9/25/2025

St. Luke’s saves nearly 200 hours monthly with AI-powered Security Copilot agents

St. Luke’s University Health Network saw a critical gap across multiple security platforms: the need for unified, real-time visibility so it could anticipate and disrupt attacks earlier in the chain and quickly respond to emerging threats.

Security Copilot in Microsoft Defender became the connective tissue across St. Luke’s security stack, providing an AI-powered, agentic, consolidated view of alerts, access controls, and vulnerabilities.

St. Luke’s is accelerating efficiency and threat response with the help of Security Copilot agents and capabilities, saving nearly 200 hours monthly in phishing alert triage and creating incident reports in minutes instead of hours.


“Healthcare is the number one cyberattack target in the world,” says David Finkelstein, Chief Information Security Officer at St. Luke’s University Health Network. “A cyberattack paralyzes our ability to provide life-saving care to our patients.”

With 15 campuses, 300 outpatient sites, and more than 2.5 petabytes of data and patient records in motion, St. Luke’s University Health Network (St. Luke’s) faces a daunting challenge. The organization must protect a sprawling digital estate while helping ensure clinicians and staff can deliver care without interruption.

“Phishing is the biggest attack threat, followed by DDoS (distributed denial of service),” explains Finkelstein. “With a DDoS attack, our systems can be shut down; patients can’t be seen. Operations stall, we lose money, we lose patient trust.”

Despite a robust security stack, including Microsoft Defender, Microsoft Sentinel, Microsoft Entra, Microsoft Purview, and other tools, St. Luke’s recognized a critical gap. The team needed unified, real-time visibility across platforms so it could anticipate and disrupt attacks earlier in the chain. “We had strong tools, but they were disconnected,” recalls Finkelstein. “We need a way to see across the entire landscape and respond to threats as they emerge, not after the fact.”

Eliminating silos, consolidating views

To modernize and unify security operations, St. Luke’s turned to Microsoft Security Copilot to supercharge analyst productivity and help its Security Operations Center (SOC) teams operate at scale. Security Copilot connected the unified protection capabilities of Defender—spanning endpoints, email, identity, applications, and cloud workloads—with the security information and event management (SIEM) power of Sentinel. Security Copilot infuses AI-powered insights directly into daily operations. Now analysts correlate threats across workflows, eliminate silos, and respond with greater speed and precision.

“Moving to Security Copilot was really the next evolutionary stage for St. Luke’s,” says Finkelstein. “It was the first tool that gave us hope that we could get predictive, proactive analytics.”

Security Copilot is an AI layer across St. Luke’s security tech stack, providing enhanced visibility into alerts, access controls, and vulnerabilities. It intelligently surfaces and correlates insights from multiple sources, serving as connective tissue that helps security teams triage, investigate, and respond more effectively. Now St. Luke’s identifies threats in real time, with Security Copilot summarizing vast data signals across security platforms into actionable insights.

Streamlining workflows with Security Copilot agents

Cyberthreats are becoming more sophisticated, often using AI and exploiting vulnerabilities in interconnected systems. “Phishing is the vector that concerns me most,” says Krista Arndt, Associate Chief Information Security Officer at St. Luke’s University Health Network. “It’s getting increasingly complex, especially with the introduction of generative AI.”

The team is an early adopter of Security Copilot agents, including the Conditional Access Optimization Agent in Entra, the Vulnerability Remediation Agent in Microsoft Intune, and the Alert Triage Agents in Purview DLP and IRM. The Phishing Triage Agent in Defender is making its mark. “The Phishing Triage Agent is a game changer. It’s saving us nearly 200 hours monthly by autonomously handling and closing thousands of false positive alerts,” notes Arndt. “Our team shifted from reactive triage to proactive threat hunting, now that they’re not bogged down by routine triage.”

Arndt continues, “I was surprised by how quickly the Phishing Triage Agent became a force multiplier. It didn’t just reduce noise—it helped us prioritize with precision.”

Analysts are inundated every day with user-reported suspicious emails, each demanding careful investigation and triage. The sheer volume slows response, drains resources, and increases the risk of real threats slipping through the cracks. The Phishing Triage Agent uses advanced language model–based analysis to perform sophisticated tasks, such as understanding the content and intent of reported emails, to determine whether a submission is a genuine phishing attempt or a false alarm.


According to Wayde Williams, Senior Network Cybersecurity Engineer at St. Luke’s University Health Network, the agent provides explanations for its decision-making in plain text. These descriptions are detailed and accurate, providing the right context for determining if an email is malicious or benign. Over time, the team has grown confident in the agent’s classification accuracy and found they no longer needed to double-check every incident. The agent takes care of the heavy lifting, allowing SOC teams to focus their time and expertise on responding to the real threats that it surfaces.

Strengthening with AI-powered visibility

With Security Copilot, AI-fueled guidance is embedded directly into existing workflows, providing context and recommendations that help analysts make faster, data-driven decisions. This AI-powered visibility is having another important impact. “Security Copilot is giving us the ability to figure out where our weaknesses are,” says Finkelstein. “Where are we not seeing things? Where are the gaps in our environment? Then Copilot gives us the information to support our roadmaps and strategies to close those gaps.”

Automating protection

With thousands of endpoints, identities, and cloud workloads to protect, the security team at St. Luke’s sifts through millions of signals daily. Before adopting Security Copilot, much of the threat detection and response at St. Luke’s was manual. “Behavioral analytics at scale is almost impossible for a human to do,” explains Arndt. “We tried to automate reporting through dashboards like Power BI, but with the sheer volume of data, it was difficult to pinpoint threats that weren’t immediately obvious.”

Williams describes the day-to-day reality: “Before Security Copilot, it took hours to triage and understand hundreds of alerts a day. We’d have to dig through multiple portals and tabs. Now it’s all in one place, and triage takes just minutes.” Williams continues, “Everything is handled autonomously by a [phishing triage] agent that works for us 24/7, helping us find the true threats amidst a sea of false positives.”


Improving efficiency, compliance, and collaboration

Another important capability of Security Copilot in Defender is incident reporting. With more than 23,000 employees and millions of patient records, compliance is always top of mind for St. Luke’s. The ability of Security Copilot to provide clear, sequential incident reports within Defender proves invaluable. Creating an incident report by hand can take hours, but with Copilot, the process is reduced to minutes. The team quickly copies the report, adds context, and escalates to leadership or forensics with confidence and accuracy.

These features not only improve operational efficiency but also contribute to analyst satisfaction and reduced burnout, because routine and repetitive tasks are automated and teams focus on more meaningful work.

The unified platform also improves collaboration across the security team. Security Copilot provides all the information needed for an incident in one location, eliminating the need to jump between multiple dashboards or tools. This streamlined approach helps the team make effective decisions quickly.


Remaining resilient

St. Luke’s sees its investment in Security Copilot as the foundation for a self-improving security ecosystem. AI-driven security means the team stays ahead of both technological and business changes, ensuring that St. Luke’s remains resilient in the face of evolving threats.

Optimistic about what’s next, Finkelstein says, “Security Copilot is an innovative tool that’s allowing us to grow and mature as a security team. It’s almost like having an extra person—a mentor—guiding us to be more successful.”

For St. Luke’s University Health Network, the journey is ongoing, but the direction is clear: an AI-first, end-to-end approach to security. This transforms fragmented tools into a resilient, unified security posture that protects what matters most.

Discover more about St. Luke’s University Health Network on Facebook, Instagram, LinkedIn, X/Twitter, and YouTube.
