Scott Freitas

AI-Driven Guided Response for Security Operation Centers with Microsoft Copilot for Security

Scott Freitas, Jovan Kalajdjieski, Amir Gharib, Rob McCann


Overview of the Copilot Guided Response architecture from the perspective of a single geographic region—uniformly replicated across all regions. Train Pipeline: Running weekly, this process trains grade and action recommendation models based on historical SOC telemetry. Inference Pipeline: Running every 15 minutes, this process generates grade, action, and similar incident recommendations for incoming incidents by leveraging the models created in the train pipeline. Embedding Pipeline: Running every 30 minutes until 180 days of historical embeddings exist, this job creates historical embeddings of SOC incidents for the similar incident recommendation algorithm in the inference pipeline.


Abstract

Security operation centers contend with a constant stream of security incidents, ranging from straightforward to highly complex. To address this, we developed Copilot Guided Response (CGR), an industry-scale ML architecture that guides security analysts across three key tasks – (1) investigation, providing essential historical context by identifying similar incidents; (2) triaging to ascertain the nature of the incident – whether it is a true positive, false positive, or benign positive; and (3) remediation, recommending tailored containment actions. CGR is integrated into the Microsoft Defender XDR product and deployed worldwide, generating millions of recommendations across thousands of customers. Our extensive evaluation, incorporating internal evaluation, collaboration with security experts, and customer feedback, demonstrates that CGR delivers high-quality recommendations across all three tasks. We provide a comprehensive overview of the CGR architecture, setting a precedent as the first cybersecurity company to openly discuss these capabilities in such depth. Additionally, we GUIDE, the largest public collection of real-world security incidents, spanning 13M evidences across 1M annotated incidents. By enabling researchers and practitioners to conduct research on real-world data, GUIDE advances the state of cybersecurity and supports the development of next-generation machine learning systems.

Citation

AI-Driven Guided Response for Security Operation Centers with Microsoft Copilot for Security
Scott Freitas, Jovan Kalajdjieski, Amir Gharib, Rob McCann
arXiv (arXiv). 2024.
Project PDF Blog Dataset BibTeX Deployed in Microsoft Copilot for Security product