At Microsoft, we believe that security is a team sport. That’s why we are committed to meeting customers where they are, integrating with the solutions they already use to ensure that everyone can take advantage of the agentic capabilities of Security Copilot.

And it’s not just an idea—it’s a reality. We’re excited to share why partners such as BlueVoyant, OneTrust, and Tanium chose to build agents with Security Copilot—and the value this brings to their customers.

By watching the videos featuring BlueVoyant, OneTrust, and Tanium, you’ll see firsthand how collaboration drives innovation and empowers security teams to tackle today’s threats with agility and confidence. Together, these partner-built agents show how organizations and partners can transform Security Copilot into an integrated force multiplier—proving that security is a team sport.

Partner-built agents power smarter protection

BlueVoyant – Specializing in comprehensive cyber risk management, BlueVoyant provides a suite of services to protect organizations from cyberattacks. In this video, we learn about BlueVoyant Watchtower and how their agents help customers get the most out of their Sentinel and Defender products by using an agent to always review the environment and recommend updated rules, configurations, and policies that catch bad actors Security Copilot gives us the advantage of moving more quickly.” – Micah Heaton, Executive Director, Microsoft Product & Innovation Strategy at BlueVoyant

OneTrust – OneTrust, a privacy and consent management platform, specializes in helping customers responsibly use data and AI. By partnering with Microsoft—specifically Microsoft’s Sentinel platform—OneTrust is able to provide their customers with a full view of their data estate. The Privacy Breach Response Agent by OneTrust combines the deep privacy and regulatory expertise of OneTrust with the robust generative AI capabilities of Microsoft Security Copilot, automating privacy risk assessments improving their accuracy.

Tanium – Specializing in endpoint management and security, Tanium gives IT teams visibility and control over every device in their environment. Tanium’s partnership with Microsoft provides Tanium with seamless integration into Microsoft’s Security products via Copilot, which combined with Tanium’s real-time environment insights, power powerful end to end workflows across Defender, Entra, Tanium, and Intune. The Security Triage Agent by Tanium accelerates alert triage, providing security teams with the context they need to make informed decisions on Tanium Threat Response alerts swiftly.

The work of partners like BlueVoyant, OneTrust, and Tanium is shaping a new security ecosystem—one where the Microsoft Security Store is a launchpad for partner innovation to drive real-world customer impact. The Store turns partner-built agents into enterprise-ready solutions by providing Microsoft-validated certification, high‑quality metadata, consistent deployment flows, secure authentication and transactions, and in‑product visibility inside Defender, Entra, and Security Copilot. These deployed agents run securely in your Security Copilot zero-trust environment.

The power of the Security Store is that it doesn’t just distribute agents—it amplifies them. It gives partners a unified, trusted surface where their solutions are discoverable directly within Microsoft Security products; where customers can compare capabilities through standardized metadata; where installation is guided and repeatable; and where Microsoft’s AI foundation elevates the value of every partner-built capability. For customers, this means direct access to the best of partner-driven security innovation. Partner-built agents deliver value at every stage of the security journey: proactively monitoring sensor health, surfacing actionable insights, accelerating investigations, and automating incident response. These capabilities help organizations strengthen their security posture, respond faster to threats, and stay ahead of attackers.

For partners, success begins with identifying the unique value their agent brings to customers and designing real security outcomes—such as improved detection, automated investigations, and measurable risk reduction. As more partners publish agents, the ecosystem expands- unlocking advanced scenarios like phishing and identity alert triage, incident enrichment, policy optimization, and automated remediation. By combining Microsoft’s AI foundation with specialized partner expertise, Security Copilot agents deliver differentiated solutions that address a wide range of security challenges—from privacy and compliance workflows to vulnerability management and forensics—helping customers strengthen their security posture and respond faster to threats.

Explore resources and documentation

Explore all the partner-built agents in Security Copilot and partner SaaS offerings at the Microsoft Security Store and at the Security Store Learn page Security Store documentation – Security Store | Microsoft Learn. Or read more documentation on Security Copilot agents to learn:

• What agents are and how they work in Security Copilot
• How partners build and integrate agents
• Links to related resources for development and deployment

A major wave of updates has landed: integration with the new Sentinel data lake and graph, new ready-made and custom agents, and the debut of the Microsoft Security Store.

Let’s take a look at what’s new.

Microsoft Sentinel and Security Copilot integration delivers deeper context and smarter AI

Sentinel data lake is now generally available, and new capabilities like Sentinel graph and the Model Context Protocol (MCP) server are in public preview, bringing in a new level of integration with Security Copilot. Agents can now access richer, more connected data from across Sentinel, combining graph, structured, and semantic context to reason and act with greater precision. This enhanced foundation transforms AI-driven detection and response, helping teams resolve incidents faster and uncover deeper insights across their environments.

