Security Copilot in Microsoft Purview Overview
Microsoft Security Copilot is a cloud-based AI platform that can assist security and compliance professionals in protecting their organization's data. Security and compliance professionals can use Security Copilot to identify, summarize, triage, and remediate issues within the following Microsoft Purview solutions:
- Microsoft Purview Data Loss Prevention (DLP)
- Microsoft Purview Insider Risk Management
- Microsoft Purview Communication Compliance
- Microsoft Purview eDiscovery
For more information about what Security Copilot can do and the different scenarios it supports, read What is Microsoft Security Copilot?
Know before you begin
If you're new to Security Copilot, you should familiarize yourself with it by reading these articles:
- What is Microsoft Security Copilot?
- Microsoft Security Copilot experiences
- Get started with Microsoft Security Copilot
- Understand authentication in Microsoft Security Copilot
- Prompting in Microsoft Security Copilot
- Configure Owner settings
Security Copilot integration in Microsoft Purview
When you sign up for Security Copilot in the same tenant as Microsoft Purview, you can use both the Security Copilot embedded and standalone experiences. Security Copilot capabilities, like summarizing DLP or insider risk management alerts, are embedded into Microsoft Purview features.
Copilot in Microsoft Purview embedded experiences is a set of capabilities that are embedded in Microsoft Purview features. For more information, see standalone and embedded experiences.
Copilot in Microsoft Purview standalone experience is a chat-like experience that you can use to ask questions and get answers about your data. For more information, see standalone and embedded experiences.
Key features in the embedded experience
You can open Security Copilot in Microsoft Purview by selecting the Copilot icon in the top navigation bar. It is available across all Microsoft Purview solutions.
The embedded experience in Purview can help you:
- Get AI-generated summaries from Microsoft Purview product documentation.
- Summarize alerts in DLP. For more information on this and how to access Copilot in DLP, see Investigate a DLP alert.
- Get insights into policies. Security Copilot can help you understand what your policies are doing in your organization, and where they're active. For more information, see Get insights with Security Copilot.
- Summarize alerts in insider risk management. For more information on this and how to access Copilot in Insider Risk Management, see Investigate insider risk management activities.
- Summarize policy matches based on trainable classifiers for communication compliance. Communication compliance also provides an interactive prompt experience to dig deeper into the summary. For more information on this and the steps to access Copilot in Communication Compliance, see Investigate and remediate communication compliance alerts.
- Get a contextual summary for eDiscovery cases. For more information, see Group and view documents in a review set in eDiscovery (Premium).
- Gain insights in activity explorer data and generate filters from natural language prompts (preview). For more information, see Security Copilot in activity explorer (preview).
Key features in the standalone experience
The Copilot in Microsoft Purview standalone experience has many capabilities built in. You can use these capabilities to get insights from your Purview data and make connections between datapoints. This information can help you understand your information security and compliance posture and triage alerts.
- DLP and Insider Risk Management data and user risk promptbook. Copilot in Microsoft Purview analyzes data from DLP and insider risk management and, by running multiple, sequential prompts contained in a promptbook, presents you with integrated results. For more information, see Microsoft Copilot in Microsoft Purview prompts and promptbooks.
System capabilities of Security Copilot
In the standalone experience, there are built-in capabilities (prompts) that are available once the Microsoft Purview plugin is enabled.
Copilot in Purview brings three types of capabilities:
- Summarize Microsoft Purview alerts.
- Triage Microsoft Purview alerts.
- Drill down into your Microsoft Purview data.
Enable the Microsoft Purview source in Microsoft Security Copilot
Important
Copilot in Purview must be enabled for both the standalone and embedded experiences to work.
Copilot in Purview is enabled by default. To enable or disable the Microsoft Purview source in Microsoft Security Copilot, follow these steps:
1. Ensure that you have permissions.
2. Open Sources in the prompt bar.
3. On the Manage plugins page, set the Purview toggle to On to enable or Off to disable.
Review the Microsoft Purview system capabilities
1. Select the capabilities control in the prompt bar.
2. Select See all system capabilities to see all the system capabilities that are available for Microsoft Purview. Here are a few:
- Get Data Risk Summary
- Get User Risk Summary
- Summarize Purview Alert
- Triage Purview Alerts
- Zoom into Purview Data and User Risk
Sample prompts
For guidance on writing effective prompts, see Prompting in Microsoft Security Copilot. Here are some examples:
- Show me the top five DLP alerts from the past 24 hours.
- Summarize the DLP alert with ID <12345>.
- What's the risk profile of the user that's associated with the DLP alert <12345>.
- Show me the top five Insider Risk Management alerts from the past 24 hours.
- What items did user <user> exfiltrate in the past 30 days.
Provide feedback
Your feedback is vital to guide the current and planned development of the product. The best way to provide this feedback is directly in the product. Select How’s this response? at the bottom of each completed prompt and choose any of the following options:
- Looks right - Select if the results are accurate, based on your assessment.
- Needs improvement - Select if any detail in the results is incorrect or incomplete, based on your assessment.
- Inappropriate - Select if the results contain questionable, ambiguous, or potentially harmful information.
For each feedback option, you can provide more information in the next dialog box that appears. Whenever possible, and especially when the result is Needs improvement, write a few words explaining what can be done to improve the outcome. If you entered prompts specific to Microsoft Purview and the results aren't related, then include that information.
Privacy and data security in Microsoft Security Copilot
To understand how Microsoft Security Copilot in Purview handles your prompts and the data that's retrieved from the service (prompt output), see Privacy and data security in Microsoft Security Copilot.