Security operation centers contend with a constant stream of security incidents, ranging from straightforward to highly complex. To address this, we developed Copilot Guided Response (CGR), an industry-scale ML architecture that guides security analysts across three key tasks -- (1) investigation, providing essential historical context by identifying similar incidents; (2) triaging to ascertain the nature of the incident -- whether it is a true positive, false positive, or benign positive; and (3) remediation, recommending tailored containment actions. CGR is integrated into the Microsoft Defender XDR product and deployed worldwide, generating millions of recommendations across thousands of customers. Our extensive evaluation, incorporating internal evaluation, collaboration with security experts, and customer feedback, demonstrates that CGR delivers high-quality recommendations across all three tasks. We provide a comprehensive overview of the CGR architecture, setting a precedent as the first cybersecurity company to openly discuss these capabilities in such depth. Additionally, we GUIDE, the largest public collection of real-world security incidents, spanning 13M evidences across 1M annotated incidents. By enabling researchers and practitioners to conduct research on real-world data, GUIDE advances the state of cybersecurity and supports the development of next-generation machine learning systems.

翻译：安全运营中心持续应对从简单到高度复杂的安全事件流。为此，我们开发了Copilot引导式响应（CGR），这是一种工业级机器学习架构，可引导安全分析师完成三项关键任务——（1）调查：通过识别相似事件提供必要的历史背景；（2）分类：确定事件性质——属于真阳性、假阳性还是良性阳性；（3）修复：推荐定制化的遏制措施。CGR已集成至Microsoft Defender XDR产品并在全球部署，为数以千计的客户生成数百万条建议。我们通过内部评估、与安全专家协作及客户反馈进行的广泛评估表明，CGR在所有三项任务中均能提供高质量建议。本文全面阐述了CGR架构，开创了网络安全公司如此深度公开讨论此类能力的先河。此外，我们发布了GUIDE——规模最大的真实世界安全事件公共数据集，涵盖100万条标注事件中的1300万条证据。通过使研究人员和从业者能够基于真实数据开展研究，GUIDE推动了网络安全领域的发展，并支持下一代机器学习系统的构建。