Read more in the Sentinel announcement blog: Introducing Microsoft Sentinel graph

Build your own Security Copilot agents, no coding required

Now anyone on your team can create custom Security Copilot agents. Use a no-code portal or developer tools to design, test, and deploy agents that automate the workflows you need most. Your team controls how they work and what they do.

Learn more: Build your own Security Copilot agent

New Microsoft and partner ready-made agents for real challenges

These new agents help teams address common security and IT challenges faster and smarter:

• Access Review Agent in Microsoft Entra: Streamline access reviews, flag unusual patterns, and reduce fatigue for security and compliance teams. It helps maintain governance and compliance by automatically analyzing ongoing access reviews and highlighting potential risks.

o   Learn more: The Microsoft Entra agent for smarter access governance: Access Review Agent

• Phishing Triage Agent in Microsoft Defender saves nearly 200 hours a month: In this new customer spotlight, St. Luke’s is seeing the impact of integrating Security Copilot agents into their daily workflows. ACISO Krista Arndt says, “The Phishing Triage Agent is a game changer. It’s saving us nearly 200 hours monthly by autonomously handling and closing thousands of false positive alerts.” With routine triage automated, security teams can shift from reactive response to proactive threat hunting, freeing up time for higher-value work and faster threat mitigation.

The launch of 30 new partner-built agents that can be found on the Microsoft Security Store with solutions like:

• Forensic Agent by glueckkanja AG: Delivers deep-dive analysis of Defender XDR incidents to accelerate investigations and uncover root causes faster.
• Privileged Admin Watchdog Agent by glueckkanja AG: Helps enforce zero standing privilege principles by removing persistent admin identities, reducing risk, and strengthening administrative security.
• Ransomware Kill Chain Investigator Agent by adaQuest: Automates ransomware triage to quickly detect and respond to threats, enabling security teams to focus on high-priority incidents.
• Entity Guard Investigator Agent by adaQuest: Investigates Defender incidents and provides actionable insights to accelerate incident resolution and strengthen security posture.
• Admin Guard Insight Agent by adaQuest: Analyzes administrative activity, detects anomalies, evaluates risk exposure and compliance, and delivers actionable guidance to improve administrative security.
• Identity Workload ID Agent by Invoke: Empowers identity administrators and security teams to manage and secure Workload Identities in Microsoft Entra, reducing risk, strengthening compliance, and controlling identity sprawl.

o   Find these agents and more in the Microsoft Security Store

Microsoft Security Store – one, centralized place to find agents and SaaS solutions

The Microsoft Security Store makes it simple to discover, deploy, and buy Security Copilot agents and partner solutions. Start using any of the 30 new agents or 50 SaaS solutions to power your SOC, IT, privacy, and compliance workflows.

Read more in the announcement blog: Introducing Microsoft Security Store

Stay tuned and explore more!

Security Copilot is transforming how security and IT teams operate – bringing AI-powered insights, automation, and decision support into everyday workflows. With new capabilities landing every month, the pace of innovation is accelerating.

We’ll be back in November with more updates. Until then, explore these resources to get hands-on, deepen your understanding, and see what’s possible:

• Security Copilot Video Hub – Watch demos and walkthroughs to see Security Copilot in action
• Microsoft Security Copilot Website – Learn about capabilities, use cases, and product details
• Security Copilot Adoption Hub – Access rollout guides, templates, and best practices

Don’t miss Microsoft Ignite – we’ll be announcing exciting new capabilities for Security Copilot and sharing what’s next in AI-powered security.

Introduction 

Microsoft Security Exposure Management (MSEM) provides the Cyber Defense team with a unified, continuously updated awareness of assets exposure, relevant attack paths and provides classifications to these findings. While MSEM continuously creates and updates these finding, the Security Operations Center (SOC) Engineering team needs to reach to this data and interact with it as a part of their proactive discovery exercises. 

Microsoft Security Copilot (SCP) on the other hand, acts as an always-ready AI-powered copilot to the SOC Engineering team. When combined, the situational awareness from MSEM and the quick and consistent retrieval capabilities of SCP, MSEM and SCP empower the SOC Engineers with a natural-language front door into exposure insights and attack paths, this combination also opens the door to include MSEM content, and the reasoning over this content in Security Copilot prompts, in prompt books and allows the use of this content in automation scenarios that leverage security copilot. 

