Mastering Promptbooks in Microsoft Copilot for Security: Best Practices, Key Takeaways, and Pro Tips

Cybersecurity incidents demand precision and speed. Microsoft Copilot for Security provides the capabilities to streamline responses, but mastering Promptbooks can take your security operations to the next level. In this blog, I’ll share best practices, key takeaways, and pro tips to help you fully leverage Promptbooks and optimize your prompt-writing for consistent, high-quality outcomes.

If you're planning to attend my upcoming session at TechnoSecurity West on Mastering Microsoft Copilot for Security Promptbooks: Creation, Application, and Beyond, this blog offers a sneak peek!

Why Promptbooks Are Essential in Microsoft Copilot for Security

In the fast-paced world of cybersecurity, time and accuracy are everything. Microsoft Copilot for Security empowers security teams to respond faster to incidents, but it’s the Promptbooks that enable them to do so with consistency and precision.

For a deeper dive into why Promptbooks are so crucial, you can check out my previous blog, The Essential Role of Promptbooks in Microsoft Copilot for Security. There, I break down how they help streamline operations, reduce errors, and provide a structured approach to managing security incidents.

Best Practices for Promptbooks

Promptbooks are the cornerstone of an efficient Microsoft Copilot for Security (referred to as Copilot in this article) strategy. By carefully crafting, organizing, and managing your prompts, you ensure more accurate and cost-effective results. Here are some best practices to consider when building and using Promptbooks:

• Craft Effective Prompts: A well-crafted prompt is clear, specific, and aligned with your security objectives. To ensure accuracy, include four key elements in your prompts: specify the data source or plugin Copilot should use (Source), define the specific security-related information you need (Goal), explain why you need the information and how you’ll use it (Context), and clarify the desired format or audience for the response (Expectations). For example, instead of just asking for "network vulnerabilities," ask Copilot to "identify the top five high-risk network vulnerabilities detected in the past 24 hours using Microsoft Sentinel." This level of detail provides Copilot with all the information it needs to generate a useful response.

• Balance Complexity and Quantity: Avoid overloading your promptbooks with unnecessary complexity. Each prompt should contribute directly to the overall goal of the investigation. Excessive prompts not only increase the likelihood of errors but also consume more Security Compute Units (SCUs), driving up costs. Streamlining your prompts ensures that every action is meaningful and cost-efficient. 

• Order Matters: The sequence of prompts can significantly influence the output. Since each response builds on the previous prompt, ensure the order logically progresses to avoid incomplete or misaligned results. Be cautious when reordering prompts in ongoing sessions, as this can lead to unintended outcomes.

• Chain Plugins with “Use”: Leverage the term "use" throughout your Promptbooks to chain plugins or data sources together. This ensures that Copilot pulls the most relevant data for each prompt and builds context accurately. For instance, chaining Microsoft Defender and Microsoft Sentinel plugins allows for a more comprehensive view of potential threats.

• Manage Resource Consumption: If a promptbook session runs longer than expected, using the Cancel option can save SCUs. This is particularly important when dealing with large datasets or extended investigations. Efficient use of SCUs helps keep costs under control while maintaining operational effectiveness.

Key Takeaways from the Presentation

The session will highlight several key takeaways that distinguish Microsoft Copilot for Security from other generative AI tools like ChatGPT:

• Copilot for Security is Specialized: Unlike general-purpose chatbots, Copilot for Security is specifically designed for cybersecurity use cases. It is less forgiving with incomplete or vague prompts that a multi-purpose LLM might tolerate, making it essential to be precise and detailed in your requests.

• Promptbooks Ensure Consistency: Relying on Promptbooks helps maintain consistency in responses, making your security operations more predictable and scalable. They serve as a repository of trusted prompts that your team can rely on across different scenarios, ensuring reliable outcomes.

• Effective Prompts = Better Results: The quality of the responses you receive from Copilot is directly tied to the quality of your prompts. Each prompt should include four key elements: the source of the data, the goal of the prompt, the context of the request, and the expected outcome. For example: “Using Microsoft Sentinel, generate a detailed report on the user John Doe, including login history and security events, so I can incorporate it into my ongoing investigation.” A more generic prompt structure would be: “Using <plugin name>, generate a <type of output format> about <subject ID> that <specific details needed>, so I can <purpose or context>.”

• Choosing the Right Plugin is Critical: With a wide range of available plugins, it’s crucial to choose the right one for the task at hand. Selecting the wrong plugin can lead to irrelevant or incorrect results, which can derail investigations or lead to higher costs. If you don’t know the correct data source, be as detailed and specific as possible so Copilot can find the best match. If you know the plugin is not correct, cancel it immediately to save on compute units.

• Prioritize Tasks for Copilot: Given the consumption model of Copilot for Security, prioritize its use for high-value tasks. For less critical needs, you may want to use other tools or search engines to save resources.

• Refine, Review, and Verify: Always refine your prompts as you go, but also take the time to review and verify the responses before acting. Human oversight is still critical in ensuring that Copilot’s responses meet the standards necessary for security operations. Feedback is essential for improving Copilot, so be sure to like any responses you find valuable.

Tips for Optimizing Copilot for Security

To help you make the most of your experience with Copilot, here are some practical tips for boosting your efficiency:

• Automate SCU Scheduling: Automate the provisioning of SCUs to better manage costs and ensure availability during critical periods. This allows you to allocate SCUs based on anticipated needs, avoiding potential delays in security operations. For a great breakdown on the topic, check out Stefano Pescosolido's guide.

• Allocate More SCUs for Prompt Development: Consider dedicating more SCUs to prompt development and optimization. The time spent refining your prompts will pay off in the long run by reducing errors and speeding up future responses.

• Explore Pre-Built Promptbooks: Don’t hesitate to use pre-built Promptbooks available in GitHub repositories like the Copilot for Security repository or Rod Trent: Copilot for Security Repository. These resources and others can save you valuable time and provide a solid foundation for building your own custom prompts.

• Leverage Other Generative AI Tools: Using other AI tools like ChatGPT to practice and refine your prompt-writing skills can be incredibly beneficial, both because they are free or less costly and because you can instruct the LLM on the role (e.g. cybersecurity expert) it should play before refining the prompt. This helps ensure the best results. Once refined, these prompts can be adapted for use in Copilot for Security.

• Extend with Plugins and Files: Connect your organization’s knowledge bases or personal resources to Copilot to improve the accuracy of responses. By integrating additional relevant data, Copilot can provide more precise, context-specific results. There are two ways to integrate a knowledge base into Copilot:

  • Organizational: Use the Azure AI Search plugin to connect Copilot with your organization’s knowledge base via an Azure AI Search index.
    Example: Prompt Copilot with: "Using our organizational knowledge base, summarize the steps for responding to a ransomware incident based on company protocols."

  • Personal: Upload frequently used files, like compliance checklists or security frameworks, and prompt Copilot to use them repeatedly.
    Example: "Use our uploaded security framework to generate a checklist for auditing our cloud infrastructure."

Remember: Garbage In, Garbage Out! The quality of the prompts you provide directly affects the quality of the responses. Always ensure your inputs are clear, detailed, and relevant to the task at hand.

By following these best practices, key takeaways, and tips, you can fully harness the power of Microsoft Copilot for Security in your organization. Promptbooks are a powerful tool to streamline and enhance your security operations, but as with any tool, success comes down to how effectively you use them.

Stay tuned for more updates on Copilot for Security, and feel free to reach out if you have any questions or need further insights!