In today’s fast-moving threat landscape, security teams are under more pressure than ever to detect, investigate, and respond to incidents at machine speed. That’s why more organizations are turning to AI-powered security and observability tools — and why Splunk and Microsoft are excited to introduce the new Microsoft Security Copilot plugin for Splunk that’s available now.
This new integration brings together the power of Microsoft’s generative AI assistant, Security Copilot, with Splunk’s industry-leading unified security and observability platform on Azure. The result? Fast, efficient, repeatable, and contextual queries and searches into Splunk connected data using natural language.
This new plugin is a natural extension of the ongoing alliance and joint engineering roadmap between Splunk and Microsoft, built to meet customers where they are — across diverse security stacks, hybrid cloud environments, and evolving operational models. We understand that customers want the flexibility to leverage their investments in Splunk Cloud Platform alongside Microsoft 365 E5 security capabilities in a way that aligns with their AI transformation. And Security Copilot is quickly emerging as a preferred AI entry point for SOC analysts.
"Security teams are overwhelmed by alert fatigue and the complexity of switching between tools to resolve issues. With Microsoft Security Copilot and Splunk, we’re helping customers cut through the noise and take action faster than ever before using natural language." — Wayne Brown, Global Partner Technical Manager, Splunk
Ready to jump right in and see it in action? Watch me and Wayne Brown, Global Partner Technical Manager, walk through a demo of the plugin and show what’s possible when AI and SecOps come together.
The Microsoft Security Copilot plugin for Splunk lets security analysts interact with their Splunk data using natural language, bringing the power of generative AI directly into daily security workflows. Instead of manually creating and retrieving Splunk searches, users can simply ask Copilot a question in plain English and get contextual, actionable results from their connected Splunk environment. With the Security Copilot plugin, you’re not replacing your familiar and proven SPL tools; you are using them with greater accuracy, automation, and repeatability. Whether you’re triaging alerts, investigating incidents, or summarizing findings for a report, the plugin helps SecOps teams work more efficiently, make smarter decisions, and accelerate time to resolution.
“We’re excited to see partners like Splunk leaning into the Copilot ecosystem and giving SOC teams tangible wins with AI. The Microsoft Security Copilot plugin for Splunk helps security professionals get to insights faster using AI, while maintaining full control and visibility over their data.” — Dilip Radhakrishnan, Partner Group Product Manager, Microsoft
Each Security Copilot session is private, secure, and isolated, ensuring your organization’s data remains protected. Behind the scenes, Copilot continuously learns how to better work with Splunk’s API to surface relevant information and improve its responses. It maintains context throughout your conversation so you can ask follow-up questions and dig deeper — without starting from scratch. By allowing analysts to “talk to their data,” this integration delivers a more intuitive experience: ask questions, get answers, and take action — all with the full visibility and control of Splunk’s unified security and observability platform, running natively on Azure.
The Microsoft Security Copilot plugin for Splunk isn’t just smart — it’s practical. Designed to streamline real-world SecOps workflows, the plugin enables teams to interact directly with Splunk, executing searches, analyzing results, and even pulling in contextual information from outside sources.
Here are some of the ways organizations can use the plugin to enhance security operations:
One of the most exciting features is the Prompt Book — a library of reusable, pre-built prompts designed to help analysts move faster with consistent workflows. Splunk is building out Prompt Books with common security use cases, including Splunk One-Shot Searches, saved searches, and custom SPL queries, all accessible via Security Copilot.
At the core of all this is the plugin’s ability to make secure, scoped calls to the Splunk REST API — enabling a growing list of capabilities, including:
The Microsoft Security Copilot plugin for Splunk is the latest in a series of co-engineered innovations from Splunk and Microsoft, all designed to help security teams become more digitally resilient. This partnership builds on a strong foundation that includes Splunk Cloud Platform on Azure, Enterprise Security, IT Service Intelligence (ITSI), and most recently, Splunk SOAR on Azure.
Together, we’re helping customers improve their security posture, streamline operations, and confidently embrace AI-powered security at scale.
The Microsoft Security Copilot plugin for Splunk is available now, and getting started is easy. Simply open Security Copilot, search for “Splunk”, and connect it to your Splunk API. Within minutes, you’ll be able to ask questions, run queries, and accelerate investigations using natural language—all while staying in control of your Splunk data.
Ready to dive in? Watch the demo video and read the technical documentation to explore setup steps, supported capabilities, and usage tips.
And to see what else Splunk and Microsoft are building together to transform security and observability, visit splunk.com/microsoft.