Setup Microsoft Security Copilot in Your Tenant
This blog will guide you through setting up Microsoft Security Copilot. Before we dive in, let's review the key requirements you'll need to meet to get started.
- Azure Subscription: You must have an Azure subscription to purchase and manage Security Compute Units (SCUs), which are essential for the performance of Microsoft Security Copilot.
- Security Compute Units (SCUs): These are the required units of resources needed for dependable and consistent performance. SCUs are provisioned in hourly blocks and can be adjusted as needed.
- Capacity Management: You must manage the capacity by provisioning SCUs within the Azure or Security Copilot portals. This includes monitoring usage and making informed decisions about capacity provisioning.
Onboarding to Security Copilot involves two key steps:
- Provisioning capacity
- Setting up the environment
Provision capacity
You need to be an Azure subscription owner or contributor to create capacity.
1. Sign in to Security Copilot (https://securitycopilot.microsoft.com).
2. Click on Get Started.
3. Set up the Microsoft Copilot for Security compute capacity: choose the appropriate Azure subscription, link the capacity to a specific resource group, assign a name to the capacity, select the location for prompt evaluation, and determine the number of Security Compute Units (SCUs) required. Note that data is consistently stored within your home tenant's geographical region.
4. Choose the number of compute units; the minimum is 1. We chose 1 for this demo.
5. Confirm that you acknowledge and agree to the terms and conditions, then select Continue.
Once the capacity is created, the Azure resource will be deployed on the backend in a few minutes.
Assign the capacity name and click on Apply.
Setting up Environment
You're informed where your Customer Data will be stored. Select Continue.
Select the roles that can access Security Copilot. Select Continue.
Below is the first look at the Microsoft Security Copilot standalone experience. The most crucial element is the prompt, where we interact directly with Security Copilot. This interface allows users to input queries and commands and to receive real-time insights and responses from the system. The prompt serves as the primary communication channel, enabling users to leverage the full capabilities of Security Copilot for enhanced security management and decision-making. Through this interactive prompt, users can efficiently manage security tasks, analyze threats, and implement security measures, all within a streamlined and user-friendly environment.
Prompt
Crafting your first prompt, such as "Show me all the servers that are onboarded to MDE," initiates a powerful interaction with Microsoft Security Copilot.
The Security Copilot couldn't locate the source of the information. To execute this prompt, we need to enable the data source, referred to as a plugin. Click on the highlighted button below and enable all the necessary plugins.
Here is the list of plugins:
With the plugins now enabled as shown above, let's proceed by entering the second prompt, "Device Summary," and observe how Security Copilot responds. We can see that Security Copilot has provided detailed information, indicating that it is functioning correctly.
Create Compute Capacity from Azure portal
You can also create the compute capacity for Security Copilot directly from the Azure portal. Simply log in to portal.azure.com (https://portal.azure.com), search for "Microsoft Security Copilot compute capacities," and follow the provided steps.
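The capacity the portal creates is an ordinary Azure resource, so the same choices made in the wizard (resource group, name, prompt evaluation location, number of SCUs) can be declared in a template and kept under change control. The Bicep file below is an added example, not part of the original post; the resource type, API version and property names are assumptions to check against the current Azure template reference, and the parameter names are illustrative.

```bicep
// Added example: Security Copilot compute capacity as code.
// Resource type, API version and property names are assumptions to verify
// against the current Azure template reference before deploying.

@description('Name of the capacity, as assigned in the portal wizard.')
param capacityName string

@description('Azure region of the capacity resource. Must be a region where the service is offered.')
param location string = resourceGroup().location

@description('Geography in which prompts are evaluated.')
@allowed([
  'US'
  'EU'
  'UK'
  'ANZ'
])
param geo string = 'US'

@description('Whether prompts may be evaluated outside the selected geography when it is busy.')
@allowed([
  'NotAllowed'
  'Allowed'
])
param crossGeoCompute string = 'NotAllowed'

@description('Number of Security Compute Units (SCUs). The minimum is 1.')
@minValue(1)
param numberOfUnits int = 1

resource capacity 'Microsoft.SecurityCopilot/capacities@2023-12-01-preview' = {
  name: capacityName
  location: location
  properties: {
    numberOfUnits: numberOfUnits
    geo: geo
    crossGeoCompute: crossGeoCompute
  }
}

// Resource ID, useful for scoping budgets, alerts and role assignments.
output capacityId string = capacity.id
```

Deploy it with `az deployment group create --resource-group <resource-group> --template-file capacity.bicep --parameters capacityName=<name>`. Redeploying with a different `numberOfUnits` value scales the capacity, and the deployment history records who changed it and when.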
Security Copilot Embedded Experience
Security Copilot offers an extended experience, meaning you can utilize it across various portals such as Defender for Endpoint, Intune, and Purview. This integration allows for a seamless and unified approach to security management across different platforms. For instance, within the Defender for Endpoint portal, you can access Security Copilot's embedded experience, enabling you to leverage its capabilities directly within the endpoint security environment. This integration enhances your ability to monitor, manage, and respond to security incidents efficiently, providing a comprehensive view of your security posture across multiple services.
The Security Copilot icon has now appeared in the Defender for Endpoint portal, allowing you to use it as an embedded experience.
The Security Copilot icon has now appeared in the Intune portal, allowing you to use it as an embedded experience.
Third Prompt
Manage the Copilot compute capacity via the Azure portal.
You can delete the compute unit from the Azure portal. Once deleted, you will no longer be able to use Security Copilot in either the standalone or embedded experience.
You can scale the compute capacity of Security Copilot through the Azure portal as follows.
To monitor the cost of Security Copilot, use Azure Cost Management and Billing tools to track and analyze your spending. Set budgets and alerts to stay informed about your usage. Regularly review usage reports and optimize resource allocation to avoid unnecessary costs. Conduct periodic audits to ensure there are no unexpected charges. By following these steps, you can effectively manage and control your Security Copilot expenses.
I hope this information was useful. Feel free to reach out to me on Twitter @sakaldeep for any further questions.