Or: The Part Where Our Enthusiastic New Hire Actually Earns Their Keep
Last time, we introduced Microsoft Copilot as the eager new hire who’s read every manual, means well, and just needs a little supervision before anything goes out the door. We talked about M365 Copilot making your inbox slightly less terrifying, and gave Security Copilot a polite nod before promising to come back to it.
Well. We’re back.
Because here’s the thing about Security Copilot — once you get it plugged in and actually watch it work a real incident, there’s a moment where you sit back and say, “Okay. I see it now.”
That moment is worth talking about.
First, a Quick Orientation
Security Copilot isn’t a standalone product that lives in its own corner of the building. It’s more like giving our enthusiastic new hire a security clearance and a seat at the SOC. It plugs directly into the tools you’re already using — primarily Microsoft Defender XDR and Microsoft Sentinel — and acts as an AI layer on top of your existing data.
It can also connect to Intune, Entra, Purview, and third-party sources via plugins, but for this post we’re keeping our eyes on Defender, with Sentinel in a supporting role.
The way it actually works: Copilot reads your environment’s signals, correlates them, and lets you ask questions in plain English. No KQL required. No pivot tables. No fifteen-browser-tab investigation spiral. You just… ask it things. And it answers, with citations.
That last part matters. Unlike your average AI chatbot, Security Copilot shows its work. It tells you which incidents, alerts, and logs it pulled from. You can verify. You can dig deeper. It’s less “trust me” and more “here’s where I got this — go check.”
The Wow Moments (Yes, There Are Some)
Let’s get to the good stuff, because this is where Security Copilot earns the badge.
Incident Summarization That Actually Makes Sense
Anyone who’s stared at a Defender incident with 47 correlated alerts, three affected devices, two suspicious user accounts, and a timeline that spans six hours knows the feeling. Where do you even start?
Security Copilot starts for you. Ask it to summarize the incident and it’ll hand you a clear narrative: what happened first, what it likely triggered, which assets are involved, and what the probable attack chain looks like. In plain English. In about thirty seconds.
Is it always perfect? No. But it gets you oriented in a fraction of the time, which matters a lot when things are actively on fire.
“What Else Has This User Been Doing?”
This is one of those questions that used to mean opening four different tabs, running a few queries, and cross-referencing timestamps manually. With Security Copilot sitting on top of Defender, you can just ask. It’ll pull the user’s recent sign-in history, devices, any flagged behavior, and relevant alerts — and surface the ones worth paying attention to.
It’s the investigative equivalent of having someone who’s already done the legwork waiting when you walk in the room.
Script and File Analysis
Found a suspicious PowerShell script in an alert? Paste it in and ask Copilot what it does. It’ll break it down in plain language — what it’s attempting, what techniques it maps to (often with MITRE ATT&CK references), and whether it looks like something you should be losing sleep over.
This one is genuinely useful for analysts who are solid on process but maybe don’t live and breathe obfuscated PowerShell. It levels the playing field without requiring everyone on the team to be a malware reverse engineer.
Guided Response Suggestions
After it walks you through what happened, Security Copilot will often suggest next steps — isolate this device, revoke this session, check these other assets. These aren’t binding actions; it’s not going to do anything without you telling it to. But having a clear “here’s what you probably want to do next” list when you’re in the middle of an incident and running on adrenaline and bad coffee is genuinely valuable.
Where Sentinel Fits In
Sentinel plays a supporting role here, and it’s a good one. If you’ve got Sentinel set up as your primary SIEM — pulling in logs from across your environment — Security Copilot can query it directly. You can ask natural language questions against your Sentinel data without writing a line of KQL.
“Show me failed authentication attempts for this user in the last 48 hours.” Done.
“Were there any anomalous sign-ins from this IP across the tenant?” It’ll look.
For teams that are Sentinel-native, this is a significant quality-of-life improvement. For those of us running a hybrid setup with Splunk handling third-party logs and Sentinel covering the Microsoft stack, it’s still useful — just scoped to what Sentinel can see.
The Practical Side (Because There’s Always a Practical Side)
Okay, wow moments documented. Now for the part where we talk about what it actually takes to make this work.
Security Compute Units (SCUs) are how Security Copilot is billed, and they can sneak up on you. You provision a certain number, and usage draws from that pool. More complex queries and larger investigations consume more. Start with a smaller allocation, watch the usage dashboard, and scale up from there. Don’t find out what “overrun” looks like on your first month’s invoice.
Your data quality matters more than ever. Security Copilot reasons from what it can see. If your Defender alerts are noisy and misconfigured, it’ll reason from noisy, misconfigured data. If your incident tagging is inconsistent, that inconsistency shows up in the output. Think of it as a forcing function to clean up your environment — the better your inputs, the sharper Copilot’s answers.
Role permissions still apply. Copilot respects the access controls you’ve set up. An analyst who can’t see certain data in Defender won’t see it through Copilot either. This is good — it means you don’t have a new attack surface to worry about — but it also means you want to make sure the right people have the right access before they start leaning on it.
It’s a reasoning tool, not an oracle. Security Copilot will occasionally get things wrong, draw a slightly off conclusion, or miss context that a seasoned analyst would catch immediately. The answer isn’t to distrust it — it’s to stay in the loop. Use it to accelerate the investigation, not to hand off the judgment call.
Bottom Line
Security Copilot with Defender is, at its best, like having a very fast, very well-read junior analyst who never gets tired, never loses track of the timeline, and will always do the first pass without complaining about it. That’s valuable. Genuinely valuable — not in a press release way, but in a “my team is less exhausted at the end of an incident” way.
The ceiling is real. The limits are real. But so are the wins.
Get it in front of your team in a test environment, run a simulated incident, and watch their faces when they ask it a question they’d normally spend an hour answering. That’s the moment. That’s when it clicks.
Our new hire, it turns out, is pretty good at this particular part of the job.
Coming up: MDI – giving the grizzled PI his close-up, and what to look for in the world of Identity!
Xenodyne Technologies 
Leave a comment