Using promptbooks in Copilot for Security

Jun 16, 2024 | Microsoft 365 Copilot

Effectively combating cyber threats requires efficient and accurate analysis tools. Microsoft Copilot for Security introduces an innovative approach with its promptbooks, which are collections of predefined prompts designed to guide investigations and analyses. These promptbooks streamline complex security tasks, making the process faster and more reliable.

Promptbooks are structured sequences of prompts that guide Microsoft Copilot for Security through specific tasks. Each prompt builds on the previous one, allowing the AI to conduct thorough investigations or analyses. Promptbooks can be prebuilt, covering common security scenarios, or custom-made to address unique organizational needs.

Hi Copilot for Security, let’s analyze a script

To illustrate the power and utility of promptbooks, let’s walk through a scenario where a security team needs to analyze a suspicious PowerShell script detected on their network. Using the “Suspicious Script Analysis” promptbook, the team can efficiently determine the script’s intent and potential threat.

The promptbook will execute a chain of prompts that will:

  • Explain the PowerShell script
  • Check whether there are any threat indicators found
  • Use Defender TI to try and determine the threat actor
  • Advise the security team whether the script is malicious or not

Explore the built-in promptbooks

Copilot for Security comes with a wide variety of built-in promptbooks. There are promptbooks available for incident investigation, script analysis, vulnerability impact assessment, and more.

By clicking on the prompt icon in the prompt field, you get access to your plugin settings.

After opening the “prompt” panel, you can click on See all promptbooks to get a complete overview of what is available. I would recommend playing with these promptbooks and exploring them. This gives you a good overview of what promptbooks are capable of.

What does a promptbook consist of?

Promptbooks in Microsoft Copilot for Security are not only pre-configured workflows but also highly adaptable tools thanks to their ability to utilize variables. These variables allow for dynamic inputs, making promptbooks versatile for a range of scenarios.

Variables

Consider the “Suspicious Script Analysis” promptbook as an example. Within this promptbook, you might see a placeholder like “SNIPPET” in the initial prompt. This placeholder is a variable that will be replaced with the actual content you wish to analyze—in this case, the “script to analyze.”

Variables are crucial because they allow promptbooks to be reused across different situations without the need for extensive modifications. For the “Suspicious Script Analysis” promptbook, this means you can analyze various scripts simply by changing the input, leveraging the same workflow for each analysis. This flexibility is particularly beneficial in cybersecurity, where different incidents may involve diverse scripts and code snippets that require analysis.

By incorporating variables, promptbooks become powerful tools that adapt to the specific needs of each SOC task, ensuring that security teams can quickly and effectively respond and prevent a wide range of threats.

This dynamic approach not only saves time but also ensures that the analysis is consistent and thorough, leveraging the predefined logic of the promptbook while accommodating the unique details of each situation.

Creating your own promptbook

Creating a promptbook is actually easy!

  1. Just start a chat with Copilot and execute all the prompts that you would like to be part of your promptbook.
  2. Once you have selected the prompts that you would like to include in your promptbook, click on the “create promptbook” icon in the top menu.
  3. Fill in the form (give the promptbook a name and description).
  4. Replace your script with SNIPPET or any other variable name of your liking. Note that certain keywords are reserved (e.g. it is not possible to use “script” as a variable name).
  5. Click on create.

Your promptbook is now created. Congratulations!
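To make the structure described in the Variables section and the creation steps above concrete, here is an added illustration (not Copilot for Security code or its API) that models a promptbook as an ordered list of prompt templates with placeholder variables. The `<NAME>` placeholder syntax, the `Promptbook` class and the sample script are assumptions made for this example; the reserved keyword “script” is the one the post mentions.

```python
import re
from dataclasses import dataclass, field

# "script" is reserved according to the post; the set can be extended as needed.
RESERVED_VARIABLES = {"script"}
# Assumed placeholder syntax for this illustration, e.g. <SNIPPET>.
PLACEHOLDER = re.compile(r"<([A-Z_][A-Z0-9_]*)>")


@dataclass
class Promptbook:
    name: str
    description: str
    prompts: list[str] = field(default_factory=list)

    def variables(self) -> list[str]:
        """Distinct placeholder names across all prompts, in order of first use."""
        seen: list[str] = []
        for prompt in self.prompts:
            for name in PLACEHOLDER.findall(prompt):
                if name not in seen:
                    seen.append(name)
        return seen

    def validate(self) -> list[str]:
        """Return a list of problems; an empty list means the promptbook is acceptable."""
        problems: list[str] = []
        if not self.prompts:
            problems.append("promptbook has no prompts")
        for name in self.variables():
            if name.lower() in RESERVED_VARIABLES:
                problems.append(f"variable name {name!r} is reserved")
        return problems

    def render(self, **inputs: str) -> list[str]:
        """Fill every placeholder; refuse to run if an input is missing so no prompt goes out half-filled."""
        missing = [v for v in self.variables() if v not in inputs]
        if missing:
            raise KeyError(f"missing inputs for variables: {missing}")
        return [PLACEHOLDER.sub(lambda m: inputs[m.group(1)], p) for p in self.prompts]


# The four-step chain from the "Suspicious Script Analysis" walkthrough, modelled as data.
SUSPICIOUS_SCRIPT_ANALYSIS = Promptbook(
    name="Suspicious Script Analysis (illustration)",
    description="Explain a script, look for threat indicators, attribute them, and advise.",
    prompts=[
        "Explain what the following PowerShell script does: <SNIPPET>",
        "Check whether there are any threat indicators in the script.",
        "Use Defender TI to try and determine the threat actor behind these indicators.",
        "Advise the security team whether the script is malicious or not.",
    ],
)

# Constructed, harmless sample input so the example runs offline.
SAMPLE_SCRIPT = "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"
```

Calling `SUSPICIOUS_SCRIPT_ANALYSIS.render(SNIPPET=SAMPLE_SCRIPT)` yields the four prompts in execution order, while a promptbook that tries to use `<SCRIPT>` as a variable fails `validate()`.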

Execute a promptbook

Executing a promptbook in Microsoft Copilot for Security can be done in two straightforward ways, each offering a seamless experience to automate your security workflows.

From Within a Chat

  • Access the Prompt Icon: Begin by navigating to the prompt icon within your chat interface.
  • Browse and Select: Browse through the available prompts until you find the desired promptbook. This process is similar to how you explore built-in promptbooks.
  • Input Variables: Once you’ve selected the promptbook, fill in any required variables (if applicable).
  • Run the Promptbook: Click on “Run” to automatically deploy and execute all the prompts in sequence. This ensures each step of the promptbook is carried out efficiently.

From the Promptbook Library

  • Navigate to the Library: Access the “Promptbook Library” from the main menu of Copilot for Security.
  • Select the Promptbook: Click on the title of the promptbook you wish to run. This action opens a window similar to the one used during a chat session.
  • Input Variables and Start: Fill in any necessary variables and click on “Start New Session”. This initiates a new Copilot for Security session, deploying all prompts. The prompts will be executed one by one, ensuring a comprehensive analysis or investigation.

These methods offer flexibility, allowing users to quickly and effectively execute promptbooks based on their needs and preferences. Whether initiating from a chat or directly from the promptbook library, Copilot for Security ensures a streamlined and user-friendly process for managing security tasks.

Conclusion

Promptbooks in Microsoft Copilot for Security are a transformative tool for standardizing Security Operations Center (SOC) activities. By automating and streamlining complex security workflows, promptbooks enhance the efficiency and consistency of SOC operations. They enable security teams to quickly respond to incidents, analyze potential threats, and generate comprehensive reports, all while maintaining high accuracy. Whether using built-in promptbooks or creating custom ones, SOC teams can significantly boost their productivity and effectiveness, ultimately leading to a more robust security posture for the organization.

By integrating promptbooks into daily operations, SOC teams can ensure standardized procedures, reduce the risk of human error, and free up valuable resources to focus on more strategic tasks. The adaptability and ease of use of promptbooks make them an invaluable asset in the ongoing battle against cyber threats.