In the face of ever-looming security threats, SOC teams need effective detection and response capabilities. However, identifying risks and knowing what to prioritize is a daunting task, especially in a fragmented landscape where organizations use multiple tools to secure their data and their environment. This requires teams to deduplicate multiple alerts, manually correlate insights, and determine the nature of an incident across teams and solutions - ultimately resulting in longer time to conclude an investigation. It’s therefore no surprise that customers who deploy multiple security tools experience 2.8x more data security incidents compared to those with fewer tools. The average annual cost of a severe incident can be up to $15M for organizations, meaning the additional cost of such incidents can add up to $27M for those with multiple tools*. With such high stakes, it’s crucial for organizations to have end-to-end visibility across their security data.
For data security and compliance admins, it is challenging to keep up with the volume and complexity of alerts within the investigation workflow. In fact, data security teams receive on average 50+ alerts per day but can only review 70% of them. To effectively triage the volume of alerts and prioritize what’s truly critical, organizations need concise alert summaries, integrated insights and real time guidance at the speed of AI - all within their trusted investigation workflows.
Today, we are excited to announce AI-powered capabilities in private preview to help your SOC, data security and compliance teams achieve more. With Microsoft Purview capabilities in Security Copilot, your SOC team gains unprecedented visibility across your security data – bringing signals together from Defender, Sentinel, Intune, Entra and Purview into a single pane of glass. Purview capabilities are essential here to help SOC teams determine the source of an attack and quickly identify sensitive data that could be at risk.
Additionally, data security and compliance admins will be able to leverage Security Copilot powered summarization capabilities and natural language support, embedded directly into Microsoft Purview solutions. These capabilities help you accelerate time to action and enable analysts at all levels to conduct advanced investigations, including:
- Gain comprehensive summary of Data Loss Prevention alerts
- Gain comprehensive summary of Insider Risk Management alerts
- Gain contextual summary of Communication Compliance policy matches
- Gain contextual summary of evidence collected in eDiscovery review sets
- Generate keyword query language from natural language prompt in eDiscovery
Microsoft Purview capabilities in Security Copilot
Security teams need integrated insights to drive operational efficiency. Research shows that 62% of data security teams collaborate with SOC teams and are more confident in proactively addressing data security than those who do not. With Microsoft Purview skills in Security Copilot, you gain valuable data and user risk insights to help identify the source of an attack and any sensitive data that may be at risk. This end-to-end visibility across platforms helps reduce investigation time and uncover insights that would have otherwise been missed.
Imagine a scenario where your SOC team detects ransomware on a user’s machine and needs to determine how it got there. With Security Copilot, you can quickly learn about the user risk associated with the security incident and the potential source of the attack. For example, you may discover that the user has visited websites known to host malware. Additionally, you can ask which sensitive files the user has accessed or worked on in the past week, to help identify which files could potentially be held for ransom. Armed with these insights from Microsoft Purview, you can expedite the process of identifying the source of the attack and quickly understand which sensitive files may be impacted by a ransomware event.
Security Copilot embedded in Microsoft Purview
But we’re not stopping there. We’re natively embedding Security Copilot into Microsoft Purview solutions to help with your data security and compliance scenarios. You can now leverage summarization capabilities, real time guidance, and natural language support to catch what others miss, accelerate investigation and strengthen your team’s expertise. Imagine the power at your fingertips: with a single click, you can instantly generate a comprehensive and concise summary of your top alerts to focus on critical investigation paths forward.
Gain comprehensive summary of Data Loss Prevention (DLP) alerts
For data security admins, speed of investigation means everything to prevent data loss. But investigations can be overwhelming due to the large number of sources to analyze, including apps, cloud services, email, endpoints and chat, and the varying rules and conditions of a policy. Additionally, admins need integrated insights, because a low severity alert alone might not be enough to understand the true risk to your organization. To help alleviate these challenges, we are excited to announce that we are natively embedding Security Copilot in Data Loss Prevention to summarize alerts. This quick summary provides a comprehensive overview of an alert, including the source and the attributed policy rules to help recall the original policy configuration. Additionally, the summary surfaces user risk insights from Insider Risk Management, all while honoring the appropriate roles-based access control permissions. By understanding what sensitive data was leaked and associated user risk, you have a better starting point for further investigation. Learn more in our Microsoft Purview Data Loss Prevention announcement.
