Microsoft Security Copilot Agents: How AI Is Transforming SOC Investigations

Most SOCs do not have a tooling problem anymore. They have a workflow problem. 

Security teams today operate in an environment saturated with platforms: SIEM, XDR, identity protection, email security, threat intelligence feeds and SOAR. Detection coverage has never been stronger. According to the 2024 Verizon Data Breach Investigations Report, organisations are collecting more telemetry than ever, yet breach containment timelines remain stubbornly slow. 

When an alert fires, the investigation still often follows a manual path: 

Check the endpoint.
Check the user.
Review email activity.
Pull timelines.
Search historical events.
Stitch everything into a summary.
Decide what to do next. 

Repeat that dozens of times per day and the real bottleneck becomes obvious.
It is not detection. It is the investigation workflow. 

This is the gap that Microsoft is now targeting with its latest security direction. 

Two components define this shift: 

  • Security Copilot Agents
  • Security Store

Security Copilot Agents: Automation That Is Finally SOC-Shaped 

Early copilots acted as assistants. They summarised alerts, explained detections and helped analysts write reports faster. Useful, but still analyst-driven. 

Agents are different. They are designed to handle repeatable investigation tasks in a controlled, governed way. 

Technically, agents are not just prompts. They operate with: 

  • Defined triggers
  • Scoped permissions
  • A governed identity model
  • Access to tools and data sources
  • Structured outputs returned to analysts

This enables consistent enrichment workflows every single time an alert fires. 

In practice: 

When an alert triggers, instead of an analyst pivoting across tools, the agent: 

  • Pulls endpoint context
  • Checks identity activity
  • Reviews email exposure
  • Gathers related alerts
  • Assembles a timeline
  • Produces a structured summary
  • Suggests response options

The analyst still makes the decision. They simply stop spending most of their time gathering evidence. 
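As an added illustration, not code from the original article and not Microsoft's implementation, the Python sketch below models the agent shape this section describes: a trigger (an alert), a governed identity with a scoped set of permitted tools, a fixed set of data sources, a merged timeline, and a structured summary with suggested response options that is handed back to an analyst for the decision. Every data source, tool name, alert field, host, user, IP address and event is constructed for the example; the real Defender, Sentinel and Copilot APIs differ. The point it adds to the prose is the permission check: a response action such as device isolation that the agent's identity is not scoped for is refused and recorded, even if it appears in the agent's plan.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry standing in for endpoint, identity, email and
# alert data sources. Hosts, users, IPs and events are invented for this example.
ENDPOINT_EVENTS = [
    {"time": "2024-05-01T09:02:00Z", "host": "WS-042", "user": "j.doe",
     "event": "powershell.exe spawned by winword.exe"},
    {"time": "2024-05-01T09:03:10Z", "host": "WS-042", "user": "j.doe",
     "event": "outbound connection to 203.0.113.7:443"},
    {"time": "2024-05-01T09:05:00Z", "host": "WS-017", "user": "a.smith",
     "event": "scheduled backup job started"},
]
SIGNIN_EVENTS = [
    {"time": "2024-05-01T08:58:00Z", "user": "j.doe",
     "event": "interactive sign-in from 198.51.100.23 (new location)"},
    {"time": "2024-05-01T07:00:00Z", "user": "a.smith",
     "event": "interactive sign-in from corporate range"},
]
EMAIL_EVENTS = [
    {"time": "2024-05-01T08:45:00Z", "user": "j.doe",
     "event": "received invoice.docm from external sender"},
]
RELATED_ALERTS = [
    {"time": "2024-05-01T09:02:30Z", "host": "WS-042", "user": "j.doe",
     "event": "suspicious Office child process"},
]


@dataclass(frozen=True)
class Alert:
    """The trigger: a hypothetical alert record with the entities the agent pivots on."""
    alert_id: str
    user: str
    host: str
    title: str


# Hypothetical tools. Each one is a read-only query against one data source.
def endpoint_context(alert):
    return [e for e in ENDPOINT_EVENTS if e["host"] == alert.host]

def identity_activity(alert):
    return [e for e in SIGNIN_EVENTS if e["user"] == alert.user]

def email_exposure(alert):
    return [e for e in EMAIL_EVENTS if e["user"] == alert.user]

def related_alerts(alert):
    return [e for e in RELATED_ALERTS if e["user"] == alert.user or e.get("host") == alert.host]

def isolate_device(alert):
    # A response action. The enrichment agent is deliberately never scoped for it:
    # containment stays an analyst decision, so reaching this line is a bug.
    raise RuntimeError("response action invoked without analyst approval")

TOOLS = {
    "endpoint_context": endpoint_context,
    "identity_activity": identity_activity,
    "email_exposure": email_exposure,
    "related_alerts": related_alerts,
    "isolate_device": isolate_device,
}
READ_ONLY_TOOLS = ("endpoint_context", "identity_activity", "email_exposure", "related_alerts")


def suggest_actions(alert, timeline):
    """Derive response options from the gathered evidence; the analyst decides."""
    text = " ".join(e["event"] for e in timeline)
    actions = []
    if "new location" in text:
        actions.append(f"Revoke sessions and require re-authentication for {alert.user}")
    if "from external sender" in text:
        actions.append("Quarantine the originating message and check other recipients")
    if "outbound connection" in text:
        actions.append(f"Consider isolating {alert.host} (analyst approval required)")
    return actions


@dataclass(frozen=True)
class EnrichmentAgent:
    identity: str             # the governed identity the agent runs as
    allowed_tools: frozenset  # the scope granted to that identity

    def call(self, tool, alert):
        if tool not in self.allowed_tools:
            raise PermissionError(f"{self.identity} is not scoped for {tool}")
        return TOOLS[tool](alert)

    def investigate(self, alert, plan=READ_ONLY_TOOLS):
        """Run the plan, refuse out-of-scope tools, return a structured summary."""
        timeline, denied = [], []
        for tool in plan:
            try:
                timeline.extend({**e, "source": tool} for e in self.call(tool, alert))
            except PermissionError:
                denied.append(tool)
        timeline.sort(key=lambda e: datetime.fromisoformat(e["time"].replace("Z", "+00:00")))
        return {
            "alert_id": alert.alert_id,
            "entities": {"user": alert.user, "host": alert.host},
            "evidence_count": len(timeline),
            "first_seen": timeline[0]["time"] if timeline else None,
            "last_seen": timeline[-1]["time"] if timeline else None,
            "timeline": timeline,
            "suggested_actions": suggest_actions(alert, timeline),
            "denied_tools": denied,
            "decision": "pending analyst review",
        }


if __name__ == "__main__":
    import json
    alert = Alert("A-1001", "j.doe", "WS-042", "Suspicious Office child process")
    agent = EnrichmentAgent("sc-agent-enrichment", frozenset(READ_ONLY_TOOLS))
    print(json.dumps(agent.investigate(alert, READ_ONLY_TOOLS + ("isolate_device",)), indent=2))
```

The summary is a plain dictionary so that it can be serialised and attached to the incident, and the `denied_tools` field makes scope violations visible to the analyst rather than silently dropping them.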

This matters because analysts spend a significant portion of their day on repetitive work. According to Gartner, up to 50 percent of SOC analyst time is spent on manual investigation and documentation tasks, not actual threat hunting or response. 

Agents directly target that inefficiency. 

Security Store: The Part Many Organisations Underestimate 

Security Store sounds minor until you consider what it changes. 

Historically, expanding SOC capability meant: 

  • Writing runbooks
  • Building scripts
  • Maintaining integrations
  • Fixing broken automation
  • Repeating the process constantly

Security Store shifts this toward a platform model. It acts as a marketplace embedded in the Microsoft security ecosystem where organisations can discover and deploy Microsoft or partner-built agents and solutions directly into Defender, Sentinel and Copilot workflows. 

This enables teams to: 

  • Deploy ready-made investigation agents
  • Bring in partner automations faster
  • Standardise workflows across environments
  • Scale capability without scaling engineering effort

It does not remove the need for custom engineering. But it removes a large portion of the repetitive engineering overhead most SOCs struggle with. 

The Critical Foundation: Data 

None of this works if security data remains fragmented or short-lived. 

Behind the scenes, the Microsoft Sentinel data lake provides long-term, unified security telemetry designed for analytics and AI workflows. 

Agents only appear intelligent when they have context. The data layer provides that context. 

The importance of this cannot be overstated. According to (ISC)², the global cybersecurity workforce gap reached 4 million professionals in 2023, meaning organisations must rely more heavily on automation and AI to compensate for limited human capacity.

Without centralised telemetry and long-term retention, AI-driven workflows cannot function effectively. 

Garbage in, garbage out still applies. 

What This Changes Inside the SOC 

Stepping back, the emerging model looks like this: 

Signals from Defender, identity, cloud, email and Sentinel detections feed into a unified data foundation holding long-term context. 

Copilot agents handle enrichment, summarisation and repeatable investigation tasks. 

Security Store supplies deployable capabilities and extensions. 

Analysts focus on validation, containment decisions and real threat hunting. 

This is a major shift from the traditional SOC where humans drove every step and automation helped occasionally. 

Here, AI handles structured work while humans provide judgement. 

Why This Matters Now 

Security teams do not scale linearly with alert volume. 

According to the Verizon DBIR, organisations continue to experience rising alert volumes and increasingly complex attack chains, while breaches still take an average of 204 days to identify and 73 days to contain (IBM Cost of a Data Breach Report 2024).

Hiring experienced analysts fast enough to match this growth is not realistic. 

The direction Microsoft is taking points toward a SOC where: 

  • Junior analysts operate closer to senior level
  • Investigations become consistent across teams
  • Repetitive enrichment happens automatically
  • Institutional knowledge is embedded in workflows
  • Capability grows without massive engineering overhead

This fundamentally changes daily SOC operations. 

Security Copilot Agents and Security Store are not just new features.
They are early indicators of a shift toward an AI-orchestrated SOC platform. 

Agents change how investigations are executed.
Security Store changes how capability is delivered.
The data platform underneath makes both useful. 


References (APA) 

Gartner. (2024). Top trends in security operations.
https://www.gartner.com/en 

IBM. (2024). Cost of a Data Breach Report 2024.
https://www.ibm.com/reports/data-breach 

(ISC)². (2023). Cybersecurity Workforce Study.
https://www.isc2.org/Research/Workforce-Study 

Verizon. (2024). 2024 Data Breach Investigations Report.
https://www.verizon.com/business/resources/reports/dbir/ 

Microsoft. (2024). Microsoft Security Copilot overview.
https://learn.microsoft.com/en-us/security-copilot/ 

Microsoft. (2024). Microsoft Sentinel overview.
https://learn.microsoft.com/en-us/azure/sentinel/overview 
