What's new in Microsoft Security Copilot?

Security Copilot receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

  • The latest releases
  • Known issues
  • Plans for changes

Each item describes where the enhancement can be experienced. For more information, see Security Copilot experiences.

This page updates monthly, so revisit it regularly.

May 2025

Censys - Public preview

Type: New capability
Experience: Standalone

This plugin allows Security Copilot users to enrich investigations using threat intelligence from the Censys Platform.

For more information, see Censys.

HP Workforce Experience Platform - Public preview

Type: New capability
Experience: Standalone

This plugin allows users to query data about their fleet and get responses quickly and efficiently. It can answer questions about PC warranty, Windows 11 readiness, and resource consumption, as well as device age, stability, and health, security, blue screens, and app performance, including hangs and crashes.

For more information, see HP Workforce Experience Platform.

Copilot Studio connector - General Availability

Type: New capability
Experience: Standalone

This connector helps users submit natural language prompts to create a new Security Copilot investigation through Copilot Studio. After completion, the evaluation result is returned to the workflow.

For more information, see Copilot Studio connector.

April 2025

Overage SCUs - General Availability

Type: New capability
Experience: Standalone

Customers can set an overage amount of SCUs to ensure that additional SCUs are available when initially provisioned units are depleted during unexpected workload spikes. Overage units are billed on-demand and can be set as unlimited or a maximum amount.

For more information, see Manage usage.

Splunk - Public preview

Type: New feature
Experience: Standalone

The Splunk plugin enables customers to perform searches in Splunk, retrieve alerts, and more.

For more information, see Splunk.

Type: Changed
Experience: Standalone

When investigating a vulnerability or attack utilizing an exploit, it's critical to understand the recommended actions for mitigation. This information is now available through the Microsoft Threat Intelligence plugin.

Microsoft Threat Intelligence - Malware encyclopedia integration - Public preview

Type: New capability
Experience: Standalone

When investigating an incident involving malware, it's critical to quickly get information about the malware, the relevant Defender for Endpoint version, and guidance for next steps. This capability allows customers to query this information directly in Security Copilot.

Microsoft Threat Intelligence - Reason for inclusion - General Availability

Type: New capability
Experience: Standalone

When the analyst receives a response with multiple results, such as multiple actors or attacks, multiple articles, and others, it's sometimes difficult to understand which result is the most relevant for the next level of drill-down. With this enhancement, it's easier to understand the relevance of each result.

Microsoft Threat Intelligence - Suggested prompts - General Availability

Type: New capability
Experience: Standalone

During a session in Security Copilot, customers often need help selecting the next prompt for their investigation. This is a critical part of a guided experience.

Microsoft Threat Intelligence - Indicator skills - General Availability

Type: New capability
Experience: Standalone

Microsoft Threat Intelligence indicator skills allow direct access to all suspicious IOCs and the mass datasets of web scan data, including DNS, WHOIS, host pairs, certificates, detonation data, and others.

March 2025

Global Copilot experience - Public preview

Type: New feature
Experience: Embedded

The Global Copilot experience is a new global entry point in the Suite Header on the Microsoft Purview compliance portal home page and all solution pages. This capability allows for easy invocation of the Copilot experience. For each page, Copilot offers readily available prompts for you to get started, learn more about Purview, and troubleshoot issues.

For more information, see Security Copilot in Microsoft Purview.

Microsoft Surface Management integration - Public preview

Type: New feature
Experience: Embedded

With Copilot in Intune, IT Admins can quickly search for and resolve specific device issues, summarize warranty information, and access support tickets and service orders related to their organization’s Surface devices. This reduces the time and effort needed for routine maintenance tasks, creating more time to focus on other initiatives. In addition, Copilot pulls contextually relevant data from your Intune-enrolled Surface devices along with public information into a single view, streamlining the management process and enhancing overall efficiency.

For more information, see Security Copilot in Microsoft Surface Management Portal.

CheckPhish - General Availability

Type: New feature
Experience: Standalone

This plugin allows users to utilize the CheckPhish AI to analyze URLs for potential phishing threats, tech support scams, cryptojacking, and other security risks.

For more information, see CheckPhish.

Plugin management - General Availability

Type: New feature
Experience: Standalone

You can personalize the way Security Copilot interacts with you by managing plugins.

For more information, see Manage plugins.

KQL response explanation feature in Query assistant - General Availability

Type: New feature
Experience: Standalone / Embedded

The Security Copilot Query Assistant in Advanced hunting generates KQL queries from user requests in natural language, allowing junior and first-tier analysts that aren't familiar with KQL to easily hunt for threats. With this new feature, customers can see the logic behind the KQL queries generated by Copilot, including a breakdown of the query. This enhancement helps customers validate that the query aligns with their intent and needs, even if they don't have a deep understanding of KQL. Additionally, this feature helps customers improve their knowledge and proficiency in KQL, and will also increase their trust in the Query Assistant.

