Having set up Copilot for Security yesterday ("A day with Copilot for Security") and having an initial look around, I decided to de-provision it after I was done for the day.

I returned the following day and set it all back up again using the same process as before. No issues.

I had a quick look at the billing in my Azure portal and noticed that some charges had appeared as shown above. However, they seem to lag actual usage by 24 hours or more, so keep that in mind if you are trying to track costs closely.

Because I also have Intune in the environment, I took a look at where Copilot for Security is surfaced there. As you can see, you get a big message on the homepage of the Intune portal when you navigate there, reminding you that Copilot for Intune is available to you as part of Copilot for Security.

If you visit the Intune Tenant Admin area you’ll find a Copilot area as shown above. My check icon was green so I knew everything was working as expected.

I then opened a policy and found a Summarize with Copilot button, which I used to generate the summary you see on the right-hand side of the policy. Very handy.

I also found a Copilot button when I looked at individual devices. As you can see above, I can use Copilot to give me a comparison between the apps installed on devices. Nice.

I then generated some security ‘incidents’ on a device and checked the device in the Microsoft Security portal to see how Copilot would be surfaced. You’ll see it appears as a pane on the right, as shown above.

You’ll see in the above screenshot, I got Copilot to draft an email to send to the user of the problem machine. Very handy.

After playing around some more I went and looked at the Copilot for Security usage and, as you can see above, my unit usage was significantly higher than I initially provisioned. I assume I will be billed for those 3.7 units at US$4 per hour x the time I was actually playing around (about 1 hour). Let’s see when the costs make their way into the Azure portal.

I then went off and asked Copilot for Security about how to make my environment Essential 8 compliant, and you can see the response above.

I also found where you can upload your own company files to the environment to give it even more information you can use in your investigations.

I found an area where there was an option to allow Copilot for Security to access my Microsoft 365 data, shown above.

However, for whatever reason, it did not allow me to enable this option, as you can see from the error above. I’ll try that again during my next session.

So today’s session has shown me that you can de-commission and re-commission Copilot for Security on demand. At the moment that is a manual process via the GUI, but I expect that I’ll be able to script that with something like PowerShell soon enough.

Without Copilot for Security being re-enabled I found that most Copilot menu items in places like Intune remained but failed to operate, not unexpectedly. However, when I re-provisioned Copilot for Security again on the second day, all those options worked again. Some took a little while to ‘refresh’, but they all started working again as on the first day.

I also noticed that all my previous chat sessions were all still available and accessible. This is thanks to retention that is part of Copilot for Security. I just need to find out how long that retention is.

So the main thing I learnt from day 2 with Copilot for Security is that you can utilise it on demand. It doesn’t seem that you actually need to have it running 24/7, which is great news for smaller businesses on a budget. I’m sure you get more out of it if you do indeed leave an SCU running 24/7, but it seems to me, so far, that you don’t lose much just enabling it as you need.

I also learned that the cost reporting seems to take at least 24 hours to start appearing, which can make budgeting a little butt clenching until the actual cost figures appear in the Azure portal. I also learned that after you enable Copilot for Security the menu options remain in the various portals, even after you de-provision the service. Now, these may indeed disappear after a period of time if you don’t re-provision, but I didn’t find that any of the disabled menu items presented any errors; they just didn’t do anything any more. Which is understandable.

In short, I think Copilot for Security will work in an SMB environment but currently, you’ll need a bit of manual labour to enable and disable the service, but I expect that can be improved with automation down the track.

I’ll be playing with Copilot for Security for another day and I’ll then share my overall thoughts and feedback on what I’ve seen and the ROI it provides. However, I will certainly be implementing this, in an on-demand capacity, in my production environment.

More updates soon from day 3.