How to Become a Microsoft Security Copilot Ninja: The Complete Level 400 Training

How to Become a Microsoft Security Copilot Ninja: The Complete Level 400 Training

This course is designed to equip you with the necessary skills to effectively utilize Microsoft  Security Copilot, a cloud-based platform renowned for providing comprehensive visibility and safeguarding of organizational assets and data. You'll learn to monitor, detect, analyze, and respond to security threats across hybrid environments.

 

The course is divided into three parts—beginner, intermediate, and advanced—each consisting of several modules that explain different aspects and features of Security Copilot. After completing each module, you will be given a knowledge assessment to measure your comprehension and retention of the information presented. Furthermore, participants will have access to additional resources and dedicated support, ensuring a guided and enriching learning experience.

 

Figure 1: Technical skilling curriculum

 

Microsoft Security Copilot Ninja Certificate

To obtain the Microsoft Security Copilot Ninja certificate:

(Please Note, this is a certificate of program completion not an official Microsoft Certification)

1. Take the knowledge check here.
2. If you score 80% or more in the knowledge check, request your participation certificate here.

 

Part 1: Getting Started

 

Module 0: Other Learning and Support Options

This Ninja training is an up to level 400 training.

• Microsoft Security Copilot FAQ is a great place to start.
• The official Microsoft Security Copilot Learning Path is best, if you want a step-by-step training guide on how to use the Microsoft Security Copilot features.
• Unified Customer? Explore the readiness and onboarding Security Copilot workshops with your Microsoft Customer Success Account Manager. 
• Already a Ninja? Keep track of or join our Security Copilot Customer Connection Program (CCP) for insight into new features and capabilities underway. 
• Have a specific issue? Ask (or answer other) on the Microsoft Security Copilot Blog - Microsoft Community Hub.
• Microsoft Security Copilot Video Series Playlist: Microsoft Security Copilot YouTube Playlist
• Microsoft Mechanics Video: How Microsoft Security Copilot works (youtube.com) and Microsoft Defender XDR, Security Copilot & Microsoft Sentinel now in one portal (youtube.com)

 

Recommended Generative AI (GenAI) Prerequisites

If you’re on this page and you haven’t yet explored how Generative AI (GenAI) works and terms like “transformer” (and no we’re not talking about the film series with Megan Fox and Shia LeBeouf), “prompt engineering”, “large language models (LLMs)”, “vector search”, and “responsible AI (RAI)” are new to you, dig in to those keyword links as a baseline before diving into the additional Security Copilot specific content in the upcoming modules.

 

Additionally, Brandon Dixon, published his own Applied GAI in Security newsletter. He leverages generative AI to summarize new security related LLM papers and designed it in such a way to reduce errors in reporting by including links directly back to the source material. Some of his blogs will also be published to our Security Copilot Tech Community Blog should they relate to Security Copilot, specifically. Stay on top of bleeding edge GenAI security trends by reviewing new content from both sources.

 

Call to Action

1. Watch the Webinar: Part I: Basics of generative AI and intro to Security Copilot
2. Review of the Newsletter Article
3. Join The Microsoft Security Copilot Tech community Blog
4. Get access to the Microsoft Security Copilot GitHub
5. Access the MS Learn Doc for Microsoft Security Copilot
6. Check out Microsoft's Generative AI for Beginners on Github
7. Take the exercise on Learn prompting.org.  

 

Module 1: Introduction and Onboarding

 

Overview

Microsoft Security Copilot (Copilot) is the first generative AI (GenAI) security product to help defend organizations at machine speed. Security Copilot provides a natural language, assistive copilot experience that helps support security professionals in end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management.

 

A leadership view on deploying Microsoft Security Copilot (youtube.com, 2:42)

 

The solution leverages the full power of OpenAI architecture to generate a response to a user prompt by using security-specific plugins, including organization-specific information, authoritative sources, and global threat intelligence. This is a special moment for all of us with the new era of AI showing a whole different world of opportunity with Security. The synergy of hyper-scale data, computing power, and an extended threat intelligence (TI) landscape allows us to provide TI signals to AI, aiding in the defense against attackers at machine speed. Refer to How does Security Copilot work? to learn more.

