
Microsoft Security Copilot Documentation

Updated — 13/03/2024 — Microsoft Copilot for Security is generally available on April 1, 2024, with new capabilities.

Microsoft Security Copilot is a generative AI-powered security solution that increases defenders’ efficiency and capabilities to improve security outcomes at machine speed and scale, while remaining compliant with responsible AI principles.

In this article, we will share with you the public documentation for Security Copilot that was just released by Microsoft Learn. Please note that the information in these documents applies to the Microsoft Security Copilot Early Access Program, an invite-only paid preview program for commercial customers.

What is Microsoft Security Copilot?

Microsoft Security Copilot is a generative AI-powered security solution that helps security professionals with incident response, threat hunting, intelligence gathering, and posture management. It uses natural language and security-specific plugins to generate responses to user prompts.

Early Access Program: Security Copilot is currently in an invite-only paid preview program for commercial customers. It is a pre-released product that may change before it’s commercially released.

Capabilities and scenarios: Security Copilot can summarize incidents, assess impact, provide guidance, protect against vulnerabilities, and generate reports. It can be accessed through a standalone experience or embedded in other Microsoft security products.

Plugins and integration: Security Copilot leverages plugins from Microsoft and third-party security products to extend and integrate services. Plugins bring more context and threat intelligence from various sources.

💡Reference: Microsoft Learn – What is Microsoft Security Copilot?

Security Copilot can be accessed through and is considered the standalone experience.

Security Copilot is also accessible in other Microsoft security products such as Microsoft Sentinel, Microsoft Intune, and Microsoft 365 Defender. Accessing Security Copilot through these products is considered the embedded experience.

Prompting in Security Copilot

Once you’ve set up Security Copilot, you can use prompts to input information. These prompts allow Security Copilot to generate answers that help you with your security-related tasks.

Prompts: These are the main input that Security Copilot uses to generate answers. You can use promptbooks, prompt suggestions, or your own words to ask questions.

Process log: This shows the steps and sources that Security Copilot uses to form the response. You can cancel, edit, or delete your prompt at any time.

Feedback: You can provide feedback about the response by selecting Confirm, Off-Target, or Report. This can help improve Security Copilot.

Triage Incidents using Security Copilot

As a security operations center (SOC) analyst, you can use Security Copilot to quickly triage incidents based on alerts, entities, and threat intelligence. It uses natural language to query and summarize data from Microsoft 365 Defender and Microsoft Sentinel.

Use case example: A step-by-step demonstration of how Security Copilot can help an analyst investigate a possible credential theft incident assigned to them by Defender. The analyst uses Security Copilot to get more information about the user, device, and IP address involved in the incident, and to correlate it with a Microsoft Sentinel incident related to SAP data exfiltration.

Summary report: A concise report that the analyst can use to escalate the incident to the response team. The report includes the assessment of the original Defender incident, the link to the Sentinel incident, and the indicators of compromise. The report also highlights the threat actor and the C2 tool used by them.

💡Reference: Microsoft Learn – Triage incidents based on enrichment from threat intelligence.

Investigate an Incident in Security Copilot

As a security analyst investigating an incident, you can use Security Copilot to perform a comprehensive incident investigation using natural language and plugins. It is integrated into Microsoft 365 Defender and can also be used as a standalone experience.

Script analysis: Security Copilot can explain what a suspicious script is doing and provide an overall summary. It currently supports PowerShell, batch, and bash scripts.

Infrastructure analysis: Security Copilot can gather information about the reputation of indicators in a script, such as IP addresses or URLs, and flag them as malicious or benign.

Report generation: Microsoft Security Copilot can provide an assessment of the incident with supporting evidence and recommendations. It can also export the response and share the session with other analysts.

💡Reference: Microsoft Learn – Investigate an incident and associated suspicious entities.

Manage Plugins in Security Copilot

To enhance the capabilities of Security Copilot, Microsoft has included a set of pre-installed plugins that are designed to work with Microsoft security services and other commonly used services and websites. Additionally, users have the option to add their own custom plugins, including those from OpenAI. Security Copilot can use plugins to access other services and websites that provide security information or actions.

Microsoft plugins: Security Copilot can use Microsoft plugins and connectors to access other Microsoft services that the organization already has access to, such as Microsoft Sentinel, Microsoft 365 Defender, Microsoft Entra, Microsoft Intune, Microsoft Defender Threat Intelligence, Logic Apps, and Natural Language to Microsoft 365 Defender KQL. These plugins are preinstalled and can be turned on or off by the user.

