Get started with Microsoft Copilot for Security
Copilot for Security is a generative AI security product that empowers security and IT professionals respond to cyber threats, process signals, and assess risk exposure at the speed and scale of AI. For more information, see What is Copilot for Security?. Understand what you need to get started such as the minimum requirements, purchasing security compute units, and setting up a default environment.
Get recommendations on next steps to take to get you on your way to maximizing the capabilities in Copilot for Security.
For information on applying Zero Trust, see Apply principles of Zero Trust to Microsoft Copilot for Security.
Note
Disclaimer: This documentation is only intended for customers using commercial clouds. Currently, Copilot for Security is not designed for use by customers using US government clouds, including but not limited to GCC, GCC High, DoD, and Microsoft Azure Government. For more information, consult with your Microsoft representative.
Minimum requirements
Subscription
In order to purchase security compute units, you need to have an Azure subscription. For more information, see Create your Azure free account.
Security compute units
Security compute units are the required units of resources that are needed for dependable and consistent performance of Microsoft Copilot for Security.
Copilot for Security is sold in a provisioned capacity model and is billed by the hour. You can provision Security Compute Units (SCUs) and increase or decrease them at any time. Billing is calculated on an hourly basis with a minimum of one hour.
For more information, see Microsoft Copilot for Security pricing.
Capacity
Capacity in the context of Copilot for Security, is an Azure resource that contains SCUs. SCUs are provisioned for Copilot for Security. You can easily manage capacity by increasing or decreasing provisioned SCUs within the Azure portal or the Copilot for Security portal. Copilot for Security provides a usage monitoring dashboard for Copilot owners, allowing them to track usage over time and make informed decisions about capacity provisioning. For more information, see Managing usage.
Onboarding to Copilot for Security
Onboarding to Copilot for Security is a two-step process:
Step 1: Provision capacity
You can choose from the following options to provision capacity:
- Option 1 (Recommended): Provision capacity within Copilot for Security
- Option 2: Provision capacity through Azure
Note
Regardless of the method you choose, you will need to purchase a minimum of 1 and a maximum of 100 SCUs. The recommended number of units to start the most basic exploration of Copilot for Security is 3 units.
Option 1 (Recommended): Provision capacity through Copilot for Security
When you first open Copilot for Security (https://securitycopilot.microsoft.com), you're guided through the steps in setting up capacity for your organization.
Required role
You need to be an Azure subscription owner or contributor to create capacity.
Sign in to Copilot for Security (https://securitycopilot.microsoft.com).
Select Get started.
Set up your security capacity:
Select the Azure subscription, associate capacity to a resource group, add a name to the capacity, select the prompt evaluation location, and specify the number of Security Compute Units (SCUs). Data is always stored in your home tenant geo.
Note
The number of SCUs is provisioned on an hourly basis, and the estimated monthly cost is displayed.
If your selected geo location is too busy, you can also evaluate the prompts anywhere in the world. This can be done by selecting the appropriate option in the capacity creation screen.
Confirm that you acknowledge and agree to the terms and conditions, then select Continue.
After you've created the capacity, it will take a few minutes to deploy the Azure resource on the backend.
Option 2: Provision capacity in Azure
The initial setup in this method starts in the Azure portal. Then, you need to complete the setup in the Copilot for Security portal.
Note
Billing begins as soon as capacity is created, regardless of whether the SCU is attached to an environment.
Required role
You need to be an Azure subscription owner or contributor to create capacity.
Sign in to the Azure portal.
Search for Copilot for Security in the list of services, then select Copilot for Security.
Select Resource groups.
Under Plan, select Microsoft Copilot for Security. Then select Create.
Select a subscription and resource group, add a name to the capacity, select the prompt evaluation location and select the number of Security Compute Units (SCUs). Data is always stored in your home tenant geo.
Note
The number of SCUs is provisioned on an hourly basis, and the estimated monthly cost is displayed.
If your selected geo location is too busy, you can also evaluate the prompts anywhere in the world. This can be done by selecting the appropriate option in the capacity creation screen.
Confirm that you acknowledge and have read the terms and conditions, then select Review + create.
Verify that all the information is correct, then select Create. A confirmation page is displayed.
Select Finish setup in the Copilot for Security portal.
Step 2: Set up default environment
Required role
You need to be at least a Security Administrator role to accomplish this task.
Important
Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
You need to be an Azure Owner or a contributor for the capacity resource to associate capacity to Copilot for Security.
Associate your capacity to the Copilot for Security environment if the capacity was created in the Azure portal.
You're informed where your Customer Data will be stored. Select Continue.
You're informed on accessing data from Microsoft 365 services. Select Continue.
Select among the data sharing options. Select Continue. For more information on data sharing, see Privacy and data security.
You'll be informed of the default roles that can access Copilot for Security. Select Continue.
A confirmation page is displayed. Select Finish.
Offboarding
To offboard from Copilot for Security, you'll need to delete the provisioned capacity.
Note
To export data, you will need to contact support. For more information, see Contact support.
Required role
You need to be at least a Security Administrator role to accomplish this task.
Delete capacity through Copilot for Security
You can delete capacity from the Owner settings page or the usage monitoring page.
Warning
Deleting capacity and their internal data is permanent action and cannot be undone.
Owner settings page
Sign in to Copilot for Security (https://securitycopilot.microsoft.com).
Select the home menu icon.
Navigate to the Owner settings or Usage monitoring section.
In the units section, select Change.
Select the overflow menu (...).
Select Delete the capacity.
Confirm that you want to delete capacity. This action deletes the active capacity for the tenant.
Recommended next steps
Assign roles to users
Now that you have Copilot for Security up and running, decide who should get Copilot access. By default, All users in your tenant have basic access to the platform, but only those in your organization with extra permission are able to effectively prompt security data. For more information, see, Assign roles.
Take the Copilot for Security tour
Copilot for Security comes with a tour to help you ease into using the application.
When you first log into Copilot for Security, the tour helps you discover some of the key features and functionality of the solution.
You're introduced to concepts such as the prompt bar and what to use it for, how to edit, rerun, or delete prompts. You'll also learn how to use some of the navigational elements available such as providing feedback.
Watch the following video to learn more about Copilot for Security:
Try out the Copilot for Security standalone and embedded experiences
Copilot for Security can be accessed through the standalone portal and is also available through intuitive embedded experiences. For example, some capabilities are available through Microsoft Defender XDR and Microsoft Purview with no prompting needed. For more information, see Copilot for Security experiences.
Learn about the integrations
Copilot for Security seamlessly integrates with other Microsoft security services and third-party services. A user with a security administrator role can easily manage the plugins that Copilot for Security uses as a data source to respond to prompts. For more information, see Manage plugins in Copilot for Security.
Check out the primary use cases
Copilot for Security is a robust solution that offers unparalleled functionality and capabilities which culminate in powerful mitigation against high-impact incidents such as ransomware attacks.
Some highlights include:
- Incident summarization
- Impact analysis
- Reverse engineering of scripts
- Guided response
Join the Microsoft Copilot for Security Customer Connection Program (CCP)
Stay up to date with Copilot for Security by joining the Microsoft Copilot for Security Customer Connection Program. CCP community members have access to:
- The latest technical product information and access to private previews
- Free weekly technical trainings and product skilling webinars
- A Teams Community to discuss with Copilot for Security product experts and engineers
Click here to opt-in to join the community.