
Samira Sarraf
Regional Editor for Australia and New Zealand

Microsoft reveals general availability of Copilot for Security

News
13 Mar 2024, 4 mins
Generative AI, Threat and Vulnerability Management

Available worldwide on April 1, Microsoft Copilot for Security uses generative AI to provide incident summaries, step-by-step remediation guidance, and reverse-engineering of scripts.

[Image: LLMs, ChatGPT, Generative AI. Credit: NicoElNino/Shutterstock]

Microsoft Copilot for Security, which interprets data from all Microsoft’s security products and provides automated explanations and suggested remedies, will be generally available from April 1, one year after it was first announced and five months after its preview period.

Copilot for Security is embedded across Microsoft’s entire security product portfolio; in Defender, for example, it appears as an assistant pane in which insights and remediation guidance are generated. Beyond the vendor’s own portfolio, Microsoft Copilot for Security also draws on insights from other software vendors’ products.

Microsoft Copilot for Security main benefits

Based on early access results, Microsoft has identified the four areas with the greatest benefit to users: incident summarization, impact analysis, reverse engineering of scripts, and step-by-step incident response. Copilot for Security uses generative AI to turn complex alerts into clear, actionable incident summaries. It also uses AI-driven analytics to assess the potential impact of security incidents, offering insights into affected systems and data so that response efforts can be prioritized.

Microsoft Copilot for Security analyzes complex command-line scripts and translates them into natural language, with clear explanations of the actions the script performs. It extracts the indicators found in the script and links them to their respective entities in the user’s environment.
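The “extract indicators and link them to entities” step described above, reduced to a small added example. This is illustration code written for this page, not Microsoft’s Copilot for Security code; it assumes a simple in-memory asset inventory (`INVENTORY`) standing in for the entities in a user’s environment, and the sample script it parses is constructed from reserved documentation names and addresses.

```python
"""Extract indicators from a script and link them to known environment entities.

Added illustration, not Microsoft's code. The sample script and the inventory
are constructed for this example; 203.0.113.0/24 and example.net are reserved
documentation values, and the hash is the well-known SHA-256 of empty input.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a script an analyst might ask to have explained.
SAMPLE_SCRIPT = r"""
#!/bin/sh
# constructed example, documentation addresses only
curl -s http://files.example.net/update.bin -o /tmp/update.bin
echo "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /tmp/update.bin" | sha256sum -c
nc -z 203.0.113.10 8443 && echo "build agent reachable"
"""

# Constructed inventory standing in for "entities in the user environment".
INVENTORY = {
    "hosts": {"203.0.113.10": "build-agent-07"},
    "domains": {"files.example.net": "artifact-mirror"},
    "file_hashes": {
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855":
            "empty-file (known benign)",
    },
}

_PATTERNS = {
    "url": re.compile(r"https?://[^\s'\"<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
}

# Which inventory table each indicator type is resolved against.
_LOOKUP = {"ipv4": "hosts", "domain": "domains", "sha256": "file_hashes"}


def _valid_ipv4(candidate):
    """Reject regex hits whose octets are out of range (e.g. 999.1.1.1)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def extract_indicators(text):
    """Return {type: set(values)} for URLs, domains, IPv4 addresses and SHA-256 hashes.

    Domains are taken only from URL hosts, which avoids mistaking file names
    such as update.bin for host names.
    """
    found = {"url": set(), "domain": set(), "ipv4": set(), "sha256": set()}
    for url in _PATTERNS["url"].findall(text):
        found["url"].add(url)
        host = urlparse(url).hostname
        if not host:
            continue
        if _PATTERNS["ipv4"].fullmatch(host) and _valid_ipv4(host):
            found["ipv4"].add(host)
        else:
            found["domain"].add(host.lower())
    for ip in _PATTERNS["ipv4"].findall(text):
        if _valid_ipv4(ip):
            found["ipv4"].add(ip)
    found["sha256"].update(h.lower() for h in _PATTERNS["sha256"].findall(text))
    return found


def link_to_entities(indicators, inventory):
    """Resolve each indicator to an inventory entity; entity is None when unknown."""
    links = []
    for kind, values in indicators.items():
        for value in sorted(values):
            if kind == "url":
                # A URL is linked through its host, whichever table knows it.
                host = (urlparse(value).hostname or "").lower()
                entity = inventory["domains"].get(host) or inventory["hosts"].get(host)
            else:
                entity = inventory.get(_LOOKUP[kind], {}).get(value)
            links.append({"type": kind, "value": value, "entity": entity})
    return links


def unresolved(links):
    """Indicators with no matching entity: the ones worth a closer look."""
    return [link for link in links if link["entity"] is None]


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_SCRIPT)
    for link in link_to_entities(found, INVENTORY):
        print(f"{link['type']:7} {link['value']:70} -> {link['entity']}")
```

The indicator types are deliberately narrow; a production tool would also handle IPv6, email addresses, registry paths and obfuscated strings, and would consult a real asset inventory or threat-intelligence source rather than a dictionary.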

Copilot for Security provides actionable step-by-step guidance for incident response, including directions for triage, investigation, containment, and remediation. Relevant deep links to recommended actions allow for quicker response.

One of the main benefits of these features is that they let junior professionals write queries in natural language and get responses they can understand. This can come in handy given the “large and chronic talent shortage,” as Microsoft VP of security marketing Andrew Conway called it. According to Microsoft’s own data from early access use, experienced security analysts were 22% faster and 7% more accurate across all tasks when using Copilot. Almost all of them, 97%, said they want to use Copilot the next time they perform the same task.

Beyond Copilot for Security’s early access

Beyond global general availability and the previously mentioned access to Microsoft Copilot for Security through other vendors’ products, the new capabilities include the creation of custom workbooks and the ability to write plugins. “One of the constructs with Copilot for Security is that it’s not just for Microsoft products and Microsoft data, essentially, we’ve been working with ISVs directly but also with customers to write plugins. Any data source, any product in the environment that you can connect into, you can have Copilot reason over,” Conway tells CSO.

Copilot for Security offers two modes of interaction: a standalone experience that works across all Microsoft Security products, and an experience embedded directly in the Defender portal. Once live, customers will be able to use Microsoft Defender Threat Intelligence within the embedded Defender experience to discover threats and attack techniques, and to obtain recommendations specific to their environment’s risk profile using natural language.

Microsoft Entra (previously Azure Active Directory) has added identity skills to Copilot covering user details, group details, sign-in logs, audit logs, and diagnostic logs. In Microsoft Purview, Copilot will help SOC teams identify risky user activities and sensitive data that could be at risk when investigating a security incident. Copilot will provide summaries of alerts in Microsoft Purview Data Loss Prevention and Insider Risk Management, and it provides contextual summaries of communications in Microsoft Purview Communication Compliance and of documents in review sets in Microsoft Purview eDiscovery.

Copilot for Security will be available under a pay-as-you-go model with flexible consumption-based pricing, much like the Azure model. Customers measure the capacity they need in what Microsoft calls “compute units,” with the vendor recommending three compute units as a starting point. If capacity runs out, the product notifies the customer and more units can be added; if usage drops, unneeded compute units can be deprovisioned.


Samira Sarraf covered technology and business across the IT channel before managing the enterprise IT content for the CIO.com, CSO Online, and Computerworld editions in Australia and New Zealand. With a focus on government cybersecurity and policy, she is now an editor with CSO Online global.
