Getting Started with Microsoft Copilot for Security

In our last blog post on Microsoft Copilot for Security, we provided an overview of the functions of the AI assistant. This time, it’s less about the benefits of using it and more about how to get it up and running. So, if you’ve got a taste for it, buckle up, because today we’re getting started with Copilot for Security.

Getting Started is Easy

The basic requirements for setting up the AI assistant are minimal. All you need is an Azure subscription, which most interested parties already have due to their use of other Microsoft technologies or services. Users then need to set up so-called capacities and finally activate Microsoft Copilot for Security via provisioning. This may sound a little complicated at first. However, the whole process takes just a few minutes, thanks in part to the intuitive web interface.

  1. Access the Azure Portal
    • In the Azure Portal, go to the search bar and enter the term “Copilot”. The search engine should suggest the entry “Microsoft Copilot for Security Compute Capacities”. Click on it and then on “Create” to open the installation wizard.
  2. Configuration Steps
    • Select your Azure subscription from the corresponding drop-down menu. Choose the resource group and the prompt evaluation location. For users from the DACH region, the location will typically be Europe, but there are also alternatives (US, UK, and Australia).
    • Select the desired SCUs (Secure Component Units), which represent the computing capacity budget for AI queries. Microsoft recommends starting with 3 SCUs, though initial tests can be done with at least 1 SCU.
  3. Finalizing Setup
    • Click on “Review + Create”. The capacity will be created and ready for use.

Which Plug-Ins Do I Need?

The fine-tuning of the capacity takes place on the Copilot for Security website. When considering necessary plug-ins, companies ideally should use the entire E5 suite from Microsoft, which includes:

  • Security Compliance Toolkit
  • Data governance tool Purview
  • Microsoft Sentinel as a SIEM (Security Incident and Event Management) platform

It’s also possible to start smaller with Microsoft Defender for Endpoints or Microsoft Defender for Office. However, using the entire E5 suite doesn’t mean all components should run as plug-ins in Copilot for Security, as this can be resource-intensive and costly. The general recommendation is to use:

  • Microsoft Defender XDR
  • Microsoft Entra
  • Microsoft Intune
  • Microsoft Sentinel

Third-party plug-ins are available, and the list is growing. If a special plug-in for the firewall isn’t available, companies can passively provide this information to Copilot for Security via Sentinel.

A New Kind of Search Engine

The success of using Microsoft Copilot for Security depends largely on the prompts. Unlike traditional search engines, AI assistants require more elaborate search queries. Here are some tips for effective querying:

  • Determine the goal of the query and formulate it accordingly.
  • Provide the AI assistant with the necessary context to avoid unnecessary plug-in usage.
  • Clarify your expectations and specify the type of result you want.
  • Specify the sources the tool should search to avoid wasting SCUs.

As an alternative to manually creating prompts, you can use prompt books. These are curated and customizable series of commands that build on each other and are already available in Microsoft Copilot for Security for certain workflows. For example, they map a typical series of prompts that a security analyst would query during an incident. Also, with Copilot for Security activated, the Defender portal summarizes all relevant information in the detailed view of an incident. Another advantage is that the AI assistant automatically pre-formulates a sample email to the officer responsible.

Pricing Considerations

Whether Microsoft Copilot for Security is feasible depends on the company’s budget. The recommended number of SCUs for medium-sized companies is 3, which currently costs just under 100,000 euros per year. It’s possible to scale dynamically based on need, but companies cannot use less than 1 SCU without settings being deleted. However, once a Secure Computing Unit is used up, it recharges every hour, allowing continuous prompt issuance even with minimum capacity.

In the future, Microsoft plans to provide companies with analyses of plug-in usage by the AI assistant to track and fine-tune capacity burn rates. While Copilot for Security is not a must for companies using tools like Ontinue ION, its use makes the work of Ontinue’s Cyber Advisors and Cyber Defenders easier, making it a valuable asset in the fight against cyber criminals.

Article By

Roman Innerbichler
Senior Sales Engineer

A highly skilled Senior Sales Engineer with extensive experience in cybersecurity and technical sales. Currently driving the growth of MDR services at Ontinue, with a proven track record in technical expertise and customer engagement.