SoCMate integrates with Microsoft Security Copilot as a custom plugin, enabling Copilot users to invoke SoCMate investigations, query the knowledge graph, and access incident data directly from the Copilot interface.

Overview

The Security Copilot integration exposes SoCMate capabilities as Copilot skills. Security analysts can use natural language in Copilot to trigger SoCMate actions without switching between tools.
┌─────────────────────────────────────────────────────────┐
│             Microsoft Security Copilot                   │
│                                                          │
│  User: "Use SoCMate to investigate IP 203.0.113.50"     │
│                                                          │
│         ┌──────────────────────────────────┐             │
│         │    SoCMate Custom Plugin         │             │
│         │                                  │             │
│         │  Skills:                         │             │
│         │  - Investigate entity            │             │
│         │  - Query knowledge graph         │             │
│         │  - List recent incidents         │             │
│         │  - Get investigation report      │             │
│         └──────────┬───────────────────────┘             │
│                    │                                     │
└────────────────────┼─────────────────────────────────────┘
                     │ API calls (X-API-Key)

┌─────────────────────────────────────────────────────────┐
│                    SoCMate API                           │
└─────────────────────────────────────────────────────────┘

Plugin Setup

Step 1. Create an API key in SoCMate

Navigate to Admin > API Keys and create a key with the following scopes:
  • investigations:read
  • investigations:write
  • incidents:read
  • search:read
  • graph:read
Grant only these scopes. They cover the skills listed under Available Skills, and investigations:write is the only one that lets Copilot change state in SoCMate (the Investigate Entity skill needs it to start an investigation). Copy the API key value; you will need it when configuring the plugin.
Step 2. Download the plugin manifest

The SoCMate plugin manifest is an OpenAI-compatible plugin descriptor that defines the available skills and API endpoints. Contact your SoCMate administrator or download it from your SoCMate instance:
https://api.socmate.yourcompany.com/api/v1/copilot/manifest
Step 3. Upload to Security Copilot

In Microsoft Security Copilot:
  1. Go to Sources (plugin icon in the prompt bar)
  2. Click Manage plugins
  3. Select Custom and click Add a plugin
  4. Upload the plugin manifest file or provide the manifest URL
  5. Enter your SoCMate API key when prompted for authentication
  6. Enable the plugin
Step 4. Verify the integration

In the Copilot prompt bar, try:
Use SoCMate to check if IP 203.0.113.50 has been seen in any investigations
If configured correctly, Copilot invokes the SoCMate Query Knowledge Graph skill (GET /api/v1/graph/entity/{value}) and returns what the graph holds for that IP. If Copilot answers without calling SoCMate, check that the plugin is enabled and that the key carries the graph:read scope this skill needs.

Available Skills

Investigate Entity

Start a SoCMate investigation on a security entity. Copilot prompt examples:
  • “Use SoCMate to investigate IP 203.0.113.50 for malicious activity”
  • “Ask SoCMate to check user john@example.com for suspicious sign-ins”
  • “Have SoCMate investigate host SRV-DC01”
What it does: Calls POST /api/v1/investigations/start with the entity and a default SOC Analyst persona. Returns a summary of the investigation findings.

Query Knowledge Graph

Look up an entity in SoCMate’s knowledge graph to see its history and connections. Copilot prompt examples:
  • “Check SoCMate knowledge graph for IP 203.0.113.50”
  • “What does SoCMate know about user admin@corp.local?”
  • “Show SoCMate connections for domain evil-phishing.com”
What it does: Calls GET /api/v1/graph/entity/{value} and returns the entity’s neighborhood — connected entities and relationships from past investigations.

List Recent Incidents

Retrieve the latest Sentinel incidents from SoCMate’s synced incident store. Copilot prompt examples:
  • “Show me high severity incidents from SoCMate”
  • “List the latest critical incidents in SoCMate”
  • “What are the new SoCMate incidents from the last 24 hours?”
What it does: Calls GET /api/v1/incidents with severity and time filters. Returns incident titles, severity, status, and SoCMate links.

Get Investigation Report

Retrieve a completed investigation report by session ID. Copilot prompt examples:
  • “Get the SoCMate investigation report for session sess_abc123”
  • “Show me the results of SoCMate investigation sess_abc123”
What it does: Calls GET /api/v1/sessions/{session_id} and returns the investigation summary, risk score, entities, and findings.

Search Investigations

Search across all SoCMate investigations for relevant findings. Copilot prompt examples:
  • “Search SoCMate for phishing investigations”
  • “Find SoCMate investigations related to brute force attacks”
What it does: Calls GET /api/v1/search with the query and returns matching investigation sessions.
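The five skills above are thin wrappers over SoCMate's REST API, so the quickest way to tell an API-key problem from a plugin-configuration problem is to make the same calls directly. The client below is an added example written for this page; it is not SoCMate's own SDK or the plugin's code. The endpoint paths and the X-API-Key header are the ones documented above; the parameter names (entity, persona, severity, since, q), the session-ID pattern and which scope each probe exercises are assumptions. It also shows two things the plugin depends on: percent-encoding the analyst-supplied entity value before it is placed in the graph URL path, and keeping the key out of logs and tracebacks.

```python
"""Direct client for the SoCMate endpoints behind the Security Copilot skills.
Added example, not SoCMate's SDK or plugin code: endpoint paths and the
X-API-Key header come from the page; parameter names (entity, persona,
severity, since, q) and the session-ID pattern are assumptions."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed session-ID shape, modelled on the "sess_abc123" form used above.
SESSION_ID = re.compile(r"^sess_[A-Za-z0-9]+$")


@dataclass
class Request:
    """A fully built HTTP request that has not been sent yet."""
    method: str
    url: str
    headers: dict
    body: Optional[bytes] = None


class SoCMateClient:
    """Builds (and optionally sends) the request each Copilot skill makes."""

    def __init__(self, base_url: str, api_key: str) -> None:
        self.base_url = base_url.rstrip("/")
        self._api_key = api_key

    def __repr__(self) -> str:
        # Keep the key out of logs and tracebacks.
        return f"SoCMateClient({self.base_url!r}, api_key=<redacted>)"

    def build(self, method: str, path: str, params: Optional[dict] = None,
              body: Optional[dict] = None) -> Request:
        url = self.base_url + path
        query = {k: v for k, v in (params or {}).items() if v is not None}
        if query:
            url += "?" + urllib.parse.urlencode(query)
        headers = {"X-API-Key": self._api_key, "Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        return Request(method, url, headers, data)

    def send(self, req: Request) -> dict:
        http_req = urllib.request.Request(
            req.url, data=req.body, headers=req.headers, method=req.method)
        with urllib.request.urlopen(http_req, timeout=30) as resp:
            return json.load(resp)

    # One builder per skill.
    def investigate(self, entity: str, persona: str = "SOC Analyst") -> Request:
        return self.build("POST", "/api/v1/investigations/start",
                          body={"entity": entity, "persona": persona})

    def graph_entity(self, value: str) -> Request:
        # Analyst-controlled value lands in the URL path: encode "/" and ".." away.
        return self.build("GET", "/api/v1/graph/entity/"
                          + urllib.parse.quote(value, safe=""))

    def list_incidents(self, severity: Optional[str] = None,
                       since: Optional[str] = None) -> Request:
        return self.build("GET", "/api/v1/incidents",
                          params={"severity": severity, "since": since})

    def get_session(self, session_id: str) -> Request:
        if not SESSION_ID.match(session_id):
            raise ValueError(f"unexpected session id: {session_id!r}")
        return self.build("GET", f"/api/v1/sessions/{session_id}")

    def search(self, query: str) -> Request:
        return self.build("GET", "/api/v1/search", params={"q": query})


def check_key(client: SoCMateClient,
              sender: Optional[Callable[[Request], int]] = None) -> dict:
    """Probe the read-only skills with the key from step 1; returns an HTTP
    status per scope. 401/403 here means a key or scope problem, not a Copilot
    configuration problem. `sender` is injectable for offline testing."""
    def live(req: Request) -> int:
        try:
            client.send(req)
            return 200
        except urllib.error.HTTPError as err:
            return err.code

    sender = sender or live
    probes = {  # which scope each probe is assumed to exercise
        "graph:read": client.graph_entity("203.0.113.50"),
        "incidents:read": client.list_incidents(severity="High", since="24h"),
        "search:read": client.search("phishing"),
    }
    return {scope: sender(req) for scope, req in probes.items()}
```

Run `check_key(SoCMateClient("https://api.socmate.yourcompany.com", key))` with the dedicated key from step 1 before uploading the manifest in step 3. A 401 or 403 for a probe points at the key or its scopes; only once every probe returns 200 is it worth debugging the Copilot side.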

Data Flow

  1. User asks a question in Security Copilot mentioning SoCMate
  2. Copilot identifies the SoCMate plugin skill that best matches the request
  3. Copilot formats the API call using the plugin manifest schema
  4. The request is sent to SoCMate’s API with the configured API key
  5. SoCMate processes the request and returns results
  6. Copilot formats the response for display in the conversation

Authentication

The plugin authenticates to SoCMate with an API key stored in Security Copilot's plugin configuration. The key is sent as an X-API-Key header on every request, so SoCMate sees each plugin request as that key, not as the individual analyst who typed the prompt.
Use a dedicated API key for the Security Copilot integration and do not reuse keys from other integrations: a dedicated key makes plugin usage easy to attribute and monitor, and it can be rotated or revoked without affecting anything else. Keep its scopes to the list in step 1, since every Copilot user who can run the plugin can exercise all of them.

Limitations

  • Streaming not supported — Security Copilot receives the final investigation result, not real-time streaming updates
  • Persona selection — The plugin defaults to the SOC Analyst persona; CISO-level reports require manual selection
  • Rate limits — API key rate limits apply; high-frequency usage may require limit increases
  • Follow-ups — Multi-turn investigation conversations are not supported through the plugin; use the SoCMate UI for follow-up questions