what's new
New tools for Security Copilot management and capacity planning
Last year, we launched Microsoft Security Copilot with a bold goal: to help organizations protect at the speed of AI. Since then, Security Copilot has been transforming how IT and security operations teams respond to threats and manage their environments. In fact, research from live operations indicates that Security Copilot users have seen impact like a 30% reduction in mean time to resolution for SOC teams, and a 54% decrease in time to resolve a device policy conflict for IT teams.

As adoption has grown, so has the complexity of customer needs. In many organizations, different teams, business units, and regions require distinct approaches to data access, capacity planning, and tooling. At the same time, customers want the flexibility to start small, test scenarios, and scale usage over time, without committing to long-term contracts. To meet these needs, Security Copilot is offered as a consumptive solution, allowing organizations to provision Security Compute Units (SCUs) as needed. This flexible model lowers the barrier to entry and encourages experimentation. And now, with workspaces and the Security Copilot capacity calculator to help manage capacity, customers can adopt Security Copilot with even more confidence and control.

Workspaces

Security operations don’t happen in a vacuum – different teams, business units, and regions have unique operational needs. This is why we’re excited to launch workspaces in public preview – a major enhancement to how teams can manage access, resources, and collaboration within Security Copilot. Workspaces provide a flexible way to segment environments, making it easier to align access and capacity with organizational needs, legal structures, or compliance requirements.

Let’s take the example of a multinational organization with separate security and IT teams in North America, Europe, and Asia.
With workspaces, this company can realize benefits in:

Data boundaries: Each regional team operates within its own dedicated workspace, keeping data like prompt history local and accessible only to that team. This isolation ensures information stays relevant to the team and supports compliance with regional data residency requirements and internal policies.

Role-based access control: Only authorized users specified by the admin have access to each workspace, and workspace management is restricted to users with administrator roles.

Capacity planning: SCUs can be provisioned per workspace, giving admins the ability to right-size capacity based on each team’s workload. APAC can scale up during a surge while the US conserves usage during a quiet period.

Note: multi-workspace support is now available in Security Copilot, enabling users to manage prompt sessions across multiple workspaces. However, available agents that run autonomously are currently limited to a single workspace, and embedded experiences continue to route traffic exclusively through the tenant-level default workspace. Please refer to the documentation for full details.

Security Copilot capacity calculator

One of the most common questions we hear from customers is: “How many SCUs do I need to get started with Security Copilot?” Given the dynamic nature of AI-powered security workflows, forecasting compute needs can be a challenge, especially for teams just starting their journey. To make planning easier, we’re excited to announce the launch of the Security Copilot capacity calculator, now available in the Security Copilot standalone experience (Azure account required). This tool offers a practical starting point to help estimate how many SCUs your organization may require. With a few clicks, customers can get an idea of estimated SCU usage based on inputs like the number of users in an embedded Security Copilot experience.
While actual consumption may vary, as it depends on real-time prompt activity, the calculator serves as a helpful guide for initial provisioning and budget planning. Once you’ve estimated your baseline needs, you can get started in Security Copilot or in the Azure portal. Security Copilot offers two flexible models to support both predictable workloads and unplanned spikes in usage:

Provisioned SCUs: Ideal for predictable, ongoing operations. A minimum of one provisioned SCU is required.

Overage SCUs: Designed for variable demand. Overage SCUs allow usage to scale seamlessly, and customers only pay for what they use, up to their chosen optional overage limit.

With the capacity calculator, organizations can confidently begin their Security Copilot journey and better manage usage to align with their business needs. After getting started, teams can monitor consumption through the in-product usage dashboard and adjust capacity as demand fluctuates. Learn more about Security Copilot pricing here.

Get Started with Security Copilot today

Together, workspaces and the capacity calculator provide organizations with deeper insight, flexibility, and control over their Security Copilot usage. These features address the real-world challenges of managing diverse teams, complex environments, and evolving workloads. Whether you’re just starting your Security Copilot journey or looking to optimize your existing usage, these tools help you right-size capacity, maintain compliance, and deliver actionable AI assistance for your security and IT teams.

Discover Security Copilot use cases, best practices, and customer success stories in the Security Copilot adoption hub. Learn more about our most recent Security Copilot innovations for IT teams here. If you have questions or need support, don’t hesitate to contact us or reach out to your account manager.

Smarter Prompts for Smarter Investigations: Dynamic Prompt Suggestions in Security Copilot
When a security analyst turns to an AI system for help—whether to hunt threats, investigate alerts, or triage incidents—the first step is usually a natural language prompt. But if that prompt is too vague, too general, or not aligned with the system’s capabilities, the response won’t be helpful. In high-stakes environments like cybersecurity, that’s not just a missed opportunity, it’s a risk. That’s exactly the problem we tackled in our recent paper, Dynamic Context-Aware Prompt Recommendations for Domain-Specific Applications, now published and deployed as a new skill in Security Copilot.

Why Prompting Is a Bigger Problem in Security Than It Seems

LLMs have made impressive progress in general-purpose settings—helping users write emails, summarize documents, or answer trivia. These systems often include smart prompt recommendations based on the flow of conversation. But when you shift into domain-specific systems like Microsoft Security Copilot, the game changes. Security analysts don’t ask open-ended questions. They ask task-specific ones:

“List devices that ran a malicious file in the last 24 hours.”
“Correlate failed login attempts across services.”
“Visualize outbound traffic from compromised machines.”

These questions map directly to skills—domain-specific functions that query data, connect APIs, or launch workflows. And that means prompt recommendations need to be tightly aligned with the available skills, underlying datasets, and current investigation context. General-purpose prompt systems don’t know how to do that.

What Makes Domain-Specific Prompting Hard

Designing prompt recommendations for systems like Security Copilot comes with unique constraints:

Constrained Skill Set: The AI can only take actions it’s configured to support. Prompts must align with those skills—no hallucinations allowed.

Evolving Context: A single investigation might involve multiple rounds of prompts, results, follow-ups, and pivots. Prompt suggestions must adapt dynamically.
Deep Domain Knowledge: It’s not enough to suggest “Check network logs.” A useful prompt needs to reflect how real analysts work—across Defender, Sentinel, and more.

Scalability: As new skills are added, prompt systems must scale without requiring constant manual curation or rewriting.

Our Approach: Dynamic, Context-Aware, and Skill-Constrained

We introduce a dynamic prompt recommendation system for Security Copilot. The key innovations include:

Contextual understanding of the session: We track the user’s investigation path and surface prompts that are relevant to what they’re doing now, not just generic starters.

Skill-awareness: The system knows what internal capabilities exist (e.g., “list devices,” “query login events”) and only recommends prompts that can be executed via those skills.

Domain knowledge injection: By encoding metadata about products, datasets, and typical workflows (e.g., MITRE attack stages), the system produces prompts that make sense in security analyst workflows.

Scalable prompt generation: Rather than relying on hardcoded lists, our system dynamically generates and ranks prompt suggestions.

What It Looks Like in Action

The dynamic prompt suggestion system is now live in Microsoft Entra, available in both Embedded and Immersive experiences. When a user enters a natural language prompt, the system automatically suggests several context-aware follow-up prompts, based on the user's prior interactions and the system’s understanding of the current task. These suggestions are generated in real time—users can simply click on a suggestion, and it’s executed immediately, allowing for quick and seamless follow-up queries without needing to rephrase or retype. Let’s walk through two examples:

Embedded Experience

We begin with the prompt: "How does Microsoft determine Risky Users?" The system returns the response and generates 3 follow-up suggestions, such as: "List dismissed risky detections."
We click on that suggestion, which executes the query and shows the results. New suggestions continue to appear after each prompt execution, making it easy to explore related insights.

Immersive Experience

We start with a prompt: "Who am I?" Among the 5 suggested prompts, we select: "List the groups user nase74@woodgrove.ms is a member of." The user clicks, the query runs, and more follow-up suggestions appear, enabling a natural, guided flow throughout the session.

Why This Matters for the Future of Security AI

Prompting isn’t just an interface detail—it’s the entry point to intelligence. And in cybersecurity, where time, accuracy, and reliability matter, we need AI systems that are not just capable, but cooperative. Our research contributes to a future where security analysts don’t have to be prompt engineers to get the most out of AI. By making prompt recommendations dynamic, contextual, and grounded in real domain knowledge, we help close the gap between LLM potential and security reality.

Interested in learning more? Check out the full paper: Dynamic Context-Aware Prompt Recommendations for Domain-Specific Applications

If you're using or building upon this work in your own research, we’d appreciate you citing our paper:

@article{tang2025dynamic,
  title={Dynamic Context-Aware Prompt Recommendation for Domain-Specific AI Applications},
  author={Tang, Xinye and Zhai, Haijun and Belwal, Chaitanya and Thayanithi, Vineeth and Baumann, Philip and Roy, Yogesh K},
  journal={arXiv preprint arXiv:2506.20815},
  year={2025}
}

RSA Conference 2025: Security Copilot Agents now in preview
In a time of escalating cyber threats, security teams face relentless pressure to do more with less – more threats, more data, more tools, fewer resources. Microsoft Security Copilot was built to bridge that gap, delivering an AI-driven assistant that enhances detection, investigation, and response across the entire Microsoft Security stack. Since it was launched in April 2024, Copilot has been integrated into customer environments to assist security professionals at every level – amplifying human expertise, streamlining complex workflows, and helping teams stay ahead of evolving threats. New research from Microsoft live operations highlights Security Copilot’s tangible impact, showing productivity gains across security and IT. Organizations using Security Copilot have seen:

At this year’s RSA Conference, we are excited to share updates that make Security Copilot even more powerful, flexible, and accessible to customers and partners.

Security Copilot agents are now in preview

Last month at Microsoft Secure, we introduced Security Copilot agents - autonomous AI designed to tackle high-volume security tasks. Built on Security Copilot and seamlessly integrated with Microsoft Security solutions and the partner ecosystem, these agents are tailored to security-specific use cases, adapt to your workflows, and learn from feedback, all while keeping your team fully in control. Every agent launched is built on the Security Copilot platform, ensuring a consistent, secure, and unified experience across capabilities. Starting today, we’re beginning a phased public preview rollout which will gradually expand to more customers to ensure a smooth and scalable experience.
The following agents are now available in preview to select customers:

Conditional Access Optimization Agent in Microsoft Entra monitors for new users or apps not covered by existing policies, identifies necessary updates to close security gaps, and recommends quick fixes for identity teams to apply with a single click.

Vulnerability Remediation Agent in Microsoft Intune monitors and prioritizes vulnerabilities and remediation tasks to address app and policy configuration issues and expedites Windows OS patches with admin approval.

Threat Intelligence Briefing Agent in Security Copilot automatically curates relevant and timely threat intelligence based on an organization’s unique attributes and cyberthreat exposure.

And there’s more to come. Over the next few weeks, additional agents will become available to customers:

Phishing Triage Agent in Microsoft Defender triages phishing alerts with accuracy to identify real cyberthreats and false alarms. It provides easy-to-understand explanations for its decisions and improves detection based on admin feedback.

Alert Triage Agents in Microsoft Purview triage data loss prevention and insider risk alerts, prioritize critical incidents, and continuously improve accuracy based on admin feedback.

Partner agents from OneTrust, Tanium, BlueVoyant, Fletch, and Aviatrix that automate tasks like privacy breach response, SOC assessment, alert triage, task optimization, and root cause analysis.

We’re also thrilled to announce two new partner agents that have joined our growing ecosystem since our Secure event last month, now in private preview:

Email Threat Analyst Agent by Performanta conducts investigations into email-based threats and compromised user activity and provides an impact and recommended mitigation assessment.

IAM Supervisor Agent by Performanta uncovers and triages identity and access threats and provides an impact and recommended mitigation assessment.
With these additions, our growing ecosystem of Security Copilot agents – now in preview – offers broader insights and powerful automation to help security teams respond faster and more effectively. We are excited to continue advancing agentic capabilities both at Microsoft and through collaboration with our third-party partners. Please visit the new Security Copilot video hub for demos or deep dives of Security Copilot agents.

Partner ecosystem updates

Azure Lighthouse support for Sentinel use cases

Security Copilot support for Azure Lighthouse Sentinel use cases for managed security service provider (MSSP) tenants is now generally available. With this support, MSSPs can purchase SCUs, attach them to the managing tenant in Azure Lighthouse, and use those SCUs to run Security Copilot skills related to Microsoft Sentinel on their customer tenants via Azure Lighthouse. All the Sentinel skills available in Security Copilot will be invokable from the Azure Lighthouse tenant without the customer needing to have Security Copilot, thereby making Security Copilot available to MSSPs who manage multiple customers. Supported scenarios include querying a customer Sentinel incident, incident entities and details, querying Sentinel workspaces, and fetching the Sentinel incident query. These skills can be invoked per customer Sentinel workspace. Managing tenants using Azure Lighthouse can now do the following, without their customers needing to provision SCUs:

Use the same natural language-based prompts using Sentinel skills on customer data
Create custom promptbooks using Sentinel skills to automate their investigations
Use Logic Apps to trigger these promptbooks

Learn more about how to get started with Azure Lighthouse support for Sentinel use cases here.

New Security Copilot plugins

As part of our effort to provide customers with truly end-to-end security protection, we continue to prioritize expanding our Security Copilot partner ecosystem.
We have worked with partners to develop plugins to enhance and extend the information and data brought into Security Copilot. The following plugins are now in preview:

Censys plugin enables users to enrich investigations using threat intelligence from the Censys platform to scan a URL or domain and scan an IP address.

HP Workforce Experience Platform (WXP) plugin for Security Copilot allows users to gain insight into the warranty of devices, application crashes, data about their fleet, and more.

Splunk plugin allows Security Copilot users to make calls to Splunk to perform queries to create, retrieve, and dispatch saved Splunk searches, and retrieve and view information about fired alerts.

Quest Security Guardian plugin reduces alert fatigue by prioritizing your most exploitable vulnerabilities and Active Directory configurations that demand attention.

The following plugins are now in GA:

CheckPhish plugin allows users to utilize the CheckPhish AI to analyze URLs for potential phishing threats, tech support scams, cryptojacking, and other security risks.

Integration spotlight: ServiceNow SIR plugin

The integration of ServiceNow AI and Microsoft Security Copilot capabilities brings joint capabilities to empower our customers and enhance their security posture. The integration optimizes incident insights within SIR and enhances Microsoft Security products’ security incident resolution status and threat prioritization capabilities, driving continuous security posture and awareness. As a result, security teams benefit from faster, more accurate incident resolution - reinforcing our commitment to delivering cutting-edge, AI-driven solutions that elevate the entire security ecosystem.

Flexibility, scalability, and security for AI

Microsoft Purview for Security Copilot

As organizations adopt AI, implementing data controls and a Zero Trust approach is crucial to mitigate risks like data oversharing and leakage, and potential non-compliant usage in AI.
We are excited to announce Microsoft Purview capabilities in preview for Security Copilot. By combining Microsoft Purview and Security Copilot, users can:

Discover data risks such as sensitive data in user prompts and responses and receive recommended actions in their Microsoft Purview Data Security Posture Management (DSPM) for AI dashboard to reduce these risks.

Identify risky AI usage with Microsoft Purview Insider Risk Management to investigate risky AI usage, such as an inadvertent user who has neglected security best practices and shared sensitive data in AI, or a departing employee using AI to find sensitive data and exfiltrating the data through a USB device.

Govern AI usage with Microsoft Purview Audit, Microsoft Purview eDiscovery, retention policies, and non-compliant usage detection.

Learn more about Purview for Security Copilot here.

Copilot in Microsoft Defender for Cloud

Copilot in Defender for Cloud helps security teams accelerate risk remediation, making it faster and easier for security admins to remediate cloud risks by providing AI-generated summaries, remediation actions, and delegation emails, guiding users in each step of the risk reduction process. Security admins can use AI to quickly summarize a specific recommendation, generate remediation scripts, and delegate tasks via email to resource owners. The capabilities help reduce investigation time, enabling security teams to understand the risk in context and identify resources to quickly remediate. The capabilities are now generally available. Learn more about Copilot in Defender for Cloud here.

Enriched Incident Summaries in the Microsoft Sentinel Azure portal

We’re excited to announce Security Copilot Incident Summaries in the Microsoft Sentinel Azure portal are now in public preview. This capability provides enriched, easy-to-digest insights into security incidents - streamlining triage and helping analysts quickly understand scope, impact, and next steps. Read the blog post here.
Enhanced Consumption Flexibility for Security Copilot

This month we introduced enhancements to Security Copilot to enhance customer flexibility and scalability, by supplementing the existing provisioned pricing structure for Security Copilot with the addition of an overage Security Compute Unit (SCU). This capability ensures that users can scale their Copilot workloads beyond their provisioned capacity, for uninterrupted protection. Read the blog post here.

Learn more about Security Copilot at RSA Conference 2025

To learn more about Security Copilot and explore how it can elevate your organization’s security strategy, we invite you to connect with us at booth #5744. This is a great opportunity to engage with Microsoft security experts, dive deeper into the latest innovations, and experience how Security Copilot can simplify and strengthen your security operations. Join us for our Security Copilot sessions below, stop by our booth for a live demo, or schedule a one-on-one meeting with our team.

Microsoft Security Copilot Achieves SOC 2 Certification
We are pleased to announce that Microsoft Security Copilot has successfully achieved SOC 2 certification, a significant milestone that reinforces our commitment to delivering secure, compliant solutions for enterprise customers. This certification underscores our dedication to maintaining the highest standards of security, availability, processing integrity, confidentiality, and privacy in the world’s first generative AI-powered security solution.

Monitor User Activities and System Events with Security Copilot and Microsoft Sentinel
We recommend you read through our Privacy and data security document to understand more about what data we are capturing, as well as how to enable Purview Audit logs: Access the Copilot for Security Audit Log.

About Our Solution

Our solution enhances traditional audit logs through the Unified Audit Log (UAL) by providing a centralized and comprehensive view of all user and system activities across various Microsoft services. The UAL aggregates data from multiple sources, including Microsoft 365, Azure, and third-party applications, offering a holistic view of security events. This integration allows for more effective monitoring, quicker incident response, and improved compliance reporting. Additionally, Security Copilot uses AI to identify patterns and anomalies, providing actionable insights and recommendations to strengthen your security posture. For a more comprehensive guide on how to create a search job in Purview, please visit our documentation here.

Security Copilot customers can now access audit events natively through Microsoft Purview by navigating to Audit unified logs and searching. On the Search page, refine and filter the base record type and time range, then create a Search job. To create a search for Security Copilot you will need to select the workload: Security Copilot.

Enhance Audit solution improves audit logging for Copilot. This custom solution includes:

Microsoft Sentinel connector that reads data from the Office Management API and writes it to a Log Analytics Workspace.
Azure workbook that provides insights on the ingested data.
Detection rules deployed in Microsoft Sentinel to alert defenders of anomalous events.

This solution provides streaming audit logging, facilitating advanced queries and detections. It also correlates logs with other data to enhance security insights.
Prerequisites/Preparation

Enable the audit log capability in Security Copilot

During the first run experience, a Security Administrator is given the option of opting into allowing Microsoft Purview to access, process, copy and store admin actions, user actions, and Copilot responses. For more information, see Get started with Security Copilot. Security Administrators can also access this option through the Owner settings page. Use the following steps to update the audit log settings:

Sign in to Security Copilot (https://securitycopilot.microsoft.com).
Select the home menu icon.
Navigate to the Owner settings > Logging audit data in Microsoft Purview.

For a step-by-step guide on each of these actions, please refer to this GitHub repository: https://github.com/Azure/Security-Copilot/tree/main/Monitoring/IngestSecurityCopilotAuditlogs

Deploying the Security Copilot Audit Logs Connector via the CloudAppEvents Table

You can seamlessly use the XDR connector within Microsoft Sentinel and Defender to ingest Security Copilot audit logs. This is achieved by enabling Defender raw event logs into your Sentinel workspace. In this case, our focus is on the CloudAppEvents table. To learn more about the CloudAppEvents table and its schema, refer to the advanced hunting schema documentation here. This will bring the events Security Copilot logs directly into Sentinel, thus allowing you to deploy the workbook. To verify that the connector is functioning and sending data to the configured workspace:

Wait for 5-10 minutes.
Open the workspace and go to the Logs section.
In the logs canvas, enter the following KQL query:

    CloudAppEvents
    | where parse_json(RawEventData)["AppIdentity"] == 'Copilot.Security.SecurityCopilot'
    | where parse_json(RawEventData)["Workload"] == 'Copilot'

If results appear, you can proceed with setting up the workbook and deploying the detection rules.
Deploying Detection Rules

To deploy the 3 analytics rules, press the deploy button located here: https://github.com/Azure/Copilot-For-Security/tree/main/Monitoring/IngestSecurityCopilotAuditlogs

Once you've clicked the deploy button and authenticated with an Azure deployment user, complete the required parameters.

Log Analytics Workspace Name – Use the same Sentinel Workspace name as the connector.

Once deployment is complete, open Sentinel and go to Analytics. Search for "Copilot" rules and enable them. These detection rules complement this audit solution. We have provided three sample detections as highlighted below:

Security Copilot - TI map IP entity to Prompts
This rule looks back one hour into the Copilot for Security audit logs and identifies whether any prompting has been done from an IP that has been matched as an IOC that has been active for up to the last 14 days.

Security Copilot - Anomalous sign-in activity by Security Copilot user
This rule detects anomalous user log on and resource access associated with usage of Copilot for Security where any of these operations have been executed: DeleteCopilotPromptBook, DisableCopilotPlugin, DeleteFile or EnableCopilotPlugin. The rule checks whether these operations have been performed by a user from a connection that is used for the first time in the tenant, whether it's from a country their peers don’t normally connect from, and whether it's uncommon for them to access Copilot for Security.

Security Copilot - Anomalous Operations by Copilot for Security User
Detects anomalous operations involving actions such as "DisableCopilotPlugin", "DeleteFile", "UpdatePluginSettings", or "DeleteCopilotPromptBook". The detection uses the KQL basket() function to detect whether any of these activities have been performed by a user that does not typically perform these operations, based on a 14 day baseline.
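To show the logic behind the connector verification query and two of the sample detections above, here is an added Python example that is not part of the GitHub solution or the Sentinel rules themselves. It builds a handful of constructed CloudAppEvents-style rows (RawEventData stored as a JSON string, as Sentinel does), applies the same AppIdentity/Workload filter as the KQL query, then re-implements the "TI map IP entity to Prompts" rule (prompts in the last hour from an IP that matches an indicator active within 14 days) and the "Anomalous Operations" rule (a sensitive operation by a user with no occurrence of that operation in a 14-day baseline). The sample users, IP addresses and indicator list are constructed; the operation name used for a prompt event (CopilotInteraction) and the one-hour lookback for the baseline rule are assumptions, since the page does not state them.

```python
"""Replay two Security Copilot audit detections over constructed CloudAppEvents rows.

Everything below is illustrative: rows, users, IPs and indicators are constructed;
the prompt operation name and the baseline rule's lookback are assumed.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed "now" so the run is deterministic
SENSITIVE_OPS = {"DisableCopilotPlugin", "DeleteFile", "UpdatePluginSettings", "DeleteCopilotPromptBook"}
PROMPT_OP = "CopilotInteraction"   # assumed name of a prompt event; check your tenant's Operation values
BASELINE_DAYS = 14

def _ts(days_ago):
    # constructed timestamp: N days ago, 30 minutes before NOW (so day-0 rows fall inside a 1-hour window)
    return (NOW - timedelta(days=days_ago, minutes=30)).isoformat()

def _row(op, user, ip, days_ago, workload="Copilot", app="Copilot.Security.SecurityCopilot"):
    # constructed CloudAppEvents row; RawEventData is a JSON string, as in Sentinel
    return {"Timestamp": _ts(days_ago), "RawEventData": json.dumps({
        "AppIdentity": app, "Workload": workload, "Operation": op, "UserId": user, "ClientIP": ip})}

SAMPLE_ROWS = [
    *[_row("UpdatePluginSettings", "admin@contoso.example", "203.0.113.10", d) for d in range(2, 12)],
    _row("UpdatePluginSettings", "admin@contoso.example", "203.0.113.10", 0),      # routine for this admin
    _row("DeleteCopilotPromptBook", "analyst@contoso.example", "198.51.100.7", 0),  # never seen from this user
    _row(PROMPT_OP, "analyst@contoso.example", "198.51.100.7", 0),                  # prompt, IP not an IOC
    _row(PROMPT_OP, "analyst@contoso.example", "192.0.2.44", 0),                    # prompt from active IOC
    _row(PROMPT_OP, "analyst@contoso.example", "198.51.100.200", 0),                # prompt from stale IOC
    _row(PROMPT_OP, "someone@contoso.example", "10.0.0.5", 0, workload="Exchange", app="Other"),  # filtered out
]

IOC_IPS = {  # constructed indicators: IP -> time the indicator was last seen active
    "192.0.2.44": NOW - timedelta(days=3),
    "198.51.100.200": NOW - timedelta(days=40),   # older than 14 days, so it must not match
}

def security_copilot_events(rows):
    """Same filter as the connector verification KQL: Security Copilot app + Copilot workload."""
    events = []
    for row in rows:
        raw = json.loads(row["RawEventData"])
        if raw.get("AppIdentity") == "Copilot.Security.SecurityCopilot" and raw.get("Workload") == "Copilot":
            events.append({"time": datetime.fromisoformat(row["Timestamp"]), **raw})
    return events

def ti_ip_matches(events, iocs=IOC_IPS, now=NOW, lookback_hours=1, active_days=14):
    """Rule 'TI map IP entity to Prompts': prompts in the last hour whose source IP is an
    indicator that was active within the last 14 days. Returns sorted (user, ip) pairs."""
    window_start = now - timedelta(hours=lookback_hours)
    active_cutoff = now - timedelta(days=active_days)
    return sorted({
        (e["UserId"], e["ClientIP"]) for e in events
        if e["time"] >= window_start and e["Operation"] == PROMPT_OP
        and e["ClientIP"] in iocs and iocs[e["ClientIP"]] >= active_cutoff
    })

def anomalous_operations(events, now=NOW, lookback_hours=1):
    """Rule 'Anomalous Operations': a sensitive operation in the recent window by a user who
    did not perform that operation at all in the preceding 14-day baseline. The Sentinel rule
    uses basket(); a per-(user, operation) count is the plain equivalent for one operation."""
    window_start = now - timedelta(hours=lookback_hours)
    baseline_start = now - timedelta(days=BASELINE_DAYS)
    baseline = Counter(
        (e["UserId"], e["Operation"]) for e in events
        if baseline_start <= e["time"] < window_start and e["Operation"] in SENSITIVE_OPS
    )
    return sorted({
        (e["UserId"], e["Operation"]) for e in events
        if e["time"] >= window_start and e["Operation"] in SENSITIVE_OPS
        and baseline[(e["UserId"], e["Operation"])] == 0
    })

if __name__ == "__main__":
    events = security_copilot_events(SAMPLE_ROWS)
    print(f"{len(events)} Security Copilot events after filtering")
    print("TI IP matches:", ti_ip_matches(events))
    print("Anomalous operations:", anomalous_operations(events))
```

The admin's UpdatePluginSettings is not flagged because the same user performed it ten times inside the baseline, while the analyst's first-ever DeleteCopilotPromptBook is; the prompt from 198.51.100.200 is ignored because that indicator's last activity is older than the 14-day window. When adapting this to real data, the operation names and RawEventData field names should be confirmed against the CloudAppEvents schema and the rows your tenant actually emits.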
Deploying the Workbook

To deploy the Workbook, press the deploy button located here: https://github.com/Azure/Copilot-For-Security/tree/main/Monitoring/IngestSecurityCopilotAuditlogs

After pressing the deploy button and authenticating with an Azure deployment user, fill in the required parameters.

Log Analytics Workspace Name – Use the same Sentinel Workspace name as the connector.

Once deployment is complete, open Sentinel and go to Workbooks. Open My Workbooks and locate the workbook with the name “Security Copilot Audit”. Press View Saved Workbook.

Note: Please note that filters apply to all the widgets simultaneously. You can filter by Time Range and Workspace.

What can we find in the Workbook?

We designed this workbook to satisfy the most important questions our customers have. With that in mind, we created 3 separate widgets that focus on: an all-up view in the Dashboard, information about sign-ins, especially failed sign-ins, and lastly information about SCU changes. Now, let’s take a look at each of them individually:

Security Copilot Audit Dashboard

In the first view, we have some general information about how Security Copilot has been used. Here we can find:

We will also provide a visual chart of prompt numbers over time, allowing you to identify busier periods and understand which Security Copilot Experience drives usage. In the next graphs, we are focusing on three different aspects of the logs:

Security Copilot interactions: this will show you the different types of interactions users have performed (changing a promptbook, creation of a plugin, deletion of a plugin, etc.)
Security Copilot interactions by Location: this shows you a visual map of where all the interactions occurred.

Top Users Prompts: this table will show you the user and the number of prompts they have performed.

Following this, we have a list of Promptbook interactions where we can see who created, deleted or updated promptbooks. In the next two graphs we will be able to find who enabled and disabled different plugins. In the final graph we will be able to find a list of the users who made changes either at a tenant level or user level.

Security Copilot Sign in Data

In the second widget that we created, you will be able to filter and see all of the sign-in data in Security Copilot. This widget has four components:

A visual representation of successful and failed sign-ins by location.

Successful sign-ins: here you will be able to see all the data about every user’s successful sign-in, such as IP Address, Location, Platform and OS Platform and more.

Failed sign-ins: here you will be able to see the data about a user's unsuccessful sign-ins, such as the reason for the authentication failure, IP Address, as well as more granular information about the attempted sign-in.

Lastly, we have a graph depicting all the different reasons for the unsuccessful sign-ins. These can include: Flow token expired, User did not pass the MFA challenge, Invalid username or password or Invalid on-premises username or password, etc.

Security Copilot SCU Events

The last widget that we implemented is Security Copilot SCU Events. Here you will be able to view the number of purchased SCUs as well as any changes that are made to them. For example, you will be able to see increases or decreases in the SCUs and who has performed the change. Lastly, we have SCU Capacity Activity, where we will be able to find SCU alignment operations.
The integration of Microsoft Security Copilot with Microsoft Sentinel provides a powerful, AI-driven solution for monitoring and analyzing audit logs across your organization’s security landscape. This setup offers deeper visibility into user activities and system events, enabling more proactive threat detection and compliance management. With features like anomaly detection, custom connectors, and interactive workbooks, Security Copilot simplifies and strengthens your security operations. Ready to take your security to the next level? Explore our GitHub repository to get started with the setup or contact our team to learn more about enhancing your organization's security posture.

Azure Lighthouse support for MSSP use of Security Copilot Sentinel scenarios in Public Preview
Security Copilot support for Azure Lighthouse Sentinel use cases for managed security service provider (MSSP) tenants is now in public preview. With this support, MSSPs can purchase SCUs, attach them to the managing tenant in Azure Lighthouse, and use those SCUs to run Security Copilot skills related to Microsoft Sentinel on their customer tenants via Azure Lighthouse. All the Sentinel skills available in Security Copilot can be invoked from the Azure Lighthouse managing tenant without the customer needing to have Security Copilot, making Security Copilot available to MSSPs who manage multiple customers. Supported scenarios include querying a customer's Sentinel incidents, incident entities and details, querying Sentinel workspaces, and fetching Sentinel incident queries. These skills are invoked per customer Sentinel workspace.

Managing tenants using Azure Lighthouse can now do the following, without their customers needing to provision SCUs:

- Use the same natural language prompts, backed by Sentinel skills, on customer data
- Create custom promptbooks using Sentinel skills to automate their investigations
- Use Logic Apps to trigger these promptbooks

While this release doesn't support all Security Copilot skills across customer tenants for MSSPs, it is an important step on the road to full Security Copilot support for MSSPs using Azure Lighthouse. Read on to learn more about what this means for your practice and how to get started.

What is Azure Lighthouse?

Azure Lighthouse is built into the Azure portal and allows IT partners to manage multiple tenants for Azure services. It provides a unified management experience, enabling partners to view and manage resources across all their customers' Azure environments from a single pane of glass. It supports multi-customer management, meaning partners can perform actions across multiple customer tenants simultaneously.
This is particularly useful for managed service providers (MSPs) who need to manage resources at scale.

What is changing?

We are introducing Azure Lighthouse support for MSSPs to use Security Copilot on their customer tenants without requiring customers to purchase Security Compute Units (SCUs). With Azure Lighthouse support, SCUs are purchased by an MSSP admin for use on their customers' tenants. To get started, MSSPs go to Azure to onboard to Security Copilot and apply their purchased SCUs to their Azure Lighthouse subscription. In Azure Lighthouse, the MSSP needs to ensure that access to the customer's Sentinel environment has been set up. Once setup is complete, MSSPs can invoke Sentinel skills on the customer tenant via the Security Copilot standalone portal, consuming the SCUs associated with the Azure Lighthouse subscription. MSSPs can further use custom promptbooks and Logic Apps to automate their workflows.

In the future, managed service support will continue to expand to other skills and capabilities, such as Entra, Intune and Purview skills. We will also add support to run skills in parallel on multiple workspaces across customer tenants, so that the same prompt can return responses from multiple tenants for better analysis.

What other access controls are supported?

As of December 2024, we also support M365 Partner Center GDAP (Granular Delegated Admin Privileges), which allows the managing tenant to operate directly in their customer's environment using the customer's Security Copilot tenant.

M365 Partner Center GDAP: GDAP is focused on Microsoft 365 services and is available through the Partner Center. It provides more granular and time-bound access to customer workloads, addressing security concerns by offering least-privileged access. Unlike Azure Lighthouse, GDAP relationships are more specific and time-bound, with a maximum duration of two years. Partners can request and manage these relationships through the Partner Center.
GDAP is designed to help partners provide services to customers who have regulatory requirements or security concerns about high levels of partner access. MSSPs can get access to customer tenants via GDAP and log into the Security Copilot standalone portal or the embedded experience to get their jobs done. Because GDAP supports all of these services, the MSSP can execute all the skills in Security Copilot (Entra, Defender, Purview, Intune, XDR, etc.); a full list of skills is available here. In this configuration, the customer purchases the Security Copilot SCUs and the MSSP consumes the SCUs associated with the customer tenant, rather than SCUs associated with the MSSP's tenant. Since Entra, Defender, Purview and Intune are not supported in Azure Lighthouse, the only way for MSSPs to use Security Copilot on their customer tenant for these products is by logging directly into the customer tenant and using the SCUs purchased by the customer.

Additional Resources

- Understand authentication in Microsoft Security Copilot | Microsoft Learn
- Grant MSSPs access to Microsoft Security Copilot | Microsoft Learn
- Microsoft Security Copilot Frequently Asked Questions | Microsoft Learn
- Microsoft 365 Lighthouse frequently asked questions (FAQs)
- GDAP frequently asked questions - Partner Center | Microsoft Learn

Microsoft Security Copilot Achieves PCI DSS Certification
We are excited to announce that Microsoft Security Copilot has achieved Payment Card Industry Data Security Standard (PCI DSS) certification, a significant milestone in our ongoing commitment to security excellence. This certification highlights our dedication to protecting sensitive payment information and staying ahead of increasingly sophisticated cyber threats in today's digital landscape. You can access the certification by visiting the Service Trust Portal and searching for "Copilot for Security."

Why PCI DSS Certification Matters

PCI DSS is the global standard for securing credit card data and preventing fraud, setting rigorous requirements for organizations handling sensitive payment information. Achieving PCI DSS compliance is not just a regulatory requirement, but a crucial part of maintaining customer trust and ensuring business continuity. Research from the U.S. Federal Trade Commission (FTC) shows that consumers are increasingly concerned about the security of their personal and payment data. PCI DSS compliance reassures customers that their data is being handled securely. With the growing frequency and sophistication of cyberattacks, businesses must adopt these security standards to safeguard data and reduce the financial and reputational risks of breaches.

Expanding Our Commitment to Security and Compliance

In addition to PCI DSS, Microsoft Security Copilot has already achieved several other critical certifications, including SOC 2, ISO 27001, ISO 27018, ISO 27017, ISO 27701, ISO 20000-1, ISO 9001-1, ISO 22301, and HITRUST CSF. These certifications demonstrate our proactive approach to navigating complex regulatory requirements and continually enhancing our security infrastructure. We are fully compliant with HIPAA through Business Associate Agreements (BAA), ensuring adherence to healthcare regulations and safeguarding sensitive health data.
How PCI DSS Certification and Our Expanded Portfolio Benefit You

With Microsoft Security Copilot's robust certification portfolio, our customers enjoy a wide range of benefits:

- Enhanced Security: PCI DSS and other certifications enforce rigorous security measures that help protect payment data and reduce the risk of data breaches and fraud.
- Streamlined Compliance: By using Security Copilot, customers can rely on a certified platform that simplifies their compliance efforts, saving both time and resources.
- Increased Trust: Achieving these certifications signals our unwavering commitment to data protection, fostering trust with customers and stakeholders.
- Clear Responsibility Models: With the Azure PCI DSS Responsibility Matrix and other compliance frameworks, Microsoft and our customers have a shared understanding of security responsibilities, ensuring clarity in meeting compliance requirements.

Next Steps

To learn more about how Microsoft Security Copilot can enhance your organization's cybersecurity posture and compliance efforts, please visit our dedicated product page. For more details on our full range of compliance offerings, including SOC 2 and other certifications, please visit the Microsoft Service Trust Portal. Microsoft is proud of this achievement and looks forward to continuing to support our enterprise customers in their pursuit of secure and compliant operations through Microsoft Security Copilot. To see Security Copilot in action, contact our sales team to schedule a personalized demo or request a quote. We are committed to supporting you throughout every step of your journey.