As organizations evaluate Microsoft Security Copilot, CISOs are increasingly focused on quantifying marketing claims related to cost reductions or greater efficiency of SecOps workflows. These discussions present an opportunity to spotlight how the integration between Microsoft Security Copilot and SecOps tools helps enhance overall effectiveness. Through this blog series I intend to help you better facilitate those conversations by going beyond buzzwords to demystify Microsoft Security Copilot Experiences.
This blog post is part of a series. This is post 2. Click here if you want to check out post 1.
In my previous post in this series, I clarified the difference between standalone vs. embedded Security Copilot experiences and detailed the embedded experiences within Microsoft Defender. In this post, I’ll describe the main benefits of the embedded experiences in Microsoft Purview. The integration between Microsoft Security Copilot and Microsoft Purview can be quite helpful for large and increasingly more complex organizations that are straining CISO resources. Here is a list of these “embedded” Security Copilot experiences, and the main benefits of each.
NOTE: the list of experiences is current as of June 2025, with more expected to be added in the future.
Product: Microsoft Purview.
| Embedded experience | Main benefits |
|---|---|
| Investigate Purview Data Loss Prevention alerts | Cuts through alert volume fatigue to neatly summarize the top DLP policy alerts, providing info on alert title and severity, name of the policy that was matched, the name of the file involved (and a link to the file), alert status, and the email address of the user who performed the action that triggered the DLP policy. |
| Investigate insider risk management activities | Summarizes all essential details about the alert, including which policy was triggered and what activity triggered it, who triggered it. Here’s the best part: Copilot can consolidate information about the user from all their alerts and in-scope policies and emphasizes the user’s top risk factors. Suggested prompts will then allow your SecOps analysts to gain additional insights to expedite their investigative workflow (e.g.: Show key actions performed by the user in the last 10 days). |
| Summarize Communication Compliance messages by using Security Copilot | Produce a contextual summary of a Teams, email, or Viva Engage message included in a Communications Compliance policy match in the context of a trainable classifier that has flagged a message. This can often save a lot of investigative time if the message content is lengthy. Keep in mind there are limitations to what can be summarized currently such as message length (between 100 and 15,000 words), language (English only), and summaries of Teams messages (individual messages only, not group messages or surrounding conversation). |
| Summarize eDiscovery message by using Security Copilot | Case reviews take time! This embedded experience saves reviewers time by providing contextual summaries of most items in a review set. Security Copilot summarizes the entire item, including any documents, meetings transcripts, or attachments. Most of the common document file types are supported. Keep in mind there are limitations to what can be summarized currently such as supported file types (plain text view must be available), content length (between 100 and 15,000 words), language (English only), and summaries of Teams messages (individual messages only, not group messages or surrounding conversation). |
| Data hunting in Activity Explorer. | Security Copilot skills help drill down into activity data to identify top activities, files with sensitive info, users, and other details that are relevant to an investigation. This reduces the amount of time it takes to perform this sort of data hunting. |
If your organization is currently using Microsoft Security Copilot, and is a heavy user of Microsoft Purview capabilities, I’d be eager to know which of these embedded experiences your SecOps teams are using most frequently. The next post within this series will detail the embedded experiences within Microsoft Entra, Intune and Azure Firewall. Come back to check that out too!
Thanks for reading, and please reach out if you have a question or just want to chat more!
