A practical, human take for SOCs on blending analyst judgment with AI speed – without tripping over privacy, governance, or trust.
I can proudly state, that no one joined a Security Operations Center (SOC) to copy-paste Indicators-of-Compromise (IOCs) between tabs or write the same incident summary for the tenth time this week. Security Copilot can take that grind off your plate so you can focus on the messy, ambiguous work that actually needs a human. The goal here isn’t to automate people out of the loop – it’s to give analysts a thinking partner that’s fast, consistent, and transparent.
What co-teaming feels like in a SOC
Imagine a sharp junior SOC analyst who never gets tired. You point it at a Sentinel incident and it pulls context from Defender XDR (MDE/MDI/MDO), Entra ID sign-ins, Purview Audit, Intune posture, Defender for Cloud, maybe even your MISP and TAXII feeds. It drafts the timeline, maps likely MITRE ATT&CK techniques, proposes KQL pivots, and leaves the judgment calls to you. That’s the vibe.
- Advisor in the loop: Copilot summarizes incidents, proposes queries, and suggests next steps. You approve or tweak.
- Executor on the loop: Low-risk tasks – enrichment, evidence collection, tagging – run automatically; anything impactful still needs your click.
- Narrow autonomous agent: Well-scoped jobs like phishing triage can run hands-off with conservative thresholds, explainable decisions, and an easy rollback.
Start with advisor mode, earn trust with evidence, then cautiously expand autonomy.
Clear roles, smoother hand-offs
- Tier 1: Validate Copilot’s summaries, mark false positives, trigger “Investigate,” and escalate when the narrative doesn’t add up.
- Tier 2: Turn hypotheses into concrete KQL, pivot through Advanced Hunting (DeviceProcessEvents, DeviceNetworkEvents, IdentityLogonEvents), and shape new detections.
- IR Lead: Own containment decisions, legal/forensic escalations, and approval gates for any automated action – especially on crown-jewel assets.
- Platform & AI Ops: Wire up connectors (CEF, Syslog, AMA with Data Collection Rules), manage ASIM normalization, RBAC/PIM boundaries, private links, and versioned playbooks.
- Risk & Compliance: Map usage to GDPR, NIS2, DORA, and the EU AI Act; keep audit trails, DPIAs, and Records of Processing (RoPA) current.
EU-first governance without slowing down
- Establish GDPR by design by minimising data in prompts, pseudonymising where possible, and prefer role-based “need-to-know” views. Avoid pushing raw PII into ad-hoc conversations.
- As NIS2 is important topic and if your organization is an Essential or Important Entity, align incident phases and reporting with your competent authority; use Copilot to collect evidence but keep a human on the final wording.
- Treat AI-enabled workflows as ICT services. Keep change logs, run resilience tests, and ensure third-party risk controls cover Copilot integrations and SOAR playbooks for DORA compliance reasons
- Want to make sure that you are complying with EU AI Act as well? If yes: Document intended use, human-oversight controls, training/evaluation datasets, and decision traces. If an agent acts, capture rationale, confidence, and input artifacts.
- Map processes to ENISA good practices and ISO/IEC 27001:2022 (with ISO 27701 for privacy). If relevant, consider BSI C5 and sector standards like TISAX.
- For EU organizations: Prefer EU regions for log storage and processing. If cross-border flows are unavoidable, document SCCs and safeguards in your DPIA.
Architecture patterns that tend to work (from my experience)
- Microsoft Defender XDR, Sentinel, Entra ID, Purview (DLP/Insider Risk/Audit), Defender for Cloud, EASM, third-party feeds via STIX/TAXII for getting the feeds in.
- Logic Apps SOAR playbooks, Graph Security API, Sentinel analytic rules, UEBA, ASIM, Content Hub solutions, watchlists for enterprise IOCs for orchestration.
- Establish your guardrails using Azure RBAC with least privilege, PIM for JIT admin, Conditional Access for admin planes, private endpoints for ingestion, split “staging vs production” workspaces.
- Azure Lighthouse for multi-tenant operations, policy-as-code for prompts/playbooks, per-tenant evidence stores with immutable logging for increased MSSP friendliness.
Very easy examples of KQL Prompts you might want to try out
Advanced Hunting (PowerShell with outbound network)
/code// Microsoft Defender XDR tables
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Invoke-WebRequest", "wget", "curl")
| join kind=leftouter (
DeviceNetworkEvents
| project DeviceId, InitiatingProcessId, RemoteUrl, RemoteIP, Timestamp
) on DeviceId, $left.InitiatingProcessId == $right.InitiatingProcessId
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, AccountName
| order by Timestamp descSentinel with ASIM (process + network)
// Uses ASIM normalized schema if deployed
let proc = _ASim_ProcessEvent
| where EventType == "ProcessCreated"
| where CommandLine has "powershell";
let net = _ASim_NetworkSession
| where DstPort > 0;
proc
| join kind=innerunique (net) on $left.DeviceId == $right.DeviceId, $left.ProcessId == $right.ProcessId
| where TimeGenerated between (ago(7d) .. now())
| project TimeGenerated, DstIpAddr, DstPort, CommandLine, ActorUsername, DvcHostname
| order by TimeGenerated descPseudonymisation example for GDPR-friendly views
// Hash PII before sending to Copilot or broad dashboards
let masked = DeviceProcessEvents
| extend UserHash = hash_sha256(AccountName)
| project Timestamp, DeviceName, FileName, InitiatingProcessFileName, UserHash;
// Keep cleartext joins in a secured view if genuinely needed
maskedPro tip: keep a “Copilot-safe” Log Analytics view that already pseudonymises sensitive fields so analysts don’t need to remember each time.
Validation and trust (show your work)
Trust doesn’t come from promises; it comes from receipts. Start by replaying real, past incidents end-to-end and compare how long they took with and without Copilot. Note where the AI helped, where it hesitated, and where it got things wrong. Refresh this “golden dataset” every quarter so you’re not grading against stale scenarios. And insist on a decision trace: every recommendation should point back to the exact queries, alerts, rules, and artifacts it used. If there’s no evidence, there’s no action. Keep humans in charge of anything that can bite – host isolation, credential resets, firewall changes, device wipes – and require a second pair of eyes for crown-jewel systems. Finally, put your setup under stress with red-team and purple-team drills. Emulate real TTPs, watch for hallucinations or brittle automations, and feed what you learn directly into your playbooks and approval gates.
Metrics that actually matter
Measure what changes work feels like on the ground. Track MTTR by incident class so you can see whether triage and containment are actually faster. Watch your false-positive rate and capture the “why” behind benign closures; that’s how you tune analytics and prompts. Look at analyst throughput per shift, but subtract duplicated effort – busy isn’t the same as effective. Count the minutes saved on the boring stuff (evidence gathering, ticket drafting, status reports) and treat that as reclaimed time for hunting. Keep a simple trust score – the percentage of Copilot suggestions analysts accept versus override – and record the reasons. And maintain a “safety incidents” log for any automated action that needed rollback. These are the numbers that convince leadership and satisfy EU oversight under NIS2 and internal audit reviews.
Final take
Good co-teaming feels calm and deliberate. Copilot handles the grind; analysts handle ambiguity and risk. Evidence is always a click away. Automation is reversible. Compliance isn’t an afterthought. Do that, and your SOC spends more time reasoning and less time wrestling with tooling.
Share this post:
Leave a Comment