SC 200T00A ENU Powerpoint CopilotForSecurity

Get started with Microsoft

Copilot for Security

© Copyright Microsoft Corporation. All rights reserved.


Learning path agenda

• Fundamentals of Generative AI

• Describe Microsoft Copilot for Security

• Describe the core features of Microsoft Copilot for Security

• Describe the embedded experiences of Microsoft Copilot for Security



Module 1: Fundamentals of
Generative AI



Module 1 introduction
In this module you'll explore the way in which large language models (LLMs) enable AI applications and
services to generate original content based on natural language input. You’ll also learn how generative
AI enables the creation of AI-powered copilots that can assist humans in creative tasks.

Learning objectives
By the end of this module, you'll be able to describe:
• What is generative AI?
• Large language models
• What is Azure OpenAI?
• What are copilots?
• Improve generative AI responses with prompt engineering



What is generative AI?

AI: imitates human behavior by using machine learning to interact with the environment and execute tasks
without explicit directions on what to output.
Generative AI: creates original content, such as generative AI that has been built into chat applications.
Generative AI applications take in natural language input, and return appropriate responses in a variety of
formats:

• Natural language generation
• Image generation
• Code generation
Large language models

Generative AI applications are powered by large language models (LLMs), which are
a specialized type of machine learning model that you can use to perform natural
language processing (NLP) tasks, including:
• Determining sentiment or otherwise classifying natural language text.
• Summarizing text.
• Comparing multiple text sources for semantic similarity.
• Generating new natural language.



What is Azure OpenAI?

Azure OpenAI service is Microsoft's cloud solution for deploying, customizing, and hosting
large language models.
Azure OpenAI service consists of:
• Pre-trained generative AI models.
• Customization capabilities.
• Built-in tools to detect and mitigate harmful use cases so users can implement AI responsibly.
• Enterprise-grade security with role-based access control (RBAC) and private networks.

You can use several methods to develop Azure OpenAI solutions: Azure AI Studio,
REST API, supported SDKs, and Azure CLI.



What are copilots?
Copilots are often integrated into other applications and provide a way for users to get help with
common tasks from a generative AI model.



Improve generative AI responses with prompt engineering
The term prompt engineering describes the process of prompt improvement.
Both developers who design applications and consumers who use applications can improve the quality of
responses from generative AI by using direct language, system messages, examples, and/or grounding data.

Direct language: You can get the most useful completions by being explicit about the kind of response you want.
Example: “Create a list of 10 things to do in Edinburgh during August”.

System messages: Describe how the chat should act.
Example: "You're a helpful assistant that responds in a cheerful, friendly manner".

Providing examples: LLMs generally support zero-shot learning, in which responses can be generated without prior examples. However, you can also provide a few example responses, known as few-shot learning.
Example: “Visit the castle in the morning before the crowds arrive”.

Grounding data: You can include grounding data to provide context.
Example: Including email text with the prompt “Summarize my email”.



Module 2 knowledge check

1. What are Large Language Models?
 Models that only work with one language.
 Models that only work with small amounts of data.
 Models that use deep learning to process and understand natural language on a massive scale.

2. What is an example of a potential task a generative AI application can help solve?
 Monitoring the temperature in a manufacturing facility.
 Creating a draft for an email.
 Collecting real time data and storing it in a database.

3. What is the potential impact of copilots?
 Copilots only impact applications used in professional settings.
 Copilots can help with first drafts, information synthesis, strategic planning, and much more.
 Copilots can only be used for certain natural language tasks like summarizing text.

Module 2 summary

What you learned

Generative AI is typically built into software applications and uses language models trained with huge volumes of textual data to generate human-like natural language responses or even original images.

• What is generative AI?
• Large language models
• What is Azure OpenAI?
• What are copilots?
• Improve generative AI responses with prompt engineering



Module 2: Describe Microsoft
Copilot for Security



Module 2 introduction
In this module, you will get acquainted with Microsoft Copilot for Security. You are introduced to some basic
terminology, how Microsoft Copilot for Security processes prompts, the elements of an effective prompt, and
how to enable the solution.

Learning objectives
By the end of this module, you'll be able to:
• Describe what Microsoft Copilot for Security is.
• Describe the terminology of Microsoft Copilot for Security.
• Describe how Microsoft Copilot for Security processes prompt requests.
• Describe the elements of an effective prompt.
• Describe how to enable Microsoft Copilot for Security.



Describe what Microsoft Copilot for Security is
An AI-powered, cloud-based security analysis tool that enables analysts to respond to threats quickly,
process signals at machine speed, and assess risk exposure more quickly than may otherwise be possible.

• Copilot combines powerful LLMs with a security-specific model from Microsoft.
• Copilot integrates with Microsoft and non-Microsoft sources.
• Copilot learns at machine speed to help analysts identify and respond to emerging threats.
• Enterprise data is protected by comprehensive enterprise compliance and security controls.



Describe Microsoft Copilot for Security – Use cases

Incident summarization. Distil complex security alerts into concise, actionable summaries.

Impact analysis. Assess the potential impact of security incidents to enable quicker response times
and streamlined decision-making.

Reverse engineering of scripts. Analyze complex command line scripts and translate them into
natural language with clear explanations of actions.

Guided responses. Actionable step-by-step guidance for incident response, including directions for
triage, investigation, containment, and remediation.



Describe Microsoft Copilot for Security - Standalone experience

• Copilot through a dedicated site.
• Users make requests in natural language and receive response outputs as text, images, or documents.



Describe Microsoft Copilot for Security – Embedded experience
• Some Microsoft products like Defender XDR embed Copilot directly inside their user interface.
• In Defender XDR, Incidents and Advanced Hunting are examples of embedded Copilot.



Describe the terminology of Microsoft Copilot for Security

• Session: a particular conversation within Microsoft Copilot for Security.
• Prompt: a specific user statement or question within a session.
• Capability: a function Microsoft Copilot for Security uses to solve part of a problem.
• Plugin: a collection of capabilities by a particular resource, like Microsoft Intune.
• Orchestrator: used to compose skills together to answer a user’s prompt.

The prompt bar, used to enter prompts.



Describe the elements of an effective prompt



Describe how to enable Microsoft Copilot for Security

To start using Microsoft Copilot for Security, organizations need to take steps to onboard the
service and users. These include:

1. Navigate to https://securitycopilot.microsoft.com
2. Choose an Azure subscription and choose or create a new Resource Group
3. Provision Copilot capacity – name your capacity and add at least 1 SCU (Security compute unit)
4. Set up the default environment
5. Assign role permissions



Provision capacity
Before users can start using Copilot, admins need to provision and allocate capacity.

To provision capacity:
• You must have an Azure subscription.
• You must be an Azure owner or Azure contributor, at a resource group level, as a minimum.

There are two options for provisioning capacity:
• Provision within Copilot for Security (recommended).
• Provision capacity through the Azure portal.

Copilot for Security provides a usage monitoring dashboard for capacity owners.



Set up the default environment

To set up the default environment, you need to have one of the following Microsoft Entra ID roles:
• Global administrator
• Security administrator

You're prompted to configure settings, including:
• The SCU capacity to allocate.
• The geographic location of the tenant, where the customer data collected is stored.
• Opt-in or opt-out of data sharing options.
• Roles



Role permissions
The scope of Entra ID roles extends beyond Copilot.

Copilot for Security introduces two roles that function like access groups but aren't Microsoft Entra ID roles:
• Copilot owner
• Copilot contributor

Copilot roles are defined and managed within Copilot and grant access only to Copilot for Security features.



Module 4 knowledge check

1. What are the steps required to onboard organizations and users to Microsoft Copilot for Security?
 Enable Copilot plugins, and procure Microsoft Entra Premium 1 licensing.
 Procure Microsoft Entra Premium 1 licensing.
 Provision SCUs, set up the default environment, and assign role permission.

2. A security analyst is crafting a prompt to investigate an incident involving the Pearl Sleet actor. Which prompt will likely yield the most comprehensive results?
 Can you give me information about Pearl Sleet activity, including a list of known indicators of compromise and tools, tactics, and procedures (TTPs)?
 Describe Pearl Sleet.
 List Pearl Sleet activities.

3. An admin is tasked with setting up Microsoft Copilot for Security and needs to provision capacity. Which is the correct method to provision capacity for their organization?
 Provision capacity through a third-party vendor
 Provision capacity within Copilot for Security
 Provision capacity by directly purchasing SCUs from a software retailer

Module 4 summary

What you learned

Microsoft Copilot for Security is an AI-powered, cloud-based security analysis tool designed to help organizations meet the growing challenges of cybersecurity.

• What Microsoft Copilot for Security is.
• The terminology of Microsoft Copilot for Security.
• How Microsoft Copilot for Security processes prompt requests.
• The elements of an effective prompt.
• How to enable Microsoft Copilot for Security.



Module 3: Describe the core
features of Microsoft Copilot
for Security



Module 3 introduction

Microsoft Copilot for Security has a rich set of features. Learn about available plugins, promptbooks, the ways
you can export and share information from Copilot, and much more.

Learning objectives
By the end of this module, you'll be able to:
• Describe the features available in the standalone Copilot experience.
• Describe the features available in a session of the standalone experience.
• Describe the plugins available in Copilot.
• Describe custom promptbooks.
• Describe knowledge base connections.



Describe the features available in the standalone experience of
Microsoft Copilot for Security
Key landmarks on the Copilot landing page to which the user can navigate:
• Home menu
• Continue your last session
• Get started using promptbooks
• Prompt bar
• Help



Home menu
From the home menu, you can
access the following pages:
• My sessions.
• The promptbook library
• Owner settings
• Role assignments
• Usage monitoring
• Settings
• Tenant switch



Usage monitoring
• Change SCUs
• Filter by date
• Hover over any item in the bar chart for details.



Tenant switcher
The tenant which is provisioned for Copilot doesn't need to be the tenant your security analyst logs in from.

Example: A user who logs in using a Fabrikam account can select the tenant used by Copilot, provided they have tenant access.



Continue your last session
The landing page for the standalone experience provides a brief summary of your last few sessions.



Promptbooks

Copilot for Security comes with prebuilt promptbooks, a collection of prompts that have been
put together to accomplish specific security-related tasks.



Example promptbook
• Input required to run the
promptbook.

• Run the promptbook.



Prompt bar
• Use the prompt bar to tell Copilot what insights you want from your security data, in natural language,
then select the run icon.
• Inside the prompt bar you can:
o Select the prompt icon to access all promptbooks and system capabilities.
o Select the sources icon to access and manage all plugins and files.



Describe the features available in a session of the standalone
experience

Copilot has features that are common across all sessions and to the individual prompts that make up a session, including:
• The process log
• Actions available on a prompt and its response
• Prompt feedback
• The pin board



Process log
Displays the capability used to generate the response and enables you to determine whether the response was generated from a trusted source.

As part of Microsoft’s commitment to responsible AI, the final output goes through safety checks.



Other actions available on a prompt and its response
• Pin a prompt
• Edit a prompt
• Rerun a prompt
• Delete a prompt
• Export a response
• Copy a response
• Provide feedback on a response



Describe the Microsoft plugins available in
Copilot for Security

• Microsoft plugins give Copilot access to information and capabilities from within your organization's Microsoft products.
• Microsoft plugins may use the OBO (on behalf of) model – Copilot knows that a customer has licenses to specific products and is automatically signed into those products.
• Some plugins require setup.



Plugin settings example



Describe the non-Microsoft plugins available in
Copilot for Security – 3rd party plugins
Give Copilot access to information and capabilities from services beyond Microsoft that your organization uses.

Generally, requires set-up and authentication to the specific service.

Supported plugins include:
• CIRCL Hash Lookup (Preview)
• Copilot for Security Plugin for ServiceNow (Preview)
• Copilot for Security Plugin for Splunk (Preview)
• CrowdSec Threat Intelligence (Preview)
• GreyNoise Community (Preview)
• GreyNoise Enterprise (Preview)



Describe the non-Microsoft plugins available in Copilot for
Security – custom plugins
Two types of custom plugins:
• Custom Copilot plugins that you develop
• Custom plugins developed with OpenAI’s API.
Upload a manifest file (.json or .yaml) that describes metadata about the skill set and how to invoke the skills.
Owner settings determine who can add and manage their own custom plugins and who can add and manage custom plugins for everyone in the organization.
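An added pre-upload check for a custom plugin manifest in JSON form; it is not part of the deck or of Microsoft's tooling. The Descriptor, SkillGroups, Format, Skills and Settings field names are my assumption about the manifest shape and should be verified against the current manifest reference; the sample manifest is constructed. The check flags empty skill descriptions (the orchestrator relies on them to pick skills) and plain-http endpoints before an owner approves the upload.

```python
import json
from typing import Dict, List

# Constructed sample manifest for illustration (not from the deck or from Microsoft).
# The Descriptor / SkillGroups / Format / Skills / Settings field names are an assumption
# about the manifest shape; check them against the current manifest reference.
SAMPLE_MANIFEST_JSON = """
{
  "Descriptor": {
    "Name": "ContosoTicketLookup",
    "DisplayName": "Contoso ticket lookup",
    "Description": "Looks up incident tickets in Contoso's internal tracker."
  },
  "SkillGroups": [
    {
      "Format": "API",
      "Settings": {"OpenApiSpecUrl": "http://tickets.contoso.example/openapi.json"}
    },
    {
      "Format": "GPT",
      "Skills": [
        {
          "Name": "SummarizeTicket",
          "DisplayName": "Summarize ticket",
          "Description": "",
          "Inputs": [{"Name": "TicketId", "Description": "Ticket identifier", "Required": true}],
          "Settings": {"ModelName": "gpt-4", "Template": "Summarize ticket {{TicketId}}."}
        }
      ]
    }
  ]
}
"""

KNOWN_FORMATS = {"API", "GPT", "KQL"}  # assumed set of skill-group formats


def _blank(value) -> bool:
    return not str(value or "").strip()


def lint_manifest(manifest: Dict) -> List[str]:
    """Return findings for a parsed manifest; an empty list means it passed every check."""
    findings: List[str] = []
    descriptor = manifest.get("Descriptor", {})
    for field in ("Name", "DisplayName", "Description"):
        if _blank(descriptor.get(field)):
            findings.append(f"Descriptor.{field} is missing or empty")
    groups = manifest.get("SkillGroups", [])
    if not groups:
        findings.append("manifest declares no SkillGroups")
    for gi, group in enumerate(groups):
        fmt = group.get("Format")
        if fmt not in KNOWN_FORMATS:
            findings.append(f"SkillGroups[{gi}].Format {fmt!r} is not one of {sorted(KNOWN_FORMATS)}")
        # Endpoints the plugin will call must use TLS: a plain-http URL exposes whatever the
        # skill sends (ticket ids, query terms) to anyone on the network path.
        for key, value in group.get("Settings", {}).items():
            if isinstance(value, str) and value.lower().startswith("http://"):
                findings.append(f"SkillGroups[{gi}].Settings.{key} uses plain http: {value}")
        # The orchestrator selects skills from their descriptions, so an empty description
        # means a skill is either never chosen or chosen for the wrong prompts.
        for si, skill in enumerate(group.get("Skills", [])):
            label = f"SkillGroups[{gi}].Skills[{si}] ({skill.get('Name', '?')})"
            if _blank(skill.get("Description")):
                findings.append(f"{label} has no Description")
            for inp in skill.get("Inputs", []):
                if _blank(inp.get("Description")):
                    findings.append(f"{label} input {inp.get('Name', '?')} has no Description")
    return findings


def lint_manifest_text(text: str) -> List[str]:
    """Parse JSON manifest text and lint it (a YAML manifest would need a YAML loader first)."""
    return lint_manifest(json.loads(text))
```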



Describe custom promptbooks

A promptbook is a collection of prompts that have been put together to accomplish specific security-related tasks.
You can create your own custom promptbook.
1. You can start with an existing session that contains the prompts you want to work with.
2. Select the boxes beside the prompts to include them or select the top box to include all prompts in the session.
3. Name the promptbook, add a tag, a description, add more prompts, and remove or edit existing prompts.
4. If any of the prompts require an input parameter, specify an easily understood parameter name within angle brackets.
5. Select Create.
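As an added example that is not part of the deck, here is how the angle-bracket parameter convention from step 4 can be handled programmatically: extract the parameters a promptbook needs, check that a caller supplied all of them (and none that match nothing, which usually means a misspelled name), and render the prompts. The promptbook contents and the function names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample promptbook (not from the original deck): a small custom promptbook
# whose prompts use <angle-bracket> input parameters, as described in step 4 above.
SAMPLE_PROMPTBOOK = {
    "name": "Suspicious sign-in triage",
    "tags": ["identity", "triage"],
    "description": "Investigate a user's risky sign-ins and summarize exposure.",
    "prompts": [
        "Summarize the risky sign-ins for <user_principal_name> "
        "in the last <lookback_days> days.",
        "List the devices <user_principal_name> signed in from during that period.",
        "Recommend containment steps for <user_principal_name> based on the findings above.",
    ],
}

# A parameter is an identifier in angle brackets; the name must start with a letter.
PARAM_PATTERN = re.compile(r"<([A-Za-z][A-Za-z0-9_]*)>")


def required_parameters(promptbook: dict) -> List[str]:
    """Distinct <parameter> names used across all prompts, in first-seen order."""
    seen: List[str] = []
    for prompt in promptbook["prompts"]:
        for name in PARAM_PATTERN.findall(prompt):
            if name not in seen:
                seen.append(name)
    return seen


def missing_parameters(promptbook: dict, inputs: Dict[str, str]) -> List[str]:
    """Names the promptbook needs but the caller did not supply (empty means ready to run)."""
    return [p for p in required_parameters(promptbook) if p not in inputs]


def unused_inputs(promptbook: dict, inputs: Dict[str, str]) -> List[str]:
    """Supplied inputs that match no <parameter>; usually a typo that would leave a placeholder unfilled."""
    needed = set(required_parameters(promptbook))
    return sorted(k for k in inputs if k not in needed)


def render_promptbook(promptbook: dict, inputs: Dict[str, str]) -> List[str]:
    """Substitute every <parameter> with the supplied value, failing fast on gaps."""
    missing = missing_parameters(promptbook, inputs)
    if missing:
        raise ValueError(f"missing input parameters: {', '.join(missing)}")

    def substitute(match: re.Match) -> str:
        return inputs[match.group(1)]

    return [PARAM_PATTERN.sub(substitute, prompt) for prompt in promptbook["prompts"]]
```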



File upload
To upload a file, the steps are as follows:
1. Navigate to the file upload page by selecting the sources icon in the prompt bar, then selecting files.
2. Upload the file.
a) Max file size is 3MB.
b) File types supported are .docx, .pdf, .txt, .md.
3. To include the file as a source in your session, select the toggle button so it's lit up.
4. Prompting
a) If you want Copilot to reason over all your available files, include “uploaded files” in your prompt.
b) If you want to guide Copilot to reason over a specific file, include the file name.
Users assigned the Owner role can choose who is allowed to upload files.



Module 5 knowledge check

1. A security analyst needs to review past sessions created in Microsoft Copilot for Security. After accessing the standalone experience, which option should they select to manage and review these sessions?
 Select the My sessions option from the home menu.
 Select the Help icon.
 Select settings.

2. After enabling the Defender EASM plugin in Copilot, a security analyst wants to assess the organization's exposure to a specific vulnerability; which prompt should they use to obtain this information?
 Get assets by CVSS score.
 Get expired SSL certificates.
 Is my external attack surface impacted by CVE-2023-21709?

3. A security analyst needs to integrate ServiceNow incident management with Microsoft Copilot for Security. Which authentication method should be configured to enable this integration?
 Anonymous authentication
 OAuth authorization
 Copilot uses on-behalf-of authentication, so no other authentication is required for ServiceNow integration.

Module 5 summary

What you learned

Microsoft Copilot for Security is a platform that provides guidance specific to your organization's security.

• How to describe the features available in the standalone Copilot experience.
• How to describe the plugins available in Copilot.
• How to describe custom promptbooks.
• How to describe knowledge base connections.



Module 4: Describe the
embedded experiences of
Microsoft Copilot for Security



Module 4 Introduction

Microsoft Copilot for Security is accessible directly from some Microsoft security products; this is referred to as the embedded experience. Learn about the scenarios supported by the Copilot embedded experience in Microsoft’s security solutions.

Learning objectives
By the end of this module, you'll be able to:
• Describe Microsoft Copilot in Microsoft Defender XDR.
• Describe Microsoft Copilot in Microsoft Purview.
• Describe Microsoft Copilot in Microsoft Entra.



Microsoft Copilot for Security – embedded experiences

• Microsoft Copilot for Security is accessible directly from some Microsoft security products (Defender XDR,
Microsoft Entra, Microsoft Purview, and more coming).
• In the embedded experience, Copilot invokes the product specific capabilities directly, providing
processing efficiency.
• The embedded experience is a great place to start a security investigation.

• Easily transition to the standalone experience to pursue a more detailed, cross product investigation that
brings to bear all the Copilot capabilities enabled for your role.
• The Microsoft plugin for the specific solution must be enabled, and the user must have role permission to access Copilot plus any role permission required to access data associated with the specific solution.



Describe Microsoft Copilot in Microsoft Defender XDR
Microsoft Copilot for Security is embedded in Microsoft Defender XDR to enable security teams to quickly and
efficiently investigate and respond to incidents.

Capabilities supported include:
• Summarize incidents
• Guided responses
• Script analysis
• Natural language to KQL queries
• Incident reports
• Analyze files
• Device summary



Summarize incidents
• Copilot automatically creates a summary when you navigate to an incident's page.
• Incidents containing up to 100 alerts can be summarized into one incident summary.
• Depending on the availability of the data, an incident summary includes the following:
o The time and date when an attack started.
o The entity or asset where the attack started.
o A summary of timelines of how the attack unfolded.
o The assets involved in the attack.
o Indicators of compromise (IOCs).
o Names of threat actors involved.



Guided responses

Guided responses recommend actions in one or more of the following categories:
• Triage - includes a recommendation to classify incidents as informational, true positive, or false positive.
• Containment - includes recommended actions to contain an incident.
• Investigation - includes recommended actions for further investigation.
• Remediation - includes recommended response actions to apply to specific entities involved in an incident.



Analyze scripts and code

• Access the script analysis capability in the alert timeline within an incident, for an entry consisting of script or code.
• Inspect scripts and code without using external tools.
• PowerShell, batch, and bash are supported script languages.



Generate KQL queries
• Copilot in Microsoft Defender XDR
comes with a query assistant capability
in advanced hunting.
• Reduces the time it takes to write a
hunting query from scratch.
• Generate a KQL query from a suggested
prompt or enter your own prompt.
• Run the query directly or add it to the
editor where you can edit, save, share,
or run the query.



Create incident reports
To create an incident report, select the ellipsis, then select Generate incident report, or select the report icon.

Copilot creates an incident report containing the following information:
• The main incident management actions' timestamps
• The analysts involved in incident response
• Incident classification, including analysts' comments on how the incident was evaluated and classified.
• Investigation actions applied by analysts and noted in the incident logs
• Remediation actions taken
• Follow-up actions



Analyze files
• Sophisticated attacks often use files that mimic legitimate or system files to avoid detection.
• Copilot in Microsoft Defender XDR enables security teams to quickly identify malicious and suspicious files.
• File analysis usually contains an overview that contains an assessment of the file and a details section that includes strings,
API calls and relevant certificates.



Summarize devices
Get a device’s security posture, vulnerable software information, and any
unusual behaviors.



Common functionality across key features
There are some options that are common across the features of Copilot for Microsoft Defender XDR.

Providing feedback: As with the standalone experience, the embedded experience provides users a mechanism to provide feedback on the accuracy of the AI-generated response.

Move to the standalone experience: The embedded experience is a great place to start a security investigation, but you can pivot to the standalone experience to pursue a more detailed, cross-product investigation.



Feedback

• For any AI-generated content, you can provide feedback on the accuracy of the content.
• Select the feedback prompt on the bottom right of the content window.



Module 6 knowledge check

1. A security analyst is using Microsoft Copilot in Microsoft Defender XDR to review an incident and needs to understand the sequence of events that occurred during the attack. Which feature should they use to obtain a comprehensive overview?
 Script analysis
 Summarize incidents
 Guided responses

2. An organization's legal compliance team uses Microsoft Purview eDiscovery tools for internal and external investigations and is planning to use Copilot for Security to help make them more productive and aid in their investigations. Which of the following statements is true regarding Copilot use with eDiscovery?
 Copilot functionality isn't supported with Microsoft Purview eDiscovery.
 The organization must be licensed to use Microsoft Purview eDiscovery (Premium).
 The organization needs to be licensed for Microsoft Purview eDiscovery (Standard), as a minimum.

3. After enabling the Entra plugin in Copilot and assigning the appropriate role permissions, an admin navigates to the Risky users report to investigate a user's risky sign-ins. What should the admin do next to view the Copilot generated summary?
 Select the 'Export' option to download the user's risk details.
 Check the 'User Activity' log for recent sign-in attempts.
 Select the 'Summarize' tab in the Risky User Details window.


Module 6 summary

What you learned

Microsoft Copilot for Security is accessible directly from some Microsoft security products. This is referred to as the embedded experience.

• How to describe Microsoft Copilot in Microsoft Defender XDR.
• How to describe Microsoft Copilot in Microsoft Purview.
• How to describe Microsoft Copilot in Microsoft Entra.

