Microsoft Copilot for Security: Getting Started Guide


This was a no-brainer for me — I had to write a blog post about Microsoft Copilot for Security. You know I like AI and I like Intune, so what could be better than blogging about both in one post? I was already part of the closed preview, and I am a very big fan of this product and the potential behind it. In this blog post I will cover everything you have to know and how you can get started.


What is the Microsoft Copilot for Security?

The Microsoft Copilot for Security is a dedicated product, but it is also a kind of framework that Microsoft has integrated into its different security tools like Intune, Entra, Purview, Sentinel, Defender and more.

The definition from Microsoft is “Copilot for Security is an AI cybersecurity product that enables security professionals to respond to cyberthreats quickly, process signals at machine, and assess risk exposure in minutes“. But what does this mean?

The Copilot for Security utilizes the most hyped technology, and in my point of view the technology with the most potential to make big changes in the way we work: transformer models, more precisely large language models. You formulate a question or prompt, and you get an answer with exactly what you want (not always). But when you apply this power to the powerful security tool suite from Microsoft, you unlock totally new potential.

The Copilot for Security can also be extended with third-party plugins and promptbooks. A promptbook is a series of prompts for common tasks. The Copilot for Security also gives you the possibility to integrate your own knowledge bases and documents, which can then be used to answer questions.

What will be changed with this product?

The Copilot for Security will change the way you interact with one or all products. You have a dedicated chat experience, but also an experience directly where you need it. This chat can answer your questions grounded in data from one or all tools. It helps to save time on typical SOC tasks. As mentioned in many of my blogs, the new skill you need is prompt engineering. The way an admin interacts with the products will change. You no longer have to find the right portal and navigate to the twentieth submenu. You only have to formulate your question or your action as precisely as possible to get a good answer.

I hate dashboards because no one is able to monitor all of them, and there is no perfect dashboard that fits the specific question or task you have. This will also change: move away from reactive dashboards and get the data and reports you need on the fly. I think not all of these aspects are covered today, and there is still a long way to go to bring this big change to all admins and organizations, but this is the starting point of this big transformation.

What are the prerequisites?

Normally you would find a big list here. For the Copilot for Security it is a very small list: you need an Azure subscription and a consumption unit. That’s it.

How is the pricing?

The Security Compute Unit (SCU) is the unit in which the Copilot for Security is billed. One SCU costs $4 per hour, which is approximately $2,920 per month. In my opinion this is a high price, because you can’t get very far with one SCU.

Changing the number of SCUs of an existing capacity is not possible; it means deleting and redeploying the capacity.

How can I deploy the Copilot for Security?

Let me show you two ways. One is via the portal, and one is via code.

Via the portal:

  • Open the Azure Portal (portal.azure.com), search for Copilot for Security and click + Create.
  • Select the resource group and enter a name, the prompt evaluation location and the number of compute units per hour. Click Review + create.

To deploy the Copilot for Security via code you need two things: an ARM (Azure Resource Manager) template and a PowerShell script.

{
    "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "capacityName": {
            "type": "String"
        },
        "location": {
            "type": "String"
        },
        "numberOfUnits": {
            "type": "Int"
        },
        "crossGeoCompute": {
            "type": "String"
        },
        "geo": {
            "type": "String"
        }
    },
    "resources": [
        {
            "type": "Microsoft.SecurityCopilot/capacities",
            "apiVersion": "2023-12-01-preview",
            "name": "[parameters('capacityName')]",
            "location": "[parameters('location')]",
            "properties": {
                "numberOfUnits": "[parameters('numberOfUnits')]",
                "crossGeoCompute": "[parameters('crossGeoCompute')]",
                "geo": "[parameters('geo')]"
            }
        }
    ]
}

# Variables for common values (replace the placeholders with your own values)
$tenantId        = "<tenantId>"
$template        = "<path to the ARM template file>"
$subscriptionId  = "<subscriptionId>"
$location        = "westeurope"
$resourceGroup   = "rg-securitycopilot"
$resourceName    = "scu-capacity"
$crossGeoCompute = "Allowed"
$numberOfUnits   = 1
$resourceRegion  = "eu"
$resourceType    = "microsoft.securitycopilot/capacities"
$deploymentName  = "Deploy" + $resourceName

# Create connection
Connect-AzAccount -Tenant $tenantId -Subscription $subscriptionId

# Create the resource group if it does not exist yet
# (-ErrorAction SilentlyContinue keeps Get-AzResourceGroup from writing an error when the group is missing)
Write-Host "Microsoft Copilot for Security will be deployed..."
if (!(Get-AzResourceGroup -Name $resourceGroup -Location $location -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $resourceGroup -Location $location -Force
}

# Create the capacity resource; the parameters after -TemplateFile map to the template parameters
New-AzResourceGroupDeployment `
    -Verbose `
    -Name $deploymentName `
    -ResourceGroupName $resourceGroup `
    -TemplateFile $template `
    -capacityName $resourceName `
    -location $location `
    -crossGeoCompute $crossGeoCompute `
    -geo $resourceRegion `
    -numberOfUnits $numberOfUnits
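As an added example that is not part of the original post and not Microsoft's own code, the following PowerShell wraps the same deployment with the checks I would want before an SCU starts to be billed: resource provider registration, template validation, a cost estimate based on the $4 per SCU-hour figure above, and a read-back of the deployed capacity to confirm the billed unit count matches the intended one. The template path and the placeholder subscription ID are assumptions; the property names (numberOfUnits, crossGeoCompute, geo) come from the ARM template above.

```powershell
# Added example (not from the original post): pre-flight checks and a
# post-deployment verification for the capacity created by the script above.
# Placeholder values and the template path are assumptions.

$subscriptionId  = "<subscriptionId>"
$resourceGroup   = "rg-securitycopilot"
$resourceName    = "scu-capacity"
$template        = ".\securitycopilot-capacity.json"   # assumed path to the ARM template
$hourlyScuPrice  = 4      # USD per SCU-hour, as stated in the pricing section
$hoursPerMonth   = 730    # 4 * 730 gives the ~$2,920 per month quoted above

$templateParams = @{
    capacityName    = $resourceName
    location        = "westeurope"
    numberOfUnits   = 1
    crossGeoCompute = "Allowed"
    geo             = "eu"
}

Set-AzContext -Subscription $subscriptionId | Out-Null

# 1) The resource type needs its resource provider registered in the
#    subscription; an unregistered provider fails the first deployment.
$providerState = (Get-AzResourceProvider -ProviderNamespace "Microsoft.SecurityCopilot" |
    Select-Object -First 1).RegistrationState
if ($providerState -ne "Registered") {
    Write-Host "Registering the Microsoft.SecurityCopilot resource provider..."
    Register-AzResourceProvider -ProviderNamespace "Microsoft.SecurityCopilot" | Out-Null
}

# 2) Validate template and parameters without creating anything. The cmdlet
#    returns error objects; an empty result means the deployment is valid.
$validationErrors = Test-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
    -TemplateFile $template -TemplateParameterObject $templateParams
if ($validationErrors) {
    $validationErrors | ForEach-Object { Write-Warning "$($_.Code): $($_.Message)" }
    throw "Template validation failed; nothing was deployed."
}

# 3) Show the estimated monthly cost before committing, because the SCU count
#    cannot be changed afterwards (only deleted and redeployed).
$estimatedMonthly = $templateParams.numberOfUnits * $hourlyScuPrice * $hoursPerMonth
Write-Host ("Deploying {0} SCU(s): about USD {1:N0} per month." -f `
    $templateParams.numberOfUnits, $estimatedMonthly)

New-AzResourceGroupDeployment -Name ("Deploy" + $resourceName) -ResourceGroupName $resourceGroup `
    -TemplateFile $template -TemplateParameterObject $templateParams | Out-Null

# 4) Read the capacity back and confirm that what is billed matches what was intended.
function Test-CopilotCapacity {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $ExpectedUnits
    )
    $capacity = Get-AzResource -ResourceGroupName $ResourceGroupName -Name $Name `
        -ResourceType "Microsoft.SecurityCopilot/capacities" -ExpandProperties `
        -ErrorAction SilentlyContinue
    if (-not $capacity) {
        Write-Warning "Capacity '$Name' was not found in resource group '$ResourceGroupName'."
        return $false
    }
    $props = $capacity.Properties
    Write-Host ("{0}: numberOfUnits={1}, crossGeoCompute={2}, geo={3}" -f `
        $capacity.Name, $props.numberOfUnits, $props.crossGeoCompute, $props.geo)
    return ([int]$props.numberOfUnits -eq $ExpectedUnits)
}

if (-not (Test-CopilotCapacity -ResourceGroupName $resourceGroup -Name $resourceName `
        -ExpectedUnits $templateParams.numberOfUnits)) {
    throw "Deployed capacity does not match the intended configuration."
}
```

The read-back at the end is the part worth keeping in any pipeline: because the unit count is what you pay for and cannot be edited in place, comparing the deployed numberOfUnits with the intended value catches a wrong parameter before the first invoice rather than after it.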

Setting up the Copilot for Security

Open the web page https://securitycopilot.microsoft.com/tour/admin and start the enrollment. Once this is done you can select a capacity and click Continue.

If you want to support Microsoft in improving the product, you can activate the diagnostic settings and click Continue.

Once this is done the setup is complete and you can click Finish.

How can I open the Copilot for Security?

You have two ways: one is to open the central portal and the other is to use the embedded experience in Intune.

To open the central experience, open https://securitycopilot.microsoft.com/sessions/new. Here you have an open prompt experience where you can ask anything the Copilot for Security can do.

You can check the prompt hints here to get an idea of what you can ask and with which questions Copilot can support you. Also, on the start page of the Copilot you get a lot of information and learning material about the Copilot.

With the button beside it you can turn the different plugins on and off and decide which ones should be used to answer your questions.

You can now enter a prompt like “Can you give me a summarization of the device NAME” and you will get a complete summary of this device. You can also continue chatting about this device.

But let’s move on to the embedded experience, e.g. in Intune. To use this, open intune.microsoft.com in your browser and make sure that the Copilot is activated. You can do this under Tenant administration.

The Intune experience is currently not an open prompt experience; it is more of a guided prompt scenario. What you have to do is, e.g., open a device, a policy or some other object to see the Copilot icon. In this example I opened a configuration profile and I see the button “Summarize with Copilot“, which gives me a summary of this object.

Let’s try this:


The important part is the one at the bottom. Here you have the possibility to give feedback to help improve the product, enter follow-up prompts and also see the promptbook with some proposals on what you can do next. In this case it is very similar to the follow-up actions.

What are useful example prompts?

This is a list of useful prompts you can ask the Copilot for Security:

  • Can you give me a summary of the device HOSTNAME
  • Tell me everything about UPN/Username/… in a markdown table.

How to write better prompts?

As already mentioned multiple times in my blogs, prompt engineering is the skill for the future. It is important that you deal with this topic and build up some experience here. A good start is the Microsoft Learn platform: https://learn.microsoft.com/en-us/training/modules/apply-prompt-engineering-azure-openai/.

But what does this mean? Prompt engineering is the skill of writing good and efficient inputs for an LLM (large language model) to get the expected, most accurate and highest-quality output. It is a process that includes writing, refining and optimizing the query. It describes the new way in which we will interact with systems and content in the future.

A bad prompt is:

  • What’s H493958343?

A better prompt is:

  • Generate me a short summary of the device H493958343 and include general information and the assigned configurations.

Where can I find further information?

There is a very good FAQ from Microsoft where you can find a ton of information: https://learn.microsoft.com/en-us/copilot/security/faq-security-copilot

If you want to better understand the architecture and LLM concepts behind these Copilot experiences, you can also check out my deep dive into Co-Pilots.

Also you should definitely check out the resources you find on the start page here:
https://securitycopilot.microsoft.com

If you are interested in how AI could also change device management, check out my post about AI-driven endpoint management with Intune.

If you are not already part of this LinkedIn group, I can also recommend joining: https://www.linkedin.com/groups/14345161/

If you want to build something similar for Intune, you can also check out my post about creating your own Intune Co Pilot using Azure OpenAI Studio.

If you want to go one step further with Intune and Copilot, check out my post about how to create your own Intune Co Pilot using CoPilot Studio.