Copilot for Security Technical Journey & Resources
What is the Copilot for Security Technical Journey? 
The Microsoft Copilot for Security Technical Journey will guide you through how to learn, extend, and drive customer adoption for Microsoft Copilot for Security, the first security platform to enable defenders to move at the speed and scale of AI by leveraging the most advanced large language models (LLMs) with large-scale data and threat intelligence, including more than 78 trillion daily security signals.
Table of Contents
This page is organized into three parts – Learn Copilot for Security, Extend Copilot for Security, and Driving Customer Adoption.
| Table of Contents | |
| Learn Copilot for Security | |
| Extend Copilot for Security | |
| Driving Customer Adoption | |
November 19th, 2024 Update📰
| Recent Update (November 19th, 2024): Events & Get Started |
Copilot for Security is now SOC 2 certified🎉
You can ingest your Copilot for Security audit logs using this Azure Function App and PowerShell script.
It’s also worth exploring this solution that automates the analysis of user-submitted phishing emails using Copilot for Security🎣
Lastly, my colleague and friend Rick created these easy-to-use KQL templates for custom Defender and Sentinel plugins. Give them a try!
Events
If you’re a member of the Microsoft Copilot for Security Customer Connection Program (CCP), join our weekly Copilot for Security Skilling and Readiness events:
| Topic | Date & Time | Register! |
| Copilot for Security in Defender EASM | Thursday, November 21st @ 9:00 AM PT | Register |
| Automating Workflows with Logic Apps in Copilot for Security | Thursday, December 5th @ 9:00 AM PT | Register |
Learn Copilot for Security
Are you ready to get started? Dive into onboarding guidance, prompt engineering templates and best practices, use cases, demos, roles, community resources, and other relevant documentation.
Overview
- What is Microsoft Copilot for Security?
- Microsoft Copilot for Security experiences
- Navigate Copilot for Security
- Create effective prompts
- What is a compound AI system?
- Using Microsoft Graph as a Microsoft Copilot for Security Plugin with Delegated Access
Onboarding
You can provision Copilot for Security within the standalone experience or in Azure. If your organization requires tags to deploy Azure resources, use this ARM template to add tags during deployment. When provisioning Copilot for Security, you can purchase capacity in these four regions: East US, West Europe, UK South, and Australia East. Customers can provision a maximum of 100 SCUs and scale down to a minimum of 1 SCU per hr.
While there are technically no prerequisites, you’ll need an Azure subscription and Microsoft Entra ID (Entra ID is required to authenticate your users). We also recommend allowing prompt evaluation anywhere with available GPU capacity for optimal results. By default, all users are “Copilot contributors” (this may vary according to existing user permissions) and the provisioning user is the “Copilot owner.” Contributors cannot update data sharing options, manage SCUs, view the usage dashboard, and may only manage and publish custom plugins or upload files when allowed. Also by default, all security administrators and global administrators inherit Copilot for Security access.
Copilot for Security will not elevate your level of access (e.g., to use the Microsoft Sentinel plugin, you will need the Microsoft Sentinel Reader role). However, plugin settings are managed at the user level, requiring each user to enable/disable plugins and configure authentication methods. Unfortunately, there is no existing option to set plugin configurations at the Tenant level.
I recommend starting with the Defender XDR Embedded Experience or Promptbooks. You can easily add tags, edit, share, run, and set the level of access to “Just me” or “Anyone in my organization.” You can even create your own. Learn more about how to create your own Promptbooks here. It’s also critical to monitor SCU usage to manage costs and avoid disruptions (e.g., calculate your average SCU utilization over a standard 7 days). Learn more about how to monitor your usage here. Microsoft permits some occasional demand spikes from customers that exceed their provisioned capacity at no additional charge, but if the spikes are consistent, that usually signals under provisioned capacity.
Lastly, experiment with uploading your organizations own DOCX, MD, PDF, and TXT files. You can upload files up to 20 MB in total. Copilot for Security reasons over files to generate more relevant and specific responses. Learn more about uploading your own files here.
Get Started
- Get started
- Understand authentication
- Best practices for Microsoft Entra roles
- Prompting
- Sample Prompts Library
- Promptbooks
- Promptbooks Library
- What does good prompt engineering look like?