Gain comprehensive summary of Insider Risk Management** alerts
Insider Risk Management provides comprehensive insights into risky user activities that may lead to potential data security incidents. Data is moved by people, but it can be challenging to determine whether the movement was inadvertent or malicious. It can also be difficult to know where to start when risky activities are detected over a long period of time. Today, we are announcing Security Copilot in Insider Risk Management which summarizes alerts to help accelerate investigations. These summaries help you quickly gain context into user intent and timing of risky activities, enabling you to tailor your investigation with those specific dates in mind and quickly pinpoint sensitive files at risk. Learn more in our Microsoft Purview Insider Risk Management announcement.
Gain contextual summary of Communication Compliance*** policy matches
Amidst the surge in digital communications, organizations are subject to regulatory obligations related to business communications. This requires compliance investigators to review communication violations which can be time-consuming, especially when reviewing lengthy content like meeting transcripts, email attachments, Teams attachments, or extensive text. Security Copilot in Communication Compliance addresses these challenges by rapidly summarizing alerts and highlighting high-risk communications that may lead to a data security incident or business conduct violation. Additionally, contextual summaries help you evaluate the content against regulations or corporate policies, such as gifts and entertainment and stock manipulation violations. Learn more in our Microsoft Purview Communication Compliance announcement.
Gain contextual summary of evidence collected in eDiscovery review sets
Legal investigations can take hours, days, even weeks to sift through the list of evidence collected in review sets. This often requires costly resources like outside council to manually go through each document to determine the relevancy to the case. To help customers address this challenge, we are excited to introduce Security Copilot in eDiscovery. This powerful tool generates quick summaries of documents in a review set, helping you save time and conduct investigations more efficiently. Learn more in our Microsoft Purview eDiscovery announcement.
Generate keyword query language from natural language in eDiscovery
Search is one of the most difficult and time-intensive workflows in an eDiscovery investigation. Traditionally, searches are kicked off with the input of a query in keyword query language, which can be difficult to do depending on your skill level. Not only is it time-consuming, but if you input an incorrect property or condition, it can mean the difference between a right or wrong result – meaning you have to start over and further delay the investigation. Today, we are excited to announce Security Copilot in eDiscovery with natural language to keyword query language capabilities, where users can now provide a search prompt in natural language and it will translate into keyword query language to expedite the start of the search. This capability helps to strengthen your team’s expertise by empowering analysts at all levels to conduct advanced investigations that would otherwise require keyword query language. Learn more in our Microsoft Purview eDiscovery blog.
The cornerstone of this work is our commitment to how Security Copilot handles your data:
- Your data is your data. It’s yours to own and control, and yours to choose how you use data in accordance with your company policies.
- Your data is never shared with OpenAI.
- Azure OpenAI service is stateless and doesn’t retrain using input prompts.
- Microsoft’s fine-tuning and new AI model development leverages data within the bounds of customer contracts.
- Security Copilot runs queries as its user, so it never has elevated privileges.
Get started
- Join us at the Microsoft Purview breakout session: Secure and govern your data in the era of AI, or watch it on-demand, to explore other exciting announcements.
- Security Copilot in Microsoft Purview will be available in private preview to select Early Access Program customers. Reach out to your account manager to gain access to these features.
- Interest in the Security Copilot Early Access Program has been high and space is still available. Reach out to your sales representative to get more details on early access program qualifications.
- If you are a security partner interested in using Microsoft Security Copilot with your solutions, please sign up to join the Security Copilot Partner Ecosystem.
- Stay up to date on our Microsoft Purview features through the Microsoft 365 Roadmap for Microsoft Purview.
- Learn more about these solutions in the Microsoft Purview compliance portal. Visit your Microsoft Purview compliance portal to activate your free trial and begin using our new features. An active Microsoft 365 E3 subscription is required as a prerequisite to activate the free trial.
- Download Microsoft Data Security Index report to learn more about the trends and best practices for an effective data security program.
- See how data security solutions in Microsoft Purview, including Insider Risk Management, are designed to help detect and respond to a corporate espionage incident.
Thanks,
Talhah Mir, Principal Product Manager, Microsoft Purview
Liz Willets, Sr. Product Marketing Manager, Microsoft Purview
*The average cost of a severe incident is $15M annually and customers with multiple tools experience 2.8x more incidents. Thus, effectively $15M * 2.8 - $15M = $27M is the additional cost for organizations using multiple tools.
**Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
***Communication Compliance provides the tools to help organizations detect regulatory compliance violations (e.g. SEC or FINRA) and business conduct violations, such as inappropriate sharing of sensitive/confidential information, adult content, and using harassing or threatening language. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.
