First draft

Author: yelevin

articles/sentinel/TOC.yml

@@ -1004,6 +1004,8 @@
     items: 
     - name: Overview
       href: sentinel-security-copilot.md
+    - name: Summarize incidents in Azure portal
+      href: sentinel-security-copilot-incident-summary.md
     - name: Microsoft Copilot in Microsoft Defender
       items:
       - name: Overview

articles/sentinel/sentinel-security-copilot-incident-summary.md

@@ -39,107 +39,54 @@ This capability is also available in the Security Copilot standalone experience
 
 ## Key features
 
-Microsoft Sentinel data integrates with Security Copilot in two ways.
+Incidents containing up to 100 alerts can be summarized into one incident summary. An incident summary, depending on the availability of the data, includes the following:
 
-- In Microsoft's unified security operations platform, Copilot in Microsoft Defender XDR benefits from unified incidents integrated with Microsoft Sentinel.
-- In the standalone experience, Microsoft Sentinel provides two plugins to integrate with Security Copilot:
-   <br>**Microsoft Sentinel (Preview)**
-   <br>**Natural language to KQL for Microsoft Sentinel (Preview)**.
+- The time and date when an attack started.
+- The entity or asset where the attack started.
+- A summary of timelines of how the attack unfolded.
+- The assets involved in the attack.
+- Indicators of compromise (IoCs).
+- Names of [threat actors](/unified-secops-platform/microsoft-threat-actor-naming) involved.
 
-> [!IMPORTANT]
-> The "Microsoft Sentinel" and "Natural Language to KQL for Microsoft Sentinel" plugins are currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
->
-
-## Enable Security Copilot integration with Microsoft Sentinel
+To summarize an incident, perform the following steps:
 
-To maximize your Security Copilot integration with Microsoft Sentinel do the following:
+1. Open an incident page. Copilot automatically creates an incident summary upon opening the page. You can stop the summary creation by selecting **Cancel** or restart creation by selecting **Regenerate**.
 
-- configure a default Microsoft Sentinel workspace for Security Copilot
-- connect your Microsoft Sentinel workspace to Microsoft Defender XDR 
+1. The incident summary appears on the details pane of the incident page (in place of the description). Review the generated summary on the details pane.
+ 
+   :::image type="content" source="/defender/media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-small.png" alt-text="Screenshot that shows the incident summary card on the Copilot pane as seen in the Microsoft Defender incident page." lightbox="/defender/media/copilot-in-defender/incident-summary/copilot-defender-incident-summary.png":::
 
-### Configure a default Microsoft Sentinel workspace
+   > [!TIP]
+   > You can navigate to a file, IP, or URL page from the Copilot results pane by clicking on the evidence in the results.
 
-Increase your prompt accuracy by configuring a Microsoft Sentinel workspace as the default.
+1. **RELEVANT??? - YL**  
+Select the **More actions** ellipsis (...) at the top of the incident summary card to copy or regenerate the summary, or view the summary in the Security Copilot portal. Selecting **Open in Security Copilot** opens a new tab to the Security Copilot standalone portal where you can input prompts and access other plugins.
 
-1. Navigate to Security Copilot at [https://securitycopilot.microsoft.com/](https://securitycopilot.microsoft.com/).
+   :::image type="content" source="/defender/media/copilot-in-defender/incident-summary/incident-summary-options.png" alt-text="Screenshot that shows the actions available on the incident summary card.":::
 
-1. Open **Sources** :::image type="icon" source="media/sentinel-security-copilot/sources.png"::: in the prompt bar.
+1. Review the summary and use the information to guide your investigation and response to the incident.
 
-1. On the **Manage plugins** page, set the toggle to **On**
+> [!IMPORTANT]
+> The Copilot incident summary feature for Microsoft Sentinel is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
-1. Select the gear icon on the Microsoft Sentinel (Preview) plugin.
+## Sample incident summary prompt
 
-   :::image type="content" source="media/sentinel-security-copilot/sentinel-plugins.png" alt-text="Screenshot of the personalization selection gear icon for the Microsoft Sentinel plugin.":::
+**RELEVANT??? - YL**  
 
-1. Configure the default workspace name.
+In the Security Copilot standalone portal, you can use the following prompt to generate incident summaries:
 
-   :::image type="content" source="media/sentinel-security-copilot/configure-default-sentinel-workspace.png" alt-text="Screenshot of the plugin personalization options for the Microsoft Sentinel plugin.":::
+- *Provide a summary for Microsoft Sentinel incident {incident ID}.*
 
