IT scenario: Perform a security incident investigation
Available with: Copilot for Security
Scenario level:
KPIs impacted
IT management costs
Application downtime
Value benefit
Cost savings
Employee experience
Using Copilot to perform a security incident investigation
1. Summarize incident
A security analyst wants to get a summary of an incident in Defender XDR or Unified Security Operations Platform.
Copilot for Security
Prompt: Summarize Defender incident <DEFENDER_INCIDENT_ID>
Activity in embedded: Alternatively, open the incident page in the Defender XDR portal or Unified SecOps platform and click on the incident.
2. Guided response
The analyst wants to check how to respond to the incident.
Copilot for Security
Prompt: How to respond to this incident?
Activity in embedded: Guided response offers actions that can be taken to remediate the incident
3. IP reputation
The analyst wants to check if the IP address involved belongs to a known threat actor.
Copilot for Security
Prompt: What is the reputation for the IPv4 addresses observed in this incident?
4. Impacted devices
The analyst wants to generate a KQL query to check which user devices may be impacted.
Copilot for Security
Prompt: If a user is listed in the incident details, show which devices they have used recently and indicate whether they are compliant with policies.
Activity in embedded: Use the Generate KQL queries for advanced hunting option for a guided experience to
5. Verify OS updates
The analyst checks to see if the impacted devices have the latest operating system updates.
Copilot for Security
Prompt: If any devices are listed in the previous output, show details from Intune on the one that checked in most recently. Especially indicate if it is current on all operating system updates.
6. Create report
Generate an incident report to document the incident and communicate with the leadership team.
Copilot for Security
Prompt: Write an executive report summarizing this investigation. It should be suited for a non-technical audience.
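The following advanced hunting query is an added illustration of the kind of KQL that step 4 asks Copilot to generate; it is not from this scenario page and not Copilot's own output. It assumes the account name from the incident details is "jdoe" (placeholder), a 7-day lookback, and the DeviceLogonEvents and DeviceInfo tables of Defender XDR advanced hunting. Intune compliance state is not held in these tables, so the query surfaces the OS build per device and leaves the compliance and update check to Intune, as step 5 does.

```kql
// Placeholder account taken from the incident details (assumption)
let targetUser = "jdoe";
// Lookback window for "recently used" devices (assumption)
let lookback = 7d;
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where AccountName =~ targetUser
| where ActionType == "LogonSuccess"
// One row per device: last successful logon and how often the user signed in
| summarize LastLogon = max(Timestamp), LogonCount = count() by DeviceId, DeviceName
| join kind=leftouter (
    // Most recent inventory record per device for OS platform and build
    DeviceInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, OSPlatform, OSVersion, OSBuild, IsAzureADJoined) by DeviceId
  ) on DeviceId
// Compliance with Intune policies is not in DeviceInfo; check it in Intune (step 5)
| project DeviceName, LastLogon, LogonCount, OSPlatform, OSVersion, OSBuild, IsAzureADJoined
| order by LastLogon desc
```

The `=~` operator makes the account match case-insensitive, and `arg_max` keeps only the latest DeviceInfo row per device so the join does not multiply logon rows. The resulting device list is the input for the Intune check in step 5.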
1 Access Copilot at copilot.microsoft.com or the Microsoft Copilot mobile app and set toggle to “Web”.
2 Access Business Chat at copilot.microsoft.com or the Microsoft Copilot mobile app and set toggle to “Web”.
3 Copilot agents allow Microsoft 365 Copilot to access your company-specific apps. In the past, this would have required an API call to get data from a system of record.
The content in this example scenario is for demonstration purposes only. You should evaluate how Copilot aligns with your organization’s business processes, regulatory requirements, and responsible AI principles.