NOW IN PREVIEW: Microsoft Security Copilot Agents in Purview
Microsoft has introduced Security Copilot agents in Microsoft Purview (preview) to help organisations automate and scale triage across Data Loss Prevention (DLP) and Insider Risk Management (IRM). These AI-powered agents are built on the Microsoft Security Copilot platform and leverage Security Compute Units (SCUs) to reason over alerts, analyse content, and prioritise risk—at scale.
📌 New agents are:
1. DLP Triage Agent
🔹 Content Risk: Based on Microsoft-provided SITs, trainable classifiers, and default sensitivity labels.
🔹 Exfiltration Risk: External sharing, label removal/downgrades, unapproved domains.
🔹 Policy Risk: Based on rule actions and policy enforcement modes.
2. Insider Risk Management (IRM) Triage Agent
🔹 User Risk: Behavioural anomalies
🔹 File Risk: Sensitivity, activity history, labelling
🔹 Activity Risk: Combination of file, device, and app indicators
These agents process alert queues and prioritise incidents based on parameters you define, such as time range, policy scope, and organisational risk tolerance. They reason over alert content, user behaviour, and file metadata to highlight what matters most.
❗ Security Context: Agents operate in the security context of the last user who configured them. That access must be refreshed every 90 days and respects Entra ID admin scopes.
📌 Use Cases
🔹 Prioritise risk-based alerts without drowning in volume
🔹 Focus analyst time on actionable threats
🔹 Improve signal-to-noise ratio in Insider Risk and DLP investigations
🔹 Leverage explainable AI to justify alert severity rankings
🚫 Known Limitations
🔹 No support for pseudonymization in IRM
🔹 Limited file evidence analysis on endpoints if tenant settings are incomplete
🔹 Agents won’t triage alerts based solely on custom SITs or trainable classifiers
🔹 Max supported file size for triage: 2 MB
Want to learn more?
📘 Learn how to get started: Security Copilot Agents in Microsoft Purview overview (preview) | Microsoft Learn
Follow me on LinkedIn: José Lázaro | LinkedIn


