Preparing for Microsoft Copilot for Security

Microsoft Copilot for Security is a revolutionary tool that helps increase the efficiency and capabilities of defenders and your security measures. It is a generative AI-powered solution that uses advanced algorithms and machine learning to provide insights, recommendations, and proactive measures to improve your security posture. However, it is important to note, while Microsoft Copilot for Security aids in enhancing security, it does not replace the need for a comprehensive security strategy, which should include robust policies, user education, and regular audits.

How does Copilot for Security work?

Microsoft Copilot for Security can be accessed through a standalone experience and through experiences available in other Microsoft security products. The language model and proprietary Microsoft technologies work together in a system that improves the efficiency and capabilities of defenders.

Microsoft Defender XDR, Microsoft Sentinel, Microsoft Intune integrates with Copilot for Security via plugins. These plugins from Microsoft and third-party security products extend and integrate services with Copilot for Security. Plugins adds context from event logs, alerts, incidents, and policies from both Microsoft security products and supported third-party solutions.

The plugins also provide access to threat intelligence and authoritative content. The plugins can search across Microsoft Defender Threat Intelligence articles and intel profiles, Microsoft Defender XDR threat analytics reports, and known (public) vulnerabilities.

Deploying Copilot for Security

Deployment of Copilot for Security is done via the Marketplace and requires access to an Azure Subscription to deploy the required Microsoft Copilot for Security compute capacity. Once deployed customers can access Copilot for Security using

Connecting Data Sources

The effectiveness of Microsoft Copilot for Security relies on connecting the right data sources. Here’s how you can optimize this process:

  1. Identify Relevant Data Sources: Identify the data sources most relevant to your security needs, such as server logs, network traffic data, user activity logs, and threat intelligence feeds.
  2. Ensure Data Accessibility: Ensure the tool can access the necessary data. This may involve configuring firewalls, adjusting permission settings, or setting up APIs.
  3. Maintain Data Quality: The tool’s effectiveness directly depends on the quality of your data. Ensure your data is accurate, up-to-date, and error-free.
  4. Secure Your Data: Maintain strict security protocols to protect sensitive information while connecting your data sources. Implement encryption, use secure transfer methods, and regularly audit your security measures.
  5. Regular Updates: Keep your data sources updated to ensure the tool has the latest information, leading to more accurate insights and recommendations.

Remember, the effectiveness of Microsoft Copilot for Security depends not just on the quantity, but also the relevance and quality of the data.


Prompting, or interacting with Microsoft Copilot for Security through questions or commands, is a key aspect. Follow these best practices for effective prompting:

  1. Specificity: Be specific with your prompts. For example, instead of asking “What’s the security status?”, ask “What’s the security status of Server 12 in the East US region?”.
  2. Relevant Keywords: Use keywords relevant to the information you’re seeking. For instance, if you’re interested in potential vulnerabilities, ask “Show me the top 5 vulnerabilities in our network.”
  3. Sufficient Context: Provide context to help the tool understand your request better. For example, instead of asking “Any alerts?”, ask “Are there any security alerts from the past 24 hours for the West EU region?”

The more specific and clear your prompts are, the more accurate and helpful the tool’s responses will be.

Understanding the Cost Model

Microsoft Copilot for Security operates on a cost model based on compute units. This model is designed to provide scalability and flexibility, ensuring you only pay for what you use.

Compute units are a measure of computational resources consumed by the tool. The number of compute units required for your deployment depends on various factors:

  1. Organization Size: Larger organizations typically have more data to analyze, which requires more compute units.
  2. Network Complexity: More complex networks generate more data and require more computational resources to analyze.
  3. Data Volume: The volume of data to be analyzed directly impacts the number of compute units needed. More data requires more computational power.

To help you estimate the costs associated with using Copilot for Security, Microsoft provides a Pricing Calculator. This tool takes into account your specific requirements and provides an estimated cost. It’s a valuable resource for budgeting and planning, helping you avoid unexpected costs and efficiently allocate resources.

Remember, understanding the cost model is crucial for effective budgeting and to ensure you’re getting the most out of Microsoft Copilot for Security. It’s recommended to review your usage regularly and adjust as necessary to optimize cost-effectiveness.


Microsoft Copilot for Security is a powerful tool that can significantly enhance your security posture. By understanding its cost model, connecting the right data sources, and following best practices for prompting, you can maximize its benefits. However, remember that while it provides valuable insights and recommendations, it should be part of a broader, comprehensive security strategy.