You dont have javascript enabled! Please enable it! CISO's Guide: Using Copilot For Security Insights & Guidance - CHARBEL NEMNOM - MVP | MCT | CCSP | CISM - Cloud & CyberSecurity

CISO’s Guide: Using Copilot for Security Insights & Guidance

6 Min. Read

As a prominent organization’s Chief Information Security Officer (CISO), you safeguard sensitive data and mitigate cyber threats. To address these challenges effectively, you implemented Copilot for Security, an advanced AI assistant that provides insights and guidance.

This article will show how CISO can use Copilot for Security as an AI security assistant for insights and guidance.

What is Copilot for Security

Microsoft Copilot for Security is a generative AI-powered security solution that helps increase defenders’ efficiency and capabilities, improving security outcomes at machine speed and scale while remaining compliant with responsible AI principles.

When thinking about Copilot for Security, consider a broad reach. There are many use cases beyond the SOC Analyst persona; some include System Administrator, Insider Risk Analyst
Identity Access Management Administrator, Compliance Analyst.

Copilot for Security isn’t “Copilot for Defender,” “Copilot for Sentinel,” or “Copilot for Incidents.” Its use case scenarios span security, compliance, management, and identity, creating an additional value proposition for customers. Many impactful personas include those who work with Data Loss Prevention, eDiscovery, Microsoft Intune, and Microsoft Entra.

Microsoft Threat Intelligence – Copilot for Security
Microsoft Threat Intelligence – Copilot for Security

Copilot for Security is all about the data sources it can integrate with, like connectors, which are important to the strength of Microsoft Sentinel. While Microsoft continues to invest in adding additional first-party plugins, an active partner community is developing plugins to extend Copilot for Security’s capabilities.


To follow this guide, you need to have the following:

1) Azure subscription — If you don’t have an Azure subscription, you can create one here for free.

2) Microsoft Copilot for Security enabled — Copilot for Security capacity is billed monthly via a new Security Compute Unit (SCU) at the rate of “$4 per SCU per hour”. Microsoft recommends provisioning 3 SCUs ($4 X 3 = $12 per hour) to start Copilot for Security exploration. If we do a quick math, this will land at 730h X $4 (1 SCU as a minimum) = $2,920/Month. There is no free trial for Copilot for Security.

How to scope Copilot for Security SCUs: You can use the Azure pricing calculator, which now has Copilot for Security, to price your SCU metrics (Copilot for Security Pricing Calculator). Another tip is to track the team’s prompt usage per hour compared to the Copilot for Security usage monitoring dashboard. This will give you an estimated idea of how many prompts the team can generate per hour and how many SCUs they need to scale up.

Related: Check how to set up Copilot for Security Capacity.

3) To create Copilot for Security capacity, you must be an Azure Owner or Contributor, at least at the resource group level. You must also have a Global Administrator or Security Administrator role to set up the default environment.

  • Contributors can access Copilot, but Copilot responses will vary based on existing user permissions to Microsoft Security products. After setup, Owners can manage access from the role assignment page. Using security groups instead of individual users to assign Copilot for Security roles is highly recommended, which reduces administrative complexity. Learn more about Copilot for Security access.

Important! — For those that might not be aware, when you provision Copilot for Security for the first time, the group “everyone” is automatically added to the Contributor role, as shown in the figure below. This needs to be changed immediately since the Contributor role provides much access to areas with Copilot for Security. Microsoft decided to enable the embedded experience for everyone, but it can catch administrators off guard and prevent them from realizing what a Contributor role gives you.

Check the support documentation for what permissions the role Contributor gives in Copilot for Security (Understand authentication in Microsoft Copilot for Security), and see the screenshot below about what groups have defaulted to the Contributor role and the Owner role in Copilot for Security.

Copilot for Security – Role assignment
Copilot for Security – Role assignment

4) Microsoft Defender XDR E5 license—Check the licensing requirements if you don’t have Defender XDR. Then, ensure the Microsoft Defender XDR plugin is enabled in Copilot for Security and that you have the proper permission to access Defender XDR data.

Copilot for Security – Manage Plugins
Copilot for Security – Manage Plugins

Assuming you have all the prerequisites, let’s look at how the Chief Information Security Officer (CISO) can leverage Microsoft Copilot for Security for insights and guidance.

CISO using Copilot for Security

So, we begin by entering the following prompt to seek an overview of the organization’s performance in handling recent security incidents.

I am a CISO and need to understand how well my organization is performing, can you please look at the last 30 days of defender incidents and let me know what threats we are facing and if we are prepared based upon incidents being closed or resolved?

Copilot for Security compiles a report detailing the various threats encountered over the past month in less than a minute. These include suspicious activities such as Azure role assignments, Data Loss Prevention (DLP) policy triggers, and suspicious login activities linked to known Indicators of Compromise (IOCs). Additionally, Copilot highlights incidents involving rare Remote Desktop Protocol (RDP) connections, rapid creation and deletion of user accounts, abuse of AWS credentials, mailbox permission grants, and detection of unfamiliar sign-in properties. Most of these incidents remain ‘active,’ indicating ongoing investigation or mitigation efforts.

