Security Copilot with Microsoft Sentinel
Microsoft Security Copilot is a platform that helps you defend your organization at machine speed and scale. Microsoft Sentinel's vast security data provides an excellent source for Copilot to help analyze incidents and generate hunting queries.
Together with other Security Copilot sources you enable, your Microsoft Sentinel incidents and data provide wider visibility into threats and their context for your organization.
Know before you begin
If you're new to Security Copilot, you should familiarize yourself with it by reading these articles:
- What is Microsoft Security Copilot?
- Microsoft Security Copilot experiences
- Get started with Microsoft Security Copilot
- Understand authentication in Microsoft Security Copilot
- Prompting in Microsoft Security Copilot
Security Copilot integration with Microsoft Sentinel
This integration primarily supports the standalone experience accessed through https://securitycopilot.microsoft.com, where you interact in a chat-like experience to summarize incidents and get other answers about your security data. For more information, see Microsoft Security Copilot experiences.
Key features
Microsoft Sentinel data integrates with Security Copilot in two ways.
- In Microsoft's unified security operations platform, Copilot in Microsoft Defender XDR benefits from unified incidents integrated with Microsoft Sentinel.
- In the standalone experience, Microsoft Sentinel provides two plugins to integrate with Security Copilot:
  - Microsoft Sentinel (Preview)
  - Natural language to KQL for Microsoft Sentinel (Preview)
Important
The "Microsoft Sentinel" and "Natural Language to KQL for Microsoft Sentinel" plugins are currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Enable Security Copilot integration with Microsoft Sentinel
To maximize your Security Copilot integration with Microsoft Sentinel, do the following:
- configure a default Microsoft Sentinel workspace for Security Copilot
- connect your Microsoft Sentinel workspace to Microsoft Defender XDR
Configure a default Microsoft Sentinel workspace
Increase your prompt accuracy by configuring a Microsoft Sentinel workspace as the default.
1. Navigate to Security Copilot at https://securitycopilot.microsoft.com/.
2. Open Sources in the prompt bar.
3. On the Manage plugins page, set the toggle to On.
4. Select the gear icon on the Microsoft Sentinel (Preview) plugin.
5. Configure the default workspace name.
Tip
Specify the workspace in your prompt when it doesn't match the configured default.
Example: What are the top 5 high priority Sentinel incidents in workspace "soc-sentinel-workspace"?
Integrate Microsoft Sentinel with Copilot in Defender
Use the Microsoft Defender portal with your Microsoft Sentinel data for an embedded Security Copilot experience. Microsoft Sentinel's unique data sources flowing into Microsoft Defender XDR unified incidents allow Copilot in Defender to maximize its capabilities.
For example:
- The SAP (Preview) solution is installed in your Microsoft Sentinel workspace.
- The near real-time rule SAP - (Preview) File Downloaded From a Malicious IP Address triggers an alert, creating a Microsoft Sentinel incident.
- Microsoft Sentinel is onboarded to the Defender portal.
- Microsoft Sentinel incidents are now unified with Defender XDR incidents.
- Use Copilot in Microsoft Defender for the incident summary, guided responses, and incident reports.
For more information, see the following resources:
- Integrate Microsoft Defender XDR
- Microsoft Sentinel in the Microsoft Defender portal
- Copilot in Microsoft Defender
Integrate Microsoft Sentinel with Security Copilot in advanced hunting
The Natural language to KQL for Microsoft Sentinel (Preview) plugin generates and runs KQL hunting queries using Microsoft Sentinel data. This capability is available in the standalone experience and the advanced hunting section of the Microsoft Defender portal.
Note
In the unified Microsoft Defender portal, you can prompt Security Copilot to generate advanced hunting queries for both Defender XDR and Microsoft Sentinel tables. Not all Microsoft Sentinel tables are currently supported.
For more information, see Security Copilot in advanced hunting.
Sample Microsoft Sentinel prompts
Consider the Microsoft Sentinel incident investigation promptbook as a starting point for creating effective prompts. This promptbook delivers a report about a specific incident, along with related alerts, reputation scores, users, and devices.
| Guidance | Prompt |
|---|---|
| Nudge Copilot to provide human readable information instead of responding with object IDs. | Show me Sentinel incidents that were closed as a false positive. Supply the Incident number, Incident Title, and the time they were created. |
| Copilot knows who you are. Use the "me" pronoun to find incidents related to you. The following prompt targets incidents assigned to you. | What Sentinel incidents created in the last 24 hours are assigned to me? List them with highest priority incidents at the top. |
| When you narrow a prompt response down to a single incident, Copilot knows the context. | Tell me about the entities associated with that incident. |
| Copilot is good at summarizing. Describe a specific audience you want the prompts and responses summarized for. | Write an executive report summarizing this investigation. It should be suited for a nontechnical audience. |
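The Natural language to KQL plugin described earlier turns prompts like the ones in this table into KQL that runs against the Sentinel workspace. As an added illustration (not output from the plugin and not part of the original article), the following three queries are hand-written KQL equivalents of the first three sample prompts, run against the built-in SecurityIncident and SecurityAlert tables. They are separate queries; run one at a time. The 30-day lookback, the user principal name, and the incident number are placeholders, and knowing that SecurityIncident stores one row per incident update (so the latest row must be selected first) is the detail worth checking in any query Copilot generates for you.

```kusto
// Query 1 - "Show me Sentinel incidents that were closed as a false positive.
//            Supply the Incident number, Incident Title, and the time they were created."
// SecurityIncident logs a new row every time an incident changes, so take the
// most recent row per IncidentNumber before filtering on Status/Classification.
SecurityIncident
| where TimeGenerated > ago(30d)                       // assumption: 30-day lookback window
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status == "Closed" and Classification == "FalsePositive"
| project IncidentNumber, Title, CreatedTime, ClassificationReason
| order by CreatedTime desc

// Query 2 - "What Sentinel incidents created in the last 24 hours are assigned to me?
//            List them with highest priority incidents at the top."
// Copilot resolves "me" from the signed-in user; here a placeholder UPN stands in.
let me = "analyst@contoso.example";                    // placeholder, not a real account
SecurityIncident
| where CreatedTime > ago(24h)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| extend AssignedTo = tostring(Owner.userPrincipalName)
| where AssignedTo =~ me
// Severity is a string, so map it to a rank to sort High first.
| extend SeverityRank = case(Severity == "High", 1,
                             Severity == "Medium", 2,
                             Severity == "Low", 3,
                             4)
| order by SeverityRank asc, CreatedTime desc
| project IncidentNumber, Title, Severity, Status, CreatedTime, IncidentUrl

// Query 3 - "Tell me about the entities associated with that incident."
// Incidents reference alerts by ID; the entities live on the alert rows.
let incident = 1234;                                   // placeholder incident number
SecurityIncident
| where IncidentNumber == incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
  ) on $left.AlertId == $right.SystemAlertId
| mv-expand Entity = todynamic(Entities)
| project IncidentNumber, AlertName, EntityType = tostring(Entity.Type), Entity
```

The `summarize arg_max(TimeGenerated, *) by IncidentNumber` step is the one most often missing from naive queries: without it, an incident that was reopened or reclassified appears once per update, inflating counts and returning stale status values.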
For more prompt guidance and samples, see the following resources:
- Using promptbooks
- Prompting in Microsoft Security Copilot
- Rod Trent's Security Copilot Prompt Library
Provide feedback
Your feedback is vital to guide the current and planned development of the product. The best way to provide this feedback is directly in the product. Select How’s this response? at the bottom of each completed prompt and choose any of the following options:
- Looks right - Select if the results are accurate, based on your assessment.
- Needs improvement - Select if any detail in the results is incorrect or incomplete, based on your assessment.
- Inappropriate - Select if the results contain questionable, ambiguous, or potentially harmful information.
For each feedback option, you can provide more information in the next dialog box that appears. Whenever possible, and especially when the result is Needs improvement, write a few words explaining what can be done to improve the outcome. If you entered prompts specific to Azure Firewall and the results aren't related, then include that information.
Privacy and data security in Security Copilot
To understand how Security Copilot handles your prompts and the data that's retrieved from the service (prompt output), see Privacy and data security in Microsoft Security Copilot.