tool built on OpenAI’s GPT-4, with extensive modifications and enhancements tailored specifically for cybersecurity. This adaptation highlights Microsoft’s focus on addressing the complex demands of modern cybersecurity through targeted solutions.

Specific differences between ChatGPT and Security Copilot include the following:

• Customization — Microsoft Security Copilot has been meticulously customized and enhanced with a robust security framework that retrained GPT4. This enhanced layer of security-specific knowledge is derived from vast amounts of Microsoft’s security data, including trillions of daily signals, threat intelligence and real-world incident data. This framework incorporates best practices and insights from decades of experience in identity management and providing the tools and expertise to help secure billions of devices across global enterprises.
• Purpose — ChatGPT is a general-purpose LLM that can be used by both individuals and business users for everything from conversational assistance to code generation. Security Copilot is designed specifically to provide IT professionals with guidance and insight for improving cybersecurity.
• Functionality — As a chatbot, ChatGPT generates human-like text in the form of conversations, essays, social media posts, email messages, poems and so on. Microsoft Security Copilot also engages in dialogue, accepting prompts from users and providing responses, but it does far more, including risk assessment, vulnerability mitigation, data analysis, threat detection and reverse-engineering of scripts.
• Integration — ChatGPT operates independently of other tools and infrastructure. Security Copilot is deeply integrated with Microsoft’s other security solutions and select third-party tools.