Traditionally, a SOC person needs to navigate to Microsoft Security Advanced Hunting, retrieve data related to assets with a certain level of exposure, and then start building plans for each asset to reduce its exposure, a plan that needs to take into consideration the nature of the exposure, the location the asset is hosted and the characteristics of the asset and requires working knowledge of each impacted system. This approach: 

• Is a time-consuming process, especially when taking into consideration the learning curve associated with learning about each exposure before deciding on the best course of exposure reduction; and 
• Can result in some undesired habits like adapting a reactive approach, rather than a proactive approach; Prioritizing assets with a certain exposure risk level; or attending to exposures that are already familiar to the person reviewing the list of exposures and attack paths.  

Overview of Exposure Management 

Microsoft Security Exposure Management is a security solution that provides a unified view of security posture across company assets and workloads. Security Exposure Management enriches asset information with security context that helps you to proactively manage attack surfaces, protect critical assets, and explore and mitigate exposure risk. 

Who uses Security Exposure Management? 

Security Exposure Management is aimed at: 

• Security and compliance admins responsible for maintaining and improving organizational security posture. 

• Security operations (SecOps) and partner teams who need visibility into data and workloads across organizational silos to effectively detect, investigate, and mitigate security threats. 

• Security architects responsible for solving systematic issues in overall security posture. 

• Chief Information Security Officers (CISOs) and security decision makers who need insights into organizational attack surfaces and exposure in order to understand security risk within organizational risk frameworks. 

What can I do with Security Exposure Management? 

With Security Exposure Management, you can: 

• Get a unified view across the organization 

• Manage and investigate attack surfaces 

• Discover and safeguard critical assets 

• Manage exposure 

• Connect your data 

Reference links: 

Overview of Security Copilot plugins and skills 

Microsoft Security Copilot is a generative AI-powered assistant designed to augment security operations by accelerating detection, investigation, and response. Its extensibility through plugins and skills enables organizations to tailor the platform to their unique environments, integrate diverse data sources, and automate complex workflows. 

Plugin Architecture and Categories: 

Security Copilot supports a growing ecosystem of plugins categorized into: 

• First-party plugins: Native integrations with Microsoft services such as Microsoft Sentinel, Defender XDR, Intune, Entra, Purview, and Defender for Cloud. 

• Third-party plugins: Integrations with external security platforms and ISVs, enabling broader telemetry and contextual enrichment. 
• Custom plugins: User-developed extensions using KQL, GPT, or API-based logic to address specific use cases or data sources.

Plugins act as grounding sources—providing context, verifying responses, and enabling Copilot to operate across embedded experiences or standalone sessions. Users can toggle plugins on/off, prioritize sources, and personalize settings (e.g., default Sentinel workspace) to streamline investigations. 

Skills and Promptbooks 

Skills in Security Copilot are modular capabilities that guide the AI in executing tasks such as incident triage, threat hunting, or policy analysis. These are often bundled into promptbooks, which are reusable, scenario-driven workflows that combine plugins, prompts, and logic to automate investigations or compliance checks. 

Security analysts can create, manage, and share promptbooks across tenants, enabling consistent execution of best practices. Promptbooks can be customized to include plugin-specific logic, such as querying Microsoft Graph API or running KQL-based detections. 

Role-Based Access and Governance 

Security Copilot enforces role-based access through Entra ID security groups: 

• Copilot Owners: Full access to manage plugins, promptbooks, and tenant-wide settings. 

• Copilot Contributors: Can create sessions and use promptbooks but have limited plugin publishing rights. 

Each embedded experience may require additional service-specific roles (e.g., Sentinel Reader, Endpoint Security Manager) to access relevant data. Governance files and onboarding templates help teams align plugin usage with organizational policies.  

Connecting Exposure Management with Security Copilot 

There are multiple benefits of connecting MSEM with Security Copilot (as explained in section 1 [Introduction] of this paper). We wrote a plugin with two skills to harness the Exposure Management insights within Security Copilot and to eventually understand the exposure of assets hosted in a particular cloud platform by your organization and of assets belonging to a specific user. 

A high-level architecture of the connectivity looks like this: 

The two skills of the plugins correspond to the following two use cases: 

1. Obtain exposure of an asset hosted on a particular cloud platform by your organization  
2. Obtain exposure of an asset belonging to a specific user  

As a user you could also specify the exposure level for which you want to extract the data, in each of the above use cases. 

