Microsoft opens early access to AI assistant for infosec, Security Copilot

Copilotization of all things continues... as helper offers incident reports to share with the boss and more

Microsoft is opening up the early access program for its flagship cybersecurity AI product, which marks the inevitable folding in of Copilot into its infosec suite.

First teased in March, Security Copilot is embedded within the Microsoft 365 Defender XDR platform and comes bundled with the claim it could free up 40 percent more time that would otherwise be spent on other routine security operations tasks.

Besides positioning it as a general time-saver for experienced pros, Microsoft also claims the tool will help upskill existing staff, offering insights they may not be able to generate themselves at their current experience level.

The notion is that less-skilled security analysts can be more effective when step-by-step instructions on how to manage an incident are provided to them, something that will help teams work faster when they aren't fully equipped with the level of talent they need, for example. It's something many of us, particularly the critics of Microsoft's CoPilotization of everything will be curious to see in action.

Microsoft's Copilot logo

Microsoft introduces AI meddling to your files with Copilot in OneDrive


"Security Copilot can effectively upskill a security team, regardless of its expertise, save them time, enable them to find what previously they might have missed, and free them to focus on the most impactful projects," said Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft.

Jakkal previously highlighted the steep rise in per-second password attacks from 579 to 1,287, underlining the demand for time-saving tech for understaffed security teams.

Among the tool's main capabilities is the ability to summarize security incidents into natural language reports. Copilot's generative AI analyzes a security incident by breaking it down into key events such as when a malicious URL was detected, when it was clicked, and what happened after it was clicked.

Rather than spending lengthy periods of time manually triaging an incident and writing up a report by hand, including a full summary of the event timeline and recommended remediation actions, Copilot compiles all of this into a report automatically.

The remediation actions aim to reduce the time security analysts take to respond to threats, a particularly helpful tool for those at lower skill levels, and Security Copilot's ability to break down a malicious script into its key functions offers a quick view into how the threat would impact an organization.

Redmond also talked up the tool's ability to craft queries in Kusto Query Language (KQL) for analysts hunting for threats in their environment. Security teams can generate prompts for Copilot using natural language to create an Advanced Hunting query that takes known indicators of compromise (IOCs) of a brand-new exploit, for example, or searches for successful exploits to remediate.

Along with Copilot's natural language queries, every customer who signs up for early access to the tool will also get access to Microsoft Defender Threat Intelligence and its API "for no extra cost."

It's a robust resource complete with everything Microsoft knows about each threat and the groups behind them, offering information on IOCs - which can be used for AI-augmented threat hunting - connected to other intelligence sources.

In theory, security analysts can learn everything they need to about emerging threats from the sources available via Microsoft Defender Threat Intelligence and then craft custom queries using natural language that can help hunt for their organization's exposure to them.

"As Security Copilot enriches security incidents and alerts with Microsoft's vast knowledge of cyberthreats, customers may now access Defender Threat Intelligence directly to expose and eliminate modern cyberthreats and cyberattacker infrastructure, identify cyberattackers and their tools, and accelerate cyberthreat detection and remediation," said Jakkal.

Additional Security Copilot capabilities include vulnerability and patch management support by pulling version information and cross-checking it with known issues from threat intelligence data to more easily idenitfy the endpoints that need securing.

"Delivering security in a coherent way across the broadest set of cyberthreat vectors is a fundamental promise of XDR," said Jakkal. "Today organizations struggle to manually traverse multiple disconnected tools and datasets from numerous vendors to protect email, endpoints, cloud apps, and more.

"With the embedded experience for Security Copilot in Microsoft 365 Defender, we are making the industry-leading XDR solution even more powerful and easy to use."

Customers that already have early access to Security Copilot can also bring in their MSSPs, if they work with one, and extend their environment so partners can make use of the same generative AI tech even if they don't have access themselves.

There's no general availability date for Security Copilot yet, but the early access program still has spots available for qualified organizations, Microsoft said. It hasn't publicly detailed what these qualifying criteria are. ®

More about


Send us news

Other stories you might like