CISO's Guide: Using Copilot for Security Insights & Guidance 1

Next, we request Copilot for Security to provide details about a specific Defender incident and the threat actor involved.

I was told about defender incident 26530 a Human-operated ransomware attack from a threat actor called Manatee Tempest. Bullet list the users identified in the defender incident and also provide the threat actor profile information about the threat actor.”

In response to our query, Copilot identified “Jonathan Walcott” as involved in the incident and provided information about Tempest.

CISO's Guide: Using Copilot for Security Insights & Guidance 2

Next, we seek guidance on implementing effective security measures by using the following prompt:

What can we do to prevent and protect the organization? What are some best practices we can implement and can you tell me if those practices are currently in place?

CISO's Guide: Using Copilot for Security Insights & Guidance 3

As we see in the response below, Copilot for Security recommends a comprehensive approach encompassing Multi-Factor Authentication (MFA), Least Privilege Access, Security Awareness Training, Regular Patching and Updates, Endpoint Detection and Response (EDR), Threat Intelligence integration, and establishment of a robust Incident Response Plan. It also assesses the current implementation status of these practices within the organization.

CISO's Guide: Using Copilot for Security Insights & Guidance 4

Recognizing the need for a strategic roadmap, we request Copilot to formulate a detailed plan for the next 90 days.

What should my organization do first? Can you create a detailed plan with three phases for the next 90 days?

Copilot for Security responds with a phased approach. Phase 1: Immediate Actions (Days 1-30) outlines immediate actions like enabling MFA, implementing Least Privilege Access, and initiating Security Awareness Training. Phase 2: Strengthen Defenses (Days 31-60) involves strengthening defenses through regular patching and deploying an EDR solution. Phase 3: Enhance and Maintain (Days 61-90) to enhance security posture through Threat Intelligence integration, Incident Response Plan development, and Security Audits.

CISO's Guide: Using Copilot for Security Insights & Guidance 5

Finally, we tasked Copilot with creating a comprehensive report suitable for presentation to the board of directors.

Can you create a detailed report summarizing this information that I could present to our board of directors. Please include a technical and non-technical version.”

As the response below shows, Copilot delivers a technical report outlining security status, identified threats, recommended best practices, and a 90-day action plan. Additionally, it provides a non-technical version summarizing recent security incidents, potential threat actors, suggested security measures, and the strategic plan for enhancing organizational security.

CISO's Guide: Using Copilot for Security Insights & Guidance 6

Non-Technical Report

The non-technical report includes:

* Security Status: Over the past month, our organization has faced a variety of potential cyber threats. These include suspicious activities in our cloud services, potential data leaks, unusual login activities, and signs of unauthorized access to our systems. Most of these issues are still being investigated.

* Threats: We have identified three groups of cybercriminals who may be targeting our organization. These groups are known for their financial motivations, espionage activities, and disruptive actions.

* Best Practices: To protect our organization, we need to take several steps. These include using multiple methods to verify user identities, limiting access to only what is necessary, educating our staff about security threats, keeping our systems updated, detecting and responding to threats quickly, staying informed about the latest threats, and having a plan in place to respond to security incidents.

CISO's Guide: Using Copilot for Security Insights & Guidance 7

That’s it, there you have it. Our CISO is armed now with Copilot’s insights and guidance to lead the organization toward a more resilient and secure future!

In Summary

leveraging Microsoft Copilot for Security as a Chief Information Security Officer (CISO) equips you with a powerful AI assistant to enhance your organization’s security posture. With its generative AI capabilities, Copilot for Security offers comprehensive insights and guidance across various security roles, improving efficiency and outcomes at machine speed and scale.

By integrating with multiple data sources and extending functionality through first-party and partner-developed plugins, Copilot for Security delivers a broad range of use cases beyond traditional Security Operations Center (SOC) analysts. This AI assistant is pivotal in addressing threats, managing compliance, and enhancing identity access management.

Using Copilot for Security, a CISO can quickly assess the organization’s performance, analyze specific incidents, receive best practice recommendations, and formulate strategic plans. This tool empowers security leaders to make informed decisions, implement robust security measures, and communicate with stakeholders through detailed technical and non-technical reports.

Embracing Copilot for Security helps navigate the complex cybersecurity landscape, enabling your organization to become more resilient and secure in the face of evolving threats.

Thank you for reading our blog.

Please let us know in the comments section below if you have any questions or feedback.

-Charbel Nemnom-

Photo of author
About the Author:
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.

Microsoft Sentinel Sizing and Pricing – Optimize Costs and Enhance Security

Microsoft Press Learning Course – Exam SC-200 Microsoft Security Operations Analyst


Let us know what you think, or ask a question...