Plugin Code (YAML) 

GitHub – Microsoft Security Exposure Management plugin for Security Copilot – YAML 

Proof of Concept (screen video) 

Conclusion

Here, we proposed an alternative approach that drives up the SOC’s efficiency and helps the organization reduce the time from exposure discovery to exposure reduction. The alternative approach proposed allows the SOC person to retrieve assets that fit a certain profile, i.e. prompt Security Copilot to “List all assets hosted on Azure with Low Exposure Level” and after all affected assets are retrieved, the user can then prompt Security Copilot to “For each asset, help me create a 7-days plan to reduce these exposures” and can then finally conclude with the prompt “Create an Executive Report, start by explaining to none-technical audience the risks associated with the identified exposures, then list all affected assets, along with a summary of the steps needed to reduce the exposures identified”. These prompts can also be organized in a promptbook, further reducing the burden on the SOC person, and can also be made using Automation on regular intervals, where the automation can later email the report to intended audience or can be further extended to create relevant tickets in the IT Service Management System. 

An additional approach to risk management is to keep an eye on highly targeted personas within the organization, with the proposed integration a SOC person can prompt Security Copilot to find “What are the exposure risks associated with the devices owned by the Contoso person john.doe@contoso.com”. This helps the SOC person identify and remediate attack paths targeting devices used by highly targeted persons, where the SOC person can, within the same session, start digging deeper into finding any potential exploitation of these exposures, get recommendations on how to reduce these exposures, and draft an action plan. 

This week at Microsoft Secure, we announced the next big step forward in agentic security. In addition to Microsoft and partner-built agents, you can now create your own Security Copilot agents, extending the growing ecosystem of agents that help teams automate workflows, close gaps, and drive stronger security and IT outcomes.

Why it matters: no two environments are the same. Out-of-the-box agents give you powerful starting points, but your workflows are unique. With custom agents, you get the flexibility to design and deploy solutions that fit your organization.

Two ways to build: Your choice, your workflow

Security Copilot gives you options. Analysts can easily build with a no-code interface. Developers can stay in their preferred coding environment. Either way, you end up with a fully functional, testable, and deployable agent.

For full documentation and detailed guidance on building agents, check out the Microsoft Security Copilot documentation. But now, let’s walk through the key steps so you can get started building your own agent today.

Option 1: Build in Security Copilot, no coding required

Step 1: Create in natural language

Click ‘Build’ in the left nav, describe what you want your agent to do in plain language, and submit. Security Copilot will engage in a back-and-forth conversation to clarify and capture your intent so you start with precision.

Step 2: Auto-generate the configuration
Security Copilot instantly creates a starter setup, giving you:

• An agent name and description
• Clear instructions and input parameters
• Recommended tools pulled from the catalog, including Microsoft, partner, and Sentinel MCP tools

This saves time and generates a strong foundation you can build on

Step 3: Customize to fit your needs
Tailor the configuration to your needs, you can edit any part. Update instructions, swap tools, or add new ones from the tool catalog. If the right tool isn’t available, you can create one in natural language or a form-based experience. You’re in full control of how your agent works.

Step 4: Keep YAML and no-code views aligned
Every change you make is automatically reflected in the underlying YAML code. This ensures consistency between the no-code visual and code views, so both analysts and developers can work with confidence. Toggle on ‘view code’ to see it live.

Step 5: Test and elevate with autotune instruction optimization
Run full end-to-end tests or test individual components to see how your agent performs. Security Copilot shows detailed outputs and a step-by-step activity map of the agent’s dynamic plan, including the tools, inputs, and outputs.

While you can test without it, turning on autotune instruction optimization delivers major advantages:

• Refined instruction recommendations you can copy directly into your config
• AI quality scoring on clarity, grounding, and detail to ensure your agent is effective before publishing
• Faster iteration with confidence your agent is tuned for real-world use

Explore the activity graph tab to view a visual node map of the run, and click any node to see details of what happened at each step.

Step 6: Publish and share
When you’re ready, publish the agent into your Security Copilot instance at either a user or workspace scope (depending on admin permissions). If you’re a partner, you can also download the agent code, publish to the Microsoft Partner Center and contribute it to the Microsoft Security Store for broader visibility and adoption by customers.

Benefit: Build production-ready agents in minutes without writing a single line of code.

It’s that easy to build an agent tailored to your unique workflows, and you are not limited to the Security Copilot portal. If you prefer a developer-friendly environment, you can build entirely in VS Code using GitHub Copilot and Microsoft Sentinel MCP tools. You still get AI-powered guidance, YAML scaffolding, and testing support, along with rich context from Sentinel data and the full platform toolset, all while staying in the environment that works best for you.

