Enable Continuous Improvement of SOC Procedures with GitHub Copilot

#TL;DR

SOCs can adopt GitHub Copilot to enable a virtuous cycle of continuous improvement of their operational procedures, enhanced by the capabilities of Generative AI. Watch the three short videos referenced at the end to get an idea of how this can happen.

Acknowledgements

I am indebted to my brilliant colleague Chris S. : his article published a few weeks ago, together with the guidance he kindly provided while I was experimenting with the concepts he described and the solution he shared, were truly enlightening. What I present in this new article is merely a set of reflections developed in the context of that experimentation. Any merit belongs to his work; any conceptual errors are mine alone.

Disclaimer

As always, I must clarify that this article contains personal considerations, not reviewed or validated by experts, and should not be interpreted as official statements or guidance from Microsoft.

The Context

Sentinel, Defender, and Entra are AI‑ready security technologies thanks to the fact that Microsoft provides — free of charge — MCP Servers, which allow AI‑powered agents to connect to them.

Microsoft’s portfolio of solutions for building and running agents is quite extensive: in addition to the general‑purpose platforms Microsoft Foundry (for code‑centric development approaches) and Copilot Studio (for low/no‑code development approaches), the security domain also includes Security Copilot. Within this landscape, GitHub Copilot — when executed in agent mode — can also act as an agent in the context of security operations. In a previous article, I already highlighted how the choice of the most appropriate platform among those mentioned may depend on the specific SOC role for which the agent being developed is intended and I shared a diagram representing all these opportunities.

Access that article if you need the 𝐏𝐏𝐓𝐗 of the diagram for your own edits.

What GitHub Copilot Offers to SOC Operators

Compared to the other agent development and execution platforms mentioned above, GitHub Copilot — when used to support SOC operations — offers several unique characteristics, as illustrated in this figure.

🚀 Adopt Latest Innovations

As observed over recent months, it adopts AI‑related technological innovations earlier than any other solution. For example, at the time of writing, it is the only platform that provides supported procedures to connect to all tools across all MCP Servers offered by Microsoft. As another example, with the recent introduction of support for MCP App extensions (UI-powered local MCP Server), it is now also the only platform capable of generating dynamic visual controls (geomaps, heatmaps, etc.) within the conversational flow.

Finally, it offers the broadest selection of the latest and most powerful LLMs, as illustrated in this figure:

🧩 Enable Modular Organization

With its “agent skills,” it enables the structuring of a set of textual files containing instructions across different domains, which can be used to guide the agent in handling different types of requests (e.g., user investigation, device investigation, etc.). These files can be entirely textual (no‑code scenarios) and, where necessary (low‑code scenarios), can include or reference code components that GitHub Copilot knows how to execute (for example, KQL queries already optimized for specific searches, or Python scripts for specialized needs).

🔄 Support Change Implementation

It is natively an environment designed to support code writing and development across sets of textual files. This capability is particularly useful even simply to make any large‑scale modification of textual instructions (SKILLs) fast and consistent — for example, when operational logic needs to be updated across multiple instruction files. In low‑code scenarios, it is also able to effectively address requirements such as generating code snippets to be integrated into the instructions.

📍 Enable Local Runtimes

It enables the creation and use of code executed in local runtime engines (e.g., Python, Node.js, etc.). In this context, it also allows the creation and use of local MCP Servers to connect to heterogeneous systems for which no native hosted MCP Server exists. Now it also allow to create and use MCP Apps (local MCP Servers with an UI).

🔁 Enable Continuous Improvement

Thanks to its native integration with DevOps platforms such as GitHub and Azure DevOps, it enables the adoption of a collaborative approach to managing instruction files.

Let me elaborate on this last point to highlight its disruptive value within the context of use in a SOC.

Continuous Improvement for Standard Operating Procedures (SOPs)

With other agent creation and execution platforms, it is typically possible to address two scenarios:

• Agents created by SOC users for their own use
• Agents created by SOC users, supporting developers, or commercial vendors and published for use by others

The first case is, by definition, not a collaboration scenario. However, the second case does not enable collaboration either: a consuming user has no direct way to contribute by proposing changes and improvements to the published agents.

