Muokkaa

Jaa


Microsoft Sentinel incidents in Copilot for Security

Microsoft Copilot for Security is a platform that helps you defend your organization at machine speed and scale. Microsoft Sentinel provides a plugin for Copilot to help analyze incidents and generate hunting queries.

Together with the iterative prompts using other sophisticated Copilot for Security sources you enable, your Microsoft Sentinel incidents and data provide wider visibility into threats and their context for your organization.

For more information on Copilot for Security, see the following articles:

Integrate Microsoft Sentinel with Copilot for Security

Microsoft Sentinel provides two plugins to integrate with Copilot for Security:

  • Microsoft Sentinel (Preview)
  • Natural language to KQL for Microsoft Sentinel (Preview).

Important

The "Microsoft Sentinel" and "Natural Language to KQL for Microsoft Sentinel" plugins are currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Configure a default Microsoft Sentinel workspace

Increase your prompt accuracy by configuring a Microsoft Sentinel workspace as the default.

  1. Navigate to Copilot for Security at https://securitycopilot.microsoft.com/.

  2. Open Sources in the prompt bar.

  3. On the Manage plugins page, set the toggle to On

  4. Select the gear icon on the Microsoft Sentinel (Preview) plugin.

    Screenshot of the personalization selection gear icon for the Microsoft Sentinel plugin.

  5. Configure the default workspace name.

    Screenshot of the plugin personalization options for the Microsoft Sentinel plugin.

Tip

Specify the workspace in your prompt when it doesn't match the configured default.

Example: What are the top 5 high priority Sentinel incidents in workspace "soc-sentinel-workspace"?

Integrate Microsoft Sentinel with Copilot in Defender

Use the unified security operations platform with your Microsoft Sentinel data for an embedded Copilot for Security experience. Microsoft Sentinel's unified incidents in the Defender portal allow Copilot in Defender to use its capabilities with Microsoft Sentinel data.

For example:

Screenshot of Microsoft Sentinel incident from Defender portal with Copilot embedded experience.

For more information, see the following resources:

Integrate Microsoft Sentinel with Copilot for Security in advanced hunting

The Natural language to KQL for Microsoft Sentinel (Preview) plugin generates and runs KQL hunting queries using Microsoft Sentinel data. This capability is available in the standalone experience and the advanced hunting section of the Microsoft Defender portal.

Note

In the unified Microsoft Defender portal, you can prompt Copilot for Security to generate advanced hunting queries for both Defender XDR and Microsoft Sentinel tables. Not all Microsoft Sentinel tables are currently supported, but support for these tables can be expected in the future.

For more information, see Copilot for Security in advanced hunting.

Improve your Microsoft Sentinel prompts

Consider the Microsoft Sentinel incident investigation promptbook as a starting point for creating effective prompts. This promptbook delivers a report about a specific incident, along with related alerts, reputation scores, users, and devices.

Guidance Prompt
Nudge Copilot to provide human readable information instead of responding with object IDs. Show me Sentinel incidents that were closed as a false positive. Supply the Incident number, Incident Title, and the time they were created.
Copilot knows who you are. Use the "me" pronoun to find incidents related to you. The following prompt targets incidents assigned to you. What Sentinel incidents created in the last 24 hours are assigned to me? List them with highest priority incidents at the top.
When you narrow a prompt response down to a single incident, Copilot knows the context. Tell me about the entities associated with that incident.
Copilot is good at summarizing. Describe a specific audience you want the prompts and responses summarized for. Write an executive report summarizing this investigation. It should be suited for a nontechnical audience.

For more prompt guidance and samples, see the following resources: