What is Microsoft Copilot for Security?

Microsoft Copilot for Security (Copilot for Security) is a generative AI-powered security solution that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale.

Copilot for Security provides a natural language, assistive copilot experience. Copilot for Security helps support security professionals in end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management.

Designed with integration in mind, Copilot for Security offers a standalone experience and also seamlessly integrates with products in the Microsoft Security portfolio. Copilot for Security integrates with products such as Microsoft Defender XDR, Microsoft Sentinel, Microsoft Intune, and other third-party services such as ServiceNow. For more information, see Copilot for Security experiences.

The solution leverages the full power of OpenAI architecture to generate a response to a user prompt by using security-specific plugins, including organization-specific information, authoritative sources, and global threat intelligence. By using plugins as data point sources, security professionals have wider visibility into threats and gain more context, and have the opportunity to extend the solution's functionalities. For more information about plugins, read Manage plugins.

Copilot for Security primary use cases

Copilot for Security focuses on making the following highlighted use cases easy to use:

Incident summarization

Gain context for incidents and improve communication across your organization by leveraging generative AI to swiftly distill complex security alerts into concise, actionable summaries, which then enable quicker response times and streamlined decision-making.

Impact analysis

Utilize AI-driven analytics to assess the potential impact of security incidents, offering insights into affected systems and data to prioritize response efforts effectively.

Reverse engineering of scripts

Eliminate the need to manually reverse engineer malware and enable every analyst to understand the actions executed by attackers. Analyze complex command line scripts and translate them into natural language with clear explanations of actions. Efficiently extract and link indicators found in the script to their respective entities in your environment.

Guided response

Receive actionable step-by-step guidance for incident response, including directions for triage, investigation, containment, and remediation. Relevant deep links to recommended actions allow for quicker response.

How does Copilot for Security work?

Microsoft Copilot for Security capabilities can be accessed through an immersive standalone experience and through intuitive embedded experiences available in other Microsoft security products. The foundation language model and proprietary Microsoft technologies work together in an underlying system that helps increase the efficiency and capabilities of defenders.

  • Microsoft security solutions such as Microsoft Defender XDR, Microsoft Sentinel, Microsoft Intune integrate seamlessly with Copilot for Security. There are some embedded experiences available in Microsoft security solutions that give access to Copilot for Security and prompting capabilities in the context of their work within those solutions.

  • Plugins from Microsoft and third-party security products are a means to extend and integrate services with Copilot for Security. Plugins bring more context from event logs, alerts, incidents, and policies from both Microsoft security products and supported third-party solutions such as ServiceNow.

  • Copilot for Security also has access to threat intelligence and authoritative content through plugins. These plugins can search across Microsoft Defender Threat Intelligence articles and intel profiles, Microsoft Defender XDR threat analytics reports, and vulnerability disclosure publications, among others.

    Image of how Copilot for Security works.

Here's an explanation of how Microsoft Copilot for Security works:

  • User prompts from security products are sent to Copilot for Security.

  • Copilot for Security then preprocesses the input prompt through an approach called grounding, which improves the specificity of the prompt to help you get answers that are relevant and actionable to your prompt. Copilot for Security accesses plugins for preprocessing, then sends the modified prompt to the language model.

  • Copilot for Security takes the response from the language model and post-processes it. This post-processing includes accessing plugins to gain contextualized information.

  • Copilot for Security returns the response, where the user can review and assess the response.

Copilot for Security iteratively processes and orchestrates these sophisticated services to help produce results that are relevant to your organization because they're contextually based on your organizational data.

Next steps

Microsoft Copilot for Security training

Get started with Microsoft Copilot for Security

Learn about Microsoft Copilot for Security, an AI-powered security analysis tool that enables analysts to process security signals and respond to threats at a machine speed, and the AI concepts upon which it's built.