 > [!TIP]
-> Specify the workspace in your prompt when it doesn't match the configured default.
-> 
-> Example: `What are the top 5 high priority Sentinel incidents in workspace "soc-sentinel-workspace"?`
-
-### Integrate Microsoft Sentinel with Copilot in Defender
-
-Use the Microsoft Defender portal with your Microsoft Sentinel data for an embedded Security Copilot experience. Microsoft Sentinel's unique data sources flowing into Microsoft Defender XDR unified incidents allow Copilot in Defender to maximize its capabilities.
-
-For example:
-
-- The SAP (Preview) solution is installed in your workspace for Microsoft Sentinel.
-- The near real-time rule [**SAP - (Preview) File Downloaded From a Malicious IP Address**](sap/sap-solution-security-content.md#data-exfiltration) triggers an alert, creating a Microsoft Sentinel incident.
-- [Microsoft Sentinel was onboarded to the Defender portal](/defender-xdr/microsoft-sentinel-onboard).
-- Microsoft Sentinel incidents are now unified with Defender XDR incidents.
-- Use Copilot in Microsoft Defender for incident summary, guided responses and incident reports.
-
-:::image type="content" source="media/sentinel-security-copilot/sentinel-incident-copilot-in-defender-example.png" lightbox="media/sentinel-security-copilot/sentinel-incident-copilot-in-defender-example.png" alt-text="Screenshot of Microsoft Sentinel incident from Defender portal with Copilot embedded experience.":::
-
-For more information, see the following resources:
-
-- [Integrate Microsoft Defender XDR](microsoft-365-defender-sentinel-integration.md)
-- [Microsoft Sentinel in the Microsoft Defender portal](microsoft-sentinel-defender-portal.md#new-and-improved-capabilities)
-- [Copilot in Microsoft Defender](/defender-xdr/security-copilot-in-microsoft-365-defender)
-
-### Integrate Microsoft Sentinel with Security Copilot in advanced hunting
-
-The Natural language to KQL for Microsoft Sentinel (Preview) plugin generates and runs KQL hunting queries using Microsoft Sentinel data. This capability is available in the standalone experience and the advanced hunting section of the Microsoft Defender portal.
-
-> [!NOTE]
-> In the unified Microsoft Defender portal, you can prompt Security Copilot to generate advanced hunting queries for both Defender XDR and Microsoft Sentinel tables. Not all Microsoft Sentinel tables are currently supported.
-
-For more information, see [Security Copilot in advanced hunting](/defender-xdr/advanced-hunting-security-copilot).
-
-## Sample Microsoft Sentinel prompts
-
-Consider the **Microsoft Sentinel incident investigation** promptbook as a starting point for creating effective prompts. This promptbook delivers a report about a specific incident, along with related alerts, reputation scores, users, and devices.
-
-| Guidance | Prompt |
-|---|---|
-|Nudge Copilot to provide human readable information instead of responding with object IDs. |`Show me Sentinel incidents that were closed as a false positive. Supply the Incident number, Incident Title, and the time they were created.`|
-|Copilot knows who you are. Use the "me" pronoun to find incidents related to you. The following prompt targets incidents assigned to you. |`What Sentinel incidents created in the last 24 hours are assigned to me? List them with highest priority incidents at the top.` |
-|When you narrow a prompt response down to a single incident, Copilot knows the context.|`Tell me about the entities associated with that incident.`|
-|Copilot is good at summarizing. Describe a specific audience you want the prompts and responses summarized for. |`Write an executive report summarizing this investigation. It should be suited for a nontechnical audience.`|
-
-For more prompt guidance and samples, see the following resources:
-
-- [Using promptbooks](/copilot/security/using-promptbooks)
-- [Prompting in Microsoft Security Copilot](/copilot/security/prompting-security-copilot)
-- [Rod Trent's Security Copilot Prompt Library](https://github.com/rod-trent/Copilot-for-Security/tree/main/Prompts)
+> When generating an incident summary in the Security Copilot portal, Microsoft recommends including the word ***Defender*** in your prompts to ensure that the incident summary capability delivers the results.
 
 ## Provide feedback
 
-Your feedback is vital to guide the current and planned development of the product. The best way to provide this feedback is directly in the product. Select **How’s this response?** at the bottom of each completed prompt and choose any of the following options:
-- **Looks right** - Select if the results are accurate, based on your assessment. 
-- **Needs improvement** - Select if any detail in the results is incorrect or incomplete, based on your assessment. 
-- **Inappropriate** - Select if the results contain questionable, ambiguous, or potentially harmful information.
-
-For each feedback option, you can provide more information in the next dialog box that appears. Whenever possible, and especially when the result is **Needs improvement**, write a few words explaining what can be done to improve the outcome. If you entered prompts specific to Azure Firewall and the results aren't related, then include that information.
-
-## Privacy and data security in Security Copilot
+Microsoft highly encourages you to provide feedback to Copilot, as it's crucial for a capability's continuous improvement. You can provide feedback on the summary by selecting the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/copilot-defender-feedback.png) found on the bottom of the Copilot pane.
 
-To understand how Security Copilot handles your prompts and the data that's retrieved from the service (prompt output), see [Privacy and data security in Microsoft Security Copilot](/security-copilot/privacy-data-security).
+**HOW TO ADAPT FOR SENTINEL? --YL**
 
-## Related articles
+## See also
 
-- [Microsoft Copilot in Microsoft Defender](/defender-xdr/security-copilot-in-microsoft-365-defender)
-- [Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md)
+- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot)
+- [Privacy and data security in Security Copilot](/copilot/security/privacy-data-security)