Security Copilot Technical Journey & Resources
What is the Security Copilot Technical Journey? 
The Microsoft Security Copilot Technical Journey will guide you through how to learn, extend, and drive customer adoption for Microsoft Security Copilot, the first security platform to enable defenders to move at the speed and scale of AI by leveraging the most advanced large language models (LLMs) with large-scale data and threat intelligence, including more than 78 trillion daily security signals.
Table of Contents
This page is organized into three parts – Learn Security Copilot, Extend Security Copilot, and Driving Customer Adoption.
| Table of Contents | |
| Learn Security Copilot | |
| Extend Security Copilot | |
| Driving Customer Adoption | |
December 3rd, 2024 Update📰
| Recent Update (December 3rd, 2024): Events, Whitepapers, and Community Resources |
Although Microsoft lacks the official documentation for now, BlueVoyant and Splunk have published some documentation about the integration of the Splunk platform with Security Copilot, which you can read here.
Security Copilot is now SOC 2 certified🎉
You can learn how to access the Security Copilot audit log here or how you can ingest your Security Copilot audit logs using this Azure Function App and PowerShell script.
It’s also worth exploring this solution that automates the analysis of user-submitted phishing emails using Security Copilot🎣
Lastly, my colleague and friend Rick created these easy-to-use KQL templates for custom Defender and Sentinel plugins. Give them a try!
Events
If you’re a member of the Microsoft Security Copilot Customer Connection Program (CCP), join our weekly Security Copilot Skilling and Readiness events:
| Topic | Date & Time | Register! |
| Automating Workflows with Logic Apps in Security Copilot | Thursday, December 5th @ 9:00 AM PT | Register |
Learn Security Copilot
Are you ready to get started? Dive into onboarding guidance, prompt engineering templates and best practices, use cases, demos, roles, community resources, and other relevant documentation.
Overview
- What is Microsoft Security Copilot?
- Microsoft Security Copilot experiences
- Navigate Security Copilot
- Create effective prompts
- What is a compound AI system?
- Using Microsoft Graph as a Microsoft Security Copilot Plugin with Delegated Access
Onboarding
You can provision Security Copilot within the standalone experience or in Azure. If your organization requires tags to deploy Azure resources, use this ARM template to add tags during deployment. When provisioning Security Copilot, you can purchase capacity in these four regions: East US, West Europe, UK South, and Australia East. Customers can provision a maximum of 100 SCUs and scale down to a minimum of 1 SCU per hr.
While there are technically no prerequisites, you’ll need an Azure subscription and Microsoft Entra ID (Entra ID is required to authenticate your users). We also recommend allowing prompt evaluation anywhere with available GPU capacity for optimal results. By default, all users are “Copilot contributors” (this may vary according to existing user permissions) and the provisioning user is the “Copilot owner.” Contributors cannot update data sharing options, manage SCUs, view the usage dashboard, and may only manage and publish custom plugins or upload files when allowed. Also by default, all security administrators and global administrators inherit Security Copilot access.
Security Copilot will not elevate your level of access (e.g., to use the Microsoft Sentinel plugin, you will need the Microsoft Sentinel Reader role). However, plugin settings are managed at the user level, requiring each user to enable/disable plugins and configure authentication methods. Unfortunately, there is no existing option to set plugin configurations at the Tenant level.
I recommend starting with the Defender XDR Embedded Experience or Promptbooks. You can easily add tags, edit, share, run, and set the level of access to “Just me” or “Anyone in my organization.” You can even create your own. Learn more about how to create your own Promptbooks here. It’s also critical to monitor SCU usage to manage costs and avoid disruptions (e.g., calculate your average SCU utilization over a standard 7 days). Learn more about how to monitor your usage here. Microsoft permits some occasional demand spikes from customers that exceed their provisioned capacity at no additional charge, but if the spikes are consistent, that usually signals under provisioned capacity.
Lastly, experiment with uploading your organizations own DOCX, MD, PDF, and TXT files. You can upload files up to 20 MB in total. Security Copilot reasons over files to generate more relevant and specific responses. Learn more about uploading your own files here.
Get Started
- Get started
- Understand authentication
- Best practices for Microsoft Entra roles
- Prompting
- Sample Prompts Library
- Promptbooks
- Promptbooks Library
- What does good prompt engineering look like?
