AI-Driven Guided Response for Security Operation Centers with Microsoft Copilot for Security
Scott Freitas, Jovan Kalajdjieski, Amir Gharib, Robert McCann

TL;DR
This paper introduces Microsoft Copilot for Security Guided Response (CGR), an ML system integrated into Microsoft Defender XDR that assists security analysts in investigation, triage, and remediation, backed by extensive evaluation and a large public incident dataset.
Contribution
The paper presents CGR, a novel ML architecture for cybersecurity incident response, and releases GUIDE, the largest annotated cybersecurity incident dataset to date.
Findings
CGR provides high-quality, actionable recommendations across key security tasks.
CGR is deployed globally, generating millions of recommendations.
The GUIDE dataset enables large-scale evaluation and development of security response systems.
Abstract
Security operation centers contend with a constant stream of security incidents, ranging from straightforward to highly complex. To address this, we developed Microsoft Copilot for Security Guided Response (CGR), an industry-scale ML architecture that guides security analysts across three key tasks -- (1) investigation, providing essential historical context by identifying similar incidents; (2) triaging to ascertain the nature of the incident -- whether it is a true positive, false positive, or benign positive; and (3) remediation, recommending tailored containment actions. CGR is integrated into the Microsoft Defender XDR product and deployed worldwide, generating millions of recommendations across thousands of customers. Our extensive evaluation, incorporating internal evaluation, collaboration with security experts, and customer feedback, demonstrates that CGR delivers high-quality…
Taxonomy
Topics: Network Security and Intrusion Detection · Software Testing and Debugging Techniques
