Get started with Microsoft Copilot for Security

Copilot for Security is a generative AI security product that empowers security and IT professionals respond to cyber threats, process signals, and assess risk exposure at the speed and scale of AI. For more information, see What is Copilot for Security?. Understand what you need to get started such as the minimum requirements, purchasing security compute units, and setting up a default environment.

Get recommendations on next steps to take to get you on your way to maximizing the capabilities in Copilot for Security.

For information on applying Zero Trust, see Apply principles of Zero Trust to Microsoft Copilot for Security.

Note

Disclaimer: This documentation is only intended for customers using commercial clouds. Currently, Copilot for Security is not designed for use by customers using US government clouds, including but not limited to GCC, GCC High, DoD, and Microsoft Azure Government. For more information, consult with your Microsoft representative.

Minimum requirements

Subscription

In order to purchase security compute units, you need to have an Azure subscription. For more information, see Create your Azure free account.

Security compute units

Security compute units are the required units of resources that are needed for dependable and consistent performance of Microsoft Copilot for Security.

Copilot for Security is sold in a provisioned capacity model and is billed by the hour. You can provision Security Compute Units (SCUs) and increase or decrease them at any time. Billing is calculated on an hourly basis with a minimum of one hour.

For more information, see Microsoft Copilot for Security pricing.

Capacity

Capacity in the context of Copilot for Security, is an Azure resource that contains SCUs. SCUs are provisioned for Copilot for Security. You can easily manage capacity by increasing or decreasing provisioned SCUs within the Azure portal or the Copilot for Security portal. Copilot for Security provides a usage monitoring dashboard for Copilot owners, allowing them to track usage over time and make informed decisions about capacity provisioning. For more information, see Managing usage.

Onboarding to Copilot for Security

Onboarding to Copilot for Security is a two-step process:

Step 1: Provision capacity

You can choose from the following options to provision capacity:

Note

Regardless of the method you choose, you will need to purchase a minimum of 1 and a maximum of 100 SCUs. The recommended number of units to start the most basic exploration of Copilot for Security is 3 units.

When you first open Copilot for Security (https://securitycopilot.microsoft.com), you're guided through the steps in setting up capacity for your organization.

Required role

You need to be an Azure subscription owner or contributor to create capacity.

  1. Sign in to Copilot for Security (https://securitycopilot.microsoft.com).

  2. Select Get started.

    Screenshot of get started.

  3. Set up your security capacity:
    Select the Azure subscription, associate capacity to a resource group, add a name to the capacity, select the prompt evaluation location, and specify the number of Security Compute Units (SCUs). Data is always stored in your home tenant geo.

    Screenshot of set up your security capacity.

    Note

    The number of SCUs is provisioned on an hourly basis, and the estimated monthly cost is displayed.

    If your selected geo location is too busy, you can also evaluate the prompts anywhere in the world. This can be done by selecting the appropriate option in the capacity creation screen.

  4. Confirm that you acknowledge and agree to the terms and conditions, then select Continue.

After you've created the capacity, it will take a few minutes to deploy the Azure resource on the backend.

Screenshot of setting up your security capacity.

Option 2: Provision capacity in Azure

The initial setup in this method starts in the Azure portal. Then, you need to complete the setup in the Copilot for Security portal.

Note

Billing begins as soon as capacity is created, regardless of whether the SCU is attached to an environment.

Required role

You need to be an Azure subscription owner or contributor to create capacity.

  1. Sign in to the Azure portal.

  2. Search for Copilot for Security in the list of services, then select Copilot for Security.

  3. Select Resource groups.

  4. Under Plan, select Microsoft Copilot for Security. Then select Create.

  5. Select a subscription and resource group, add a name to the capacity, select the prompt evaluation location and select the number of Security Compute Units (SCUs). Data is always stored in your home tenant geo.

    Screenshot of setting up Copilot for Security in Azure.

    Note

    The number of SCUs is provisioned on an hourly basis, and the estimated monthly cost is displayed.