- Apply principles of Zero Trust to Microsoft Security Copilot
- Exploring Security Copilot to Automate Incident Triage
- Extending Security Copilot with Azure Function Apps
- Customize and Optimize Security Copilot with the custom Data Security plugin
- NEW: Identity forensics with Security Copilot Identity Analyst Plugin
- NEW: Enhancing Threat Hunting with Microsoft Defender Experts Plugin
- NEW: Monitor User Activities and System Events with Security Copilot and Microsoft Sentinel
Features
- Incident Summarization — Summarize incidents, vulnerabilities, and threats in minutes and prepare the information in ready-to-share reports.
- Impact Analysis — Assess impact and receive insights into your affected systems.
- Reverse Script Engineering — Analyze complex command line scripts and translate them into natural language with clear explanations of actions.
- Guided Response — Receive actionable step-by-step guidance, including for triage, investigation, and remediation.
Use Cases
- Triage incidents with enriched threat intelligence
- Investigate an incident’s malicious script
- Advanced Hunting
- Summarize an incident in Microsoft Defender XDR
- Use guided responses in Defender XDR
- Create an incident report in Microsoft Defender XDR
- Script analysis in Defender XDR
- Generate device summaries in Defender XDR
- Analyze files in Defender XDR
- Risky user summarization in Entra
- Summarize the latest threats in MDTI
- Analyze recommendations in MDC
- Summarize recommendations in MDC
- Remediate recommendations in MDC
- Delegate recommendations in MDC
- Remediate code in MDC
Demos
- Business Email Compromise (BEC)
- Human-operated ransomware (HumOR)
- Defender XDR Embedded Copilot to Standalone Copilot investigation
- Extended user account investigation
- Cloud compromise
- Troubleshooting
Also explore our Microsoft Security Copilot Instructional Demo Videos📹
Videos
We recommend watching the following videos created by Microsoft Security and the Global Partner Solutions (GPS) Technical Team:
 |
Microsoft Security Copilot John Savill dives into the powerful features and capabilities of Microsoft Security Copilot. |
 |
Threat Intelligence in Security Copilot with Volt/Silk Typhoon demo Learn about Microsoft Threat Intelligence in Security Copilot, including what it is, how you can use it, and learn from a comprehensive demo featuring Volt/Silk Typhoon, prolific state-sponsored espionage actors from China. |
 |
Security Copilot Pricing Short on time? Learn about Security Copilot’s pricing model in just 10 minutes, including how to provision, scale, and manage Security Compute Units (SCUs). Discover what you can do today, along with valuable onboarding tips. |
 |
Selling Security Copilot w/ Multi-stage Incident Demo Explore Security Copilot’s powerful use cases, its unique value, proven results, and differentiation story, and see it all in action with a comprehensive multi-stage incident demo in Microsoft Defender XDR. |
 |
Security Copilot Responsible AI Learn how Security Copilot mitigates Responsible AI issues and explore Generative AI threats, including prompt injection attacks, disinformation campaigns, spear phishing, etc., and how we at Microsoft defeat them. |
 |
How Microsoft Security Copilot works Ryan Munsch, from the Security Copilot team, joins host Jeremy Chapman to share how Security Copilot is an enterprise-grade natural language interface for your organization's security data. |
Also explore Microsoft’s Security Copilot YouTube Playlist📹
Roles beyond SOC Analysts
- IT Admins: Create device configuration profiles in Intune and leverage data-driven configuration troubleshooting and remediation.
- DLP Analysts: Summarize DLP alerts and analyze DLP policy configurations.
- Insider Risk Analysts: Summarize Insider Risk Management (IRM) alerts and gain context around users with risky behavior.
- eDiscovery Analysts: Generate Keyword Query Language from NL in eDiscovery and summarize evidence collected.
- Identity Access Management (IAM) Admins: Discover high risk users, overprivileged access, suspicious sign-ins in Entra.
Announcements & Whitepapers
- NEW: Randomized Controlled Trials for Security Copilot for IT Administrators
- NEW: Generative AI and Security Operations Center Productivity: Evidence from Live Operations
- Whitepaper – Microsoft Security Copilot – Working with the Microsoft Security stack and 3Ps
- Randomized Controlled Trial for Security Copilot
Community Resources
- NEW: Microsoft Ignite: Redefining email security with LLMs to tackle social engineering
- Join the Security Copilot Customer Connection Program (CCP)
- Microsoft Security Copilot Tech Community Blog
- Copilot in Azure Technical Deep Dive
- Security Copilot Partner Playbook
- Introduction to red teaming large language models (LLMs)
- OpenAI Prompt Engineering
- Applied Generative AI (GAI) in Security Blog
- Why AI Will Save the World
AI Security
- Learn more about our approach to Responsible AI.
- MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems)
- OWASP AI Security and Privacy Guide
Back to Table of Contents. Are you ready to extend Security Copilot?
Extend Security Copilot
Learn how to grant an MSSP access to your Security Copilot environment and how to use and create plugins. Security Copilot plugins enhance the platform’s capabilities by acting as connectors, enabling seamless integration with infinite partners and third parties, allowing for custom functionality. To first create a plugin, you will need the correct instance URL and API token.
MSSPs
Plugins
- Overview
- Other plugins – Non-Microsoft plugins
- API
- GPT
- KQL
- Manage plugins
- Plugin error codes
Connectors
3P Plugins
- AbuseIPDB – AbuseIPDB is a central repository to report and identify IPs that are associated with malicious activity online
- NEW: Aviatrix – Aviatrix provides insights into cloud networking and firewall policy enforcement
- NEW: CheckPhish – CheckPhish AI analyzes URLs for phishing threats, tech support scams, cryptojacking, and other risks
- Computer Incident Response Center Luxembourg (CIRCL) – CIRCL is a government initiative to validate suspicious files in the form of hashes
- CrowdSec – CrowdSec provides identification and verification of potentially malicious IPs
- CyberArk – CyberArk Privilege Cloud helps to securely store, rotate, and isolate credentials
- Cybersixgill – Cybersixgill offers real-time TI solutions, including from the dark web
- Cyware Intel Exchange – Cyware Intel is a TI Platform for ingestion, enrichment, analysis, prioritization, actioning, and sharing of threat data
- Cyware Respond – Cyware Respond is an end-to-end incident management and response platform
- Darktrace – Darktrace offers cybersecurity AI services
- Forescout Risk and Exposure Management – Forescout REM provides a view of device risks and vulnerabilities
- Forescout Vedere Labs – Forescout research teams provide a TI feed containing IP, URL, and File hash indicators for potentially malicious activity
- GreyNoise – GreyNoise collects and analyzes Internet-wide scan and attack data
- Intel 471 – Intel 471 provides cybercrime intelligence
- NEW: IPGeolocation – IPGeolocation provides geolocation data, time zone details, security insights (VPN, proxy, bot detection), etc.
- NEW: IPinfo – IPinfo provides IP geolocation, IP to Privacy Detection (VPN, Tor, Proxy), ASN data, company data, carrier metadata, and WHOIS data
- Jamf – Jamf Pro provides enterprise-level Mobile Device Management (MDM)
- Netskope – Netskope combines security and networking services, enabling Secure Access Services Edge (SASE) and Zero Trust
- NEW: Quest Security Guardian – Quest Security Guardian is an Active Directory tool that reduces your attack surface
- Red Canary – Red Canary provides managed detection and response (MDR) services
- ReversingLabs – ReversingLabs helps SOC teams understand file-based threats
- Saviynt – Saviynt provides insights into identity-related risks
- SGNL – SGNL provides Zero Standing Privilege (ZSP) initiatives to protect user sessions and credentials
- Shodan – Shodan is a search engine that allows users to find specific types of devices connected to the Internet
- Silverfort – Silverfort provides advanced CEF data from Microsoft Sentinel
- Tanium – Tanium is a Converged Endpoint Management (XEM) reference platform
- UrlScan – UrlScan allows users to scan and analyze potentially malicious URLs
- Valence Security – Valence combines SaaS Security Posture Management (SSPM) and advanced remediation
- Whoisfreaks – Whoisfreaks provides domain and IP intelligence services
Extensibility Features
Community Plugins
Disclaimer: Some of these plugins were developed and are maintained by the community and are not owned and/or managed by Microsoft.
- Track SCU changes
- Security Copilot Portal Logins
- Send Copilot Output to Email
- GitHub Advanced Security Custom Plugin Scenarios
- Microsoft Defender XDR Custom Plugin Scenarios
- Microsoft Sentinel Custom Plugin Scenarios
- QR Code AiTM Phishing Detection
- Have I Been Pwned – Have I Been Pwned allows users to verify whether their personal data has been compromised by data breaches
- IBM X-Force Threat Intelligence – IBM X-Force is a cloud-based TI solution
- Censys – Censys regularly probes public IPs and domains
- SentinelOne – SentinelOne is an Enterprise Security AI Platform
Back to Table of Contents. Are you ready to drive customer adoption?
