Plugins overview Microsoft Copilot for Security (Preview)


Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Copilot for Security comes with many default plugins and supports several non-Microsoft plugins. You can also extend Copilot for Security's capabilities by adding or creating your own plugin. The Copilot for Security platform enables developers and users to write plugins that can be invoked to perform specialized tasks.


Products that integrate with Copilot for Security as plugins need to be purchased separately.

For more information on how to develop plugins that use the OpenAI schema, see Plugins for Microsoft Copilot documentation.

Preinstalled plugins

Get familiar with the plugins Copilot for Security can use to source information or take action when it's responding to your prompts. Depending on which services your organization uses, any of the plugins in the following lists might be available to you.

To find out which plugins Copilot for Security can use when you interact with it, select the plugin button. Check for plugins that are toggled on in the list that opens. Copilot for Security automatically uses the available plugins without any extra setup from you.

Microsoft plugins

Copilot for Security uses the on-behalf-of authentication flow to provide access to other Microsoft services that your organization already has access to. For more information, see Understand authentication.

Other plugins

  • CIRCL Hash Lookup (Preview) - Validate suspicious files by their hashes: MD5, SHA-1, or SHA-256.
  • CrowdSec CTI (Preview) - Find information about IP addresses, and verify or identify potentially aggressive IP addresses.
  • CyberArk Privilege Cloud - Get information about privileged identity accounts.
  • Cyware Respond (Preview) - Gain context and enrichments to analyze, prioritize and remediate.
  • Darktrace - Proactively detect, investigate, and respond to threats across your digital ecosystem.
  • GreyNoise Enterprise and GreyNoise Community (Preview) - Get information about IP addresses, scanning activity, and attacker behaviors.
  • Jamf - Gather MDM inventory insights and facilitate seamless collaboration between your IT and security teams.
  • Netskope (Preview) - Enrich investigations with alerts and incidents data from malware, malsite, User Behavior Analytics, app access, and connection events.
  • Red Canary - Enhance your security operations with intelligence from Red Canary.
  • ReversingLabs - Summarize complex file reputation information and file analysis reports for quicker triage and response time.
  • SGNL - Understand and identify fine-grained access decisions and trends across your organization.
  • Shodan - Find specific types of devices connected to the internet, where they're located, and who's using them.
  • Tanium (Preview) - Assess incidents with endpoint visibility and resolve with recommended remediation actions.
  • UrlScan (Preview) - Assess the safety and trustworthiness of a website or a specific web page.
  • Valence Security (Preview) - Respond to SaaS threats with enriched context from posture, identity, threat detection alerts, data shares, and integration context.

For more information about how to set up other plugins as outlined in the above list, read Other plugins.


  • Public web

Custom plugins

You can create new plugins to extend what Copilot can do by following the steps in Create new plugins.

To add your custom plugins to Copilot for Security and manage them, follow the steps in Manage custom plugins.