St. Luke's saves nearly 200 hours monthly with AI-powered Security Copilot agents
Lack of unified, real-time visibility is a roadblock to disrupting cyber attacks and responding to emerging threats promptly. When St. Luke's University Health Network faced these challenges, it launched a strategy to close visibility gaps by creating a unified security platform integrating Security Copilot agents with Microsoft Defender. This customer story shows how St. Luke's has benefited-including how it has reclaimed nearly 200 hours a month of phishing triage time. Read the customer story to explore how AI-powered Security Copilot agents can accelerate incident response and improve organizational outcomes.
How did Security Copilot help St. Luke’s save nearly 200 hours every month?
St. Luke’s University Health Network is saving close to 200 hours every month primarily by automating phishing alert triage with Security Copilot agents in Microsoft Defender.
Here’s how the time savings break down:
- **Phishing Triage Agent in Defender**: This agent autonomously handles and closes thousands of false positive phishing alerts each month.
- **From manual to automated triage**: Previously, analysts had to manually review large volumes of user‑reported suspicious emails, moving between multiple portals and tabs. Triage and understanding hundreds of alerts could take hours each day.
- **Now in minutes, not hours**: With Security Copilot, alerts are consolidated in one place and triage takes minutes. The Phishing Triage Agent uses language model–based analysis to understand the content and intent of emails and classify them as malicious or benign.
Because the agent explains its decisions in clear, plain text, the St. Luke’s team has built confidence in its accuracy and no longer needs to double‑check every incident. The result is:
- **~200 hours saved monthly** on phishing alert triage.
- Analysts shifting from **reactive triage** to **proactive threat hunting** and higher‑value work.
- Less time spent on repetitive tasks, which also supports analyst satisfaction and reduces burnout.
What role does Security Copilot play in unifying St. Luke’s security stack?
Before adopting Security Copilot, St. Luke’s had a strong but fragmented security stack that included Microsoft Defender, Microsoft Sentinel, Microsoft Entra, Microsoft Purview, and other tools. The main gap was **unified, real‑time visibility** across these platforms.
Security Copilot acts as an **AI layer and connective tissue** across this environment by:
- **Consolidating views** of alerts, access controls, and vulnerabilities from multiple tools into a single, AI‑powered experience.
- **Correlating threats across workflows**, so analysts can see how signals from endpoints, email, identity, applications, and cloud workloads relate to each other.
- **Eliminating silos** between tools, which previously forced analysts to jump between multiple dashboards and tabs.
- **Embedding AI guidance into daily workflows**, providing context and recommendations directly where analysts work.
In practice, this means St. Luke’s can:
- Identify threats in **real time** instead of after the fact.
- Use Security Copilot’s insights to understand **where visibility gaps and weaknesses exist** in their environment.
- Support their security roadmap with data‑driven evidence about where to close those gaps.
St. Luke’s also uses several Security Copilot agents beyond phishing triage, including:
- **Conditional Access Optimization Agent** in Microsoft Entra.
- **Vulnerability Remediation Agent** in Microsoft Intune.
- **Alert Triage Agents** in Microsoft Purview DLP and IRM.
Together, these agents help St. Luke’s reimagine security operations as a more unified, AI‑first system that scales with thousands of endpoints, identities, and cloud workloads.
How does Security Copilot improve incident response and reporting at St. Luke’s?
Security Copilot has reshaped incident response and reporting at St. Luke’s by making investigations faster, more consistent, and easier to communicate across the organization.
Key improvements include:
1. **Faster triage and investigation**
- Before Security Copilot, triaging and understanding hundreds of alerts could take **hours each day**, with analysts digging through multiple portals.
- Now, Security Copilot brings relevant information into **one place**, and triage typically takes **minutes**.
- AI‑driven context and recommendations help analysts make quicker, data‑backed decisions.
2. **Clear, sequential incident reports**
- With more than **23,000 employees** and millions of patient records, St. Luke’s has strict compliance and reporting needs.
- Previously, creating an incident report by hand could take **hours**.
- Security Copilot in Defender now generates **clear, sequential incident reports in minutes**. The team can copy the report, add any needed context, and escalate to leadership or forensics with confidence.
3. **Better use of analyst time and reduced burnout**
- Routine, repetitive tasks like reviewing false positives and assembling reports are largely automated.
- Analysts can focus on **true threats, proactive threat hunting, and strategic improvements** instead of manual data gathering.
- This shift supports higher job satisfaction and helps reduce burnout.
Overall, Security Copilot helps St. Luke’s:
- Respond more quickly to real threats.
- Maintain a consistent, auditable incident history.
- Collaborate more effectively across the security team, since all incident information is centralized and easier to share.
St. Luke's saves nearly 200 hours monthly with AI-powered Security Copilot agents
published by BlueTeamAssess LLC
I founded BlueTeamAssess LLC to develop and offer actionable and cost effective security solutions to SMBs.
BlueTeamAssess LLC is a veteran-owned Cybersecurity Consulting business based in Onslow County, NC.
My company wants to be the trusted advisor to small businesses for cybersecurity and related information technology needs. We will help you meet compliance requirements for HIPAA, PCI, NC cybersecurity requirements for financial advisors, and NIST 800-171 and CMMC cybersecurity requirements for providing goods and services through DOD contracts.
We help small businesses understand cybersecurity threats and their vulnerability to those threats. We offer affordable products and services to protect their business and their livelihood from those threats.
We use the SAINT Security Suite and its family of assessment products to provide cybersecurity services that assess your exposure to the many threats that can impact your business. And we help you meet compliance requirements for NIST 800-171 cybersecurity requirements for providing goods and services through DOD contracts as well as for HIPAA, PCI, the NC data breach protection law and NC cybersecurity requirements for financial advisors.
We use the CyberSecurity Assessment Tool from QS Solutions to assess the security posture of your Microsoft 365 deployment and help bring your risk score to acceptable levels through our remediation services.
We will help you reduce SPAM, secure your email and defend against ransomware. To help do this, we offer a number of solutions scalable for small business budgets and environments. These include:
- Microsoft 365 email and office software and its extensive security features and advanced threat protection.
- Fortinet security solutions that provide a Security Fabric that knits together protection for your endpoints and servers, your firewalls, your wireless network, security analytics and many other services that protect your organization technology from today’s advanced threats whether the workers are working in the office or remotely from home.
- A backup and recovery solution from Acronis to protect your critical customer and business data when the next storm or other disaster impacts your business.
You can trust BlueTeamAssess LLC be the trusted advisor to small businesses for cybersecurity and related information technology needs.
Sign in with LinkedIn