Minimum Requirements to setup your Security Copilot default environment:
• Azure subscription
• Provision SCU capacity through Copilot standalone (recommended) or Azure

 

For step-by-step Security Copilot onboarding instructions, see Get started with Microsoft Security Copilot | Microsoft Learn.

 

Figure 2: Overview of Microsoft Learn | Get started with Microsoft Security Copilot

 

Module 2: Microsoft Security Copilot Configuration

Understanding Authentication

Security Copilot uses on-behalf of authentication to access security related data through active Microsoft plugins. Specific Security Copilot roles must be assigned for a group or individual to access the Security Copilot platform. Once you're logged into the portal, your access determines what plugins are available to utilize.

 

Security Copilot introduces two roles that function like access groups but aren't Microsoft Entra ID roles. Instead, they only control access to the capabilities of the Security Copilot platform.

• Copilot Owner
• Copilot Contributor

 

Note: The following Microsoft Entra roles automatically inherit Copilot owner access.

• Security Administrator
• Global Administrator

 

It’s important to understand that Security Copilot doesn't go beyond the access you have. Each Microsoft plugin has its own role requirements for calling the plugin's service and its data. With verification you have the proper service roles and licenses assigned to use the capabilities of the Microsoft plugins activated.

Example: You have the Copilot Contributor role, which lets you use the Security Copilot platform with the capability to create sessions. You follow the least privilege model, so you don't have any Microsoft Entra roles like Security Administrator. But if you want to use the Microsoft Sentinel plugin, you still need a suitable role like Microsoft Sentinel Reader, so that Copilot can access incidents in the Microsoft Sentinel workspace.

 

Put simply, the Security Administrator role has more permissions than needed just for Copilot access. It’s better to create a security group and assign it the Copilot role (Owner or Contributor) instead of using the Security Administrator role for Copilot access.

• For more information, see Best practices for Microsoft Entra roles.

 

Introduction to Plugins

Security Copilot plugins are specialized components that enhance the Security Copilot platform's capabilities. These plugins act as connectors, enabling seamless integration with a variety of security services and tools.

 

Security Copilot comes with many preinstalled plugins available for Microsoft Security Solutions and other commonly used services and websites that you can use. You also have the option of extending default capabilities by adding your own custom plugins.

For the latest list of preinstalled plugins, see Plugins overview Microsoft Security Copilot (Preview) | Microsoft Learn.

 

As we described in the “Understanding Authentication” section of Module 2 of this Ninja Training, Security Copilot relies on the authenticated user access to retrieve the information from the plugin. It means that even if you have the plugin enabled in your Security Copilot settings, it’s still required that you have the specific roles related to that solutions/product to be able to prompt and receive information from that resource.

 

The same applies for Custom Plugins (API type) that requires API keys, it’s required that you setup properly your custom plugin with the required keys to retrieve the right information from the data source that you need.

 

Note: Currently, Plugin settings are managed by user level, which means that each user needs to enable/disable the required plugins and set the required authentication methods for those plugins that require. There isn’t an available option today to set a Plugin configuration at the Tenant level.

 

Module 3: Microsoft Security Copilot Features and Overview

Understanding Architecture

Working with AI in complex and specialized spaces like cybersecurity and IT makes it difficult for LLMs (GPTs) alone to be successful.  Relying solely upon an LLM (GPT) and fine-tuning processes doesn’t work well because of the nature of the domain – it’s a fast evolving, highly fragmented ecosystem.  Training a new model, which is laborious and expensive would be dated the moment a new system or the need for current data is introduced – vulnerability publication is on such example of this challenge.  Instead, architecture built from the ground up to address both those complexities is needed.  Microsoft Security Copilot is a compound AI system and through orchestration, components of the AI system are leveraged to reason across an ecosystem, and respond to a user with real-time, accurate insights, safeguarded with RAI elements.

