Get started with Microsoft Security Copilot

Security Copilot is a generative AI security product that empowers security and IT professionals respond to cyber threats, process signals, and assess risk exposure at the speed and scale of AI. For more information, see What is Security Copilot?. Understand what you need to get started such as the minimum requirements, purchasing security compute units, and setting up a default environment.

Get recommendations on next steps to take to get you on your way to maximizing the capabilities in Security Copilot.

For information on applying Zero Trust, see Apply principles of Zero Trust to Microsoft Security Copilot.

Note

Disclaimer: This documentation is only intended for customers using commercial clouds. Currently, Security Copilot is not designed for use by customers using US government clouds, including but not limited to GCC, GCC High, DoD, and Microsoft Azure Government. For more information, consult with your Microsoft representative.

Minimum requirements

Subscription

In order to purchase security compute units, you need to have an Azure subscription. For more information, see Create your free Azure account.

Security compute units

Security compute units are the required units of resources that are needed for dependable and consistent performance of Microsoft Security Copilot.

Security Copilot is sold in a provisioned capacity model and is billed by the hour. You can provision Security Compute Units (SCUs) and increase or decrease them at any time. Billing is calculated on hourly blocks rather than by 60-minute increments and has a minimum of one hour. Any usage within the same hour is billed as a full SCU, regardless of start or end times within that hour. For instance, if you provision an SCU at 9:05 a.m., then deprovision it at 9:35 am, and then provision another SCU at 9:45 am, you'll be charged for two units within the 9:00 a.m. to 10:00 a.m. hour. Similarly, if you provision an SCU at 9:45 a.m., you'll only have 15 minutes to use it before it's no longer available, as SCUs are provided in hourly blocks from 9:00 a.m. to 10:00 a.m. To maximize usage, make SCU provisioning changes at the beginning of the hour. For more information, see Manage usage.

For more information, see Microsoft Security Copilot pricing.

Capacity

Capacity in the context of Security Copilot, is an Azure resource that contains SCUs. SCUs are provisioned for Security Copilot. You can easily manage capacity by increasing or decreasing provisioned SCUs within the Azure portal or the Security Copilot portal. Security Copilot provides a usage monitoring dashboard for Copilot owners, allowing them to track usage over time and make informed decisions about capacity provisioning. For more information, see Managing usage.

Onboarding to Security Copilot

Onboarding to Security Copilot is a two-step process:

Step 1: Provision capacity

You can choose from the following options to provision capacity:

Note

Regardless of the method you choose, you will need to purchase a minimum of 1 and a maximum of 100 SCUs. The recommended number of units to start the most basic exploration of Security Copilot is 3 units.

When you first open Security Copilot (https://securitycopilot.microsoft.com), you're guided through the steps in setting up capacity for your organization.

Required role

You need to be an Azure subscription owner or contributor to create capacity.

  1. Sign in to Security Copilot (https://securitycopilot.microsoft.com).

  2. Select Get started.

    Screenshot of get started.

  3. Set up your security capacity:
    Select the Azure subscription, associate capacity to a resource group, add a name to the capacity, select the prompt evaluation location, and specify the number of Security Compute Units (SCUs). Data is always stored in your home tenant geo.

    Screenshot of set up your security capacity.

    Note

    The number of SCUs is provisioned on an hourly basis, and the estimated monthly cost is displayed.

    If your selected geo location is too busy, you can also evaluate the prompts anywhere in the world. This can be done by selecting the appropriate option in the capacity creation screen.

  4. Confirm that you acknowledge and agree to the terms and conditions, then select Continue.

After you've created the capacity, it will take a few minutes to deploy the Azure resource on the backend.

Screenshot of setting up your security capacity.

Option 2: Provision capacity in Azure

The initial setup in this method starts in the Azure portal. Then, you need to complete the setup in the Security Copilot portal.

Note

Billing begins as soon as capacity is created, regardless of whether the SCU is attached to an environment.

Required role

You need to be an Azure subscription owner or contributor to create capacity.

  1. Sign in to the Azure portal.

  2. Search for Security Copilot in the list of services, then select Security Copilot.

  3. Select Resource groups.

  4. Under Plan, select Microsoft Security Copilot. Then select Create.

  5. Select a subscription and resource group, add a name to the capacity, select the prompt evaluation location and select the number of Security Compute Units (SCUs). Data is always stored in your home tenant geo.

