Here’s how BUI can help you take advantage of the new AI-powered capabilities in Microsoft Defender, Microsoft Sentinel and Microsoft 365 E5 to strengthen your security operations.
The security landscape is shifting again: Microsoft has just unveiled a new wave of integrated AI capabilities across Microsoft Defender, Microsoft Sentinel and Microsoft 365 E5. These advancements, showcased during the 2025 Microsoft Ignite conference in San Francisco, are designed to transform how organisations detect, investigate and respond to threats. For those already managing complex hybrid and multi-cloud environments, this new era of AI-powered security offers substantial benefits – but it also requires a strategic approach to deployment and implementation to ensure success.
As a Microsoft Solutions Partner for Security, a Microsoft MXDR Verified Partner, and a member of the Microsoft Intelligent Security Association, we’re uniquely positioned to help you turn these innovations into measurable results. Let’s take a closer look at the major security announcements from Ignite, what they mean for organisations like yours, and how the BUI team can support you.
New in Microsoft Defender: Agentic tools and AI-powered incident triage
Microsoft has introduced new agents, powered by Security Copilot, to bring AI into the day-to-day workflows for SIEM and XDR users within Microsoft Defender. These agents can assist with threat hunting, intelligence analysis, incident investigation, and risk prioritisation, helping analysts work faster and more accurately. Microsoft is also improving the Microsoft Defender incident queue, with an updated AI-powered experience now in public preview.
1 | The Threat Hunting Agent
Quick overview: The Threat Hunting Agent guides analysts through end-to-end investigations using natural language. It delivers direct answers, suggests investigative steps, and provides context that speeds up the discovery of anomalies.
Key benefits: With this agent in play, threat hunting becomes faster and more consistent. Your junior analysts will be empowered to perform advanced tasks and your senior analysts will gain precious time for deeper analysis. Overall, your SecOps team will benefit from increased investigative capacity.
2 | The Threat Intelligence Briefing Agent
Quick overview: Integrated into the Microsoft Defender portal, the Threat Intelligence Briefing Agent creates custom intelligence briefings by combining Microsoft Threat Intelligence with global feeds and organisation-specific context. Analysts can use these briefings to better understand risks, vulnerabilities, and emerging campaigns.
Key benefits: Your SecOps team will gain quick access to relevant threat intelligence without having to conduct manual research. They can prioritise risks more effectively and initiate remediation based on clear recommendations and direct links to affected assets.
3 | The Dynamic Threat Detection Agent
Quick overview: The Dynamic Threat Detection Agent proactively hunts for false negatives and blind spots. When a major incident occurs, it checks for related undetected threats (such as latent activity on sensitive identities), thereby identifying gaps that traditional alerting might miss.
Key benefits: Your SecOps team will have a safety net that increases confidence during high-impact investigations. You’ll be able to validate that incidents have been fully contained and that hidden activity does not go unnoticed.
4 | AI-powered incident triage
Quick overview: A new Microsoft Defender incident queue experience (currently in public preview) uses artificial intelligence to score and prioritise security incidents. By leveraging factors like alert types, criticality tags and MITRE mappings, it produces risk scores that help analysts understand which incidents require immediate action.
Key benefits: Your SecOps team will have a clear view of incident rankings, enabling faster and more confident decision-making in the face of high-impact threats.
New in Microsoft Sentinel: More connectors, data lake enhancements, and RBAC
Microsoft has also introduced a significant set of updates to Microsoft Sentinel, its connector ecosystem, and the Sentinel data lake. Together, these improvements support businesses that want to unify signals, reduce storage costs, and maintain strict governance across complex cloud environments.
1 | The Sentinel connector ecosystem surpasses 350 integrations
Quick overview: Microsoft unveiled a broad set of new out-of-the-box connectors that support AWS, GCP, SAP, Palo Alto and numerous third-party security and compliance platforms. These connectors make it easier to bring multi-cloud and hybrid telemetry into Sentinel without custom development.
Why this matters: Richer telemetry increases the accuracy of detection and reduces blind spots across your distributed environments. These connectors also expand Microsoft Purview Data Security Posture Management capabilities through streamlined access to external data asset information.
2 | Direct data ingestion into the data lake
Quick overview: Sentinel now supports the direct ingestion of Microsoft Defender for Endpoint data into the data lake, with Defender for Office 365 and Defender for Cloud Apps expansion coming in December 2025. Entra, Syslog, CEF and CommonSecurityLog sources can also be ingested.