 

Microsoft Security Copilot serves as the core infrastructure, the orchestrator, facilitating connections to diverse solutions across various sources. These sources include elements such as knowledgebases, plugins which are comprised of skills tailored for specific tasks, and grounding data.  Copilot leverages (GPTs) to process information, make judgments, and generate outputs from its available sources, forming the foundation of its operational framework.

 

• How Microsoft Security Copilot works

 

Figure 3: The diagram illustrates operational procedures and interactions within the system architecture. Within the Microsoft Security Trust boundary, the focus is on ensuring ethical and trustworthy AI system operations.

Security Copilot Experiences: Microsoft Security Copilot experiences | Microsoft Learn

Standalone Experience

Security Copilot’s standalone experience can be accessed through https://securitycopilot.microsoft.com is considered the standalone experience.

 

Copilot’s standalone experience empowers users to use natural language in the form of prompts to round out their end-to-end security workflows. Standalone affords users the ability to aggregate data from various data sources via plugins. Plugins leverage skills to invoke a response associated with a user’s prompt. For example, CTI analysts or incident responders could leverage the standalone experience to analyze a script, identify which threat actor groups use the script, collect a list of their TTPs, identify their detection rule coverage gaps, and which assets are vulnerable to the CVEs those actor groups tend to exploit. We’ll learn more about the use cases our standalone experience supports today and how users can leverage plugins, custom plugins, promptbooks, custom promptbooks, and Security Copilot Logic App data connector prompts in their Logic Apps to optimize their automated workflows in the upcoming modules.

Embedded Experience

Copilot’s embedded experience offers users a seamless integrated UI within existing Microsoft Security Products, which currently include Defender XDR, Sentinel, Intune, Entra, Purview and Defender Threat Intelligence.

 

Figure 4: End-to-end security at machine speed and scale

For both standalone and embedded experiences, users can expect more security solutions to be folded into Security Copilot to address more security-related use cases. To that end, Security Copilot Ninjas should expect these modules to be updated as more integrated Microsoft features, plugins, skills, and promptbooks are released as well as third-party plugins.

Plugins

Security Copilot plugins are specialized components that enhance the Security Copilot platform's capabilities. These plugins act as connectors, enabling seamless integration with a variety of security services and tools.

 

Security Copilot comes with many preinstalled plugins available for Microsoft security services and other commonly used services and websites that you can use. You also have the option of extending default capabilities by adding your own custom plugins.

• Plugins overview Microsoft Security Copilot (Preview) | Microsoft Learn

 

Types of Plugins

• Preinstalled Plugins
  • Security Copilot comes with a set of pre-installed plugins that allow it to source information when responding to your prompts.
• Custom Plugins
  • These extend Microsoft Security Copilot capabilities by integrating with third-party solutions or adding custom functionality.

Prompting and Promptbooks

After completing the setup process within Security Copilot, users can commence utilizing prompts. These prompts serve as the principal input mechanism necessary for Security Copilot to generate responses conducive to aiding users in their security-related endeavors.

• Create effective prompts
• How to use prompts in Microsoft Security Copilot | Microsoft Security Blog

Custom promptbooks are also available that allow customers to create and save their own series of natural language prompts for common security workstreams, tasks, and scenarios.

• Build your own promptbooks | Microsoft Learn
• Microsoft Security Copilot: General Availability details - Microsoft Community Hub

 

Get Started (Use Cases Scenarios for Security Copilot)

To begin with, our focus will be on practical technical use cases tailored to empower your security operations.

