Bewerken

Delen via


Using promptbooks in Microsoft Copilot for Security

What are promptbooks?

Copilot for Security comes with prebuilt promptbooks, a series of prompts that have been put together to accomplish specific security-related tasks. They can function in a similar way as security playbooks—ready-to-use workflows that can serve as templates to automate repetitive steps—for instance, with regard to incident response or investigations. Each prebuilt promptbook requires a specific input (for example, a code snippet or a threat actor name).

You can find the different promptbooks by going to the promptbook library or by selecting the Prompts icon Screenshot of sparkle icon. at the prompt bar. You can then search for a promptbook or select See all promptbooks to view all.

Watch the following video to learn more about promptbooks:

Incident investigation

You can run the incident investigation promptbook after supplying an incident number to either the Microsoft Sentinel or Microsoft Defender XDR plugin. Use the appropriate promptbook for the plugin you want to use. The incident investigation promptbooks contain several prompts to generate an executive report for a nontechnical audience that summarizes the investigation. Each prompt builds on the previous prompt.

To run the Microsoft Sentinel incident investigation promptbook:

  1. Select the Prompts button in the prompt bar and start to type "incident investigation" until the promptbooks appear in the list.

  2. Select Microsoft Sentinel incident investigation. (To use the Microsoft Defender XDR plugin instead, select Microsoft Defender XDR incident investigation.) Screenshot of suspicious script analysis promptbook.

  3. Supply the incident number that you want to investigate in the input box that says Sentinel Incident ID.

  4. Next, select Run in the upper left corner of the dialog box.

  5. Wait for Copilot for Security to run the incident number through the different prompts. If you see a round progress indicator in place of the response, then the promptbook is still running. Copilot for Security generates responses for each of the prompts, building on each response until it gets to the last prompt.

  6. Read the responses by Copilot for Security. The last prompt by Copilot for Security generates an executive report summarizing the investigation based on the responses. Review and verify whether the responses are accurate and meet your needs.

Threat actor profile

The threat actor profile promptbook is a quick way to get an executive summary about a specific threat actor. The promptbook looks for any existing threat intelligence articles about the actor, including known tools, tactics, and procedures (TTPs) and indicators, including remediation suggestions. It then summarizes the findings into a report for less technical readers.

To run the threat actor profile promptbook:

  1. Select the Prompts button in the prompt bar and start to type "threat actor profile" until the promptbooks appear in the list.
  2. Select Threat actor profile.
  3. Type the name of the threat actor in the input box that says Threat actor name. Screenshot of threat actor promptbook.
  4. Next, select the Run button in the upper left corner of the dialog box.
  5. Wait for Copilot for Security to run the threat actor name through the different prompts. If you see a round progress indicator in place of the response, then the promptbook is still running. Copilot for Security generates responses for each of the prompts and builds on each until it gets to the last prompt.
  6. Read the response by Copilot for Security. The last prompt by Copilot for Security generates an easily readable report that includes pertinent information about the identified threat actor. Review and verify whether the responses are accurate and meet your needs.

Suspicious script analysis

The suspicious script analysis promptbook is useful when you're investigating a PowerShell or Windows command-line script. For example, if a PowerShell script was involved in a critical incident in your network, you can copy the body of the script and run the promptbook to find out more about it.

To run the promptbook: 1.Select the Prompts button in the prompt bar and start to type "suspicious script analysis" until the promptbooks appear in the list.

  1. Select Suspicious script analysis.

  2. Paste the script string that you want analyzed in the input box saying Script to analyze. Screenshot shows suspicious script analysis in a promptbook.

  3. Next, select Run in the upper left corner of the dialog box.

  4. Wait for Copilot for Security to run the script content through the different prompts. If you see a round progress indicator in place of the response, then the promptbook is still running. Copilot for Security generates responses for each of the prompts, building on each response until it gets to the last prompt.

  5. Read the responses by Copilot for Security. The last prompt by Copilot for Security generates a full report of what the script does, any related threat activities, and recommended next steps based on the assessment about file intent. Review and verify whether the responses are accurate and meet your needs.

Vulnerability impact assessment

The vulnerability impact assessment promptbook accepts a CVE number or known vulnerability name to find out if the vulnerability has been publicly disclosed or exploited and whether it has been used by threat actors in their campaigns. It can then provide recommendations to address or mitigate the threat and summarize these findings in an executive summary.

To run this promptbook:

  1. Select the Prompts button in the prompt bar and start to type "vulnerability impact assessment" until the promptbooks appear in the list.
  2. Select Vulnerability impact assessment.
  3. Type the CVE number or common vulnerability name that you want to learn about in the input box saying CVEID. Screenshot of vulnerability impact assessment promptbook.
  4. Next, select the Run button in the upper left corner of the dialog box.
  5. Wait for Copilot for Security to run the vulnerability name or CVE through the different prompts. If you see a round progress indicator in place of the response, then the promptbook is still running. Security Copilot generates responses for each of the prompts and builds on each until it gets to the last prompt.
  6. Read the response from Copilot for Security. The last prompt generates an easily readable report about the vulnerability. The report includes details about known exploitation activities, including mitigation suggestions. Review and verify whether the responses are accurate and meet your needs.

Microsoft User analysis

The Microsoft User analysis promptbook can be used by an IT Admin to analyze and get detailed insights about a user and associated devices across multiple Microsoft 365 products. This includes sign-in and authentication data from Microsoft Entra ID, device information from Intune, unusual activity details from Microsoft Purview, and a Microsoft Defender summary highlighting important detections.

To get a comprehensive response from this promptbook, you first need to activate or make sure that you have the following roles:

  • Global Reader role for Microsoft Entra ID
  • Security Reader role for Entra ID, Intune and Defender
  • Insider Risk Management Investigator or Analyst role for Microsoft Purview

To run this promptbook:

  1. Go to the Promptbook library and look for the Microsoft User Analysis promptbook.
  2. Select Start new session. Screenshot of Microsoft user analysis promptbook.
  3. You need the following inputs:
    • the user principal name or UPN of the user
    • the time range you want Copilot for Security to look up the information.
  4. Next, select the Submit button in the upper right corner of the dialog box.
  5. Wait for Copilot for Security to run your inputs through the different prompts. If you see a round progress indicator in place of the response, then the promptbook is still running. Copilot for Security generates responses for each of the prompts and builds on each until it gets to the last prompt.
  6. Read the response from Copilot for Security. Using the response from the prompts, you can deduce faster whether the user being investigated has been performing suspicious activities so you can focus on your next steps in securing your system.

View the promptbook library

Both prebuilt and user-built promptbooks across your organization appear in the promptbook library. View the promptbooks by going to the Copilot for Security menu and selecting Promptbook library.

Screenshot of library in menu.

You can also select View promptbook library on the home page.

Screenshot of library in home page.

The promptbook library displays all the promptbooks available to you. The promptbooks are listed by name, and you can view the description, owner, number of prompts, the required plugins, inputs, and tags, if any.

Screenshot of library.

Select the magnifying glass icon in the Promptbook library in the top left region of the page. Type in the first few letters of your promptbook title and wait for the results to load.

You can also filter based on tags.

See also