Microsoft Security Copilot is a generative AI-powered security solution that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale while remaining compliant with responsible AI principles.
In this article, we will share with you the public documentation for Security Copilot that was just released by Microsoft Learn. Please note that the information shared in these documents applies to the Microsoft Security Copilot Early Access Program, which is an invite-only paid preview program for commercial customers.
Table of Contents
What is Microsoft Security Copilot?
Microsoft Security Copilot is a generative AI-powered security solution that helps security professionals with incident response, threat hunting, intelligence gathering, and posture management. It uses natural language and security-specific plugins to generate responses to user prompts.
Early Access Program: Security Copilot is currently in an invite-only paid preview program for commercial customers. It is a pre-released product that may change before it’s commercially released.
Capabilities and scenarios: Security Copilot can summarize incidents, assess impact, provide guidance, protect against vulnerabilities, and generate reports. It can be accessed through a standalone experience or embedded in other Microsoft security products.
Plugins and integration: Security Copilot leverages plugins from Microsoft and third-party security products to extend and integrate services. Plugins bring more context and threat intelligence from various sources.💡Reference: Microsoft Learn – What is Microsoft Security Copilot?
Security Copilot can be accessed through https://securitycopilot.microsoft.com and is considered the standalone experience.
Security Copilot is also accessible in other Microsoft security products such as Microsoft Sentinel, Microsoft Intune, and Microsoft 365 Defender, etc. Accessing these experiences is considered the embedded experience.
Prompting in Security Copilot
Once you’ve set up Security Copilot, you can use prompts to input information. These prompts allow Security Copilot to generate answers that help you with your security-related tasks.
Prompts: These are the main input for the Security Copilot to generate answers. You can use promptbooks, prompt suggestions, or your own words to ask questions.
Process log: This shows the steps and sources that Security Copilot uses to form the response. You can cancel, edit, or delete your prompt at any time.
Feedback: You can provide feedback about the response by selecting Confirm, Off-Target, or Report. This can help improve Security Copilot.💡Reference: Microsoft Learn – Prompting in Microsoft Security Copilot.
Triage Incidents using Security Copilot
As a security operations center (SOC) analyst, you can use Security Copilot to quickly triage incidents based on alerts, entities, and threat intelligence. It uses natural language to query and summarize data from Microsoft 365 Defender and Microsoft Sentinel.
Use case example: A step-by-step demonstration of how Security Copilot can help an analyst investigate a possible credential theft incident assigned to them by Defender. The analyst uses Security Copilot to get more information about the user, device, and IP address involved in the incident, and to correlate it with a Microsoft Sentinel incident related to SAP data exfiltration.
Summary report: A concise report that the analyst can use to escalate the incident to the response team. The report includes the assessment of the original Defender incident, the link to the Sentinel incident, and the indicators of compromise. The report also highlights the threat actor and the C2 tool used by them.💡Reference: Microsoft Learn – Triage incidents based on enrichment from threat intelligence.
Investigate an Incident in Security Copilot
As a security analyst investigating an incident, you can use Security Copilot to perform a comprehensive incident investigation using natural language and plugins. It is integrated into Microsoft 365 Defender and can also be used as a standalone experience.
Script analysis: Security Copilot can explain what a suspicious script is doing and provide an overall summary. It currently supports PowerShell, batch, and bash scripts.
Infrastructure analysis: Security Copilot can gather information about the reputation of indicators in a script, such as IP addresses or URLs, and flag them as malicious or benign.
Report generation: Microsoft Security Copilot can provide an assessment of the incident with supporting evidence and recommendations. It can also export the response and share the session with other analysts.💡Reference: Microsoft Learn – Investigate an incident and associated suspicious entities.
Manage Plugins in Security Copilot
To enhance the capabilities of Security Copilot, Microsoft has included a set of pre-installed plugins that are designed to work with Microsoft security services and other commonly used services and websites. Additionally, users have the option to add their own custom plugins, including those from OpenAI. Security Copilot can use plugins to access other services and websites that provide security information or actions.