For more information, see Microsoft Security Copilot in advanced hunting.

Set prompts to continue on failure - General Availability

Type: New feature
Experience: Standalone

The Continue on failure feature is now available in Security Copilot promptbooks. This feature allows users to set a promptbook to continue running the next prompt even after a prompt fails, instead of halting the entire promptbook.

For more information, see Set prompts to continue on failure.

Call system capabilities directly - Public preview

Type: New feature
Experience: Standalone

You can now directly call a Security Copilot system capability during promptbook creation. System capabilities are the various actions that Security Copilot can perform for you. This feature allows you to generate responses more efficiently and might help lower SCU consumption.

For more information, see Call capabilities directly in the prompt.

December 2024

Security Copilot Adoption hub - General Availability

Type: New feature
Experience: Standalone

Access useful links to training, videos, GitHub repository for sample plugins, and other technical readiness information.

For more information, see Security Copilot Adoption hub.

Persona-based prompt library - Public preview

Type: Change
Experience: Standalone

This is a redesign of the standalone portal landing page that is focused on bringing existing Security Copilot capabilities front and center for users and helping you get started more quickly. Users will now find a library of recommended starter prompts that help them to learn what Security Copilot is capable of, help them overcome the "blank page problem", and alleviate the challenge of them having to craft the prompt just right.

For more information, see Prompting in Security Copilot.

Usage dashboard - General Availability

Type: Change
Experience: Standalone

With this feature, the filters in the dashboard's side panel drill down into the data shown on the bar graph. In the earlier version, the bar graph was static and always displayed the total hourly units consumed, irrespective of the filters applied to the search.

Additionally, SCUs are now rendered as numeric values in the exportable Excel sheet. This should help analysts perform numeric operations directly on the usage data in the spreadsheet.

For more information, see Manage usage.

Microsoft Entra - Public preview

Type: New feature
Experience: Embedded

Customers can now engage with Security Copilot directly in the Microsoft Entra Admin Center. Identity admins benefit from AI-driven, natural-language summaries of identity context and insights, and help with troubleshooting tasks like resolving identity-related risks and sign-in issues.

For more information, see Copilot in Microsoft Entra.

Aviatrix - Public preview

Type: New feature
Experience: Standalone

Aviatrix and Microsoft Security Copilot have partnered on an AI-enabled plugin that allows customers to leverage Microsoft Defender Threat Intelligence with Aviatrix to gain insight into new threats and mitigate them through firewall policy enforcement.

For more information, see Aviatrix.

CheckPhish - Public preview

Type: New feature
Experience: Standalone

This plugin allows users to utilize the CheckPhish AI to analyze URLs for potential phishing threats, tech support scams, cryptojacking, and other security risks.

For more information, see CheckPhish.

Quest - Public preview

Type: New feature
Experience: Standalone

Quest Security Guardian is an Active Directory security tool designed to reduce your attack surface. From a simplified unified workspace, Security Guardian reduces alert fatigue by prioritizing your most exploitable vulnerabilities and Active Directory configurations that demand attention.

For more information, see Quest.

Role-based access control - General Availability

Type: Changed
Experience: Standalone

Enhancements include:

  • For new tenants, recommended roles will be enabled as the default for the contributor role. This allows users who belong to these app-specific roles (such as Microsoft Intune and Microsoft Entra) to access Security Copilot without having to ask Security Administrators to add them individually to the contributor role.
  • Unintended access by users who do not belong to these groups will be prevented.

For more information, see Understand authentication.

Non-Microsoft plugin updates - General Availability

Type: Changed
Experience: Standalone

More than 15 non-Microsoft plugins are now generally available. This enables customers of Security Copilot to leverage capabilities from their security solutions of choice.

For more information, see Plugins overview.

November 2024

Usage dashboard - General Availability

Type: Changed
Experience: Standalone

The usage dashboard has been updated to provide deeper insights into the consumption of Security Compute Units (SCUs). Key feature improvements include the introduction of new data dimensions, enhanced data filtering capabilities, an extended data timeframe spanning 90 days, and the ability to export usage data into Excel sheets.

For more information, see Manage usage.

Audit log in Microsoft Purview for Security Copilot - General Availability

Type: New feature
Experience: Standalone

Access audit logs through Microsoft Purview and the Office Management API to help you satisfy compliance and regulatory requirements. The audit log gives you visibility into information such as admin events and activity metadata.

For more information, see Access the audit log.

