XDR Unified Portal & Autonomous Driving: Five Levels of Microsoft AI for Cybersecurity
Written by Mona Ghadiri, Senior Director Product Management, Microsoft MVP
The Society of Automotive Engineers (SAE) outlines five levels of autonomous driving, indicating varying degrees of human intervention and system capability. This analogy is helpful for understanding AI in cybersecurity. Microsoft’s AI solutions for cybersecurity feature varying levels of automation and intelligence, much like the progression of self-driving cars.
This article draws parallels between autonomous vehicles and cybersecurity AI to help readers understand the types of cybersecurity AI you might encounter within your Microsoft Security framework. Each AI option varies in automation and intelligence, from basic tools to advanced AI-driven solutions, and each serves a different role.
Level 1: Driver Assistance vs. Basic Automation
Autonomous Driving: Level 1 involves basic driver assistance features like adaptive cruise control. The driver remains in control, but the system assists with specific tasks.
Microsoft Automation for Cybersecurity: Basic Automation uses simple tools to aid security professionals, such as scripts to automate repetitive tasks. This is where many start with SIEM technologies like Microsoft Sentinel, using playbooks to manage alerts.
Comparison: Both levels augment human capabilities. In driving, it aids the driver; in cybersecurity, it automates routine processes to reduce manual workload.
Level 2: Partial Automation vs. Advanced Automation
Autonomous Driving: Level 2 systems control both steering and acceleration/deceleration, but the driver must remain engaged.
Microsoft AI for Cybersecurity: Advanced Automation involves Microsoft SOAR automating complex tasks like remediation with integrated Microsoft data. The Microsoft XDR Unified Portal exemplifies this, integrating alerts from various sources.
For instance, Microsoft AI can automatically dismiss certain alerts if conditions are met, such as a user’s high sign-in risk being mitigated by a successful MFA challenge. You can see which alerts Microsoft AI has adjudicated or dismissed by running this query:
// Union query to combine incidents from MDE and AADIP that were resolved automatically
union
(
    SecurityIncident
    | where ClassificationComment == "Resolved at source"
    | where parse_json(tostring(AdditionalData.alertProductNames))[0] == "Microsoft Defender Advanced Threat Protection"
),
(
    SecurityIncident
    | where ClassificationComment == "Resolved at source"
    | where parse_json(tostring(AdditionalData.alertProductNames))[0] == "Azure Active Directory Identity Protection"
)
// Project the relevant fields
| project IncidentNumber, Title, ClassificationComment, LastModifiedTime, Severity, Status, Product = parse_json(tostring(AdditionalData.alertProductNames))[0]
// Order by most recently closed incidents
| order by LastModifiedTime desc
Another example of this is how Microsoft’s AI can alter risk status. We have seen incidents automatically dismissed by Microsoft and logged as “aiConfirmedSignInSafe”.
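The incident query above shows what was closed at source; the complementary question for a SOC is who closed the underlying sign-in risk, because a dismissal by Microsoft AI means no analyst or end user ever looked at it. The following query is an added example, not from the original article. It assumes the Microsoft Sentinel SigninLogs table with its RiskDetail and RiskLevelDuringSignIn columns, and it relies on the Entra ID Protection riskDetail values (aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, and the admin-prefixed values); the page’s own spelling “aiConfirmedSignInSafe” is matched case-insensitively.

```kql
// Added example: break down how sign-in risk was closed over the last 30 days,
// so the SOC can see which dismissals involved no human at all.
// Assumes SigninLogs with RiskDetail and RiskLevelDuringSignIn columns (Microsoft Sentinel schema).
SigninLogs
| where TimeGenerated > ago(30d)
| where RiskLevelDuringSignIn in ("low", "medium", "high")
| extend ClosedBy = case(
    RiskDetail =~ "aiConfirmedSigninSafe", "Microsoft AI",                 // dismissed by Microsoft's AI
    RiskDetail =~ "userPassedMFADrivenByRiskBasedPolicy", "User (MFA)",    // risk-based CA policy satisfied
    RiskDetail startswith "admin", "Admin",                                // an administrator adjudicated it
    RiskDetail == "none" or isempty(RiskDetail), "Still open",            // nothing has closed it yet
    "Other")
| summarize SignIns = count(), Users = dcount(UserPrincipalName) by ClosedBy, RiskLevelDuringSignIn
| order by ClosedBy asc, SignIns desc
```

Reviewing the “Microsoft AI” bucket periodically, especially for high-risk sign-ins, is a reasonable check that automated dismissals line up with what an analyst would have decided.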
Comparison: Advanced automation integrates systems to handle multiple tasks but requires human oversight for accuracy, as in both cars and SOC operations.
Level 3: Conditional Automation vs. Intelligent Assistance
Autonomous Driving: Level 3 vehicles manage most driving tasks under specific conditions, but the driver must be ready to intervene.
Microsoft AI for Cybersecurity: Intelligent Assistance involves tools like Azure OpenAI bots providing intelligent suggestions. These tools handle tasks like assessments autonomously but require human intervention for management.
Comparison: Systems become more autonomous but still depend on human oversight for unexpected scenarios. Microsoft Copilot for Security enhances efficiency by defining conditions where AI fits best.
Level 4: High Automation vs. Autonomous Threat Management
Autonomous Driving: Level 4 systems perform all driving tasks within specific environments without human intervention.
AI for the SOC: Autonomous Threat Management promises full task automation. Recent acquisitions and market shifts indicate a move towards this level, though full autonomy is still developing.
Comparison: Both systems handle complex tasks autonomously within defined parameters, but mainstream cybersecurity and vehicle providers lack the infrastructure for full autonomy today.
Level 5: Full Automation vs. Comprehensive AI Security
Autonomous Driving: Level 5 represents full automation, capable of operating in all environments without human assistance.
Microsoft AI for Cybersecurity: Comprehensive AI Security is not fully realized yet in the cybersecurity world.
Comparison: The highest level of automation offers complete autonomy, but current systems cannot fully deliver on this promise.
The evolution of cyber threats and AI usage varies across MDR service providers, vendors, and customers. This article aims to contextualize where your tools and providers stand in their journey toward autonomous threat remediation, similar to the development of autonomous cars. Understanding these levels helps identify where AI can be effectively integrated into cybersecurity operations.
Looking to understand where your organization is on its AI journey? Check out BlueVoyant’s Security Diagnostic to gain insights and actionable guidance to help you make data-backed decisions about your Microsoft Security investment.