What's New in Microsoft Security Copilot: A Deep Dive into the Latest Updates
As the cybersecurity landscape grows increasingly complex, security teams are facing an avalanche of alerts, incidents, and operational challenges. Microsoft Security Copilot — the AI-powered assistant integrated into Microsoft’s security ecosystem — continues to evolve to meet these demands. In its latest set of updates (March 2025), Microsoft has significantly expanded Security Copilot’s capabilities, focusing on automation, intelligence, and analyst productivity.
Let’s dive into the most impactful new features and what they mean for security professionals.
1. Autonomous Agents: Redefining SOC Automation
One of the most headline-grabbing features is the rollout of AI-powered agents. These agents automate high-volume, repetitive security tasks, freeing up analysts to focus on higher-order threat analysis and response.
Microsoft-Developed Agents
Phishing Triage Agent (Defender): Automatically reviews user-reported phishing emails, identifies true threats, and prioritizes them.
Alert Triage Agents (Purview): Used for both Data Loss Prevention and Insider Risk alerts, these agents filter out noise and highlight critical issues.
Conditional Access Optimization Agent (Entra): Helps prevent identity and access issues by simulating and suggesting policy improvements.
Vulnerability Remediation Agent (Intune): Analyzes known vulnerabilities and prioritizes remediation tasks based on threat context.
Threat Intelligence Briefing Agent: Summarizes the most relevant intelligence, aligned to your organization’s assets and posture.
These agents work autonomously but are integrated with Security Copilot’s guided experience, ensuring analysts remain in control of decision-making.
2. Threat Intelligence: Context at Your Fingertips
Security Copilot is now more intelligent in how it delivers insights.
New Features:
Malware Encyclopedia (Public Preview): Analysts can ask Security Copilot to explain malware families or identifiers. This feature taps into Microsoft’s internal threat database to provide readable summaries of threats, behaviors, and indicators.
Reason for Inclusion (Generally Available): When Copilot surfaces multiple threat actors or techniques, this feature explains why each result is shown. It's a huge improvement in transparency and relevance filtering.
Suggested Prompts (Generally Available): Analysts receive dynamic prompts based on the current investigation — a helpful nudge for junior analysts or for speeding up common workflows.
3. Plugin Management and Ecosystem Expansion
Security Copilot is increasingly modular, allowing for a more tailored experience.
Plugin Management UI: Now available, this feature allows security teams to enable or disable specific plugins within Copilot’s interface.
CheckPhish Plugin: New integration for scanning suspicious URLs and detecting phishing, scams, and cryptojacking in real time.
Third-Party Plugins (Preview): Security Copilot now supports external plugins from CyberArk, Jamf Pro, Red Canary, SGNL.ai, and others, allowing teams to bring their existing stack into the Copilot interface.
4. Analyst Experience: Query Assistance & Efficiency
Security Copilot is also getting smarter about how it helps analysts write, understand, and validate queries.
KQL Explanation (Generally Available): When Security Copilot generates Kusto Query Language (KQL) queries, it now explains each part in plain language. This helps upskill users while improving trust in automation.
Direct System Capability Calls (Public Preview): Allows promptbooks (Copilot’s automated workflows) to call system-level capabilities directly. This reduces the need for redundant requests and improves SCU (Security Compute Unit) efficiency.