 

Use cases

• Sample prompts on the Security Copilot GitHub.
• Sample case scenarios.
  • Incident triage
  • Incident summarization
  • Investigating Business email compromise
  • Human Operated Ransomware
  • Getting Threat intelligence Data with Security Copilot
  • Vulnerability Assessments
  • Script Analysis
  • Extended user account investigation with Copilot (accelerated)

 

Bonus Module: Understanding the Basics of Generative AI and Prompt Engineering

 

Below are free prompt engineering resources:

• Microsoft Azure AI Fundamentals: Generative AI Learning Path
• OpenAI’s Documentation on GPT best practices
• Learnprompting.org

 

Part 2: Become Proficient

 

Module 1: Microsoft Security Product Plugins

 

This module highlights the Microsoft security product plugins integrated with Security Copilot at this time. Each product overview section will include a link to an additional Tech Community blog incorporating the plugin's skills, promptbooks, sample prompts, embedded experience features, and additional resources. As new enhancements and additional plugins are introduced, this module will be updated, accordingly.

Microsoft Defender XDR Plugin

What is Defender XDR?

Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

 

XDR Plugin Key Features

Microsoft Defender XDR integrates the functionalities of Security Copilot into its portal, empowering security teams to efficiently address attack investigations with accuracy and efficiency. The incorporation of AI into Microsoft Defender XDR facilitates instantaneous comprehension of attacks, swift assessment for applying suitable mitigation measures to halt and contain threats, expedited analysis of intricate files, and seamless threat hunting capabilities.

• Incident summarization
• Triage and investigate incidents with guided responses
• Script analysis
• Generate KQL queries
• Create incident reports
• File analysis
• Device summarization

For more information regarding our Microsoft Security Copilot Defender XDR plugin, see Microsoft Security Copilot Defender XDR Plugin Overview | Microsoft Security Copilot Tech Community. 

 

Microsoft Entra Plugin

 

What is Microsoft Entra?

Microsoft Entra is the product family name for all identity and network access solutions from Microsoft. It’s part of the Microsoft Security portfolio, which also includes Microsoft Purview for compliance, Microsoft Priva for privacy, Microsoft Defender for cyberthreat protection and cloud security, and Microsoft Sentinel for security information and event management (SIEM).

When Microsoft announced Microsoft Entra in May 2022, the Microsoft Entra product family consisted of Azure Active Directory (Azure AD), Microsoft Entra Permissions Management, and Microsoft Entra Verified ID. The current product family has expanded beyond identity and access management into new market categories such as security service edge. Microsoft Entra is the new unifying brand for this portfolio of products. To align with this change, Azure AD is now Microsoft Entra ID.

Entra Plugin Key Features

In a world where 20% of security breaches happen as a result of weak or stolen credentials, identity and access management professionals aim to strengthen security and compliance without creating hurdles to business growth or user experience. Microsoft Security Copilot in Entra is your ultimate secret weapon. It empowers you to investigate and fix identity risks, understand user access with smart AI, and handle tough tasks quickly. Copilot gathers info from Entra users, groups, sign-in logs, audit logs and more.

With Copilot, you can check sign-ins, respond to identity threats using risky user summarization, investigate incidents, and receive recommendations on how to remediate problems in simple language. It utilizes real-time learning to identify access gaps, create workflows, and resolve issues quickly. Additionally, it trains administrators of all levels to handle tough tasks like incident investigations and log analysis, saving time and resources.

• Quick Response: Microsoft Entra Security Copilot is now integrated into the Entra admin portal (Public Preview as an Embedded experience)
• AI-Driven: Understand and act on identity threats swiftly with AI insights.
• Efficient: Immediate risk comprehension and timely remediation steps.

For more information regarding our Microsoft Security Copilot Entra plugin, see Microsoft Security Copilot Entra Plugin Overview | Microsoft Security Copilot Tech Community. 

 

Microsoft Intune Plugin

 

What is Microsoft Intune?

Microsoft Intune is a cloud-based endpoint management solution. It manages user access to organizational resources and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints.

 

Intune Plugin Key Features

There are Intune capabilities built into Security Copilot. Intune’s integration with Security Copilot optimizes users’ ability to identify and troubleshoot issues with their organization’s devices, compliance, and configuration policies and more.

