Where possible, when retrieving information from Microsoft Sentinel or Defender XDR, include the following details in the prompt so that Copilot queries the right tenant and workspace:
Microsoft Sentinel:
Tenant ID
Subscription Name
Resource Group Name
Sentinel Workspace Name
Defender XDR:
Tenant ID
Defender Incident / Alert ID
Example of prompt format:
WorkspaceName:*workspace*, SubscriptionName:*subscription*, ResourceGroupName:*resource group*, Request:*In Microsoft Sentinel show me detailed information for incident ID 12345*.
If you want the information collected through your prompts to be presented as a table, specify the column headings and the information you want included in each column.
To explore what type of information a given prompt can return, use the Copilot for Security portal.
For additional prompting tips and samples, review the following resources:
Show me detailed information for incident ID 12345.
This prompt can provide detailed information for a specific incident, including its severity, the number of entities involved, the raw events that triggered the incident, the incident’s unique ID, and any mapped MITRE ATT&CK tactics or techniques.
This prompt retrieves all relevant properties of the specified device, including its name, ID, manufacturer, enrollment date, primary user, device type (e.g., laptop, mobile), and compliance status.
By comparing these two devices, you can identify any differences in their configurations, compliance status, or other relevant attributes. This helps troubleshoot issues and understand why one device is functioning correctly while another isn’t.
This prompt provides a direct link to the corresponding device in Microsoft Defender. From there, you can take further security actions, investigate threats, and analyze security events.
The following prompt suggestions are based on potential reporting capabilities of Copilot for Security.
These prompts may require certain plugins to be enabled, or the use of additional tools and capabilities within your Microsoft stack, to retrieve the relevant information.
Show me the top 50 IP addresses from where login attempts have been denied in the last 24 hours.
This prompt can help you generate a user authentication report, which can surface attempts to gain access to your environment through existing accounts (for example, brute-force or password-spray activity against many accounts from one source IP).
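Copilot for Security answers this kind of Sentinel prompt by generating and running a KQL query, so it is worth checking the result against a query you run yourself. The following is an added example, not a query from this page or from Microsoft; it assumes the Microsoft Entra ID connector is populating the SigninLogs table in the workspace, and that a ResultType of "0" marks a successful sign-in (any other code is a failure). Note that SigninLogs holds interactive user sign-ins only; non-interactive sign-ins land in AADNonInteractiveUserSignInLogs and need a separate query.

```kql
// Added example: direct KQL equivalent of the prompt
// "Show me the top 50 IP addresses from where login attempts have been denied in the last 24 hours."
// Assumes SigninLogs is populated by the Microsoft Entra ID data connector.
SigninLogs
| where TimeGenerated > ago(24h)
// ResultType "0" is a successful sign-in; any other code is a failure,
// e.g. 50126 (invalid credentials), 50053 (account locked), 53003 (blocked by Conditional Access).
| where ResultType != "0"
| summarize
    DeniedAttempts   = count(),
    DistinctAccounts = dcount(UserPrincipalName),   // many accounts from one IP suggests password spraying
    ResultCodes      = make_set(ResultType, 10),    // up to 10 distinct failure codes per IP
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
    by IPAddress
| top 50 by DeniedAttempts desc
```

If the table Copilot returns differs from this, compare the time window, the success/failure condition and the sign-in log tables it used before trusting the report.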
List all the unsuccessful file access attempts in the past week.
This prompt can help you generate a report on file access attempts, which can be crucial in identifying unauthorized attempts to access sensitive files.
List all the vulnerabilities detected in the last quarter.
This prompt can help you generate a Vulnerability Assessment report, which can provide a comprehensive view of the vulnerabilities in your IT infrastructure.