Background
Some of my customers do not have a 24×7 SOC but still want to use Microsoft Copilot for Security during their normal work hours, typically Monday-Friday from 8am-4pm.
During this time they want scalable capacity, with the most capacity in the morning (peak) and less capacity in the afternoon. When they go home, they want the capacity to be removed until 8am the next day.
This scenario will decrease the cost for Copilot for Security significantly as it is only running during their workhours.
Disclaimer about pricing
Since Microsoft Copilot for Security came out April 1, 2024, I expect some fine-tuning of technical conditions and pricing along the way. Therefore the idea behind this method and the price examples may change if Microsoft introduces changes in price structure or technical conditions in the future.
I recommend monitoring this webpage to check out the latest about Microsoft Copilot for Security.
Cost Calculator for Scalable Deployment of Capacity
This spreadsheet can be used to calculate the capacity cost for a non-24×7 SOC scenario, where Copilot for Security is used with different sizing (high, medium, low capacity usage) over the day, for example during 8am-4pm operation.
Example of cost per month, based on a peak in the morning and a lower capacity requirement from around noon. Capacity is removed at 4pm, when the IT dept. goes home. No 24×7 SOC.
NOTE: This spreadsheet doesn’t replace the Microsoft Azure Price Calculator. The Microsoft Azure Price Calculator contains the latest pricing and conditions for your region and environment.
Deployment scripts for Scalable Deployment of Capacity
Link to ZIP-file with all files
Purpose | SCUs (sample) | File |
---|---|---|
High: Gives the highest number of SCUs. Typically used in the morning, for example from 8-10am, when security incidents are being analyzed (peak) | 4 | DeploymentCopilot4Security Capacity_SCU_High_Usage |
Medium: Gives a medium number of SCUs. Typically used in the morning after the initial security incident analysis, for example from 10-11am | 2 | DeploymentCopilot4Security Capacity_SCU_Medium_Usage |
Low: Gives the lowest number of SCUs. Typically used when the peak for security analysis is over and normal security operation happens, for example from 11am-4pm | 1 | DeploymentCopilot4Security Capacity_SCU_Low_Usage |
Delete: Removes capacity, so there is no capacity cost in off-hours, when the IT dept. is not working. Used in scenarios with no 24×7 Security SOC. This can run for example at 4pm when the IT dept. goes home. | 0 | DeleteCopilotf4SecurityCapacity |
NOTE: Remember to edit the number of SCUs and the region in the files to fit your needs.
Hopefully we will see a smoother method in the future, instead of a delete+provision of capacity.
Note: You don’t lose any prompt history, settings, permissions, etc., as they are kept for 90 days. Only the capacity is adjusted/removed.
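The sample schedule from the table above (4 SCUs 8-10am, 2 SCUs 10-11am, 1 SCU 11am-4pm, deleted otherwise), worked through as an added example that is not part of the original post, its spreadsheet or its deployment scripts. It assumes cost is proportional to provisioned SCU-hours; the function names are hypothetical and the price per SCU-hour is a placeholder parameter to be taken from the Azure Price Calculator.

```python
import calendar
from datetime import datetime, time

# Sample tiers from the table: (script tier, start, end, SCUs). Edit to your needs.
SCHEDULE = [
    ("High", time(8), time(10), 4),
    ("Medium", time(10), time(11), 2),
    ("Low", time(11), time(16), 1),
]
WORKDAYS = range(0, 5)  # Monday=0 .. Friday=4

def tier_at(moment):
    """Return (tier, SCUs) that should be provisioned at `moment`."""
    if moment.weekday() in WORKDAYS:
        for name, start, end, scus in SCHEDULE:
            if start <= moment.time() < end:
                return name, scus
    return "Delete", 0  # off-hours and weekends: capacity is removed

def daily_scu_hours():
    """SCU-hours provisioned on one workday."""
    total = 0.0
    for _, start, end, scus in SCHEDULE:
        minutes = (end.hour - start.hour) * 60 + (end.minute - start.minute)
        total += scus * minutes / 60
    return total

def monthly_scu_hours(year, month):
    """SCU-hours for a calendar month (Monday-Friday, holidays not excluded)."""
    workdays = sum(1 for week in calendar.monthcalendar(year, month)
                   for col, day in enumerate(week) if day and col in WORKDAYS)
    return workdays * daily_scu_hours()

def compare(year, month, price_per_scu_hour):
    """Return (scheduled cost, cost of the peak tier left running 24x7)."""
    days_in_month = calendar.monthrange(year, month)[1]
    peak = max(scus for *_, scus in SCHEDULE)
    scheduled = monthly_scu_hours(year, month) * price_per_scu_hour
    always_on = days_in_month * 24 * peak * price_per_scu_hour
    return scheduled, always_on

if __name__ == "__main__":
    RATE = 1.0  # placeholder price per SCU-hour (assumption, not a real rate)
    scheduled, always_on = compare(2024, 4, RATE)
    print(f"April 2024: {monthly_scu_hours(2024, 4):.0f} SCU-hours scheduled")
    print(f"Scheduled {scheduled:.2f} vs 24x7 peak {always_on:.2f} (x your rate)")
    print(tier_at(datetime(2024, 4, 1, 9, 30)))  # constructed timestamp, a Monday
```

A scheduler job can call `tier_at` with the current time to decide which of the four scripts applies, which also lets a missed job correct itself on the next run.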
Automation of Capacity Change
You can automate the configuration with any scheduling method, such as task-scheduling software (Task Scheduler, VisualCron), an Azure Function or Logic Apps.
Aaron Hoffman wrote a great article on how to do this in Logic Apps here
Below is an example of doing this as 4 jobs using VisualCron (Advanced Task Scheduler)
What happens to CfS when you change the capacity to 0 – nothing? Just that you remove the power to run the prompts – you don’t lose your sessions, promptbooks etc., right?
You cannot set the quantity to 0. You delete the capacity. All history incl. sessions, permissions, configurations are kept for 90 days. You just get a ‘please add capacity’ popup. Copilot will still show around. Once you deploy capacity again, everything will continue to work as before.
Thanks Morten for clearing this up 🙂
Hello, nice to meet you, I tried to download the zip file, but Defender indicates that it contains “Trojan:Script/Wacatac.B!ml”. Can you verify this?
Most likely a false positive. The ZIP file is auto-generated by GitHub (https://github.com/KnudsenMorten/Copilot4SecurityTools). There is no malware in the PowerShell script according to Defender. You can also open and copy each script down from the GitHub page directly https://github.com/KnudsenMorten/Copilot4SecurityTools. As an extra precaution, I did a full scan of my environment and Defender didn’t find anything.
Great work Morten!
I love following you. I often share the same Microsoft related concerns and magically Morten has already done the hard work of finding a solution.
Very much appreciated.
Thank you for the kind words. This scenario is important for lots of customers in the world, but one of the good things about working closely with the product groups at Microsoft is that they listen to our feedback to make the product a little bit better every day.