Microsoft Copilot for Security: configuration and usage

Microsoft Copilot for Security

Questo articolo è disponibile anche in lingua italiana, al seguente link – Microsoft Copilot for Security: get started ed utilizzo –

In today’s digital era, cybersecurity has become an indisputable priority for companies of all sizes. With the increasing complexity of cyber threats, maintaining secure IT environments is an ongoing challenge. This is where Microsoft Copilot for Security steps in, offering an innovative solution to navigate the intricate world of cybersecurity.

Microsoft Copilot for Security

Microsoft Copilot for Security is an AI-based assistance platform designed to enhance and automate security operations. This AI solution integrates and analyzes data from various security sources, providing analysts with valuable and actionable information in real-time. The goal is straightforward: to make security management more intuitive, efficient, and proactive.

What Does It Serve?

At the heart of Microsoft Copilot for Security is its AI engine, capable of performing several crucial functions:

  • Threat Detection: Using advanced algorithms, Copilot for Security can identify suspicious activities or anomalies in systems, often before they become serious issues.
  • Incident Response: It provides AI-based recommendations for incident responses, helping security teams to react quickly and effectively to attacks.
  • Process Automation: Automates repetitive tasks, allowing analysts to focus on more sophisticated threats and comprehensive security strategies.
  • Training and Simulations: Offers attack simulations based on real scenarios, enhancing the skills of security teams through practical learning.


Microsoft Copilot for Security integrates with all Microsoft security products, with a roadmap already announced for interfacing with third-party products (some of them are already in Preview).


Configuring Copilot for Security can be done in two ways: from the Azure portal or the Copilot console. This involves setting up Security Compute Units (SCUs), which manage the entire Copilot stack, necessary for running queries, saving LLMs, and interfacing with the mentioned products.

The SCUs can scale up or down, depending on usage or the security team’s structure—a higher number of SCUs guarantees better performance but increases the cost.

After the initial phase, you can define security policies and plugins; the latter can also be managed later. It’s important to always keep in mind regarding plugins:

  • Each plugin implements skills, and based on demand, Copilot will evaluate which to use
  • If the plugin is not activated, it’s not possible to enter prompts on that scope or expect “broad” responses that require interfacing across multiple areas


How does Copilot for Security work? Again, there are two possibilities: from the standalone console or from the service portal like Microsoft Entra, Defender XDR, or Intune.

Which is the best place to work from? From a logical standpoint, the standalone console seems the best; however, various product teams are already announcing targeted development of Copilot within their specific application portals.

Prompts and Interaction

What interactions can we currently perform? Here are some examples:

Microsoft Defender XDR

  • Summarize incidents
  • Analyze scripts and codes
  • Generate KQL queries for hunting
  • Use guided response
  • Create incident reports
  • Summarize device information
  • Analyze files
  • Using for threat intelligence

Microsoft Entra

  • Investigate risky users

Microsoft Intune

  • Policy and setting management
  • Use Microsoft Copilot in Intune to troubleshoot devices

Microsoft Purview

  • Investigate a Microsoft Purview Data Loss Prevention alert
  • Summarize Communication Compliance messages using Microsoft Copilot for Security
  • Investigate insider risk management activities
  • Summarize an eDiscovery message using Microsoft Copilot for Security


How much does Microsoft Copilot for Security cost? From the communication perspective, Microsoft hasn’t been clear, announcing a price of $4/hour/SCU, omitting the fact that Security Compute Units are always on, thus the monthly price can go up to $2880, unless the SCU is removed from the Azure subscription.

However, it’s not clear what this operation entails today. While on one hand, it eliminates a cost, on the other, it’s possible that all history, LLMs, and queries might be lost; certainly, for an SME, it’s an excellent product usable in “pay as you go” mode, but for medium-large companies, it’s not ideal (having to reconfigure everything from scratch each time).


Microsoft Copilot for Security represents a significant step forward in the field of cybersecurity. With its ability to integrate artificial intelligence into the day-to-day security operations, it promises not only to simplify the work of analysts but also to elevate the level of protection for IT infrastructures. In a world where cyber threats are increasingly sophisticated and pervasive, having a reliable “copilot” can make a difference in the race against attackers. With Microsoft Copilot for Security, companies now have a powerful tool to stay one step ahead in their cybersecurity strategies.