With GitHub Copilot, the situation changes completely:

• The SOC can begin adopting this approach by structuring a set of instruction files created directly from the documents that describe its standard operating procedures (SOPs), or from high‑quality instruction files shared within the broader cybersecurity community.
• Once these files are downloaded to their PC, each SOC operator can immediately start using them to conduct their investigations.
• Each SOC operator, by assessing the effectiveness and completeness of these procedures, has the immediate ability to modify them to correct or enrich them according to their own skills and perspective. This can be done not only through manual edits, but also by requesting support from GitHub Copilot itself, in order to speed up the process and make it more consistent. In fact, the operator can also ask GitHub Copilot for help during the earlier evaluation phase of a set of instructions, requesting it to assess their effectiveness, identify potential execution errors, and highlight missing investigation elements.
• An operator who believes they have produced a solid update to one or more procedures and wishes to make these changes available to colleagues can simply use standard DevOps tools (for example, Git — already integrated into VS Code) to “publish” their version and make it available to others, optionally after validation by a team leader.

Such collaboration can only enhance the operational capabilities of the SOC:

• SOCs that are currently not organized around SOPs will be able to easily begin adopting this approach.
• SOCs with already well‑structured procedures will see them improve and expand very rapidly, thanks to the combination of forces achieved by bringing together the capabilities of the most powerful GenAI models with the enablement of collaboration among users.

How SOC Operators Can Use GitHub Copilot

A SOC operator can use GitHub Copilot’s GenAI to perform a variety of heterogeneous tasks:

• Conduct investigations and security data analysis by combining strict, procedure-driven playbooks (instruction files) with free-form, interactive questioning, leveraging MCP Servers provided by Microsoft security products.
• Review the steps of an investigation to identify areas for process improvement or simply aspects that warrant deeper analysis
• Analyze and resolve any errors encountered while executing a procedure
• Make targeted or large-scale changes to procedures (text) and to any code they may contain (KQL, Python, etc...)
• Create entirely new Security Operating Procedures (SOPs), based on the structure of existing ones and with content initially suggested directly by the LLM in GitHub Copilot
• Invoke actions from other tools, for example to push/pull the latest version of SOC procedures
• Create local MCP Servers and MCP Apps to access APIs (this is slightly more complex than the other tasks described in this list, but absolutely feasible: this is exactly how I built from scratch the two local MCP Servers shown in the demo for sending emails and adding comments to Sentinel incidents, including the associated Azure Logic Apps and the documentation to deploy and use them)
• Create Python / PowerShell / … scripts to perform additional types of actions
• …

Demos

Watch these short videos to get an overview of how GitHub Copilot can be used operationally at a SOC.

User and computer investigation in GitHub Copilot with Continuous Improvement

(5 minutes video)

Heat Maps, Geo Maps, and Remediation Procedures with GitHub Copilot

(4 minutes video)

Configuration: MCP Servers and Instructions

(2 minutes video)

References

• Transforming Security Investigations with GitHub Copilot, Microsoft Sentinel Data Lake and Model Context Protocol (MCP) | LinkedIn (by Chris S. - As I'm always writing, this article is a MUST READ!)
• NEW by Chris S. : AI-powered security investigation framework | LinkedIn
• Enhancing SOC Operations with Conversational AI Agents | LinkedIn
• SCStelz/security-investigator - Chris's solution in GitHub
• stefanpems/security-investigator - My fork of Chris's solution
• stefanpems/mcp-email-sender - My local MCP Server for sending emails (used in the first video referenced above)
• stefanpems/mcp-add-comment-to-sentinel-incident - My local MCP Server for writing comments to Defender/Sentinel incidents (also used in the first video referenced above)

Conclusion

I hope that the considerations presented in this article can be useful to SOCs looking to adopt Generative AI to enhance their operational capabilities.