Commit 7271cf7

Merge pull request #279372 from austinmccollum/main
create copilot in sentinel doc
2 parents d17f753 + baf3bb8 commit 7271cf7

9 files changed, +115 -2 lines changed

articles/sentinel/TOC.yml

Lines changed: 2 additions & 0 deletions
@@ -1060,6 +1060,8 @@
10601060
href: investigate-incidents.md
10611061
- name: Investigate incidents (Legacy)
10621062
href: investigate-cases.md
1063+
- name: Investigate incidents in Copilot for Security
1064+
href: sentinel-security-copilot.md
10631065
- name: Tutorial - Investigate with UEBA
10641066
href: investigate-with-ueba.md
10651067
- name: Relate alerts to incidents
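Review bot: the new TOC entry name "Investigate incidents in Copilot for Security" does not match the H1 of the page it links to ("Investigate Microsoft Sentinel incidents in Copilot for Security") or that page's metadata title ("Microsoft Sentinel plugin (Preview) in Copilot for Security"), so the left nav, browser tab and page heading will each read differently; pick one form and use it in all three places, and consider carrying the "(Preview)" marker into the nav since the article marks both plugins as preview. The entry is also inserted after "Investigate incidents (Legacy)", which separates it from the current "Investigate incidents" article directly above; placing it between `href: investigate-incidents.md` and the legacy entry keeps the current investigation articles together.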

articles/sentinel/microsoft-sentinel-defender-portal.md

Lines changed: 2 additions & 2 deletions
@@ -25,11 +25,11 @@ The following table describes the new or improved capabilities available in the
2525

2626
| Capabilities | Description |
2727
| ----------------- | ------------------------ |
28-
| Advanced hunting | Query from a single portal across different data sets to make hunting more efficient and remove the need for context-switching. View and query all data including data from Microsoft security services and Microsoft Sentinel. Use all your existing Microsoft Sentinel workspace content, including queries and functions.<br><br> For more information, see [Advanced hunting in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2264410). |
28+
| Advanced hunting | Query from a single portal across different data sets to make hunting more efficient and remove the need for context-switching. Use Copilot for Security to help generate your KQL. View and query all data including data from Microsoft security services and Microsoft Sentinel. Use all your existing Microsoft Sentinel workspace content, including queries and functions.<br><br> For more information, see the following articles:<br>- [Advanced hunting in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2264410)<br>- [Copilot for Security in advanced hunting](/defender-xdr/advanced-hunting-security-copilot) |
2929
| Attack disrupt | Deploy automatic attack disruption for SAP with both the unified security operations platform and the Microsoft Sentinel solution for SAP applications. For example, contain compromised assets by locking suspicious SAP users in case of a financial process manipulation attack. <br><br>Attack disruption capabilities for SAP are available in the Defender portal only. To use attack disruption for SAP, update your data connector agent version and ensure that the relevant Azure role is assigned to your agent's identity. <br><br> For more information, see [Automatic attack disruption for SAP](sap/deployment-attack-disrupt.md). |
3030
|SOC optimizations | Get high-fidelity and actionable recommendations to help you identify areas to:<br>- Reduce costs <br>- Add security controls<br>- Add missing data<br>SOC optimizations are available in the Defender and Azure portals, are tailored to your environment, and are based on your current coverage and threat landscape. <br><br>For more information, see the following articles:<br>- [Optimize your security operations](soc-optimization/soc-optimization-access.md) <br>- [SOC optimization reference of recommendations](soc-optimization/soc-optimization-reference.md) |
3131
| Unified entities | Entity pages for devices, users, IP addresses, and Azure resources in the Defender portal display information from Microsoft Sentinel and Defender data sources. These entity pages give you an expanded context for your investigations of incidents and alerts in the Defender portal.<br><br>For more information, see [Investigate entities with entity pages in Microsoft Sentinel](/azure/sentinel/entity-pages). |
32-
| Unified incidents | Manage and investigate security incidents in a single location and from a single queue in the Defender portal. Incidents include:<br>- Data from the breadth of sources<br>- AI analytics tools of security information and event management (SIEM)<br>- Context and mitigation tools offered by extended detection and response (XDR) <br><br> For more information, see [Incident response in the Microsoft Defender portal](/microsoft-365/security/defender/incidents-overview). |
32+
| Unified incidents | Manage and investigate security incidents in a single location and from a single queue in the Defender portal. Use Copilot for Security to summarize, respond and report. Incidents include:<br>- Data from the breadth of sources<br>- AI analytics tools of security information and event management (SIEM)<br>- Context and mitigation tools offered by extended detection and response (XDR) <br><br> For more information, see the following articles:<br>- [Incident response in the Microsoft Defender portal](/microsoft-365/security/defender/incidents-overview)<br>- [Investigate Microsoft Sentinel incidents in Copilot for Security](sentinel-security-copilot.md) |
3333

3434
## Capability differences between portals
3535

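Review bot: in the Unified incidents row, the added sentence "Use Copilot for Security to summarize, respond and report." is too terse to tell a reader what the feature actually offers, and it drops the serial comma that the rest of this table uses (compare "devices, users, IP addresses, and Azure resources" in the Unified entities row). Suggest aligning it with the wording in the new article this row now links to: "Use Copilot for Security to summarize incidents, get guided responses, and generate incident reports." The Advanced hunting row's new sentence "Use Copilot for Security to help generate your KQL." reads fine, but since the linked article is the Defender XDR advanced hunting page, it would help to add the caveat the new Sentinel article carries, that not all Microsoft Sentinel tables are supported yet, so readers of this table are not surprised when a generated query cannot reach a workspace table.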
Lines changed: 111 additions & 0 deletions
@@ -0,0 +1,111 @@
1+
---
2+
title: Microsoft Sentinel plugin (Preview) in Copilot for Security
3+
description: Learn about Microsoft Sentinel capabilities in Copilot for Security. Understand the best prompts to use and how to get timely, accurate results for natural language to KQL.
4+
keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, query assistant, incident report, incident response automated, automatic incident response, summarize incidents, summarize incident report, plugins, Microsoft plugins, preinstalled plugins, Microsoft Copilot for Security, Copilot for Security, Microsoft Defender, Copilot in Sentinel, NL2KQL, natural language to KQL, generate queries
5+
ms.service: microsoft-sentinel
6+
ms.collection: usx-security
7+
ms.pagetype: security
8+
ms.author: austinmc
9+
author: austinmccollum
10+
ms.localizationpriority: medium
11+
audience: ITPro
12+
ms.topic: conceptual
13+
appliesto:
14+
- Microsoft Sentinel
15+
- Copilot for Security
16+
ms.date: 07/04/2024
17+
#Customer intent: As a SOC administer or analyst, understand how to use Microsoft Sentinel data with Copilot for Security.
18+
---
19+
20+
# Investigate Microsoft Sentinel incidents in Copilot for Security
21+
22+
Microsoft Copilot for Security is a platform that helps you defend your organization at machine speed and scale. Microsoft Sentinel provides a plugin for Copilot to help analyze incidents and generate hunting queries.
23+
24+
Together with the iterative prompts using other sophisticated Copilot for Security sources you enable, your Microsoft Sentinel incidents and data provide wider visibility into threats and their context for your organization.
25+
26+
For more information on Copilot for Security, see the following articles:
27+
- [Get started with Microsoft Copilot for Security](/copilot/security/get-started-security-copilot)
28+
- [Understand authentication in Microsoft Copilot for Security](/copilot/security/authentication)
29+
30+
## Integrate Microsoft Sentinel with Copilot for Security
31+
32+
Microsoft Sentinel provides two plugins to integrate with Copilot for Security:
33+
- **Microsoft Sentinel (Preview)**
34+
- **Natural language to KQL for Microsoft Sentinel (Preview)**.
35+
36+
> [!IMPORTANT]
37+
> The "Microsoft Sentinel" and "Natural Language to KQL for Microsoft Sentinel" plugins are currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
38+
>
39+
40+
### Configure a default Microsoft Sentinel workspace
41+
42+
Increase your prompt accuracy by configuring a Microsoft Sentinel workspace as the default.
43+
44+
1. Navigate to Copilot for Security at [https://securitycopilot.microsoft.com/](https://securitycopilot.microsoft.com/).
45+
46+
1. Open **Sources** :::image type="icon" source="media/sentinel-security-copilot/sources.png"::: in the prompt bar.
47+
48+
1. On the **Manage plugins** page, set the toggle to **On**
49+
50+
1. Select the gear icon on the Microsoft Sentinel (Preview) plugin.
51+
52+
:::image type="content" source="media/sentinel-security-copilot/sentinel-plugins.png" alt-text="Screenshot of the personalization selection gear icon for the Microsoft Sentinel plugin.":::
53+
54+
1. Configure the default workspace name.
55+
56+
:::image type="content" source="media/sentinel-security-copilot/configure-default-sentinel-workspace.png" alt-text="Screenshot of the plugin personalization options for the Microsoft Sentinel plugin.":::
57+
58+
> [!TIP]
59+
> Specify the workspace in your prompt when it doesn't match the configured default.
60+
>
61+
> Example: `What are the top 5 high priority Sentinel incidents in workspace "soc-sentinel-workspace"?`
62+
63+
### Integrate Microsoft Sentinel with Copilot in Defender
64+
65+
Use the unified security operations platform with your Microsoft Sentinel data for an embedded Copilot for Security experience. Microsoft Sentinel's unified incidents in the Defender portal allow Copilot in Defender to use its capabilities with Microsoft Sentinel data.
66+
67+
For example:
68+
69+
- The [SAP (Preview) solution]() is installed in your workspace for Microsoft Sentinel.
70+
- The near real-time rule [**SAP - (Preview) File Downloaded From a Malicious IP Address**](sap/sap-solution-security-content.md#data-exfiltration) triggers an alert, creating a Microsoft Sentinel incident.
71+
- [Microsoft Sentinel was added to the unified security operations platform](/defender-xdr/microsoft-sentinel-onboard).
72+
- Microsoft Sentinel incidents are now unified with Defender XDR incidents.
73+
- Use Copilot in Microsoft Defender for incident summary, guided responses and incident reports.
74+
75+
:::image type="content" source="media/sentinel-security-copilot/sentinel-incident-copilot-in-defender-example.png" lightbox="media/sentinel-security-copilot/sentinel-incident-copilot-in-defender-example.png" alt-text="Screenshot of Microsoft Sentinel incident from Defender portal with Copilot embedded experience.":::
76+
77+
For more information, see the following resources:
78+
79+
- [Microsoft Sentinel in the Microsoft Defender portal](microsoft-sentinel-defender-portal.md#new-and-improved-capabilities).
80+
- [Copilot in Microsoft Defender](/defender-xdr/security-copilot-in-microsoft-365-defender)
81+
82+
### Integrate Microsoft Sentinel with Copilot for Security in advanced hunting
83+
84+
The Natural language to KQL for Microsoft Sentinel (Preview) plugin generates and runs KQL hunting queries using Microsoft Sentinel data. This capability is available in the standalone experience and the advanced hunting section of the Microsoft Defender portal.
85+
86+
> [!NOTE]
87+
> In the unified Microsoft Defender portal, you can prompt Copilot for Security to generate advanced hunting queries for both Defender XDR and Microsoft Sentinel tables. Not all Microsoft Sentinel tables are currently supported, but support for these tables can be expected in the future.
88+
89+
For more information, see [Copilot for Security in advanced hunting](/defender-xdr/advanced-hunting-security-copilot).
90+
91+
## Improve your Microsoft Sentinel prompts
92+
93+
Consider the **Microsoft Sentinel incident investigation** promptbook as a starting point for creating effective prompts. This promptbook delivers a report about a specific incident, along with related alerts, reputation scores, users, and devices.
94+
95+
| Guidance | Prompt |
96+
|---|---|
97+
|Nudge Copilot to provide human readable information instead of responding with object IDs. |`Show me Sentinel incidents that were closed as a false positive. Supply the Incident number, Incident Title, and the time they were created.`|
98+
|Copilot knows who you are. Use the "me" pronoun to find incidents related to you. The following prompt targets incidents assigned to you. |`What Sentinel incidents created in the last 24 hours are assigned to me? List them with highest priority incidents at the top.` |
99+
|When you narrow a prompt response down to a single incident, Copilot knows the context.|`Tell me about the entities associated with that incident.`|
100+
|Copilot is good at summarizing. Describe a specific audience you want the prompts and responses summarized for. |`Write an executive report summarizing this investigation. It should be suited for a nontechnical audience.`|
101+
102+
For more prompt guidance and samples, see the following resources:
103+
104+
- [Using promptbooks](/copilot/security/using-promptbooks)
105+
- [Prompting in Microsoft Copilot for Security](/copilot/security/prompting-security-copilot)
106+
- [Rod Trent's Copilot for Security Prompt Library](https://github.com/rod-trent/Copilot-for-Security/tree/main/Prompts)
107+
108+
## Related articles
109+
110+
- [Microsoft Copilot in Microsoft Defender](/defender-xdr/security-copilot-in-microsoft-365-defender)
111+
- [Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md)
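Review bot: the bullet `- The [SAP (Preview) solution]() is installed in your workspace for Microsoft Sentinel.` has an empty link target and will render as a broken link; either supply the path to the SAP solution article (the next bullet already links into the `sap/` folder) or drop the brackets until the target is known. Smaller points in the same file: the step "On the **Manage plugins** page, set the toggle to **On**" does not say which toggle (presumably the one on the Microsoft Sentinel (Preview) plugin named in the next step) and is missing its period; the IMPORTANT box writes "Natural Language to KQL" while the list above it writes "Natural language to KQL", so the casing should be made consistent; and the customer-intent comment has the typo "SOC administer" for "SOC administrator". In the advanced hunting section, the sentence that the plugin "generates and runs KQL hunting queries" would benefit from a short caveat that analysts should review the generated query before running it, since the following NOTE already warns that not every Sentinel table is supported yet and a query against an unsupported table may silently return nothing.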
