
AI-Driven Guided Response for Security Operation Centers with Microsoft Copilot for Security

Scott Freitas, Jovan Kalajdjieski, Amir Gharib, Robert McCann

TL;DR

This work provides a comprehensive overview of the CGR architecture, making Microsoft the first cybersecurity company to openly discuss these capabilities in such depth, and releases GUIDE, the largest public collection of real-world security incidents: 13M evidence records across 1M incidents, annotated with ground-truth triage labels by customer security analysts.

Abstract

Security operation centers contend with a constant stream of security incidents, ranging from straightforward to highly complex. To address this, we developed Microsoft Copilot for Security Guided Response (CGR), an industry-scale ML architecture that guides security analysts across three key tasks: (1) investigation, providing essential historical context by identifying similar incidents; (2) triage, determining whether the incident is a true positive, false positive, or benign positive; and (3) remediation, recommending tailored containment actions. CGR is integrated into the Microsoft Defender XDR product and deployed worldwide, generating millions of recommendations across thousands of customers. Our extensive evaluation, incorporating internal evaluation, collaboration with security experts, and customer feedback, demonstrates that CGR delivers high-quality recommendations across all three tasks. We provide a comprehensive overview of the CGR architecture, setting a precedent as the first cybersecurity company to openly discuss these capabilities in such depth. Additionally, we release GUIDE, the largest public collection of real-world security incidents, spanning 13M evidence records across 1M incidents annotated with ground-truth triage labels by customer security analysts. This dataset represents the first large-scale cybersecurity resource of its kind, supporting the development and evaluation of guided response systems and beyond.

Paper Structure

This paper contains 26 sections, 3 figures, 4 tables, 2 algorithms.

Figures (3)

  • Figure 1: Overview of the Copilot Guided Response architecture. Train Pipeline: Running weekly, this process trains grade and action recommendation models based on historical SOC telemetry. Inference Pipeline: Running every 15 minutes, this process generates grade, action, and similar incident recommendations for incoming incidents by leveraging the models created in the train pipeline. Embedding Pipeline: Running every 30 minutes until 180 days of historical embeddings exist, this job creates historical embeddings of SOC incidents for the similar incident recommendation algorithm in the inference pipeline.
  • Figure 2: Sampled distribution of incident size---measured by the number of alerts per incident---exhibits a long-tailed pattern where the majority of incidents have only a few alerts.
  • Figure 3: PR curves of triage performance in Region 2
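The following is an added illustration, not code from the paper or from Microsoft, of how the pieces named in the abstract and in Figure 1 fit together: a historical embedding store pruned to the 180-day window the embedding pipeline maintains, the similar-incident lookup (task 1), a grade recommendation in the TP/FP/BP vocabulary (task 2), and the precision/recall computation behind a PR curve like Figure 3. Everything about the internals is an assumption: the embedding here is a hashed bag of alert titles and the grade is a similarity-weighted vote over neighbours, whereas CGR's real encoder and trained grade model are not described on this page. The incidents and scores are constructed sample data, not records from GUIDE.

```python
"""Added illustration, not the paper's code: a schematic of guided-response
tasks 1 and 2 over a rolling 180-day store of incident embeddings (the window
Figure 1's embedding pipeline keeps), plus one PR-curve point as in Figure 3.
Assumptions (not stated on this page): embedding = hashed bag of alert titles;
grade recommendation = similarity-weighted vote over nearest incidents."""
from __future__ import annotations

import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

EMBED_DIM = 1024                        # hashed-feature width (assumption)
HISTORY_WINDOW = timedelta(days=180)    # retention as in Figure 1's embedding pipeline
GRADES = ("TP", "FP", "BP")             # true positive, false positive, benign positive


@dataclass
class Incident:
    incident_id: str
    created: datetime
    alert_titles: list[str]
    grade: str | None = None            # analyst's triage label, None while untriaged


def embed(titles: list[str]) -> list[float]:
    """Unit-norm hashed bag of alert titles (stand-in for CGR's encoder)."""
    vec = [0.0] * EMBED_DIM
    for title in titles:
        digest = hashlib.sha256(title.strip().lower().encode()).digest()
        idx = int.from_bytes(digest[:4], "big") % EMBED_DIM
        vec[idx] += 1.0 if digest[4] & 1 else -1.0   # signed feature hashing
    norm = math.sqrt(sum(x * x for x in vec)) or 1.0
    return [x / norm for x in vec]


def cosine(a: list[float], b: list[float]) -> float:
    return sum(x * y for x, y in zip(a, b))


class EmbeddingStore:
    """Historical incident embeddings, pruned to the last 180 days."""

    def __init__(self) -> None:
        self._rows: list[tuple[Incident, list[float]]] = []

    def add(self, inc: Incident) -> None:
        self._rows.append((inc, embed(inc.alert_titles)))

    def prune(self, now: datetime) -> None:
        cutoff = now - HISTORY_WINDOW
        self._rows = [(i, e) for i, e in self._rows if i.created >= cutoff]

    def similar(self, query: Incident, now: datetime, k: int = 3):
        """Task 1: the k most similar historical incidents with their grades."""
        self.prune(now)
        q = embed(query.alert_titles)
        scored = [(cosine(q, e), inc) for inc, e in self._rows
                  if inc.incident_id != query.incident_id]
        scored.sort(key=lambda s: s[0], reverse=True)
        return [(inc.incident_id, round(score, 3), inc.grade) for score, inc in scored[:k]]


def recommend_grade(neighbours) -> str:
    """Task 2 stand-in: similarity-weighted vote over neighbours' analyst grades."""
    votes = defaultdict(float)
    for _, score, grade in neighbours:
        if grade in GRADES and score > 0:
            votes[grade] += score
    if not votes:
        return "NO_RECOMMENDATION"       # no graded history close enough to vote
    return max(GRADES, key=lambda g: votes[g])


def precision_recall(scores, labels, threshold, positive="TP"):
    """One point of a PR curve such as Figure 3's; TP is the positive class."""
    tp = fp = fn = 0
    for score, label in zip(scores, labels):
        predicted = score >= threshold
        if predicted and label == positive:
            tp += 1
        elif predicted:
            fp += 1
        elif label == positive:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


# Constructed sample incidents (not from GUIDE); inc-003 is older than the window.
NOW = datetime(2024, 6, 1)
HISTORY = [
    Incident("inc-001", NOW - timedelta(days=10),
             ["Suspicious PowerShell command line", "Credential dumping via LSASS"], "TP"),
    Incident("inc-002", NOW - timedelta(days=40), ["Suspicious PowerShell command line"], "FP"),
    Incident("inc-003", NOW - timedelta(days=200), ["Credential dumping via LSASS"], "TP"),
    Incident("inc-004", NOW - timedelta(days=5), ["Anomalous sign-in from new country"], "BP"),
]
QUERY = Incident("inc-new", NOW,
                 ["Suspicious PowerShell command line", "Credential dumping via LSASS"])


def run_demo():
    store = EmbeddingStore()
    for inc in HISTORY:
        store.add(inc)
    neighbours = store.similar(QUERY, NOW, k=3)
    grade = recommend_grade(neighbours)
    # Constructed triage scores and analyst labels for a held-out set, cut at 0.5.
    pr = precision_recall([0.9, 0.8, 0.6, 0.3, 0.2], ["TP", "FP", "TP", "TP", "BP"], 0.5)
    return neighbours, grade, pr


if __name__ == "__main__":
    print(run_demo())
```

Two operational points the toy makes visible: the 180-day prune is what bounds the lookup to the history Figure 1's embedding pipeline actually materialises, so an incident older than that (inc-003 above) never surfaces as context even if it is the closest match; and because the grade vote is only as good as the analyst labels on the neighbours, a PR curve must be computed against held-out analyst grades, not against the recommendations themselves.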