Other plugins: Security Copilot can also use other plugins that are not from Microsoft, such as ServiceNow, OpenAI, VirusTotal, and Shodan. These plugins need to be added by the user and may require additional setup steps.

Plugin management: Security Copilot allows the user to manage the plugins by turning them on or off, resetting and personalizing the settings, editing or deleting the plugin files, and adding new custom plugins. The user can also see which plugins are available and how to use them.

💡Reference: Microsoft Learn – Manage plugins in Microsoft Security Copilot.

Navigating Security Copilot

The Security Copilot platform has navigational features to maximize its functionality. As you explore the system, refer to the Microsoft Learn article for more details.

Navigational features: The Microsoft Learn article explains how to use the home, my sessions, settings, tenant options, and help icons on the top bar of the platform. It also describes how to switch tenants and manage plugins.

Prompting features: The Microsoft Learn article shows how to use the process log, the pin board, the share feature, and the export feature to interact with the prompts and responses. It also provides links to articles on how to use featured prompts, suggested prompts, and custom prompts.

Configuration settings: The platform has some settings for data and privacy, theme preferences, and session management. It also provides links to articles on how to discover more settings and features of Security Copilot.

💡Reference: Microsoft Learn – Navigate Security Copilot.

Privacy and Data Security

When you use Security Copilot, there are two types of data generated by Security Copilot: customer data and system data. Customer data is the data that you provide or generate when using Security Copilot. System data is the data that is necessary for the operation and improvement of Security Copilot.

Data sharing options: You can choose whether to share customer data with Microsoft for two purposes: to improve Security Copilot and to receive personalized recommendations. You can change your data-sharing settings at any time. Data that was shared previously is retained for not more than 180 days.

Data protection measures: Microsoft uses comprehensive controls to protect your data. Security Copilot runs queries as the user, stores only limited data, works with the closest data centers in your region, and complies with Microsoft’s responsible AI principles.

💡Reference: Microsoft Learn – Privacy and data security in Microsoft Security Copilot.

Microsoft Security Copilot FAQs

What is Security Copilot?

Security Copilot is an AI cybersecurity product that helps security professionals and analysts respond to threats quickly, process signals at machine speed, and assess risk exposure in minutes.

What are Security Copilot features?

Security Copilot combines a specialized large language model with security-specific capabilities from Microsoft. It uses data and signals from other Microsoft Security products and global threat intelligence. It also supports natural language queries and commands.

Who can access Security Copilot?

Access is through the Early Access Program, an invite-only paid preview program for commercial customers who want to try Security Copilot before it’s commercially released. The program has some supplemental terms and prerequisites for participation. During the Early Access Program, Security Copilot is designed for analysts as its intended users.

How much does Security Copilot cost?

The Early Access Program has a one-time invoice and purchase, and there are no extra usage fees. Customers need to agree to the Microsoft Customer Agreement and can cancel the purchase within seven days. Customers also get access to Microsoft Defender Threat Intelligence at no extra cost. This will change once Security Copilot is GA. Stay Tuned!

Compare ChatGPT and Security Copilot

Security Copilot is different from ChatGPT in terms of design, purpose, data sources, and functionality. Security Copilot is an enterprise cyber AI tool that helps with posture management, incident response, and reporting. ChatGPT is a chatbot that uses prompts from users to generate responses.

💡Reference: Microsoft Learn – Microsoft Security Copilot Frequently Asked Questions.

Microsoft Security Copilot Blog

Microsoft introduced a new blog in the Microsoft Tech Community for Microsoft Security Copilot, an AI assistant for daily operations in security and IT that brings the power of generative AI to empower teams to defend at machine speed and scale. You can find the blog on the following page.

In Summary

Microsoft announced that beginning April 1, 2024, it will make Copilot for Security generally available for purchase as a consumption offer. The straightforward pricing model will cover both the standalone Copilot experience and embedded experiences across the Microsoft Security product portfolio.

The consumption model of Copilot for Security makes it easy to start quickly and on a small scale. This allows you to experiment and learn without any upfront charges per device or user. You can use an existing Azure subscription, or sign up for one if you are not already an Azure customer. Then, you can provision Azure capacity to support all the Copilot for Security workloads, both standalone and embedded. Copilot for Security capacity is expected to be billed monthly, using a new Security Compute Unit (SCU) at a rate of $4 per hour. A quick calculation for one SCU running for a full month gives 730 h × $4 = $2,920, which may simply be too expensive for most smaller organizations.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