Option 2: Build in VS Code using GitHub Copilot + Microsoft Sentinel MCP Tools

Step 1: Set up your development environment
Enable the Microsoft Sentinel MCP server in VS Code. This gives you direct access to the collection of Security Copilot agent creation MCP tools and integrates with GitHub Copilot for code generation – all while staying in your preferred workspace.

Step 2: Define agent behavior from natural language with platform context
Describe the agent you want to build in natural language. GitHub Copilot interprets your intent, selects the relevant MCP tools, find relevant skills and tools in Security Copilot for your agent, and crafts the agent instructions. The agent YAML gets generated and outputted back to you. Because your agent is built on Microsoft Security Copilot and Sentinel, it automatically leverages rich data and tooling across the platform for context-aware, more effective results.

Step 3: Iterate, customize and extend your agent
Modify instructions, add tools, or create new tools as needed. Use prompts to vibe code your edits or copy the YAML into the code editor and directly modify the agent YAML there. GitHub Copilot keeps the chat and code in sync.

Step 4: Deploy to Security Copilot for testing
Once you’re ready to test your agent YAML, prompt GitHub Copilot to deploy the agent to your user scope. Then head to the Security Copilot portal to test and optimize your agent with autotune instruction optimization. Take advantage of detailed outputs, activity maps, and AI scoring to refine instructions and ensure your agent performs effectively in real-world scenarios.

Step 5: Publish and share your agent

Once validated, publish the agent into your Security Copilot instance at either user or workspace scope (depending on admin permissions). Partners can also download the agent code, publish to the Microsoft Partner Center, and contribute it to the Microsoft Security Store for broader discoverability and adoption.

What you get: Full code-level control and the same AI-powered agent development experience while staying in your preferred workspace.

Whichever approach you choose, you can build, test, and deploy agents that fit your workflows and environment. Microsoft Security Copilot and Microsoft Sentinel give you the tools and advanced AI guidance to create agents that work for your organization.

Explore the Microsoft Security Store

Automate your workflows with pre-built solutions. The Microsoft Security Store gives you a central place to discover and deploy agents and SaaS solutions created by Microsoft and partners. Browse ready-to-use solutions, learn from proven approaches, and adapt them with your own customizations. It’s the quickest way to expand your ecosystem of agents and accelerate impact. More resources about the Security Store: What is Security Store? Microsoft Learn

Build, deploy, defend

Security Copilot puts the power of agentic AI directly in your hands. Start with ready-to-use agents from Microsoft and partners, or create custom agents designed specifically for your environment and workflows. These agents streamline decision-making, surface critical insights, and free your team to focus on strategic security initiatives – making operations faster, smarter, and more responsive.

Join us at Microsoft Ignite, online or in-person, for hands-on demos and insights on how Security Copilot agents empower teams to act faster and protect better.

More resources on building Security Copilot agents:

• Watch the Mechanics video to see agents in action: Security Copilot agents Mechanics video
• For more detailed guidance on building agents, check out the Microsoft Security Copilot documentation

Special thanks to my co-authors, Namrata Puri (Principal PM, Security Copilot) and Sherie Pan (PM, Security Copilot), for their insights and contributions

Microsoft Security Copilot is redefining how security and IT teams operate. Today at Microsoft Secure, we’re unveiling powerful updates that put genAI and agent-driven automation at the center of modern defense. In a world where threats move faster than ever, alerts pile up, and resources stay tight, Security Copilot delivers the competitive edge: contextual intelligence, a growing network of agents, and the flexibility to build your own. 

The announcements focus on three key areas: building your own Security Copilot agents for tailored workflows, expanding the agent ecosystem with new Microsoft and partner solutions, and improving agent quality and performance. These updates build on the agents first introduced in March while giving security and IT teams more flexibility and control. This is the blueprint for the next era of agentic defense, and it starts now. 

Build your own Security Copilot agents, your way 

While we already offer a growing catalog of ready-to-use agents built by Microsoft and partners, we know that no two environments are alike. That’s why Security Copilot empowers you to create custom agents your way for tailored workflows – whether you’re an analyst with limited coding experience or a developer using your favorite platform – you can build agents that fit your needs. 

Build agents in the Security Copilot portal

Users can now build agents with a simplified, no-code interface in the standalone Security Copilot experience. Simply describe the task or workflow in natural language, and Copilot automatically generates the agent code. You can edit components, add any additional tools, including Sentinel MCP tools from our rich tool catalog, test the agent, optimize its instructions, and publish directly to your tenant. Create dynamic, ready-to-use agents in minutes – without writing any code. 

