Exploring Security Copilot Promptbooks with Examples

In this blog post, we delve into the innovative world of Microsoft Security Copilot Promptbooks. Promptbooks are a powerful collection of predefined prompts designed to streamline and enhance the process of investigating security incidents. By leveraging these promptbooks, security professionals can efficiently and effectively respond to potential threats and vulnerabilities.

What are Promptbooks?

Promptbooks are essentially a curated set of prompts that guide users through various security investigation scenarios. These prompts are tailored to address specific types of incidents, providing a structured approach to incident response. The goal is to simplify the investigation process, reduce response times, and improve the accuracy of threat detection and mitigation.

Using Promptbooks for Incident Investigation

One of the key applications of Promptbooks is in the investigation of security incidents. For instance, in Microsoft Defender for Endpoint, security analysts can utilize predefined promptbooks to investigate incidents on specific devices. Let's take a closer look at an example.

Example: Investigating Incident Number 54 on Device 'vm01'

In the screenshot below from Defender for Endpoint, the device 'vm01' has multiple incidents. For this example, we will focus on investigating incident number 54 using the Promptbook titled 'Microsoft 365 Defender Incident Investigation'.

To investigate incident number 54 on device 'vm01', follow these steps:

  1. Open the Promptbook: Access the 'Microsoft 365 Defender Incident Investigation' Promptbook.
  2. Provide Incident Details: Enter incident number 54.
  3. Submit the Request: Click on the 'Submit' button to initiate the investigation.

Upon submission, the Promptbook will guide you through 7 sequential steps (prompts), each designed to systematically analyze and address the incident. These steps will run in sequence and provide you with the necessary outputs to effectively manage the incident.
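To make the mechanism described above concrete, here is an added illustrative model of a promptbook as an ordered list of prompt templates bound once to an input parameter and run in sequence, with each step able to see the previous step's output. This is example code written for this post, not Security Copilot's own code or API: the `executor` callable, the three-step promptbook (the page's promptbook has seven steps, and only the first and last are named on the page) and the canned responses are all constructed assumptions. The one practical point it shows is that the user-supplied incident number is validated once, before any prompt runs, so a malformed value never reaches the prompt chain.

```python
"""Illustrative model of a promptbook (added example, not Security Copilot code).

A promptbook is modelled as an ordered list of prompt templates. The input
parameter (an incident number) is validated once, then each template is
rendered and run in order; every step may reference the previous output.
"""
from dataclasses import dataclass
from typing import Callable


def validate_incident_id(value) -> int:
    """Accept only a positive integer incident number (as int or numeric str)."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError(f"incident id must be an int or numeric string, got {value!r}")
    try:
        number = int(str(value).strip())
    except ValueError:
        raise ValueError(f"incident id must be numeric, got {value!r}") from None
    if number <= 0:
        raise ValueError(f"incident id must be positive, got {number}")
    return number


@dataclass
class PromptStep:
    name: str
    # Template may use {incident_id} and {previous_output} placeholders.
    template: str


@dataclass
class Promptbook:
    title: str
    steps: list

    def run(self, incident_id, executor: Callable[[str], str]) -> list:
        """Render and run each prompt in order; return a per-step log."""
        incident_id = validate_incident_id(incident_id)  # validate before any prompt runs
        log = []
        previous_output = ""
        for step in self.steps:
            prompt = step.template.format(
                incident_id=incident_id, previous_output=previous_output
            )
            output = executor(prompt)
            log.append({"step": step.name, "prompt": prompt, "output": output})
            previous_output = output  # chain this step's output into the next
        return log


# Constructed three-step promptbook (assumption: the real one has seven steps,
# and only its first and last are named in the post).
INCIDENT_PROMPTBOOK = Promptbook(
    title="Microsoft 365 Defender Incident Investigation (illustrative)",
    steps=[
        PromptStep("summarize", "Summarize Defender Incident {incident_id}"),
        PromptStep(
            "enrich",
            "Using this summary: {previous_output} -- list the entities involved "
            "in incident {incident_id}",
        ),
        PromptStep(
            "executive_summary",
            "Rewrite the following for a non-technical audience: {previous_output}",
        ),
    ],
)


def canned_executor(prompt: str) -> str:
    """Constructed stand-in for the service call; echoes what it was asked."""
    return f"[response to: {prompt}]"


def run_demo() -> list:
    """Run the constructed promptbook for incident 54 with the stand-in executor."""
    return INCIDENT_PROMPTBOOK.run("54", canned_executor)


if __name__ == "__main__":
    for entry in run_demo():
        print(f"{entry['step']}: {entry['prompt']}")
```

Swapping `canned_executor` for a function that calls the real service is the only change needed to turn the model into a working runner; the validation and chaining logic stay the same.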

This structured approach ensures a thorough and consistent investigation, helping you to quickly identify and mitigate potential threats.

The first prompt, 'Summarize Defender Incident 54', has successfully run and provided a detailed overview of the incident. Here are the key points from the summary:

  • Incident Date: The incident occurred on January 11, 2024.
  • Affected Device: The device involved is VM01.
  • Tools Used: The PowerSploit tool was utilized during the incident.

This initial summary is crucial as it gives a clear and concise snapshot of the incident, helping analysts quickly grasp the situation. With this information, they can proceed to the next steps of the investigation with a solid understanding of the incident's context.

Following the initial summary, the next prompt in the 'Microsoft 365 Defender Incident Investigation' Promptbook runs and provides its output. This step continues the investigation process by delving deeper into the incident details.

In the final stage of the investigation using the 'Microsoft 365 Defender Incident Investigation' Promptbook, a summary is generated for a non-technical audience. This summary consolidates all the details gathered during the investigation into an easily understandable format. Here are the key points included:

  • Incident Overview: A brief description of the incident, including when it occurred and the affected device.
  • Tools Used: Mention of any tools or methods used in the incident, such as PowerSploit.
  • Investigation Findings: Highlights of the investigation, including any unusual activities or threats identified.
  • Mitigation Actions: Steps taken to address the incident, such as isolating the device or removing malicious files.
  • Impact and Resolution: Explanation of the incident's impact and how it was resolved.

This summary is designed to communicate the essential information to stakeholders who may not have a technical background, ensuring they understand the incident's significance and the actions taken to resolve it.

Conclusion

Microsoft Security Copilot Promptbooks represent a significant advancement in the field of cybersecurity incident response. By providing a structured and guided approach to investigations, Promptbooks enable security professionals to effectively manage and mitigate threats. As we continue to face an evolving landscape of cyber threats, tools like Promptbooks will be essential in maintaining robust security postures.