Hey Checkyourlogs Fans,

Today, we are going to have at Microsoft’s newest flagship offering now in GA called Security for Co-Pilot.

I felt that what a better way to celebrate the integration of AI and the Defender Suite than taking it for a test drive.

Step 1 – will be to learn all about it at https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot

Pricing is handled through Security Compute units and the stored in Azure via “Capacity”.   Capacity is basically the storage home for this new service.

Some details from Microsoft on this:

Security compute units:

Security compute units are the required units of resources needed for dependable, consistent performance of Microsoft Copilot for Security.

Copilot for Security is sold in a provisioned capacity model and is billed by the hour. You can provision security compute units (SCUs) and increase or decrease them at any time. Billing is calculated on an hourly basis with a minimum of one hour.


Capacity in the context of Copilot for Security, is an Azure resource that contains SCUs. SCUs are provisioned for Copilot for Security. You can easily manage capacity by increasing or decreasing provisioned SCUs within the Azure portal or the Copilot for Security portal. Copilot for Security provides a usage monitoring dashboard for Copilot owners, allowing them to track usage over time and make informed decisions about capacity provisioning.

Ok sounds great what’s next?   Now let’s get this going by entering yet another Microsoft Portal: https://securitycopilot.microsoft.com

After clicking Get started it takes a few minutes so go grab a coffee.


There is a nice little hidden progress bar at the top.


Next, fill in your details for Azure Subscription, Resource Group, Capacity Name, Prompt Evaluation, Capacity Region, and Security Compute Units.





Next, this is an extremely important step as everyone will have access to co-pilot and we are going to want to change this.

Make sure we remove Everyone from the Contributor access.


Now you just type in something like “summarize defender incident 37756”


At the end it gives a beautiful executive summary:

Incident 37756 was a high severity phishing attack that triggered three alerts and an automatic response to disrupt the attack. The attack was identified as an ‘Adversary in the Middle’ (AiTM) attack, a type of cyber attack where a malicious actor intercepts and potentially alters the communication between two parties.

The user involved in this incident, known as ‘USERID’, was compromised during this attack. The attack took place on a device identified as ‘DEVICE’, which runs on the Windows 10 operating system.

The phishing attack involved a specific IP address ‘’ and two internet links. The IP address was later classified as malicious with a high reputation score of 100, indicating a high risk. This IP address is associated with a known threat actor named Storm-0563.

The user ‘USERID has an additional layer of security enabled known as Multi-Factor Authentication (MFA). This means that in addition to entering a password, the user must provide another form of identification to access their account, such as a code sent to their phone. This provides an extra layer of security.

The user ‘USERID’ has recently used two devices, an iPhone and a device identified as ‘DEVICEID. Both of these devices are compliant with our security policies, meaning they meet the standards set to protect against cyber threats.

The device ‘DEVICEID’ is up-to-date with all operating system updates. Keeping a device updated is crucial as updates often include patches for security vulnerabilities.

In summary, while this incident was a serious phishing attack, the user involved has strong security measures in place, and the devices used are compliant with our security policies and up-to-date with all necessary updates.


To me as someone that has had to write up hundreds of summarizations to this type of activity in Defender this is a MUST Have.

Stay tuned for more information to come,