• Gather Information about your devices, apps, compliance & configuration policies, and policy assignments managed in Intune.
• Manage device attributes and gather hardware details.
• Resolve issues with specific devices by comparing working and non-working devices.

For more information regarding our Microsoft Security Copilot Intune plugin, see Microsoft Security Copilot Intune Plugin Overview | Microsoft Security Copilot Tech Community. 

 

Microsoft Defender Threat Intelligence (MDTI) and Threat Analytics (TA) Plugin

 

What is Microsoft Defender Threat Intelligence (MDTI) and Threat Analytics (TA)?

MDTI

Microsoft Defender Threat Intelligence (MDTI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering raw and finished threat intelligence.

 

TA

Threat analytics (TA) is our in-product threat intelligence solution from expert Microsoft security researchers. It's designed to assist security teams to be as efficient as possible while facing emerging threats, such as:

• Active threat actors and their campaigns
• Popular and new attack techniques
• Critical vulnerabilities
• Common attack surfaces
• Prevalent malware

 

MDTI & TA Plugin Key Features

Security Copilot delivers information about threat actors, indicators of compromise (IOCs), tools, and vulnerabilities, as well as contextual threat intelligence from Microsoft Defender Threat Intelligence (MDTI) and Threat Analytics (TA). Copilot users can leverage prompts and promptbooks to investigate incidents, enrich their hunting flows with threat intelligence information as well as gain more knowledge about threats facing their organization or the globe.

• Summarize the latest threats related to your organization
• Prioritize which threats to focus on based on your environment's highest exposure level to these threats
• Ask about the threat actors targeting the communications infrastructure

For more information regarding our Microsoft Security Copilot Defender Threat Intelligence and Threat Analytics plugin, see Microsoft Security Copilot Defender Threat Intelligence and Threat Analytics Plugin Overview | Microsoft Security Copilot Tech Community. 

 

Microsoft Purview Plugin

 

What is Microsoft Purview?

Microsoft Purview is a comprehensive set of solutions that can help your organization govern, protect, and manage data, wherever it lives. Microsoft Purview solutions provide integrated coverage and help address the fragmentation of data across organizations, the lack of visibility that hampers data protection and governance, and the blurring of traditional IT management roles.

 

Purview Plugin Key Features

Microsoft Security Copilot is a cloud-based AI platform that can assist you in identifying, summarizing, triaging, and remediating alerts and events in Microsoft Purview for:

• Microsoft Purview Data Loss Prevention (DLP)
• Microsoft Purview Insider Risk Management
• Microsoft Purview Communication Compliance
• Microsoft Purview eDiscovery

For more information regarding our Microsoft Security Copilot Purview plugin, see Microsoft Security Copilot Purview Plugin Overview | Microsoft Security Copilot Tech Community. 

 

Microsoft Defender External Attack Surface Management (MDEASM) Plugin

 

What is Microsoft Defender External Attack Surface Management (MDEASM)?

Microsoft Defender External Attack Surface Management (MDEASM) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. This visibility enables security and IT teams to identify unknowns, prioritize risk, eliminate threats, and extend vulnerability and exposure control beyond the firewall. Attack Surface Insights are generated by leveraging vulnerability and infrastructure data to showcase the key areas of concern for your organization.

 

MDEASM Plugin Key Features

Security Copilot can surface insights from MDEASM about an organization's attack surface. Copilot users can use the standalone features built into Security Copilot and use prompts to get more information. This information can help users understand their security posture and mitigate vulnerabilities.

 

For more information regarding our Microsoft Security Copilot Defender External Attack Surface Management plugin, see Microsoft Security Copilot Defender External Attack Surface Management Plugin Overview | Microsoft Security Copilot Tech Community. 

 

Module 2: OpenAI Security Copilot Plugins

 

The following plugins were developed by OpenAI for Security Copilot users to take advantage of in Copilot standalone.

