Skip to content
Back to Blog
1 min read

Microsoft Security Copilot: AI-Powered Threat Defense

Microsoft AI Security Copilot Cybersecurity

I wrote “Microsoft Security Copilot: AI-Powered Threat Defense” to share practical, production-minded guidance on this topic.

Security Copilot Capabilities

from dataclasses import dataclass
from typing import Optional
from datetime import datetime

@dataclass
class SecurityIncident:
    id: str
    severity: str
    title: str
    description: str
    affected_assets: list[str]
    indicators: list[dict]
    timestamp: datetime

class SecurityCopilot:
    """AI-powered security operations assistant."""

    def __init__(self, client, security_apis):
        self.client = client
        self.apis = security_apis

    async def investigate_incident(
        self,
        incident: SecurityIncident
    ) -> dict:
        """Comprehensive incident investigation."""

        # Gather context
        context = await self._gather_context(incident)

        prompt = f"""Investigate this security incident.

Incident: {incident.title}
Severity: {incident.severity}
Description: {incident.description}
Affected assets: {', '.join(incident.affected_assets)}

Indicators of Compromise:
{self._format_indicators(incident.indicators)}

Additional Context:
{context}

Provide:
1. Initial assessment
2. Attack vector analysis
3. Scope of impact
4. Timeline reconstruction
5. Related threats/campaigns
6. Immediate containment steps
7. Evidence to preserve"""

        response = await self.client.chat_completion(
            model="gpt-4",
            messages=[
                {"role": "system", "content": "You are a senior security analyst."},
                {"role": "user", "content": prompt}
            ]
        )

        return {
            "investigation": response.content,
            "incident_id": incident.id,
            "timestamp": datetime.utcnow().isoformat()
        }

    async def analyze_threat_intel(
        self,
        indicators: list[dict],
        context: str = None
    ) -> dict:
        """Analyze threat intelligence."""

        iocs_str = self._format_indicators(indicators)

        prompt = f"""Analyze these indicators of compromise.

IOCs:
{iocs_str}

{f'Context: {context}' if context else ''}

Provide:
1. Threat assessment
2. Known associations (malware families, APT groups)
3. Attack patterns indicated
4. Risk level
5. Detection recommendations
6. Hunting queries"""

        response = await self.client.chat_completion(
            model="gpt-4",
            messages=[{"role": "user", "content": prompt}]
        )

        return {"analysis": response.content}

    async def generate_hunting_query(
        self,
        threat_description: str,
        platform: str = "microsoft_sentinel"
    ) -> dict:
        """Generate threat hunting query."""

        prompt = f"""Generate a threat hunting query.

Threat to hunt: {threat_description}
Platform: {platform}

Generate:
1. KQL/Query for the platform
2. What the query detects
3. Expected false positives
4. Tuning recommendations"""

        response = await self.client.chat_completion(
            model="gpt-4",
            messages=[{"role": "user", "content": prompt}],
            temperature=0.1
        )

        return {"hunting_query": response.content}

    async def explain_alert(
        self,
        alert_data: dict
    ) -> str:
        """Explain security alert in plain language."""

        import json
        alert_str = json.dumps(alert_data, indent=2)

        prompt = f"""Explain this security alert for a non-technical audience.

Alert:
{alert_str}

Provide:
1. What happened (plain language)
2. Why it matters
3. Immediate risk
4. Recommended action"""

        response = await self.client.chat_completion(
            model="gpt-4",
            messages=[{"role": "user", "content": prompt}]
        )

        return response.content

    async def generate_incident_report(
        self,
        incident: SecurityIncident,
        investigation_findings: dict,
        audience: str = "executive"
    ) -> str:
        """Generate incident report."""

        import json
        findings_str = json.dumps(investigation_findings, indent=2)

        prompt = f"""Generate a security incident report.

Incident: {incident.title}
Severity: {incident.severity}
Investigation Findings:
{findings_str}

Audience: {audience}

Generate a professional report including:
1. Executive summary
2. Incident timeline
3. Technical details
4. Impact assessment
5. Response actions taken
6. Recommendations
7. Lessons learned"""

        response = await self.client.chat_completion(
            model="gpt-4",
            messages=[{"role": "user", "content": prompt}]
        )

        return response.content

    def _format_indicators(self, indicators: list[dict]) -> str:
        """Format IOCs for prompt."""
        lines = []
        for ioc in indicators:
            lines.append(f"- Type: {ioc.get('type')}, Value: {ioc.get('value')}")
        return "\n".join(lines)

    async def _gather_context(self, incident: SecurityIncident) -> str:
        """Gather additional context from security APIs."""
        context_parts = []

        # Get user context
        for asset in incident.affected_assets:
            if "@" in asset:  # Likely a user
                user_context = await self.apis.get_user_context(asset)
                context_parts.append(f"User {asset}: {user_context}")

        # Get recent alerts
        recent = await self.apis.get_recent_alerts(hours=24)
        context_parts.append(f"Recent alerts: {len(recent)} in last 24h")

        return "\n".join(context_parts)

Integration with Microsoft Security Stack

class SecurityStackIntegration:
    """Integrate with Microsoft security products."""

    async def query_sentinel(
        self,
        natural_query: str
    ) -> dict:
        """Convert natural language to KQL for Sentinel."""

        prompt = f"""Convert to KQL for Microsoft Sentinel.

Query: {natural_query}

Generate valid KQL that:
1. Is efficient
2. Handles common edge cases
3. Includes time bounds"""

        response = await self.client.chat_completion(
            model="gpt-4",
            messages=[{"role": "user", "content": prompt}],
            temperature=0
        )

        return {"kql": response.content}

    async def analyze_defender_alert(
        self,
        defender_alert: dict
    ) -> dict:
        """Analyze Microsoft Defender alert."""

        import json
        alert_str = json.dumps(defender_alert, indent=2)

        prompt = f"""Analyze this Microsoft Defender alert.

Alert:
{alert_str}

Provide:
1. Threat assessment
2. Attack technique (MITRE ATT&CK)
3. Recommended response
4. Additional queries to run"""

        response = await self.client.chat_completion(
            model="gpt-4",
            messages=[{"role": "user", "content": prompt}]
        )

        return {"analysis": response.content}

Use Cases

  1. Incident triage - Quickly assess and prioritize alerts
  2. Threat hunting - Generate queries from threat descriptions
  3. Report generation - Create executive and technical reports
  4. Knowledge augmentation - Explain complex security concepts
  5. Response guidance - Step-by-step remediation instructions

Security Copilot addresses the security skills gap by augmenting analysts with AI-powered investigation and response capabilities.\n\n## Takeaways\n\nAdd a concise, personal takeaway and recommended next steps here.\n

Michael John Pena

Michael John Pena

Senior Data Engineer based in Sydney. Writing about data, cloud, and technology.