    If your selected geo location is too busy, you can also evaluate the prompts anywhere in the world. This can be done by selecting the appropriate option in the capacity creation screen.

  6. Confirm that you acknowledge and have read the terms and conditions, then select Review + create.

  7. Verify that all the information is correct, then select Create. A confirmation page is displayed.

  8. Select Finish setup in the Copilot for Security portal.

Step 2: Set up default environment

Required role

You need to be at least a Security Administrator role to accomplish this task.

Important

Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

You need to be an Azure Owner or a contributor for the capacity resource to associate capacity to Copilot for Security.

  1. Associate your capacity to the Copilot for Security environment if the capacity was created in the Azure portal.

    Screenshot of selecting capacity you'd like to use.

  2. You're informed where your Customer Data will be stored. Select Continue.

    Screenshot of where your customer data is stored.

  3. You're informed on accessing data from Microsoft 365 services. Select Continue.

  4. Select among the data sharing options. Select Continue. For more information on data sharing, see Privacy and data security.

    Screenshot of Customer Data sharing options.

  5. You'll be informed of the default roles that can access Copilot for Security. Select Continue.

    Screenshot of Copilot access.

  6. A confirmation page is displayed. Select Finish.

    Image of Copilot all set

Offboarding

To offboard from Copilot for Security, you'll need to delete the provisioned capacity.

Note

To export data, you will need to contact support. For more information, see Contact support.

Required role

You need to be at least a Security Administrator role to accomplish this task.

Delete capacity through Copilot for Security

You can delete capacity from the Owner settings page or the usage monitoring page.

Warning

Deleting capacity and their internal data is permanent action and cannot be undone.

Owner settings page

  1. Sign in to Copilot for Security (https://securitycopilot.microsoft.com).

  2. Select the home menu icon.

  3. Navigate to the Owner settings or Usage monitoring section.

  4. In the units section, select Change.

  5. Select the overflow menu (...).

  6. Select Delete the capacity.

  7. Confirm that you want to delete capacity. This action deletes the active capacity for the tenant.

Assign roles to users

Now that you have Copilot for Security up and running, decide who should get Copilot access. By default, All users in your tenant have basic access to the platform, but only those in your organization with extra permission are able to effectively prompt security data. For more information, see, Assign roles.

Take the Copilot for Security tour

Copilot for Security comes with a tour to help you ease into using the application.

When you first log into Copilot for Security, the tour helps you discover some of the key features and functionality of the solution.

You're introduced to concepts such as the prompt bar and what to use it for, how to edit, rerun, or delete prompts. You'll also learn how to use some of the navigational elements available such as providing feedback.

Watch the following video to learn more about Copilot for Security:

Try out the Copilot for Security standalone and embedded experiences

Copilot for Security can be accessed through the standalone portal and is also available through intuitive embedded experiences. For example, some capabilities are available through Microsoft Defender XDR and Microsoft Purview with no prompting needed. For more information, see Copilot for Security experiences.

Learn about the integrations

Copilot for Security seamlessly integrates with other Microsoft security services and third-party services. A user with a security administrator role can easily manage the plugins that Copilot for Security uses as a data source to respond to prompts. For more information, see Manage plugins in Copilot for Security.

Check out the primary use cases

Copilot for Security is a robust solution that offers unparalleled functionality and capabilities which culminate in powerful mitigation against high-impact incidents such as ransomware attacks.

Some highlights include:

  • Incident summarization
  • Impact analysis
  • Reverse engineering of scripts
  • Guided response

Join the Microsoft Copilot for Security Customer Connection Program (CCP)

Stay up to date with Copilot for Security by joining the Microsoft Copilot for Security Customer Connection Program. CCP community members have access to:

  • The latest technical product information and access to private previews
  • Free weekly technical trainings and product skilling webinars
  • A Teams Community to discuss with Copilot for Security product experts and engineers

Click here to opt-in to join the community.

See also