 

Generic

Skills

• Analyze a script or command
  
  • Analyze and interpret a command or script to natural language.
• Analyze security data
  
  • Analyze, summarize, and explain security data such as event logs, and answer security questions.
• Convert Unix Timestamp
  
  • Convert a Unix timestamp to a human readable date and time.
• Extract entities
  
  • Extract entities (e.g. accounts, URLs, hashes) from security data (e.g. logs, alerts and incidents)
• Extract indicators of compromise
  
  • Extract indicators of compromise from plain text.
• Generate security examples
  
  • Generate security-specific examples, such as event logs, reports, and configuration instructions.
• Summarize data
  
  • Get a summary of the given data.

 

Public Web

Skill

• FetchUrl
  • Downloads the content from an anonymously accessible URL. If the content is HTML then it is converted.

 

Module 3: Creating Effective Prompts

 

Prompting Tips with Security Copilot

• Prompting tips for Security Copilot can be found in our GitHub here.
• Check out a webinar, which covers these tips here.

 

Module 4: Managing Plugins

In previous modules, you were introduced to plugins. This module will focus on how Copilot owners and contributors can manage their own plugins and how Copilot owners can set controls for how all Copilot contributors within their Copilot environment can or cannot upload and manage their custom plugins. For more on security roles associated with Copilot owners vs. contributors, see Understand authentication in Microsoft Security Copilot | Microsoft Learn.

 

1. Copilot owners and contributors can manage their plugins. See Manage plugins in Microsoft Security Copilot | Microsoft Learn for more information.
2. Copilot owners can set controls for who can upload and modify custom plugins as well as whether those plugins can be used by other Copilot users within their Copilot environment. See Manage plugins in Microsoft Security Copilot | Microsoft Learn for more information.

 

Important Reminders:

• By default, every Copilot user has contributor access. We recommend using security groups to assign Security Copilot roles instead of individual users. This reduces administrative complexity.
• By default, only owners can add and manage their own custom plugins.

 

Module 5: Third-Party integrations

Netskope

Netskope One is a cloud-native platform that offers converged security and networking services so users can enable their Secure Access Services Edge (SASE) and Zero Trust transformation. In addition to using the built-in Netskope plugin with Microsoft Security Copilot, users can integrate other Netskope custom plugins. This article describes how to set up and use the built-in plugin for Security Copilot.

• Netskope and Microsoft Security Copilot | Microsoft Learn
• Netskope Plugin for Microsoft Security CoPilot | Community
• Netskope better protects customers with Security Copilot

 

Tanium

Tanium delivers comprehensive visibility across devices, a unified set of controls, real-time remediation, and a common taxonomy to protect critical information and infrastructure at scale.

• Tanium and Microsoft Security Copilot | Microsoft Learn
• Tanium is a Proud Participant in the Microsoft Security Copilot Partner Private Preview | Tanium
• Transform Security and Operations with Tanium and Microsoft | ODFP276

 

Crowdsec

CrowdSec Threat Intelligence provides information about IP addresses and verification or identification of potentially aggressive IP addresses. You can use the CrowdSec Cyber Threat Intelligence (CrowdSec CTI) plugin with Microsoft Security Copilot.

• CrowdSec Cyber Threat Intelligence and Microsoft Security Copilot | Microsoft Learn

 

Cyware

Cyware Respond is an end-to-end incident management and threat response automation platform. You can use the Cyware Respond plugin with Microsoft Security Copilot to find specific types of incidents, actions, applications, critical software assets, malware, vulnerabilities, and more.

• Cyware Respond and Microsoft Security Copilot | Microsoft Learn

 

Greynoise

Greynoise’s integration enables users to leverage the Greynoise database to enhance their organization's security posture, identify emerging threats, and prioritize response efforts. Users can configure the Greynoise Enterprise or Greynoise Community plugin with Security Copilot to get information about IP addresses, scanning activity, and attacker behaviors.

• Greynoise Enterprise and Microsoft Security Copilot | Microsoft Learn

 

URLscan

UrlScan.io is a free online service and tool that allows users to scan and analyze URLs (Uniform Resource Locators) or website links to determine potential security threats and risks associated with those URLs. It helps users assess the safety and trustworthiness of a website or a specific web page.

