The Power of Promptbooks: A Closer Look at Copilot for Security Promptbook
Copilot for Security provides a natural language and assistive copilot experience. It helps support security professionals in end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management.
Designed with integration in mind, Copilot for Security offers a standalone experience and also integrates seamlessly with products in the Microsoft Security portfolio, such as Microsoft Defender XDR, Microsoft Sentinel and Microsoft Intune, as well as third-party services such as ServiceNow.
This post, “The Power of Promptbooks: A Closer Look at Copilot for Security Promptbook,” will walk through the specific capabilities, how to write prompts, a specific scenario with Defender for Identity, and how to create a promptbook for a new session.
The Role of Promptbooks
In the ever-evolving world of cybersecurity, staying ahead of threats requires vigilance and innovation. Enter the concept of promptbooks, a transformative tool introduced by Copilot for Security that’s reshaping how security teams manage and respond to incidents. But what exactly are promptbooks, and how do they enhance security operations? Let’s dive into this innovative approach to cybersecurity.
Understanding Promptbooks
Promptbooks are advanced, structured instructions designed to tackle specific security tasks. Much like a script in a play guides actors through their performances, promptbooks guide security professionals through procedures tailored to distinct security scenarios. They are not just theoretical frameworks but practical, actionable tools, pre-built to manage tasks like incident response, threat hunting, and security investigations.
The Role of Promptbooks in Copilot for Security
Copilot for Security harnesses the concept of promptbooks to offer a ready-to-use, automated workflow similar to what is found in security playbooks. However, promptbooks integrate more deeply with automation and AI tools, enhancing the efficiency and effectiveness of security operations. Each promptbook in Copilot for Security is designed for a specific purpose and requires precise inputs. For instance, a promptbook might need a snippet of malicious code or the name of a suspected threat actor to kickstart an investigation or response process.
Key Features and Benefits
- Specificity and Customization: Each promptbook is crafted to address specific security incidents or threats. This high level of specificity ensures that the responses and actions taken are not just general or generic but are tailored to the nuances of the particular scenario.
- Automation of Repetitive Tasks: Security teams often face repetitive and time-consuming tasks that detract from more strategic work. Promptbooks automate these tasks, freeing up valuable time and resources. This automation ensures that responses are not only faster but also consistent and repeatable.
- Scalability: As organizations grow, so does the complexity of their security needs. Promptbooks scale to meet these demands, providing a framework that adapts to varying volumes and types of security incidents.
- Integration with Existing Tools: Copilot for Security’s promptbooks are designed to seamlessly integrate with existing security tools and platforms. This integration helps create a cohesive security ecosystem that leverages the full capabilities of all tools at an organization’s disposal.
Practical Applications
In practice, a promptbook might be used in the following ways:
- Incident Response: When detecting a potential security breach, a promptbook could be activated to guide the response team through the necessary steps to mitigate the threat, document actions taken, and restore systems to regular operation.
- Threat Hunting: If an organization needs to investigate potential threats, a promptbook could guide the security team through collecting evidence, analyzing data, and identifying the sources of suspicious activities.
- Compliance and Reporting: For organizations needing to comply with regulatory requirements, promptbooks can streamline the processes of gathering necessary data, generating compliance reports, and ensuring that all steps are properly documented.
Promptbook Types
In the dynamic field of cybersecurity, the ability to quickly adapt and respond to threats is crucial. Copilot for Security offers a sophisticated solution with its promptbooks, which are available in built-in and custom formats. These tools streamline security operations and offer flexibility to meet specific organizational needs. Let’s explore how built-in and custom promptbooks can enhance cybersecurity management and response.
Built-in Promptbooks
Built-in promptbooks are pre-designed templates created by cybersecurity experts to cover many common security scenarios. These are ready to deploy immediately and are designed based on industry best practices and typical threat models. Built-in promptbooks offer several advantages:
- Speed: They provide immediate functionality, allowing security teams to quickly implement standardized procedures without requiring extensive setup or customization.
- Expertise: Built-in promptbooks leverage the collective knowledge of cybersecurity professionals and are crafted to handle typical security situations effectively.
- Consistency: Using these standardized promptbooks ensures that every incident is handled consistently, reducing the chance of errors or oversights.
Custom Promptbooks
While built-in promptbooks cover a broad spectrum of needs, every organization has unique challenges and requirements. Custom promptbooks cater to these specific needs by allowing organizations to create tailored workflows based on their own security policies, threat landscapes, and operational practices. Custom promptbooks offer several key benefits:
- Tailored Security Responses: Organizations can design promptbooks that align precisely with their internal processes, threat models, and compliance requirements.
- Flexibility: As new threats emerge or organizational priorities shift, custom promptbooks can be adjusted or newly created to address these changes directly.
- Integration: Custom promptbooks can integrate more deeply with specialized tools or data sources unique to an organization, enhancing the overall security posture.
Combining Built-in and Custom Promptbooks
The true power of promptbooks in Copilot for Security lies in combining built-in and custom versions to create a comprehensive security strategy. Here’s how organizations can effectively utilize this combination:
- Foundation with Built-in: Start with built-in promptbooks to quickly establish a robust baseline for security operations. This approach ensures that all fundamental and everyday security tasks are covered.
- Customization for Specific Needs: Develop custom promptbooks for scenarios specific to the organization or requiring a particular focus not covered by the built-in options. For example, if an organization uses proprietary technology or has specific regulatory compliance needs, custom promptbooks can ensure these areas are adequately addressed.
- Continuous Improvement: Use insights from incident responses and security operations to refine and evolve built-in and custom promptbooks. This iterative process helps fine-tune security measures and adapt to the changing cyber threat landscape.
Prompts in a Nutshell
As with any Copilot, a prompt refers to the text-based, natural language input you provide in the prompt bar that instructs Copilot for Security to generate a response. The quality of the reaction that Copilot for Security returns depends mainly on the prompt used. A well-crafted prompt with clear and specific inputs generally leads to more valuable responses by Copilot for Security.
The Elements
Effective prompts give Copilot for Security adequate and functional parameters to generate a valuable response. Security analysts or researchers should include the following elements when writing a prompt.
- Goal – the specific, security-related information you need.
- Context – why you need this information or how you plan to use it.
- Expectations – the format or target audience to which you want the response tailored.
- Source – known information, data sources, or plugins that should be used.

(Image from Microsoft Learn.)
For Copilot for Security, context can mean information such as the time frame you are interested in, or the fact that you plan to use the response for a report. Expectations can include whether you want the response in a table format, as a list of action steps, a summary, or a diagram. The source can specify which Microsoft plugins you’re referring to, if needed. Some plugins require more context to work effectively, or supporting plugins to ensure a response when the initial responses fail.
Using Promptbooks
Promptbooks in Microsoft Copilot for Security contain one or more prompts that have been put together to accomplish specific security-related tasks. They run one prompt after another, building on previous responses. You can use the built-in promptbooks or create your own. Remember to create promptbooks based on your existing plugins. Otherwise, the promptbooks will be useless and provide no information.
How can you start using promptbooks?
The Microsoft Promptbooks
Copilot for Security ships with several built-in promptbooks and system capabilities. You can use them with minimal changes, especially the promptbooks. When using them, you may need a piece of information such as a Defender XDR incident ID to speed up the process. Still, if you’re unfamiliar with the information in your systems, you can ask for specific details.
In this example, we use the “Microsoft 365 Defender incident investigation” promptbook with its built-in prompts.
To run the promptbook:
- Open the promptbooks from the “Copilot for Security” prompt bar.
- Choose the relevant promptbook – “Microsoft 365 Defender incident investigation”.
- Type the incident ID number in the “Defender Incident ID” field.
Keep in mind: the following images are taken from an existing promptbook.

Type a specific incident ID and run it.

All of the prompts should run automatically. Sometimes, when a prompt in the promptbook is not well specified, it can fail.


In this scenario, the prompt didn’t have specific information, which is shown in the response.

TIP: If the required information is missing from a prompt in the middle of the sequence, the remaining prompts can fail as well.

Custom Promptbook Tips
Before creating a custom promptbook, let’s review some highlights that help you build one with minimal issues, so that the promptbook can be run across many scenarios.
While the built-in promptbooks provide specific prompts, you should create your own promptbook for dedicated scenarios. Here are the steps to create a promptbook.
- Choose a scenario based on your existing plugins.
- Create the prompts with clear requests and straightforward questions.
- Make sure to have a scope for each question.
- “Inputs you’ll need” – include the concrete inputs, such as specific IDs or findings, only in the first prompt.
- You can duplicate an existing promptbook to speed up the creation process – keep in mind that the copy will be good for that specific scenario only.
- A good promptbook has minimal plugins, but sometimes, we need to analyze incidents across many plugins.
- The prompts will be easier to write if you know the incident investigation processes and actions. Otherwise, the promptbook will be useless.
- Prompt engineering – you should learn how it works, because it allows you to create good prompts. Start with the learning module “Describe the elements of an effective prompt”.
- Editing the prompt or the order of prompts might affect the response unexpectedly. Promptbooks can contain a series of prompts that are run one after another based on previous responses, so reordering prompts, for instance, might result in unexpected responses.
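As an added example that is not the product’s own code: a small Python linter that checks a promptbook definition against the tips above (concrete inputs only in the first prompt, a scope for each prompt, only enabled plugins, 8-12 prompts, and all required inputs present so the chain does not fail midway). The dict layout, the {name} placeholder syntax and the sample prompts are assumptions, since the post does not expose the product’s promptbook format.

```python
"""Lint a promptbook definition against the tips above. Added example: the
dict layout and {name} input syntax are assumptions, not Copilot for
Security's own promptbook format, which this post does not expose."""
import re

PLACEHOLDER = re.compile(r"\{(\w+)\}")  # assumed syntax for "Inputs you'll need"


def lint_promptbook(book: dict, inputs: dict) -> list[str]:
    """Return findings; an empty list means the book follows the tips."""
    findings = []
    prompts = book.get("prompts", [])
    plugins = set(book.get("plugins", []))
    if not 8 <= len(prompts) <= 12:  # the range the post recommends
        findings.append(f"prompt count {len(prompts)} is outside 8-12")
    for i, p in enumerate(prompts):
        needed = PLACEHOLDER.findall(p["text"])
        if i > 0 and needed:  # concrete IDs/findings belong only in the first prompt
            findings.append(f"prompt {i}: inputs {needed} should only appear in prompt 0")
        if not p.get("scope"):  # every prompt should have a defined scope
            findings.append(f"prompt {i}: missing scope")
        if p.get("plugin") not in plugins:  # prompts may only use enabled plugins
            findings.append(f"prompt {i}: plugin {p.get('plugin')!r} not enabled")
    if prompts:  # a missing input fails prompt 0, and later prompts can then fail too
        missing = [v for v in PLACEHOLDER.findall(prompts[0]["text"]) if v not in inputs]
        if missing:
            findings.append(f"missing inputs {missing}: prompt 0 fails, later prompts can fail")
    return findings


XDR = "Microsoft Defender XDR"
# Constructed Defender for Identity investigation book (8 prompts, one plugin).
SAMPLE_BOOK = {"plugins": [XDR], "prompts": [
    {"text": "Summarize Defender XDR incident {incident_id} and its Defender for Identity alerts.", "plugin": XDR, "scope": "incident"},
    {"text": "List the user accounts involved in this incident and their roles.", "plugin": XDR, "scope": "identities"},
    {"text": "List the devices involved and which alerts each device appears in.", "plugin": XDR, "scope": "devices"},
    {"text": "Describe the attack techniques observed in this incident.", "plugin": XDR, "scope": "techniques"},
    {"text": "Show the timeline of alerts in this incident in a table.", "plugin": XDR, "scope": "timeline"},
    {"text": "Identify any lateral movement between the listed accounts and devices.", "plugin": XDR, "scope": "lateral movement"},
    {"text": "Recommend containment and remediation steps for the affected accounts and devices.", "plugin": XDR, "scope": "response"},
    {"text": "Write an executive summary of this investigation for a non-technical audience.", "plugin": XDR, "scope": "report"},
]}

if __name__ == "__main__":
    print(lint_promptbook(SAMPLE_BOOK, {"incident_id": "12345"}))  # []
    print(lint_promptbook(SAMPLE_BOOK, {}))  # the missing-input finding
```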
Create Promptbook – Defender for Identity Scenario
You can run the following prompts if you have Defender for Identity in your environment and the Defender XDR plugin is connected.
What does the promptbook look like? See the image below.

How do you create a promptbook? Start with many prompts and narrow them down to a few, around 8-12 prompts. Then, save it.
The actions should be:
- Run prompts against a Defender for Identity scenario.
- Choose the most accurate and scoped prompts.
- Then, choose “Create a promptbook.”
- Make sure the “Plugins” are correct, then create it.

Give it a name and description, and make sure the correct plugins are available.

Once it’s created, you can run it against a specific incident ID.
TIP: You can do the same with “incident name.”

More Highlights
- Create effective prompts – defining the objectives helps you craft specific initial and follow-up questions and prompts.
- Find a good balance between the number and complexity of your prompts. The number of prompts in your promptbook might or might not affect security compute unit (SCU) consumption, but in general, too many prompts can mean more resource consumption. On the other hand, prompts that are too verbose and complicated can be just as counter-productive and resource-heavy.
- Check if each prompt contributes to your objective or whether it’s possible to streamline some prompts.
- If your promptbook is taking longer than expected to run, which might mean it’s consuming a lot of SCUs, you can select Cancel to stop the promptbook midway through.
- When a promptbook is open in an existing session, you can edit the content and order of prompts without changing the original promptbook.
- The output of a promptbook can vary from session to session, and a single prompt can result in slightly different responses even in the same session. Some randomness is expected in any natural language-based, AI-powered solution.
- You might consider reordering the prompts when creating or editing a promptbook from an existing session. However, keep in mind that doing so might affect your final output. Promptbooks run the prompts one after another, with the results of a previous prompt used or considered in succeeding prompts. Again, this might affect SCU consumption.
In Conclusion
Microsoft Security Copilot integrates advanced AI technologies, including OpenAI’s GPT-4, to deliver real-time insights and automation capabilities, thereby boosting the efficiency of security operations. It aids in simplifying complex security tasks, making it easier for professionals to detect and respond to threats rapidly, which is crucial given the velocity and sophistication of modern cyber threats.
In practical terms, Copilot for Security utilizes prompt engineering—crafting detailed and specific prompts to guide the AI in generating high-quality, relevant outputs. This is crucial for ensuring that the AI’s responses are prompt, accurate, and applicable to the context of the security issues being addressed. Effective prompts can significantly improve the AI’s utility in incident investigations, threat assessments, and routine security checks.