How St. Luke’s Health Network Saves 200 Hours Monthly with Security Copilot

St. Luke’s University Health Network is among the larger integrated health systems in the northeastern United States, operating 15 campuses and more than 300 outpatient sites with a workforce of over 23,000 people. The organization manages more than 2.5 petabytes of patient data and records in active motion — a profile that makes it an attractive target. Healthcare ranked as the number one cyberattack sector globally, and St. Luke’s leadership was acutely aware that a successful breach could halt clinical operations and directly endanger patients.

Despite a strong security stack — Microsoft Defender, Sentinel, Entra, Purview, and Intune — the security operations team lacked a unified view across those tools. Analysts triaging hundreds of alerts daily had to navigate multiple portals and dashboards, which slowed response and created fatigue. Phishing was the primary vector of concern: the volume of user-reported suspicious emails was high enough to overwhelm manual review, and with generative AI making phishing attempts increasingly convincing, the team needed a way to distinguish genuine threats from noise at scale.

St. Luke’s adopted Microsoft Security Copilot as an AI orchestration layer across its existing security ecosystem. Security Copilot connected Defender’s endpoint, email, identity, and cloud workload protection with Sentinel’s SIEM capabilities, surfacing correlated insights in a single interface. The team also became early adopters of Security Copilot agents: the Security Alert Triage Agent in Defender for phishing review, the Conditional Access Optimization Agent in Entra, the Vulnerability Remediation Agent in Intune, and Alert Triage Agents in Purview DLP and IRM.

The Security Alert Triage Agent became the most visible force multiplier. Using large language model–based analysis, it autonomously evaluates reported emails — understanding intent and content — and closes thousands of false positives without human intervention. The result: nearly 200 hours saved per month. Incident reports that previously required hours of manual compilation are now generated in minutes inside Defender. Analysts shifted from reactive triage to proactive threat hunting.

For St. Luke’s, Security Copilot represents more than an efficiency gain — it’s a foundation for a self-improving security posture. The unified platform reveals gaps in coverage, informs roadmap priorities, and reduces analyst burnout by removing repetitive work. The security team describes it as gaining a 24/7 analyst and mentor: one that surfaces what matters, explains its reasoning in plain English, and enables smaller teams to operate at a scale previously impossible without significant headcount growth.