Getting Hands On with Security Copilot
I’ve been spending a lot of evenings and weekends with Microsoft Security Copilot lately, specifically the embedded bits inside Defender XDR. The demos looked slick, the marketing sounded great — but I wanted to know what it’s actually like when you throw real investigation scenarios at it. So here’s my honest assessment after a few weeks of proper use.
Setting Expectations
Before anything else: Security Copilot is not replacing your security analysts. If someone’s telling you it will, they’re trying to sell you something. What it does is act as an assistant. It can speed up certain tasks, surface context you might have missed, and help less experienced team members find their feet faster.
The marketing calls it transformative. Reality? More complicated than that. It’s useful in some areas, a bit flat in others, and occasionally maddening when it confidently tells you something that turns out to be wrong. If you’ve used any large language model for more than five minutes, you’ll know the feeling.
Incident Summarisation
This is the bit that impressed me most. Open an incident in Defender XDR and you can pull up an AI-generated summary — what happened, which entities are involved, the timeline, potential impact. All pulled together automatically.
For messy incidents with dozens of alerts and multiple entities? Brilliant. Genuinely brilliant. Instead of spending fifteen minutes manually stitching the story together from individual alerts, you get a coherent narrative in seconds. I found it particularly useful on-call — quickly working out whether something needs attention right now or whether it can wait until morning.
The summaries aren’t always spot on, mind. I’ve seen Copilot overplay a low-severity alert and miss a subtle connection between events in the same incident. But as a starting point for your investigation, it saves proper time.
KQL Query Generation
This was the feature I was most curious about. KQL is a core skill for anyone working in Defender XDR or Sentinel, but even experienced analysts have those moments where the syntax escapes them or they can’t remember which table holds what.
Copilot lets you describe what you want in plain English and it writes the KQL. Something like “Show me all sign-in failures for user john.smith@contoso.com in the last 7 days” comes back as a perfectly functional query hitting the right tables. For simple stuff, it works a treat.
Where it starts to wobble is with anything more complex. Multi-table joins, specific time window formatting, queries referencing custom fields in your environment — these tend to come back needing a fair bit of adjustment. My first attempt at getting it to write a complex cross-table hunting query was, frankly, a disaster. Syntactically valid but logically wrong.
Use it as a starting point, especially if you’re learning KQL or just need something quick. But always review the output before you run it anywhere that matters. I’ve had queries come back that looked right but hit the wrong table or forgot a filter condition entirely.
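To make the “right table, right filter” point concrete, here is what the sign-in failure prompt above should come back as. This is an added example I wrote by hand, not Copilot’s actual output, and it assumes the standard Sentinel SigninLogs table for the first query and the Defender XDR advanced hunting IdentityLogonEvents table for the second; the user and the 7-day window are the ones from the prompt in the text.

```kql
// Added example, not Copilot output. Assumes Entra ID sign-in logs are ingested
// into the Sentinel workspace as the SigninLogs table.
// In SigninLogs, ResultType "0" is a successful sign-in; anything else is a failure.
SigninLogs
| where TimeGenerated > ago(7d)                          // the "last 7 days" window: the filter most often dropped
| where UserPrincipalName =~ "john.smith@contoso.com"    // =~ is a case-insensitive match
| where ResultType != "0"                                // the "failures" condition: without it you get every sign-in
| project TimeGenerated, UserPrincipalName, ResultType, ResultDescription,
          IPAddress, AppDisplayName, Location
| order by TimeGenerated desc

// The same question asked in Defender XDR advanced hunting. The data lives in a
// different table with different column names, which is the "which table holds what"
// problem the text describes. Run this one separately from the query above.
IdentityLogonEvents
| where Timestamp > ago(7d)
| where AccountUpn =~ "john.smith@contoso.com"
| where ActionType == "LogonFailed"                      // success is "LogonSuccess"; no numeric result code here
| project Timestamp, AccountUpn, LogonType, FailureReason, IPAddress, Location
| order by Timestamp desc
```

When reviewing a generated query, the three lines worth checking are the ones commented above: the table name matches where the data actually lives in your tenant, the time window is present and is the one you asked for, and the condition that turns “all sign-ins” into “failures” hasn’t been silently dropped. A query missing any of those is still syntactically valid, which is exactly why it looks right at a glance.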
Promptbooks
Promptbooks are pre-built sequences of prompts for common security scenarios — think investigation playbooks, but powered by Copilot. There are ones for investigating suspicious sign-ins, picking apart phishing emails, assessing vulnerability exposure, that kind of thing.
I’ll be honest, these are cleverer than I expected. Rather than firing off a single question, a promptbook chains together multiple queries to build up a full picture. The phishing investigation one, for example, checks email headers, looks for similar messages sent to other recipients, checks whether links were clicked, then wraps it all up with a risk summary.
For SOC teams that are still building out their processes, promptbooks are a solid starting point. You can also create your own custom ones tailored to your organisation’s investigation workflows — and that’s where the real value sits. Off-the-shelf is fine, but custom promptbooks matched to how your team actually works? Much better.
What Needs Improvement
Wouldn’t be fair to skip the rough edges:
- Consistency is hit and miss. Ask the same question twice and you might get slightly different answers. In security operations, where precision counts, that gets frustrating fast.
- Hallucinations happen. Copilot will sometimes present information that’s just wrong, and it does it with the same confidence as when it’s spot on. You have to verify outputs, full stop — especially anything feeding into a security decision.
- Speed varies. The embedded experiences inside Defender are usually quick enough. The standalone portal? Can be sluggish. Complex promptbooks in particular take their time working through all the steps.
- Cost isn’t trivial. It’s licensed on a consumption basis using Security Compute Units (SCUs). Depending on how much your team leans on it, the bill can creep up. Understand the billing model before you roll it out broadly.
- Garbage in, garbage out. Copilot’s only as good as the data it’s working with. If your Defender XDR environment isn’t well configured or you’re not ingesting the right sources, the analysis quality drops off noticeably.
Who Benefits Most?
From what I’ve seen across a few different organisations:
- Tier 1 SOC analysts get the most obvious win from incident summaries and guided investigations. It’s like having a more experienced colleague looking over your shoulder
- Teams with KQL gaps can use the query generation as both a productivity tool and a learning aid
- Orgs that are still building out SOC processes can lean on promptbooks as a foundation to work from
- On-call analysts who need to triage incidents at 2am and quickly decide what needs escalation
If you’re a seasoned Tier 3 analyst who already dreams in KQL and has well-worn investigation workflows, the value’s less obvious. It might shave a few minutes off here and there, but it won’t change how you work day to day.
My Verdict So Far
Security Copilot is a solid first version with real utility in specific situations. It’s not the revolution the marketing wants you to believe. But it’s not a gimmick either. The embedded experiences in Defender XDR are the strongest part of the product, and incident summarisation on its own makes it worth evaluating.
My advice: start with a small number of SCUs. Let your team use it during actual investigations, not just demos. Measure whether it saves time in practice. Don’t go and deploy it across the whole organisation because a slick demo impressed someone in leadership.
I’ll keep writing about this as I use it more. If you’ve already got Security Copilot running, I’d really like to hear how your team’s getting on with it — the good and the bad.
Useful Links
Security Copilot Documentation