Build agents in a preferred MCP server-enabled development environment

For teams with experienced developers, you can also use natural language and vibe-coding to build agents in a preferred MCP server-enabled coding platform, such as VS Code using GitHub Copilot. By enabling the Sentinel MCP server, developers can access MCP tools to build, refine, and deploy custom agents directly within their workspace. This approach gives full control over code, tools, and deployment while keeping the process within familiar development platforms. 

These options empower both technical and non-technical teams to rapidly create, test, and deploy custom Security Copilot agents. Organizations can automate workflows faster, design agents to their unique needs, and improve security and IT operations across the board. 

Discover new Security Copilot agents 

Since Security Copilot agents were first introduced in March, we have delivered more than a dozen Microsoft and partner-developed agents that help organizations tackle real challenges in security and IT operations. Analysts using the Conditional Access Optimization Agent in Microsoft Entra have been able to quickly uncover policy gaps, closing an average of 26 gaps per customer in just one month, with 73% of early adopters acting on at least one recommendation. The Phishing Triage Agent in Microsoft Defender has allowed analysts to shift from reactive sifting to proactive resolution, reducing triage time by up to 78%. Read how St Lukes University saves nearly 200 hours monthly in phishing alert triage and creating incident reports in minutes instead of hours. 

The Phishing Triage Agent is a game changer. It’s saving us nearly 200 hours monthly by autonomously handling and closing thousands of false positive alerts.  
– Krista Arndt, ACISO, St. Luke’s University Health Network 

We’re continuing to build on this momentum with new agents designed to address additional security and IT scenarios.  

The new Access Review Agent in Microsoft Entra tackles a common challenge: reduce access review fatigue and approving access without review. It analyzes ongoing reviews, flags anomalies or unusual access patterns, and delivers actionable guidance in a conversational interface. Reviewers can approve, revoke, or request more details right in Microsoft Teams, helping them focus on the riskiest access, make faster decisions, and strengthen compliance. With innovations like this, we’re not just reducing fatigue—we’re redefining how access governance is done, setting the standard for security agents that adapt to the way people work. Learn more about the Access Review Agent here.

And, with the growing range of agentic use cases, the new Microsoft Security Store is your one-stop shop to discover, purchase, and deploy Security Copilot agents built by Microsoft and trusted partners. Find solutions aligned for SOC, IT, privacy, compliance, and governance teams, all in one place. By uniting discovery, deployment, and publishing in a single experience, Security Store powers a thriving ecosystem that gives your team a unique advantage: access to an ever-expanding range of agent capabilities that evolve as fast as the challenges they face. 

In addition to helping customers find the right solutions, Security Store also enables partners to bring their innovations to market. Partners can build and publish Security Copilot agents and SaaS solutions to grow their business and reach new customers. Today, we are announcing 30 new partner-built agents as well as 50 partner SaaS solutions in the Security Store.  

The launch of 30 new partner-built agents brings forward solutions like:  

• A Forensic Agent by glueckkanja AG delivers deep-dive analysis of Defender XDR incidents to accelerate investigations, while their Privileged Admin Watchdog Agent helps enforce zero standing privilege principles by getting rid of persistent admin identities. These innovations, along with their other 6 agents in the Security Store today, demonstrate how glueckkanja AG is empowering organizations to tackle a wide range of security and IT challenges.  

• 3 agents from adaQuest focused on automating investigation and response to focus security teams on what matters. A Ransomware Kill Chain Investigator Agent by adaQuest automates ransomware triage, an Entity Guard Investigator Agent by adaQuest investigates Defender incidents, and an Admin Guard Insight Agent analyzes administrative activity, detects anomalies, evaluates risk exposure and compliance, offering actionable insights to improve administrative security posture.  

• An Identity Workload ID Agent by Invoke empowers identity administrators and security teams to manage and secure Workload Identities in Microsoft Entra, helping to reduce risk, strengthen compliance, provide more control over identity sprawl.  

To learn more about all new partner-built agents as well as partner SaaS offerings, read the blog or head to the Microsoft Security Store. 

Smarter, faster Security Copilot agents 

High-quality LLM instructions are critical to agent performance, yet manually fine-tuning them is time-consuming and error-prone. We’re excited to introduce tools that help improve custom-built agent quality and performance, starting with autotune instruction optimization. Autotune eliminates the need for manual tuning by automatically analyzing and refining agent instructions for optimal performance. Simply enable autotune during testing and submit, then receive a detailed results report with suggested prompt changes boost your agent’s AI quality score quickly and effortlessly. This optimization not only delivers better outcomes faster, but it also ensures that every agent in our ecosystem is always evolving – making them smarter, sharper, and more effective over time. 