Microsoft plugins: Security Copilot can use Microsoft plugins and connectors to access other Microsoft services that the organization already has access to, such as Microsoft Sentinel, Microsoft 365 Defender, Microsoft Entra, Microsoft Intune, Microsoft Defender Threat Intelligence, Logic Apps, and Natural Language to Microsoft 365 Defender KQL. These plugins are preinstalled and can be turned on or off by the user.
Other plugins: Security Copilot can also use other plugins that are not from Microsoft, such as ServiceNow, OpenAI, VirusTotal, and Shodan. These plugins need to be added by the user and may require additional setup steps.
Plugin management: Security Copilot allows the user to manage the plugins by turning them on or off, resetting and personalizing the settings, editing or deleting the plugin files, and adding new custom plugins. The user can also see which plugins are available and how to use them.💡Reference: Microsoft Learn – Manage plugins in Microsoft Security Copilot.
Navigating Security Copilot
The Security Copilot platform has navigational features to maximize its functionality. As you explore the system, reference this article for more details.
Navigational features: This article explains how to use the home, my sessions, settings, tenant options, and help icons on the top bar of the platform. It also describes how to switch tenants and manage plugins.
Prompting features: This article shows how to use the process log, the pin board, the share feature, and the export feature to interact with the prompts and responses. It also provides links to articles on how to use featured prompts, suggested prompts, and custom prompts.
Configuration settings: The platform has some settings for data and privacy, theme preferences, and session management. It also provides links to articles on how to discover more settings and features of Security Copilot.💡Reference: Microsoft Learn – Navigate Security Copilot.
Privacy and Data Security
When you use Security Copilot, there are two types of data generated by Security Copilot: customer data and system data. Customer data is the data that you provide or generate when using Security Copilot. System data is the data that is necessary for the operation and improvement of Security Copilot.
Data sharing options: You can choose whether to share customer data with Microsoft for two purposes: to improve Security Copilot and to receive personalized recommendations. You can change your data-sharing settings at any time. Data that was shared previously is retained for not more than 180 days.
Data protection measures: Microsoft uses comprehensive controls to protect your data. Security Copilot runs queries as the user, stores only limited data, works with the closest data centers in your region, and complies with Microsoft’s responsible AI principles.
💡Reference: Microsoft Learn – Privacy and data security in Microsoft Security Copilot.
Microsoft Security Copilot FAQs
What is Security Copilot?
Security Copilot is an AI cybersecurity product that helps security professionals and analysts respond to threats quickly, process signals at machine speed, and assess risk exposure in minutes.
What are Security Copilot features?
Security Copilot combines a specialized large language model with security-specific capabilities from Microsoft. It uses data and signals from other Microsoft Security products and global threat intelligence. It also supports natural language queries and commands.
Who can access Security Copilot?
An invite-only paid preview program for commercial customers who want to try Security Copilot before it’s commercially released. The program has some supplemental terms and prerequisites for participation. During the Early Access Program, Security Copilot is designed for analysts as its intended users.
How much does Security Copilot cost?
The Early Access Program has a one-time invoice and purchase, and there are no extra usage fees. Customers need to agree to the Microsoft Customer Agreement and can cancel the purchase within seven days. Customers also get access to Microsoft Defender Threat Intelligence at no extra cost. This will change once Security Copilot is GA. Stay Tuned!
Compare ChatGPT and Security Copilot
Security Copilot is different from ChatGPT in terms of design, purpose, data sources, and functionality. Security Copilot is an enterprise cyber AI tool that helps with posture management, incident response, and reporting. ChatGPT is a chatbot that uses prompts from users to generate responses.
💡Reference: Microsoft Learn – Microsoft Security Copilot Frequently Asked Questions.
At the time of this writing, Security Copilot is in the Early Access Program which is an invite-only paid preview program for commercial customers to use Security Copilot, a tool that can help with security-related tasks.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.