Microsoft Security Copilot

Microsoft's AI assistant for security analysts — what it does, where it's embedded, and how it's licensed.

Microsoft Security Copilot is the AI assistant for security analysts, embedded across the Defender XDR portal, Microsoft Sentinel, Microsoft Intune, Microsoft Entra, Microsoft Purview, and Microsoft Defender for Cloud. It uses generative AI to accelerate the common SOC tasks: triaging incidents, understanding alerts, writing KQL queries, drafting incident reports.

What Security Copilot does

In Defender XDR / Sentinel:

  • Summarise an incident in plain English with affected users, timeline, suspected attacker behaviour.
  • Explain an alert — what triggered it, what it likely means, recommended response.
  • Generate KQL queries from a natural-language description.
  • Suggest hunting queries based on the current incident context.
  • Reverse-engineer a script — paste in suspicious PowerShell, get a plain-English explanation.
  • Draft incident reports suitable for handoff to management or other teams.

In Entra:

  • Summarise sign-in risk events.
  • Explain Conditional Access policy outcomes.

In Purview:

  • Summarise data security investigations.
  • Explain DLP detections.

In Intune:

  • Explain device compliance failures.
  • Suggest configuration changes.

How it works

Security Copilot is a thin orchestrator on top of:

  • Generative AI (Microsoft and OpenAI models hosted in Azure).
  • Plugins that fetch data from Microsoft and third-party security products. The plugin model is extensible — Microsoft ships built-in plugins, and partners build custom ones for their security tools.
  • A data-handling boundary: customer prompts and responses are processed under Microsoft's commercial AI commitments — no training on customer data, no cross-tenant data.

A typical query — "what's going on with incident 12345?" — fans out to relevant plugins, gathers data, and synthesises a response with citations to the underlying sources.
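The fan-out, gather and synthesise-with-citations pattern is easier to reason about in code. The following is an added illustration, not Microsoft's implementation and not the Security Copilot plugin API: the two plugins (`defender_plugin`, `entra_plugin`), the intent router, the incident and sign-in records, and the identifiers they carry are all constructed for this example. It also shows the failure mode from the "Realistic expectations" list further down: when a connected source has nothing for the question, the answer records that gap instead of filling it in.

```python
"""Toy model of the orchestration pattern: route a prompt to the plugins it
needs, gather their evidence, and build an answer in which every statement
cites the record it came from. All plugin names and data are constructed."""
import re
from dataclasses import dataclass

@dataclass
class Evidence:
    source: str      # plugin that produced the fact (constructed name)
    record_id: str   # identifier of the underlying record, for citation
    fact: str        # one plain-English statement derived from that record

# Constructed sample data standing in for what real plugins would fetch.
INCIDENT_STORE = {
    "12345": {"title": "Suspicious PowerShell on WS-042", "severity": "High",
              "users": ["alice@contoso.example"],
              "first_seen": "2024-05-01T08:12Z"},
}
SIGNIN_STORE = {
    "alice@contoso.example": [
        {"id": "si-771", "result": "50126", "ip": "203.0.113.9", "time": "2024-05-01T07:58Z"},
        {"id": "si-772", "result": "0", "ip": "203.0.113.9", "time": "2024-05-01T08:01Z"},
    ],
}

def defender_plugin(ctx):
    """Hypothetical XDR plugin: resolves the incident and shares its users."""
    inc = INCIDENT_STORE.get(ctx["incident_id"])
    if inc is None:
        return []                      # nothing known: report no evidence, invent none
    ctx["users"] = inc["users"]        # context flows to plugins that run later
    return [Evidence("defender_xdr", f"incident/{ctx['incident_id']}",
                     f"{inc['severity']} incident '{inc['title']}' first seen {inc['first_seen']}")]

def entra_plugin(ctx):
    """Hypothetical identity plugin: sign-in events for the users in context."""
    out = []
    for user in ctx.get("users", []):
        for s in SIGNIN_STORE.get(user, []):
            status = "succeeded" if s["result"] == "0" else f"failed (result {s['result']})"
            out.append(Evidence("entra_signin", s["id"],
                                f"{user} sign-in {status} from {s['ip']} at {s['time']}"))
    return out

# Which plugins an intent fans out to; order matters because of shared context.
PLUGINS = {"incident": [defender_plugin, entra_plugin]}

def route(prompt):
    """Map a natural-language prompt to an intent plus the parameters found in it."""
    m = re.search(r"incident\s+(\d+)", prompt, re.IGNORECASE)
    if not m:
        return None, {}
    return "incident", {"incident_id": m.group(1)}

def answer(prompt):
    """Fan out, gather, and synthesise. Every line of the summary carries a
    citation number; 'gaps' lists plugins that had no data for the question."""
    intent, ctx = route(prompt)
    if intent is None:
        return {"summary": "No supported intent found in prompt.", "citations": [], "gaps": []}
    evidence, gaps = [], []
    for plugin in PLUGINS[intent]:
        found = plugin(ctx)
        if found:
            evidence.extend(found)
        else:
            gaps.append(plugin.__name__)
    lines = [f"[{i}] {e.fact}" for i, e in enumerate(evidence, start=1)]
    citations = [{"n": i, "source": e.source, "record": e.record_id}
                 for i, e in enumerate(evidence, start=1)]
    summary = "\n".join(lines) if lines else "No data returned by the connected sources."
    return {"summary": summary, "citations": citations, "gaps": gaps}

if __name__ == "__main__":
    result = answer("what's going on with incident 12345?")
    print(result["summary"])
    for c in result["citations"]:
        print(f"[{c['n']}] {c['source']}:{c['record']}")
    print("gaps:", result["gaps"])
```

The design choice worth copying is that the synthesis step never emits a statement without a citation, and an empty plugin result becomes an explicit gap rather than a guess. That is what makes the output checkable by the analyst who has to validate it.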

Licensing

Security Copilot is licensed by Security Compute Units (SCUs) — a capacity-based unit billed per hour. A small SOC team might run 4–8 SCUs continuously; larger deployments scale up. SCUs can be provisioned and decommissioned through the Security Copilot portal.

This is distinct from Microsoft 365 Copilot (per-user productivity AI) — different licensing model, different scope.

Where it fits in the SOC

Security Copilot is most valuable for:

  • Tier-1 triage — speeding up first responses to incidents.
  • Junior analyst enablement — analysts who don't yet know KQL well can ask in English.
  • Incident reporting — turning analyst notes into structured reports.
  • Cross-tool investigations — getting a coherent view across Defender, Sentinel, Entra, Purview.

It's not a replacement for skilled analysts — the AI produces drafts that humans validate. Treat it as a copilot, not an autopilot.

Realistic expectations

  • High-quality answers for common scenarios with well-formed prompts.
  • Imperfect responses when the underlying data is sparse or ambiguous.
  • No magic — it can't see signals the connected sources don't expose.

For SOCs already running Defender XDR and Sentinel, Security Copilot is one of the highest-leverage AI investments available — provided you have analysts who'll use it well.