Security operations centers contend with a constant stream of security incidents, ranging from straightforward to highly complex. To address this, we developed Copilot Guided Response (CGR), an industry-scale ML architecture that guides security analysts across three key tasks: (1) investigation, providing essential historical context by identifying similar incidents; (2) triage, ascertaining the nature of the incident, that is, whether it is a true positive, false positive, or benign positive; and (3) remediation, recommending tailored containment actions. CGR is integrated into the Microsoft Defender XDR product and deployed worldwide, generating millions of recommendations across thousands of customers. Our extensive evaluation, incorporating internal evaluation, collaboration with security experts, and customer feedback, demonstrates that CGR delivers high-quality recommendations across all three tasks. We provide a comprehensive overview of the CGR architecture, setting a precedent as the first cybersecurity company to openly discuss these capabilities in such depth. Additionally, we release GUIDE, the largest public collection of real-world security incidents, spanning 13M pieces of evidence across 1M annotated incidents. By enabling researchers and practitioners to conduct research on real-world data, GUIDE advances the state of cybersecurity and supports the development of next-generation machine learning systems.