• UrlScan and Microsoft Security Copilot | Microsoft Learn

 

Valence

The Valence SaaS Security Platform provides visibility and remediation capabilities for business-critical SaaS applications. Users can investigate user activity across multiple SaaS platforms and create reports to understand a specific user's SaaS security posture.

• Valence Security and Microsoft Security Copilot | Microsoft Learn

 

CIRCL

CIRCL Hash Lookup’s integration enables users to validate suspicious files in the form of hashes, either MD5, SHA-1, or SHA-256, in Security Copilot. Users can leverage this plugin to get information about a file and verify whether it's allowlisted or blocklisted by trusted security platforms.

• CIRCL Hash Lookup and Microsoft Security Copilot | Microsoft Learn

 

Part 3: Grow into an Expert

 

Module 1: Custom Promptbooks

 

What are Custom Promptbooks?

Security Copilot comes with prebuilt promptbooks, a series of prompts that have been put together to accomplish specific security-related tasks. They can function in a similar way to security playbooks, ready-to-use workflows that can serve as templates to automate repetitive steps, for instance, with regards to incident response or investigations. Each prebuilt promptbook requires a specific input (for example, a code snippet or a threat actor name). Custom promptbooks consist of the natural language prompts you choose in the order you wish them to run to meet your unique common security-related use cases to optimize your workflows.

 

To learn more on how to create and manage custom promptbooks, see Leverage Custom Promptbooks to Optimize your Security Workflows | Microsoft Security Copilot Tech Community.

 

For more on promptbooks and Copilot’s promptbook library, see Using promptbooks in Microsoft Security Copilot | Microsoft Learn.

 

Call to Action

• Test your own Custom promptbooks based off your unique use case scenarios.
• Test and use Sample promptbooks from our GitHub here.

 

Module 2: Custom Plugins

 

Training Resources

• Learn how to manage custom plugins effectively in Microsoft Security CoPilot to enhance security measures and streamline processes.
• You can also see how to create a custom plugin here.
• View the Ninja Training Show, capturing how to create a custom plugin.
• Tech Community blog series showcasing how to create a custom plugin.

 

Security Copilot Custom Plugin Workshop Resources

• Discover the Custom Plugin Workshop within the Copilot-For-Security repository's Technical Workshops section on GitHub, designed to elevate your expertise in plugin customization.
• Security Copilot GitHub custom plugin samples.
• Security Copilot Microsoft Plugin samples.

 

Module 3: Automation Scenarios for Microsoft Security Copilot using Logic Apps

 

• Discover how to integrate Security Copilot with Logic Apps seamlessly to automate security incident response workflows effectively.
• Workshop for automation scenarios: Discover the Logic Apps and Automation Workshop within the Copilot-For-Security repository's Technical Workshops section on GitHub, meticulously crafted to enhance your proficiency in leveraging automation and Logic Apps for streamlined security operations.
• GitHub Automation Scenarios for Security Copilot samples.
• Tech community Blog on Using Logic App Connector with Security Copilot: Announcing Security Copilot Azure Logic App connectors (microsoft.com)

 

Module 4: Connect your Knowledge Base to Microsoft Security Copilot

 

Microsoft Security Copilot allows you to integrate your organization’s knowledge base (KB) as an additional source of information. The inclusion of knowledge bases gives Copilot more context, resulting in responses that are more relevant, specific, and customized to the user.

 

 

Standalone

Skills

• Azure AI Search (Preview)
  • Search Azure AI Search index
    • Search and retrieve text context from your Azure AI Search index.
• File Uploads
  • Query Uploaded Files
    • Answers questions using user’s uploaded files

 

Additional resources

• Security Copilot: Customize your Copilot | Microsoft Secure Tech Accelerator – How to connect your knowledgebase to Security Copilot
• Github | Security Copilot Technical Workshop – Connect your knowledgebase with Security Copilot