IT scenario: Perform a security incident investigation

Available with: Copilot for Security

KPIs impacted

IT management costs

Application downtime

Value benefit

Cost savings

Employee experience

Using Copilot to perform a security incident investigation


1. Summarize incident

A security analyst wants to get a summary of an incident in Defender XDR or Unified Security Operations Platform.

Copilot for Security

Prompt: Summarize Defender incident <DEFENDER_INCIDENT_ID>

Activity in embedded experience: Alternatively, open the incident page in the Defender XDR portal or Unified SecOps platform and select the incident.

2. Guided response

The analyst wants to check how to respond to the incident.

Copilot for Security

Prompt: How to respond to this incident?

Activity in embedded experience: Guided response offers actions that can be taken to remediate the incident.

3. IP reputation

The analyst wants to check if the IP address involved belongs to a known threat actor.

Copilot for Security

Prompt: What is the reputation for the IPv4 addresses observed in this incident?

4. Impacted devices

The analyst wants to check which user devices may be impacted by generating a KQL query.

Copilot for Security

Prompt: If a user is listed in the incident details, show which devices they have used recently and indicate whether they are compliant with policies.

Activity in embedded experience: Use the Generate KQL queries for advanced hunting option for a guided experience to
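Step 4 relies on a generated KQL query; the following is an added example of such an advanced hunting query, not one produced by Copilot or taken from the scenario guide. It assumes the Defender XDR DeviceLogonEvents and DeviceInfo tables and uses a constructed account name; policy compliance itself is reported by Intune and is not evaluated here.

```kql
// Added example (not from the scenario guide): list the devices a named user
// signed in to over the last 7 days, with the OS version each device last
// reported. Compliance status is held by Intune, so this query only produces
// the device list that is then checked against Intune in step 5.
let TargetUser = "jdoe";   // constructed placeholder; use the user named in the incident
let Lookback = 7d;
DeviceLogonEvents
| where Timestamp > ago(Lookback)
| where AccountName =~ TargetUser
| where ActionType == "LogonSuccess"
// one row per device: most recent successful logon and how many there were
| summarize LastLogon = max(Timestamp), LogonCount = count() by DeviceId, DeviceName
| join kind=leftouter (
    // latest OS details reported by each device in the same window
    DeviceInfo
    | where Timestamp > ago(Lookback)
    | summarize arg_max(Timestamp, OSPlatform, OSVersion) by DeviceId
  ) on DeviceId
| project DeviceName, LastLogon, LogonCount, OSPlatform, OSVersion, LastSeen = Timestamp
| order by LastLogon desc
```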

5. Verify OS updates

The analyst checks to see if the impacted devices have the latest operating system updates.

Copilot for Security

Prompt: If any devices are listed in the previous output, show details from Intune on the one that checked in most recently. Especially indicate if it is current on all operating system updates.

6. Create report

Generate an incident report to document the incident and communicate with the leadership team.

Copilot for Security

Prompt: Write an executive report summarizing this investigation. It should be suited for a non-technical audience.

The content in this example scenario is for demonstration purposes only. You should evaluate how Copilot aligns with your organization’s business processes, regulatory requirements, and responsible AI principles.