Driving Customer Adoption
Microsoft Security Copilot enables customers and partners to proactively defend against threats, streamline security workflows, and protect critical assets. Learn how to drive customer adoption below.
Pricing📌
Security Copilot pricing is consumption-based and costs approximately $4 per SCU per hr. A Security Compute Unit (SCU) is Security Copilot’s unit of measurement of computing capacity to run a Copilot workload (i.e., prompt/Promptbook). The amount of SCUs needed depends on the complexity of the given workload. The pricing is consistent across the standalone experience and the embedded experiences as well as regions.
Why is it consumption-based and not per user? The idea is that the flexibility will allow more customers and partners to try it! That said, the output is only as good as the input, and the more plugins you use to contextually enrich complex investigations, the better (think Microsoft Sentinel pricing; the more telemetry ingested = the more coverage and insights, so long as it’s not too much noise). There are no prerequisites, but for the optimal user experience, we recommend that customers have MDE P2 and/or Microsoft Sentinel.
To use Security Copilot, you will need to provision at least 1 SCU per hr 24x7. Therefore, the minimum annual price is $35,040 USD ($4 * 24hr per day * 365day per yr). Your monthly bill is calculated as (SCUs per hr) x $4 x 730/month or you can leverage the Azure Pricing Calculator. Customers and partners can purchase SCUs in the standalone experience or in Azure and can manually provision SCUs up or down so long as there is at least 1 SCU/hr. Once an analyst is nearing the capacity limit (90%), they will receive a warning and the option to increase the capacity.
If you delete Security Copilot (zero SCUs per hr), we will retain your data for 90 days. Tenant-level MDTI workbench is included with Security Copilot and although it’s not the standalone API, the TI information is easy to read and in the context of your investigations (e.g., activity groups, tooling, and vulnerabilities). From a licensing perspective, this is also significant cost savings.
Since computing capacity and token usage is variable (quantifying a specific # of tokens or SCUs/workflows needed per prompt/Promptbook is difficult), it’s important for partners to know what they can do now:
- Calculate your average SCU utilization over a standard 7 days
- Provision ≈1 SCU per Embedded Experience, ≈4 SCU per Standalone Experience, and ≈5 SCU per Automation and/or Promptbooks
- Measure SCU usage between different use cases (SOC analysts, Purview admins, Identity/access admins, etc.)
- Measure SCU usage between different levels of expertise (Junior analysts vs Senior analysts)
- Measure SCU usage across different types of investigations (incident triage, threat actor investigation, reverse engineering a malicious script, etc.)
- Explore the Security Copilot SCU Optimizer Solution to simplify CfS cost management
Beyond GA, we’re also collecting this data and in good time, will provide more guidance and standards on SCU usage and patterns.
Integrations
- Microsoft Security Copilot in Microsoft Defender XDR
- Microsoft Security Copilot in Microsoft Entra
- Microsoft Security Copilot and Intune
- Microsoft Security Copilot and Defender EASM
- Microsoft Security Copilot and Microsoft Threat Intelligence
- Microsoft Security Copilot in Microsoft Purview
- Security Copilot in Defender for Cloud (Preview)
Microsoft Security Integration Reference Architecture
Multi-tenant & Delegation Models
As of today, customers pay for their MSSP’s SCUs/usage. MSSPs can access the customer’s Security Copilot environment (limited to the standalone portal) if the customer elects to provide access (referred to as Bring your Own MSSP), which is managed via Guest Access (B2B) and GDAP. Currently, there isn’t a CSP or reseller multitenant model for MSSPs.
- Grant partners access
- B2B collaboration
- Granular Delegated Admin Privileges (GDAP)
- Azure Lighthouse Coming soon to Security Copilot
- Microsoft 365 Lighthouse Coming soon to Security Copilot
Address Concerns
- OAuth 2.0 On-Behalf-Of flow
- Privileged Identity Management (PIM)
- Microsoft Defender for Endpoint (MDE) Device Groups
Technical Considerations
- Assist a Human in Completing Work – It’s a Copilot, integrations are driven by/drive human engagement, not background runtime processing of substantial amounts of data.
- Have High Customer Value — The cost of Generative AI is orders of magnitude higher per transaction than your average feature today and depends on a constrained hardware supply (GPUs).
- Will be Regularly Used — The best integrations will be used regularly so it is ongoing value, not a one-time value (like a configuration assistant).