I came across an excellent article on Copilot for Security on a GitHub page and wanted to share it with you. It’s a valuable resource that I highly recommend reviewing. If you have any questions after reading it, feel free to reach out.
Before we jump in some information about Microsoft Copilot for security:
Microsoft Copilot for Security integrates advanced AI and machine learning capabilities to enhance security operations. Here’s some data and key details about it:
1. Features:
- Threat Detection and Response: Uses AI to analyze security data, identify potential threats, and suggest automated responses.
- Incident Management: Assists with incident prioritization, remediation recommendations, and automating response actions.
- Data Analysis: Provides advanced analytics and insights into security operations, helping to identify trends and vulnerabilities.
- Integration: Works with Microsoft Sentinel, Microsoft Defender, and other Microsoft security solutions to provide a comprehensive security posture.
2. Benefits:
- Improved Efficiency: Automates repetitive tasks and provides actionable insights, allowing security teams to focus on more strategic activities.
- Enhanced Threat Intelligence: Leverages AI to improve threat detection and reduce false positives by analysing patterns and contextual data.
- Streamlined Incident Response: Facilitates faster and more effective responses to security incidents through automated recommendations and actions.
3. Pricing and Licensing:
- Security Compute Units (SCUs): Priced based on SCUs, which measure the computational resources used for security operations. Pricing can vary based on the volume of SCUs and the level of features required.
4. Deployment and Integration:
- Cloud-Based: Designed to integrate seamlessly with Microsoft Azure.
- Compatibility: Works with Microsoft’s suite of security products, including Microsoft Sentinel and Microsoft Defender, to enhance overall security management and some of the third party security solutions.
5. Customer Use Cases:
- Enterprise Security Operations: Used by large organizations to improve their security posture and streamline their security operations.
- SMBs and Partners: Provides scalable security solutions for small to medium-sized businesses and partners looking to enhance their security capabilities.
6. Updates and Innovations:
- Continuous Improvement: Regular updates and enhancements are made to leverage the latest advancements in AI and machine learning for better security outcomes.
- Community and Support: Backed by Microsoft’s extensive support network and community resources to assist with deployment and optimization.
Copilot for Security Prompting Tips:
| Best Practice | Description |
| State your Goal | What are you hoping to achieve out your inquiry (prompt)? Make Copilot aware of your intended goal. |
| Provide Context & Set Expectations | Be specific and provide context when asking questions, such as the name of the plugin, skill, or the promptbook you’d like to use. Be mindful of the words you use in your prompts and how they may affect the chatbot’s response. Words matter and they can influence the selection of skills. Include modifiers such as format, audience, length, and confidence to guide the model and avoid ambiguity. |
| Provide the Source | State the source of the information you seek in your prompt, especially if there are multiple sources which could extract similar information. |
| Continue to Iterate | Iterate and refine your prompts if you don’t get the expected results. Use different words or phrases to ask the same question if you don’t get the desired result the first time. The chatbot may recognize synonyms or alternative expressions better. |
| Be Positive and Respectful | Use positive instructions instead of negative ones. Be respectful and appropriate for the workplace and avoid any biased, inappropriate, or violent content. Use the singular “they” pronoun to refer to people and avoid guessing their gender, roles, or feelings. |
| Treat Copilot as your Compadre | Address Copilot as “you” instead of “model” or “assistant”. |
| Treat new Copilot sessions as if they are a Stranger | Sessions currently cannot reference other sessions. Meaning, if you ask a question in relation to an answer provided in a previous session, your new Copilot will likely struggle to address without enough context. Please be mindful of this working with Copilot. |
| Make Copilot do the Heavy Lifting when it comes to summarizing your sessions | Concluding your session, leverage Copilot for Security to summarize the prompts’ responses for whatever audience you choose. |
| Bridge your KQL knowledge gap with NL2KQL skills and KQL custom plugins | Use the natural language to KQL (NL2KQL) plugin to hunt for information in your data sources using plain English. Junior KQL users will appreciate our KQL custom plugins to execute common KQL queries via natural language. |
| Automate wherever possible | Use promptbooks and custom promptbooks to automate common security workflows, which require iterative responses to collate and summarize the information you seek. |
| It’s okay to experiment. In fact, it’s encouraged! | We’re venturing unchartered territory as a market with Security LLMs. Don’t be afraid to experiment with different ways of framing your prompts and evaluate the results based on your needs and expectations. You may be pleasantly surprised to find new things you never thought possible. Share your learnings with us in the comments of Microsoft blogs. |
Following best practices above, listed below are good and bad examples of prompts intended to support various security-related use cases.
