Microsoft Copilot in Microsoft Purview prompts and promptbooks

Microsoft Security Copilot is a stand-alone chat-based experience that helps you get insights from your security data and make connections between datapoints. You interact with the stand-alone experience by entering prompts, and Security Copilot returns results. This article focuses on the stand-alone experience and how to use it to get insights from your Microsoft Purview data.

Know before you begin

If you're new to Microsoft Security Copilot, read these articles before you begin creating your own prompts and promptbooks:

Important

You must enable the Copilot for Purview plugin to use the Microsoft Purview prompts and promptbooks. Use the steps in Enable the Microsoft Purview source in Microsoft Security Copilot

Prompting in Copilot in Microsoft Purview

You can use prompts in three different ways:

Open ended

Open ended prompts are ones that you write yourself without any suggestions from Security Copilot. You can use these prompts to ask questions about your data that are specific to your needs at a certain point in time or when you need a custom prompt that isn't covered by the prompt suggestions or a promptbook. For more information on creating solid prompts, see Create effective prompts.

Prompt suggestions

Prompt suggestions are prewritten prompts that you can use as a starting point and customize to fit your needs. They're listed under all system capabilities. Once you enable the Purview add-in, these prompt suggestions are available to you.

Get Data Risk Summary fetches information from Microsoft Purview Information Protection and Microsoft Purview Data Loss Prevention (DLP), and summarizes the risk associated with data impacted by a security incident or a DLP alert.

Get User Risk Summary summarizes the risk associated with any user by using their risk profile from Microsoft Purview Insider Risk Management.

Summarize Purview Alert provides more details about a Purview alert, including a DLP alert and an insider risk management alert.

Triage Purview Alerts retrieves the top or most recent DLP alerts, organizing DLP alerts based on user preferences.

Zoom Into Purview Data Risk fetches the information from Microsoft Purview Information Protection and DLP and helps identify the risks and attributes related to the data.

Zoom Into Purview User Risk fetches information about the user's activities, including operations and actions done by the user, user activity over a time span, data leakage or exfiltration activities by the user, sequential activities by the user, or any signs of anomalous or unusual behavior by the user.

Promptbooks

A promptbook is a collection of prompts that are in sequence. The stand-alone experience can use the output from one prompt as the input for the next prompt, and it can run multiple prompts in a sequence. As you use Security Copilot with the Microsoft Purview add-in enabled, you may find that you keep using the same prompts over and over. You can save time by collecting all these prompts into a promptbook. Then, you can run the promptbook to get all the insights you need in one go. You can limit the use of a promptbook to yourself, or you can share it with others in your organization.

This article provides two sample sets of prompts you can use for investigating Microsoft Purview Data Loss Prevention (DLP) and Microsoft Purview Insider Risk Management data. You can start with these prompts, then customize them to fit your specific needs. Once you have them tuned the way you want, you can create promptbooks from them.

Run a prompt

  1. Go to Microsoft Security Copilot and sign in with your credentials.
  2. By default, the Purview plugin should be enabled. To confirm, select Sources. In Plugins, confirm Microsoft Purview is on. Close Sources.
  3. Navigate to the prompt bar.
  4. Enter your prompt.

For example, enter:

  • Show me the five most recent high severity DLP alerts or
  • Show me the risk associated with user [email protected].

For more information on creating solid prompts, see Create effective prompts

Promptbooks for Microsoft Purview features

Here are two sequences of prompts that you can use to investigate Microsoft Purview Data Loss Prevention (DLP) and Microsoft Purview Insider Risk Management data. Refer to Build your own promptbooks for the procedures on how to create, share, and edit a promptbook.

Sample prompt sequences

Microsoft Purview Data Loss Prevention

  1. Show me the top five high severity DLP alerts.
  2. Summarize the first alert in the list.
  3. What actions were performed on the file in the alert?
  4. Who is the user related to the alert?
  5. What are the data risks related to the alert?
  6. What is the risk summary of the user?

Microsoft Purview Insider Risk Management

  1. Show me the risk associated with user [email protected]
  2. Show me the exfiltration activities for this user.
  3. Show me the sequential activities for this user.
  4. Show me obfuscation activities for this user.
  5. Show me all the activities that this user performed over the past 30 days.