This chapter covers Microsoft Security Copilot (marketed for a time as Microsoft Copilot for Security; exam material may use either name), an AI-powered security analysis tool that integrates with Microsoft's security portfolio to accelerate incident response, threat hunting, and reporting. For the SC-200 exam it is a high-priority topic, usually tested through scenario-based items that ask when to use Copilot versus traditional tools. Microsoft revises the SC-200 skills outline periodically, so check the current outline for the exact objective and weighting rather than relying on a fixed percentage. You must know how it is licensed (capacity measured in Security Compute Units), its embedded experiences, prompt types, its roles, and how it differs from standalone KQL hunting.
Imagine a SOC with 10 junior analysts and one senior analyst who has memorized every Microsoft security product, every attack pattern, and every KQL query. When a junior analyst gets an alert, they can ask the senior: 'What does this suspicious logon mean?' The senior instantly recalls similar past incidents, cross-references the user's behavior with known IOCs, and replies with a natural-language explanation and a recommended action. Now imagine the senior can also draft a KQL query to hunt for related events, summarize a 10,000-line incident timeline into a one-paragraph executive summary, and explain a suspicious script line by line, all within seconds. That is Microsoft Security Copilot. It is not a separate product in the sense of a new console you must learn; it is an AI assistant embedded into Microsoft's security tools (Defender XDR, Sentinel, Intune, Entra ID, Purview) and also available in a standalone portal. Under the hood it combines a large language model (GPT-4, served through Azure OpenAI Service) with a Microsoft security-specific model and Microsoft's threat intelligence. When you ask a question, Copilot retrieves relevant context from your environment through plugins, applies its security knowledge, and generates responses grounded in your data. It can recommend specific response actions, but it does not carry them out on its own: Copilot suggests, summarizes, and assists, and a human always makes the final decision and performs the action through the product's own controls.
What Is Microsoft Copilot for Security?
Microsoft Security Copilot is an AI-powered security analysis tool that combines a large language model (GPT-4, hosted in Azure OpenAI Service) with a Microsoft security-specific model, Microsoft threat intelligence, and your organization's security data, which it reaches through plugins. It is designed to assist security analysts by providing natural-language insights, generating KQL queries, summarizing incidents, and suggesting remediation steps. Copilot is available in two ways: as an embedded experience within Microsoft Defender XDR, Microsoft Sentinel, Microsoft Intune, Microsoft Entra ID, and Microsoft Purview, and as a standalone portal (https://securitycopilot.microsoft.com) for prompt-based analysis and promptbooks. Both experiences draw on the same provisioned capacity.
How It Works Internally
Copilot processes prompts through a multi-layered pipeline:
1. Prompt Ingestion: The user types a natural-language prompt (e.g., 'Summarize incident 12345') in the standalone portal or an embedded panel.
2. Context Retrieval: Copilot gathers context from the current workspace through plugins: incident details, user identities, device information, and relevant alerts. For example, in Defender XDR it pulls the incident timeline, affected assets, and related alerts. What it can retrieve is bounded by the plugins that are enabled and by the permissions of the user who submitted the prompt.
3. Grounding: The prompt and retrieved context are sent to the model (GPT-4 combined with Microsoft's security-specific model). The model uses Microsoft's threat intelligence and the retrieved data to generate a response that is relevant to your environment. Grounding reduces hallucination by anchoring responses to real data, but it does not eliminate it, which is why generated queries and conclusions must still be validated.
4. Response Generation: The model produces a response in natural language, often including tables, links, and actionable suggestions. It may also generate KQL queries or explain scripts. Every response shows the plugins and reasoning steps used, so the analyst can see where the answer came from.
5. Recommended Actions: For prompts that imply a response action (e.g., 'Disable user account'), Copilot recommends the step and points to where it is taken. The analyst carries it out through the product's own action controls (for example, Defender XDR device isolation), which are audited by that product; Copilot does not execute the action itself.
Key Components and Defaults
Model: Security Copilot pairs OpenAI's GPT-4 (hosted in Azure OpenAI Service) with a Microsoft security-specific model and Microsoft's global threat intelligence, including MITRE ATT&CK mappings and vulnerability data. The exam point is the combination of a general LLM with security-specific grounding, not a single proprietary model.
Embedded Experiences: Copilot is available within:
- Microsoft Defender XDR (incidents, alerts, advanced hunting, threat analytics)
- Microsoft Sentinel (incidents, hunting)
- Microsoft Intune (device management, policy and compliance)
- Microsoft Entra ID (identity protection, risky users, sign-in analysis)
- Microsoft Purview (data classification, DLP and insider-risk alerts)
- Standalone Portal: A dedicated web interface at https://securitycopilot.microsoft.com where analysts can ask arbitrary security questions, run promptbooks, and review session history.
- Promptbooks: Predefined, ordered sets of prompts for common tasks (e.g., incident triage, threat hunting). Promptbooks can be customized and shared.
- Plugins: Copilot reaches Microsoft products and third-party sources through plugins. Microsoft plugins are enabled by default for supported products; third-party and custom plugins must be added and enabled by an owner.
- Capacity: Copilot is metered in Security Compute Units (SCUs). You provision a number of SCUs per hour as an Azure resource and are billed for that hourly allocation whether or not it is used. Each prompt consumes a variable amount of SCU depending on its complexity and the plugins it invokes, so there is no fixed number of prompts per unit. When the hourly allocation is exhausted, prompts are throttled until the next hour unless overage is enabled.
- Data Residency: You choose the geo when provisioning capacity, and prompt evaluation is processed there (with an optional setting to allow processing elsewhere when capacity is constrained). Customer data is not used to train the underlying foundation models.
- Role-Based Access: Copilot has two product roles, Copilot owner and Copilot contributor. Owners manage settings, plugins, capacity, and sharing; contributors create sessions and run prompts and promptbooks. Global Administrator and Security Administrator in Microsoft Entra ID are owners automatically; the contributor role is assigned in the Security Copilot portal, typically to a security group. Beyond these roles, what Copilot can retrieve for a user is limited by that user's existing permissions in Defender, Sentinel, and the other plugged-in products.
Configuration and Verification
To enable Security Copilot:
1. Provision capacity: In the Azure portal (or from the Security Copilot portal on first run), create a Security Copilot capacity resource in an Azure subscription, choosing the resource group, the geo, and the number of SCUs per hour.
2. Set up the default environment: Sign in to the Security Copilot portal as an owner, associate the provisioned capacity with the tenant, and confirm the data-sharing and geo settings.
3. Assign roles: Add the analysts who will run prompts to the Copilot contributor role (ideally through a security group); confirm which Entra administrators hold the owner role.
4. Enable plugins: Review which Microsoft plugins are on, and add any third-party or custom plugins the SOC needs.
5. Open an embedded experience (for example the Copilot pane in a Defender XDR incident) and submit a test prompt to confirm capacity and permissions are working. The exact location of per-product Copilot settings changes between releases, so verify it in the product documentation.
Verification:
Capacity: In the Azure portal, confirm the Security Copilot capacity resource exists in the expected subscription and geo. In the Security Copilot portal, owner settings include usage monitoring that shows SCU consumption per hour and whether prompts are being throttled.
Roles: In the Security Copilot portal, owner settings list the owner and contributor assignments; cross-check that the assigned group contains the intended analysts.
Prerequisite product licenses: A per-user command such as Get-MgUserLicenseDetail -UserId user@domain.com shows the user's Microsoft 365 licenses (Defender, Sentinel-adjacent products), not Copilot access; Copilot itself has no per-user license to check.
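The following PowerShell script is an added example and not part of the original page or of Microsoft's own tooling. It checks the three prerequisites above from the command line: that the Security Copilot resource provider is registered, that at least one capacity resource is provisioned (and where), and which Entra directory roles a given user holds that would make them a Copilot owner. The ARM resource type name Microsoft.SecurityCopilot/capacities, the property name numberOfUnits, and the sample UPN are assumptions to verify in your own subscription.

```powershell
# Added example: verify Security Copilot prerequisites with Azure PowerShell and Microsoft Graph PowerShell.
# Assumptions (verify in your tenant): the ARM resource type for provisioned capacity is
# Microsoft.SecurityCopilot/capacities with a numberOfUnits property, and Copilot owner rights
# derive from the Global Administrator or Security Administrator Entra roles.
#Requires -Modules Az.Accounts, Az.Resources, Microsoft.Graph.Authentication, Microsoft.Graph.Users

param(
    [string]$UserPrincipalName = 'analyst@contoso.com'   # constructed sample UPN
)

Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All' | Out-Null

# 1. Is the resource provider registered in this subscription? Capacity cannot be created otherwise.
$rp = Get-AzResourceProvider -ProviderNamespace 'Microsoft.SecurityCopilot'
$providerRegistered = ($rp.RegistrationState -contains 'Registered')

# 2. Is any capacity (SCU pool) provisioned, and in which geo?
$capacities = @(Get-AzResource -ResourceType 'Microsoft.SecurityCopilot/capacities' -ExpandProperties)
$capacitySummary = foreach ($c in $capacities) {
    [pscustomobject]@{
        Name          = $c.Name
        ResourceGroup = $c.ResourceGroupName
        Location      = $c.Location                      # the geo where prompts are evaluated
        Units         = $c.Properties.numberOfUnits      # assumed property name; inspect $c.Properties
    }
}

# 3. Which directory roles does the user hold? Global/Security Administrator map to Copilot owner.
$user = Get-MgUser -UserId $UserPrincipalName
$directoryRoles = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
$ownerRoles = @($directoryRoles | Where-Object { $_ -in 'Global Administrator', 'Security Administrator' })

# Report. Contributor-role membership is managed in the Security Copilot portal and is not
# exposed as an Entra directory role, so it is not checked here.
[pscustomobject]@{
    ProviderRegistered  = $providerRegistered
    CapacityProvisioned = ($capacities.Count -gt 0)
    Capacities          = $capacitySummary
    User                = $user.UserPrincipalName
    OwnerEligibleRoles  = $ownerRoles
    LikelyCopilotOwner  = ($ownerRoles.Count -gt 0)
}
```

Run it from an account that can read subscriptions and directory objects. A result of ProviderRegistered = False or CapacityProvisioned = False explains a "no capacity" error in the portal before anyone starts troubleshooting plugins or roles.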
Interaction with Related Technologies
Microsoft Defender XDR: Copilot can summarize incidents, explain alerts, analyze scripts and command lines, generate KQL for advanced hunting, and recommend response actions through guided response. For example, asking 'Show me all alerts related to this user' produces a KQL query you can review and run in Advanced Hunting.
Microsoft Sentinel: Copilot can analyze incidents, generate incident summaries, and create hunting queries. It can also integrate with Logic Apps for automated responses.
Microsoft Intune: Copilot can provide device compliance summaries and suggest remediation steps for non-compliant devices.
Microsoft Entra ID: Copilot can analyze sign-in logs, identify risky users, and suggest conditional access policies.
Microsoft Purview: Copilot can investigate data loss prevention alerts and summarize data classification results.
Prompt Types
Investigation Prompts: 'What is the status of incident 12345?'
Analysis Prompts: 'Analyze this PowerShell script for malicious indicators.'
Generation Prompts: 'Create a KQL query to detect failed logons from unusual locations.'
Action Prompts: 'Disable the user account jdoe.' (Copilot recommends the step and where to take it; the analyst performs it through the product's own controls.)
Report Prompts: 'Generate an executive summary of the past 7 days of incidents.'
Licensing and Cost
Licensing model: Security Copilot is not a per-user SKU. Access is purchased as provisioned capacity (Security Compute Units) billed hourly through an Azure subscription; it is not bundled into Microsoft 365 E5. The embedded experiences additionally require the underlying product licenses (Defender XDR, Sentinel, Intune, and so on).
Capacity: You provision a fixed number of SCUs per hour (minimum one). Each prompt, including follow-ups, consumes a variable amount of SCU depending on its complexity and the plugins it calls, so plan capacity from observed usage in the portal's usage monitoring rather than from a prompts-per-unit figure.
Trials and promotions: Microsoft has offered promotional pricing and trial capacity at various times; check current offers rather than memorizing a trial length or unit count.
Limitations
Copilot is not a replacement for analysts; it is an assistant.
It requires internet connectivity to the Microsoft cloud.
It works best with English prompts; other languages are supported to varying degrees, so check the current supported-language list.
Third-party and custom data sources are reached only through plugins (Microsoft, third-party, or custom API/KQL/GPT plugins) that an owner has enabled.
Exam-Relevant Numbers
Capacity unit: Security Compute Unit (SCU), provisioned per hour, minimum one; consumption per prompt varies.
Trials: none to memorize; check current offers.
Roles: Copilot owner (manages settings, plugins, capacity, sharing) and Copilot contributor (runs prompts and promptbooks).
Embedded experiences: Defender XDR, Sentinel, Intune, Entra ID, Purview.
Promptbooks: predefined, ordered sets of prompts.
Step-by-Step: Using Copilot to Investigate an Incident
Open Incident in Defender XDR: Navigate to Incidents & Alerts > Incidents, select an incident.
Launch Copilot Panel: Click the Copilot icon (sparkle) on the incident details page.
Ask a Question: Type 'Summarize this incident' or 'What are the affected assets?'
Review Response: Copilot displays a summary with key details, affected users, devices, and recommended actions.
Generate KQL Query: Ask 'Create a KQL query to find similar logons' – Copilot generates a query that you can run in Advanced Hunting.
Take Action: Ask 'How do I contain the affected device?' – Copilot recommends isolation and points to the device page; you isolate the device through the Defender for Endpoint action controls, where the action is logged.
Document: Ask 'Generate an incident report' – Copilot creates a formatted report ready for compliance.
Identify the Incident
Begin by identifying the incident you want to investigate. In Microsoft Defender XDR, navigate to Incidents & Alerts > Incidents. Select the specific incident that requires analysis. The incident timeline will show related alerts, affected users, devices, and mailbox items. This context is automatically passed to Copilot when you open the Copilot panel, ensuring that the AI has the necessary data to provide accurate responses. Without this step, Copilot would lack the context needed to generate meaningful insights.
Launch Copilot Panel
On the incident details page, locate the Copilot icon (a sparkle symbol), typically in the top toolbar. Clicking it opens the Copilot pane, an embedded chat interface. This pane is context-aware, meaning it automatically includes the incident ID, severity, status, and related entities in the background. The pane also shows suggested prompts to help you get started, and every response lists the plugins and steps Copilot used to produce it.
Ask an Investigative Question
Type a natural-language question such as 'Summarize this incident' or 'What are the indicators of compromise?'. Copilot processes the prompt using the Security Copilot model, which combines the incident context with Microsoft threat intelligence. The response typically includes a concise summary, key entities (users, devices, IPs), and links to related alerts. For complex incidents, Copilot may break down the response into sections: attack timeline, affected assets, and recommended actions. This step is the core interaction with Copilot.
Generate and Execute a KQL Query
Ask Copilot to create a custom hunting query, e.g., 'Generate a KQL query to find all logons from this IP address in the last 7 days'. Copilot writes the query and displays it in a code block. You can copy the query and run it in Advanced Hunting, or in some embedded experiences run it directly from the Copilot pane. The query is generated with knowledge of the advanced hunting schema, so it usually uses the correct table names (e.g., IdentityLogonEvents), but it can still reference a column that does not exist in your tenant or apply a filter that is too broad; read it before you run it. This step accelerates threat hunting by removing most of the effort of writing KQL from scratch, not the need to understand it.
Approve and Execute an Action
If Copilot suggests an action (e.g., 'Isolate device', 'Disable user account'), it does not perform it. The analyst takes the action through the relevant product (for example, device isolation from the Defender for Endpoint device page, or disabling a user in Entra ID), where the product's own confirmation and audit logging apply. This keeps the human in control and prevents unintended changes: Copilot's role ends at the recommendation, and the audit trail for the action lives with the product that executed it.
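The script below is an added example, not code from the page or from Microsoft. It shows the validation step the procedure above asks for: before a Copilot-generated KQL query is trusted, the referenced table is queried for its live schema through the Microsoft Graph security API (runHuntingQuery), every column the generated query uses is checked against that schema, and only then is the query run with a row cap. The generated query and the IP address are constructed stand-ins for what Copilot would return; the Graph endpoint and the ThreatHunting.Read.All permission are real, and the Microsoft.Graph.Authentication module is assumed to be installed.

```powershell
# Added example: gate a Copilot-generated KQL query behind a live schema check before running it
# in Defender XDR Advanced Hunting via the Microsoft Graph security API.
# Assumptions: Microsoft.Graph.Authentication is installed and the caller is granted
# ThreatHunting.Read.All. The query text and IP below are constructed samples.
#Requires -Modules Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'ThreatHunting.Read.All' | Out-Null
$huntUri = 'https://graph.microsoft.com/v1.0/security/runHuntingQuery'

function Invoke-HuntingQuery {
    param([Parameter(Mandatory)][string]$Query)
    $body = @{ Query = $Query } | ConvertTo-Json
    $resp = Invoke-MgGraphRequest -Method POST -Uri $huntUri -Body $body -ContentType 'application/json'
    return @($resp.results)   # one hashtable per row
}

# Constructed sample of what Copilot produces for "logons from this IP in the last 7 days".
$ip = '203.0.113.45'   # TEST-NET-3 documentation address, constructed
$generated = @"
IdentityLogonEvents
| where Timestamp > ago(7d)
| where IPAddress == "$ip"
| project Timestamp, AccountUpn, DeviceName, LogonType, ActionType
| order by Timestamp desc
"@

# Step 1: pull the live schema of the table the query starts with. This catches schema drift and
# hallucinated column names before the real query ever runs.
$table = ($generated -split "`n")[0].Trim()
$liveColumns = (Invoke-HuntingQuery -Query "$table | getschema | project ColumnName") |
    ForEach-Object { $_.ColumnName }

$wanted  = 'Timestamp', 'IPAddress', 'AccountUpn', 'DeviceName', 'LogonType', 'ActionType'
$missing = @($wanted | Where-Object { $_ -notin $liveColumns })
if ($missing.Count -gt 0) {
    throw "Generated query references columns not present in $table : $($missing -join ', '). Edit it before running."
}

# Step 2: run with a hard row cap so an over-broad filter cannot flood the session.
$rows = Invoke-HuntingQuery -Query ($generated + "`n| take 500")
"{0} logon events from {1} in the last 7 days (capped at 500)" -f $rows.Count, $ip
$rows | Select-Object Timestamp, AccountUpn, DeviceName, LogonType | Format-Table -AutoSize
```

The same pattern applies to any generated query: resolve the table, compare the columns it names against getschema, and cap the rows. The check is cheap, and it turns "Copilot may generate incorrect KQL" from a warning into a guard that fails before anything misleading reaches the analyst.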
Enterprise Scenario 1: SOC Triage Acceleration
A global manufacturing company with a 24/7 SOC receives over 500 alerts per day. Junior analysts spend 30 minutes per incident reading logs and writing reports. By using Security Copilot inside Defender XDR, they reduce triage time to 10 minutes per incident. The workflow: an alert triggers an incident; the analyst opens the Copilot pane and asks 'Summarize this incident'. Copilot provides a one-paragraph summary with key IOCs, affected users, and priority. The analyst then asks 'Are there any similar incidents in the last 7 days?' Copilot generates and runs a KQL query and returns a list, which the analyst reviews. Finally, the analyst asks 'Generate an incident report' and pastes the output into the ticketing system. This saves 20 minutes per incident, allowing the team to handle 50% more incidents daily. Configuration required: add the analysts to the Copilot contributor role, confirm the Defender XDR plugin is enabled, and provision enough SCUs per hour for the observed prompt volume, using the portal's usage monitoring to tune the number after the first weeks.
Enterprise Scenario 2: Threat Hunting with Promptbooks
A financial services firm uses Microsoft Sentinel for SIEM. The threat hunting team uses Copilot promptbooks to standardize hunting procedures. They create a promptbook called 'Ransomware Hunt' with steps: 1) 'Identify recent file encryption events', 2) 'List users with multiple failed logons', 3) 'Check for known ransomware IOCs'. Each prompt generates a KQL query and a summary. The team runs the promptbook daily, and Copilot outputs a consolidated report. This ensures consistent coverage across shifts. A common misconfiguration is not updating the promptbook when new tables are added to Sentinel; Copilot may generate queries referencing outdated schemas. To mitigate, the team periodically reviews and tests promptbooks.
Enterprise Scenario 3: Executive Reporting
A healthcare organization needs weekly executive summaries of security incidents for compliance. The CISO asks the SOC manager to use Copilot to generate a report. The manager opens the Copilot standalone portal and prompts 'Generate a weekly summary of all incidents from the past 7 days, categorized by severity and attack type'. Copilot pulls data from Defender XDR and Sentinel through their plugins, formats it with tables, and the manager exports the session for circulation. This reduces report creation time from 4 hours to 15 minutes. However, if the Sentinel plugin is not enabled or the manager lacks read access to the Sentinel workspace, Copilot will only have access to Defender data, producing an incomplete report without necessarily saying so. Proper configuration of plugins and the prompting user's permissions is critical, and the report should be spot-checked against the source portals.
SC-200 Exam Focus: Microsoft Copilot for Security
The SC-200 exam tests Security Copilot within its security operations and incident response objectives (check the current skills outline for the exact wording). Specifically, you must understand:
What Copilot is (AI assistant, not autonomous)
Where it is embedded (Defender XDR, Sentinel, Intune, Entra ID, Purview) and that a standalone portal also exists
How it is licensed (provisioned Security Compute Units billed per hour, not per-user licenses)
The difference between the Copilot owner and Copilot contributor roles
The purpose of promptbooks and plugins
How grounding works (your data retrieved through plugins plus Microsoft threat intelligence, fed to GPT-4 combined with a security-specific model)
That customer data is not used to train the underlying models
That response actions are recommended by Copilot but taken by a human in the product
Common Wrong Answers and Why Candidates Choose Them
'Copilot can automatically remediate incidents without human approval.' – Wrong. Copilot recommends actions; a human takes them in the product. Candidates confuse AI assistance with automation. Remember: Copilot suggests, humans decide.
'Copilot replaces the need for KQL knowledge.' – Wrong. Copilot generates KQL queries, but analysts still need to understand and validate them. The exam may test that Copilot is a productivity tool, not a replacement.
'Copilot is only available in Defender XDR.' – Wrong. It is embedded in multiple products and has a standalone portal. Candidates overlook Sentinel and other services.
'Copilot is just a general-purpose chatbot.' – Wrong. It combines GPT-4 with a Microsoft security-specific model, threat intelligence, and plugin-based grounding in your environment. The exam may ask what makes it security-specific.
'Copilot is licensed per user like Microsoft 365 Copilot.' – Wrong. It is licensed by provisioned capacity (SCUs per hour).
Specific Numbers and Values to Memorize
Capacity unit: Security Compute Unit (SCU), provisioned per hour, minimum one, billed hourly; consumption per prompt varies.
No trial length or free-unit count to memorize; check current offers.
Roles: Copilot owner (manages settings, plugins, capacity, sharing) and Copilot contributor (runs prompts and promptbooks).
Embedded experiences: Defender XDR, Sentinel, Intune, Entra ID, Purview.
Promptbooks: predefined, ordered sets of prompts.
Edge Cases
A user who is neither an owner nor a contributor cannot submit prompts at all; a contributor can prompt but cannot change plugins, capacity, or sharing settings.
Copilot may generate incorrect KQL if the data schema changes or a column name is guessed; always validate against the live schema before running.
Capacity is consumed per prompt, including follow-ups, in a variable number of SCUs. A five-prompt conversation costs whatever those five prompts consumed, and once the hourly allocation is used up further prompts are throttled until the next hour.
What Copilot returns is bounded by the prompting user's own permissions in the plugged-in products; two analysts asking the same question can get different answers if one lacks access to a workspace.
Copilot is not available in GCC High or DoD environments by default; check current availability for government clouds.
How to Eliminate Wrong Answers
If an answer says 'automatically' or 'without human intervention' about a response action, it is likely wrong.
If an answer describes Copilot as only a general-purpose model with no security-specific grounding, it is wrong.
If an answer limits Copilot to one product, it is wrong.
If an answer mentions training on customer data, it is wrong (Microsoft states it does not).
If an answer describes per-user licenses or a fixed number of prompts per unit, it is wrong; capacity is SCUs per hour with variable consumption.
Microsoft Security Copilot is an AI assistant, not an autonomous system; it recommends response actions, and a human takes them in the product.
It is embedded in Defender XDR, Sentinel, Intune, Entra ID, and Purview, and has a standalone portal.
Licensing is based on provisioned capacity: Security Compute Units per hour, billed hourly, with variable consumption per prompt.
The model is GPT-4 combined with a Microsoft security-specific model and threat intelligence, grounded in your data through plugins.
Customer data is not used to train the underlying models; responses are grounded in your environment at query time.
Two roles: Copilot owner (manages settings, plugins, capacity, sharing) and Copilot contributor (runs prompts and promptbooks).
Promptbooks are predefined, ordered sets of prompts for common tasks like incident triage or threat hunting.
Copilot can generate KQL queries, but analysts should validate them against the live schema before use.
Trials and promotional pricing change; check current offers rather than memorizing figures.
Copilot is not available in GCC High/DoD by default; check availability for government clouds.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Copilot for Security
Uses natural language prompts; no KQL required.
Provides summarized insights and context.
Generates KQL queries automatically.
Requires provisioned Security Compute Units (capacity billed per hour), not a per-user license.
Actions require human approval.
Traditional KQL Hunting
Requires manual KQL query writing.
Analyst must interpret raw data.
No automatic query generation.
No additional license cost (included with Defender/Sentinel).
Actions are executed manually via portal or API.
Copilot Contributor Role
Can submit prompts, run and create promptbooks, and view their own sessions.
Cannot change plugin, capacity, or sharing settings.
Suitable for SOC analysts and threat hunters.
Prompts consume provisioned capacity.
Assigned in the Security Copilot portal, typically via a security group.
Copilot Owner Role
Everything a contributor can do, plus managing capacity, plugins, data-sharing, usage monitoring, and role assignments.
Held automatically by Global Administrator and Security Administrator in Microsoft Entra ID.
Suitable for the SOC lead or platform owner; keep the group small under least privilege.
Can promote shared promptbooks and custom plugins for the whole tenant.
Derived from Entra roles or assigned explicitly in the portal.
Mistake
Copilot for Security is the same as Microsoft 365 Copilot.
Correct
No. Microsoft 365 Copilot works in Office apps (Word, Excel, Teams) and is grounded in Microsoft Graph content; it is licensed per user. Security Copilot is grounded in security data through plugins, adds a Microsoft security-specific model and threat intelligence alongside GPT-4, is integrated into security products, and is licensed by provisioned capacity. They have different SKUs and purposes.
Mistake
Copilot can fully automate incident response without human approval.
Correct
Copilot recommends actions (e.g., disabling a user, isolating a device) but does not execute them; the analyst takes the action in the relevant product, where the product's own confirmation and audit logging apply. This is by design to maintain human oversight.
Mistake
Copilot uses customer data to train its AI model.
Correct
Microsoft explicitly states that Copilot for Security does not use customer data for training. Responses are grounded in your data at query time, but that data is not used to improve the underlying model.
Mistake
Copilot eliminates the need to learn KQL.
Correct
Copilot can generate KQL queries, but analysts still need to understand and validate them. The exam expects you to know that Copilot is an assistant, not a replacement for skills.
Mistake
Copilot is only available in Microsoft Defender XDR.
Correct
Copilot is embedded in multiple products: Defender XDR, Sentinel, Intune, Entra ID, and Purview. It also has a standalone portal. The exam may test your knowledge of these integrations.
Microsoft Security Copilot is an AI-powered security analysis tool that helps security professionals investigate incidents, hunt for threats, and create reports using natural language. It integrates with Microsoft security products like Defender XDR, Sentinel, Intune, Entra ID, and Purview. It combines GPT-4 with a Microsoft security-specific model and Microsoft threat intelligence, grounded in your data through plugins. Copilot does not act autonomously; it recommends actions that a human takes in the product. It is licensed by provisioned capacity (Security Compute Units per hour).
Microsoft 365 Copilot is designed for productivity in Office apps (Word, Excel, Teams) and is grounded in Microsoft Graph content, while Security Copilot is specifically for security operations. Security Copilot adds a security-specific model and threat intelligence, is grounded in security data (incidents, alerts, sign-ins, KQL-accessible telemetry), is integrated into security products, and has its own licensing (capacity rather than per-user). The two are separate SKUs and cannot be used interchangeably.
Security Copilot requires provisioned capacity: Security Compute Units per hour, created as an Azure resource in a subscription and billed hourly (minimum one SCU). There are no per-user Copilot licenses. Users must hold the Copilot owner or Copilot contributor role, and the embedded experiences require the underlying product licenses (e.g., Defender XDR, Sentinel). Trial and promotional offers vary; check current terms.
No, Security Copilot does not execute actions. It recommends actions (e.g., isolate device, disable user) and the analyst performs them through the relevant product, which applies its own confirmation dialog and audit logging. This design ensures that humans remain in control and can review the recommendation before anything is applied.
Copilot uses the context from the current workspace (e.g., incident details, user info) retrieved through plugins, combined with Microsoft threat intelligence and the model's general knowledge. It does not use customer data from other tenants, and customer data is not used to train the underlying models. Responses are grounded in your organization's data at query time, and what can be retrieved is limited by the enabled plugins and the prompting user's permissions in each product.
First, provision Security Copilot capacity (SCUs per hour) as an Azure resource in a subscription. Then sign in to the Security Copilot portal (https://securitycopilot.microsoft.com) as an owner to associate the capacity with the tenant and confirm geo and data-sharing settings. Assign the Copilot contributor role to the analysts' security group and confirm the owner assignments. Review enabled plugins, then open an embedded experience (for example the Copilot pane in a Defender XDR incident) and submit a test prompt to confirm everything works.
Promptbooks are predefined, ordered sets of prompts designed for common security tasks, such as incident triage, threat hunting, or compliance reporting. They help standardize workflows and ensure consistent analysis across shifts. Users can create custom promptbooks or use built-in ones. When a promptbook is run, Copilot executes each prompt sequentially, using the context from previous responses. Promptbooks can be shared across the team, and should be re-tested when the underlying schemas or plugins change.