    Note

    The number of SCUs is provisioned on an hourly basis, and the estimated monthly cost is displayed.

    If your selected geo location is too busy, you can also evaluate the prompts anywhere in the world. This can be done by selecting the appropriate option in the capacity creation screen.

  6. Confirm that you acknowledge and have read the terms and conditions, then select Review + create.

  7. Verify that all the information is correct, then select Create. A confirmation page is displayed.

  8. Select Finish setup in the Security Copilot portal.

Step 2: Set up default environment

Required role

You need to be at least a Security Administrator role to accomplish this task.

Important

Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

You need to be an Azure Owner or a contributor for the capacity resource to associate capacity to Security Copilot.

  1. Associate your capacity to the Security Copilot environment if the capacity was created in the Azure portal.

  2. You're informed where your Customer Data will be stored. Select Continue.

    Screenshot of where your customer data is stored.

  3. You're informed on accessing data from Microsoft 365 services. Select Continue.

  4. Select if you want Security Copilot to capture and store admin actions, user actions, and system responses. Select Continue. For more information, see Accessing data from Microsoft 365 services.

    Note

    Microsoft Purview will store your Customer Data in the region where your Microsoft 365 data is stored. For more information, see Privacy and data security.

  5. Select among the data sharing options. Select Continue. For more information on data sharing, see Privacy and data security.

  6. Select the roles that can access Security Copilot. Select Continue.

    Screenshot of Copilot access.

  7. A confirmation page is displayed. Select Finish.

    Image of Copilot all set

Offboarding

To offboard from Security Copilot, you'll need to delete the provisioned capacity.

Note

To export data, you will need to contact support. For more information, see Contact support.

Required role

You need to be at least a Security Administrator role to accomplish this task.

Delete capacity through Security Copilot

You can delete capacity from the Owner settings page or the usage monitoring page.

Warning

Deleting capacity and their internal data is a permanent action and cannot be undone.

Owner settings page

  1. Sign in to Security Copilot (https://securitycopilot.microsoft.com).

  2. Select the home menu icon.

  3. Navigate to the Owner settings or Usage monitoring section.

  4. In the units section, select Change.

  5. Select the overflow menu (...).

  6. Select Delete the capacity.

  7. Confirm that you want to delete capacity. This action deletes the active capacity for the tenant.

Assign roles to users

Now that you have Security Copilot up and running, decide who should get Copilot access. By default, All users in your tenant have basic access to the platform, but only those in your organization with extra permission are able to effectively prompt security data. For more information, see, Assign roles.

Take the Security Copilot tour

Security Copilot comes with a tour to help you ease into using the application.

When you first log into Security Copilot, the tour helps you discover some of the key features and functionality of the solution.

You're introduced to concepts such as the prompt bar and what to use it for, how to edit, rerun, or delete prompts. You'll also learn how to use some of the navigational elements available such as providing feedback.

Watch the following video to learn more about Security Copilot:

Try out the Security Copilot standalone and embedded experiences

Security Copilot can be accessed through the standalone portal and is also available through intuitive embedded experiences. For example, some capabilities are available through Microsoft Defender XDR and Microsoft Purview with no prompting needed. For more information, see Security Copilot experiences.

Learn about the integrations

Security Copilot seamlessly integrates with other Microsoft security services and third-party services. A user with a security administrator role can easily manage the plugins that Security Copilot uses as a data source to respond to prompts. For more information, see Manage plugins in Security Copilot.

Check out the primary use cases

Security Copilot is a robust solution that offers unparalleled functionality and capabilities which culminate in powerful mitigation against high-impact incidents such as ransomware attacks.

Some highlights include:

  • Incident summarization
  • Impact analysis
  • Reverse engineering of scripts
  • Guided response

Join the Microsoft Security Copilot Customer Connection Program (CCP)

Stay up to date with Security Copilot by joining the Microsoft Security Copilot Customer Connection Program. CCP community members have access to:

  • The latest technical product information and access to private previews
  • Free weekly technical trainings and product skilling webinars
  • A Teams Community to discuss with Security Copilot product experts and engineers

Click here to opt in to join the community.

See also