Microsoft Copilot for Security in Microsoft Purview
Microsoft Copilot for Security is a cloud-based AI platform that can assist you in identifying, summarizing, triaging, and remediating alerts and events in Microsoft Purview for:
- Microsoft Purview Data Loss Prevention (DLP)
- Microsoft Purview Insider Risk Management
- Microsoft Purview Communication Compliance
- Microsoft Purview eDiscovery
It also supports security and compliance professionals in different scenarios, such as alert and incident response, threat hunting, and intelligence gathering. For more information about what it can do, read What is Microsoft Security Copilot?.
Know before you begin
If you're new to Copilot for Security, you should familiarize yourself with it by reading these articles:
- What is Microsoft Copilot for Security?
- Microsoft Copilot for Security experiences
- Get started with Microsoft Copilot for Security
- Understand authentication in Microsoft Copilot for Security
- Prompting in Microsoft Copilot for Security
Microsoft Copilot in Microsoft Purview
Copilot in Microsoft Purview embeds capabilities, like summarizing a DLP or insider risk management alert, into Microsoft Purview features. You can also use the standalone experience to get insights from your Purview data.
Copilot in Microsoft Purview embedded experiences - Is a set of capabilities that are embedded in Microsoft Purview features. For more information, see standalone and embedded experiences.
Copilot in Microsoft Purview standalone experience - Is a chat-like experience that you can use to ask questions and get answers about your data. For more information, see standalone and embedded experiences.
Copilot in Microsoft Purview integration
When you sign up for Copilot for Security in the same tenant as Microsoft Purview, you can use both the Copilot in Microsoft Purview embedded and standalone experiences.
Features in the embedded experience
The embedded experience in Purview can help you:
- Summarize alerts in DLP. For more information on this and how to access Copilot in DLP, see Investigate a DLP alert.
- Summarize alerts in insider risk management. For more information on this and how to access Copilot in Insider Risk Management, see Investigate insider risk management activities.
- Summarize policy matches based on trainable classifiers for communication compliance. Communication compliance also provides an interactive prompt experience to dig deeper into the summary. For more information on this and the steps to access Copilot in Communication Compliance, see Investigate and remediate communication compliance alerts. Get contextual summary for eDiscovery cases. For more information, see Group and view documents in a review set in eDiscovery (Premium).
Features in the standalone experience
The Copilot in Microsoft Purview standalone experience has many capabilities built in. You can use these capabilities to get insights from your Purview data and make connections between datapoints. This information can help you understand your information security, and compliance posture and triage alerts.
- DLP and Insider Risk Management data and user risk promptbook. Copilot in Microsoft Purview analyzes data from DLP and insider risk management and by running multiple, sequential prompts, contained in a prompt book presents you with integrated results. For more information, see Microsoft Copilot in Microsoft Purview prompts and promptbooks.
System capabilities of Copilot in Microsoft Purview
In the standalone experience, there are built-in capabilities (prompts) that are available once the Microsoft Purview plugin is enabled.
Copilot in Purview brings three types of capabilities:
- Summarize Microsoft Purview alerts.
- Triage Microsoft Purview alerts.
- Drill down into your Microsoft Purview data.
Enable the Microsoft Purview source in Microsoft Copilot for Security
Important
Copilot in Purview must be enabled for both the standalone and embedded experiences to work.
To enable the Microsoft Purview source in Microsoft Copilot for Security, follow these steps:
Ensure that you have Copilot owner permissions.
Open the Microsoft Copilot for Security menu.
Select Owner settings.
Set the Allow Copilot for Security to access date from your Microsoft 365 services. toggle to On.
Important
Global admin permissions are required to view the Microsoft 365 services toggle.
- Open Sources in the prompt bar.
- On the Manage plugins page, set the Purview toggle is set to On
Review the Microsoft Purview system capabilities
Select the capabilities control in the prompt bar.
Select See all system capabilities to see all the system capabilities that are available for Microsoft Purview. Here are a few:
- Get Data Risk Summary
- Get User Risk Summary
- Summarize Purview Alert
- Triage Purview Alerts
- Zoom into Purview Data and User Risk
Sample prompts
For guidance on writing effective prompts, see Prompting in Microsoft Copilot for Security. Here are some examples:
- Show me the top five DLP alerts from the past 24 hours.
- Summarize the DLP alert with ID <12345>.
- What's the risk profile of the user that's associated with the DLP alert <12345>.
- Show me the top five Insider Risk Management alerts from the past 24 hours.
- What items did user <user> exfiltrate in the past 30 days.
Privacy and data security in Microsoft Copilot for Security
To understand how Microsoft Copilot for Security in Purview handles your prompts and the data that's retrieved from the service (prompt output), see the Microsoft Purview data security and privacy guide.
Related articles
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for