Using promptbooks in Microsoft Copilot for Security
What are promptbooks?
Copilot for Security comes with prebuilt promptbooks, a series of prompts that have been put together to accomplish specific security-related tasks. They can function in a similar way as security playbooks—ready-to-use workflows that can serve as templates to automate repetitive steps—for instance, with regard to incident response or investigations. Each prebuilt promptbook requires a specific input (for example, a code snippet or a threat actor name).
You can find the different promptbooks by going to the promptbook library or by selecting the Prompts icon at the prompt bar. You can then search for a promptbook or select See all promptbooks to view all.
Watch the following video to learn more about promptbooks:
Incident investigation
You can run the incident investigation promptbook after supplying an incident number to either the Microsoft Sentinel or Microsoft Defender XDR plugin. Use the appropriate promptbook for the plugin you want to use. The incident investigation promptbooks contain several prompts to generate an executive report for a nontechnical audience that summarizes the investigation. Each prompt builds on the previous prompt.
To run the Microsoft Sentinel incident investigation promptbook:
Select the Prompts button in the prompt bar and start to type "incident investigation" until the promptbooks appear in the list.
Select Microsoft Sentinel incident investigation. (To use the Microsoft Defender XDR plugin instead, select Microsoft Defender XDR incident investigation.)
Supply the incident number that you want to investigate in the input box that says Sentinel Incident ID.
Next, select Run in the upper left corner of the dialog box.
Wait for Copilot for Security to run the incident number through the different prompts. If you see a round progress indicator in place of the response, then the promptbook is still running. Copilot for Security generates responses for each of the prompts, building on each response until it gets to the last prompt.
Read the responses by Copilot for Security. The last prompt by Copilot for Security generates an executive report summarizing the investigation based on the responses. Review and verify whether the responses are accurate and meet your needs.
Threat actor profile
The threat actor profile promptbook is a quick way to get an executive summary about a specific threat actor. The promptbook looks for any existing threat intelligence articles about the actor, including known tools, tactics, and procedures (TTPs) and indicators, including remediation suggestions. It then summarizes the findings into a report for less technical readers.
To run the threat actor profile promptbook: 1.Select the Prompts button in the prompt bar and start to type "threat actor profile" until the promptbooks appear in the list.
- Select Threat actor profile.
- Type the name of the threat actor in the input box that says Threat actor name.
- Next, select the Run button in the upper left corner of the dialog box.
- Wait for Copilot for Security to run the threat actor name through the different prompts. If you see a round progress indicator in place of the response, then the promptbook is still running. Copilot for Security generates responses for each of the prompts and builds on each until it gets to the last prompt.
- Read the response by Copilot for Security. The last prompt by Copilot for Security generates an easily readable report that includes pertinent information about the identified threat actor. Review and verify whether the responses are accurate and meet your needs.
Suspicious script analysis
The suspicious script analysis promptbook is useful when you're investigating a PowerShell or Windows command-line script. For example, if a PowerShell script was involved in a critical incident in your network, you can copy the body of the script and run the promptbook to find out more about it.
To run the promptbook: 1.Select the Prompts button in the prompt bar and start to type "suspicious script analysis" until the promptbooks appear in the list.
Select Suspicious script analysis.
Paste the script string that you want analyzed in the input box saying Script to analyze.
Next, select Run in the upper left corner of the dialog box.
Wait for Copilot for Security to run the script content through the different prompts. If you see a round progress indicator in place of the response, then the promptbook is still running. Copilot for Security generates responses for each of the prompts, building on each response until it gets to the last prompt.
Read the responses by Copilot for Security. The last prompt by Copilot for Security generates a full report of what the script does, any related threat activities, and recommended next steps based on the assessment about file intent. Review and verify whether the responses are accurate and meet your needs.
Vulnerability impact assessment
The vulnerability impact assessment promptbook accepts a CVE number or known vulnerability name to find out if the vulnerability has been publicly disclosed or exploited and whether it has been used by threat actors in their campaigns. It can then provide recommendations to address or mitigate the threat and summarize these findings in an executive summary.
To run this promptbook:
- Select the Prompts button in the prompt bar and start to type "vulnerability impact assessment" until the promptbooks appear in the list.
- Select Vulnerability impact assessment.
- Type the CVE number or common vulnerability name that you want to learn about in the input box saying CVEID.
- Next, select the Run button in the upper left corner of the dialog box.
- Wait for Copilot for Security to run the vulnerability name or CVE through the different prompts. If you see a round progress indicator in place of the response, then the promptbook is still running. Security Copilot generates responses for each of the prompts and builds on each until it gets to the last prompt.
- Read the response from Copilot for Security. The last prompt generates an easily readable report about the vulnerability. The report includes details about known exploitation activities, including mitigation suggestions. Review and verify whether the responses are accurate and meet your needs.
View the promptbook library
Both prebuilt and user-built promptbooks across your organization appear in the promptbook library. View the promptbooks by going to the Copilot menu and selecting Promptbook library.
You can also select View promptbook library on the home page.
The promptbook library displays all the promptbooks available to you. The promptbooks are listed by name, and you can view the description, owner, number of prompts, the required plugins, inputs, and tags, if any.
Select the magnifying glass icon in the Promptbook library in the top left region of the page. Type in the first few letters of your promptbook title and wait for the results to load.
You can also filter based on tags.