But instructions are only part of the picture. To truly empower agents, context and data is key. By combining rich security signals from Microsoft Sentinel with advanced AI reasoning, Microsoft is setting a new standard for what agents can achieve—resolving incidents faster, optimizing workflows, and delivering deeper, more actionable insight. Security Copilot leverages a unified foundation of structured, graph, and semantic data from Sentinel to give agents the context they need to connect the dots across your environment. This deep integration transforms what AI can do, enabling agents to reason, adapt, and act with precision at machine speed. Read the Sentinel graph announcement here. 

Get Started Today

With Security Copilot, the power of AI is now in your hands. Deploy ready-to-use agents from Microsoft and partners, or design custom agents built for your environment and workflows. These agents accelerate decision-making, surface critical insights, and let teams focus on strategic security work – turning complexity into clarity and speed. Explore Security Store today to experience how agentic automation is reshaping security operations and unlocking the full potential of your team. Learn more about how to create your own agents. 

Deep dive into these innovations at Microsoft Secure on Sept. 30, Oct. 1 or on demand. Then, join us at Microsoft Ignite, Nov, 17–21 in San Francisco, CA or online—for more innovations, hands-on labs, and expert connections. 

Integrating Microsoft Security Copilot with Azure Logic Apps enables security teams to automate investigations, orchestrate fast incident response, and unify workflows across the modern enterprise. By leveraging the unique strengths of both platforms, organizations can achieve scalable, efficient, and actionable security automation. 

Why Integrate Security Copilot with Logic Apps?

Security Copilot brings AI-powered reasoning, automation, and natural language-to-action workflow capabilities. When paired with Logic Apps, it enables:

• Seamless orchestration: Launch incident investigations or automated email analysis with a single trigger.
• Advanced automation: Integrate across Microsoft and third-party security tools without heavy coding.
• Consistent, repeatable outcomes: Use Security Copilot’s prompts and promptbooks for security-centric routines and reduce potential for error .

Common scenarios include incident response initiation, scheduled security reports, and automated threat intelligence gathering.

Best Practices for designing robust workflows:

1. Identify your use case

Not all scenarios require automation. Likewise, not all use cases benefit equally from combining automation with AI enrichment. The first step in unlocking value from Azure Logic Apps and Security Copilot is selecting the right use cases—those that align with both operational needs and the capabilities of these tools.

To identify a suitable use case, we suggest the following guidelines:

• • • Start with repetitive tasks: Look for tasks that are performed frequently and follow a predictable pattern, such as alert enrichment, ticket creation, or user access reviews. These are ideal candidates for automation via Logic Apps.
    • Assess the complexity of decision-making: If a task involves nuanced decision-making or contextual analysis—like investigating suspicious sign-ins or correlating threat indicators—Security Copilot’s AI capabilities can add significant value.
    • Evaluate data availability and integration points: Ensure the use case involves systems and data sources that Logic Apps can connect to easily (e.g., Microsoft Sentinel, Entra ID, Office 365 E-mail). While it is possible to build your own custom, connectors, the availability of built-in connectors is a key consideration for the success of the integration.
    • Consider the impact on security operations: Prioritize use cases that reduce manual effort, accelerate response times, or improve accuracy in threat detection and remediation. 
    • Check for existing playbooks or templates: Use cases that align with existing Logic Apps templates or Security Copilot skills are easier to implement and test. Microsoft’s GitHub repository for Copilot for Security or the Sentinel GitHub repos are great places to start.
    • Validate with stakeholders: Collaborate with SOC managers, incident responders, and IT admins to confirm that the selected use case addresses a real pain point and fits within current workflows.

2. Optimize for performance, cost, and scale

• • • Leverage direct skill invocation: This has the effect of cost reduction and faster execution as the planning process that natural language prompts must go through is bypassed.
    • Optimize Security Copilot calls: Limit Copilot calls within workflows to actions that benefit from AI-value addition such as reducing cognitive load on the Security Analyst or providing reasoning over disparate sets of facts while taking advantage of the investigation context powered by the wide range of Security Copilot skills that are native to the product 
    • Logic App tuning: Fine-tune trigger frequency and need for AI-value addition i.e. you may only need to attach a Logic App that submits security copilot prompts as part of its flow based on the complexity of the expected incidents vs all detection rules and resulting incidents

Pro Tips

i. Prototype cost-effective, complex workflows 

Prototype complex workflows with test data before deploying to production environments. You can do this by simulating Security Copilot prompts by using variable instead of actual calls to Security Copilot during the testing phase. Follow the following steps to do this:

a. Run the prompt or promptbook within Security Copilot to obtain the desired payload

b. In this example we need to execute the following promptbook as part of a workflow that involves extraction of firewall device names and their owners so that we can send them an e-mail, alerting them to block public IPs exhibiting suspicious behaviors:

Fig. 1 : Sample Promptbook for demo

c. Execute the promptbook

Fig 2. Sample promptbook run

d. Next, we prompt Security Copilot to generate an output that can be used to generate a JSON formatted payload which we will eventually use to create a schema for our Logic App ParseJSON step.

