Use Microsoft Security Copilot and Data Security Posture Management (DSPM) to quickly dive into the details and get answers about unprotected sensitive data assets and potentially risky user activities in your organization. Data security insights are generated from scanned data across Data Loss Prevention (DLP), Information Protection, and Insider Risk Management solutions in Microsoft Purview.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Get started with Copilot
After you configure DSPM, onboard your organization to Security Copilot, and the automated scanning is complete, you can use Security Copilot featured promptbooks to help you get started. A promptbook is a built-in sequence of prompts that helps you quickly learn more about your data security posture. Choose from the following Security Copilot promptbooks:
Risky user investigation promptbook
This promptbook is a six-prompt sequence that helps you investigate users who handle sensitive data and shows their data activities, anomalies, and related alerts. Using the User Principal Name (UPN) for a user and a duration (in days), this promptbook automatically runs the following prompts in order:
- Show all sensitive data activities performed by <upn> in the last <duration> days
- Was <upn> involved in any potential sensitive data exfiltration (for example, email forwarding, external file sharing, USB transfers, cloud uploads) in the last <duration> days?
- Summarize <upn>'s sensitive data interactions over the last <duration> days, highlighting the most accessed classifiers, labels, SharePoint sites, common upload domains, and primary email recipient domains and users.
- Did <upn> exhibit unusual behavior or take uncommon actions like excessive access or downloads in the last <duration> days?
- Are there any alerts associated with <upn> in the last <duration> days, and what is the user's current risk level?
- What actions can be taken to prevent <upn> from leaking sensitive data? Include policies, data loss prevention controls, and access restriction strategies.
Sensitive data protection promptbook
This promptbook is a six-prompt sequence that helps you identify and protect sensitive data across your organization and suggests recommended policy changes and data loss prevention rules. Using the full name of the trainable classifier, sensitivity label, or sensitive information type (SIT) and a duration (in days), this promptbook automatically runs the following prompts in order:
- Where is data labeled as <label_or_classifier_or_SIT> stored?
- Provide an overview of activities involving <label_or_classifier_or_SIT> data in the last <duration> days.
- Identify instances where <label_or_classifier> data was transferred outside of the organization in the last <duration> days.
- Who are the top five users with the most <label_or_classifier_or_SIT> data exfiltration in the last <duration> days?
- Are there any alerts for users who interacted with <label_or_classifier_or_SIT> data in the last <duration> days?
- How can I prevent unauthorized transfers of <label_or_classifier_or_SIT> data?
To get started with Security Copilot promptbooks, complete the following steps:
1. Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned DSPM permissions.
2. Select the Data Security Posture Management solution card and then select Overview in the left nav.
3. Select one of the suggested prompts for Security Copilot:
   - Risky user investigation promptbook
   - Sensitive data protection promptbook
4. Enter the requested inputs for the user, classifier, sensitivity label, or SIT and duration (in days).
5. Select Submit.
The promptbook responses automatically scope insight data and provide quick answers in a separate flyout pane. You can select additional built-in prompts to automatically update and generate new responses in the flyout pane. Select New chat to clear previous responses to suggested prompts. Create additional custom prompts directly in Copilot to generate responses from AI-driven analytics based on the scanning results from your organization.
Tips for custom Copilot prompts in DSPM
For an enhanced experience with Copilot in DSPM, use the following tips for higher accuracy in Copilot responses:
- Questions involving a specific user should always include the user's UPN.
- Questions involving a specific sensitive info type or label should always specify the complete name for the sensitive info type or label.
- Questions for top users, activities, and alerts should clearly list the sorting criteria.
- Questions about data in a specific date period should always specify the date period. If a date period isn't specified, only data from the last 10 days from the current date is included. The maximum lookback is 30 days from the current date.
- Put all items (classifiers or labels) in single quotes in your prompt.
- Any path (for example, a file path) in a user prompt must use "/" as a separator.
- The accuracy of responses is higher if the prompt is scoped to a single intent. Break complex prompts into single intent questions and enter the prompts one by one.
- Questions should be self-contained. Avoid referring to previous questions or responses.
- Avoid using generic terms.
- Prompts are supported for data security across Information Protection, DLP, Insider Risk Management, or from public documentation.
For more information on creating Security Copilot prompts, see Create effective prompts.
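Several of the tips above can be checked mechanically before a custom prompt is submitted. The following Python linter is an added example, not Microsoft code or part of Security Copilot; the regular expressions, the function names `lint_prompt` and `normalize_prompt`, and the sample prompts are assumptions made for illustration, and only the "last N days" phrasing is recognized as a date period.

```python
import re

# Limits stated in the tips above.
DEFAULT_LOOKBACK_DAYS = 10
MAX_LOOKBACK_DAYS = 30

# Heuristic patterns: assumptions made for this example, not product behavior.
DAYS_RE = re.compile(r"\blast\s+(\d+)\s+days?\b", re.IGNORECASE)
BACKREF_RE = re.compile(
    r"\b(?:previous|earlier|last|above)\s+(?:question|response|answer|prompt)s?\b",
    re.IGNORECASE,
)
DOUBLE_QUOTED_RE = re.compile(r'"[^"\n]+"')


def lint_prompt(prompt: str) -> list[str]:
    """Return findings for one custom prompt; an empty list means it passed."""
    findings = []
    periods = [int(n) for n in DAYS_RE.findall(prompt)]
    if not periods:
        findings.append(f"no date period: only the last {DEFAULT_LOOKBACK_DAYS} days are included")
    elif max(periods) > MAX_LOOKBACK_DAYS:
        findings.append(f"date period exceeds the {MAX_LOOKBACK_DAYS}-day maximum lookback")
    if "\\" in prompt:
        findings.append("path uses a backslash: use '/' as the separator")
    if DOUBLE_QUOTED_RE.search(prompt):
        findings.append("item in double quotes: put classifiers and labels in single quotes")
    if BACKREF_RE.search(prompt):
        findings.append("refers to an earlier question or response: make it self-contained")
    if prompt.count("?") > 1:
        findings.append("more than one question: split into single-intent prompts")
    return findings


def normalize_prompt(prompt: str) -> str:
    """Apply the two mechanical fixes: '/' separators and single-quoted items."""
    prompt = prompt.replace("\\", "/")
    return DOUBLE_QUOTED_RE.sub(lambda m: "'" + m.group(0)[1:-1] + "'", prompt)


# Constructed sample prompts (the UPN, label and path are made up).
SAMPLES = [
    "Show all sensitive data activities performed by adele@contoso.example in the last 7 days",
    'Which files labeled "Highly Confidential" under C:\\Finance\\Q3 were shared externally in the last 45 days?',
    "Based on the previous response, who else accessed those files? What alerts exist?",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", lint_prompt(sample) or "ok")
```

Findings that need a human decision, such as an over-long lookback or a multi-intent question, are reported but not rewritten.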
Using Copilot in other solutions
Security Copilot is also available directly in other Purview solutions to help you quickly find answers for specific scenarios or to generate insights scoped to specific solution areas not related to unprotected assets.