
Right, Microsoft Secure 2025 has wrapped up and my head’s still spinning from the sheer number of announcements. I spent most of last week camped out watching sessions and scribbling notes on anything that looked like it’d matter for day-to-day security work. Here’s my roundup of the stuff that actually stood out.

Security Copilot Everywhere

The headline was impossible to miss: Microsoft is embedding Security Copilot into everything. Literally everything. The standalone Copilot experience from last year? That was just the warm-up. The real push now is putting Copilot right inside the tools security teams are already using.

Here’s where it’s showing up:

  • Defender XDR: Inline Copilot sits right inside the Defender portal now. Incident summaries, guided response actions, natural language KQL generation — all without leaving your investigation workflow. I actually found this properly useful during testing. No more context-switching to a separate window; the suggestions appear right where you need them.
  • Microsoft Entra: Copilot can help with identity investigations now. Risky sign-in analysis, understanding why a Conditional Access policy blocked (or didn’t block) a particular sign-in, getting plain-English explanations of those policies you wrote six months ago and can barely remember. If you’ve ever sat staring at a sign-in log trying to figure out which policy fired and why — yeah, you’ll appreciate this.
  • Microsoft Purview: Data security investigations get the Copilot treatment. Use it to untangle DLP policy matches, summarise insider risk alerts, or get context on sensitive data exposure. It’s early days here, but the direction is promising.
  • Microsoft Intune: Copilot in Intune helps troubleshoot device compliance issues and explain policy configurations. Dead handy when a device isn’t compliant and the reason is buried three layers deep in nested configuration profiles.

Bottom line: Microsoft wants Copilot to be the assistant sitting on your shoulder while you work. Whether it consistently delivers on that promise is something I’ll be putting through its paces over the next few months.

Unified Security Operations Platform

The other big story was the unified security operations platform. Microsoft has been trying to bring Sentinel and Defender XDR closer together for a while, and at Secure 2025 they showed off some real progress.

The unified incident queue is now properly merged — incidents from Sentinel and Defender XDR land in a single view, with correlation happening automatically. Anyone who’s been running both products and dealing with duplicate incidents will know what a relief this is. I’ve spent more hours than I care to admit cross-referencing between portals.

There’s also a new unified entity page. One consolidated view of users, devices, and other entities pulling from both Sentinel and Defender data. No more bouncing between two portals to get the full picture.

Custom detections got an overhaul too. You can now author detection rules that span both Sentinel and Defender XDR data sources from a single experience. If you’ve been maintaining separate rule sets in two different systems, this should simplify your life quite a bit.

Inline Copilot in the Defender Portal

I’m calling this out on its own because I think it’s the most impactful change for anyone doing hands-on security operations work. The inline Copilot in Defender gives you contextual suggestions as you’re investigating.

Hover over an alert and Copilot gives you a summary. Look at an incident timeline and it highlights the key events. Need a KQL query but can’t remember the exact syntax? Just describe what you want and it writes it for you.

I’ll be honest though, it’s not perfect. The KQL generation sometimes comes back needing a tweak. The summaries occasionally miss subtlety. But as a starting point — particularly for junior analysts or when you’re staring at an alert type you don’t see often — it does save real time.
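Because generated KQL needs checking before it goes anywhere near a production workbook or detection rule, it helps to know what a hand-written version of a common request looks like. The query below is an added example written for this post, not Copilot output and not code from Microsoft: it answers the Entra question raised earlier (“which Conditional Access policy fired on this sign-in, and what did it decide?”) against the Sentinel `SigninLogs` table. The user principal name is a constructed placeholder; the `ConditionalAccessPolicies` column, its `displayName`, `result` and `enforcedGrantControls` properties, and the `ConditionalAccessStatus` and `ResultType` columns are the standard schema of that table.

```kql
// Added example, not from the post or from Copilot.
// Which Conditional Access policies evaluated a user's sign-ins over the
// last 7 days, and what each policy decided. Assumes Entra ID sign-in logs
// are connected to Sentinel (the SigninLogs table).
SigninLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName =~ "user@example.com"   // constructed placeholder
// Each sign-in carries an array of every policy that was evaluated;
// expand it so each policy decision becomes its own row.
| mv-expand Policy = ConditionalAccessPolicies
| extend PolicyName    = tostring(Policy.displayName),
         PolicyResult  = tostring(Policy.result),
         GrantControls = tostring(Policy.enforcedGrantControls)
// Keep only policies that actually applied (or would have, in report-only mode);
// "notApplied" / "notEnabled" rows are noise for this question.
| where PolicyResult in ("success", "failure", "reportOnlySuccess", "reportOnlyFailure")
// ResultType "53003" is the sign-in error code for "blocked by Conditional Access";
// ConditionalAccessStatus is the overall outcome across all policies.
| summarize SignIns = count(), LastSeen = max(TimeGenerated)
    by PolicyName, PolicyResult, GrantControls, ConditionalAccessStatus, ResultType
| order by LastSeen desc
```

When comparing a Copilot-generated query against something like this, the usual things to check are the time window (a generated query often defaults to a different `ago()` value than you asked for), whether the policy array was expanded at all (a query that filters on `ConditionalAccessStatus` alone tells you a sign-in was blocked, but not by which policy), and whether report-only results are included or excluded, since that changes the answer to “why didn’t this policy block the sign-in?”.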

What Else Caught My Eye

A few other bits worth flagging:

  • Attack path analysis in Defender for Cloud got improvements, with better visualisations of how an attacker could move laterally through your environment
  • Security posture management for multi-cloud scenarios now has deeper integration with AWS and GCP security findings, which is good news for anyone running a mixed estate
  • Defender for Identity picked up improved lateral movement detection and tighter integration with the unified SOC platform

My Take

Microsoft’s betting heavily on AI-assisted security operations. That’s clear. Security Copilot is the vehicle, and the embedded experiences are a smart approach — they meet security professionals where they already are instead of asking them to adopt another new tool.

Thing is, I’d really urge everyone to test these capabilities in their own environment rather than just watching the demos and assuming it’ll work the same way. The tech is impressive, no doubt. But the actual value you get will depend on your data quality, your team’s maturity, and how well you’ve configured the products underneath.

I’ll be writing deeper pieces on several of these announcements over the coming weeks — starting with Security Copilot in Defender XDR. If you were at Microsoft Secure or caught the sessions on catch-up, I’d love to hear which announcements grabbed your attention.