RBAC - Public preview

Type: Changed
Experience: Standalone

Refines contributor role permissions by replacing the 'everyone' option with a 'recommended roles' bundle. This grants access to users with flagship roles in Microsoft Entra, Microsoft Intune, Microsoft Purview, and the unified security operations platform, and will be the default setting for new tenants, preventing unintended access by users outside enabled groups.

For more information, see Understand authentication.

Promptbooks

Type: New promptbooks
Experience: Standalone

Users can now use the following promptbooks:

For more information, see Using promptbooks in Security Copilot.

October 2024

Data retrieval POST operations for API plugins

Type: New feature
Experience: Standalone / Embedded

Users can now harness data in plugins that utilize POST operations to get, retrieve, and list data for security investigations and enrichment.

September 2024

Summarize identity in Microsoft Defender - General Availability

Type: New feature
Experience: Embedded

A new embedded experience in Microsoft Defender is available. Security operations teams investigating users can easily understand identity information with the identity summary capability. Copilot creates contextual insights about an identity in an organization, helping analysts quickly understand important data to speed up their investigation.

For more information, see Summarize identities.

Silverfort plugin - Public preview

Type: New plugin
Experience: Standalone

The Silverfort plugin leverages KQL-based queries to extract and analyze data from Silverfort's security logs within the Microsoft Sentinel workspace. You can customize queries using a range of input parameters to retrieve targeted information, enabling more efficient threat investigation and proactive defense measures.

For more information, see: Silverfort.

Whoisfreaks plugin - Public preview

Type: New plugin
Experience: Standalone

Whoisfreaks helps elevate your cyber-security strategy with domain and IP intelligence services. Designed for analysts, researchers, and brand owners, the platform provides unparalleled insights and monitoring capabilities to protect your digital assets. Stay ahead of threats, ensure brand integrity, and make informed decisions with real-time data you can trust. The platform seamlessly integrates with existing systems, enhancing workflow efficiency and effectiveness.

For more information, see: Whoisfreaks.

Forescout Vedere Labs plugin - Public preview

Type: New plugin
Experience: Standalone

The Forescout Vedere Labs research team provides a threat intelligence feed containing IP, URL, and file hash indicators for all activity seen and monitored by Forescout, including information on Known Exploited Vulnerabilities and Vedere Labs' own reported CVEs. Drawing on this extensive research, the feed provides indicators and CVE details across IT, OT, IoT, and IoMT, allowing anyone to benefit from this research. The research helps security teams speed up threat hunting efforts in combination with Security Copilot. Additionally, this service allows lookups against domain names to check for use of Domain Generation Algorithms (DGA) or data exfiltration techniques.

For more information, see: Forescout Vedere Labs.

August 2024

Copilot integration in device query - Public preview

Type: New feature
Experience: Embedded

You can now use Copilot in Microsoft Intune's device query page to help you craft KQL queries. Just use natural language to ask about a device in Microsoft Intune, and Copilot will generate a KQL query that you can run to get the answer.

For more information, see Query with Copilot in device query.

July 2024

Streaming of response

Type: New feature
Experience: Standalone / Embedded

As part of the quality effort to minimize overall latency, one initiative is to show Security Copilot responses in streaming mode. This approach significantly reduces perceived latency for users, enabling them to begin reading responses as they are generated, similar to other Copilots.

Microsoft Defender Threat Intelligence - General Availability

Type: New feature
Experience: Embedded

A new embedded experience in the Threat Intelligence blade in Microsoft Defender is available. The feature helps analysts deep dive into threat intelligence context based on sources such as Microsoft Defender Threat Intelligence, threat analytics, and detonation-based reputation information. The threat intelligence includes content such as articles and actor profiles, indicators of compromise, and impact to your organization, including related incidents, assets, and recommendations for remediation.

June 2024

Azure Firewall plugin - Public preview

Type: New plugin
Experience: Standalone

The Azure Firewall plugin has four capabilities that help analysts perform detailed investigations of the malicious traffic intercepted by the IDPS feature of their firewalls across their entire fleet using natural language questions in the Security Copilot standalone experience.

To learn more about the user journey and value that Copilot can deliver, see the Azure blog. To see these capabilities in action take a look at this Tech Community blog, and to get started see the documentation.

Azure Web Application Firewall - Public preview

Type: New plugin
Experience: Standalone

The Azure Web Application Firewall (WAF) plugin enables deep investigation of Azure WAF events. It can help analysts investigate the logs generated by Azure WAF in a matter of minutes and provide related attack vectors using natural language responses at machine speed. It provides visibility into your environment's threat landscape.

To learn more about the user journey and value that Copilot can deliver, see the Azure blog. To see these capabilities in action take a look at this Tech Community blog, and to get started see the documentation.

