As organizations evaluate Microsoft Security Copilot, CISOs are increasingly focused on quantifying the marketing claims about cost reduction and greater efficiency in SecOps workflows. Those discussions are an opportunity to show how the integration between Security Copilot and the SecOps tools a team already uses improves overall effectiveness. Through this blog series I intend to help you facilitate those conversations by going beyond the buzzwords to demystify the Microsoft Security Copilot experiences.
This is the first post in the series.
Let’s start by defining what a “Security Copilot experience” even means. Basically, there are two ways to access (read: experience) Security Copilot.
- Way 1 – the “standalone” experience is similar to how a member of your SecOps team accesses any of the security and compliance tools they use every day: by logging in to the respective portal directly (e.g. the Microsoft Defender portal or the Microsoft Purview portal). Security Copilot can likewise be accessed directly, in a “standalone” way, at https://securitycopilot.microsoft.com. This is the right choice when what you are trying to do or see is only possible through Security Copilot itself.
- Way 2 – the “embedded” experience is where a member of your SecOps team works the way they always have, but opportunistically leverages Security Copilot, embedded in the tool they are already using, to speed up or otherwise enhance their investigation and response processes (without switching to the “standalone” experience).
There is quite an extensive list of embedded experiences, which I will spotlight throughout this series. Each post focuses on a specific set of products where Security Copilot embedded experiences are currently supported, covering what each embedded experience is and its main benefit. In this post, let’s focus on the embedded experiences within Microsoft Defender XDR, Defender for Cloud, and Defender Threat Intelligence.
NOTE: the list of experiences is current as of June 2025, with more expected to be added in the future.
Product: Microsoft Defender XDR.
| Embedded experience | Main benefits |
|---|---|
| Analyze files | File assessment and analysis surfaces certificate details and a content summary needed for further investigation. |
| Analyze scripts and code | Detects obfuscation in scripts and PowerShell command lines that is otherwise challenging to discover, helping stop attacks from progressing further. |
| Summarize incidents | Incidents with up to 100 alerts can be condensed into a single summary, including attack start time, involved assets and entities, Indicators of Compromise (IoCs), and a timeline. |
| Create incident reports | One-click, comprehensive and clear incident reports that also list the manual and automated actions taken, along with analysts’ comments. |
| Generate KQL queries for hunting | Kusto Query Language can be daunting, and it can take a while before analysts become proficient. It is more efficient to ask a question in natural language (e.g. “get all alerts involving user admin123”) and let Security Copilot produce the query. |
| Summarize device information | No more sifting through device data to determine a device’s security posture, vulnerabilities, or unusual behaviour. |
| Summarize identities | Security Copilot can help identify suspicious or risky identity-related changes and potential misconfigurations. At the time of this writing, this capability is only available for users but is expected to be expanded to service accounts in the future. |
| Use guided response | Guided responses from Security Copilot recommend actions related to triage, containment, investigation, and remediation. |
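To make the “Generate KQL queries for hunting” row concrete, here is the Advanced Hunting query an analyst would write by hand for the prompt “get all alerts involving user admin123”. This is an added example written for this post, not output from Security Copilot and not Microsoft’s own sample; the table and column names (AlertEvidence, AlertInfo, EntityType, AccountName, AccountUpn) are from the Defender XDR Advanced Hunting schema, while the account name and the 30-day look-back window are assumptions. Keeping a baseline like this is a practical check before running a generated query: compare the time window, which account columns are matched, and whether the query starts from AlertEvidence (which carries the account entities) rather than AlertInfo alone.

```kql
// Added example: a hand-written Advanced Hunting baseline for the prompt
// "get all alerts involving user admin123". Not Copilot output.
let target = "admin123";           // assumed account name taken from the prompt
let lookback = 30d;                // assumed window; a generated query may choose another
AlertEvidence
| where Timestamp > ago(lookback)
| where EntityType == "User"
// Match the account name exactly (case-insensitive), or the UPN prefix exactly,
// so "admin123@contoso.com" matches but "admin1234@contoso.com" does not.
| where AccountName =~ target or AccountUpn startswith strcat(target, "@")
| distinct AlertId
| join kind=inner (
    AlertInfo
    | project AlertId, Timestamp, Title, Severity, Category, ServiceSource
) on AlertId
| project Timestamp, AlertId, Title, Severity, Category, ServiceSource
| order by Timestamp desc
```

Run it from Advanced hunting in the Microsoft Defender portal. If the query Security Copilot generates for the same prompt matches only on AccountName, or uses `contains` on AccountUpn, it will return a different (narrower or wider) set of alerts than this baseline, which is exactly the kind of difference an analyst should notice before trusting the result.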
Product: Microsoft Defender for Cloud.
| Embedded experience | Main benefits |
|---|---|
| Analyze and summarize recommendations | Security Copilot summarizes recommendations in natural language so you understand the specific risks and vulnerabilities in your environment, which lets your SecOps teams prioritize remediation efforts. |
| Remediate recommendations | Once a recommendation is summarized, you can use natural language prompts to have Security Copilot assist with remediation. If you are unable or unsure how to remediate a recommendation, follow-up prompts can ask Copilot for additional information. |
| Delegate recommendations | Recommendations from the step above can be delegated in alignment with your SecOps triage and response process, so the right people or teams address the risks and vulnerabilities in your environment. |
| Remediate code | Infrastructure as Code (IaC) misconfigurations and vulnerabilities in your code repositories can be addressed promptly, early in the development cycle, by automatically generating pull requests (PRs) that correct the weaknesses identified. |
Product: Microsoft Defender Threat Intelligence.
| Embedded experience | Main benefits |
|---|---|
| Using Security Copilot for threat intelligence | Built-in Defender Threat Intelligence prompts within Security Copilot can quickly summarize the latest threats relevant to your organization, help you prioritize which threats to focus on, and tell you more about the threat actors involved. |
If your organization is currently using Microsoft Security Copilot, I’d be eager to know which of these embedded experiences your SecOps teams are using most frequently. The next post within this series will detail the embedded experiences within Microsoft Purview. Come back to check that out too!
Thanks for reading, and please reach out if you have a question or just want to chat more!