How to Become a Microsoft Copilot for Security Ninja: The Complete Level 400 Training
This course is designed to equip you with the necessary skills to effectively utilize Microsoft Copilot for Security, a cloud-based platform renowned for providing comprehensive visibility and safeguarding of organizational assets and data. You'll learn to monitor, detect, analyze, and respond to security threats across hybrid environments.
The course is divided into three parts—beginner, intermediate, and advanced—each consisting of several modules that explain different aspects and features of Copilot for Security. After completing each module, you will be given a knowledge assessment to measure your comprehension and retention of the information presented. Furthermore, participants will have access to additional resources and dedicated support, ensuring a guided and enriching learning experience.
Microsoft Copilot for Security Ninja Certificate
To obtain the Microsoft Copilot for Security Ninja certificate:
(Please note: this is a certificate of program completion, not an official Microsoft Certification.)
Part 1: Getting Started
Module 0: Other Learning and Support Options
This Ninja training goes up to level 400.
If you’re on this page and you haven’t yet explored how Generative AI (GenAI) works, and terms like “transformer” (and no, we’re not talking about the film series with Megan Fox and Shia LaBeouf), “prompt engineering”, “large language models (LLMs)”, “vector search”, and “responsible AI (RAI)” are new to you, dig into those keyword links as a baseline before diving into the Copilot for Security specific content in the upcoming modules.
Additionally, Brandon Dixon publishes his own Applied GAI in Security newsletter. He leverages generative AI to summarize new security-related LLM papers and designed it to reduce errors in reporting by including links directly back to the source material. Some of his blogs will also be published to our Copilot for Security Tech Community Blog when they relate specifically to Copilot for Security. Stay on top of bleeding-edge GenAI security trends by reviewing new content from both sources.
Module 1: Introduction and Onboarding
Overview
Microsoft Copilot for Security (Copilot) is the first generative AI (GenAI) security product to help defend organizations at machine speed. Copilot for Security provides a natural language, assistive copilot experience that helps support security professionals in end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management.
A leadership view on deploying Microsoft Copilot for Security (youtube.com, 2:42)
The solution leverages the full power of OpenAI architecture to generate a response to a user prompt by using security-specific plugins, including organization-specific information, authoritative sources, and global threat intelligence. This is a special moment for all of us with the new era of AI showing a whole different world of opportunity with Security. The synergy of hyper-scale data, computing power, and an extended threat intelligence (TI) landscape allows us to provide TI signals to AI, aiding in the defense against attackers at machine speed. Refer to How does Copilot for Security work? to learn more.
Minimum requirements to set up your Copilot for Security default environment:
• Azure subscription
• Provision SCU capacity through Copilot standalone (recommended) or Azure
For step-by-step Copilot for Security onboarding instructions, see Get started with Microsoft Copilot for Security | Microsoft Learn.
Module 2: Microsoft Copilot for Security Configuration
Understanding Authentication
Copilot for Security uses on-behalf-of authentication to access security-related data through active Microsoft plugins. Specific Copilot for Security roles must be assigned to a group or individual before they can access the Copilot for Security platform. Once you're logged into the portal, your access determines which plugins are available to use.
Copilot for Security introduces two roles that function like access groups but aren't Microsoft Entra ID roles. Instead, they only control access to the capabilities of the Copilot for Security platform.
Note: The following Microsoft Entra roles automatically inherit Copilot owner access.
It’s important to understand that Copilot for Security doesn't go beyond the access you already have. Each Microsoft plugin has its own role requirements for calling the plugin's service and its data. Verify that you have the proper service roles and licenses assigned to use the capabilities of the Microsoft plugins you activate.
Example: You have the Copilot Contributor role, which lets you use the Copilot for Security platform with the capability to create sessions. You follow the least privilege model, so you don't have any Microsoft Entra roles like Security Administrator. But if you want to use the Microsoft Sentinel plugin, you still need a suitable role like Microsoft Sentinel Reader, so that Copilot can access incidents in the Microsoft Sentinel workspace.
Put simply, the Security Administrator role has more permissions than needed just for Copilot access. It’s better to create a security group and assign it the Copilot role (Owner or Contributor) instead of using the Security Administrator role for Copilot access.
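As an added example (this is not code from the Ninja training or from Microsoft), the following Microsoft Graph PowerShell script audits the least-privilege pattern described above: it lists every active member of the Security Administrator directory role and shows whether each is also a member of a dedicated security group that has been given the Copilot Contributor role. The group name SG-CopilotForSecurity-Contributors and the Graph scopes are assumptions. Copilot's own Owner/Contributor assignments live in the Copilot portal and are not queryable through Graph, which is why the script checks the group the role was assigned to rather than the Copilot role itself.

```powershell
# Added example, not from the Ninja training or the Microsoft documentation.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumption: the Copilot Contributor role has been assigned to the security
# group named below, following the least-privilege pattern described above.
$copilotGroupName = "SG-CopilotForSecurity-Contributors"   # hypothetical group name

# Read-only scopes are enough to enumerate groups and directory role members.
Connect-MgGraph -Scopes "Directory.Read.All", "RoleManagement.Read.Directory"

# Resolve the Copilot access group and collect its member object IDs.
$group = Get-MgGroup -Filter "displayName eq '$copilotGroupName'"
if (-not $group) { throw "Group '$copilotGroupName' not found." }
$copilotMemberIds = Get-MgGroupMember -GroupId $group.Id -All |
    Select-Object -ExpandProperty Id

# Get-MgDirectoryRole returns only roles activated in the tenant, and its
# membership reflects active assignments (PIM-eligible assignments are not listed).
$secAdminRole = Get-MgDirectoryRole -All |
    Where-Object { $_.DisplayName -eq 'Security Administrator' }
if (-not $secAdminRole) { throw "Security Administrator role is not activated in this tenant." }

# One row per Security Administrator: who they are and whether they are also
# in the group that carries the Copilot role.
$report = Get-MgDirectoryRoleMember -DirectoryRoleId $secAdminRole.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            ObjectId             = $_.Id
            ObjectType           = $_.AdditionalProperties['@odata.type']
            UserPrincipalName    = $_.AdditionalProperties['userPrincipalName']
            InCopilotAccessGroup = $copilotMemberIds -contains $_.Id
        }
    }

$report | Format-Table -AutoSize
"Security Administrators: $($report.Count); of those also in '$copilotGroupName': $(($report | Where-Object InCopilotAccessGroup).Count)"
```

Review each row: a principal whose only reason for holding Security Administrator is Copilot access belongs in the group instead, since the group grants the Copilot role without the broader directory permissions. Because the listing reflects active role membership only, run it with PIM activations in mind if your tenant uses eligible assignments.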
Introduction to Plugins
Copilot for Security plugins are specialized components that enhance the Copilot for Security platform's capabilities. These plugins act as connectors, enabling seamless integration with a variety of security services and tools.
Copilot for Security comes with many preinstalled plugins available for Microsoft Security Solutions and other commonly used services and websites that you can use. You also have the option of extending default capabilities by adding your own custom plugins.
For the latest list of preinstalled plugins, see Plugins overview Microsoft Copilot for Security (Preview) | Microsoft Learn.
As described in the “Understanding Authentication” section of Module 2 of this Ninja Training, Copilot for Security relies on the authenticated user’s access to retrieve information from a plugin. This means that even if a plugin is enabled in your Copilot for Security settings, you still need the specific roles for that solution or product to be able to prompt and receive information from that resource.
The same applies to custom plugins (API type) that require API keys: you must configure your custom plugin with the required keys before it can retrieve the right information from the data source you need.
Note: Currently, plugin settings are managed at the user level, which means that each user needs to enable or disable the required plugins and set the authentication methods for those plugins that require them. There is no option today to set a plugin configuration at the tenant level.
Module 3: Microsoft Copilot for Security Features and Overview
Understanding Architecture
Working with AI in complex and specialized spaces like cybersecurity and IT makes it difficult for LLMs (GPTs) alone to be successful. Relying solely upon an LLM (GPT) and fine-tuning processes doesn’t work well because of the nature of the domain – it’s a fast-evolving, highly fragmented ecosystem. Training a new model, which is laborious and expensive, would be dated the moment a new system or the need for current data is introduced – vulnerability publication is one such example of this challenge. Instead, an architecture built from the ground up to address both of those complexities is needed. Microsoft Copilot for Security is a compound AI system: through orchestration, components of the AI system are leveraged to reason across an ecosystem and respond to a user with real-time, accurate insights, safeguarded with RAI elements.
Microsoft Copilot for Security serves as the core infrastructure, the orchestrator, facilitating connections to diverse solutions across various sources. These sources include knowledge bases, plugins (which are comprised of skills tailored for specific tasks), and grounding data. Copilot leverages LLMs (GPTs) to process information, make judgments, and generate outputs from its available sources, forming the foundation of its operational framework.
Copilot for Security Experiences: Microsoft Copilot for Security experiences | Microsoft Learn
Standalone Experience
Copilot for Security’s standalone experience is accessed through https://securitycopilot.microsoft.com.
Copilot’s standalone experience empowers users to use natural language in the form of prompts to round out their end-to-end security workflows. Standalone affords users the ability to aggregate data from various data sources via plugins. Plugins leverage skills to invoke a response associated with a user’s prompt. For example, CTI analysts or incident responders could leverage the standalone experience to analyze a script, identify which threat actor groups use the script, collect a list of their TTPs, identify their detection rule coverage gaps, and which assets are vulnerable to the CVEs those actor groups tend to exploit. We’ll learn more about the use cases our standalone experience supports today and how users can leverage plugins, custom plugins, promptbooks, custom promptbooks, and Copilot for Security Logic App data connector prompts in their Logic Apps to optimize their automated workflows in the upcoming modules.
Embedded Experience
Copilot’s embedded experience offers users a seamless integrated UI within existing Microsoft Security Products, which currently include Defender XDR, Sentinel, Intune, Entra, Purview and Defender Threat Intelligence.
For both standalone and embedded experiences, users can expect more security solutions to be folded into Copilot for Security to address more security-related use cases. To that end, Copilot for Security Ninjas should expect these modules to be updated as more integrated Microsoft features, plugins, skills, and promptbooks are released as well as third-party plugins.
Plugins
Copilot for Security plugins are specialized components that enhance the Copilot for Security platform's capabilities. These plugins act as connectors, enabling seamless integration with a variety of security services and tools.
Copilot for Security comes with many preinstalled plugins available for Microsoft security services and other commonly used services and websites that you can use. You also have the option of extending default capabilities by adding your own custom plugins.
Types of Plugins
Prompting and Promptbooks
After completing the setup process within Copilot for Security, users can commence utilizing prompts. These prompts serve as the principal input mechanism necessary for Copilot for Security to generate responses conducive to aiding users in their security-related endeavors.
Custom promptbooks are also available that allow customers to create and save their own series of natural language prompts for common security workstreams, tasks, and scenarios.
Get Started (Use Cases Scenarios for Copilot for Security)
To begin with, our focus will be on practical technical use cases tailored to empower your security operations.
Use cases
Bonus Module: Understanding the Basics of Generative AI and Prompt Engineering
Below are free prompt engineering resources:
Part 2: Become Proficient
Module 1: Microsoft Security Product Plugins
This module highlights the Microsoft security product plugins integrated with Copilot for Security at this time. Each product overview section includes a link to an additional Tech Community blog covering the plugin's skills, promptbooks, sample prompts, embedded experience features, and additional resources. As new enhancements and additional plugins are introduced, this module will be updated accordingly.
Microsoft Defender XDR Plugin
What is Defender XDR?
Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
XDR Plugin Key Features
Microsoft Defender XDR integrates the functionalities of Copilot for Security into its portal, empowering security teams to address attack investigations with accuracy and efficiency. The incorporation of AI into Microsoft Defender XDR facilitates instantaneous comprehension of attacks, swift assessment for applying suitable mitigation measures to halt and contain threats, expedited analysis of intricate files, and seamless threat hunting capabilities.
For more information regarding our Microsoft Copilot for Security Defender XDR plugin, see Microsoft Copilot for Security Defender XDR Plugin Overview | Microsoft Security Copilot Tech Commun....
Microsoft Entra Plugin
What is Microsoft Entra?
Microsoft Entra is the product family name for all identity and network access solutions from Microsoft. It’s part of the Microsoft Security portfolio, which also includes Microsoft Purview for compliance, Microsoft Priva for privacy, Microsoft Defender for cyberthreat protection and cloud security, and Microsoft Sentinel for security information and event management (SIEM).
When Microsoft announced Microsoft Entra in May 2022, the Microsoft Entra product family consisted of Azure Active Directory (Azure AD), Microsoft Entra Permissions Management, and Microsoft Entra Verified ID. The current product family has expanded beyond identity and access management into new market categories such as security service edge. Microsoft Entra is the new unifying brand for this portfolio of products. To align with this change, Azure AD is now Microsoft Entra ID.
Entra Plugin Key Features
In a world where 20% of security breaches happen as a result of weak or stolen credentials, identity and access management professionals aim to strengthen security and compliance without creating hurdles to business growth or user experience. Microsoft Copilot for Security in Entra is your ultimate secret weapon. It empowers you to investigate and fix identity risks, understand user access with smart AI, and handle tough tasks quickly. Copilot gathers info from Entra users, groups, sign-in logs, audit logs and more.
With Copilot, you can check sign-ins, respond to identity threats using risky user summarization, investigate incidents, and receive recommendations on how to remediate problems in simple language. It utilizes real-time learning to identify access gaps, create workflows, and resolve issues quickly. Additionally, it trains administrators of all levels to handle tough tasks like incident investigations and log analysis, saving time and resources.
For more information regarding our Microsoft Copilot for Security Entra plugin, see Microsoft Copilot for Security Entra Plugin Overview | Microsoft Security Copilot Tech Community.
Microsoft Intune Plugin
What is Microsoft Intune?
Microsoft Intune is a cloud-based endpoint management solution. It manages user access to organizational resources and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints.
Intune Plugin Key Features
There are Intune capabilities built into Copilot for Security. Intune’s integration with Copilot for Security optimizes users’ ability to identify and troubleshoot issues with their organization’s devices, compliance, and configuration policies and more.
For more information regarding our Microsoft Copilot for Security Intune plugin, see Microsoft Copilot for Security Intune Plugin Overview | Microsoft Security Copilot Tech Community.
Microsoft Defender Threat Intelligence (MDTI) and Threat Analytics (TA) Plugin
What is Microsoft Defender Threat Intelligence (MDTI) and Threat Analytics (TA)?
MDTI
Microsoft Defender Threat Intelligence (MDTI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering raw and finished threat intelligence.
TA
Threat analytics (TA) is our in-product threat intelligence solution from expert Microsoft security researchers. It's designed to assist security teams to be as efficient as possible while facing emerging threats, such as:
MDTI & TA Plugin Key Features
Copilot for Security delivers information about threat actors, indicators of compromise (IOCs), tools, and vulnerabilities, as well as contextual threat intelligence from Microsoft Defender Threat Intelligence (MDTI) and Threat Analytics (TA). Copilot users can leverage prompts and promptbooks to investigate incidents, enrich their hunting flows with threat intelligence information as well as gain more knowledge about threats facing their organization or the globe.
For more information regarding our Microsoft Copilot for Security Defender Threat Intelligence and Threat Analytics plugin, see Microsoft Copilot for Security Defender Threat Intelligence and Threat Analytics Plugin Overview | M....
Microsoft Purview Plugin
What is Microsoft Purview?
Microsoft Purview is a comprehensive set of solutions that can help your organization govern, protect, and manage data, wherever it lives. Microsoft Purview solutions provide integrated coverage and help address the fragmentation of data across organizations, the lack of visibility that hampers data protection and governance, and the blurring of traditional IT management roles.
Purview Plugin Key Features
Microsoft Copilot for Security is a cloud-based AI platform that can assist you in identifying, summarizing, triaging, and remediating alerts and events in Microsoft Purview for:
For more information regarding our Microsoft Copilot for Security Purview plugin, see Microsoft Copilot for Security Purview Plugin Overview | Microsoft Security Copilot Tech Community.
Microsoft Defender External Attack Surface Management (MDEASM) Plugin
What is Microsoft Defender External Attack Surface Management (MDEASM)?
Microsoft Defender External Attack Surface Management (MDEASM) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. This visibility enables security and IT teams to identify unknowns, prioritize risk, eliminate threats, and extend vulnerability and exposure control beyond the firewall. Attack Surface Insights are generated by leveraging vulnerability and infrastructure data to showcase the key areas of concern for your organization.
MDEASM Plugin Key Features
Copilot for Security can surface insights from MDEASM about an organization's attack surface. Copilot users can use the standalone features built into Copilot for Security and use prompts to get more information. This information can help users understand their security posture and mitigate vulnerabilities.
For more information regarding our Microsoft Copilot for Security Defender External Attack Surface Management plugin, see Microsoft Copilot for Security Defender External Attack Surface Management Plugin Overview | Microso....
Module 2: OpenAI Copilot for Security Plugins
The following plugins were developed by OpenAI for Copilot for Security users to take advantage of in Copilot standalone.
Generic
Skills
Public Web
Skill
Module 3: Creating Effective Prompts
Prompting Tips with Copilot for Security
Module 4: Managing Plugins
In previous modules, you were introduced to plugins. This module will focus on how Copilot owners and contributors can manage their own plugins and how Copilot owners can set controls for how all Copilot contributors within their Copilot environment can or cannot upload and manage their custom plugins. For more on security roles associated with Copilot owners vs. contributors, see Understand authentication in Microsoft Copilot for Security | Microsoft Learn.
Important Reminders:
Module 5: Third-Party integrations
Netskope
Netskope One is a cloud-native platform that offers converged security and networking services so users can enable their Secure Access Services Edge (SASE) and Zero Trust transformation. In addition to using the built-in Netskope plugin with Microsoft Copilot for Security, users can integrate other Netskope custom plugins. This article describes how to set up and use the built-in plugin for Copilot for Security.
Tanium
Tanium delivers comprehensive visibility across devices, a unified set of controls, real-time remediation, and a common taxonomy to protect critical information and infrastructure at scale.
Crowdsec
CrowdSec Threat Intelligence provides information about IP addresses and verification or identification of potentially aggressive IP addresses. You can use the CrowdSec Cyber Threat Intelligence (CrowdSec CTI) plugin with Microsoft Copilot for Security.
Cyware
Cyware Respond is an end-to-end incident management and threat response automation platform. You can use the Cyware Respond plugin with Microsoft Copilot for Security to find specific types of incidents, actions, applications, critical software assets, malware, vulnerabilities, and more.
Greynoise
Greynoise’s integration enables users to leverage the Greynoise database to enhance their organization's security posture, identify emerging threats, and prioritize response efforts. Users can configure the Greynoise Enterprise or Greynoise Community plugin with Copilot for Security to get information about IP addresses, scanning activity, and attacker behaviors.
URLscan
UrlScan.io is a free online service and tool that allows users to scan and analyze URLs (Uniform Resource Locators) or website links to determine potential security threats and risks associated with those URLs. It helps users assess the safety and trustworthiness of a website or a specific web page.
Valence
The Valence SaaS Security Platform provides visibility and remediation capabilities for business-critical SaaS applications. Users can investigate user activity across multiple SaaS platforms and create reports to understand a specific user's SaaS security posture.
CIRCL
CIRCL Hash Lookup’s integration enables users to validate suspicious files in the form of hashes, either MD5, SHA-1, or SHA-256, in Copilot for Security. Users can leverage this plugin to get information about a file and verify whether it's allowlisted or blocklisted by trusted security platforms.
Part 3: Grow into an Expert
Module 1: Custom Promptbooks
What are Custom Promptbooks?
Copilot for Security comes with prebuilt promptbooks, a series of prompts that have been put together to accomplish specific security-related tasks. They function in a similar way to security playbooks: ready-to-use workflows that can serve as templates to automate repetitive steps, for instance with regard to incident response or investigations. Each prebuilt promptbook requires a specific input (for example, a code snippet or a threat actor name). Custom promptbooks consist of the natural language prompts you choose, in the order you want them to run, to address your organization's own recurring security-related use cases and optimize your workflows.
To learn more on how to create and manage custom promptbooks, see Leverage Custom Promptbooks to Optimize your Security Workflows | Microsoft Security Copilot Tech Co....
For more on promptbooks and Copilot’s promptbook library, see Using promptbooks in Microsoft Copilot for Security | Microsoft Learn.
Call to Action
Module 2: Custom Plugins
Training Resources
Copilot for Security Custom Plugin Workshop Resources
Module 3: Automation Scenarios for Microsoft Copilot for Security using Logic Apps
Module 4: Connect your Knowledge Base to Microsoft Copilot for Security
Microsoft Copilot for Security allows you to integrate your organization’s knowledge base (KB) as an additional source of information. The inclusion of knowledge bases gives Copilot more context, resulting in responses that are more relevant, specific, and customized to the user.
| Options to Integrate KBs into Copilot for Security | Ways to integrate KBs into Microsoft Copilot for Security |
|---|---|
| Azure AI Search plugin | Follow the steps in Prompting for a KB connected using Azure AI Search |
| File upload | Follow the steps in Prompting for an uploaded file |
Standalone
Skills
Additional resources