Hi Community,
Welcome to part 2 of my blog series on Security Copilot. If you missed part 1 you can find it here.
In part 2 I will go over which Microsoft features are available with Security Copilot and how you can use it in the embedded and standalone versions. I will go over the settings, prompts and promptbooks. You will also notice that Security Copilot isn’t always bulletproof, but hey, what Microsoft product or AI tool in preview (or GA 😉) is?
Where can you use Security Copilot?
Security Copilot is embedded in the following Microsoft products:
- Microsoft Defender
- Microsoft Sentinel
- Microsoft Entra
- Microsoft Intune
- Microsoft Priva
- Microsoft Purview
Defender and Sentinel are for the Security Experts
Entra and Intune are for the IT Specialists
Purview and Priva are for the Data Governance Team
You can access it through a standalone experience or through embedded experiences in other Microsoft security products. The foundation language model and proprietary Microsoft technologies work together to boost the efficiency and capabilities of defenders.
Microsoft security solutions like Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Intune integrate seamlessly with it. Some embedded experiences in these solutions give you access to Security Copilot and its prompting capabilities right within your workflow.
Plugins from Microsoft and third-party security products extend and integrate services with it. They bring more context from event logs, alerts, incidents, and policies from both Microsoft security products and supported third-party solutions like ServiceNow.
It also taps into threat intelligence and authoritative content through plugins. These plugins can search across Microsoft Defender Threat Intelligence articles, intel profiles, Microsoft Defender XDR threat analytics reports, and vulnerability disclosure publications, among others.
Here’s how Security Copilot works:
- User prompts from security products are sent to Security Copilot.
- Security Copilot preprocesses the input prompt through grounding, which improves the specificity of the prompt to help you get relevant and actionable answers. It accesses plugins for preprocessing, then sends the modified prompt to the language model.
- Security Copilot takes the response from the language model and post-processes it, including accessing plugins to gain contextualized information.
- Security Copilot returns the response for you to review and assess.
- Security Copilot iteratively processes and orchestrates these sophisticated services to help produce results that are relevant to your organization because they’re based on your organizational data.
In the image below you can see the flow.
If you are interested in learning more about Security Copilot and/or engaging in product feedback, private previews, …, there is an MMCCP (Microsoft Management Customer Connection Program) just for this feature. To enter you need to fill in a form. Check out this page.
As previously mentioned, there is a standalone and an embedded experience.
Standalone experience
Accessing Security Copilot through https://securitycopilot.microsoft.com is considered the standalone experience.
Embedded experience
Accessing the embedded experiences in other Microsoft security products is considered an embedded experience.
The following table lists the available embedded experiences.
| Product | Embedded experience |
|---|---|
| Azure Firewall | Enrich the threat profile of an IDPS signature beyond log information<br>Generate recommendations to secure your environment using Azure Firewall's IDPS feature<br>Look for a given IDPS signature across your tenant, subscription, or resource group<br>Retrieve the top IDPS signature hits for an Azure Firewall |
| Microsoft Defender for Cloud | Analyze recommendations<br>Delegate recommendations<br>Remediate code<br>Remediate recommendations<br>Summarize recommendations |
| Microsoft Defender Threat Intelligence | Using Security Copilot for threat intelligence |
| Microsoft Defender XDR | Analyze files<br>Analyze scripts and codes<br>Create incident reports<br>Generate KQL queries for hunting<br>Summarize device information<br>Summarize incidents<br>Summarize identities<br>Use guided response |
| Microsoft Entra | Investigate risky users |
| Microsoft Intune | Device query<br>Policy and setting management<br>Use Microsoft Copilot in Intune to troubleshoot devices |
| Microsoft Purview | Investigate a Microsoft Purview Data Loss Prevention alert<br>Investigate insider risk management activities<br>Summarize Communication Compliance messages by using Security Copilot<br>Summarize an eDiscovery message by using Security Copilot |
Let’s talk Settings
In the standalone version you have some settings that you can alter. In the preferences section you can change the theme, language and time zone.
In the data and privacy section you can check the privacy statement, the terms and conditions and the location of your data.
In the about section you can check your app version.

Now the fun stuff
Promptbooks
Security Copilot comes with prebuilt promptbooks, a series of prompts that have been put together to accomplish specific security-related tasks. They can function in a similar way as security playbooks—ready-to-use workflows that can serve as templates to automate repetitive steps—for instance, regarding incident response or investigations. Each prebuilt promptbook requires a specific input (for example, a code snippet or a threat actor name).
You can find the different promptbooks by going to the promptbook library or by selecting the Prompts icon (the sparkle icon) at the prompt bar. You can then search for a promptbook or select See all promptbooks to view all.
You can also create your own promptbooks. Let’s say you asked a couple of questions and you would like to save all these questions into a promptbook. You just select these questions and click on the Create Promptbook icon to save your promptbook.
Now you can name your promptbook, give it a tag and add a description. You can see which plugins Security Copilot is using, the different questions, and who can see this promptbook. You can also edit it later and add extra questions as you want. These extra questions do not need to address the same plugin; you can also add questions that are Entra ID or Defender related.
Your promptbooks are accessible via the top left menu and the My promptbooks button. I usually try to split my promptbooks up per plugin used. However, sometimes it can be convenient to address more plugins in the same promptbook, as you can see in promptbook number 3.
This concludes part 2 of this series. If you missed part 1 you can find it here. Subscribe to get an instant message when my next blog goes live! If you want to see all these cool things live in action, make sure you join me at one of the events where I will speak about this topic. Just check the speaker sessions section on my home page.
And as always if you feel there is something in error or you want to add some stuff from your own experience don’t hesitate to contact me!




