- Apply principles of Zero Trust to Microsoft Copilot for Security
- Exploring Copilot for Security to Automate Incident Triage
- Extending Copilot for Security with Azure Function Apps
- Harnessing the power of KQL Plugins with Copilot for Security
- Customize and Optimize Copilot for Security with the custom Data Security plugin
- NEW: Identity forensics with Copilot for Security Identity Analyst Plugin
- NEW: Enhancing Threat Hunting with Microsoft Defender Experts Plugin
Features
- Incident Summarization — Summarize incidents, vulnerabilities, and threats in minutes and prepare the information in ready-to-share reports.
- Impact Analysis — Assess impact and receive insights into your affected systems.
- Reverse Script Engineering — Analyze complex command line scripts and translate them into natural language with clear explanations of actions.
- Guided Response — Receive actionable step-by-step guidance, including for triage, investigation, and remediation.
Use Cases
- Triage incidents with enriched threat intelligence
- Investigate an incident’s malicious script
- Advanced Hunting
- Summarize an incident in Microsoft Defender XDR
- Use guided responses in Defender XDR
- Create an incident report in Microsoft Defender XDR
- Script analysis in Defender XDR
- Generate device summaries in Defender XDR
- Analyze files in Defender XDR
- Risky user summarization in Entra
- Summarize the latest threats in MDTI
- Analyze recommendations in MDC
- Summarize recommendations in MDC
- Remediate recommendations in MDC
- Delegate recommendations in MDC
- Remediate code in MDC
Demos
- Business Email Compromise (BEC)
- Human-operated ransomware (HumOR)
- Defender XDR Embedded Copilot to Standalone Copilot investigation
- Extended user account investigation
- Cloud compromise
- Troubleshooting
Also explore our Microsoft Copilot for Security Instructional Demo Videos📹
Videos
We recommend watching the following videos created by Microsoft Security and the Global Partner Solutions (GPS) Technical Team:
 |
Microsoft Copilot for Security John Savill dives into the powerful features and capabilities of Microsoft Copilot for Security. |
 |
Threat Intelligence in Copilot for Security with Volt/Silk Typhoon demo Learn about Microsoft Threat Intelligence in Copilot for Security, including what it is, how you can use it, and learn from a comprehensive demo featuring Volt/Silk Typhoon, prolific state-sponsored espionage actors from China. |
 |
Copilot for Security Pricing Short on time? Learn about Copilot for Security’s pricing model in just 10 minutes, including how to provision, scale, and manage Security Compute Units (SCUs). Discover what you can do today, along with valuable onboarding tips. |
 |
Selling Copilot for Security w/ Multi-stage Incident Demo Explore Copilot for Security’s powerful use cases, its unique value, proven results, and differentiation story, and see it all in action with a comprehensive multi-stage incident demo in Microsoft Defender XDR. |
 |
Copilot for Security Responsible AI Learn how Copilot for Security mitigates Responsible AI issues and explore Generative AI threats, including prompt injection attacks, disinformation campaigns, spear phishing, etc., and how we at Microsoft defeat them. |
 |
How Microsoft Copilot for Security works Ryan Munsch, from the Copilot for Security team, joins host Jeremy Chapman to share how Copilot for Security is an enterprise-grade natural language interface for your organization's security data. |
Also explore Microsoft’s Copilot for Security YouTube Playlist📹
Roles beyond SOC Analysts
- IT Admins: Create device configuration profiles in Intune and leverage data-driven configuration troubleshooting and remediation.
- DLP Analysts: Summarize DLP alerts and analyze DLP policy configurations.
- Insider Risk Analysts: Summarize Insider Risk Management (IRM) alerts and gain context around users with risky behavior.
- eDiscovery Analysts: Generate Keyword Query Language from NL in eDiscovery and summarize evidence collected.
- Identity Access Management (IAM) Admins: Discover high risk users, overprivileged access, suspicious sign-ins in Entra.
