Tips & Tricks for Maximising Threat Detection with Microsoft Copilot for Security

Security analysts need all the help they can get when identifying threats. We show you how to use Microsoft Copilot for Security to maximise threat detection for proactive cyber defence.

23.04.24 Charles Griffiths

Cyber threats are a constant worry, and continually evolve. If left unaddressed and unprepared for, attacks threaten an organisation’s IT systems, networks, and cloud infrastructure.

Consequences beyond the initial data breach include business disruptions, financial losses, and reputational damage. Most worryingly, cyber attacks are becoming more common.

It’s no surprise that 71% of organisations now prioritise investments in AI and machine learning for cyber security, compared to just two years ago.

Copilot for Security allows companies of all sizes to proactively identify threats and mitigate their potentially devastating impact.

Threat Detection in Microsoft Copilot for Security

Microsoft Copilot for Security is the first generative AI solution designed to empower security and IT professionals in the cyber security industry.

This AI security tool helps organisations catch what experts might miss, move swiftly, and strengthen team expertise with ease. It works by leveraging Microsoft’s large-scale data and threat intelligence, including over 78 trillion security signals processed by Microsoft daily.

By combining this intelligence with advanced language models, Copilot for Security delivers tailored, deeper insights and guidance for the necessary steps, making threat detection and management quicker and easier for security teams.

A recent study showed that experienced security analysts using Copilot were 22% faster in their tasks, 7% more accurate across all activities, and 97% expressed a desire to continue using Copilot. Microsoft Copilot for Security breaks down learning barriers and improves the work experience for all security professionals.

Key features and benefits of Copilot for Security include:

Generative AI: Copilot assists IT professionals in security tasks, generates responses, and enhances decision-making.

Speed and Scale: Protect at the speed and scale of AI, transforming security operations from reactive system defence to a more proactive strategy.

Collaboration: Strengthen collaboration among security teams.

Global Threat Intelligence: Copilot is always many steps ahead with real-time threat data from Microsoft data centres.

Customisable: Tailor Copilot for Security to your organisation’s needs.

Pay-as-You-Go Licensing: Flexible pricing model for greater accessibility.

Maximising Copilot Threat Detection

Optimise Your Prompts:

Maximising Copilot’s threat detection begins with writing clear and specific prompts. You can experiment with different variations to find what works best for your use case. Good prompts lead to better results, so invest time in refining your prompts.

Let’s explore how to effectively use prompts in Microsoft Copilot for Security to enhance threat detection:

Accessing Copilot for Security:

  • On the Copilot home page, click the sparkle icon at the prompt bar.
  • You’ll find a list of promptbooks and individual prompts that you can start with — promptbooks are collections of related prompts designed for specific security tasks.

Create Your Prompts:

  • Use the same prompt bar to directly write requests in your own words.
  • Type your question or instruction for Copilot for Security and click Send or press Enter.
  • Wait for Copilot to generate a response.
  • Observe the process log to see the steps taken to form the response.

Review and Refine:

  • Carefully read the generated response. Verify if it meets your needs and is accurate.
  • If necessary, try again, asking the question differently or providing additional context.
  • You can also cancel, edit, or delete your prompt during response generation.

Provide Feedback:

  • Copilot doesn’t always get everything right, so your feedback is valuable — especially since it gets to learn to serve you better.
  • Use the feedback buttons at the bottom of the response:
    • Looks right: If you’re satisfied with the response.
    • Needs improvement: If you’re not satisfied and want to provide details.
    • Inappropriate: If the response is concerning or unexpected.

Remember, effective prompts lead to more accurate and relevant outputs. Experiment, iterate, and refine your prompts to get the best results!

Leverage Threat Intelligence:

Microsoft Copilot for Security lists and summarises relevant campaigns, activities, and threat actors, providing links to related threat analytics reports or intel profiles. You can type the query “Summarise” in the prompt bar to get an overview of the latest threats in your environment.

Follow these steps to leverage threat intelligence effectively in Microsoft Copilot for Security:

Use the Copilot for Security standalone portal to get threat intelligence:

  • Sign in to Microsoft Copilot for Security with your credentials.
  • Ensure that the Defender TI plugin is turned on.
  • In the prompt bar, select the Sources icon.
  • In the Manage plugins pop-up window that appears, confirm that the Microsoft Defender Threat Intelligence toggle is turned on, then close the window.

Experiment with Effective Prompts:

  • Be clear and specific with your prompts.
  • For better results, include specific threat actor names or IOCs (Indicators of Compromise) in your prompts.
  • For example:
    • “Show me threat intelligence data for Aqua Blizzard.”
    • “Summarise threat intelligence data for malicious.com.”
    • Be specific when referencing an incident, e.g., “incident ID 15324.”
  • Experiment with different prompts and variations to find what works best for your use case.
  • Remember that chat AI models vary and this AI security tool is the first of its kind, so iterate and refine your prompts based on the results you receive.

Review Previous Sessions:

  • Copilot for Security saves your prompt sessions.
  • To see previous sessions, go to the Copilot Home menu and navigate to My sessions — doing this can give you a better understanding of Copilot and also improve your prompt skills.

Build Effective Hunting Theories:

Copilot helps you build impactful hunting theories quickly by reasoning over Microsoft Defender Threat Intelligence (MDTI). Using natural language queries to create hypotheses also enhances your threat-hunting efficiency.

Let’s explore how you can build effective hunting theories in Microsoft Copilot for Security with proactive threat detection:

Understand Threat Hunting

  • Threat hunting involves actively searching for signs of compromise or malicious activity within your network.
  • Unlike traditional security methods that rely on alerts or signatures, threat hunting requires hypotheses, techniques, and tools to uncover hidden threats.

Reasoning Over Microsoft Defender Threat Intelligence (MDTI)

  • Copilot for Security assists in building impactful hunting theories by reasoning over MDTI.
  • Use natural language queries to create hypotheses related to specific threats or indicators.

Experiment with Queries

  • Start with specific queries related to threat actors, IOCs, or suspicious activities.
  • Iterate and refine your queries based on the results you receive.

Leverage Copilot’s Expertise

  • Copilot provides expertise at your fingertips, even if you lack specific technical knowledge.
  • Use Copilot to quickly build and validate hunting theories.

Remember that effective threat hunting requires a combination of human expertise and AI-powered detection tools. By leveraging Copilot for Security, you can enhance your threat detection capabilities and stay ahead of emerging risks!
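
To make the idea of a hunting theory concrete, here is an added example (not from the original article and not Copilot output) of one hypothesis written as a Microsoft Defender XDR advanced hunting query in KQL. It assumes the standard DeviceNetworkEvents table and reuses the article's placeholder domain malicious.com; the hypothesis, the variable names and the 30-day lookback are constructed for illustration.

```kql
// Hypothesis (constructed): at least one device has contacted the domain IOC
// "malicious.com" (the placeholder domain used in this article) recently.
let ioc_domain = "malicious.com";   // assumption: replace with the IOC under investigation
let lookback = 30d;                 // assumption: adjust to your retention window
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where isnotempty(RemoteUrl)
// RemoteUrl can hold a bare host or a full URL: strip any scheme, then take
// everything up to the first "/", ":", "?" or "#" as the host name.
| extend Host = tolower(extract(@"^(?:[a-zA-Z][a-zA-Z0-9+.\-]*://)?([^/:?#]+)", 1, RemoteUrl))
// Match the domain itself or a true subdomain. A plain "contains" would also
// match look-alikes such as "notmalicious.com" and inflate the results.
| where Host == ioc_domain or Host endswith strcat(".", ioc_domain)
// One row per device and initiating process, so the analyst can see what
// made the connection and over what period.
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Connections = count(),
            RemoteIPs = make_set(RemoteIP, 20)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, Host
| order by LastSeen desc
```

An empty result does not disprove the hypothesis on its own: it only covers devices onboarded to Defender and the chosen lookback period. The same host-matching check is worth applying when reviewing any KQL that Copilot generates for a domain indicator.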

Stay Updated

Regularly update Copilot and associated Microsoft software to benefit from the latest features and threat intelligence. Keep plugins, third-party software, and networks in your environment current to ensure optimal performance and minimise the chances of a security breach.

Customise Plugin Settings

Maximise threat detection and personalise your Copilot experience by configuring plugin settings. For example, specify preferences for the Microsoft Sentinel plugin, such as workspace selection.

Follow these steps to customise plugin settings in Microsoft Copilot for Security:

Turn Plugins On or Off

You can select which plugins Copilot for Security uses as a data source by turning service toggles on or off. Here’s how:

  • Select the Copilot for Security plugin icon.
  • Choose the plugin you’d like to use by turning the toggle on or off.

Personalise Plugin Settings

Copilot for Security allows you to further personalise your experience by configuring specific plugin settings. For example, if you want the Microsoft Sentinel plugin to use a designated workspace for each prompt, you can specify the workspace in the settings.

Manage Custom Plugins

As an admin, you can set permissions for adding custom plugins — by default, only admins can add and manage their own custom plugins. They can also specify who other than themselves can add and manage custom plugins for everyone in the organisation.

Custom plugins added by admins can be set to be available only to them or to anyone in the organisation. Remember that only admins can make modifications to custom plugins.

Collaborate and Learn

Collaborate with other security professionals and explore learning resources, videos, and documentation to enhance your skills.

Microsoft Copilot for Security provides several options to do this:

Microsoft Learn — Visit the Microsoft Learn page dedicated to Microsoft Copilot for Security. Explore various learning paths, modules, and resources to deepen your understanding.

Embedded Experiences — Access Copilot for Security directly from some Microsoft security products. For example, within Microsoft Defender XDR, you can:

  • Summarise incidents
  • Analyse scripts and code
  • Generate KQL queries for hunting
  • Use guided response
  • Create incident reports
  • Summarise device information
  • Analyse files

Documentation Libraries — Each embedded experience has its own documentation library. For specific guidance related to a particular service, refer to the corresponding documentation. For example, if you access a Microsoft Defender XDR embedded experience, find the relevant documentation in the Microsoft Defender XDR documentation.

Remember that collaboration and continuous learning are essential for maximising the benefits of Microsoft Copilot for Security. However, you are not limited to the Microsoft ecosystem. Feel free to explore communities on GitHub, Stack Overflow, etc.

The more knowledge you have on Copilot for Security and new threats, the better you become at using it as a threat-detection tool.

Get Copilot-Ready

Copilot for Security’s powerful features make it a great addition to any cybersecurity team. But integrating Copilot can feel daunting.

AAG’s comprehensive support helps you get the most out of Microsoft Copilot for Security. An initial consultation and readiness assessment ensures that the new services can be accessed securely, while customised training helps your team understand Copilot features and its applications in their workflows. We’ll even run regular updates based on your usage to keep your Copilot services optimised.

Free Copilot Demo Call

You can book a free Copilot demo call with one of our team today.