
Microsoft Copilot for Security for Small Business in Berlin

Security operations work is defined by the gap between what analysts need to investigate and what they can manually process within the available time. Alert volume grows faster than team capacity. Incident investigation requires correlating events across multiple products and dashboards. Threat hunting requires writing complex KQL queries and interpreting their results. Script and malware analysis requires reverse engineering skills that most small teams do not have. Microsoft Copilot for Security is an AI assistant purpose-built for security workflows that addresses this gap by augmenting analyst capability across investigation, triage, threat intelligence, script analysis, policy management, and reporting — embedded directly into the Microsoft security products your team already uses.

Copilot for Security is available as a standalone portal (securitycopilot.microsoft.com) and as embedded experiences within Microsoft Defender XDR, Microsoft Sentinel, Entra, Intune, and Purview. It is separately licensed from Microsoft 365 — billed by Security Compute Units (SCUs) provisioned per hour — meaning it is not included in Business Premium. For small Berlin businesses, the embedded experiences within Defender XDR are the primary value driver, reducing the time required to investigate and respond to security incidents.

Incident investigation and summarization

The highest-impact embedded Copilot for Security experience for small teams is incident summarization within Microsoft Defender XDR. When an incident is open, Copilot generates a natural-language summary of the attack chain — initial access vector, credential activity, lateral movement, and impact — aggregated from all correlated alerts. This summary is what an analyst would spend 20-30 minutes reconstructing manually from raw events; Copilot produces it in seconds.

From the incident view, Copilot can generate guided response actions, explain why specific entities (files, IP addresses, processes) are included in the incident, and produce a ready-to-send incident report with the timeline and affected entities pre-populated. For an IT manager at a small Berlin business who handles security alongside other responsibilities, this compresses incident response from a multi-hour investigation into a 15-minute review-and-respond workflow.

Script and file analysis

When an incident includes a suspicious PowerShell script, encoded command, or unknown binary, Copilot for Security can analyze it and produce a plain-English description of what the script does — including which techniques it implements, what data it accesses or exfiltrates, and whether it matches known malware families. This analysis would otherwise require either a malware analyst or the time to manually decode and trace the script. For small teams, this capability removes the skill barrier that previously made script-based threats opaque without external escalation.

KQL query generation

Advanced hunting in Defender XDR and Microsoft Sentinel uses Kusto Query Language (KQL). KQL proficiency takes months to develop, and threat hunting without it is limited to searching through pre-built detection rules. Copilot for Security translates natural-language hunting requests into KQL queries: “Show me all PowerShell executions in the last 24 hours that made outbound network connections” produces a working KQL query that can be run immediately or modified. The generated query includes an explanation of each clause — making it a learning tool as well as a productivity tool.
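As an added illustration (not taken from the article or generated by Copilot), this is the kind of advanced hunting query that the request quoted above would resolve to, written against the Defender XDR schema; the 24-hour window, the exclusion of private destination addresses and the join on process creation time are assumptions about how the request would be interpreted.

```kql
// Added example, not from the original article: one way to express
// "all PowerShell executions in the last 24 hours that made outbound
// network connections" in Defender XDR advanced hunting.
// Table and column names come from the DeviceProcessEvents and
// DeviceNetworkEvents schema; the window and filters are assumptions.
let lookback = 24h;
// Step 1: PowerShell (Windows PowerShell and PowerShell 7) process starts
let psProcs = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | project DeviceId, DeviceName, ProcessId, ProcessCreationTime,
              AccountName, ProcessCommandLine, InitiatingProcessFileName;
// Step 2: successful outbound connections initiated by those processes
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| where not(ipv4_is_private(RemoteIP))   // drop RFC 1918 destinations (assumption)
| project DeviceId, InitiatingProcessId, InitiatingProcessCreationTime,
          ConnectionTime = Timestamp, RemoteIP, RemotePort, RemoteUrl
// Join on device, PID and creation time so a reused PID cannot match
| join kind=inner psProcs on DeviceId,
      $left.InitiatingProcessId == $right.ProcessId,
      $left.InitiatingProcessCreationTime == $right.ProcessCreationTime
| summarize Connections = count(),
            Destinations = make_set(RemoteIP, 20),
            FirstConnection = min(ConnectionTime),
            LastConnection = max(ConnectionTime)
    by DeviceName, AccountName, ProcessId, ProcessCreationTime,
       ProcessCommandLine, InitiatingProcessFileName
| order by Connections desc
```

Each clause maps to a part of the natural-language request (the time window, the process filter, the outbound-connection filter), which is the structure Copilot's per-clause explanation walks through.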

Entra identity investigations

Copilot for Security is embedded within the Microsoft Entra admin center, where it supports identity-focused investigations. Given a risky user flagged by Entra ID Protection, Copilot summarizes the user’s recent sign-in activity, risk detections, devices, and access patterns — the information an admin would manually gather from three or four separate Entra views — in a single natural-language summary. Copilot can also answer policy questions: “What Conditional Access policies apply to this user?” or “Why was this sign-in blocked?” with specific policy citations.

Intune device compliance analysis

Within the Intune admin center, Copilot for Security can summarize the configuration and compliance posture of a specific device, identify which policies are not applying correctly, and suggest remediation steps. For device management tasks that previously required navigating multiple Intune views and correlating policy assignments manually, Copilot produces a consolidated device summary with actionable guidance.

Promptbooks

Copilot for Security supports Promptbooks — saved sequences of prompts that automate repeated investigation workflows. Common examples include a phishing investigation promptbook that automatically queries the sender’s reputation, checks whether any users clicked the link, examines the email headers, and summarizes recommended actions, and a vulnerability triage promptbook that queries the latest MDVM findings, filters for actively exploited CVEs, and produces a remediation priority list. Promptbooks codify institutional investigation procedures into repeatable, one-click workflows.

SCU pricing model

Copilot for Security is provisioned by Security Compute Units (SCUs). Each prompt consumes a fractional SCU; a typical incident investigation consumes 1-3 SCUs total. SCUs are provisioned at an hourly rate — you pay for the capacity you provision regardless of usage during that hour. For small teams that use Copilot reactively (during incidents), the appropriate provisioning model is a small SCU pool with on-demand scaling, rather than a large always-on allocation. Microsoft’s usage estimator helps project costs based on expected investigation frequency.