Announcements & Whitepapers
- Whitepaper – Microsoft Copilot for Security – Working with the Microsoft Security stack and 3Ps
- Randomized Controlled Trial for Copilot for Security
Community Resources
- Join the Copilot for Security Customer Connection Program (CCP)
- Microsoft Copilot for Security Tech Community Blog
- Copilot in Azure Technical Deep Dive
- Copilot for Security Partner Playbook
- Introduction to red teaming large language models (LLMs)
- OpenAI Prompt Engineering
- Applied Generative AI (GAI) in Security Blog
- Why AI Will Save the World
AI Security
- Learn more about our approach to Responsible AI.
- MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems)
- OWASP AI Security and Privacy Guide
Back to Table of Contents. Are you ready to extend Copilot for Security?
Extend Copilot for Security
Learn how to grant an MSSP access to your Copilot for Security environment and how to use and create plugins. Copilot for Security plugins enhance the platform’s capabilities by acting as connectors, enabling seamless integration with infinite partners and third parties, allowing for custom functionality. To first create a plugin, you will need the correct instance URL and API token.
MSSPs
Plugins
- Overview
- Other plugins – Non-Microsoft plugins
- API
- GPT
- KQL
- Manage plugins
- Plugin error codes
Connectors
3P Plugins
- AbuseIPDB – AbuseIPDB is a central repository to report and identify IPs that are associated with malicious activity online
- Computer Incident Response Center Luxembourg (CIRCL) – CIRCL is a government initiative that enables users to validate suspicious files in the form of hashes
- CrowdSec – CrowdSec provides identification and verification of potentially malicious IPs
- CyberArk – CyberArk Privilege Cloud helps to securely store, rotate, and isolate credentials
- Cybersixgill – Cybersixgill offers real-time TI solutions, including from the dark web
- Cyware – Cyware is an end-to-end incident management and response platform
- Darktrace – Darktrace offers cybersecurity AI services
- Forescout Vedere Labs – Forescout research teams provide a TI feed containing IP, URL, and File hash indicators for potentially malicious activity
- GreyNoise – GreyNoise collects and analyzes Internet-wide scan and attack data
- Intel 471 – Intel 471 provides cybercrime intelligence
- Jamf – Jamf Pro provides enterprise-level Mobile Device Management (MDM)
- Netskope – Netskope combines security and networking services, enabling Secure Access Services Edge (SASE) and Zero Trust
- Red Canary – Red Canary provides managed detection and response (MDR) services
- ReversingLabs – ReversingLabs helps SOC teams understand file-based threats
- Saviynt – Saviynt provides insights into identity-related risks
- SGNL – SGNL provides Zero Standing Privilege (ZSP) initiatives to protect user sessions and credentials
- Shodan – Shodan is a search engine that allows users to find specific types of devices connected to the Internet
- Silverfort – Silverfort provides advanced CEF data from Microsoft Sentinel
- Tanium – Tanium is a Converged Endpoint Management (XEM) reference platform
- UrlScan – UrlScan allows users to scan and analyze potentially malicious URLs
- Valence Security – Valence combines SaaS Security Posture Management (SSPM) and advanced remediation
- Whoisfreaks – Whoisfreaks provides domain and IP intelligence services
Extensibility Features
Community Plugins
Disclaimer: Some of these plugins were developed and are maintained by the community and are not owned and/or managed by Microsoft.
- Track SCU changes
- Copilot for Security Portal Logins
- Send Copilot Output to Email
- GitHub Advanced Security Custom Plugin Scenarios
- Microsoft Defender XDR Custom Plugin Scenarios
- Microsoft Sentinel Custom Plugin Scenarios
- QR Code AiTM Phishing Detection
- Have I Been Pwned – Have I Been Pwned allows users to verify whether their personal data has been compromised by data breaches
- IBM X-Force Threat Intelligence – IBM X-Force is a cloud-based TI solution
- Censys – Censys regularly probes public IPs and domains
- SentinelOne – SentinelOne is an Enterprise Security AI Platform
Back to Table of Contents. Are you ready to drive customer adoption?
Driving Customer Adoption
Microsoft Copilot for Security enables customers and partners to proactively defend against threats, streamline security workflows, and protect critical assets. Learn how to drive customer adoption below.
Pricing📌
Copilot for Security pricing is consumption-based and costs approximately $4 per SCU per hr. A Security Compute Unit (SCU) is Copilot for Security’s unit of measurement of computing capacity to run a Copilot workload (i.e., prompt/Promptbook). The amount of SCUs needed depends on the complexity of the given workload. The pricing is consistent across the standalone experience and the embedded experiences as well as regions.
Why is it consumption-based and not per user? The idea is that the flexibility will allow more customers and partners to try it! That said, the output is only as good as the input, and the more plugins you use to contextually enrich complex investigations, the better (think Microsoft Sentinel pricing; the more telemetry ingested = the more coverage and insights, so long as it’s not too much noise). There are no prerequisites, but for the optimal user experience, we recommend that customers have MDE P2 and/or Microsoft Sentinel.
To use Copilot for Security, you will need to provision at least 1 SCU per hr 24x7. Therefore, the minimum annual price is $35,040 USD ($4 * 24hr per day * 365day per yr). Your monthly bill is calculated as (SCUs per hr) x $4 x 730/month or you can leverage the Azure Pricing Calculator. Customers and partners can purchase SCUs in the standalone experience or in Azure and can manually provision SCUs up or down so long as there is at least 1 SCU/hr. Once an analyst is nearing the capacity limit (90%), they will receive a warning and the option to increase the capacity.
If you delete Copilot for Security (zero SCUs per hr), we will retain your data for 90 days. Tenant-level MDTI workbench is included with Copilot for Security and although it’s not the standalone API, the TI information is easy to read and in the context of your investigations (e.g., activity groups, tooling, and vulnerabilities). From a licensing perspective, this is also significant cost savings.
Since computing capacity and token usage is variable (quantifying a specific # of tokens or SCUs/workflows needed per prompt/Promptbook is difficult), it’s important for partners to know what they can do now:
- Calculate your average SCU utilization over a standard 7 days
- Provision ≈1 SCU per Embedded Experience, ≈4 SCU per Standalone Experience, and ≈5 SCU per Automation and/or Promptbooks
- Measure SCU usage between different use cases (SOC analysts, Purview admins, Identity/access admins, etc.)
- Measure SCU usage between different levels of expertise (Junior analysts vs Senior analysts)
- Measure SCU usage across different types of investigations (incident triage, threat actor investigation, reverse engineering a malicious script, etc.)
- Explore the Copilot for Security SCU Optimizer Solution to simplify CfS cost management
Beyond GA, we’re also collecting this data and in good time, will provide more guidance and standards on SCU usage and patterns.
Integrations
- Microsoft Copilot for Security in Microsoft Defender XDR
- Microsoft Copilot for Security in Microsoft Entra
- Microsoft Copilot for Security and Intune
- Microsoft Copilot for Security and Defender EASM
- Microsoft Copilot for Security and Microsoft Threat Intelligence
- Microsoft Copilot for Security in Microsoft Purview
- Copilot for Security in Defender for Cloud (Preview)
Microsoft Security Integration Reference Architecture
Multi-tenant & Delegation Models
As of today, customers pay for their MSSP’s SCUs/usage. MSSPs can access the customer’s Copilot for Security environment (limited to the standalone portal) if the customer elects to provide access (referred to as Bring your Own MSSP), which is managed via Guest Access (B2B) and GDAP. Currently, there isn’t a CSP or reseller multitenant model for MSSPs.
- Grant partners access
- B2B collaboration
- Granular Delegated Admin Privileges (GDAP)
- Azure Lighthouse Coming soon to Copilot for Security
- Microsoft 365 Lighthouse Coming soon to Copilot for Security
Address Concerns
- OAuth 2.0 On-Behalf-Of flow
- Privileged Identity Management (PIM)
- Microsoft Defender for Endpoint (MDE) Device Groups
Technical Considerations
- Assist a Human in Completing Work – It’s a Copilot, integrations are driven by/drive human engagement, not background runtime processing of substantial amounts of data.
- Have High Customer Value — The cost of Generative AI is orders of magnitude higher per transaction than your average feature today and depends on a constrained hardware supply (GPUs).
- Will be Regularly Used — The best integrations will be used regularly so it is ongoing value, not a one-time value (like a configuration assistant).