Fig 3. Output from promptbook run

e. Next, use a LLM, preferably an enterprise grade one such as Microsoft 365 or Security Copilot to generate the JSON payload

Fig. 4: Generated sample payload

f. Next, use the sample payload to create the input schema for the ParseJSON step in the Logic App

Fig. 5: Generate the schema using the sample payload

g. Initialize a variable and save the sample JSON-this will act as simulated output Parsed from the EvaluationResult of the Promptbook from Security Copilot-effectively avoiding any costs involved with submitting the promptbook multiple times while you test and refine your Logic App

Fig. 6 Image showing initialization and saving of variable

h. You can now run the Logic App several times without submitting any prompts to Security Copilot . If you must test with payloads that vary considerably you can still do that by not saving it in the variable, and selecting the “Run with payload” option then pasting your payload in the resulting box

Fig. 7 Logic App snippet showing manual execution of Logic App

i. Once happy with Logic App flow and output you can replace the variable with the actual Security Copilot connection for your prompt or promptbook

Fig. 8 Partial snapshot of sample Logic App

ii. Session management: Use the Session Id field to maintain investigative context—enabling multiple prompts within a workflow to share data without re-authentication. However, you can also spawn new sessions which allows for parallel execution of tasks without dependency on current session content

iii. Provide descriptive connector names: Rename default connector names as you build out your logic app. This helps to troubleshoot the Logic App or maintain it, especially if it is being done by someone other than the one that built the original one. Example below describes exactly what the step does vs the default connector names:

Fig. 9. Partial snapshot of Logic App showing descriptive names for Logic App connectors

iv. Use custom code: Enhance workflows with inline Python or Function App steps for specialized operations, such complex text transformations or data extractions. In the example below, a function app is used to apply a regex operation to extract the e-mail GUID. This comes in handy when you do not have a built-in connector for specific requirements or existing ones are not as efficient tor flexible as a function app would be.

Fig. 9 Logic App snippet showing use of the Function connector

 v. Secure your Logic App workflows

• • Managed identities: Leverage managed identities across all connectors that support this authentication method whenever you use them in your flows.
  • Obfuscate secrets in run histories: Actions that handle passwords, secrets, keys, or other sensitive information are visible by default from the run history of the Logic App. For example, if your logic app gets a secret from Azure Key Vault to use when authenticating an HTTP action, you may want to hide that secret from view by enabling the toggle button for supported actions. See below:

Fig. 10 showing toggle set to “on” to enable securing of outputs

You may also use source IP addresses to perform access restrictions to this data. See details in this document

Log and monitor activities: Enable logging for action taken by Logic Apps in your environment for greater visibility and control. If using Microsoft Sentinel, you can send Logic App activities to your Log Analytics workspace and benefit from queries such as the one below:

SentinelHealth

| where TimeGenerated > ago(30d)

| where SentinelResourceType == “Playbook”

| extend triggeredBy = ExtendedProperties.TriggeredByName.UserDisplayName

vi. Use parameters 

Parameters allow workflows to be dynamic and reusable by enabling the injection of context-specific data—such as usernames, incident IDs, or IP addresses—at runtime. This flexibility means a single Logic App can serve multiple scenarios without hardcoding values, improving maintainability and scalability. Additionally, parameters help enforce security best practices by supporting secure input/output handling, which protects sensitive information during execution.

Conclusion

Security Copilot and Logic Apps together unlock a flexible, AI-powered automation platform for any security operations team. By following these best practices—efficient prompt design, session context management, robust security controls, and scheduled automation—organizations can level up their security response and proactivity. To go even further, explore Microsoft’s official documentation, the Security Copilot Adoption Hub, Techcommunity blog portal and our GitHub repo. I f you have any feedback or ideas on how you think we can further improve the value delivered by these solutions working together, please reach out. Always happy to hear back from you.

Additional resources

Security-Copilot/Logic Apps

Microsoft Security Copilot – Microsoft Adoption

Category: Security Copilot | Microsoft Community Hub