Why this matters: This model gives you cost-effective long-term storage for historical security data. It also provides the depth needed for retro-hunting, incident review, and compliance without storing everything in the analytics tier.
3 | Enhanced role-based access control for the data lake
Quick overview: The Sentinel data lake has enhanced its permission model to enable users to access workspace data in the lake based on their granular Azure role-based access control (RBAC) permissions on each workspace. Support for managed identities and service principals is coming soon.
Why this matters: You can now implement more precise access controls, supporting least-privilege models across your SIEM and data lake environments. Your automation workflows can also operate more securely through identity-based access.
4 | Threat analytics for SIEM customers
Quick overview: Microsoft’s threat intelligence library covering threat actors, vulnerabilities, campaigns, and indicators of compromise is now available to Sentinel users. The intelligence aligns to MITRE techniques, tactics and procedures.
Why this matters: High-quality threat intelligence gives analysts detailed insights for proactive hunting and remediation. Your SecOps team can respond more effectively when attacker behaviours and relevant indicators are clear.
New in Microsoft 365 E5: Security Copilot now included
[Photo: Ryan Roslansky (CEO, LinkedIn and Executive Vice President, Microsoft Office and Copilot) speaks during the 2025 Microsoft Ignite conference in San Francisco. Photo credit: Microsoft]
One of the most impactful Ignite announcements this week was the inclusion of Security Copilot for Microsoft 365 E5 customers. This change brings AI agents directly into Defender, Entra, Purview and Intune for Microsoft 365 E5 customers.
Quick overview: Security Copilot capabilities are being activated for Microsoft 365 E5 customers in phases. Organisations with existing Security Copilot licences and Microsoft 365 E5 have access now. All other Microsoft 365 E5 customers will receive access soon, with a 30-day advance notification from Microsoft.
Why this matters: For many organisations, this significantly increases the value of their Microsoft 365 E5 investments, especially at a time when staff shortages and high alert volumes are putting pressure on internal teams. Now, SecOps analysts will gain immediate access to AI tools across the Microsoft 365 security ecosystem for richer context and consistent, intelligent assistance.
How BUI can help you take advantage of these innovations
1 | Strengthening your security operations with built-in AI
The latest AI capabilities in Microsoft Defender and Microsoft Sentinel allow security professionals to work faster and more accurately, but only when they’re properly embedded into existing processes. We can help you:
- activate, customise and integrate these tools into your day-to-day security operations
- fine-tune AI-driven triage and align your workflows with the agentic features in Sentinel
- configure advanced threat hunting queries and refine your SecOps playbooks
- equip your analysts with the skills to use these capabilities effectively.
Whether you’re onboarding new data sources, expanding your threat intelligence workflows, or modernising your architecture, we can provide the technical and operational support to transform your Security Operations Centre into a proactive, intelligence-driven defence hub.
2 | Guided deployment, optimisation, and SCU management
With Security Copilot now included for Microsoft 365 E5 customers – and Security Compute Units (SCUs) required to scale AI workloads – you may need clarity on configuration, optimisation, and cost control. We provide guided deployment and optimisation services to help you verify that Security Copilot is configured correctly; prompts and workflows are efficient; and SCU usage remains predictable. We can also help you model and forecast usage patterns so that you gain maximum value without unnecessary spend.
3 | AI oversight frameworks and advisory services
As AI becomes more important to your security operations, you’re responsible for ensuring that automation remains transparent, validated, and aligned with applicable compliance policies. We can help you establish practical oversight frameworks that support the confident use of AI. Our advisory services include governance model design, automated action review, validation of AI-assisted outcomes, and guardrails that reduce risk while maintaining agility. This approach enables your team to innovate securely while retaining full control and accountability.
Your next step: Embracing AI-powered security operations
Microsoft Ignite 2025 has made one thing undeniable: AI is now at the core of Microsoft’s security stack, empowering organisations with smarter detection, richer context, and automated decision-making across Microsoft Defender, Microsoft Sentinel, and Microsoft 365 E5.
Here at BUI, we know that adopting new technologies is only the beginning… The real business transformation happens when AI is operationalised: integrated into playbooks, governed responsibly, and fully embraced by the people who depend on it.
We’re here to help. If you’re ready to strengthen your security posture, modernise your security operations, and empower your teams with Microsoft’s latest capabilities, let’s get started. Contact us to arrange a chat.