| name | security-copilot |
| description | Guidance for Microsoft Security Copilot - the generative-AI security platform that helps analysts investigate, hunt, summarise, and respond using natural language, plugins, promptbooks, and embedded experiences. Covers SCU provisioning, plugins, promptbooks, governance, and the standalone vs embedded experience choice. WHEN: Microsoft Security Copilot, AI for SOC, security copilot units SCU, promptbooks, Copilot plugins, natural language investigation, summarise incident with AI, Copilot for Security setup, how do I use AI in my SOC, explain a KQL query with AI, summarise an alert for a stakeholder. DO NOT USE when the goal is configuring autonomous triage or remediation agents (use security-copilot-agents). |
| license | MIT |
| metadata | {"author":"Microsoft","version":"0.1.0"} |
Microsoft Security Copilot
Microsoft Security Copilot is a generative-AI security platform that helps security and IT
teams investigate incidents, hunt threats, summarise findings, and respond at machine speed
using natural language, grounded in your security data and Microsoft threat intelligence.
When to use
Accelerating SOC investigation, reporting, and analyst productivity across Microsoft and
third-party security data using natural-language workflows.
Do not use this skill for:
- Configuring autonomous triage/remediation agents (use
security-copilot-agents)
- Building a SIEM analytics rule (use
sentinel)
- Configuring Defender XDR investigations or actions (use
defender-xdr)
Pick the right experience for the task
| Task | Use this experience | Why |
|---|
| Multi-step investigation across products | Standalone portal | Cross-plugin reasoning, promptbooks |
| Summarise this specific incident | Embedded in Defender XDR | Context already loaded |
| Explain or translate a KQL query | Embedded in Sentinel | Inline in the query editor |
| Explain a Conditional Access policy | Embedded in Entra | Policy already in scope |
| Repeatable investigation pattern | Promptbook | Saved, shareable, parameterised |
| Daily ad-hoc analyst question | Standalone or embedded | Either; pick by where you start |
Rule of thumb: start embedded for single-product questions, switch to standalone
the moment you need to correlate across two or more products. Promptbook anything you do
more than twice.
Approach
- Provision capacity - Set up Security Compute Units (SCUs) in Azure (provisioned
capacity model), assign the Azure subscription and resource group, choose the geographic
region, and configure overage settings. SCUs are the meter; underprovisioning throttles,
overprovisioning wastes spend.
Verify: Security Copilot → Owner settings → Capacity shows SCUs reserved and the region
matches your data residency requirement.
- Assign roles - Configure Security Copilot owner and contributor roles in Entra,
align to least privilege, set the default environment, and decide on the data sharing toggle
(model improvement opt-in/out).
Verify: a non-owner test account can use Copilot but cannot change capacity settings.
- Enable plugins - Turn on the Microsoft plugins you need (Defender XDR, Sentinel, Intune,
Entra, Threat Intelligence, Purview, Defender for Cloud) and add non-Microsoft or custom
plugins where you have third-party data. Copilot respects the underlying product RBAC of
the calling user - it never elevates privilege.
Verify: a query that requires Sentinel data from a user without Sentinel access returns a
permission error, not an answer.
- Choose the experience per workflow - Use the standalone portal for multi-step
cross-product investigations, and the embedded experiences inside Defender XDR,
Sentinel, Intune, Entra, and Purview for single-product context.
Verify: analysts know which surface to start in for their top 5 daily tasks.
- Build promptbooks - Identify your top 5 repeatable workflows (incident summary for exec,
reverse-engineer a script, KQL explanation, phishing email triage, CA policy explanation)
and turn each into a promptbook with parameters.
Verify: each promptbook runs end-to-end on a sample input without manual editing.
- Govern usage and consumption - Monitor SCU consumption per workload, audit Copilot
activity, and set alerts on SCU utilisation > 80% to control cost. Review prompt logs for
sensitive data exposure.
Verify: a usage dashboard exists; alerting fires when SCUs trend high.
- Measure value - Track time-to-first-answer, analyst satisfaction, and SCU per resolved
incident before and after rollout. If the metric does not move, the promptbooks or plugins
are wrong, not the platform.
Guardrails
- Treat AI output as assistive - analysts must validate findings before acting. Copilot is
not the source of truth; the underlying product is.
- Apply least-privilege plugin access; Copilot inherits the user's product RBAC, so over-
permissioning a user over-permissions Copilot for that user.
- Monitor SCU consumption to control cost; tune capacity to demand and set utilisation
alerts. Surprises in capacity bills are a configuration problem, not a platform problem.
- Data residency is set at capacity creation - changing region later means rebuild. Decide
up front based on regulatory scope.
- Sensitive prompts are still data. Treat the prompt history as audit-relevant; do not
paste credentials, customer PII, or unsanitised raw data into prompts.
- Promptbooks are code. Version-control them, review changes, and remove unused ones.
Common anti-patterns
- "Buy SCUs, give everyone access, see what happens." Burns budget, produces no measurable
value, and trains analysts to distrust AI output.
- Skipping promptbooks. Without them, every investigation is a snowflake and the platform
feels like a chatbot, not a workflow.
- Treating Copilot as a fact source. It synthesises from the products' data - if the data
is wrong, the answer is wrong. Always pivot to the source product for action.
- Pasting raw incident data into the standalone prompt when the embedded experience
already has it. Wastes SCUs and adds risk.
- No SCU utilisation alerts. First sign of a problem is the invoice.
Example prompts
Set up Microsoft Security Copilot and provision SCUs.
Use promptbooks to summarise an incident for a stakeholder.
How do I use AI to speed up incident investigation in my SOC?
Explain a KQL query with Security Copilot.
Pick between standalone and embedded experiences for my analysts.
Microsoft Learn