| Bad | Good | Better | Best | |
| Incident Summary | Provide an incident summary. | Provide a summary for incident 19247 from Defender catered to a non-technical executive audience. | Provide a summary for incident 19247 from Defender catered to a non-technical executive audience. List the entities of the incident in a table providing context from MDTI. | Provide a summary for incident 19247 from Defender catered to a non-technical executive audience. List the entities of the incident in a table which includes the following headers: “Entity”, “Entity Type”, “MDTI reputation”. Within entity, list the entity associated with the incident or incident’s alerts. Within Entity Type, list what type of entity it is. For example, domain name, IP address, URL, hash. Within the MDTI reputation, enrich the entity against MDTI’s Copilot reputation skill. |
| KQL Query for Hexadecimal Strings | Create a KQL query to hunt for hexadecimal strings. | Create a KQL query to hunt for hexadecimal strings associated with svchost.exe process. | Prompt 1: Create a Defender KQL query to hunt for hexadecimal strings associated with the svchost.exe process. Prompt 2: What threat actor groups tend to use this svchost.exe process? Prompt 3: What are the TTPs associated with these threat actor groups? Prompt 4: Please create a table to list the MITRE ATT&CK techniques associated with each threat actor group as unique rows. List each MITRE ATT&CK technique associated with each threat actor group in column 1 “MITRE ATT&CK technique” and which threat actor groups used that technique in column 2, “Threat Actor Group(s)”. | Prompt 1: Create a Defender KQL query to hunt for hexadecimal strings associated with the svchost.exe process. Prompt 2: What threat actor groups tend to use this svchost.exe process? Prompt 3: What are the TTPs associated with these threat actor groups? Prompt 4: Please create a table to list the MITRE ATT&CK techniques associated with each threat actor group as unique rows. List each MITRE ATT&CK technique associated with each threat actor group in column 1 “MITRE ATT&CK technique” and which threat actor groups used that technique in column 2, “Threat Actor Group(s)”. Prompt 5: Based on the MITRE ATT&CK techniques gathered in the previous response, which ones do not have analytic (detection) rule coverage based on what our organization has configured in our Sentinel workspace? Prompt 6: Which CVEs do these threat actor groups tend to exploit? Prompt 7: What threat intelligence exists associated with each of these CVEs from MDTI? Prompt 8: What threat intelligence exists associated with each of these CVEs from inthewild.io? Prompt 9: What remediation and/or mitigation recommendations are associated with each of these CVEs from MDTI? Prompt 10: Which of my MDEASM, MDVM, MDC, and IoT assets are vulnerable to these CVEs? Prompt 11: Based on the incident comments (or wherever you document your postmortem steps), have these recommendations been followed? [Save this as a custom promptbook] |
General Tips
- Check the plugin menu to see what plugins are enabled and what skills they offer.
- Select the icon in the prompt bar to force a specific plugin or promptbook to bypass the orchestrator and get predictable results.
- Review the promptbooks available in the promptbook library and see how they are designed and what inputs they require.
- Use the custom promptbook feature to create templates of a series of prompts that you can reuse for different scenarios or parameters.
- Use the pinboard to select and summarize the most relevant prompts from your session. You can also edit or delete prompts that are not useful or accurate.
- Use the process log or the debugger to understand what plugins are selected and executed and how they enrich your prompt. Use the custom plugin feature to create your own skills and enrichments based on your own security information (e.g. custom logs) or APIs
Kiran NR Cybersecurity blog 