Microsoft Defender External Attack Surface Management (Defender EASM) natural language to EASM query

Type: New skill
Experience: Standalone

Query your attack surface using natural language (for example: "what assets are using specific technologies, are associated with these IP addresses, were registered by this email?").

For more information, see: Microsoft Security Copilot and Defender EASM.

Defender EASM - Public preview

Type: New experience
Experience: Embedded

Leverage Defender EASM skills within your Defender EASM resource.

For more information, see: Query your attack surface with Defender EASM using Microsoft Copilot in Azure.

AbuseIPDB plugin - Public preview

Type: New plugin
Experience: Standalone

AbuseIPDB helps make the Web safer by providing a central repository for webmasters, system administrators, and other interested parties to report and identify IP addresses that have been associated with malicious activity online.

For more information, see: AbuseIPDB.

Intel 471 plugin - Public preview

Type: New plugin
Experience: Standalone

Intel 471 provides ongoing automated collection, local human intelligence reporting, and high-fidelity alerting of top-tier cybercriminals.

For more information, see: Intel471.

Shodan InternetDB plugin - Public preview

Type: New plugin
Experience: Standalone

Use Shodan's free InternetDB to enrich IP investigations. Retrieve IP information such as open ports, hostnames, and vulnerabilities.

For more information, see: Shodan.

May 2024

Microsoft Purview embedded experience - General Availability

Type: Moved from public preview to GA
Experience: Embedded (Microsoft Purview)

The Purview embedded experience will provide the ability to answer users' Microsoft Purview data-related questions, asked as natural language queries, using existing data insights API/solution APIs. Purview users will be able to use Security Copilot capabilities to summarize alerts and incidents, and get contextual summaries of communications.

The Purview embedded experience leverages Security Copilot's natural language assistive copilot experience and enhances the Purview product experience by providing an AI assistant while using Purview.

For more information, see: Microsoft Security Copilot in Microsoft Purview.


CyberArk Privilege Cloud plugin - Public preview

Type: New plugin
Experience: Standalone

CyberArk Privilege Cloud is a SaaS solution that provides a simplified path to securely store, rotate and isolate credentials (for both human and non-human users), monitor sessions, and quickly deliver scalable risk reduction to the business. You can use the CyberArk plugin with Security Copilot to:

  • List privileged accounts in Security Copilot using natural language.
  • Leverage Copilot generative AI abilities to interact with privileged accounts data.

For more information, see: CyberArk Privilege Cloud.


Darktrace plugin - Public preview

Type: New plugin
Experience: Standalone

Darktrace offers cybersecurity AI services to provide preemptive visibility into security posture, real-time detection, and autonomous response to known and unknown threats. You can use the Darktrace plugin with Security Copilot to proactively detect, investigate, and respond to threats across your digital ecosystem.

For more information, see: Darktrace.


Jamf Pro plugin - Public preview

Type: New plugin
Experience: Standalone

Jamf Pro provides comprehensive MDM data. You can use the Jamf plugin with Security Copilot to streamline how your security analysts access data, simplify the process of gathering crucial information, and facilitate seamless collaboration between IT and Security teams.

For more information, see: Jamf Pro.


Red Canary plugin - Public preview

Type: New plugin
Experience: Standalone

Red Canary provides managed detection and response (MDR) and other security capabilities to protect endpoints, network, cloud workloads, identities, and SaaS applications. You can use the Red Canary plugin with Security Copilot to enhance your security operations.

For more information, see: Red Canary.


SGNL.ai plugin - Public preview

Type: New plugin
Experience: Standalone

SGNL provides a dynamic access platform that provides a foundation for Zero Standing Privilege (ZSP) initiatives to protect against threats to user sessions and credentials. You can use the SGNL Access Intelligence plugin with Security Copilot to understand and identify fine-grained access decisions and trends across your organization.

For more information, see: SGNL plugin.


Shodan plugin - Public preview

Type: New plugin
Experience: Standalone

Shodan is a search engine that allows users to find specific types of devices connected to the internet using various filters. It provides a global view of how certain devices are connected and can be used to discover which devices are connected to the internet, where they're located, and who is using them. You can use the Shodan plugin with Security Copilot to get enhanced visibility of your internet-facing assets and better detect threats and vulnerabilities.

For more information, see: Shodan.


ReversingLabs Spectra Intelligence plugin - Public preview

Type: New plugin
Experience: Standalone

ReversingLabs empowers SOC teams to understand the file-based threats in an environment. Analysts can use Security Copilot to summarize complex file reputation information and file analysis reports for quicker triage and response time.

For more information, see: ReversingLabs Spectra Intelligence.