klianos
Iron Contributor
Jun 05, 2026

Operational Notes on Microsoft Security Copilot Agents in Defender XDR and Microsoft Entra ID

Microsoft Security Copilot is now becoming more visible inside day-to-day security operations, especially through embedded experiences and agent-based workflows across Microsoft Defender XDR, Microsoft Entra ID, Microsoft Intune, and Microsoft Purview.

Instead of looking at Security Copilot only as a standalone prompt interface, SOC and identity teams should also understand how Security Copilot agents are deployed, how they consume Security Compute Units, how they appear in operational workflows, and where their activity can be monitored.

This post summarizes practical observations from a security operations perspective, with a focus on Microsoft Defender XDR, Microsoft Entra ID, usage monitoring, and KQL-based activity review.

 

Licensing & Capacity Units

Requirements

  • Requires eligible Microsoft security licensing, typically:
    • Microsoft 365 E5
    • Microsoft 365 E7

Security Compute Units (SCUs)

  • Security Copilot capacity is measured in Security Compute Units (SCUs).
  • SCUs are billed based on provisioned capacity.
  • Indicative pricing:
    • $4 per provisioned SCU/hour
    • $6 per overage SCU/hour
  • Billing is calculated hourly, based on the number of SCUs provisioned.

Included Capacity

  • Organizations with 1,000 Microsoft 365 E5 licenses receive 400 included SCUs.
  • Included SCUs are shared across the tenant within a common capacity pool.

Scaling

  • SCU capacity can be scaled dynamically based on operational requirements and workload demand.

Data Retention

  • Security Copilot session and interaction data without active SCU-backed retention is typically retained for 90 days.

Security Copilot Agents - Microsoft Defender

This section outlines the Microsoft Security Copilot agents currently available in the Microsoft Defender portal.

Security Alert Triage Agent (Preview)

  • Manual setup from Defender portal
  • Automatically creates Unified RBAC custom role
  • Runs automatically when a user reports a suspicious email or when a new supported alert is generated (supported alert sources: MDI, MDC, MDO)
  • If an alert tuning rule is enabled, it will be automatically disabled when the agent is deployed.
  • Creates and connects with agentic user account: Phishing Triage Agent (Security Copilot)
  • Alerts are automatically assigned to SecurityCopilotAgentUser-db16fec3-f1fb-4632-843e-46d07408c584@<tenant-domain> (recorded as: Alert was assigned to Phishing Triage Agent (Security Copilot).)
  • Adds the tag Agent to the incidents it creates

Threat Hunting Agent

  • Manual setup from Defender portal
  • Automatically creates Unified RBAC custom role
  • Runs manually; there is no automatic trigger.
  • Creates and connects with agentic user account: Threat Hunting Agent (Security Copilot)
  • Accepts analyst questions in natural language
  • Generates and executes KQL queries in Advanced hunting
  • Provides charts, dynamic follow-up questions, and remediation action recommendations
  • No activity is recorded under the agent's identity during agent execution

Threat Intelligence Briefing Agent

Security Analyst Agent

  • Manual setup from Defender portal

Dynamic Threat Detection Agent (Preview)

  • Automatically enabled
  • Always-on: runs continuously in the background
  • Correlates alerts, security events, behavioral anomalies, and TI signals
  • Generates alerts with Detection Source: Security Copilot
  • These alerts can be correlated with existing multi-stage incidents
  • No agentic user account identity is used by this agent
  • Available free of charge during public preview; will begin consuming Security Compute Units (SCUs) once generally available (GA)
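As an added example (not from the original post) of reviewing what this agent produces, the following Advanced hunting query lists recent alerts whose detection source is Security Copilot, together with the evidence entities attached to each one, so an analyst can see which hosts and entity types the agent is raising alerts on. It assumes the DetectionSource column carries the literal value "Security Copilot" reported above (check with a quick summarize by DetectionSource if your tenant differs) and uses the Advanced hunting schema (Timestamp); the Microsoft Sentinel copies of AlertInfo and AlertEvidence expose TimeGenerated instead.

```kql
// Added example, not part of the original post.
// Alerts raised by the Dynamic Threat Detection Agent, with evidence entities.
// Assumption: DetectionSource == "Security Copilot" is the literal value used.
AlertInfo
| where Timestamp > ago(7d)
| where DetectionSource == "Security Copilot"
| join kind=leftouter (
    AlertEvidence
    | summarize EntityTypes = make_set(EntityType),
                Devices = make_set_if(DeviceName, isnotempty(DeviceName)),
                Accounts = make_set_if(AccountName, isnotempty(AccountName))
      by AlertId
  ) on AlertId
| project Timestamp, AlertId, Title, Severity, Category, EntityTypes, Devices, Accounts
| order by Timestamp desc
```

Because the agent is free during preview and will consume SCUs at GA, the same query summarized by day gives a baseline of how many alerts it generates, which is useful input when sizing provisioned capacity.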

Incidents handled by Security Alert Triage Agent:

Alerts created by Dynamic Threat Detection Agent:

Execution of Threat Hunting Agent:

View agents in use: https://security.microsoft.com/security-copilot/agents

View Unified RBAC custom roles: https://security.microsoft.com/mtp_roles

View Security Copilot user identities in Microsoft Entra ID:

Notes:

CloudAppEvents only records activity from the following agents:

  • Phishing Triage Agent
  • Conditional Access Optimization Agent

Security Copilot Agents - Microsoft Entra ID

Conditional Access Optimization Agent

Usage Monitoring

Sign in to the Security Copilot portal with a Global Administrator account and navigate to: https://securitycopilot.microsoft.com/usage-monitoring

Reference: https://learn.microsoft.com/en-us/copilot/security/manage-usage

Logging Activity

Copilot Agents Management:

// Agent management operations (create, update, enable/disable) recorded in CloudAppEvents
CloudAppEvents
| where ActionType contains "CopilotAgent"
| extend AgentName = tostring(RawEventData.AgentName)
| extend Workload = tostring(RawEventData.Workload)
| extend ResultStatus = tostring(RawEventData.ResultStatus)
| project TimeGenerated, ActionType, ResultStatus, AgentName, Application, Workload

 

All Copilot Workload data:

// Every CloudAppEvents record tagged with the Copilot workload, counted per action and account
CloudAppEvents
| extend Workload = tostring(RawEventData.Workload)
| where Workload == "Copilot"
| summarize EventCount = count() by ActionType, AccountDisplayName
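Building on the two queries above, here is an added example (not from the original post) that turns the agent-management log into something closer to a detection: it keeps only agent operations performed by accounts outside an expected administrator list and flags failed operations. The same CloudAppEvents fields as the post's queries are used; the administrator object IDs are constructed placeholders, and treating "Success" as the ResultStatus success value is an assumption to confirm against your own data.

```kql
// Added example, not part of the original post.
// Agent management operations by unexpected actors, with failures called out.
// Placeholder object IDs (constructed); replace with your SOC administrators.
let ExpectedAdmins = dynamic([
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
]);
CloudAppEvents
| where TimeGenerated > ago(30d)
| where ActionType contains "CopilotAgent"
| extend AgentName = tostring(RawEventData.AgentName),
         ResultStatus = tostring(RawEventData.ResultStatus)
| where AccountObjectId !in (ExpectedAdmins)
| summarize Operations = count(),
            Failed = countif(ResultStatus !~ "Success"),   // assumption: "Success" marks success
            ActionTypes = make_set(ActionType),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by AccountDisplayName, AccountObjectId, AgentName
| order by Failed desc, Operations desc
```

Run it on a schedule (for example as a Sentinel analytics rule) and anything that appears is either an administrator missing from the list or a change to agent configuration that nobody planned.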
